When you use an internal certificate on your ASA and the copy of that certificate held on the PC has expired, you may get a couple of warning or error messages.
The first warning is "The certificate has an invalid date".
After you enter the username and password, the client disconnects with the error "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."
Solution: find the expired certificate in the PC's certificate store, delete it, then try again.
Another issue is the URL in the connection profile.
Don't use https://xxx.xxx.com/ddd/ with a trailing "/".
Having a "/" at the end might cause unexpected issues.
Tuesday, August 12, 2014
Tuesday, June 10, 2014
Cisco VoIP phone logout: services not available
Sometimes the login process works fine: when you press the Services button it asks for a user ID and PIN, and if authentication succeeds the device profile you set up above is loaded onto the phone. The problem is logging out of that profile on the phone: when you press the Services button to log out, you get the message "No services configured".
Subscribe the profile to the service: go to CUCM Admin > Device > Device Settings > Device Profile, click the EM (Extension Mobility) profile, then use "Related Links" in the upper-right corner to subscribe the profile to the EM service.
Wednesday, May 14, 2014
AnyConnect installation stalled with HostScan data-limit
Sometimes the AnyConnect installation stalls and keeps showing "waiting for next hostscan" or a similar message.
In the ASA log you can see an error message like "Reject 293KB hostscan data from ip x.x.x.x host scan results exceed default limit 200kB".
The solution is to increase the HostScan data-limit to a bigger number:
config t
service internal
webvpn
hostscan data-limit 300
Wednesday, April 30, 2014
Set up a lab with real devices, GNS3 and Cisco IOS XRv (the cloud router)
Physical topology:
1. ESXi host.
2. On ESXi, install 3 XRv routers, each with 4 ports; make sure you can access the console of these routers.
You might need a named pipe (near end: server, far end: virtual machine) if the network console is not working.
3. Windows 7 with GNS3 installed, plus PuTTY to access the XRv consoles if the network console is not working.
a. Depending on how many links you need to the XRv routers, install one network adapter for each connection to an XRv.
b. Install 3 serial ports for the XRv console connections, using a named pipe (near end: client, far end: virtual machine).
4. In GNS3 add a cloud, configure the cloud, and add the network adapters to Cx.
5. Add the routers.
6. Use the ESXi network adapter to connect to physical devices such as layer 3 switches, or to connect to the internet.
For ESXi you need to: go into the vSwitch properties, click the Security tab and change Promiscuous Mode from Reject to Accept.
Thursday, April 24, 2014
Windows Server 2012: enable Remote Desktop
1. Enable Remote Desktop in System Properties.
The Server Info link launches the Control Panel System page. Click Advanced System Settings on the right; this opens the same System Properties page.
2. Enable the inbound firewall rule "Remote Desktop - User Mode (TCP-In)".
GUI – Graphical User Interface
1. Open Control Panel, then select System and Security by clicking on that header
2. Select Windows Firewall
3. Advanced Settings
4. In 'Windows Firewall with Advanced Security' click on 'Inbound Rules'
Friday, April 11, 2014
VPN service not available
"The VPN service is not available. Restart the application after one minute."
First try to start the service manually:
- Within Control Panel -> System and Security -> Administrative Tools -> Services
- Look for the Cisco AnyConnect Secure Mobility Agent service
- Right-click the service and select Start, or Restart if the service is already running.
If that does not work:
1) Open Windows Explorer
2) Navigate to c:\windows\system32\drivers\etc
3) Move all files in the root to a new folder you create - any name is fine, I used 'old'.
4) Authorize the move in User Account Control.
5) Start the Cisco AnyConnect client. You should not receive the error message.
6) Completely exit the Cisco AnyConnect client.
7) Move HOSTS from 'old' back to c:\windows\system32\drivers\etc
8) Start the Cisco AnyConnect client. You should not receive the error message.
Thursday, April 3, 2014
Cisco AnyConnect error "Failed to install AnyConnect VPN Profile because of file move error. A VPN connection cannot be established."
Sometimes you might see this error when installing AnyConnect. It can be a permissions issue on the client profile file (the .xml file).
Resolve the issue by verifying (and correcting) the permissions on the directory the profile is stored in. This varies by operating system; the paths for XP and 7 are:
WinXP: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Win 7: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
In my case the permissions on the file got blanked somewhere along the way; I just had to go to the next higher directory and re-propagate the permissions down to the child objects (files and subdirectories residing under this directory).
Monday, March 31, 2014
Cisco ASA ASDM Incompatibility with Java 7 Update 51
The latest Java release, 7 Update 51, deployed this week, breaks access to Cisco ASA firewalls running ASDM. When you connect with ASDM you get the following error message: "Unable to launch device manager from X.X.X.X"
The symptoms are that the firewall's web page shows up and displays normally, but you can't connect to the server with the ASDM Launcher. The log on the firewall shows:
%ASA-6-302013: Built inbound TCP connection 112 for outside:X.X.X.X/64508 (X.X.X.X/64508) to identity:Y.Y.Y.Y/443 (Y.Y.Y.Y/443)
%ASA-6-725001: Starting SSL handshake with client outside:X.X.X.X/64508 for TLSv1 session.
%ASA-7-725010: Device supports the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[4] : AES128-SHA
%ASA-7-725011: Cipher[5] : AES256-SHA
%ASA-7-725011: Cipher[6] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:X.X.X.X/64508 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : RC4-SHA
%ASA-7-725011: Cipher[5] : DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:X.X.X.X/64508
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert certificate unknown
%ASA-6-725006: Device failed SSL handshake with client outside:X.X.X.X/64508
%ASA-6-302014: Teardown TCP connection 112 for outside:X.X.X.X/64508 to identity:Y.Y.Y.Y/443 duration 0:00:00 bytes 580 TCP Reset by appliance
The "sslv3 alert certificate unknown" line is an alert received from the client: the Java side rejected the firewall's certificate and aborted the handshake, which is why the ASA then reports the failed handshake and resets the connection.
Cisco has included this information in their latest release notes:
If you use Java 7 Update 51, you must upgrade ASDM to Version 7.1(5.100) or later, and you can only use the Java Web Start. The ASDM Launcher is not supported.
So the alternatives are to downgrade Java on your workstation, or upgrade to the latest ASDM version, to get ASDM working again.
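As an added example (not part of the original post), the following Python script parses ASA SSL handshake syslog lines like those above and reports which clients aborted with a certificate alert, the failure pattern shown in the log. The sample lines are constructed with placeholder IPs, and message 725002 (handshake completed) is assumed from the ASA syslog message set rather than taken from this page.

```python
import re

# Constructed sample syslog lines (placeholder IPs) in the format of the ASA log above.
# 725002 "completed SSL handshake" is assumed from the ASA message set; it is not on the page.
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client outside:192.0.2.10/64508 for TLSv1 session.
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:192.0.2.10/64508
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert certificate unknown
%ASA-6-725006: Device failed SSL handshake with client outside:192.0.2.10/64508
%ASA-6-725001: Starting SSL handshake with client outside:192.0.2.20/50111 for TLSv1 session.
%ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client outside:192.0.2.20/50111
%ASA-6-725002: Device completed SSL handshake with client outside:192.0.2.20/50111
"""

MSG_RE = re.compile(r"^%ASA-\d-(\d{6}): (.*)$")
CLIENT_RE = re.compile(r"client (\S+/\d+)")
CIPHER_RE = re.compile(r"chooses cipher : (\S+)")
REASON_RE = re.compile(r"Reason: (.*)$")


def parse_ssl_handshakes(log_text):
    """Return {client: {"cipher", "reason", "result"}} for each SSL handshake.

    725014 carries no client field, so it is attributed to the handshake that
    725001 most recently started and that has not yet completed or failed.
    """
    sessions = {}
    current = None
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        msg_id, body = m.groups()
        cm = CLIENT_RE.search(body)
        client = cm.group(1) if cm else None
        if msg_id == "725001" and client:
            current = client
            sessions[client] = {"cipher": None, "reason": None, "result": "in-progress"}
        elif msg_id == "725012" and client in sessions:
            cipher = CIPHER_RE.search(body)
            sessions[client]["cipher"] = cipher.group(1) if cipher else None
        elif msg_id == "725014" and current in sessions:
            reason = REASON_RE.search(body)
            sessions[current]["reason"] = reason.group(1) if reason else body
        elif msg_id in ("725006", "725002") and client in sessions:
            sessions[client]["result"] = "failed" if msg_id == "725006" else "completed"
            if current == client:
                current = None
    return sessions


def client_rejected_certificate(session):
    """True when the handshake failed with a certificate alert sent by the peer,
    i.e. the client (here the Java/ASDM side) refused the ASA's certificate."""
    return session["result"] == "failed" and "certificate" in (session["reason"] or "")


def certificate_failures(sessions):
    """Clients that rejected the ASA certificate, sorted for stable output."""
    return sorted(c for c, s in sessions.items() if client_rejected_certificate(s))


if __name__ == "__main__":
    parsed = parse_ssl_handshakes(SAMPLE_LOG)
    for client, info in parsed.items():
        print(client, info)
    print("certificate failures:", certificate_failures(parsed))
```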
How to change the subnet mask of a DHCP scope on Windows Server
You can't change the subnet mask of a DHCP scope directly without deleting the scope: you need to delete the DHCP scope first and then recreate it with the new subnet, but doing that by hand leads to a large amount of manual work.
To avoid the manual work, use the netsh commands below to change the subnet mask of an existing DHCP scope in a few simple steps.
Use the command below to export the scope configuration.
Syntax:
C:\>netsh dhcp server \\"Server name" scope "scope subnet" dump>c:\dhcp.txt
Example:
C:\>netsh dhcp server \\Test01 scope 192.168.1.0 dump>c:\dhcp.txt
To change the subnet mask of the scope
Open the dhcp.txt file and change the subnet mask; dhcp.txt resembles the following:
Changed the current scope context to 192.168.1.0 scope.
Dhcp Server 192.168.1.24 add scope 192.168.1.0 255.255.255.0 "Vlan-1" "Vlan-1"
Dhcp Server 192.168.1.24 Scope 192.168.1.0 set state 1
Edit the file and save it.
After this, delete the scope and run the command below to create the scope from the txt file:
C:\>netsh exec c:\dhcp.txt
This will automatically create the DHCP scope with the new subnet mask.
This way you can change other configuration details along with the subnet mask, like the IP range and exclude ranges.
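As an added example that is not part of the original post, this Python script applies the subnet-mask change to a dump file of the format shown above and checks two things a practitioner would want verified before running "netsh exec": that the scope ID is still the network address under the new mask, and that any iprange/excluderange lines still fit inside the new subnet. The dump text is constructed, and the range lines are assumed to follow the same "Scope <id> Add iprange/excluderange start end" form.

```python
import ipaddress
import re

# Constructed dump text in the format of the netsh "scope ... dump" output shown above.
# The iprange/excluderange lines are assumed to follow the same "Scope <id> Add ..." form.
DUMP_TEXT = """\
Changed the current scope context to 192.168.1.0 scope.
Dhcp Server 192.168.1.24 add scope 192.168.1.0 255.255.255.0 "Vlan-1" "Vlan-1"
Dhcp Server 192.168.1.24 Scope 192.168.1.0 set state 1
Dhcp Server 192.168.1.24 Scope 192.168.1.0 Add iprange 192.168.1.10 192.168.1.100
Dhcp Server 192.168.1.24 Scope 192.168.1.0 Add excluderange 192.168.1.10 192.168.1.20
"""

SCOPE_RE = re.compile(r"^(Dhcp Server \S+ add scope )(\S+) (\S+)(.*)$", re.IGNORECASE)
RANGE_RE = re.compile(r"Add (iprange|excluderange) (\S+) (\S+)", re.IGNORECASE)


def rewrite_scope_mask(dump_text, new_mask):
    """Return the dump with the scope's subnet mask replaced by new_mask.

    Raises ValueError when the scope ID would no longer be the network address
    (netsh keys the scope by that address) or when an existing range would fall
    outside the new subnet; those cases need manual edits before "netsh exec".
    """
    lines = dump_text.splitlines()
    network = None
    for i, line in enumerate(lines):
        m = SCOPE_RE.match(line)
        if not m:
            continue
        prefix, scope_id, _old_mask, rest = m.groups()
        network = ipaddress.ip_network(f"{scope_id}/{new_mask}", strict=False)
        if str(network.network_address) != scope_id:
            raise ValueError(f"scope {scope_id} is not the network address of {network}")
        lines[i] = f"{prefix}{scope_id} {new_mask}{rest}"
    if network is None:
        raise ValueError("no 'add scope' line found in dump")
    for line in lines:
        r = RANGE_RE.search(line)
        if r:
            kind, start, end = r.groups()
            for addr in (start, end):
                if ipaddress.ip_address(addr) not in network:
                    raise ValueError(f"{kind} address {addr} is outside {network}")
    return "\n".join(lines) + "\n"


def scope_line(dump_text):
    """The 'add scope' line of a dump, for inspection."""
    return next(l for l in dump_text.splitlines() if SCOPE_RE.match(l))


if __name__ == "__main__":
    print(scope_line(rewrite_scope_mask(DUMP_TEXT, "255.255.255.128")))
```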
Thursday, January 30, 2014
Checking Cisco ASA ASDM, HTTPS, SSH and telnet connections
Unable to asdm
make sure vpn 3-des is enabled
Issue "sh ver" and make sure the unit has the 3DES license.
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
.
.
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
If 3DES is not enabled, it is easy and free to get the activation key that enables it. Go to http://www.cisco.com/go/license, log in with your CCO ID, open the list of available licenses, and choose Cisco ASA 3DES/AES License.
Fill out all the information, including the serial number of the firewall, and you should see a message saying you will receive the activation key via e-mail within 1 hour.
Once you receive the activation key via e-mail, add it to the unit via the CLI:
ASA#conf t
ASA(config)#activation-key <copy and paste the 4-tuple or 5-tuple>
ASA(config)#wri mem
ASA(config)#exit
Issue "sh ver" again and make sure 3DES shows Enabled.
make sure the asdm image is loaded
Issue "sh ver" and make sure the ASDM image is loaded.
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
If not, TFTP the appropriate .bin file to flash and configure "asdm image disk0:/asdm-621.bin".
Make sure you are running an ASDM version that matches the ASA software version.
http server is enabled
Issue "sh run http" and make sure the HTTP server is enabled.
http server enable
http 172.18.124.0 255.255.255.0 inside ------> all hosts in this subnet are allowed to asdm
http 10.10.10.10 255.255.255.255 dmz ----> only the single host 10.10.10.10 in the subnet is allowed to asdm
sh asp table socket
Make sure that "sh asp table socket" shows the unit listening on port 443 on the interface that you are trying to asdm to. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000e5bf 172.18.124.254:443 0.0.0.0:* LISTEN
SSL 00019c6f 10.10.10.1:443 0.0.0.0:* LISTEN
If you do not see the unit listening on port 443 then try to remove the "http server enable" line and add it back to the config.
ASA#conf t
ASA(config)#no http server enable
ASA(config)#http server enable
http access is allowed
Issue the command "sh run http" and make sure the IP address that you are trying to asdm from is allowed.
ASA# sh run http
http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.2.180.32 255.255.255.248 inside
webvpn enabled on port 443
Issue the command "sh run webvpn" and see if WebVPN is enabled and has a configuration section under webvpn. If it is, change the port that ASDM listens on to something other than 443.
ASA#conf t
ASA(config)#http server enable 4443
Once done, try to launch ASDM by going to https://10.10.10.1:4443, where 10.10.10.1 is the interface IP address of the firewall that is closest to the client.
sh run all ssl
Issue the command "sh run all ssl" and make sure you see the following lines in the output. If not, add them to the config. Note that rc4-md5, rc4-sha1 and 3des-sha1 are considered weak ciphers today; keep them only if an old client still needs them.
ASA# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
make sure to run the latest java
Download the latest Java from http://www.java.com/en/download/index.jsp, install it on the client and try to launch ASDM.
try another browser
If IE (Internet Explorer) doesn't work, try a different browser like Firefox, Safari or Chrome.
check the logs
Enable logging with the following commands if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x
where x.x.x.x is the client's IP address from which you are trying to asdm.
collect captures
If you are running ASA/PIX 7.2 or later code you can use the "match" keyword in the capture. In the command below:
capin - is the name of the capture
10.10.10.1 - is the IP address of the ASA that is listening on port 443
inside - is the name of the interface to which we are trying to asdm
cap capin int inside match tcp any host 10.10.10.1 eq 443
sh cap capin
Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
Unable to telnet
make sure telnet is allowed
Issue the command "sh run telnet" and make sure telnet is allowed. Bear in mind that you cannot telnet to the lowest-security interface on the firewall. Telnet is unencrypted, so prefer SSH for management wherever possible.
ASA# sh run telnet
telnet 0.0.0.0 0.0.0.0 dmz1
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
sh asp table socket
Issue the command "sh asp table socket" and make sure the firewall is listening on tcp port 23. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
TCP 00024a1f 172.18.124.254:23 0.0.0.0:* LISTEN
TCP 0002ea9f 10.10.10.1:23 0.0.0.0:* LISTEN
If you do not see it listening then, remove the telnet lines from the config and add them back in.
check the logs
Enable logging with the following command if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x
where x.x.x.x is the client's IP address from which you are trying to telnet.
collect captures
If you are running ASA/PIX 7.2 or later code you can use the "match" keyword in the capture. In the command below:
capin - is the name of the capture
10.10.10.1 - is the IP address of the ASA that is listening on port 23
inside - is the name of the interface to which we are trying to telnet
cap capin int inside match tcp any host 10.10.10.1 eq 23
sh cap capin
Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
Unable to ssh
make sure ssh is enabled and allowed
Issue the command "sh run ssh" and make sure SSH is enabled for the client IP or subnet. If not, add the subnet or IP address that is allowed to SSH, with the corresponding interface.
ASA# sh run ssh
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 dmz1
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 60
Is there an RSA key pair?
Issue the command "sh cry key mypubkey rsa" and make sure the "Default-RSA-Key" is present. If not, create the RSA key pair with the command "cry key generate rsa modulus 1024" (1024-bit RSA is considered weak today; use a larger modulus such as 2048 where your ASA software supports it).
ASA# sh cry key mypubkey rsa
Key pair was generated at: 22:52:03 CEDT Aug 22 2007
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00b41d91
.
.
.
effb9f5c 50a2ed60 290cdc4b ab1e0cc7 d334afdf e9850be4 c00faa18 47020301 0001
Key pair was generated at: 03:04:55 CEDT Sep 15 2010
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 008eba15 2281909f
.
.
.
82db59d0 c3633648 6334ca6b ff531605 48ec82ce e9977506 97020301 0001
sh asp table socket
Issue the command "sh asp table socket" and make sure the firewall is listening on tcp 22. This command is not supported on the FWSM.
ASA# sh asp table socket
Protocol Socket Local Address Foreign Address State
TCP 0003dc4f 172.18.124.254:22 0.0.0.0:* LISTEN
TCP 00043c7f 10.10.10.1:22 0.0.0.0:* LISTEN
TCP 005de0a8 172.18.124.254:22 10.117.14.67:64892 ESTAB
check the logs
Enable logging with the following command if not already enabled and check the logs.
ASA#conf t
ASA(config)#logging on
ASA(config)#logging buffered debug
ASA(config)#end
ASA#sh logg | i x.x.x.x
where x.x.x.x is the client's IP address from which you are trying to ssh.
collect captures
If you are running ASA/PIX 7.2 or later code you can use the "match" keyword in the capture. In the command below:
capin - is the name of the capture
10.10.10.1 - is the IP address of the ASA that is listening on port 22
inside - is the name of the interface to which we are trying to ssh
cap capin int inside match tcp any host 10.10.10.1 eq 22
sh cap capin
Once done troubleshooting you can remove the capture by issuing "no cap capin". On the FWSM the "match" keyword does not work; follow this link to configure captures on the FWSM: https://supportforums.cisco.com/docs/DOC-1222
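As an added example (not the post's own material), this Python script performs the same checks the ASDM, telnet and SSH sections above walk through by hand: it parses the access lines in the format of "sh run http", "sh run ssh" and "sh run telnet", the listeners in "sh asp table socket", and reports why a given client would be refused. The configuration and socket table samples are constructed.

```python
import ipaddress
import re

# Constructed sample in the format of "sh run http", "sh run ssh" and "sh run telnet".
RUN_CONFIG = """\
http server enable
http 172.18.124.0 255.255.255.0 inside
http 10.2.180.32 255.255.255.248 inside
ssh 10.10.10.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 dmz1
"""

# Constructed sample in the format of "sh asp table socket".
ASP_SOCKETS = """\
Protocol Socket Local Address Foreign Address State
SSL 0000e5bf 172.18.124.254:443 0.0.0.0:* LISTEN
TCP 0003dc4f 172.18.124.254:22 0.0.0.0:* LISTEN
TCP 005de0a8 172.18.124.254:22 10.117.14.67:64892 ESTAB
"""

ACCESS_RE = re.compile(r"^(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
SOCKET_RE = re.compile(r"^(SSL|TCP) \S+ (\d+\.\d+\.\d+\.\d+):(\d+) \S+ (\w+)$")
SERVICE_PORT = {"http": 443, "ssh": 22, "telnet": 23}


def access_rules(config_text):
    """[(service, allowed network, interface)] from http/ssh/telnet access lines."""
    rules = []
    for line in config_text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            service, addr, mask, iface = m.groups()
            rules.append((service, ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface))
    return rules


def client_allowed(config_text, service, client_ip, interface):
    """True if an access line for `service` permits client_ip on that interface."""
    ip = ipaddress.ip_address(client_ip)
    return any(s == service and i == interface and ip in net
               for s, net, i in access_rules(config_text))


def listening(asp_text, interface_ip, port):
    """True if the socket table shows a LISTEN entry for interface_ip:port."""
    for line in asp_text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m and m.group(2) == interface_ip and int(m.group(3)) == port and m.group(4) == "LISTEN":
            return True
    return False


def diagnose(config_text, asp_text, service, client_ip, interface, interface_ip, port=None):
    """List the reasons a management connection would fail (empty list = looks fine)."""
    port = port or SERVICE_PORT[service]
    findings = []
    if service == "http" and "http server enable" not in config_text:
        findings.append("http server is not enabled")
    if not client_allowed(config_text, service, client_ip, interface):
        findings.append(f"{client_ip} is not allowed to {service} on {interface}")
    if not listening(asp_text, interface_ip, port):
        findings.append(f"no listener on {interface_ip}:{port}")
    return findings


if __name__ == "__main__":
    print(diagnose(RUN_CONFIG, ASP_SOCKETS, "ssh", "172.18.124.50", "inside", "172.18.124.254"))
```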
Friday, January 17, 2014
Cisco AnyConnect installation issue: Cisco Secure Desktop won't run
This issue is mostly due to Java or ActiveX security settings.
solution:
1. Lower the Java security setting,
or change the IE security setting by unchecking Protected Mode.
AnyConnect installation error: The VPN client agent was unable to create the interprocess communication depot
Internet Connection Sharing (ICS) is not compatible with AnyConnect. You must disable ICS for AnyConnect to function properly.
When you try to launch AnyConnect on a PC on which ICS is already running, AnyConnect returns this error message:
The vpn client agent was unable to create the interprocess communication depot.
In order to resolve this issue, disable ICS and launch AnyConnect again.
solution:
- Click the Start button.
- Click on Control Panel.
- Click on View Network Status and Tasks.
- Click on Change adapter settings.
- Right-click the shared connection and choose Properties.
- Click the Sharing tab.
- Clear the "Allow other network users to connect through this computer's Internet connection" checkbox.
- Click OK.
- Reboot.
- Reinstall AnyConnect.