Generating a CSR from Cisco TelePresence Profile 52/55 C40

Similar Messages

• How to generate / renew CSR for Cisco AppSpace technology

  Hi all,
  I'm not align on AppSpace technology and CSR renewing and I'd like to know from the community some steps in order to renew our certificate used by  AppSpace.
  Exist some simple steps to perform this renew?
  I have to contact our Certificate Authority in order to do this or I can do it by myself?
  Many regards.

  Hi all,
  I'm not align on AppSpace technology and CSR renewing and I'd like to know from the community some steps in order to renew our certificate used by  AppSpace.
  Exist some simple steps to perform this renew?
  I have to contact our Certificate Authority in order to do this or I can do it by myself?
  Many regards.

• Any ways to receive calls only from address book on Cisco Telepresence SX20?

  I have been receiving numerous unknown calls on my conference call device and I would like to know if there are any ways to block these calls or even possibly only receive calls on the address book.

  In the Bug Search, I see this info (it won't let me cut and paste the rest of the page but it's bug search CSCue55239:
  Last Modified:
  Feb 3,2015
  Status:
  Fixed
  Severity:
  2 Severe
  Product:
  Cisco Telepresence Integrator C Series
  Support Cases:
  103
  When it says "Status:  Fixed" and Known Fixed Releases: is a version older than the one we use, does that mean that the problem should be resolved from that firmware version forward? Also wondering if "Fixed" means that we still need to do the workaround to fix the problem on ALL versions of firmware, or just the ones prior to 6.2.0 ? Thanks.
  Known Affected Releases:
  (1)
  5.1.2
  Known Fixed Releases:
  (1)
  6.2.0

