Let's troubleshoot... We also do trainings .. Checkout our training page https://asame2.blogspot.com/p/we-also-deliver-trainings.html

Featured Post

How to generate a CSR (certificate signing request) on Cisco ASA using the CLI?

First thing we need is an RSA key pair:
crypto key generate rsa label SSL-Key modulus 1024 noconfirm
Create a trust-point:
crypto ca...

Wednesday, 9 November 2016

How to delete anyconnect cache?


I had a few XML profiles in my profile folder. I have deleted them all and restarted AnyConnect, but I still see the last connected name in AnyConnect. Shouldn't it be clean? So I then deleted the preferences.xml file from this location and restarted the AnyConnect service: ...

Thursday, 13 October 2016

ASA as a CA server:


sh crypto ca certificate
ASA as a CA server:
====================
1. The clock must be correct.
sh crypto mypubkey
Generate keys:
crypto key gen rsa label mykey modu 2048
crypto ca server
CA server name:
issuer-name cisco
subject name default CN=nameofthe CA, C=IN
Start the CA server:
no shutdown
It will ask for a passphrase: give any key here, then you will see "certificate server enabled".
crypto...

Thursday, 15 September 2016

Some users are unable to connect with anyconnect while others can : PUBLICPROXIES_ERROR_NO_INSTANCE


Hello there. So this time I ran into an issue where some users (Windows) were unable to connect with AnyConnect while others can. Sometimes uninstalling the AnyConnect software helped, sometimes not. They get the error message: "Failed to get configuration from secure gateway. Contact your system administrator". Luckily I picked up a DART bundle from a user PC and found the following: Invoked Function: ConnectIfc::TranslateStatusCode Return...

Some users are unable to connect with anyconnect while others can


Hello there. So this time I ran into an issue where some users (Windows) were unable to connect with AnyConnect while others can. Sometimes uninstalling the AnyConnect software helped, sometimes not. They get the error message: "Failed to get configuration from secure gateway. Contact your system administrator." Luckily I picked up a DART bundle from a user PC and found the following: Invoked Function: ConnectIfc::TranslateStatusCode Return...

Wednesday, 14 September 2016

How to check if ASA has Apex license installed or not?


Q. How to check if ASA has an Apex license installed or not?
A. Use the command: debug menu license 23
Q. I am not able to select "Match All" for DAP Policy > Endpoint > Device > MAC address > MATCH ALL. I am trying to match (!=) for multiple MAC addresses.
A. You will need to have "Advanced endpoint assessment" enable...

Thursday, 11 August 2016

Run a script when AnyConnect connects/disconnects


1. In the XML profile, Preferences Part 2 > Enable Scripting > uncheck "Enable post SBL option"
2. Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script
3. Import > add a name > Script runs when client disconnects > select platform Windows > upload the script from your local machine > Import Now > Apply
4. ...

Wednesday, 1 June 2016

Policy based NAT on router


Here is my requirement: I want to NAT the traffic coming from 10.2.2.0 0.0.0.255 going to 2.2.2.2. I want my source IP to change to the 192.168.2.0/24 subnet. How do I do that?
1. Create an access list to define your actual traffic:
ip access-list extended ACL1
permit ip 10.2.2.0 0.0.0.255 host 2.2.2.2
2. Create a route map and call this ACL:
route-map mymap permit 10
match ip...

Saturday, 30 April 2016

How to re-enable an aaa-server on ASA if it has failed?


How to verify the status of an aaa-server configured on ASA?
sh aaa-server
============================
Server Group:    TestServer
Protocol:        radius
Server Address:  10.60.2.6
Server port:     1645(authentication), 1646(accounting)
Server status:   FAILED, Server disabled
==============================
Failed servers only reactivate after all...

Thursday, 14 April 2016

User authentication fails with LDAP: what do the debugs look like?


