Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Tim Lewis
Stats
Member since
09-28-2009
20
Posts
5
Helpful
0
Solutions
04-24-2018
06:45 PM
I was able to fix the problem. You can apply this method if it is not in production since we need to whip the config.
1) Remove the problem FTD from FMC
2) Make sure it is no longer registered with FMX, form FTD run "show manager"
3) From FTD, run "configure firewall transparent" to whip the config
4) From FTD, run "configure firewall routed" to back to routed mode
5) Register to FMC
root@FTD02:~# ntpq -np remote refid st t when poll reach delay offset jitter ============================================================================== *127.0.0.2 45.33.84.208 3 u 9 64 273 0.660 3.817 0.578 127.127.1.1 .LOCL. 10 l 764 64 0 0.000 0.000 0.000
Note:
I got the idea how to reset previous config from this link....
https://www.lammle.com/post/reset-cisco-ftd-device-converted-asa-ftd-210041009300-factory-default/
... View more
04-24-2018
06:12 PM
I am having the exactly the same issue. We have FTD01 and FTD02. By my mistake, initially I configured FTD02 managed by local Firewall Device Manager. Then, I converted it to be managed by FMC. Now, FTD02 has NTP sync issue.
If I use time4.google.com instead of FMC, it will work. So, NTPD on the FTD02 is working correctly. I don't know what to do next... I opened a TAC case but no luck... I think the key is that it was used to be managed by a local Firewall Device Manager...
===with google
///NTP status///
root@NYP-EDGE-FW02:~# ntpq -np remote refid st t when poll reach delay offset jitter ============================================================================== 127.127.1.1 .LOCL. 10 l 10 64 37 0.000 0.000 0.000 *216.239.35.12 .GOOG. 1 u 1 32 1 187.033 15.917 0.151
///ntp.conf///
root@FTD02:~# cat /etc/ntp.conf # KP NTPd client configuration file
server time4.google.com prefer burst iburst minpoll 5 maxpoll 6 # Service Manager NTP Server
# Local Clock as Backup server 127.127.1.1 # local clock fudge 127.127.1.1 stratum 10
# default security setting restrict default kod nomodify notrap noquery restrict 127.0.0.1 # allow local access
# The driftfile must remain in a place specific to this # machine - it records the machine specific clock error # driftfile /opt/cisco/platform/logs/ntp.drift driftfile /var/lib/ntp/ntp.drift
logconfig=syncall +clockall +sysall +peerall logfile /opt/cisco/platform/logs/ntp.log
===with FMC
///NTP status///
root@FTD02:~# ntpq -np remote refid st t when poll reach delay offset jitter ============================================================================== 127.0.0.2 .INIT. 16 u - 64 0 0.000 0.000 0.000 *127.127.1.1 .LOCL. 10 l 62 64 377 0.000 0.000 0.000
///ntp.conf///
root@NYP-EDGE-FW02:~# cat /etc/ntp.conf # KP NTPd client configuration file
server 127.0.0.2 prefer burst iburst minpoll 5 maxpoll 6 # Service Manager NTP Server
# Local Clock as Backup server 127.127.1.1 # local clock fudge 127.127.1.1 stratum 10
# default security setting restrict default kod nomodify notrap noquery restrict 127.0.0.1 # allow local access
# The driftfile must remain in a place specific to this # machine - it records the machine specific clock error # driftfile /opt/cisco/platform/logs/ntp.drift driftfile /var/lib/ntp/ntp.drift
logconfig=syncall +clockall +sysall +peerall logfile /opt/cisco/platform/logs/ntp.log
... View more
Created by
Tim Lewis
in Web Security
in Web Security
12-01-2014
10:03 PM
12-01-2014
10:03 PM
After upgrading to 8.0.6 we had lot of users having issues with accessing the Internet. Initially, we thought that it may be WCCP, so we configured manually to use proxy and people didn't had issues after that, so we thought it is WCCP. After taking better look, we realized that actually only HTTPS traffic is having issues, and it is affecting users only if they didn't used HTTP traffic before that, so we unconfigured authentication realm, configured new one (now supporting Kerberos, NTLM and Basic), configured it to support Transparent Authentication, IP address of CDA and pre-shared key and verified that it can communicate with everything OK and all tests ended up being successfull. No help. Identity is configured to use AD realm, Transparent Authentication, and to support "Guest Services", so if IP address/Username mapping can't be found, it should still allow unauthenticated user to access. Now, it doesn't work. When we tailed access-log, we saw being denied by WSA. Also, when we issued authcache command, I saw about 20 usernames, but only 2-3 IP addresses total (like 17 entries had only usernames, 3 of them had username and IP address below). Also, we tried with configuring HTTPS to decrypt authentication, users are prompted to accept self signed certificate and after that it works. Without it, you'll first need to use HTTP in order to get HTTPS working. Both those should be in use if I am using actual authentication (Kerberos, NTLM or Basic), but I don't want to do so, there is not one identity that's using those, and the one I use doesn't have option "Force Authentication" checked, it has "support guest service"... Needless to say, all this worked fine with 7.7.5 version...
