Nexus 7700 License Installation

Below are the steps to install the license:

1. Get the license file from Cisco.
2. Copy the license file to a USB drive.
3. Connect the USB drive to the N7K.
4. Confirm the license file is issued to the correct host-id.
5. Copy the .lic file from the USB drive to bootflash.
6. Install the file.

NOTE: Make sure the host-id on the N7K and the host-id in the license file are the same; otherwise, get a new license file from Cisco. The license installs only if both are the same.

User Access Verification
SW1-AdminVDC login: admin
Password: *******

Check the current license
SW1-Admin-VDC# show license usage
Feature                      Ins  Lic   Status Expiry Date Comments
MPLS_PKG                      No    -   Unused             -
STORAGE-ENT                   No    -   Unused             -
VDC_LICENSES                  No    0   Unused             Grace expired
FCOE-N7K-F248XP               No    0   Unused             -
ENHANCED_LAYER2_PKG           No    -   Unused             -
TRANSPORT_SERVICES_PKG        No    -   Unused             -
LAN_ENTERPRISE_SERVICES_PKG   Yes   -   Unused Never       -

SW1-AdminVDC# dir usb1:
        393    Jan 08 11:56:54 2018
        298    Jan 08 04:08:32 2018  N7700201801080XXXXXXX.lic
       4096    Dec 31 11:20:48 2017  N7k run/

SW1-AdminVDC# sh file usb1:N7700201801080XXXXXXX.lic

SERVER this_host ANY
VENDOR cisco
INCREMENT VDC_LICENSES cisco 1.0 permanent 4 \
        NOTICE="<LicFileID>2018010804083XXX</LicFileID><LicLineID>1</LicLineID> \
        <PAK></PAK>" SIGN=DE7FC25XXXX8

SW1-AdminVDC# sh license host-id
License hostid: VDH=N77-C7710:JPGXXXXXXX

SW1-AdminVDC# copy usb1:N7700201801080XXXXXXX.lic bootflash://
Copy progress 100% 298B
Copy complete, now saving to disk (please wait)...

SW1-AdminVDC# install license bootflash:N7700201801080XXXXXXX.lic
Installing license ..............done

SW1-AdminVDC# sh license usage
Feature                      Ins  Lic   Status Expiry Date Comments
MPLS_PKG                      No    -   Unused             -
STORAGE-ENT                   No    -   Unused             -
VDC_LICENSES                  Yes   4   Unused Never       -
FCOE-N7K-F248XP               No    0   Unused             -
ENHANCED_LAYER2_PKG           No    -   Unused             -
TRANSPORT_SERVICES_PKG        No    -   Unused             -
LAN_ENTERPRISE_SERVICES_PKG   Yes   -   Unused Never       -


How to do remote port monitoring using Wireshark

Step 1: Create the RSPAN VLAN

SW1(config)# vlan 900
SW1(config-vlan)# remote-span
SW1(config-vlan)# end
SW3(config)# vlan 900
SW3(config-vlan)# remote-span
SW3(config-vlan)# end

- The RSPAN VLAN needs to exist in the VLAN database of the source switch, the destination switch and all switches in the transit path between them. It also needs to be allowed on all trunk ports between the source and destination switches.
- The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved for Token Ring and FDDI VLANs).

Configure the following commands on the switch that has the Internet port:

#no monitor session 1
#monitor session 1 source interface fastethernet 0/1
#monitor session 1 destination remote vlan 900

The source interface above is the Internet port that you need to monitor, and the VLAN ID for the remote VLAN is your newly created RSPAN VLAN.

Then, on the destination switch, i.e. the one connected to the host that needs to see the packets:

#no monitor session 1
#monitor session 1 source remote vlan 900
#monitor session 1 destination interface fastethernet 0/10

The source VLAN is the RSPAN VLAN, and the destination interface is the port that you want to output your packets to.

#show monitor session 1


Cisco AnyConnect Error: “The AnyConnect package on the secure gateway could not be located.”

Error: Cisco AnyConnect VPN Client The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.

Solution:

You have to upload the AnyConnect .pkg file to the ASA, or locate one that is already on it.

1. Log in to the ASA via the CLI and, in config mode, enter the commands below:

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.00096-k9.pkg

Note: You need to upload the appropriate .pkg file to the ASA before entering the above command. You can also check which AnyConnect .pkg files are on the ASA using the "show disk0:" command.

asa1/act/pri# show disk0:
--#--  --length--  -----date/time------  path
  175  6487517     May 22 2014 12:49:30  anyconnect-macosx-i386-2.5.2014-k9.pkg
  176  6689498     May 22 2014 12:49:30  anyconnect-linux-2.5.2014-k9.pkg
  177  4678691     May 22 2014 12:49:32  anyconnect-win-2.5.2014-k9.pkg
  179  38191104    Feb 03 2016 16:34:36  asa912-smp-k8.bin
  184  23374256    Feb 21 2016 10:42:28  asdm-716.bin
  191  69285888    May 19 2016 13:29:32  asa942-smp-k8.bin
  192  18989375    May 22 2016 10:49:54  anyconnect-win-4.2.00096-k9.pkg <-- This file is used in this example
  193  25819140    May 23 2016 12:23:32  asdm-761.bin
  196  84805632    Aug 17 2017 10:49:16  asa963-1-smp-k8.bin
  197  26916144    Aug 17 2017 10:50:26  asdm-781-150.bin

2. To verify, run "show run webvpn" on your ASA and check that the commands above are present.

asa1/act/pri# sh run webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
 anyconnect enable

Save the configuration and try to log in again using AnyConnect.

Upgrade OS in Palo Alto

STEP 1: Take a backup

1. Select Device > Setup > Operations and click "Export named configuration snapshot."
2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.

STEP 2: Make sure the firewall is running the content release needed to install the required OS version

1. Select Device > Dynamic Updates.
2. If the firewall is not running the minimum required update, click Check Now to retrieve a list of available updates.
3. Locate and Download the appropriate update.
4. After the download completes, Install the update.

STEP 3: Determine the upgrade path.

1. Select Device > Software and click Check Now for the latest update.
2. Locate and Download the version to which you intend to upgrade.
3. After the download completes, Install the update.
4. After the installation successfully completes, reboot using one of the following methods:
   - If you are prompted to reboot, click Yes.
   - If you are not prompted to reboot, select Device > Setup > Operations and Reboot Device (Device Operations section).

NOTE : You cannot skip installation of any major releases in the path to your target PAN-OS version. Therefore, if you intend to upgrade to a version that is more than one major release away, you must still download, install, and reboot the firewall for each intermediate major release along the upgrade path.

For example, if you want to upgrade from PAN-OS 6.0.11 to PAN-OS 7.1.5, you must:

Download and install PAN-OS 6.1.0 and reboot.
Download and install PAN-OS 7.0.1 and reboot (7.0.1 is the base image for the 7.0 release, not 7.0.0).
Download PAN-OS 7.1.0 (you do not need to install it).
Download and install PAN-OS 7.1.5 and reboot.
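
The rule in the note above, generalized into a small planner that returns the download/install sequence for any current and target version. This is an added example, not code from the original page or from Palo Alto Networks; the table holds only the releases named in the 6.0.11 to 7.1.5 example, and the names MAJOR_ORDER, BASE_IMAGE and plan_upgrade are assumptions.

```python
# Added example: plan a PAN-OS upgrade path from the rule in the note above.
# MAJOR_ORDER and BASE_IMAGE hold only the releases named in the page's
# 6.0.11 -> 7.1.5 example; extend them from the vendor release notes.
MAJOR_ORDER = ["6.0", "6.1", "7.0", "7.1"]
BASE_IMAGE = {"6.1": "6.1.0", "7.0": "7.0.1", "7.1": "7.1.0"}

INSTALL = "download, install, reboot"
DOWNLOAD = "download only"


def parse(version):
    """Split 'X.Y.Z' into (major release 'X.Y', numeric tuple)."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected X.Y.Z, got {version!r}")
    return ".".join(parts[:2]), tuple(int(p) for p in parts)


def plan_upgrade(current, target):
    """Return ordered (action, version) steps from current to target."""
    cur_major, cur_num = parse(current)
    tgt_major, tgt_num = parse(target)
    for major in (cur_major, tgt_major):
        if major not in MAJOR_ORDER:
            raise ValueError(f"release {major} is not in MAJOR_ORDER")
    if tgt_num <= cur_num:
        raise ValueError("target must be newer than the running version")

    start, end = MAJOR_ORDER.index(cur_major), MAJOR_ORDER.index(tgt_major)
    steps = []
    # Every intermediate major release is installed at its base image.
    for major in MAJOR_ORDER[start + 1:end]:
        steps.append((INSTALL, BASE_IMAGE[major]))
    # When crossing into the target release, its base image is downloaded
    # but not installed, unless the base image is the target itself.
    if end > start and BASE_IMAGE[tgt_major] != target:
        steps.append((DOWNLOAD, BASE_IMAGE[tgt_major]))
    steps.append((INSTALL, target))
    return steps


if __name__ == "__main__":
    for action, version in plan_upgrade("6.0.11", "7.1.5"):
        print(f"PAN-OS {version}: {action}")
```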

STEP 4: Verify that the firewall is passing traffic. Select Monitor > Session Browser.

Firepower 9300 - Initial configuration

Configure for Firepower Management

The steps below are for booting up the Firepower 9300 for the first time.

- Connect to the Firepower 9300 CLI using and complete the system configuration as prompted

Enter the setup mode; setup newly or restore from backup. (setup/restore) ? setup
You have chosen to setup a new Security Appliance. Continue? (y/n): y
Enforce strong password? (y/n): n
Enter the password for “admin”: <new password>
Confirm the password for “admin”: <repeat password>
Enter the system name: 9300FPR1
Physical Switch Mgmt0 IP address :
Physical Switch Mgmt0 IPv4 netmask :
IPv4 address of default gateway :
Configure the DNS Server IP address? (yes/no) [n]: n
Configure the default domain name? (yes/no) [n]: n

Following configurations will be applied:
Switch Fabric=A
System Name=9300FPR1
Enforced Strong Password=no
Physical Switch Mgmt0 IP Address=
Physical Switch Mgmt0 IP Netmask=
Default Gateway=
Ipv6 value=0

Apply and save the configuration (select ‘n’ if you want to re-enter)? (yes/no): yes
Applying configuration. Please wait.

Launch the Firepower Chassis Manager web interface from a browser using https://<chassis_mgmt_ip_address> (this is the IP address of the Firepower 9300 that you entered during initial configuration) and log in.

If you have more than one chassis, configure each one in the same way using a different management IP address.