ACS sends NetBios broadcasts

Hello

We have two devices ACS and they send a large number of NetBios broadcasts. Why they are sent (are they necessary) and is it possible to disable this?

Thanks in advance and best regards

Dominic

If your ACS a version 4.2 device there is a bug that identifies this problem, it is not yet fixed I would advise you to subscribe to this bug to get updates as to when it will be fixed:

http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=%20CSCsw19289

CSCsw19289

Tags: Cisco Security

Similar Questions

Authentication ACS 16:01

We have an existing servers Cisco ACS 4.1 ha deployment wireless with 802 user authentication. 1 X against AD. We are seeking to remove a number of former DCs in the near future. Before retiring from the DCs, I want if ensure no authentication request is not sent to them. Since the interface of GBA, I can't determine what DC IP / host names GBA points to. Within databases users Exernal-> Database Configuration-> database Windows, I see no mention of the server ip address / host name. I ran through the configuration he guide but have not seen any place where you enter the information either. Is it possible that the IP addresses of the servers DC may also be stored in a file of configuration on the server itself? Are there any suggestions short of performance capture wireshark to/from each of the domain controllers to see if authentication requests from the ACS servers? Any advice or suggestions would be appreciated.

From the perspective of the ACS, this may be because it is not under the control of the AEC to choose the domain controller. ACS sends the user credentials to a database of Windows by passing the user credentials for the Windows operating system of the computer running ACS for Windows or the remote agent Solution engine. The success or failure of the ACS authentication request Windows database.

You can refer to the link listed below:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser....
2/user/guide/UsrDb.html#wp353547

If you run ACS on windows you have a freedom to use the lmhost windows file.

The final goal to ensure communication with specific domain controllers, on the member server running ACS, configure an LMHOSTS file to include entries for each domain controller that must authenticate the ACS. The format of an LMHOSTS file is very special. Make sure you understand the requirements of configuration of the LMHOSTS file. For more information, see:

-Microsoft.com: LMHOSTS file
-L' sample LMHOSTS file is provided with the Windows operating system.
The default location and name of the file of the sample is
SystemRoot > \system32\drivers\etc\lmhosts

For more information, please see the below listed doc
http://www.Scribd.com/doc/50262863/345/using-the-Lmhosts-file

NOTE: In order to check what domain and ACS DC trying to connect, check auth.log when complete the value of logging.

I hope this helps.

Kind regards

Jatin kone

* Make the rate of useful messages *.

ACS wireless authentication failed

Greetings,

We have recently migrated to IAS in Windows to Cisco ACS 5.2.0.26 for our wireless authentication and use PEAP-MSCHAPv2 hit AD. Everything seems to work fine except when a user account has a restriction on which machines they are allowed to connect to, date to which an ACS journal entry shows as follows.

24441 account not allowed to log on by using the current workstation

This was work properly when we were using the IAS server and I think ACS is not just pass the attributes required at this time. All know how what extra configuration may be needed in ACS to support this configuration?

See you soon,.

Rob

Sounds like you have enabled computer authentication. In the case of ACS wireless can get the names of the authentication request machine. With this strategy/limitation defined in Active Directory to apply the restriction of user login then ACS will have to provide a name of host machine for each request that it send to Active Directory. As it has already set up it is not possible for the CSA to know the name of the actual machine of the authentication of the user, ACS sends a default name for the machine its own name with each request to AD. On the ad, we create a computer by name of ACS account and then allow all users to connect to this computer. This way ACS is allowed to authenticate all.

If please see Add GBA as a computer account on the ad with the same host name and see if helps.

Rgds,

Jousset

The rate of useful messages-

802. 1 x with dACL - prefix of an invalid attribute: "ACS."

Dear all,

I spent half an update to fix this problem without success, I hope you could help me.

I configured a simple solution of 802. 1 x on a PC driver who must authenticate through PEAP-MSCHAPv2 users against my user database internal GBA.

Version of the switch:

Model number: WS-C3750V2-48PS-S

Software: c3750-ipbasek9 - mz.122 - 52.SE.bin

ACS:

C1121 with version 5.3.0.40

The problem occurs when the ACS sends within the radius Authentication accept packet the following attribute:

Cisco-AV-pair=ACS:CiscoSecure-defined-ACL=#ACSACL#-IP-auth-4eb90704

On the side of the switch, I see the following debug log:

002558: 8 Nov 14:31:35.586: % AUTHMGR-5-START: start "dot1x' for the client (0022.680b.da7b) on the Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

002559: 14:31:35.703 8 Nov: AAA/ATTR: prefix of an invalid attribute: "ACS."

002560: 8 Nov 14:31:35.703: % DOT1X-5-FAIL: failure of authentication for the client (0022.680b.da7b) on the Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

002561: 8 Nov 14:31:35.703: % AUTHMGR-7-RESULT: result of the "dead server" authentication of 'dot1x' for the client (0022.680b.da7b) on the Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

802.1 x switch associated config:

GLOBAL:

Group AAA dot1x default authentication RADIUS

Group AAA authorization network default RADIUS

start-stop radius group AAA accounting dot1x default

RADIUS-server host 172.31.254.140 auth-port 1645 acct-port 1646

RADIUS-server host 172.31.254.141 auth-port 1645 acct-port 1646

RADIUS server key 7 123415ASFASFAS55512

RADIUS vsa server send accounting

RADIUS vsa server send authentication

analysis of IP device

IP access-list extended by DEFAULT, ALL

allow an ip

SPECIFIC PORT

interface FastEthernet1/0/1

Description model Port 802. 1 x

switchport access vlan 244

switchport mode access

IP access-group by DEFAULT, while

authentication event fail following action method

open authentication

authentication priority dot1x mab

Auto control of the port of authentication

periodic authentication

MAB

dot1x EAP authenticator

dot1x tx-time 10

end

Next to the ACS authentication ends successfully, but for some reason, the switch cannot understand attribute was sent by the ACS:

Why Authentication translates as 'server-dead?