... View more
Labels:
Created by
Tim Lewis
in Network Security
in Network Security
09-23-2013
09:53 AM
09-23-2013
09:53 AM
Hi, I have two separate issues where IPS seems to be causing issues for user's traffic and it's reducing the bandwith available. 1) ASA 5515-X with IPS, it is running 7.1(7) software, we configured action filters that filter out every available action, for every signature for very IP address as victim or atacker, and at the end, pretty much any traffic was about 30-40% slower than without IPS inline. Inspection load was about 40-50% on IPS 2) ASA 5545-X with IPS, version 7.2 (1) software, IPS inline is getting about 50% slower file transfers than without forwarding any traffic to IPS. Inspection load is at 7-10%, and we configured same action filters, to make sure no signature will cause any packet drops... Speedtest.net shows eved more drastical change, drop from 88Mbps to 11 Mbps. Anyone?
... View more
Labels:
Created by
Tim Lewis
in Web Security
in Web Security
08-16-2013
12:13 PM
08-16-2013
12:13 PM
We want to use CDA for transparent user authentication. Now, all users have domain credentials and even MAC users need to login with AD credentials to MAC machines. Will CDA be able to see MAC user login to MAC PC (all MAC PSs are part of windows domain (they exchange Kerberos communication)) so I am hoping that Windows Domain controller will generate similar message to normal, windows login, so CDA will be able to pick that information up and forward it to to WSA. Am I right?
... View more
Labels:
Created by
Tim Lewis
in Network Security
in Network Security
07-19-2013
05:49 PM
07-19-2013
05:49 PM
Subject said it all. I have ECLB configured on Catalyst 3850: udld enable udld message time 2 interface TenGigabitEthernet1/1/1 switchport trunk native vlan 4094 switchport trunk allowed vlan 1,1500,4094 switchport mode trunk udld port aggressive channel-group 1 mode on interface TenGigabitEthernet2/1/1 switchport trunk native vlan 4094 switchport trunk allowed vlan 1,1500,4094 switchport mode trunk udld port aggressive channel-group 1 mode on interface Port-channel1 description PORTCHANNELS TO IPS switchport trunk native vlan 4094 switchport trunk allowed vlan 1,1500,4094 switchport mode trunk IPS interfaces are hardcoded to 10Gb. Whenever I reload or power cycle IPS, interface stays up entire time and doesn't get error disabled, which pretty much ends up with black holing almost entire traffic. Can anyone help me with this?
