Cisco 5760 - Anchor config issue

Hi,
I am having an issue where the 5760 Anchor WLC has 4 subnets but half of the VLANs need to go to a separate gateway and the other half to another gateway.
The image below shows what the network looks like:
The router (Content Filtering) is the gateway for 4 x SSIDs/VLANs.
The firewall is the gateway for the Management VLAN.
The issue here is that we have 2 separate gateways and there is no way to define separate gateways for each VLAN on the 5760 WLC.
We have a default IP route 0.0.0.0 0.0.0.0 10.1.1.254 which is pointing to the firewall. The firewall is not the gateway for the other 4 x SSIDs/VLANs that exist on the Anchor, so we do not want all traffic going to the firewall, only management traffic.
Is there a way to set different gateways for different subnets/VLANs on the 5760 WLC, keeping in mind that there is a default route pointing to the firewall?
Also, does the 5760 WLC act as a Layer 3 device?
Thanks

All deployment types for the Anchor configuration are listed below.
Case solution:
Wireless WebAuth and Guest Anchor Solutions
The following sections show a WebAuthentication (WebAuth) configuration and Guest Anchor examples on the CT5760.
Note: For a complete WebAuth configuration, download the webauth bundle from http://software.cisco.com/download/release.html?mdfid=284397235&softwareid=282791507&release=3.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest . The readme file has all the GUI and CLI configuration for WebAuth.
Configure Parameter-Map Section in Global Configuration
A parameter map holds the settings a feature applies to a client session. The parameter-map type webauth commands below define the global virtual IP that clients are redirected to, plus a named map (webparalocal) that carries the banner and the redirect targets; the WLAN configured later references that named map.
! First section is to define our global values and the internal Virtual Address.
! This should be common across all WCM nodes.
parameter-map type webauth global
virtual-ip ipv4 192.0.2.1
parameter-map type webauth webparalocal
type webauth
banner text ^C WEBAUTHX^C
redirect on-success http://9.12.128.50/webauth/loginsuccess.html
redirect portal ipv4 9.12.128.50
Configure Customized WebAuth Tar Packages
Transfer each file to flash:
copy tftp://10.1.10.100/WebAuth/webauth_consent.html flash:webauth_consent.html
copy tftp://10.1.10.100/WebAuth/webauth_success.html flash:webauth_success.html
copy tftp://10.1.10.100/WebAuth/webauth_failure.html flash:webauth_failure.html
copy tftp://10.1.10.100/WebAuth/webauth_expired.html flash:webauth_expired.html
Configure Parameter Map with Custom Pages
parameter-map type webauth webparalocal
type webauth
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Parameter Map with Type Consent and Email Options
parameter-map type webauth webparalocal
type consent
consent email
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Local WebAuth Authentication
username guest password guest123
aaa new-model
dot1x system-auth-control
aaa authentication login EXT_AUTH local
aaa authorization network EXT_AUTH local
aaa authorization network default local
or
aaa authentication login default local
aaa authorization network default local
Configure External Radius for WebAuth
aaa new-model
dot1x system-auth-control
aaa server radius dynamic-author
client 10.10.200.60 server-key cisco
auth-type any
radius server cisco
address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
key cisco
aaa group server radius cisco
server name cisco
aaa authentication login EXT_AUTH group cisco
or
aaa authentication login default group cisco
Configure WLAN with WebAuth
wlan Guest-WbAuth 3 Guest-WbAuth
client vlan 100
mobility anchor 192.168.5.1
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list EXT_AUTH
security web-auth parameter-map webparalocal
no shutdown
Configure HTTP Server in Global Configuration
!--- These are needed to enable Web Services in the Cisco IOS® software.
ip http server
ip http secure-server
ip http active-session-modules none
Other Configurations to be Checked or Enabled
!--- These are some global housekeeping Cisco IOS® software commands:
ip device tracking
ip dhcp snooping
SNMP Configuration
From the CT5760 console, configure the SNMP strings. The strings below are the example values from the guide; on a production anchor use non-default community strings, restrict them with an access list, or use SNMPv3 instead.
snmp-server community public ro
snmp-server community private rw
IPv6 Configuration
IPv6 is supported on the data path. Wireless clients will be able to get an IPv6 address.
Enable IPv6 Snooping - CT5760
There are slight differences in configuration on a CT5760 when configuring IPv6. To enable IPv6 RA guard on a CT5760, first define the policy globally, then attach it to the uplink interface as shown in the next step.
ipv6 nd raguard policy testgaurd
trusted-port
device-role router
interface TenGigabitEthernet1/0/1
description Uplink to Core Switch
switchport trunk native vlan 200
switchport mode trunk
ipv6 nd raguard attach-policy testgaurd
ip dhcp snooping trust
Enable IPv6 on Interface - CT5760
Depending on which interfaces need IPv6 and on the type of address required, the respective configuration is enabled as follows. In this example IPv6 snooping is enabled on VLANs 100 and 200, and IPv6 addressing is enabled on the client VLAN SVI (Vlan100).
vlan configuration 100 200
ipv6 nd suppress
ipv6 snooping
interface Vlan100
description Client VLAN
ip address 10.10.100.5 255.255.255.0
ip helper-address 10.10.100.1
ipv6 address 2001:DB8:0:10::1/64
ipv6 address FEC0:20:21::1/64
ipv6 enable
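The steps above (parameter map, AAA list, WLAN, HTTP server, SNMP, RA guard) only work together when the names they reference line up. As an added example (not from the page or from Cisco), this Python script parses a running-config laid out like the fragments above and reports the mismatches a reviewer would look for: a WebAuth WLAN pointing at an undefined authentication list or parameter map, a missing virtual-ip, a trunk uplink with no RA guard policy, the default SNMP strings, a reversible username password, and a missing default route. The sample config is constructed from this page's fragments; the RADIUS section is not checked.

```python
import re
from typing import Dict, List

# Constructed sample assembled from the fragments on this page (not a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login EXT_AUTH local
aaa authorization network EXT_AUTH local
username guest password guest123
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1
parameter-map type webauth webparalocal
 type webauth
 redirect portal ipv4 9.12.128.50
wlan Guest-WbAuth 3 Guest-WbAuth
 client vlan 100
 mobility anchor 192.168.5.1
 no security wpa
 security web-auth
 security web-auth authentication-list EXT_AUTH
 security web-auth parameter-map webparalocal
 no shutdown
ip http server
ip http secure-server
snmp-server community public ro
snmp-server community private rw
ipv6 nd raguard policy testgaurd
 device-role router
 trusted-port
interface TenGigabitEthernet1/0/1
 switchport mode trunk
 ipv6 nd raguard attach-policy testgaurd
 ip dhcp snooping trust
ip route 0.0.0.0 0.0.0.0 10.1.1.254
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level (unindented) line to its indented child lines."""
    blocks: Dict[str, List[str]] = {}
    parent = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(raw.strip())
        elif not raw.startswith(" "):
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks


def audit_guest_anchor(config: str) -> List[str]:
    """Return findings in config order; an empty list means every check passed."""
    blocks = parse_blocks(config)
    tops = list(blocks)  # dict order is insertion order, so findings are deterministic
    findings: List[str] = []
    login_lists = {t.split()[3] for t in tops if t.startswith("aaa authentication login ")}
    param_maps = {t.split()[3] for t in tops if t.startswith("parameter-map type webauth ")}
    policies = {t.split()[4] for t in tops if t.startswith("ipv6 nd raguard policy ")}

    if "aaa new-model" not in tops:
        findings.append("aaa new-model missing: named authentication lists are not honoured")
    if not any(c.startswith("virtual-ip") for c in blocks.get("parameter-map type webauth global", [])):
        findings.append("global webauth parameter-map has no virtual-ip (nothing to redirect to)")

    for top in tops:
        children = blocks[top]
        if top.startswith("wlan ") and "security web-auth" in children:
            name = top.split()[1]
            if not any(c.startswith("mobility anchor ") for c in children):
                findings.append(f"{name}: WebAuth WLAN has no mobility anchor")
            if "no security wpa" not in children:
                findings.append(f"{name}: WPA still enabled on an open WebAuth WLAN")
            for c in children:
                if c.startswith("security web-auth authentication-list ") and c.split()[-1] not in login_lists:
                    findings.append(f"{name}: authentication-list {c.split()[-1]} is not defined")
                if c.startswith("security web-auth parameter-map ") and c.split()[-1] not in param_maps:
                    findings.append(f"{name}: parameter-map {c.split()[-1]} is not defined")
            if "no shutdown" not in children:
                findings.append(f"{name}: WLAN is shut down")
        if top.startswith("interface ") and "switchport mode trunk" in children:
            attached = [c.split()[-1] for c in children if c.startswith("ipv6 nd raguard attach-policy ")]
            if not attached:
                findings.append(f"{top}: trunk uplink has no RA guard policy attached")
            findings += [f"{top}: RA guard policy {p} is not defined" for p in attached if p not in policies]
        m = re.match(r"snmp-server community (\S+) (ro|rw)\b", top, re.I)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community '{m.group(1)}' with {m.group(2).upper()} access")
        m = re.match(r"username (\S+) password ", top)
        if m:
            findings.append(f"username {m.group(1)}: 'password' is reversible, use 'secret'")

    if "ip http server" not in tops and "ip http secure-server" not in tops:
        findings.append("ip http server / secure-server missing: the portal cannot be served")
    if not any(t.startswith("ip route 0.0.0.0 0.0.0.0 ") for t in tops):
        findings.append("no default route although ip routing is on by default")
    return findings


if __name__ == "__main__":
    for finding in audit_guest_anchor(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports three findings (the guest password stored with "password", and the two default SNMP strings) and nothing else; remove the mobility anchor or aaa new-model line and the corresponding finding appears. Feed it the output of show running-config from a real anchor to run the same checks there.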

Similar Messages

  • Cisco 2950 switch config issues

    WOOHOO that worked!  Have been on another site for a week trying to get this done.
    Now, how do I change the default SSH port from 22 to the port I want?

    Hello, I have a Cisco 2950 switch that I am trying to get working correctly. I want to be able to make console and SSH connections, but not Telnet.
    en
    config t
    username admin secret Pa55w0rd
    en secret Pa55w0rd
    !
    line con 0
    password Pa55w0rd
    login local
    !
    line vty 0 4
    password Pa55w0rd
    login local
    transport input ssh
    !
    hostname GEMSWI0001
    ip domain-name domain.local
    ntp server 192.168.217.10
    !
    crypto key generate rsa
    2048
    username admin priv 15 secret Pa55w0rd
    aaa new-model
    !
    service password-encryption
    !
    ip http server
    ip http port 65410
    !
    !
    vlan 128
    name Office
    int vlan128
    ip address 192.168.128.254 255.255.255.0
    shut
    !
    vlan 217
    name GEM
    int vlan217
    ip address 192.168.217.254 255.255.255.0
    shut
    !
    vlan 999
    name GEM-Admin
    int vlan999
    ip address 192.168.255.251 255.255.255.248
    no shut
    !
    int fa0/47
    description GEMCON0000-1
    switch access vlan 999
    switchport mode access
    switchport...
    This topic first appeared in the Spiceworks Community

  • Cisco 5760 controller in centralized mode supports 4404 controller as anchor controller?

    Hello All,
    I have a cisco 5760 controller running in centralized mode. I want to configure one 4404 controller as anchor controller to work with the 5760 controller. Is this supported?.
    Thanks in advance
    Shabeeb

    No, it is not supported.
    You cannot have a mobility peer with a 5760 unless you enable "new mobility" on its peer. In CUWN products this is supported on 5508/WiSM2/8510 on specific codes. In currently supported codes it has to be 7.6.x or 8.x.
    As you know, the 4400 only supported up to 7.0.x code, so new mobility is not supported; hence you cannot peer it with CA products.
    In case you have a "new mobility" supported WLC, here is how you configure it:
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • 3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

    Hi,
    I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 guest wireless networks:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    GUEST1: 10.9.65.0/24 – VLAN 11
    GUEST2: 10.9.66.0/24 – VLAN 12
    GUEST3: 10.9.67.0/24 – VLAN 13
    Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
    The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
    The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
    Interface vlan 11 – 10.9.65.1
    Interface vlan 12 – 10.9.66.1
    Interface vlan 13 – 10.9.67.1
    wgh-anchorwlc5760-primary#show ip interface brief
    Interface              IP-Address      OK? Method Status                Protocol
    Vlan1                  10.8.252.1      YES NVRAM  up                    up
    Vlan11                 10.9.65.1       YES manual up                    up
    Vlan12                 10.9.66.1       YES manual up                    up
    Vlan13                 10.9.67.1       YES manual up                    up
    GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
    Te1/0/1                unassigned      YES unset  up                    up
    Te1/0/2                10.8.253.1      YES NVRAM  up                    up
    Capwap0                unassigned      YES unset  up                    up
    If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
    If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
    If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
    Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine; clients get an IP and the right default gateway and DNS servers when connecting, for example, to GUEST1.
    anchorwlc5760-primary#show wireless client summary
    Number of Local Clients : 3
    MAC Address    AP Name                          WLAN State              Protocol
    04f7.e482.b21c N/A                              2    IPLEARN            Mobile
    bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
    a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
    However, they are not able to ping the default gateway (SVI VLAN 11: 10.9.65.1), so I cannot see any traffic leaving the Anchor WLC to continue with the Web Authentication process (CWA) using ISE. I can see that the authorization policy ("unknown" and the URL to ISE) has been pushed to the clients, but I am not redirected to the ISE Web Authentication portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
    I know that usually there is a trunk (that allows client VLANs) between a WLC and an L3 switch when you configure multiple SSIDs and then configure the SVIs on the L3 switch. However, I think this design with an L3 link should work too because the 5760 is a WLC + L3 switch.
    My question is: why are clients not able to ping their default gateway?
    I hope it makes sense.
    I appreciate any thoughts and help. Thanks in advance.
    Joana.

    Hi,
    I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
    I hope it helps.
    Joana.

  • Cisco 5760 WLC initial config

    Hi,
    I am configuring a Cisco 5760 WLC and wondering if it is required to put in a default route. This document says to put one in, but I don't see why it is needed as it is connected to a switch via a Layer 2 trunk.
    Reference:
    https://supportforums.cisco.com/docs/DOC-34430
    Another question: since there are no more Dynamic Interfaces and they are replaced with Layer 2 and Layer 3 interfaces instead, do all Layer 2 interfaces you create also require a Layer 3 interface IP address to be configured? As shown below:
    Thanks

    So by default the 5760 has IP routing enabled so you will need to put in a default route. A default gateway won't work unless you disable IP routing first.
    Sent from Cisco Technical Support iPhone App

  • Can't delete WLAN, missing anchor config...

    Using WLC v7.6.100.0
    (Cisco Controller) >config wlan delete <n>
    This WLAN is used in AP groups.
    Are you sure you want to continue? (y/n) y
    Anchors configured on WLAN - unable to delete WLAN entry.
    There are no anchors configured on the WLAN... I think this is seen when an IP address changes in the mobility group, but the anchor for a WLAN isn't removed prior to the change.  This is an old bug from 4.2
    https://tools.cisco.com/bugsearch/bug/CSCsy94911
    Anyone got a workaround other than resetting the WLC?  That would be very annoying...

    Hi Rasika,
    Yes, I tried that.
    One thing to note is that when you add the problem anchor it no longer appears on the list of selectable anchors but it doesn't appear above in the configured anchors...
    I then tried removing all WLAN anchor configs, then changing the mobility group entry for the anchor WLC to the previous (original) IP entry, then adding and removing that.
    So I assume that there is hidden WLAN config mapping anchor wlc by MAC to IP...  If there is a mobility group change this config goes into limbo.... It's still there but is removed from GUI and console running config somehow
    :S

  • I can sync bookmarks on my Firefox for Android, but folders aren't synced; I can only get bookmarks from the main Bookmarks folder. Is this a bug or a config issue?

    I can sync bookmarks in Firefox for Android, but only the ones that are in the main Bookmarks folder; the folders created below the main folder are not synchronized. Is this a bug or a config issue?
    Thanks

    Thanks Barney, I tried that but all that comes up in Spotlight are the log files that show the file paths! I don't know how Steam works. Are all the files held by Steam on their server perhaps?

  • Cisco 5760 WebAuth "Consent Success Page"

    I've downloaded the WebAuth bundle from cisco.com and uploaded to a Cisco 5760 software version 3.6
    It is all functioning correctly, except one aspect.
    After the user reads the AUP and clicks the submit button they are sent to a "Consent Success Page" that reads "Thanks for Accepting our Consent" and will redirect to the IOS-configured redirect URL after 5 seconds.
    Has anyone come across this? Can anyone advise how I customise this "Consent Success Page"? It doesn't appear to load the success.html page that I've configured below.
    parameter-map type webauth global
     type webconsent
     virtual-ip ipv4 1.1.1.1
     max-http-conns 100
     intercept-https-enable
    parameter-map type webauth PublicWiFi
     type consent
     consent email
     redirect on-success http://bbc.co.uk
     custom-page login device flash://consent/pub/consent.html
     custom-page success device flash://consent/pub/success.html
     custom-page failure device flash://consent/pub/failed.html
     custom-page login expired device flash://consent/pub/logout.html
     logout-window-disabled

    May be the bug CSCup67821 with no workaround

  • Anchor config with 802.1x

    I have working guest configuration using an anchor config.  I'm trying to do it with a second SSID but the difference is that the second SSID is supposed to use 802.1x.
    Now I do see the client associate with the remote site controller using this second SSID, but I don't see anything on the anchor controller.  And because of that I don't see that client getting an IP address either.  I have the same exact SSID on the anchor controller as well and users are working fine connecting to it in the corporate office.

    It doesn't appear that the handoff to the anchor happens, there are a ton of messages about DHCP being dropped due to ongoing mobility handshake:
    DHCP Socket Task: Oct 01 15:21:20.141: 3c:ab:8e:67:9f:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
    and then the user gets dropped onto the management interface, which I assume is the interface in the WLAN config:
    *apfMsConnTask_0: Oct 01 15:16:00.182: 3c:ab:8e:67:9f:28 Applying Local Bridging Interface Policy for station 3c:ab:8e:67:9f:28 - vlan 0, interface id 0, interface 'management'
    First, I wouldn't leave an anchored WLAN linked to management, I like to create a dummy interface.
    Second, can you post the WLAN configs?
    HTH,
    Steve

  • 851 Router Config Issue

    Hi all,
    Hopefully this will be a nice easy one for you all.
    I have recently configured and installed an 851 router successfully :) I now only have one issue, the damn thing switches itself off after a period of inactivity!
    If I want to use it again I have to issue a reset command then a boot command.
    This takes me to the:
    router>
    prompt. I then have to issue a copy start run command. And then a no shut on each of my interfaces.
    Obviously I would just like the router to stay up and running, but I can't work out how to do it. I'm sure that this is just a simple config issue and I would dearly love for you all to solve it!
    If any of you know the answer, can you please provide clear and accurate commands, as I will copy them parrot fashion into the router.
    Thank you all in advance.
    Stuart

    Hello,
    as spremkumar already pointed out the config register usually is set to 0x2102. You can reconfigure the register by:
    Router#configure terminal
    Router(config)#config-register 0x2102
    Router(config)#end
    Then perform a reload and check whether the config is present after the router finished booting.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • CISCO PRIME INFRASTRUCTURE 1.2 CONFIG ISSUE

    Hello all,
    This is my first time running a Cisco Prime Infrastructure 1.2, but it seems not to be working properly as I have errors on it.
    I had issues from the very beginning and had to write erase the config, but the appliance only boots to a blank screen with a cursor.
    Can anyone advise on how to restore it back to the initial setup?
    And please, what is the effect of the RESET button on the device?
    thanks

    I don't know if this has been fixed in 2.0 or not.  By the looks of the bug it hasn't.  However, there is a workaround-
    https://tools.cisco.com/bugsearch/search?kw=prime%20infrastructure%20copy%20run%20start&pf=prdNm&sb=anfr&srtBy=byRel&bt=custV
    BugID
    CSCuf89957
    Prime Infrastructure - No option to save running config to startup
    Conditions:
    Prime Infrastructure 1.2/1.3
    Workaround:
    Create a Configuration Template that runs either:
    "do write mem"
    Or for devices which no longer support "write mem", use:
    "file prompt quiet
    do copy run start
    no file prompt quiet"

  • IOS XE Cisco 4431 NAT Config DNS Issues

    Hi All,
    I found out that IOS XE does not support IP DNS Server and therefore you are required to have a DNS server separately. My question is: if I push all clients to a public DNS server such as Google, why does it not work?
    I can ping out and do NSLOOKUPs but nothing resolves in the browser. I have added an inbound rule to the WAN ACL to allow UDP/TCP 53 from 8.8.4.4 and it does not work. I've spent ages and the only thing that does work is IP ANY ANY, and obviously I am not leaving that rule there. Is it a bug?
    Thanks
    Ben

    Hi Collin,
    Sorry for the delay, I have left the "IP any any" under WAN ACL 102.
    I did try CBAC at the 11th hour but it was spewing up unrecognised remarks and I didn't have time to go through it.
    Please see the config below for reference; I have put in Google DNS.
    Just to be clear: no DNS resolves from DHCP clients if I remove the IP any any from WAN ACL 102. The router can resolve locally, i.e. over serial.
    Many Thanks
    Ben
    Bespoke#sh run
    Building configuration...
    Current configuration : 12805 bytes
    ! Last configuration change at 18:24:43 GMT Sun Mar 15 2015 by admin
    ! NVRAM config last updated at 18:24:45 GMT Sun Mar 15 2015 by admin
    version 15.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    no platform punt-keepalive disable-kernel-core
    hostname Bespoke
    boot-start-marker
    boot system flash bootflash:isr4400-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin
    boot-end-marker
    vrf definition Mgmt-intf
     address-family ipv4
     exit-address-family
     address-family ipv6
     exit-address-family
    logging buffered 16386 informational
    logging rate-limit 100 except warnings
    no logging console
    aaa new-model
    aaa authentication fail-message ^CCCC Login failed.
    This could be because your RADIUS credentials are incorrect, or the RADIUS servers are unreachable. If servers are unreachable, use a local username and password.^C
    aaa authentication login default group radius local enable
    aaa authentication enable default group radius enable
    aaa authorization console
    aaa authorization exec default group radius local
    aaa session-id common
    clock timezone GMT 0 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    no ip source-route
    ip options drop
    no ip bootp server
    ip domain name x.net
    ip name-server x.x.x.x
    ip name-server x.x.x.x
    ip dhcp bootp ignore
    no ip dhcp conflict logging
    ip dhcp excluded-address 192.168.1.1 192.168.1.15
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 172.1.0.1
    ip dhcp excluded-address 172.1.1.1
    ip dhcp excluded-address 172.1.2.1
    ip dhcp excluded-address 172.1.3.1
    ip dhcp pool ManagementVLAN100
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 8.8.4.4
    ip dhcp pool VLAN200
     network 10.10.8.0 255.255.252.0
     default-router 10.10.10.1
     dns-server 8.8.4.4
     lease 0 1
    ip dhcp pool VLAN300
     network 172.1.0.0 255.255.255.0
     default-router 172.1.0.1
     dns-server 8.8.4.4
    ip dhcp pool VLAN400
     network 172.1.1.0 255.255.255.0
     default-router 172.1.1.1
     dns-server 8.8.4.4
    ip dhcp pool VLAN500
     network 172.1.2.0 255.255.255.0
     default-router 172.1.2.1
     dns-server 8.8.4.4
    ip dhcp pool VLAN600
     network 172.1.3.0 255.255.255.0
     default-router 172.1.3.1
     dns-server 8.8.4.4
    subscriber templating
    multilink bundle-name authenticated
    redundancy
     mode none
    no cdp run
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    class-map match-all 140mbpsratelimit
     match access-group 103
    policy-map 140mbpsratelimit
     class 140mbpsratelimit
      police cir 146800500 bc 27525120 be 55050240
       conform-action transmit
       exceed-action drop
       violate-action drop
    interface Null0
     no ip unreachables
    interface GigabitEthernet0/0/0
     no ip address
     negotiation auto
    interface GigabitEthernet0/0/0.602
     description PRIMARYWAN200MBPS
     encapsulation dot1Q 602
     ip address x.x.x.x 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip verify unicast source reachable-via rx allow-default
     ip access-group 102 in
     no cdp enable
     ip virtual-reassembly
    interface GigabitEthernet0/0/1
     no ip address
     negotiation auto
    interface GigabitEthernet0/0/1.100
     description ManagementVLAN100
     encapsulation dot1Q 100
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no cdp enable
     ip virtual-reassembly
    interface GigabitEthernet0/0/1.200
     encapsulation dot1Q 200
     ip address 10.10.10.1 255.255.252.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no cdp enable
     service-policy input 140mbpsratelimit
     service-policy output 140mbpsratelimit
     ip virtual-reassembly
    interface GigabitEthernet0/0/1.300
     encapsulation dot1Q 300
     ip address 172.1.0.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no cdp enable
     ip virtual-reassembly
    interface GigabitEthernet0/0/1.400
     encapsulation dot1Q 400
     ip address 172.1.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no cdp enable
     ip virtual-reassembly
    interface GigabitEthernet0/0/1.500
     encapsulation dot1Q 500
     ip address 172.1.2.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no cdp enable
     ip virtual-reassembly
    interface GigabitEthernet0/0/1.600
     encapsulation dot1Q 600
     ip address 172.1.3.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     no cdp enable
     ip virtual-reassembly
    interface GigabitEthernet0/0/2
     no ip address
     negotiation auto
    interface GigabitEthernet0/0/2.603
    interface GigabitEthernet0/0/3
     no ip address
     shutdown
     negotiation auto
    interface GigabitEthernet0
     vrf forwarding Mgmt-intf
     no ip address
     shutdown
     negotiation auto
    ip nat inside source list 1 interface GigabitEthernet0/0/0.602 overload
    ip nat inside source static tcp 192.168.1.15 443 x.x.x.x 443 extendable
    no ip forward-protocol nd
    no ip forward-protocol udp
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    ip route 0.0.0.0 255.0.0.0 Null0
    ip route 10.0.0.0 255.0.0.0 Null0
    ip route 127.0.0.0 255.0.0.0 Null0
    ip route 169.254.0.0 255.255.0.0 Null0
    ip route 172.16.0.0 255.240.0.0 Null0
    ip route 192.0.0.0 255.255.255.0 Null0
    ip route 192.0.2.0 255.255.255.0 Null0
    ip route 192.168.0.0 255.255.0.0 Null0
    ip route 198.18.0.0 255.254.0.0 Null0
    ip route 198.51.100.0 255.255.255.0 Null0
    ip route 203.0.113.0 255.255.255.0 Null0
    ip radius source-interface GigabitEthernet0/0/0.602
    access-list 1 remark NAT-LAN
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 permit 10.10.8.0 0.0.3.255
    access-list 1 permit 172.1.0.0 0.0.0.255
    access-list 1 permit 172.1.1.0 0.0.0.255
    access-list 1 permit 172.1.2.0 0.0.0.255
    access-list 1 permit 172.1.3.0 0.0.0.255
    access-list 50 remark SNMP_ACCESS
    access-list 50 permit x.x.x.x 0.0.0.31
    access-list 50 permit x.x.x.x 0.0.0.31
    access-list 51 remark NTP_ACCESS
    access-list 51 permit x.x.x.x
    access-list 51 permit x.x.x.x
    access-list 51 deny   any
    access-list 51 remark NTP_ACCESS
    access-list 102 remark WAN_INGRESSPrimary
    access-list 102 permit ip any any
    access-list 102 permit tcp any host x.x.x.x eq 443
    access-list 102 permit udp host 8.8.4.4 eq domain host x.x.x.x
    access-list 102 permit udp host 8.8.8.8 eq domain host x.x.x.x
    access-list 102 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
    access-list 102 permit udp host x.x.x.x eq ntp host x.x.x.x eq ntp
    access-list 102 permit udp host x.x.x.x eq 1645 host x.x.x.x eq 1645
    access-list 102 permit udp host x.x.x.x eq 1645 host x.x.x.x eq 1645
    access-list 102 permit udp x.x.x.x 0.0.0.31 host x.x.x.x eq snmp
    access-list 102 permit udp x.x.x.x 0.0.0.31 host x.x.x.x eq snmp
    access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq telnet
    access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq 22
    access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq telnet
    access-list 102 permit tcp x.x.x.x 0.0.0.31 host x.x.x.x eq 22
    access-list 102 permit icmp x.x.x.x 0.0.0.31 any echo
    access-list 102 permit icmp x.x.x.x 0.0.0.31 any echo
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 deny   icmp any any
    access-list 102 deny   ip host 0.0.0.0 any
    access-list 102 deny   ip host 255.255.255.255 any
    access-list 102 deny   ip any any
    access-list 103 remark 140mbpsratelimit
    access-list 103 permit udp any any
    access-list 103 permit tcp any any
    access-list 150 remark VTY_ACCESS
    access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq telnet
    access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq 22
    access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq telnet
    access-list 150 permit tcp x.x.x.x 0.0.0.31 any eq 22
    access-list 150 deny   ip any any
    snmp-server community x.x.x.x RO 50
    radius server RadiusPR
     address ipv4 x.x.x.x auth-port 1645 acct-port 1646
     timeout 3
    radius server RadiusTC
     address ipv4 x.x.x.x auth-port 1645 acct-port 1646
     timeout 3
    control-plane
    line con 0
     logging synchronous
     transport output none
     stopbits 1
    line aux 0
     exec-timeout 0 1
     no exec
     transport output none
     stopbits 1
    line vty 0 4
     access-class 150 in
     logging synchronous
     transport input telnet ssh
     transport output none
    line vty 5 15
     access-class 150 in
     logging synchronous
     transport input telnet ssh
    ntp access-group peer 51
    ntp server x.x.x.x
    ntp server x.x.x.x
    end
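Numbered IOS ACLs such as access-list 102 above are evaluated top down and the first matching entry wins, with an implicit deny at the end. As posted, the first entry is permit ip any any, so no later entry is ever consulted. The following Python simulator is an added example (not from the post or from Cisco) that replays a subset of the posted ACL against constructed packets and reports which line each packet hits; it also lists the entries shadowed by a catch-all. 203.0.113.2 stands in for the redacted x.x.x.x WAN address, the entries with redacted peers are omitted, and the model ignores ICMP type keywords and the NAT order of operations.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# The post redacts the WAN address as x.x.x.x; 203.0.113.2 stands in for it (assumption).
WAN_IP = "203.0.113.2"

# Subset of access-list 102 as posted, in the posted order (constructed for the example).
ACL_102_AS_POSTED = [
    "permit ip any any",
    f"permit tcp any host {WAN_IP} eq 443",
    f"permit udp host 8.8.4.4 eq domain host {WAN_IP}",
    f"permit udp host 8.8.8.8 eq domain host {WAN_IP}",
    "permit icmp any any echo-reply",
    "permit icmp any any time-exceeded",
    "permit icmp any any unreachable",
    "deny icmp any any",
    "deny ip any any",
]

PORT_NAMES = {"domain": 53, "ntp": 123, "snmp": 161, "telnet": 23, "www": 80}


@dataclass
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr(tokens: List[str], i: int):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (host) mask after the slash
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens: List[str], i: int):
    """Parse an optional 'eq PORT' qualifier; anything else (ICMP types) is ignored."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i


def parse_ace(text: str):
    t = text.split()
    action, proto = t[0], t[1]
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return action, proto, src, sport, dst, dport


def ace_matches(ace, pkt: Packet) -> bool:
    action, proto, src, sport, dst, dport = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in src or ip_address(pkt.dst) not in dst:
        return False
    if sport is not None and sport != pkt.sport:
        return False
    return dport is None or dport == pkt.dport


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins: (action, 1-based line). ('deny', None) is the implicit deny."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0], n
    return "deny", None


def unreachable_after_catchall(acl: List[str]) -> List[int]:
    """Line numbers that can never match because an 'ip any any' entry precedes them."""
    for n, line in enumerate(acl, 1):
        action, proto, src, sport, dst, dport = parse_ace(line)
        if proto == "ip" and src.prefixlen == 0 and dst.prefixlen == 0 and sport is None and dport is None:
            return list(range(n + 1, len(acl) + 1))
    return []


# Constructed packets: a DNS reply from 8.8.4.4 to the WAN address, and an SSH probe.
DNS_REPLY = Packet("udp", "8.8.4.4", WAN_IP, sport=53, dport=51000)
SSH_PROBE = Packet("tcp", "198.51.100.7", WAN_IP, sport=40000, dport=22)

if __name__ == "__main__":
    print(evaluate(ACL_102_AS_POSTED, DNS_REPLY))       # shadowed by line 1
    print(evaluate(ACL_102_AS_POSTED[1:], DNS_REPLY))   # hits the 8.8.4.4 entry
    print(evaluate(ACL_102_AS_POSTED[1:], SSH_PROBE))   # falls through to deny ip any any
    print(unreachable_after_catchall(ACL_102_AS_POSTED))
```

With line 1 in place every packet, including the SSH probe, is permitted by line 1 and lines 2 to 9 are dead. With line 1 removed, a UDP reply sourced from 8.8.4.4 port 53 matches the permit udp host 8.8.4.4 eq domain entry, and the SSH probe falls through to deny ip any any; that is the behaviour to confirm with show access-lists hit counters before deciding whether the ACL is what blocks a given flow.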

  • CISCO ASA config issue (Remote management ASDM/SSH/etc)

    I can't ping the device from 10.23.1.x either; I can ping it on 10.23.2.x though.

    I have a couple of ASA devices that I want to be able to manage across our network. I have two devices: Device A is 10.23.1.10 and the other is on 10.23.2.10. If I remote into a machine on the 10.23.2.x network I can connect through SSH and ASDM, but on the 10.23.1.x network I cannot connect. I have the ASDM configured to accept connections from both networks. Any idea why it does not work? The remote ASA is on the local/inside network, just on a different subnet.
    This topic first appeared in the Spiceworks Community

  • WLC 5508 HA Anchor DHCP issue

    Hi Cisco Support Community,
    I am currently notice some issues within my WiFi infrastructure.
    Our infrastructure is setup with a 8510 WLC high availability cluster (AP SSO) and a 5508 WLC high availability cluster (AP SSO) as mobility anchor within the DMZ zone.
    The issue I noticed is that if there is a switchover on the 5508 WLC high availability cluster the users wont be able to receive a DHCP IP address.
    I already read some of the other threads regarding this topic. (About Mobility Anchor: Policy Manager State = DHCP_REQD) (DHCP Anchor controller problem.)
    But unfortunately I was unable to find any solution for my issue.
    We currently have three SSIDs with anchoring active, and I have noticed that only the SSIDs with layer 3 security enabled are affected by this issue.
    The one SSID with PSK and MAC Auth is not affected by this issue.
    I already checked the configuration for the SSIDs between the main controller and the anchor controller; the SSIDs are configured the same except for the breakout interface.
    Even the described SSID with PSK and MAC Auth configured uses the same breakout interface as one of our layer 3 security enabled SSIDs.
    The configuration works so far; only in case of a failover are the clients connected to one of the SSIDs with layer 3 security enabled unable to receive an IP address from the DHCP server.
    I also performed some troubleshooting for the client on the anchor side.
    I added part of the troubleshooting outputs as workingssid.txt and notworkingssid.txt to this thread.
    Maybe one of you guys has some advice for me to address the issue.
    Thanks for your support in advance
    With kind regards
    Benedikt

    As far as your L3 roaming is concerned, make sure you're using the latest and most stable firmware for the WLC.
    Make sure the Mobility groups are the same and configured on the WLCs before the switchover happens. Make sure that if DHCP is outside the network then option 43 is set and you are able to get an IP from both WLCs manually and able to ping. Make sure the AP-manager interface virtual IP is set. Make sure SSO is enabled on both controllers.
    Check the following link also.
    https://supportforums.cisco.com/discussion/11662541/layer-3-roaming-and-dhcp
    Please confirm and mark it as the correct answer if your issue is resolved.

  • Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet

    I am having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.
    I stripped the config and removed as much stuff as I could - no VPN etc. and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads? Anyone else seeing these problems? If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.
    I installed 1Gb of mem on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using an inside and outside address for these tests, no other ports configured.
    Is anyone else seeing this performance problem with the 9.2.3 code? I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.
    My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached.
    Anyone have a barebones config on their ASA 5505 that flies...I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.

    After changing the switch with a high end switch my performance increased but I am still not happy with the throughput out of my ASA. I have about 50+ ASAs 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regards to QOS issues.
    I get much better results using the Cisco 3750X attached to the FIOS (right around 300/300 with my laptop directly attached to the 3750x bypassing the ASA - my FIOS circuit rating is also 300/300). Going through the ASA to the same test site I get download speeds of 35 to 75. Changes randomly which really bothers me. My upload speeds are ALWAYS faster than my download speeds. Example - best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.
    I may have to live with it but the inconsistency is what really bothers me.
    Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. VPN tunnel to the main site can be up or down...doesn't seem to make any difference. PC goes to site directly from outside interface of ASA...split tunneling. Even when I removed tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.
    Anything obviously missing - new command or anything? Xlates causing issues?
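    The poster's config is not reproduced on the page, so as an added example (not the poster's own configuration or a Cisco-supplied procedure) here is the first-pass set of ASA show commands a practitioner would run to separate a circuit or switch-port problem from drops inside the firewall when download throughput is far below upload throughput. The interface names Ethernet0/0 (outside switch port) and Vlan2 (outside SVI) are assumptions for a default 5505 layout.

    ```cisco
    ! Added diagnostic checklist; interface names are assumptions.
    !
    ! 1. CPU. Sustained high CPU only while the download test runs points
    !    at inspection or the 5505's forwarding limit, not at the circuit.
    show cpu usage
    !
    ! 2. Interface health. Input errors, CRC errors or a duplex mismatch on
    !    the outside port hurt the receive (download) direction first.
    show interface Ethernet0/0
    show interface Vlan2
    show traffic
    !
    ! 3. Drops inside the ASA. Clear the counters, run one speed test, then
    !    read them: TCP normalizer, inspection and out-of-order drops are
    !    reported with a named reason that tells you which feature to tune.
    clear asp drop
    ! (run the speed test here)
    show asp drop
    !
    ! 4. State tables and license limits. The post asks about xlates; compare
    !    the live counts with the platform and license limits.
    show xlate count
    show conn count
    show version | include Inside Hosts
    !
    ! 5. Applied inspection and any policing/shaping. A bare config still
    !    carries global_policy; confirm exactly which inspections and
    !    policy-map actions are in the download path.
    show run policy-map
    show service-policy
    ```

    Read the results in that order: a clean step 2 with a busy step 1 or a growing reason counter in step 3 moves the problem inside the firewall, while errors in step 2 send you back to the cabling and the switch port before any ASA command is changed. The `clear asp drop` / `show asp drop` pair around a single test is what makes the drop counters attributable to that test rather than to the device's whole uptime.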
