Download VMware Converter

KB ID 0001778

Problem

NOTE: Converter 6.3 can now be downloaded directly from VMware!

If you try to download VMware Converter, you will find VMware ‘pulled’ the files because of a zero-day exploit associated with the software; the official VMware posting can be found here. (They are working on publishing a replacement.)

Download VMware Converter

If you are adamant that you want to use this tool, and accept the risks associated with doing so, download the newest version here.

Related Articles, References, Credits, or External Links

NA

Unable to Access ASDM – “Unable to launch device manager from…”

KB ID 0000915

Problem

A colleague of mine was trying to connect to a firewall via ASDM last week, and was greeted by an error like this.

Now this is a pretty standard error, and usually means you haven’t been allowed access, or there isn’t a firewall at that address, but in this case I knew that a) he did have access, b) that was the correct IP address, and c) it worked fine on my machine, so it was set up correctly.

As I said above, this is a pretty generic error, so make sure your ASDM is configured correctly. If no one else can access it, then run through the article below.

Cannot Access / Open ASDM

Solution 1 (Oct 2018)

This stung me once again today! Windows 10, the latest version of Java 8, and ASDM versions 7.6(1) and 7.9(2). In the debug I was seeing;

[box]%ASA-7-725014: SSL lib error. Function: SSL3_SEND_SERVER_KEY_EXCHANGE Reason: missing tmp dh key[/box]

Fixed by running;

[box]ssl encryption aes256-sha1[/box]

Solution 2 (circa 2015)

I saw this very problem again today: while hardening a firewall I had disabled some SSL encryption ciphers, leaving aes256-sha1 active and removing the others. It took me a while to realise, but if you only have one (or both) of the following ciphers enabled, ASDM won’t load;

  • aes256-sha1
  • dhe-aes256-sha1

If you have any of the following ASDM should load normally;

  • aes128-sha1
  • dhe-aes128-sha1
  • rc4-sha1
  • 3des-sha1

At this point I would consider the problem ‘fixed’ and move on, but the client I’m installing the firewall for wanted some clarification as to why it would not work. “Was it a bug?” So I opened a TAC call, and did some Googling. I came across an excellent article, and found I could replicate it exactly;

Log output

[box]%ASA-6-302013: Built inbound TCP connection 2698 for inside:192.168.100.10/52674 (192.168.100.10/52674) to identity:192.168.100.1/2456 (192.168.100.1/2456)
%ASA-6-725001: Starting SSL handshake with client inside:192.168.100.10/52674 for TLS session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725008: SSL client inside:192.168.100.10/52674 proposes the following 14 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA256
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA256
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA256
%ASA-7-725011: Cipher[4] : AES128-SHA
%ASA-7-725011: Cipher[5] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[7] : AES128-GCM-SHA256
%ASA-7-725011: Cipher[8] : DHE-RSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[9] : DHE-DSS-AES128-GCM-SHA256
%ASA-7-725011: Cipher[10] : DES-CBC3-SHA
%ASA-7-725011: Cipher[11] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[12] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[13] : RC4-SHA
%ASA-7-725011: Cipher[14] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 2695 for inside:192.168.100.10/52671 to identity:192.168.100.1/2456 duration 0:00:00 bytes 7 TCP FINs[/box]

Note: the client (my machine running ASDM) offers 14 cipher suites and there’s no match.

By this time I had a reply from TAC;

————————————–

“The ciphers depend on the client, which in this case is the ASDM launcher. The ASDM launcher depends on the ASDM version installed; the latest available launcher is 1.5(73) – ASDM 7.4.1.
I did some tests with the latest software (ciphers741.png) but AES256 was still not proposed by the launcher.

I found a bug opened back in 2012 for exactly same issue, which was closed due to inactivity. Developers mentioned there that launcher is using all the ciphers supported by Java installed on client PC.
https://tools.cisco.com/bugsearch/bug/CSCtx78540/

Please refer to:
https://en.wikipedia.org/wiki/Java_Cryptography_Extension

JCE adds additional cipher support for a Java client.
I downloaded the JCE for Java 7.

Then I copied local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security (these jars were already there so I had to overwrite them).

After that I tried once again and it worked.

————————————–

OK, that seems fair enough, and kudos to the TAC engineer, who had really gone the extra mile. So I thought I’d try and replicate it on the test bench.

Then it worked fine, so I logged the results once again;

[box] %ASA-6-302013: Built inbound TCP connection 2900 for inside:192.168.100.10/63760 (192.168.100.10/63760) to identity:192.168.100.1/2456 (192.168.100.1/2456)
%ASA-6-725001: Starting SSL handshake with client inside:192.168.100.10/63760 for TLS session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA
%ASA-7-725008: SSL client inside:192.168.100.10/63760 proposes the following 23 cipher(s).
%ASA-7-725011: Cipher[1] : AES256-SHA256
%ASA-7-725011: Cipher[2] : DHE-RSA-AES256-SHA256
%ASA-7-725011: Cipher[3] : DHE-DSS-AES256-SHA256
%ASA-7-725011: Cipher[4] : AES256-SHA
%ASA-7-725011: Cipher[5] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : AES128-SHA256
%ASA-7-725011: Cipher[8] : DHE-RSA-AES128-SHA256
%ASA-7-725011: Cipher[9] : DHE-DSS-AES128-SHA256
%ASA-7-725011: Cipher[10] : AES128-SHA
%ASA-7-725011: Cipher[11] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[12] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[13] : AES256-GCM-SHA384
%ASA-7-725011: Cipher[14] : DHE-RSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[15] : DHE-DSS-AES256-GCM-SHA384
%ASA-7-725011: Cipher[16] : AES128-GCM-SHA256
%ASA-7-725011: Cipher[17] : DHE-RSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[18] : DHE-DSS-AES128-GCM-SHA256
%ASA-7-725011: Cipher[19] : DES-CBC3-SHA
%ASA-7-725011: Cipher[20] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[21] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[22] : RC4-SHA
%ASA-7-725011: Cipher[23] : RC4-MD5
%ASA-7-725012: Device chooses cipher : AES256-SHA for the SSL session with client inside:192.168.100.10/63760
%ASA-6-725002: Device completed SSL handshake with client inside:192.168.100.10/63760
[/box]

Note: We now have 23 cipher proposals from the client.
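The two captures above, and the 2018 “missing tmp dh key” error in Solution 1, all come down to comparing the suite list the ASA announces (725010/725011) with the list the Java client proposes (725008/725011). The following script is an added example, not code from the original article or from Cisco: it parses that syslog format, computes the overlap, and reports the same three outcomes the article ran into. The suite lists are the 14 and 23 names from the article’s debug output, re-rendered in the same syslog format by a small helper; the `LEGACY` set and the `render_log`, `parse_handshake`, `shared_ciphers` and `diagnose` names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Syslog IDs the ASA emits while ASDM negotiates TLS (as seen in the debug
# output above): 725010 announces the suites the device offers, 725008 the
# suites the client proposes, 725011 lists one suite of whichever list was
# just announced, 725012 reports the chosen suite, 725014 an SSL library error.
DEVICE_LIST = re.compile(r"%ASA-7-725010: Device supports the following (\d+) cipher")
CLIENT_LIST = re.compile(r"%ASA-7-725008: SSL client \S+ proposes the following (\d+) cipher")
CIPHER = re.compile(r"%ASA-7-725011: Cipher\[\d+\] : (\S+)")
CHOSEN = re.compile(r"%ASA-7-725012: Device chooses cipher : (\S+)")
SSL_ERROR = re.compile(r"%ASA-7-725014: SSL lib error\. Function: (\S+) Reason: (.+)")

# Suites a hardening pass would not want to be the only overlap (my own list).
LEGACY = {"RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA"}


@dataclass
class Handshake:
    device: List[str] = field(default_factory=list)  # suites the ASA offers
    client: List[str] = field(default_factory=list)  # suites the ASDM/Java client proposes
    chosen: Optional[str] = None
    error: Optional[str] = None


def parse_handshake(log: str) -> Handshake:
    """Walk the lines in order; each 725011 line belongs to the list announced last."""
    hs = Handshake()
    target = None
    for raw in log.splitlines():
        line = raw.strip()
        if DEVICE_LIST.search(line):
            target = hs.device
        elif CLIENT_LIST.search(line):
            target = hs.client
        elif (m := CIPHER.search(line)) and target is not None:
            target.append(m.group(1))
        elif m := CHOSEN.search(line):
            hs.chosen = m.group(1)
        elif m := SSL_ERROR.search(line):
            hs.error = m.group(2).strip()
    return hs


def shared_ciphers(hs: Handshake) -> List[str]:
    """Suites present on both sides, kept in the device's preference order."""
    offered = set(hs.client)
    return [c for c in hs.device if c in offered]


def diagnose(hs: Handshake) -> str:
    shared = shared_ciphers(hs)
    if hs.error and "missing tmp dh key" in hs.error:
        return ("SSL3_SEND_SERVER_KEY_EXCHANGE failed for want of a temporary DH key, so a "
                "DHE suite was being negotiated; the Oct 2018 fix was 'ssl encryption aes256-sha1'")
    if not shared:
        return (f"no shared cipher: device offers {hs.device}, the client proposed "
                f"{len(hs.client)} suite(s) and none match")
    if set(shared) <= LEGACY:
        return f"handshake only possible over legacy suite(s) {shared}"
    return f"handshake can succeed, shared suite(s): {', '.join(shared)}"


def render_log(device: List[str], client: List[str], chosen: Optional[str] = None,
               error: Optional[Tuple[str, str]] = None) -> str:
    """Re-render a handshake in the ASA syslog format used above (addresses are the article's)."""
    peer = "inside:192.168.100.10/52674"
    lines = [f"%ASA-6-725001: Starting SSL handshake with client {peer} for TLS session.",
             f"%ASA-7-725010: Device supports the following {len(device)} cipher(s)."]
    lines += [f"%ASA-7-725011: Cipher[{i}] : {c}" for i, c in enumerate(device, 1)]
    lines.append(f"%ASA-7-725008: SSL client {peer} proposes the following {len(client)} cipher(s).")
    lines += [f"%ASA-7-725011: Cipher[{i}] : {c}" for i, c in enumerate(client, 1)]
    if chosen:
        lines.append(f"%ASA-7-725012: Device chooses cipher : {chosen} for the SSL session with client {peer}")
    if error:
        lines.append(f"%ASA-7-725014: SSL lib error. Function: {error[0]} Reason: {error[1]}")
    return "\n".join(lines)


# The 14 suites the stock launcher proposed (first capture above).
CLIENT_14 = ["AES128-SHA256", "DHE-RSA-AES128-SHA256", "DHE-DSS-AES128-SHA256", "AES128-SHA",
             "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "AES128-GCM-SHA256",
             "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "DES-CBC3-SHA",
             "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]
# The 23 suites proposed after the JCE policy files were installed (second capture).
CLIENT_23 = ["AES256-SHA256", "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA256", "AES256-SHA",
             "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA"] + CLIENT_14[:6] + \
            ["AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384", "DHE-DSS-AES256-GCM-SHA384"] + CLIENT_14[6:]

LOG_2015_FAIL = render_log(["AES256-SHA"], CLIENT_14, error=("SSL3_GET_CLIENT_HELLO", "no shared cipher"))
LOG_AFTER_JCE = render_log(["AES256-SHA"], CLIENT_23, chosen="AES256-SHA")
LOG_2018_DH = "%ASA-7-725014: SSL lib error. Function: SSL3_SEND_SERVER_KEY_EXCHANGE Reason: missing tmp dh key"

if __name__ == "__main__":
    for name, log in [("2015 failure", LOG_2015_FAIL), ("after JCE", LOG_AFTER_JCE), ("2018 DH", LOG_2018_DH)]:
        print(f"{name}: {diagnose(parse_handshake(log))}")
```

Feed it the output of `debug ssl` (or the 7251xx syslogs) from a firewall that refuses ASDM and the answer is usually in the first line it prints: either the two lists simply do not intersect, as with the aes256-only firewall and the stock launcher, or the only intersection is an RC4 or 3DES suite that a hardening pass is about to remove.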

Solution 3

Java 7 Update 51

Java Version 7 update 51 (Released Jan 2014) does not play nice with the Cisco ASDM.

Note: This is NOT the case if the ASDM presents a known, trusted, (not self signed) digital certificate.

Option 1

The easiest option is to simply remove Java and downgrade to Java Version 7 Update 45

OR

You can also upgrade your ASDM to version 7.1(5.100) or later, and use the Java Web Start option.


OR

Create a Java site exception. Note: This DID NOT WORK for me with Java version 7 update 51 against either ASDM version 7.1(1) or 7.1(5.100). I only put it here for completeness, because Cisco say it’s a solution.

Related Articles, References, Credits, or External Links

Original Article Written 11/02/14

Kudos and thanks to Michal Kunikowski from Cisco TAC for his assistance.

 

VMware: Deprecated VMFS Volume(s) Found On This Host

KB ID 0001383

Problem

Well, there is a bug on ESX version 6.0.0 that causes this error message; in my case the client had VMFS3 volumes.

Deprecated VMFS volume(s) found on the host. Please consider upgrading volume(s) to the latest version.

That’s what was causing the error in my case!

Solution

I chose to simply upgrade the VMFS3 volumes to VMFS5 > Right click the volume > Upgrade to VMFS5.

Select the volume(s) > OK.

Note: The upgrade is non-destructive, and does not require you to power off any virtual machines etc. (It’s also usually very quick)

Be Aware: When you upgrade a datastore to VMFS5 it still retains its original block size and restrictions. To fully appreciate the benefits of VMFS5, a better approach is to create a new VMFS5 volume, migrate your machines into it, then delete your VMFS3 volume(s) and recreate them as VMFS5.

Related Articles, References, Credits, or External Links

NA

Ubuntu: Setting Up a WordPress Website with LEMP – Part 3

KB ID 0001320 

Problem

So you want your own web server running WordPress? Previously, in Parts One and Two, we set up a new Linux box and got all the prerequisites installed. Now it’s time to deploy WordPress.

Solution

There are a few extra bits we need to add to the PHP installation before we set up WordPress; to get those installed, run the following command;

[box]sudo apt-get install php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc[/box]

Then restart PHP;

[box]sudo systemctl restart php7.0-fpm[/box]

Download and Install WordPress.

We are going to use the /tmp directory and download WordPress into that; you don’t need to worry about which version to download, because the good folk at WordPress use the same URL for the latest version and keep it updated.

[box]

cd /tmp
curl -O https://wordpress.org/latest.tar.gz

[/box]

If you didn’t already guess from the file extension, the WordPress files are compressed, so we need to ‘extract’ them.

[box]tar xzvf latest.tar.gz[/box]

WordPress has a file called wp-config.php in the root of the website that we will be editing in a while, so we are going to create that file by using the ‘sample’ file provided.

[box]cp /tmp/wordpress/wp-config-sample.php /tmp/wordpress/wp-config.php[/box]

And, to save you hassle in future, we will pre-create the folder that WordPress will need when you eventually come to upgrade it; it will also (after we have moved it in a minute) have the correct permissions.

[box]mkdir /tmp/wordpress/wp-content/upgrade[/box]

Now we have all the files, but they are in the WRONG PLACE: they are all sat in the /tmp directory, but we want them in the root of your website, i.e. the /var/www/html directory. So, to copy them (in bulk);

[box]sudo cp -a /tmp/wordpress/. /var/www/html[/box]

You won’t see anything happen, but if you have a look in your /var/www/html directory, the files will be there.

To set the correct permissions, execute the following commands;

[box]

sudo chown -R www-data /var/www/html
sudo find /var/www/html -type d -exec chmod g+s {} \;
sudo chmod g+w /var/www/html/wp-content
sudo chmod -R g+w /var/www/html/wp-content/themes
sudo chmod -R g+w /var/www/html/wp-content/plugins

[/box]

Configuring WordPress

Run the following, and it will return a large block of incomprehensible text;

[box]curl -s https://api.wordpress.org/secret-key/1.1/salt/[/box]

COPY THAT TEXT TO THE CLIPBOARD (yours will look different to the one above!)

Now edit the wp-config.php file; when it’s open, go to the section that ‘looks like’ the text you copied above and paste your text over the top.

[box]nano /var/www/html/wp-config.php[/box]

While you are still in the file, you need to enter the database settings you set up in Part One. Near the top of the file you will see there’s a space for the database name, username and password.

Enter your settings;

Save and close the file.
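The permission and salt steps above as one reusable script. This is an added example and not part of the original article: the eight `define()` keys are generated locally from /dev/urandom rather than pasted from api.wordpress.org (the line format is the same, so WordPress reads them identically), and the document root and owning user are parameters so that the demo at the bottom can run against a constructed stand-in tree instead of /var/www/html. The function names (`wp_random_secret`, `wp_apply_salts`, `wp_salts_ok`, `wp_set_permissions`, `wp_make_demo_tree`) are my own.

```shell
#!/bin/sh
# Added example, not the article's own script. Performs the post-copy steps
# (ownership, setgid directories, group-write on wp-content) and fills in the
# secret keys in wp-config.php with locally generated values.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from a set that is safe inside a single-quoted PHP
# string and inside a sed replacement (no ' \ / & | characters).
wp_random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_=+' < /dev/urandom | head -c 64
}

# Replace each define( 'KEY', 'put your unique phrase here' ) line with a
# fresh secret. A temp file plus mv keeps this portable across GNU and BSD sed.
wp_apply_salts() {
    file="$1"
    for key in $WP_SALT_KEYS; do
        secret="$(wp_random_secret)"
        sed "s|^define( *'$key', *'[^']*' *);|define( '$key', '$secret' );|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# Returns 0 when no placeholder remains and every key carries a 64-character value.
wp_salts_ok() {
    file="$1"
    grep -q "put your unique phrase here" "$file" && return 1
    for key in $WP_SALT_KEYS; do
        value="$(sed -n "s|^define( *'$key', *'\([^']*\)' *);.*|\1|p" "$file")"
        [ "${#value}" -eq 64 ] || return 1
    done
    return 0
}

# The same ownership and mode changes the article applies to /var/www/html,
# parameterised on the document root and the owning user (www-data in production).
wp_set_permissions() {
    root="$1"; owner="$2"
    chown -R "$owner" "$root"
    find "$root" -type d -exec chmod g+s {} \;
    chmod g+w "$root/wp-content"
    chmod -R g+w "$root/wp-content/themes" "$root/wp-content/plugins"
}

# Constructed stand-in for the extracted /tmp/wordpress tree, so the functions
# can be exercised without root, apt or network access. Prints the directory.
wp_make_demo_tree() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/wp-content/themes" "$dir/wp-content/plugins" "$dir/wp-content/upgrade"
    for key in $WP_SALT_KEYS; do
        printf "define( '%s',         'put your unique phrase here' );\n" "$key"
    done > "$dir/wp-config.php"
    printf '%s\n' "$dir"
}

# Demo run against the constructed tree; on a real box call the two functions
# with /var/www/html and www-data instead.
demo="$(wp_make_demo_tree)"
wp_apply_salts "$demo/wp-config.php"
wp_set_permissions "$demo" "$(id -un)"
wp_salts_ok "$demo/wp-config.php" && echo "salts applied and permissions set under $demo"
```

Generating the keys on the server also means the values never transit the network or sit in a clipboard; rotating them later is a matter of re-running `wp_apply_salts` on a copy of the sample file, which invalidates every existing login cookie.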

Now if you browse to your website, you should see the WordPress language selection, select your language and enter the settings and logon details for your website.

You will be logged into your site’s admin panel (http://your-site/wp-admin). From here you can install new themes, add new plugins, and create new posts. Your website will now be ‘live’.

You may want to consider raising the maximum upload limit before proceeding;

Nginx Error – 413 Request Entity Too Large

If you are migrating data from another WordPress site into this one, see the following article;

Migrating WordPress From One Server To Another

If you are unsure on how to setup DNS records for your website see the following article;

Setting up the Correct DNS Records for your Web or Mail Server

Related Articles, References, Credits, or External Links

NA

Upgrade Cisco PIX 515E to Version 8.0(4)

and ASDM version 6.1(5)

KB ID 0000424

Problem

I had to update a Cisco PIX 515E last week. Cisco 500 firewalls are a bit thin on the ground these days, and most of my corporate clients have replaced them with Cisco ASA 5500 firewalls. So, as these units are now getting retired, moved to the test bench, or sold on eBay, I thought I’d document probably the last one I did, for posterity and to help anyone else out.

Note: Cisco 506E and 501 firewalls cannot be updated past version 6.3(5), see here.

Solution

Related Articles, References, Credits, or External Links

Also see Connecting to and Managing Cisco Firewalls.

For information on 3CDaemon TFTP Server click here.