AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’

KB ID 0000406 

Problem

While attempting to connect to a Cisco firewall with a Linux client (in my case Ubuntu 10.10) using AnyConnect, you see the following error.

Or on MAC OSX

Error:
Cisco AnyConnect VPN Client
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.

Note: You may also see this error on a Mac OSX, or a Windows CE machine.

Solution

Package location (ASDM version 6.2)

Package location (ASDM version 7.1)

Related Articles, References, Credits, or External Links

NA

Cisco CSC Module Error – Activation Warning

KB ID 0000392 

Problem

You try to connect to your Cisco CSC module, and see the following error.

Error: Activation Warning CSC is not activated. Please run setup wizard under Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup to perform setup process. Click OK button to go to Trend Micro Content Security Setup wizard.

Naturally, if you’ve never set up the CSC you are going to see this, but what if it suddenly starts doing this?

Solution

1. Connect to the ASA that the CSC module is in.

2. Issue the following command:

[box]sh modu 1 det[/box]

3. This one’s unresponsive; it probably just needs restarting. To do that, issue the following command.

[box]hw-module module 1 reset[/box]

4. They can take a little while to come up (apply the cup of coffee rule). Then to see if it’s back up again use the same command you used earlier.

[box]sh mod 1 det[/box]

That didn’t work! Sometimes CSC modules do fail; I had one client go through three in a year. If doing the above, or running through the setup wizard (you did write down the licence numbers that came with the CSC, didn’t you?), doesn’t work, then you need to log a call to TAC.

 

Related Articles, References, Credits, or External Links

Cisco CSC Module stop it scanning its own update traffic

Cisco Remote (IPSEC) VPN Clients Timeout / Disconnect

KB ID 0000309 

Problem

By default, your remote VPN clients will time out their connections after 300 seconds of inactivity. Should you wish to increase that you can, on a user-by-user basis; however, sometimes that does not work. To fix the problem you need to disable ISAKMP keepalive monitoring at the “Head End”.

Solution

Enable via Command Line

(see below for ASDM instructions)

1. Connect to the firewall (see here for instructions).

2. Login and go to enable mode.

[box]

User Access Verification

Password:
Type help or ‘?’ for a list of available commands.
PetesASA> en
Password: ********

[/box]

3. We need to change the remote access IPSEC VPN tunnel group. To find out what it’s called, issue a “show running-config tunnel-group” command.

The tunnel group we want will have an “ipsec-attributes” entry AND a “remote-access” entry, so in the example below the tunnel group we want is called “IPSEC-VPN-GROUP” (Yours may not be as well named!).

[box]

PetesASA# show running-config tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's a remote access group
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL
authentication-server-group PNL-KERBEROS LOCAL
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes <<< It's an IPSEC tunnel :)
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's a remote access group
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes <<< this one's an SSL group :(
group-alias PNL enable
PetesASA#

[/box]

4. Enter configuration mode (conf t), then issue “tunnel-group {tunnel group name} ipsec-attributes” to edit that group’s IPSEC attributes, then disable the keepalives with “isakmp keepalive threshold infinite”.

Finally save your hard work with a “write mem” command.

[box]

PetesASA# conf t
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold infinite
PetesASA(config-tunnel-ipsec)#
PetesASA(config-tunnel-ipsec)# write mem
Building configuration…
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13

9379 bytes copied in 1.410 secs (9379 bytes/sec)
[OK]
PetesASA(config-tunnel-ipsec)#

[/box]

Do the same from ASDM.

1. Connect to the ASDM.

2. Click Configuration > Remote Access VPN > IPSEC Connection Profiles > {Your IPSEC Policy} > Edit.

3. Select Advanced > IPSEC > and tick “Headend will never initiate keepalive monitoring” > OK > Apply.

4. Finally click File > “Save Running Configuration to Flash”.

Related Articles, References, Credits, or External Links

NA

Upgrade Cisco PIX 515E to Version 8.0(4) and ASDM version 6.1(5)

KB ID 0000424

Problem

I had to update a Cisco PIX 515E last week. Cisco 500 firewalls are a bit thin on the ground these days, and most of my corporate clients have replaced them with Cisco ASA 5500 firewalls. So, as these units are now getting retired, moved to the test bench, or sold on eBay, I thought I’d document probably the last one I did for posterity, and to help anyone else out.

Note: Cisco 506E and 501 firewalls cannot be updated past version 6.3(5), see here.

Solution

Related Articles, References, Credits, or External Links

Also see Connecting to and Managing Cisco Firewalls.

For information on 3CDaemon TFTP Server click here.