Hereby, I have attached the authorization profile, the downloadable ACLs and the detail of the RADIUS authentication for the request...

Any idea?

Thank you very much!

Yes, I came across the same issue and ended up as a bug with the 3750

CSCtj28883 dACL attribute the parsing failed when debug "author of aaa" on

Description is

The DACL processing fails when the following debug settings are turned on.

1 debug aaa attr

2 debug aaa authorization

The same works very well when they are turned down. Set the switch of newspaper.

I believe has been resolved in version 3750-Build 12.2 (55) as to the next note, attached to the bug as proved to be irreparable on later constructions

The issuer has confirmed that the bug is not seen on the image of 55SE.

The issue is only seen in 53SE

can also try and switch debug off

9.1 ASA + ACS 5.4 SSL Web portal bookmarks according to the ad group.

Hello.

Having some problems with ssl vpn on ASA 5515-X.

I have ASA (9.1) connected to the web portal without client ssl ACS (5.4) and set up mobile client anyconnect. ACS also have connection to Active Directory.

So he has set up this group AD users, for example, the VPN_clients connect via the anyconnect client or no client via SSL web page. And it works very well.

My goal is to make different bookmarks portals SSL (in terms of strategies of different group ASA) according to the users AD Group.

For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want that the users in the group after authentication to SSL web portal would see only their own bookmarks available only for their group.

As I inderstand once ACS authentication process must respond to ASA which the user consist of ad groups and ASA should choose the group policy right for the user, but I have no experience how to do that?

Hello Ivan,.

You're right, ACS can leave the ASA what group policy is to assign based on the RADIUS of the 25 attribute.

Measures on the ACS:

1 - definition of ad groups:

2 set the authorization profile tab elements of the policy:

3. create the policy and authorization access criteria:

Then, on the ASA:

1 create a group policy and name it.

2. through the ASDM, create and assign bookmarks to this group policy.

3 - once a user authenticates, the ACS sends 25 attribute, which contains the string 'OU = it'.

4 - ASA seeks group it strategy and assigns it to the user's session.

Let me know if you have any questions.

HTH.

Please note all useful messages.

Broadcast message
Hello

I need help on the utility of message Boroadcost. Message from Boradcost that I try to run it in the background, it works very well in Production. If I try to work on QA with the same syntax that it does not work.
Please find the below syntax I used.

BroadcastMessage.cmd - f: passwordFile.txt localhost < application name >, < message >; admin.
Location: E:\Hyperion\products\Planning\bin
The passwordFile contains the password encrypted, generated by another utility of planning.

Even I do not get any kind of error on it. It is said that it is executed. but the user does not receive the message... in QA. We use the 11.1.3 version...

Please, help us to check any kind of scanario...

Thank you
Suresh

Edited by: user13124234 11 July 2010 23:56

Edited by: user13124234 11 July 2010 23:57
Have you tried to send msg broadcast from inside the planning application. Tools-> broadcast message. Try this.

Impossible to establish a VPN between AG241 and WAG54GP2 tunnel

Hello

This is my first post on this forum and I send my best regards to everyone!

I signed up because I have a problem with establishing a VPN tunnel between an AG241 modem/router and a modem/router WAG54GP2 with wireless and VoIP.

The scenario is simple: both ends have dynamic IP, so I set up an account with dyndns.org for both routers.

WAG54GP2 has 192.168.1.1/255.255.255.0 AG241 has 192.168.3.254/255.255.255.0 IP and IP.

In both routers, I turned block anonymous internet requests, so I can ping both routers.

This is the configuration of WAG54GP2:

VPN Passthrough
IPSec PassThrough: activate
Intercommunication PPPoE: activate
PPTP PassThrough: enable
L2TP PassThrough: enable

IPSec VPN tunnel
Select the Tunnel: 1
VPN IPSec tunnel: enabled
Tunnel name: Office

Local security group:
Subnet
IP: 192.168.1.0
Mask: 255.255.255.0

Local security gateway: PVC 1 (ppp0)

Remote secure group:
IP: 192.168.3.0
Mask: 255.255.255.0

Remote security gateway:
IP Addr.
The remote router's public IP address IP address: w.x.y.z.
Encryption: THE (I also tried 3DES and disabled)
Authentication: SHA

Key management:
Auto. (IKE)
PFS: enabled
Pre-shared Key: the password I chose
Life key: 3600 Sec.

Advanced settings

Phase 1
Mode of operation: main mode (I also tried aggressive mode)

Proposal1
Encryption: A
Authentication: SHA
Group: 768 bits
Life key: 3600 sec.

Proposition2
Encryption: ESP_NULL
Authentication: SHA
Group: 768 bits
Life key: 3600 sec.

Another parameter
NAT traversal not verified
NetBIOS broadcast Checked
Anti-reponse not checked
Keep-Alive not verified
If IKE 5 times failedmore
Not checked

This is the AG241 configuration:

VPN Passthrough
IPSec PassThrough: activate
Intercommunication PPPoE: activate
PPTP PassThrough: enable
L2TP PassThrough: enable

IPSec VPN tunnel
Select the Tunnel: 1
VPN IPSec tunnel: enabled
Name of the tunnel: user 1

Local security group:
Subnet
IP: 192.168.3.0
Mask: 255.255.255.0

Local security gateway: PVC 1 (ppp0)

Remote secure group:
IP: 192.168.1.0
Mask: 255.255.255.0

Remote security gateway:
Any

Key management:
Auto. (IKE)
PFS: enabled
Pre-shared Key: the same password I put on the WAG54GP2
Life key: 3600 Sec.

Advanced settings

Phase 1
Mode of operation: main mode (I also tried aggressive mode)

Proposal1
Encryption: A
Authentication: SHA
Group: 768 bits
Life key: 3600 sec.