This is how the debugs for LDAP user authentication will look:
ASA(host)# test aaa autho TEST host 192.168.1.4
Username: awesome\test
INFO: Attempting Authorization test to IP address <192.168.1.4> (timeout: 12 seconds)
[-2147483639] Session Start
[-2147483639] New request Session, context 0x00002aaad5771be0, reqType = Other
[-2147483639] Fiber started
[-2147483639] Creating LDAP context...

LDAP Admin bind failed debugs


This is how the debugs will look if the LDAP admin bind fails:
ASA(host)# test aaa autho TEST host 192.168.1.4
Username: raj
INFO: Attempting Authorization test to IP address <192.168.1.4> (timeout: 12 seconds)
[-2147483640] Session Start
[-2147483640] New request Session, context 0x00002aaad5771be0, reqType = Other
[-2147483640] Fiber started
[-2147483640] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483640]...

Wednesday, 30 March 2016

Anyconnect 4.x to use SHA 256


I want my AnyConnect to use SHA2 or SHA256 when it negotiates. How do I go about that? Answer: use the below ciphers:
ssl cipher tlsv1.2 custom "AES256-SHA256:AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA"
I...

Tuesday, 29 March 2016

How to boot ASA from/using TFTP


So you have an issue with your flash memory and the ASA is unable to pick the image from flash. It goes into a boot loop but never boots up. You can now boot using a TFTP server. IP address that you want to assign to the ASA: ADDRESS=10.197.222.100 IP...

Monday, 21 March 2016

Port forwarding on ASA


I need to access a resource from the outside world that is in my private network on port 5900, using the ASA's public IP.
object service port_vncservice tcp source eq 5900
!
nat (inside,outside) source static obj_192.168.1.11 interface destination...

Saturday, 27 February 2016

Packet capture on IOS XE


Specify the interface where you would like to take the capture:
monitor capture mycap interface <interface_name> both
What are the interested IPs:
monitor capture mycap match ipv4 host <IP> host <IP>
or you can apply captures for...

Wednesday, 10 February 2016

Tuesday, 9 February 2016

How to check which ports the ASA is listening on?


"show asp table sockets" will show you all the ports that an ASA is listening on.
TEST-ASA5505(config-webvpn)# sh asp table so
Protocol  Socket    Local Address              ...

How many address pools can be configured in a tunnel group or group policy?


A maximum of 6 address pools can be configured under a tunnel group or group policy. This is what happens when you try to call a 7th address pool.
Test-ASA(config-tunnel-general)# address-pool 7
ERROR: list full: only 6 address pools can be specified
For...

Sunday, 17 January 2016

What is Service?


...

Friday, 15 January 2016

EZVPN between ASAs


Server:
===========
Server configuration will be like a RAVPN configuration.
Phase 1 policy
Phase 2 policy
Create a pool
Create a split access list (extended)
Create a group policy
Create a tunnel group and call in the group policy
In the group policy attributes, put this additional command: nem enable
Create a dynamic map and then call the dynamic map in the crypto map
Enable the crypto map on the interface.
Client...

Wednesday, 13 January 2016

Could not connect to server: AnyConnect


Back once again! This time it's my AnyConnect. It gives me an error the moment I hit Connect: "Could not connect to server. Please verify Internet connectivity and server address". I am using AnyConnect 3.1.13015. When I try to connect I get an immediate error message as shown above. The debugs were saying:
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL
Luckily I had ...

Replay check failed on Cisco Router with IPsec


Hello again!!! You are absolutely right, I am back with another issue with VPN :( So this time, I have a router and have a VTI tunnel set up on it. I don't know how it all started, but I now see some logs on my router:
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=3625, sequence number=1281790
So I started to figure out what does...

Thursday, 7 January 2016

IPsec on router (with HSRP failover) doesn't work after failover


This made me really scratch my head! Here I am first trying to put up a picture of the scenario: This looks cool, what's the problem? Well, the problem is I have R1 and R2 running as HSRP peers. I have SLA monitoring going on to even check Internet connectivity, if...