This was information that was passed to me by a colleague (thanks Ajay) this week. If you have a site-to-site VPN tunnel, after a period of inactivity the tunnel will be torn down. In most cases it will simply be re-established when required, but what if you wanted it to be permanently up?
I have had situations where only the ASA side of a tunnel can bring it up (usually because of misconfiguration at the ‘other end’) and that situation cannot be rectified.
Search for how to do this and the usual answer is to simply set the vpn-idle-timeout on the group policy that applies to the tunnel to none. Remember, if you haven’t specified a group policy for a tunnel it takes its settings from the DfltGrpPolicy, so you would simply do this:
[box]
Petes-HomeASA# conf t
Petes-HomeASA(config)# group-policy DfltGrpPolicy attributes
Petes-HomeASA(config-group-policy)# vpn-idle-timeout none
Petes-HomeASA(config-group-policy)# exit
Petes-HomeASA(config)# wr mem
[/box]
However, I’ve tested that AND IT DOES NOT WORK!
Solution: VPN Always UP
The solution that works is to use an event manager applet and schedule an event to happen periodically (like sending some traffic down the tunnel to keep it up). This is simple to do.
To test, simply wait a moment then issue a ‘show cry isa’ command on the firewall. You will see that there is a tunnel established. Or, if you’re too lazy, just ping something at the other end of the tunnel: in ‘most’ cases, if the first packet times out and then it starts to respond, that’s a warning the tunnel was NOT up. If it instantly responds, that’s a good indicator that the tunnel was already up.
Related Articles, References, Credits, or External Links
Certified working all the way up to macOS Ventura version 13.6
Certified working all the way up to macOS Sonoma version 14.1
I thought my RoyalTSX had broken today. I upgraded it a couple of weeks ago, and I upgraded to macOS Catalina 10.15 the other day. After this, all my SSH sessions refused to connect with this error:
Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1
Note: You may also see the following error;
Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Update: 10/04/20: With newer equipment you may see the following error;
Unable to negotiate with x.x.x.x port 22: no matching MAC found Their offer: hmac-sha2-256
Update 08/12/21: With newer Cisco equipment you may see the following error;
Unable to negotiate with x.x.x.x.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Mac SSH Error – Fix
WARNING: My usual fix for this is to edit the Mac’s ssh_config file directly and allow the older (less secure) connection methods. It has been (correctly) pointed out that this is the ‘least preferred’ method, as it will allow these less secure methods for ALL SSH connections. The preferred fix is to create a new file in your own home folder, with the connection settings for EACH SSH CONNECTION. However, I manage hundreds of firewalls, routers and switches, so that method is a little unwieldy for me. But I will include it at the end of the article, for the more security conscious of you.
Not Apple’s fault, to be fair; it’s OpenSSH version 7. SHA1 is weak, so support for it has been removed. Which is fine, but all my clients’ Cisco firewalls, routers and switches are probably all using RSA/SHA1. So until they’re all updated I’m going to need to re-enable SHA1.
Open a terminal window and execute the following:
[box]
sudo nano /etc/ssh/ssh_config
ENTER YOUR PASSWORD
[/box]
Locate the line ‘# MACs hmac-md5,hmac-sha1,hmac-sha2-256,umac-64@openssh.com,hmac-ripemd160’ and remove the hash/pound sign from the beginning, and add the extra hashing algorithm that I’ve shown above in red.
Locate the line ‘# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc’ and remove the hash/pound sign from the beginning.
To quit nano, use the Ctrl-X key combination. Because the file you are working on has been modified since the last time you saved it, you will be prompted to save the file first. Type y to save the file.
There’s no reason to reboot; it should work straight away.
But Wait – There’s More!
It’s going to happen every time you upgrade your Mac, so I’ve started taking a backup of the ssh_config file; then I can just restore it again, like so:
Using this method you will create a connection (entry) for each asset you want to connect to. This will be saved in your home directory, so if multiple people use the Mac you will need to do this for each user.
Firstly, create a config file in your home directory.
[box]
nano ~/.ssh/config
[/box]
What this does is create a blank file in which you can then create an entry for each of the assets you want to connect to. Firstly specify the hostname, then the settings for that particular asset, like so:
[box]
Host YOUR-SWITCH
    User YOUR-USER
    Port 22
    KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    Ciphers +aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
[/box]
Note: Simply add new host entries on a new line in the SAME config file.
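The per-host entry can be derived from the errors the client printed. The following Python script is an added example (it is not part of the original article) that parses OpenSSH’s ‘Unable to negotiate’ messages quoted earlier and emits a Host stanza that re-enables only the algorithms that device offered, using the + prefix so the client’s defaults stay in place and the relaxation applies to that one host. The function names (parse_negotiation_errors, host_stanza), the 192.0.2.10 address and the YOUR-SWITCH / YOUR-USER placeholders are my own.

```python
import re
from typing import Dict, List

# Which ssh_config keyword governs each algorithm class OpenSSH complains about.
_KEYWORD_FOR = {
    "key exchange method": "KexAlgorithms",
    "key exchange": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
    "host key type": "HostKeyAlgorithms",
}

# Matches the message variants quoted in the article (with or without the
# trailing full stop, and with or without the colon after "Their offer").
_ERROR_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|key exchange|cipher|MAC|host key type) found\.? "
    r"Their offer:? (?P<offer>[\w@.+-]+(?:,[\w@.+-]+)*)"
)

# Constructed sample: the four errors quoted in the article, verbatim.
SAMPLE_ERRORS = [
    "Unable to negotiate with x.x.x.x port 22: no matching key exchange found. Their offer diffie-hellman-group1-sha1",
    "Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
    "Unable to negotiate with x.x.x.x port 22: no matching MAC found Their offer: hmac-sha2-256",
    "Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1",
]


def parse_negotiation_errors(lines: List[str]) -> Dict[str, List[str]]:
    """Return {ssh_config keyword: [algorithms the server offered]} in first-seen order."""
    needed: Dict[str, List[str]] = {}
    for line in lines:
        m = _ERROR_RE.search(line)
        if m is None:
            continue  # not a negotiation failure; ignore
        algos = needed.setdefault(_KEYWORD_FOR[m.group("what")], [])
        for algo in m.group("offer").split(","):
            if algo not in algos:
                algos.append(algo)
    return needed


def host_stanza(alias: str, hostname: str, user: str,
                needed: Dict[str, List[str]], port: int = 22) -> str:
    """Build a ~/.ssh/config Host entry enabling the offered legacy algorithms for this host only."""
    lines = [f"Host {alias}", f"    HostName {hostname}", f"    User {user}", f"    Port {port}"]
    for keyword in ("KexAlgorithms", "Ciphers", "MACs", "HostKeyAlgorithms"):
        if keyword in needed:
            # '+' appends to the client's default list instead of replacing it.
            lines.append(f"    {keyword} +{','.join(needed[keyword])}")
    if "HostKeyAlgorithms" in needed:
        # Mirrors the article's entry, which re-enables ssh-rsa for both host-key
        # verification and public-key authentication.
        lines.append(f"    PubkeyAcceptedAlgorithms +{','.join(needed['HostKeyAlgorithms'])}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(host_stanza("YOUR-SWITCH", "192.0.2.10", "YOUR-USER",
                      parse_negotiation_errors(SAMPLE_ERRORS)))
```

Paste the output into ~/.ssh/config (one stanza per device) rather than into /etc/ssh/ssh_config; that way a device that still needs SHA1 key exchange or CBC ciphers gets them, and every other connection keeps the stock OpenSSH defaults.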
Related Articles, References, Credits, or External Links
Can you install ASDM on Windows 11? Yes, but as usual there are some prerequisites. Someone asked this question on EE today, so I thought I’d check.
ASDM on Windows 11 Solution
ASDM requires Java. There’s an open Java version, but to be honest most people (and certainly most older firewalls) are using the Oracle JRE, so make sure you have that installed before you do anything.
Note: Some older versions of ASDM may require older versions of Java. I like to keep my ASDM images up to date, so this never trips me up. Consider updating your firewall’s OS and ASDM images (I’ll put instructions at the bottom of the page if you’re unsure how to do that).
Browse to the interface on the firewall you have ASDM enabled on, and add /admin to the end of the URL, e.g. https://192.168.1.1/admin or https://10.1.1.1:444/admin (if you have ASDM on a non-standard port). From there select Install ASDM Launcher.
Note: If you DON’T know how to enable ASDM then read this article.
The installer (.msi) will download to your default browser’s download directory.
Run the installer.
Accept all the defaults.
Open the shortcut.
Note: At this point if you get an error that says “This app can’t run on your PC” then see this article.
All being well, your ASDM will open.
Related Articles, References, Credits, or External Links
Out of the blue this started happening (to a previously working AnyConnect deployment).
Cannot connect to this gateway. Please choose another gateway and try again
I upgraded the client, the AnyConnect package on the firewall, the OS on the firewall and the ASDM! The error would not go away.
AnyConnect Error: Solution
Sadly I’d also blown away the AnyConnect config on the firewall and rebuilt it from scratch (which caused a boatload of other problems down the line) before I finally realised what the problem was.
The previous week I’d been doing some work on my public DNS and had incorrectly set the IP address of my AnyConnect record (the IP should have been x.x.x.6 and I’d changed it to x.x.x.5). How did I find out? I simply opened a browser and went to the AnyConnect URL, and instead of looking at the firewall I was greeted with the logon screen for my Exchange server!
So make sure you have NOT got a static NAT on your firewall set to the public IP of the firewall, and that you have not port forwarded HTTPS (TCP port 443) to an internal IP.
Related Articles, References, Credits, or External Links
A colleague messaged me last week because he could not import a certificate on a FortiGate (that had been exported from a Cisco ASA). He was seeing this error;
Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert.
FortiGate Certificate Problems
A brief Google led me to ask “Is the FortiGate licensed or on a free/trial licence?” as that can (apparently) produce this error. But for us this was not the problem.
This was happening because the ASA (like Windows) exports its certificates in ‘base64’ encoding and the FortiGate does not like that, so it throws its toys out of the pram. Firstly ENSURE you exported the certificate as a PKCS12 file, like so:
Otherwise the certificate will NOT be exported with its private key, and if you import a certificate into a FortiGate without the private key you will get this error;
Certificate file is duplicated for CA/LOCAL./REMOTE/CRL cert.
We now have a copy of our exported ‘base64 encoded’ certificate. (Note: it has no file extension, don’t panic!) If it was exported from Windows it might have a .PFX extension; if yours does, simply use the following commands with that file extension.
Put it on a machine that has OpenSSL installed, or, if like me you’re a macOS user, copy it there (OpenSSL is installed by default). Firstly we have to decode the extracted certificate:
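Because the exported file has no extension and could be one of several things, it helps to check what you actually have before feeding it to OpenSSL or the FortiGate. The following Python script is an added example (not part of the original article) that tells the formats apart by their leading DER bytes: a PKCS#12 file is a SEQUENCE whose first element is the INTEGER version 3, an X.509 certificate is a SEQUENCE that starts with another SEQUENCE, and a text export from the ASA or Windows is either of those wrapped in base64, optionally between -----BEGIN/END----- lines. It decodes the base64 form to the raw .pfx bytes the FortiGate accepts and refuses a certificate-only file, which is the no-private-key case described above. The names (classify_export, to_binary_pkcs12, convert_file, armor) are my own, and the sample byte strings are constructed DER headers, not real certificates or keys.

```python
import base64
import binascii
from pathlib import Path
from typing import Optional


def _der_header_length(data: bytes) -> int:
    """Size of the tag + length bytes of the DER element at data[0]; 0 if malformed."""
    if len(data) < 2:
        return 0
    first = data[1]
    if first < 0x80:
        return 2                      # short-form length
    extra = first & 0x7F              # long form: how many length bytes follow
    return 2 + extra if 1 <= extra <= 4 and len(data) >= 2 + extra else 0


def is_pkcs12(data: bytes) -> bool:
    """PFX ::= SEQUENCE { version INTEGER (3), ... } encodes as 30 <len> 02 01 03."""
    if not data or data[0] != 0x30:
        return False
    hl = _der_header_length(data)
    return hl > 0 and data[hl:hl + 3] == b"\x02\x01\x03"


def is_x509_certificate(data: bytes) -> bool:
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... } encodes as 30 <len> 30."""
    if not data or data[0] != 0x30:
        return False
    hl = _der_header_length(data)
    return hl > 0 and len(data) > hl and data[hl] == 0x30


def _decode_base64_text(text: bytes) -> Optional[bytes]:
    """Decode base64 text, ignoring line breaks and any -----BEGIN/END----- armour lines."""
    body = b"".join(l.strip() for l in text.splitlines() if not l.strip().startswith(b"-----"))
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_export(data: bytes) -> str:
    """One of: pkcs12-der, pkcs12-base64, certificate-der, certificate-base64, unknown."""
    if is_pkcs12(data):
        return "pkcs12-der"
    if is_x509_certificate(data):
        return "certificate-der"
    decoded = _decode_base64_text(data)
    if decoded is None:
        return "unknown"
    if is_pkcs12(decoded):
        return "pkcs12-base64"
    if is_x509_certificate(decoded):
        return "certificate-base64"
    return "unknown"


def to_binary_pkcs12(data: bytes) -> bytes:
    """Return the raw PKCS#12 bytes the FortiGate expects, decoding base64 if needed."""
    kind = classify_export(data)
    if kind == "pkcs12-der":
        return data
    if kind == "pkcs12-base64":
        return _decode_base64_text(data)
    if kind.startswith("certificate"):
        raise ValueError("certificate only, no private key: re-export from the ASA as PKCS12")
    raise ValueError("unrecognised export format")


def convert_file(src: str, dst: str) -> str:
    """Read an ASA/Windows export, write a binary .pfx, and return the detected input format."""
    data = Path(src).read_bytes()
    Path(dst).write_bytes(to_binary_pkcs12(data))
    return classify_export(data)


def armor(der: bytes, label: str) -> bytes:
    """Wrap DER as 64-column base64 between -----BEGIN/END <label>----- lines (a text export)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), b"\n".join(lines), label.encode())


# Constructed samples: not real keys or certificates, only the outer DER
# structure each format starts with, so the detection logic can be exercised.
FAKE_PKCS12 = b"\x30\x82\x01\x00" + b"\x02\x01\x03" + b"\x00" * 253
FAKE_CERT = b"\x30\x82\x01\x00" + b"\x30\x82\x00\xfc" + b"\x00" * 252
SAMPLE_ASA_EXPORT = armor(FAKE_PKCS12, "PKCS12")
SAMPLE_CERT_ONLY = armor(FAKE_CERT, "CERTIFICATE")
```

Run convert_file("exported-cert", "exported-cert.pfx") on the real export, then check the result with `openssl pkcs12 -in exported-cert.pfx -info -noout` (entering the passphrase you set at export time) before importing it into the FortiGate.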
Bah, what the hell is ‘show run’? If you’ve spent years on Cisco IOS and ASA/Firepower, then FortiGate can be a little confusing. Hopefully the Cisco to FortiGate list below will make it a little easier.
Cisco to FortiGate Translation
Cisco Command → FortiGate Command
Basic commands
show run → show full-config
show version → get system status
show ip interface brief → show system interface
show run interface x/x → show system interface <port #>
show interface x/x → get hardware nic <port #> / diagnose hardware deviceinfo nic
show ip arp → diagnose ip arp list
show mac address-table → diagnose switch mac-address list | grep -i mac
show lldp neighbor → diagnose lldprx neighbor summary
show ip nat translation → get system session list
show vlan → diagnose switch vlan list
show failover → diagnose system ha status
copy running-configuration startup-configuration → execute backup config
reload → execute reboot
ping x.x.x.x → execute ping x.x.x.x
Basic Routing Commands
show ip route → get router info routing-table all
show ip route x.x.x.x → get router info routing-table details x.x.x.x
sh ip route summary → get router info routing-table all
show run | sec route-map → show router route-map
show run | sec ip prefix-list → show router prefix-list
OSPF Commands
show ip ospf neighbor → get router info ospf neighbor
show ip ospf neighbor details → get router info ospf neighbor detail all
BGP Commands
show ip bgp summary → get router info bgp summary
show run | sec router bgp → show router bgp
show ip bgp neighbor x.x.x.x routes → get router info bgp neighbors x.x.x.x routes
show ip bgp neighbor x.x.x.x advertised-routes → get router info bgp neighbors x.x.x.x advertised-routes
show ip bgp neighbor x.x.x.x received-routes → get router info bgp neighbors x.x.x.x received-routes
show ip bgp x.x.x.x → get router info bgp network x.x.x.x
VPN Commands
show crypto isakmp → diagnose vpn ike gateway list
show crypto ipsec sa → diagnose vpn tunnel list
Please comment below if you want to add any I’ve missed.
Related Articles, References, Credits, or External Links
Note: This procedure re-images a Cisco Firepower device from FTD to ASA code (in this example a Cisco FPR 1010).
Why would you want to do this? Well, to be frank, FTD is bobbins, so if you have a device running FTD code you might want to ‘convert’ it to ASA code. If you tried to do this with an older firewall (ASA 5500-X) you needed to go to Cisco TAC and try to get them to give you an activation code for the ASA. But if you are using an FPR device then YOU DON’T NEED TO DO THAT.
You might also want to do this because (at the time of writing), if you buy a Cisco FPR device running ASA code, the lead times in the UK are eye-wateringly long (200-300 days!). But you can buy a chassis running FTD code and then convert it to ASA code with the following procedure.
Solution
Connect to your FPR device with a console cable and log on as admin (the default password is Admin123, unless you have changed it, of course!). Download the latest version of ASA code for your device from Cisco; in my case (at the time of writing) that’s cisco-asa-fp1k.9.14.3.15.SPA. Copy that onto a USB drive (WARNING: the drive needs to be formatted with FAT32; the firewall will not recognise or mount the drive unless it is!). Finally, insert the USB drive into the firewall and issue the following commands.
[box]
FTD-1# scope firmware
FTD-1 /firmware # download image usbA:/cisco-asa-fp1k.9.14.3.15.SPA
Please use the command 'show download-task' or 'show download-task detail' to check download progress.
FTD-1 /firmware # show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp1k.9.14.3.15.SPA
Usb A 0 Downloading
% Download-task cisco-asa-fp1k.9.14.3.15.SPA : completed successfully.
[/box]
Note: If it says ‘failed. Download failure – USB drive is not mounted’, the drive is probably formatted incorrectly. If it says ‘Download-task failed. Failed signature validation’, then the image is probably corrupt; try again, or use a different version.
Verify the file has downloaded correctly.
[box]
show download-task
Download task:
File Name Protocol Server Port Userid State
--------- -------- --------------- ---------- --------------- -----
cisco-asa-fp1k.9.14.3.15.SPA
Usb A 0 Downloaded
[/box]
Then make sure the package is listed with a show package command.
[box]
FTD-1 /firmware # show package
Name Package-Vers
--------------------------------------------- ------------
cisco-asa-fp1k.9.13.1.2.SPA 9.13.1.2
cisco-asa-fp1k.9.14.3.15.SPA 9.14.3.15
cisco-ftd-fp1k.6.6.0-90.SPA 6.6.0-90
[/box]
Note: You can see (above) there’s an ASA code version from a previous install, and it also shows the currently running FTD code. To re-image the firewall, execute the following commands. (Note: you enter the VERSION, NOT THE FILENAME!)
[box]
FTD-1 /firmware # scope auto-install
FTD-1 /firmware/auto-install # install security-pack version 9.14.3.15
The system is currently installed with security software package 6.6.0-90, which has:
- The platform version: 2.8.1.105
- The CSP (ftd) version: 6.6.0.90
If you proceed with the upgrade 9.14.3.15, it will do the following:
- upgrade to the new platform version 2.8.1.172
During the upgrade, the system will be reboot
Do you want to proceed ? (yes/no):yes {Enter}
This operation upgrades firmware and software on Security Platform Components
Here is the checklist of things that are recommended before starting Auto-Install
(1) Review current critical/major faults
(2) Initiate a configuration backup
Do you want to proceed? (yes/no):yes {Enter}
Triggered the install of software package version 9.14.3.15
Install started. This will take several minutes.
For monitoring the upgrade progress, please enter 'show' or 'show detail' command.
FTD-1 /firmware/auto-install #
[/box]
Now go and have a coffee; it will take 20 minutes and a few reboots before it’s finished. When completed you should see a login prompt. Log in with admin/Admin123 and reset the password.
[box]
firepower-1010 login: admin
Password: Admin123
Successful login attempts for user 'admin' : 1
Last failed login: Sun Nov 21 16:55:16 UCT 2021 on ttyS0
There was 1 failed login attempt since the last successful login.
Hello admin. You must change your password.
Enter new password: password123
Confirm new password: password123
Your password was updated successfully.
[/box]
Then connect to the ASA CLI with the connect asa command. Go to enable mode, and set the enable password. Finally, save the config.
[box]
firepower-1010# connect asa
firepower-1010# Verifying signature for cisco-asa.9.14.3.15 ...
Verifying signature for cisco-asa.9.14.3.15 ... success
ciscoasa>
ciscoasa> enable
The enable password is not set. Please set it now.
Enter Password: password123
Repeat Password: password123
Note: Save your configuration so that the password can be used for FXOS failsafe access and persists across reboots
("write memory" or "copy running-config startup-config").
ciscoasa# write memory
Building configuration...
Cryptochecksum: a607255a a64f2898 97bb6b40 9a8ff25c
[/box]
You will now be running ASA code with the factory settings (Inside 192.168.1.1/24, Management 192.168.45.1/24 (with DHCP enabled), Outside set to get IP dynamically, and all traffic allowed out).
Remember, if you’re a ‘lightweight’ and can’t use the command line, then you will need to install and configure the ASDM 🙂
Related Articles, References, Credits, or External Links
I was in a forum last week and someone asked, “Can I enable Azure MFA on my RADIUS server to secure access to my switches and routers etc.?” It turns out that if you want to enable Azure MFA with Microsoft NPS it’s actually quite simple.
So I’m using RADIUS auth (above) on my NPS server, and it’s simply checking that the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event (in my case, sending a request to the Microsoft Authenticator application on my Android phone).
Azure MFA With Microsoft NPS Pre-Requisites
The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license.
“But I can use the Authenticator App with my Office 365 subscription?”
Well, yes you can, but we are not authenticating to Office 365, are we?
Below you can prove the licence is allocated in Office 365.
And the same in Azure AD.
Now your user needs to have MFA enabled (this should be pretty obvious). To use the Microsoft Authenticator application, the USER chooses that method of authentication when you enable MFA for them (the first time they log in). You can re-force that from the following screen if you wish.
Now, for some reason, installing NPS does not open the correct ports on the Windows Firewall, so issue the following command:
[box]
Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any
[/box]
Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)
You will need to know what your Azure Tenant ID is. Keep a copy of this handy, either in Notepad or on the clipboard, because you will need it in a minute.
Below you can see I’ve got my domain user; their remote access (Dial-in tab) is set to control access through policy, and I’ve placed them in a security group called SG-Azure-MFA.
Configure NPS for RADIUS Access
Note: You may already have this configured; if so, please skip to the next section.
The first task is to define the RADIUS CLIENT. In my case it will be a Cisco firewall; yours could be any device that requires RADIUS authentication. Locate RADIUS Clients > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password; you will need to add this to the RADIUS client’s config) > OK.
Policies > Network Policies > New > Give it a sensible name > Next.
Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.
Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.
Accept all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’ > Click Yes if you want to read the warning > Next > Accept all the defaults from this point forward. Note that with PAP the user’s password is protected only by the RADIUS shared secret, so keep the firewall-to-NPS path on a trusted network and use a long shared secret.
Remember to RAISE the RADIUS timeout; by default it’s 10 seconds, I raised it to 30 seconds.
And on my phone I get prompted to allow.
Authentication successful!
Troubleshooting (NPS Azure MFA Not Working)
Event ID 6274: The Request Was Discarded by a third-party extension DLL file.
This happens when the user you are authenticating does not have the correct licence in Azure (or you have just allocated the licence and have not waited a while).
Full Error
[box]
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 15/07/2021 16:42:58
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: PNL\tanya.long
Account Name: tanya.long
Account Domain: PNL
Fully Qualified Account Name: pnl.com/PNL/Users/Tanya Long
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 192.168.254.254
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 6
RADIUS Client:
Client Friendly Name: Firewall
Client IP Address: 192.168.254.254
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: NP-Azure-MFA
Authentication Provider: Windows
Authentication Server: PKI-02.pnl.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.
[/box]
Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection
In my case I had to re-install the NPS Azure extension.
Full Error
[box]
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 15/07/2021 17:24:39
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: tanya.long
Account Domain: PNL
Fully Qualified Account Name: PNL\tanya.long
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 192.168.254.254
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 10
RADIUS Client:
Client Friendly Name: Firewall
Client IP Address: 192.168.254.254
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: PKI-02.pnl.com
Authentication Type: Extension
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 21
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
[/box]
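When more than one user is affected it is quicker to pull the relevant fields out of the events than to read each one by hand. The following Python script is an added example (not from the original article): it parses the ‘Key: Value’ body of the NPS security events shown above into their sections and maps the Reason Code to the fix the article found for it (9 for the licence case, 21 for the extension case). The two samples are trimmed copies of the events above; REASON_HINTS, parse_nps_event, triage and summary_line are my own names.

```python
from typing import Dict

# Reason codes met in the article, with the fix that worked for each.
REASON_HINTS = {
    9: "Discarded by the Azure MFA extension DLL: check the user holds the required "
       "Azure licence, and allow time if it was only just assigned.",
    21: "Rejected by the NPS extension DLL: re-install the NPS Azure MFA extension.",
}

# Constructed samples: trimmed copies of the two events quoted above.
SAMPLE_6274 = """\
Log Name: Security
Event ID: 6274
Keywords: Audit Failure
User: N/A
Computer: PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.
User:
Security ID: PNL\\tanya.long
Account Name: tanya.long
Account Domain: PNL
NAS:
NAS IPv4 Address: 192.168.254.254
RADIUS Client:
Client Friendly Name: Firewall
Authentication Details:
Network Policy Name: NP-Azure-MFA
Authentication Type: PAP
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.
"""

SAMPLE_6273 = """\
Log Name: Security
Event ID: 6273
Keywords: Audit Failure
Computer: PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.
User:
Account Name: tanya.long
Account Domain: PNL
NAS:
NAS IPv4 Address: 192.168.254.254
RADIUS Client:
Client Friendly Name: Firewall
Authentication Details:
Network Policy Name: -
Authentication Type: Extension
Reason Code: 21
Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
"""

Event = Dict[str, Dict[str, str]]


def parse_nps_event(text: str) -> Event:
    """Split an NPS event body into sections: top-level fields go under "_", a bare
    'Name:' line opens a new section, and lines with no colon (the Description
    paragraph) are collected as that section's _text."""
    sections: Event = {"_": {}}
    current = "_"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            sections[current]["_text"] = (sections[current].get("_text", "") + " " + line).strip()
        elif value == "":
            current = key
            sections.setdefault(current, {})
        else:
            sections[current][key] = value
    return sections


def triage(event: Event) -> Dict[str, object]:
    """Pull out the fields needed to decide what went wrong and for which RADIUS client."""
    top, auth = event["_"], event.get("Authentication Details", {})
    code = int(auth.get("Reason Code", "0"))
    return {
        "event_id": int(top.get("Event ID", "0")),
        "account": event.get("User", {}).get("Account Name", "?"),
        "nas_ip": event.get("NAS", {}).get("NAS IPv4 Address", "?"),
        "radius_client": event.get("RADIUS Client", {}).get("Client Friendly Name", "?"),
        "policy": auth.get("Network Policy Name", "-"),
        "auth_type": auth.get("Authentication Type", "?"),
        "reason_code": code,
        "hint": REASON_HINTS.get(code, "Not one of the article's cases; read the Reason text."),
    }


def summary_line(t: Dict[str, object]) -> str:
    return (f"event {t['event_id']} user={t['account']} nas={t['nas_ip']} client={t['radius_client']} "
            f"policy={t['policy']} reason={t['reason_code']}: {t['hint']}")


if __name__ == "__main__":
    for sample in (SAMPLE_6274, SAMPLE_6273):
        print(summary_line(triage(parse_nps_event(sample))))
```

The NAS IPv4 Address and Client Friendly Name tell you which device sent the request, and Network Policy Name shows whether a policy matched at all (it is ‘-’ in the 6273 event), which is the first thing to check before blaming the extension.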
Related Articles, References, Credits, or External Links
We have been asking for this for years! Even on my home network I’ve not been able to allocate an ASA DHCP reservation for my laptop and my MyCloud drive. I’ve been in discussions in forums with people who are convinced that putting a static ARP entry into the ASA would solve the problem (it doesn’t – I tested it extensively!)
But finally, in version 9.13(1), we can now add a static DHCP reservation (MAC address to IP address).
Then simply add the reservation. You need to specify the MAC address as xxxx.xxxx.xxxx (that’s with full stops, not colons). If in doubt, ping the existing IP address then execute a ‘show arp’ command to show all the MAC addresses the firewall can see, so you can copy/paste it into the following command:
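The MAC format is the part that usually trips people up, since most other systems show it with colons or hyphens. The following Python script is an added example (not part of the original article) that takes a MAC in any of the usual notations, or looks one up for an IP in the ‘show arp’ output mentioned above, and returns it in the xxxx.xxxx.xxxx form the ASA wants, rejecting anything that is not 12 hex digits. The ‘show arp’ lines are constructed sample output, and asa_mac / mac_for_ip are my own names.

```python
import re
from typing import Optional

_HEX12 = re.compile(r"[0-9a-f]{12}")

# Constructed sample of ASA 'show arp' output: interface, IP, MAC, age in seconds.
SAMPLE_SHOW_ARP = """\
        inside 192.168.1.20 0050.56aa.1b2c 14
        inside 192.168.1.30 a4c3.f012.9988 120
        outside 203.0.113.1 00d0.0c12.3456 7
"""


def asa_mac(mac: str) -> str:
    """Normalise aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff to the ASA's xxxx.xxxx.xxxx form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()   # drop separators, keep hex digits only
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def mac_for_ip(show_arp: str, ip: str) -> Optional[str]:
    """Return the MAC the firewall has cached for ip in 'show arp' output, or None if absent."""
    for line in show_arp.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == ip:
            return asa_mac(fields[2])
    return None


if __name__ == "__main__":
    print(asa_mac("00:50:56:AA:1B:2C"))
    print(mac_for_ip(SAMPLE_SHOW_ARP, "192.168.1.30"))
```

Ping the host first so the ARP entry is fresh; if mac_for_ip returns None the firewall has not seen the host on that interface yet.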