Cisco sns-3415 configuration

Hi Team
We bought a new Cisco SNS-3415 ACS configuration. Could somebody please help to configure this for the first time? This is simply my first time on this device, so I look forward to a first-level configuration guide. Please find the configuration details below.
SNS-3415-K9: Small Secure Network Server for ISE NAC & ACS Applications
CON-SNT-SNS3415: SMARTNET 8X5XNBD Small Secure Network
CSACS-3415-K9: ACS application & BASE license for SNS-3415-K9 appliance
CSACS-5-BASE-LIC: Cisco Secure ACS 5 Base License
CSACS-ACCYKIT: Accessory Kit for Access Control System SW on 3415-appliance
SFS-250V-10A-ID: SFS Power Cord - 250V 10A India
SNS-4GBSR-1X041RY: 4GB 1600 MHz Memory Module
SNS-600GB-HDD: 600 GB Hard Disk Drive
SNS-650W-PSU: 650W power supply for C-series rack servers + cord (configur
SNS-CPU-2609-E5: 2.4 GHz E5-2609/80W 4C/10MB Cache/DDR3 1600MHz
SNS-N2XX-ABPCI01: Broadcom 5709 Dual Port 10/100/1Gb NIC w/TOE iSCSI
SNS-RAID-ROM5: Embedded SW RAID 0/1/10 8 ports SAS/SATA
SNS-UCS-TPM: Trusted Platform Module for UCS servers
Thanks
Sreejesh S

Check the Cisco how-to guides for step-by-step configuration; just follow the instructions and you can easily configure the setup. Also, when you first open the ISE there is an option for express setup (auto config), but I would suggest the guide (link given below).
https://www.cisco.com/en/go/trustsec.
**********Do rate Helpful posts************************

Similar Messages

  • ISE 1.2 SNS-3415 NIC Bonding / Teaming

    Hello,
    I have installed the SNS-3415 with ISE 1.2 and I'm trying to set up redundancy (team) NIC modes for the authentication requests and not for management purposes.
    The tests showed that when the one interface was unplugged everything was lost and nobody from our internal users was able to be authenticated by the ISE node.
    In contrast, when I unplugged the "second interface" (probably the inactive one) nothing happened, which shows that it is a useless interface.
    My purpose is to connect it to my twin core switches and have a full high-availability deployment.
    - I have searched enough on the web but I didn't find any clear and precise document saying how this could be achieved.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_hw_ins_ucs.html#wp1185589
    Themis

    ISE 1.2 does not support NIC teaming.  Especially on appliances.  There is a workaround for VM using the ESXi host to team the NICs so that it is transparent to the VM.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Meaning of this error (ISE 1.2 on SNS-3415): HARDWARE RNG INTEGRITY CHECK HAS FAILED!

    Hi. We recently purchased an ISE 1.2 appliance (SNS-3415 hardware). It installed fine, but I am unable to access the GUI. When I login to the box and run the following command on the CLI
    ISE-12-NS-SD-2/admin# show application status ise
    I see the following output:
    ISE Database listener is running, PID: 7737
    ISE Database is running, number of processes: 38
    ISE Application Server process is not running.
    ISE Profiler DB is running, PID: 9090
    ISE M&T Session Database is running, PID: 8959
    ISE M&T Log Collector is running, PID: 9294
    ISE M&T Log Processor is running, PID: 9376
    % ERROR: ISE SERVICES HAVE BEEN DISABLED BECAUSE
    %        HARDWARE RNG INTEGRITY CHECK HAS FAILED!
    Can anyone help me? What can I do to ensure that the hardware RNG integrity check succeeds? Is it a license issue? Is it faulty hardware? Please advise. I would be very grateful.
    Thanks in advance.

    I worked with a TAC engineer on this and he said one other customer had this issue and the only recourse was reimaging the appliance with the ISE 1.2 ISO image.
    I did reboot, restarted services, reset to factory default and none of that worked. It is possible that the issue happened because during setup of the appliance I didn't have network connectivity and went ahead with the setup and configuration of the ISE application anyway. I later had network connectivity but by that time ISE manifested this fault.
    Reimaging and ensuring network connectivity during setup the next time around fixed the problem.

  • Spare parts for SNS-3415

    Hi guys,
    I saw the HW specs of the 3415.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/data_sheet_c78-726524.pdf
    There is a spare part for the disk and for the power supply. Does anyone have experience with whether the ISE software will check for the HW? The SNS server has a hardware RAID controller. I want to know if I can use the RAID controller just for mirroring for HW redundancy.
    The SNS 3415 has two power slots, so I suppose this can be easily done without breaking the 'service' requirements for TAC.
    regards,
    Sander

    Hi Ravi,
    For the OS disk, I'm pretty sure we will run into problems. Like you said, the UNIX distri will check for the HW based on the system ID (the 3415 will have only 1 disk, like the specs of Cisco). So sure, I don't want to run into problems with my service agreement.
    But for the PSU it would be nice to know if I can install this without any issues. Maybe you got the HW in the labs?
    regards,
    Sander

  • ISE SNS-3415-K9 License Issue

    Hi All,
    We are planning to take an ISE SNS-3415-K9 appliance for 2500 wireless endpoints.
    Can you please guide me on how to take the license? Are Base licenses really required for wireless endpoints?
    Your early response will be highly appreciated.
    Regards,
    Satish.

    If you are purchasing Wireless license then Base license is not required, it would support the below services
    Device onboarding/provisioning
    AAA
    Guest provisioning
    Link encryption policies
    Device profiling and feed service
    Host posture
    Cisco Security Group Access
    Integrated vendor MDM support
    Refer : http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.html

  • Cisco ISE migration from VM to SNS 3415 Appliance

    Hi Experts,
    My customer is running an ISE VM (OS is 1.1.1) with a base license, used only for guest authentication. As per the requirement we need to migrate the existing setup to the ISE hardware (1.2).
    Can anyone please help me with the best way to do this?
    I am planning to install a new ISE setup rather than a migration, but I am confused regarding the ISE licensing.
    Thanks in advance
    Regards
    Agnus

    Angus,
    First and foremost, you must have a current, non-expired license.
    The best way to accomplish this is to log in to the Licensing Portal:
    https://tools.cisco.com/SWIFT/LicensingUI/Quickstart#
    Click on Licenses.  Choose the license you would like to transfer to the new 3415 Appliance.
    Note that I have selected two licenses, Base and Advanced.  You can only select ONE LICENSE at a time.  To Re-Host a Base and an Advanced License, you must do this twice.
    Then click Actions > Rehost/Transfer...
    A new window will appear requesting the information from your new 3415 Appliance (you must have already installed ISE on the appliance):
    You can find this information on the new 3415 by going to Administration > Licensing and clicking on the name of your node.
    This is all found in the ISE Admin Guide.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_0111.html#concept_E664BCA9F4164C7F8DE590B7C2C4AD99
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ASA 5505 configuration

    Hi,
    I have configured a Cisco ASA 5505 but I can't get access to the internet using my laptop connected to the ASA. I did not use the console but the graphical interface for the configuration. I changed the inside address of the ASA and it is 192.168.2.1. From the inside I can't ping the material in outside and from outside I can't ping the laptop connected to the ASA.
    Here is my configuration:
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.2(5)
    hostname xxxxxxxxxxxxxxxxx
    domain-name xxxxxxxxxxxxxxxxxxx
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxxxxx encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.1.48 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name processia.com
    access-list outside_access_in extended permit ip any any
    access-list icmp_out_in extended permit icmp any any
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ipv6 access-list outside_access_ipv6_in permit ip any any
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group icmp_out_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.2.2-192.168.2.129 inside
    dhcpd dns 80.10.246.2 80.10.246.129 interface inside
    dhcpd ping_timeout 5000 interface inside
    dhcpd domain xxxxxxxxxxxxxxxxx interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    policy-map global_policy
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e
    : end
    Thank you for your help

    Hi Sylla,
    The static route you have configured for Internet access needs to be corrected:
    route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
    The next hop address should be your ISP's gateway IP address and not the ASA's outside interface IP. Currently, both are configured for 192.168.1.48.
    -Mike
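
The check Mike describes can be automated when reviewing a saved ASA configuration. The following is an added example, not part of the thread: it flags a static route whose next hop is the ASA's own interface address and, going one step beyond the reply, a next hop that lies outside that interface's subnet. Function names and finding labels are hypothetical; the sample configuration is constructed from lines quoted in the question.

```python
import ipaddress
import re

# Constructed sample: the interface and route lines quoted in the question above.
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.48 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
"""

# route <nameif> <destination> <mask> <next-hop> [metric]
ROUTE_RE = re.compile(r"^route (\S+) \S+ \S+ (\S+)")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for interfaces with a static address."""
    interfaces, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # a new interface block starts; forget the old name
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif nameif and (m := ADDR_RE.match(line)):
            try:
                interfaces[nameif] = ipaddress.IPv4Interface("/".join(m.groups()))
            except ValueError:
                pass  # e.g. "ip address dhcp setroute": no static address
    return interfaces


def check_static_routes(config):
    """Return a list of (route line, finding label) for suspicious next hops."""
    interfaces = parse_interfaces(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        nameif, next_hop = m.groups()
        try:
            gateway = ipaddress.IPv4Address(next_hop)
        except ValueError:
            continue  # not an IPv4 next hop; out of scope for this check
        iface = interfaces.get(nameif)
        if iface is None:
            findings.append((line, "interface-has-no-static-address"))
        elif gateway == iface.ip:
            # The case from the thread: the ASA would forward to itself.
            findings.append((line, "next-hop-is-own-address"))
        elif gateway not in iface.network:
            # Next hop is not reachable on the directly connected subnet.
            findings.append((line, "next-hop-off-subnet"))
    return findings


if __name__ == "__main__":
    for route, label in check_static_routes(SAMPLE_CONFIG):
        print(f"{label}: {route}")
```
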

  • Cisco ASA 5505 Configurations. Help... Beyond Frustrated

    Hello All,
    I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
    I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
    hostname AMDASA
    domain-name asa.(mydomain).com
    enable password (encrypted)
    passwd (encrypted)
    interface Ethernet0/0
    description TWCoutside
    switchport access vlan 2
    no shutdown
    write mem
    exit
    interface Ethernet0/1
    description Port1inside
    switchport access vlan 1
    no shutdown
    write mem
    exit
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.250 255.255.255.0
    write mem
    exit
    interface Vlan2
    nameif outside
    security-level 0
    ip address 24.39.245.36 255.255.255.240
    write mem
    exit
    object-group icmp-type DefaultICMP
    description Default ICMP Types permitted
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    write mem
    exit
    ftp mode passive
    write mem
    clock timezone EST -5
    clock summer-time EDT recurring
    write mem
    exit
    dns server-group DefaultDNS
    domain-name asa.adcmotors.com
    write mem
    exit
    access-list acl_outside extended permit icmp any any object-group DefaultICMP
    access-group acl_outside in interface outside
    access-list acl_inside extended permit icmp any any object-group DefaultICMP
    access-group acl_inside in interface inside
    write mem
    exit
    write mem
    That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!

    Hi our desperate friend.
    First I would suggest using the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler, and for the SSL VPN you would need to install the client on the ASA and purchase an additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you don't have it or don't have access to download it from cisco.com, go to the person from whom you purchased your ASA and ask him how to get it.
    That said, I also think that your ASA lacks some basic configuration as of now. If you are planning to use this as a replacement for your current PIX, you would need to configure a default route and some basic NAT:
    route outside 0.0.0.0 0.0.0.0 24.39.245.33
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0  255.255.255.0
    Now, regarding the VPN Client configuration, you would need to do something like this:
    Create an isakmp policy:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha    
    group 2
    lifetime 86400
    Create a couple of ACLs that we will use later:
    access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list split_tun standard permit 192.168.0.0 255.255.255.0
    Create a Pool for the VPN Clients to use:
    ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    Create a Group Policy:
    group-policy TEST internal
    group-policy TEST attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tun
    Create a group:
    tunnel-group TEST type ipsec-ra
    tunnel-group TEST general-attributes
    address-pool TestPool
    authentication-server-group ABTVPN
    default-group-policy TEST
    tunnel-group TEST ipsec-attributes
    pre-shared-key cisco123
    Create crypto map and do a NAT 0:
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface outside
    nat (inside) 0 access-l nonat
    Finally create a user that you will use to connect:
    username test password test123
    Then you would need to configure your VPN Client to connect with the ASA.
    Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
    I hope this helps. Feel free to ask if you have any questions. Also, it would be very useful if you could upload the current config (show run) of the ASA in case you need to ask something else.
    Have fun.
    Raga

  • Cisco Wireless AP configuration as DHCP

    I have 10 Cisco 1242 wireless APs in my office. 04 of them will be relocated to a different place where we don't have any DHCP server. I would like to configure those APs as DHCP providers for their associated clients.
    It is possible, I know, but I don't know how to accomplish that.
    Is there anyone who can answer this? If yes, please let me know from which option, CLI or web view, I can configure those APs.
    Regards,
    Sayeed.

    Hi,
    Here is the link which tells us how to accomplish the task. But make sure: the IP addresses will be leased by the AP in the management IP subnet only. Please check the doc below before implementing.
    http://www.cisco.com/en/US/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap5-admin.html#wp1090319
    Lemme know if this answered your question!!
    Regards
    Surendra

  • Cisco ISE managing configuration

    Is there a built-in mechanism for revision control in Cisco ISE? If not built-in, then what is the other way? I have been trying to look for documentation online but didn't find any.
    Just to explain what I am looking for:
    A way to properly manage all the configuration changes to an ISE node. Changes are usually identified by a number or letter code, termed the "revision number". For example, an initial set of files is "revision 1". When the first change is made, the resulting set is "revision 2", and so on. Each revision is associated with a timestamp and the person making the change. Revisions can be compared, restored, and with some types of files, merged.
    I ask this because "show run" output in ISE CLI does not give all the configuration details. How can we maintain the history of configurations?
    PS: I rate useful posts
    Thanks,
    Kashish

    There is not a way to track which version a specific ISE configuration is on. The ADE-OS configuration, or CLI configuration, typically is static once the repositories, DNS info, etc. is all set and done. For the application database you can set up a timer where an automatic backup is generated; from there you can manage what dates a backup is good for.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE log configuration commands entered on routers

    Hello,
    I am trying to migrate from Cisco ACS to ISE.
    I want to log configuration commands entered on routers.
    I have configured the routers to send accounting radius to ISE but ISE sees the messages as:
    "22003  Missing attribute for authentication
    11014  RADIUS packet contains invalid attribute(s)"
    Can I configure ISE to receive radius accounting messages ?
    Is there another way to configure ISE to log configuration commands ?
    Another way would be to send syslog messages using the archive configuration on routers, but I cannot find the syslog messages on ISE.
    Regards,
    Bogdan

    You should post your question on the AAA forum
    https://supportforums.cisco.com/community/netpro/security/aaa
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Re: Help on Cisco UC 520 Configuration

    Dear All,
    I am new to UC 520 Call Manager Express and Cisco Unity Express. I would like help in solving the following problems encountered during the config of the latter:
    1. Call Transfer
    - When I transfer a call, I need to know if the other person to whom the call will be transferred is available or not,
    - if possible I should be able to put the current person on hold and call the other person and see if he is available or not before doing the transfer
    - if ever a call is being transferred and the other person is busy or unavailable, the call should be reverted back or forwarded to another number instead of going to voicemail.
    2. Configuring phones for call conferencing.
    Please note the following details:
    Unity Express Version being used: 3.0
    Thanks in advance

    Hi
    1. In order to get transfers working the way you like, ensure you create ephone-dns as 'dual-line' - this allows one call to be on hold whilst a 'transfer' call is made outbound. Also ensure transfer-system full-consult is configured under 'telephony-service' mode. Basically transfers then are two-step - whilst on a call, hit transfer then dial the target extension. If they answer, announce the caller and hit 'transfer' again, or hit 'end call' to go back to the original caller.
    2. You can enable three-party conferences by setting 'max-conferences' under telephony-service. It works the same way as transfer; hit 'Confrn' to start whilst on a call, dial another phone, and then when they answer Confrn again to set up the conference.
    Regards
    Aaron
    Please rate helpful posts..

  • Cisco WLC 2125 configuration help

    So in a nutshell, from my computer I can ping all VLANs - everything seems to be in working order.
    When I telnet to the HP 5406zl core routing switch I can ping all VLANs and other parts of the network.
    But when logged into the Cisco Wireless LAN Controller I can't ping the VLAN 108 gateway IP (172.24.156.2) from the neighbour switch or other services on this VLAN,
    for example I can't ping the DHCP on this VLAN from the WLC.
    The neighbour switch can ping the IP of the management interface created on the WLC
    WLC can't ping VLAN 108
    WLC can ping all other VLANs 102, 104, 106
    Not sure where the problem is?
    Configure Dynamic Interfaces on the WLC for the Guest and Internal Users - DONE
    Create WLANs for the Guest and Internal Users - DONE
    Configure the 5406zl Layer 2/3 Switch Port that Connects to the WLC as Trunk Port allowing the relevant vlans i.e. management vlan, vlan 102 and Vlan 108 - DONE
    Configure the Switch Port that Connects to the AP to VLAN 102 - DONE
    configure virtual interface IP 1.1.1.1 - DONE
    Configure the Router for the WLANs - DONE
    LAP is registered to the WLC - DONE
    WLAN and SSID broadcast - OK

    Not at present it is not; the port on the 5406zl that the WLC is connected to was set up as a trunk group with all VLANs tagged. When I tried this I lost all connectivity to the WLC. Is there something on the WLC that needs changing also?

  • Cisco Standalone AP configuration

    Hi All,
    AP 1600 radios are automatically disabled if I configure WEP for Shared authentication. What can be the issue?

    See whether your configuration is done correctly. The document below may help you:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080c1e263.shtml
    As you know, this is not a good security mechanism and you should not configure it unless the client only supports WEP.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Cisco 6800 SSO configuration

    Hi All,
    I am trying to find the guide on how to configure the SSO for the two supervisor engines. I am trying to recall if secondary ip addresses were required for the secondary supervisor for the SSO to work. Can someone guide me on this?

    Hi,
    There is no need for any secondary IP address. When one sup fails, the backup sup will take over all the functionality of the primary sup.
    Here are the configs:
    Make sure you have the same exact IOS in both sups.
    Router> enable
    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# redundancy
    Router(config-red)# mode sso
    Router(config-red)# end
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/nsfsso.html#wp1119694
    HTH
