Cisco ASA: ‘Received an un-encrypted INVALID_COOKIE notify message, dropping’
Apr 06

KB ID 0001421

Problem

Saw this in a forum today, and knew what it was straight away! While attempting to get a VPN tunnel up from a Cisco ASA (5508-X) to a SonicWall firewall this was their debug output:

Apr 06 00:45:21 [IKEv1]IP = x.x.x.x, IKE Initiator: New Phase 1, Intf Lan, IKE Peer x.x.x.x local Proxy Address 192.168.90.150, remote Proxy Address 10.252.1.1, Crypto map (Internet_map) Apr 06 00:45:21 [IKEv1 DEBUG]IP = x.x.x.x,...

Implementing GDOI into DMVPN
Nov 17

KB ID 0000956

Problem

Just recently I covered DMVPN, which is a great scalable system for adding new sites to your network infrastructure and having them join an existing VPN solution without the need to add extra config at the ‘hub’ site. One of the advantages of DMVPN is that it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, but if a spoke site needs to speak to another spoke...

Cisco PIX 500 – IPSEC Site to Site VPNs (v6)
Nov 17

KB ID 0000611

Problem

Note: This is for firewalls running an operating system BEFORE version 7; if you have a PIX running version 7 or above go here instead. I’ll run through the commands first and then the configuration from PDM at the end.

Solution

PIX 500: Configure a site to site VPN from the command line

1. Connect to the PIX, go to “enable mode”, then to “Configure terminal mode” User Access...

Cisco ASA Site to Site VPN’s – Site to Site ISAKMP VPN (Main Mode)
Nov 17

KB ID 0000213

Problem

As with most things, before you have a hope of fixing something, you will stand a better chance if you know how it works in the first place. Below is a quick run through of what’s happening with your site to site VPNs and how they work. For the entire process we will have two Cisco ASA 5500 firewalls and a site to site VPN.

Solution

What’s an Initiator and a Responder?

1. Our Laptop 192.168.1.50...

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels
Nov 17

KB ID 0000216

Problem

Site to Site VPNs either work faultlessly straight away, or involve head scratching and a call to Cisco TAC, or someone like me to come and take a look. If I’m honest, the simplest and best answer to the problem is “Remove the Tunnel from both ends and put it back again”. Just about every VPN tunnel I’ve put in that did not work was a result of my fat fingers putting in the wrong...