Proposition2
Encryption: A
Authentication: SHA
Group: 768 bits
Life key: 3600 sec.

Another parameter
NAT traversal not verified
NetBIOS broadcast Checked
Anti-reponse not checked
Keep-Alive not verified
If IKE 5 times failedmore
Not checked

When I click on Connect the WAG54GP2 router, do not access and in the newspapers, I see:

2009 07-30 T 16: 16:10 + 01:00 IKE ["Board"] Tx > MM_I1: SA w.x.y.z.

2009 07-30 T 16: 16:20 + 01:00 IKE ["Board"] ERROR: message w.x.y.z. port 500: connection refused

If I use the dynamic FQDN instead of the dynamic IP (w.x.y.z.) change of message for:

2009 07-30 T 16: 46:16 + 01:00 IKE ["Board"] ERROR: problem of remote domain name Security Gateway!

Is there someone who could help me build this tunnel?

A big thank you to everyone who will help me!

Cinghiuz

If you are Encountering difficulties connecting to the VPN Tunnel using a router ADSL modem you should see this

Also, make sure that you have the latest firmware installed on your entry door and change the MTU setting...

Wake on LAN (WOL) through different VLAN on SG-300-10

Hello

I try to get WOL working through different VLAN on a Switch SG-300-10 in layer 3 Mode. To achieve this, I set up a UDP relay (GUI menu Configuration IP) for UDP Port 7 to 255.255.255.255 (this should inundate all interfaces with the package), however, does not work WOL in different VLANS. When I am connected directly to the VLAN corresponding, WOL works fine in the same subnet. Am I missing something here?

All comments appreciated!

Thank you very much!

Hi Romeo,.

A few minutes to try it on my SG300 - 10 p mode layer 3.

My NAS unit is capable WOL and I thought I would use it in my test environment...

Ran a basic test to check my sender of packet Magic from my PC "awakened" my NAS unit.

As you would expect, on the same subnet, the magic packet WOL caused my NAS unit to power, no problem.

But this isn't really the test, just a test database to check that my sender of the packet magic WOL and NAS was working well.

The screenshot below shows WOL software I used on my PC. Why use this software, no reason except that it was available for free. Also, I'm sure other WOL software out there for different platforms that work just as well or with more features.

First of all, I see according to your question, you used relays UDP destination port 7, well it is the default setting on the UDP relay on my switch.

I wonder why you used or stayed with destination UDP port 7, because the Magic packet mailers may use different destination UDP ports?

I had to use wireshark to see the real destination UDP port that uses my sender of the magic packet WOL.

Notice of capturing wireshark above, that my magic packet software uses the UDP port destination 9, NOT the default value that you can see on the switch. Ignore what wireshark labels this port.

OK, I then created a VLAN that I named "VLAN2' with a = 2 VID on my SG300 - 10 p (SRW2008P-K9-NA)

I added a 192.168.2.1/24 IP interface to VLAN2, which is a different network from the default VLAN.

I then added three ports this VLAN newly created as a member untagged VLAN2.

The default VLAN (VID = 1) an IP network 192.168.10.0/24.

My NAS (WOL capable) unit has an IP address of 192.168.10.61.

I plugged my PCt to the vlan 2 and statically assigned 192.168.2.2/24. It is the PC that has the magic package software.

I added a route static to my router WAN, just so that I could access the router my PC attached to the VLAN2 WAN.

I tried the magic packet WOL software and will not turn on my NAS. He expected that the magic packet broadcast would never jump over a limit of LAN in one VLAN different...

Now, I tried to install a UDP relay so that the Magic Packet WOL "would be" the VLAN2 network interface VLAN1.

So I configure and add to my SG300 UDP relay entry - 10 p. See the screen capture below.

I have to admit, I'm used to using UDP relay normally take a netbios broadcast and unicast to a server Ms.

But check the screenshot below, I put the switch to send the UDP relay to the broadcast address of VLAN1 network... The magic packet Wakeup sent from my PC into 2 VLANS must have passed over the limit VLAN that my NAS unit woke.

In order to check the destination port UDP to your WOL software using wireshark, and then create an appropriate UDP relay.

Experiment and play with that, once you get your device WOL properly powereing successfully.

Best regards, Dave

If I answered your question, please rate the relevance of this response

What are these "channel messages"? (In German, "Kanalnachrichten")

Sometimes I get a notifitcation the title of "Kanalnachricht". There are numbers displayed.
To give you an image, I uploaded an image in my blog:

http://WP.me/a44nIR-16

I have not yet scanned the source code to determine, why I got these notifitcations.
I guess, it could be due to the "Cell of reception information" setting in the "Phone settings" dialog box (c.f. preferences app).

Soon I'll crosspost this question in the forum of the carrier (i.e. in the forum of Congstar) German in German.

Some providers (e.g. O2 in Germany) send Cell broadcast on channel 221.
They use it to post the coordinates of the base station so it can be determined, for example, if the phone is in the area of the House. It seems to me that this could well be caused by the information of the cell 'receive' setting.
I don't know about other providers - so if you use Congstar/T-Mobile, I'm not sure if the above is valid.

Ethernet and Windows Firewall

Hello

I need to know what Windows Firewall rules must be defined for TestStand/CVI see the ARP protocol. We see nothing, no ethernet traffic.

I have a system (Army Gold Master 7, using TestStand and CVI) who has "standard" Government firewall rules We strive to communicate by Ethernet to specialized devices and we see no traffic unless disable us the firewall. We are not on the internet (not allowed by gov). The specialized devices send a broadcast request for IP but the software it never sees.

I added (incoming and outgoing) rules to allow traffic to and from my application (CVI app that does a lot of TestStand active X calls). In the logs I saw something on cviproxy so I put rules to allow that. I've set allow rules for TestStand Runtime engine. I also disabled Windows defender.

Any suggestions? BTW, we will not disable the firewall once it is deployed.

