The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.
I had uploaded the Windows pkg file and nothing else.
If you are connecting from a Mac or Linux machine and getting this error, it is because you ALSO need to upload the pkg files for each OS.
This is a place that posts walkthroughs, my thoughts, notes, and write-ups. Although they worked for me, ***USE AT YOUR OWN RISK***!
Showing posts with label Cisco.
Tuesday, August 23, 2011
Friday, February 18, 2011
Problems with ASA5505 LDAP authentication. Error: Unable to remove PeerTblEntry, Removing peer from peer table failed, no match!
I ran into some problems when trying to authenticate to my Active Directory server. The problem was with the crypto. I wanted to use AES 256, but I was getting error messages. ASDM told me "Unable to contact the server or ip address". The two messages in the ASDM log were:
Error: Unable to remove PeerTblEntry
Removing peer from peer table failed, no match!
Here is what was in my show running-config.
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 10
Everything was configured correctly according to the documentation. But after spending a while searching Google, I found a user named zx10guy who explained the problem:
I suggest you go through the ASDM VPN wizard. It makes it really easy to set things up. I'm going to assume you're going to use the highest level of encryption possible which would be settings like AES 256, SHA-1, etc. One word of warning. I don't think Cisco has fixed this issue yet. But when you select the Diffie-Hellman Group number, you'll have a choice of 1 up to 7. Do not select anything higher than 2. The wizard is going to bark at you about not using a stronger group number. But this is incorrect. The Cisco VPN client only supports DH Group 2 as the highest. If you select anything higher in the wizard, you'll never get the tunnel to come up and the error messages you'll get won't point you to this. I figured it out through lots of pain, trial and error, and cursing.
Source: Link
Other things you'll need to set up are the remote client IP pools and the user accounts for authentication. The IP pools get assigned when the connection is made. The IP pool addresses are what the remote client will be assigned on your local network. I would suggest using a set of privates which are NOT in your current subnet range. This will help in troubleshooting and provides some segregation. You need to make sure either the ASA is your default gateway as it will be the only device which knows how to route traffic back to the remote client or you can set up a static route rule on your current default gateway to point to the ASA to reach the remote clients.
You can set up the ASA to have a list of users which can then be assigned to specific VPN policy groups for authentication. With the number of users you're talking about, I think this is the best way and easiest. For my corporate network, I was able to tie in the PIX 515 to use our Active Directory server for user authentication. Took some doing but I got it to work.
Other than that, you should create a PCF file which is the connection profile file used by the Cisco VPN client. You need to enter the hostname or IP address of the public registered to the ASA or the device which will forward the traffic to it. The group policy name you created in the wizard gets entered here. Also the preshared key you used to set up the group policy for initial Phase 1 negotiation would also be entered here. Once you create the PCF file in the VPN client, you can then copy the PCF file and distribute it to other users. The preshared key is hashed in the file so you won't be able to read in plain text.
I know there are probably some details I've left out, but this should get you started.
Now what we learned from this is that the IPsec client doesn't like any group numbers higher than 2. So I changed my configuration to this:
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
Now I am able to contact the server successfully while testing the AAA authentication!
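As an added example (not code from the post), here is a small check that parses the crypto isakmp policy blocks out of a show running-config dump and flags any policy whose DH group is above what the Cisco IPsec client of that era negotiated, then re-emits the policy the way the post corrected it. The sample config is constructed; MAX_CLIENT_DH_GROUP encodes the compatibility finding above, not a strength recommendation.

```python
import re
from typing import Dict, List

# Highest DH group the legacy Cisco IPsec VPN client negotiates (the finding above).
MAX_CLIENT_DH_GROUP = 2
POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}

# Constructed sample: the failing policy from the post plus an unrelated isakmp line.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 10
crypto isakmp enable outside
"""

def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Collect the sub-commands under each 'crypto isakmp policy N' block."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in POLICY_KEYS:  # ignore non-policy lines
            policies[current][key] = value
    return policies

def check_client_compat(config: str) -> List[str]:
    """One finding per policy whose DH group the IPsec client cannot accept."""
    findings = []
    for num, settings in parse_isakmp_policies(config).items():
        group = int(settings.get("group", "1"))  # ISAKMP default is group 1
        if group > MAX_CLIENT_DH_GROUP:
            findings.append(f"policy {num}: group {group} > {MAX_CLIENT_DH_GROUP}, "
                            "Phase 1 with the Cisco IPsec client will fail")
    return findings

def corrected_policy(config: str, num: int) -> str:
    """Re-emit policy `num` with the group capped at what the client supports."""
    s = dict(parse_isakmp_policies(config)[num])
    s["group"] = str(min(int(s.get("group", "1")), MAX_CLIENT_DH_GROUP))
    body = "\n".join(f" {k} {s[k]}" for k in ("authentication", "encryption", "hash", "group") if k in s)
    return f"crypto isakmp policy {num}\n{body}"
```

Paste the output of show running-config into SAMPLE_CONFIG, or read it from a file, and print check_client_compat() to find the offending policy.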
How to configure LDAP access for an ASA 5505
Assumptions:
- ASDM is already installed
- You know the password to the ASA
Reactivation Mode: Depletion
Dead Time: 10 Minutes (this was the default setting)
Max Failed Attempts: 3 (this was the default setting)
Click OK. You should now see the group in the AAA Server Group box at the top of the page. Highlight the newly created group and click the Add button beside the "Servers in the Selected Group" box. This is what it should be set to:
Interface Name: Inside
Server Name or IP Address: your Active Directory server's IP
Timeout: 10 seconds
Enable LDAP over SSL: Unchecked (this is up to your current setup)
Server Port: 389
Server Type: Microsoft
Base DN: dc=example,dc=com (see note below on how to find this and your user name)
Naming Attribute(s): sAMAccountName
Login DN: CN=John Doe,OU=Custom Users,DC=example,dc=com
Login Password: the password for that user
LDAP Attribute Map: None
Everything else was left at the default. Click OK, then click Apply. Highlight the server IP in the box and click the Test button. A box will pop up; choose the Authentication option and type your Active Directory username and password. If everything is configured correctly, you should get a message saying "Authentication test to host ip is successful."
***Note:*** Now I had some problems when configuring this. The first problem I felt deserved its own post. It's here.
The second problem was getting the right syntax for the LDAP part of it. You can refer to my post that talks about dsquery in more depth; it could help you. It is here. The two commands that will help you the most are:
dsquery user (This lists every single user. I only have maybe 20 users, so if you have a lot more than this, you can use more specific switches to narrow it down.)
dsquery computer (This shows you all the computers. Same possible problem as with dsquery user. The big thing here is that all you need is the DC part of the results.)
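As an added example (not from the post), this takes a DN in the form dsquery prints, pulls out the DC components to get the Base DN the way the note above describes, and renders the ASA CLI equivalent of the ASDM server fields listed above. The DN, server address and group name are constructed placeholders, and the CLI rendering is my assumption of what ASDM writes for ASA 8.2.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape dsquery prints and ASDM expects; attribute
# types may come back mixed case, as in the Login DN shown above.
LOGIN_DN = "CN=John Doe,OU=Custom Users,DC=example,dc=com"
SERVER_IP = "192.0.2.10"   # placeholder for your AD server address
GROUP_NAME = "AD-LDAP"     # hypothetical AAA server group name

def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs; honours backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs

def base_dn_from(dn: str) -> str:
    """Keep only the DC components: that is the Base DN field on the ASA."""
    return ",".join(f"dc={v}" for t, v in split_dn(dn) if t == "dc")

def asa_ldap_server_config(group: str, ip: str, login_dn: str,
                           password: str, interface: str = "inside") -> str:
    """ASA CLI equivalent of the ASDM dialog fields above (assumed for 8.2)."""
    return "\n".join([
        f"aaa-server {group} protocol ldap",
        f"aaa-server {group} ({interface}) host {ip}",
        " timeout 10",
        " server-port 389",
        f" ldap-base-dn {base_dn_from(login_dn)}",
        " ldap-scope subtree",
        " ldap-naming-attribute sAMAccountName",
        f" ldap-login-dn {login_dn}",
        f" ldap-login-password {password}",
        " server-type microsoft",
    ])

if __name__ == "__main__":
    print(asa_ldap_server_config(GROUP_NAME, SERVER_IP, LOGIN_DN, "<login-password>"))
```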
Tuesday, February 15, 2011
How to configure remote access for ASDM and SSH for an ASA 5505
Assumptions:
- ASDM is already installed
- You know the password to the ASA
You will also have to generate the SSH key. Type the following from ASDM or through a console connection to the ASA.
conf t
ca generate rsa key 1024
wr mem
***NOTE: If you see error messages like the ones below, then the key wasn't generated correctly or you skipped that step.***
ssh_exchange_identification: Connection closed by remote host
Fail to establish SSH session because RSA host key retrieval failed.
Source: Link
Now you need to configure the authentication piece of remote access for the connection. On the left side select Users/AAA -> AAA Access. Under the Authentication tab, check SSH and select Server Group: LOCAL. This will allow you to authenticate with a local user account on the ASA while connecting through SSH. I have not tested authenticating this against Active Directory, but I would imagine you can do it by setting up an AAA group and selecting it instead of the LOCAL group.
At the time of writing my ASA was running 8.2(1) and ASDM 6.2(1).
Setting up an ASA 5505
So I set up my first Cisco ASA. This is what I did...
First off, this device has 8 ports. Ports Ethernet 0/1-7 are the switch ports on the device, and Ethernet 0/0 is the outside interface that will connect to your ISP. This needs to be set for DHCP unless your ISP requires you to set a static IP, which your ISP would give you.
Basically follow the guides that come with the ASA. They will walk you through everything you need to get started.
First thing is you should go to https://192.168.1.1/admin. This will bring you to a page that allows you to download the ASDM software.
How to configure remote access: Link
We had to add one line to configure the ASA to route to the ISP.
Open an SSH client and connect to your ASA's IP.
Login
Type enable
Type config t
Type interface vlan 2 (or whatever vlan your outside interface is in)
Type ip address dhcp setroute
Type exit
Type exit
Type wr mem
Once this was applied, I was able to get to the internet.
How to configure LDAP: Link
How to configure VPN access on the ASA: Link (add later)
How to configure VPN access on the Cisco IPSec Client: Link (add later)
At the time of writing my ASA was running 8.2(1) and ASDM 6.2(1).