Http profiling wlc 7.3

Similar Messages

• ISE 1.2 does not do HTTP profiling ???

  Hi, guys.
  Has anyone ISE 1.2 Patch 1 successfully enabled to do profiling using HTTP on a monitor session/span port ???
  I have tried the following:
  - DMZ switch, which holds a vlan where (only) the central proxy server resides
  - ESX 5.1 host, one nic connected to the DMZ switch
  - configured a virtual switch/network on this host, which uses the nic connected to the DMZ switch (enabled promiscious mode on the vswitch and network)
  - ISE 1.2 Patch 1 installed on the ESX host, two interfaces (Gig 0 and 1), Gig 1 connected to the vswitch and virtual network
  - configured virtual ISE to do http profiling on Gig 1
  Here are some shows:
  #sh moni
  Session 1
  Type                   : Local Session
  Source VLANs           :
      Both               : xx
  Destination Ports      : Gi2/0/48
      Encapsulation      : Native
            Ingress      : Disabled
  #sh run int gig2/0/48
  interface GigabitEthernet2/0/48
  description *** ISE Proxy SPAN Port
  switchport access vlan xx
  The span destination port shows lots of outgoing packets:
  #sh int gig2/0/48
  GigabitEthernet2/0/48 is up, line protocol is down (monitoring)
    Hardware is Gigabit Ethernet, address is 588d.0941.7130 (bia 588d.0941.7130)
    Description: *** ISE-Riker Proxy SPAN Port
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
       reliability 255/255, txload 10/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
    input flow-control is off, output flow-control is unsupported
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output 00:22:36, output hang never
    Last clearing of "show interface" counters 03:03:20
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14352300
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 42962000 bits/sec, 13051 packets/sec
       33 packets input, 2436 bytes, 0 no buffer
       Received 33 broadcasts (18 multicasts)
       0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 watchdog, 18 multicast, 0 pause input
       0 input packets with dribble condition detected
      223104868 packets output, 98731284385 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier, 0 PAUSE output
       0 output buffer failures, 0 output buffers swapped out
  But the interface on ISE hardly shows any incoming packets:
  # sh int gig 1
  GigabitEthernet 1
            Link encap:Ethernet  HWaddr 00:50:56:8D:4A:C1
            inet6 addr: fe80::250:56ff:fe8d:4ac1/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:3810 errors:0 dropped:0 overruns:0 frame:0
            TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:347928 (339.7 KiB)  TX bytes:936 (936.0 b)
            Interrupt:67 Base address:0x20a4
  I have tested if the vmware virtual network makes the packets disappear, therefore I have connected a windows virtual machine to the same network as ISE 
  Running Wireshark on this windows machine shows me LOOOOOTS of http packets on this virtual network, seem like the ISE nic just doesn't see them ......
  Any ideas ???
  Rgs
  Frank

  1. it is vm, right?    
  Yepp !!
  can you get netstat -i?
  Executed where ?? On the esx host ?? On the ise vm ??
  What do you expect to see ??
  2. Did you configure an ip for the span receive interface?
  No, why should this be necessary ?? (switchport, wireshark, etc. don't need an ip to capture
  packets on a promiscuous interface, even ISE 1.1.4 didn't need one on the http profiling interface .....)
  Configuration guide doesn't say so anyway ......
  if not, you must configure one to make it work.
  looks like you don't have one,,, pls configure one...
  Ok, ok ..., configured an ip address, checked the profiling attributes ...
  Result: did not make any difference ..... (tadaaaahhhhh !!!)
  tcpdump: WARNING: eth1: no IPv4 address assigned
  Right, but tcpdump shows dozens of live packets as they arrive live on ise, they are just not reflected in the "sh int gig 1" counters
  and furthermore not picked up by the application, that is why I would suspect a nic driver malfunction on the underlying linux os ......
  3. on vswitch make sure the port is in promiscuous mode.
  As I already mentioned before in this thread, it is.
  If the vmware virtual network inbetween ise and the non-virtual network would swallow the packets, why would "tech dumptcp 1" show anything at all ??
  (see screenshots above)
  Rgs
  Frank

• Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

  Hello,
  I have configured a Guest SSID with web authentication (captive portal).
  wlan XXXXXXX 2 Guest
   aaa-override
   client vlan YYYYYYYYY
   no exclusionlist
   ip access-group ACL-Usuarios-WIFI
   ip flow monitor wireless-avc-basic input
   ip flow monitor wireless-avc-basic output
   mobility anchor 10.181.8.219
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth parameter-map global
   session-timeout 65535
   no shutdown
  The configuration of webauth parameter map  is :
  service-template webauth-global-inactive
   inactivity-timer 3600 
  service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   voice vlan
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 1.1.1.1
   redirect on-success http://www.google.es
  I need to  login on web authentication on HTTP instead of HTTPS.
  If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
  I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
  Web Authentication on HTTP Instead of HTTPS
  You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
  For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
  For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
  On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
  Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
  Thanks in advance.
  Regards.

  The documentation doesn't provide very clear direction, does it?
  To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

• CSCur27551 - SSLv3 Poodle attack against https in wlc, CVE-2014??-3566 - 1

  Is there  a reason why Cisco doesn't add this code/fix 7.6.130.13 to their main downloads for the 5508 WLC?  I need to get this again and most likely need to resubmit a ticket just to get a link to download.

  Firmware 1.05.36 of MyCloud Mirror fixed that: http://community.wd.com/t5/WD-My-Cloud-Mirror/New-Release-My-Cloud-Mirror-Firmware-Release-1-05-36-7-8-2015/td-p/886778

• ISE Profiling Deployment

  We are starting a ISE deployment to segregate mobile devices (Iphones and IPads, initially) from corporate notebooks. We have a single SSID and two separate vlans, one for mobile devices and another for corporate notebooks, assigned by ISE. We successfully setup profiling in lab environment, with a few devices, but when we put in production  we had problems with devices not being profiled correctly. Since devices are not profiled their access are denied. Since devices are denied the cannot be profiled because ISE doesn´t see any traffic (DHCP, HTTP) from clients.
  What strategy are you using to deploy ISE profiling? Must I put ISE to listen our network for some time before segregating access?

  Hi
  I've had the same problem with first time users being denied, that's due to ise not being able to profile before it denies.
  I think they should come up with something that will profile devices then continue the authentication process.
  Someone mentioned doing a re-auth for couple of seconds. (see attached pic how the authorization rule looks like), that could save you from people being denied for the first time, but if your device is never being profiled then it will just spin there all the time re-authenticating.
  What you could do is also setup an unrouted VLAN and all the unknown devices stay there until profiled.
  I've talked to cisco and they recommened the same thing so I guess that's it for now
  What we have done before deploying ISE and it worked pretty good is I have forwarded all DHCP traffic to ISE before deploying ISE at that particular site, so DHCP forwarding ran for few days and I've already had their devices in my database and when I deployed it, it worked pretty neat
  By forwarding all dhcp requests I mean:
  We have Active Directory and DHCP servers centrally located, so in the router config I've added helper address to ISE ip address and that's it
  Now WLC 7.3 has DHCP PROFILING and HTTP PROFILING options.
  Http profiling sends first https packets to ISE and capturing USER-Agent string, that helps if you browse with safari, but if you use any other application that uses http traffic it will end up totally wrong.
  example you connect with your iphone to wifi and open up VIBER, ISE will capture viber_blabla_smth as user agent and will not profile accurately.
  Hope it helps

• I receive error message when I try to update my profile to download product

  http://profile.oracle.com/jsp/reg/update_failed.jsp?language=en
  "We're sorry. There was a problem in processing your request. "
  I try many times and days but i Can't continue.
  Please help me
  Diego.
  Oracle Partner

