Tuesday, 13 November 2018

Cisco FMC FTD user to IP mapping troubleshooting

To check whether user-to-IP mapping is working correctly, SSH to the FMC and the FTD and run the following commands to confirm that the entries are present:

expert
user_map_query.pl -i 10.10.10.10   (checks IP to user mapping)
user_map_query.pl -u bob           (checks user to IP mapping)
If the results display "For policy = 1", the mapping is set to propagate to the FTD.


Another approach
expert
u2dump /var/sf/user_enforcement/user_ip_map.* > /var/tmp/user-ip-map.dump
vi /var/tmp/user-ip-map.dump 



Credit for some of the above goes to dependencyhell.net blog.

Monday, 12 November 2018

Anyconnect DNS issues on VPN

If you're having trouble with clients that connect to the VPN but can't resolve DNS, please check the following:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz27826/?rfs=qvred

In short
AnyConnect creates a static route on the client for the DHCP server. If your DHCP server also serves as the DNS server (or other services), this breaks DNS resolution for the client.
Apply the following as a workaround:

group-policy DfltGrpPolicy attributes
  webvpn
     anyconnect-custom-attr no-dhcp-server-route
     anyconnect-custom-data no-dhcp-server-route no-dhcp-server-route true

group-policy <XXX> attributes 
  anyconnect-custom no-dhcp-server-route value no-dhcp-server-route
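The mechanism behind the bug can be checked with a small route-selection model. This is an added example, not code from Cisco or from this blog: the addresses are constructed, and the DHCP-server host route is modelled as leaving the tunnel, which is the assumption that makes resolution fail exactly as the post describes.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination prefix, egress label). All values are constructed.
Route = Tuple[str, str]

def select_route(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching prefix wins,
    which is how the client OS picks an egress for a packet."""
    dst_ip = ipaddress.ip_address(dst)
    best_len, best_via = -1, None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst_ip in net and net.prefixlen > best_len:
            best_len, best_via = net.prefixlen, via
    return best_via

def client_routes(dhcp_server: str, no_dhcp_server_route: bool) -> List[Route]:
    """Split-tunnel client table: corporate 10/8 via the VPN, everything
    else via the LAN. Without the workaround AnyConnect also installs a
    /32 host route for the DHCP server; it is modelled (assumption) as
    leaving the tunnel, since that is what makes DNS to that host fail."""
    routes = [("0.0.0.0/0", "lan"), ("10.0.0.0/8", "vpn")]
    if not no_dhcp_server_route:
        routes.append((dhcp_server + "/32", "lan"))
    return routes

def dns_egress(dns_server: str, dhcp_server: str, workaround: bool) -> Optional[str]:
    """Which way a DNS query leaves the client: the /32 beats the /8
    only when the DNS server is the DHCP server itself."""
    return select_route(client_routes(dhcp_server, workaround), dns_server)

if __name__ == "__main__":
    for wa in (False, True):
        print("workaround" if wa else "default   ",
              "DNS==DHCP ->", dns_egress("10.1.1.5", "10.1.1.5", wa),
              "| DNS!=DHCP ->", dns_egress("10.1.1.6", "10.1.1.5", wa))
```

A DNS server that is not also the DHCP server stays on the tunnel either way, which is why the problem only shows up on networks where one host plays both roles.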

Friday, 2 November 2018

Google NTP service

Google has started running public Network Time Protocol (NTP) servers.
You'll find them at time.google.com – 216.239.35.0
Note that these servers smear leap seconds instead of inserting them, so they should not be mixed with conventional NTP sources in the same client configuration.

More info here: https://developers.google.com/time/

Cisco ISE check Profiler Feed logs and Updates

Hi all,

To check the profiler feed logs and follow the progress of an update, use the following command in the CLI:

sh logging application profiler.log tail