Thank you

Hey Joe,

I did some checking, and generally, CVI does not implement itself - treatment rather ARP packet, it uses Windows built in functionality to receive ARP packets and assign IP addresses. ARP is contained in the Protocol Ethernet himself and is at a lower level than the concept of ports, so that Windows Firewall cannot directly block ARP packets.

Your software CVI aims to process ARP packets in some way, or are you just wanting to communicate with devices via Ethernet? If it's the last, then the assignment of intellectual property should arrive outside the CVI and regarding the CVI you must only make sure that the correct port has been opened for communication with the specialized unit. This port number would be depends on the configuration of the device itself.

When you disable the firewall and are able to communicate with the device, how is the appliance gets its IP address? For example, it is automatically assigned by Windows or your router (with DHCP) or it has a static IP address assigned to him? It is possible that the IP address is assigned, but given that the specific communication port is blocked by the firewall, the communication can occur.

I hope this helps a little, and if you can give us the answers to these questions, we can provide I hope to better understand the situation.

When you try to find the IP address of my computer, I see two different results with two different numbers. Which is accurate?

original title: a different output for ping - an IP address

I am trying to determine the name of the computer to an IP address

When I open a command prompt in a computer (Windows XP connected to our domain) and type ping - a [IP address], I get a result

When I open a command prompt in another computer (Windows Server 2008 connected to the WORKING group) and type ping - a [IP address], I get a different result

And there are other times when ping - [IP address] will display the name of the computer on a computer (usually the Windows Server 2008), but not the other

I tried to google

1. why this happens

2. what result is correct

Please specify.

The order of DNS in Windows name resolution is as follows:
1. Name of the local host (file Hosts Local generally in c:\windows\system32\drivers\etc\hosts)
2. Cache Client DNS resolution
3. DNS server
4. Cache of NetBIOS names
5. WINS server
6. NetBIOS broadcasts
7. File LMHosts (same location as the HOSTS file)
The reason you get different results could be because machines could be on different subnets (different results for broadcast), using a different DNS server machines or are configured for different WINS servers, or the names are already cached because of prior activity.

HTH,
JW

ARP expire for Windows XP, Vista and 7

What is the exact value or ARP expire for Windows XP, Vista and 7, if the primary remote DHCP server is not available, then how long long time, it will release ARP and send DHCP broadcast again?

Hello

Your question of Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the TechNet Windows 7 forum.

http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

VLAN Basics

I read the books of Wendell Odom and I have a question about VLANS and trunking. As far I knew trunking is necessary when you have a network that is split in two between multiple switches. When a host sends a broadcast shall be issued to all hosts in this VLAN on all switches. Switches in turn need to know the VLAN ID when the package comes from another switch. Otherwise he won't know where to deliver the broadcast.

So in short, my understanding is that trunking is only required for the provision of programming (or packages from unknown hosts, when the package is also flooded to all ports VLAN and trunk) between the switches and only in cases where the network is split between them.

But I also read that the trunks are necessary between switches and default gateways for networks with the switch services. But I don't see the reason for it. Say, you switch1 switch2 vlanB, vlanA. There is no spread between the switches. And if the host vlanA must deliver unicast packets to host vlanB, then packet is routed using general rules. It comes to the default gateway, then the corresponding switch. Who needs to know the VLAN ID here and for what reason?

I understand your concern in this way - if the MAC address is unique so why should we VLAN for unicast transfer of packages of L2 if this can be done simply using the destination MAC.

In a very simple situation it is possible, YES. But the network is not that simple now. Accept this notion of VLAN began with the broadcast domain. And at the beginning of each unicast is unknown unicast to switch that is sent on all ports to get to the destination - then it's first use of the VLAN - limit the scope of unknown unicast.

Once that known and learned switch destination MAC on his CAM it can transfer packets by dest MAC and no limit to reach necessary because we have unique destination port. But imagine switch is reloaded or CAM table age expired time-out and all MAC removed - now your unicast is unknown still - if you do not use of VLAN at this time here you will flood all ports with it until your learn the destination MAC in CAM. So it's not like--we have VLAN only for broadcast - we need for the unicast to the field of application of the limit of the outbound ports when dest MAC is unknown. And once configured this VLAN we cannot say - tag only these unicast packets and not tag other - we tag all - that's the concept.

Another thing to support VLAN for unicast - imagine this package came to its final output port. You have this connected IP phone and PC port. Those of design in the field of different mailing - in different VLANS. PC VLAN is untagged, and voice VLAN is tagged as IP phone can understand this encapsulation. If you package was voice and you have lost your tag VLAN already - he will send you to the PC not identified even if you have the right destination MAC of the IP phone and it will be dropped on PC because of incorrect Mac

Third situation is when the output port is connected to the server hostying multiple virtual machines. Those who can share the same physical MAC but server can support dot1q tagging and put them in different VLANS. Once again if you have lost your code of VLANS through switches you will not be able to achieve the correct server.

So the questions of VLAN is not just about how to pass from one switch to another - is the notion of transfer from one side to the other packages L2. Package from one VLAN must always stay there if that's the L2 and the output of the last switch to VLAN correct (labeled or not identified based on the connected device).

VLAN concept goes further L3 routing as explained above in my and Alans messages.

I hope this helps.