• Ask the Expert: Cisco TelePresence for the Enterprise

  Welcome to the Cisco® Support Community Ask the Expert conversation.  This is an opportunity to learn and ask questions about Cisco Telepresence® for the enterprise. 
  Cisco experts Jaret, Fernando, and Fred will be covering all Cisco TelePresence products.  Topics include Cisco TelePresence endpoints and TelePresence infrastructure such as the Cisco TelePresence Video Communication Server (VCS), Cisco Expressway Series, Cisco Unified Communication Manager (CallManager), Cisco TelePresence Servers (MSE 8710, on Virtual Machine, etc.), MCU (MSE 8510, etc.), Cisco TelePresence Management Suite (TMS), and all other Cisco TelePresence related devices.
  Jaret Osborne is an 8-year Cisco Advanced Services veteran.  In his Advanced Services tour, Jaret has covered all aspects of Cisco Unified Communications and TelePresence products, including both enterprise and service provider verticals. Most recently Jaret has been working with global service providers supporting their Cisco TelePresence as a Service offerings while also incubating new cloud services at Cisco.
  Fernando Rivas is a Cisco Advanced Services NCE, starting in the Cisco Technical Assistance Center (TAC), 2007, on the Collaboration Technology Team mastering the Cisco Unified Communication  technologies and specialized in call control CUCM,VCS) and  conferencing (MeetingPlace, Telepresence). In 2011, he joined Cisco Advanced Services as a member of the Cisco Collaboration team and participated in several Cisco TelePresence and video-related technologies deployments. Currently he is a member of the Video Cloud Technology Team, supporting video exchanges in several and architecting new private video cloud solutions for large enterprises. Fernando holds a routing and switching CCIE® certification (22975).
  Fred Mollenkopf  is a Cisco Advanced Services Network consulting engineer working at Cisco for the last 7 years. Fred has led some of the largest Cisco Unified Communication and Collaboration deployments done for Cisco customers and partners. Over 15 years’ experience in data networking with a specialization in Cisco Unified Communications in 2004. Currently he is a member of the SP Video Advanced Services Team, supporting SP video exchanges and the Cisco Telepresence solutions.  Fred maintains an active CCIE® in Voice (17521).
  Remember to use the rating system to let Jaret, Fernando, and Fred know if you have received an adequate response. 
  Because of the volume expected during this event, Jaret, Fred, and Fernando might not be able to answer every question. Remember that you can continue the conversation in the Collaboration, Voice and Video Community, under the sub-community TelePresence, shortly after the event. This event lasts through August 15, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Tenaro,
  Additionally here are the most common login issues.  Unfortunately this includes items related to Presence implementation but I commented where we did not use these in our lab setup for CUCM Phone Capabilities only.  
  Login Issues
  Problem:
  Jabber Unable to Sign-in Through MRA
  Solution
  This can be caused by a number of things, a few of which are outlined below.
   1.  Collaboration Edge SRV record not created and/or port 8443 unreachable
  For a jabber client to be able to login successfully using MRA, a specific collaboration edge SRV record must be created and accessible externally. When a jabber client is initially started it will make server DNS SRV queries:
  _cisco-uds : this SRV record is used to determine if a CUCM server is available.
  _cuplogin : this SRV record is used to determine if an IM&P server is available.
  _collab-edge : this SRV record is used to determine if MRA is available.
  If the jabber client is started and does not receive an SRV answer for _cisco-uds and _cuplogin, and does receive an answer for _collab-edge then it will use this answer to try to contact the Expressway-E listed in the SRV answer.
  The _collab-edge SRV record should point to the FQDN of the Expressway-E using port 8443. If the _collab-edge SRV is not created, or is not externally available,  or if it is available, but port 8443 is not reachable, then the jabber client will fail to login.
   2.  Unacceptable or No Available Certificate on VCS Expressway
  After the jabber client has received an answer for _collab-edge, it will then contact the expressway using TLS over port 8443 to try to retrieve the certificate from the expressway to setup TLS for communication between the jabber client and the expressway.
  If the Expressway does not have a valid signed certificate that contains either the FQDN or domain of the Expressway, then this will fail and the jabber client will fail to login.
  If this is occurring, the you should use the CSR tool on the Expressway, which will automatically include the FQDN of the expressway as a Subject Alternative Name.
  MRA requires secure communication between the Expressway-C and Expressway-E, and between the Expressway-E and external endpoints.
  Expressway-C Server Certificate Requirements:
  The Chat Node Aliases configured on the IM&P servers. This is required if you are doing XMPP federation.  The Expressway-C should automatically include these in the CSR provided that an IM&P server has already been discovered on the Expressway-C.
  The names in FQDN format of all Phone Security Profiles in CUCM configured for TLS and used on devices configured for MRA. This allows for secure communication between the CUCM and Expressway-C  for the devices using those Phone Security Profiles.
  Expressway-E Server Certificate Requirements:
  All domains configured for Unified Communications. This includes the domain of the Expressway-E and C, e-mail address domain configured for Jabber, and any presence domains.
  The Chat Node Aliases configured on the IM&P servers. This is required if you are doing XMPP federation. 
  The MRA Deployment guide describes this in greater detail on pages 17-18. (http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Mobile-Remote-Ac...
  Note: In our lab for testing Phone Capabilities only, we did not include the Chat Node Aliases in the certificate as we were not using IM&P.
   3.  No UDS Servers Found in Edge Config
  After the Jabber client successfully establishes a secure connection with the Expressway-E, it will ask for its edge config. This edge config will contain the SRV records for _cuplogin and _cisco-uds. If these SRV records are not returned in the edge config, then the jabber client will not be able to proceed with trying to login.
  To fix this, make sure that _cisco-uds and _cuplogin SRV records are created internally and resolvable by the Expressway-C
  More information on the DNS SRV records can be found on page 10 of the MRA deployment guide for X8.1.1 (http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-1/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-1-1.pdf)
  Note: In our lab for testing Phone Capabilities only, we did not include the DNS SRV for _cuplogin.
   4.  The Expressway-C logs will indicate the following error: XCP_JABBERD  Detail="Unable to connect to host '%IP%', port 7400:(111) Connection  refused"
  If Expressway-E NIC is incorrectly configured, this can cause the XCP server to not be updated. If the Expressway-E meets the following criteria, then you will likely have this issue:
  Using a single NIC
  Advanced Networking Option Key is installed
  Use Dual Network Interfaces option is set to “Yes”
  To correct this problem, change the “Use Dual Network Interfaces” option to “No”
  The reason this is a problem is because the Expressway-E will be listening for the XCP session on the wrong network interface, which will cause the connection to fail/timeout. The Expressway-E listens on TCP port 7400 for the XCP session. You can verify this by using the netstat command from the VCS as root.
  Note: We used a Dual Network Interface Expressway for testing but were not using XCP, so this was not applicable to us.
   5.  VCE-E Server hostname/domain name does not match what is configured in the _collab-edge SRV.
  If the Expressway-E Server hostname/domain name does not match what was received in the _collab-edge SRV answer, the jabber client will not be able to communicate to the Expressway-E. The Jabber client uses the xmppEdgeServer/Address element in the get_edge_config response to establish the XMPP connection to the Expressway-E.
  This is an example of what the xmppEdgeServer/Address would look like in the get_edge_config response from the Expressway-E to the Jabber client:
  <xmppEdgeServer>
  <server>
  <address>ott-vcse1.vcx.cisco.com</address>
  <tlsPort>5222</tlsPort>
  </server>
  </xmppEdgeServer>
  To avoid this, make sure that the _collab-edge SRV record matches the Expressway-E hostname/domain name. Enhancement CSCuo83458 has been filed for this. 
  Note: This was one of our issues when we first setup.  We adjusted our Expressway-E to insure the below:
  System > Administration > System Name this was the FQDN
  System > DNS > System Host Name was the host portion of the FQDN
  System > DNS > Domain Name was the domain portion of the FQDN
  System > Clustering > Cluster Name (FQDN for Provisioning) was the FQDN
   6. Unable to log into certain IM&P servers. VCS logs say "No realm found for host cups-example.domain.com, check connect auth configuration"
  From the Expressway-E, go to Configuration -> Unified Communications -> IM&P Servers. Open each server and click "Save" again. Not sure exactly why this happens.
  Note:  This was N/A to our test and can be ignored with Phone Capabilities only.
  Thanks
  Fred

