Networking

Working with an older Cisco ASA, I was not able to SSH directly to the host from Windows unless I specified the diffie-hellman-group1-sha1 algorithm. PuTTY gives the following warning: For Windows, I can use the following command to SSH (as well as SCP).

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@host

Read More Unable to negotiate with port 22: no matching key exchange method found.

Working with some older Cisco ASA devices, I’m trying to access the ASDM interface. The browser isn’t giving me luck, so I turned to PowerShell to help me, but I get the following error when trying an Invoke-WebRequest to grab the asdm.jnlp file I need. The underlying connection was closed: Could not establish trust relationship for the…

Read More Could not establish trust relationship for the SSL/TLS secure channel.

For some reason, on a Cisco WAP571 the SNMP value returned for apRadioNumAssociatedStations is always zero. This is true on the tested WAP571 firmware (pgwap571, 1.1.0.3). I have a few of these units around that are not updated to the latest firmware and will test that OID. I can find data in the apAssocTable to create…

Read More Cisco WAP571 SNMP poll of apRadioNumAssociatedStations returning 0

snmptable -Cl -CB -Ci -OX -Cb -Cc 16 -Cw 64 -v2c -c <community> <host:port> CISCO-WLAN-ACCESS-POINT-MIB::apAssocTable

On a Cisco WAP571, it produces the following output.

Interface Authenticated Associated RxPackets TxPackets RxBytes TxBytes ListenInterval LastRssi TxDropBytes RxDropBytes TxDropPackets RxDropPackets ClntQoSStatus BwLimitUp BwLimitDown ACLType ACL Policy TsViolateTxPack TsViolateRxPack Uptime
index: [8:c5:e1:35:b5:89] wlan1vap2 yes yes 17056 23016 3871353 25017797…

Read More snmptable


I’ve been meaning to copy this back here but haven’t had the chance until now. I reference this so much, figured it’d have stuck in my mind by now… Anyway, this is one of the best resources for quick analysis troubleshooting of MM_WAIT_MSG errors on VPN tunnels for Cisco ASA / PIX from https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/. ISAKMP (IKE…

Read More ISAKMP (IKE Phase 1) Status Messages MM_WAIT_MSG#

For all ASA models, the maximum number of DHCP client addresses varies depending on the license: If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses. If the limit is 50 hosts, the maximum available DHCP pool is 128 addresses. If the number of hosts is unlimited, the maximum available DHCP…

Read More Warning, DHCP pool range is limited to 128 addresses

While installing the Cisco AnyConnect VPN client, I encountered an error: The vpn client agent was unable to create the interprocess communication depot. This error is due to Internet Connection Sharing being enabled. To resolve, disable ICS per adapter, or globally through Services. Per Adapter: Click the Start button. Click on Control Panel. Click on View Network…

Read More The vpn client agent was unable to create the interprocess communication depot.

On a Cisco ASA you can configure capturing of data to allow for deeper troubleshooting of issues. With the recent issue of the Heartbleed bug, I needed a way to capture HTTPS traffic and inspect remote hosts for the vulnerability. If the site was vulnerable, I would create a temporary block until that site patched.

Read More Configure Cisco ASA to Capture Specific Port Traffic