I was SSH'd into a router & changed the modulus size using the "crypto key generate rsa" command. After that, when I try SSH with PuTTY I get a "connection refused" error & can't log in anymore. Any ideas?
Does anyone know what form factor the 5512-X uses for an SSD? I am trying to install the FTD image and demo a next-gen firewall & I have a few lying around and would like to use them. My 5512-X does not have one.
First off, AnyConnect works perfectly with the 3 laptops my techs are using. They all have version 4.5 AnyConnect client apps & never have any issues. However, one of my other users has AnyConnect client version 3.1.12020 & can successfully authenticate (most of the time) when trying to connect to the same ASA, but immediately after entering the password & seeing the banner, the user gets an error saying "The vpn client failed to establish connection". I am including my config below & the log I captured when the user experienced this issue.
Here are some important facts worth mentioning...
1) The user puts the public address of the outside interface of the ASA in question into the Anyconnect client & attempts connections the same way the other users do.
2) There is no tacacs+/radius authentication involved just locally configured usernames.
3) The issue happens on the same circuits that the successful users use.
4) The user experiencing issues only experiences this issue with this ASA & can successfully connect to other ASAs using the same laptop & client.
5) The same exact .pkg file/version on the ASA in question is running on other ASAs that the problem user is connecting to successfully with no issues.
6) AnyConnect client version 3.1.12020 is end of life & cannot be downloaded from Cisco support anymore, so I cannot downgrade my other users from 4.5, nor do I want to if I could.
7) There are 100 IP addresses available for SSL clients in the pool when the issue happens.
8) I in
Apr 02 2018 16:05:16: %ASA-6-302013: Built inbound TCP connection 63426 for outside:22.214.171.124/62276 (126.96.36.199/62276) to identity:188.8.131.52/443 (184.108.40.206/443)
Apr 02 2018 16:05:16: %ASA-6-725001: Starting SSL handshake with client outside:220.127.116.11/62276 for TLS session.
Apr 02 2018 16:05:16: %ASA-7-725010: Device supports the following 6 cipher(s).
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : RC4-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : DHE-RSA-AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : DHE-RSA-AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : DES-CBC3-SHA
Apr 02 2018 16:05:16: %ASA-7-725008: SSL client outside:18.104.22.168/62276 proposes the following 3 cipher(s).
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : DES-CBC3-SHA
Apr 02 2018 16:05:16: %ASA-7-725012: Device chooses cipher : AES128-SHA for the SSL session with client outside:22.214.171.124/62276
Apr 02 2018 16:05:16: %ASA-6-725002: Device completed SSL handshake with client outside:126.96.36.199/62276
Apr 02 2018 16:05:16: %ASA-6-725007: SSL session with client outside:188.8.131.52/62276 terminated.
asa# sh run
: Saved
:
: Serial Number: JMX1422Z1SF
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname asa
enable password Z5tXLWscwJUZOz0q encrypted
passwd Z5tXLWscwJUZOz0q encrypted
names
ip local pool SSLCLIENTPOOL 10.0.2.1-10.0.2.100 mask 255.255.255.0
ip local pool NON-ADMINS 10.0.3.1-10.0.3.100 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ddns update hostname enterprise.ddns.net
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 10.20.10.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object service HTTP
 service tcp source eq www
object service HTTPS-ALTERNATE
 service tcp source eq 4443
 description Port 443 used for Anyconnet- Cant reassign
object-group network DENIED-ADDRESSES
 network-object host 184.108.40.206
object-group network ANYCONNECT-REMOTE-USERS
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
object-group network DMZ-SUBNET
 network-object 10.20.10.0 255.255.255.0
object-group network SERVER
 description internal server 10.0.1.0/24
 network-object host 10.0.1.15
object-group network INSIDENET
 network-object 10.0.1.0 255.255.255.0
access-list acl-inside extended permit tcp any any eq www
access-list acl-inside extended permit tcp any any eq https
access-list acl-inside extended permit udp any any eq domain
access-list acl-inside extended permit icmp any any
access-list acl-inside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended permit tcp any object-group SERVER eq www
access-list acl-outside extended permit tcp any object-group SERVER eq 4443
access-list acl-outside extended deny ip any any log
access-list acl-DMZ extended permit icmp any any
access-list acl-DMZ extended permit icmp any any echo-reply
access-list acl-DMZ extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging monitor debugging
logging buffered debugging
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static SERVER interface service HTTP HTTP
nat (inside,outside) source static SERVER interface service HTTPS-ALTERNATE HTTPS-ALTERNATE
nat (inside,outside) source static any any destination static ANYCONNECT-REMOTE-USERS ANYCONNECT-REMOTE-USERS no-proxy-arp route-lookup
nat (outside,outside) source dynamic ANYCONNECT-REMOTE-USERS interface
!
nat (DMZ,outside) after-auto source dynamic DMZ-SUBNET interface
nat (inside,outside) after-auto source dynamic INSIDENET interface
access-group acl-inside in interface inside
access-group acl-outside in interface outside
access-group acl-DMZ in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint LOCALTRUST
 enrollment self
 fqdn none
 subject-name CN=eagleshouse.ddns.net
 keypair SSLVPNKEY
 crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.2.0 255.255.255.0 inside
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd update dns both
!
dhcpd address 10.0.1.100-10.0.1.200 inside
dhcpd dns 220.127.116.11 18.104.22.168 interface inside
dhcpd lease 604800 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 22.214.171.124 source outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy SSLCLIENT-user internal
group-policy SSLCLIENT-user attributes
 banner value <3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3
 banner value
 banner value Private Network Accessed Successfully
 banner value
 banner value <3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3<3
 dns-server value 126.96.36.199
 vpn-tunnel-protocol ssl-client
 address-pools value NON-ADMINS
group-policy SSLCLIENT internal
group-policy SSLCLIENT attributes
 banner value $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 banner value
 banner value Private LAN Accessed Successfully
 banner value
 banner value $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 dns-server value 188.8.131.52
 vpn-tunnel-protocol ssl-client
 address-pools value SSLCLIENTPOOL
username user password fRAgGdr9iEIBx9ry encrypted privilege 15
username user attributes
 service-type remote-access
username manager password 2bCZa9d0lswzoyHg encrypted privilege 15
username usernet password u7/ry.bOw8ISRWnM encrypted privilege 15
username usernet attributes
 vpn-group-policy SSLCLIENT-user
 service-type remote-access
tunnel-group SSLCLIENT-VPN type remote-access
tunnel-group SSLCLIENT-VPN general-attributes
 default-group-policy SSLCLIENT
tunnel-group SSLCLIENT-VPN webvpn-attributes
 group-alias ENTERPRISE enable
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email firstname.lastname@example.org
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2c6cdb344525bea4f49f8178829c9e02
: end
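The handshake log in the post above records the full cipher negotiation and then the session closing in the same second. The script below is an added example, not code from the post or from Cisco: it parses the ASA 7250xx messages per client, reports which suites the device offered, which the client proposed and which was chosen, and flags RC4, 3DES and suites without forward secrecy. The sample log lines, the client address/port and the ASA identity address are constructed, and the weak-suite policy is an assumption; the point is to see exactly what the log does and does not tell you (the negotiation completed with AES128-SHA, and nothing in these lines says why the session then terminated).

```python
import re

# Constructed sample in the post's log format (client address/port and the
# ASA identity address are placeholders, not the poster's).
SAMPLE_LOG = """\
Apr 02 2018 16:05:16: %ASA-6-302013: Built inbound TCP connection 63426 for outside:203.0.113.9/62276 (203.0.113.9/62276) to identity:198.51.100.2/443 (198.51.100.2/443)
Apr 02 2018 16:05:16: %ASA-6-725001: Starting SSL handshake with client outside:203.0.113.9/62276 for TLS session.
Apr 02 2018 16:05:16: %ASA-7-725010: Device supports the following 6 cipher(s).
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : RC4-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : DHE-RSA-AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : DHE-RSA-AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : DES-CBC3-SHA
Apr 02 2018 16:05:16: %ASA-7-725008: SSL client outside:203.0.113.9/62276 proposes the following 3 cipher(s).
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : AES256-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : AES128-SHA
Apr 02 2018 16:05:16: %ASA-7-725011: Cipher : DES-CBC3-SHA
Apr 02 2018 16:05:16: %ASA-7-725012: Device chooses cipher : AES128-SHA for the SSL session with client outside:203.0.113.9/62276
Apr 02 2018 16:05:16: %ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.9/62276
Apr 02 2018 16:05:16: %ASA-6-725007: SSL session with client outside:203.0.113.9/62276 terminated.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msg>\d{6}): (?P<body>.*)$")
CLIENT_RE = re.compile(r"client (?P<client>\S+:\d{1,3}(?:\.\d{1,3}){3}/\d+)")
CIPHER_RE = re.compile(r"Cipher : (?P<name>\S+)")
CHOSEN_RE = re.compile(r"Device chooses cipher : (?P<name>\S+)")


def assess_cipher(name):
    """Concerns for an OpenSSL-style suite name under an assumed policy:
    no RC4, no 3DES, forward secrecy expected. Empty list means no concern."""
    concerns = []
    if "RC4" in name:
        concerns.append("RC4 is prohibited in TLS (RFC 7465)")
    if "DES-CBC3" in name or "3DES" in name:
        concerns.append("3DES: 64-bit block, Sweet32 birthday attack")
    if not name.startswith(("DHE-", "ECDHE-")):
        concerns.append("no forward secrecy (static RSA key exchange)")
    return concerns


def analyze_handshakes(text):
    """Group the 7250xx messages per client (outside:ip/port) and return, for each,
    the suites the device offered, the suites the client proposed, the chosen suite,
    completion/termination timestamps and the policy verdicts."""
    sessions = {}
    current, collecting = None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg, body = m["ts"], m["msg"], m["body"]
        c = CLIENT_RE.search(body)
        if c:
            # 725001/725008/725012/725002/725007 name the client; 725010/725011 do not,
            # so cipher lists are attributed to the most recently named client.
            current = c["client"]
            s = sessions.setdefault(current, {"device": [], "client": [], "chosen": None,
                                              "completed_at": None, "terminated_at": None})
        elif current is None:
            continue
        else:
            s = sessions[current]
        if msg == "725010":
            collecting = "device"
        elif msg == "725008":
            collecting = "client"
        elif msg == "725011" and collecting:
            s[collecting].append(CIPHER_RE.search(body)["name"])
        elif msg == "725012":
            s["chosen"] = CHOSEN_RE.search(body)["name"]
            collecting = None
        elif msg == "725002":
            s["completed_at"] = ts
        elif msg == "725007":
            s["terminated_at"] = ts
    for s in sessions.values():
        s["flagged_device"] = {n: assess_cipher(n) for n in s["device"] if assess_cipher(n)}
        s["client_pfs_capable"] = any(n.startswith(("DHE-", "ECDHE-")) for n in s["client"])
        s["chosen_concerns"] = assess_cipher(s["chosen"]) if s["chosen"] else []
    return sessions


if __name__ == "__main__":
    for client, s in analyze_handshakes(SAMPLE_LOG).items():
        print(client, "chose", s["chosen"], "| completed", s["completed_at"], "| terminated", s["terminated_at"])
        print("  client can do forward secrecy:", s["client_pfs_capable"])
        for name, concerns in s["flagged_device"].items():
            print("  offered by device:", name, "->", "; ".join(concerns))
```

Run against a real `show logging` or syslog export the same way; the only format assumption is the `Mon DD YYYY HH:MM:SS:` timestamp style the post's ASA uses (`logging timestamp` enabled). Note that the client here never proposes a DHE suite, so even though the device offers two, no forward-secret suite could have been chosen.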
I am trying to see HTTP connections from 2 devices both on the same subnet. One device can access the other totally fine & there are no communication issues, but when I run the captures below I don't see anything show up on the capture. I double-checked my capture command to make sure I am capturing the right traffic on the right interface & I'm starting to wonder if anything will even show up, since both devices are on the same subnet & are probably not crossing the inside interface; they most likely are going layer 2 directly from device to device, communicating on the switch, not through the router. Should I expect to see anything?
Goodyear# capture I-HHTP interface inside match tcp any any eq 80
Goodyear# sh cap
capture I-HHTP type raw-data interface inside [Capturing - 0 bytes]
  match tcp any any eq www
So is this normal? I know that technically when a tunnel rekeys phase 1 there can be a delay from an end-user application perspective due to rekeying (e.g. an RDP session hangs for a second or 2). Is that what's happening in this case? When I hear the tunnel is down immediately I assume there are serious problems.
I am trying to find a way to know if my IPsec tunnel went down at any given point in the last month. I have my logs set to store for 90 days no matter how big the log file. Can someone help me try to determine tunnel states historically speaking? I have examples but I'm not sure if these logs are saying that my tunnel is actually going down or if the "connection terminated" message below is normal & phase 1 is just simply rekeying. If below is normal behavior could someone tell me what they would expect to see in a log if the tunnel went down for any reason?
asa-20180305.gz:Mar 4 01:13:24 192.168.210.20 %ASA-5-713050: Group = 184.108.40.206, IP = 220.127.116.11, Connection terminated for peer 18.104.22.168. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.105.0, Local Proxy 0.0.0.0
asa-20180305.gz:Mar 4 01:13:24 192.168.210.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA9744E49) between 22.214.171.124 and 126.96.36.199 (user= 188.8.131.52) has been deleted.
asa-20180305.gz:Mar 4 01:13:24 192.168.210.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x515BEA40) between 184.108.40.206 and 220.127.116.11 (user= 18.104.22.168) has been deleted.
asa-20180305.gz:Mar 4 01:13:29 192.168.210.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x743A157A) between 22.214.171.124 and 126.96.36.199 (user= 188.8.131.52) has been deleted.
asa-20180305.gz:Mar 4 01:13:29 192.168.210.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x035B5B9B) between 184.108.40.206 and 220.127.116.11 (user= 18.104.22.168) has been deleted.
asa-20180305.gz:Mar 4 01:14:10 192.168.210.20 %ASA-5-713041: Group = 22.214.171.124, IP = 126.96.36.199, IKE Initiator: New Phase 2, Intf outside, IKE Peer 188.8.131.52 local Proxy Address 0.0.0.0, remote Proxy Address 192.168.105.0, Crypto map (outside_map)
asa-20180305.gz:Mar 4 01:14:10 192.168.210.20 %ASA-5-713073: Group = 184.108.40.206, IP = 220.127.116.11, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
asa-20180305.gz:Mar 4 01:14:10 192.168.210.20 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x86011ECF) between 18.104.22.168 and 22.214.171.124 (user= 126.96.36.199) has been created.
asa-20180305.gz:Mar 4 01:14:10 192.168.210.20 %ASA-5-713049: Group = 188.8.131.52, IP = 184.108.40.206, Security negotiation complete for LAN-to-LAN Group (220.127.116.11) Initiator, Inbound SPI = 0xe205e5aa, Outbound SPI = 0x86011ecf
asa-20180305.gz:Mar 4 01:14:10 192.168.210.20 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xE205E5AA) between 18.104.22.168 and 22.214.171.124 (user= 126.96.36.199) has been created.
asa-20180305.gz:Mar 4 01:14:10 192.168.210.20 %ASA-5-713120: Group = 188.8.131.52, IP = 184.108.40.206, PHASE 2 COMPLETED (msgid=3e1f6c99)
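The question above (was the tunnel down, or just cycling) can be answered from the 602303/602304 SA create/delete messages by tracking how many live SAs each peer has: a normal rekey creates the replacement SA before the old one is deleted, so the live count never reaches zero; an idle-timeout teardown (713050 "IPSec SA Idle Timeout") drops it to zero until traffic triggers a new negotiation; a real outage leaves it at zero for a long time. The script below is an added example, not code from the post or from Cisco. It parses grep-style output like the post's, walks the events per peer, and labels every zero-SA interval either "cycle" or "outage" against a grace period. The sample lines, addresses and SPIs are constructed (they follow the post's format but are not its data), and the two-minute grace threshold is an assumption you should tune to your own rekey/idle settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's syslog format (addresses and SPIs are placeholders).
# Three patterns: 01:13 idle-timeout teardown rebuilt 46 s later; 02:00 normal rekey
# (new SAs created before the old ones are deleted); 03:00 both SAs gone for 25 minutes.
SAMPLE_LOG = """\
asa-20180305.gz:Mar 4 01:13:24 192.0.2.20 %ASA-5-713050: Group = 198.51.100.7, IP = 198.51.100.7, Connection terminated for peer 198.51.100.7.  Reason: IPSec SA Idle Timeout  Remote Proxy 192.168.105.0, Local Proxy 0.0.0.0
asa-20180305.gz:Mar 4 01:13:24 192.0.2.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xA9744E49) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
asa-20180305.gz:Mar 4 01:13:24 192.0.2.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x515BEA40) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
asa-20180305.gz:Mar 4 01:14:10 192.0.2.20 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x86011ECF) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
asa-20180305.gz:Mar 4 01:14:10 192.0.2.20 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xE205E5AA) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
asa-20180305.gz:Mar 4 02:00:00 192.0.2.20 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x55555555) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
asa-20180305.gz:Mar 4 02:00:00 192.0.2.20 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x66666666) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
asa-20180305.gz:Mar 4 02:00:01 192.0.2.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x86011ECF) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
asa-20180305.gz:Mar 4 02:00:01 192.0.2.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xE205E5AA) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
asa-20180305.gz:Mar 4 03:00:00 192.0.2.20 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x55555555) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
asa-20180305.gz:Mar 4 03:00:00 192.0.2.20 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x66666666) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
asa-20180305.gz:Mar 4 03:25:00 192.0.2.20 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x77777777) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
asa-20180305.gz:Mar 4 03:25:00 192.0.2.20 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x88888888) between 192.0.2.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
"""

# Optional "file.gz:" grep prefix, syslog timestamp without year, reporting host, message id.
LINE_RE = re.compile(r"^(?:\S+?\.gz:)?(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msg>\d{6}): (?P<body>.*)$")
SA_RE = re.compile(r"An (?P<dir>inbound|outbound) LAN-to-LAN SA \(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) .*\(user= (?P<peer>\S+)\) has been (?P<action>created|deleted)")
REASON_RE = re.compile(r"Connection terminated for peer (?P<peer>[\d.]+)\.\s+Reason: (?P<reason>.+?)\s+Remote Proxy")


def parse_events(text, year=2018):
    """Return (time, peer, kind, detail) tuples; kind is 'created', 'deleted'
    (detail = 'direction SPI') or 'terminated' (detail = the 713050 Reason text).
    Syslog lines carry no year, so it is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        msg, body = m["msg"], m["body"]
        if msg in ("602303", "602304"):
            sa = SA_RE.search(body)
            if sa:
                events.append((ts, sa["peer"], sa["action"], f"{sa['dir']} {sa['spi'].upper()}"))
        elif msg == "713050":
            r = REASON_RE.search(body)
            if r:
                events.append((ts, r["peer"], "terminated", r["reason"].strip()))
    return events


def tunnel_gaps(events, grace=timedelta(minutes=2)):
    """Track the set of live SPIs per peer. A gap opens when the last live SA is
    deleted and closes on the next creation. Gaps no longer than `grace` (an assumed
    threshold) are labelled 'cycle'; longer ones 'outage'. A 713050 reason seen for
    the peer is attached to the gap it precedes."""
    live, down_since, reasons, gaps = defaultdict(set), {}, {}, []
    for ts, peer, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "terminated":
            reasons[peer] = detail
        elif kind == "deleted":
            live[peer].discard(detail)
            if not live[peer] and peer not in down_since:
                down_since[peer] = ts
        elif kind == "created":
            if peer in down_since:
                start = down_since.pop(peer)
                dur = ts - start
                gaps.append({"peer": peer, "start": start, "end": ts, "seconds": int(dur.total_seconds()),
                             "reason": reasons.pop(peer, None), "verdict": "cycle" if dur <= grace else "outage"})
            live[peer].add(detail)
    for peer, start in down_since.items():  # still down when the log ends
        gaps.append({"peer": peer, "start": start, "end": None, "seconds": None,
                     "reason": reasons.get(peer), "verdict": "down at end of log"})
    return gaps


if __name__ == "__main__":
    for g in tunnel_gaps(parse_events(SAMPLE_LOG)):
        print(f"{g['peer']}: {g['verdict']} from {g['start']} to {g['end']} ({g['seconds']} s) reason={g['reason']}")
```

Feed it `zgrep -h 'ASA-[56]-\(6023\|713050\)' asa-2018*.gz` output for the month and the gaps list is the history the post asks for; a rekey that overlaps correctly never appears in it, and the 713073 "Responder forcing change of IPSec rekeying duration" lines are not needed for the classification.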
Sorry, I was under the impression you saw the config I posted. There are only 2 interfaces on the ASA, an inside & an outside. The server & inside devices I am referring to are utilizing inside addresses from the inside interface 10.0.1.0/24. These are the IPs that I can't ping, as well as anything outside on the Internet such as 220.127.116.11
I ran captures on my server & other inside devices, pinging them and telnetting to open ports on these inside devices, while successfully connected with AnyConnect. The captures show no attempts from my AnyConnect IP address pool (10.0.2.0/24) while doing this.
Not to get off path, but I also tried connecting with AnyConnect from another PC which has AnyConnect client version 3.1 & got mixed results, all bad I should say. When this happened the AnyConnect client gave me an error saying the certificate on the secure gateway is not valid (something to that effect) & from the same PC/client another error saying I need to get on a web browser first & my provider is not online (something to that effect also). I was able to successfully connect with AnyConnect to other ASAs from the same PC/client. Don't know if this helps. Not sure what else to do.
I am able to connect with the AnyConnect client version 4.5 but I'm not able to access anything inside or out. I'm trying to access my switch & server via SSH & RDP but cannot get to or ping anything. What do you think is going on?