• How  to  generate  an  alert  from  within  a  workflow?

  Hi Experts,
  Let  me  describe  my  scenario. Presently  I  am  working  in  CRM 5.0. There is a need  to generate an alert from my workflow . This alert   should  be generated in the Web Client in  a  particular tab only.
    Now I have identified a function module called  'SALRT_CREATE_API'  which can be  used to generate alerts. But  in  that  function  module  one  of  the  import  parameters is   'IP_Category'  which accepts  the category of the alert . Now the  alerts  in  the WebClient do not have any such thing as 'Alert Category' . They only possess 'Alert Id' and 'Alert Class'. (spro => SAP Reference Img => Customer Relationship Management => Interaction Center Webclient =>Basic functions => Define Alert  and Alert Profiles ).
  So  please suggest  me  some  solution.
  Thanks & Regards ,
  Samrat Dutta

  Hi,
  I am not sure whether you have gone through this documentation:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/45/732041c877f623e10000000a155106/content.htm
  Which mentions that you will have to maintain the Alert Category. You can use transaction SALRTCATDEF to define your alert. You will have to maintain the Business Object from where you are triggering the alert.
  If you need it via Business workflow then you can see the documentation:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/43/8f507464246353e10000000a11466f/content.htm
  Hope this helps,
  Sudhi

• Cisco Telepresence and Meeting Place Integration with Third Party Call Pros

  Dear colleages:
  i want to ask if Cisco Telepresence can integrate with 3rd party call processing systems.
  as my project has already existing Nortel Communication Server 1000,
  which supports:
  Operating System: VXWorks and Linux
  Network Signaling Protocols: H.323v4, MCDN, SIP, LDAP, QSig, QSS, in band and DPNSS
  Trunking Support:
  IP:IP Virtual Trunks using IP Peer Networking over H.323 or SIP
  Digital: DTI, ISDN-PRI, ISDN-BRI
  Analog: Loop and Ground Start CO, FX, WATS, two or four wire E&M, four wire DX, DID, TIE, RAN Paging.
  and i want to build Video Converence system over the WAN.
  please to tell me if that integration is possible and what is the design components that is required for such project to be handled from A- to Z.
  Regards,

  I have been told that i need to use SIP protocol API instead of TAPI to have a TRUE VOIP Windows solution.
  Could you guys please tell me the difference between SIP API and TAPI?
  And could you please suggest a way which API (SPI or TAPI) the OnCast solution is based on (http://www.litescape.com/oncastsoftware.html) - we have to develop something similar.
  Thank you for your replies,
  Alexey

• Passing args to: Cisco Telepresence Movi.msi

  Hi -
  I'm working with Movi 4.2 and am using the Cisco Telepresence Movi.msi because I'm creating my own installer.
  I'm trying to pass these arguments to it for a silent install:
  /quiet DOMAIN=transport-you.com EXTERNALVCS=transport-you.com HIDEADVANCEDLOGIN=1
  The Movi_Administrator_Guide_4-2.pdf says I can set these properties but for some reason it's failing when I run it. Here's an example error msg:
  The system cannot find the file DOMAIN=transport-you.com.
      while executing
  "::InstallJammer::actions::$component $this"
  Error in action LaunchFile
  What am I missing here?

