Help with cisco ISE 1.1.2.145 patch-3 to ISE 1.2.0.899-2-85601 upgrade procedure

Need help from ISE experts/gurus in this forum.
Due to a nasty bug in Cisco ISE (bug ID CSCue38827 ISE Adclient daemon not initializing on leave/join), this bug will make the ISE stop working completely and a reboot is required (very nice bug from Cisco). This leaves me no choice but to upgrade to version 1.2.0.899-2-85601.
Scenario: 
- 4 nodes in the environment running ISE version 1.1.2.145 patch 3
- node 1 is Primary Admin and Secondary Monitoring - hostname is node1
- node 2 is Secondary Admin and Primary Monitoring - hostname is node2
- node 3 is Policy service node - hostname is node3
- node 4 is Policy service node - hostname is node4
Objective:  Upgrade the ISE environment to ISE version 1.2 with patch version 1.2.0.899-2-85601.
My understanding is that I have to upgrade the existing environment from ISE version 1.1.2.145 patch 3
to ISE version 1.1.2.145 patch 10 (patch 10 was released on 10/04/2013) before I can proceed with
upgrading to ISE version 1.2 and patch it with 1.2.0.899-2-85601.
Can I patch my existing environment from 1.1.2 patch 3 to patch 10 prior to upgrading to version 1.2.0.899-2-85601?
I looked at the Cisco website and patch 10 was released on 10/04/2013 while version 1.2 was released back on 07/05/2013.
I am trying to get a definite answer from Cisco TAC but it seems like they don't know either. 
Question #1:  How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 3 to 1.1.2.145 patch 10?
Proposed solution:
step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
         Then go ahead and apply ISE version 1.1.2.145 patch 10 to ISE node2 via the GUI,
step #2: Once ISE node2 patch 10 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply ISE 1.1.2.145 patch 10
         to ISE node1 via the GUI,
step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
step #4: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
step #5: apply ISE 1.1.2.145 patch 10 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
Question #2: How do I proceed with upgrading the current ISE environment from 1.1.2.145 patch 10 to ISE version 1.2 with patch version 1.2.0.899-2-85601?
Proposed solution:
step #1:  Make ISE node1 the Primary Admin and Primary monitoring.  At this point ISE node2 will become Secondary Admin and Secondary Monitoring
step #2:  Perform upgrade on the ISE node2 via the command line "application upgrade <app-bundle> <repository>".  Once ISE node2 upgrade is completed, it will
          form a new ISE 1.2 cluster independent of the old cluster,
step #3:  Perform upgrade on the ISE Policy Service node3 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
          Policy Service Node3 will automatically join the ISE node2 which is already in version 1.2
step #4:  Perform upgrade on the ISE Policy Service node4 via the command line "application upgrade <app-bundle> <repository>".  After the upgrade the ISE
          Policy Service Node4 will automatically join the ISE node2 which is already in version 1.2
step #5:  At this point the only node remaining in the 1.1.2.145 patch 10 is the ISE node1 Primary Admin and Primary Monitoring
step #6:  Check and see if there are any more PSN's registered in ISE node1 (there should not be any)
step #7:  Perform the upgrade on the ISE node1 from command line  "application upgrade <app-bundle> <repository>"
step #8:  Once upgrade on ISE node1 is complete, ISE node1 will automatically join the new ISE 1.2 cluster,
step #9:  Make ISE node1 Primary Admin and Secondary and ISE node2 Secondary Admin and Primary Monitoring,
Question #3:  How do I proceed with upgrading the current ISE environment from 1.2 patch0 to 1.2.0.899-2-85601?
Proposed solution:
step #1: make ISE node1 to be both Primary Admin and Primary monitoring.  ISE node2 is now Secondary Admin and Secondary Monitoring. 
         Then go ahead and apply ISE 1.2.0.899-2-85601 to ISE node2 via the GUI,
step #2: Once ISE node2 1.2.0.899-2-85601 is completed, make node2 Primary Admin and Primary Monitoring.  At this point, apply 1.2.0.899-2-85601
         to ISE node1 via the GUI,
step #3: Once ISE node1 patch 10 is completed, make node1 Primary Admin and Secondary Monitoring and node2 Secondary Admin and Primary Monitoring,
step #4: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node3.  Once that is completed, verify that node2 is working and accepting traffic,
step #5: apply ISE 1.2.0.899-2-85601 to ISE Policy Service node4.  Once that is completed, verify that node2 is working and accepting traffic,
Do these steps make sense to you?
Thanks in advance.

David,
A few answers to your questions -
Question 1: My recommendation is to follow Vivek's blog since most fixes and upgrade steps are provided there - I would recommend installing the patch that was released prior to the 1.2 release date since the directions to "install the latest patch" would put you at the version of when the ISE 1.2 was released
https://supportforums.cisco.com/community/netpro/security/aaa/blog/2013/07/19/upgrading-to-identity-services-engine-ise-12
You do not have the ability to install an ISE patch through the GUI on any of the "non-primary" nodes (you can use the CLI command to achieve this). The current patching process was designed so you can install the patch on the primary admin node and it will then roll the patches out to the entire deployment (one node at a time). I painfully verified this by watching the services on each node and when a node was up and operational the next node would start the patching process. First the admin nodes then the PSNs.
Every ISE upgrade that I have attempted has not been flawless and I can assure you that I have done an upgrade on 1.1.2 patch 3 and this worked fine, however I used the following process. You will need the service account information that is used to join your ISE to AD.
I picked the secondary admin/monitoring node and made it a standalone node by deregistering (much like the old procedure) in your case this will be node2.
I backed up the certificates from the UI and the database from the CLI (pick the local disk or ftp-your choice).
I reset the database and ran the upgrade script (since I did not have access to the vsphere console or at the location of the non UCS hardware [for a 1.1.4 upgrade]).
Once the upgrade was completed I then restored the 1.1.x database, ISE 1.2 now has the ability to detect the version of the database that is restored and will perform the migration for you.
Once the restore finished, I then restored the certificate and picked one of the PSNs
backup the cert,
Had the AD join user account handy
reset-db,
and run the upgrade script.
Once that is done I then restore the cert
Join the PSN to the new deployment
Join both nodes to AD through primary admin node
Monitor for a few days (separate consoles to make sure everything runs smooth)
If anything doesn't look or feel right, you can shut down the 1.2 PSN and force everything through the existing 1.1.2 setup and perform some investigation. If it all goes smooth you can then follow the above steps for the other two nodes, starting with the last PSN and then the last admin node.
Thanks and I hope that helps,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ISE 1.1.2.145 patch-3 and CLI password disable

    I am running ISE 1.1.2.145 patch-3 on VMWare ESXi 4.1  The ISE is running fine without any issues.
    During the initial setup of the ISE, I create an account called "admin" so that I can ssh into the ISE.  According to Cisco, the CLI password does NOT expire and does NOT lock out.  However, when I ssh into the ISE and "intentionally" entered the wrong password 5 times.  After that, I can no longer ssh or console in the ISE with the "admin" account.  The only way to fix this is to do "password recovery" with the DVD.
    I notice the same issue with ISE version 1.1.1.268 patch-5 as well.
    Is this a "known" issue with ISE or bug?

    There looks like there was a bug fixed for this issue in 1.1.1, you may need to open a tac case and see if the bug has resurfaced.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
    CSCub89895
    SNMP process stops randomly due to an issue in netsnmp
    The netsnmp daemon on Cisco ISE can halt, causing any SNMP monitoring of  the Cisco ISE node to fail until the daemon is restarted. This issue  has been observed in Cisco ISE, Release 1.1.1.
    Workaround   Remove all SNMP commands and re-add them to start the daemon again or restart the ISE node.
    For more information, see: http://sourceforge.net/tracker/index.php?func=detail&aid=3400106&group_id=12694&atid=112694
    Tarik Admani
    *Please rate helpful posts*

  • Help with Cisco Output Interpreter tool!!

    Hi All,
    I am experiencing a problem with Cisco Output Interpreter tool.
    While the tool is working fine and displaying the "CONFIGURATION COMMAND REFERENCE  NOTIFICATIONS (if any)" very effectively but I am unable to use the hyperlink to get an understanding about a particular command.
    When I click on a particular command(hyperlink) it pops up another window and the below error is displayed.
    Not Found
    The requested URL /cgi-bin/Support/Cmdlookup/ios-command-lookup.pl was not found on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    Anyone else had/have this particular error. Could you please help me with this.
    Apologies if  this topic does not belong to this group.
    Thanks in advance
    Sam

    No one to help me on this?

  • Need help with Cisco Interface Cards???/

    Hi, I purchased 4 WIC-1AM cards for my cisco 1760 gateway to use with cisco call manager server. I'm trying to figure out if I can even use these cards for voice cards to make calls inbound and outbound. I'm seeing that the cards that CM gives me are all VIC cards listed and I don't see any WIC cards listed in the endpoint list on the CM for the gateway. So can I even use these cards for what I'm trying to do??? Please help???
    Thanks

    If I got the Vonage SIP account how would I hook it up to my CM Server?
    I'm using a 1760 gateway, what is a DSP resource?
    When i do show diag I get this from my router:
    show diag
    Slot 0:
    C1760 1FE VE 4SLOT DV Mainboard Port adapter, 3 ports
    Port adapter is analyzed
    Port adapter insertion time unknown
    EEPROM contents at hardware discovery:
    Hardware Revision : 5.0
    PCB Serial Number : FOC08077JDP
    Part Number : 73-7167-05
    Board Revision : B0
    Fab Version : 04
    Product (FRU) Number : CISCO1760
    EEPROM format version 4
    EEPROM contents (hex):
    Packet Voice DSP Module Slot 0:
    Not populated
    Packet Voice DSP Module Slot 1:
    Not populated
    WIC/VIC Slot 0:
    One Port Modem WIC
    Hardware revision 1.0 Board revision H0
    Serial number 0034764142 Part number 800-08823-01
    FRU Part Number WIC-1AM=
    Test history 0x00 RMA number 00-00-00
    Connector type WAN Module
    EEPROM format version 1
    EEPROM contents (hex):
    0x20: 01 38 01 00 02 12 75 6E 50 22 77 01 00 00 00 00
    0x30: 88 00 00 00 06 02 10 01 FF FF FF FF FF FF FF FF
    WIC/VIC Slot 1:
    One Port Modem WIC
    Hardware revision 1.0 Board revision H0
    Serial number 0034764050 Part number 800-08823-01
    FRU Part Number WIC-1AM=
    Test history 0x00 RMA number 00-00-00
    Connector type WAN Module
    EEPROM format version 1
    EEPROM contents (hex):
    0x20: 01 38 01 00 02 12 75 12 50 22 77 01 00 00 00 00
    0x30: 88 00 00 00 06 02 10 01 FF FF FF FF FF FF FF FF
    What do you think?

  • Help with CISCO-887VA adsl over pots and PPPoE with dynamic IP

    Hi
    I've got problem trying to connect the CISCO-887VDSL/ADSL OVER POTS ROUTER to internet. Only got the LAN part working.
    I'm trying to setup PPPoE with dynamic IP
    Followed CISCO's documentations but the commands used were not recognized by the router. Any simple working config for me to follow will be enough.
    I'll appreciate any help. Thanks a lot!
    here's  my config.
    ! Last configuration change at 08:31:51 UTC Sat Feb 11 2012
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 10
    crypto pki token default removal timeout 0
    ip source-route
    ip dhcp excluded-address 10.0.0.1 10.0.0.149
    ip dhcp excluded-address 10.0.0.199 10.0.0.254
    ip dhcp pool sdm-pool
    import all
    network 10.0.0.0 255.255.255.0
    default-router 10.0.0.1
    dns-server x.x.x.x x.x.x.x.x
    lease 0 2
    ip cef
    no ipv6 cef
    license udi pid CISCO887VA-K9 sn FGLxxxxxxx
    controller VDSL 0
    ip ftp username cisco
    ip ftp password cisco
    interface Ethernet0
    pppoe enable group global
    pppoe-client dial-pool-number 1
    no ip address
    shutdown
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/35
    pppoe-client dial-pool-number 1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface Vlan1
    ip address 10.0.0.1 255.255.255.0
    ip nat inside
    ip directed-broadcast
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Dialer1
    mtu 1492
    ip address negotiated
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname xxxx
    ppp chap password 0 xxxx
    ppp pap sent-username xxxx password 0 xxxx
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip access-list standard 1
    permit 10.0.0.0 0.0.0.255
    no cdp run
    line con 0
    line aux 0
    line vty 0 4
    login
    transport input all
    end

    Try to check with your ISP the modem string to use for VDSL
    and some ISP support direct dhcp on Ethernet0 without PPPoE.
    An equivalent config is working for me in Switzerland with Swisscom.
    N.B. "modem" under VDSL controller is enable using service internal !
    service internal
    controller VDSL 0
    operating mode vdsl2
    modem co5
    ip source-route
    ip cef
    ip dhcp excluded-address 10.0.0.1 10.0.0.149
    ip dhcp excluded-address 10.0.0.199 10.0.0.254
    ip dhcp pool sdm-pool
    import all
    network 10.0.0.0 255.255.255.0
    default-router 10.0.0.1
    dns-server 8.8.8.8
    lease 0 2
    interface Ethernet0
    ip address dhcp
    ip nat outside
    interface Vlan1
    ip address 10.0.0.1 255.255.255.0
    ip nat inside
    ip tcp adjust-mss 1452
    ip nat inside source list 23 interface Ethernet0 overload
    access-list 23 permit 10.0.0.0 0.0.0.255
    end

  • Help with Cisco ASA 5500 and NAS drives

    Hello:
    I have 2 My Book World Edition II NAS drives. They both are configured to use a static IP address and both are on the same workgroup.
    One of them is supposed to be replaced with a newer one that I just installed yesterday.
    What I am trying to do is to transfer all the information from NAS1 to NAS2.
    Both are connected to a Cisco VPN router.
    I created a batch file that was basically several xcopy commands to copy all the information from NAS1 to NAS2.
    As this process was going to take like 8 hours I ran the batch file yesterday at 4:00PM when everyone was logged off the NAS drives.
    To my surprise this morning I found out that only a portion of the files were copied from the NAS1 to the NAS2.
    After reading the system logs of the NAS1 drive I found a lot of errors. For example:
    getpeername failed. Error was Transport endpoint is not connected
    Error writing 4 bytes to client. -1. (Connection reset by peer)
    write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
    Error writing 4 bytes to client. -1. (Connection reset by peer)
    write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
    Error writing 4 bytes to client. -1. (Connection reset by peer)
    write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
    Error writing 4 bytes to client. -1. (Connection reset by peer)
    write_data: write failure in writing to client 192.168.10.105. Error Connection reset by peer
    writing 4 bytes to client. -1. (Connection reset by peer)
    write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
    getpeername failed. Error was Transport endpoint is not connected
    Someone suggested that the problem has to do with the network configuration.
    The suggestion was to change from "auto-negotiate" to  Full Duplex 100 on the Cisco VPN router configuration.
    What do you think? Could this be the problem?
    Thanks and help is greatly appreciated.


  • Help with Cisco RV180 VPN

    I have installed the Cisco RV180 VPN at a customer location.
    Because this customer makes credit card transactions over the Internet, their merchant account requires a third-party to perform a security scan on the gateway.  When scanning, the third-party states they are not in compliance with this report:
    THREAT REFERENCE
    Summary:
    TLS Protocol Session Renegotiation Security Vulnerability
    Risk: High (3)
    Port: 443
    Protocol: TCP
    Threat ID: misc_opensslrenegotiation
    Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
    06/11/12
    CVE 2009-3555
    Multiple vendors TLS protocol implementations are prone to a  security vulnerability related to the session-renegotiation process  which allows man-in-the-middle attackers to insert data into HTTPS  sessions, and possibly other types of sessions protected by TLS or SSL, by  sending an unauthenticated request that is processed retroactively by a  server in a post-renegotiation context.
    Information From Target:
    Service: 443:TCP
    Session Renegotiation succeeded on 443:TCP
    They are using the QuickVPN Client to connect and must be able to connect from anywhere in the world.  From my understanding, port 443 must be opened for the QuickVPN Client to function.  How do I block port 443 from everyone except the QuickVPN Client?  Or how do I configure the RV180 to satisfy the above threat?
    Thanks in advance for any information you can provide.

    Hi,
    following config is for cisco VPN client access with dynamic allocation and split-tunnel.
    Hope this helps, please rate post if it does!
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    username vpnc password 0 userpass
    crypto isakmp client configuration group vpncg
    key grouppass
    dns 4.2.2.1
    wins 10.59.2.10
    domain domain.com
    pool ip-pool
    acl 108
    crypto ipsec transform-set myset esp-aes esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface FastEthernet0/0
    ip nat outside
    crypto map clientmap
    interface vlan1
    ip address 10.59.2.1 255.255.255.0
    ip nat inside
    ip local pool ip-pool 10.0.230.1 10.0.230.20
    access-list 108 remark VPN client split tunnel
    access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255
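
For the renegotiation finding in the scan report quoted in this thread (CVE 2009-3555), the following is an added example, not part of any post here and not Cisco's or the scanner's code. It parses a TLS ServerHello and reports whether the server acknowledged the RFC 5746 `renegotiation_info` extension, which is the protocol-level fix for that CVE. The function names and sample records are constructed for illustration; the check assumes the client offered the extension (or its signalling cipher suite) and that the ServerHello sits at the start of one record.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type defined by RFC 5746


def build_server_hello(extensions=None):
    """Build a constructed TLS 1.2 ServerHello record (sample data, not a capture)."""
    body = b"\x03\x03" + bytes(32)      # server_version, zeroed random
    body += b"\x00"                     # empty session_id
    body += b"\x00\x2f" + b"\x00"       # TLS_RSA_WITH_AES_128_CBC_SHA, null compression
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def server_hello_extensions(record):
    """Return {extension_type: data} for a ServerHello at the start of a record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or rec_len < 4 or hs[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]             # later handshake messages may follow
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                        # skip version and random
    pos += 1 + body[pos]                # skip session_id
    pos += 2 + 1                        # skip cipher suite and compression
    if pos > len(body):
        raise ValueError("session_id overruns ServerHello")
    if pos == len(body):
        return {}                       # hello without any extensions block
    if pos + 2 > len(body):
        raise ValueError("truncated extensions length")
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end != len(body):
        raise ValueError("extensions length does not match ServerHello")
    exts = {}
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension data overruns ServerHello")
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def renegotiation_status(record):
    """Classify the server's answer on an initial handshake.

    'secure'  - renegotiation_info present with an empty renegotiated_connection
    'legacy'  - extension absent; if the server also accepts renegotiation,
                it matches the scan finding for CVE-2009-3555
    'invalid' - extension present but non-empty on an initial handshake,
                which RFC 5746 requires the client to reject
    """
    data = server_hello_extensions(record).get(RENEGOTIATION_INFO)
    if data is None:
        return "legacy"
    return "secure" if data == b"\x00" else "invalid"


# Constructed sample records covering each outcome.
SAMPLES = {
    "patched server": build_server_hello([(RENEGOTIATION_INFO, b"\x00")]),
    "no extensions": build_server_hello(None),
    "other extension only": build_server_hello([(0x000B, b"\x01\x00")]),
    "malformed reply": build_server_hello([(RENEGOTIATION_INFO, b"\x01\xaa")]),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name}: {renegotiation_status(rec)}")
```

A "legacy" result on its own only means the server did not signal RFC 5746 support; the scanner's finding additionally requires that the server actually accepts a renegotiation.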

  • Need help with cisco 881 configuration.

    Hi, I have cisco 881 wireless router, and I need to configure this as a switch, I have dhcp server in network 192.168.12.254, and I need that cisco wifi and lan clients get IP addresses from existing dhcp server.
    I connect wire from network (with dhcp server) to FastEthernet0, create vlan interface (192.168.12.10 255.255.255.0), described vlan on other FastEthernet interfaces, so LAN clients get IP addresses from my dhcp server without problems, but how to do the same with wifi clients?

    Follow this support doc because you need to trunk the AP to the router and specify the vlan the wireless clients will be on.
    https://supportforums.cisco.com/docs/DOC-16145
    Here is a doc that guides you through multiple vlans/subnets on access points:
    https://supportforums.cisco.com/docs/DOC-14496
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Help with cisco 881

    Hello
    I'm having some trouble configuring a cisco 881. I'm building a lab where I connect 2 cisco 881 through the fe4 interface (Wan port), and then connect to each router a PC, at interface fe0 (Lan port). The idea was to establish connection and implementing a static route between the 2 routers.
    As a default the 881 has dhcp enabled on VLAN1 (10.10.10.0/24). So I set the pc's to get Ip's automatically. On Router A, I changed the dhcp pool so that I had a different network (11.10.10.0/24). So I have PC1 (11.10.10.2) connected to Router A on interface fa0. Router A connects to Router B through the fe4 interfaces (WAN ports). And PC2 (10.10.10.0/24) connects to Router B on fa0 interface.
    I assigned an ip address to fe4 on Router A (192.168.10.1/24) and an ip address to fe4 on Router B (192.168.10.2/24).
    At last I configured the static routes on both routers.
    On Router A :                         ip route 10.10.10.0 255.255.255.0 192.168.10.2
    On Router B :                         ip route 11.10.10.0 255.255.255.0 192.168.10.1
    With everything configured I tested the connections.
    PC 1 to its gateway: successful
    PC 1 to 192.168.10.2: successful
    PC1 to the gateway of PC2(10.10.10.1/24): successful
    PC 1 to PC 2: failed
    PC 2 to its gateway: successful
    PC 2 to 192.168.10.1: successful
    PC2 to the gateway of PC1(11.10.10.1/24): successful
    PC 1 to PC 2: failed
    Well this is the scenario. I really don’t understand the problem. I think I did everything right, but I simply don’t get the result. Is there an error with my configuration or is this simply not doable?
    Thanks a lot.

    Have you checked that the firewalls are turned off? If you can ping the far side, that tells me you have a default gateway configured on the workstation and that the far side router has a route back to you. The only thing left would be firewalls need to be turned off on the workstations.
    HTH,
    John
    *** Please rate all useful posts ***

  • Help with Cisco

    Hi all, I'm looking for some help regarding selling Cisco devices.  I am a select partner who did nothing for the first 2 years and just re-certified.  I am now ready to make a big push to create a Cisco vertical in my company.  I have the resources via Cisco for my marketing campaign and am going to be doing some trade shows.  My question is, I purchase the equipment via my distributor at my partner level price and now when I turn around to sell it to my client, what do I sell it for?  What is the mark up? MSRP (and if so how do I find out what that is)? or something lower?
    Any help would be appreciated.

    The discussion was moved to the Network Infrastructure forum in the WAN Routing and Switching section.
    I see a few things about this config that seem problematic.
    In this DHCP pool
    ip dhcp pool LAN
     network 10.20.76.0 
     default-router 10.10.76.1
    You have the default route in a subnet different from the client subnet. The default route should be 10.20.76.1.
    Also it looks like you are trying to run the wireless vlan 10 to the dot1q subinterface of FA4. I do not believe that works.
    Looking at the NAT configuration I do not see any particular issue and wonder if your real problem was really the default gateway and not the NAT.
    HTH
    Rick

  • Foot stand not provided with my replacement WRT-350N - need help with Cisco contact

    Hi!
    I am starting to feel like Michael Douglas in the movie Falling Down and need some help.
    Story:
    I finally sent in my faulty WRT-350N router and when I got the replacement everything but the plastic foot stand was included. I want to have my router standing up to save desk space but now I have no foot.
    "OK, should not be hard to get Linksys to send me the missing foot stand" was my thought. Now I have called the RMA line and also emailed them and I get a similar answer like Michael Douglas got with a smile
    I keep hearing that I cannot get the part since it is not on the product's content list. Like that is *my* problem. I just want the part and do not care whether it is on a list or not. It is the part on top of the router in the picture. I even asked the Linksys representative to Google a bit for WRT-350N and there are foot stands on almost all pictures and it is definitely included in the box. I was told I could go nowhere else for help either with this. I really doubt that but fail to find a channel to Linksys that may be able to help.
    If some Linksys representative sees this please help me!
    Thanks, Niklas
    RMA XXXXX - missing router stand/foot
    (Mod note: Edited for guideline compliance. E-mail conversation removed.)
    Message Edited by kent07 on 07-01-2009 03:10 AM

    Now it should be working. To moderators, this does not hold any personal info but just want to show the quite long text to read through for the RMA:
    Thank you for contacting Linksys Customer Service Department. First of all, we would like to inform you that, if your item has been purchased less than 2 years ago, you have the possibility of replacing it through the place of purchase.
    If you want to replace your item through Linksys, we are more than glad to provide you with our assistance. In order to create an RMA ( authorization number for the replacement under warranty), you can do it online at
    https://linksysrma.moduslink.com/Consumer/pag/ChooseRegion.aspx.
    On the other hand, if you prefer us placing the RMA, please reply to this email including the following information:
    Name:
    Last Name:
    Company Name:
    Street Address:
    City:
    Postal Code:
    Day Time Phone Number:
    Model (include version):
    Serial Number:
    Date of Purchase:
    Place of Purchase (store):
    Once the RMA is created, you will receive a confirmation e-mail with the RMA number on a shipping label ( not a prepaid, as the inbound shipping is up to the customer) and all the terms and conditions . You will have to print three copies of that label. The first copy you are going to stick it in the outside of the box, the second one you are going to join it in the inside of the box and the last one is a copy for you as assurance. Together with this e-mail it will also be included all the terms and conditions. We will strongly appreciate your reading them carefully before sending the item to us. In relation to this, it will be our pleasure to summarize some of the important conditions we state in order to clarify our standard procedure:
    Please write down the RMA# ( not the case id#) on the outside of the box with big numbers and letters. Moreover, we recommend our customers to use a traceable shipping method in order to get a tracking number for the delivery. This number will be helpful to track the package in case of any potential inconvenience. Remember that you will have to pay just for the inbound shipping while Linksys will be responsible for the rest of the expenses.
    Furthermore, remember to include all the accessories that were included in the original package: Power Supply, Cables, User Guide, CD's. Otherwise, warranty replacement will not be possible to be performed. All other accessories shipped that did not come in the original box may not be returned. Moreover, it is important to remember that you do not have to ship the original box. Also, include on the shipping box a copy of the proof of purchase, not the original.
    IMPORTANT: -If your product is part of a network kit just send the defective unit.
    If you have further questions do not hesitate to call us or replying to this e-mail. Our lines are open from Monday to Friday from 10 a.m. to 7 p.m. We recommend our customers to have the case id# handy.
    Regards,
    Linksys Customer Service - EMEA
    Linksys does NOT offer refunds, substitutions, credits, or upgrades.
    Linksys is NOT responsible for lost packages in transit. Please obtain a tracking number as a safeguard for your shipment. Linksys strongly suggests using a reputable shipping company that will provide a tracking number and will insure the package.
    Linksys is not able to accommodate walk-in customers.
    Processing the Defective Unit.
    Package your return unit(s) in one box, please make sure the contents are secure and that enough packaging material is included to prevent the unit(s) from moving around during shipping.
    Please ship the defective unit(s) to the address below.
    Linksys RMA/SILS/ML
    IJsseldijk 29 in Apeldoorn
    7325 WZ Apeldoorn
    The Netherlands
    All original Linksys accessories, such as power adapters, couplers/dongles, and antennas MUST BE RETURNED with the product.
    If you are replacing a product that belongs to a networking kit, only return the defective product listed on the previous web form belonging to the networking kit. Please do not include the working product.
    Linksys is NOT responsible for lost packages in transit. Please obtain a tracking number as a safeguard for your shipment. Linksys strongly suggests using a reputable shipping company that will provide a tracking number and will insure the package.
    Linksys is NOT responsible for lost or damaged personal accessories. If you have attached any accessories that did not come with the original product, please remove these items prior to returning your unit(s). In addition, if your product uses any internal fiber modules please also remove these items unless they are listed as one of the products on the RMA web form.
    Linksys is not responsible for data stored on the hard drive of the defective unit. If the defective unit has a hard drive and it cannot easily be removed from the defective unit, back up your data prior to shipping the defective unit to Linksys.
    The customer bears the cost of sending the defective unit(s) to Linksys including all customs fees and applicable taxes.
    A COPY of the proof of purchase must be included for all products. A valid proof of purchase includes a copy of the receipt, invoice, or packing slip from the retailer, or distributor. A copy of your credit card statement, internal requisition, or purchase order is NOT considered a valid proof of purchase. DO NOT SEND YOUR ORIGINALS.
    Processing the Replacement Unit.
    Linksys bears the cost of shipping the replacement unit to the CUSTOMER unless the expedited shipping option is chosen at the time the RMA is created.
    Upon receipt of the defective unit, a replacement unit is usually shipped within 3-5 business days.
    Linksys ships replacement products via GLS ground to customers within the European Union. Non European Union Customer's replacements are shipped FedEx.
    In the event of a backorder, units will ship when available, and the shipping method will remain the same as the option selected at the time the RMA was created.
    If you wish to change the shipping method, YOU MUST contact the Linksys Customer Service department prior to the replacement unit being shipped. Once the unit has been shipped, the funds paid for expedited shipping cannot be refunded. The Customer Service phone numbers are listed below.
    Once you receive your replacement unit, test the unit, and verify that it is working properly.
    Damaged or missing part(s) must be reported within five business days of receiving the replacement unit(s).
    IMPORTANT: If your unit uses a power supply, make sure to use the power supply that comes with the replacement unit, and not the original power supply.
    COUNTRY           PHONE NUMBER
    Austria           01360 2772061
    Belgium           02 627 7077
    Czech Republic    800 800156
    Denmark           82 332729
    Finland           0800 523062
    France            0800 881 026
    Germany           0800 1013311
    Hungary           06 80 204 548
    Iceland           44 207 660 0121
    Ireland           1 800 818 188
    Italy             02 38 591012
    Lithuania         44 207 660 0121
    Luxembourg        32 2-627-7077
    Malta             44 207 660 0121
    Netherlands       0800 020 0101
    Norway            235 00060
    Poland            00800 331 1345
    Portugal          213 180 081
    Spain             900 902 207
    Sweden            0851 992 251
    Switzerland       022 5675 330
    Turkey            212 444 2726
    United Kingdom    0800 026 1418

  • Help with cisco 837 VPN firewall configuration

    Hi guys,
    I attempted to configure remote access VPN using cisco 837. IPSEC and firewall features were added already. However, the VPN client keeps saying "remote peer no longer responding".
    Upon removing firewall and ACLs, VPN client works. Therefore, I believe these two parts went wrong. Could you please take a look at my config below and see what is going on. On the other hand, when I issue the same config to cisco 827, it does not work. My question is whether cisco 827 IOS 12.1(3) supports IPSEC.
    Any help would be highly appreciated.

    This document demonstrates how to configure a connection between a router and the Cisco VPN Client 4.x using Remote Authentication Dial-In User Service (RADIUS) for user authentication. Cisco IOS® Software Releases 12.2(8)T and later support connections from Cisco VPN Client 3.x. The VPN Clients 3.x and 4.x use Diffie Hellman (DH) group 2 policy. The isakmp policy # group 2 command enables the VPN Clients to connect.
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml

  • NEED HELP WITH CISCO 1601

    Dear Sir,
    Good day, I have a Cisco router model 1601 and I forgot my enable secret.
    When I logged in via console to reset the password, I followed all the steps you mention on your support web site and typed reset at the end of the steps to reload again and access my router.
    I suddenly found my router does not respond to console or even ping or telnet.
    My router is ON and the system LED is working (OK) but there is no response to anything.
    Please advise how to solve this problem and why it happened.
    I would appreciate your reply soon as this is so urgent.
    Regards,
    Mourad Aziz

    Maybe you changed the console rate from 9600 to other settings. Try to modify console speed, parity, ...
    Also try to connect a sniffer to the Ethernet port and capture packets coming from the router; maybe this will guide you and give you more ideas.

  • Help with Cisco Unified CME B-ACD

    Hi:
    I have a cisco callmanager express v 7.1 installed in a 2801 router.
    I want to set up a basic CME B-ACD script. I have 4 DNs from 4000 to 4003; in this setup I need to run the script based on these 4 DNs. I read part of the guide but it seems complex for my configuration. I just want that when somebody calls, it goes to the basic assistant and that it can call directly to the stations. This is my basic configuration.
    incoming number 809-323-4322
    This is an IP TRUNK service.
    CMELAB#show running-config
    Building configuration...
    Current configuration : 3206 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname CCMELAB
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no aaa new-model
    no network-clock-participate slot 1
    voice-card 0
    voice-card 1
    dspfarm
    ip source-route
    ip cef
    ip dhcp pool ITS
       network 192.168.0.0 255.255.255.0
       option 150 ip 192.168.0.1
       default-router 192.168.0.1
    no ipv6 cef
    multilink bundle-name authenticated
    voice translation-rule 1
    rule 1 /^98/ /8/
    rule 2 /^918/ /18/
    rule 3 /^90/ /0/
    voice translation-profile cisco
    translate called 1
    archive
    log config
      hidekeys
    interface Loopback0
    ip address 1.1.1.1 255.255.255.255
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 192.168.0.1 255.255.255.0
    duplex auto
    speed auto
    interface Serial0/0/0
    no ip address
    shutdown
    clock rate 2000000
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.0.254
    ip http server
    tftp-server flash:P00305000600.bin
    tftp-server flash:P00305000600.sbn
    tftp-server flash:P00308000400.loads
    control-plane
    mgcp fax t38 ecm
    mgcp behavior g729-variants static-pt
    dial-peer voice 9 voip
    translation-profile outgoing cisco
    destination-pattern 9T
    session target ipv4:172.19.10.170
    incoming called-number 8093234322
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    ip qos dscp cs3 signaling
    dial-peer voice 4000 voip
    service aa
    destination-pattern 4...
    session target ipv4:1.1.1.1
    incoming called-number 4000
    dtmf-relay h245-alphanumeric
    num-exp 8093234322 4000
    gatekeeper
    shutdown
    telephony-service
    authentication credential admin cisco
    pin 8135 override
    max-ephones 5
    max-dn 5
    ip source-address 192.168.0.1 port 2000
    auto assign 1 to 5
    load 7960-7940 P00308000400
    voicemail 8093234322
    max-conferences 8 gain -6
    transfer-system full-consult
    after-hours block pattern 1 90 7-24
    after-hours block pattern 4 9T 7-24
    create cnf-files version-stamp Jan 01 2002 00:00:00
    ephone-dn  1  dual-line
    number 4000
    ephone-dn  2  dual-line
    number 4001
    ephone-dn  3  dual-line
    number 4002
    ephone-dn  4  dual-line
    number 4003
    ephone-dn  5  dual-line
    number 4004
    ephone  1
    no phone-ui speeddial-fastdial
    no phone-ui snr
    no multicast-moh
    mac-address 0024.2BB0.DAAD
    after-hours exempt
    type CIPC
    button  1:1
    pin 8135
    ephone  2
    no phone-ui speeddial-fastdial
    no phone-ui snr
    no multicast-moh
    mac-address 000A.F489.A181
    type 7940
    button  1:2
    pin 8135
    ephone  3
    no phone-ui speeddial-fastdial
    no phone-ui snr
    no multicast-moh
    mac-address 000D.2928.46D6
    type 7905
    button  1:3
    pin 8135
    ephone  4
    no phone-ui speeddial-fastdial
    no phone-ui snr
    no multicast-moh
    ephone  5
    no phone-ui speeddial-fastdial
    no phone-ui snr
    no multicast-moh
    line con 0
      logging synchronous
    login
    line aux 0
    line vty 0 4
    exec-timeout 0 0
      logging synchronous
    login
    scheduler allocate 20000 1000
    end

    Neither coming to a board looking hoping for free recipes after browsing documentation and finding that is "too much" is an example of inclination toward our line of work.
    And the sarcasm doesn't help, so good luck.

  • Help with Cisco 871-K9

    Hi everyone! I'm having trouble with my 871 router.
    My problem is the next one.
    It starts like this:
    My ISP gives me an address by DHCP, it is connected to a 1841 (Fe 0/1), on Fe0/0 I assign 10.22.1.1 and by DHCP on my 871, I gather the IP the router gives me.
    Now, in the 871, as you can see in the attachment, everything's configured. I can make pings to everything except to my computer, with the IP 10.22.2.3 and Gateway 10.22.2.1 (Vlan1). Therefore, I ping from my computer to the vlan1 (inside) and the Fe4 port (outside) -works- but I don't have access to the web. Neither can I ping 10.22.1.2, which is the 1841 router.
    Any ideas of what I'm doing wrong?
    1841 is working perfectly and it's natting the public ip into private.

    Hello.
    Have you configured a static route from the 1841 back to the 871?
    The route on the 1841 should look a bit like this:
    ip route 10.22.2.0 255.255.255.248 10.22.1.1
    Simon
