
Unable to add Cisco ISR to WAAS Central Manager

If you are trying to add an ISR to the WAAS CM and the process fails with no error (and it detects as WAAS Express) then I may have found the solution.  Use the CLI.  I know, seems obvious in hindsight, the CLI working where the GUI fails.  The issue for me was actually finding the process for the CLI in the documentation.

Well, here’s the link to the documentation: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v611/configuration/guide/cnfg/other.html#pgfId-1070077

The short version is you need to do the following:

  1. Create a user with privilege level 15
    1. For a local account, from config#: username user privilege 15 secret password
       (the Cisco doc shows password 0 password, which stores the password in clear text in the running config; secret stores a hash and works the same for the HTTP local authentication set up below)
  2. Export the WAAS vCM certificate
    1. From exec: show crypto certificate-detail admin
    2. Copy the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
  3. Import the certificate into the router as a trusted CA
    1. From config#:
      1. crypto pki trustpoint wcm
      2. enrollment terminal pem
      3. exit
      4. crypto pki authenticate wcm
      5. Paste the certificate, then enter a blank line to complete
      6. The router prints the MD5 and SHA1 fingerprints of what you pasted and asks whether to accept it.  Compare them with the fingerprint of the certificate you exported (for example openssl x509 -noout -fingerprint -sha1 -in vcm.pem) before answering yes.  This is the step that makes the router trust the Central Manager, so don’t accept a fingerprint you haven’t checked.
  4. Create a router certificate
    1. From config#:
      1. crypto pki trustpoint local
      2. enrollment selfsigned
      3. subject-alt-name RouterFQDN
      4. exit
      5. crypto pki enroll local
        1. Answer the questions as prompted
        2. Serial number: Yes
        3. IP address: Yes
        4. Enter IP: IP_address
        5. Generate certificate: Yes
  5. Enable the web server and set authentication
    1. From config#:
      1. ip http secure-server
      2. ip http authentication local
  6. Enable SSH V2
    1. From config#: ip ssh version 2
  7. Register with vCM
    1. From exec: appnav cm-register https://vCMIP:8443/wcm/register
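
The step that matters most for security in that list is 3.6: answering yes to crypto pki authenticate makes the router trust whatever was pasted, so the fingerprint the router prints should be checked against the certificate that actually came out of the Central Manager.  The following Python script is an added example (not from the original post or the Cisco documentation) that computes the fingerprints in the same layout IOS prints them.  The SAMPLE_PEM in it is a constructed placeholder, not a real certificate; in practice you would feed it the file saved from show crypto certificate-detail admin.

```python
"""Fingerprint a PEM certificate the way IOS prints it.

Added example, not part of the original post or of the Cisco WAAS/IOS
documentation.  Standard library only.  'crypto pki authenticate wcm' prints
MD5 and SHA1 fingerprints of the pasted certificate and asks whether to accept
it; compute the same fingerprints from the file you exported with
'show crypto certificate-detail admin' and only answer yes if they match.
"""
import base64
import hashlib
import re

# Tolerates extra whitespace and the mangled dash runs that web copy/paste
# produces; the router itself wants the exact -----BEGIN CERTIFICATE----- form.
_PEM_RE = re.compile(
    r"-{2,}\s*BEGIN CERTIFICATE\s*-{2,}(.*?)-{2,}\s*END CERTIFICATE\s*-{2,}",
    re.S | re.I,
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop the line breaks
    return base64.b64decode(body, validate=True)


def ios_style(hex_digest):
    """IOS prints fingerprints as upper-case hex in groups of eight."""
    h = hex_digest.upper()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def fingerprints(pem_text):
    """MD5, SHA1 and SHA256 fingerprints of the certificate, IOS formatted.

    IOS shows MD5 and SHA1 at the accept prompt; SHA256 is included because
    that is what 'openssl x509 -fingerprint -sha256' gives you.
    """
    der = pem_to_der(pem_text)
    return {
        "MD5": ios_style(hashlib.md5(der).hexdigest()),
        "SHA1": ios_style(hashlib.sha1(der).hexdigest()),
        "SHA256": ios_style(hashlib.sha256(der).hexdigest()),
    }


def _normalize(fp):
    return re.sub(r"[\s:]", "", fp).upper()


def router_fingerprint_matches(pem_text, shown, algo="SHA1"):
    """True if the fingerprint the router displayed equals the one computed
    from the exported certificate.  Spaces, colons and case are ignored, so
    IOS grouping and openssl's colon-separated form compare equal."""
    return _normalize(fingerprints(pem_text)[algo]) == _normalize(shown)


# Constructed stand-in payload, NOT a real certificate: enough to exercise the
# PEM handling and hashing.  Use the file exported from the vCM in practice.
_FAKE_DER = bytes(range(48))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for algo, fp in fingerprints(SAMPLE_PEM).items():
        print(f"Fingerprint {algo}: {fp}")
```

Paste the SHA1 line from the router prompt into router_fingerprint_matches together with the exported file; a False means the certificate you pasted is not the one the Central Manager exported, and the right answer at the prompt is no.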

The appnav cm-register command produces no output, so check the Central Manager to see whether the registration worked.  If it didn’t, here are a few things to look at:

  1. Make sure the two devices can reach each other (ping in both directions, and TCP 8443 from the router to the vCM)
  2. Verify that NTP is configured and synchronized on both devices; certificate validation fails if the clocks are off
  3. Verify that the AppX license is installed and activated on the router

Cisco ISR Project – IWAN Branch deployment (8 of?)

To get a branch router deployed simply log into Prime Infrastructure and go to IWAN Enablement again (Menu – Services – IWAN Enablement).

IWAN Enablement

Hit Next on the intro page and then enter the configuration.  For my site I am doing a single router branch.  It becomes apparent quite quickly that the rest of the information is nearly identical to what was needed to set up the DC routers.

Single Router Branch

After setting the category and role the rest of the fields are automatically filled.  Next will come the device selection.

For the branch locations I decided to do this the hard way.  Since I am using new routers that aren’t on the existing network I wanted to try doing an offline configuration.  Since you can’t continue without selecting a device I just selected one of the routers I have at the Hub.  Before committing the changes to the router I will just copy the CLI commands and run them on the router.

Most of the DMVPN fields should be familiar:

The loopback is just a local /32 address.  Internet bandwidth is in kbps (kilobits per second), not kilobytes, so that’s easy enough.  The tunnel IP needs to be on the same subnet as the Internet tunnel IP from the HQ side.  The Internet Hub Tunnel IP is the IP that was assigned to the tunnel interface during the Internet Hub deployment.  The interface is the router interface that will connect to the ISP.  Lastly, the pre-shared key is the DMVPN key that was set on the hub router (not the PfR password).

The MPLS fields are essentially the same as the Internet fields, but with the MPLS addressing.

Under the Internet WAN section you will enter the public IP address that will be assigned to the router, and the same applies for the subnet mask and gateway.  Now, according to Cisco’s documentation, the remote DMVPN router supports a dynamic address, but the wizard requires an IP address assigned.  I presume this can be cleaned up in the CLI after the deployment.

Again, the MPLS WAN settings are self explanatory.  Enter the IP, mask, and gateway.  If you are unsure of this information for either the MPLS or Internet interface contact your ISP.

The last section for the DMVPN is the EIGRP settings.  For the LAN subnet you would enter the LAN subnet that will be at the remote site.  The wizard doesn’t allow multiple subnets to be entered, but they can be added via the CLI later.

When complete, click Apply, then Next.  This will bring up the PfR settings.  Enter the IP of the Master Controller and the PfR password.  Again, click Apply and Next.

The next page will be the QoS settings.  The wizard asks for the interfaces for Internet, LAN, and MPLS, as well as bandwidth.

There are a few things to be aware of.  The QoS Marking LAN Interface is the inside interface.  When entering interface names spelling counts; copy the full interface name from the router CLI (GigabitEthernet0/0/1, not gi0/0/1) to eliminate the risk of typos.  The Device Type field needs to be left with “Product Series” as the value.  Finally, select the bandwidth that is the closest match to what you have, and again, this is in megabits per second, not megabytes.

Click Next through the AVC settings, then review the CLI Summary.  As I mentioned, I did an offline config, so I essentially copied the CLI summary to the router CLI.  One thing to be aware of is that if the CLI commands are pasted they should be pasted in small batches.  Some commands may fail, and it’s much easier to spot the failures in small chunks.  If you are doing an online config then the deployment can be scheduled and confirmed.

If all goes according to plan, the deployment should go without issue.  When it finishes make sure to save the config (unless that was selected as part of the deployment options).  Then I would reload the router so it comes up with the new config.

In theory, when the routers are up the DMVPN tunnels should come up, and you should be able to ping the tunnel IP across the tunnels.  ‘show dmvpn’ confirms the tunnel state; then run ‘show ip route’ and verify that routes are being added via EIGRP.

If so, you should be set to move on.  If not, something went wrong, and the cause could be one of many things.  Here are a few things to try:

  • Ping the remote public interface
  • Ping the remote tunnel interface
  • ‘show dmvpn’ shows whether the NHRP registration with the hub succeeded, and ‘show crypto ikev2 sa’ (or ‘show crypto isakmp sa’ if the overlay uses IKEv1) shows whether the IKE session came up; no IKE SA usually means a pre-shared key mismatch or a reachability problem
  • The ‘show int’ command can help identify if interfaces might be down
  • It might be worth looking through the running config for any misconfigurations, like mistyped IP addresses or incorrect masks.
  • Traceroute can also be helpful to make sure that things are getting where they need to
  • Check the routing table with ‘show ip route’ to verify routes, including the default route, are correct.

Cisco ISR Project – IWAN Deployment to DC1 (7 of?)

Now that Prime and the routers are deployed it’s time to start getting them added in.  I have deployed a lab set-up using an old Catalyst 2960 and a 2911 router to simulate Internet and MPLS connections between my HQ and remote routers.  Since the MPLS isn’t in place yet I can’t add the remote routers, but I will add the CSR and the ISR devices at HQ.

Log into Prime and click the Menu button in the top left corner, then Inventory – Network Devices.

Prime Network Devices

A Discovery could be created to find and add all the devices, but since there are only three devices I added them manually.  Simply click “Add Device” in the All Devices pane and then fill out the connection information.

Add Device window

Complete the fields in the Add Device window.  Make sure to fill in the SNMP and SSH sections so Prime can do a full inventory collection from the devices.  Prefer SNMPv3 and SSH over SNMPv2c and Telnet here: the credentials entered in this window have configuration access to every router Prime manages, and SNMPv2c communities and Telnet passwords cross the network in clear text.

After the devices are added it takes a few minutes for the initial sync to complete.

Once the devices are added then we can start the IWAN deployment.  Initially, I am going to have a single CSR at my primary datacenter, with a second being added later at a DR DC.  At the HQ there will be a pair of ISR 4331s, one for terminating MPLS and the other for terminating Internet connections.

To start the process of IWAN Enablement first click on the menu button in the top left corner, then Services – IWAN Enablement.

IWAN Enablement

First off, there’s a picture of the IWAN topologies.

The IWAN design is a hub and spoke topology, though there can be a redundant hub.  At the hub site there are three roles: the Master Controller, which oversees the IWAN topology, and an Internet router and an MPLS router.  If a second hub location is used then it would have a Transit Master Controller, as well as its own Internet and MPLS routers.  Branch locations can be single router or dual router.  With a single router location both MPLS and Internet connections terminate on one router.  Dual router sites have two routers, so MPLS terminates on one router and Internet terminates on the other.

Cisco also has a link to their YouTube video on the IWAN deployment process.  https://www.youtube.com/watch?v=5LMpJtf2uuw

I did notice that the video is for the non-updated version of Prime Infrastructure 3.0, so it doesn’t match up with the prompts I was seeing.  However, it’s still an awesome resource.

After clicking Next on the first page the wizard prompts to choose the configuration.  The first options are:

IWAN Branch

IWAN Hub DC1

IWAN Hub DC2

Since this is at the primary HQ site (the DR site will be added at a later date) the selection is IWAN Hub DC1.  Once that selection is made it will prompt to determine the device role:

Master Controller DC1

MPLS Hub DC1

Internet Hub DC1

The first thing needed is the Master Controller, so that’s the selection to make.  It will then prompt for a template.  CVD stands for Cisco Validated Design, so the default (and only) option is the CVD template for the Master Controller at DC1.

DC1 Master Controller

After clicking Next the wizard will prompt to select a Device

Master Controller Device selection

Find the CSR 1000V and check the box next to that.  The only thing the CSR will do is serve as the Master Controller for the IWAN deployment.

Here’s a diagram Cisco provides on the DC topology:

DC Topology

Now comes setting the Master Controller specific settings.

Master Controller settings

There is a little help bubble next to each field that will give additional information about that field.  Additionally, there is a help button near the top right of the page.  However, here’s what the fields are asking for.

The Loopback IP is the address of a virtual interface that stays up as long as the router does, independent of any physical link.  It gives the router a stable identity that PfR and the other hub devices use to reach it, which is why a /32 mask is recommended.  Pick an address that’s not going to overlap with anything in the network and assign that.

The PfR-Auth-Password is the password the PfR master controller and border routers use to authenticate their peering.  Make a note of this, as the same password will need to be used on all PfR devices.

Wondering what PfR means?  It is Performance Routing.  Traditional routing protocols pick a path from static metrics like hop count and link bandwidth.  PfR measures how each path is actually performing (delay, loss, jitter, utilization) and steers application traffic classes onto the path that meets their policy.  For example, route VoIP calls over MPLS as it has the lowest latency, but route a file transfer over the Internet VPN as there’s better throughput.  To clarify this a little bit: PfR doesn’t replace a routing protocol, it augments the protocol.  Later on, we will select the overlay routing protocol that is used.  More information on PfR can be found here: http://www.cisco.com/c/en/us/products/ios-nx-os-software/performance-routing-pfr/index.html

Enterprise_Prefix is the network prefix for the entire network.  This includes HQ and all remote locations.  I’m still not clear on how to handle this field if you have a non-contiguous network, like some 10.X.X.X networks, and a few 172.16.X.X networks.

The DC1_Prefix is the networks at the DC the Master Controller is being installed at.  The field does allow multiple networks to be entered with a comma (,) separator.

The Netflow Collector IP is the Prime Server, or the VIP if there is an HA deployment of PI.

After everything has been entered you click Apply.  This will populate the CLI preview, which shows what the commands are that will be entered.

Clicking on Next will bring up the CLI Summary.  Since there was only one configuration step this shows the same thing as the CLI Preview from the previous step.  If there were more configuration pages then this would compile all the CLI entries for all the pages.

By clicking Next again it brings up the option to schedule the deployment.

Master Config deployment schedule

Personally, I leave it set to run now since the device isn’t in production.  I also check both boxes to Copy Running Config to Startup and Archive Config after Deploy.  This way I have the config committed, and I have a backup of it.


All that’s left is to click Next, and then on the Confirmation page click Deploy.  Then wait while this configuration is deployed.  The deployment process can be monitored from the Job Dashboard.  Once this is complete then the MPLS and Internet routers can be configured.

To configure the MPLS router go back into the IWAN Enablement wizard.  This time select the IWAN Hub DC1 category, then MPLS Hub DC1.

MPLS Hub DC1 config

After the device role is selected a number of additional options become available.  The Overlay Protocol is the routing protocol that builds the route topology over the tunnels, which PfR then uses to determine the best application path.  There are two options here, EIGRP and BGP.  Since this is a Cisco shop, and EIGRP is generally an easier protocol to configure, that is the option I selected.

The rest of the dropdowns only have the default setting.  The only other customization is the Deploy PKI checkbox.  When unchecked the DMVPN uses a pre-shared key to authenticate routers.  If PKI is used then certificates are used for authentication.  The PKI deployment requires an APIC-EM (Application Policy Infrastructure Controller Enterprise Module), which I don’t have, so pre-shared keys are fine by me.

After clicking Next the wizard will prompt to select the device that the config will be applied to.

MPLS Hub DC1 Device selection

Find and select the MPLS router, then click Next.

Now comes setting the MPLS DMVPN settings.

MPLS Hub DC1 setting (1 of 2)

Again, a loopback IP is required.  Use a /32 that doesn’t overlap with the rest of the network.

For the bandwidth don’t get confused by the use of all CAPS.  It is asking for the bandwidth in kbps (kilobits per second).

The tunnel IP address is the virtual IP used for this router’s tunnel endpoint.  These IPs are what allow the devices to think they are peers even over an Internet or MPLS connection.  A single subnet will be used for the tunnel IPs of all MPLS endpoints, and another subnet will be used for all Internet VPN endpoints.  As an example, 192.168.10.0/24 for MPLS and 192.168.20.0/24 for Internet endpoints.

Set the Tunnel Subnet Mask according to the IP range selected.

The Tunnel subnet field is a bit confusing.  This is just the network IP for the subnet selected.  In the example of using 192.168.10.X/24 for the MPLS Tunnel IPs the fields would look like this:

Tunnel IP: 192.168.10.1

Tunnel Subnet Mask: 255.255.255.0

Tunnel Subnet: 192.168.10.0

The MPLS WAN Interface is self explanatory.  This is the interface of the router connected to the WAN.

The Pre-shared key here is the DMVPN key, not the PfR key that was set on the Master Controller.  Every spoke will share this one key, so make it long and random, then keep a note of it the way you would any other shared secret, as it will be needed for the spoke routers.

When those fields are done then we can scroll down…

MPLS Hub DC1 settings (2 of 2)

This should all be pretty straightforward.  For the MPLS WAN, enter the WAN IP of the router, the subnet mask for the MPLS link, and the gateway IP for the MPLS.  If unsure of this info, contact the ISP as they should be able to provide it.

Under the EIGRP section, the Master Controller IP is the address of the CSR 1000V.  The PI IP address is for the Prime Infrastructure server (or VIP if clustered), the APIC-EM IP is used if an APIC-EM appliance is being used for PKI, and lastly, the DC prefix is the network range for the datacenter.  As before, if needed, additional IP ranges can be applied to the DC prefix field using a comma separator.

Click Apply, then click Next.  It will now ask for the PfR information.  Again, enter the IP of the Master Controller and the Auth password.  This is the PfR password that was set up when the Master Controller was deployed.  Again, click Apply, then click Next.

For the MPLS settings leave the Device Type as “ProductSeries” and set the WAN bandwidth (again, ignore the capital B, this field should be in kilobits per second) and the physical interface that the MPLS connection is on.

I must admit, I find it odd that the wizard asks for the same information that was previously entered.  It seems like this is just asking for a misconfiguration, as it doesn’t compare the two values.  The one that really surprises me is that for the DMVPN-Physical-Interface it doesn’t give a dropdown for the interface names, so you have to correctly type it.  With that said, type the full name, not the CLI shorthand, so use “GigabitEthernet0/0/1” as opposed to “gi0/0/1”

When that’s completed click Apply and Next.  Then it will bring up the AVC-MPLS page.  Even though there’s a lot on the page there’s nothing that can be modified.

Clicking Next again will bring up the CLI summary for everything that was entered.  Review the CLI summary if desired, then click Next.

Again, the page to schedule the job deployment will come up.  Select the desired option and click Next.  At the Confirmation page click Deploy to complete the wizard and start the deployment (if it was set to run now).

The deployment process will take a few minutes to complete.

For the Internet Hub DC1 router settings it’s nearly identical to the MPLS settings.  Just replace the word MPLS with Internet.  All the fields, and even the order are identical, just for the Internet side instead of the MPLS.

When the deployments are complete the next thing to do is to integrate the new routers into the existing topology.  It seems the wizard uses EIGRP AS 400.  That AS can be modified to match an existing EIGRP AS, or it could be configured on the existing gear.  Route redistribution or static routes could also be used, all depending on the existing environment.
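
Because the wizard takes most of these values as free text and, as noted above, never cross-checks the bandwidth and interface it asks for twice, it is worth validating the answers before the CLI summary is generated and pushed.  The script below is an added example (not part of the original post or of Prime Infrastructure) that does the checks the preceding sections describe for one DMVPN/QoS page: tunnel IP inside the tunnel subnet (and the hub tunnel IP on a spoke), bandwidths in kbps and equal on both pages, the same interface named on both pages in its full IOS form, and a DMVPN key that is not the PfR password.  The field names, the 16-character key floor and the sample values are all constructed for the example.

```python
"""Pre-flight checks for values typed into the Prime IWAN Enablement wizard.

Added example, not part of the original post or of Prime Infrastructure.  The
wizard takes interface names as free text, asks for the WAN bandwidth and the
DMVPN physical interface on two separate pages without cross-checking them,
and does not validate that the tunnel IP sits in the tunnel subnet.  The field
names follow the wizard pages described in the post; the thresholds and the
sample values are constructed for illustration.
"""
import ipaddress
import re

# Long IOS interface type names keyed by the shorthand typed at the CLI.
_IF_TYPES = {
    "gi": "GigabitEthernet",
    "te": "TenGigabitEthernet",
    "fa": "FastEthernet",
    "lo": "Loopback",
    "tu": "Tunnel",
    "po": "Port-channel",
}
_IF_RE = re.compile(r"^\s*([A-Za-z-]+)\s*(\d[\d/.]*)\s*$")


def canonical_interface(name):
    """Expand 'gi0/0/1' or 'Gig 0/0/1' to 'GigabitEthernet0/0/1'.

    Raises ValueError for anything that is not an unambiguous interface name,
    which is exactly what the wizard would otherwise push to the router as-is.
    """
    m = _IF_RE.match(name)
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    prefix, number = m.group(1).lower(), m.group(2)
    for short, full in _IF_TYPES.items():
        if prefix.startswith(short) and full.lower().startswith(prefix):
            return full + number
    raise ValueError(f"unknown or ambiguous interface type: {name!r}")


def check_dmvpn_fields(f):
    """Return the list of problems found in one set of wizard answers.

    Keys (mirroring the wizard pages): tunnel_ip, tunnel_mask, tunnel_subnet,
    wan_interface and wan_bandwidth_kbps (DMVPN page), qos_interface and
    qos_bandwidth_kbps (QoS page), dmvpn_psk, pfr_password, and on a spoke
    hub_tunnel_ip.  An empty list means nothing obviously wrong.
    """
    problems = []

    # Tunnel addressing: subnet/mask must describe a network, and this
    # router's tunnel IP (and on a spoke the hub's) must be inside it.
    try:
        net = ipaddress.ip_network(f"{f['tunnel_subnet']}/{f['tunnel_mask']}")
    except ValueError as err:
        problems.append(f"tunnel subnet/mask invalid: {err}")
        net = None
    if net is not None:
        for key in ("tunnel_ip", "hub_tunnel_ip"):
            if key not in f:
                continue
            try:
                addr = ipaddress.ip_address(f[key])
            except ValueError:
                problems.append(f"{key} {f[key]!r} is not an IP address")
                continue
            if addr not in net:
                problems.append(f"{key} {addr} is not inside {net}")

    # Bandwidth fields are kbps.  Anything under 1000 was almost certainly
    # typed in Mbps, and the DMVPN and QoS pages must agree with each other.
    wan_bw, qos_bw = int(f["wan_bandwidth_kbps"]), int(f["qos_bandwidth_kbps"])
    for key, value in (("wan_bandwidth_kbps", wan_bw), ("qos_bandwidth_kbps", qos_bw)):
        if value < 1000:
            problems.append(f"{key}={value} looks like Mbps; the wizard wants kbps")
    if wan_bw != qos_bw:
        problems.append(f"DMVPN bandwidth {wan_bw} differs from QoS bandwidth {qos_bw}")

    # Interface names: both pages must name the same interface, and the QoS
    # page needs the full IOS name, not the CLI shorthand.
    try:
        wan_if = canonical_interface(f["wan_interface"])
        qos_if = canonical_interface(f["qos_interface"])
        if wan_if != qos_if:
            problems.append(f"DMVPN interface {wan_if} differs from QoS interface {qos_if}")
        if f["qos_interface"] != qos_if:
            problems.append(f"QoS page wants {qos_if!r}, not the shorthand {f['qos_interface']!r}")
    except ValueError as err:
        problems.append(str(err))

    # Secrets: the DMVPN key is shared by every spoke; keep it distinct from
    # the PfR password and not trivially short (16 is this example's floor).
    if f["dmvpn_psk"] == f["pfr_password"]:
        problems.append("DMVPN pre-shared key is the same as the PfR password")
    if len(f["dmvpn_psk"]) < 16:
        problems.append("DMVPN pre-shared key is shorter than 16 characters")
    return problems


# Hub MPLS page values as in the post's example, with constructed fillers.
HUB_MPLS = {
    "tunnel_ip": "192.168.10.1",
    "tunnel_mask": "255.255.255.0",
    "tunnel_subnet": "192.168.10.0",
    "wan_interface": "GigabitEthernet0/0/1",
    "wan_bandwidth_kbps": 100000,
    "qos_interface": "GigabitEthernet0/0/1",
    "qos_bandwidth_kbps": 100000,
    "dmvpn_psk": "constructed-dmvpn-key-for-demo",
    "pfr_password": "constructed-pfr-password",
}

# A spoke page with the mistakes the post warns about: tunnel IP from the
# wrong subnet, QoS bandwidth typed in Mbps, shorthand interface name.
SPOKE_BAD = dict(
    HUB_MPLS,
    tunnel_ip="192.168.20.5",
    hub_tunnel_ip="192.168.10.1",
    qos_interface="gi0/0/1",
    qos_bandwidth_kbps=100,
)

if __name__ == "__main__":
    for label, fields in (("hub", HUB_MPLS), ("spoke", SPOKE_BAD)):
        print(label, check_dmvpn_fields(fields) or "ok")
```

Run it against the values for each router before clicking Apply; the SPOKE_BAD set produces four findings, one for each of the mistakes the sections above describe.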

Cisco ISR Project – ISR 4351 and UCS E-Series base config (6 of?)

For the base config of the router you can follow this guide: https://www.mytechgnome.com/2016/02/cisco-isr-project-isr-base-config-5-of.html

The config of the router portion is the same between the two models.  The difference comes in with the UCS E-Series server.

By default the CIMC of the blade (out-of-band management) is set to use the dedicated management port (the one labeled with a green background with an “M”) and it’s set for DHCP.  If you are running DHCP you should be able to find the lease in your DHCP server.  The client name will be the model and serial of the server, so E160D-FOCXXXXXXXX for example.  If you don’t have DHCP or if you want to assign a static IP you can run these commands from a config prompt on the router:

ucse subslot 1/0

imc ip address A.B.C.D E.F.G.H

You’ll need to replace A.B.C.D with the desired IP and E.F.G.H with the subnet mask.  The command also takes a default-gateway W.X.Y.Z argument, which you will need if the CIMC has to be reached from a different subnet.  As usual, remember to save the config after making changes.

You can also set up the CIMC address by booting into the CIMC manager (press F8 during boot to get to the CIMC manager) and setting it there, but I think it’s easier to just use the router CLI.

To simplify my life, I set up a management station on the same subnet as the management IPs I used on the CIMC and router management.  This way I don’t need to worry about getting routing set up yet.

You should be able to open a browser window and connect to the CIMC IP address.  First, the CIMC web interface requires Adobe Flash Player, so you may need to install/update that.

CIMC login page

The default username is: admin

The default password is: password

You will be prompted to change the password when you log in for the first time.

First things first.  Let’s get the CIMC firmware updated.  If you haven’t done this yet, go to the Cisco site and download the latest CIMC software. https://software.cisco.com/download/release.html?mdfid=286281321&flowid=&softwareid=284480160&release=3.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest

When logged in click the admin tab in the left pane.

CIMC Admin

 Then select Firmware Management

CIMC Firmware Management

Now click Install CIMC Firmware through Browser Client

Firmware install

In the window that pops up browse to the firmware download and click Install.  This process will take some time, and it’s not actually installing the firmware.  It’s just getting the firmware copied and ready.  When this process is complete you will need to activate the firmware by clicking Activate CIMC firmware.

Activate firmware

You’ll get a popup to select the firmware version to activate.  Select the version you just installed and click Activate Firmware.  Since the server isn’t in production yet we are going to ignore the recommendation to set the maintenance mode.  When the firmware is activated it will restart the CIMC service, so remote access will be lost temporarily.

That should get the CIMC configuration done, and now an OS can be installed.

First, we need to set the boot order.  Click BIOS in the left pane on the Server tab, then select Configure Boot Order.  If there is a pop up click OK on it.

Boot order

For my deployment I am going to be installing the OS on the embedded SD card.  For that, I set the boot order to first look at the Linux Virtual CD/DVD, then Cypress (the SD card).

Set boot order

Once things are moved as needed click Apply.  To start the OS install click the KVM icon (it’s in the top bar, and it looks vaguely like a keyboard).

Start KVM

The KVM does require Java, so that may need to be installed.  Also, since it uses Java expect a series of security prompts, as well as the difficulty that can accompany.  One thing to be aware of is if it downloads a file that looks like this ‘viewer.jnlp(1.2.3.4@0@215634295136582)’ it can be renamed to remove everything in the parenthesis, as well as the parenthesis leaving just ‘viewer.jnlp’ and then you can run that.

You will likely see this pop up more than once during the install.  Just click ‘Accept this session’ and then check the box to remember the setting.  Bear in mind what an unencrypted session exposes: every keystroke in the KVM, including the root password you set during the ESXi install, and the contents of the mounted ISO cross the management network in the clear.  On an isolated management subnet that may be acceptable; otherwise enable encryption first on the CIMC interface, under Remote Presence.  On the Virtual KVM tab check the box to enable video encryption, and on the Virtual Media tab check the box to enable virtual media encryption.

Unencrypted Virtual Media Session

 When the session is connected, click the Virtual Media tab at the top, then Add Image on the right.

Add image

Browse to the VMware ISO and select it.  When selected, it will be listed in the window, and you will need to check the box under Mapped.  Then go back to the KVM tab and boot the server (or reboot if it is running).

The VMware install is pretty self explanatory, and I presume familiar.  If not, here’s the VMware install guide: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.install.doc/GUID-6FFA928F-7F7D-4B1A-B05C-777279233A77.html

When the installation finishes the server will reboot into the yellow and grey ESXi console (the DCUI) that shows the machine info, including the DHCP address.  If you need to modify the network settings press ‘F2’ and then log in.

Since this is a text based configuration I won’t bother with screenshots for most of this.  In the menu select Configure Management Network.

For Network Adapters, determine what adapter will be used.  VMNIC0 and VMNIC1 are built into the UCS server, and are connected internally to the ISR.  VMNIC2 and VMNIC3 are matched to GE2 and GE3 on the server module.

After selecting the adapters then set the IP address, and make any needed DNS changes.

Once the server is online these changes can be made from the GUI as well.

Cisco ISR Project – ISR 4331 base config (5 of?)

On to the CLI config of the ISRs.  For this portion we are simply going to get the basic configuration done so we can SSH into the routers.

Connect a console cable (or USB cable) to the device and open up your favorite terminal emulator, then boot the router.  Eventually you should get a set up prompt.  If you don’t and you get a Router> prompt type these two commands:

enable

setup

The setup wizard is pretty straightforward.  Follow the prompts and enter the information needed.  Note that GigabitEthernet0 is the dedicated management interface; on the ISR 4000 series it sits in its own VRF (Mgmt-intf), which matters when routing is added for it later.

ISR setup

When you are done with the IP addressing it will ask if you want to run the AutoSecure wizard.  I recommend running that, as it disables some unneeded services and applies more secure policies.  When prompted for SSH, make sure you enable that.

Unfortunately, the setup process does not generate the RSA host key that SSH needs.  To create it use this command from a config prompt (enable, conf t):

crypto key generate rsa

Then it will prompt for a modulus size.  I used 1024 in this example.  Current guidance is 2048 bits or larger; giving the size on the command line (crypto key generate rsa modulus 2048) skips the prompt.

RSA key generation

 After generating the key make sure to save the config.  From the config prompt, it’s quickest to just type this command:

do wr

Otherwise ‘do write mem’ or ‘do copy run start’ would work.  You could also exit the config session and do ‘wr’ or any other variant at the enable prompt.

The other thing that you may need to do is add a default route to the management VRF if you will be connecting from a different network.  On the ISR 4000 series GigabitEthernet0 lives in VRF Mgmt-intf, so a plain global ip route 0.0.0.0 0.0.0.0 does nothing for it; from a config prompt use this command instead:

ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 <gateway IP>

This sends all traffic from the management interface to the gateway that you specify.  Again, save the changes, then test the SSH connection to the management IP.

The next step will be getting the licenses installed.  The first thing we will need is the UDI.  From an enable prompt run this command:

show license udi

Make a note of the PID and SN. They will be needed to get the license registered.  Now go to the Cisco licensing portal (https://tools.cisco.com/SWIFT/LicensingUI/Quickstart) and select the PAK you want to use, then Get New License.  Follow the prompts, making sure to set the quantity, enter the PID and SN, then accept the agreement.  This will allow you to download the license file.

Before we can continue, we need a way to move the license file.  My personal favorite is the SolarWinds free TFTP server that can be found here: http://www.solarwinds.com/products/freetools/free_tftp_server.aspx

As a side note, if you’re not familiar with Thwack, the SolarWinds user community you should check it out.  There’s a lot of good information about both SolarWinds products, but also some general IT info.  Plus they have some pretty awesome contests.  Check it out: https://thwack.solarwinds.com

Place the downloaded license file (should be a .lic file, so you may need to unzip) into the TFTP root folder and start the TFTP server.  TFTP has no authentication at all, so run the server on the management network only and stop it when the transfers are done.  Then run the following from an enable prompt:

license install tftp://<TFTP server IP>/<license file name>.lic

You will of course need to enter the IP of your TFTP server, and the license file name including extension.  The process should be pretty quick, and you will get a result that looks like this:

ISR license install

Repeat that process for all licenses needed.

The last step of the base setup of the device will be to get the firmware to the right level.  I decided to match my ISRs and CSRs on 3.16.  First, you’ll need to find the current firmware version.  You can do that with this command:

show ver

The version should be listed at or near the top of the result.  You will also want to make a note of the System image file name and path.  If you are going to upgrade the firmware then you will need to download if from Cisco if you haven’t already.  When you have the firmware you want you will need to place the .bin file in your TFTP root folder.  Then you copy the file to the bootflash directory on the router using this command:

copy tftp://<TFTP server IP>/<firmware file name>.bin bootflash:

Again, set the IP of your TFTP server and the file name of the firmware downloaded.  It will prompt to confirm the file name, and you can just accept the default, which keeps the same name.  The copy process will take a while to complete.  When it completes we will verify the file integrity by running this command from an enable prompt:

verify bootflash:<firmware file name>.bin

That only checks the checksum embedded in the image, which catches a corrupted transfer.  To confirm the file is the one Cisco published, compare it with the MD5 shown on the download page: verify /md5 bootflash:<firmware file name>.bin <published MD5> reports whether the two match.

This will also take some time to complete.  Now we want to check if there is an existing setting for the firmware boot.  Run this command from an enable prompt:

show run | in boot system

If nothing is displayed then you are good to move on, but if something is displayed you’ll need to note it and then we will clear it out by running this at a config prompt:

no boot system <existing location>:<existing firmware file name>.bin

You could also simply copy the output from the show command, then from a config prompt type “no ” and then paste the command.

The next step is to set the system to boot from that image by issuing this command from a config prompt:

boot system bootflash:<firmware file name>.bin

Now it’s just a matter of saving the config and reloading the router.

When the router is done booting you can verify the new firmware by logging in and running ‘show ver’ again.  Verify that the firmware is now the desired version.

Lastly, if you want to clean up the router you can delete the old image file.  From an enable prompt type this command:

delete <old firmware file location>:<old firmware file name>.bin

You should have the file name and location from the output of the ‘show ver’ command that was done to find the firmware version initially.
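
The image change above is a sequence of read-this-output, type-that-command steps, which is where typos in long file names creep in.  The Python below is an added example (not from the original post) that derives the boot statement changes from captured show version and show run | in boot system output, queues the old image for deletion after the reload, and checks a downloaded image against the MD5 that Cisco publishes for it.  The sample outputs and file names are constructed to resemble ISR 4300 output, not copied from a router.

```python
"""Plan an IOS XE image change from captured CLI output, and check the image
against the hash Cisco publishes before it goes onto the router.

Added example, not part of the original post.  It mirrors the manual steps:
read the running version and system image from 'show version', turn every
existing 'boot system' line from 'show run | in boot system' into its 'no'
form, add the new boot statement, and queue the old image for deletion after
the reload.  The sample outputs and the image file names are constructed to
look like ISR 4300 output; the expected MD5 comes from the Cisco download
page in real use.
"""
import hashlib
import hmac
import re

_VERSION_RE = re.compile(r"Cisco IOS XE Software, Version (\S+)")
_IMAGE_RE = re.compile(r'System image file is "([^"]+)"')


def parse_show_version(text):
    """Return (version, system_image) from 'show version' output."""
    ver, img = _VERSION_RE.search(text), _IMAGE_RE.search(text)
    if not ver or not img:
        raise ValueError("version or system image line not found")
    return ver.group(1), img.group(1)


def plan_boot_change(show_run_boot, new_image):
    """Config-mode lines that leave exactly one 'boot system' statement.

    Every existing statement is negated verbatim, so the plan itself records
    what was configured before the change.
    """
    lines = ["no " + ln.strip() for ln in show_run_boot.splitlines()
             if ln.strip().startswith("boot system ")]
    lines.append(f"boot system {new_image}")
    return lines


def upgrade_plan(show_version, show_run_boot, new_image):
    """Everything needed for the change, keyed by when it is applied."""
    version, current_image = parse_show_version(show_version)
    after = [] if current_image == new_image else [f"delete {current_image}"]
    return {
        "current_version": version,
        "current_image": current_image,
        "config": plan_boot_change(show_run_boot, new_image),
        "after_reload": after,
    }


def image_matches_published_md5(image_bytes, published_md5):
    """Compare the downloaded image with the MD5 shown on the download page.

    'verify bootflash:file' only checks the checksum embedded in the image;
    this (or 'verify /md5 bootflash:file <hash>' on the router) ties the file
    to what Cisco published.  hmac.compare_digest is a constant-time compare,
    harmless here but the right habit for any digest check.
    """
    digest = hashlib.md5(image_bytes).hexdigest()
    return hmac.compare_digest(digest, published_md5.strip().lower())


# Constructed sample output (not captured from a real router).
SHOW_VERSION = """\
Cisco IOS XE Software, Version 03.13.00.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S, RELEASE SOFTWARE (fc1)
ROM: IOS-XE ROMMON
router uptime is 2 days, 3 hours, 14 minutes
System image file is "bootflash:isr4300-universalk9.03.13.00.S.154-3.S-ext.SPA.bin"
"""
SHOW_RUN_BOOT = "boot system bootflash:isr4300-universalk9.03.13.00.S.154-3.S-ext.SPA.bin\n"
NEW_IMAGE = "bootflash:isr4300-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin"

if __name__ == "__main__":
    plan = upgrade_plan(SHOW_VERSION, SHOW_RUN_BOOT, NEW_IMAGE)
    print(f"running {plan['current_version']} from {plan['current_image']}")
    print("\n".join(plan["config"]))
    print("after reload:", plan["after_reload"])
```

Paste the captured output into SHOW_VERSION and SHOW_RUN_BOOT, set NEW_IMAGE to the file you copied to bootflash, and the config lines it prints are the ones to enter before saving and reloading; the delete command is only for after the new image has booted and ‘show ver’ confirms it.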

Now, one very important note.  If this is being done in a lab with private IP addresses there can be a problem caused by the AutoSecure script.  AutoSecure asks whether each interface is Internet facing, and on the interfaces you mark that way it applies anti-spoofing controls: an ingress ACL that drops packets with private and reserved source addresses, and strict unicast reverse path forwarding (ip verify unicast source reachable-via rx), which drops any packet whose source address is not routed back out the interface it arrived on.  Since I’m using private IPs to create a virtual internet the auto secure script caused major problems since it effectively dropped all traffic.  To check if this could be a problem run this:

show run interface gi0/0/X

In the command replace “X” with the interface that might be Internet facing.  If the line “ip verify unicast source reachable-via rx” is present in the config it will cause issues; also look for an ip access-group applied inbound by AutoSecure.  To remove the uRPF check go to a config prompt, then the interface in question, and run this command:

no ip verify unicast source reachable-via rx

The Cisco guide for the ISR initial config can be found here: http://www.cisco.com/c/en/us/td/docs/routers/access/4400/hardware/installation/guide4400-4300/C4400_isr/initconfig.html#45656

Firmware update guide: https://supportforums.cisco.com/document/98421/how-upgrade-or-downgrade-ios-isr-or-similar-router

Cisco Prime Infrastructure VM error – INIT: Id "S0" respawning too fast: disabled for 5 minutes

If you run Cisco Prime there’s a chance you’ve seen the error “INIT: Id "S0" respawning too fast: disabled for 5 minutes” come up on the console.  If not, this is what it looks like:

INIT: Id "S0" respawning too fast: disabled for 5 minutes

It doesn’t seem to cause any issues other than noise on the console screen, but that’s too much annoyance for me.  It seems there’s an easy fix.

  1. Shut down the Prime VM
  2. In VMware go into the VM settings
  3. Add a serial port (I set it to output to a .txt file in the VM’s folder)
  4. Restart the VM.

It seems that this is an issue with the serial port not being seen when expected.  You could also attempt to remove the serial interface from the OS, but I thought adding it to the VM was much easier.

Cisco ISR Project – Cisco Prime Infrastructure deployment (4 of ?)

After the OVA is deployed it’s time to set up Cisco Prime.  Prime will be the monitoring and management software for the IWAN deployment, so it’s a logical place to start.

Before starting the process, we will fix an issue discussed in my post here: https://www.mytechgnome.com/2016/02/cisco-prime-infrastructure-vm-error.html

Edit the settings of the VM and add a serial port.  (I just set it to output to a .txt file in the VM’s folder)

Time to power up the VM and connect to the console.

Prime Setup

To begin the setup, type “setup”

Prime config

Then you will get a series of prompts to configure the device.  Most are self-explanatory, except the timezone.  Cisco has a list of accepted timezone names, which can be found here: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-0/user/guide/pi_ug/timezones.html  It’s also worth noting that the ‘admin’ account entered here is for CLI access.  A web user is added later.

Prime config

The setup process will enable the network interface and run a few tests.  After that you will receive a notification that the install completed and it will ask if this is for an HA node.  I’m not setting up an HA node, so I entered “no” and continued on.

Prime Config

The default admin account on the web interface is ‘root’ so here you set the password.  After that you’ll get a prompt confirming that all is well.  After confirmation the server will finish the setup script and reboot.  This process takes a while, like 10-15 minutes.

While this is working, it would be a good opportunity to get the license key for Prime downloaded, as well as the patches and tech pack.  There is a bug in the licensing that will report the license is invalid (https://tools.cisco.com/bugsearch/bug/CSCuw89435).

The patches and tech pack can be found here: https://software.cisco.com/download/release.html?mdfid=286285348&flowid=76142&softwareid=284272933&release=3.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest (note that they need to be installed in order – 3.0.2, tech pack, 3.0.2 update 2)

The device pack can be found here: https://software.cisco.com/download/release.html?mdfid=286285348&flowid=76142&softwareid=286208063&release=3.0.3&relind=AVAILABLE&rellifecycle=&reltype=latest

When the Prime startup is complete you should be able to access it from a web browser.

Prime web UI login

Remember that the login name is ‘root’ and the password is what you set for the root account, not the admin account.

After logging in you will see an icon in the top left to open a menu.  Click that, then Administration > Software Update.

Prime Menu

In the Software Update window there is a link to upload files.  Click that, browse to the update you want, and then upload it.

Prime Software Update

After the file is uploaded you will have an Install button next to the file.  Click Install and it will confirm the install and inform you if a reboot is required.

If a reboot is required go back to console of the Prime VM and log in.  To restart Prime there are two commands needed:

ncs stop

ncs start 

And the link to the Cisco document on restarting Prime: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-2/administrator/guide/PIAdminBook/maint_sys_health.html#pgfId-1088333

The restart will of course take about 10 minutes, and you will need to do it multiple times to get the patches installed.

When all the patches are installed the license(s) can be installed.  However, before starting that, grab the UDI of the VM.  Click the menu button in the top left, then Administration > Appliance.

Prime Appliance settings

The UDI is in the right column, in the middle.  You will want to make note of the product ID and serial number.  Those may be needed to license a PAK.

After downloading the licenses from the PAK registrations (they may be in .zip files, and if so, they need to be extracted) the keys can be installed.  Again, open the menu at the top left, then Administration > Licenses.

Prime Appliance settings

To load a license click Files > License Files on the left side.  Then click Add and browse to the license file (it should be a .lic file).  Repeat those steps to install all the Prime licenses.

That will get Prime installed, patched, and on the network.  Adding devices into Prime will be covered later.

Cisco ISR Project – Deploying the OVAs (3 of ?)

The next stage of the process is relatively straightforward: deploying the OVAs for the virtual appliances.

First and foremost are the resource requirements.  Each OVA will be unpacked into a VM in the environment, so we need to make sure there are sufficient resources.

| Name | vCPU | GB vRAM | GB Disk (thin) | GB Disk (thick) | Notes |
|---|---|---|---|---|---|
| vCM 100 | 2 | 2 | 1.6 | 254 | |
| vWAAS 2500 | 4 | 8 | 1.5 | 754 | |
| vNAM | 2 | 4 | n/a | 100 | Thin not available |
| LiveAction | 4 | 16 | n/a | 230 | Thin not available |
| Prime Infrastructure – Express | 4 | 12 | TBD | 300 | Thin TBD |
| Prime Infrastructure – Express-Plus | 8 | 16 | TBD | 600 | Thin TBD |
| Prime Infrastructure – Standard | 16 | 16 | TBD | 900 | Thin TBD |
| Prime Infrastructure – Professional | 16 | 24 | TBD | 1200 | Thin TBD |
| CSR 1000V – Small | 1 | 4 | 0.6 | 8.3 | |
| CSR 1000V – Medium | 2 | 4 | 0.6 | 8.3 | |
| CSR 1000V – Large | 4 | 4 | 0.6 | 8.3 | |
| CSR 1000V – Large w/ DRAM upgrade | 4 | 8 | 0.6 | 8.3 | Requires DRAM SKU |

For Cisco Prime, the Scaling information can be found in the Quickstart guide here: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-0/quickstart/guide/cpi_qsg.html#pgfId-67786

For the OVA deployment it should be pretty self-explanatory.  From the vSphere client click File – Deploy OVF Template.

From the VMware vSphere Web Client select your cluster, then on the top bar click the Actions drop down and select Deploy OVF Template.

Now it’s just a matter of following the prompts based on the environment.  Find the OVA file, name the VM, set the appropriate host, network, and datastore, and the rest of the things the wizard asks for.

The CSR will prompt for a bunch of information for the setup.

CSR OVA properties

The PNSC and Intercloud settings can be left blank.  The rest depends on your environment.  I would recommend enabling SSH, so you will need to have a domain name configured for the key generation.

Cisco ISR project – Licensing (2 of ?)

After the hardware has been purchased comes what might be the most difficult part of the project – sorting out Cisco licenses.

Hopefully you’re well aware of the Cisco licensing and support process.  I’ll try and make this clear as mud…

First and foremost, you need a Cisco account.  If you don’t have one you can go here: https://tools.cisco.com/IDREG/guestRegistration.do?exit_url=https%253A%252F%252Fslogin.cisco.com%252Fwaa%252FauthJump.do&locale=en_US   Your account will need to be associated with the business you work for, so this can get more complicated.  If you get stuck, contact your reseller.

For reasons beyond me, Cisco likes to send out the cardboard mailers with the PAK licenses (and EULA, and paper license, and sometimes T&Cs on a CD…).  Sort through the material you receive and find everything that lists a PAK.  Also, be careful to actually look at each piece of paper, as sometimes there are specific instructions for product access.

To register a PAK you need to go to: https://tools.cisco.com/SWIFT/LicensingUI/Quickstart

Again, you’ll need to log in with a Cisco account.  When you are logged in you will be able to register the PAK.

You should be able to follow the instructions to register the PAK.  I would suggest waiting on actually generating licenses until you are ready to use the specific product.  Some require the SN or UDI of the device the license is applied to.  It’s easier to just do that when you are ready.  So, now the PAKs should be done.

But wait, there’s more!  You still need to register your support contract.

Log into your Cisco account, and at the top of the screen click “Account” then “Customer Profile Manager”.  (Note: the link at the bottom for Cisco Service Contract Center is very helpful.  It will show all the contracts and details that are linked to your account.)

Under your account you can add access to your Cisco contract.  Click the “Access” tab at the top and this will list your contracts and allow you to add more by clicking the “Add Access” button.

Typically, I just use the Full Support option, as that allows me to download software and open TAC cases for the products.

The next page can be difficult.  I use a Cisco reseller, so the Bill-to ID on my orders is for my reseller.  Usually, I just open a chat session and provide the agent with my Cisco SO# (it can be found on the packing slip, in the eDelivery e-mail, or it will be listed in the licensing page when you activate a PAK).  The agent then can find the specific contract number(s) to add.

After the contracts are added you should be able to download firmware for the hardware.

Here are the links for what I downloaded:

CSR 1000V

ISR 4331

ISR 4351

Prime

Prime vNAM

vWAAS

It seems that the vCM OVA isn’t downloadable, but media for that should be sent with the PAK.  The vCM can be upgraded by using the “Universal Binary Image”, which can be downloaded from the WAAS software location.

LiveAction

VMware vSphere

Cisco USB console driver (not needed, but it’s nice to have the USB console driver)

Cisco ISR project – IWAN, WAAS, UCS-E, Prime, and more (1 of ?)

This is the start of a series of posts about my adventures in getting a Cisco IWAN project deployed.

To start with, the new gear order was as follows:

  • HQ
    • Two Cisco ISR 4331 routers (Cisco ONE for WAN license)
      • One to terminate MPLS and one for Internet
    • Two CSR 1000V routers in an HA pair
    • Cisco WAAS virtual central manager (vCM)
    • Cisco WAAS virtual application engine (AE)
    • Cisco Prime VM
    • Cisco virtual network analysis module (vNAM)
    • LiveAction Pro
  • Site 1 (MPLS only)
    • Cisco ISR 4351 (Cisco ONE for WAN license)
    • UCS E-160D-M2 server
      • 64GB RAM
      • 3x 900GB drives in RAID 5
  • Site 2 (Dual connected)
    • Two Cisco ISR 4351 (Cisco ONE for WAN license)
    • Two UCS E-160D-M2 servers
      • 64GB RAM
      • 3x 900GB drives in RAID 5
  • Site 3 (VPN Only)
    • Cisco ISR 4351 (Cisco ONE for WAN license)
    • UCS E-160D-M2 server
      • 64GB RAM
      • 3x 900GB drives in RAID 5

For the remote sites, this will completely replace any routers, firewalls, servers, and/or WAN accelerators deployed.  From the HQ side this will augment the existing environment, as the current hardware still needs to support sites that aren’t migrating to the ISR solution yet.

IWAN topology

There were a few iterations of the design process.  I would recommend working with your Cisco partner to figure out what the best design would be for your environment.