... View more
Labels:
Created by
Tim Lewis
in Network Access Control
in Network Access Control
07-12-2013
08:46 AM
07-12-2013
08:46 AM
I have trust. I can get the user information with cde\user and user@cde.company.com , but authentication is still not working. So, I see the user, but it is still not being authenticated by the policy. Here is log: 11001 Received RADIUS Access-Request 11017 RADIUS created a new session Evaluating Service Selection Policy 15048 Queried PIP 15048 Queried PIP 15004 Matched rule 11507 Extracted EAP-Response/Identity 12300 Prepared EAP-Request proposing PEAP with challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated 12318 Successfully negotiated PEAP version 0 12800 Extracted first TLS record; TLS handshake started 12805 Extracted TLS ClientHello message 12806 Prepared TLS ServerHello message 12807 Prepared TLS Certificate message 12810 Prepared TLS ServerDone message 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 12318 Successfully negotiated PEAP version 0 12812 Extracted TLS ClientKeyExchange message 12804 Extracted TLS Finished message 12801 Prepared TLS ChangeCipherSpec message 12802 Prepared TLS Finished message 12816 TLS handshake succeeded 12509 EAP-TLS full handshake finished successfully 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 12313 PEAP inner method started 11521 Prepared EAP-Request/Identity for inner EAP method 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 11522 Extracted EAP-Response/Identity for inner EAP method 11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 12305 Prepared EAP-Request with another PEAP challenge 11006 Returned RADIUS Access-Challenge 11001 Received RADIUS Access-Request 11018 RADIUS is re-using an existing session 12304 Extracted EAP-Response containing PEAP challenge-response 11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated Evaluating Identity Policy 15006 Matched Default Rule 15013 Selected Identity Store - AD-Suffolk 24430 Authenticating user against Active Directory 24412 User not found in Active Directory 22056 Subject not found in the applicable identity store(s) 22058 The advanced option that is configured for an unknown user is used 22062 The 'Drop' advanced option is configured in case of a failed authentication request 12315 PEAP inner method finished with failure 22028 Authentication failed and the advanced options are ignored
... View more
Created by
Tim Lewis
in Network Access Control
in Network Access Control
07-11-2013
02:12 PM
07-11-2013
02:12 PM
Hi, I need to authenticate wireless network users from two different domains abc.company.com cde.company.com There is trust between domains and ISE joined abc.company.com and it can authenticate and authorize users without issues. Users from cde.company.com cannot be authenticated (I don't even get to authorization part). My identity source list has only External ID listed and when I see what is the reason of failure, message states that Authentication has failed (not authorization) because user cannot be found in any identity listed. Now, users from abc and cde companies are logging with their usernames only. Should they try to login with cde.company\username or something? Has anyone done this before? Thanks.
... View more
Labels:
Created by
Tim Lewis
in Network Access Control
in Network Access Control
06-25-2013
06:59 AM
06-25-2013
06:59 AM
Hi, I have an issue with Apple desktop computers running 10.7 and 10.8 MacOS. The problem is that we have only 2950 switches and we are very limited with what we can do on them, so we wanted basic DOT1X user authentication and VLAN placement. Those two are working great, except when user logs off, Mac stops sending DOT1X and port becomes unauthenticated. We alleviated that issue by using guest-vlan for failed dot1x authentications, but now we have a problem that once user logs in, there is no session change on 2950 and it doesn’t even try to authenticate user until we bounce the port. Is there any way to fix this, on Cisco switch or Mac computer? One of the things that crossed my mind is bouncing port on Mac PC using some kind of logon script? Has anyone else had this issue and was able to solve it? Thanks.
... View more
Labels:
01-22-2013
01:14 PM
Hi Nilesh, I might be wrong, but there has to be the way for WSA to differentiate which users should be authenticated and which not. When you are creating identities, try adding IP address of that machine and create separate policy using that identity. Let me know if it helps.
... View more
12-17-2012
11:59 AM
Hi, I want to setup ISE for certificate authentication of the device + AD credentials (PEAP+TLS) as far as I understood it. I can't find any good example of how to setup ISE policies for this scenario. Client will use Microsoft CA and he will deploy certificates on the domain computers before they can join wireless, so I don't need self enrollment and hopefully no any kind of supplicant (just windows native one). If you can point me to some design or configuration guide, I would be thankful. Best regards, Michael
... View more
Labels:
Created by
Tim Lewis
in Network Access Control
in Network Access Control
12-11-2012
07:52 AM
12-11-2012
07:52 AM
I've searched forum, community but I couldn't find exactly what I need: I have a client that want's to use two step authentication on wireless: first machine authentication to make sure that device is on the domain and then username/password authentication. Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is: If I configure ISE to authenticate machine, it will allow limited access to DC (for example). Then, after that AuthZ profile is applied, what will do new authorization? My understanding is once MAR is done, AuthZ profileis applied and authorization is finished. Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario: How ISE policy and AuthZ profile should look like, for example, I come in the office, my wireless card is disabled, I login to my laptop, then I notice that my wireless card is disabled and now I enable it. I need to have Machine authentciation happening at that point + prompting user for username/password to complete registration on wireless. NAM is already refused by client, so I need something that will work on plain Windows 7. Thanks.
