Diagnostic 2
I know this is not a good way… we need resources to properly identify. If anyone has resources for
DIAG2, please share; I will document them properly and highlight the differences.
DIAG2
DIAG2+
DIAG2++
DIAG2+++
Points 1
Answer
Select an answer:
Incorrect network device group configuration on ISE DIAG2+
Authorization policy needs to be corrected on ISE
Radius Packet from SW2 has been sourced from an incorrect interface.
Authentication policy needs to be corrected on ISE for the MAB session. DIAG2
There is an issue with aaa login authentication method configuration on SW2
Authorization condition needs to be corrected on ISE for the MAB session DIAG2+++
SW2 port is incorrectly configured for MAB
ISE has the incorrect key for the network device DIAG2++
Task Number-2: Network Connectivity issue with Employee profile
Support engineer from Sunshine Inc. has opened a TAC case with Cisco TAC reporting
that the employee profile has a network connectivity issue.
Point 1
Answer
Select an answer:
Authentication Condition needs to be corrected on ISE for DOT1x session. DIAG2++
The ISE has incorrect network device address. DIAG2
Authorization condition needs to be corrected on ISE for the Dot1x session.
SW1 is pointing to incorrect ISE server for Dot1x session authentication
Incorrect user group configuration on ISE DIAG2+
Issue with aaa network authorization method configuration on SW1.
SW1 port is incorrectly configured for Dot1x
Authorization policy needs to be corrected on ISE for the Dot1x session.
Task Number-3: Network Connectivity issue with Contractor profile
Support engineer from Mezrak Inc. opened a case with Cisco TAC reporting that users
with the contractor profile have a network connectivity issue.
Point 1
Answer
Select an answer:
ISE unable to communicate with active directory server.
Incorrect network device configuration group. DIAG2+
Issue with AD group mapping on ISE DIAG2++
There is an issue with CoA configuration on ISE.
There is an issue with CoA configuration on SW2.
SW2 port is incorrectly configured for MAB authentication.
Radius packet has been sourced from an incorrect interface on SW2.
Issue with MAB Authorization result configuration on ISE. DIAG2
Task Number-4: Site-to-Site IPsec VPN Issue
Support engineer from Opensky Inc. opened a case with Cisco TAC on a site-to-site IPsec VPN
failure on FTDs.
Point 1
Answer
Select an answer:
FMC 6.2 does not support point-to-point VPN tunnel.
FTD2 VPN policy is Incorrect.
Issue with FTDs network zones configuration.
R4 is missing static routes for VPN tunnel establishment
FTD1 policy is not consistent with the topology. DIAG2++
FTD2 interface configuration not consistent from topology. DIAG2+
Issue with FMC Licensing DIAG2
FTD1 outside object is incorrectly configured. DIAG2+++
Point 1
Answer
Select an answer:
Incorrect export group mapping on the Cloud for FMC.
DNS is incorrectly configured for the cloud “Defense Centre Link” resolution. DIAG2
FMC should be manually configured for time and NTP should not be used.
Probably Issue with sliding windows time-range for AMP events analysis on FMC. DIAG2++
Cloud and FMC should not be doing lookups using same DNS.
Cloud has an incorrect next hop DIAG2+
Time synchronization issue with the NTP server on Cloud.
Cloud is disabled under FMC AMP management.
FMC 6.2 is pointing to the incorrect DNS.
FMC is pointing to a wrong default gateway for cloud reachability.
DNS is incorrectly configured for the cloud “Defense Centre Link” resolution. DIAG2+++
Task Number-6: Unable to add a device into DNAC
Support engineer from Supplychane Limited opened a case with Cisco TAC complaining of being
unable to add a device into Cisco DNA Center (DNAC) from network orchestration
Point 1
Answer
Select an answer:
Incorrect protocol used on DNAC to communicate with SW1_V.
RO community string mismatch when adding device to DNAC DIAG2
Incorrect enable password used when adding device to DNAC. DIAG2+++
Incorrect VTY password entered when adding devices to DNAC DIAG2+
SW1_V interface to reach DNAC is down.
SW1 Should disable NTP DIAG2++
SW1_V not setup for RO community string.
SNMP version mismatch between DNAC and SW1_V.
VTY line missing authentication method.
Point 1
Answer
Select an answer:
Management PC cannot reach DNAC.
DNAC is blocking HTTPS access.
Script is not referencing IP address of network devices.
Script is calling incorrect API to retrieve device list from DNAC.
Script has incorrect DNAC login username. DIAG2+
Script has incorrect DNAC address
Script has incorrect DNAC login password. DIAG2++
Script is not configured to use service ticket for DNAC login.
Script is not configured to use HTTPS for DNAC access. DIAG2
Script has incorrect DNAC login password. DIAG2+++
Task Number-8: CWA Broken
Support engineer from Sunshine Inc. has opened a case with Cisco TAC complaining that central
WebAuth is broken from the guest account.
Point 1
Answer
Select an answer:
ISE CoA authorization rule is incorrectly configured.
SW2 is not able to communicate with ISE.
Incorrect ACL pushed on MAB Authorization profile. DIAG2+
Switch redirect ACL is incorrectly configured.
Issue with CoA configuration on SW2.
CWA authentication rule is pointing to incorrect database.
MAB is disabled on SW2 authentication port.
Issue with CWA policy set condition on ISE. DIAG2
CWA authentication rule is incorrectly configured for supplicant MAC not found.
SW2 belongs to incorrect device group in ISE. DIAG2++
Point 1
Answer
Select an answer:
Incorrect Redirect ACL configured on ASA1.
Incorrect provisioning portal URL.
HTTP server not enabled on ASA1.
HTTPS server not enabled on ASA1.
Posture profile missing on ASA1.
Redirect ACL not properly configured in posture authorization profile.
Incorrect translation for ISE on ASA1.
No inside route on ASA1 for ISE.
Incorrect Posture policy set configuration.
Incorrect posture policy set configuration DIAG2++
Issue with network device configuration on ISE. DIAG2
Issue with network device configuration on ISE. DIAG2+++
Task Number-10: Device Profile Not Working
Support engineer from Meezan Inc. has opened a case with Cisco TAC complaining that device
profiling is not working to deny authorization to a rogue MAC
Point 1
Answer
Select an answer:
Authorization rule is incorrectly configured DIAG2++
Matching identity group should be disabled for profile.
Authentication rule is incorrectly configured.
Profiler Policy is disabled DIAG2+
Issue with network device configuration on switch.
Access policy is incorrectly configured.
Profile policy rule is incorrectly configured DIAG2
Issue with authentication port configuration on SW2.
Logical profile incorrectly configured.
Issue with network device configuration on ISE.
NOTE: Task 10 is completely different in DIAG2+++; you can use it for identification.