Cisco Prime and WLC audit

Similar Messages

• Cisco Prime and WLC packet capture error - Request Timed Out

  Hello,
  We have a Cisco Prime installation (2.2.0) and a WLC (Cisco 5508)
  I’ve been trying to test the wireless packet capture function, but have now run into problems, a quick rundown of my actions so far:
  Selected a wireless access point in Prime and clicked ‘Packet Capture’
  Did a packet capture saving to the PI, the capture worked fine
  Could not find any way to delete the packet capture
  Selected a wireless access point in Prime and clicked ‘Packet Capture’
  Did a packet capture saving to an FTP server, the capture worked fine
  The 1st capture had finished (10 minute capture) before testing the second
  The 2nd capture has also finished and saved the files to the FTP server as specified
  Now though I cannot capture from any access point as when I click ‘Packet Capture’ I get the error:
  “Request Timed out. Error in getting data from server.”
  The error is ‘instant’ as in no delay indicating something actually timing out.
  So the 2 problems I have are:
  How do I fix the ‘request timed out’ error above
  How do I delete old packet captures from the PI
  I hope someone can help as I can’t find any info on either of the problems.
  Cheers
  Adrian

  I think I've solved (2) by deleting the files from the FTP directory on the prime box through SSH.
  So I'm now just stuck on the timed out error.

• Cisco Prime and WLC HA-SSO

  Hi All.
  i implemented the HA_SSO on two wlc, WLC1 Active and WLC2 Hot Stanby and the system works fine.
  My question reguarding the monitoring. Is Possible monitoring  to the WLC Secondary?
  if by chance the wlc standby should be broken as I can realize this fault?
  Regards

  Is Possible monitoring to the WLC Secondary?
  Currently, the answer is NO.  Wait a few more months.  If I remembered correctly, this feature has been asked several times and might actually be incorporated with CPI 3.0 which is rumoured to be released on May/June 2015.

• Cisco Prime and Maps

  Hi
  When you create a map in Cisco Prime and place the APs, does this effect in any way the RRM configuration on the AP's? or there power\channel selection?
  Or are the maps a purely passive tool?
  Thanks in advance

  RRM operates at the controller level.  Prime maps are passive only and have no impact on RRM.  The maps are more of a visual/graphical tool for heatmaps and planning scenarios.

• Cisco Prime and UCS 220M3

  Dear folks,
  I have a confusion in one of my deployments. My client ordered initially a UCS 220M3 server, which came along with a windows CD. It was supposed to be used as an LMS 4.1 server. Later on there were some variation and customer wants to have prime infrastructure over it. Now I am unable to understand how to do it. The server which came doesnt have any OS. It has one 600 GB hard drive. Can anyone guide me what should i do / or order additionally to work out through this. I am pasting the BoQ for this server which is the original one before variation, the task is to make it work with Prime Infrastructure. Along with this i am attaching some snaps of the physical server and CIMC console...just to clear out any doubts... i will be very thankful if you suggest me the correct way.
  Part Number
  NMS
  LMS-4.1-100-K9
  Cisco Prime LMS 4.1 Base DVD - 100 device license
  1
  R200-BUN-4
  UCS C200 M2 Rack Svr  1x E5506  1x4GB  1PS
  1
  A01-X0113
  2.13GHz Xeon E5506 80W CPU/4MB cache/DDR3 800MHz
  1
  A02-M304GB2-L
  4GB DDR3-1333MHz RDIMM/PC3-10600/single rank/Low-Dual Volt
  2
  R200-D1TC03
  Gen 2 1TB SAS 7.2K RPM 3.5in HDD/hot plug/C200 drive sled
  1
  CAB-9K10A-UK
  Power Cord  250VAC 10A BS1363 Plug (13 A fuse)  UK
  2
  R2X0-PSU2-650W-SB
  650W power supply  w/added 5A Standby for UCS C200 or C210
  1
  MSWS-08R2-ENHV-RM
  Windows Svr 2008 R2 EN (1-8CPU  25CAL)  Media
  1
  R2X0-ML002
  LSI 1064E (4-port SAS 3.0G RAID 0  1  1E ) Mezz Card
  1
  A01-X0113
  2.13GHz Xeon E5506 80W CPU/4MB cache/DDR3 800MHz
  1
  N01-M304GB1
  4GB DDR3-1333MHz RDIMM/PC3-10600/dual rank 1Gb DRAMs
  1
  R2X0-PSU2-650W-SB
  650W power supply  w/added 5A Standby for UCS C200 or C210
  1
  R2XX-G31032RAIL
  Rail Kit for UCS C200  C210 Rack Servers (23.5 to 36)
  1
  R200-BBLKD
  HDD slot blanking panel for UCS C200 M1 Rack Servers
  3
  R200-BHTS1
  CPU heat sink for UCS C200 Rack Server
  2
  R200-PCIBLKF1
  PCIe Full Height blanking panel for UCS 200 M1 Rack Server
  2
  R200-PCIBLKL1
  PCIe Low Profile blanking panel for UCS 200 M1 Rack Server
  1
  R200-SASCBL-001
  Internal SAS Cable for a base UCS C200 Server
  1
  CON-UCW5-R200BN4W
  UC PLUS 8X5XNBDOS UCSC200M2RckSvr 1x E5506 1x4GB 1PS
  1

