Let's troubleshoot... We also deliver trainings; check out our training page: https://asame2.blogspot.com/p/we-also-deliver-trainings.html


Friday 20 November 2015

AnyConnect not connecting with some of the tunnel groups, while working fine with others


I ran into an issue with my AnyConnect.
I had a couple of tunnel groups and I upgraded my ASA from 8.6 to 9.2; after the upgrade, AnyConnect stopped connecting with a few of the tunnel groups.

Debugs were saying :
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL


AnyConnect was giving this error:

Failed to get configuration from secure gateway. Contact your system administrator.


Here is the link that helped:  https://supportforums.cisco.com/discussion/11792386/failed-get-configuration-secure-gateway-contact-your-system-administrator

What was I missing?
Somehow my XML profiles were missing from the ASA, but they were still referenced under group policies.
I removed them from those group policies.

show run webvpn will show what XML profiles you have.

How did I remove them from the group policies?

group-policy TEST attributes
 webvpn
  anyconnect profiles none


IPsec over GRE: tunnel protocol is down: tunnel with VLAN interface


I have an IPsec over GRE tunnel between two routers (of course :) ).

I had a physical interface limitation, so I could not assign an IP address to it; it is an L2 interface. So I created a VLAN, assigned an IP address to the VLAN and then called the VLAN under the interface.

Here is my configuration. After I configured this, I saw that the tunnel protocol status was DOWN:

crypto map mymap local-address FastEthernet0/0/0
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 110
!
interface Tunnel40
 bandwidth 2000
 ip address 10.10.10.10 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1380
 keepalive 10 3
 tunnel source FastEthernet0/0/0
 tunnel destination 2.2.2.2
 tunnel path-mtu-discovery
!
interface FastEthernet0/0/0
 switchport access vlan 1
 crypto map mymap
end


Here are the debugs:

Nov 18 15:52:48.276: IPSEC(validate_transform_proposal): invalid local address 213.163.150.250
Nov 18 15:52:48.276: ISAKMP:(0:196:HW:2): IPSec policy invalidated proposal
Nov 18 15:52:48.280: ISAKMP:(0:196:HW:2): phase 2 SA policy not acceptable! (local 213.163.150.250 remote 80.169.157.115)
Nov 18 15:52:48.280: ISAKMP: set new node -1071324651 to QM_IDLE
Nov 18 15:52:48.280: ISAKMP:(0:196:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1698541472, message ID = -1071324651


Solution:
=============

Here is the solution that fixed the issue. Removed this:

no crypto map mymap local-address FastEthernet0/0/0

interface Tunnel40
 no keepalive 10 3
 no tunnel source FastEthernet0/0/0
 tunnel source vlan1

Thursday 19 November 2015

Packet capture on router




1. Define a capture buffer with the specified name:
monitor capture buffer mycap size 2048 max-size 4000 circular

2. Specify an access-list that matches the traffic of interest (the host addresses are left blank here) and attach it to the buffer as a filter:
ip access-list ex mycap
permit ip host
permit ip host

monitor capture buffer mycap filter access-list mycap

3. Define a capture point:
monitor capture point ip cef cap fastEthernet 1/0 both

4. Associate the capture point with the capture buffer:
monitor capture point associate cap mycap

5. Enable the capture point to start capturing packet data:
monitor capture point start cap


Now the capture is enabled and collects the data matched by the ACL.

To disable the capture point and stop the packet capture process, use the following command:
monitor capture point stop cap

How to see the capture:
==============================
show monitor capture buffer all parameters

Send it to TFTP:
monitor capture buffer mycap export tftp://1.1.1.2/Capture.pcap


=================
All commands at once, just copy and paste:
=================
!
conf t
!
ip access-list ex mycap
permit ip host
permit ip host
!
exit
exit
!
monitor capture buffer mycap size 2048 max-size 4000 circular
!
monitor capture buffer mycap filter access-list mycap
!
monitor capture point ip cef cap fastEthernet 1/0 both
!
monitor capture point associate cap mycap
!
monitor capture point start cap
!
==========================================================

Saturday 7 November 2015

Anyconnect 4.0 License Scheme



Failover: If you are using failover firewalls you can (but don't have to) use a shared license model; this lets you purchase a bundle of Premium licenses and share them across multiple pieces of hardware. This requires an ASA to be set up as the license server. Before version 8.3 you needed to purchase licenses for both firewalls. From version 8.3 on, Cisco allows the licenses to be replicated between firewalls in a failover pair. The exception is Active/Active, where the licenses from both firewalls are aggregated and ALL are available, provided the total does not exceed the maximum for the hardware being used.

Prior to version 4, AnyConnect had the AnyConnect Essentials and Premium licensing scheme. The newer v4.x AnyConnect licenses come in one of three options:
  • Cisco AnyConnect Plus License (subscription based) - 1, 3 or 5 years
  • Cisco AnyConnect Plus Perpetual License (permanent, no subscription) - bought once, permanently
  • Cisco AnyConnect Apex License (subscription based) - 1, 3 or 5 years

The Plus Perpetual License, on the other hand, allows Cisco customers to purchase a one-time license; however, it costs significantly more than the subscription-based license.

We should also note that AnyConnect 4.0 is not licensed based on simultaneous connections (like the previous AnyConnect 3.x), but is now user-based. This means a user connecting via his smartphone and laptop simultaneously will only occupy a single license.

Cisco AnyConnect Secure Mobility Client 4.0 supports the following operating systems:
  • Windows 8.1 (32bit & 64Bit)
  • Windows 8 (32bit & 64Bit)
  • Windows 7 (32bit & 64Bit)
  • Linux Ubuntu 12.X 64Bit
  • Linux RedHat 6 64Bit
  • Mac OS X 10.10 – 10.8
Let’s take a look at each license feature and how the older AnyConnect Essentials and Premium licenses map to the newer AnyConnect Plus and Apex licenses:
AnyConnect Mobile is now integrated into the new AnyConnect Plus license.


How to assign an IP address on ASA 5505, and how to create a local pool for Inside on ASA 5505



Create the VLAN interface:

interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 no shut
 exit


Go to the physical interface and assign the VLAN using the switchport access command:

interface ethernet0/0
 switchport access vlan 1
 no shut

For the ASA 5505, the maximum number of DHCP client addresses varies depending on the license:
  • If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses.
  • If the limit is 50 hosts, the maximum available DHCP pool is 128 addresses.
  • If the number of hosts is unlimited, the maximum available DHCP pool is 256 addresses.

By default, the ASA 5505 ships with a 10-user license.

You can configure a DHCP server on each interface of the ASA. Each interface can have its own pool of addresses to draw from.

You cannot configure a DHCP client or DHCP relay services on an interface on which the server is enabled. DHCP clients must be directly connected to the interface on which the server is enabled.

show running-config dhcpd     (shows the current DHCP configuration)




Thursday 5 November 2015

AnyConnect gives error: Not calling vpn_remove_uauth: not IPv4! webvpn_svc_np_tear_down: no ACL


Error message when connecting with AnyConnect:
==============================================

Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no ACL
webvpn_svc_np_tear_down: no IPv6 ACL


So for me the issue was:

AnyConnect was trying to establish the connection with the default RA tunnel-group.
There was no IP pool called under it.

I then enabled tunnel-group-list under webvpn:

webvpn
 tunnel-group-list enable

and

tunnel-group Bangalore webvpn-attributes
 group-alias Bangalore enable


This resolved the issue.
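Both this post and the 20 November post above come down to the same class of mistake: a group-policy or tunnel-group referencing something that is not (or no longer) defined in the running-config. The script below is an added example, not from the blog or from Cisco, that parses a constructed `show running-config` excerpt and flags (a) group-policies whose `anyconnect profiles value` names a profile missing from the top-level `webvpn` section and (b) remote-access tunnel-groups with no `address-pool`; it only looks at tunnel-group level pools and ignores pools set via group-policy `address-pools`.

```python
import re

# Constructed sample of ASA 'show running-config' output (not from the blog).
SAMPLE_CONFIG = """\
webvpn
 anyconnect profiles CORP-PROFILE disk0:/corp.xml
group-policy TEST attributes
 webvpn
  anyconnect profiles value MISSING-PROFILE type user
group-policy CORP attributes
 webvpn
  anyconnect profiles value CORP-PROFILE type user
tunnel-group Bangalore type remote-access
tunnel-group Bangalore general-attributes
 address-pool VPN-POOL
"""

def parse_sections(config):
    """Map each top-level config line to its indented child lines (stripped)."""
    sections, header = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            header = line.strip()
            sections.setdefault(header, [])
        elif header:
            sections[header].append(line.strip())
    return sections

def find_undefined_profiles(config):
    """{group-policy: profile} for profiles referenced but not defined under 'webvpn'."""
    sections = parse_sections(config)
    defined = {m.group(1) for line in sections.get("webvpn", [])
               for m in [re.match(r"anyconnect profiles (\S+) \S+$", line)] if m}
    problems = {}
    for header, lines in sections.items():
        gp = re.match(r"group-policy (\S+) attributes$", header)
        for line in lines:
            ref = re.match(r"anyconnect profiles value (\S+)", line)
            if gp and ref and ref.group(1) not in defined:
                problems[gp.group(1)] = ref.group(1)
    return problems

def find_ra_groups_without_pool(config):
    """Remote-access tunnel-groups lacking an address-pool (group-policy pools ignored)."""
    sections = parse_sections(config)
    ra = {"DefaultRAGroup"} | {m.group(1) for h in sections  # DefaultRAGroup is always RA
          for m in [re.match(r"tunnel-group (\S+) type remote-access$", h)] if m}
    return sorted(g for g in ra if not any(l.startswith("address-pool ")
                  for l in sections.get(f"tunnel-group {g} general-attributes", [])))
```

On the sample, `find_undefined_profiles` reports TEST pointing at MISSING-PROFILE and `find_ra_groups_without_pool` reports DefaultRAGroup, the two conditions behind the "no ACL" / "Failed to get configuration" symptoms described in these posts.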