I have noticed that under the Device Change Audit list under the configuration dashboard. LMS lists the wrong user for the last change. For example. User ABC performed a change on a switch yesterday but switch shows user XYZ has performed the change.
e.g.
SwitchA
! Last configuration change at 16:27:06 AEST Mon Aug 15 2011 by ABC
User XYZ then performs changes on switchB, switchC. These show up correctly. but the change on switchA shows user XYZ instead of ABC.
User XYZ has never logged into the switchA in question.
We are trying to finally get rid of a couple old 3060 concentrators and would like to see how many active connections are still on. Is there any reporting that can be seen from the concentrators?
I need to understand why change audit report reports an unused username Name of the user who performed the change. This is the name entered when the user logged in. It can be the name under which the LMS application is running, or the name using which the change was performed on the device. #The User Name field may not always reflect the user name. The User Name is reflected only when: A config change was performed using LMS. #A config change was performed outside of LMS, but the network has username-based AAA security model, wherein authentication is performed by an AAA server, which could be TACACS/RADIUS or local.
My cisco works LMS3.2 is not showing recent configuration of my Cisco devices. also it dont show any change report on last 24 hours or even if i select x number of day, looks like its not saving any changes made on devices.
today i logged in and cisco ASA was showing this in status as well Configuration Last Archived Time May 03 2012 11:27:46 EDT on checking i could see it is same date when cisco ASA was added in cisco works. do i need to click some where for auto update configuration changes and latest confoguration in cisco works setting?
when u use the debug cryoto isakmp 127 on the asa 5510, in order to troubleshhot remote access vpn users,to which entry r u looking in the debug to see if the user enter wrong password?
For access by external users on our network use all Cisco VPN Client, we have a VPN3000 Concentrator and a Cisco ACS 2.6 for authentication.We wanted to upgrade to the latest release of ACS 4, x .... you can set a password expiration for VPN Client? Or make sure that the remote user can change password?
I want to set-up a HA for ASA5510. I wanted to design the network to achieve HA. I am attaching the present set-up of the network. At present, I have 2 ISPs connections terminating in ASA5510. The configuration is done for failover in ASA5510.I have another ASA5510 and want to use it for HA. I needed to know the design for the set-up. I want a stateless failover since the amount of traffic is less. I don't have any ISP routers in the present network. I suppose I need 2 routers for HA and couple of switches. One more question is that, as there are SSL VPN users, is there any way for the users to not get disconnected when one device fails.
I am using ACS 5.3 What I am about is setting user authentication against existence of the user in specific AD group, not just being a member in any AD. What is happening now, users get authenticated as long as they exists in the AD, luckily they fail on authorization, as it is bound to specific AD group.
how can I bind the authentication aginst specific group in AD, not just using AD1 as the identity source.
Ive changed the IP address of a laptop to connect to the router with IP 192.168.15.1 but now want to change the router IP address from the defaul to another subnet, so that it is accessable with other workstations on the LAN, but I could not readily find the option to set the Ip address on the router.
I'm signed in with user admin.
I also wanted to add addiontal users. The help indicates there is a User List Add Entry option but from the Administration bar, the left hand menu option shows User Management & User Privileges options. On User Management, it is possible to change the 2 default user names, but I wanted to leve them and create new ones.
A customer contacted us that he can't connect his devices via web since he changed the IP address. Ok, big laugh "type the correct IP" but no. Even if you use the correct IP, no user can't connect anymore to the device. Also via CLI!The only thing that worked was the password recovery procedure. After that everything worked fine.The customer and me tried it again with another 2960, maybe there went something wrong when he did it last time and it was an accident. Nice thought but no: another device same error, no login possible.
I have a device specific question. I was wondering how/if it would be possible to change an aftermarket device's bluetooth name? For example, this bluetooth dongle. I need to be able to connect multiple bluetooth transmitters to either 1 receiver or an equal amount of receivers without the 'same' devices interfering with each other, and these dongles are the cheapest on the net. I'm assuming I'll need to get into it on my computer somehow to change the name.
is there anyway to change the IP address of a device without data lost? I saw an option in to change it in Inventory > Device Administration: Add / Import / Manage Devices > Edit identity but from what I read I can get a data lose,
how do i change a default gateway? the current gateway 170.130.110.254 needs to be changed to 170.130.110.2 so my two devices at separate locations can communicate with each other
we just replace 6500 with N7K, after migration there're some device (server,pc,printer) change its ip address configuration (subnet and gateway) by it self. can N7K did it?
I picked up this RV180 router because it has one of the fastest thru speeds of all the routers tested that I viewed on smallnetbuilder. That and it has the cisco name. I grew tired of purchasing wireless home routers every year after they fail. So far the thing is nice with one exception.
I have one device that is essential on my network called an airave. It is a small device similar to a wireless access point that works on springs voice network. The thing essentially makes a small cell tower inside your house and connects to the sprint network through an Ipsec vpn. I have not ability to change ipsec settings on the device on my end. The device works fine connected to the cable modem or to the old slow dlink. When I first connect the thing it works fine for about 5-10 minutes on the cisco. Then the thing loses connection and I lose my cell phone service. Just to test any port conflicts I made this the the DMZ with no luck.
I have also tried a firmware upgrade. I have not messed with any of the firewall settings or port forwarding since DMZ should in theory fix that. I have assigned the thing a fixed IP address but that does not seem to make a difference. It did not on my old router and is mostly just for my sanity and to facilitate the DMZ.
In our network we use cisco WS-C6509-E (R7000) Backbobe switch. We want to route syslog to log server.But I couldn't do it. How can solve this problem?
