Cisco ASA - The number of concurrent remote connections.

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 > Configuring Access Control > Configuring Management Access:

• The ASA allows a maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100 connections divided between all contexts.

• The security appliance allows a maximum of 5 concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances between all contexts.

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.1 > System Administration > Configuring Management Access:

• A maximum of 5 concurrent Telnet connections per context, if available, with a maximum of 100 connections divided among all contexts.

• A maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100 connections divided among all contexts.

• A maximum of 5 concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances among all contexts.

Some important notes:

• Regardless of session state, could be just “KeyExchange” (in terms of SSH), it will be counted.
• 5 session for all of three types of connections in summary, it means, if you have 1 active ASDM connection, you can open no more than 4 SSH session, so 5 in total.
• By default, you can see any error or warning in ASDM while having a problem with establishing a new session exceeded a session limit.

Cacti - Switching to 1 minute polling interval. [TESTED]

By default the Cacti has 5 minute interval polling. To get higher resolution I decided to reconfigure it to 1 minute. BTW, I’ve found this thread the most detailed.

For example, we have some “Cisco - SAA” graph templates:

• “Console” > “Data Templates” > “Cisco Router - SAA”:
– “Associated RRA’s” > Add “Hourly (1 minute average)”.
– Change “Step” from 300 to 60.
– Change “Heartbeat” from 600 to 120 for each Data Source Item (http_dns_rtt Delete, http_rtt Delete, http_tcp_rtt, etc…).
• Change crontab interval for poller:

vi /etc/crontab
* * * * * cactiuser php /var/www/html/cacti/poller.php > /dev/null 2>&1

• “Console” > “Configuration” > “Settings” > “Poller” > Change “Poller Interval” and “Cron Interval” to “Every Minute” > Save.
• “Console” > “Utilities” > “System Utilities” > “Rebuild Poller Cache”.
• Check log files to make we have no any error. “Console” > “Utilities” > “System Utilities” > “View Cacti Log File”.

Cisco ASA - How to interrupt “interactive prompts”. [TESTED]

Really annoying thing happens when you clear configuration “wri erase” and reboot an ASA box - “interactive prompts” prompt appears and if you automatically press ENTER…

Pre-configure Firewall now through interactive prompts [yes]?
Firewall Mode [Routed]:
Enable password []:
Allow password recovery [yes]?
Clock (UTC):
  Year [2015]:
  Month [Feb]:
  Day [18]:
  Time [17:03:18]:
Management IP address:
~

So, I tried to stop it by issuing some basic key sequences like "Ctrl+C", etc - no luck.

Here I've found the answer - "Ctrl+Z" - so simple...

Cisco ASA v8.3- LAN-to-LAN IPsec VPN. [TESTED]

We’re gonna use Symmetric Cipher - on both ends the same cypher key will be configured (pre-shared).

http://en.wikibooks.org/wiki/Cryptography/Symmetric_Ciphers:

A symmetric key cipher (also called a secret-key cipher, or a one-key cipher, or a private-key cipher, or a shared-key cipher) is one that uses the same (necessarily secret) key to encrypt messages as it does to decrypt messages.

Until the invention of asymmetric key cryptography (commonly termed “public key / private key” crypto) in the 1970s, all ciphers were symmetric. Each party to the communication needed a key to encrypt a messages; and a recipient needed a copy of the same key to decrypt the message.

Documentation/Tips

conf t
 vpnsetup site-to-site steps

Step by Step

• We need to create tunnel-group and associate it with group-policy allowed IKEv1. So, the 1st step is to create group-policy to be able to specify it under tunnel-group configuration section. We can also disable vpn-idle-timeout which is 30min by default.

group-policy 75.75.75.2 internal
group-policy 75.75.75.2 attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout none
 exit

Then create tunnel-group, specify group-policy and a KEY.

tunnel-group 75.75.75.2 type ipsec-l2l
tunnel-group 75.75.75.2 general-attributes
 default-group-policy 75.75.75.2
 exit
tunnel-group 75.75.75.2 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_KEY
 exit

