AnyConnect – ‘VPN establishment capability for a remote user..

KB ID 0000546 

Problem

If you connect to a client via RDP and then try to run the AnyConnect client, you will see one of these errors:

VPN establishment capability for a remote user is disabled. A VPN connection will not be established


VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established

This behaviour is the default, and despite trawling the internet for a solution (most posts suggest changing the local AnyConnectProfile.tmpl file), that file does not exist in version 3 (I was using v3.0.4235).

Update: Early versions of AnyConnect 4 do not tell you what is wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following:

Profile settings do not allow VPN initiation from a remote desktop.

Note: This is fixed in version 4.8, and you will see the error shown at the top of the page instead.

Solution

To solve this problem we need to create an AnyConnect profile, load the profile into the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do all of that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).

Edit AnyConnect Profile With ASDM

Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

Give the profile a name  > Select a group policy to apply it to > OK.

AllowRemoteUsers: Lets remote (RDP) users bring up the VPN; if the routing change caused by the VPN would disconnect your remote session, the client automatically terminates the VPN.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

OR (older versions)


Apply the changes, and then save to the running configuration.


Edit AnyConnect Profile With Stand-Alone Profile Editor

1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).

Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled an AnyConnect image. Once you have created a profile there you can go straight to step 3 and skip the download and install steps.

If you cannot download the software, here is a profile I have already created that you can use. If you are going to use it, jump to step 5.

2. Once you have installed the profile editor, launch the “VPN Profile Editor”.

3. The setting we want is listed under Windows VPN Establishment and needs setting to “AllowRemoteUsers”. In addition I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.

AllowRemoteUsers: Lets remote (RDP) users bring up the VPN; if the routing change caused by the VPN would disconnect your remote session, the client automatically terminates the VPN.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

4. Save the profile somewhere you can locate it quickly.

5. Connect to the firewall’s ASDM > Tools > File Management > File Transfer > Between Local PC and Flash.

6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.

7. Make sure the file uploads correctly > Close.

8. To associate this profile with your AnyConnect/SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the “Client Profile to Download” section and uncheck the Inherit box.

9. Click New > Browse Flash > Locate the profile you uploaded earlier.

10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.

11. Then reconnect with your AnyConnect Mobility Client software.
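For reference, this is what the two settings look like inside the profile XML that either editor produces. It is an added example, not the profile from the original article; the profile name, host name and host address are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a minimal AnyConnect client profile (not the original
     article's profile). Host entry values are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- SingleLocalLogon: one console logon, any number of remote (RDP) logons.
         The stricter alternative is SingleLogon. -->
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <!-- The default is LocalUsersOnly, which is what produces the
         "VPN establishment capability for a remote user is disabled" error
         when the client is started from an RDP session. That default exists to
         stop a VPN being raised from a remote session, so push this profile
         only to the group policy whose users actually need it. -->
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder display name and ASA address -->
      <HostName>PLACEHOLDER-ASA</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Steps 8 and 9 have a CLI equivalent (names are placeholders): `anyconnect profiles RDP-Profile disk0:/rdp-profile.xml` under `webvpn`, then `anyconnect profiles value RDP-Profile type user` under the group policy’s `webvpn` attributes.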

Related Articles, References, Credits, or External Links

Install and Configure Cisco ASA5500 AnyConnect SSL VPN 

Microsoft Teams: Custom Background Images

KB ID 0001669

Problem

With the current lockdown and everyone working from home, I’m using Teams a lot. I use one of the images that I use here at PNL as one of the background images that ‘appear’ behind me when I’m using the webcam in Teams. I was asked today how I did that, so I thought I’d write it up here.

Solution

I’m using Teams on my MacBook, but the procedure is pretty much the same in Windows. If you can’t see the options I’m mentioning, you might want to simply update your copy of Microsoft Teams.

Firstly: You need to actually be in a call before you can change your background! On your options bar (if you can’t see it, click on the Teams window), click the ellipsis (3 dots) and select ‘Show Background Effects’.

You can then simply select one of the Microsoft-included backgrounds and apply it (there’s a long list, scroll down!).

Adding Your Own Custom Image To Teams Backgrounds

This is pretty easy, but you will find that the image will be ‘flipped horizontally’ when other users see it like so;

So if it’s a landscape or an office backdrop that’s probably not going to bother you, but if you have text on the image it will be back to front (or, like me, it just makes your OCD itch!). If so, simply use your favourite graphics editing software to flip the image before you put it in the correct folder.

Where to Save your Teams Custom Backgrounds

For macOS: In Finder > Go > Go to Folder > ~/Library/Application Support/Microsoft/Teams/Backgrounds/Uploads

For Windows Clients: In Windows explorer > %AppData%\Microsoft\Teams\Backgrounds\Uploads

Don’t forget to restart Teams before they will appear.

Related Articles, References, Credits, or External Links

NA

Install and Use a Windows TFTP Server

Windows TFTP KB ID 0000063 

Problem

Note: If you are using a Mac, then see the following link; MAC OS X TFTP Software

There are many free TFTP applications; my personal favourite is 3CDaemon, as it also has a built-in syslog server and an FTP server. Here’s how to install it on your computer.

There are a number of places you can download 3CDaemon, or just CLICK HERE

Deploy a windows TFTP Server

1. Download the files and extract them to your PC, then run the setup.exe file.

2. At the Welcome screen > Next.

3. At the license screen > Yes.

4. Either accept the default location or choose your own > Next.

5. Leave it on the default > Next.

6. When it’s done > OK.

7. Launch the application.

8. Ensure the “TFTP Server” section is selected > Click the “Pen knife” icon labelled “Configure TFTP Server”.

9. Change the Upload / Download directory to something you will find easily (I usually create a “TFTP Root” folder on the C: drive).

Related Articles, References, Credits, or External Links

Backup and Restore a Cisco Firewall with TFTP

FortiGate TFTP : Backup To & Restore From

Backup and Restore Cisco IOS (Switches and Routers)

Backup and Restore a Cisco Firewall

CentOS – Install and Configure a TFTP Server

Updating the AnyConnect client for Deployment from the Cisco ASA 5500

KB ID 0000704 

Problem

Your ASA will (by default) update your AnyConnect clients to the latest client software when they connect. However you need to supply the ASA with the updated packages first.

Solution

1. Download the latest AnyConnect client package, from Cisco. The one you want will have a file extension of .pkg

AnyConnect 4

AnyConnect 3

2. Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) access > AnyConnect Client Software > Add.


Note: On older versions of the ASDM you will find the option under > Network (Client) access > Advanced > SSL VPN > Client Settings > Add.

3. Select Upload > Browse to the software you downloaded > Select.


4. The file should upload to flash memory.


5. And it will tell you if it has been successful.


6. Select the new software and, using the ‘up arrow’ move it to the top of the list > Apply.

Note: At this point I also delete the old software packages.

7. Don’t forget to upload the packages for Linux and macOS, or you may see the following error:

The AnyConnect package on the secure gateway could not be located.


8. Remember to save the changes. File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Cisco ASA5500 AnyConnect SSL VPN 

Original article written: 02/11/12

VMware ESX – When Deploying a Template ‘Network interface {name} uses network {name} which is not accessible’

KB ID 0000846 

Problem

I tried to deploy a VM Template today and was greeted with this error. I had renamed all the networks in this environment since I created this template, so I know why I was getting it.

But there seems to be no way to edit the template itself to change the value to the correct network.

Solution

In the procedure below I will be jumping backwards and forwards between the Hosts and Clusters view and the VMs and Templates view. I’m assuming you know the difference between them and how to switch between them. Note: If you can’t see the templates, switch to VMs and Templates; if you can’t see the storage, switch to Hosts and Clusters.

1. Browse your datastore(s), and locate the filename.vmtx that is associated with your ‘problem’ template, and download it to your PC/Laptop.

2. Open the vmtx file with a text editor, and locate the entry that refers to the ‘old network’.

3. Get the correct name of the new network from an existing working VM like so.

4. Change the entry in the vmtx file to the new name, then save the changes.

5. Now upload the edited file, to over-write the one in your datastore.

At this point you would think that’s all you need to do. However, before the change is recognised by Virtual Center you need to remove the template from the inventory and then re-register it.

6. Locate the template and remove it from the inventory.

7. Then right click your edited vmtx file and add it back to the inventory.

8. Now your template should deploy correctly.

Related Articles, References, Credits, or External Links

NA

Cisco PIX (500 Series) Password Recovery / Reset

KB ID 0000064 

Problem

If you are locked out of your PIX firewall then you will need to do some password recovery. This procedure resets the enable password and removes any AAA username and password settings on the PIX.

Note: If you have a PIX 520 (This has a floppy drive, and the process is different) CLICK HERE

Solution

Before You Start !

1. You need to know the software version that is running on the PIX, e.g. 6.3(5) or 7.0(1).

2. You need a TFTP server set up and running CLICK HERE for instructions.

3. You need to be connected to the PIX via its console cable CLICK HERE for instructions.

4. You need to download the “PIX Password Lockout Utility” that’s appropriate for your PIX, i.e. if you’re running 6.3(5) download np63.bin, for version 7.0(1) download np70.bin, etc. You can get them HERE. Put the file in the root directory of your TFTP server.

Procedure

1. Connect to the firewall via console cable, then power cycle the firewall. As the firewall reboots, press BREAK or ESC to interrupt the boot sequence and get to the monitor prompt.

[box]

monitor> 

[/box]

2. The firewall now has no config loaded, so you need to tell it everything it needs to know. First we need to set up the inside interface so we can load the password reset utility. Use the interface command (on PIXs with only two interfaces it defaults to the inside interface).

[box]

monitor> interface 1
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10) 

Using 1: i82557 @ PCI(bus:0 dev:18 irq:10), MAC: 0012.daf1.5185
monitor>

[/box]

3. You need to tell it what its inside IP address is, use the address command.

[box]

monitor> address 192.168.1.1
address 192.168.1.1 

[/box]

4. Now you need to give it the IP address of the TFTP server you set up earlier; use the server command.

[box]

monitor> server 192.168.1.2
server 192.168.1.2 

[/box]

5. The last thing the PIX needs is the name of the password unlock file (for this example I’ll use np63.bin); use the file command.

[box]

monitor> file np63.bin
file np63.bin

[/box]

6. To start the process, issue the tftp command.

[box]

monitor> tftp
tftp np63.bin@192.168.1.2.......................................................
................................................................................
..............................................
Received 92160 bytes 

Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

[/box]

7. Confirm by pressing y then {enter}.

[box]

Do you wish to erase the passwords? [yn] y

[/box]

8. Confirm by pressing y then {enter} again.

[box]

Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.

Rebooting..

[/box]

9. The Firewall will reboot and the passwords will be blanked.

[box]

Type help or '?' for a list of available commands.
Firewall> en
Password:
firewall#

[/box]

Related Articles, References, Credits, or External Links

Factory Reset a Cisco Firewall

Cisco Catalyst Password Recovery / Reset

Cisco ASA – Password Recovery / Reset

Cisco Router – Password Recovery /Bypass


Update Cisco ASA – Directly from Cisco (via ASDM)

KB ID 0000636 

Problem

Warning:

Before upgrading/updating the ASA to version 8.3 (or higher), check that you have the correct amount of RAM in the firewall (the “show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.

ASA – Memory Error (Post upgrade to version 8.3)

Warning 2:

Be aware that if you are upgrading to an OS of 8.4(2) or newer you can no longer access the device via SSH using the default username of “pix”; you need to enable AAA authentication for SSH. Do this before you reboot/reload the firewall or you may lock yourself out.

ASA Enable AAA LOCAL Authentication for SSH

It’s been a while since I wrote how to update the ASA by command line, and how to update the ASA from the ASDM. Now you can update the ASA directly from Cisco, providing you have a valid Cisco CCO account.

Solution

1. Connect to the ASDM on the ASA > Tools > Check for ASA/ASDM Updates.

2. Supply your Cisco CCO account information.

3. Next.

4. Decide if you want to update the OS of the ASA or the ASDM, or both.

5. Next.

6. The software will download (the OS is downloading here). Note: it is downloaded to the machine that the ASDM is running on first.

7. Then the ASDM software will download.

8. You may find that there is not enough room in flash memory; if so, you will see this error. (If it does not error, skip to step 11.)

9. If you are stuck for room you can delete some items from your flash memory > Tools > File Management.

10. Here you can see I’m deleting an old version of the ASDM. Note you could delete the live version of the ASDM and operating system if you had no choice (THOUGH DON’T REBOOT THE FIREWALL until the new ones have uploaded, or you will be loading the files in ROMMON mode!).

11. Once all the files have been downloaded to your location, they will be uploaded to the firewall’s flash memory.

12. Next.

13. Finish.

Note: What happens now is that the following commands are issued in the background automatically (the version numbers may be different in your case). The old boot image is removed and re-added after the new one, so it remains as a fallback:

[box]

asdm image disk0:/asdm-649.bin
no boot system disk0:/asa843-k8.bin
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa843-k8.bin

[/box]

14. After the firewall reboots, it should come back up with the new OS and ASDM version.

Related Articles, References, Credits, or External Links

Cisco ASA5500 Update System and ASDM (From CLI)

Cisco ASA5500 Update System and ASDM (From ASDM)

Boot Cisco ASA From TFTP (Upgrade from ROMMON)

KB ID 0000792

Problem

If your firewall won’t boot, either because the OS is corrupt or because you have faulty flash memory, you can get up and running by booting the device from a TFTP server instead.

Solution

Before you start make sure you have your TFTP server running and the operating system in its root folder.

Install and Use a TFTP Server

1. Power on the firewall; during the boot phase press ESC to boot into ROMMON mode.

2. The following commands set the firewall’s IP address, default gateway, and the IP address of the device running the TFTP server. (Note: unless the TFTP server is on a different network segment, the gateway and server address should be set the same.)

[box]

Use ? for help.
ROMMON #0> ADDRESS=172.16.254.150
ROMMON #1> SERVER=172.16.254.207
ROMMON #2> GATEWAY=172.16.254.207

[/box]

3. You will need to specify the name of the operating system file to load, and which interface the firewall should use. This is a 5505 and I’m using Ethernet0/1 (the interface that’s usually the inside one).

[box]

ROMMON #3> IMAGE=asa911-k8.bin
ROMMON #4> PORT=Ethernet0/1
 Ethernet0/1
 MAC Address: b0fa.eb21.378e
 Link is UP
ROMMON #5>

[/box]

4. You can check the settings with a ‘set’ command.

[box]

ROMMON #5> set
ROMMON Variable Settings
ADDRESS=172.16.254.150
SERVER=172.16.254.207
GATEWAY=172.16.254.207
PORT=Ethernet0/1
VLAN=untagged
IMAGE=asa911-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20

ROMMON #6>

[/box]

5. Start the process with a ‘tftp’ command.

[box]


ROMMON #6> tftp

tftp asa911-k8.bin@172.16.254.207 via 172.16.254.207

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<Output removed for the sake of space>

[/box]

6. The firewall will load the operating system and boot. WARNING: at this point the operating system is running in memory, NOT from flash; if you reboot, it will attempt to load from flash memory again. If you can access the flash memory (‘show flash’), copy in the operating system from your TFTP server.

[box]

Petes-ASA# copy tftp disk0

Address or name of remote host []? 172.16.254.207

Source filename []? asa911-k8.bin

Destination filename [disk0]? asa911-k8.bin

Accessing tftp://172.16.254.207/asa911-k8.bin..
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!
 
 <Output removed for the sake of space>
 
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!
 Writing file disk0:asa911-k8.bin...
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!
 
 <Output removed for the sake of space>
 
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !!!!!!!!!!!!!!!!!!!!!!!!
 
 8312832 bytes copied in 70.230 secs (118754 bytes/sec)

[/box]

7. Make sure you can see the file in flash memory.

[box]

Petes-ASA# show flash
 Initializing disk0: cache, please wait....Done.
 -#- --length-- -----date/time------ path
 6 6764544 Jan 01 2003 00:05:22 asa911-k8.bin <<<<
 7 1868412 Jan 01 2003 00:05:48 securedesktop-asa-3.1.1.29-k9.pkg
 8 398305 Jan 01 2003 00:06:04 sslclient-win-1.1.0.154.pkg
 9 7495680 Apr 25 2007 14:41:54 asdm711-k8.bin
 12 8312832 May 21 2007 13:29:08 asa722-k8.bin
 13 5623108 May 21 2007 13:31:26 asdm-522.bin

224886784 bytes available (30539776 bytes used)
 

[/box]

8. Set the new file as the default boot OS, and save the changes, then finally reboot the firewall.

[box]

Petes-ASA# configure terminal
 Petes-ASA(config)# boot system disk0:/asa911-k8.bin
 Petes-ASA(config)# write mem
 Building configuration...
 Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

Petes-ASA(config)# reload
Proceed with reload? [confirm]{Enter}
Petes-ASA#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down License Controller
Shutting down File system

***
*** --- SHUTDOWN NOW ---

[/box]

9. The firewall will reboot, and load the new OS.

Related Articles, References, Credits, or External Links

NA