VMware – {hostname} could not reach isolation address: none specified

KB ID 0000445 

Problem

Seen on vSphere:

Error Host {hostname} could not reach isolation address:none specified.

Solution

1. In my case the host did NOT have a default gateway, (this had occurred because the subnet mask of the server had been entered incorrectly when the server was built. So the default gateway appeared to be on a different network).

2. With the offending host selected, Configuration > DNS and Routing > Properties > Routing > Put in the correct default gateway > OK.

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Changing VPN IP Addresses

KB ID 0000391

Problem

I had a client the other week with about 25 sites, his core site was changing ISP and therefore changing its IP address. On the main site this is pretty straightforward, just change the outside interfaces IP address, sub net mask and the default route (That’s the default gateway for non cisco-ites).

All well and good, but what about his other 24 sites? They all had VPN’s back to the main site, and all these VPN’s were “hairpinned” together for “spoke to spoke” communication.

Well you can simply delete the VPNs and recreate them, but multiply that by 24 – then add on all the extra config for the hairpins and that’s a massive amount of work (and for the client a LOT of downtime.) So a swift config change on the remote sites is a much better idea.

For Cisco PIX firewalls running version 6 click here.

Solution

Option 1 From Command Line (for ASDM see below)

In this example my main site (123.123.123.123) has changed its IP address to (234.234.234.234), and I need to reconfigure the remote site(s).

1. First – you need to understand a couple of things, for a VPN to work, it needs the IP address of the “Other End” of the tunnel in two places.

a. In the Cryptomap.
b. In a Tunnel Group.

2. First lets find the cryptomap, connect to the ASA, log in go to enable mode then configuration mode.

[box]

RemoteSite>
RemoteSite> enable
Password: ***********
RemoteSite# configure terminal
RemoteSite(config)#[/box]

3. To see all the cryptomaps issue a “show run crypto map” command. (you may see more or less depending on the amount of VPN tunnels you have.

[box]

RemoteSite(config)# show run crypto map
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 123.123.123.123 <<<< Here it is!!!
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 133.133.133.133
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 144.144.144.144
crypto map outside_map 4 set transform-set ESP-3DES-SHA
RemoteSite(config)#[/box]

4. From the example above we can see the tunnel we want to change is using “outside_map 2” so lets remove the entry for the old IP address and put one in for the new IP address.

[box]

RemoteSite(config)# no crypto map outside_map 2 set peer 123.123.123.123
WARNING: The crypto map entry will be incomplete!
RemoteSite(config)# crypto map outside_map 2 set peer 234.234.234.234
RemoteSite(config)#[/box]

5. That’s the cryptomap changed, now for the tunnel group. You can see all your tunnel groups with a “sho run tun” command.

[box]

RemoteSite(config)# sho run tun
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key *****
tunnel-group 123.123.123.123 type ipsec-l2l <<<< Here it is!!!
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *****
tunnel-group 133.133.133.133 type ipsec-l2l
tunnel-group 133.133.133.133 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 2
tunnel-group 144.144.144.144 type ipsec-l2l
tunnel-group 144.144.144.144 ipsec-attributes
pre-shared-key *****[/box]

6. To delete a tunnel group, you use the “clear config tunnel-group” command.

Note: Before you delete it, make sure you know the pre shared key / shared secret – to see this, issue a “more system:running-config” command.

[box]

RemoteSite(config)# clear config tunnel-group 123.123.123.123
RemoteSite(config)#[/box]

7. Then simply create a new tunnel group, with the new IP address, and the same shared secret / pre shared key as the old one.

[box]

RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789
[/box]

8. Save the new config with a “write mem” command

[box]

RemoteSite(config)# write mem

Building configuration...

Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948
9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
RemoteSite(config)#

[/box]

9. Job done!

Well that didn’t seem very quick? No, but for the sake of explanation I did go a little deep, if you have multiple sites, just have the following in notepad.

configure terminal
no crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set peer 234.234.234.234
clear config tunnel-group 123.123.123.123
tunnel-group 234.234.234.234 type ipsec-l2l
tunnel-group 234.234.234.234 ipsec-attributes
pre-shared-key 123456789
write mem

Then simply jump from site to site changing the cryptomap name and shared secret for each one. If you get all this info first, you can migrate hundreds of sites in minutes, (That’s why I prefer command line to GUI ASDM).

Option 2 From ASDM

1. Connect to the ASDM, Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Select the cryptomap going to 123.123.123.123 > Edit > Add the new IP Address.

2. Remove the old one > OK > Apply.

3. Configuration > Site-to-Site VPN > Advanced > Tunnel Groups > Select the old one > Delete > Apply.

4. Then to add a new one > Add > Set the Tunnel group name to the new IP > Enter the shared secret > OK > Apply.

5. Finally Save the changes > File > Save running configuration to Flash.

Cisco PIX (Version 6)

For older firewalls you will notice there is no “Tunnel-Group”, these came in with version 7. The process is similar, again you have to change the peer entry in the cryptomap, but you also need to set an isakmp peer.

no crypto map outside_map 20 set peer 123.123.123.123
crypto map outside_map 20 set peer 234.234.234.234
no isakmp key ******** address 123.123.123.123 netmask 255.255.255.255
isakmp key 123456789 address 234.234.234.234 netmask 255.255.255.255

 

Related Articles, References, Credits, or External Links

NA

AnyConnect Error ‘The secure gateway has rejected the connection attempt, No assigned address’

KB ID 0000876 

Problem

I upgraded a clients ASA5510 firewall(s) yesterday. Post upgrade he got this error;

The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address.

Solution

Thankfully the error is pretty descriptive, the remote client can not get an IP address. So I’m missing an ip local pool command, or that pool is missing from the AnyConnect tunnel-group. To Test;

[box]

WHAT IT SHOULD LOOK LIKE

Petes-ASA# show run | incl pool ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0 address-pool SSL-POOL Petes-ASA#

[/box]

In the example above, I have my address pool, and the second line is that pool being applied to the tunnel-group I’m using for AnyConnect.

If you are missing both (I was post upgrade)

Note: Change the subnet to match your requirements, and DONT use addresses that are in use INSIDE your LAN.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0

[/box]

If you are missing the address-pool command

The IP pool used, is defined in the tunnel group, (in the general-attributes section).

[box]

HERE THE POOL REFERENCE IS MISSING;

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#

TO ADD IT IN (Take note of the tunnel group name SSL-PROFILE (above))

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group SSL-PROFILE general-attributes
Petes-ASA(config)# address-pool SSL-POOL
Petes-ASA(config)#

WHAT IT SHOULD LOOK LIKE

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
address-pool SSL-POOL
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#

[/box]

 

Finally, don’t forget to save the changes.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Afterthoughts

This happened because (pre migration) I had the following command in the firewall config;

[box]

ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0

[/box]

 

The firewall was (at that time) running version 8.2, in the past that syntax was fine, now you would need to specify the mask as 255.255.255.255 (to lease one address). During conversion this command was dropped, so it was never added to the tunnel-group either.

Related Articles, References, Credits, or External Links

NA