Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About StevieOliver_2
08-18-2017
Stats
Member since
04-17-2005
78
Posts
10
Helpful
0
Solutions
12-09-2016
10:56 AM
Success.
I created a copy of the IPSec certificate as a Win2003 certificate
In the Subject name tab choose Supply in request
In the Extensions tab Highlight Application Policies - Edit - Add and select IP Security tunnel termination.
Now select that new certificate template to issue.
When I go to the certsrv webpage the template is there at last.
I then cenerated a CSR on the ASA and used this template to sign it. I applied the signed certificate to the crypto map and tunnel group and I could bring the tunnel up without the ignore-ipsec-keyusage line under the CA trustpoint.
So thanks again for the assistance in pointing me in the right direction JP
Stephen.
... View more
12-09-2016
09:15 AM
Actually I think I've just managed to get the new template published and available in the certsrv webpage by using the Windows Server 2003 Enterprise option when duplicating the IPSec template. I think I was using the Windows Server 2008 Enterprise option before which was the default. That seems to have now allowed the template to be available via certsrv. I've still to issue my ASA with a new cert and test but I'll try that and report back on how it goes.
Stephen.
... View more
12-09-2016
09:05 AM
Thanks again JP.
I did manage to copy the existing IPSec template and include IP security tunnel termination as a certificate purpose. That looks promising as a solution.
However, I'm still having trouble getting the certificate template to be offered under the certsrv webpage which I'm trying to resolve. Every suggestion I find on the internet fails to get the CA to offer the copied template.
Stephen.
... View more
12-06-2016
01:49 PM
Thank you for the input JP.
I'm using the IPSec (offline request) cert template which seems to be much the same as the IPSec one. Am I wrong? Is there a significant difference between these templates?
The reason I don't use the IPSec template is I can't seem to get it offered as a choice when I browse to my CA and submit an Advanced request. Only the IPSec (Offline request) is available. So I looked into that and it seemed to be an acceptable alternative.
From here
https://social.technet.microsoft.com/Forums/office/en-US/87454c69-1f4a-4474-bbbf-a6e7d120d3fd/what-for-are-ipsec-and-ipsec-request-offline-certificates-in-ca-certificate-templates-node?forum=winserversecurity
It says
IPSEC(offline Request) certificate template allows the certificate requester to provide the subject name information in the certificate request.
I didn't think that would cause the certificate to be rejected.
Thanks, Stephen.
... View more
Created by
StevieOliver_2
in VPN and AnyConnect
in VPN and AnyConnect
12-05-2016
07:21 AM
12-05-2016
07:21 AM
Hi I'm playing around with IPSec site to site VPN's using certificates. I load the CA root certificate onto each ASA and then enroll manually for an Identity certificate. I have a Win2008 CA and I use the Advanced Certificate request then IPSec (Offline request) template to generate my certificate from the ASA CSR. The Identity certificate gets installed fine and I apply it to the tunnel group and crypto map. However, when the tunnel attempts to come up I get the following in debugs [IKEv1]Group = 192.168.0.250, IP = 192.168.0.250, Certificate Validation Failed and check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable I can get round this by doing crypto ca trustpoint My-trust-point ignore-ipsec-keyusage However, I would prefer not to have to do this. Am I using the wrong certificate template to generate the certificate for the ASA and if so what one should I use ? Thanks, Stephen.
... View more
Labels:
03-06-2012
12:44 PM
Many thanks Reza. It seems strange to me that the 16 port card must be put in non-oversubscribed (performance) mode but the 8 port can be used in 2:1 oversubscribed mode. So we are better off using a cheaper 8 port card if we deploy the VSL on it. I'm also puzzled about the Cisco recommendation to put the VSL across the 2 Sup720 ports in each chassis. If the standby Sup720 fails then the VSL fails and a whle chassis is lost. Am I correct in thinking if we split the VSL across a Sup720 and an 8 port card then the VSS can sustain both chassis if the standby Sup720 fails ? The standby Sup goes down but since it only accommodates one of the two VSL ports then the VSL survives via the 8 port module and the cards in the standby chassis stay up (???) Or do the standby chassis modules go down and stay down if their Sup fails ? Thanks again, Stephen.
... View more
03-06-2012
04:16 AM
Hi On http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/qa_cisco_catalyst_6500_series_16port_10gigabit_ethernet_module.html it states that if you put the 16 port card into performance mode only 4 ports are useable. If I read correctly then to use the 16 port card for VSL it needs to be in performance mode and hence we lose 12 ports. With the 8 port card it says on http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a00801dce34.html 8-Port 10 Gigabit Ethernet Fiber Module The 8-port 10 Gigabit Ethernet fiber module (Figure 3) provides up to 66 10 Gigabit Ethernet ports in a single Cisco Catalyst 6509 chassis and 132 10 Gigabit Ethernet ports in a VSS. It supports 64 Gbps of local switching, making it ideal for deployment in the core or aggregation layer of LAN campuses and data centers. All 8 ports can be used to create a virtual switch link in a VSS. This implies that even though the 8 port module is oversubscribed 2:1 it need not be in performance mode to be used for the VSL. So buy an 8 port card for VSL and you keep all 8 ports but buy a 16 port card and you need to disable 12 ports to be able to use it for VSL. While I do not need to use all 8 ports on the 8 port card for VSL I want to use one port and have the remaining 7 also available for other uses. It seems strange that the 16 port card needs to be in a mode that disables 12 ports but the 8 port card does not. Am I missing something here ? Thanks, Stephen.
