Archive for the ‘CISCO’ Category

Troubleshooting ISAKMP Phase 1 Messages – Part 1

January 22nd, 2015 No comments

This is a must-keep aide-memoir for troubleshooting VPN connections.

IKE (PHASE 1) Messages: Read more…

Categories: CISCO, Security Tags: , ,

Cisco ASA Java 7 update causes ASDM not to Launch

April 14th, 2014 No comments

The recent update to Java has caused problems when the web interface of the Cisco ASDM has a security problem such as an unsigned or expired certificate. Java no longer allows ASDM to launch. The error message is shown as “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute”. This problem is fixed by adding a site exception to Java. Read more…

Categories: CISCO, Security Tags:

Cisco ASA Debug, Syslog and Logging Lists

April 10th, 2014 No comments

When troubleshooting and using debug, it is possible to create logging lists to filter out messages which are unrelated to your problem.

%ASA-2-106016: Deny IP spoof from ( to on interface Inside

logging enable
logging timestamp
logging buffered warnings
logging buffer-size 65000
logging list ACL-MESSAGES_LOG-LIST message 106023
logging console ACL-MESSAGES_LOG-LIST
logging monitor ACL-MESSAGES_LOG-LIST
show log

Categories: CISCO, Protocol Analysis Tags:

F5 BIG-IP: Monitoring TCP Applications

April 4th, 2014 No comments

LTM has built-in application health monitor templates for many TCP-based application protocols (FTP, HTTP, HTTPS, IMAP, LDAP, MSSQL, NNTP, POP3, RADIUS, RTSP, RPC, SASP, SIP, SMB, SMTP, SOAP).

If you need to monitor an application which depends on an upper layer protocol for which there is not a built-in monitor template, LTM provides a number of options to build a monitor based on the underlying transport layer protocol– TCP. Read more…

Categories: Network Design Tags:

Installing a Signed X.509 SSL Certificate into ASA via the CLI

March 11th, 2014 No comments

Having already generated the RSA key-pair on the ASA with “crypto key generate rsa mod 2048”) create a trustpoint for the VPN users, generated an SSL cetificate and CSR and have received the signed X.509 certificate and CA and intermediate SSL certificates, the certificate and CA certs will need to be installked onto the Cisco ASA.  This procedure describes the method using the CLI. Read more…

Categories: Network Design, SSL/TLS Tags:

SSL/TLS Handshake and Record Data Protocol

March 3rd, 2014 No comments

When an TLS/SSL session (such as HTTPS (default port 443) is established an SSL handshake or exchange of messages occur between the client (initiating the connection) – and a server. (See this post for an explanation of SSL certificates and encoding).

The first set of messages are called the Handshake Protocol after which both client and server enter the Record (or Data) Protocol. The messages exchanged during the Handshake Protocol achieves the following: Read more…

Categories: Security, SSL/TLS Tags: ,

Peer-to-Peer IPSec VPN using PAT

February 28th, 2014 No comments

There may be an occasion to setup a site-to-site VPN with a customer or partner network but due to the risk of overlapping private RFC1918 address space, to use a single public address and Port Address Translation.  This methos uses a single IP address in a NAT (PAT) object.  This example uses simplified NAT available from  ASA software version 8.3+

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
ccrypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac Read more…

Categories: CISCO, Security Tags: , ,

Executing ipconfig and other commands on remote machines

February 25th, 2014 No comments

To execute the “ipconfig /all” command on one or more remote machines you can use the psexec utility that is part of pstools, available from Microsoft. The syntax is: pstools \\machine_name command
For example:

C:\Users\dmatthews\Desktop\pstools>psexec \\L00151270 ipconfig /all

To list just the IP version 4 address, pipe the output throught the ‘find’ command:

C:\Users\dmatthews\Desktop\pstools>psexec \\L00151270 ipconfig /all | find “IPv4” Read more…

Categories: Network Management, Security Tags:

Troubleshooting ISAKMP Phase 1 Messages – Part 2

January 24th, 2014 No comments

This post explains the IKE Debug message: “Duplicate first packet detected”

This event is logged when packets do not reach their destination, usually due to network routing problems. The Phase 1 IKE exchange between the tunnel peers fail at MM_WAIT_MSG2

( see: Troubleshooting ISAKMP Phase 1 Messages – Part 1 to understand the IKE Messages further)

1) IKE initator sends MM_SND_MSG1 and goes into MM_WAIT_MSG2 state
2) IKE responder receives MM_SND_MSG1 and sends MM_SND_MSG2 back to the initiator and goes into a MM_WAIT_MSG3 state, expecting MM_SND_MSG3 as the next exchage from the initiator
3) IKE initiator having not received MM_SND_MSG2 from the responder, resends MM_SND_MSG1, resulting in the “Duplicate first packet detected” being logged on the responder. Read more…

Categories: CISCO, Security Tags: , ,

Understanding IPSec VPN

January 16th, 2014 No comments

IPSec involves many component technologies and encryption methods. Yet IPSec’s operation can be broken down into five main steps. The five steps are summarised as follows:

Step 1 Interesting traffic initiates the IPSec process—Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.
Step 2 IKE phase one—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase two.
Step 3 IKE phase two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
Step 4 Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.
Step 5 IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out.

A crypto map—is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPsec.  This aide-memoir pulls together items from to provide a useful recipe and refresher. Read more…

Categories: CISCO, Security, SSL/TLS Tags: