ASA – Memory Error (Post upgrade to version 8.3)
Nov17

KB ID 0000553

Problem

I’ve split this article away from this one, as it tripped me up again this week, so I think it deserves an article of its own. Some ASA firewalls that shipped prior to February 2010 may need a hardware memory upgrade before you can update them to version 8.3 and beyond. If not, you will see the following memory error (as seen on an ASA5510):

************************************************************* ** **...

Cisco ASA 5500 – Reset / Recycle VPN Tunnels
Nov17

KB ID 0000586

Problem

I’ve been asked this before, and it came up on EE today: you have a site-to-site VPN tunnel and you either want to restart it or reset it.

Solution

Cisco ASA Reset ALL VPN Tunnels

1. Connect to your ASA, then to reset ALL your ISAKMP VPN tunnels use the following command (note that this tears down every tunnel on the firewall, not just the one you are troubleshooting):

clear crypto isakmp sa

In the example below I’ve reset ALL my tunnels. I had a constant ping running across the VPN, and...

IP Address Conflicts with VMware ESX and Cisco ASA
Nov17

KB ID 0000635

Problem

My colleague was setting up a DMZ server for one of our clients; it was a virtual server presented to the DMZ of a Cisco ASA 5510. Every time he gave it a static IP address, Windows popped up an IP address conflict (no matter what the IP address was):

Windows has detected an IP address conflict
Another computer on this network has the same IP address as this computer. Contact your network administrator for...

Update Cisco ASA – Directly from Cisco (via ASDM)
Nov17

KB ID 0000636

Problem

Warning: Before upgrading/updating the ASA to version 8.3 (or higher), check that you have the correct amount of RAM in the firewall (the “show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.

ASA – Memory Error (Post upgrade to version 8.3)

Warning 2: Be aware, if you are upgrading to an OS of...

Windows Server Setup RADIUS for Cisco ASA 5500 Authentication
Nov17

KB ID 0000685

Problem

Note: The procedure is the same for Server 2016 and 2019.

This week I was configuring some 2008 R2 RADIUS authentication, so I thought I’d take a look at how Microsoft have changed the process for 2012. The whole thing was surprisingly painless. I will say that Kerberos authentication is a LOT easier to configure, but I’ve yet to test that with 2012 (watch this space).

Solution

Step 1 Configure the...

Cisco ASA 5500 – Using a Third Party Digital Certificate
Nov17

(For Identification, AnyConnect, and SSL VPN)

KB ID 0000694

Problem

A client asked me how to do this, so off I went to the test bench to work it out.

Note: In this example I’m going to submit the request to, and issue the certificate from, my own Windows domain certificate authority; you would send your request to a third party certificate authority, here’s a direct link to the certificate type you require. To use your own...

ASA 5505 Determine Your License Version
Nov17

KB ID 0000701

Problem

If you are having problems with internal clients NOT getting through the firewall, the license on your ASA 5505 may be ‘too small’.

ASA 5505 License Differences

Essentially the licenses come in 10 user, 50 user, and unlimited*. You can also have a Security Plus license; this increases IPsec VPNs from 10 to 25, and adds Active/Standby failover, dual ISP support, and DMZ support.

*Note: These...
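Two of the articles above tell you to read ‘show version’ before acting: the RAM check before an 8.3 upgrade (KB 0000553 and KB 0000636) and the 5505 Inside Hosts licence check (KB 0000701). The script below is an added Python example, not code from the original articles, that parses that output and answers both questions. Everything in it beyond the page is my own: the RAM thresholds are my recollection of Cisco’s 8.3 release notes and must be verified against the notes for your platform, and the two ‘show version’ samples are constructed, not captured from a device.

```python
import re

# Minimum RAM (MB) needed to run ASA 8.3 and later, per platform. These are my
# recollection of Cisco's 8.3 release notes, NOT figures stated on this page:
# confirm them against the release notes for your platform before buying memory.
MIN_RAM_MB_FOR_83 = {
    "ASA5505": 512,
    "ASA5510": 1024,
    "ASA5520": 2048,
    "ASA5540": 2048,
    "ASA5550": 4096,
}

# Lines of interest in 'show version' output.
RE_VERSION = re.compile(r"Software Version (?P<ver>\d+\.\d+\(\d+\)\d*)")
RE_HARDWARE = re.compile(r"^Hardware:\s+(?P<model>ASA\d+)[^,]*,\s+(?P<ram>\d+)\s*MB RAM", re.M)
RE_INSIDE_HOSTS = re.compile(r"^Inside Hosts\s*:\s*(?P<hosts>\d+|Unlimited)", re.M | re.I)

# Constructed sample output (not captured from a real device): a 5510 still on
# 8.2 with its original 256 MB, and a 5505 with the base 10-user licence.
SAMPLE_5510 = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB

Licensed features for this platform:
Inside Hosts                : Unlimited
Failover                    : Disabled
"""

SAMPLE_5505 = """\
Cisco Adaptive Security Appliance Software Version 8.2(5)

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Licensed features for this platform:
Inside Hosts                : 10
Failover                    : Disabled
"""


def parse_show_version(text):
    """Pull model, RAM, software version and the Inside Hosts licence out of 'show version'."""
    hw = RE_HARDWARE.search(text)
    if hw is None:
        raise ValueError("no 'Hardware:' line found; is this 'show version' output?")
    ver = RE_VERSION.search(text)
    hosts = RE_INSIDE_HOSTS.search(text)
    inside_hosts = None
    if hosts:
        raw = hosts.group("hosts")
        inside_hosts = "Unlimited" if raw.lower() == "unlimited" else int(raw)
    return {
        "model": hw.group("model"),
        "ram_mb": int(hw.group("ram")),
        "version": ver.group("ver") if ver else None,
        "inside_hosts": inside_hosts,  # int, "Unlimited", or None if the line is absent
    }


def check_memory_for_83(info):
    """Return (ok, required_mb); ok is None when the platform is not in the table."""
    required = MIN_RAM_MB_FOR_83.get(info["model"])
    if required is None:
        return None, None
    return info["ram_mb"] >= required, required


def host_limit_reached(info, active_inside_hosts):
    """True when the inside hosts seen exceed a 10- or 50-user licence."""
    limit = info["inside_hosts"]
    if limit is None or limit == "Unlimited":
        return False
    return active_inside_hosts > limit


if __name__ == "__main__":
    for sample in (SAMPLE_5510, SAMPLE_5505):
        info = parse_show_version(sample)
        ok, need = check_memory_for_83(info)
        verdict = "OK" if ok else "UPGRADE MEMORY FIRST"
        print(f"{info['model']} {info['version']}: {info['ram_mb']} MB RAM, "
              f"needs {need} MB for 8.3 -> {verdict}")
        print(f"  Inside Hosts licence: {info['inside_hosts']}")
```

Paste the real ‘show version’ output in place of the samples (or read it from a file) and run the script before you copy the 8.3 image to flash; on a 5505, compare the Inside Hosts figure with ‘show local-host’ when clients are being refused.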

Cisco ASA – Using ‘logging’ to see what ports are being blocked
Nov17

KB ID 0000702

Problem

If you look after a firewall, sooner or later something will fail, and the blame (rightly or wrongly) will be levelled at the firewall. I came back from holiday this week to find a client had a problem with secure POP email. The problem had been fixed (temporarily) by dropping the affected users into a group and opening all ports. As this had fixed the problem, it’s fair to say that the ASA was...
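The article above uses ASA logging to find out what the firewall is dropping. As an added Python example (not code from the original article), here is a small parser that pulls the two ACL-deny messages out of syslog, %ASA-4-106023 (packet dropped by an access-group, including the implicit deny) and %ASA-4-106100 (per-ACE message when the ACE has the log keyword), counts them per destination and port, and prints a candidate ACE for each. The log lines are constructed for the example, and the suggested ACE uses a source of any, which you should narrow before applying it.

```python
import re
from collections import Counter

# Constructed sample syslog (not from the original article). The 106015 line is
# a stateful drop, not an ACL deny, and is included as noise the parser ignores.
SAMPLE_LOG = """\
Nov 17 09:12:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.10/51234 dst inside:192.168.1.20/995 by access-group "outside_access_in" [0x0, 0x0]
Nov 17 09:12:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.10/51240 dst inside:192.168.1.20/995 by access-group "outside_access_in" [0x0, 0x0]
Nov 17 09:12:05 fw01 %ASA-4-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40210) -> inside/192.168.1.20(993) hit-cnt 1 first hit [0x0, 0x0]
Nov 17 09:12:07 fw01 %ASA-4-106023: Deny icmp src outside:198.51.100.7 dst inside:192.168.1.20 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
Nov 17 09:12:09 fw01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/51234 to 192.168.1.20/995 flags ACK on interface outside
Nov 17 09:12:11 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.10/51250 dst inside:192.168.1.20/995 by access-group "outside_access_in" [0x0, 0x0]
"""

# 106023: ports are absent for icmp, which carries "(type N, code N)" instead.
RE_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))? "
    r'by access-group "(?P<acl>[^"]+)"')

# 106100: ACE with the 'log' keyword; ports are in parentheses.
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def parse_deny(line):
    """Return a dict for an ACL-deny message, or None for any other line."""
    for rx in (RE_106023, RE_106100):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return {
                "acl": d["acl"],
                "proto": d["proto"].lower(),
                "src": d["src"],
                "dst": d["dst"],
                "dport": int(d["dport"]) if d.get("dport") else None,  # None for icmp
            }
    return None


def summarise_denies(log_text):
    """Count denies per (acl, proto, destination, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec:
            counts[(rec["acl"], rec["proto"], rec["dst"], rec["dport"])] += 1
    return counts


def suggest_ace(acl, proto, dst, dport, src="any"):
    """Candidate ACE for the blocked flow. Narrow 'src' before applying; 'any' is a starting point only."""
    if proto == "icmp":
        return f"access-list {acl} extended permit icmp {src} host {dst}"
    return f"access-list {acl} extended permit {proto} {src} host {dst} eq {dport}"


if __name__ == "__main__":
    for (acl, proto, dst, dport), n in summarise_denies(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {acl:20s} {proto:5s} {dst}:{dport}")
        print("      " + suggest_ace(acl, proto, dst, dport))
```

Feed it the text of ‘show logging’ or a syslog file instead of SAMPLE_LOG. Both deny messages are severity 4, so the buffer or trap level must be at least warnings for them to appear; if you only see 106100 for some flows, those ACEs have the log keyword and the rest are falling through to the implicit deny.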

Cisco ASA to Juniper SRX Site to Site VPN

KB ID 0000710

Problem

You want to establish a site-to-site VPN from a site with a Cisco ASA firewall to another site running a Juniper SRX firewall. I had to do this this week, and struggled to find any good information to help. In the example below I’m configuring the whole thing from a laptop (172.16.254.206) that’s on the Juniper’s site. Use the diagram below, and substitute your own IP addresses and subnet...

Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade
Nov17

KB ID 0000733

Problem

You have two ASA firewalls deployed in an Active/Standby failover configuration, and need to upgrade either the operating system or the ASDM. As you already have a high availability solution, you do not want any downtime. Before we start, we need to make sure we know the difference between primary, secondary, active and standby. From the rear (Active=Green, Standby=Amber), the Primary and Secondary firewalls are...