• ASA 9.1(5) has the following default parameters: pre-shared auth, 3DES, SHA, DH group 2 (1024 bit), lifetime 86400 (24 hours). Technically, you can create it by issuing only ONE command “crypto ikev1 policy 1“.
• To check the result:

ASA# show run crypto ikev1
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ASA#

• Enable IKEv1 on outside interface.

crypto ikev1 enable outside

• After that you will see that on some ASA models (5510 for instance) policy sequence 65535 will be created with the default parameters. So, technically, on some models (not all), you can issue just one command “crypto ikev1 enable outside” and you will get the following.

crypto ikev1 enable outside
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Known issues

vpn-idle-timeout

• “vpn-idle-timeout” is 30min by default, could be different on different sides of L2L VPN (locally significant). You can see the reason of disconnection:

%ASA-5-713259: Group = 75.75.75.1, IP = 75.75.75.1, Session is being torn down. Reason: Idle Timeout

un-encrypted INVALID_COOKIE

• If you have NO tunnel-group configured for the remote IP address, you will get the following:

%ASA-5-713904: Group = 75.75.75.2, IP = 75.75.75.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: Group = 75.75.75.2, IP = 75.75.75.2, Information Exchange processing failed

• Reason: No proper tunnel-group and group-policy configured on far end, just check current configurations.

QM FSM error

%ASA-5-713119: Group = 75.75.75.2, IP = 75.75.75.2, PHASE 1 COMPLETED
%ASA-5-713904: Group = 75.75.75.2, IP = 75.75.75.2, All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group = 75.75.75.2, IP = 75.75.75.2, QM FSM error (P2 struct &0xae432b50, mess id 0xee9d1cbd)!
%ASA-3-713902: Group = 75.75.75.2, IP = 75.75.75.2, Removing peer from correlator table failed, no match!
%ASA-5-713259: Group = 75.75.75.2, IP = 75.75.75.2, Session is being torn down. Reason: Phase 2 Mismatch
%ASA-4-113019: Group = 75.75.75.2, Username = 75.75.75.2, IP = 75.75.75.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
%ASA-5-713904: IP = 75.75.75.2, Received encrypted packet with no matching SA, dropping

• Reason: PFS isn’t configured on far end.

Useful links to learn

Вебкаст на тему: “Некоторые аспекты построения отказоустойчивых Site-to-Site VPN на ASA” - презентация - MUST READ!
ASA-Fault-tolerant-L2L-VPNs-Webinar.pdf.
Understanding ASA IPSec and IKE debugs - IKEv1 Main Mode..
Cisco ASA 5500 Site to Site VPN (From CLI).
LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example.
ASA 8.3 Upgrade - What You Need to Know.

IE v11 - F12 developer tools.

Впервые за долгие годы пришлось вспоминать HTML, CSS, JS и хаки/баги для IE v11. Много лет назад я, как и многие другие разработчики кросс-браузерных сайтов, ненавидели версии IE 7, 8, 9. Я наивно полагал, что эти времена канули в лету, но не нет….

Итак, всем известно встроенный по умолчанию в Mozilla FireFox инструмент “Web Developer Tool”. Т.е. нажав, к примеру Ctrl+Shift+C (Inspector) и выделив объект на странице можно получить исчерпывающую информацию. К моему счастью такой же инструмент (очень-очень похожий аналог) встроен в IE 11 - “F12 developer tools”. Выглядит “один в один” как у FireFox, работает сносно. Благодаря этому решил проблему достаточно быстро и удалось получить результат для следующих версий браузеров:

• Mozilla FireFox 35.0.1 (For Windows) - the latest version.
• Microsoft IE 11.0.9600.17280
• Google Chrome 40.0.2214.111 m (For Windows) - the latest version.
• Safari 5.1.7 (7534.57.2) (For Windows) - the latest version.

Немного ссылок по теме:
Using the F12 developer tools
Обзор средств для разработчиков в разных браузерах

Admin area