Let's troubleshoot... We also deliver trainings. Check out our training page: https://asame2.blogspot.com/p/we-also-deliver-trainings.html


Wednesday 9 November 2016

How to delete the AnyConnect cache?


I had a few XML profiles in my profile folder. I deleted them all and restarted AnyConnect, but I still see the last connected name in AnyConnect. Shouldn't it be clean?

So I then deleted the preferences.xml file from this location and restarted the AnyConnect service:

C:\Users\<username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client

 That did the trick!

Download a batch file to do this:

https://drive.google.com/file/d/0B5l3rOLgYvw4QTVYSnh6SVlLV1E/view?usp=sharing&resourcekey=0-GGOunpyw-z7H-r7ZB_cuMw
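The same cleanup as a script you can read before you run it, added here as an example; it is not the batch file linked above. It assumes the AnyConnect agent runs as the Windows service "vpnagent" and that preferences.xml under the directory named in the post is the only file that needs to go, neither of which the post states explicitly.

```python
"""Clear the AnyConnect connection cache on Windows.

Added example for this post; it is not the batch file linked above.
Assumptions not stated on the page: the AnyConnect agent runs as the
Windows service "vpnagent", and preferences.xml is the only cached file
that needs to go (the post found that removing it was enough).
"""
import os
import subprocess
from pathlib import Path

# Directory named in the post, resolved for the current user.
ANYCONNECT_DIR = (
    Path(os.environ.get("LOCALAPPDATA", ""))
    / "Cisco" / "Cisco AnyConnect Secure Mobility Client"
)
CACHE_FILES = ("preferences.xml",)  # last connected gateway/user are cached here


def clear_anyconnect_cache(anyconnect_dir=ANYCONNECT_DIR):
    """Delete the cached preference files and return the paths removed.

    Returning the list instead of printing lets a caller log or verify what
    was removed; an empty list means there was nothing left to clean.
    """
    removed = []
    for name in CACHE_FILES:
        target = Path(anyconnect_dir) / name
        if target.is_file():
            target.unlink()
            removed.append(str(target))
    return removed


def service(action, name="vpnagent"):
    """Run 'net stop|start <service>' (stock Windows SCM CLI; needs an elevated
    prompt). Stopping an already stopped service is not treated as an error."""
    return subprocess.run(["net", action, name], check=(action == "start")).returncode


if __name__ == "__main__":
    # Stop the agent first so the file is not in use while it is deleted,
    # then start it again so it comes up without the old cache.
    service("stop")
    print("removed:", clear_anyconnect_cache())
    service("start")
```

Run it from an elevated prompt; the function takes the directory as a parameter so the deletion logic can be exercised against a scratch folder first.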

Thursday 13 October 2016

ASA as a CA server:
====================

Before you start:

1. The clock must be correct; certificate validity dates are taken from it. Check with: show clock
2. Check which key pairs already exist: show crypto key mypubkey rsa

Generate keys:

crypto key generate rsa label mykey modulus 2048

Enter CA server configuration mode and name the CA:

crypto ca server
 issuer-name CN=cisco
 subject-name-default CN=<name of the CA>,C=IN

Start the CA server:

 no shutdown

It will ask for a passphrase. Do not treat it as a throwaway: the ASA uses it to protect the archived CA certificate and key pair, and you need it again to restore the CA, so record it somewhere safe.

You will then see a message that the certificate server is enabled.

Add a user to the CA user database:

crypto ca server user-db add mitin

Allow the user to enroll and display the one-time password (OTP):

crypto ca server user-db allow mitin display-otp

It displays an OTP; give that OTP to the user. The user then goes to the enrollment URL on the ASA:

https://<ASA-IP>/+CSCOCA+/login.html

for example:

https://10.197.222.122/+CSCOCA+/login.html
https://172.16.0.22/+CSCOCA+/enroll.html

The user enters the username and the OTP, and the certificate is downloaded; the user is prompted for a passphrase to protect the downloaded file.

Verify on the ASA:

show crypto ca certificate

clear configure crypto ca server : clears the CA server configuration.
Whenever we shut down the CA server it also deletes the user database, so be careful here.

Via ASDM: Local Certificate Authority > Manage User Database > Allow Enrollment.

As soon as we enable the CA server, we can see a CA certificate on the firewall where "issued by" and "issued to" are the same. This is the self-signed root certificate of the CA.






===========================================================
How to add a certificate using the CLI:

Generate CSR:
===============
Generate a key pair: crypto key generate rsa label mykey modulus 2048

crypto ca trustpoint ca
 enrollment terminal  : manual enrollment; the CSR is printed to the terminal and the certificates are pasted back in as text
 enrollment self      : the alternative; generates a self-signed certificate instead of a CSR
 keypair mykey        : tell the trustpoint which key pair to use
 fqdn none            : remove the FQDN from the request
 subject-name CN=asa.cisco.com

crypto ca enroll ca          (ca = the trustpoint name)
Include the device serial number in the subject name? No

This generates the CSR (a PEM block between BEGIN/END CERTIFICATE REQUEST). Copy it and send it to the CA.

The CA may hand the certificates back DER (binary) or Base64 (PEM) encoded. Terminal enrollment needs Base64 text, so convert a DER file first (for example: openssl x509 -inform der -in cert.cer -out cert.pem).

There are only three trustpoint operations:
crypto ca authenticate ca           ---> imports the root CA certificate (do this before the ID cert)
crypto ca import ca certificate     ---> imports the identity (ID) certificate issued for the CSR
crypto ca enroll ca                 ---> generates the CSR
For the two import commands, paste the Base64 text at the prompt and end with:
quit

If the import fails, debug with:
debug crypto ca messages 255

If the cert was generated with SHA-256 and we are trying to import it on older code (8.0, 8.2), it will give an error.

==========================================================

SCEP : Simple Certificate Enrollment Protocol
It is an automatic enrollment procedure: we can configure the ASA to obtain a certificate automatically. The ASA is configured as a SCEP client and sends the request to your CA server (here a Microsoft CA with the NDES/mscep role).

SCEP URL of the Microsoft CA: http://10.197.222.221/certsrv/mscep/mscep.dll
ASA as SCEP client:
crypto ca trustpoint ca
 enrollment url http://<ip>/certsrv/mscep/mscep.dll
 subject-name CN=ASAme2
 exit
crypto ca authenticate ca
This automatically downloads the root CA certificate. The ASA prints its fingerprint and asks whether to accept it; compare it with the fingerprint published by the CA before answering yes, because the download itself is plain HTTP and this step is what establishes trust.

crypto ca enroll ca
This requests the certificate from the CA using SCEP (if the CA requires a challenge password, the ASA prompts for it). crypto ca import ca certificate is the manual counterpart used to paste a certificate that came back from a terminal enrollment; with an enrollment URL configured, use crypto ca enroll.

show crypto ca certificate --> shows the ID certificate that we have received.

CA server used in this test: 10.77.178.91





Thursday 15 September 2016

Some users are unable to connect with AnyConnect while others can : PUBLICPROXIES_ERROR_NO_INSTANCE


Hello there,

So this time I ran into an issue where some users (Windows) were unable to connect with AnyConnect while others could. Sometimes uninstalling the AnyConnect software helped, sometimes not.

They get the error message: Failed to get configuration from secure gateway. Contact your system administrator

Luckily I picked up a DART bundle from a user PC and found the following:

Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -32899061 (0xFE0A000B)
TEST_TG: PUBLICPROXIES_ERROR_NO_INSTANCE
Connection attempt failed. Please try again


This led me to these two Windows updates:
KB3161949 and KB3160005

After I uninstalled these two Windows updates, everything worked fine.

I hope this helps you :)

-
Raj


Wednesday 14 September 2016

How to check if the ASA has the Apex license installed or not?



Q. How to check if the ASA has the Apex license installed or not?

A. Use the command: debug menu license 23

Q. I am not able to select "Match All" for a DAP policy (Endpoint > Device > MAC address > Match All). I am trying to match (!=) multiple MAC addresses.
A. You will need to have "Advanced Endpoint Assessment" enabled.

Thursday 11 August 2016

Run a script when AnyConnect connects/disconnects


1. In the XML profile: Preferences (Part 2) > Enable Scripting. Uncheck "Enable Post SBL On Connect Script" unless the script must also run after a Start Before Logon connection.
2. ASDM: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script
3. Import > give it a name > choose "Script runs when client disconnects" (or "connects") > select platform Windows > upload the script from your local machine > Import Now > Apply
4. Refresh ASDM and make sure all settings are applied correctly. Check the XML profile on the client and make sure the script file is present.

Wednesday 1 June 2016

Policy-based NAT on a router


Here is my requirement:

I want to NAT the traffic coming from 10.2.2.0 0.0.0.255 going to 2.2.2.2.

I want my source IP to change to an address in the 192.168.2.0/24 subnet. How do I do that?

1. Create an access list to define the interesting traffic:
ip access-list extended ACL1
 permit ip 10.2.2.0 0.0.0.255 host 2.2.2.2

2. Create a route map and call this ACL:
route-map mymap permit 10
 match ip address ACL1

3. Now create a pool for the translated range:
ip nat pool NAT1 192.168.2.1 192.168.2.254 prefix-length 24

4. Create your NAT statement:
ip nat inside source route-map mymap pool NAT1

The interfaces still need ip nat inside (LAN side) and ip nat outside (towards 2.2.2.2), otherwise the rule never fires. Traffic from 10.2.2.0/24 to any other destination is not matched by ACL1 and leaves untranslated; without overload, each inside host gets its own pool address and translation fails once the 254 addresses are used up.
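To check what that rule actually does to a given flow before it goes on a router, here is a small model of the decision, added as an example (it is not IOS code). It implements IOS wildcard-mask matching and the route-map gate using the ACL and pool from this post; the pool behaviour (lowest free address, one address per inside host, None when exhausted) is an assumption of the model.

```python
"""Model of the policy-based NAT above: which flows get translated, and to what.

Added example, not IOS code. It reproduces the decision the router makes
with ACL1, route-map mymap and pool NAT1 from this post, so the rule can be
sanity-checked before it goes on a box. Assumptions: the pool hands out the
lowest free address and, as in IOS without 'overload', one address per
inside host; exhaustion returns None (IOS drops the packet).
"""
import ipaddress


def _i(addr):
    return int(ipaddress.ip_address(addr))


class ExtendedAcl:
    """Subset of 'ip access-list extended': permit ip <net> <wildcard> host <dst>."""

    def __init__(self, entries):
        self.entries = entries  # [(src_net, src_wildcard, dst_host), ...]

    def permits(self, src, dst):
        for net, wildcard, dst_host in self.entries:
            # IOS wildcard mask: a 0 bit must match, a 1 bit is ignored.
            src_match = (_i(src) | _i(wildcard)) == (_i(net) | _i(wildcard))
            if src_match and _i(dst) == _i(dst_host):
                return True
        return False  # implicit deny at the end of every ACL


class PolicyNat:
    """'ip nat inside source route-map <map> pool <pool>': translate only flows
    that the route-map's ACL permits; every other flow leaves untouched."""

    def __init__(self, acl, pool_start, pool_end):
        self.acl = acl
        self.free = [str(ipaddress.ip_address(n))
                     for n in range(_i(pool_start), _i(pool_end) + 1)]
        self.bindings = {}  # inside host -> pool address, sticky per host

    def translate(self, src, dst):
        """Source address as seen on the outside interface, or None when the
        flow matched but the pool is exhausted."""
        if not self.acl.permits(src, dst):
            return src  # route-map did not match: no NAT
        if src not in self.bindings:
            if not self.free:
                return None
            self.bindings[src] = self.free.pop(0)
        return self.bindings[src]


# The post's configuration:
#   ip access-list extended ACL1 / permit ip 10.2.2.0 0.0.0.255 host 2.2.2.2
#   ip nat pool NAT1 192.168.2.1 192.168.2.254 prefix-length 24
ACL1 = ExtendedAcl([("10.2.2.0", "0.0.0.255", "2.2.2.2")])


def build_nat1():
    return PolicyNat(ACL1, "192.168.2.1", "192.168.2.254")


if __name__ == "__main__":
    nat = build_nat1()
    for src, dst in [("10.2.2.10", "2.2.2.2"), ("10.2.2.10", "8.8.8.8"),
                     ("10.2.3.10", "2.2.2.2")]:
        print(f"{src} -> {dst}: source becomes {nat.translate(src, dst)}")
```

The three sample flows show the three outcomes: a match gets a pool address, a different destination leaves untranslated, and a source outside 10.2.2.0/24 is never touched.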

Saturday 30 April 2016

How to re-enable an aaa-server on the ASA if it has failed?


How to verify the status of an aaa-server configured on the ASA?

show aaa-server
============================
Server Group:    Test
Server Protocol: radius
Server Address:  10.60.2.6
Server port:     1645(authentication), 1646(accounting)
Server status:   FAILED, Server disabled
 ==============================
With the default reactivation-mode depletion, failed servers only reactivate after all of the servers in the group have failed (the ASA then reactivates the whole group). reactivation-mode timed retries a failed server after 30 seconds instead.

If the server is now available, test ping from the ASA. Then we can enable it with the following command:

aaa-server Test active host 10.60.2.6

If you want to mark an aaa-server as failed (to take it out of service), use the following:
 aaa-server Test fail host 10.60.2.6
 
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1558160
 

Thursday 14 April 2016

User authentication fails with LDAP: what do the debugs look like?


This is how the debugs look when LDAP user authentication fails:

ASA(host)# test aaa-server authorization TEST host 192.168.1.4
Username: awesome\test
INFO: Attempting Authorization test to IP address <192.168.1.4> (timeout: 12 seconds)

[-2147483639] Session Start
[-2147483639] New request Session, context 0x00002aaad5771be0, reqType = Other
[-2147483639] Fiber started
[-2147483639] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483639] Connect to LDAP server: ldap://192.168.1.4:389, status = Successful
[-2147483639] supportedLDAPVersion: value = 3
[-2147483639] supportedLDAPVersion: value = 2
[-2147483639] Binding as awesome\aduser
[-2147483639] Performing Simple authentication for awesome\aduser to 192.168.1.4
[-2147483639] LDAP Search:
        Base DN = [DC=awesome,DC=ca]
        Filter  = [sAMAccountName=awesome\\test]
        Scope   = [SUBTREE]
[-2147483639] Search result parsing returned failure status
[-2147483639] Fiber exit Tx=259 bytes Rx=1023 bytes, status=-1
[-2147483639] Session End
ERROR: Authorization Rejected: Unspecified


The admin bind (Binding as awesome\aduser) succeeded; what failed is the search for the user. "Search result parsing returned failure status" means the search returned no matching entry, and the filter shows why: the username was typed with the domain prefix, so the ASA searched for sAMAccountName=awesome\test, which does not exist (enter just the sAMAccountName, test). The same status appears when the username genuinely does not exist. A wrong password looks different: the user is found, and the user's own bind then fails with "returned code (49) Invalid credentials".


LDAP admin bind failed: debugs


This is how the debugs look if the LDAP admin bind fails:

ASA(host)# test aaa-server authorization TEST host 192.168.1.4
Username: raj
INFO: Attempting Authorization test to IP address <192.168.1.4> (timeout: 12 seconds)

[-2147483640] Session Start
[-2147483640] New request Session, context 0x00002aaad5771be0, reqType = Other
[-2147483640] Fiber started
[-2147483640] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483640] Connect to LDAP server: ldap://192.168.1.4:389, status = Successful
[-2147483640] supportedLDAPVersion: value = 3
[-2147483640] supportedLDAPVersion: value = 2
[-2147483640] Binding as aduser
[-2147483640] Performing Simple authentication for aduser to 192.168.1.4
[-2147483640] Simple authentication for aduser returned code (49) Invalid credentials
[-2147483640] Failed to bind as administrator returned code (-1) Can't contact LDAP server

[-2147483640] Fiber exit Tx=205 bytes Rx=723 bytes, status=-2
[-2147483640] Session End
ERROR: Authorization Server not responding: AAA Server has been removed

Remember: if the admin bind fails it will clearly say "Failed to bind as administrator". The code (49) Invalid credentials on the line before it refers to the ldap-login-dn account, not to the user being tested, and the "AAA Server has been removed" at the end means the ASA has now marked the server as failed.

Below was the configuration during this test. Note that the ldap-login-dn sits in DC=norseman,DC=ca while the base DN is DC=awesome,DC=ca; a login DN in the wrong domain fails the simple bind exactly like a wrong password does.

aaa-server TEST (inside) host 192.168.1.4
 ldap-base-dn DC=awesome,DC=ca
 ldap-group-base-dn DC=awesome,DC=ca
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *******
 ldap-login-dn "CN=aduser,CN=Users,DC=norseman,DC=ca"
 server-type microsoft
 ldap-attribute-map LDAP_memberOf


I changed the ldap-login-dn to domain\username. The new configuration looks like:

aaa-server TEST (inside) host 192.168.1.4
 ldap-base-dn DC=awesome,DC=ca
 ldap-group-base-dn DC=awesome,DC=ca
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *******
 ldap-login-dn awesome\aduser
 server-type microsoft
 ldap-attribute-map LDAP_memberOf


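Reading these debugs by eye works for one session; when you have a pile of them, a classifier that keys on the signatures discussed in the two LDAP posts above is handy. The following is an added example, not part of the blog: it recognises the admin-bind failure, the empty user search (including the domain-prefix mistake) and a rejected user bind. The two sample sessions are constructed from the lines quoted in the posts; the stage names and the success marker are this example's own assumptions.

```python
"""Classify ASA LDAP debug output by the stage that failed.

Added example covering both LDAP posts above; it is not part of the blog.
It reads 'debug ldap 255' / 'test aaa-server' text and reports whether the
admin (ldap-login-dn) bind failed, the user search came back empty, or the
user's own bind was rejected. The two samples are constructed from the lines
quoted in the posts; the stage names are this example's own.
"""
import re

ADMIN_BIND_FAILED = re.compile(r"Failed to bind as administrator")
USER_NOT_FOUND = re.compile(r"Search result parsing returned failure status")
BIND_REJECTED = re.compile(r"Simple authentication for (\S+) returned code \(49\)")
BINDING_AS = re.compile(r"Binding as (\S+)")
SEARCH_FILTER = re.compile(r"Filter\s*=\s*\[([^\]]*)\]")
SUCCESS = re.compile(r"INFO: Auth\w+ Successful")  # assumed success marker


def classify_ldap_debug(text):
    """Return (stage, detail) for one debug session."""
    if ADMIN_BIND_FAILED.search(text):
        dn = BINDING_AS.search(text)
        return ("admin-bind-failed",
                f"ldap-login-dn '{dn.group(1) if dn else '?'}' was rejected; "
                "check ldap-login-dn and ldap-login-password, the server is now marked failed")
    m = SEARCH_FILTER.search(text)
    filt = m.group(1) if m else ""
    if USER_NOT_FOUND.search(text):
        detail = f"search {filt or '(no filter seen)'} returned no entry"
        if "\\" in filt:  # domain\user leaked into the search filter
            detail += "; the username carries a domain prefix, enter the bare sAMAccountName"
        return "user-not-found", detail
    m = BIND_REJECTED.search(text)
    if m:
        return "user-bind-failed", f"user {m.group(1)} found but password rejected (code 49)"
    if SUCCESS.search(text):
        return "ok", "authentication succeeded"
    return "unknown", "no known failure signature; read the full debug"


# Constructed from the first post (user search fails).
SAMPLE_USER_SEARCH = r"""
[-2147483639] Binding as awesome\aduser
[-2147483639] Performing Simple authentication for awesome\aduser to 192.168.1.4
[-2147483639] LDAP Search:
        Base DN = [DC=awesome,DC=ca]
        Filter  = [sAMAccountName=awesome\\test]
        Scope   = [SUBTREE]
[-2147483639] Search result parsing returned failure status
[-2147483639] Fiber exit Tx=259 bytes Rx=1023 bytes, status=-1
ERROR: Authorization Rejected: Unspecified
"""

# Constructed from the second post (admin bind fails).
SAMPLE_ADMIN_BIND = r"""
[-2147483640] Binding as aduser
[-2147483640] Performing Simple authentication for aduser to 192.168.1.4
[-2147483640] Simple authentication for aduser returned code (49) Invalid credentials
[-2147483640] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483640] Fiber exit Tx=205 bytes Rx=723 bytes, status=-2
ERROR: Authorization Server not responding: AAA Server has been removed
"""

if __name__ == "__main__":
    for sample in (SAMPLE_USER_SEARCH, SAMPLE_ADMIN_BIND):
        print(classify_ldap_debug(sample))
```

The admin-bind check runs first on purpose: that session also contains a "code (49)" line, and reading it as a user password problem would send you chasing the wrong account.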

Wednesday 30 March 2016

AnyConnect 4.x to use SHA-256


I want AnyConnect to use SHA-2 (SHA-256) ciphers when it negotiates. How do I go about that?

Answer: use the ciphers below. AES256-SHA256 and AES128-SHA256 are the SHA-2 suites, and they only exist in TLS 1.2, which is why the string is set for tlsv1.2; the order in the string is the ASA's preference order.

  ssl cipher tlsv1.2 custom "AES256-SHA256:AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA"

Drop DES-CBC-SHA and RC4-SHA (and ideally DES-CBC3-SHA) from that string unless a client you must support needs them: single DES and RC4 are broken, and listing them means a client that only offers them still gets in.


I am unable to connect using AnyConnect 3.x; I get the error message: Unable to reach host / verify internet connectivity.

Answer:
Check "show run all ssl".
Make sure you have "ssl server-version tlsv1". This means that the ASA accepts TLS 1.0 and above, which matters because AnyConnect 3.x does not support TLS 1.1 or 1.2. Lowering the minimum applies to every client, so treat it as a stopgap until the 3.x clients are upgraded.


Tuesday 29 March 2016

How to boot the ASA from TFTP


So you have an issue with your flash memory and the ASA is unable to pick the image from flash.
It goes into a boot loop but never boots up.

You can boot the image from a TFTP server instead. Interrupt the boot (Esc or Break at the console) to get into ROMMON, then set these variables:

IP address that you want to assign to the ASA:

ADDRESS=10.197.222.100


IP address of the TFTP server:
SERVER=10.197.161.160

Default gateway IP address:
GATEWAY=10.197.222.1

Image path or name (relative to the TFTP root):
IMAGE=asa961-smp-k8.bin

Interface on the ASA that gets the IP address:
PORT=Gi0/0

Enter this command to start the download and boot from it: tftpdnld

This boots the image from RAM only; the next reload goes back to flash. Once the ASA is up, copy the image to disk0:, verify its checksum against the one Cisco publishes (verify /md5 disk0:/asa961-smp-k8.bin) and set it with boot system. TFTP is unauthenticated, so use a server you control on a trusted segment.
==============
==============

All the commands at once:


ADDRESS=10.197.222.100
!
SERVER=10.197.161.160
!
GATEWAY=10.197.222.1
!
IMAGE=asa961-smp-k8.bin
!
PORT=Gi0/0
!
set
!
tftpdnld

Monday 21 March 2016

Port forwarding on ASA


I need to reach a VNC server (TCP 5900) in my private network from the outside world using the ASA's public IP.

! object definitions inferred from the names used in the NAT rule
object network obj_192.168.1.11
 host 192.168.1.11
object network any_1
 subnet 0.0.0.0 0.0.0.0
object service port_vnc
 service tcp source eq 5900
!
nat (inside,outside) source static obj_192.168.1.11 interface destination static any_1 any_1 service port_vnc port_vnc

The port is def﻿ined as a source port because the inside host is the source object of this twice NAT rule; the ASA maps 192.168.1.11:5900 to <outside interface IP>:5900. The NAT rule only translates: you still need an access-list applied inbound on outside that permits tcp to host 192.168.1.11 eq 5900 (the real, untranslated address), and since this exposes VNC to the Internet, restrict the permitted source addresses rather than allowing any.

Saturday 27 February 2016

Packet capture on IOS XE



Specify the interface on which you would like to capture:
monitor capture mycap interface <interface_name> both

Limit the capture to the interesting IPs:
monitor capture mycap match ipv4 host <IP> host <IP>

or filter by protocol:

monitor capture mycap match ipv4 protocol ?
tcp
udp
monitor capture mycap match ipv4 protocol tcp any any

Start the capture:
monitor capture mycap start

Stop the capture:
monitor capture mycap stop

Look at the capture (if you do not stop the capture and directly enter this command, it stops the capture automatically):
show monitor capture mycap buffer brief

Export it as a pcap for Wireshark:
monitor capture mycap export bootflash:mycap.pcap

If you are done with this capture and would like to clear it so that you can capture new data:

monitor capture mycap clear






Wednesday 10 February 2016

Tuesday 9 February 2016

How to check on which ports the ASA is listening?


"show asp table socket" shows every socket the ASA itself owns: the ports it is listening on plus established management and VPN sessions. In the output below, Telnet (23) is listening on the inside interface next to SSH (22); remove the telnet lines from the configuration once SSH works, as Telnet sends the enable password in the clear.

 TEST-ASA5505(config-webvpn)#  sh asp table so
Protocol  Socket    Local Address               Foreign Address         State
SSL       00022cef  10.10.10.253:443            0.0.0.0:*               LISTEN
TCP       0005509f  10.10.10.253:23             0.0.0.0:*               LISTEN
TCP       0006af1f  10.10.10.253:22             0.0.0.0:*               LISTEN
TCP       00095f0f  1.93.34.130:22             0.0.0.0:*               LISTEN
SSL       0076a158  10.10.10.253:443            10.10.10.55:60820       ESTAB
SSL       007e4038  10.10.10.253:443            10.10.10.55:60824       ESTAB
SSL       08f3732f  1.93.34.130:4443           0.0.0.0:*               LISTEN
DTLS      08f5b9df  1.93.34.130:443            0.0.0.0:*               LISTEN
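The review one does on that table by eye can be automated. Here is an added example (not ASA code) that parses the output above into records and flags the listeners a reviewer should question: cleartext management protocols anywhere, and SSH on a non-RFC 1918 address. The sample is constructed from the table in this post; which ports and addresses count as risky are this example's assumptions.

```python
"""Parse 'show asp table socket' and flag listeners a reviewer should question.

Added example, not ASA code. The sample is the table from this post. What
counts as a cleartext management service and as a public address are this
example's assumptions (RFC 1918 = private).
"""
import ipaddress
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_ip local_port remote state")

CLEARTEXT_MGMT = {23: "telnet", 80: "http"}  # assumption: protocols to flag anywhere


def parse_asp_sockets(text):
    """Turn the table into Socket records; header, prompt and blanks are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("TCP", "UDP", "SSL", "DTLS"):
            continue
        proto, _sock_id, local, remote, state = parts
        ip, port = local.rsplit(":", 1)
        sockets.append(Socket(proto, ip, int(port), remote, state))
    return sockets


def listeners(sockets):
    return [s for s in sockets if s.state == "LISTEN"]


def review(sockets):
    """Findings: cleartext management anywhere, and SSH on a non-private address."""
    findings = []
    for s in listeners(sockets):
        if s.local_port in CLEARTEXT_MGMT:
            findings.append(f"{CLEARTEXT_MGMT[s.local_port]} listening on {s.local_ip}")
        elif s.local_port == 22 and not ipaddress.ip_address(s.local_ip).is_private:
            findings.append(f"ssh exposed on public address {s.local_ip}")
    return findings


# Constructed from the output quoted in the post.
SAMPLE = """
Protocol  Socket    Local Address               Foreign Address         State
SSL       00022cef  10.10.10.253:443            0.0.0.0:*               LISTEN
TCP       0005509f  10.10.10.253:23             0.0.0.0:*               LISTEN
TCP       0006af1f  10.10.10.253:22             0.0.0.0:*               LISTEN
TCP       00095f0f  1.93.34.130:22             0.0.0.0:*               LISTEN
SSL       0076a158  10.10.10.253:443            10.10.10.55:60820       ESTAB
SSL       007e4038  10.10.10.253:443            10.10.10.55:60824       ESTAB
SSL       08f3732f  1.93.34.130:4443           0.0.0.0:*               LISTEN
DTLS      08f5b9df  1.93.34.130:443            0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    socks = parse_asp_sockets(SAMPLE)
    for s in listeners(socks):
        print(f"{s.proto:5} {s.local_ip}:{s.local_port}")
    print("findings:", review(socks))
```

The SSL/DTLS listeners on 443 and 4443 of the public address are the AnyConnect/WebVPN service itself and are expected; the two findings are the Telnet listener and SSH reachable from the Internet.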

How many address pools can be configured in a tunnel group or group policy?


A maximum of 6 address pools can be configured under a tunnel group or group policy.

This is what happens when you try to add a 7th address pool:

Test-ASA(config-tunnel-general)# address-pool 7
ERROR: list full: only 6 address pools can be specified

For more reference :
http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/vpngrp.html

Sunday 17 January 2016

What is Service?















Friday 15 January 2016

EZVPN between ASAs



Server:
===========
The server configuration is like a remote access VPN configuration:

Phase 1 policy (ISAKMP/IKEv1 policy)
Phase 2 policy (transform set)
Create a pool
Create a split-tunnel access list (extended)
Create a group policy
Create a tunnel group and call in the group policy

In the group-policy attributes, add this additional command so the client may run in network extension mode:
nem enable

Create a dynamic map and then call the dynamic map in the crypto map.
Enable the crypto map on the interface.

Client end configuration (Easy VPN Remote; the vpnclient commands are available on the ASA 5505 only):
===================
vpnclient server <IP address of the server ASA>
vpnclient mode network-extension-mode
vpnclient vpngroup <tunnel group name created on the server ASA> password <pre-shared key of that tunnel group>
vpnclient username <a user created on the server ASA> password <that user's password>
vpnclient nem-st-autoconnect
vpnclient enable


Debugs:

debug crypto isakmp 200

Wednesday 13 January 2016

Could not connect to server : AnyConnect


Back once again!

This time it's my AnyConnect. It gives me an error the moment I hit Connect:
"Could not connect to server. Please verify Internet connectivity and server address"

I am using AnyConnect 3.1.13015. When I try to connect I get an immediate error message as shown above.

The debugs were saying:
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL

Luckily I had AnyConnect 4.2 installed on one of my machines, and when I tested from that machine it worked fine.
I then figured out that AnyConnect 3.x supports only TLSv1 and not 1.1 or 1.2, so I thought of verifying that: sh run all ssl

sh run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.1

ssl cipher default custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1.1 medium



What did I do to fix this issue?
conf t
 ssl client-version tlsv1
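The two SSL posts on this page (the SHA-256 cipher string and this AnyConnect 3.x failure) are the same negotiation seen from two sides, so here is one added example that models it; it is not ASA or AnyConnect code. It parses the "show run all ssl" lines quoted above, works out whether a client with a given TLS version set and cipher list can connect and what it would settle on, and lists the weak ciphers the ASA offers. The client capability sets are assumptions taken from the posts (3.x: TLS 1.0 only; 4.x: up to TLS 1.2), the contents of the ASA's named "medium" level are a placeholder, and the weak-cipher list and the assumption that the ASA's order wins are mine.

```python
"""Will this AnyConnect build negotiate with the ASA's SSL settings?

Added example covering the SHA-256 cipher post and the AnyConnect 3.x post
above; it is not ASA or AnyConnect code. It parses 'show run all ssl' lines
(server-version and per-version cipher strings) and models the handshake:
the client must offer a version the ASA accepts, and the ASA's cipher order
is assumed to win. Client capabilities are assumptions taken from the posts
(3.x: TLS 1.0 only; 4.x: up to TLS 1.2); the weak-cipher list is mine.
"""
import re

VERSIONS = ["tlsv1", "tlsv1.1", "tlsv1.2"]        # lowest to highest
WEAK = {"DES-CBC-SHA", "RC4-SHA", "DES-CBC3-SHA"}  # assumption: flag these
# Named ASA cipher levels; contents assumed minimal for the model.
NAMED_LEVELS = {"medium": ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]}


def parse_ssl_config(text):
    """Return (minimum server version, {version-or-'default': [ciphers]})."""
    min_version, ciphers = "tlsv1", {}
    for line in text.splitlines():
        m = re.match(r"\s*ssl server-version (\S+)", line)
        if m:
            min_version = "tlsv1" if m.group(1) == "any" else m.group(1)
        m = re.match(r'\s*ssl cipher (\S+) (?:custom "([^"]+)"|(\S+))', line)
        if m:
            ver, custom, level = m.groups()
            ciphers[ver] = custom.split(":") if custom else NAMED_LEVELS.get(level, [])
    return min_version, ciphers


def negotiate(asa_config, client_versions, client_ciphers):
    """(version, cipher) the handshake settles on, or (None, reason)."""
    min_v, per_version = parse_ssl_config(asa_config)
    accepted = VERSIONS[VERSIONS.index(min_v):]
    common = [v for v in accepted if v in client_versions]
    if not common:
        return None, f"ASA requires >= {min_v}, client only offers {sorted(client_versions)}"
    version = common[-1]                       # highest shared version
    suites = per_version.get(version) or per_version.get("default", [])
    for cipher in suites:                      # ASA preference order
        if cipher in client_ciphers:
            return version, cipher
    return None, f"no shared cipher for {version}"


def weak_ciphers(asa_config):
    """Ciphers the ASA offers that should be removed from the custom strings."""
    _, per_version = parse_ssl_config(asa_config)
    return sorted({c for suites in per_version.values() for c in suites if c in WEAK})


# Constructed samples: the 'sh run all ssl' from the 3.x post, and the
# SHA-256 command from the 4.x post plus a default line.
ASA_TLS12_ONLY = """ssl server-version tlsv1.2
ssl client-version tlsv1.1
ssl cipher default custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DES-CBC3-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1.1 medium
"""
ASA_SHA256 = """ssl server-version tlsv1
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.2 custom "AES256-SHA256:AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA"
"""
ANYCONNECT_3X = ({"tlsv1"}, ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"])
ANYCONNECT_4X = ({"tlsv1", "tlsv1.1", "tlsv1.2"},
                 ["AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA"])

if __name__ == "__main__":
    print("3.x vs tlsv1.2-only ASA:", negotiate(ASA_TLS12_ONLY, *ANYCONNECT_3X))
    print("4.x vs SHA-256 string:  ", negotiate(ASA_SHA256, *ANYCONNECT_4X))
    print("weak ciphers offered:   ", weak_ciphers(ASA_SHA256))
```

With the configuration from this post the 3.x client has no version in common with the ASA, which is the immediate "Could not connect" the post describes; with server-version lowered to tlsv1 it negotiates TLS 1.0, and the 4.x client against the SHA-256 string lands on AES256-SHA256 as intended.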
 

Replay check failed on a Cisco router with IPsec


Hello again!

You are absolutely right, I am back with another VPN issue :(

So this time I have a router with a VTI tunnel set up on it. I don't know how it all started, but I now see some logs on my router:

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=3625, sequence number=1281790

So I started to figure out what this message means.

Replay attack: a replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. In a replay attack someone records legitimate communications and repeats them in order to impersonate a valid user, or to disrupt or cause negative impact to legitimate connections.

Replay check failure: IPsec provides anti-replay protection against an attacker who duplicates encrypted packets by assigning a monotonically increasing sequence number to each encrypted packet. The receiving IPsec endpoint keeps track of which packets it has already processed on the basis of these numbers, using a sliding window of acceptable sequence numbers. The default anti-replay window size in the Cisco IOS implementation is 64 packets.

How is incoming IPsec traffic on the receiving tunnel endpoint processed with anti-replay enabled?

  1. When a packet is received, if the sequence number falls within the window and was not previously received, the packet is accepted and marked as received before it is sent to integrity verification.
  2. If the sequence number falls within the window and was previously received, the packet is dropped and the replay counter is incremented. (A replay check failure occurs, and the router logs: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed)
  3. If the sequence number is greater than the highest sequence number in the window, the packet is accepted and marked as received, and the sliding window is moved to the right.
  4. If the sequence number is less than the lowest sequence number in the window, the packet is dropped and the replay counter is incremented. (Again a replay check failure occurs, with the same log message.)
I referred to this doc:

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html#anc2
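The four rules above are short enough to implement, and doing so makes the difference between reordering and replay concrete. The following is an added example, not IOS code: it models the receiver's sliding window with the IOS default of 64 and shows that a packet delayed behind 100 others is dropped at 64 but accepted at 512, while a genuinely duplicated packet is dropped at any size. Packets are assumed to have already passed integrity verification, and the arrival orders are constructed.

```python
"""IPsec anti-replay sliding window, following the four rules listed above.

Added example, not IOS code. It models the receiver's window (default 64,
as on IOS) and lets you see why delayed or reordered packets trip
%CRYPTO-4-PKT_REPLAY_ERR while a genuine replay is still caught whatever the
window size. The packets are assumed to have already passed integrity
verification, so only the window logic is shown; the arrival orders are
constructed.
"""


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0              # highest sequence number accepted so far
        self.seen = set()         # accepted numbers within (top - size, top]
        self.replay_failures = 0

    def receive(self, seq):
        """True if the packet is accepted, False if it is a replay failure."""
        if seq > self.top:
            # Rule 3: new high-water mark, slide the window to the right.
            self.top = seq
            self.seen.add(seq)
            self.seen = {s for s in self.seen if s > self.top - self.size}
            return True
        if seq <= self.top - self.size:
            # Rule 4: older than the left edge of the window.
            self.replay_failures += 1
            return False
        if seq in self.seen:
            # Rule 2: inside the window but already received: a replay.
            self.replay_failures += 1
            return False
        # Rule 1: inside the window and new: accept and mark.
        self.seen.add(seq)
        return True


def simulate(window_size, arrivals):
    """Feed an arrival order of sequence numbers; return (accepted, failures)."""
    window = AntiReplayWindow(window_size)
    accepted = sum(1 for seq in arrivals if window.receive(seq))
    return accepted, window.replay_failures


def delayed_order(count, delay):
    """Packets 1..count where packet 1 arrives after the next `delay` packets,
    the reordering a QoS queue or parallel paths can introduce."""
    return list(range(2, 2 + delay)) + [1] + list(range(2 + delay, count + 1))


if __name__ == "__main__":
    print("replayed packet, window 64:", simulate(64, [1, 2, 3, 2]))
    print("packet delayed by 100, window 64:", simulate(64, delayed_order(200, 100)))
    print("packet delayed by 100, window 512:", simulate(512, delayed_order(200, 100)))
```

Note that widening the window never lets a duplicate through: rule 2 still catches anything already marked, which is why a larger window is the safe fix and disabling anti-replay is not.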



If the window size is small (the default is 64), a legitimate packet that was delayed or reordered by more than 64 packets (QoS queues, load sharing over parallel paths, a slow path in the core) gets dropped due to a replay failure; it is not really an attack.
In such scenarios, increase the size of the replay window so that such delays are accounted for and legitimate packets are not dropped. A larger window does not greatly increase the risk of an attack, because a replayed packet is still rejected once its sequence number has been seen; disabling anti-replay altogether (replay disable) does remove the protection, so prefer a bigger window.

Use the show crypto ipsec sa peer <ip-address> platform command to verify the hardware anti-replay window size.

How can I change the window size?

1. Change the window size globally, so that it affects all SAs that are created, except those that are specifically overridden on a per-crypto-map basis:
crypto ipsec security-association replay window-size 512

2. Change it on a crypto map:

crypto map Test 10 ipsec-isakmp
 set security-association replay window-size 512

3. For a VTI (the setup in this post), the same set command goes under the crypto ipsec profile that is applied to the tunnel interface:

crypto ipsec profile <profile-name>
 set security-association replay window-size 512

 

  

 

 

Thursday 7 January 2016

IPsec on a router (with HSRP failover) doesn't work after failover


This one made me really scratch my head!

Here I am first trying to put a picture of the scenario:



This looks cool, so what's the problem?

Well, the problem is I have R1 and R2 running as HSRP peers. I have SLA monitoring going on to check Internet connectivity as well; if Internet connectivity goes down, it will fail over.

R1 and R2 both have a tunnel with R3. Under normal circumstances both R1 and R2 show the tunnel as UP and active, and I can reach the remote end subnets from both R1 and R2 when I source the traffic from the inside interface.

Let's say there is some ongoing traffic over the tunnel; for some reason R1 fails and failover occurs. R2 becomes the active router now and VPN traffic works fine as well.

Let's say there is no ongoing traffic over the tunnel and for some reason R1 fails and failover occurs.
R2 becomes the active router now. If we now try to initiate traffic for the tunnel it won't work; wait as long as you want, it just won't work. (Clearing the session was the only thing that made it work: clear crypto session)

ON R2:
==========
When I investigated further, I found that "sh cry ipsec sa peer 3.3.3.3" shows encaps increasing but no decaps.

It starts making some sense now. So we are doing encaps and sending to the peer, but the peer is not sending anything back to us. WHY?

Let's take a look at R3:
=====================
"sh cry isa sa" on R3 shows that the tunnel is still UP with R1 and there are IPsec SAs as well, and it is doing encaps for peer 1.1.1.1, which is no longer alive; but router R3 doesn't know that.

Now the question comes: why doesn't R3 know R1 has gone down?

DPD: Dead Peer Detection

On R3: sh run | in keepalive
crypto isakmp keepalive 30 5

The router supports two kinds of keepalives: 1. on-demand DPD and 2. periodic DPD. On-demand only sends a DPD request when the router has traffic to send to the peer and has heard nothing from it for the interval, so with no traffic in either direction a dead peer is never noticed; periodic sends the request every interval regardless of traffic.

This document really helped me to understand these two different keepalives:
https://supportforums.cisco.com/document/32546/dead-peer-detection

DPD is disabled by default on Cisco routers. When it is enabled, the default mode is "on-demand" if none is specified.

Here is how I fixed it:
==================
Changed the keepalive mode to periodic:
conf t
crypto isakmp keepalive 30 5 periodic

Voila!

Thanks to the periodic keepalive feature.