  I try to download products from OTN.
  But firts the OTN require me post new information about me and .... I have this trouble.
  I'm partner.
  Diego

• WLC to ISE authentication for Guest

  Hi Experts,
  Hope if you could guide me with our setup for Guest users. Below is what we are doing
  a)     Guest connects to SSID
  b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
  c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
  The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
  'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
  Appreciate your help

  The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
  Please follow below guide for step by step configuration:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• ISE and Android Profiling

  G'day All,
  I am building a wireless ISE solution that will service laptops (windows and OSX) via posture assessment, and mobile devices such as iphone, ipad and android.
  I looking for help with the profiling of the android devices. I am using the profiler radius and HTTP probes, the radius probe appears to be sufficient for the laptops and the iphone/ipads.
  HTTP has been introduced for the Androids as the radius probe wasn't receiving the user agent string from all the test android devices, for example a Samsung Galaxy S3 phone would send the user agent string and be profiled correctly, where as a Samsung Note 10.1 tablet wouldn't send the user agent string, so would be profiled as an unknown device.
  I was attempting to keep it as seamless as possible for the end user. So I am not using device registrations, supplicant provisioning, etc. Obviously the posture assessment process isn't exactly semless, but once the users have downloaded the NAC client, etc, it is pretty seamless from a user interaction point of view, then on.
  From the apple devices and the androids, I have an authorisation policy that says if the device is a profiled iphone/ipad/android, use CWA  and guest portal, users login via AD creadentials and accept the AUP and away they go. Some of the androids ignore this policy and then match on the policy for the laptops (posture assessment). Once connected and in posture pending status, the redirection to the NAC agent page fails, but the android is then profiled correctly via the HTTP probe. If I attempt to browse again, I get redirected to the guest portal via CWA as the devices has been profiled as an Android and the user can login, accept the AUP and away they go.
  I'd love to hear from people who have implemented android profiling in the production environments, and how you have done it?
  I am aware that not using device registrations/supplicant provision, etc isn't exactly validated design, but for the purpose of the Android profiling, it shouldn't be relevant.
  I am presently using ise 1.1.3
  Huge thanks in advanced guys, any assistance is always greatly appreciated.
  Cheers,
  JS

  I have ran into this scenario also and I shy away from using the http profiling on the wireless device sensor because it causes issues with applications that fail to include the typr of device.
  Have you checked the dhcp client identifier? I think the android has an android specific string so you may want to bump up the certaintity factor.
  Sent from Cisco Technical Support Android App

• LWA Guest Access with ISE and WLC

  Hi guys,
  Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
  1. Guests try to connect wifi with SSID Guest
  2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
  3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
  https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
  4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
  5. After that the Guest Login Page will appear, and guests input their username and password.
  6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
  The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
  I know it happened when guests didn't have the WLC Login Page Certificate...
  My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
  Thx 4 your answer and sorry for my bad English....

  Thx for your reply Peter, your solution is right,
  i don't choose CWA, because their DNS is not stable...
  i've found the problem...
  the third-party CA is revoked, so there is no way it will success until it fixed...
  and there is no guarantee, they will fix it soon..
  so solution that we choose is by disable "HTTPS" on WLC...
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable"
  thank you all...

• Profiling a java application with HPjmeter

  I have a java application and i want to identify the performance problems .
  I'm doing a static analyze and a dinamic analyze.
  For the dinamic analyze everything work ok.In the command line i have the options:
  java -agentlib:hjmeter name
  When i want to have a static analyze i have the option:
  java -agentlib:hprof name
  or
  java -Xrunhprof name
  But i get the following error message:
  hprof error:can't create temp heap file: java.hprof.txt.TMP[../../../src/share/demo/jvmti/hprof/hprof_init.c :775]
  My application is running on a HP-UX server:
  java version "1.5.0.03"
  Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0.03-_13_feb_2006_16_39)
  Java HotSpot(TM) Server VM (build 1.5.0.03 jinteg:02.13.06-15:51 PA2.0 (aCC_AP), mixed mode)
  Can anybody help me with some sugestions?
  Thank you!

  inside Java Studio Enterprise/Netbeans stack of tools this functionality is implemented as NetBeans Profiler
  http://profiler.netbeans.org/
  The Profiler hasn't been a part of default Netbeans distribution. The JSE8 is based on NB4.1. Profiler compatible with NB4.1 is an early-access Milestone release, and thus i'd recommend to consider more recent version of the Profiler, the one for NB5.x (though you'd need to install NB5 also).

