ASA 8.x – IAS downloadable ACL SSL bug

I was recently configuring an ASA running 8.x software to authenticate and download ACL’s for remote-access users from microsoft IAS. During my testing I changed one of the ACE’s but accidentally used incorrect syntax (tried to match a port number on an “ip” access list):

ip:inacl#100=permit ip 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389

Which should have read

ip:inacl#100=permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389

The end result was that my authentication denied and I received this error on the ASA:

%ASA-3-109032: Unable to install ACL ‘AAA-user-username-ABC12345’, downloaded for user username; Error in ACE: ‘permit ip 10.1.0.0 255.255.255.0 host 10.2.0.1 eq 3389’

No biggie, fixed the syntax and tried to logon again. But then I recieved this interesting error:
%ASA-4-716023: Group <groupName> User <username> IP <x.x.x.x> Session could not be established: session limit of 2 reached.
%ASA-4-716007: Group <groupName> User <username> IP <x.x.x.x> WebVPN Unable to create session

I thought maybe I had some previous sessions still connected:

ASA# sh uauth
Current    Most Seen
Authenticated Users       0          1
Authen In Progress        0          0

ASA# sh vpn-sessiondb webvpn
INFO: There are presently no active sessions of the type specified

It appears that if a SSLvpn connection fails due to an incorrectly configured downloadable ACE it locks out that session. I couldn’t find a command that would return the sessions back to the available pool and had to reload the ASA to correct it.

Now I doubt you would see this issue in a production environment but if anyone knows of a way to correct this without reloading I would love to know.

ASA 8.0(2) – disappearing ISAKMP nat-traversal

Version 8.0(2) contains a bug that involves an inconsistent interpretation of what the default command is for “crypto isakmp nat-traversal 20”. Whilst running, the device appears to have this command on by default but on boot the command is negated by default. The effect of this is nat-traversal is disabled every time you reboot the ASA.

Workaround?

Use a non-default keep-alive interval. I used “crypto isakmp nat-traversal 30” and the command now persists through a reboot.

Note: This issue appears to be fixed in 8.0(3) bug ID CSCsj5258.

ASA 8.x – L2TP & default Tunnel-groups

I recieved a lesson in research first, configure second today.

I was trying to configure l2tp over IPSEC on an ASA 5510 running version 8.0(2) software and for life of me couldn’t work out why it wasn’t working. I kept getting this error every time I tried to create the tunnel:

%ASA-4-713903: Group = x.x.x.x, IP = y.y.y.y, Can’t find a valid tunnel group, aborting…!
%ASA-3-713902: Group = x.x.x.x, IP = y.y.y.y, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = x.x.x.x, IP = y.y.y.y, Error: Unable to remove PeerTblEntry
%ASA-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)

Google didn’t really turn much information. OK, time to check cisco.com and I found this article.

I made the mistake of jumping straight down to the configuration example, which still left me stumped for as far as I could tell I had configured the ASA correctly.

Then I noticed this line:

Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work.”

Arrrgh! I switched the configuration to “tunnel-group DefaultRAGroup” and everything worked great.

Interestingly though I didn’t switch the group-policy from my user-defined policy and the configuration still worked fine.

WANEM – Bridging Interfaces

I have been having to configure a lot of QoS implemntations in the lab latley and have been needing to simulate WAN links to effectivly test my configurations. I found a great open-source tool called WanEM that works a treat whilst also having great documentation and tutorials. It can be run as a live knoppix CD on commodity hardware and is a piece of cake to configure and manage.

I found an old PC, populated it with old NIC’s lying around and in about 5 minutes I was ready to roll. It also supports NAT so you can set it up a production network without worrying about setting up routing etc.

The big issue I had was the setup wizard and all the tutorials were all geared around each interface being in a different broadcast domain/subnet. The only documented solution I found to emulate a WAN for hosts on the same Subnet was to run WANem “On-a-stick”, this works ok for Linux/Windows hosts but I wasn’t sure how IOS would handle static routes to a connected network via a gateway on THAT same connected network (If that makes sense).

I solved this issue by bridging the interfaces in knoppix and assigning a single IP to the bridge interface so I could still Manage the Web interface.

  • From the Console I executed the command “exit2shell” this dropped me out to the knoppix shell
  • I executed the following commands to remove any existing IP configuration and bring up all the interfaces:

ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig eth2 0.0.0.0 up
ifconfig eth3 0.0.0.0 up
ifconfig eth4 0.0.0.0 up

  • I created a Bridge-group interface called br0:

brctl addbr br0

  • I added each interface to the bridge-group br0

brctl addif br0 eth0
brctl addif br0 eth1
brctl addif br0 eth2
brctl addif br0 eth3
brctl addif br0 eth4

  • I assigned an ip address to the bridge-group br0 for management

ifconfig br0 10.1.1.254 netmask 255.255.255.0

  • I added a default Route so I could manage the WANem box from another network

route add default gw 10.1.1.1

  • I started the tool again with the command “wanem”

I then connected to http://10.1.1.254/WANem and everything worked a treat!