We have a PIX 515E running ver 6.3 and we want to implemente some sort of logging to keep track of who/when logs in to the PIX and if they make any config changes or to the file system. All of this is for forensic purposes in the future. I have already looked at some PIX docs but I don´t seem to find what I am lokking for.
ACS and i would like to know how to enable the "Configuration Audit" for someone login to my network devices using their ACS login and i can monitor what they did on it.
I have new DIA Internet service coming in and unlike the last vendor who provided a router, I am configuring my own. This is my first full Cisco config - I've been looking at this for 3 days now. I have SIP signalling, rtp and default traffic on a (3) t1 multilink (4.5mb). My lan and firewall uses dscp tags and passes them to the 1841 for outbound. The ISP only prioritizes by destination address so I just need the 1841 to respect the tags internally. Inbound, I have only port numbers to go by to differentiate voice traffic and I want to tag EF and CS3 accordingly for use by the 1841 and the rest of my network.
Below is part of my proposed config. I have read tons of Cisco docs and looked at all the queuing methods and this one I understand the best. I am getting the error: "CBWFQ : Can be enabled as an output feature only", so I presume that something is wrong on an input definition somewhere. For now all the firewall functions are done at the actual firewall (Sonicwall NSA) so other than limiting ports to the PBX everything else is just pass-through. Any changes required. IOS is 12.4(4)T1.
i can configure a requirement type as audit (opposed to mandatory or optional), so the client will still access the network, the user will not be notified, and the information will be sent to the cas.It is possibile to generate an email or similar automated process to notify administrators on these audits?
Sometimes our network lag and i thing there is a computer making this problem. i'd like to audit all input output of all port of a Catalyst 1900. all i manage to do is to enter to the console menu via Telnet.. once here, i try monitoring but i'm afraid to do a bad thing :
Catalyst 1900 - Main Menu
[C] Console Settings [S] System [N] Network Management [P] Port Configuration
When performing an audit from NCS Prime 1.3 on our 5508 controllers (500 lic) we are getting mismatch messages from many of our 3602i AP's that say the following...
(Type)Configuration Name Audit Status Attribute Prime Infrastructure Value Controller Value (AP APname, Interface) 802.11a/n Mismatch Spectrum Intelligence true false
These AP's are not configured as Spectrum Intelligence on the controllers, rather as local. It seems that NCS believes that they are supposed to be SI. We have refreshed the config from controller many times but this does not change. The 5508's run v.7.2.111.3 Is there a change I can make on NCS or otherwise to make this mismatch go away? Is this a bug? It is not causing any problems (that we can see) but as most would rather not have these mismatches.
I'm using ACS 5.4p2 within distributed systems: one primary and one secondary instance.For now, primary instance is acting as Log Collector server and I can see any AAA audit logs.
When the primary instance fails I can authenticate successfully using the secondary instance.However, when primary instance comes back, I'm not able to see any audit logs operated by secondary.
I've got a Cisco 1841 with 2 FastEthernet ports here. My Cisco isn't great, and I've been given a problem I don't seem to be able to crack.Essentially, I have one network with two sides. I've connected these to fe0/0 and fe0/1 on the router, and put them interfaces into a bridge group which as far as I can tell, essentially makes the router a 2 port switch...I know this won't make a lot of sense from a normal network point of view, but what we need to do is allow all traffic from fe0/0 to fe0/1, but not allow any traffic in the reverse direction. The traffic allowed to flow from fe0/0 to fe0/1 must include broadcast traffic (infact that is the most important traffic, its how the silly theatre application works). None of the traffic is IP addressed.... ie, each of the devices on the network assign themselves an IP address, and then throw broadcast traffic out on to the "dedicated physical network" that exists between them for communication[CODE]
I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
None of them ever removed any lines from the configuration, and none did any documentation. When examining the actual configuration from a CLI perspective:
1. Does an ADSM- created access list end with any specific ADSM- added suffix? 2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command? 3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional? 4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?
I am using a Pix 515 with IOS 8.0(3).I have in my access list on the outside interface.......access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo-reply.......in order to allow ping requests and ping replies into my inside network. This certainly works since I can ping the inside from outside and vice versa, but in the ASDM display of access rules, the hit count for these two lines is always zero. If I run 'show access-list', the hit count for these lines is non-zero.
Why doesn't the hit count show up in the ASDM gui display?Also, I have read that the PIX does not treat ICMP in the same way as TCP or UDP and there is no stateful behaviour towards ICMP. However, if I set up a continuous ping from outside to inside and then disable the above access list rule allowing echo requests towards the inside, the ping continues whereas I would expect it to stop.
In the config there is 'timeout icmp 00:00:02' if there is no stateful connection for ICMP, why is there a timeout value for it?
I have started to use ip extended access-lists on several 3750X-switches to filter inbound and outbond traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is it really no way to group different ip-addresses into groups and then use these groups in the access-lists?
I have been told that if an access list is created with the suffix _access_in, that if the preifx is the name of an interface, then that access list is automatically bound to that interface, even if there is no explicit command doing that. I looking at the config of an ASA 5550.
example:
Interface is Production access list is called Production_access_in.
Is that access list automatically bound to the Production interface, even though it does not show up in any other commands?
Yesterday, I configured ASA via CLI for Static PAT and created some entries in an access-list. I will be testing that setup this evening.
However on a quick double check of the settings on the device via ASDM I could not see the acess-list settings. I searched every tab and found nothing so I PuTTYed into the device and checked the running config. The rules I created were right there. Is this something I should expect? If so doesn't it defeat the point of having a GUI if it does not show a complete running config?
