Posts

Troubleshoot FTD - CDO Registration

// Check pigtail (sftunnel log) for errors
connect to expert mode
sudo pigtail

=======================

// Capture from the FTD CLI
connect to expert mode
tcpdump -n -i management0 host 1.1.1.1     <-- 1.1.1.1 = destination you are checking; Ctrl+C to stop

IPsec Troubleshooting

After an upgrade, a Cisco router could not establish its IPsec tunnel. During the debugs I saw the following:

    # debug cry isa sa
    *Jun 16 19:47:12.296 EEST: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
    *Jun 16 19:47:12.296 EEST: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    *Jun 16 19:47:12.296 EEST: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
    *Jun 16 19:47:12.296 EEST: ISAKMP-PAK: (0):sending packet to 88.28.206.154 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Jun 16 19:47:12.296 EEST: ISAKMP: (0):Sending an IKE IPv4 Packet.
    *Jun 16 19:47:12.296 EEST: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
    *Jun 16 19:47:12.296 EEST: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

From the logs the problem is in phase 1: the router (the initiator, "(I)") keeps retransmitting its first main-mode message and the error counter increments on every attempt ("attempt 3 of 5"), so the SA never leaves MM_NO_STATE. No usable reply is coming back from the peer, which means phase 1 cannot be established. ISAKMP is phase 1 of IKEv1 IPsec. Cisco deprecated DH group 5 from the supported algorithms on IOS XE...
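As an added example (not from the post, whose resolution is cut off above), the IOS phase-1 policy with the deprecated group beside a corrected one, followed by the commands used to verify the result. It assumes the fix is to move both peers to DH group 14; the policy number, the pre-shared key and the peer address 203.0.113.1 are placeholders, not the address from the debug.

```cisco
! Added example, not taken from the post. Peer 203.0.113.1, the policy number and the
! key are placeholders. The post stops before stating its fix; moving both peers to
! DH group 14 is assumed here.

! --- Before: phase-1 policy still offering DH group 5 (deprecated on recent IOS XE) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 86400

! --- After: same policy with a 2048-bit MODP group (14). Groups 19/20 (ECDH) are
!     also an option if the remote peer supports them; whatever is chosen must be
!     configured on both peers or the proposals still will not match. ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <pre-shared-key> address 203.0.113.1

! --- Verify ---
! Lists the configured policies, so a deprecated group is visible before debugging.
show crypto isakmp policy
! Phase 1 is healthy when the peer is listed in state QM_IDLE. An SA that stays in
! MM_NO_STATE and is torn down after the fifth retransmit means MM1 got no usable answer.
show crypto isakmp sa
```

Changing only the local router is not enough: if the remote peer still offers nothing the local policy accepts, the initiator keeps retransmitting in MM_NO_STATE exactly as in the debug above.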

SMA - System Administration Tab was missing

The issue was licensing. Under Management Appliance > System Administration > Smart Licensing there was an error stating that the SMA had stopped communicating with the Smart Account for more than 90 days. On the SMA CLI run grep and select log 16; it shows:

    Tue Jan 14 00:24:08 2025 Warning: Failed to renew certificate of the product with Smart Software Manager due to {"product_instance_identifier":["ProductInstance '870ae19a-351-4bbc-a73a-b8b9aef26166' is not valid"]}

To resolve this, re-register the SMA with the Smart Account (Smart Licensing > Action > Reregister; a new token has to be created in the Smart Account first). After re-registration the log confirms it:

    Mon Jan 20 12:20:35 2025 Info: Renew authorization of the product with Smart Software Manager is successful.

Domains over Split tunnel RA VPN

Use case: split-tunnel remote access VPN.

In a split-tunnel VPN we usually send only the corporate networks (most of the time private address ranges) over the tunnel, so remote workers use their local internet line for everything else.

What if some URLs need to "pass" over the tunnel as well? In most cases this is needed because the destination has to be reached from the VPN gateway's address (it only accepts connections coming from that IP).

The solution is dynamic split tunnelling. It is configured under Group Policy > AnyConnect > Custom Attributes > +: select Dynamic Split Tunnelling and add the domains that need to be reached over the tunnel. The client then adds tunnel routes for the addresses those domains resolve to. Dynamic split tunnelling is supported on Windows and macOS clients only.

*Reminder: if a VPN filter is used, allow this traffic there, and also in the access control policy unless sysopt connection permit-vpn (bypass access control for decrypted traffic) is enabled.
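The same configuration as an added CLI example (not from the post): the ASA-style commands behind the FMC steps above, which is also what the FTD running configuration shows once the policy is deployed. The group-policy name GP_SPLIT, the ACL name SPLIT_ACL, the custom-data name SaaS_Domains and the domains are placeholders.

```cisco
! Added example, not from the post: the CLI behind Group Policy > AnyConnect >
! Custom Attributes. GP_SPLIT, SPLIT_ACL, SaaS_Domains and the domains are placeholders.

! 1. Declare the custom attribute type once (global, under webvpn)
webvpn
 anyconnect-custom-attr dynamic-split-include-domains description Domains sent over the split tunnel

! 2. The value: a comma-separated list of domains. Subdomains are matched as well;
!    wildcards, URLs and paths are not valid here.
anyconnect-custom-data dynamic-split-include-domains SaaS_Domains portal.example.com,api.example.com

! 3. Attach it to the group policy. Dynamic include only works on top of a normal
!    split-include policy (tunnelspecified), which is the use case of the post.
group-policy GP_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 anyconnect-custom dynamic-split-include-domains value SaaS_Domains
 ! If a vpn-filter is applied in this group policy it must also permit traffic to those domains

! 4. Checks. With "no sysopt connection permit-vpn" the access control policy inspects the
!    decrypted traffic and must permit it too.
show running-config sysopt
show running-config group-policy GP_SPLIT

! Client side: Secure Client > Statistics > Route Details lists the resolved addresses
! under "Dynamic Tunnel Inclusion". Windows and macOS clients only.
```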

WSA Troubleshooting

grep "212.77" Access_Logs          // search the access logs for a specific IP

Interactive grep (answer the prompts; log 1 is Access_Logs here, the expression can be e.g. "facebook", or "403" for denied connections):

    Enter the number of the log you wish to grep.
    []> 1
    Enter the regular expression to grep.          #### here enter the expression you want to match
    []> gmama || facebook ||
    Do you want this search to be case insensitive? [Y]>
    Do you want to search for non-matching lines? [N]>
    Do you want to tail the logs? [N]> Y
    Do you want to paginate the output? [N]>

tail Access_Logs                   // follow the access log live

Live search filtering on both IP and domain:

    grep "10.20.210.52.*box.com" Access_Logs -t

FTD Port-channel troubleshoot

# show fault                                                      Display fault information
# connect fxos                                                    Connect to the FXOS command shell (4100/9300)
(fxos)# show interface ethernet X/Y                               View Ethernet interface status
(fxos)# show port-channel summary                                 Summarised information about the configured port-channels
(fxos)# show lacp counters interface port-channel X               LACP traffic statistics for a particular port-channel
(fxos)# show lacp interface ethernet X/Y                          LACP information for the Ethernet interface
(fxos)# show lacp internal event-history interface ethernet X/Y   Internal LACP events for the specified Ethernet interface

FTD CLUSTER BUG

FTD version 7.2.5, when trying to create a cluster, the FTD CLI showed:

    sec-dcfw-01#
    Detected Cluster Master.
    Beginning configuration replication from Master.
    ..
    Cryptochecksum (changed): 2f2f9cae ea5dbc33 a1eb4bda 3379b6fb
    End configuration replication from Master.
    Unit is kicked out from cluster because of interface health check failure.
    Cluster disable is performing cleanup..done.
    All data interfaces have been shutdown due to clustering being disabled. To recover either enable clustering or remove cluster group configuration.

Searching for the error I found the bug https://bst.cisco.com/quickview/bug/CSCus54932. After upgrading to 7.4.2 (the currently recommended release) the cluster was built as expected.