How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

Hi
The two ASAs with IPS modules are in active/standby mode. When I try to add both IPs (active/standby) to MARS, MARS complains about duplicated hostnames.
How do I set up MARS to monitor ASAs with IPS in an active/standby topology?
Thanks!

Hi,
The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode, so it's not actually needed in MARS.) Then, with the first IPS module, you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module, the only option is to add it as a separate device anyway.
In a failover scenario the ASAs swap IPs but the IPSs don't, so whereas you'll only ever get messages from the active ASA, you'll get messages from both IPS IPs depending on which one happens to be in the active ASA at the time.
Don't forget that you have to manually replicate all IPS configuration every time you make a change.
HTH
Andrew.

Similar Messages

  • How do I use Cisco MARS to monitor two FWSMs in two Cat6500 in failover ?

    Hello,
    I understand that I can add both Catalysts to MARS and that I can add the primary FWSM as a module to the primary Catalyst as well. But how can I add the secondary FWSM?
    Any ideas appreciated
    Thanks

    If you have already configured the primary, you don't have to configure the secondary. There is no need to configure the secondary, as it is not recommended to do so. In case of a failover, the secondary firewall will automatically take over the active configuration (e.g. IP address) of the primary, so the source of the syslogs will remain the same.

  • NPAS: How do I use Cisco ASA RADIUS attribute 146?

    We have a Cisco ASA 5520 running firmware 8.4.5 and are using it for AnyConnect SSL VPN.  We are using Microsoft Network Policy and Access Services (NPAS) as a RADIUS server to handle authentication requests coming from the ASA.
    We have three tunnel groups configured on the ASA, and have three Active Directory security groups that correspond with each one.  At this time, we are using Cisco's vendor-specific RADIUS attribute 85 (tunnel-group-lock) to send back to the ASA a string
    that corresponds to a policy rule in NPAS based on the matched group membership.  This works in the sense that each user can only be a member of one of the three AD security groups used for VPN, and if they pick a tunnel group in the AnyConnect client
    that doesn't correspond to them, the ASA doesn't set up the session for them.
    Well, Cisco added vendor-specific RADIUS attribute 146 (tunnel-group-name) in firmware 8.4.3.  This is an *upstream* attribute, and is one that is sent by the ASA to the RADIUS server.  We would like to use this attribute in our policies in NPAS
    to help with policy matching.  By doing this, we could allow people to be in more than one VPN group and select more than one of the tunnel groups in the AnyConnect client, each of which may provide different network access.
    The question becomes, how can I use this upstream RADIUS attribute in my policy conditions?  I tried putting it in the policy in the Vendor-Specific section under Policies (the same place where we had attribute 85 defined), but this doesn't work. 
    These are just downstream attributes that the NPAS server sends back to the RADIUS client (the ASA).  The ASA seems to ignore attribute 146 if it is sent back in this manner and the result is that the first rule that contains a group the user is a member
    of is matched and authentication is successful.  This is undesirable, because it means the person could potentially select a tunnel group and successfully authenticate even though that isn't what we desire.
    Here is Cisco's documentation that describes these attributes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html

    Philippe:
    Thank you for the response, but I am already aware how to use Cisco's group-lock or tunnel-group-lock with RADIUS and, in fact, we are already using tunnel-group-lock (attribute 85).
    Using tunnel-group-lock works in the sense that you have three RADIUS policies and three AD security groups (one per tunnel group configured on the ASA).  Each AD group basically is designed to map to a specific tunnel group.  Each RADIUS policy
    contains vendor-specific attribute 85 with the name of the tunnel group.  So when you connect and attempt authentication through NPAS, it goes down the RADIUS policies until the conditions match (in this case the conditions are the source RADIUS client
    - the ASA - and membership in a particular AD security group), it determines if your authentication attempt is successful, and if so it sends the tunnel group name back to the ASA.  If the tunnel group name matches the one associated to the user group
    you selected from the list in the AnyConnect client, a VPN tunnel is established.  Otherwise, the ASA rejects the connection attempt.
    Frankly, tunnel-group-lock works fine so long as it is only necessary for a given individual to need to connect to only a single tunnel group.  If there is a need for an individual to be able to use two out of the three or all three tunnel groups in
    order to gain different access, using tunnel-group-lock or group-lock won't work.  This is because the behavior will be when the RADIUS server processes the policies, the first one in the list that has the AD security group that the user is a member of
    will be matched and the tunnel group name associated with that policy will be sent back to the ASA every time.  If that name doesn't match the one they picked, the tunnel will not be established.  This will happen every time if the tunnel group is
    associated with the second or third AD group they are a member of in terms of order in the NPAS policy list.
    Group-lock (attribute 25) works similarly.  In such a case, the result won't be a failure to connect if the user group chosen is associated with the second or third AD group in the policy list; rather, it will just always send the ASA the first group
    name and the ASA will establish the session but always apply the same policy to the client rather than the desired one.
    We upgraded to firmware 8.4.5 on our ASA 5520 specifically so that we could make use of attribute 146 (tunnel-group-name).   Since this is an upstream attribute sent by the ASA to the RADIUS server (rather than something sent by the RADIUS server
    to the ASA as part of the authentication response), we were hoping to be able to use it as an additional condition in the NPAS policies.  In this way, people could be members of more than one of the AD security groups related to VPN at a time.  The
    problem is, I just do not know how to leverage it in the NPAS policy conditions or if it is even possible.
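The policy-ordering behaviour described in this thread, as an added example that is not part of the original posts and is not NPAS configuration. It decodes vendor-specific attribute 146 from a constructed Access-Request and contrasts first-match-by-group (the attribute 85 design) with a match that also keys on the tunnel group the ASA reports; the vendor ID 3076, the group names and the tunnel-group names are assumptions not taken from the page.

```python
import struct

VENDOR_ID = 3076          # assumption: Cisco VPN 3000/ASA vendor ID, not stated on this page
TUNNEL_GROUP_NAME = 146   # upstream: ASA -> RADIUS server in the Access-Request

# Constructed policy list in evaluation order; all names are hypothetical.
POLICIES = [
    {"ad_group": "VPN-Staff", "tunnel_group": "STAFF"},
    {"ad_group": "VPN-Vendors", "tunnel_group": "VENDOR"},
    {"ad_group": "VPN-Admins", "tunnel_group": "ADMIN"},
]

def build_request_attrs(user, tunnel_group):
    """Constructed Access-Request attributes: User-Name (1) plus VSA 146."""
    name, sub = user.encode(), tunnel_group.encode()
    vsa = struct.pack("!I", VENDOR_ID) + bytes([TUNNEL_GROUP_NAME, len(sub) + 2]) + sub
    return bytes([1, len(name) + 2]) + name + bytes([26, len(vsa) + 2]) + vsa

def parse_vsas(attrs):
    """Return {(vendor_id, vendor_type): value} for every type-26 attribute."""
    out, i = {}, 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        data = attrs[i + 2:i + a_len]
        if a_type == 26 and len(data) >= 6:
            vendor_id = struct.unpack("!I", data[:4])[0]
            j = 4
            while j + 2 <= len(data):
                v_type, v_len = data[j], data[j + 1]
                if v_len < 2 or j + v_len > len(data):
                    raise ValueError("malformed vendor sub-attribute")
                out[(vendor_id, v_type)] = data[j + 2:j + v_len]
                j += v_len
        i += a_len
    return out

def lock_result(user_groups, selected):
    """Attribute 85 design: the first policy whose AD group matches decides.

    The server returns that policy's tunnel group as the lock; the ASA sets
    up the session only if it equals the group the user selected.
    """
    for policy in POLICIES:
        if policy["ad_group"] in user_groups:
            return policy["tunnel_group"] == selected
    return False

def name_condition_result(user_groups, request_attrs):
    """Match on AD group AND the tunnel group named in upstream attribute 146."""
    raw = parse_vsas(request_attrs).get((VENDOR_ID, TUNNEL_GROUP_NAME))
    if raw is None:
        return None                      # attribute absent: no policy matches
    selected = raw.decode("utf-8", "replace")
    for policy in POLICIES:
        if policy["tunnel_group"] == selected and policy["ad_group"] in user_groups:
            return selected
    return None                          # user is not entitled to that tunnel group

if __name__ == "__main__":
    groups = {"VPN-Staff", "VPN-Admins"}
    attrs = build_request_attrs("alice", "ADMIN")
    print("lock design accepts ADMIN:", lock_result(groups, "ADMIN"))
    print("attribute 146 match:", name_condition_result(groups, attrs))
```
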

  • How can I use one gmail address on two different macbooks in 'mail'?

    I'm using one business gmail address. Me and my girlfriend both have a MacBook. Now the gmail address is linked to my MacBook. But she wants to use it as well. Unfortunately the 'mail' system won't allow her to sync with the gmail address. And I get messages from gmail saying that someone tried to log in to my account. Which is something I certainly want, but can't change. Does anyone know how I can use 1 gmail address on two different Macs? Thanks

    You may be able to change the suspicious account activity message alerts
    in your Gmail settings, and check that side of it, since I can use several
    means of accessing my Gmail and Google Accounts; and in the past had
    shared an account (not google) with another party half a world away when
    her email server went down for a month.
    The Mail software should not know the difference, unless the setup in there
    is not correct; if this is so, then more than what she says would be wrong.
    The Google mail Support help site pages should cover this adequately.
    Gmail Help - Google Help
    https://support.google.com/mail/?hl=en

  • How can I use a 3rd party XML parser such as xerces with OC4J ?

    Hi all tech experts,
    I am using Oracle Application Server 10g Release 2 (10.1.2) and I have
    installed Portal and Wireless and OracleAS Infrastructure on the same
    computer.
    I tried all the solutions on this thread
    Use of Xerces Parser in out application with Oracle App Server 9.0.4
    but still fighting.
    I have also posted this query on OTN on following thread
    How can I use a 3rd party XML parser such as xerces with OC4J?
    but no reply....
    Please help me on this issue.
    Since OC4J is preconfigured to use the Oracle XML parser which is xmlparserv2.jar.
    I have read the following article which states that
    OC4J is preconfigured to use the Oracle XML parser. The Oracle XML parser is fully JAXP 1.1 compatible and will serve the needs of applications which require JAXP functionality. This approach does not require the download, installation, and configuration of additional XML parsers.
    The Oracle XML parser (xmlparserv2.jar) is configured to load as a system level library of OC4J through its inclusion as an entry in the Class-Path entry of the oc4j.jar Manifest.mf file. This results in the Oracle XML parser being used for all common deployment and packaging situations. You are not permitted to modify the Manifest.mf file of oc4j.jar.
    It must be noted that configuring OC4J to run with any additional XML parser or JDBC library is not a supported configuration. We do know customers who have managed to successfully replace the system level XML parser and the Oracle JDBC drivers that ship with the product, but we do not support this type of configuration due to the possibility of unexpected system behavior and system errors that might occur from replacing the tested and certified libraries.
    If you absolutely must use an additional XML parser such as xerces, then you have to start OC4J such that the xerces.jar file is loaded at a level above the OC4J system classpath. This can be accomplished using the -Xbootclasspath flag of the JRE.
    I have also run the following command
    java -Xbootclasspath/a:d:\xerces\xerces.jar -jar oc4j.jar
    but no success.
    How could I utilize my jars like xerces.jar and xalan.jar for parsing instead of the OC4J built-in parser?
    All replies will be highly appreciated.
    Thanks in advance to all.
    Neeraj Sidhaye
    try_catch_finally @ Y !

    Hi Neeraj Sidhaye,
    I am trying to deploy a sample xform application to the Oracle Application Server (10.1.3). However, I encountered a class loader issue that is similar to your situation. I tried all three solutions but the application still uses the Oracle XML parser class. I am wondering if you have any insight about this?
    Thanks for your help.
    Xingsheng Qian
    iPass Inc.
    Here is the error message I got.
    Message:
    java.lang.ClassCastException: oracle.xml.parser.v2.XMLElement
    Stack Trace:
    org.chiba.xml.xforms.exception.XFormsException: java.lang.ClassCastException: oracle.xml.parser.v2.XMLElement
         at org.chiba.xml.xforms.Container.dispatch(Unknown Source)
         at org.chiba.xml.xforms.Container.dispatch(Unknown Source)
         at org.chiba.xml.xforms.Container.initModels(Unknown Source)
         at org.chiba.xml.xforms.Container.init(Unknown Source)
         at org.chiba.xml.xforms.ChibaBean.init(Unknown Source)
         at org.chiba.adapter.servlet.ServletAdapter.init(ServletAdapter.java:153)
         at org.chiba.adapter.servlet.ChibaServlet.doGet(ChibaServlet.java:303)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
         at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:719)
         at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:376)
         at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:870)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)
         at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)
         at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)
         at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
         at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
         at java.lang.Thread.run(Thread.java:595)
    Caused by: java.lang.ClassCastException: oracle.xml.parser.v2.XMLElement
         at org.chiba.xml.xforms.Instance.iterateModelItems(Unknown Source)
         at org.chiba.xml.xforms.Bind.initializeModelItems(Unknown Source)
         at org.chiba.xml.xforms.Bind.init(Unknown Source)
         at org.chiba.xml.xforms.Initializer.initializeBindElements(Unknown Source)
         at org.chiba.xml.xforms.Model.modelConstruct(Unknown Source)
         at org.chiba.xml.xforms.Model.performDefault(Unknown Source)
         at org.chiba.xml.xforms.XFormsDocument.performDefault(Unknown Source)
         at org.chiba.xml.xforms.XFormsDocument.dispatchEvent(Unknown Source)
         at org.apache.xerces.dom.NodeImpl.dispatchEvent(Unknown Source)
         ... 18 more

  • How do I use a song in my iTunes library to record with in garage band on my iPhone?

    How do I use a song in my iTunes library to record with in GarageBand on my iPhone? Like music from my library I want to use in GarageBand to record over.

    Short answer:
    Click Hide Song(s), it is what you wanted to do...
    Long answer:
    iTunes in the Cloud is a feature of your iTunes store account that allows you to redownload or stream your past purchases. When you delete a purchased track that is downloaded to your computer (like the first one shown here) you are asked if you also want to hide the song from iCloud. This would remove it from the computer and also stop it showing up with the iCloud symbol as the other tracks from that album (which are not downloaded) do.
    If a track shows with the cloud symbol you can play (stream) it by double-clicking the title, or click the cloud symbol to download a local copy to your library. If you try to delete one of these tracks you get a slightly different message confirming that you want to hide the track. Clicking hide will remove the listing from the library and any other device that shows your past purchases.
    Should you want to retrieve any item hidden in this way at a later date use Store > View My Account > iTunes in the Cloud > Hidden Purchases > Manage.
    To hide all your previous purchases that are not downloaded to your computer use Edit > Preferences > Store and untick Show iTunes in the Cloud purchases.
    tt2

  • How can I use a firewire hard drive on a new Macbook with one USB-C only?

    How can I use a firewire hard drive on a new MacBook with only one USB-C?

    kaz-k is correct about FireWire not being supported by any possible connector or adaptor to USB-C and never will.  However, there is no such thing as a FireWire Hard Drive.  There are only SATA (or if it is a really old one, ATA,) drives in a FireWire enclosure.  If you can remove the drive from the case/enclosure - bust it open somehow if it is a glued-up unit - then the drive can be placed into a regular USB3 enclosure. Then it can connect to the new MacBook via any one of the adaptors Apple sells.

  • How can I use JTA in my business logic and execute process with PAPI?

    Hi All,
    How can I use JTA in my business logic and execute process with PAPI?
    When my business logic has exception, the process will rollback.
    or the process has some exceptions, my business logic also will rollback.
    I don't know how to do it.
    Does anyone know how to do it?

    Thank you for your reply, Daniel.
    But I think I did not express my mind clearly.
    There is a scene that I have 2 Application Server.
    My business code is deployed in one Server.
    The BPM is deployed in another Server.
    I want to execute a Task using PAPI (ProcessServiceSession.runActivity).
    In my business code, I will do something before executing the Task.
    I need my business logic and the Task in the same transaction,
    to ensure they are "all-or-nothing".
    As you say, if the transactions are managed by Oracle BPM,
    then can I retrieve the OBPM transaction in my business code?

  • How can I use Nikon D 7100 and Panasonic Lumix DMC-LF1 with Photoshop CS 5 Camera Raw?

    How can I use Nikon D 7100 and Panasonic Lumix DMC-LF1 with Photoshop CS 5 Camera Raw?

    The one needs 7.4 (or better), the other 8.1, so Photoshop CS5 with ACR6 is not up to the task.
    The free DNG Converter could be used to convert the RAW images to DNG which your version of ACR should be able to process.

  • How do I use Cisco Registered Email Service with 10.7?

    I received an email via someone using Cisco Registered Email/Envelope Service.  The authentication process required the latest version of JAVA for 10.7, which I downloaded and installed.  When I try to logon, the screen hangs with the message "Loading Envelope Tools."  If I press "open" again it states "Inactive tools."  The alternate method is to open the mail via a secure Web site, which I can open, but I am unable to download attachments.  To download attachments, I am directed to a page that begins with "x-msg:" and I get a message that says: "Safari can't open the address .. . because MAC OX doesn't recognize Internet Addresses starting with "x-msg:"

    Thanks for the info Roger, this indeed did work for me (at least the part about signing in on apple.com, haven't tried the rest). Since Apple does not allow for the merging of Apple IDs, my plan is to use the old me.com address (from the free trial) with iCloud but then forward all the messages from the old me.com to my current Apple ID. Problem is all my devices are already associated with iCloud. So... if I want to activate iCloud using the old me.com, how do I do it?
    I have two ideas: 1) as you suggest, signing out and signing back in through the iCloud preference pane (either on Mac OS or iOS); but I'm worried this will have consequence - will I be able to sign back in to my main Apple ID account after doing this?
    2) create a new user on my Mac and then sign in to iCloud with the old me.com address there, then delete the account.
    Thanks for any help with this.

  • How to make use of AM Pool Monitor

    Hi,
    I get Java.lang.OutOfMemory when I run my OA application deployed in the server.
    (It works fine for 5 to 6 rounds of testing. Next time when I access the page I get the error.)
    Oracle FAQ answer suggests to make use of AM Pool Monitor.
    What is this AM Pool Monitor?
    How can I use it?
    Thanks,
    Gowtam.

    Enabling AM Pool allows re-use of AM objects thus saving creation of new AMs and consuming less JVM memory.
    To enable AM pooling you need to set the profile FND: Application Module Pool Enabled value to "Yes".

  • How can I use an airport base station and multiple airport expresses with U-verse and still use wireless tv boxes?

    I just got uverse, and when I put my Airport Base Station in Bridge mode I lose access to the 4 airport express stations I have. Can anyone tell me how to turn off the u-verse wireless, set up a network with all the apple stations and still have wireless u-verse tv boxes work? Thanks!

    Can I relocate the airport base station to downstairs and connect it to the Sawtooth there for receiving wireless from the Verizon router and broadcast further to its wireless network?
    Sorry but no the AirPort Extreme base station (AEBS) will not wirelessly connect to the network provided by the Verizon FiOS router.
    What you could do is get another AEBS, an AX, or a Time Capsule and place that downstairs. Then use that device to wirelessly connect to the wireless network provided by your current AEBS. If your current AEBS is not 802.11n capable then you would need to use WDS to make this happen. One bad thing about WDS is that each WDS link cuts your effective wireless bandwidth in half.

  • How to find using SQL query application deployed on win 7 machines with SCCM 2012 server or user installed manually.

    Hi,
    how to find using SCCM SQL query,  application deployed on win 7 machines with SCCM 2012 server or user/technician installed manually. Please let me know.

    Thanks, is it not possible via any script also?
    Like Torsten said, how can you tell the difference between CM12 installed applications and locally installed? Once you can answer that, then you can write report.
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • How can we use same material code for two different sales area

    Hello friends…
    Hope you are all doing well.
    I am facing a problem and I will be thankful to all of you for your suggestions.
    Issue:
    I have a material created in 3000/10/19 for domestic purposes. Now our company has decided to export it, and for that we have created a new sales area 3000/13/20 for export; we cannot create the sales area as 3000/13/19 due to some company issues.
    Is there any way I can use the material already in 3000/10/19 in the new sales area 3000/13/20?
    Will the common distribution channel and division concept be applicable here?
    As the material is the same, and we don't want to go for any more new material codes.
    Thanks
    Siddharth Sharma

    Hi Sharma,
    when a material is used in domestic and exports.....I hope it should be segregated based on dist chnl.......but not division.
    because material is Division specific. it can be there in only one division. like mother child relation.
    that is the reason why...... it is maintained inside BASIC DATA...... but not in input screen while creating material master.[unlike dist chnl]
    because a material can be in multiple dist chnl....but not multiple division.
    I feel the only alternative is creating a new material if you have already decided to divide the sales by division for domestic and foreign.
    Purpose of common dist chnl/div is to maintain pricing/condition in one common whenever you change master data.......
    hope this gives you the clarity
    regards
    Satya.SCM

  • How can I use the same id on two different laptops?

    When trying to use the same login on two different laptops so that I can connect my nook to either depending on which one is free, I get the error that the id is already in use on another computer?

    The issue is embedded in the way the software works.  To comply with the
    Digital Millennium Copyright Act of 2000, all software companies in this
    business keep track of where their software is installed, making
    information about the computer and ereaders part of an ID file.  So, your
    user ID is embedded in the ID file of each computer, but each computer has
    a different ID of its own that is also embedded in that file.  Adobe's
    master server (yes, there is one that you connect to even if you didn't
    know it) also has that information, and when you try to use an ID on one
    that's embedded in the file of another, Adobe's server blows the whistle,
    and as you can see, you can't do that....