... View more
Labels:
01-26-2012
02:00 PM
Hi I have an ASA between a client and server hosting an https page. When I rowse from some subnets all is ok. I get the page delivered. The beginning of this capture is below. The session continues successfully. 1: 13:47:24.578049 10.200.205.42.57648 > 10.192.0.20.443: S 812340862:812340862(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK> 2: 13:47:24.579651 10.192.0.20.443 > 10.200.205.42.57648: S 2345509625:2345509625(0) ack 812340863 win 8192 <mss 1380,nop,wscale 8> 3: 13:47:24.581207 10.200.205.42.57648 > 10.192.0.20.443: . ack 2345509626 win 4410 4: 13:47:24.584503 10.200.205.42.57648 > 10.192.0.20.443: P 812340863:812341069(206) ack 2345509626 win 4410 5: 13:47:24.587555 10.192.0.20.443 > 10.200.205.42.57648: P 2345509626:2345509712(86) ack 812341069 win 260 6: 13:47:24.587555 10.192.0.20.443 > 10.200.205.42.57648: P 2345509712:2345509718(6) ack 812341069 win 260 7: 13:47:24.587722 10.192.0.20.443 > 10.200.205.42.57648: P 2345509718:2345509771(53) ack 812341069 win 260 However some other clients get a reset when browsing. That capture is below 1: 21:27:31.347684 10.64.144.10.3608 > 10.192.0.20.443: S 1469452352:1469452352(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> 2: 21:27:31.356930 10.192.0.20.443 > 10.64.144.10.3608: S 3634167830:3634167830(0) ack 1469452353 win 8192 <mss 1380,nop,wscale 8> 3: 21:27:31.357372 10.64.144.10.3608 > 10.192.0.20.443: . ack 3634167831 win 64000 4: 21:27:31.357449 10.64.144.10.3608 > 10.192.0.20.443: P 1469452353:1469452527(174) ack 3634167831 win 64000 5: 21:27:34.309905 10.64.144.10.3608 > 10.192.0.20.443: P 1469452353:1469452527(174) ack 3634167831 win 64000 6: 21:27:34.309996 10.192.0.20.443 > 10.64.144.10.3608: R 3634167831:3634167831(0) ack 1469452527 win 64000 Probably not ASA related but has anyone seen anything like this ? The sent window size is very different in each case but don't know if it's related to the issue. There is a SSM module in the ASA but I have turned off inspection for troubleshooting purposes. Any input appreciated. Thanks, Stephen.
... View more
Labels:
01-22-2012
01:44 AM
For a bit of clarification on what my customer is looking for here maybe this helps On the Egress of a single Gigabit interface there are multiple point to point VLANs. These go to a outdoor wireless device that has 2 or 4 point to point wireless links. So each Wireless link takes some of the point to point VLANs from a single Gig interface and each wireless link can be a different speed. Can we mark on an egress direction prior to queueing the traffic through one of the 4 egress queues ? So routing decides that the traffic will go via VLAN 10. Mark CoS 1 for example. Traffic going via VLAN 20 mark CoS 2 for example. Then based on these CoS values place the traffic into one of the 4 egress queues which have shaping applied to limit the bandwidth such that the downstream wireless links do not get overloaded. Marking on the ingress does not help because we do not know at this point what VLAN, and hence what wireless link, the traffic will exit on. For the same reason policing on the ingress cannot be used because there is a possibility that the same ingress traffic may go via the fastest Wireless link normally but be routed over the slowest link under a wireless link failure scenario. Having read all the relevant QoS documentation for the 3560 I cannot imagine a way this can be done. Any input would be appreciated even if it is a suggestion we can consider and possibly discount. Thanks again, Stephen.
... View more
01-18-2012
01:06 PM
Hi I have a customer who requires to identify and police traffic on egress on a 3560 trunk link. I cannot use ingress classifications because we do not know what route the traffic will take yet. The egress interface connects to multipoint wireless equipment with 4 different bandwidth point to point links. So the ingress traffic may be routed via any one of 4 point to point wireless links connected to the single egress interface. Am I correct in assuming we cannot mark on the egress direction then put the traffic in a SRR shaped egress queue based on the marking ? So we would only have the option to egress queue based on markings applied or trusted on the inbound direction ? I had thought of some kind of policy map/aggregate policer configuration based on the exit VLAN but it seems we can only apply this type of config inbound. From reading the 3560 configuration guides it seems the 3560 cannot deploy the kind of requirements this customer needs. Perhaps they should have deployed some kind of Metro switch ? Thanks again for any input. Stephen.
