Cisco ASA – Adding New Networks to Existing VPNs
KB ID 0001240 Problem Note: To add new subnets to an AnyConnect Remote Access VPN, see the following article instead; Cisco ASA – Adding New Networks to AnyConnect VPNs I see this get asked in forums A LOT, so I though I’d get around to getting it written up. If you have an existing VPN to a remote site and then need to add another network how do you do it? Well that depends on where the new network is, and how it’s...
Cisco VPN – Split Tunnel Not Working?
KB ID 0001239 Problem Here I’m dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location. You can confirm that split-tunnelling is working or not by connecting with your VPN client and looking at the routing information. Solution Before proceeding are you sure Split-Tunnelling has ever been...
Cisco ASA – Allowing Microsoft Activation
KB ID 0001237 Problem Activation occurs over TCP 80 and 443, so usually this will not trip you up. However if you are on a site with a very restrictive firewall config, then you might want to add the following. Solution I’ll break with the norm, and just post the config in its entirety, (just remove the comments in red.) !The Firewall needs a domain name of its own. ! domain-name petenetlive.com ! !Setup DNS Lookups so the...
AnyConnect – The VPN Connection Failed (Domain Name Resolution)
KB ID 0001236 Problem This is a pretty generic error to be honest. AnyConnect Secure Mobility Client VPN The VPN connection failed due to unsuccessful domain name resolution. Solution Firstly, (and obviously) the name you are typing in the AnyConnect window can be resolved can’t it? If not then you might want to consider some employment that does not involve computers. Secondly (this is what usually trips me up) did you copy...
Cisco – Dissolve / Break ASA Failover Firewall Configuration
KB ID 0001234 Problem I’ve written at length about setting up failover firewall configurations. But what if you already have a working pair, and you need to remove one? There’s plenty of reasons to do this, i.e. another site needs a firewall in a hurry, you’re replacing failover firewalls with a single firewall, or you just need to do sone testing and don’t have a spare. Solution It goes without saying, before...
Cisco VPN Client Connects but no traffic will Pass
Note: May also be asked as, Client VPN connects but cannot ping anything behind the Firewall. KB ID 0000199 Problem If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related. In most cases, If the person launching the VPN client is behind a device that is performing NAT, (Home Router, Access Point, Firewall, etc) then the device will...
AnyConnect – ‘Your environment does not meet the criteria’
KB ID 0001232 Problem For an existing client, I was setting up a new user. I connected their laptop though my mobile phone and attempted to connect. This is the error I got. Cisco AnyConnect Logon denied: Your environment does not meet the access criteria defined by your administrator. Solution A cursory glance over the firewall config didn’t yield anything in their AAA settings that was odd, they were simply using LDAP for...
Setting Up Meraki MDM
KB ID 0001226 Problem As is usually the case with Meraki this is pretty simple to setup. If you are familier with Meraki and have not deployed MDM before then stop a second. I mistakenly setup a dashboard for a client recently, (like I usually do with Meraki deployments). Then could not work out how to add the MDM component without an order number! Meraki MDM is free (up to 100 devices) which is great, but BE WARNED, register 101...
Microsoft Azure To Cisco ISR Router Site to Site VPN
KB ID 0001220 Problem Last week I was having problems getting a VPN up from a client’s Cisco ASA into Azure. This was because the Azure estate was using ‘route-based’ or a ‘dynamic routing VPN’. See the following article; Azure to Cisco VPN – ‘Failed to allocate PSH from platform’ So the firewall was a non-starter, but Cisco ISR routers are supported, and they can handle virtual tunnel interfaces...
Azure to Cisco VPN – ‘Failed to allocate PSH from platform’
KB ID 0001219 Problem It’s been a week for strange VPN shenanigans with Cisco and Azure. I was liaising with an Azure service provider for a customer this week, and trying to get a VPN up from a Cisco ASA in one of our data centres in the UK. This is what we were seeing; And I could see the same error in the debugs; Decrypted packet:Data: 616 bytes IKEv2-PROTO-1: Failed to allocate PSH from platform IKEv2-PROTO-1: IKEv2-PROTO-5:...