Cisco ASA - crypto ipsec df-bit clear-df. [TESTED]

When you build a VPN on a Cisco ASA, make sure that full-size packets with the DF bit set still make it through the tunnel. By default the ASA copies the DF bit from the original packet into the outer IPsec header, so a 1500-byte packet that needs the IPsec encapsulation added on top cannot be fragmented after encryption and is dropped. The fix is to clear the DF bit on the outer header on the tunnel-facing interface (here "outside"), which lets the ASA fragment the encrypted packet:

crypto ipsec df-bit clear-df outside

Before:

Router#ping vrf TEST 1.1.1.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
Router#

“M” means “Could not fragment”: the router received an ICMP “fragmentation needed” reply for its DF-marked packets, i.e. the ASA could not fit the 1500-byte packet plus IPsec overhead into the tunnel. Clearing DF trades path-MTU discovery for fragmentation of the encrypted packets, so keep the tunnel MTU and TCP MSS sane as well; the same ping is the quick test for either approach.

After:

Router#ping vrf TEST 1.1.1.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
.!!!!
Router#
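The two ping runs above can be read by a script as well. The following is an added example (not part of the original post) that parses IOS-style ping output, using the two runs shown on this page as its sample input, and flags the "M" pattern as a DF-bit / path-MTU problem. The character legend is the one from the IOS ping help text; nothing else is assumed.

```python
"""Classify Cisco IOS-style ping output so a DF-bit / path-MTU problem is
recognised automatically.  Added example, not part of the original post."""
import re
from collections import Counter

# One character per echo request, as printed by IOS and ASA ping.
PING_LEGEND = {
    "!": "reply received",
    ".": "timed out",
    "U": "destination unreachable",
    "Q": "source quench",
    "M": "could not fragment",
    "?": "unknown packet type",
    "&": "packet lifetime exceeded",
}

_RESULT_RE = re.compile(r"^[!.UQM?&]+$")
_SENDING_RE = re.compile(r"Sending (\d+), (\d+)-byte ICMP Echos")

# Sample input: the two runs shown above in this post.
BEFORE = """\
Router#ping vrf TEST 1.1.1.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
"""
AFTER = """\
Router#ping vrf TEST 1.1.1.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
.!!!!
"""

def parse_ping(output):
    """Return (packet size, DF bit set?, per-character counts)."""
    size, df_set, counts = None, False, Counter()
    for line in output.splitlines():
        line = line.strip()
        m = _SENDING_RE.search(line)
        if m:
            size = int(m.group(2))
        elif "DF bit set" in line:
            df_set = True
        elif _RESULT_RE.match(line):
            counts.update(line)          # one character per probe
    return size, df_set, counts

def diagnose(output):
    """One-line verdict; 'M' with DF set means the path cannot carry the size."""
    size, df_set, counts = parse_ping(output)
    sent = sum(counts.values())
    if sent == 0:
        return "no result line found"
    if counts["M"] and df_set:
        return (f"path MTU problem: {counts['M']}/{sent} {size}-byte DF packets "
                "could not be fragmented; check crypto ipsec df-bit / MTU / MSS")
    if counts["!"] == sent:
        return f"ok: {sent}/{sent} replies"
    others = ", ".join(f"{n}x {PING_LEGEND[c]}" for c, n in counts.items() if c != "!")
    return f"partial: {counts['!']}/{sent} replies, {others}"

if __name__ == "__main__":
    for label, run in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {diagnose(run)}")
```

The single "." in the "after" run is the usual first-packet timeout (ARP resolution), which the script reports as partial rather than as an MTU problem because no "M" is present.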

Good luck!

Cisco ASA - “no management-only” in “Transparent” mode.

Today I had to set up a pair of old ASA 5500 firewalls in Transparent mode and unfortunately hit another limitation that I hadn’t noticed before: you can’t use the Management interface for any other purpose. My idea was to use Management 0/0 as the Failover interface, but when I tried to do so I got an error:

ciscoasa# conf t
ciscoasa(config)# firewall transparent
ciscoasa(config)#
ciscoasa(config)# interface Management 0/0
ciscoasa(config-if)# no management-only 
ERROR: It is not allowed to make changes to this option in transparent mode.
ciscoasa(config-if)#

Another thing you might want to know is that U-turn (hairpin) traffic can NOT be configured in Transparent mode. That actually makes sense.

ERROR: same-security-level intra-interface CLI is not allowed in Transparent mode

I haven’t seen any document mentioning these limitations related just to Transparent mode. Now I know!
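Because the ASA only reports these errors when you type the commands, it helps to check a configuration for them before cutting over to transparent mode. The script below is an added example (not from the original post or from Cisco) that looks for the two commands rejected above. The sample configuration is constructed, and the interface-stanza parsing assumes the usual running-config layout (one-space indentation, "!" separators).

```python
"""Pre-flight check for an ASA configuration that is about to run in
transparent mode.  Added example, not from the original post or from Cisco."""
import re

# Global commands the ASA refuses in transparent mode (error text from above).
TRANSPARENT_MODE_REJECTS = [
    (re.compile(r"^\s*same-security-traffic permit intra-interface\s*$"),
     "same-security-level intra-interface CLI is not allowed in Transparent mode"),
]
MANAGEMENT_ONLY_ERROR = (
    "It is not allowed to make changes to this option in transparent mode.")

# Constructed sample: the two things this post ran into, in one config.
SAMPLE_CONFIG = """\
hostname ciscoasa
firewall transparent
same-security-traffic permit intra-interface
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface Management0/0
 no management-only
!
"""

def _interface_blocks(config):
    """Yield (interface name, [body lines]) for each interface stanza,
    assuming running-config layout: body lines indented by one space."""
    name, body = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name is not None and line.startswith(" "):
            body.append(line.strip())
        elif name is not None:           # '!' or any top-level line ends the stanza
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body

def check_transparent_mode(config):
    """Return [(offending config line, ASA error)] for a transparent-mode config."""
    if not re.search(r"^firewall transparent\s*$", config, re.M):
        return []                        # routed mode: these limits do not apply
    problems = []
    for line in config.splitlines():
        for pattern, reason in TRANSPARENT_MODE_REJECTS:
            if pattern.match(line):
                problems.append((line.strip(), reason))
    for name, body in _interface_blocks(config):
        # The dedicated Management interface must stay management-only, so it
        # cannot be reused, e.g. as the failover link.
        if name.lower().startswith("management") and "no management-only" in body:
            problems.append((f"interface {name} / no management-only",
                             MANAGEMENT_ONLY_ERROR))
    return problems

if __name__ == "__main__":
    for line, reason in check_transparent_mode(SAMPLE_CONFIG):
        print(f"{line!r}: {reason}")
```

Run it against a config exported from a routed-mode box before you add "firewall transparent" to it; anything it lists would have to be redesigned (a different failover interface, no hairpinning) rather than pushed and then rejected by the ASA.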

Cisco ASA - How to debug/troubleshoot safely.

Real quick and really short note.

• To see denies in your CLI session (ACL deny messages such as %ASA-4-106023 are severity 4, warnings, so level 4 is enough; this is far safer than debug on a busy box, and you switch it off again with terminal no monitor):

ter mon

conf t
 logging on
 logging monitor 4

• To check why traffic is blocked, use packet-tracer: you give it the ingress interface, protocol, source and destination address and port, and it simulates the packet through ACL, NAT and route lookup and shows the phase where it is dropped.
• To capture the traffic, see the Cisco document “ASA: Using Packet Capture to troubleshoot ASA Firewall : Configuration and Scenario’s”.
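Once logging monitor 4 is on, the deny messages scroll past quickly; summarising them is easier offline. The following is an added example (not from the original post) that parses %ASA-4-106023 lines and counts the most-denied flows. The log lines are constructed to match the 106023 format; the trailing hit-count/flags part of the message is ignored.

```python
"""Summarise ASA ACL deny messages (%ASA-4-106023) from syslog.
Added example, not from the original post."""
import re
from collections import Counter

# 106023 is severity 4 (warning), which is why "logging monitor 4" shows it.
# Format assumed: Deny <proto> src <ifc>:<ip>[/<port>] dst <ifc>:<ip>[/<port>]
# [(type N, code M)] by access-group "<acl>" [hit-count, flags]; the trailing
# bracketed part is ignored.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))? '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log: four denies and one unrelated connection message.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny tcp src inside:10.1.1.5/51234 dst outside:203.0.113.7/445 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.1.5/51235 dst outside:203.0.113.7/445 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.1.1.9/5353 dst outside:224.0.0.251/5353 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:198.51.100.4 dst inside:10.1.1.5 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.5/51240 (198.51.100.1/51240)
"""

def parse_denies(log_text):
    """Return one dict per matching 106023 line; ports are ints or None."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "itype", "icode"):
            d[key] = int(d[key]) if d[key] is not None else None
        denies.append(d)
    return denies

def top_blocked_flows(log_text, n=3):
    """Most frequent (src, dst, proto/dport, acl) tuples, busiest first."""
    flows = Counter(
        (d["src"], d["dst"], f"{d['proto']}/{d['dport']}", d["acl"])
        for d in parse_denies(log_text)
    )
    return flows.most_common(n)

if __name__ == "__main__":
    for flow, hits in top_blocked_flows(SAMPLE_SYSLOG):
        print(hits, *flow)
```

The grouping key deliberately drops the ephemeral source port, so repeated SMB attempts from the same host to the same server (as in the sample) collapse into one line with a hit count, which is what you want when deciding whether the deny is a misconfiguration or something to investigate.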

Windows 8 - AnyConnect error - Failed to initialize connection subsystem. [SOLVED]

We had a problem with the AnyConnect client v3.1.05187 on Windows 8. We got the error message - “Failed to initialize connection subsystem”. We solved it using the following procedure:

• Install all windows updates on Windows 8.
• Reboot the PC.
• Update the AnyConnect client to the latest version using the anyconnect-win-3.1.07021-pre-deploy-k9.msi file.
• Reboot the PC - This is important.

Enjoy!

Cisco ASA - The number of concurrent remote connections.

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 > Configuring Access Control > Configuring Management Access:

• The ASA allows a maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100 connections divided between all contexts.

• The security appliance allows a maximum of 5 concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances between all contexts.

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1 > System Administration > Configuring Management Access:

• A maximum of 5 concurrent Telnet connections per context, if available, with a maximum of 100 connections divided among all contexts.

• A maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100 connections divided among all contexts.

• A maximum of 5 concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances among all contexts.

Some important notes:

• A session is counted regardless of its state: an SSH connection that is still in key exchange (state “KeyExchange”) already takes one of the slots.
• The 5 sessions are shared across all three connection types: if you have 1 active ASDM connection, you can open no more than 4 SSH sessions, 5 in total.
• By default you won’t see any error or warning in ASDM when a new session fails because the session limit was exceeded.
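The practical consequence of the first note is a management-plane lockout: a handful of half-open connections (a monitoring probe that opens TCP/22 and never finishes key exchange, an admin’s stale terminal) hold the slots, and the next real login is silently refused. On the ASA you find and free them with show ssh sessions / ssh disconnect and show asdm sessions / asdm disconnect. The model below is an added example (not Cisco’s code, not part of the original post) that reproduces the SSH accounting with the numbers quoted from the 9.1 guide above: 5 per context, 100 across all contexts, every accepted connection counted from the moment it is accepted. The idle-reaping step stands in for the ASA’s idle timeout (the ssh timeout command); whether it covers sessions stuck in key exchange is not claimed here.

```python
"""Model of the ASA per-context SSH session limits quoted above, to show how
half-open sessions lock administrators out.  Added example; the limits come
from the Cisco guides quoted in this post, the code is not Cisco's."""
from dataclasses import dataclass, field

PER_CONTEXT_LIMIT = 5     # concurrent SSH sessions per context
GLOBAL_LIMIT = 100        # SSH sessions shared by all contexts

@dataclass
class Session:
    sid: int
    context: str
    state: str            # "KeyExchange" or "SessionStarted"
    last_activity: float  # seconds, for the idle reaper

@dataclass
class SshSessionTable:
    sessions: dict = field(default_factory=dict)
    _next_sid: int = 0

    def _count(self, context=None):
        # A session is counted from the moment it is accepted, whatever its
        # state: a client stuck in key exchange holds a slot like a logged-in admin.
        return sum(1 for s in self.sessions.values()
                   if context is None or s.context == context)

    def connect(self, context, now):
        """Accept a new TCP/22 connection or refuse it; returns sid or None."""
        if self._count(context) >= PER_CONTEXT_LIMIT or self._count() >= GLOBAL_LIMIT:
            return None
        sid = self._next_sid
        self._next_sid += 1
        self.sessions[sid] = Session(sid, context, "KeyExchange", now)
        return sid

    def authenticated(self, sid, now):
        """Key exchange and login finished; the slot was already in use."""
        self.sessions[sid].state = "SessionStarted"
        self.sessions[sid].last_activity = now

    def disconnect(self, sid):
        """Equivalent of 'ssh disconnect <sid>' on the ASA."""
        self.sessions.pop(sid, None)

    def reap_idle(self, now, timeout):
        """Drop sessions idle longer than timeout seconds; returns their sids."""
        stale = [s.sid for s in self.sessions.values()
                 if now - s.last_activity > timeout]
        for sid in stale:
            self.disconnect(sid)
        return stale

def lockout_demo():
    """Five abandoned key exchanges block the sixth, legitimate, login."""
    table = SshSessionTable()
    abandoned = [table.connect("admin", now=0.0) for _ in range(PER_CONTEXT_LIMIT)]
    refused = table.connect("admin", now=1.0)          # None: context slots exhausted
    other_ctx = table.connect("ctx2", now=1.0)         # another context is still fine
    reaped = table.reap_idle(now=601.0, timeout=600.0) # 10-minute idle limit
    admitted = table.connect("admin", now=602.0)       # slots are free again
    return {"abandoned": abandoned, "refused": refused, "other_ctx": other_ctx,
            "reaped": reaped, "admitted": admitted}

if __name__ == "__main__":
    print(lockout_demo())
```

The lesson is the one in the notes above: keep a short idle timeout on the management plane, restrict the ssh and http command source ranges so strangers cannot even start a key exchange, and when ASDM or SSH "just hangs", check the session tables before suspecting the network.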