Nik

Routing over VPN between ISA550W and RV215W

Hello all I have a problem with the VPN between my two office

I have an ISA550W at the head office (chcnorth)

I have a RV215W to the remote desktop (chcsouth)

the VPN is up and running, I can connect from Headquarters to remote control (chcsouth-RV215W)

and vice versa however when client computers on the remote end are trying to connect to the

Main office to access the database, they can't.

the problem started last week I received a call from the remote desktop that they can connect to our database

on the main office, I tried to connect remotely to see what was going on, it turns out that the router has completely put back

at the plant, including the firmware

I reinstalled the latest firmware for the RV215W of installation all connections as they were, I could

get VPN to connect, I can ping to the interface of the RV215W from my seat and I ping the ISA550W

the remote desktop, however my remote clients still cannot access my server at the main office

I realized after I have everything set up, I had a backup of my original installation and thinking I had

just missed something I restored it to the firmware to factory upgraded to power and restored the backup of the

RV215W I've had. still no dice

So I am now at a loss, there were no other changes to the network on both ends, I've been on this som my eyes several times

are blurred,

any ideas, workarounds for solutions would be greatly appreciated

Thanks in advance

John G

John,

It doesn't look like your question is more DNS related, as you can access the server by its IP address if the "connection" allows you to set up this way. It is quite common, that you cannot resolve names through the tunnel because netbios broadcasts will not pass. The RV215W have shared DNS within the parameters of the tunnel, so this isn't an option more.

If the "connection" is a PC, you can work around this by editing the LMHOSTS file. Please see the following instructions:

http://www.JakeLudington.com/Windows_7/20100924_how_to_edit_windows_7_lmhosts_file.html

In your case, it might look more at:

192.168.1.200 sqlsvr

Now if you ping or try to access sqlsvr from the computer, it will automatically know that it should go to 192.168.1.200 without having to find the IP address.

Answer please if you have any questions.

-Marty

Access gui Cisco 2811 v7.0.4 w/AIM-CUE

Hello

We are running an older router which works fine for our needs, as indicated in the subject. I am trying to access the graphical interface for the AIM - CUE and am unable to. I can access the ccme.html to the router, but that is not integrated with the function of automatic monitoring, nor there of our current configuration info. I added a route to the QUEUE of the command prompt and I am able to ping and the ip address of the QUEUE to access from a browser, but it points to builtin of the 2811 CCME or CCP. Any help anyone could offer would be greatly appreciated. Thanks in advance for your help. Please find the config for the router and the GUIDE below.

Router:

Router#sh running-config

Building configuration...

Current configuration : 12555 bytes

! Last configuration change at 20:19:49 CDT Sat Oct 26 2013 by GlennP

! NVRAM config last updated at 20:06:24 CDT Sat Oct 26 2013 by cmeadmin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname Router

boot-start-marker

boot-end-marker

logging discriminator ENV severity drops 4 facility drops ENVMON mnemonics drops

FAN_LOW_RPM

logging buffered discriminator ENV 4096

logging console discriminator ENV

logging monitor discriminator ENV

enable secret 5 $1$nCKH$KBDP9dCX10xvqP98Ucm5u/

no aaa new-model

clock timezone CST -6

clock summer-time CDT recurring

dot11 syslog

ip source-route

ip cef

ip dhcp excluded-address 172.22.1.154

ip dhcp excluded-address 172.22.1.200

ip dhcp pool Voice

network 172.22.1.0 255.255.255.0

default-router 172.22.1.154

option 150 ip 172.22.1.154

ip name-server 4.2.2.2

no ipv6 cef

multilink bundle-name authenticated

trunk group FXO

voice hunt-group 1 parallel

list 101,102,103,104,105,106,107

timeout 60

pilot 200

voice-card 0

crypto pki trustpoint TP-self-signed-4121280238

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4121280238

revocation-check none

rsakeypair TP-self-signed-4121280238

crypto pki certificate chain TP-self-signed-4121280238

certificate self-signed 02

3082023E 308201A7 A0030201 02020102 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 34313231 32383032 3338301E 170D3133 31303237 30313035

34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323132

38303233 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100C0A7 8EB7F49F C57776E1 9CD28DF9 F3EDF876 BB02405F 1DF7B345 319C419A