  Hi Mattew!
  Use the .exe installer file provided in the zip file!
  The MSI would be used if you want to build your own software package.
  From the admin guide:

• Need to generate a CSR for a new Lync 2013 Edge server

  I am upgrading my Lync 2010 Edge to 2013. Part of the process is exporting all the certificates on the 2010, some public, and eventually importing them into my 2013 Edge. I have a problem with one certificate that was generated by our internal CA for the
  2010 server itself named servername.domain.local. Since my new Edge will be renamed to the same name as the old Edge, I was planning on exporting this certificate but the private key can't be exported. The option is grayed out.
  I need to therefore figure out how to get a certificate on my new Edge. No Lync software has been installed yet. What is the best way to generate a CSR so I can manually create a certificate on my internal CA. Since I don't have access to the internal CA
  from the DMZ, I need to do it this way. I am thinking maybe the MMC but maybe Windows PowerShell? Once I get the CSR generated, I will figure out how to create a certificate on my internal CA.
  I know I can do it during the Lync install but I wanted to have it ready on the server when installing.

  The option is most likely grayed out, because the private key was not marked as exportable.
  Now, you can either request the certificate by using the Deployment Tool and requesting the certificates, selecting offline and then manually copying the CSR to your Internal CA (and the certificate back)
  Or you can use Powershell and do a Request-CsCertificate (see here: http://technet.microsoft.com/en-us/library/gg425723.aspx)
  Try something like this: Request-CsCertificate -New -Type Internal -ComputerFqdn "lyncedge.domain.com" -FriendlyName "Internal Edge"
  -Template jcila -PrivateKeyExportable $True -DomainName "edge.domain.com" -Output C:\path\test.req​
  If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
  Georg Thomas | Lync MVP
  Blog www.lynced.com.au | Twitter
  @georgathomas
  Lync Edge Port Check (Beta)
  This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• I have Cisco TelePresence SX10 and content sharing is not working when I am dialing through the bridge

  I have Cisco TelePresence SX10 and content sharing is not working when I am dialing through the bridge, I can share the content if I drag and drop from RMX, but if schedule the call in Resource manager or manually dial in from device the content is not going to other hand, I have tried to turn off encryption as well but still same issue. can you please help me out with this. I am from Lion co and purchased sx 10 recently.
  regards
  Hemang

  Can you please provide us with a little more information on your systems and configuration / topology, such as, what call control are you using (Cisco VCS, CUCM, other?). what type of "Bridge" are you using (is this a Cisco MCU, or Cisco TelePresence Server, or other device?), what versions of the software are on each of the devices, etc.  The more information we have about your environment will help us assist you better.  But saying that, if all your core equipment isn't Cisco, you may have more luck in the forums for the manufacturer of such equipment (ie Polycom's Support Community).
  Wayne
  Please remember to rate responses and to mark your question as answered if appropriate.

• RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE

  Dear Team,
  I have faced an issue with dot1x mab authorization between cisco switch 3750 and ISE 1.1. I have cisco IP phone connected on port # gig1/0/1 to authenticated through MAB with cisco ISE
  int gig 1/0/1
  switchport mode access
  switchport access vlan 9
  switchport voice vlan 410
  authentication order mab dot1x
  authentication priority dot1x mab
  spanning-tree portfast
  authentication host-mode multi-domain
  authentication port-control auto
  dot1x pae authenticator
  mab
  dot1x timeout tx-period 3
  dot1x max-reauth-req 2
  authentication periodic
  authentication timer reauthenticate server
  I can get authentication successfuly but can't download the authorization profile on the gig1/0/1 port since I can see that everything seems fine from the ISE side. the phone is authenticated and authorized fine. so, I debug the dot1x & radius flows from the switch side and get this result.
  RADIUS/ENCODE(00000043):Orig. component type = Dot1X
  RADIUS(00000043): Config NAS IP: 1.1.1.2
  RADIUS(00000043): Config NAS IPv6: ::
  RADIUS/ENCODE(00000043): acct_session_id: 57
  RADIUS(00000043): sending
  RADIUS(00000043): Sending a IPv4 Radius Packet
  RADIUS(00000043): Send Access-Request to 1.1.1.1:1812 id 1645/72, len 261
  RADIUS:  authenticator 82 94 D8 85 E9 E0 CF 71 - 03 FE C5 BA 76 EC 76 C4
  RADIUS:  User-Name           [1]   14  "00152bd20c19"
  RADIUS:  User-Password       [2]   18  *
  RADIUS:  Service-Type        [6]   6   Call Check                [10]
  RADIUS:  Vendor, Cisco       [26]  31 
  RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
  RADIUS:  Framed-MTU          [12]  6   1500                     
  RADIUS:  Called-Station-Id   [30]  19  "30-F7-0D-CD-5F-01"
  RADIUS:  Calling-Station-Id  [31]  19  "00-15-2B-D2-0C-19"
  RADIUS:  Message-Authenticato[80]  18 
  RADIUS:   90 B9 61 65 CC A6 B2 89 BC C8 3D DC D4 14 03 C5               [ ae=]
  RADIUS:  EAP-Key-Name        [102] 2   *
  RADIUS:  Vendor, Cisco       [26]  49 
  RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8424200000036001B2AAE"
  RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
  RADIUS:  NAS-Port            [5]   6   50101                    
  RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/1"
  RADIUS:  Called-Station-Id   [30]  19  "30-F7-0D-CD-5F-01"
  RADIUS:  NAS-IP-Address      [4]   6   1.1.1.2                  
  RADIUS(00000043): Started 5 sec timeout
  RADIUS: Received from id 1645/72 1.1.1.1:1812, Access-Accept, len 297
  RADIUS:  authenticator D5 2C 29 3B AC C8 A7 2F - A4 75 45 F5 51 6D 4F A8
  RADIUS:  User-Name           [1]   19  "00-15-2B-D2-0C-19"
  RADIUS:  State               [24]  40 
  RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 43 30  [ReauthSession:C0]
  RADIUS:   41 38 34 32 34 32 30 30 30 30 30 30 33 36 30 30  [A842420000003600]
  RADIUS:   31 42 32 41 41 45            [ 1B2AAE]
  RADIUS:  Class               [25]  50 
  RADIUS:   43 41 43 53 3A 43 30 41 38 34 32 34 32 30 30 30  [CACS:C0A84242000]
  RADIUS:   30 30 30 33 36 30 30 31 42 32 41 41 45 3A 69 73  [00036001B2AAE:is]
  RADIUS:   65 33 2F 31 35 30 33 30 36 35 37 38 2F 33 38 36  [ e3/150306578/386]
  RADIUS:  Termination-Action  [29]  6   1                        
  RADIUS:  Message-Authenticato[80]  18 
  RADIUS:   09 17 84 AB 27 8E B4 E0 F4 A6 93 EE 19 2A A6 34               [ '*4]
  RADIUS:  Vendor, Cisco       [26]  34 
  RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
  RADIUS:  Vendor, Cisco       [26]  75 
  RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4fe7f797"
  RADIUS:  Vendor, Cisco       [26]  35 
  RADIUS:   Cisco AVpair       [1]   29  "profile-name=Cisco-IP-Phone"i
  RADIUS(00000043): Received from id 1645/72
  RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
  %MAB-5-SUCCESS: Authentication successful for client (0015.2bd2.0c19) on Interface Gi1/0/1 AuditSessionID C0A8424200000036001B2AAE
  %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.2bd2.0c19) on Interface Gi1/0/1 AuditSessionID C0A8424200000036001B2AAE
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN: Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1. 802.1x is incompatible with RSPAN AuditSessionID C0A8424200000036001B2AAE
  RADIUS/ENCODE(00000000):Orig. component type = Invalid
  so, I notice two things :-
  1-" RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE " on the radius attribute since I beleive that I configure the radius vsa attribute fine as shows
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting system default start-stop group radius
  aaa session-id common
  aaa accounting update periodic 5
  aaa server radius dynamic-author
  client 1.1.1.1 server-key 0 cisco
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key cisco
  radius-server vsa send accounting
  radius-server vsa send authentication
  2- "%DOT1X_SWITCH-5-ERR_VLAN_RSPAN:" since I didn't have any configuration related to RSPAN.
  so, anybody have any idea to fix this issue.
  Regards
  Basel