  You have the necessary CPU, memory and hard drive specifications for an Express size installation (Reference).
  To install Prime Infrastructure 2.0 you will need to first install VMware ESX/ESXi. This is documented in the same Getting Started Guide I linked to above at this link.
  Once you get that far along, just follow the setup wizard and installation is pretty simple.
  FYI you will get better attention to Prime questions over in the Network Management forum.

• Cisco ISE and WLC Access-List Design/Scalability

  Hi,
  I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
  User group 1 -- Apply ACL 1 --On Vlan 1 
  User group 2 -- Apply ACL 2 -- On Vlan 1
  User group 3 -- Apply ACL 3 -- On Vlan 1
  The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
  Any suggestion is appreciated.
  Thanks.

  Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
  The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
  Overall, I see three ways to overcome your current issue:
  1. Shrink the ACLs by making them less specific
  2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
  3. Use SGT/SGA
  Hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE and WLC Timeout Best Practices

  I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.
  I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.
  Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

  I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.
  Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.
  The session timeout on the PEAP settings has not caused any ill affects at it's default. The session resume has taken a huge load off of AAA though. Its worth turning on.

• Cisco Prime and Radius

  I have setup Prime to use Radius, i can see authenication request to my radius but i keep getting user name and password is incorrect. I have 100's of switches authenticating to this radius server and everything works fine. I have loooked for logs in Prime for radius errors but I can't find anything.
  any suggestions?                  

  What's getting confused is the difference between AUTHENTICation (who are you?) and AUTHORIZation (what are you allowed to do?).  Clearly FreeRADIUS is saying that the AUTHENTICation passed--the credentials were correct--but it's not passing the correct AUTHORIZation information back.  Your IOS devices may bow to "shell:priv-lvl=15", but Prime Infrastructure isn't an IOS device, and has no idea what to do with that.  As well, the login failure mechanism isn't complicated enough yet to reflect to a user the difference between a failed AUTHENTICation or a failed AUTHORIZation.
  There's a sample configuration document about NCS here in the Support Forum:
  Freeradius for NCS config
  All the correct AUTHORIZation attributes--the lines 'cisco-avpair += "NCS:task0=View Alerts and Events",'--from that sample are what you're missing.  The attributes are listed under Administration >  Users, Roles & AAA > User Groups > select a group > Task List hotlink for each group of user.  Remember that there HAS to be a VIRTUAL-DOMAIN attribute, a ROLE attribute and *ALL* of the TASK attributes associated with that group.  The attributes are going to be different from NCS to Prime Infrastructure, and tend to be different from version to version of each product, so you have to use the ones that are listed in whatever version of whatever product you're using right now.
  Once you have FreeRADIUS configured to send the right attributes, to diagnose this full on, go to Administration > Logging, and set the logging level to Trace for the modules AAA, GUI and System, and click Save.  Then change your AAA settings and make a login attempt, allowing it to fail.  When it does, please return to Administration > Logging, and click the Download button to retrieve the logs.zip file.  Look in the ncs-0-0.log file and you'll see the transaction to FreeRADIUS, what Prime Infrastructure has to say to it, what FreeRADIUS says back, and what Prime Infrastructure does with the responses.