23C7D891 28F496B4 675D290C 60FAE2F4 6730D680 655DD0B5 61E64C72 2B73599A

A5567091 499FD933 646168FD 4E730B8C C1079AC5 7327B695 10ED4D76 2D931584

DDA2B93B 6681E10D C82F2ABB 9DB055C8 D157EACE AB19335C B172C3E3 D8EF8452

34E90203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603

551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 ADD5749E

6A87B4CF 22F924BE 400851F6 B9F8412A 301D0603 551D0E04 160414AD D5749E6A

87B4CF22 F924BE40 0851F6B9 F8412A30 0D06092A 864886F7 0D010104 05000381

81004F81 D08AC0B6 41AAEA8B 35CAC6AF BC07DBF9 9CA42AF1 782BBCE9 1CBB68B6

0AD5A177 664FDFA0 079A5C76 29FB06B2 5760445F 8468F04B B6A37A39 32F8F079

DB6302FE 1792547D 199922B0 907C0CCA 1FD3C322 F7B70E7C 594E96F1 DE283C2A

B7313614 A028D7FF 96E9F047 79162805 4C1CA86F 0232BF0E 0A0659F5 24B7EEDA D5AE

quit

license udi pid CISCO2811 sn FTX1030A49Q

username cmeadmin privilege 15 password 7 08721D1D5C4854424A

username GlennP privilege 15 password 7 115A485642435A595C

no ip ftp passive

ip ftp source-interface FastEthernet0/0

ip ftp username cmeadmin

ip ftp password 7 091F1F5A4C54464753

interface FastEthernet0/0

ip address 10.1.1.146 255.255.255.0

duplex auto

speed auto

interface Service-Engine0/0

ip unnumbered FastEthernet0/1.1

service-module ip address 172.22.1.155 255.255.255.0

service-module ip default-gateway 172.22.1.154

interface FastEthernet0/1

ip address dhcp

duplex auto

speed auto

interface FastEthernet0/1.1

encapsulation dot1Q 1 native

ip address 172.22.1.154 255.255.255.0

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http path flash:/gui

ip route 0.0.0.0 0.0.0.0 10.1.1.30

ip route 172.22.1.155 255.255.255.255 Service-Engine0/0

tftp-server flash:phone/7940-7960/P00308000500.bin alias P00308000500.bin

tftp-server flash:Desktops/320x212x12/CampusNight.png

tftp-server flash:Desktops/320x212x12/CiscoFountain.png

tftp-server flash:Desktops/320x212x12/MorroRock.png

tftp-server flash:Desktops/320x212x12/NantucketFlowers.png

tftp-server flash:Desktops/320x212x12/TN-CampusNight.png

tftp-server flash:Desktops/320x212x12/TN-CiscoFountain.png

tftp-server flash:Desktops/320x212x12/TN-Fountain.png

tftp-server flash:Desktops/320x212x12/TN-MorroRock.png

tftp-server flash:Desktops/320x212x12/TN-NantucketFlowers.png

tftp-server flash:Desktops/320x212x12/Fountain.png

tftp-server flash:Desktops/320x212x12/CiscoLogo.png

tftp-server flash:Desktops/320x212x12/TN-CiscoLogo.png

tftp-server flash:Desktops/320x212x12/List.xml

tftp-server flash:gui/admin_user.html alias admin_user.html

tftp-server flash:gui/admin_user.js alias admin_user.js

tftp-server flash:gui/CiscoLogo.gif alias CiscoLogo.gif

tftp-server flash:gui/Delete.gif alias Delete.gif

tftp-server flash:gui/dom.js alias dom.js

tftp-server flash:gui/downarrow.gif alias downarrow.gif

tftp-server flash:gui/ephone_admin.html alias ephone_admin.html

tftp-server flash:gui/logohome.gif alias logohome.gif

tftp-server flash:gui/normal_user.html alias normal_user.html

tftp-server flash:gui/normal_user.js alias normal_user.js

tftp-server flash:gui/Plus.gif alias Plus.gif

tftp-server flash:gui/sxiconad.gif alias sxiconad.gif

tftp-server flash:gui/Tab.gif alias Tab.gif

tftp-server flash:gui/telephony_service.html alias telephony_service.html

tftp-server flash:gui/uparrow.gif alias uparrow.gif

tftp-server flash:gui/xml-test.html alias xml-test.html

tftp-server flash:gui/xml.template alias xml.template

tftp-server flash:ringtones/Analog1.raw alias Analog1.raw

tftp-server flash:ringtones/Analog2.raw alias Analog2.raw

tftp-server flash:ringtones/AreYouThere.raw alias AreYouThere.raw

tftp-server flash:ringtones/AreYouThereF.raw alias AreYouThereF.raw

tftp-server flash:ringtones/Bass.raw alias Bass.raw

tftp-server flash:ringtones/CallBack.raw alias CallBack.raw

tftp-server flash:ringtones/Chime.raw alias Chime.raw

tftp-server flash:ringtones/Classic1.raw alias Classic1.raw

tftp-server flash:ringtones/Classic2.raw alias Classic2.raw

tftp-server flash:ringtones/ClockShop.raw alias ClockShop.raw

tftp-server flash:ringtones/DistinctiveRingList.xml alias DistinctiveRingList.xm

tftp-server flash:ringtones/Drums1.raw alias Drums1.raw

tftp-server flash:ringtones/Drums2.raw alias Drums2.raw

tftp-server flash:ringtones/FilmScore.raw alias FilmScore.raw

tftp-server flash:ringtones/HarpSynth.raw alias HarpSynth.raw

tftp-server flash:ringtones/Jamaica.raw alias Jamaica.raw

tftp-server flash:ringtones/KotoEffect.raw alias KotoEffect.raw

tftp-server flash:ringtones/MusicBox.raw alias MusicBox.raw

tftp-server flash:ringtones/Piano1.raw alias Piano1.raw

tftp-server flash:ringtones/Piano2.raw alias Piano2.raw

tftp-server flash:ringtones/Pop.raw alias Pop.raw

tftp-server flash:ringtones/Pulse1.raw alias Pulse1.raw

tftp-server flash:ringtones/Ring1.raw alias Ring1.raw

tftp-server flash:ringtones/Ring2.raw alias Ring2.raw

tftp-server flash:ringtones/Ring3.raw alias Ring3.raw

tftp-server flash:ringtones/Ring4.raw alias Ring4.raw

tftp-server flash:ringtones/Ring5.raw alias Ring5.raw

tftp-server flash:ringtones/Ring6.raw alias Ring6.raw

tftp-server flash:ringtones/Ring7.raw alias Ring7.raw

tftp-server flash:ringtones/RingList.xml alias RingList.xml

tftp-server flash:ringtones/Sax1.raw alias Sax1.raw

tftp-server flash:ringtones/Sax2.raw alias Sax2.raw

tftp-server flash:ringtones/Vibe.raw alias Vibe.raw

tftp-server flash:phone/7940-7960/P00308000500.loads alias P00308000500.loads

tftp-server flash:phone/7940-7960/P00308000500.sb2 alias P00308000500.sb2

tftp-server flash:phone/7940-7960/P00308000500.sbn alias P00308000500.sbn

tftp-server flash:phone/7941-7961/apps41.8-4-1-23.sbn alias apps41.8-4-1-23.sbn

tftp-server flash:phone/7941-7961/cnu41.8-4-1-23.sbn alias cnu41.8-4-1-23.sbn

tftp-server flash:phone/7941-7961/cvm41sccp.8-4-1-23.sbn alias cvm41sccp.8-4-1-2

3.sbn

tftp-server flash:phone/7941-7961/dsp41.8-4-1-23.sbn alias dsp41.8-4-1-23.sbn

tftp-server flash:phone/7941-7961/jar41sccp.8-4-1-23.sbn alias jar41sccp.8-4-1-2

3.sbn

tftp-server flash:phone/7941-7961/SCCP41.8-4-2S.loads alias SCCP41.8-4-2S.loads

tftp-server flash:phone/7941-7961/term41.default.loads alias term41.default.load

