FortiGate LDAPS Authentication Failure
KB ID 0001733 Problem Here’s a brief one that tripped me up a couple of weeks ago, I was deploying FortiGate LDAPS authentication for some FortiClient SSL VPN connections into a FortiGate firewall like so; Despite my best efforts I was getting authentication failures? If I tested the username and password in the GUI web management portal, that worked fine? Testing FortiGate LDAPS First step is to test authentication at command...
Cisco ASA VPN to Cisco Router “MM_WAIT_MSG3”
KB ID 0001531 Problem While migrating a VPN tunnel from an ASA 5520 firewall to a new 5516-X I got this problem. The other end was a Cisco router (2900). As soon as I swapped it over, it was stuck at MM_WAIT_MSG3, and phase 1 would not establish; NUFC-ASA5516x(config-tunnel-ipsec)# show crypto isa IKEv1 SAs: Active SA: 6 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 6 1 IKE Peer: 1.1.1.1 Type :...
Cisco ASA No Debug Output?
KB ID 0001477 Problem I see this get asked in forums A LOT, typically the poster has another problem they are trying to fix, someone has asked them to debug the problem and they cant see any debug output. Solution Firstly you need to understand what logging is, and how debugging fits within it. (Bear with me, this is good knowledge to have). The firewall saves logs in syslog format, and there are 8 Levels of logs, the one with the...
Cisco ASA: ‘Received an un-encrypted INVALID_COOKIE notify message, dropping’
KB ID 0001421 Problem Saw this in a forum today, and knew what it was straight away! While attempting to get a VPN tunnel up from a Cisco ASA (5508-x) to a Sonicwall firewall this was there debug output; Apr 06 00:45:21 [IKEv1]IP = x.x.x.x, IKE Initiator: New Phase 1, Intf Lan, IKE Peer x.x.x.x local Proxy Address 192.168.90.150, remote Proxy Address 10.252.1.1, Crypto map (Internet_map) Apr 06 00:45:21 [IKEv1 DEBUG]IP = x.x.x.x,...
Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels
KB ID 0000216 Problem Site to Site VPN’s either work faultlessly straight away, or involve head scratching and a call to Cisco TAC, or someone like me to come and take a look. If I’m honest, the simplest and best answer to the problem is “Remove the Tunnel from both ends and put it back again”. Just about every VPN tunnel I’ve put in that did not work, was a result of my fat fingers putting in the wrong...