Cisco ASA IKEv2 – ‘Failed To Allocate Memory’

KB ID 0001218 

Problem

This week I was trying to get a VPN tunnel up for a client. They wanted a tunnel from their Cisco ASA into Microsoft Azure. Normally I’d use IKEv1 (because I know how to troubleshoot it!) But the guys running the site in Azure were using policy routing, which needs IKEv2.

So I converted from IKEv2 to IKEv2. As I said I’m used to debugging IKEv1, but not IKEv2, so I was struggling to make sense of what was going on. The ‘interesting traffic’ was spawning a LOT of phase 1 tunnels, but Phase 2 IPSEC refused to pass traffic.

[box]

Clients-ASA(config)# show cry isa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:151, Status:UP-IDLE, IKE count:25, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
526939783    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4423 sec

Tunnel-id                 Local                Remote     Status         Role
3227575251    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4425 sec

Tunnel-id                 Local                Remote     Status         Role
3073641799    222.222.222.222/500     123.123.123.123/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/4482 sec
-----------------Further Output Removed for the Sake of Brevity------------------

[/box]

 

A debug of IKEv2 was pretty confusing but it did reveal this;

[box]

Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate memory
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: Action: Action_Null
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=E212F1C2B09EC680 R_SPI=6F2FE9A86EEDB017 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-3: Abort exchange
IKEv2-PROTO-2: Deleting SA
IKEv2-PROTO-3: Rx [L 222.222.222.222:500/R 123.123.123.123:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:E212F1C2B09EC680 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: E212F1C2B09EC680 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 616

[/box]

Solution

The ASA was running version 8.4(6) which is not listed as being affected by this bug

ASA IKEv2 fails to accept incoming IKEV2 connections
CSCud50997
 
But that’s what the problem was, upgrade to 9.2(4) and the tunnel came straight up without error.

 

(Related Articles, References, Credits, or External Links

NA

GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0000927 

NOTE: THIS ARTICLE IS FOR THE OLD VERSION OF GNS3

GO HERE FOR THE NEW ONE

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.

Solution

Note: At time of writing he latest version is 8.6

1. Download GNS3, I accept all the defaults (I actually tick to install SuperPuTTy, as tabbed console windows can be handy when using GNS3). Launch the program, you will be greeted with the following setup wizard. Select Option 1.

Note: You can do the same in future, by going to Edit > Preferences

2. Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

3. Option 2.

4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.

Adding Router Images to GNS 3

5. Option 3

Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.

6. Image file > Browse to the image you want to import. Here on GNS3 8.6 you can select the filename.bin file, with older versions you need to extract that file to a filename.image file.

Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account, and a valid support agreement. DO NOT email me and ask for Cisco IOS images, (I will just ignore you!).

7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.

8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.

Note: You can do this later from the main workspace, and test a range of settings. I you don’t do this your virtual network devices will eat all your CPU power!

9. When complete click Close > Save > Close.

10. You can now start that model router to the workspace and use it. Repeat for each model of router you want to add.

Adding a Host to GNS3

Having a host machine for you labs is handy, usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.

11. Edit > Preferences.

n

12. Quemu > Quemu Guest > Give it an identifier name (can be anything) > Browse to, and select the image you downloaded.

13. Save > OK > Apply.

14. You can now drag a Quemu Guest machine onto the work space, and console into it.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

15. Edit > Preferences > Quemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to;

[box]

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

[/box]

Set the Kernel cmd line option to;

[box]

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

[/box]

16. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.</p?

Should you wish to locate these files form a less reputable source you are looking for
asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

17. Finally select the vmlunuz file > Open.

18. Save > OK > Apply.

19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.

Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}

[/box]

20. When it comes back up, (again it will take a few minutes). Your can check your ASA’s licensed features.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0001079 

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.</p?

Solution

Note: At time of writing the latest version is 1.3.6</p?