• OSX Server 3.2.1 Profile variables stopped working

  Hi FOLKS,
  since i upgraded our OXS Server to Version 3.2.1, i can´t use variables like %short_name% or %email% anymore.
  Profile installtion fails with -invalid profile-.
  Anyone ran into this problem too?
  The log shows correct substituion of the needed variables, then creates this strange %20key% is invalid entry and finaly fails to install the profile.
  Regards
  Christian
  0::Sep 25 11:43:52.417 [208] <80.187.106.118> {_connect_transaction_1 (db.php:396)} Status='Idle'
  1::Sep 25 11:43:52.436 [208] <80.187.106.118> {ReplaceSubstitutionVariables (common.php:556)} '%short_name%' => 'xxxxxx'
  1::Sep 25 11:43:52.436 [208] <80.187.106.118> {ReplaceSubstitutionVariables (common.php:556)} '%email%' => 'xxxxx'
  0::Sep 25 11:43:52.437 [208] <80.187.106.118> {ReplaceSubstitutionVariables (common.php:556)} Substitution variable '%20Key%' is invalid, leaving unchanged
  0::Sep 25 11:43:52.437 [208] <80.187.106.118> {ReplaceSubstitutionVariables (common.php:556)} Substitution variable '%20Key%' is invalid, leaving unchanged
  0::Sep 25 11:43:52.520 [208] <80.187.106.118> {Task_generate_next_request (mdm_connect.php:108)} Sending request 'InstallProfile' as CommandUUID=78F829A2-F4C8-407F-82BB-4B021B7E09F3
  1::Sep 25 11:43:52.527 [208] <80.187.106.118> {SendFinalOutput (mdm_connect.php:133)} Sent Final Output (13976 bytes)
  1::Sep 25 11:43:52.527 [208] <80.187.106.118> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_connect
  0::Sep 25 11:43:52.527 [208] <80.187.106.118> {SendFinalOutput (mdm_connect.php:133)} Completed in 114ms | 200 OK [https://profile.dpa.com/devicemanagement/api/device/mdm_connect]
  1::Sep 25 11:43:52.972 [207] <80.187.106.118> {LogElapsedTime (common.php:78)} Time since script start: 128us [https://profile.dpa.com/devicemanagement/api/device/mdm_connect]
  1::Sep 25 11:43:52.972 [207] <80.187.106.118> {require_once (mdm_connect.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - PUT mdm_connect
  1::Sep 25 11:43:52.977 [207] <80.187.106.118> {Target_for_incoming_request (mdm_connect.php:20)} Found target iOS: <'iPhone'[2616](OWNER:User[435])>
  0::Sep 25 11:43:52.977 [207] <80.187.106.118> {_connect_transaction_1 (db.php:396)} Status='Error' CommandUUID=78F829A2-F4C8-407F-82BB-4B021B7E09F3
  0::Sep 25 11:43:52.977 [207] <80.187.106.118> {Task_handle_error (mdm_connect.php:94)} ErrorChain: [ {
  0::Sep 25 11:43:52.977 [207] <80.187.106.118>     'ErrorCode'=>1000,
  0::Sep 25 11:43:52.977 [207] <80.187.106.118>     'ErrorDomain'=>'MCProfileErrorDomain',
  0::Sep 25 11:43:52.977 [207] <80.187.106.118>     'LocalizedDescription'=>'Ung\374ltiges Profil',
  0::Sep 25 11:43:52.977 [207] <80.187.106.118>     'USEnglishDescription'=>'Invalid Profile'
  0::Sep 25 11:43:52.977 [207] <80.187.106.118>   } ]
  1::Sep 25 11:43:53.006 [207] <80.187.106.118> {SendFinalOutput (mdm_connect.php:133)} Sent Final Output (0 bytes)
  1::Sep 25 11:43:53.006 [207] <80.187.106.118> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_connect
  0::Sep 25 11:43:53.006 [207] <80.187.106.118> {SendFinalOutput (mdm_connect.php:133)} Completed in 33ms | 200 OK

