Ironport WSA - Management interface

Hello,
I have installed an IronPort WSA appliance for my customer.
I would like to configure the following interfaces:
- M1: for management
- P1: for the production interface
- T1: for L4 inspection
I have specified a default route for M1 and P1.
When I tried to ping the Internet or perform an update of the WSA, I saw the request exit via the M1 interface.
It doesn't work because the management network can't reach the Internet (it's the customer's policy).
- Is it normal that the WSA upgrade and the ping exit via the M1 interface?
- If I want to perform NTLM authentication (with an AD domain), is the request with the server and the client performed with P1 or M1?
- Do the antivirus & SensorBase updates use M1 or P1?
- I thought that M1 was only used for management of the WSA (SSH and HTTPS).
- How can the WSA appliance manage two default routes?
Can you give me more information about M1 and P1 and the role of each one?
Best Regards
Cédric

You can change the route that the updates and upgrades use by going to System Administration > Upgrade and Update Settings. Then click on "Edit Update Settings". You can pick the routing table/interface here. By default it's set to the management interface.
I'm fairly sure that the NTLM traffic from the WSA to the domain is via the management interface.
P1 is for the proxy traffic. Whatever way you get Internet traffic to the box, it goes through P1, in and out (unless you use P2).
M1 is for all of the other stuff: web management, SSH, updates, LDAP/NTAuth, etc.
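To illustrate the answer above (two default routes that never conflict because each lives in its own routing table, and each service is bound to one table), here is an added Python model. It is not from the thread and not Cisco's code. The interface names M1/P1, the Management/Data table names and the default service bindings follow the reply; the sample addresses, the `RoutingTable` class and the `set_update_routing_table`, `egress` and `violates_mgmt_policy` helpers are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample networks (RFC 1918 / RFC 5737); not taken from the thread.
MGMT_NET = "10.0.0.0/24"    # customer management network: no Internet egress allowed
DATA_NET = "192.0.2.0/24"   # production network the proxy interface P1 sits on


class RoutingTable:
    """One independent routing table doing longest-prefix match.

    Each route is (prefix, next_hop, interface); 'connected' marks a directly
    attached network. Two tables may each carry their own 0.0.0.0/0 default
    route without conflicting, because a packet only ever consults one table.
    """

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh, iface) for p, nh, iface in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        if best is None:
            raise LookupError(f"no route to {dst} in table {self.name}")
        return best[2], best[1]


# Assumed table layout: one default route per table, each pointing out its own interface.
TABLES = {
    "Management": RoutingTable("Management", [
        (MGMT_NET, "connected", "M1"),
        ("0.0.0.0/0", "10.0.0.1", "M1"),
    ]),
    "Data": RoutingTable("Data", [
        (DATA_NET, "connected", "P1"),
        ("0.0.0.0/0", "192.0.2.1", "P1"),
    ]),
}

# Which table each service consults. Defaults mirror the reply: proxy traffic
# uses the data interface, everything else (updates, NTLM, SSH) the management one.
SERVICE_TABLE = {
    "proxy": "Data",
    "updates": "Management",   # default of "Upgrade and Update Settings"
    "ntlm": "Management",
    "ssh": "Management",
}


def set_update_routing_table(table):
    """Model of choosing a routing table under Edit Update Settings (assumed helper)."""
    if table not in TABLES:
        raise ValueError(f"unknown routing table {table!r}")
    SERVICE_TABLE["updates"] = table


def egress(service, dst):
    """Return (interface, next_hop) that a packet of `service` to `dst` leaves on."""
    return TABLES[SERVICE_TABLE[service]].lookup(dst)


def violates_mgmt_policy(service, dst):
    """True when the packet would leave M1 toward a host outside the management
    network, which the customer's policy in the question does not permit."""
    iface, _ = egress(service, dst)
    outside = ipaddress.ip_address(dst) not in ipaddress.ip_network(MGMT_NET)
    return iface == "M1" and outside


if __name__ == "__main__":
    internet = "203.0.113.10"   # constructed public address (RFC 5737)
    print("updates (default):", egress("updates", internet), violates_mgmt_policy("updates", internet))
    set_update_routing_table("Data")
    print("updates (Data table):", egress("updates", internet), violates_mgmt_policy("updates", internet))
    print("proxy:", egress("proxy", internet))
    print("ntlm to DC 10.0.0.5:", egress("ntlm", "10.0.0.5"))
```

Running it shows the symptom from the question: with the default binding an update to an Internet host leaves via M1 and trips the management-network policy, while after switching the update service to the Data table the same destination leaves via P1. NTLM to a domain controller on the management network stays on M1 and is fine either way.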

Similar Messages

  • IronPort WSA management through Security Management Appliance

    Hi,
    I have two identically configured (policies) IronPort WSA S670 appliances running 7.5.0-833, both added to an SMA M670 management appliance running 7.9.1-102. Appliance A has its McAfee license expired. Newly installed appliance B has McAfee running for 28 more days. "Sophos" is enabled on both and working well. Config Master 7.5 was built based on the config from appliance A.
    Now, when I want to push the Config Master to both associated WSAs, it fails on appliance B because "McAfee" is disabled in the Config Master but enabled on it. The setting "Security Services Display" in the M670 was changed to enable "McAfee", but now appliance A fails with a mismatch error on publishing.
    How can I work around this? Can the McAfee license/feature key on appliance B be expired/disabled now without waiting 28 days to let it expire?
    Thanks,
    Rick.

    Hello Rick,
    You can disable McAfee globally on the SMA by going to:
    GUI -> Web -> Utilities -> Security Services Display -> Edit Display Settings -> Under Configuration Master 7.5 ->
    Do your Web Appliances have McAfee Anti-Malware enabled? -> Uncheck the box and submit.
    Also, disable McAfee on the appliance that has 28 days of the license left. This way McAfee will be disabled on all your boxes.
    I hope this helps.
    Regards,
    -Puja

  • Cisco Ironport management interface IP configuration?

    Hi,
    For configuring the management interface IP for a Cisco IronPort device, should it be on a public IP address or a private IP address? Could you please confirm the IP address design for the IronPort management interface? Thanks.
    arman

    Greetings Aman,
    The answer to this question depends on several factors, what you intend to do with the appliance, how you intend on allowing access to the appliance and where it sits in your network. Typically customers will utilize the management interface on their internal network thus giving it a private IP. This way the web interface, ssh and ftp access are allowed internally but not to the public.  Those services can be enabled on other interfaces as well, but the most common practice is to set up the management interface for internal access only on your private network.
    Christopher C Smith
    CSE
    Cisco IronPort Customer Support 

  • IronPort WSA S650 Failed to acquire the server manifest

    Hello,
    I have a demo WSA S650 from Cisco and the appliance can't download the definition updates and AsyncOS updates.
    IronPort WSA S650
    According to:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10128/ps10154/eol_c51-716512.html
    the WSA is End of SW Maintenance Releases Date: December 31, 2012.
    On cisco.com I can't find a new AsyncOS version for the S650 series in the download area (the section for the S650 is gone).
    When I try to update the appliance I get the error: Failed to acquire the server manifest
    From a browser I go to: http://updates.ironport.com/fetch_manifest.html
    After I insert the serial number and version I get the error:
    An error occurred.
    (('base', 'get_server_manifest', '851'), 'phone.base.ManifestError', 'Connection unexpectedly closed.', '[local_manifest|web_fetch_manifest|247] [local_manifest|assemble_manifest|299] [base|get_server_manifest|851]')
    I believe that this WSA doesn't have the rights to download the web filtering definition updates!

    It seems that the appliance doesn't care about the update settings.
    I have set up the updates to be done via the data interface; all routes are checked and are OK, but the updates are not working.
    When I set up only one interface for management and data the updates worked, so I suppose that the update was done on the management interface even though I set it up to be done on the data interface.

  • ACE working with IronPort WSA server farm

    We have an ACE load balancing a group of IronPort WSAs. The WSAs are working with the IP Spoofing feature, so the request to the WWW has the source IP address of the WSA client and not the WSA itself.
    We followed the referenced document, but it is not working. When the packet coming from the Internet has the WSA client address as its destination address, the ACE cannot deliver the packet even with mac-sticky configured.
    I read in another forum that the ACE needs to have the destination IP address in its ARP table or route table to be able to deal with the packet by the encapid.
    But we don't have this entry in the ARP table.
    When we configure the WSA with IP spoofing and the source IP address is the WSA itself, the configuration works fine.
    Has anyone had this kind of problem on some occasion?
    Thank you,
    Everaldo

    Hi Jorge,
    The behavior is when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with Internet is not established. I captured the packets that arrive in the ACE coming from Internet and I see SYN packets with source address as a public IP (Google) and the destination address as the internal client IP address with no ACK just RST.
    With no IP Spoofing, meaning that the IP source address is the WSA, the connection is established with no RST.
    Here is the output of the commands:
    show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
    Status     : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 304
      service-policy: WSA-VIPS
        class: WSA_VIP_TCP_3128
         VIP Address:                              Protocol:  Port:
         10.10.193.25                              tcp    eq   3128
          loadbalance:
            L7 loadbalance policy: WSA-POLICY
            VIP Route Metric     : 77
            VIP Route Advertise  : ENABLED-WHEN-ACTIVE
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            VIP DWS state: DWS_DISABLED
            Persistence Rebalance: DISABLED
            curr conns       : 3         , hit count        : 1260
            dropped conns    : 4
            conns per second    : 0
            client pkt count : 19271     , client byte count: 2326106
            server pkt count : 26140     , server byte count: 16572023
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
            L7 Loadbalance policy : WSA-POLICY
              class/match : class-default
                LB action :
                   primary serverfarm: WSA_FARM
                        state: UP
                    backup serverfarm : -
                hit count        : 1260
                dropped conns    : 0
                compression      : off
          compression:
            bytes_in  : 0                          bytes_out : 0
            Compression ratio : 0.00%
                    Gzip: 0               Deflate: 0
          compression errors:
            User-Agent  : 0               Accept-Encoding    : 0
            Content size: 0               Content type       : 0
            Not HTTP 1.1: 0               HTTP response error: 0
            Others      : 0
    switch/WSA# show probe WSA_TCP_3128
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    switch/WSA# show probe WSA_TCP_3128 detail
    probe       : WSA_TCP_3128
    type        : TCP
    state       : ACTIVE
    description :
       port      : 3128         address   : 0.0.0.0
       addr type : -            interval  : 5       pass intvl  : 10
       pass count: 3            fail count: 30      recv timeout: 10
       conn termination : FORCED
       expect offset    : 0         , open timeout     : 3
       expect regex     : -
       send data        : -
                    ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       serverfarm  : WSA_FARM
         real      : WSA-01[0]
         real      : WSA-02[0]
                              10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 2         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 0
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Sep  3 21:06:47 2012
       Last fail time      : Mon Sep  3 20:45:05 2012
       Last active time    : Mon Sep  3 20:45:57 2012
         real      : WSA-03[0]
         real      : WSA-04[0]
         real      : WSA-05[0]
         real      : WSA-06[0]
         real      : WSA-07[0]
         real      : WSA-08[0]
         real      : WSA-09[0]
         real      : WSA-10[0]
    Thank you,
    Everaldo

  • Cisco ironport WSA Communication Ports.

    Hi, can anybody please suggest the different ports the WSA uses to communicate with devices like AD using NTLM, ACS, NTP, etc.?
    Regards,
    Fayz

    Hi,
    The WSA uses the management interface to communicate with AD.
    Thanks
    Chris

  • ASA 5515 management interface

    I started to configure a new ASA 5515 to replace an 5510.  When I attempted to remove the "management-only" command from the Management0/0 interface I was greeted with the following error:
    "ERROR: It is not allowed to make changes to this option for management interface on this platform."
    Does this mean we can't use the management interface anymore on these newer ASAs? I was planning on using that port when we bought it. If this is the case, let this be a warning to whoever is counting the management port as a 7th interface on the 5515!

    Update: I just found out that you can't use the management interface for failover purposes either. Argggggg.
    "Management interface cannot be configured for failover on this platform."

  • Home Hub 3.0B Management interface unresponsive.

    This month (2 weeks ago) I upgraded to Infinity 2 and got a new Home Hub 3.0 Type B.
    I was able to get it all working as I wanted: home network using 172.16.0.1/23 (because of conflicts with VPNing into work, which already routes 192.168./16 and 10./8).
    However, often, very often, trying to access the Hub web interface on 172.16.0.1 or via bthomehub.home simply fails to respond, regardless of the browser, or me using telnet to simulate an HTTP call.
    #host bthomehub.home 172.16.0.1
    Using domain server:
    Name: 172.16.0.1
    Address: 172.16.0.1#53
    Aliases:
    bthomehub.home has address 172.16.0.1
    # telnet 172.16.0.1 80
    Trying 172.16.0.1...
    Connected to 172.16.0.1.
    Escape character is '^]'.
    GET /
    And it just hangs.
    Even though the web management interface is unresponsive, the internet seems to work ok, though wifi is sporadic.
    Rebooting the hub doesn't seem to help.  I read some reports of badly fitted heatsinks on these Type B's - so could mine be over heating and causing this lock up?  If I leave it and try again in a few hours it may work again.  Yesterday the internet connection dropped twice and when I was able to login to the web interface, the Event log showed that the hub had spontaneously rebooted itself.
    Do I have a bad home hub?

    Hi pgregg,
    Have you tried a full reset of the hub yet? Not just a reboot?
    Chris
    BT Mod Team.
    If you like a post, or want to say thanks for a helpful answer, please click on the Ratings star on the left-hand side of the post.
    If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’.

  • End-user notification is not working for one of the uncategorized HTTPS websites on IronPort WSA

    When users try to access the URL https://cloud.skytap.com/tools/connectivity they are getting 'Internet Explorer cannot display the webpage' instead of the regular IronPort WSA end-user notification. This URL is currently uncategorized. Please advise.

    Yes, we have set drop for all the uncategorized URLs. We do get end-user notifications for HTTP websites which are uncategorized.
    However, for any of the HTTPS websites which are uncategorized, we won't get the end-user notification.

  • WLC Duplicate IP address detected for AP-Manager Interface

    I am getting an error log in the WLC saying its IP address is duplicated by another machine with MAC address A.B.C.D.
    But this MAC address A.B.C.D is the MAC address of the AP-Manager Interface in the same controller.
    Model No.                   AIR-WLC2106-K9
    Software Version                 7.0.116.0
    %LWAPP-3-DUP_IP: spam_lrad.c:27626 Adding client 58:b0:35:83:72:86 to  exclusion list due to IP Address conflict with AP 'AP_DUXO_3'
    %LWAPP-3-DUP_AP_IP: spam_lrad.c:27612 Duplicate IP address  detected for AP AP_DUXO_3, IP address of AP  10.184.1.224, this is a  duplicate of IP on another machine (MAC address 58:b0:35:83:72:86)
    Cisco AP Identifier.............................. 1
    Cisco AP Name.................................... AP_DUXO_3
    Country code..................................... US  - United States
    Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
    AP Country code.................................. US  - United States
    AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N
    Switch Port Number .............................. 1
    MAC Address...................................... cc:ef:48:1a:e4:af
    IP Address Configuration......................... Static IP assigned
    IP Address....................................... 10.184.1.224
    IP NetMask....................................... 255.255.0.0
    Gateway IP Addr.................................. 10.184.20.2
    Domain...........................................
    Name Server......................................
    NAT External IP Address.......................... None
    CAPWAP Path MTU.................................. 1485
    Telnet State..................................... Enabled
    Ssh State........................................ Disabled
    Cisco AP Location................................ DUXO_BOX
    Cisco AP Group Name.............................. default-group
    Does anyone have an issue like this ?

    Are you sure this MAC address 58:b0:35:83:72:86 isn't some type of Apple device? Its OUI is registered to Apple. How do clients get IP addresses, DHCP? It appears that the IP 10.184.1.224 is statically assigned to your AP-manager and that this client 58:b0:35:83:72:86 is either getting that same IP from DHCP or the client is statically assigning it themselves.
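The reply above boils down to two checks a defender can automate: pull the offending MAC and the conflicting IP out of the %LWAPP-3-DUP_IP / %LWAPP-3-DUP_AP_IP messages, then compare that MAC against the AP's own MAC from the AP inventory (the poster's confusion) and look up its OUI. The following Python is an added example, not code from the thread or from Cisco. The log lines and the AP entry are constructed from the text quoted in the post; the 58:b0:35 = Apple mapping is the reply's statement, the cc:ef:48 entry in the tiny OUI table and the `parse_line`, `vendor` and `analyze` helpers are assumptions for illustration.

```python
import re

# Constructed sample lines, patterned on the two messages quoted in the post above.
LOG_LINES = [
    "%LWAPP-3-DUP_IP: spam_lrad.c:27626 Adding client 58:b0:35:83:72:86 to  exclusion list "
    "due to IP Address conflict with AP 'AP_DUXO_3'",
    "%LWAPP-3-DUP_AP_IP: spam_lrad.c:27612 Duplicate IP address  detected for AP AP_DUXO_3, "
    "IP address of AP  10.184.1.224, this is a  duplicate of IP on another machine "
    "(MAC address 58:b0:35:83:72:86)",
]

# AP inventory built from the 'show ap config' excerpt in the post (static IP, AP MAC).
AP_INVENTORY = {"AP_DUXO_3": {"mac": "cc:ef:48:1a:e4:af", "ip": "10.184.1.224"}}

# Minimal OUI table. The reply states 58:b0:35 is registered to Apple; the
# cc:ef:48 entry is an assumption added here for illustration only.
OUI_VENDORS = {"58:b0:35": "Apple", "cc:ef:48": "Cisco (assumed)"}

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
DUP_IP_RE = re.compile(r"%LWAPP-3-DUP_IP:.*?client " + MAC + r".*?with AP '([^']+)'", re.I)
DUP_AP_IP_RE = re.compile(
    r"%LWAPP-3-DUP_AP_IP:.*?for AP ([^,]+), IP address of AP\s+(\d+\.\d+\.\d+\.\d+)"
    r".*?\(MAC address " + MAC + r"\)", re.I)


def parse_line(line):
    """Extract type, AP name, IP and MAC from a DUP_IP / DUP_AP_IP syslog line, else None."""
    m = DUP_IP_RE.search(line)
    if m:
        return {"type": "DUP_IP", "mac": m.group(1).lower(), "ap": m.group(2), "ip": None}
    m = DUP_AP_IP_RE.search(line)
    if m:
        return {"type": "DUP_AP_IP", "ap": m.group(1), "ip": m.group(2), "mac": m.group(3).lower()}
    return None


def vendor(mac):
    """Vendor for the first three octets of a MAC, from the tiny table above."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def analyze(lines, inventory):
    """Classify each conflict: is the reported MAC the AP itself or a foreign device?"""
    findings = []
    for event in filter(None, map(parse_line, lines)):
        ap = inventory.get(event["ap"])
        if ap is None:
            verdict = "unknown-ap"   # AP name not in inventory: cannot judge
        elif event["mac"] == ap["mac"]:
            verdict = "self"         # the AP's own MAC: no second host holds the address
        else:
            verdict = "foreign"      # another host is using the AP's static IP
        findings.append({
            "type": event["type"],
            "ap": event["ap"],
            "ip": event["ip"] or (ap["ip"] if ap else None),
            "offender_mac": event["mac"],
            "vendor": vendor(event["mac"]),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_LINES, AP_INVENTORY):
        print(f"{f['type']}: AP {f['ap']} ({f['ip']}) conflicts with "
              f"{f['offender_mac']} [{f['vendor']}] -> {f['verdict']}")
```

On the constructed input both events come out as "foreign" with vendor Apple, which is exactly the reply's reading: the logged MAC is not the AP's own cc:ef:48 address, so some other host is sitting on 10.184.1.224. Feeding it an inventory where the AP's MAC equals the logged MAC yields "self", the case the poster thought they were seeing.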

  • I accidentally deleted my ap-manager interface. How can I get it back? WLC4400

    I accidentally deleted my ap-manager interface. How can I get it back? WLC4400
    Thanks in advance..
    Interface Name   Port  Vlan Id  IP Address       Type     Ap Mgr
    admin_users      1     301      10.147.1.8       Dynamic  No
    hvac             1     268      172.19.15.8      Dynamic  No
    management       1     447      10.147.8.8       Static   No
    nwlan            1     862      10.147.6.8       Dynamic  No
    service-port     N/A   N/A      192.168.168.200  Static   No
    switch mgmt      1     1        192.168.15.8     Dynamic  No
    virtual          N/A   N/A      1.1.1.1          Static   No
    voice            1     860      10.147.4.8       Dynamic  No

    Take a look at this documentation:
    http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52mint.html#wpmkr1159694
    It should help with creating ap-manager interfaces.

  • Standard Asynchronous ES for Quality Management interface

    Hi,
    Synchronous standard ES is available for Quality Management interfaces under ES bundle. 
    Could you please suggest if there is any standard Asynchronous ES available for above QM interfaces like Inspection plan, Inspection results and Usage Decision.
    Br,
    Madan

    Dear Hummel
    This link requires an SAP ID and is useless for those who do not have S User IDs.
    Furthermore, could you please differentiate the standard SAP QM process compared to the QM process in RDS?

  • WLC to use Management Interface & Few more getting started Questions

    Hello,
    I'm yet to implement the Wireless LAN in one of our client's corporate offices. There are 40 x 1130AG LWAPP APs and a 4404 WLC with ACS 4.x for the authentication of the wireless clients trying to access the LAN.
    For the WLC to connect to the dual core switches, I need to use only one Management Interface, with Distribution System port 1 being the primary and DS port 2 mapped as the backup port for the Management Interface. Is this right? Or do I have to configure dynamic interfaces as well? Is the management interface for access / management and configuration only? The Management Interface will communicate with ACS for AAA and with APs that would like to associate with the WLC, is this right?
    Note: WLC, AP's, Wireless Clients & AP's are in the same IP Subnet.
    Few other question of WLAN's so it helps me during implementation -
    • Can I use the 802.1x Authentication application found in the Windows XP for the Wireless Interface; instead of Cisco Client Application. For this; I have to configure the WLC / Wireless Client to use EAP algorithm; is this Right?
    • With the help of RRM, the channel interference between multiple AP's (3 - 4 AP's) in the same area is controlled by the WLC by changing the Channels used by the AP which is not same on all the AP's. Is this right?
    • How many Client Users will connect per Channels. 802.11 a / g will provide 11 Channels, is this Right?.
    • I'm trying to set in the WLC to limit the Client connections per AP to 25, can this be achieved?
    Please, can anyone help me in clarifying the above points.
    Regards,
    Keshava Raju

    Many Thanks Mr. Dennis for your help & Clarification.
    With reference to your reply, point no. 1: I have actually planned to connect one Gig port of the controller to each of the dual Cisco core switches. Can I use all 4 controller interfaces configured as a LAG, with ports 1 & 2 connecting to Core Switch 01 and ports 3 & 4 connecting to Core Switch 02?
    I have two final questions; could you help me clarify these?
    • I'm willing to configure Multicast communication between the WLC & AP's. For this configuration is it necessary to Connect the WLC in a different VLAN than the VLAN of the AP's. Is it necessary that I have to set the controller to LWAPP Layer 3 mode to support the Multicast communication?
    • Though I do not have implementation experience of the WLAN. My understanding of the Interface settings on the WLC - is I will have to configure one Management Interface for in-band management. Do I have to configure AP-Manager Interface (to support Multicast communication) and to make the WLC to communicate with ACS for Client Authentication. All of the Wireless Devices including the ACS are in one VLAN / IP Subnet, is only one Management Interface is enough for communicating with AP's (with Multicast) and communicating with ACS for forwarding the Authentication messages between the ACS & Wireless Clients?

  • Setting management interface WLC 7.4.121.0

    Hello.
    I have a problem setting the Management interface IP in a new 5508 controller. I get the error "Error in setting management interface IP". I cannot set a management IP on the controller.
    Starting IPv6 Services: ok
    Starting Config Sync Manager : ok
    Starting Hotspot Services: ok
    Starting PMIP Services: ok
    Starting Portal Server Services: ok
    Starting mDNS Services: ok
    Starting Management Services: 
       Web Server:    CLI: ok
       Secure Web: Web Authentication Certificate not found (error). If you cannot access management interface via HTTPS please reconfigure Virtual Interface.
       License Agent: ok
    (Cisco Controller) 
    Welcome to the Cisco Wizard Configuration Tool
    Use the '-' character to backup
    Would you like to terminate autoinstall? [yes]: -
    Invalid response
    Would you like to terminate autoinstall? [yes]: no
    System Name [Cisco_bf:dd:c4] (31 characters max): 
    AUTO-INSTALL: process terminated -- no configuration loaded
    Enter Administrative User Name (24 characters max): admin
    Enter Administrative Password (3 to 24 characters): ********
    Re-enter Administrative Password                 : ********
    Service Interface IP Address Configuration [static][DHCP]: none
    Service Interface IP Address: 1.1.1.1
    Service Interface Netmask: 255.255.255.0
    Enable Link Aggregation (LAG) [yes][NO]: no
    Management Interface IP Address: 192.168.10.1
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 192.168.10.10
    Error in setting management interface IP 
    Management Interface IP Address: 10.10.10.1
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 10.10.10.100
    Error in setting management interface IP 
    Management Interface IP Address: 
    Has anyone faced this issue?
    Thanks. 

    Hi,
    Try these:
    1. With the WLC, please set flow control (in SecureCRT or HyperTerminal) to none. Once the changes are made, the CLI will start working as usual.
    2. Another common reason can be related to the virtual interface configuration of the controller. In order to resolve this problem, remove the virtual interface and then re-generate it with this command:
    WLC>config interface address virtual 1.1.1.1
    Then, reboot the controller. After the controller is rebooted, re-generate the webauth certificate locally on the controller with this command:
    WLC>config certificate generate webauth
    In the output of this command, you should see this message: Web Authentication certificate has been generated.
    Now, you should be able to access the secure web mode of the controller upon reboot.
    3. Try to use a different IP address for the service interface; don't use 1.1.1.1.
    Regards
    Don't forget to rate helpful posts

  • Mobility group only works using management interface?

    Hello, in order to establish the control traffic between 2 WLC-5508s, is it necessary to use the management interface?
    Is it possible using a dynamic interface or the service port?
    I think it only works with management interface,  but I don't understand the meaning of this text in the Configuration Manual:
    "Mobility control packets can use any interface address as the source, based on routing table."
    Thank you,

    No... mobility communication is done only with the management interface.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****
