AnyConnect – “Connection attempt has failed due to server communication errors”

KB ID 0001279 

Problem

We had a firewall fail at work this week; as part of the rebuild the latest OS, version 9.7(1), was put on it. I thought no more about it until I tried to VPN in and got this;

I used my Windows 10 VM and that connected fine; only my MacBook could not connect, and this VPN tunnel is a big deal as I need it to get onto clients’ networks. I tried my other VPN connections and every one was fine; only the recently rebuilt one didn’t work. I’ve seen OSX throw a wobbly with AnyConnect in the past, so I did a complete uninstall, deleted the /opt/cisco folder and put on the latest version (4.4.00243 at time of writing); no change.

VPN

Connection attempt has failed due to server communication errors. Please retry the connection

A look in the client message history showed me this;

Connection attempt has failed.

No valid certificates available for authentication.

I checked my certificates, and the certificate on the firewall; both they (and the certificate chain) were fine.

Debugging AnyConnect gave NO OUTPUT at all, but debugging SSL showed me this;

[box]

Petes-ASA# debug ssl 255
debug ssl enabled at level 255.
Petes-ASA# error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832
error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters@p_lib.c:143
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2832

[/box]

Try Googling that and getting a result! In fact that’s probably what brought you here.

Solution

If you change a Cisco OS and things like this stop working, it’s normally because they’ve dropped support for something that has a security hole in it. In the wake of the POODLE exploit I assumed it was an SSL/TLS problem, but that wasn’t it.

I was in the right ballpark though; a bit of lateral thinking, and the SSL cipher problems I’ve had with ASDM, made me think: what if it’s SHA1 that’s been dropped, because everyone is dropping SHA1 as it’s the hashing algorithm of Satan?

Well, as soon as I added the SHA1 cipher suites back in, everything started working again!

[box]

Petes-ASA(config)# ssl encryption aes256-sha1 aes128-sha1
WARNING: This command has been deprecated; use 'ssl cipher' instead.
INFO: Converting to: ssl cipher default custom "AES256-SHA:AES128-SHA"
INFO: Converting to: ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
INFO: Converting to: ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"

[/box]


Disclaimer: SHA1 is bad; where practical, all certificates and cipher suites should use at least SHA256.
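As an added example (not the article’s or Cisco’s code), here is a small Python check that models the failure above: it parses an ASA-style custom cipher string, works out whether a client that only offers the older CBC/SHA1 suites can still negotiate anything, lists which SHA1-MAC suites a custom string re-enables, and includes a live probe you can point at a VPN head-end. The cipher lists are constructed assumptions, not real AnyConnect or ASA defaults.

```python
"""Added example: does a client still share a TLS cipher suite with the ASA?
Models the failure above: after the upgrade the ASA offered no suite the Mac
AnyConnect client would use, so the handshake failed before any certificate
was checked. All lists below are constructed, not real AnyConnect/ASA defaults.
"""
import socket
import ssl
from typing import List, Optional

# Constructed cipher lists in OpenSSL naming (hypothetical, not ASA defaults).
SERVER_BEFORE_FIX = "ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256"
SERVER_AFTER_FIX = SERVER_BEFORE_FIX + ":AES256-SHA:AES128-SHA"
# A client that only offers the older CBC suites with an HMAC-SHA1 record MAC.
OLD_CLIENT = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]


def parse_cipher_string(cipher_string: str) -> List[str]:
    """Split an OpenSSL-style 'A:B:C' string, the format the ASA prints in
    ssl cipher default custom "AES256-SHA:AES128-SHA"."""
    return [c.strip() for c in cipher_string.split(":") if c.strip()]


def negotiate(client_offer: List[str], server_string: str) -> Optional[str]:
    """Suite a server with server-side preference picks: its first entry that
    the client also offered. None means no overlap, i.e. a failed handshake."""
    for suite in parse_cipher_string(server_string):
        if suite in client_offer:
            return suite
    return None


def sha1_suites_enabled(server_string: str) -> List[str]:
    """Suites whose record MAC is HMAC-SHA1 (OpenSSL names ending in a bare
    '-SHA'), so the trade-off in the disclaimer above is explicit. This is the
    record MAC, not the certificate's signature hash."""
    return [s for s in parse_cipher_string(server_string) if s.endswith("-SHA")]


def probe(host: str, port: int = 443,
          cipher_string: str = "AES256-SHA:AES128-SHA") -> Optional[str]:
    """Live check (needs network; not run by the tests): attempt a TLS 1.2
    handshake restricted to cipher_string and return the suite the server
    chose, or None if it refused them all. Verification is off because the
    question is cipher support, not certificate trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers ignores TLS 1.3
    try:
        ctx.set_ciphers(cipher_string)
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    print("before fix:", negotiate(OLD_CLIENT, SERVER_BEFORE_FIX))  # None
    print("after fix: ", negotiate(OLD_CLIENT, SERVER_AFTER_FIX))   # AES256-SHA
    print("SHA1-MAC suites offered:", sha1_suites_enabled(SERVER_AFTER_FIX))
```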

Related Articles, References, Credits, or External Links

NA

Getting MORE! Free Airport / Hotel Free Wi-Fi

KB ID 0001278 

Problem

I was at the Airport the other day, and was pleased to find they had free Wi-Fi. So I opened my Email and started doing some work. The problem was, it was only free for 45 minutes and, (as is usually the case) I was going to be in the airport for a couple of hours.

Not only that, you are expected to sign up for airport related spam and marketing materials?

So 45 minutes later, I was dumped off the WiFi, and was asked to pay? With a sigh I fired up VLC and watched a film, (productivity over). Though I did notice there was a reference to my ‘device ID’ on the captive portal page that was asking for money, (not shown on diagram).

How was the system maintaining my ‘device ID’ to stop me simply reconnecting and getting more free WiFi? This turned out to be a moot point, because my flight was cancelled, but on the drive home I resolved to work out how it was done, and see if it could be bypassed.

Solution

Well, when I returned to the Airport the next day it let me have more time, so either it was keeping a hash of my laptop name and MAC address (this would seem to be the most secure method), or it was simply caching my MAC address. If it was the latter then that’s painfully easy to defeat (on a Windows laptop you can change your MAC address in the advanced properties of your network card, or with a registry key). With my MacBook (which is essentially Linux in a pretty dress) I just need to drop to the command line.

Spoofing / Changing macOSX MAC address

Open a terminal session and generate a RANDOM MAC address with the following command.

[box]openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/./0/2; s/.$//'[/box]

Take a copy of the MAC address it gives you;

Now, for your own peace of mind, take a look at your actual current MAC address (so you know when it’s changed).

[box]ifconfig en0 | grep ether[/box]

Note: On some macOSX machines your wireless network card may be en1.

The next bit tripped me up for a while: you CAN’T change your MAC address while it’s associated with a wireless network. So you need to disassociate, change the MAC address, then rescan the interface. Execute each of these three commands one at a time; after the first one you will need to enter your password.

[box]

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -z
{ENTER PASSWORD}
sudo ifconfig en0 ether f0:99:80:a1:b4:d6
networksetup -detectnewhardware

[/box]

To prove it’s changed, simply run the following command again;

[box]ifconfig en0 | grep ether[/box]

Connect back to the wireless and enjoy.

Related Articles, References, Credits, or External Links

NA

Unified Networking Lab – Connecting ESX VM to the Internet

KB ID 0001276

Problem

UPDATE: This is an old article; UNL is now EVE-NG, please use the following link;

EVE-NG Connecting to the Internet

UNL is by far the coolest bit of kit I’ve got my hands on this year. I can run it in ESX, and connect to it from anywhere, so I don’t have to keep my labs on my laptop. But what if you want to connect your labs to a live network? There’s a great article on the unetlab website for the smaller versions of VMware. If you’re lucky enough to have your own vSphere environment there are a few more hoops to jump through.

Solution

The first job is to present the vNICs to the UNL virtual machine. Here all those vNICs are in the same ‘port group’, but they don’t have to be; there’s no reason why you can’t present different VLANs, test networks, or DMZs, for example.

Here I’m directly on the console, but you can also connect via SSH if you prefer. Make sure you can see the presented vNics with the following command;

[box]ifconfig -a | grep ^eth[/box]

Those networks need to be ‘bridged’ to the pnet interfaces that you use within UNL; to do that, edit the network settings;

[box]nano /etc/network/interfaces[/box]

Note: I already had nano installed; ‘apt-get install nano’ will install it for you if you don’t.

Make sure it looks like this (OK, I’ve got 10 network cards bridged and only presented 5, but now I can add more without having to go through this process again).

[box]

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
iface eth0 inet manual
auto pnet0
iface pnet0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_ageing 0

# Cloud devices
iface eth1 inet manual
auto pnet1
iface pnet1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_ageing 0

iface eth2 inet manual
auto pnet2
iface pnet2 inet manual
    bridge_ports eth2
    bridge_stp off
    bridge_ageing 0

iface eth3 inet manual
auto pnet3
iface pnet3 inet manual
    bridge_ports eth3
    bridge_stp off
    bridge_ageing 0

iface eth4 inet manual
auto pnet4
iface pnet4 inet manual
    bridge_ports eth4
    bridge_stp off
    bridge_ageing 0

iface eth5 inet manual
auto pnet5
iface pnet5 inet manual
    bridge_ports eth5
    bridge_stp off
    bridge_ageing 0

iface eth6 inet manual
auto pnet6
iface pnet6 inet manual
    bridge_ports eth6
    bridge_stp off
    bridge_ageing 0

iface eth7 inet manual
auto pnet7
iface pnet7 inet manual
    bridge_ports eth7
    bridge_stp off
    bridge_ageing 0

iface eth8 inet manual
auto pnet8
iface pnet8 inet manual
    bridge_ports eth8
    bridge_stp off
    bridge_ageing 0

iface eth9 inet manual
auto pnet9
iface pnet9 inet manual
    bridge_ports eth9
    bridge_stp off
    bridge_ageing 0

[/box]

You can ensure the interfaces are up by running;

[box]brctl show[/box]

If there’s a problem, you can bring them up manually by running ‘for i in $(seq 1 9); do ifup pnet${i}; done’.

ESX Enabling Promiscuous Mode

To enable your devices to talk through your vSwitches, they need to allow ‘promiscuous mode’; below you can see that being done on the vSwitch (in the VI Client).

Check the ‘port group’ as well and ensure that will also accept promiscuous mode.

If you are using the vSphere Web Client here is where promiscuous mode is set on the vSwitch.

And here is where it’s set on the port group.

Unfortunately you can’t change this setting in the new HTML5 management console but you can view it.

Connect Your UNL Lab To the Public Network

Add a new node, and select the ‘Network’ option > When you place it you can select which live network you want to connect to.

WARNING: Connect to live networks as you would in real life, (with a router, firewall, or correctly configured L3 device).


Related Articles, References, Credits, or External Links

NA

Unable to Find a Default Server With Active Directory Web Services Running

KB ID 0001275 

Problem

I was trying to get a list of all users on a client’s domain that had either a logon script, profile, or a mapped drive that was being set on their AD user object. But when I ran the command I got this error;

Get-ADUser : Unable to find a default server with Active Directory Web Services running.

Solution

Active Directory Web Services was introduced in Server 2008 R2, and I was running the command on a 2012 R2 server, so why the error? Well, the problem was that the main server onsite was a Small Business Server. To get this command to run successfully I needed to run it again, targeting a particular domain controller by adding “-Server {Server-Name}” to the command;

Note: Obviously MAKE SURE that the AD Web Services service is actually running on the server you are targeting (run services.msc).

Related Articles, References, Credits, or External Links

NA

VMware ESXi 6.5 – Setting up ESX Time Sync via Web Client

KB ID 0001274 

Another guest post from Daniel Newton

Problem

Now that we have the web console instead of the VI client, and don’t have a Windows machine any more, it is better to use the web console.

Also, having your ESXi server running the correct time/date is very important; before you follow this article I’d suggest making sure the time is set in the ESX server’s BIOS, i.e. that the internal clock is set correctly first!!! The number of times Windows domains fail because the time had not been set up properly on the hosts and DC is more than you’d think! The last thing you want is a massive pain in the arse from your boss!

Note: Due to the privacy of the customer, I have blurred out their information.

Solution

Note: For this to work the hosts need to be able to communicate with public time servers over NTP (UDP Port 123), ensure your firewall has this port open or time sync will fail.

Firstly, log into the ESX host itself and click on Manage on the left-hand side.

Secondly, click on “Time and Date” and edit the settings.

Now, edit the boxes and dropdowns to look like the screenshot below (I am from the UK and typed in the NTP servers for my country, it will be different in other parts of the world) and then click save.

Now that we’ve completed that, we have to start the service. So, go to Actions > NTP Service > Start.

After 30 seconds, you will have this message saying it has completed successfully.


Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – Allow Domain Password Change via LDAP

KB ID 0001273 

Problem


If you have remote users who connect via VPN, and a policy that forces them to change their password periodically, this can result in them getting locked out without the ability to change their password (externally).

If your Cisco ASA is using LDAP to authenticate your users, then you can use your remote AnyConnect VPN solution to let them reset their passwords remotely.

Solution

Standard LDAP runs over TCP port 389; to allow the ASA to reset users’ passwords it needs to connect via LDAPS (TCP port 636). Your AD server needs to be able to authenticate via LDAPS, which by default it will not. I’ve already covered how to set that up in another post; see the following article.

Windows Server 2012 – Enable LDAPS

So, assuming the AD server(s) that the Cisco ASA is authenticating against are already set up, you need to ensure that your AAA settings for LDAP are set to use port 636.

Enable LDAPS via Command Line

On my test network I only have one LDAP server in my LDAP AAA group, you may need to repeat this procedure for each one in yours.

[box]

Petes-ASA(config)# aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
Petes-ASA(config-aaa-server-host)# server-port 636

[/box]

Enable LDAPS From within the ASDM

Log into the ASDM > Configuration > Device Management > Users/AAA > Select the LDAP Server Group > Select the Server > Edit > Enable LDAP over SSL > Server Port = 636.

Note: If you attempt to reset a user password without LDAPS, then you will see the following error;

Unwilling to perform password change

Next you need to edit the AnyConnect connection profile to allow password resets. Or the tunnel-group if you work at command line.

Allow Password Reset via Command Line

[box]

Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# password-management password-expire-in-days 3

[/box]

Allow Password Reset via ASDM

Connect to the ASDM > Configuration > Remote Access VPN > Network Client remote Access > AnyConnect Connection Profile > Select the one for AnyConnect > Edit > Advanced > General > Password Management > Enable Password Management > Select to notify the user the number of days before their password expires > OK > Apply > File > Save running configuration to flash.

Now your users have the ability to reset their password remotely when it is about to expire, and after it has expired.

If you want to test with a particular user you can set their password to ‘expired’ using the following procedure;

Reset an AD Users Password Expiry Date

Related Articles, References, Credits, or External Links

NA

Reset an AD Users Password Expiry Date

KB ID 0001272

Problem

I was setting up a Cisco ASA this week and needed to enable the ability for users to reset their domain passwords when they are about to expire. To actually test that, I needed a test user whose password was either about to expire, or had actually expired. As I didn’t want to wait 42 days, or set up a password policy just for one user, I needed to find a ‘quick and dirty’ fix for one user.

Solution

You need to open Active Directory Users and Computers, and you need to have ‘Advanced options’ enabled. Locate your user and open their properties > Attribute Editor > Attributes > pwdLastSet.

If you want to set it to expired, then set its value to zero.

It should change to <never>, which is not strictly true; it actually changes to 12:00AM January 1st 1601.

Note: If you set its value to -1 and apply the change it resets the attribute to the current day and time (you may need to close and reopen the property dialog to see the change).
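As an added example (not from the article), the Python below shows why a pwdLastSet of 0 displays as 1601 and how the -1 sentinel and a maximum password age interact. The FILETIME epoch and tick size are Windows facts; the sample date and the 42-day policy are assumptions for illustration.

```python
"""Added example: what a pwdLastSet value means and when it makes a password
expire. pwdLastSet is a Windows FILETIME (100-nanosecond ticks since
1 January 1601 UTC), which is why 0 displays as 1601, not <never>. The
42-day maximum age and the sample date are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns units
SAMPLE_NOW = datetime(2017, 4, 1, 12, 0, tzinfo=timezone.utc)  # constructed


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count (as stored in pwdLastSet) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, e.g. the value AD writes when you store -1."""
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def effective_pwdlastset(written: int, now: datetime) -> int:
    """Value AD ends up holding after the attribute editor writes `written`:
    -1 is a sentinel meaning 'stamp with the current time' (the note above),
    0 means 'must change at next logon', anything else is a real timestamp."""
    if written == -1:
        return datetime_to_filetime(now)
    if written < 0:
        raise ValueError("pwdLastSet must be -1, 0 or a positive FILETIME")
    return written


def password_expires_at(pwd_last_set: int, max_age_days: int = 42) -> Optional[datetime]:
    """Expiry under a maximum-password-age policy; None when pwdLastSet is 0,
    because the password is already flagged as expired."""
    if pwd_last_set == 0:
        return None
    return filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)


def password_expired(pwd_last_set: int, now: datetime, max_age_days: int = 42) -> bool:
    """True if the user would be prompted to change their password now."""
    expires = password_expires_at(pwd_last_set, max_age_days)
    return expires is None or expires <= now


if __name__ == "__main__":
    print(filetime_to_datetime(0))                 # 1601-01-01 00:00:00+00:00
    fresh = effective_pwdlastset(-1, SAMPLE_NOW)   # what writing -1 produces
    print(fresh, password_expired(fresh, SAMPLE_NOW))   # ..., False
    print(password_expired(0, SAMPLE_NOW))              # True
```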

Related Articles, References, Credits, or External Links

NA

Cisco – LDAP AAA Error ‘AAA Server has been removed’

KB ID 0001271 

Problem

Seen while attempting to test AAA authentication via LDAP to a Windows Domain Controller.

Authentication test to host {IP-Address} failed. Following error occurred – 

ERROR: Authentication Server not responding: AAA Server has been removed

Solution

This is a terribly ambiguous error! What it means is that the ASA cannot bind to Active Directory, for one of the following reasons;

  • The ASA bind account password is wrong.
  • The ASA bind username, (or path to the user object) is wrong.
  • You have set the LDAP server group to use LDAPS (port 636) and the server specified as an LDAP host is not authenticating via LDAPS.
  • There is no connectivity between the ASA and the LDAP server.

You can narrow it down by running the following debug;

[box]debug ldap 255[/box]

In the following output you can see either the username or the password is wrong;

[box]

Petes-ASA(config)# debug ldap 255
debug ldap  enabled at level 255
[-2147483629] Session Start
[-2147483629] New request Session, context 0x00007fffbcc69c88, reqType = Authentication
[-2147483629] Fiber started
[-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389
[-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful
[-2147483629] supportedLDAPVersion: value = 3
[-2147483629] supportedLDAPVersion: value = 2
[-2147483629] Binding as asa
[-2147483629] Performing Simple authentication for asa to 192.168.110.10
[-2147483629] Simple authentication for asa returned code (49) Invalid credentials
[-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483629] Fiber exit Tx=207 bytes Rx=720 bytes, status=-2
[-2147483629] Session End

[/box]

In the following output you can see the firewall is trying to connect over LDAPS but the server is not configured for it (or not answering on TCP 636);

[box]

Petes-ASA(config)# debug ldap 255
debug ldap  enabled at level 255
[-2147483625] Session Start
[-2147483625] New request Session, context 0x00007fffbcc69c88, reqType = Authentication
[-2147483625] Fiber started
[-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636
[-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483625] Session End

[/box]
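As an added example (not the article’s code), here is a Python classifier that reads a ‘debug ldap 255’ capture and maps each session onto the causes listed above. The two transcripts embedded in it are constructed from the output shown above; the wording matched for a code-0 successful bind is an assumption about the ASA’s output.

```python
"""Added example: classify 'debug ldap 255' output from a Cisco ASA into the
bind failure causes listed above. The two transcripts embedded here are
constructed from the output shown above; the code-0 success wording is an
assumption about the ASA's output, the rest matches the lines shown.
"""
import re
from typing import List

# Constructed sample 1: bind username or password wrong (LDAP result code 49).
BAD_CREDENTIALS_DEBUG = """\
[-2147483629] Session Start
[-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389
[-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful
[-2147483629] Binding as asa
[-2147483629] Performing Simple authentication for asa to 192.168.110.10
[-2147483629] Simple authentication for asa returned code (49) Invalid credentials
[-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483629] Session End
"""

# Constructed sample 2: ASA set to LDAPS but nothing answering on TCP 636.
NO_LDAPS_DEBUG = """\
[-2147483625] Session Start
[-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636
[-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Session End
"""

CONNECT_RE = re.compile(r"Connect to LDAP server: (?P<uri>\S+), status = (?P<status>\w+)")
BIND_RE = re.compile(r"authentication for (?P<user>\S+) returned code \((?P<code>-?\d+)\)")


def diagnose(session: str) -> str:
    """Map one debug session onto the checklist above. Verdicts are prefixed
    'transport:', 'credentials:', 'ok:' or 'unknown:' for easy filtering."""
    connect = CONNECT_RE.search(session)
    if connect is None:
        return "unknown: no connection attempt seen; check the aaa-server config"
    uri, status = connect.group("uri"), connect.group("status")
    if status != "Successful":
        if uri.startswith("ldaps://"):
            return f"transport: {uri} unreachable; is the DC configured for LDAPS on TCP 636?"
        return f"transport: {uri} unreachable; check connectivity from the ASA to the server"
    bind = BIND_RE.search(session)
    if bind is None:
        return "unknown: connected but no bind result seen"
    user, code = bind.group("user"), bind.group("code")
    if code == "49":
        return f"credentials: bind as '{user}' rejected; check the bind password and the user's DN"
    if code == "0":  # assumed wording for a successful simple bind
        return f"ok: bind as '{user}' succeeded"
    return f"unknown: bind as '{user}' returned LDAP code {code}"


def diagnose_capture(capture: str) -> List[str]:
    """Split a longer capture on 'Session Start' and diagnose every session."""
    chunks = re.split(r"\[-?\d+\] Session Start\n", capture)
    return [diagnose(c) for c in chunks if "Creating LDAP context" in c]
```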


Related Articles, References, Credits, or External Links

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups

Cisco Licence Differences LAN-Lite / LAN Base / IP Base / IP Services

KB ID 0001270 

Problem

Actually finding the answer to this question is far more challenging than it needs to be! As usual Cisco can change this on a whim so before you purchase any equipment it’s still a good policy to check on the feature navigator.

Solution

This is about the best reference I’ve found. Although anyone who can tell me what the correct Layer 2 differences between Enterprise Access and Complete Access are, please do so!

Related Articles, References, Credits, or External Links

NA

Managing IE Settings via GPO

KB ID 0001269

Problem

There used to be a GPO setting called “Internet Explorer Maintenance” with which you could set your Internet Explorer settings, i.e. proxy server settings, home pages, etc.

This has now gone, and has been replaced with a group policy preference.


Solution

From the Group Policy Management Console > Locate the OU containing the USERS you want to link the policy to and create a new policy, then give it a sensible name.

Edit the policy.

Navigate to;

[box]User Configuration > Preferences > Control Panel Settings > Internet Settings[/box]

Select > New > “Internet Explorer {version}”.

Note: Internet Explorer 10 settings will also apply to Internet Explorer 11.

This takes a little bit of getting used to, things underlined in GREEN will be enforced with the policy, things underlined in RED will not be enforced. For each change you make you need to press F5 to make it ‘go green’, (or F6 makes all settings on the current TAB go green).

Manage IE Proxy Settings via GPO

Connections > LAN Settings > Enable ‘Use a proxy server…’ > Put in the proxy IP/name and port number > Tick ‘Bypass proxy server for local addresses’ > If you need to add proxy exemptions you can go to Advanced settings.

Ensure all settings are underlined green before you exit.

Manage IE Home Page(s) Settings via GPO

General Tab > Home Page > Add each new page as a new line.

Note: I like to open Tabs and set each new tab to open the first home page as well.

Again ensure all settings are underlined green before you exit.

Apply > OK > You will see there is now a configuration entry > Close and exit the policy editor.

You can then force a policy update on the OU you have deployed the policy to. Or run gpupdate /force on a test client.

Related Articles, References, Credits, or External Links

Defining / Locking and Managing Proxy Settings