Let's troubleshoot... We also deliver trainings. Check out our training page: https://asame2.blogspot.com/p/we-also-deliver-trainings.html


Friday, 1 June 2018

ASA doesn't display Primary/secondary status.


Hello again,

I had a pair of ASAs and wanted to put them in failover. I configured that and everything was working fine.
The only thing I did not like was how the ASAs displayed their name: on both units the prompt read ciscoasa#

I wanted something that tells me which ASA I am on. Am I on the primary or the secondary ASA?
Am I on the active or the standby unit?

"sh failover" shows that.

Then I found that the "priority" and "state" can be displayed right in the prompt.

Use the "prompt" command:

ASA1(config)# prompt hostname ?

configure mode commands/options:
  cluster-unit     Display the cluster unit name in the session prompt
  context          Display the context in the session prompt (multimode only)
  domain           Display the domain in the session prompt
  management-mode  Display management mode
  priority         Display the priority in the session prompt (If your ASA is Primary/Secondary)
  state            Display the traffic passing state in the session prompt (Active or Standby)
  <cr>

With "prompt hostname" only the hostname is shown. To add the unit's priority (primary or secondary), use "prompt hostname priority".

Let's have the "state" displayed as well:

ASA1(config)# prompt hostname priority state

The prompt then reads ASA1/pri/act# on the primary unit while it is active and ASA1/sec/stby# on the secondary while it is standby, so it is obvious which unit a command is about to run on. "prompt" is an ordinary configuration command, so it is replicated to the peer like the rest of the configuration.

Monday, 23 April 2018

Why does my ASA present a self-signed certificate?





This happens when the configured identity certificate is RSA-based and the client negotiates an ECDSA cipher suite.

On ASA 9.4(1) and later, all ECDSA and RSA cipher suites are enabled by default and the strongest suite (usually an ECDSA one) is chosen during negotiation. An ECDHE-ECDSA suite can only be authenticated with an ECDSA certificate, so the RSA-based certificate bound to the interface cannot be used for it.

When that happens, the ASA presents a self-signed certificate instead of the configured RSA-based certificate. An enhancement to change this behaviour when an RSA-based certificate is installed on an interface is tracked as Cisco bug ID CSCuu02848.

How to fix it: exclude the ECDSA suites from the cipher list, for example with:

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"

This list is RSA-only, which cures the symptom, but it also discards every AES-GCM and ECDHE-RSA suite and leaves only CBC/SHA-1 suites. Any suite named ECDHE-RSA-*, DHE-RSA-* or AES*-* (static RSA) authenticates with the RSA certificate, so a stronger list can keep those and drop only the ECDHE-ECDSA entries. "show ssl ciphers" shows which suites are active after the change, and "ssl cipher dtlsv1" governs the DTLS list separately if AnyConnect clients are involved.
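As an added example, not part of the original post: the same fix with the cipher list kept strong, plus the checks to run before and after. The trustpoint name RSA-TP and the interface name outside are assumptions.

```cisco
! Added example, not the original post's configuration. RSA-TP and outside are assumed names.
!
! Before: see which trustpoint and cipher list are actually in play
show running-config ssl
show ssl ciphers
!
! Make sure the RSA identity certificate is bound to the interface clients connect to
ssl trust-point RSA-TP outside
!
! Exclude only the ECDHE-ECDSA suites (the ones that need an ECDSA certificate) instead of
! dropping to the CBC/SHA-1-only list; every suite below authenticates with the RSA certificate,
! forward-secret ECDHE-RSA GCM suites first
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256"
!
! After: confirm the active list and that the configured trustpoint is the one presented
show ssl ciphers
show ssl
```

Connect once from a client after the change and look at the certificate chain it receives; if it is still self-signed, "show ssl" is the place to check whether the trustpoint binding was actually applied to that interface.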

Tuesday, 27 February 2018

How to configure IP SLA monitoring on Cisco ASA?


IP SLA MONITORING on Cisco ASA:

I have two ISPs connected on "outside" and "outside2".
I want the ISP on the outside interface as my primary, and if something goes wrong with that ISP I want my default route to move to the ISP on outside2.
To do that I track an IP address whose reachability stands for ISP1 being available, and apply that track to my "main" route.

To understand how it works, look at the very bottom.

First, configure an SLA monitoring process with a unique ID; in this example I am using 100.
Here we define which IP address the pings are sent to and which interface sources them:
the pings go to 8.8.8.8 from the "outside" interface's IP address,
3 ping packets every 10 seconds.

sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10


Now schedule the monitoring process, i.e. tell it when to start:

sla monitor schedule 100 life forever start-time now

Create a track and associate it with the monitoring process created above.
I am using track ID 1 and associating it with monitoring process 100.

track 1 rtr 100 reachability


rtr = Response Time Reporter (the old name of the IP SLA feature)

Now the track can be applied to the route you want to MONITOR. The backup route gets a higher administrative distance (10 here) so it is only used while the tracked route is withdrawn:

route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 34.65.1.2 10

Working:
=============
As per the above example I am pinging 8.8.8.8, sending 3 packets every 10 seconds. If I do not get a reply for 1 packet, the ASA concludes that something went wrong with ISP1 and the track FAILS. When the track fails, the route it is applied to fails as well.
The ASA dynamically removes that route, and the other static route, configured with the higher metric value, becomes active. During this time the SLA is still sending pings to 8.8.8.8 via ISP1, because the "interface outside" keyword pins the probe to that interface regardless of the routing table. Once it receives a reply it considers ISP1 back online, the track comes up and, as a result, the primary route is reinstalled.

All configuration at once:
sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
!
sla monitor schedule 100 life forever start-time now
!
track 1 rtr 100 reachability
!
route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 34.65.1.2 10
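As an added example, not part of the original post: the tracking configuration above together with the pieces needed for traffic to actually survive the switchover and the commands to verify it. The inside subnet 10.0.0.0/24 and the object name LAN are assumptions; the next hops are the ones used in the post.

```cisco
! Added example, not the original post's configuration. LAN / 10.0.0.0/24 are assumed.
sla monitor 100
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
!
! Primary route is tracked; the backup carries a worse distance and is only installed while track 1 is down
route outside 0.0.0.0 0.0.0.0 65.123.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 34.65.1.2 10
!
! Without a NAT rule for the second ISP the route flips but nothing comes back:
! PAT the inside subnet behind whichever outside interface the packet actually leaves on
object network LAN
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic LAN interface
nat (inside,outside2) source dynamic LAN interface
!
! Verify the probe, the track and which default route is installed right now
show sla monitor configuration 100
show sla monitor operational-state 100
show track 1
show route | include 0.0.0.0
```

8.8.8.8 is reachable through either ISP; that only works here because the probe is pinned to the outside interface. A public target that starts rate-limiting ICMP will make the default route flap, so the ISP's own gateway or a host the ISP guarantees is a safer probe target.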

How to configure failover on Cisco ASA?


Cisco ASA failover prerequisites:
1. Both ASAs must be the same hardware model.
2. Both ASAs must have the same interfaces and modules (verify with "sh inventory").
3. Both ASAs must have the same licenses.
4. Both must have the failover license enabled (on platforms where it is not part of the base license).
5. They should run the same software version for stability; a version mismatch is only supported temporarily, during an upgrade.
6. They can have different amounts of flash.
7. Flash content is not replicated during a stateful failover.
8. Both must be in the same firewall mode (routed or transparent) and the same context mode (single or multiple).

Below is an example configuration for "Stateful Failover" using two interfaces (one for the LAN failover link and one for the stateful link).

on Primary:
==============================================================================
failover lan unit primary
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
! Note: no further configuration is needed on the physical interfaces. nameif and IP address
! for these links are set by the "failover" commands below.
! Define the LAN failover interface
! Syntax: failover lan interface <nameif> <physical interface that receives this nameif>
failover lan interface FAIL GigabitEthernet0/0
! Define the interface for stateful data transfer
! Syntax: failover link <nameif> <physical interface that receives this nameif>
failover link State GigabitEthernet0/1
! Assign IPs for the failover link
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign IPs for the stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
failover
==============================================================================

On Secondary
==============================================================================
! Only these bootstrap lines are needed; once the pair syncs, the primary's running config replaces the secondary's.
failover lan unit secondary
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
! Define the LAN failover interface
failover lan interface FAIL GigabitEthernet0/0
! Define the interface for stateful data transfer
failover link State GigabitEthernet0/1
! Assign IPs for the failover link (identical on both units; the secondary takes the standby address)
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Assign IPs for the stateful link
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
failover
==============================================================================
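As an added example, not part of the original post: the same bootstrap with the settings a production pair should not leave out, and the commands to verify the result. The failover key, poll timers and the monitored interface names (outside, inside) are assumptions.

```cisco
! Added example, not the original post's configuration. Key, timers and monitored interface names are assumed.
! --- primary ---
failover lan unit primary
failover lan interface FAIL GigabitEthernet0/0
failover link State GigabitEthernet0/1
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
! The failover and state links carry the full configuration (passwords included) and the connection
! table. Without a key they are cleartext; set the same key on both units before enabling failover.
failover key Fa1l0verS3cret!
! Detect a dead peer faster than the 1 s poll / 15 s hold defaults
failover polltime unit 1 holdtime 5
! Only interfaces with a standby IP are monitored; an unmonitored interface never triggers a switchover
monitor-interface outside
monitor-interface inside
failover
!
! --- secondary: bootstrap only, its running config is replaced by the primary's once they sync ---
failover lan unit secondary
failover lan interface FAIL GigabitEthernet0/0
failover link State GigabitEthernet0/1
failover interface ip FAIL 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip State 172.16.10.1 255.255.255.0 standby 172.16.10.2
failover key Fa1l0verS3cret!
failover
!
! --- verify on either unit: expect "This host: Primary - Active" / "Other host: Secondary - Standby Ready" ---
show failover
show failover state
show failover history
```

On 9.1(2) and later, "failover ipsec pre-shared-key" can be used instead of "failover key" to run the failover and state traffic inside an IPsec tunnel, which is the stronger option when the links cross a switch shared with other traffic.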

Useful debug commands:
To check the failover LAN link status:
 debug fover cable
 Working output:
 fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_lan_check() Failover Interface OK


When there is actually a problem with failover LAN link:

fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: fover_lan_check() Failover Interface TEST started
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs
fover_health_monitoring_thread: send_mate_arp(0x2) - 10.10.10.1
fover_health_monitoring_thread: fover_luifc_check: skip lu ifc monitoring
fover_health_monitoring_thread: fover_lan_check() Failover LAN Check
fover_health_monitoring_thread: fover_chk_my_down_ifcs() Local unit has 0 down ifcs

debug fover tx
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x2489 size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248a size = 32 bytes
fover_health_monitoring_thread: send_msg_reliable_ip cmd = 1 seqNum = 0x248b size = 32 bytes


debug fover rx
fover_ip: HA TRANS: receive message for client Failover Control Module, length 200
fover_rx: rx msg: cmd 0x30, seqNum 0xce1
fover_rx: receive_msg(cmd=FXCHG_CARD_INFO), seqNum=0xce1, size=200
fover_parse: parse_thread_helper() - execute msg 48
fover_ip: HA TRANS: receive message for client Failover Control Module, length 28

Monday, 26 February 2018

How to allocate interfaces in multiple contexts?


Once the ASA is switched to multiple context mode, it creates the system execution space and an admin context by default. The admin context can be used as a normal user context, but that is not recommended. The system space is where the whole box is managed: creating contexts, allocating resources, allocating interfaces, and so on.

Let's say I have created a context named ASA1 and I would like to allocate Eth0/0 and Eth0/1 to it.
This is done from the system space, inside the context definition. Here are the commands:

changeto system
context ASA1
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/1

Allocation only hands the interfaces to the context; nameif, security-level and IP address are then configured inside the context after "changeto context ASA1".
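As an added example, not part of the original post: the full flow for the context ASA1 named above, including a subinterface, mapped interface names and the config-url, then the addressing inside the context. Interface names, mapped names, VLAN, addresses and the config-url path are assumptions.

```cisco
! Added example, not the original post's configuration. Interface, VLAN, mapped names and paths are assumed.
changeto system
! A subinterface must exist in the system space before a context can take it
interface Ethernet0/2
 no shutdown
interface Ethernet0/2.10
 vlan 10
!
context ASA1
 description customer ASA1
 ! Mapped names: the context admin only ever sees int0/int1/int10, never the physical names
 allocate-interface Ethernet0/0 int0
 allocate-interface Ethernet0/1 int1
 allocate-interface Ethernet0/2.10 int10
 ! Allocate interfaces BEFORE config-url: the context config is loaded the moment config-url is entered
 config-url disk0:/ASA1.cfg
!
! Addressing and nameif happen inside the context, using the mapped names
changeto context ASA1
interface int0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface int1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Verify from the system space
changeto system
show context
show context detail
```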

Wednesday, 9 November 2016

How to delete the AnyConnect cache?


I had a few XML profiles in my profile folder. I deleted them all and restarted AnyConnect, but I still saw the last connected name in AnyConnect. Shouldn't it be clean?

So I then deleted the preferences.xml file from this location and restarted the AnyConnect service:

C:\Users\<username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client

That did the trick!

Download a batch file that does this:

https://drive.google.com/file/d/0B5l3rOLgYvw4QTVYSnh6SVlLV1E/view?usp=sharing&resourcekey=0-GGOunpyw-z7H-r7ZB_cuMw

Thursday, 13 October 2016

ASA as a CA server:


ASA as a CA server (local CA):
====================

1. The clock must be correct; certificate validity is taken from it.
2. Check the existing keys with "sh crypto mypubkey rsa" and the existing certificates with "sh crypto ca certificate".

Generate keys:

crypto key gen rsa label mykey modu 2048

Enter the CA server configuration:

crypto ca server

Name of the CA server (the issuer DN written into every certificate it signs):

issuer-name CN=cisco

Default subject name appended to the user certificates:

subject-name-default CN=nameoftheCA,C=IN

Start the CA server: no shutdown

It will ask for a passphrase: use a strong one and record it, since it protects the CA's stored key pair.

You will then see "certificate server enabled".

Add a user to the enrollment database:

crypto ca server user-db add mitin

The user enrols at this URL: https://ip/+CSCOCA+/login.html, for example

https://10.197.222.122/+CSCOCA+/login.html

https://172.16.0.22/+CSCOCA+/enroll.html

Allow the user to enrol and display the one-time password:

crypto ca server user-db allow mitin display-otp

This displays an OTP; give that OTP to the user out of band.
The user enters the username and OTP on the enrollment page, enters a passphrase that protects the downloaded file, and receives the certificate.


clear configure crypto ca server : clears the CA configuration.
Whenever the CA server is shut down it also deletes the user database, so be careful here.


Via ASDM: Local Certificate Authority >
Manage User Database >> Allow Enrollment

As soon as the CA server is enabled, a CA certificate appears on the firewall in which "issued by" and "issued to" are the same. This is the root certificate.
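As an added example, not part of the original post: the same local CA with the settings that should not be left at their defaults (key sizes, lifetimes, OTP expiry, CRL distribution), plus the per-user enrollment and verification commands. All names, DN values, lifetimes and the certificate serial are assumptions.

```cisco
! Added example, not the original post's configuration. Names, DNs, lifetimes and serial are assumed.
crypto key generate rsa label mykey modulus 2048
crypto ca server
 issuer-name CN=asa-local-ca,O=Example,C=IN
 subject-name-default O=Example,C=IN
 ! User key pairs default to 1024 bits and the CA key is generated at "no shutdown":
 ! set both sizes before enabling the server
 keysize 2048
 keysize server 2048
 ! Keep user certificates short-lived; the CA certificate can live longer
 lifetime certificate 365
 lifetime ca-certificate 1825
 ! An OTP that is never used should not stay valid for the default 72 hours
 otp expiration 24
 ! Publish a CRL so that revoked user certificates can actually be rejected
 cdp-url http://asa.example.com/+CSCOCA+/asa_ca.crl
 no shutdown
!
! Per-user enrollment: add, allow (prints the OTP), hand the OTP over out of band
crypto ca server user-db add alice dn CN=alice,O=Example,C=IN email alice@example.com
crypto ca server user-db allow alice display-otp
!
! Verify the server, its user database and its own certificate
show crypto ca server
show crypto ca server user-db
show crypto ca server certificate
!
! Revoke when a device is lost; the serial number is listed by "show crypto ca server user-db enrolled"
crypto ca server revoke 0x2
show crypto ca server crl
```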






===========================================================
How to add a certificate using the CLI:

Generate CSR:
===============
Generate the key: crypto key generate rsa label mykey mod 2048
crypto ca trustpoint ca
enrollment terminal : enables cut-and-paste enrollment, where the certificate text is pasted into the CLI
(enrollment self would instead generate a self-signed certificate; use one or the other)
Tell it which key pair to use:
keypair mykey

Remove the FQDN from the request: fqdn none
subject-name CN=asa.cisco.com
crypto ca enroll ca (ca = the trustpoint name)
Include the device serial number in the subject? No.

This generates the CSR.
Now copy it and send it to the CA.

The CA returns certificates in DER or base64 (PEM) encoding; terminal enrollment needs the base64 text.

crypto ca authenticate ca ---> imports the root CA certificate. Do this first; the ASA prints the CA certificate's fingerprint, verify it against the CA out of band before accepting.
crypto ca enroll ca ---> generates the CSR.
crypto ca import ca certificate ---> imports the ID certificate issued for that CSR.
Those are the only three operations involved. For each import, paste the base64 text at the prompt and finish with:
quit

debug crypto ca message 255 (shows why an import is rejected)

If the certificate was signed with SHA-256 and you try to import it on older code (8.0, 8.2), the import fails with an error.

==========================================================
SCEP : Simple Certificate Enrollment Protocol
SCEP is an automatic enrollment procedure: the ASA is configured as a SCEP client and sends the certificate request to the CA server itself, for example a Microsoft CA at:

http://10.197.222.221/certsrv/mscep/mscep.dll
ASA as SCEP client:
crypto ca trustpoint ca
enrollment url http://ip/certsrv/mscep/mscep.dll
subject-name CN=ASAme2
exit
crypto ca authenticate ca
This downloads the root CA certificate automatically. The download is over plain HTTP, so the fingerprint the ASA prints is the only thing that authenticates the CA: compare it with the CA's own fingerprint before answering yes.

crypto ca enroll ca ----- > requests the certificate from the CA over SCEP; you are prompted for the challenge password (OTP) issued by the CA. "crypto ca import ca certificate" is the cut-and-paste alternative for a certificate obtained outside SCEP and is not needed here.

sh crypto ca certificate --> shows the ID certificate that we have received.
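As an added example, not part of the original post, serving both the cut-and-paste procedure above and the SCEP section: the two enrollment paths end to end, in the order the commands must run, followed by binding the certificate to an interface and verifying it. Trustpoint names, key label, subject names, the NDES URL and the challenge password are assumptions.

```cisco
! Added example, not the original post's configuration. Trustpoint names, subjects, URL and challenge are assumed.
crypto key generate rsa label ID-KEY modulus 2048
!
! --- A: cut-and-paste (terminal) enrollment against an offline or third-party CA ---
crypto ca trustpoint EXT-CA
 enrollment terminal
 keypair ID-KEY
 fqdn asa.example.com
 subject-name CN=asa.example.com,O=Example,C=IN
 ! Reject a chain whose CRL cannot be fetched instead of silently trusting it
 revocation-check crl
!
! 1. Trust the issuer first; the ASA prints the CA fingerprint: verify it with the CA before typing yes
crypto ca authenticate EXT-CA
! 2. Produce the CSR (answer no to the serial-number question, yes to displaying the request)
crypto ca enroll EXT-CA
! 3. Paste the base64 certificate the CA returns, end with quit
crypto ca import EXT-CA certificate
!
! --- B: SCEP enrollment against a Microsoft NDES server ---
crypto ca trustpoint MS-CA
 enrollment url http://ndes.example.com/certsrv/mscep/mscep.dll
 keypair ID-KEY
 subject-name CN=asa.example.com,O=Example,C=IN
 ! Challenge password from the NDES admin page; SCEP over HTTP relies on it and on the fingerprint check
 password S3cretChallenge
 revocation-check crl
crypto ca authenticate MS-CA
crypto ca enroll MS-CA
!
! --- bind the identity certificate to the interface and verify ---
ssl trust-point EXT-CA outside
show crypto ca certificates EXT-CA
show crypto ca trustpoints
debug crypto ca 255
```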






Thursday, 15 September 2016

Some users are unable to connect with AnyConnect while others can : PUBLICPROXIES_ERROR_NO_INSTANCE


Hello there,

So this time I ran into an issue where some Windows users were unable to connect with AnyConnect while others could. Sometimes uninstalling the AnyConnect software helped, sometimes not.

They got the error message: Failed to get configuration from secure gateway. Contact your system administrator

Luckily I grabbed a DART bundle from a user's PC and found the following:

Invoked Function: ConnectIfc::TranslateStatusCode
Return Code: -32899061 (0xFE0A000B)
TEST_TG: PUBLICPROXIES_ERROR_NO_INSTANCE
Connection attempt failed. Please try again


This led me to these two Windows updates:
KB3161949 and KB3160005

After I uninstalled these two Windows updates, everything worked fine.

I hope this helps you :)

-
Raj


Wednesday, 14 September 2016

How to check if ASA has Apex license installed or not?



Q. How do I check whether the ASA has an Apex license installed?

A. Use the command: debug menu license 23

Q. I am not able to select "Match All" for a DAP policy endpoint attribute (Endpoint > Device > MAC address > MATCH ALL) when trying to match (!=) multiple MAC addresses.
A. You need "Advanced Endpoint Assessment" enabled.

Thursday, 11 August 2016

Run a script when AnyConnect connects/disconnects


1. In the XML profile: Preferences (Part 2) > Enable Scripting > uncheck "Enable post SBL option".
2. In ASDM: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script.
3. Import > give the script a name > choose "Script runs when client disconnects" (or connects) > select platform Windows > upload the script from your local machine > Import Now > Apply.
4. Refresh ASDM and make sure all settings were applied. Check the XML profile and make sure the script file is present.

Wednesday, 1 June 2016

Policy based NAT on router


Here is my requirement:

I want to NAT the traffic coming from 10.2.2.0 0.0.0.255 and going to 2.2.2.2.

I want the source IP to be translated into the 192.168.2.0/24 subnet. How do I do that?

1. Create an access list that defines the interesting traffic:
ip access-list extended ACL1
 permit ip 10.2.2.0 0.0.0.255 host 2.2.2.2

2. Create a route map that matches this ACL:
route-map mymap permit 10
 match ip address ACL1

3. Create a pool for the translated range:
ip nat pool NAT1 192.168.2.1 192.168.2.254 prefix-length 24

4. Create the NAT statement:
ip nat inside source route-map mymap pool NAT1

5. Make sure the LAN-facing interface is marked "ip nat inside" and the interface towards 2.2.2.2 is marked "ip nat outside"; without those the rule never triggers. "show ip nat translations" confirms that the route-map entries are being used.

Saturday, 30 April 2016

How to re-enable an aaa-server on the ASA after it has failed?


How to verify the status of an aaa-server configured on the ASA?

sh aaa-server
============================
Server Group:    Test
Server Protocol: radius
Server Address:  10.60.2.6
Server port:     1645(authentication), 1646(accounting)
Server status:   FAILED, Server disabled
 ==============================
With the default reactivation mode (depletion), failed servers are only reactivated once all servers in the group are inactive.

If the server is available again (ping it from the ASA to check), re-enable it with the following command:

aaa-server Test active host 10.60.2.6

To take an aaa-server out of service deliberately, use:
 aaa-server Test fail host 10.60.2.6
 
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1558160
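As an added example, not part of the original post: the group above with the reactivation behaviour changed so that a single server comes back on its own, and an end-to-end test that exercises the server before its state is changed by hand. The group name Test and server 10.60.2.6 are from the post; the RADIUS key, ports, test credentials and the interface name inside are assumptions.

```cisco
! Added example, not the original post's configuration. Key, ports, test user and interface are assumed.
aaa-server Test protocol radius
 ! Default is depletion: a failed server stays disabled until every server in the group has failed.
 ! timed brings it back after 30 seconds, which removes the manual "active host" step
 reactivation-mode timed
 max-failed-attempts 3
aaa-server Test (inside) host 10.60.2.6
 key Sup3rS3cretRadiusKey
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! Exercise the server end to end: a pass here proves reachability, shared secret and the account at once
test aaa-server authentication Test host 10.60.2.6 username testuser password testpass
show aaa-server Test
```

"test aaa-server" works against a server that is currently marked FAILED, so it is the safer first step: if the test passes, reactivate; if it fails with a timeout, fix reachability; if it fails with a reject, check the shared secret on both sides.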
 

Thursday, 14 April 2016

User authentication fails with LDAP: what do the debugs look like?


This is what the debugs for an LDAP user lookup look like:

ASA(host)# test aaa autho TEST host 192.168.1.4
Username: awesome\test
INFO: Attempting Authorization test to IP address <192.168.1.4> (timeout: 12 seconds)

[-2147483639] Session Start
[-2147483639] New request Session, context 0x00002aaad5771be0, reqType = Other
[-2147483639] Fiber started
[-2147483639] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483639] Connect to LDAP server: ldap://192.168.1.4:389, status = Successful
[-2147483639] supportedLDAPVersion: value = 3
[-2147483639] supportedLDAPVersion: value = 2
[-2147483639] Binding as awesome\aduser
[-2147483639] Performing Simple authentication for awesome\aduser to 192.168.1.4
[-2147483639] LDAP Search:
        Base DN = [DC=awesome,DC=ca]
        Filter  = [sAMAccountName=awesome\\test]
        Scope   = [SUBTREE]
[-2147483639] Search result parsing returned failure status
[-2147483639] Fiber exit Tx=259 bytes Rx=1023 bytes, status=-1
[-2147483639] Session End
ERROR: Authorization Rejected: Unspecified


The telling line is "Search result parsing returned failure status", with no "Binding as ..." for the user after it: the search under DC=awesome,DC=ca for sAMAccountName=awesome\\test matched nothing, because sAMAccountName never contains the domain prefix. Enter the bare username (test) rather than awesome\test. A username that does not exist fails in exactly the same place. Note also that "test aaa autho" is an authorization test, in which the ASA only binds with the login DN and searches; the user's password plays no part, so it cannot be the cause here. In an authentication test (test aaa-server authentication ...) a wrong password looks different: the search succeeds, the ASA then binds as the user, and that bind returns code (49) Invalid credentials.

Share/like/google+ if this has helped you!

LDAP Admin bind failed debugs


This is what the debugs look like if the LDAP admin (login DN) bind fails:

ASA(host)# test aaa autho TEST host 192.168.1.4
Username: raj
INFO: Attempting Authorization test to IP address <192.168.1.4> (timeout: 12 seconds)

[-2147483640] Session Start
[-2147483640] New request Session, context 0x00002aaad5771be0, reqType = Other
[-2147483640] Fiber started
[-2147483640] Creating LDAP context with uri=ldap://192.168.1.4:389
[-2147483640] Connect to LDAP server: ldap://192.168.1.4:389, status = Successful
[-2147483640] supportedLDAPVersion: value = 3
[-2147483640] supportedLDAPVersion: value = 2
[-2147483640] Binding as aduser
[-2147483640] Performing Simple authentication for aduser to 192.168.1.4
[-2147483640] Simple authentication for aduser returned code (49) Invalid credentials
[-2147483640] Failed to bind as administrator returned code (-1) Can't contact LDAP server

[-2147483640] Fiber exit Tx=205 bytes Rx=723 bytes, status=-2
[-2147483640] Session End
ERROR: Authorization Server not responding: AAA Server has been removed

Remember: if the admin bind fails, the debug says so explicitly: "Failed to bind as administrator". The "Can't contact LDAP server" and "AAA Server has been removed" lines that follow are a consequence of that failed bind, not a separate connectivity problem (the TCP connection itself shows "status = Successful" a few lines earlier).

Below was the configuration during this test:

aaa-server TEST (inside) host 192.168.1.4
 ldap-base-dn DC=awesome,DC=ca
 ldap-group-base-dn DC=awesome,DC=ca
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *******
 ldap-login-dn "CN=aduser,CN=Users,DC=norseman,DC=ca"
 server-type microsoft
 ldap-attribute-map LDAP_memberOf


I changed the ldap-login-dn to the domain\username form, which Active Directory accepts for a simple bind. The new configuration looks like:

aaa-server TEST (inside) host 192.168.1.4
 ldap-base-dn DC=awesome,DC=ca
 ldap-group-base-dn DC=awesome,DC=ca
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *******
 ldap-login-dn awesome\aduser
 server-type microsoft
 ldap-attribute-map LDAP_memberOf
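As an added example, not part of the original post, covering both this post and the authorization-test post above: the working configuration moved off cleartext LDAP, with the two test commands that distinguish a lookup failure from a bad password. Server 192.168.1.4, the bind account and the base DN are from the post; the bind password, test user and test password are assumptions.

```cisco
! Added example, not the original post's configuration. Bind password, test user and password are assumed.
aaa-server TEST protocol ldap
aaa-server TEST (inside) host 192.168.1.4
 ! A simple bind sends the login DN's password in cleartext on 389; LDAPS on 636 keeps it off the wire
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=awesome,DC=ca
 ldap-group-base-dn DC=awesome,DC=ca
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn awesome\aduser
 ldap-login-password BindAcctPassw0rd
 server-type microsoft
 ldap-attribute-map LDAP_memberOf
!
! Authorization test: admin bind plus search only, so pass the bare sAMAccountName (no domain prefix).
! "Search result parsing returned failure status" here means the user was not found.
test aaa-server authorization TEST host 192.168.1.4 username test
!
! Authentication test: also binds as the user, so a wrong password surfaces as
! "returned code (49) Invalid credentials" after a successful search.
test aaa-server authentication TEST host 192.168.1.4 username test password Passw0rd
```

Run "debug ldap 255" alongside either test: a failure before "Binding as awesome\aduser" succeeds is the bind account, a failure in the search is the username or the base DN, and a failure in the second bind is the user's password.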

