Cisco – Testing AAA Authentication (Cisco ASA and IOS)
Apr17


KB ID 0001175  Problem I always forget the syntax for this, and I’ve been meaning to publish this for a while so here you go. If you have AAA set up and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step! Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well.   Solution Cisco ASA Test AAA Authentication From...


Cisco FirePOWER SFR Module Cannot Ping

KB ID 0001174  Problem On a newly deployed FirePOWER service module I wanted to test connectivity and attempted to ping a public IP address. This is what happened; > expert admin@Petes-SFR:~$ ping 8.8.8.8 ping: icmp open socket: Operation not permitted My first thought was, “Well you have to set a default gateway on the SFR when you set it up, so the firewall is probably blocking ICMP”. So I checked the default policy...

Cisco Firepower Services – Change IP and DNS Addresses
Apr07


KB ID 0001173  Problem If you change your internal LAN addresses it’s easy to re-ip the firewall but what about the FirePOWER module? If you manage your SFR from the ASDM it will tell you what the IP is, but it won’t let you change it?   Solution Change the FirePOWER Module IP Address Log into the firewall, then open a session with the SFR module. Find the physical address of the module (usually eth0, but check). Petes-ASA#...

Cisco FirePOWER – Adding a Static Route
Apr05


KB ID 0001172 Problem Routing traffic back from the ASA, in most cases you will have a static route (or routes) tied to the inside interface of the firewall. Or you may have dynamic routing if your network is a little more complex. But your FirePOWER module is essentially a small Linux box sat inside the firewall, it has its own network connection and maintains its own routing table. You may have already noticed if your FirePOWER...

Cisco IOS – DHCP Helper (DHCP Relay) – IP-Helper Setup
Mar23


KB ID 0001168  Problem Cisco documentation calls this a ‘DHCP Relay’, and uses the command IP-Helper, and I usually call this DHCP Helper, just to confuse everyone. To be fair the term DHCP Relay is an industry standard, it’s not particular to Cisco (as you will see later when I Wireshark the traffic). So if you are reading this you have a DHCP server and you want to use it to lease addresses to clients that are on a...

Cisco IOS – An interface whose trunk encapsulation is “Auto” can not be configured to “trunk” mode.
Mar19


KB ID 0001167 Problem If you try and change a port’s status, to make it a trunk port, you may see this error; Petes-Switch(config-if)#switchport mode trunk Command rejected: An interface whose trunk encapsulation is “Auto” can not be configured to “trunk” mode. Trunk Settings I don’t know if this is a throwback to when we had ISL trunking and 802.1q, but you need to specify the encapsulation before you can...

Re-Image and Update the Cisco FirePOWER Services Module
Mar03


KB ID 0001164 Problem This takes ages! Seriously, if it’s late in the afternoon you might want to do this tomorrow morning, or leave the re-imaging running overnight. (Remember if you set the FirePOWER module to ‘fail-closed’, you will lose internet access, so you might want to change that to ‘fail-open’ as well). The process is a LOT EASIER to do in the ASDM, I’m not usually an advocate of the GUI,...

Cisco FirePOWER – Update Fails ‘Peer Registration Failed: Registration in Progress’
Mar02


KB ID 0001162  Problem If you attempt to perform an update on the FirePOWER services module in your firewall, you may see the following error; Error Installation Failed: Peer registration in progress. Please retry in a few moments I found myself in this situation because I’d attempted to register the firewall in the FirePOWER Management Center Appliance, and the process failed, (because the versions were different). So when I...

Cisco Small Business (SG500) Link Aggregation (LAG) With LACP
Feb26


KB ID 0001277  Problem At work a client was having trouble with a NAS Drive (Buffalo Terastation). It was being used as a backup target and some of the servers were dropping connections. I knew the client had some Catalyst 3750s, so I suggested going and creating an Ether Channel to the two NICs in the NAS box, to try and cure the problem. However when I went onsite, I noticed the 3750 didn’t have any spare Gigabit ports...

ASA Setup FirePOWER Services (for ASDM)
Feb20


KB ID 0001107  Problem Both the 5506-X (rugged version and wireless), and 5508-X now come with a FirePOWER services module inside them. This can be managed from either ASDM* (with OS and ASDM upgraded to the latest version), and via the FireSIGHT management software/appliance. Related Articles, References, Credits, or External Links *UPDATE: All ASA ‘Next-Gen’ firewalls can now have their Firepower Service Module managed...
