VPN device profiling issue ISE In Line with ASA

Hi all,
We have an inline posture ISE which is acting as a RADIUS server for authenticating VPN clients through our ASA.
However, because VPN clients do not send their MAC like wireless and wired clients do, the ISE cannot profile based on MAC as it does by default.
Has anyone come across this issue and found another way of profiling VPN devices?
Thanks
Mario

Please review the links below, which might be helpful:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html

Similar Messages

  • The Ultimate Guide to Resolving Profile and Device Manager Issues

    The following article also applies to issues after re-setting the server's hostname. It also applies to situations where re-setting the Code Signing Certificate as described by Apple has not resolved the issue.
    Hello,
    I have been plagued with Profile Manager and Device Manager issues since day one.
    I would like to share my experience and to suggest a way how to resolve issues such as device cannot be enrolled or Code Signing Certificate not accepted.
    I shall try to be as brief as possible, just giving an overview of the steps that resolved my issues. The individual steps have been described elsewhere in this forum. For users who have purchased commercial SSL certs the following may not apply.
    In my view many of these issues are caused by missing or faulty certificates. So let us first touch on the very complex matter of certificates.
    Certificates come in many flavours such as CA (Certificate Authority), Code Signing Certificate, S/MIME and Server Identification.
    (Mountain?) Lion Server creates a so-called Intermediate CA certificate ("IntermediateCA_hostname_1") and Server Identification Certificate ("hostname") when it installs first. This is critical for the operation of many server functionalities, including Open Directory. These certs together with the private/public keys can be found in your Keychain. Profile and Device Manager may need a Code Signing Certificate.
    The most straightforward way to resolve the Profile Manager issues is in my view to reset the server created certificates.
    The bad news is that this procedure involves quite a few steps and at least 2 hours of your precious time because it means creating a fresh Directory Master.
    I hope that I have not forgotten to mention an important step. Readers' comments and addenda are welcome.
    I shall outline a sensible strategy:
    1. Clone your dysfunctional server to an external harddrive (SuperDuper does a reliable job)
    2. Start the server from the clone and shut down ALL services.
    3. It may be sensible to set up a root user access.
    4. Back-up all user data such as address book, calendar and other data that you *may* need to set up your server.
    5. Open Workgroup Manager and export all user and workgroup accounts to the drive that you are using to re-build your server (it may cause problems if you back-up to an external drive).
    6. Just in case you may also want to back-up the Profile Manager database and erase user profiles:
    In Terminal (this applies to Lion Server - paths may be different in Mountain Lion!)
    Backup: sudo pg_dump -U _postgres -c device_management > $HOME/device_management.sql
    Erase database:
    sudo /usr/share/devicemgr/backend/wipeDB.sh
    7. Note your Directory (diradmin) password for later if you want to re-use it.
    8. Open Server Admin and demote OD Master to Standalone Directory.
    9. In Terminal delete the old Certificate Authority
    sudo rm -R /var/root/Library/Application\ Support/Certificate\ Authority/
    This step is crucial because else re-building your OD Master will fail.
    9. Go back to Server Admin and promote the Standalone Directory to OD Master. You may want to use the same hostname.
    10. When the OD Master is ready click on Overview and check that the LDAP and Kerberos Realm reflect your server's hostname.
    11. Go back to Workgroup Manager and re-import users and groups.
    NOTE: passwords are not being exported. I do not know how to salvage user passwords. (Maybe passwords can be recovered by re-importing an OD archive - comments welcome!)
    12. Go to Server App and reset passwords and (not to forget) user homefolder locations, in particular if you want to login from a network account!
    If the home directory has not been defined you cannot login from a network account.
    13. You may now want to restore Profile Manager user profiles in Terminal. Issue the following commands:
    sudo serveradmin stop devicemgr
    sudo serveradmin start postgres
    sudo psql -U _postgres -d device_management -f $HOME/device_management.sql
    sudo serveradmin start devicemgr
    14. You can now switch back on your services, including Profile Manager.
    In Profile Manager you may have to configure Device Management. This creates a correct Code Signing Certificate.
    15. Check the certificate settings in Server App -> Hardware -> Settings -> SSL Certificates.
    16. Check that Apple Push Notifications are set. (You can easily check if they are working later.)
    17. You may want to re-boot OS Server from the clone now.
    18. After re-boot open Server App and check that your server is running well.
    19. Delete all profiles in System Preferences -> Profiles.
    19. Login to Profile Manager. You should have all users and profiles back. In my experience devices have to be re-enrolled before profiles can be pushed and/or devices be enrolled. You may just as well delete the displayed devices now.
    20. Grab one of your (portable) Macs that you want to enrol and go to (yourhostname)/mydevices and install the server's trust profile. The profile's name should read "Trust Profile for..." and underneath in green font "Verified".
    21. Re-enrol that device. At this stage keep your fingers crossed and take a deep breath.
    22. If the device has been successfully enrolled you may at last want to test if pushing profiles really works. Login to Profile Manager as admin, select the newly enrolled device. Check that Automatic Push is enabled (-> Profile -> General). Create a harmless management profile such as defining the dock's position on the target machine. (Do not forget to click SAVE at the end - this is easily missed here). If all is well Profile Manager will display an active task (sending) and the dock's position on the target will have changed in a few seconds if you are on a LAN (Note: If sending seems to take forever: check on the server machine and/or on your router that the proper ports are open and that incoming data is not intercepted by Little Snitch or similar software).
    Note: if you intend to enrol an Apple iPhone you may first need to install the proper Apple Configuration software.
    Now enjoy Profile and Device Manager !
    Regards,
    Twistan
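
The backup in step 6 and the restore in step 13, with a check that the dump is complete before anything destructive runs. This is an added example, not part of the original post: the function names and the DUMP variable are hypothetical, the commands and paths are the ones quoted in the post, and the check assumes pg_dump's plain-text format, which writes a header and a trailer comment line.

```shell
#!/bin/sh
# Added example (not from the original post): only wipe the Profile Manager
# database once the dump has been verified, and verify again before restoring.
# Commands and paths are those quoted in the post (Lion Server).

DUMP="${DUMP:-$HOME/device_management.sql}"

# Return 0 only if FILE looks like a complete plain-text pg_dump:
# non-empty, header comment near the top, trailer comment near the end.
# Assumption: pg_dump's plain format writes these two comment lines.
dump_is_complete() {
    f=$1
    [ -s "$f" ] || return 1
    head -n 10 "$f" | grep -q '^-- PostgreSQL database dump$' || return 1
    tail -n 10 "$f" | grep -q '^-- PostgreSQL database dump complete$' || return 1
    return 0
}

backup_then_wipe() {
    # Dump to a temporary name so a failed run never replaces a good dump.
    tmp="$DUMP.partial"
    # umask 077: the dump contains Profile Manager data, keep it owner-only.
    if ! ( umask 077; sudo pg_dump -U _postgres -c device_management > "$tmp" ); then
        echo "pg_dump failed; database left untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! dump_is_complete "$tmp"; then
        echo "dump is empty or truncated; database left untouched" >&2
        return 1
    fi
    mv "$tmp" "$DUMP"
    # Destructive step from the post, reached only with a verified dump.
    sudo /usr/share/devicemgr/backend/wipeDB.sh
}

restore() {
    if ! dump_is_complete "$DUMP"; then
        echo "refusing to restore from incomplete dump $DUMP" >&2
        return 1
    fi
    sudo serveradmin stop devicemgr
    sudo serveradmin start postgres
    sudo psql -U _postgres -d device_management -f "$DUMP"
    sudo serveradmin start devicemgr
}

# Nothing runs unless an action is named on the command line.
case "${1:-}" in
    backup)  backup_then_wipe ;;
    restore) restore ;;
esac
```
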

    HI
    1. In Action profiles, logon to system and recheck correction are available in action definition as well in condition configuration and the schedule condition is also maintained, but the display is not coming (i.e. in the worklist this action is not getting displayed).
    You can check the schedule condition for the action and match the status values...or try recreating the action with schedule condition again....for customer specific ....copy the standard action with ur zname and make a schedule condition and check the same.
    2. In support team of incident when i give individual processor it throwing a warning that u r not the processor. but when i give org unit it is working perfectly. Could anyone guide on this.
    You need to have the employee role for BP ..goto BP and got here dropdown for ur bp and choose role Employee and then enter ur userid
    also make sure that u have the message processing role
    Hope it clarifies ur doubt and resolve ur prob
    Regards
    Prakhar

  • VPN device with dual ISP, fail-over, and load balancing

    We currently service a client that has a PIX firewall that connects to multiple, separate outside vendors via IPSEC VPN. The VPN connections are mission critical and if for any reason the VPN device or the internet connection (currently only a T1) goes down, the business goes down too. We're looking for a solution that allows dual-ISP, failover, and load balancing. I see that there are several ASA models as well as the IOS that support this but what I'm confused about is what are the requirements for the other end of the VPN, keeping in mind that the other end will always be an outside vendor and out of our control. Current VPN endpoints for outside vendors are to devices like VPN 3000 Concentrator, Sonicwall, etc. that likely do not support any type of fail-over, trunking, load-balancing. Is this just not possible?

    Unless I am mistaken the ASA doesn't do VPN Load Balancing for point-to-point IPSec connections either. What you're really after is opportunistic connection failover, and/or something like DMVPN. Coordinating opportunistic failover shouldn't be too much of an issue with the partners, but be prepared for a lot of questions.

  • Bat multiple BLF with User Device Profiles

    Has anyone been able to BAT in multiple Speed Dial/BLF into a user device profile? I have CUCM 7.1 and am trying to BAT in a line with multiple SD/BLF for the other buttons. I get this error:
    Error : Missing key in referenced table for referential constraint (informix.fk_blfspeeddial_fknumplan).
    I checked my phone template and it has 1 line with 5 SD/BLF
    My phone type is 9951
    Thanks

    Juergen,
    Do your fields look like this?
    Busy Lamp Field Label 3 | Busy Lamp Field Label ASCII 3 | Busy Lamp Field Destination 3 | Busy Lamp Field Directory Number 3
    J. Nelson | J. Nelson | | 2303 in INTERNAL-PT
    Nurse | Nurse | | 4062 in INTERNAL-PT
    Library | Library | | 4017 in INTERNAL-PT
    B. Hipsher | B. Hipsher | | 4092 in INTERNAL-PT
    C. Kirkland | C. Kirkland | | 8246 in INTERNAL-PT
    L. Stoner | L. Stoner | | 2040 in INTERNAL-PT
    South Lounge | South Lounge | | 2637 in INTERNAL-PT
    Ginger W | Ginger W | | 6043 in INTERNAL-PT
    K. Jaffie | K. Jaffie | | 4609 in INTERNAL-PT
    L. Cornwall | L. Cornwall | | 2755 in ES-ClassRm-PT
    NA Counselor | NA Counselor | | 2123 in ES-ClassRm-PT
    S. Brigman | S. Brigman | | 8262 in INTERNAL-PT
    D. Sorden | D. Sorden | | 8205 in INTERNAL-PT
    J. Brandel | J. Brandel | | 8105 in INTERNAL-PT
    J. Brandel | J. Brandel | | 8105 in INTERNAL-PT
    S. Pebley | S. Pebley | | 5512 in INTERNAL-PT
    S. Pebley | S. Pebley | | 5512 in INTERNAL-PT
    Wanda B | Wanda B | | 6072 in INTERNAL-PT

  • ADSL2+ line with ADSLMax profile

    Hi,
    I have just migrated in from IDNet.
    I am on a fairly long line and have a sync around 5200 Kbs.
    About 6 months ago, soon after my exchange was enabled, I moved onto WBC ADSL2+ and since then have enjoyed the higher upstream speed and a stable connection. DLM has even removed interleaving.
    However BT have put me back on an ADSLMax profile reducing my upload speed.
    Is it possible to request through the mods here to move back to ADSL2+ profile?
    When my line was migrated my Home Hub had not arrived so I just changed the login account on my existing Netgear DGND3300V2 and carried on using it. Will it cause support problems carrying on using my own router?
    I was a little surprised that I was supplied with a HH3 rather than a HH4, but as it will just stay in its box as a spare it is of little consequence.
    Thanks for your help
    Tim.

    Thanks, I heard back from the mods today. Not quite what I was expecting or hoped.
    They say that the line is only capable of 448kHz and they cannot do anything.
    However I have been syncing at over 800kbps since I upgraded to WBC in Dec 2012. Here is a screenshot of the BT wholesale test showing an upstream IP profile of 0.83Mbps taken on 1st June.
    I have 20 speed tests recorded on Thinkbroadband showing an upstream throughput between 0.68 & 0.80Mbps between Feb and June before moving to BT.
    The email says If this issue is not resolved to your satisfaction, you may reopen it within the next 14 days.
    Do I just use your link to contact the mods again?
    Thanks for your help
    Tim

  • CUCM SQL: Device Profile without Line [1] Number

    Hi Guys,
    we're cleaning up our Callmanager environment right now and I wanna get rid of User Device Profiles which have never been deleted. Is there any way (my thought was via SQL) to at least show the Device Profiles that don't have a Line [1] number associated with them (the DNs have already been deleted but there are still a lot of old Profiles lying around)?
    Thanks for a short reply
    cheers
    Marc

    Try this: 
    run sql select device.name from device where not exists (select fkdevice from devicenumplanmap where devicenumplanmap.fkdevice = device.pkid) and device.tkclass = 254
    ... though George's answer is equally practical for non-SQL types (+5) :-)
    Aaron

  • My iPhone 5S has not connected to 4G LTE service in the last few days? Is there an outage/issue with 4G in my area (Pittsburgh) or is this a device specific issue?

    My iPhone 5S has not connected to 4G LTE service in the last few days? Is there an outage/issue with 4G in my area (Pittsburgh) or is this a device specific issue?

        JHblues Let's get your data working again. There are not any reported issues in the area. Try this step:  http://vz.to/1kUSSk2
    Sheritah_vzw

  • Having issues making GarageBand work with iPad and line 6 midi mobilizer. Any suggestions?

    I am having issues making the line 6 midi mobilizer for keyboard work with GarageBand for ipad2.

    Check out the iRig MIDI

  • Hi i got a mac mini but when i connect it to my smartax mt882 modem via ethernet it says device not connected can anyone solve this issue it work fine with the usb connection but the ethernet is giving me problems plz help

    hi i got a mac mini but when i connect it to my smartax mt882 modem via ethernet it says device not connected can anyone solve this issue it work fine with the usb connection but the ethernet is giving me problems plz help

    Hello, give this a try...
    Make a New Location, Using network locations in Mac OS X ...
    http://support.apple.com/kb/HT2712
    10.5, 10.6, 10.7 & 10.8…
    System Preferences>Network, top of window>Locations>Edit Locations, little plus icon, give it a name.
    10.5.x/10.6.x/10.7.x/10.8.x instructions...
    System Preferences>Network, click on the little gear at the bottom next to the + & - icons, (unlock lock first if locked), choose Set Service Order.
    The interface that connects to the Internet should be dragged to the top of the list.
    For 10.5/10.6/10.7/10.8, System Preferences>Network, unlock the lock if need be, highlight the Interface you use to connect to Internet, click on the advanced button, click on the DNS tab, click on the little plus icon, then add these numbers...
    208.67.222.222
    208.67.220.220
    (There may be better or faster DNS numbers in your area, but these should be a good test).
    Click OK.

  • HT204387 BOSE Bluetooth wireless headphones work with iPhone but not iMac - Profile issue I assume - but why not!!!!

    I have a great pair of BOSE wireless headphones that connect faultlessly to my iPhone. I'm very disappointed however to find that I cannot use the same headphones on my iMac or my MacBook Air. I assume it's a bluetooth profile issue but in product utility terms it makes no sense. Is anyone aware of a way of circumventing this restriction (e.g. third-party product, mac setting,...etc)?

    Yes. This has to be the 8.xx iOS.
    I have experienced this since purchasing the 6+. Now, when I attempt to pair the phone to Sync in my Ford F150, it
    can't find the phone. I go through any number of attempts: rebooting the phone, finding a bluetooth device on Sync, etc.
    Most of the time it shows a "cannot find bluetooth device". Or the Sync shows a pairing number to type in the phone in order
    to pair, but the iPhone doesn't see Sync, so nothing can be done.
    Sometimes, and I mean only sometimes, the device is paired by itself. (On sync, "choose input: usb or bluetooth" and trying this
    several times, Lo and Behold.....wait for it......the iPhone 6+ connects!)
    This is not what I had, an iPhone 4S, that one pairing, and always paired. (truck off, crank and instantly paired). The old days!
    I have checked Ford to look for an update. I have the latest from 2012. The final one for my truck model year.
    This version of iOS needs work and must be updated again.
    I don't know who to contact at Apple but the mods here don't say how to do that. It's another Apple wait and see.
    If I find a solution, I will post it immediately. I hope you will post as well. Thanks for reading.
    M.

  • Device profiling with WLC - wrong result with Nokia

    Hi,
    I have created a Wireless Device Policy Classification in a WLC with 8.0.110.0.
    The WLC, configured for local profiling, profiles the Nokia device (with windows-mobile) as a Windows-Workstations.
    How is this possible?
    Regards.
    Mirko Severi.

    Hi, Scott.
    Thanks for your help.
    In this case, my device is Lumia 635 and its MAC is B8-4F-D5-D6-3F-3C
    In the oui there is
    B8-4F-D5   (hex) Microsoft Corporation
    B84FD5     (base 16) Microsoft Corporation
                         1 Microsoft Way
                      Redmond Washington 98052
                     UNITED STATES.
    The WLC is profiling the device right!
    Is it possible to put an exception?
    Regards.
    Mirko

  • Generic Device Profile with TouchScreen Functionality

    Will there be a generic profile for (multi) touchscreen
    devices supporting FL3 in the near future?
    Since there are already devices that are utilizing a
    touchdisplay in combination with FL3, like the Chumby, wouldn't it
    be nice to test the applications you develop for that device in
    ADC?
    After years without touchdisplays even Nokia is also
    developing new devices (N98) with touchscreen-functionality to
    fulfill customer needs that may have arisen by the iPhone (that
    probably also might incorporate a Flash Lite implementation), so
    maybe a generic device profile might be useful to already start
    developing and testing applications in that (future) field.
    Do you know anything about that topic? Maybe a new Adobe
    Device Profile Package Release?

    Same problem here. New shiny setup working just fine - until today. iMac G5 lost pairing with the keyboard. Now it's only visible as an "other device", and typing the passphrase into the keyboard achieves nothing. Search for keyboards and there's no sign of it.
    I've seen other posts that relate, especially:
    http://discussions.apple.com/thread.jspa?threadID=293328
    and tried turning things on/off in different orders, but no luck.

  • Logical Profiles in ISE 1.2

    I created a logical profiles group that is assigned with the Apple-ipad, Apple-iPhone and Apple-iDevice policies. Now ISE will not update the feed policies for the three devices. This is the message that I received from ISE when it does its Feed Policies update. I use the logical profiles group matching for authentication and authorization. Is there any way for me to update these feed policies? Thanks for the help!!
    Feed Version 1 policies downloaded.
    Total number of feed polices to apply are 3.
    Feed policies total 3 skipped.
    Feed policies warning message : Apple-Device has been changed by admin.
    Apple-Device:Apple-iDevice has been changed by admin.
    Apple-Device:Apple-iPad has been changed by admin.

    Hello Toua,
    Please verify switch configuration for those network segments where endpoints are not being appropriately profiled to ensure that:
    • The required information to profile the endpoint is being sent to Cisco ISE for it to profile.
    • Probes are configured on the network Policy Service node entities.
    • Verify that packets are received at the Cisco ISE profiler module by running the tcpdump function at Operations > Troubleshoot > Diagnostic Tools > General Tools > Tcpdump.
    Note: If you are observing this issue with endpoints on a WAN collected by HTTP, Netflow, and NMAP, ensure that the endpoint IP address has been updated with a RADIUS/DHCP Probe before other attributes are updated using the above probes.
    For more information, please visit the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192504

  • Issue of  Schedule Lines in MRP List

    Hi,
    We ran MRP for one material, and we observed that MRP generated 3 schedule lines with respect to a single Schedule Agreement with exception message 30 (Plan Process according to schedule).
    Schedule line 1 --- Delivery Date is 10/06/2011 in MD05, Delivery date in Schedule Agreement is 10/04/2011,Rescheduling date is 08/27/2011 Exception message is 30(Plan Process according to schedule(08/27/2011 08/25/2011).
    Schedule line 2 --- Delivery Date is 10/06/2011 in MD05, Delivery date in Schedule Agreement is 10/04/2011,Rescheduling date is 10/05/2011 Exception message is 30(Plan Process according to schedule(10/05/2011 10/03/2011).
    Schedule line 3 --- Delivery Date is 10/06/2011 in MD05, Delivery date in Schedule Agreement is 10/04/2011,Rescheduling date is 09/08/2011 Exception message is 30(Plan Process according to schedule(09/08/2011 09/06/2011).
    But in Schedule Agreement, we are seeing that all the 3 delivery schedules with delivery dates as "10/04/2011" as GR Processing time is 2 days.
    Can anyone tell why the MRP has not updated the Schedule Agreement with the new Delivery dates proposed by the exception message 30 in MD05 list.
    Thanks in advance.

    Hi Vivek,
    I am not knowing how to upload the details.
    Please find the Material master details for the issue material:-
    MRP type- PD, Lot Size - ZE - Period lot size, Sched.2, Split ( Config Setting of this lot size key is provided below),
    Minimum lot size-2,000.000, rounding profile-2,000.000, Material type- ROH,Safety Stock - 1224, Pld Delivery time -63 days, GR Processing time- 2 days, Planning Calendar-ZEX.,Consumption mode     2,Bwd consumption per. 999,Fwd consumption per. 999 ,Mixed MRP --      1, Strategy group =      Z1 ( Final assembly & assembly level, i.e., combination of 40 + 70))
    Config Setting of Lot size key- ZE are :-
    LotSizeProced.  P Period lot-sizing procedure ,Lot-size ind.-   K Period lot size as in PPC planning calendar
    Scheduling  --    2 Period end := delivery date ,No. of periods  1, Splitting Quota - Checked ,Last Lot Exact- Checked.
    b) Scheduling Agreement has 3 delivery schedule lines with Delivery Date as "10/04/2011" and scheduled quantities as 2000,1617 and 2000 EA.
    As per the MD05 screen, for this material, corresponding to these 3 schedule lines, we have exception message 30 with different delivery dates. Our question is why MRP has not updated the delivery dates for the schedule lines in the scheduling agreement proposed by these exception messages.
    Can you please let me know whether this information is sufficient for you to understand my problem?
    Thanks in advance.

  • How to use Device Profiles and Viewing Conditions Profile in Photoshop Elements 11?

    In trying to get to grips with the Colour management aspects of PSE11, I have encountered the following problems:
    Having selected "Display" a sequence of clicks (Change display settings -> Advanced settings -> Colour Management -> Colour Management tab -> Colour Management)
    gives a screen which includes the headings:
    Device Profile  and Viewing Conditions Profile.
    1. Device Profile. Besides sRGB and ARGB, the profile list includes the profiles for all of the Epson papers. (I have an Epson Stylus Photo PX810FW).
    I changed the Profile to an Epson Grayscale, this was accepted within the menu, but there are no changes from normal when I viewed the image on the Windows screen or within
    PSE11. ("normal" is sRGB or ARGB).
    I thought it worth a try to test that, if I wanted the display image to closely represent what I would get on a particular Epson paper, this may be a way to do it. (I suspected this approach because I have never
    seen it in the literature!).
    So what is the purpose of all of the paper Profiles appearing in the Display listing?
    2. The Viewing Conditions Profile has also several options. I have tried to find the criteria for choosing one rather than the other, but failed to find any information. Can anyone help? I seek general guidance
    rather than the details of the Profiles.
    As a separate question:
    Selecting Image on the PSE11 menu across the top of the displayed image, and then Convert Colour Profile, I tried this process on an image, converting tiff to sRGB. When saved there was an extra asterisk in the saved title but in this case,
    the file was still labelled tiff and there was no change in the number of Mbs. If a conversion has taken place, how is one to know?  Does saving a tiff file as jpeg change its colour profile? When is it useful to use this feature?
    Many thanks to all responders! 

    Addressing your second question, you are confusing two different things.
    tiff is an image file format, as is jpeg, as is psd, as is png, as are dozens (if not hundreds, http://en.wikipedia.org/wiki/Image_file_formats) of other formats.
    A colour profile represents the colour characteristics of devices so that, for example, displays know how to display the colours, printers know how to print them.
    Image files MAY, but do not have to, contain colour profiles.
    For details:
    http://help.adobe.com/en_US/creativesuite/cs/using/WS52323996-D045-437d-BD45-04955E987DFB.html
    http://en.wikipedia.org/wiki/Color_management#Color_profiles
    http://en.wikipedia.org/wiki/ICC_profile
    Cheers,
    Neale
    Insanity is hereditary, you get it from your children