tftp-server flash:phone/7941-7961/term61.default.loads alias term61.default.load

tftp-server flash:CP7905080002SCCP060817A.zup

tftp-server flash:CP7912080003SCCP070409A.sbin

tftp-server flash:ATA030204SCCP090202A.zup

tftp-server exit

tftp-server music-on-hold.au

tftp-server enable

control-plane

voice-port 0/3/0

trunk-group FXO

no battery-reversal

no comfort-noise

connection plar 300

description 715833XXXX

caller-id enable

voice-port 0/3/1

trunk-group FXO

no battery-reversal

no comfort-noise

connection plar 300

description 715833YYYY

caller-id enable

voice-port 0/3/2

trunk-group FXO

no battery-reversal

no comfort-noise

connection plar 300

description 715833AAAA

caller-id enable

voice-port 0/3/3

dial-peer voice 100 pots

trunkgroup FXO

destination-pattern 9.T

dial-peer voice 800 voip

description VM

destination-pattern 800

session protocol sipv2

session target ipv4:172.22.1.155

dtmf-relay rtp-nte

codec g711ulaw

no vad

dial-peer voice 300 voip

description Sterling AA

destination-pattern 300

session protocol sipv2

session target ipv4:172.22.1.155

dtmf-relay rtp-nte

codec g711ulaw

no vad

sip-ua

mwi-server ipv4:172.22.1.155 expires 86400 port 5060 transport u

telephony-service

no auto-reg-ephone

max-ephones 40

max-dn 100

ip source-address 172.22.1.154 port 2000

timeouts interdigit 3

system message Sterling Optical #258

load 7960-7940 P00308000500

dialplan-pattern 1 . extension-length 3

voicemail 800

max-conferences 8 gain -6

call-park system application

moh flash:/music-on-hold.au

multicast moh 239.10.16.1 port 2000

web admin system name admin password cisco

dn-webedit

time-webedit

transfer-system full-consult

secondary-dialtone 9

fac custom dpark-retrieval *00

create cnf-files version-stamp 7960 Apr 15 2013 22:15:20

ephone-dn 1

ephone-dn 11 dual-line

number 101

name Front 1

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 12 dual-line

number 102

name Front 2

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 13

number 103

name Front 3

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 14

number 104

name Exam Room

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 15

number 105

name Screening Area

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 16

number 106

name Lab

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 17

number 107

name Insurance Office

call-forward busy 800

call-forward noan 800 timeout 10

mwi sip

ephone-dn 18

number 108

name 7940

ephone-dn 19

number 109

name Spare1

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 20

number 110

name spare2

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 21

number 111

name Spare1

call-forward busy 800

call-forward noan 800 timeout 70

ephone-dn 30

number 201

label General VM

description General VM

call-forward all 800

hold-alert 30 originator

ephone-dn 77

number 777

park-slot timeout 300 limit 2 recall

description Call Park Slot

ephone-dn 88

number 888

park-slot timeout 300 limit 2 recall

description Call Park Slot

ephone-dn 99

number 000

mwi off

ephone-dn 100

number 001

mwi on

ephone 1

mac-address 0015.62EA.5C58

username "frontdesk1" password cisco

type 7960

button 1:11

ephone 2

mac-address 0015.62B5.DBF6

username "frontdesk2" password cjp44206

type 7960

button 1:12

ephone 3

mac-address 0007.855C.853F

type 7940

button 1:13

ephone 4

mac-address 0017.E001.0940

type 7940

button 1:14

ephone 5

mac-address 0007.8553.2B3C

type 7940

button 1:15

ephone 6

mac-address 0015.C614.A1D1

type 7940

button 1:16

ephone 7

mac-address 0015.F9EC.1EED

username "insurance" password 1234

type 7940

button 1:17

ephone 9

ephone 10

mac-address 0007.8553.2E74

type 7940

button 1:20

ephone 11

mac-address 0019.E855.7616

type 7940

button 1:21

line con 0

line aux 0

line 194

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

transport input telnet ssh

transport output telnet ssh

scheduler allocate 20000 1000

ntp master 6

ntp peer 69.164.217.193

ntp peer 204.9.136.253

end

CUE:

Router#service-module service-Engine 0/0 sess

Trying 172.22.1.154, 2194 ... Open

AIM-CUE#

AIM-CUE# sh running-config

Generating configuration:

clock timezone America/Chicago

hostname AIM-CUE

line console

exit

system language preferred "en_US"

ip name-server 4.2.2.2 4.2.2.3

ntp server 172.22.1.154 prefer

software download server url "ftp://127.0.0.1/ftp" credentials hidden "6u/dKTN/h

sEuSAEfw40XlF2eFHnZfyUTSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfG

WTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmP"

site name local

site-hostname 172.22.1.154

web credentials hidden "c9yem6kD1vJqrOHVxftjAknfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0n

fGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmP"

end site

privilege ViewHistoricalReports create

privilege manage-users create

privilege manage-passwords create

privilege ViewRealTimeReports create

privilege local-broadcast create

privilege broadcast create

privilege vm-imap create

privilege ManagePublicList create

privilege ViewPrivateList create

privilege ManagePrompts create

groupname staff create

groupname Broadcasters create

username GlennP create

username insurance create

username admin create

username cisco create

privilege ViewHistoricalReports description "Privilege to view historical report

privilege manage-users description "Privilege to create, modify, and delete user

s and groups"

privilege manage-passwords description "Privilege to reset user passwords"

privilege ViewRealTimeReports description "Privilege to view realtime reports"

privilege local-broadcast description "Privilege to send local broadcast message

privilege broadcast description "Privilege to send local or remote broadcast mes

sages"

privilege vm-imap description "Privilege to manage personal voicemail via IMAP c

lient"

privilege ManagePublicList description "Privilege to manage public lists"

privilege ViewPrivateList description "Privilege to view private list"

privilege ManagePrompts description "Privilege to create, modify, or delete syst

em prompts"

