Let's troubleshoot... We also do trainings .. Checkout our training page https://asame2.blogspot.com/p/we-also-deliver-trainings.html

Wednesday 23 December 2015

%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled


I don't understand why it always has to be me who runs into weird issues like this:

I have a router on which I disabled IKE aggressive mode (AM) using the command: crypto isakmp aggressive-mode disable

Well, then I see these logging messages and they don't stop:

"%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled"


I was just looking for a way to suppress this message. Then I found this information:



The router checks for aggressive mode when initiating or responding to IKE requests. If you are getting this message, it means that some unauthorized remote peer
keeps trying to initiate IPsec to this router. You can use an interface access-list to block these addresses. 'show crypto isakmp sa' will show you the incomplete session for such traffic, from which the IP address can be obtained.
 
You could also use the "logging discriminator" feature, available since 12.4(11). You should be able to use it to drop messages in the buffer as well as on the syslog server. Here is an example (not tested) for buffer logging:
 
1) Configure a discriminator:
        logging discriminator IKMP-AG mnemonics drops IKMP_AG_MODE_DISABLED
2) Apply it to the logging buffer:
        logging buffered discriminator IKMP-AG 4096
 
"logging buffered discriminator IKMP-AG 4096" will set the logging buffer to 4096, which may not be what you want; use what is configured on your router currently, and add the discriminator to that line:
 
        show run | i logging buffered
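As an added check (example code, not part of the post or the quoted advice): a small Python script that parses `show crypto isakmp sa` output, lists sources with incomplete ISAKMP sessions that are not in your known-peer list, and renders the inbound ACL lines that drop their IKE traffic. The show output is constructed, and the known-peer set and ACL name are assumptions.

```python
import re

# Constructed sample of 'show crypto isakmp sa' output (not from the post).
# AG_* states are aggressive-mode exchanges that never completed; QM_IDLE is
# an established phase 1 SA.
SAMPLE_SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.1    203.0.113.7     AG_NO_STATE       1001 ACTIVE
198.51.100.1    192.0.2.20      QM_IDLE           1002 ACTIVE
198.51.100.1    203.0.113.9     MM_NO_STATE       1003 ACTIVE
198.51.100.1    203.0.113.7     AG_NO_STATE       1004 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Assumed: the peers you configured with 'set peer' in your crypto map.
KNOWN_PEERS = {"192.0.2.20"}

# dst, src, state, conn-id (digits only, so the header row is skipped), status
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def incomplete_sessions(show_output, known_peers=KNOWN_PEERS):
    """Return {src_ip: set(states)} for ISAKMP SAs that are neither
    established (QM_IDLE) nor from a known peer, i.e. the unsolicited IKE
    attempts the IKMP_AG_MODE_DISABLED message is complaining about."""
    suspects = {}
    for line in show_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, header or blank line
        _dst, src, state, _conn_id, _status = m.groups()
        if state == "QM_IDLE" or src in known_peers:
            continue
        suspects.setdefault(src, set()).add(state)
    return suspects


def acl_lines(suspects, acl_name="BLOCK-IKE-PROBES"):
    """Render an IOS extended ACL (name assumed) dropping IKE (UDP 500) and
    NAT-T (UDP 4500) from each suspect source; apply it inbound on the
    outside interface and merge it with the permits you already need."""
    lines = [f"ip access-list extended {acl_name}"]
    for src in sorted(suspects):
        lines.append(f" deny udp host {src} any eq isakmp")
        lines.append(f" deny udp host {src} any eq 4500")
    lines.append(" permit ip any any")
    return lines
```

Feed it the real show output and your own peer list; sources that show up repeatedly in AG_* states are the ones generating the syslog message.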



Tuesday 22 December 2015

Save password for IPsec client on machine


How to save the password on the client machine for IPsec users?

I ran into an issue where I needed to save the user password on the client machine for an IPsec user. I tried using ASDM, and once I applied the setting and came back to check, I found it was disabled. So for some reason ASDM wasn't allowing me to enable it.

The option is available under group policy:





So I did it using the CLI. I went into the group policy, made the change, and it worked.

      group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
        password-storage enable


Wednesday 9 December 2015

How to disable IKE Aggressive Mode?



The ASA is vulnerable because IKE aggressive mode (AM) was enabled.
 
How to disable it?
 
First check whether your ASA has any current tunnels using AM; if not, you can go ahead and disable it:
crypto isakmp am-disable

Friday 20 November 2015

AnyConnect not connecting with some of the tunnel groups, while working fine with others


I ran into an issue with my AnyConnect.
I had a couple of tunnel groups, and I upgraded my ASA from 8.6 to 9.2; after the upgrade AnyConnect stopped connecting with a few of the tunnel groups.

Debugs were saying :
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL


AnyConnect was giving this error:

Failed to get configuration from secure gateway. Contact your system administrator.


Here is the link that helped:  https://supportforums.cisco.com/discussion/11792386/failed-get-configuration-secure-gateway-contact-your-system-administrator

What was I missing?
Somehow my XML profiles were missing from the ASA, but they were still called under group policies.
I removed them from those group policies.

"show run webvpn" will show which XML profiles you have.

How did I remove them from group policies?
group-policy TEST attributes
webvpn
anyconnect profiles none
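As an added check (example code, not from the post): a Python script that reads an ASA running config, compares the profiles defined under the global webvpn section with those referenced under group policies, and renders the post's fix for each dangling reference. The config excerpt is constructed, and the regexes assume the 9.x "anyconnect profiles" syntax shown in it.

```python
import re

# Constructed ASA running-config excerpt (not the post's configuration): the
# global webvpn section defines CORP-PROFILE, but group-policy TEST still
# references OLD-PROFILE, which is no longer on the box.
SAMPLE_RUNNING_CONFIG = """\
webvpn
 anyconnect profiles CORP-PROFILE disk0:/corp_profile.xml
 anyconnect enable
group-policy GroupPolicy_CORP attributes
 webvpn
  anyconnect profiles value CORP-PROFILE type user
group-policy TEST attributes
 webvpn
  anyconnect profiles value OLD-PROFILE type user
group-policy NOPROFILE attributes
 webvpn
  anyconnect profiles none
"""

# Global definition: one leading space, name followed by a flash path.
DEFINED = re.compile(r"^ anyconnect profiles (\S+) \S+:/\S+$")
POLICY = re.compile(r"^group-policy (\S+) attributes$")
# Reference inside a group-policy's webvpn sub-mode.
REFERENCED = re.compile(r"^\s+anyconnect profiles value (\S+) type \S+$")


def dangling_profiles(config):
    """Return {group_policy: profile} for every profile a group-policy
    references that is not defined under the global webvpn section."""
    defined, refs, current = set(), {}, None
    for line in config.splitlines():
        m = DEFINED.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = POLICY.match(line)
        if m:
            current = m.group(1)
            continue
        m = REFERENCED.match(line)
        if m and current:
            refs[current] = m.group(1)
    return {gp: prof for gp, prof in refs.items() if prof not in defined}


def fix_commands(dangling):
    """Render the CLI from the post that detaches the missing profile."""
    cmds = []
    for gp in sorted(dangling):
        cmds += [f"group-policy {gp} attributes", " webvpn",
                 "  anyconnect profiles none"]
    return cmds
```

Run it over the output of "show running-config" after an upgrade; any group policy it reports is one whose AnyConnect clients will fail with the "Failed to get configuration from secure gateway" error until the reference is removed or the profile is re-uploaded.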

 

IPsec over GRE : Tunnel protocol is down : Tunnel with VLAN interface


I have an IPsec over GRE tunnel between two routers (of course :) )

I had a physical interface limitation, so I could not assign an IP address to it: it is an L2 interface. So I created a VLAN, assigned an IP address to the VLAN interface, and then called the VLAN under the physical interface.

Here is my configuration. After configuring this, I see the tunnel protocol status is DOWN:

crypto map mymap local-address FastEthernet0/0/0
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 110

interface Tunnel40
 bandwidth 2000
 ip address 10.10.10.10 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1380
 keepalive 10 3
 tunnel source FastEthernet0/0/0
 tunnel destination 2.2.2.2
 tunnel path-mtu-discovery
end

interface fa0/0/0
 switchport access vlan1
 crypto map mymap


Here are the debugs:

Nov 18 15:52:48.276: IPSEC(validate_transform_proposal): invalid local address 213.163.150.250
Nov 18 15:52:48.276: ISAKMP:(0:196:HW:2): IPSec policy invalidated proposal
Nov 18 15:52:48.280: ISAKMP:(0:196:HW:2): phase 2 SA policy not acceptable! (local 213.163.150.250 remote 80.169.157.115)
Nov 18 15:52:48.280: ISAKMP: set new node -1071324651 to QM_IDLE
Nov 18 15:52:48.280: ISAKMP:(0:196:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1698541472, message ID = -1071324651


Solution:
=============

Here is the solution that fixed the issue:
 Removed this line: crypto map mymap local-address FastEthernet0/0/0

interface Tunnel40
 no keepalive 10 3
 no tunnel source FastEthernet0/0/0
 tunnel source vlan1

Thursday 19 November 2015

Packet capture on router




1. Define a capture buffer with the specified name:
monitor capture buffer mycap size 2048 max-size 4000 circular

2. Specify an access-list that selects the traffic to capture, and attach it to the buffer as a filter:
ip access-list ex mycap
permit ip host
permit ip host


monitor capture buffer mycap filter access-list mycap

3. Define a capture point:
monitor capture point ip cef cap fastEthernet 1/0 both

4. Associate the capture point with the capture buffer:
monitor capture point associate cap mycap

5. Enable the capture point to start capturing packet data:
monitor capture point start cap



Now the capture is enabled and collects the traffic matched by the ACL.

To disable the capture point and stop the packet data capture process, use the following command:
monitor capture point stop cap

How to see the capture:
==============================
show monitor capture buffer all parameters

Send it to TFTP :
monitor capture mycap export tftp://1.1.1.2//Capture.pcap 


=================
All commands at once, just copy and paste:
=================
!
conf t
!
ip access-list ex mycap
permit ip host
permit ip host
!
exit
exit
!
monitor capture buffer mycap size 2048 max-size 4000 circular
    
monitor capture buffer mycap filter access-list mycap
 
monitor capture point ip cef cap fastEthernet 1/0 both 
!
monitor capture point associate cap mycap
!
monitor capture point start cap
!
==========================================================

Saturday 7 November 2015

Anyconnect 4.0 License Scheme



Failover: If you are using failover firewalls you can (but don't have to) use a 'shared license' model, which lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware. This requires an ASA to be set up as the 'license server'. Before version 8.3 you needed to purchase licenses for both firewalls. After version 8.3, Cisco allowed the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the number of licenses is aggregated from both firewalls and ALL are available, provided the figure does not exceed the maximum for the hardware being used.
Prior to version 4, AnyConnect had the AnyConnect Essentials and Premium licensing scheme. The newer v4.x AnyConnect licenses now come in one of three options:
  • Cisco AnyConnect Plus License (subscription based) - 1, 3 or 5 years
  • Cisco AnyConnect Plus Perpetual License (permanent, no subscription) - bought once, valid permanently
  • Cisco AnyConnect Apex License (subscription based) - 1, 3 or 5 years

The Plus Perpetual License on the other hand allows Cisco customers to purchase a one-time license, however the license costs significantly higher than the subscription-based license.

We should also note that AnyConnect 4.0 is not licensed based on simultaneous connections (like the previous AnyConnect 3.x), but is now user-based. This means a user connecting via his smartphone and laptop simultaneously will only occupy a single license.

Cisco AnyConnect Secure Mobility Client 4.0 supports the following operating systems:
  • Windows 8.1 (32bit & 64Bit)
  • Windows 8 (32bit & 64Bit)
  • Windows 7 (32bit & 64Bit)
  • Linux Ubuntu 12.X 64Bit
  • Linux RedHat 6 64Bit
  • Mac OS X 10.10 – 10.8
Let’s take a look at each license feature and how the older AnyConnect Essentials and Premium licenses map to the newer AnyConnect Plus and Apex licenses:
AnyConnect Mobile is now integrated into the new AnyConnect Plus license.