Friday 28 August 2015

Cisco ASA web interface not working

I had to troubleshoot a Cisco ASA today, where the client wasn’t able to connect to the management web interface anymore via https. The customer didn’t install ASDM locally, but always starts the Java-based version.
After upgrading the Cisco ASA to software version 8.2(1) and a reboot, the client wasn’t able to connect to the web interface anymore. I was able to connect to the firewall with my locally installed ASDM client, but I couldn’t access the web interface either.
While troubleshooting I first tried the basic settings, like the management access-list, regenerating the crypto keys and changing the management port. None of these options helped, but the strange thing was that the web interface was working remotely.
While working with Mozilla I received the following error:
cannot communicate securely with peer: no common encryption algorithm(s).
In Google Chrome I received the following error:
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
And of course Internet Explorer didn't give any usable information. I started looking at the supported encryption algorithms within the firewall with a show version. I noticed that VPN-3DES-AES was disabled. The next step was to enable the VPN-3DES-AES ciphers. The upgrade license for this feature is available for free at http://www.cisco.com/go/license.
I activated the VPN-3DES-AES feature, but still wasn’t able to connect to the firewall with the web interface. I checked the SSL encryption used by the firewall.
fw01# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
The firewall still didn’t enable the ciphers supported in my browser. If the VPN-3DES-AES license isn’t installed, only the cipher des-sha1 is enabled by default. I added the correct ciphers with the following command:
fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1
After adding the command I was able to connect to the ASA with both the web interface and the ASDM.
Taken from:
http://www.booches.nl/2010/12/cisco-asa-web-interface-not-working/
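
The show ssl output above is worth reading as an audit record, not just as a symptom: it shows which protocol versions the box accepts as well as which ciphers it offers. As an added example (not code from the booches.nl article or from Cisco), the Python below parses that output and reports the obsolete versions still accepted, the weak ciphers enabled, the strong ciphers still disabled, and the ssl encryption line that fixes the cipher side. The cipher classification is this example's own judgement; the embedded sample is the page's show ssl output.

```python
import re

# Cipher names as the ASA prints them in "show ssl". The three classes are this
# example's own audit judgement (constructed here), not an ASA setting.
WEAK = {"null-sha1", "des-sha1", "rc4-md5", "rc4-sha1"}  # no encryption, 56-bit DES, RC4
LEGACY = {"3des-sha1"}                                     # 112-bit effective strength
STRONG = {"aes128-sha1", "aes256-sha1"}
PREFERRED_ORDER = ("aes256-sha1", "aes128-sha1", "3des-sha1")  # same order as the fix above

# Sample input: the "show ssl" output quoted on this page.
SAMPLE_SHOW_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
"""


def parse_show_ssl(output):
    """Extract accepted protocol versions and the enabled/disabled cipher lists."""
    accepted, enabled, disabled = [], [], []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Accept connections using"):
            head = line.split(" and negotiate", 1)[0]
            accepted = re.findall(r"SSLv2|SSLv3|TLSv1(?:\.\d)?", head)
        elif line.startswith("Enabled cipher order:"):
            enabled = line.split(":", 1)[1].split()
        elif line.startswith("Disabled ciphers:"):
            disabled = line.split(":", 1)[1].split()
    return accepted, enabled, disabled


def audit_show_ssl(output):
    """Flag weak settings and propose the 'ssl encryption' line.

    The proposal lists only ciphers the platform reports at all, strongest
    first, so the command is valid for the box that produced the output.
    """
    accepted, enabled, disabled = parse_show_ssl(output)
    known = set(enabled) | set(disabled)
    proposal = [c for c in PREFERRED_ORDER if c in known]
    return {
        "insecure_versions": [v for v in accepted if v in ("SSLv2", "SSLv3")],
        "weak_enabled": [c for c in enabled if c in WEAK],
        "strong_disabled": [c for c in disabled if c in STRONG],
        # True when nothing in the STRONG class is offered: the browser-failure condition.
        "no_strong_cipher_enabled": not (set(enabled) & STRONG),
        "command": ("ssl encryption " + " ".join(proposal)) if proposal else None,
    }


if __name__ == "__main__":
    for key, value in audit_show_ssl(SAMPLE_SHOW_SSL).items():
        print(f"{key}: {value}")
```

On the page's output this flags SSLv2 and SSLv3 as accepted, des-sha1 as the only enabled cipher, and proposes ssl encryption aes256-sha1 aes128-sha1 3des-sha1. Note that the cipher fix alone does not touch the first line of the output: the accepted protocol versions are controlled separately on the ASA (ssl server-version), and leaving SSLv2/SSLv3 enabled is a finding in its own right.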

Getting strong encryption license for Cisco ASA

How to obtain strong-crypto licenses for ASA

Update from Mike Wenstrom
The process to obtain a K9 activation key has changed. Here's a summary of the steps:
Strong Crypto (3DES/AES) License
Q. How can I obtain strong-crypto licenses for my ASA?
A. ASA strong crypto (3DES / AES) keys are available at: http://www.cisco.com/go/license
  1. Enter your CCO userid and password
  2. Click the “Continue to Product License Activation” link.
  3. Click Get Other Licenses > IPS, Crypto, Other…
  4. Select Security Products > Cisco ASA 3DES/AES License, click Next
  5. Enter ASA Serial number and click Next
    • If this is the first time you have applied for a strong crypto product, review and accept the terms of the license windows. You may need to return to http://www.cisco.com/go/license and complete the steps above.
  6. In the “3. Review and Submit” window, tick the “I Agree with the terms of the License” check box, review your contact information, and click Submit
  7. An email will be sent to you with the ASA Activation key and instructions on how to apply the key

https://supportforums.cisco.com/document/67701/asa-versions-image-names-and-licensing#How_to_obtain_strong-crypto_licenses_for_ASA

Tuesday 25 August 2015

Cisco ASA Error writing disk0:/.private/startup-config (I/O error)

The flash has got messed up. You can try:

  • back up the config
  • fsck disk0
  • if that fails, format disk0
  • tftp the config back on

This is documented below but if you are under warranty you can just get a replacement ASA.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81884-asa5500-disk0-error.html

Monday 24 August 2015

slowness on login to linux server

Had a server which was taking 10 seconds to log in after moving it from a hub to a VLAN on a switch. Sub-interfaces were also created on the ASA.

Checked speed and duplex on the switch ports and the server; all looked good.
Linux command for checking network card info:
sudo ethtool eth0

Sent some large ping packets back and forth; that was fine.

Found the issue was /etc/resolv.conf: the server couldn't reach the DNS servers configured in there.

We changed the DNS servers to reachable ones and the issue was resolved.

The server must have been trying to resolve our IP address during login.
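
The ten seconds are not a coincidence. With glibc's resolver defaults (resolv.conf(5): timeout 5 s, attempts 2), one lookup against a single unreachable nameserver stalls for about 2 × 5 = 10 s before the resolver gives up, and sshd performs exactly such a lookup (a reverse lookup of the connecting client's address) when UseDNS is on. Added here as an example, not part of the original post: the Python below parses resolv.conf content and estimates that worst-case stall, so you can predict the login delay from the file instead of timing it. Both resolv.conf samples are constructed, not the server's real file.

```python
# glibc resolver defaults and limits from resolv.conf(5): each query waits
# `timeout` seconds per nameserver (default 5, max 30) and is retried
# `attempts` times (default 2, max 5); at most 3 nameservers are used.
DEFAULT_TIMEOUT_S = 5
DEFAULT_ATTEMPTS = 2
MAX_TIMEOUT_S = 30
MAX_ATTEMPTS = 5
MAXNS = 3

# Constructed resolv.conf contents for the example; not the file from the post.
BROKEN_RESOLV_CONF = """\
# left over from the old network segment
search example.internal
nameserver 10.99.0.53      ; no longer reachable from the new VLAN
"""

TUNED_RESOLV_CONF = """\
search example.internal
nameserver 10.10.0.53
nameserver 10.10.0.54
options timeout:1 attempts:1
"""


def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf content.
    '#' and ';' start comments; options are written 'name' or 'name:value'."""
    nameservers, options = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, value = opt.partition(":")
                options[key] = int(value) if value.isdigit() else True
    return nameservers[:MAXNS], options


def worst_case_lookup_delay(text):
    """Seconds one lookup can stall when every listed nameserver is unreachable.

    The resolver walks the list once per attempt, waiting `timeout` for each
    server, so the estimate is attempts * nameservers * timeout. glibc adjusts
    the per-server wait when several servers are listed, so treat the result
    as an estimate rather than an exact figure.
    """
    nameservers, options = parse_resolv_conf(text)
    timeout = min(int(options.get("timeout", DEFAULT_TIMEOUT_S)), MAX_TIMEOUT_S)
    attempts = min(int(options.get("attempts", DEFAULT_ATTEMPTS)), MAX_ATTEMPTS)
    return attempts * len(nameservers) * timeout


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_RESOLV_CONF), ("tuned", TUNED_RESOLV_CONF)):
        print(f"{label}: up to {worst_case_lookup_delay(conf)} s per failed lookup")
```

Fixing the nameservers, as the post did, is the right cure; the two other levers are the options line (shorter timeout and fewer attempts bound the damage when a resolver dies later) and UseDNS no in sshd_config, which removes the lookup from the login path altogether.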

Wednesday 19 August 2015

can't access internet after creating sub interfaces on cisco ASA

I moved some interfaces into sub interfaces. Everything looked good in the config but I wasn't getting any internet connection from my hosts after the changes.

When I cleared out the config on the physical interface the ASA removed all the NAT statements for me. Good thing I had a backup of the config before making any changes. I just put all the NAT's back in and everything was good again.


Tuesday 18 August 2015

errors and discards

Errors indicate packets that were received but couldn't be processed because there was a problem with the packet. In most cases, when you're seeing inbound errors on a router interface the issue is upstream of that device: a bad cable, a misconfiguration on one end or the other, and so on. In most cases these issues are resolved outside of the router where you're seeing the errors. Error reporting is documented in RFC 1213 (among others, including RFC 1573) and is typically pulled from the IF-MIB (ifInErrors and ifOutErrors).
With discards, the situation is almost the opposite. The packets were received with no errors but were dumped before being passed on to a higher-layer protocol. A typical cause of discards is the router needing to regain some buffer space. In the case of discards, the issue is almost always with the router that's reporting the discards (not with a next-hop device, a bad cable, etc.). RFC 1213 also documents discard reporting, and the discard counters sit right beside the errors within the IF-MIB.
In any healthy network, traffic needs to be discarded at certain points. Consider configuring a switchport in trunk mode. For security reasons, the administrator only allows VLANs 1 and 2 on the link with the switchport trunk allowed vlan 1,2 command. If a packet is received with a VLAN tag of 3, it will be dropped. In this case a discard is counted, indicating the interface is working as configured.

The causes of discards can be many, including (but not limited to) the following:
  • the device lacks resources to do anything with the packet (such as full buffers),
  • the device does not have a route to send the packet to the destination,
  • the device has been configured to discard certain traffic, or

  • “InDiscards” are almost always caused by a port that is receiving tagged frames for a VLAN ID that the port is not a member of.
  • “NoResourcesPktsDropped”, on the other hand, is generally caused by a switch that is low on or out of buffer memory, so it starts dropping packets.
  • RX discards could be faulty cabling, an interface or a NIC. One common reason is mismatched VLANs: check the configured VLANs on each switch port. The port with the RX discards will be “missing” a VLAN compared to the other end of the trunk, and the switch simply discards the packets arriving on the missing VLAN (all broadcast traffic in that VLAN will be discarded by the switch port). Once the VLANs were matched up, the discards stopped.
  • TX discards usually equate to output drops in show interface. That is generally from the port queues filling up and tail-dropping because the port cannot transmit the data fast enough. Transmit discards are *not* errors. The first fix is to stop using UDP for the transfer and use TCP for its window control. Transmit discards indicate that packets were not transmitted because of network congestion: the port can't handle any more packets, so the switch tries to queue them up, and once the queues/buffers are full the packets are discarded.
  • Also note that average utilization is a bad indicator of peak utilization. You can have very low average utilization but still see output discards if there's a spike of traffic greater than link speed plus egress buffer.
  • CRC or duplex mismatches would show as errors, not discards. A VLAN interface, like any other interface, has resources assigned (buffers etc.); when these are overrun you see discards. If the other interfaces that have the errors are Ethernet, check that both sides of the link are set to the same speed/duplex; if they are not, you will see transmit/receive discards and errors. Changing interfaces may help.
  • If you have ACLs on your VLAN, packets dropped because of that ACL may be shown as discards.
  • ARP table refresh. On many platforms ARP table entries are held for 4 hours, so every 4 hours the ARP cache is flushed and you may suddenly see thousands of ARP requests a second, causing some interfaces to fill their buffer space.
  • Discards can also be caused by packets with an MTU size that is too large and the DF bit set.
  • “A discard can occur because a packet was sent to a TCP/UDP port for which there was no listener. E.g. if someone tried to make a telnet connection to the IP address on the VLAN interface, but telnet was disabled.”
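
Putting the error-versus-discard distinction to work in monitoring, added here as an example (not from the quoted thread): the Python below takes two polls of the IF-MIB counters named above, computes per-second rates, and points at the side to investigate following the rule of thumb in the text. Two details matter in practice. First, ifInErrors, ifOutErrors, ifInDiscards and ifOutDiscards are Counter32 objects with no 64-bit (HC) variants, so the delta has to be taken modulo 2^32 or a wrap between polls shows up as a huge negative number. Second, only the rate, not the absolute counter, says whether a problem is current. The counter samples are constructed for the example.

```python
COUNTER32_MODULUS = 2 ** 32

# IF-MIB error/discard objects. All four are Counter32 (RFC 2863, the current
# IF-MIB, successor of RFC 1213/1573); unlike the octet counters they have no
# 64-bit ifHC* variants, so wrap handling is mandatory on busy links.
COUNTERS = ("ifInErrors", "ifOutErrors", "ifInDiscards", "ifOutDiscards")

# Two constructed polls of one interface (not real device data). poll_time_s is
# the poller's own clock; ifOutDiscards is chosen so that it wraps between polls.
POLLS = [
    {"poll_time_s": 100, "ifInErrors": 10, "ifOutErrors": 0,
     "ifInDiscards": 5, "ifOutDiscards": 4294967290},
    {"poll_time_s": 400, "ifInErrors": 10, "ifOutErrors": 0,
     "ifInDiscards": 905, "ifOutDiscards": 20},
]


def counter_delta(old, new, modulus=COUNTER32_MODULUS):
    """Increase of a Counter32 between two polls, tolerating one wrap-around.
    4294967290 -> 20 is an increase of 26, not -4294967270."""
    return (new - old) % modulus


def counter_rates(prev, curr):
    """Per-second increase of each counter between two consecutive polls."""
    elapsed = curr["poll_time_s"] - prev["poll_time_s"]
    if elapsed <= 0:
        raise ValueError("polls must be in increasing time order")
    return {name: counter_delta(prev[name], curr[name]) / elapsed for name in COUNTERS}


def triage(rates, threshold=0.0):
    """Apply the rule of thumb from the text: errors point away from this
    device, discards point at it. Returns one finding per rising counter."""
    hints = {
        "ifInErrors": "inbound errors: look upstream (cable, far-end speed/duplex, far-end config)",
        "ifOutErrors": "outbound errors: check this port's physical layer and duplex setting",
        "ifInDiscards": "inbound discards: check this device (VLAN membership, ACLs, input buffers)",
        "ifOutDiscards": "outbound discards: egress congestion on this device (queue tail drops)",
    }
    findings = []
    for name in COUNTERS:
        rate = rates[name]
        if rate > threshold:
            findings.append(f"{name} {hints[name]} ({rate:.3f}/s)")
    return findings


if __name__ == "__main__":
    for line in triage(counter_rates(POLLS[0], POLLS[1])):
        print(line)
```

On the constructed polls the script reports rising ifInDiscards (3 per second, pointing at VLAN membership or ACLs on this device) and a small rise in ifOutDiscards that is only visible because the wrap is handled; ifInErrors is flat, so nothing points upstream. Set threshold above zero in production to ignore the background discards a healthy trunk produces, as the text describes.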

Monday 17 August 2015

Using NPS / RADIUS for logins on network (and other devices)

https://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/


Check the user has remote access allowed (Dial-in tab) in AD Users and Computers
Check the user is a member of the right AD group, if you use one in your RADIUS policy

  • NPS server set up on both DC1 + DC2
  • NPS RADIUS clients match and the shared secret matches
  • NPS policy set up and matching
  • NPS server: install Wireshark
  • NPS server: enable auditing
  • NPS server registered in AD
  • After adding new RADIUS clients, stop/start the NPS server

Side note: upgraded a 3750E to 15.2 and it broke RADIUS; change to calling the group.

Turn AAA on
aaa new-model

Set up the RADIUS servers
radius server NPS-1
address ipv4 172.16.35.63 auth-port 1812 acct-port 1813
pac key **********
!
radius server NPS-2
address ipv4 172.16.35.43 auth-port 1812 acct-port 1813
pac key ********
!

Set up the RADIUS server group
aaa group server radius RADIUS-GROUP
server name NPS-1
server name NPS-2

Set source interface
ip radius source-interface
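
The "RADIUS clients match and the shared secret matches" check is the one that bites most often, and it helps to know what the secret actually protects. Added as an example (not code from the NPS article or from IOS), the Python below implements the two places RFC 2865 uses the shared secret: hiding the User-Password attribute with an MD5 chain keyed by the secret and the Request Authenticator (section 5.2), and computing the Response Authenticator that the switch (the NAS) recomputes on every reply (section 3). With a mismatched secret the server recovers noise instead of the password and the switch rejects every reply as unauthentic, which is why the symptom on the switch is dropped replies and dead-server messages rather than a clean "bad password". The secret and authenticator values are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed values for the demo; neither comes from the devices on the page.
SECRET = b"Sh4redSecret-example"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real NAS sends 16 fresh random bytes per request


def hide_user_password(secret, request_authenticator, password):
    """RFC 2865 s.5.2: XOR each 16-byte password block with an MD5 chain keyed
    by the shared secret. The first block is keyed by the Request Authenticator,
    each later block by the previous ciphertext block."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded or len(padded) > 128:
        raise ValueError("password must be 1..128 bytes before padding")
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(secret, request_authenticator, hidden):
    """Inverse of hide_user_password; this is what the RADIUS server does.
    With the wrong secret the MD5 chain differs and the result is noise."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_reply(code, identifier, attributes, request_authenticator, secret):
    """Assemble a raw reply packet as the server sends it:
    4-byte header, 16-byte Response Authenticator, then the attributes."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def reply_is_authentic(reply, request_authenticator, secret):
    """The NAS-side check: recompute the Response Authenticator with the secret
    configured for this server and compare in constant time."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, reply[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    hidden = hide_user_password(SECRET, REQUEST_AUTHENTICATOR, b"correct horse battery staple")
    print("server, right secret:", reveal_user_password(SECRET, REQUEST_AUTHENTICATOR, hidden))
    print("server, wrong secret:", reveal_user_password(b"typo", REQUEST_AUTHENTICATOR, hidden))
    accept = build_reply(2, 7, b"", REQUEST_AUTHENTICATOR, SECRET)   # code 2 = Access-Accept
    print("NAS accepts reply, right secret:", reply_is_authentic(accept, REQUEST_AUTHENTICATOR, SECRET))
    print("NAS accepts reply, wrong secret:", reply_is_authentic(accept, REQUEST_AUTHENTICATOR, b"typo"))
```

Two points follow from the code. The secret must be identical byte for byte on the switch and in the NPS RADIUS client entry, and the NPS client entry must match the address the switch sends from, which is why the ip radius source-interface setting above matters. And because the password is only XOR-masked with an MD5 keystream, with nothing stronger protecting the rest of the packet, RADIUS traffic belongs on a management VLAN or inside an encrypted transport rather than on the user network.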