1. Download GNS3, I usually accept all the defaults.

2. Edit > Preferences > Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

Adding Router Images to GNS 3

3. Dynamips > IOS Routers > New > Add in your route images > Follow instructions.</p?

Note: DONT Email me and ask for router images, go to Cisco and get them legally, (or use Google).

4. Make sure you take the time to calculate the ‘Idle-PC finder’ value for each router, or in large topologies you might quickly eat all your CPU power!

5. Continue adding routers as required.</p?

6. You can now drag a router onto the workspace and power it on.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

7. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to ASA 8.4(2).

8. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.</p?

Should you wish to locate these files form a less reputable source you are looking for
asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

9. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled, to add them you need to change the ASA’s activation key. An ASA Activation key is usually linked to the serial number of the ASA, in this case we don’t have a serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.</p?

Another ‘quirk’ is every time you add a new ASA to the workspace, you need to go through this process, if you enter the commands below you can issue a reload and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0:
{Enter}

[/box]

10. When it comes back up, (again it will take a few minutes). Your can check your ASA’s licensed features.</p?

Adding a Host to GNS3

Having a host machine for you labs is handy, usually you just need to be able to ping, or perform tracerts. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcode.

11. Edit > Preferences > Qemu > Qemu VMs > Add > Set the type to default.

n

12. Give it a sensible name.

13. Navigate to, and select the disk image you downloaded above.

14. You can now drag a Qemu Guest machine onto the work space, and console into it.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

GNS3 ASA Error – ‘ASDM did not recognize device model ASA5520’

KB ID 0001028 

Problem

Apart from the fact that’s an appalling spelling of recognise, I got bitten by this last weekend.

I don’t use the ADSM as a rule so it would not normally be a problem, the only thing I do use the ASDM for is certificates, (it’s just easier).

Solution

Last time I saw an error like this I had to use a fiddler script to embed the firewall model in the https traffic, however now there’s a much easier fix!

I had installed ASDM 7.1(3) that was giving me the error, if you simply downgrade to 7.1(1) the problem goes away.

Related Articles, References, Credits, or External Links

NA

Cisco ASA Redundant or Backup ISP Links with VPNs

KB ID 0000544

Problem

This method provides failover to a redundant ISP link should your primary network connection go down. IT IS NOT going to load balance the traffic across both interfaces. In this example I’ve also got a VPN to a remote site and some port forwarding to contend with as well.

Where we are at the start.

Where we want to be

 

Solution

Before you go any further the ASA that will have the backup ISP line, needs a Security Plus Licence or it’s not going to work.

Setup Backup ISP Links at the Main Site

1. Log into the firewall and setup the IP address on your backup interface.

[box]

PetesASA>
PetesASA> en
Password: *******
PetesASA#
PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/3
PetesASA(config-if)# nameif backup
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 234.234.234.234 255.255.255.248
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit
PetesASA(config)#

[/box]

2. In a ‘Failed Over’ state your traffic needs to then be NATTED to the backup interface, then setup a new route for the outside interface, and finally one for the backup interface. Note: The new primary route will be “Tracked” based on an SLA we will configure in a minute.

[box]

Configure NAT for a firewall running an OS NEWER than 8.3

PetesASA(config)# object network obj_any-01
PetesASA(config-network-object)# subnet 0.0.0.0 0.0.0.0 
PetesASA(config-network-object)# nat (inside,backup) dynamic interface
Configure NAT for a firewall running an OS OLDER than 8.3

PetesASA(config)# global (backup) 1 interface
INFO: backup interface address added to PAT pool

Configure the Routes

PetesASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
PetesASA(config)# route backup 0.0.0.0 0.0.0.0 234.234.234.235 2

[/box]

3. Now we are going to setup a new SLA that maintains connectivity to an IP address (In this case 4.2.2.2 via ICMP, then we are going to tie that SLA to “track 1”, )which you will remember is what keeps the default route on the Primary ISP), if that route fails, it swaps to the backup route.