• Cisco Prime and ESX 5.1

  Hi
  we are upgrading LMS from 3.2 (windows) to LMS 4.2 and VMWare. But now i recogniced that it only runs with ESX 5.0.
  We only have version 5.1 so does anyone have experience if its running with 5.1 ?
  Is there any plan from cisco for an official version supporting ESX 5.1 ?
  Thanks
  Norbert                     

  Hello Norbert,
  I've once installed LMS 4.2 on ESXi 5.0 and 5.1 for a test enviroment. Installation and running the application works, but the LMS Software is so slow, that when you click on a menuentrie you have to wait up do 45 second until anything happens.
  As Sebastian said, PI 1.x works fine on ESXi 5.0 and 5.1. We're running several PI 1.3 Installations on ESXi 5.1. Installation and running the application works perfect. For installation I've used the .ova files which can be received at the Cisco Download area.
  But if you ask me, if you want to install PI as a new installation you should switch to PI 2.0 which is or will be release in June, if I'm right.
  If you need some installation help, feel free to contact me.
  Kind regards
  Kai

• Cisco Prime 2.1 HA and NFS backup

  Hi,
  I've just configured my Cisco Prime with the external NFS backup server using instruction from the Administration Guide,
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/administrator/guide/PIAdminBook/backup_restore.html#pgfId-1085464
  all works fine but I'm wondering what about HA server? Should I configure all the same steps I did on a primary server?
  Regards
  Gunter

  No, this instruction is for how to configure backup server and how to configure Cisco Prime to be able to use NFS for backup files. It works, I did this and there was no problem during the configuration. The only thing I'm wondering is that I did this on the primary Cisco Prime and not on the HA CP server. So what will hempen if the primary fail and the HA switch over as a primary? Should I configure the same repository on it, should I enable NFS on the HA server also?

• Cisco Prime - extract list of hostnames and their serial numbers.

  Hi all,
  is there a way of extracting a list of hostnames ( for devices in EMEA ) and their associated serial numbers from Cisco Prime and into say a csv file?
  Many thanks,
  Paul

  Hi Paul,
  if you have Prime Infrastructure then  run the below report :
  Report > Report Launch Pad > Device > Detailed Hardware > Detailed Hardware Report Details
  If Prime LMS then :
  Reports > Inventory > Detailed Device
  Hope it will help
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ***

• How view snmp Traps CISCO PRIME 1.2

                     It is posible to view snmp Traps from WLC to CISCO Prime ?? How ?

  Hi Steve :
  I need to view the traps which are generated in the Controller, I need to view that in the Cisco Prime Infractructure. I´ve configured Communities in WLC with IP Address to Cisco Prime and Trap Receiver with IP address to Cisco Prime.
  Now, How can I view these Traps in the Cisco Prime ?.
  Another question , Is it posible to configure Switch from Cisco Prime ?
  Thanks,
  Claudio