... View more
Labels:
04-20-2012
07:33 AM
I am not sure why route-lookup is neceserry? Instead of pointing to documents, is there any actual example when we should configure route-lookup on the end? For example, I have network 10, everywhere. Also, my VPN users are coming to ASA, and then going out to the Internet. Inside network: 10.1.0.0/16 DMZ: 10.2.0.0/16 VPN users: 10.250.0.0/16 EZVPN users: 10.251.0.0/16 so, my twice nat looks like this: obj-10_8 subnet 10.0.0.0 255.0.0.0 obj-ins-net subnet 10.1.0.0 255.255.0.0 nat (inside,outside) dynamic interface obj-ins-net subnet 10.2.0.0 255.255.0.0 nat (outside,outside) dynamic interface nat (outside,outside) source static obj-10_8 obj-10_8 destination static obj-10_8 obj-10_8 nat (inside, outside) source static obj-10_8 obj-10_8 destination static obj-10_8 obj-10_8 So, nat idea is simple, anytime VPN user tries to access anyone in company, no matter if that is another VPN users, or EZVPN user, it should ne nated to itself. Is this something where I should be use route-lookup on the end? Thanks.
... View more
Labels:
02-27-2012
07:49 AM
Hi, I have C370 with Internal SPAM quarantine up and working. Now, we need to use M160 as external SPAM, I have configured both devices and we are waiting for maintenance window to cutover. I have one question about it: Documents are saying that I need to disable local one (easy, under C370 quarantines, I will go to SPAM and uncheck enable box) but it is a little unclear what comes after that. My mail policy will change to deliver or not? If it does, should I put IP address of M160 to Alternate Host, and if I do, will it use port 6025 as configured or 25 for SMTP? Since I have external SPAM already configured, shouldn't my mail policy stay that all SPAM & SPAM suspected should still be quarantined? Bottom line is, what should be in my mail policy? Thanks. David
... View more
Labels:
Created by
Tim Lewis
in Email Security
in Email Security
02-27-2012
07:44 AM
02-27-2012
07:44 AM
I just noticed that 7.6 is available as upgrade on my C370 Appliances... Is that safe to do go there or that is still in "early deployment" phase? I am currently running 7.5.1 Thanks.
... View more
04-24-2018
I was able to fix the problem. You can apply this method if it is not in
production since we need to...
04-24-2018
I am having the exactly the same issue. We have FTD01 and FTD02. By my
mistake, initially I configur...
Created by
Tim Lewis
in Web Security
12-01-2014
12-01-2014
After upgrading to 8.0.6 we had lot of users having issues with
accessing the Internet.Initially, we...
Created by
Tim Lewis
in Network Security
09-23-2013
09-23-2013
Hi,I have two separate issues where IPS seems to be causing issues for
user's traffic and it's reduc...
08-16-2013
We want to use CDA for transparent user authentication. Now, all users
have domain credentials and e...
Created by
Tim Lewis
in Network Security
07-19-2013
07-19-2013
Subject said it all.I have ECLB configured on Catalyst 3850:udld
enableudld message time 2 interface...
Created by
Tim Lewis
in Network Access Control
07-12-2013
07-12-2013
I have trust. I can get the user information with cde\user and
user@cde.company.com, but authenticat...
Created by
Tim Lewis
in Network Access Control
07-11-2013
07-11-2013
Hi,I need to authenticate wireless network users from two different
domainsabc.company.comcde.compan...
Created by
Tim Lewis
in Network Access Control
06-25-2013
06-25-2013
Hi, I have an issue with Apple desktop computers running 10.7 and 10.8
MacOS.The problem is that we ...
01-22-2013
Hi Nilesh,I might be wrong, but there has to be the way for WSA to
differentiate which users should ...
12-17-2012
Hi,I want to setup ISE for certificate authentication of the device + AD
credentials (PEAP+TLS) as f...
12-11-2012
I've searched forum, community but I couldn't find exactly what I need:
I have a client that want's ...
04-20-2012
I am not sure why route-lookup is neceserry?Instead of pointing to
documents, is there any actual ex...
02-27-2012
Hi,I have C370 with Internal SPAM quarantine up and working.Now, we need
to use M160 as external SPA...
Created by
Tim Lewis
in Email Security
02-27-2012
02-27-2012
I just noticed that 7.6 is available as upgrade on my C370 Appliances...
Is that safe to do go there...
Public Statistics
| Date Registered | 09-28-2009 06:53 AM |
| Date Last Visited | 04-05-2019 03:23 AM |
| Total Messages Posted | 20 |
| Total Helpful Votes Received | 5 |
