Cisco ASA: Keep VPN Always Up

VPN Always UP KB ID 0001839

Problem

This was information that was passed to me by a colleague (thanks Ajay) this week. If you have a site-to-site VPN tunnel, after a period of inactivity the tunnel will be torn down. In most cases it will simply be re-established when required, but what if you wanted it to be permanently up?

I have had situations where only the ASA side of a tunnel can bring it up (usually because of misconfiguration at the ‘other end‘) and that situation cannot be rectified.

Search for how to do this and the usual answer is to simply set vpn-idle-timeout to none on the group policy that applies to the tunnel. Remember, if you haven’t specified a group policy for a tunnel it takes its settings from the DfltGrpPolicy, so you would simply do this.

[box]

Petes-HomeASA# conf t
Petes-HomeASA(config)# group-policy DfltGrpPolicy attributes
Petes-HomeASA(config-group-policy)# vpn-idle-timeout none
Petes-HomeASA(config-group-policy)# exit
Petes-HomeASA(config)# wr mem

[/box]

However, I’ve tested that AND IT DOES NOT WORK!

Solution : VPN Always UP

The solution that works is to use an event manager applet and schedule an action to run periodically (i.e. send some traffic down the tunnel to keep it up). This is simple to do. Two things to get right: the source and destination of the traffic you send must be covered by the tunnel’s crypto ACL (the ‘interesting traffic‘ that brings the tunnel up), otherwise the packets simply follow the normal route and nothing is triggered; and the timer interval must be shorter than the idle timeout, which is why 1500 seconds is used below (the default vpn-idle-timeout is 30 minutes).

[box]

Petes-HomeASA# conf t
Petes-HomeASA(config)# event manager applet VPN-Always-UP
Petes-HomeASA(config-applet)# event timer watchdog time 1500
Petes-HomeASA(config-applet)# action 1 cli command "ping tcp inside 192.168.100.3 80 source 10.254.254.212 55555 repeat 2"
Petes-HomeASA(config-applet)# output none
Petes-HomeASA(config-applet)# exit
Petes-HomeASA(config)# exit
Petes-HomeASA# write mem
Building configuration...
Cryptochecksum: b81da41e 32a6843e 07680a8f aaacd646

10988 bytes copied in 0.370 secs
[OK]
Petes-HomeASA#

[/box]

To test, simply wait a moment then issue a ‘show crypto isakmp sa‘ (show cry isa) command on the firewall; you should see an SA to the peer (IKEv1 shows a state of MM_ACTIVE, IKEv2 shows UP-ACTIVE). Or, if you’re too lazy, just ping something at the other end of the tunnel: in ‘most‘ cases, if the first packet times out and then it starts to respond, that’s a warning the tunnel was NOT up. If it responds instantly, that’s a good indicator that the tunnel was already up.

Related Articles, References, Credits, or External Links

Thanks to Ajay Mandava for the article.

Bring up a VPN Tunnel From the ASA

Insufficient access rights Error Code 8344

Error Code 8344 KB ID 0001636

Problem

With Azure AD Connect synchronisation, you may notice the following error when you look at your connector status in Synchronisation Service Manager;

Error: permission-issue
Connected data source error code: 8344
Connected data source error: Insufficient access rights to perform this operation.

Solution: Error Code 8344

Firstly, ensure that the account you are running AAD sync under has the following permissions on the ‘root’ of your local AD domain. Bear in mind these are the rights that allow the account to replicate every object, password hashes included (which is exactly what password hash sync needs), so treat this account as a domain-admin-equivalent credential and protect it accordingly.

  • Replicating Directory Changes: Allow
  • Replicating Directory Changes All: Allow

If the problem persists it’s usually because the account that is running the AAD sync does not have the appropriate rights to the mS-DS-ConsistencyGuid attribute for the affected users in the local Active Directory. The following commands will add the appropriate rights to ALL your local users;

[box]

# Account Azure AD Connect uses against local AD, in DOMAIN\user form
$accountName = "Domain-Name\User-Name" 
# Distinguished name of the domain root; the ACE is granted here and inherited downwards
$ForestDN = "DC=Domain-Name,DC=Domain-Extension"
# dsacls switches: /I:S = inherit to sub-objects only, /G = grant;
# the ACE is WP (Write Property) on ms-ds-consistencyGuid, scoped to 'user' objects
$cmd = "dsacls '$ForestDN' /I:S /G '`"$accountName`":WP;ms-ds-consistencyGuid;user'"
Invoke-Expression $cmd

[/box]

Lastly, if you only have this problem on some ‘sporadic’ users, check that inheritance is enabled on their individual user objects before retrying; an ACE granted at the domain root never reaches an object whose inheritance is blocked. Note that members of protected groups (Domain Admins etc., adminCount = 1) have inheritance re-disabled by AdminSDHolder/SDProp roughly every hour, so for those accounts the fix is to exclude them from sync rather than keep re-enabling inheritance.
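To find out which users the sync account actually cannot write to, and whether blocked inheritance or AdminSDHolder is the reason, here is an added PowerShell check (my example, not from the original article or from Microsoft). It assumes the RSAT ActiveDirectory module on a domain-joined machine; $accountName is a placeholder you replace with the real connector account.

```powershell
# Added example, not from the original article: audit which enabled users the
# AAD Connect account cannot write ms-DS-ConsistencyGuid on, and why.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine, and that
# $accountName (a placeholder) is replaced with the real connector account.
Import-Module ActiveDirectory

$accountName = "Domain-Name\User-Name"   # placeholder, DOMAIN\user form

# Attribute-level ACEs carry the attribute's schemaIDGUID as their ObjectType,
# so resolve it from the schema rather than hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrDef  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter "(lDAPDisplayName=mS-DS-ConsistencyGuid)" `
                -Properties schemaIDGUID
$consistencyGuid = [guid]$attrDef.schemaIDGUID
$writeProperty   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Test-ConsistencyGuidWrite {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)
    $acl = $User.nTSecurityDescriptor
    # The account can write the attribute if an Allow ACE for it carries WriteProperty
    # on either this specific attribute or on all properties (empty ObjectType GUID).
    $matching = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $accountName -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProperty) -ne 0) -and
        ($_.ObjectType -eq $consistencyGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{
        SamAccountName       = $User.SamAccountName
        CanWriteGuid         = [bool]$matching
        InheritanceBlocked   = $acl.AreAccessRulesProtected   # the inherited ACE from the root never arrives
        AdminSDHolderManaged = ($User.adminCount -eq 1)       # SDProp will re-block inheritance hourly
    }
}

# Report only the users the sync account cannot write to, blocked-inheritance cases first
Get-ADUser -Filter 'enabled -eq "true"' -Properties nTSecurityDescriptor, adminCount |
    ForEach-Object { Test-ConsistencyGuidWrite -User $_ } |
    Where-Object { -not $_.CanWriteGuid } |
    Sort-Object InheritanceBlocked -Descending |
    Format-Table -AutoSize
```

Anything listed with InheritanceBlocked = True and AdminSDHolderManaged = True will keep coming back however many times you tick ‘include inheritable permissions’, so those are the ones to filter out of the sync scope.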


If the problem persists use the AD Connect Troubleshooter.

Fix Error Code 8344 with AD Connect Troubleshooter

Open Azure AD Connect > Configure.

Troubleshoot > Next > Troubleshooting > Launch.

Option 4 > Note: At this point you may or may not be asked to install the RSAT tools, if so enter Y {Enter} > Option 12 > Y {Enter} > E {Enter} > Type in the name of the connector (in the example below that’s pnl.com).

You will be prompted to authenticate with an administrative account, then you will have to accept each change by typing A {Enter}. You will need to do this SEVEN TIMES.

When complete force a full initial replication.

[box]

# The cmdlet is Start-ADSyncSyncCycle (from the ADSync module); Initial = full sync
Start-ADSyncSyncCycle -PolicyType Initial

[/box]

At this point go and have a cup of coffee, then come back and check Synchronisation Service Manager. You should now be error free.

Related Articles, References, Credits, or External Links

NA

PowerShell Inventory Operating Systems in Active Directory

PowerShell Inventory KB ID 0001838

Problem

I needed to get a list of operating systems ‘in use‘ in my Active Directory this week. Bear in mind this will pull information from all enabled computer accounts in AD, so if you are ‘not good‘ at tidying out old machines and servers you might get a lot of garbage in your output! Also note the operating system attributes are written by each computer itself (at domain join and on boot), so they are only as accurate as the last time that machine talked to a domain controller.

Solution: PowerShell Inventory

Use the following PowerShell.

[box]

Get-ADComputer -Filter 'enabled -eq "true"' `
-Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property Operatingsystem |
Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address

[/box]

All being well, your output should look something like this.

If you wanted to output that information to CSV then use the following.

[box]

Get-ADComputer -Filter 'enabled -eq "true"' `
-Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property Operatingsystem |
Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Export-Csv -Path "C:\Temp\AD-Operating-Systems.csv" -NoTypeInformation

[/box]

If you wanted to output that information to HTML then use the following.

[box]

Get-ADComputer -Filter 'enabled -eq "true"' `
-Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property Operatingsystem |
Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
ConvertTo-Html | Out-File C:\Temp\AD-Operating-Systems.htm

[/box]
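The raw list tells you what is in AD, not what is actually alive or what you should worry about. Here is an added example (mine, not from the original article) that builds on the same Get-ADComputer query to flag stale accounts and machines running an out-of-support OS. It assumes the RSAT ActiveDirectory module; the 90-day staleness threshold and the end-of-support table are this example’s own assumptions, so adjust them for your environment.

```powershell
# Added example, not from the original article: the same inventory, with
# staleness and end-of-support context. Assumes the RSAT ActiveDirectory module.
# The threshold and the end-of-support table are assumptions; adjust to suit.
Import-Module ActiveDirectory

$StaleAfterDays = 90   # assumed threshold for "not seen recently"

# Assumed mapping: OS name prefix -> end of extended support (Microsoft lifecycle dates)
$EndOfSupport = @{
    'Windows 7'           = [datetime]'2020-01-14'
    'Windows 8.1'         = [datetime]'2023-01-10'
    'Windows Server 2008' = [datetime]'2020-01-14'   # prefix also covers 2008 R2
    'Windows Server 2012' = [datetime]'2023-10-10'   # prefix also covers 2012 R2
}

function Get-AdOsInventory {
    param([int]$StaleDays = $StaleAfterDays)
    # LastLogonDate is derived from lastLogonTimestamp, which only replicates
    # every 9-14 days, so treat it as approximate rather than an exact last-seen time.
    Get-ADComputer -Filter 'enabled -eq "true"' `
        -Properties Name, OperatingSystem, OperatingSystemVersion, IPv4Address, LastLogonDate |
    ForEach-Object {
        $os  = $_.OperatingSystem
        $eol = $EndOfSupport.Keys |
               Where-Object { $os -like "$($_)*" } |
               ForEach-Object { $EndOfSupport[$_] } |
               Select-Object -First 1
        [pscustomobject]@{
            Name                   = $_.Name
            OperatingSystem        = $os
            OperatingSystemVersion = $_.OperatingSystemVersion
            IPv4Address            = $_.IPv4Address
            LastLogonDate          = $_.LastLogonDate
            Stale                  = (-not $_.LastLogonDate) -or
                                     ($_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
            OutOfSupport           = ($null -ne $eol) -and ($eol -lt (Get-Date))
        }
    }
}

$inventory = Get-AdOsInventory

# Summary: live machines per OS, and how many of each are out of support
$inventory | Where-Object { -not $_.Stale } |
    Group-Object OperatingSystem |
    Select-Object @{n='OperatingSystem'; e={$_.Name}}, Count,
                  @{n='OutOfSupport';    e={($_.Group | Where-Object OutOfSupport).Count}} |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Detail: the ones to act on first - still active but running an unsupported OS
$inventory | Where-Object { -not $_.Stale -and $_.OutOfSupport } |
    Sort-Object OperatingSystem, Name |
    Export-Csv -Path "C:\Temp\AD-Unsupported-OS.csv" -NoTypeInformation
```

The stale accounts it excludes from the summary are worth a separate pass of their own: a computer account that has not authenticated in months is an orphaned credential in AD and should be disabled rather than left in the inventory.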

Related Articles, References, Credits, or External Links

NA