Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Hi, I noticed a couple of errors about vMotion events on my VMware ESXi cluster (mostly 6.7, two hosts have 6.0).
Apparently, two VMs weren't able to migrate due to "the vMotion failed because the destination host did not receive any data from the source host on the vMotion network".
I checked all ports of my hosts in the vMotion VLAN, and they are up and running on Cisco switches.
It seems that just ONE host isn't able to vmkping other hosts on the vMotion VLAN.
I confirm that the affected host HAS its IP address, and it is able to vmkping itself.
From other hosts, I have no ARP entry for this host (checked with esxcli network ip neighbor list | grep IP_OF_ISOLATED_HOST).

How can I troubleshoot this?
Thank you!
A limit of four simultaneous VPN connections was reported by my client. I found they had overlooked the need to renew licensing for AnyConnect. The license key must be applied to the Cisco ASA 5505 and I have priv. level 15 credentials but cannot physically get to the server room due to the quarantine. I can connect to a local management PC via RDP and utilize ASDM successfully.

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

Question 1: Aside from using a console cable, what other methods may I utilize to install the AnyConnect license on the ASA? My searches have all led back to VPN implementation instructions and the console cable method regardless of my attempts to make these results an ill fit through variations of the question. I am grateful for any enlightenment.
Does anyone have any experience with pushing the server paths to the Cisco AnyConnect client? We are moving our gateways around and I cannot find anything online regarding Cisco ADMX files or the settings that I'm looking for.

Many thanks!
Does anyone by chance have step-by-step install documentation created for a Cisco ASA 5508 for AnyConnect? We had a firewall die and installed this one as new. They were IPsec, now on SSL. We need to deploy AnyConnect to everyone and just need to tweak the document to fit our client's config. Any help would be greatly appreciated. No one can tunnel in without setting this up. This is pretty high priority.
Mobile VPN to Cisco ASA 55xx
I wasn't a Cisco user until recently and I have a question that I think a Cisco admin can answer: where do I configure the policies for accessing local LAN resources via a mobile device connected to the ASA 55xx VPN? Any help would be greatly appreciated. Thanks!
We have two Cisco 4500s running IOS 3.06 and using VSS. On one of the interfaces of the port channel that connects to our core switch, we are seeing a high output drop rate. The switch hosts 95% of our VMware server and VDI environment. Cisco support stated the drops are most likely caused by one of the interfaces getting overwhelmed. The load-balancing policy is set to Source IP, and support suggested we change it. Which is the best LB policy to use?
I am looking for AnyConnect 4.8+ version for Mac. Catalina is making my life miserable. I understand if I had Cisco SmartNet this wouldn't be a question, but does anyone know anywhere else to obtain it? ***insert laughing here
Hi, I have a Cisco RV340. I enabled the PPTP server as I had with the old RV042, set up the users and passwords, and from the client I get the following error.

The remote connection was denied because the user name and password combination you provided is not recognized or the selected authentication protocol is not permitted on the remote access server

I have checked MS-CHAP v2 and all.

Thanks all.
Running into an issue where there are perhaps 100 hosts all trying to ping the HSRP address for Active Directory keepalives. Is there a way to determine if the switch is being overwhelmed with ping requests? What would I be looking for?
How do I set up a user so they can connect using SSH to a firewall? I can do it, but I don't know how to assign that person permissions. The firewall is a Cisco ASA 5525.
Hi peoples - my scenario is this: I want to set up my router to forward RDP traffic across my router to my server.
1. All incoming traffic from the ISP goes to G 0/0.
2. I want RDP traffic from 10.1.x.x:3389 to be forwarded to the server.

What commands would I have to set up on the router to achieve this?

Thanks in advance for any help!!
I have been trying to SSH to my ASA 5525 and get a list of users that are currently connected to Remote Access VPN. I run show vpn-sessiondb remote and I get an error that states, "Info: There are presently no active sessions of the type specified". According to ASDM Monitoring > VPN > VPN Statistics > Sessions it shows that I have a number of active sessions. This makes sense because I have one of them.