... View more
Labels:
Created by
StevieOliver_2
in Policy and Access
in Policy and Access
01-11-2012
01:27 PM
01-11-2012
01:27 PM
Thanks Carlos, very helpful advice. I'll let you know how I get on. Regards, Stephen.
... View more
Created by
StevieOliver_2
in Policy and Access
in Policy and Access
01-11-2012
12:02 PM
01-11-2012
12:02 PM
Thanks again Carlos. I intend to set up a test device and authenticate it an see if we can determine the appropriate Radius attribute from the logs. If I recall last time I looked at remote access radius logs on ACS 5.1 they were pretty detailed. Failing that I'll work on those two attributes 30 and 31 to get the proper setup. A last thing if you don't mind. Is it possible to hold back the DHCP address until authentication has completed ? I have been asked about this but can't think of any way the APN, which will be the DHCP server, could hold back address assignment pending successful authentication. Regards, Stephen.
... View more
Created by
StevieOliver_2
in Policy and Access
in Policy and Access
01-11-2012
12:23 AM
01-11-2012
12:23 AM
Many thanks Carlos Is there a way we can create a list of acceptable IMEI numbers that we can check against similar to the internal users database ? So somehow record the IMEI number as the device is allocated and check against this list as the request comes in ? Also, how does the DHCP operate now ? Wasn't the ACS 4 solution based on allocating the address after successful authentication. Do we now return a DHCP server address as part of a successful authentication rather than the actual address in a Radius attribute ? Thanks again, Stephen.
... View more
Created by
StevieOliver_2
in Policy and Access
in Policy and Access
01-10-2012
02:27 PM
01-10-2012
02:27 PM
Hi I'm trying to find out the options for authenticating remote users via IMEI and MISDN values via ACS 5.3 I'm unfamiliar with the Radius attribute options here and what kind of request/response we can utilise. Also previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way have ACS 5.3 to provide a DHCP server address for the connection ? This question was prevously asked in relation to ACS 5.2 but no answer was provided via the forum discussion hence the reposting. Thanks, Stephen.
... View more
Labels:
Created by
StevieOliver_2
in VPN and AnyConnect
in VPN and AnyConnect
11-28-2011
02:14 AM
11-28-2011
02:14 AM
Thanks for all your replies but this has been a red herring. My customer has just told be it is a different VPN that we should have applied the config to. Thanks again, Stephen.
... View more
12-09-2016
Success. I created a copy of the IPSec certificate as a Win2003
certificate In the Subject name tab ...
12-09-2016
Actually I think I've just managed to get the new template published and
available in the certsrv we...
12-09-2016
Thanks again JP. I did manage to copy the existing IPSec template and
include IP security tunnel ter...
12-06-2016
Thank you for the input JP. I'm using the IPSec (offline request) cert
template which seems to be mu...
12-05-2016
HiI'm playing around with IPSec site to site VPN's using certificates.I
load the CA root certificate...
03-06-2012
Many thanks Reza.It seems strange to me that the 16 port card must be
put in non-oversubscribed (per...
03-06-2012
Hi On
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/qa_cisco_catalyst_6500_series...
01-26-2012
HiI have an ASA between a client and server hosting an https page.When I
rowse from some subnets all...
01-22-2012
For a bit of clarification on what my customer is looking for here maybe
this helpsOn the Egress of ...
01-18-2012
HiI have a customer who requires to identify and police traffic on
egress on a 3560 trunk link. I ca...
Created by
StevieOliver_2
in Policy and Access
01-11-2012
01-11-2012
Thanks Carlos, very helpful advice. I'll let you know how I get
on.Regards, Stephen.
Created by
StevieOliver_2
in Policy and Access
01-11-2012
01-11-2012
Thanks again Carlos.I intend to set up a test device and authenticate it
an see if we can determine ...
Created by
StevieOliver_2
in Policy and Access
01-11-2012
01-11-2012
Many thanks CarlosIs there a way we can create a list of acceptable IMEI
numbers that we can check a...
Created by
StevieOliver_2
in Policy and Access
01-10-2012
01-10-2012
HiI'm trying to find out the options for authenticating remote users via
IMEI and MISDN values via A...
Created by
StevieOliver_2
in VPN and AnyConnect
11-28-2011
11-28-2011
Thanks for all your replies but this has been a red herring. My customer
has just told be it is a di...
Public Statistics
| Date Registered | 04-17-2005 05:53 AM |
| Date Last Visited | 08-18-2017 03:57 AM |
| Total Messages Posted | 78 |
| Total Helpful Votes Received | 10 |
Helpful Votes Given To
.jpg "Hall of Fame Expert"){kind=icon}
