Cisco VPN – Split Tunnel Not Working?
KB ID 0001239. Problem: Here I'm dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location. You can confirm whether split-tunnelling is working by connecting with your VPN client and looking at the routing information. Solution: Before proceeding, are you sure Split-Tunnelling has ever been...
Cisco ASA – Allowing Microsoft Activation
KB ID 0001237. Problem: Activation occurs over TCP 80 and 443, so usually this will not trip you up. However, if you are on a site with a very restrictive firewall config, then you might want to add the following. Solution: I'll break with the norm and just post the config in its entirety (just remove the comment lines, the ones beginning with "!", shown in red in the original). !The Firewall needs a domain name of its own. ! domain-name petenetlive.com ! !Setup DNS Lookups so the...
AnyConnect – The VPN Connection Failed (Domain Name Resolution)
KB ID 0001236. Problem: This is a pretty generic error, to be honest. AnyConnect Secure Mobility Client VPN: The VPN connection failed due to unsuccessful domain name resolution. Solution: Firstly (and obviously), the name you are typing in the AnyConnect window can be resolved, can't it? If not, then you might want to consider some employment that does not involve computers. Secondly (this is what usually trips me up), did you copy...
Cisco – Dissolve / Break ASA Failover Firewall Configuration
KB ID 0001234. Problem: I've written at length about setting up failover firewall configurations. But what if you already have a working pair, and you need to remove one? There are plenty of reasons to do this, e.g. another site needs a firewall in a hurry, you're replacing failover firewalls with a single firewall, or you just need to do some testing and don't have a spare. Solution: It goes without saying, before...
Cisco VPN Client Connects but no traffic will Pass
Note: May also be asked as, "Client VPN connects but cannot ping anything behind the Firewall." KB ID 0000199. Problem: If I had a pound for every time I've seen this either in the wild or asked in a forum, I would be minted! In nearly every case the problem is NAT related. In most cases, if the person launching the VPN client is behind a device that is performing NAT (Home Router, Access Point, Firewall, etc.), then the device will...
AnyConnect – ‘Your environment does not meet the criteria’
KB ID 0001232. Problem: For an existing client, I was setting up a new user. I connected their laptop through my mobile phone and attempted to connect. This is the error I got: Cisco AnyConnect Logon denied: Your environment does not meet the access criteria defined by your administrator. Solution: A cursory glance over the firewall config didn't yield anything odd in their AAA settings; they were simply using LDAP for...
Azure to Cisco VPN – ‘Failed to allocate PSH from platform’
KB ID 0001219. Problem: It's been a week for strange VPN shenanigans with Cisco and Azure. I was liaising with an Azure service provider for a customer this week, trying to get a VPN up from a Cisco ASA in one of our data centres in the UK. This is what we were seeing, and I could see the same error in the debugs: Decrypted packet:Data: 616 bytes IKEv2-PROTO-1: Failed to allocate PSH from platform IKEv2-PROTO-1: IKEv2-PROTO-5:...
Cisco ASA IKEv2 – ‘Failed To Allocate Memory’
KB ID 0001218. Problem: This week I was trying to get a VPN tunnel up for a client. They wanted a tunnel from their Cisco ASA into Microsoft Azure. Normally I'd use IKEv1 (because I know how to troubleshoot it!), but the guys running the site in Azure were using policy routing, which needs IKEv2. So I converted from IKEv1 to IKEv2. As I said, I'm used to debugging IKEv1, but not IKEv2, so I was struggling to make sense of...
Device Boots to ROMMON (Cisco ASA)
KB ID 0001199. Problem: After recently picking up some second-hand ASA5512-X firewalls, I went to run them up and make sure they were OK; however, on boot-up they went straight to ROMMON, like so: Use ? for help. rommon #0> Now, I know what ROMMON is: it's the base operating system of the device, and its job is a bit like the BIOS on a PC, in that it locates and loads the operating system. The only time you should ever see a rommon prompt...
Cisco ASA – Packet Tracer Fails VPN:Encrypt:Drop
KB ID 0001198. Problem: Sometimes when troubleshooting VPN traffic, you may choose to use the 'packet-tracer' command to simulate interesting traffic. I did this today and got: Phase: {number} Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Result: Drop-reason: (acl-drop) Flow is denied by configured rule. I replicated the error on the test bench. Solution: Below is the full packet trace;...