Wednesday 23 December 2015

%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled


I don't understand why it has to be me every time who runs into weird issues like this:

I have a router, and I disabled AM (aggressive) mode using the command: crypto isakmp aggressive-mode disable

Well, then I see these logging messages and they don't stop:

"%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled"


I was just looking to see whether there is a way to disable this message. Then I found this information:



The router checks for aggressive mode when initiating or responding to IKE requests. If you are getting this message, it means that some unauthorized remote peer keeps trying to initiate IPsec to this router. You can use an interface access-list to block these addresses. 'show crypto isakmp sa' will show you the incomplete session for such traffic, from which the IP address can be obtained.

You could also use the "logging discriminator" feature, available since 12.4(11). You should be able to use it to drop messages in the buffer as well as on the syslog server. Here is an example (not tested) for buffer logging:

1) Configure a discriminator:
        logging discriminator IKMP-AG mnemonics drops IKMP_AG_MODE_DISABLED
2) Apply it to logging buffer:
        logging buffered discriminator IKMP-AG 4096

"logging buffered discriminator IKMP-AG 4096" will set the logging buffer to 4096, which may not be what you want. Use what is configured on your router currently and add the discriminator to that line:

        show run | i logging buffered
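The quoted advice has two steps that are easy to get wrong by hand: picking the right peers out of 'show crypto isakmp sa' (only sessions that never reached QM_IDLE are failed negotiations) and turning them into access-list lines. The following Python script is an added example, not part of the blog post or any Cisco tool. It parses a constructed sample of the IOS "IPv4 Crypto ISAKMP SA" table (columns dst, src, state, conn-id, status), counts incomplete sessions per source address, skips any source that also has an established SA, and prints candidate ACL lines. The ACL name BLOCK-IKE-PROBES and the sample addresses are assumptions.

```python
"""List incomplete IKE phase 1 sessions from `show crypto isakmp sa`.

Added example (not from the blog post). The sample output is constructed
to match the IOS table layout; the peer addresses are documentation ranges.
"""
import re
from collections import Counter

# Constructed sample output, not captured from a real router.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.7    QM_IDLE           1001 ACTIVE
203.0.113.1     192.0.2.23      MM_NO_STATE          0 ACTIVE (deleted)
203.0.113.1     192.0.2.23      MM_NO_STATE          0 ACTIVE
203.0.113.1     192.0.2.99      AG_NO_STATE          0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# One data row: dst, src, state, conn-id, status (status may contain spaces).
ROW_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<status>.+?)$"
)

# QM_IDLE is the only state that means phase 1 completed; every MM_*/AG_*
# state is a negotiation that is still in progress or has failed.
ESTABLISHED_STATES = {"QM_IDLE"}


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            row = match.groupdict()
            row["conn_id"] = int(row["conn_id"])
            rows.append(row)
    return rows


def incomplete_peers(text, ignore=()):
    """Map source IP -> number of incomplete SAs.

    A source that also owns an established SA is left out, because a
    legitimate peer can show a transient MM_* row while it rekeys; addresses
    in `ignore` (known partners) are left out as well.
    """
    rows = parse_isakmp_sa(text)
    established = {r["src"] for r in rows if r["state"] in ESTABLISHED_STATES}
    counts = Counter(
        r["src"] for r in rows
        if r["state"] not in ESTABLISHED_STATES
        and r["src"] not in established
        and r["src"] not in ignore
    )
    return dict(counts)


def acl_lines(peers, acl_name="BLOCK-IKE-PROBES"):
    """Build an IOS extended ACL that drops IKE (UDP 500/4500) from the peers.

    The ACL name is an assumption; review the list before applying it on an
    interface, since a mistyped partner would lose its tunnel.
    """
    lines = [f"ip access-list extended {acl_name}"]
    for ip in sorted(peers):
        lines.append(f" deny udp host {ip} any eq isakmp")
        lines.append(f" deny udp host {ip} any eq non500-isakmp")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    peers = incomplete_peers(SAMPLE_OUTPUT)
    for ip, n in sorted(peers.items()):
        print(f"{ip}: {n} incomplete session(s)")
    print("\n".join(acl_lines(peers)))
```

Paste real 'show crypto isakmp sa' output in place of SAMPLE_OUTPUT, or feed it via stdin, and pass your known partner addresses in `ignore` so they never end up in the deny list; the "permit ip any any" at the end keeps the ACL from blocking anything else on the interface.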



Tuesday 22 December 2015

Save password for IPsec client on machine


How to save the password on the client machine for IPsec users?

I ran into an issue where I needed to save the user password on the client machine for an IPsec user. I tried using ASDM, and once I applied the setting and came back to check, I found it was disabled. So for some reason ASDM wasn't allowing me to enable it.

The option is available under the group policy:





So I did it using the CLI. I went into the group policy and made the change, and it worked.

      group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
        password-storage enable


Wednesday 9 December 2015

How to disable IKE Aggressive Mode?



The ASA is vulnerable because AM (aggressive) mode was enabled.

How to disable it?

First check whether your ASA has any current tunnel using AM mode; if not, you can go ahead and disable it:

crypto isakmp am-disable