privilege ViewHistoricalReports operation report.historical.view

privilege manage-users operation user.configuration

privilege manage-users operation user.mailbox

privilege manage-users operation user.password

privilege manage-users operation user.remote

privilege manage-users operation user.pin

privilege manage-users operation system.debug

privilege manage-users operation user.notification

privilege manage-users operation group.configuration

privilege manage-passwords operation user.password

privilege manage-passwords operation user.pin

privilege manage-passwords operation system.debug

privilege ViewRealTimeReports operation report.realtime

privilege local-broadcast operation broadcast.local

privilege local-broadcast operation system.debug

privilege broadcast operation broadcast.local

privilege broadcast operation system.debug

privilege broadcast operation broadcast.remote

privilege vm-imap operation voicemail.imap.user

privilege ManagePublicList operation voicemail.lists.public

privilege ManagePublicList operation system.debug

privilege ViewPrivateList operation voicemail.lists.private.view

privilege ManagePrompts operation prompt.modify

privilege ManagePrompts operation system.debug

groupname Administrators member admin

groupname Administrators member cisco

groupname Broadcasters member admin

groupname staff privilege broadcast

groupname staff privilege local-broadcast

groupname Broadcasters privilege broadcast

groupname staff phonenumber "201"

username insurance phonenumber "107"

username GlennP supervisor designate

restriction msg-notification create

restriction msg-notification min-digits 1

restriction msg-notification max-digits 30

restriction msg-notification dial-string preference 1 pattern * allowed

backup server url "ftp://127.0.0.1/ftp" credentials hidden "EWlTygcMhYmjazXhE/VN

XHCkplVV4KjescbDaLa4fl4WLSPFvv1rWUnfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35j0nfGWTYHfmPSd8Z

ZNgd+Y9J3xlk2B35j0nfGWTYHfmP"

calendar biz-schedule sterling_open

closed day 1 from 00:00 to 24:00

open day 2 from 10:00 to 18:00

open day 3 from 10:00 to 20:00

open day 4 from 10:00 to 18:00

open day 5 from 10:00 to 20:00

open day 6 from 10:00 to 18:00

open day 7 from 09:00 to 17:00

end schedule

calendar biz-schedule systemschedule

open day 1 from 00:00 to 24:00

open day 2 from 00:00 to 24:00

open day 3 from 00:00 to 24:00

open day 4 from 00:00 to 21:00

open day 4 from 22:00 to 24:00

open day 5 from 00:00 to 24:00

open day 6 from 00:00 to 24:00

open day 7 from 00:00 to 24:00

end schedule

ccn application autoattendant aa

description "Sterling Auto-Attendant"

enabled

maxsessions 4

script "aa.aef"

parameter "busClosedPrompt" "AABusinessClosed.wav"

parameter "holidayPrompt" "AAHolidayPrompt.wav"

parameter "welcomePrompt" "AAWelcome.wav"

parameter "disconnectAfterMenu" "false"

parameter "dialByFirstName" "false"

parameter "allowExternalTransfers" "false"

parameter "MaxRetry" "3"

parameter "dialByExtnAnytime" "false"

parameter "busOpenPrompt" "AABusinessOpen.wav"

parameter "businessSchedule" "systemschedule"

parameter "dialByExtnAnytimeInputLength" "4"

parameter "operExtn" "1001"

end application

ccn application ciscomwiapplication aa

description "ciscomwiapplication"

enabled

maxsessions 6

script "setmwi.aef"

parameter "CallControlGroupID" "0"

parameter "strMWI_OFF_DN" "8001"

parameter "strMWI_ON_DN" "8000"

end application

ccn application msgnotification aa

description "msgnotification"

enabled

maxsessions 6

script "msgnotify.aef"

parameter "logoutUri" "http://localhost/voicemail/vxmlscripts/mbxLogout.jsp"

parameter "DelayBeforeSendDTMF" "1"

end application

ccn application promptmgmt aa

description "promptmgmt"

enabled

maxsessions 1

script "promptmgmt.aef"

end application

ccn application sterlingaa aa

description "sterlingaa"

enabled

maxsessions 6

script "sterlingaa.aef"

parameter "Sterling_Sched" "sterling_open"

parameter "Sterling_Hunt" "200"

end application

ccn application voicemail aa

description "Sterling Voicemail by RhinoIT"

enabled

maxsessions 4

script "voicebrowser.aef"

parameter "logoutUri" "http://localhost/voicemail/vxmlscripts/mbxLogout.jsp"

parameter "uri" "http://localhost/voicemail/vxmlscripts/login.vxml"

end application

ccn engine

end engine

ccn reporting historical

database local

description "se-10-1-1-6"

end reporting

ccn subsystem sip

gateway address "172.22.1.154"

mwi envelope-info

mwi sip sub-notify

end subsystem

ccn trigger http urlname msgnotifytrg

application "msgnotification"

enabled

maxsessions 2

end trigger

ccn trigger http urlname mwiapp

application "ciscomwiapplication"

enabled

maxsessions 1

end trigger

ccn trigger sip phonenumber 2000

application "voicemail"

enabled

maxsessions 4

end trigger

ccn trigger sip phonenumber 300

application "sterlingaa"

enabled

maxsessions 6

end trigger

ccn trigger sip phonenumber 800

application "voicemail"

enabled

maxsessions 6

end trigger

service phone-authentication

end phone-authentication

service voiceview

enable

end voiceview

voicemail callerid

voicemail broadcast recording time 300

voicemail default messagesize 240

voicemail notification restriction msg-notification

voicemail mailbox owner "admin" size 775

description "admin mailbox"

end mailbox

voicemail mailbox owner "insurance" size 775

description "insurance mailbox"

end mailbox

end

-Pat

Is not clear what you mean. IP of CUe should put CUE GUI.

ACS sends NetBios broadcasts

Similar Questions

Maybe you are looking for