  I'm in the same boat and we have about 100 iPads that are in the pipe of getting delivered to customers.
  We manage 2000+ ipads at the moment and these bugs are severely hurting our business.
  We have a payload with SCEP and Certificates and a Wifi-Network that is using the %SerialNumber% variable to create unique certs for every iPads.
  But after this update to 3.2.1 it's crippled and we can't enroll new iPads.
  I'm in desperate need of a fix.
  I've isolated it to that if i create one separate payload with the SCEP and the %SerialNumber% it generates it correct, but if I include the other stuff I need for it all to work it fails.

• Tryin to Profile weblogic with NetBeans Profiler, getting jrocke exception

  Hi there,
  I am using Weblogic 10, and want to profile a web application on it with Netbeans Profiler. But am getting the following exception upon starting weblogic (Please tell a solution......)
  JAVA Memory arguments: -Xms256m -Xmx512m
  WLS Start Mode=Development
  +.+
  CLASSPATH=;C:\bea\patch_wls1001\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\bea\JROCKI~1\lib\to
  +;C:\bea\WLSERV~1.0\server\lib\weblogic_sp.jar;C:\bea\WLSERV~1.0\server\lib\weblogic.jar;C:\bea\modules\features\w+
  +.server.modules_10.0.1.0.jar;C:\bea\modules\features\com.bea.cie.common-plugin.launch_2.1.2.0.jar;C:\bea\WLSERV~1+
  er\lib\webservices.jar;C:\bea\modules\ORGAPA~1.5/lib/ant-all.jar;C:\bea\modules\NETSFA~1.0/lib/ant-contrib.jar;;C
  LSERV~1.0\common\eval\pointbase\lib\pbclient51.jar;C:\bea\WLSERV~1.0\server\lib\xqrl.jar;;
  +.+
  PATH=C:\bea\patch_wls1001\profiles\default\native;C:\bea\WLSERV~1.0\server\native\win\32;C:\bea\WLSERV~1.0\server
  +\bea\modules\ORGAPA~1.5\bin;C:\bea\JROCKI~1\jre\bin;C:\bea\JROCKI~1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS+
  +32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\CVSNT\;C:\bea\WLSERV~1.0\server\native\win\32\oci92+
  +.+
  +*  To start WebLogic Server, use a username and   *+
  +*  password assigned to an admin-level user.  For *+
  +*  server administration, use the WebLogic Server *+
  +*  console at http:\\hostname:port\console        *+
  starting weblogic with Java version:
  Listening for transport dt_socket at address: 8453
  java version "1.5.0_11"
  Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
  BEA JRockit(R) (build R27.3.1-1_CR344434-89345-1.5.0_11-20070925-1628-windows-ia32, compiled mode)
  Starting WLS with line:
  C:\bea\JROCKI~1\bin\java -jrockit -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8453,server=y,suspend=n
  +.compiler=NONE -Xms256m -Xmx512m -agentpath:"C:\Program Files\NetBeans 6.1\profiler3\lib\deployed\jdk15\windows\+
  +rinterface.dll=\"C:\Program Files\NetBeans 6.1\profiler3\lib\"",5140 -Xverify:none -ea -da:com.bea... -da:javel+
  da:weblogic... -ea:com.bea.wli... -ea:com.bea.broker... -ea:com.bea.sbconsole... -Dplatform.home=C:\bea\WLSERV~1.
  +.home=C:\bea\WLSERV~1.0\server -Dweblogic.home=C:\bea\WLSERV~1.0\server -Dwli.home=C:\bea\WLSERV~1.0\integration+
  ogic.management.discover=true  -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.di
  ea\patch_wls1001\profiles\default\sysext_manifest_classpath -Dweblogic.Name=AdminServer -Djava.security.policy=C:
  SERV~1.0\server\lib\weblogic.policy   weblogic.Server
  Profiler Agent: Initializing...
  Profiler Agent: Options: >"C:\Program Files\NetBeans 6.1\profiler3\lib",5140<
  Profiler Agent: Initialized succesfully
  Listening for transport dt_socket at address: 8453
  Profiler Agent: Waiting for connection on port 5140 (Protocol version: 8)
  Profiler Agent: Established local connection with the tool
  Profiler Agent: Unable to get address of JVM_DumpHeap function
  +===== BEGIN DUMP =============================================================+
  JRockit dump produced after 0 days, 00:00:20 on Thu Aug 28 18:46:28 2008
  Additional information is available in:
  C:\bea\user_projects\domains\nms_dev\jrockit.3728.dump
  C:\bea\user_projects\domains\nms_dev\jrockit.3728.mdmp
  If you see this dump, please open a support case with BEA and
  supply as much information as you can on your system setup and
  the program you were running. You can also search for solutions
  to your problem at http://forums.bea.com in
  the forum jrockit.developer.interest.general.
  Error Message: Unhandled native exception [85]
  Exception Rec: EXCEPTION_STACK_OVERFLOW (c00000fd) at 0x004FE3DF
  Minidump     : Wrote mdmp. Size is 297MB
  SafeDllMode  : -1
  .

