Working with an older Cisco ASA, I was not able to directly SSH to the host using SSH on Windows unless I specified the diffie-hellman-group1-sha1 algorithm. PuTTY gives the following warning: For Windows, I can use the following command to SSH (as well as SCP). ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@host
Read More Unable to negotiate withWorking with some older Cisco ASA devices, I’m trying to access the ASDM interface. The browser isn’t giving me luck, so I turned to PowerShell to help me, but I get the following error when trying an Invoke-WebRequest to grab the asdm.jnlp file I need. The underlying connection was closed: Could not establish trust relationship for the…
Read More Could not establish trust relationship for the SSL/TLS secure channel.For some reason on a Cisco WAP571, the SNMP value returned from apRadioNumAssociatedStations is always zero. This is true on firmware tested WAP571 (pgwap571, 1.1.0.3). I have a few of these units around that are not updated to the latest firmware and will test that OID. I can find data in the apAssocTable to create…
Read More Cisco WAP571 SNMP poll of apRadioNumAssociatedStations returning 0snmptable -Cl -CB -Ci -OX -Cb -Cc 16 -Cw 64 -v2c -c <community> <host:port> CISCO-WLAN-ACCESS-POINT-MIB::apAssocTable On a Cisco WAP571, it produces the following output. Interface Authenticated Associated RxPackets TxPackets RxBytes TxBytes ListenInterval LastRssi TxDropBytes RxDropBytes TxDropPackets RxDropPackets ClntQoSStatus BwLimitUp BwLimitDown ACLType ACL Policy TsViolateTxPack TsViolateRxPack Uptime index: [8:c5:e1:35:b5:89] wlan1vap2 yes yes 17056 23016 3871353 25017797…
Read More snmptableI’ve been meaning to copy this back here but haven’t had the chance until now. I reference this so much, figured it’d have stuck in my mind by now… Anyway, this is one of the best resources for quick analysis troubleshooting of MM_WAIT_MSG errors on VPN tunnels for Cisco ASA / PIX from https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/. ISAKMP (IKE…
Read More ISAKMP (IKE Phase 1) Status Messages MM_WAIT_MSG#For all ASA models, the maximum number of DHCP client addresses varies depending on the license: If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses. If the limit is 50 hosts, the maximum available DHCP pool is 128 addresses. If the number of hosts is unlimited, the maximum available DHCP…
Read More Warning, DHCP pool range is limited to 128 addressesWhen installing Cisco AnyConnect VPN client, encountered an error: The vpn client agent was unable to create the interprocess communication depot. This error is due to Internet Connection Sharing being enabled. To resolve, disable ICS per adapter, or globally through Services. Per Adapter: Click the Start button. Click on Control Panel. Click on View Network…
Read More The vpn client agent was unable to create the interprocess communication depot.Quick setup for WPA on Cisco Aironet 350 Access Point to remind myself… interface Dot11Radio0 no ip address no ip route-cache ! encryption mode ciphers tkip ! ssid HomeWIFI authentication open authentication key-management wpa guest-mode wpa-psk ascii 0 s3cr3t
Read More Configure WPA on Cisco Aironet 350 Access PointQuick example of setting up SSH access on a Cisco router. I have a few dozen routers in my lab I’m working on and actually made this scripted. This is here for me to remember in the future. Router(config)# crypto key generate rsa usage-keys label rtr-key The name for the keys will be: rtr-key Choose…
Read More Enable SSH Login on a Cisco RouterOn a Cisco ASA you can configure capturing of data to allow for deeper troubleshooting of issues. With the recent issue of the Heartbleed bug, I needed a way to capture HTTPS traffic and inspect remote hosts for the vulnerability. If the site was vulnerable, I would create a temporary block until that site patched.
Read More Configure Cisco ASA to Capture Specific Port Traffic