Any ideas?
When I add a new blade to a UCS chassis, the server profile from a template has it create six vNICs: two for mgmt, two for iSCSI, two for data. They are numbered 0 through 5. And so it is also on the VMware side, where VMNICs are numbered 0 to 5. But the last time I turned the newly registered server over to the VMware admins, the VMNICs 0 through 5 had the MAC addresses all jumbled up. What was 1 in UCS might be 4 in VMware, 2 might align with 3, and so on. My question is: what mechanism determines which NIC, as defined by its MAC address, is associated with what sequence number in VMware? Is it just a matter of how the VMware engineer selects the NICs for attachment to the VM? Do they all come in at once and VMware just decides the sequence number of each? Inquiring minds want to know!

Hi all,

We have a Squid proxy server on Ubuntu 16.04 in our company, and a Cisco ASA redirects the Internet traffic to it through a WCCP tunnel. We planned to upgrade Ubuntu to 18.04 recently.

I set up the new proxy server on Ubuntu 18.04 in a test environment, but WCCP didn't work.

Here are the configurations and some troubleshooting steps I have taken:

### Squid config
acl localnet src  # RFC 1122 "this" network (LAN)
acl localnet src             # RFC 1918 local private network (LAN)
acl localnet src          # RFC 6598 shared address space (CGN)
acl localnet src         # RFC 3927 link-local (directly plugged) machines
acl localnet src          # RFC 1918 local private network (LAN)
acl localnet src         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # …
I was hoping that you can point me in the right direction and provide some instructions on how to complete switch port mapping.
I would like to discover the MAC and possibly IP addresses of all connected devices, and match each with a specific switch port.

- Cisco SNMP configuration
- Recommended network tool (paid version is fine)

We are dealing with multiple Cisco network switches, mostly SG-500s and SG-250s.
Simple flat network for now, two VLANs: default and voice.

Please let me know, your help is much appreciated.

Thank you,
If I wanted to just add a PAN firewall to a DMVPN spoke site with an ISR, would it be fine for the ISR to sit NATted behind the firewall?

{INTERNET}-----[public IP]{PAN}[private IP]------[private IP]{ISR DMVPN}{private site IPs}-----{switch}

Currently the ISR has the public IP at its outside interface. The idea would be to give the public IP to the PAN and NAT to a new private IP on the outside of the DMVPN router. Would DMVPN work in that scenario?

Or would I be better off to configure the PAN as a virtual wire and retain the public IP address at the router?
Hello, I'm using CUCM 11.5 with SIP phones. I have my DIDs, and it looks like I have what I need set up so that I can connect to my ITSP, but when the phones dial in, they cannot establish a connection to download their config files.

I wanted to know what else I need to set up in CUCM for SIP phones.

We have CUCM v12.5 installed. I have users in London, Paris and Singapore and I am having issues with call forwarding.

I am based in London and if I put my 8851 on call forward to my mobile anyone in the London office can call my number and it will forward to my mobile fine.

If someone in my Paris or Singapore offices calls my number they get "Fast Busy". If I turn call forwarding off they can call me fine.

If I forward my number to another internal number it also works fine. The issue just seems to be forwarding to external numbers.

Each location uses its own device pools, partitions, CSSs, etc.

My guess is the call is coming to London and then trying to break out of the London voice gateway, but the format is incorrect. The London voice gateway is a Cisco ISR4321 and is attached to a SIP line.

Thanks in advance
I have 8 GB installed on a VMware ESXi 6.0.0 host and I want to increase the memory of a Cisco Defense Center VM from 4 GB to 8 GB. How do I do this?


On one of my DMVPN Cisco 3945 routers, show license revealed that HSECK9 was enabled. But the column to the right of it said "RightToUse" was no. How can a feature like HSECK9 be enabled but Right To Use be set to no? Is the feature enabled and available to the system or not?

VPN01#sho license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9                 no           no          no             yes      no
securityk9               yes          yes         no             yes      yes
uck9                     yes          yes         no             no       yes
datak9                   yes          yes         no             no       yes
FoundationSuiteK9        yes          yes         no             no       yes
AdvUCSuiteK9             yes          yes         no             no       yes
LI                       yes          no          no             no       no
ios-ips-update           yes          yes         yes            no       yes
SNASw                    yes          yes         no             no       yes
hseck9                   yes          no          no             yes      no
cme-srst                 yes          yes         no             no       yes
mgmt-plug-and-play       yes          no          no             no       no
mgmt-lifecycle           yes          no          no             no       no
mgmt-assurance           yes          no          no             no       no
Have you ever fat-fingered a command into a Cisco device, and then you're blocked from entering anything further as the device attempts to resolve the "host" you've typed? Is there any way to have the Cisco router or switch just tell you it doesn't recognize the command you typed rather than assuming you want it to go on a hunt to resolve your mistake?

% Bad IP address or host name
Translating "sholog"...domain server (
Translating "sholog"...domain server (
Below is a snippet of sho crypto session on a DMVPN router. Although the status of the session is DOWN, I can't get these entries to disappear from the router. I've tried "clear crypto session" and "clear crypto sa peer", yet these keep showing up like a zombie. What's going on with this?

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: port 500
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
I'm looking for help determining the best wireless solution for our environment. We currently have an 8-year-old Cisco 5508 Wireless LAN Controller and 94 Aironet access points split between really 3 buildings. We are due for a refresh and have a bid in from a vendor who is recommending Meraki WiFi 6 with a licensed cloud controller, and did not suggest using a locally managed WLC with Aironet APs.

We are a school district and need feedback, as this is a vendor I have not dealt with before, so I have trust issues. I like the idea of not having a physical piece of hardware on site that, if it fails, takes my wireless down, but I don't like paying costly yearly licensing fees either. Any insight?
I have an ASA adjacent to a router with the following redistribution into the EIGRP AS shared with the Cisco ASA:

redistribute eigrp 100 metric 100000 0 255 1 1500 route-map EIGRP100-TO-EIGRP10

When I look on the ASA route table it's showing an AD of 170 and a metric of 25856 for the routes in EIGRP 10 that were redistributed from EIGRP 100.

EIGRP Metric = 256 * ( (K1*Bw) + ( (K2*Bw) / (256-Load) ) + (K3*Delay) ) * ( K5 / (Reliability + K4) )    {I'm assuming default K values 1 0 1 0 0}

256*((1*100,000)+((0*bw/256-load))+(1*0)   *    (0/255+0) => 25,600,000
           K1*BW             K2*Bw                    K3*Delay   K5/(Rel+K4)

Anyhow, the ASA is seeing traffic taking this route as 25856. I cannot figure out where that number is coming from. The actual bandwidth between the ASA and router is 1 Gbps.

Any insight appreciated!
Dear Experts,

I would like to find out what would be the best-suited network certification for me to obtain.
I have a mish-mash background: after getting an M.S. in computer science with a software engineering emphasis, I worked as a software/field engineer, then as a software project manager.
After taking time off to raise children, I started my own business as an IT consultant, where I did everything from hardware/software installation, infrastructure management, and training to troubleshooting for small businesses. All of my knowledge came from basically learning as I needed from vendors and other sources.
A few more jobs later, I am now bouncing back and forth between Sr. System/Network Admin roles at my current employer.
My problem is, besides my degree, I do not have any certification, but I can administer Cisco/Fortinet firewalls, switches, Windows servers and Exchange servers, and am versed in PowerShell scripts as well as Java and VBA. I feel very non-standardized and would like to have some type of certification. Since I really don't need to learn more about Windows servers or Azure AD, I was leaning towards some type of network certification: Cisco, CompTIA Network+, etc. I do have basic theoretical knowledge of networking from my graduate courses; however, I have a feeling some of it is outdated at this point.
Please advise.