  It looks like NetBeans does not support JRockit: http://profiler.netbeans.org/docs/help/5.5/vms.html
  Regards,
  /Staffan

• Profiling a Java Application

  I am relatively new in using a profiler. A large simulation software that I developed requires to be profiled. I want to keep track of the memory usage, CPU usage, time, etc associated with a function call etc. I tried to use Sun Studio 8 to run the profiler. It seems the tutorials on profilers .. all of them ... are intended for Enterprise Applications. All I require is to monitor a general Java application. Could someone answer whether it is possible to profile a java Application?

  inside Java Studio Enterprise/Netbeans stack of tools this functionality is implemented as NetBeans Profiler
  http://profiler.netbeans.org/
  The Profiler hasn't been a part of default Netbeans distribution. The JSE8 is based on NB4.1. Profiler compatible with NB4.1 is an early-access Milestone release, and thus i'd recommend to consider more recent version of the Profiler, the one for NB5.x (though you'd need to install NB5 also).

• Application Profilling

  I know how to profil a enterprise application with the Studio but how do I profil a simple application, which starts with a main method?
  Thank you for any help
  Andy

  While Java Studio Enterprise 7 does not have this type of profiler, one is available for free for the NetBeans 4.x IDE. It's called JFluid and is available here:
  http://profiler.netbeans.org/

• ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

  Hello guys
  Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I will like to get some guidance on:
  Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
  I intend to use the DHCP probe as part of device profiling and will ideally like to have just an additional ip helper to add to our switch SVI config. Also, it will appear that WLCs can only be configured for 2 DHCP servers for a given network so another consideration for when we bringing our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
  Thanks in advance
  Sayre

  Hello Sayre-
  For Question #1:
  Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
  You can configure Radius and Profiling to be enabled on other interfaces
  Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
  Take a look at this link for more info:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
  For Question #2
  If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
  The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
  –Option 12—HostName of the client
  –Option 60—The Vendor Class Identifier
  After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
  Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
  On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
  http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
  I hope this helps!
  Thank you for rating helpful posts!