  It is not the ACL it is ignoring, it's the profile-name, which it should, because it has nothing to use that for. However, you should look into VLAN 410, to check and see if you have any config relating to that vlan, the only actual error i see in your logs is the one regarding assigning vlan 410. Could you please post you entire switch config, see we can see what else you might have configured.
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at:  https://supportforums.cisco.com/message/3863298#3863298
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at:  https://supportforums.cisco.com/message/3863298#3863298
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at:  https://supportforums.cisco.com/message/3863298#3863298
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at: https://supportforums.cisco.com/message/3863298#3863298
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at: https://supportforums.cisco.com/message/3863298#3863298
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at: https://supportforums.cisco.com/message/3863298#3863298
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at: https://supportforums.cisco.com/message/3863298#3863298
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at: https://supportforums.cisco.com/message/3863298#3863298
  %DOT1X_SWITCH-5-ERR_VLAN_RSPAN:  Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1.  802.1x is incompatible with RSPAN AuditSessionID  C0A8424200000036001B2AAE - See more at: https://supportforums.cisco.com/message/3863298#3863298

• Can we download ISE Pofile Policy from Cisco?

  The ISE comes with certain  profile policies. Can we download the profile policy from Cisco as new devices come into the market?

  Yes, you can.  jan.nielson is correct that the Profile Feed Service will allow for this.  Be advised that the Feed Service does require a Plus license for activation.  Here is a snippet from the ISE 1.3 Admin Guide:
  To activate the Feed Service, go to Administration > Feed Service > Profiler.  Enable the checkbox for Enable Profiler Feed Service, fill out the rest of the options (optional) and click Save.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Device Alert from Cisco LMS

  Hi All,
  I am currently getting buried in a flurry of alerts from Cisco LMS. However when I check on the device in fault manager or with Device Diagnostic Tools, I do not see any issues. Anyone have any ideas as to why these alerts are being generated? ( I have removed our specific info with xxxx)
  Additionally, I don't want to seem like I am bashing the LMS product, but could these alerts be made any more cryptic?
  ALERT ID                = 00001LI
  TIME                    = Wed 24-Mar-2010 01:21:49 GMT-06:00
  STATUS                  = Active
  SEVERITY                = Critical
  MANAGED OBJECT          = xxxx
  MANAGED OBJECT TYPE     = Switches and Hubs
  EVENT DESCRIPTION       = xxxx: Cisco Configuration Management Trap:InformAlarm; xxxx [xxxx]:Unresponsive;
  ALERT ID                = 00001LI
  TIME                    = Wed 24-Mar-2010 06:54:37 GMT-06:00
  STATUS                  = Active
  SEVERITY                = Critical
  MANAGED OBJECT          = xxxx
  MANAGED OBJECT TYPE     = Switches and Hubs
  EVENT DESCRIPTION       = xxxx: STP Topology Change:MinorAlarm; xxxx [xxxx]:Unresponsive;
  ALERT ID                = 00001LI
  TIME                    = Wed 24-Mar-2010 13:13:16 GMT-06:00
  STATUS                  = Active
  SEVERITY                = Critical
  MANAGED OBJECT          = xxxx
  MANAGED OBJECT TYPE     = Switches and Hubs
  EVENT DESCRIPTION       = xxxx: vlanTrunkPortDynamicStatusChange Trap:InformAlarm; xxxx [xxxx]:Unresponsive;
  ALERT ID                = 00001LI
  TIME                    = Wed 24-Mar-2010 13:13:52 GMT-06:00
  STATUS                  = Active
  SEVERITY                = Critical
  MANAGED OBJECT          = xxxx
  MANAGED OBJECT TYPE     = Switches and Hubs
  EVENT DESCRIPTION       = xxxx: STP Topology Change:MinorAlarm; ess016184.casino.sk.ca: vlanTrunkPortDynamicStatusChange Trap:InformAlarm; xxxx[xxxx]:Unresponsive;
  ALERT ID                = 00001LI
  TIME                    = Wed 24-Mar-2010 14:05:49 GMT-06:00
  STATUS                  = Active
  SEVERITY                = Critical
  MANAGED OBJECT          = xxxx
  MANAGED OBJECT TYPE     = Switches and Hubs
  EVENT DESCRIPTION       = xxxx: vlanTrunkPortDynamicStatusChange Trap:InformAlarm; xxxx: STP Topology Change:MinorAlarm; xxxx [xxxx]:Unresponsive;
  Thanks,
  Rick

