Azure to Cisco VPN – ‘Failed to allocate PSH from platform’
KB ID 0001219 Problem It’s been a week for strange VPN shenanigans with Cisco and Azure. I was liaising with an Azure service provider for a customer this week, and trying to get a VPN up from a Cisco ASA in one of our data centres in the UK. This is what we were seeing; And I could see the same error in the debugs; Decrypted packet:Data: 616 bytes IKEv2-PROTO-1: Failed to allocate PSH from platform IKEv2-PROTO-1: IKEv2-PROTO-5:...
Cisco ASA – Packet Tracer Fails VPN:Encrypt:Drop
KB ID 0001198 Problem Sometimes when troubleshooting VPN traffic, you may choose to use the ‘packet-tracer’ command to simulate interesting traffic. I did this today and got; Phase: {number} Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Result: Drop-reason: (acl-drop) Flow is denied by configured rule I replicated the error on the test bench. Solution Below is the full packet trace;...
Cisco – Cannot Connect to the ASA FirePOWER Module
KB ID 0001182 Problem There’s an alarming amount of people who have contacted me about this error; Cannot connect the the ASA FirePOWER module. Cannot connect the the ASA FirePOWER module.. Check that it is correctly configured and on the network. It’s also possible that the management address is being translated by NAT. Please verify the IP address/Hostname and port. Note: If you have just updated or re-imaged the SFR...
Cisco ASA – Active / Active Failover
KB ID 0001114 Usually when I’m asked to setup Active/Active I cringe, not because its difficult, its simply because people assume active/active is better than active/standby. I hear comments like ‘we have paid for both firewalls lets use them’, or ‘I want to sweat both assets’. The only real practical use cases I can think of for Active /Active are; You have a multi-tenancy environment and want to offer...
VMware VI Client Error ‘Call “ServiceInstance.RetrieveContent” for object “ServiceInstance” on Server “IP-Address” failed’
KB ID 0000870 Problem This is a pretty generic error. It basically means “I cant connect to what you are asking me to connect to, on TCP Port 443 (https)”. Solution Internet searching for this error is very frustrating, everyone who was posting this error was seeing it because, instead of putting the IP address or name in the box (that actually tells you to put in the IP address or name (see image above)). If you put in...