• Cisco wireless and Apple Mac woes

  Hello all,
  I've been working with Cisco wireless and WLC's for a couple of years now but the recent onslaught of Apple Mac's is giving me heart burn.  I've seen this at numerous sites now and need to throw it to eht community for guidance.
  Basically we have had a number of instances where the Macs just fall off the wifi.  Sometimes it's when they wake from sleep and other times when roaming between AP's (1131s with same SSID's).  Our standard install is WPA2 and per ap local authentication.  PC's work fine and never an issue.
  We have completed a survey with a spectrum analyser and no RF interefence is present nor errors on the radio interface.
  Questions:
  - Is there a preferred Cisco config/setup for Mac's to work reliably?  I've heard loads of rumors but nothing concrete and nor can I find anything specific.
  - Should I be setting up WDS in case there is an authenticating issue.
  - For those who are Mac gurus and happen to be reading. What Mac options we should look at?
  This has all come to a head because the clients IT company who recommended the Macs (different from us doing the network infrastructure) are insisting that the problem is Cisco incompatibility and that we should rip out the Cisco kit and install airports (what tha!!!).
  Thanks in advance for any pointers.
  For those who like a config here it is .... Vanilla stuff really
  Building configuration...
  Current configuration : 2236 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname AP4
  no logging console
  enable secret xxxxxxxxxxxxxxxxx
  no aaa new-model
  dot11 syslog
  dot11 ssid Home
     vlan 1
     authentication open
     authentication key-management wpa
     guest-mode
     mbssid guest-mode
     wpa-psk ascii xxxxxxxxxxxx
  dot11 ssid avnet
     vlan 2
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii xxxxxxxxxxxxxxxx
  username abcd password 1234
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 1 mode ciphers tkip
  encryption vlan 2 mode ciphers tkip
  ssid Home
  mbssid
  speed  basic-1.0 basic-2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
  channel 2412
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.2
  encapsulation dot1Q 2
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  hold-queue 80 in
  interface FastEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface FastEthernet0.2
  encapsulation dot1Q 2
  no ip route-cache
  bridge-group 2
  no bridge-group 2 source-learning
  bridge-group 2 spanning-disabled
  interface BVI1
  ip address 192.168.10.54 255.255.255.0
  no ip route-cache
  ip default-gateway 192.168.10.1
  no ip http server
  no ip http secure-server
  bridge 1 route ip
  line con 0
  line vty 0 4
  login local
  end

  Yeah!! even i have come across multiple issue with MAC and Cisco.. these are the below settings which i normally do on the cisco gears and most of the times this solved the issue..
  on the IOS AP disable Aironet Extentions and set the poer local and ofdm to max
  no dot11 extension aironet
  power local cck max
  power local ofdm max
  end
  On the WLC, disable Aironet IE..
  lemme know if this answered your question..
  Regards
  Surendra
  ====
  Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

• Cisco Prime Infrastructure 2.1: SNMP Connectivity Failed

  Hi,
  I have discharged all my Cisco devices within Cisco Prime and after a few days and when everything worked correctly one of the switches is displayed with the SNMP error Connectivity Failed, nothing has been changed.
  I deleted and i have returned to create the object but it continues to be the same, I've also tried to create another SNMP community still receiving the same error.
  This is the configuration of snmp in the switch WS-C3850-48P with version 03.02.02.SE
  snmp-server community "community" RW
  snmp-server location "location"
  snmp-server contact "contact"
  snmp-server host 10.180.5.22 version 2c "community"
  Best regards.

  Hi ,
  check if you are getting these errors in "show log" again:
   %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full
  If yes , then either a lot of SNMP polling happening on the device
  or
  CPU utilization is going high sometime , being SNMP as a least priority process , you will see this issue. check for "show proc cpu history"
  It is a device side issue definitely.
  I would suggest to apply a Access-list on the SNMP community string allowing only the
  valid NMS to poll the device
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ***

• E-mail will be suppressed up to 30 minutes for these alarms. Cisco Prime

  Hi
  I'm trying out the email notification in the cisco prime and encountered this issue.
  E-mail will be suppressed up to 30 minutes for these alarms.
  This causes the other AP's that I restart to not send an notification, and I cannot find a way to remove this email suppression.
  I want all the critical emails to be sent and not get dropped.
  Or am I misunderstanding this? I cant find any threshold to change / disable
  Cisco prime 2.0 fyi
  thanks!

  This is still a problem in Prime 2.0.  I opened a case asking how to change the email suppression time period from 30 minutes to 4 hours so that alarms tripped overnight that won't be acknowledged wouldn't result in a flooded mailbox, and was told this is not a configurable option. So apparently the only "fix" is to turn off the alarm, or change the category to a lesser one that won't result in an email being sent.  I hope in a future release they will decide to make this configurable.