Cisco ASA: Group-Lock WARNING

KB ID 0001423

Problem

You will see this warning if you are pasting configuration into a Cisco firewall. This week I was manually converting an old version 8.2 firewall’s configuration to run on a modern (version 9) firewall, when I saw this;

[box]

Petes-ASA(config)# username fred.bloggs attributes
Petes-ASA(config-username)# group-lock value SOME-VALUE
WARNING: tunnel-group SOME-VALUE does not exist

[/box]

Solution

The reason you are seeing this warning is that you are working your way through the config (from top to bottom), and you have just told the firewall to use a tunnel-group that is defined further down in the config, so you have not created it yet on the target firewall!

For the uninitiated: A group-lock is used to define different tunnel-groups for different users.

So on the source configuration, locate the appropriate tunnel-group and put that in first, then retry;

[box]

Petes-ASA(config-username)# tunnel-group SOME-VALUE type remote-access
Petes-ASA(config)# tunnel-group SOME-VALUE general-attributes
Petes-ASA(config-tunnel-general)#  address-pool VPN-POOL
Petes-ASA(config-tunnel-general)#  default-group-policy SOME-VALUE-POLICY
Then try again!

Petes-ASA(config-tunnel-general)# username fred.bloggs attributes
Petes-ASA(config-username)# group-lock value SOME-VALUE

[/box]
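The ordering problem above is easy to spot by machine before you paste anything. The following script is an added example (not Cisco’s code and not from the original article): it reads an ASA-style config, reports every `group-lock value` that points at a tunnel-group which is missing or only defined later in the file, and can move the tunnel-group blocks ahead of the username blocks so the config pastes cleanly. The config text it runs over is constructed for the example.

```python
"""Pre-paste check for ASA 'group-lock value X' references (added example).

Finds group-lock references whose tunnel-group is undefined, or is defined
further down the file than the reference (which triggers the WARNING when
the config is pasted top to bottom), and optionally reorders the config.
"""
import re

GROUP_LOCK = re.compile(r"^\s+group-lock value (\S+)\s*$")
TUNNEL_GROUP = re.compile(r"^tunnel-group (\S+) type ")
USERNAME_ATTRS = re.compile(r"^username (\S+) attributes\s*$")

# Constructed sample config: fred's tunnel-group is defined later,
# jane's tunnel-group is not defined at all.
SAMPLE_CONFIG = """\
username fred.bloggs password ***** encrypted
username fred.bloggs attributes
 group-lock value SOME-VALUE
username jane.doe attributes
 group-lock value MISSING-GROUP
tunnel-group SOME-VALUE type remote-access
tunnel-group SOME-VALUE general-attributes
 address-pool VPN-POOL
 default-group-policy SOME-VALUE-POLICY
"""


def check_group_locks(config):
    """Return (user, tunnel_group, problem) tuples, where problem is
    'undefined' (no such tunnel-group anywhere) or 'defined-later'."""
    lines = config.splitlines()
    defined_at = {}
    for i, line in enumerate(lines):
        m = TUNNEL_GROUP.match(line)
        if m and m.group(1) not in defined_at:
            defined_at[m.group(1)] = i

    problems = []
    current_user = None
    for i, line in enumerate(lines):
        m = USERNAME_ATTRS.match(line)
        if m:
            current_user = m.group(1)
            continue
        if not line.startswith(" "):
            current_user = None  # left the 'username ... attributes' sub-mode
            continue
        m = GROUP_LOCK.match(line)
        if m and current_user:
            tg = m.group(1)
            if tg not in defined_at:
                problems.append((current_user, tg, "undefined"))
            elif defined_at[tg] > i:
                problems.append((current_user, tg, "defined-later"))
    return problems


def _blocks(config):
    """Split the config into top-level lines plus their indented sub-mode lines."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1].append(line)
        else:
            blocks.append([line])
    return blocks


def reorder_for_paste(config):
    """Move every tunnel-group block ahead of everything else so that
    group-lock references resolve when the config is pasted top to bottom."""
    blocks = _blocks(config)
    first = [b for b in blocks if b[0].startswith("tunnel-group ")]
    rest = [b for b in blocks if not b[0].startswith("tunnel-group ")]
    return "\n".join(line for block in first + rest for line in block) + "\n"


if __name__ == "__main__":
    for user, tg, problem in check_group_locks(SAMPLE_CONFIG):
        print(f"{user}: tunnel-group {tg} is {problem}")
    print("--- reordered ---")
    print(reorder_for_paste(SAMPLE_CONFIG))
```

Run the check against the old firewall’s config before pasting; a `defined-later` result is exactly the case the article describes, and reordering cures it. An `undefined` result means the tunnel-group really is missing and reordering cannot help.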


Related Articles, References, Credits, or External Links

NA

RSS Error – Your feed appears to be encoded as “UTF8”, but your server is reporting “US-ASCII”

KB ID 0000889 

Problem

I don’t validate and check the site’s RSS feed as often as I should, but post server migration I got this error;

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
Your feed appears to be encoded as “UTF8”, but your server is reporting “US-ASCII”

Solution

As you can see by the section I’ve indicated above, I can see where the UTF-8 is being set on the page. I just need my server (CentOS with Apache2) to allow it.

1. Edit the .htaccess file in the same directory as the RSS XML file (create it if it does not exist) and add the following lines to the end. Note that AddCharset only takes effect from .htaccess if that directory allows the FileInfo override in the Apache configuration.

[box]

# Add the UTF-8 Character Set
AddCharset UTF-8 .xml

[/box]

2. Then restart Apache.

[box]

service httpd restart

[/box]

Related Articles, References, Credits, or External Links

NA

VMware error on HP Proliant “Host Baseboard Management Controller status”

KB ID 0000418 

Problem

Saw this today on an HP Proliant DL380 G7 Server.

Solution

1. It’s a simple one to solve: the server was built with the HP ESXi build, and the management agents are complaining because the iLO is not connected to the network.

2. When you connect the iLO socket to the network the alarm should change as shown below.

3. Once you have connected or disabled it you can reset the alarm.

4. Take the opportunity to log in and configure the iLO. Access it via a web browser; it will get a DHCP address by default, and you can set a static IP address by entering the iLO setup at boot (see the disabling iLO section below).

5. The user name is Administrator (capital A) and the password will be either on a pull out tab on the front of the server, or a brown cardboard label tied to the front of the server (you did keep that didn’t you!), or on a brown sticker on top of the server chassis. On certain models HP also stick this information under the server lid.

6. Then you can log in and configure.

Disable the iLO

1. If you do not want to use the iLO then you can disable it. (I can’t think why you would want to, because it’s a handy piece of kit, but here’s how to do it.)

2. Reboot the server, and when prompted press F8 to enter the iLO setup.

3. Settings > Configure.

4. These are the default settings, use the cursor keys to select and the space bar to enable/disable the options.

5. All disabled.


Related Articles, References, Credits, or External Links

NA

Event ID 1014 and 1002 (Windows IIS Web Server)

KB ID 0000808 

Problem

Seen on Server 2003 running IIS 6. About once a week the website would fail, and the client had to reboot the server to bring things back up again. I took a look at the server and noticed that when the failure happened, we had five Event ID 1014 errors;

Source W3SVC
The World Wide Web Publishing Service encountered an internal error in its process management of worker process ‘<value>’ serving application pool ‘DefaultAppPool’. The data field contains the error number.

And finally we had an Event ID 1002;

Source W3SVC
Application pool ‘DefaultAppPool’ is being automatically disabled due to a series of failures in the process(es) serving that application pool

Solution

1. Before you proceed make sure this is not the problem.

2. Open the Internet Information Services (IIS) Manager > {Servername} > Application Pools > DefaultAppPool (unless your error is for another app pool) > Properties > Health.

3. Rapid-Fail Protection: You may wish to troubleshoot by simply increasing the thresholds, (the frequency of your 1002 events should give you a pointer). Though from what I’ve read this system tends to cause more problems than it cures, in the end I disabled it completely.

Warning: Disabling a system that is designed to protect you inherently has dangers.

If you suddenly get an unstable server, or memory leak problems you might want to reinstate this, and start checking the code in your website!
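Before raising the Rapid-Fail thresholds or disabling the feature, it helps to measure what the log actually shows: how many 1014 worker-process failures preceded each 1002 shutdown, and how far apart the shutdowns are. The script below is an added example (not Microsoft’s code and not from the original article) that does that over a constructed list of W3SVC events; the 5-failures-in-5-minutes window is the IIS 6 Rapid-Fail Protection default.

```python
"""Correlate W3SVC Event ID 1014 (worker process failure) with 1002
(application pool disabled), as an added example.  Event data is constructed."""
from datetime import datetime, timedelta

# Constructed sample: (time, event id, application pool). Not real log data.
SAMPLE_EVENTS = [
    ("2013-03-04 02:10:11", 1014, "DefaultAppPool"),
    ("2013-03-04 02:10:52", 1014, "DefaultAppPool"),
    ("2013-03-04 02:11:40", 1014, "DefaultAppPool"),
    ("2013-03-04 02:12:15", 1014, "DefaultAppPool"),
    ("2013-03-04 02:13:01", 1014, "DefaultAppPool"),
    ("2013-03-04 02:13:02", 1002, "DefaultAppPool"),
    ("2013-03-07 14:00:00", 1014, "DefaultAppPool"),  # isolated crash, pool stays up
    ("2013-03-11 02:40:10", 1014, "DefaultAppPool"),
    ("2013-03-11 02:41:05", 1014, "DefaultAppPool"),
    ("2013-03-11 02:41:59", 1014, "DefaultAppPool"),
    ("2013-03-11 02:42:30", 1014, "DefaultAppPool"),
    ("2013-03-11 02:43:12", 1014, "DefaultAppPool"),
    ("2013-03-11 02:43:13", 1002, "DefaultAppPool"),
]

# IIS 6 Rapid-Fail Protection defaults: 5 failures within 5 minutes.
DEFAULT_FAILURES = 5
DEFAULT_WINDOW = timedelta(minutes=5)


def _parse(events):
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, pool)
            for t, eid, pool in events]


def rapid_fail_triggers(events, window=DEFAULT_WINDOW):
    """For each 1002 return (time, pool, number of 1014 events for that pool
    in the preceding window).  A count at or above DEFAULT_FAILURES means
    Rapid-Fail Protection fired exactly as designed."""
    parsed = _parse(events)
    triggers = []
    for when, eid, pool in parsed:
        if eid != 1002:
            continue
        failures = sum(1 for t, e, p in parsed
                       if e == 1014 and p == pool and when - window <= t <= when)
        triggers.append((when, pool, failures))
    return triggers


def disable_intervals(events, pool="DefaultAppPool"):
    """Gaps between successive 1002 events for a pool: the 'frequency of
    your 1002 events' the article suggests looking at."""
    times = sorted(t for t, e, p in _parse(events) if e == 1002 and p == pool)
    return [later - earlier for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    for when, pool, failures in rapid_fail_triggers(SAMPLE_EVENTS):
        verdict = "threshold reached" if failures >= DEFAULT_FAILURES else "below threshold"
        print(f"{when} {pool}: {failures} x 1014 in last {DEFAULT_WINDOW} ({verdict})")
    for gap in disable_intervals(SAMPLE_EVENTS):
        print(f"pool disabled again after {gap}")
```

If every 1002 is preceded by the full five failures, the protection is working and the worker process itself is what needs investigating; raising the thresholds or switching the feature off only changes how often the pool is taken offline, not why the process keeps failing.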

Related Articles, References, Credits, or External Links

NA

Update Cisco ASA – Directly from Cisco (via ASDM)

KB ID 0000636 

Problem

Warning:

Before upgrading/updating the ASA to version 8.3 (or higher), check that you have the correct amount of RAM in the firewall (the “show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.

ASA – Memory Error (Post upgrade to version 8.3)

Warning 2:

Be aware that if you are upgrading to an OS of 8.4(2) or newer you can no longer access the device via SSH using the default username of “pix”; you need to enable AAA authentication for SSH. Do this before you reboot/reload the firewall or you may lock yourself out.

ASA Enable AAA LOCAL Authentication for SSH

It’s been a while since I wrote how to update the ASA from the command line, and how to update the ASA from the ASDM. Now you can update the ASA directly from Cisco, providing you have a valid Cisco CCO account.

Solution

1. Connect to the ASDM on the ASA > Tools > Check for ASA/ASDM Updates.

2. Supply your Cisco CCO account information.

3. Next.

4. Decide if you want to update the OS of the ASA or the ASDM, or both.

5. Next.

6. The software will download (the OS is downloading here). Note: it is downloaded to the machine that the ASDM is running on first.

7. Then the ASDM software will download.

8. You may find that there is not enough room in flash memory; if so you will see this error. (If it does not error, skip to step 11.)

9. If you are stuck for room you can delete some items from your flash memory > Tools > File Management.

10. Here you can see I’m deleting an old version of the ASDM. Note you could delete the live version of the ASDM and Operating System if you had no choice (THOUGH DON’T REBOOT THE FIREWALL until the new ones have uploaded, or you will be loading the files in ROMMON mode!)

11. Once all the files have been downloaded to your location, they will be uploaded to the firewall’s flash memory.

12. Next.

13. Finish.

Note: What happens now is that the following commands are issued in the background automatically (the version numbers may be different in your case).

[box]

asdm image disk0:/asdm-649.bin
no boot system disk0:/asa843-k8.bin
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa843-k8.bin

[/box]

14. After the firewall reboots, it should come back up with the new OS and ASDM version.

Related Articles, References, Credits, or External Links

Cisco ASA5500 Update System and ASDM (From CLI)

Cisco ASA5500 Update System and ASDM (From ASDM)

Cisco ASA – ‘access-group’ Warning

KB ID 0001035

Problem

I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future.

What is an Access-Group command?

You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). I always apply access-groups inbound on an interface, to avoid confusion.

Example

[box]

Create an access list first

access-list outbound permit tcp host 192.168.1.1 any eq www

Then nothing will happen unless you apply that ACL to an interface with an 
access-group command.

access-group outbound in interface inside

[/box]

Solution

So Why The Access-Group Warning?

Reason 1

When I post articles and direct you to allow traffic through a firewall, I make the assumption that you do not have any ACLs already applied with access-group commands. If you did, and followed my tutorials blindly, then you would overwrite your access-groups, and any existing ACLs would stop working! (The ACLs would still be there; you would need to reapply them though.)

Reason 2

By default traffic will flow through the ASA from interfaces that have a higher (more secure) security level to interfaces with a lower security level. That’s why you can get out through a new firewall without adding any rules. However every ACL has an implicit deny on the end of it. So if you have a mail server and allow out SMTP for example, as soon as you apply the ACL with your access-group command you STOP ALL OTHER OUTBOUND COMMUNICATION until that is allowed also.

So How Can You Make Sure I’m Not About to Break Anything?

Easy, your firewall will tell you if you have any access-groups already in use, with a ‘show run access-group’ command. Below you can see there are three, and what interface they are applied to.

[box]

User Access Verification

Password: ********
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# show run access-group
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
PetesASA#

[/box]

I’ve deliberately shown a naming convention I don’t usually use, I typically have an ACL called outbound for outgoing traffic, and inbound for incoming traffic. If your firewall has different named ACLs applied with access-group commands USE YOUR ACL NAME, NOT THE ONES IN MY ARTICLES!

I’ve followed Your Article and It Works But Everything Else Has Stopped Working!

OK remember (Reason 2) above, you need to allow the traffic out again. The simplest way to do that is with a permit ip any any command which is what you had originally*, (I prefer to only allow out what traffic needs to go out, but I’m a firewall nut!)

*Note: To avoid emails from the pedants, you actually had all protocols open, not just IP.

[box]

Assuming the last commands you issued looked something like this:

access-list outbound permit tcp host 192.168.1.1 any eq www
access-group outbound in interface inside

Now that works, but everything else does not, you have fallen foul of the ‘implicit deny’, so allow out the traffic you want to allow out i.e.

access-list outbound permit ip any any


[/box]
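Both warnings above (Reason 1, overwriting an existing binding, and Reason 2, the implicit deny) can be checked against the running config before the access-group command is issued. The script below is an added example, not Cisco’s code and not from the original article: it parses `access-group` and `access-list` lines the way `show run access-group` presents them, and a pre-flight function reports whether a planned `access-group` would replace an existing one on that interface and direction, and whether the ACL lacks a trailing `permit ip any any` so that everything not listed would hit the implicit deny. The running config it parses is constructed for the example; real 9.x configs may also use `any4`/`any6`, which this simplified parser does not treat as a catch-all.

```python
"""Pre-flight check for an ASA 'access-group' command (added example).

Warns when the planned binding would replace an ACL already applied to the
same interface/direction, and when the ACL being bound has no catch-all
permit, so the implicit deny would stop all other traffic.
"""
import re

ACL_LINE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+?)\s*$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)\s*$")

# Constructed running config: 'inside' already has a permissive ACL bound,
# and a new 'outbound' ACL exists but allows only one host out to www.
SAMPLE_RUNNING_CONFIG = """\
access-list inside-in extended permit ip any any
access-list DMZ-in extended permit tcp any host 192.168.2.10 eq smtp
access-list outbound extended permit tcp host 192.168.1.1 any eq www
access-group inside-in in interface inside
access-group DMZ-in in interface DMZ
"""


def access_groups(config):
    """Map (interface, direction) -> ACL name: the same information that
    'show run access-group' prints."""
    bound = {}
    for line in config.splitlines():
        m = ACCESS_GROUP.match(line)
        if m:
            bound[(m.group(3), m.group(2))] = m.group(1)
    return bound


def acl_entries(config, name):
    """Return (action, protocol, rest) tuples for the named ACL, in order."""
    entries = []
    for line in config.splitlines():
        m = ACL_LINE.match(line)
        if m and m.group(1) == name:
            entries.append((m.group(2), m.group(3), m.group(4)))
    return entries


def has_catch_all_permit(config, name):
    """True if the ACL ends with 'permit ip any any', so the implicit deny
    at the end never matches anything."""
    entries = acl_entries(config, name)
    return bool(entries) and entries[-1] == ("permit", "ip", "any any")


def preflight_access_group(config, acl, direction, interface):
    """Warnings you would want to read before typing
    'access-group <acl> <direction> interface <interface>'."""
    warnings = []
    current = access_groups(config).get((interface, direction))
    if current and current != acl:
        warnings.append(
            f"Reason 1: interface '{interface}' ({direction}) already has ACL "
            f"'{current}' bound; 'access-group {acl} {direction} interface "
            f"{interface}' would replace it")
    if not acl_entries(config, acl):
        warnings.append(f"ACL '{acl}' has no entries; binding it denies everything")
    elif not has_catch_all_permit(config, acl):
        warnings.append(
            f"Reason 2: ACL '{acl}' has no trailing 'permit ip any any'; once bound, "
            f"everything not listed hits the implicit deny")
    return warnings


if __name__ == "__main__":
    for (iface, direction), name in access_groups(SAMPLE_RUNNING_CONFIG).items():
        print(f"access-group {name} {direction} interface {iface}")
    for w in preflight_access_group(SAMPLE_RUNNING_CONFIG, "outbound", "in", "inside"):
        print("WARNING:", w)
```

Feed it the output of `show run` (or just the `access-list` and `access-group` lines) and the ACL name from the article you are following; if the first warning fires, substitute your own ACL name as the article says, and if the second fires, decide whether the missing traffic should be added explicitly or with a final `permit ip any any`.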


Related Articles, References, Credits, or External Links

NA


iPhone – Bluetooth Problem

KB ID 0000374 

Problem

I wrote an article yesterday about tethering via Bluetooth, and had a few problems; sorry to say the web was not much help at all 🙁

Basically the iPhone was marked with a yellow warning triangle, and when clicking the troubleshooting option you see the following,

Error: Bluetooth Peripheral Device doesn’t have a driver.

I read some forum posts and the general advice was to download iTunes, extract the driver MSI out of it and use those drivers, but that didn’t work either.

Error: Bluetooth Peripheral Device – No driver found.

Solution

The reason this is happening is that by default your iPhone installs with the “Wireless iAP” service enabled. Click Start > Devices and Printers > Locate your iPhone > Right click > Properties > Services > Untick Wireless iAP > Apply > OK.

Note: You can still use the phone as an internet access point.


Related Articles, References, Credits, or External Links

NA


iPhone – Update Warning “There are items purchased on the iPhone that have not been transferred”

KB ID 0000435 

Problem

Seen when attempting to update your iPhone.

iTunes
There are purchased items on the iPhone “{name of phone}” that have not been transferred to your iTunes library. You should transfer these items to your iTunes library before updating this iPhone. Are you sure you want to continue?

Solution

1. Firstly remove the warning by clicking “Cancel”.

2. With iTunes running and your iPhone connected, locate the phone, which should be listed in the menu on the left hand side. Right click the phone and select “Transfer Purchases”.

3. Wait for it to complete then re-try the update process.

Related Articles, References, Credits, or External Links

NA