[box]

PetesASA(config)# sla monitor 100
PetesASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
PetesASA(config-sla-monitor-echo)# num-packets 3
PetesASA(config-sla-monitor-echo)# frequency 10
PetesASA(config-sla-monitor-echo)# sla monitor schedule 100 life forever start-time now
PetesASA(config)# track 1 rtr 100 reachability
PetesASA(config)#

[/box]

4. Any port forwarding getting done on the outside interface needs a mirror entry for the backup interface. and also will need matching ACL’s

[box]

PetesASA(config)# static (inside,backup) tcp interface www 10.0.0.5 www netmask 255.255.255.255
PetesASA(config)# static (inside,backup) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
PetesASA(config)# access-list backup permit tcp any interface backup eq www
PetesASA(config)# access-list backup permit tcp any interface backup eq smtp PetesASA(config)# access-group backup in interface backup

[/box]

5. Lets test it, issue a “show route” command, then disconnect your primary ISP then issue another “show route” command and it should have failed over like so;

[box]

PetesASA(config)# show route
 
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route
 
 Gateway of last resort is 123.123.123.124 to network 0.0.0.0
 
 C 234.234.234.0 255.255.255.248 is directly connected, backup
 C 123.123.123.0 255.255.255.240 is directly connected, outside
 C 10.0.0.0 255.255.255.0 is directly connected, inside
 S* 0.0.0.0 0.0.0.0 [1/0] via 123.123.123.124, outside
 PetesASA(config)#
 
 
Now Disconnect the Primary line
 
 PetesASA(config)# show route
 
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route
 
 Gateway of last resort is 234.234.234.235 to network 0.0.0.0
 
 C 234.234.234.0 255.255.255.248 is directly connected, backup
 C 10.0.0.0 255.255.255.0 is directly connected, inside
 S* 0.0.0.0 0.0.0.0 [254/0] via 234.234.234.235, backup
 PetesASA(config)#

[/box]

6. To enable this firewall to accept the existing VPN on its backup interface, you need to add the backup interface to that cryptomap (issue a show run crypto if your unsure). Then you need to enable ISAKMP on the backup Interface.

[box]

PetesASA(config)# crypto map outside_map interface backup
 PetesASA(config)# crypto isakmp enable backup

[/box]

7. Save the changes with a write mem command.

[box]

PetesASA(config)# wr mem
 Building configuration...
 Cryptochecksum: 91d190ba 2a3eb9c4 244d8c88 0da54e36
 
 10220 bytes copied in 3.740 secs (3406 bytes/sec)
 [OK]
 PetesASA(config)#

[/box]

Change the ASA at the Remote VPN Site

1. Connect to the firewall at the remote site, find the cryptomap that points to the main site (show run crypto). find the one that pointing to the IP at the main site, then add the new IP address as an alternate peer address.

[box]

RemoteSite(config)# crypto map outside_map 2 set peer 123.123.123.123 234.234.234.234

[/box]

2. Then create a tunnel group for the new backup address with the same shared secret as tunnel group to the primary IP.

[box]

RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789

[/box]

3. Save the changes with a “write mem” command.

[box]

RemoteSite(config-tunnel-ipsec)#write mem
 Building configuration...
Cryptochecksum: 7a455ca7 3b637757 cd40aa82 7f3a22d8
 
7842 bytes copied in 1.530 secs (7842 bytes/sec)
[OK]
RemoteSite(config-tunnel-ipsec)#

[/box]

To test the VPN fails over, at the remote site issue a “show cry isa” command, then get someone at the primary site to disconnect the primary ISP, wait a few seconds and then re-issue a “show cry isa” command and it should have flipped over.

[box]

Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
 
Now Disconnect the Primary line at the Main site
 
Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 234.234.234.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

[/box]

Related Articles, References, Credits, or External Links

Original article written 12/12/11