Let's troubleshoot... We also do trainings. Check out our training page: https://asame2.blogspot.com/p/we-also-deliver-trainings.html

Featured Post

How to generate a CSR on Cisco ASA using CLI? CSR- (Certificate signing request)

First thing we need is an RSA key pair:   crypto key generate rsa label SSL-Key modulus 1024 noconfirm Create a trust-point crypto ca...


Wednesday, 23 December 2015

%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled


I don't understand why it has to be me every time to run into weird issues like this: I have a router and I disabled AM mode using the command: crypto isakmp aggressive-mode disable Well, then I see these logging messages and they don't stop: "%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled" I was just looking if there is a way I can disable...

Tuesday, 22 December 2015

Save password for Ipsec client on machine


How to save the password on a client machine for IPsec users? I ran into an issue where I needed to save the user password on the client machine for an IPsec user. I tried using ASDM, and once I apply the setting and come back and check, I find it's disabled. So for some reason ASDM wasn't...

Wednesday, 9 December 2015

How to disable IKE Aggressive Mode?


ASA is vulnerable because AM (aggressive) mode was enabled.   How to disable it?   First check if your ASA has any current tunnel using AM mode, if not then you can go ahead and disable it. crypto isakmp am-disabl...

Friday, 20 November 2015

Any-Connect not connecting with some of the tunnel groups, while working fine with others


I ran into an issue with my Any-Connect. I had a couple of tunnel groups and I upgraded my ASA from 8.6 to 9.2; after the upgrade Any-Connect stopped connecting with a few of the tunnel groups. Debugs were saying: Not calling vpn_remove_uauth: not IPv4!webvpn_svc_np_tear_down: no IPv6 ACL Any-Connect was giving this error: Failed to get configuration from secure gateway. Contact your system administrator. Here...

Ipsec over GRE : Tunnel protocol is down : Tunnel with Vlan interface


I have an IPSec over GRE tunnel between two routers (of course :) ). I had a physical interface limitation, so I could not assign an IP address to it. It is an L2 interface. So I created a VLAN, assigned an IP address to the VLAN, and then called the VLAN under the interface. Here is my configuration: After I configured this, I see the tunnel protocol status is DOWN crypto map mymap local-address...

Thursday, 19 November 2015

Packet capture on router


1. Define a 'capture buffer' with the specified name
   monitor capture buffer mycap size 2048 max-size 4000 circular
2. Specify access-list
   ip access-list ex mycap
   permit ip host permit ip host
   monitor capture buffer mycap filter access-list mycap
3. Defines a capture point
   monitor capture point ip cef cap fastEthernet 1/0 both
4. Attach capture point with the capture buffer specified.
   monitor...

Tuesday, 17 November 2015

How to disable syslogging on ASA?


I have an ASA and all the debugs are going to syslog. I need to quickly run debug icmp trace and check the results. How can I disable syslog temporarily? no logging debug-trace How to enable it back? logging debug-trace...

Saturday, 7 November 2015

Anyconnect 4.0 License Scheme


Failover: If you are using failover firewalls you can (but don't have to) use a 'shared license' model. This lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware. This requires an ASA to be set up as the 'license server'....