Cisco Prime ..unable to add switches

Hi
When I try to add a switch I get the following....
Add Device Failed! Device already exists in the current domain
My SSH parameters should be ok, they work
AND
it's not in the unknown devices group...any ideas?
Steve


Similar Messages

  • Cisco Prime Infrastructure connectivity to Switches

    I am running into an issue with Cisco Prime Infrastructure 2.1 and a couple of our switches.  When I initially added these Cisco 2960's to Prime they had connectivity and they discovered everything correctly.  After a couple of days I can no longer ping my two switches from Prime and Prime from my two switches, I get an unreachable error.  There is no ACL that would be preventing connectivity. Any suggestion on what this may be? 

    This was caused by interface vlan 1 not being shut down on the switch.  Cisco Prime sits on vlan 1 and when it hit the switch it was trying to route back out on vlan 1 which has no ip address assigned.

  • Cisco Prime infrastructure Change severity Switches and hubs - link down alarm

    Hi, I want to change the severity of the link down alarm in the Cisco Prime Infrastructure 1.3, but in the menu Administration -> System Settings -> Severity Configuration I cannot find the alarm. Does somebody know where it is, or where I can change the severity of that alarm?
    Thanks in advance.

    Hi Rollin and Daniel,
    the first test I did changing the severity was with a new installation with no devices added, and it worked. When I did it in a Prime Infrastructure with devices added it didn't work. For this Prime with devices I upgraded it with the patch for the 1.3 version and now it works too; the alarms are OK, as is the alarm severity. This is the link for the patch:
    http://software.cisco.com/download/release.html?mdfid=284652876&flowid=38562&softwareid=284272933&release=1.3.0&relind=AVAILABLE&rellifecycle=&reltype=all
    I hope this helps,
    Regards,
    Milton Tizoc.

  • Cisco Prime unable to connect to TAC Service Requests

    Always had the problem, but now decided to mess around with it. 
    When I try to get Cisco Prime 4.1 to connect to TAC Service Request I get the following error....
    "There was an error while fetching the list of TAC Service Requests: String index out of range: -1"
    I am able to download IOSs and other software with Prime, just not able to connect to TAC.
    Thanks

    Hi Marco,
    actually it took me quite a long time to understand what the problem was. I found that on my CISCO AP I had to put "payload-encapsulation dot1h" on the radio interface to get the WIP310 to communicate with the AP.
    By the way, it seems to me that the phone is a little buggy from the wireless point of view. Sometimes I have to try several times before getting the phone connected to the AP. Once the phone gets connected it's pretty stable, but getting it connected is a nightmare :-)
    Try the above option if you have a Cisco AP. Also try different channels on the AP...it might help
    Hope this will help you
    regards
    Nicola

  • Unable to add switches to CAM via SNMP

    Hello all,
    I am now starting some POC work and was progressing well until I came to adding some 4510 switches to the CAM to control OOB devices.
    I have full IP connectivity between the switch management VLAN interface (the switch is running in layer 2 only) and the CAM eth0 interface over the network with no firewalls in the way.
    I have tried configuring both SNMP versions on the CAM and I have captured the SNMP communication between the switch and the CAM which is being received by the switch and is being responded to. So I have proved that SNMP packets are reaching the various devices. There are no routing or switching issues.
    Would someone please mind giving me a hand and tell me why the CAM cannot control the switch. When you try to add the switch it comes up with a message like "unable to control 10.108.2.15" This is the management VLAN2 on the test switch. I have used test communities public and private respectively on the CAM to match the switch.
    SNMP switch config snippet below. The CAM is at 10.108.100.10.
    snmp-server engineID local 800000090300001D4572F86E
    snmp-server community public RO 10
    snmp-server community private RW 10
    snmp-server trap-source Vlan2
    snmp-server enable traps snmp linkdown
    snmp-server enable traps mac-notification change move threshold
    snmp-server host 10.108.100.10 version 2c private
    snmp-server host 10.108.100.10 version 2c public
    access-list 10 permit 10.108.100.10   (This is the CAM referenced in ACL 10 so the poll will work)
    Thanks kindly,
    Oliver

    Hi again Faisal,
    The switch is a 4510R-R with 2 x SUP6-E's running code 12.2.53SG so the code is very recent. As the SUP6-E's are based on 4900 code I think that may be a clue as to why things are not working; however, the SUP6-E should have full NAC support according to all documentation.
    I would just like to add that our 5508 WLC's cannot be added to the CAM either and they are running version 6.0 WLC code. Again very recent code.
    I can add 3750 switches fine so I know the configs are correct.
    Doing this testing is most frustrating indeed as the NAC products just do not work as they should. I have asked for this to be escalated to our SE so we should get a TAC case raised.
    Faisal if you could be of any additional assistance this would be most appreciated.
    Thanks,
    Oliver

  • 2 Cisco Stacks, need to add switches

    Hello,
    I have 6 x 3750 switches split into 2 stacks (A & B).  This is for our VMware hosts and SANs and it works well.  We have now run out of space and I have been given 2 x ws-3750G-12s-s chassis switches to add, 1 to each stack.   So I have a few questions on adding these to the stacks; here is a diag to help:
    These switches are slightly different to what we are using (in red) and we have to buy the SFP modules as the ports are empty; however, will these switches be compatible?
    I will need to use the same old IOS 12.2(53)?
    I have highlighted in red where I think the stack cables need to go/moved; does it look about right?
    Will pulling these stack cables cause downtime?
    I have to provision the stack to see the 4th switches; is there any reboot required?
    Thanks

    Examples:
    sh platform stack manager all
                     Stack State Machine View
    ==============================================================
    Switch   Master/   Mac Address          Version    Current
    Number   Member                          (maj.min)  State
    1        Master    ####.####.####          1.45        Ready
    2        Member    ####.####.####          1.45        Ready
    3        Member    ####.####.####          1.45        Ready
    sh sdm prefer
     The current template is "desktop routing" template.
     The selected template optimizes the resources in
     the switch to support this level of features for
     8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  3K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    11K
        number of directly-connected IPv4 hosts:        3K
        number of indirect IPv4 routes:                 8K
      number of IPv4 policy based routing aces:         0.5K
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 1K

  • Cisco Prime SNMP Traps Best Practice

    The Cisco Prime documentation recommends configuring switches to send SNMP traps. However it does not give any more details.
    I was wondering what sorts of SNMP traps people in the community are using with Cisco Prime 2.1. I'm looking for some sort of best practice or for an idea of what traps would be the most useful to configure on the switches, to send to Prime.

    Hi,
    SNMP traps need to be configured only on the device end; there is no config that needs to be done on PI.
    You can enable all the traps that you want, e.g.
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps memory-threshold
    snmp-server enable traps interface-threshold
    snmp-server enable traps connection-limit-reached
    snmp-server enable traps cpu threshold rising
    etc......
    and you can monitor them in PI (Administration > System Settings > Severity Configuration, Link down)
    check the below link as well:
    https://supportforums.cisco.com/discussion/11919481/prime-infrastructure-20-link-status-alarms
    Thanks-
    Afroz

  • Cisco Prime Infrastructure 2.1 Inventory Job

    My cisco prime infrastructure performs a switch inventory job every night at 22:00 hrs.  When I looked at the syslog of the devices in the inventory, I see some entries that I never saw with other LMS versions.
    2014-06-30 22:00:01    Local7.Notice    xxx.xxx.xxx.xxx    5410: Jun 30 22:00:00.623 CST: %SYS-5-CONFIG_I: Configured from xxx.xxx.xxx.xxx by snmp
    2014-06-30 22:00:01    Local7.Notice    xxx.xxx.xxx.xxx    5411: Jun 30 22:00:01.567 CST: %SYS-5-CONFIG_I: Configured from console by vty1 (xxx.xxx.xxx.xxx)
    2014-06-30 22:05:10    Local7.Notice    xxx.xxx.xxx.xxx    5412: Jun 30 22:05:09.008 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (xxx.xxx.xxx.xxx)
    I don't understand what the PI is doing with the switches.  Does anyone know what is happening during this inventory background job?  TIA

    Hello all,
    we maybe have the same problem; Cisco Prime IF 2.1 is changing the running-configs and produces out-of-syncs.
    For us it looks as if Cisco Prime IF 2.1 writes an snmp-server host x.x.x.x community entry into the running-config,
    so the running- and startup-config are out of sync; is this correct?  Herbert
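
An added example, not part of the original posts: one way to sort the `%SYS-5-CONFIG_I` entries quoted above by how the change arrived (SNMP or vty) and by whether they fall inside the nightly inventory window. The 22:00 start comes from the post; the 10-minute window length, the 192.0.2.x addresses (192.0.2.50 standing in for the Prime server) and the function names are assumptions made for this illustration.

```python
import re
from datetime import datetime, time, timedelta

# Constructed sample in the format quoted in the post. The masked addresses are
# replaced by documentation addresses; the last line is an extra, made-up event.
SAMPLE_LOG = """\
2014-06-30 22:00:01    Local7.Notice    192.0.2.10    5410: Jun 30 22:00:00.623 CST: %SYS-5-CONFIG_I: Configured from 192.0.2.50 by snmp
2014-06-30 22:00:01    Local7.Notice    192.0.2.10    5411: Jun 30 22:00:01.567 CST: %SYS-5-CONFIG_I: Configured from console by vty1 (192.0.2.50)
2014-06-30 22:05:10    Local7.Notice    192.0.2.10    5412: Jun 30 22:05:09.008 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.50)
2014-07-01 03:12:44    Local7.Notice    192.0.2.10    5413: Jul  1 03:12:43.100 CST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)
"""

ENTRY_RE = re.compile(
    r"^(?P<received>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+(?P<device>\S+)\s+"
    r".*%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<by>.+?)"
    r"(?: \((?P<peer>[^)]+)\))?$"
)


def parse_config_events(text):
    """Return one dict per CONFIG_I line: receive time, device, method, origin."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        by = m.group("by")
        if by == "snmp":
            # "Configured from <address> by snmp": the address is the SNMP manager.
            method, origin = "snmp", m.group("source")
        elif "vty" in by:
            # "Configured from console by vtyN (<address>)": a remote CLI session.
            method, origin = "vty", m.group("peer")
        else:
            method, origin = "console", None
        events.append({
            "received": datetime.strptime(m.group("received"), "%Y-%m-%d %H:%M:%S"),
            "device": m.group("device"),
            "method": method,
            "origin": origin,
        })
    return events


def triage(events, mgmt_hosts, job_start=time(22, 0),
           job_length=timedelta(minutes=10)):
    """Mark events from a known management host inside the job window.

    Everything else is left for a person to look at. The window is evaluated
    on the receive date, so it must not cross midnight.
    """
    result = []
    for ev in events:
        start = datetime.combine(ev["received"].date(), job_start)
        in_window = start <= ev["received"] < start + job_length
        verdict = "job-window" if in_window and ev["origin"] in mgmt_hosts else "review"
        result.append({**ev, "verdict": verdict})
    return result


if __name__ == "__main__":
    for ev in triage(parse_config_events(SAMPLE_LOG), {"192.0.2.50"}):
        print(ev["received"], ev["device"], ev["method"], ev["origin"], ev["verdict"])
```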

  • SYSLOG Cisco Prime LMS

    Hi friends,
    I have a question about my syslog from Cisco Prime LMS 4.1: the hours from this syslog in the LMS are different from my switch log. I don't know why. I verified that the hours between the switch and the Cisco Prime are the same (the LMS is on Windows Server 2008R2). Both are the same log but at different hours, about 5 hours apart.
    Maybe I have to configure the hours for Syslog in the Cisco Prime.
    Log from Switch
    Log from Cisco Prime LMS

    If you have LMS, I am not sure, but if you have PI 1.2, take a look at my post.
    Basically, the syslog feature doesn't work well. I could see a couple of syslogs through event / alarm, but syslog itself is not working properly.
    https://supportforums.cisco.com/message/3861981#3861981

  • Cisco Prime Infrastructure 2.0 Alarms (switch port down)

    We have a cisco Prime Infrastructure 2.0 managing switches, routers and AP.
    By default, when a port of a switch goes down, the Cisco Prime Infrastructure generates a Critical Alarm for that. (This is a problem, because every phone or laptop disconnection will generate a critical alarm for me.)
    I found out that if we go to Administration --> Alarm Severity --> Link down, I can change the Alarm from Critical to another type of alarm (ex: warning).
    The problem is that I want to keep the Critical Alarm for my Uplink ports and for some important switch ports, and I would like to make the alarm a warning for the normal user ports.
    I know that I can create Port Grouping and add ports to each group and apply monitoring templates on those groups. But this couldn't help me solve my alarm problem.
    So I just need to know how to manage the alarms severity for each group of ports.
    Thank you

    Hi,
    Same problem here.
    I am using Cisco Prime Infrastructure 2.0 (evaluation version for 60 days). I want to deploy port monitoring for my trunk ports between switches and some other important ports e.g. servers. Basically I want to get alarms when these ports are down, there are errors on ports and etc.
    So in Design>Port Grouping I created a User Defined group with important ports. In Deploy>Monitoring Deployment I selected Interface Health (default)>Deploy selected Port Groups and then selected the port group I created.
    Now the rule shows Deployed: Yes and Status: Active. After that I just pulled out one port which was in the monitored group, waited 5min as it is set in the Interface Health (default) template, and nothing happened, and worse, alarms started to show up for other ports where regular users are connected (computers were turned off), which I do not want to see at all. I tried to redeploy the template, I even created my own template but still no desired result.
    Any suggestions how to make port monitoring work?

  • Cisco Prime 2.1 - Collection Failure 2950 Series Switch

    Hi All,
    I am trying to add various devices in the Cisco Prime Infrastructure 2.1, but with the following I get a message: Collection Failure (Inventory Collection Status).
    Cisco Catalyst 2950 24 Switch
    Cisco Catalyst 2950G 24 EI DC Switch
    Why can't I sync these devices?
    Kind Regards!
    JEFFERSSONQG

    Leo,
    I think you are not correct ...
    (to be truthful - I hope so ;-) )
    in PI 2.2 the Cat 3550 is listed under the supported devices whereas the Cat 2950, 2955 are not:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-2/release/notes/cpi_rn.html#pgfId-43885
    But the latter are listed as being supported in PI 2.1 (while the Cat 3550 is not...)
    http://www.cisco.com/c/dam/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/supported/devices/pi21-supported-devices-list.xlsx?mdfid=284540974
    So hopefully it is just a matter of time to get them ALL on the list of supported devices for the current version of PI 2.2 ...
    I just saw that for Prime Network (Management SW for Service Providers) they even have Cat 3500XL on the list of supported devices... (but I do not know for which type of management they support these devices, e.g. config, alarming, etc.)
    http://www.cisco.com/c/dam/en/us/td/docs/net_mgmt/prime/network/4-2/supported/vnes/CiscoPrimeNetwork-4-2-SupportedCiscoVNEs.pdf 

  • Cisco ASA 5505 VPN connection issue ("Unable to add route")

    I'm trying to get IPSec VPN working onto a new Cisco ASA5505. Pretty standard configuration.
    Setup:
    * Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
    * PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
    NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
    I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
    First I tried with the built-in ASDM IPSec Wizard, instructions found here.
    VPN clients can connect to the ASA, are connected (until they're manually disconnected), but cannot reach the internal network nor the Internet. Note VPN client can connect fine to a different VPN site (not administered by myself).
    Client logs show following error messages:
    1 15:53:09.363 02/11/12 Sev=Warning/3     IKE/0xA300005F
    Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
    2 15:53:13.593 02/11/12 Sev=Warning/2     CVPND/0xE3400013
    AddRoute failed to add a route with metric of 0: code 160
    Destination     192.168.1.255
    Netmask     255.255.255.255
    Gateway     172.16.1.1
    Interface     172.16.1.101
    3 15:53:13.593 02/11/12 Sev=Warning/2     CM/0xA3100024
    Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
    4 15:54:30.425 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
    5 15:54:31.433 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
    6 15:54:32.445 02/11/12 Sev=Warning/2     CVPND/0xA3400015
    Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
    7 20:50:45.355 02/11/12 Sev=Warning/3     IKE/0xA300005F
    Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
    8 20:50:50.262 02/11/12 Sev=Warning/2     CVPND/0xE3400013
    AddRoute failed to add a route with metric of 0: code 160
    Destination     192.168.1.255
    Netmask     255.255.255.255
    Gateway     172.16.1.1
    Interface     172.16.1.100
    9 20:50:50.262 02/11/12 Sev=Warning/2     CM/0xA3100024
    Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
    I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
    A show run shows the following output (note in the below I have tried a different VPN network: 192.168.3.0/24 instead of 172.16.1.0/24 seen in the Client log)
    Result of the command: "sh run"
    : Saved
    ASA Version 8.2(5)
    hostname AsaDWD
    enable password kLu0SYBETXUJHVHX encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group DW-VPDN
    ip address pppoe setroute
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group DW-VPDN request dialout pppoe
    vpdn group DW-VPDN localname fa******@SKYNET
    vpdn group DW-VPDN ppp authentication pap
    vpdn username fa******@SKYNET password *****
    dhcpd auto_config outside
    dhcpd address 192.168.2.5-192.168.2.36 inside
    dhcpd domain DOMAIN interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DWD internal
    group-policy DWD attributes
    vpn-tunnel-protocol IPSec
    username test password ******* encrypted privilege 0
    username test attributes
    vpn-group-policy DWD
    tunnel-group DWD type remote-access
    tunnel-group DWD general-attributes
    address-pool DWD-VPN-Pool
    default-group-policy DWD
    tunnel-group DWD ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
    : end
    I've installed everything using the CLI as well (after a factory reset). This however yielded exactly the same issue.
    Following commands have been entered:
    ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
    username *** password ****
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 43200
    isakmp enable outside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp nat-traversal
    sysopt connection permit-ipsec
    sysopt connection permit-vpn
    group-policy dwdvpn internal
    group-policy dwdvpn attributes
    vpn-tunnel-protocol IPSec
    default-domain value DWD
    tunnel-group dwdvpn type ipsec-ra
    tunnel-group dwdvpn ipsec-attributes
    pre-shared-key ****
    tunnel-group dwdvpn general-attributes
    authentication-server-group LOCAL
    default-group-policy dwdvpn
    Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
    I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
    The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
    Does anyone know what's going on?

    Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
    Please find my renewed config below:
    DWD-ASA(config)# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname DWD-ASA
    enable password ******* encrypted
    passwd ****** encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.254 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group DWD
     ip address pppoe setroute
    !
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    vpdn group DWD request dialout pppoe
    vpdn group DWD localname *****@SKYNET
    vpdn group DWD ppp authentication pap
    vpdn username *****@SKYNET password *****
    dhcpd auto_config outside
    !
    dhcpd address 192.168.2.10-192.168.2.40 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     svc enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy dwdipsec internal
    group-policy dwdipsec attributes
     vpn-tunnel-protocol IPSec
     default-domain value DWDDOM
    username user1 password ***** encrypted privilege 0
    username user1 attributes
     vpn-group-policy dwdipsec
    tunnel-group dwdipsec type remote-access
    tunnel-group dwdipsec general-attributes
     address-pool vpnpool
     default-group-policy dwdipsec
    tunnel-group dwdipsec ipsec-attributes
     pre-shared-key *****
    tunnel-group dwdssl type remote-access
    tunnel-group dwdssl general-attributes
     address-pool vpnpool
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
    : end
    DWD-ASA(config)#
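
An added example, not part of the thread: a small audit over the security-relevant lines of the second `sh run` posted above, flagging management access open to any source address and the legacy IPsec/IKE choices (DES, 3DES, MD5, Diffie-Hellman groups 1 and 2) that the crypto map actually offers. The excerpt lines are taken from that config; the rule names and function name are made up for this illustration, and the checks say nothing about the "Unable to add route" error itself.

```python
import re

# Lines taken from the second "sh run" in the thread (security-relevant subset).
CONFIG_EXCERPT = """\
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def audit(config):
    """Return a list of (rule, detail) findings for an ASA 8.2-style config."""
    findings = []
    transform_sets = {}   # name -> set of transforms, filled as definitions appear
    ike_policy = None     # number of the isakmp policy block being read, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        # Indented lines after "crypto isakmp policy N" belong to that policy.
        if raw[:1].isspace() and ike_policy is not None:
            parts = line.split()
            if len(parts) >= 2 and parts[1] in LEGACY_IKE.get(parts[0], ()):
                findings.append(("legacy-ike", f"policy {ike_policy}: {line}"))
            continue
        ike_policy = None
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            ike_policy = m.group(1)
            continue
        m = re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            findings.append(("mgmt-any-source", f"{m.group(1)} on {m.group(2)}"))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            transform_sets[m.group(1)] = set(m.group(2).split())
            continue
        m = re.match(r"crypto (?:dynamic-map|map) (\S+) \d+ set pfs group([12])$", line)
        if m:
            findings.append(("legacy-pfs", f"{m.group(1)}: group{m.group(2)}"))
            continue
        m = re.match(r"crypto (?:dynamic-map|map) (\S+) \d+ set transform-set (.+)$", line)
        if m:
            # Only sets a map references are offered to peers; report those.
            for name in m.group(2).split():
                legacy = transform_sets.get(name, set()) & LEGACY_TRANSFORMS
                if legacy:
                    detail = f"{m.group(1)}: {name} ({', '.join(sorted(legacy))})"
                    findings.append(("legacy-transform-offered", detail))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(CONFIG_EXCERPT):
        print(f"{rule:26} {detail}")
```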

  • Cisco Prime Infrastructure 2.2 Rest API XML does not add LF

    I am using several scripts that dig the data from XML files created through Cisco Prime Infrastructure Rest API. It worked fine until 2.1. Now, with 2.2, seems Cisco stopped adding LF to each line and everything is 'one' line.
    Here is an example with 2.1, there is a LF to the end of each line:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <queryResponse type="AccessPointDetails" rootUrl="https://server/webacs/api/v1/data" requestUrl="https://server/webacs/api/v1/data/AccessPointDetails?type=contains(UnifiedAp)&amp;.full=true&amp;.maxResults=1000&amp;.firstResult=0" responseType="listEntityInstances" count="715" first="0" last="714">
        <entity url="https://server/webacs/api/v1/data/AccessPointDetails/1505569" type="AccessPointDetails" dtoType="accessPointDetailsDTO">
            <accessPointDetailsDTO id="1505569" displayName="1505569">
                <adminStatus>ENABLE</adminStatus>
                <apType>AP1240</apType>
                <cdpNeighbors>
                    <cdpNeighbor>
                        <capabilities>Switch IGMP </capabilities>
                        <duplex>Half Duplex</duplex>
                        <interfaceSpeed>100Mbps</interfaceSpeed>
                        <localPort>2</localPort>
                        <neighborIpAddress>10.1.1.1</neighborIpAddress>
                        <neighborName>switch</neighborName>
                        <neighborPort>FastEthernet0/1</neighborPort>
                        <platform>cisco WS-C3560-8PC</platform>
                    </cdpNeighbor>
    Now, with 2.2, there is no LF anywhere:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?><queryResponse type="AccessPointDetails" rootUrl="https://server/webacs/api/v1/data" requestUrl="https://server/webacs/api/v1/data/AccessPointDetails?type=contains(UnifiedAp&amp;.full=true&amp;.maxResults=1000&amp;.firstResult=0" responseType="listEntityInstances" count="715" first="0" last="714">
    <entity url="https://server/webacs/api/v1/data/AccessPointDetails/1505569" type="AccessPointDetails" dtoType="accessPointDetailsDTO">
    <accessPointDetailsDTO id="1505569" displayName="1505569"><adminStatus>ENABLE</adminStatus><apType>AP1240</apType><cdpNeighbors><cdpNeighbor>
    Does anyone know, is this intentional or a mistake? Or is there a way I can control this?
    I am reading the on-line CPI Rest API docs, but cannot seem to find anything.
    Thanks,
    Vlad
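
Added example, not part of the original post and not Cisco's code: reading the AccessPointDetails response with an XML parser gives the same result whether or not the server emits line feeds, and `relayout` restores one element per line for scripts that still read line by line. The sample document is constructed from the fragment above (closing tags added, URL attributes dropped) and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the post, trimmed and closed so it is well-formed.
PRETTY = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<queryResponse type="AccessPointDetails" count="1" first="0" last="0">
    <entity type="AccessPointDetails" dtoType="accessPointDetailsDTO">
        <accessPointDetailsDTO id="1505569" displayName="1505569">
            <adminStatus>ENABLE</adminStatus>
            <apType>AP1240</apType>
            <cdpNeighbors>
                <cdpNeighbor>
                    <capabilities>Switch IGMP </capabilities>
                    <localPort>2</localPort>
                    <neighborIpAddress>10.1.1.1</neighborIpAddress>
                    <neighborName>switch</neighborName>
                    <neighborPort>FastEthernet0/1</neighborPort>
                </cdpNeighbor>
            </cdpNeighbors>
        </accessPointDetailsDTO>
    </entity>
</queryResponse>
"""
# The same document without any whitespace between tags, as 2.2 returns it.
ONE_LINE = "".join(line.strip() for line in PRETTY.splitlines())

def ap_neighbors(xml_text):
    """One dict per CDP neighbour; the result does not depend on line breaks."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rows = []
    for dto in root.iter("accessPointDetailsDTO"):
        for nb in dto.iter("cdpNeighbor"):
            rows.append({
                "ap_id": dto.get("id"),
                "ap_type": (dto.findtext("apType") or "").strip(),
                "neighbor": (nb.findtext("neighborName") or "").strip(),
                "neighbor_ip": (nb.findtext("neighborIpAddress") or "").strip(),
                "neighbor_port": (nb.findtext("neighborPort") or "").strip(),
                "capabilities": (nb.findtext("capabilities") or "").strip(),
            })
    return rows

def relayout(xml_text):
    """Re-indent to one element per line for line-based scripts (Python 3.9+)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for row in ap_neighbors(ONE_LINE):
        print(row)
```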

    PI 2.0 is in Beta mode for testing in closed group already. However it may still take some time to get released on CCO for FCS.
    I think it is expected to be released between Aug-Sep. BU has also started working on CPI 2.1, for which you can see test uploads on CCO.
    What does it have for customers?
    > As Cisco have a vision of one network Management software for both wired and wireless infrastructure, which started getting real partially with Cisco PI.
    As WCS got evolved to NCS and eventually to Cisco Prime Infrastructure, but it doesn't yet have full Management capability for wired infra., which is there with LMS.
    With CPI 2.x Cisco plans to blend entire LMS and WCS features together.
    -Thanks

  • Cannot add WLC 5508 7.2.111.3 to Cisco Prime Infrastructure 2.0

    Though the Cisco Prime Infrastructure Compatibility Matrix lists 7.2.111.3 as supported for PI 2.0,
    I am not able to add the controller to PI 2.0.
    The Reachability Status always shows "Unknow" and the SNMP Status always shows "No response for SNMP Get".
    There is no firewall between the WLC and PI.
    And a ping test shows it is reachable.
    If I try to add the controller by a non-management port (I know it will not work but I want to try the reachability), the Reachability Status shows "Reachable" but the SNMP Status always shows an error.
    And if I use some SNMP testing software to test the SNMP port, SNMP can be quoted.
    I have tried to lower the "Maximum VarBinds per Get PDU" but no luck.
    Anything I can do to troubleshoot the problem?

    Yes, I followed the procedure but it does not work.
    Another update:
    I added another WLC with version 7.0.98.0. It is fine.
    And I set up another new PI 2.0 and a new temporary WLC5508 with 7.2.111.3 to test. It works fine also......
    So, I am wondering whether the existing 7.2 WLC has a problem responding to the SNMP Get. But I don't have any idea how to test....
    Does anyone have an idea how to test the SNMP connection between PI and WLC?

  • Configuring SNMPv3 in switch 2960 and connect to cisco prime 6.3

    hi
    I am configuring the parameters in the switch for SNMP v3 and the Cisco Prime, but I don't get any response
    but, when I configure SNMP version 1, this works
    on the screen in the Cisco Prime, the fields to configure all parameters for SNMPv3 don't appear
    any idea??
    thanks

    Hi ,
    share your SNMPv3 config, or I have attached the sample SNMPv3 config, kindly check or reconfigure it and see if it helps
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***