  The alerts are quite generic.  The individual EVENT details will contain many more details.  Initially, it looks like DFM is showing you trap information relating to config  and STP changes.  If you have determined that these are not important, then you can clear the events (or mark them as acknowledged).  If you're receiving these as notifications (e.g. email notifications), you might consider creating event sets to filter the events to just the ones in which you are interested, then unchecking the boxes for alerts in your Notification Group.

• Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

  Hi All,
  I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
  2811 having C2800NM-ADVIPSERVICESK9-M
  2811 router connects to the Internet SW then connects to the Internet router.
  Note- For Authentication am using the Device ID & Pre share key. I am worried as all user traffic goes with PAT and not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue ?
  Below is router config for VPN & NAT
  crypto keyring ISR_Keyring
    pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp keepalive 10
  crypto isakmp profile isa-profile
     keyring ISR_Keyring
     self-identity user-fqdn [email protected]
     match identity user vpn-proxy.websense.net
  crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
  crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
  set peer vpn.websense.net dynamic
  set transform-set ESP-NULL-SHA
  set isakmp-profile isa-profile
  match address 101
  interface FastEthernet0/1
  description connected to Internet
  ip address 216.222.208.101 255.255.255.128
  ip access-group HVAC_Public in
  ip nat outside
  ip virtual-reassembly
  duplex full
  speed 100
  no cdp enable
  crypto map GUEST_WEB_FILTER
  access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
  access-list 103 permit ip 192.168.8.0 0.0.3.255 any
  ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
  ip nat inside source list 103 interface FastEthernet0/1 overload
  ip nat inside source route-map nonat pool mypool overload

  How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
  Check
  show crypto isakmp sa
  show crypto ipsec sa
  show crypto session
  You'd better remove the preshared key from your post.

• Certiciate app generating vulnerable CSRs

  All,
  After generating a new CSR from WebLogic's (6.1/sp2) certificate app , and proceeding
  to submit the CSR at the Verisign WebSite, I get a cautionary message (below)
  from Verisign that the request is only 512 bit. They state there are know vulnerabilities
  with CSRs less than 512 bits and that they recommend 1024 bit CSRs.
  Can someone decipher this and explain what these "know vulnerabilities" are?
  Also, does this mean that that WebLogic would not be using the full encryption
  capabilities of a 128 bit certiciate?
  If 1024 bit CSRs are needed, why isn't this an option on the WebLogic certificate
  app? Also, can someone tell me how to get WebLogic to generate 1024 bit CSRs.
  TIA,
  John Hogan
  ===========================================================
  512 bit Key Detected
  We have detected the key length in the Certificate Signing Request (CSR) submitted
  is not greater than 512 bits. There are known vulnerabilities associated with
  keys up to this length. We recommend you submit CSR with a longer key (1024 bits
  recommended). You may do this by using your web server to generate another CSR.
  Refer to your server documentation for details.
  Note: Some older web servers are incapable of generating longer keys.

• The CSCup62113 bug also removes Personal Conferencing accounts from disabled users' profiles

  It has been confirmed that the CSCup62113 bug that has been confirmed in MR4 (CWMS version 2.0.1.407B) also removes Personal Conferencing accounts from disabled users' profiles, if CWMS has been configured for synchronization with CUCM/LDAP. There is no way to restore the Personal Conferencing accounts; all affected end users need to be notified that their Personal Conferencing accounts and PINs need to be manually re-created (with host/participant codes being re-generated).

  It has been confirmed that the CSCup62113 bug that has been confirmed in MR4 (CWMS version 2.0.1.407B) also removes Personal Conferencing accounts from disabled users' profiles, if CWMS has been configured for synchronization with CUCM/LDAP. There is no way to restore the Personal Conferencing accounts; all affected end users need to be notified that their Personal Conferencing accounts and PINs need to be manually re-created (with host/participant codes being re-generated).