turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Marvin Rhoads
Marvin Rhoads
Member since
06-28-2001
.jpg){kind=icon}
Hall of Fame Master
CCNP Security (CCIE Sec. written June 2017, one lab attempt so far!), Fire Jumper, Cisco Support Community Hall of Fame and VIP x6. Passionate about solving problems in network security and helping others learn to do the same.
15323
Posts
13829
Helpful
2881
Solutions
Recent Badges
Awards
Created by
Marvin Rhoads
in VPN and AnyConnect
Marvin Rhoads
in VPN and AnyConnect
02-14-2019
03:54 AM
02-14-2019
03:54 AM
@Mountain Man,
As @stsargen noted, it seems the DTLS 1.2 is supported in native ASA 9.10.1. However my testing shows it does NOT appear to be supported in FTD 6.3.0 that includes ASA 9.10.1-3 in the LINA (ASA) subsystem.
I just upgraded my ASAv to 9.10.1 and got the following:
ccielab-asa# show vpn-sessiondb detail anyconnect
Session Type: AnyConnect Detailed
Username : user1 Index : 7
Assigned IP : 172.31.1.200 Public IP : 192.168.0.105
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA384
Bytes Tx : 27511 Bytes Rx : 31112
Pkts Tx : 100 Pkts Rx : 225
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_ccielab Tunnel Group : ccielab
Login Time : 19:46:04 MYT Thu Feb 14 2019
Duration : 0h:02m:44s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : ac1f0115000070005c6554fc
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 7.1
Public IP : 192.168.0.105
Encryption : none Hashing : none
TCP Src Port : 13976 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : win
Client OS Ver: 10.0.17134
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 8087 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 7.2
Assigned IP : 172.31.1.200 Public IP : 192.168.0.105
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 13979
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 8228 Bytes Rx : 388
Pkts Tx : 7 Pkts Rx : 7
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 7.3
Assigned IP : 172.31.1.200 Public IP : 192.168.0.105
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: DTLSv1.2 UDP Src Port : 56578
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.7.00136
Bytes Tx : 11580 Bytes Rx : 31050
Pkts Tx : 90 Pkts Rx : 223
Pkts Tx Drop : 0 Pkts Rx Drop : 0
ccielab-asa#
... View more
02-14-2019
01:33 AM
The underlying problem should be addressed. or it will eventually cause the SFP to fail prematurely.
In my experience however that's a very unusual situation for a multimode fiber connection. Usually the transmit power isn't such that it will over-run a receiver.
Can you share the output of "show interface transceiver detail" for the affected interface?
... View more
Created by
Marvin Rhoads
in Intrusion Prevention and Detection Systems (IPS - IDS)
Marvin Rhoads
in Intrusion Prevention and Detection Systems (IPS - IDS)
02-12-2019
08:02 PM
02-12-2019
08:02 PM
You cannot mix and match interface modes on an ASA with Firepower service module since a single service-policy governs the traffic redirection.
With FTD the multiple interfaces can be in different modes and there are other options with your policy that can be used as well. But the migration from ASA with Firepower to FTD potentially introduces other issues depending on how the ASA is being used.
... View more
02-12-2019
07:39 PM
The username is saved in the preferences.xml profile (in C:\Users\<username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client) vs. the connection-specific ones (which are found in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) and will always update to the last-used.
I have the same issue since I work with VARs and have multiple AC profiles with variations on my username to account for each customer's naming convention for accounts.
... View more
02-07-2019
07:40 PM
You have the extremely old (>10 years) ASDM image version 6.3(4) installed.
It won't support the modern ciphers that are required by any modern browser (even though you have the 3DES-AES license on the ASA).
You either have to get a new ASDM image or use cli to configure.
... View more
02-07-2019
07:27 PM
Is this the same ASA you posted about before that was wiped clean and then recovered?
Most likely you don't have the free 3DES-AES license on the ASA. Please share the output of "show version | i 3DES". If it show the license is not present then you need to get a license / activation key from software.cisco.com and install it.
... View more
Created by
Marvin Rhoads
in VPN and AnyConnect
Marvin Rhoads
in VPN and AnyConnect
02-07-2019
07:13 PM
02-07-2019
07:13 PM
The only way to avoid separate connection profiles and associated group policies would be to have something external like ISE dynamically change the authorization (CoA) - i.e. switch the session to a separate connection profile automatically based on the user's contextual information post-initial login.
It would still use separate connection profiles but you would not have to publish them in the dropdown list and would not have to require users to choose among them.
... View more
02-07-2019
07:09 PM
Your defined gateway is the ASA inside address. The laptop address is on the same subnet. Just point ASDM to the ASA's address of 10.1.1.1.
It is allowed ASDM access by virtue of the command "http 10.0.0.0 255.0.0.0 inside" which grants access to any address in the 10.0.0.0/8 supernet.
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
02-07-2019
07:06 PM
02-07-2019
07:06 PM
The Firepower appliances running FTD there is no Active/Active HA per se since that was a construct from ASA software that relied on multiple contexts. Straight HA on FTD uses an Active/Standby scheme.
You can run a 2-unit cluster which is sort of like Active-Active but very few customers bother to do that.
In any case, separate licenses (IPS subscription, URL Filtering and or Malware (AMP)) are required for each physical appliance.
... View more
02-07-2019
07:03 PM
ASDM should be reachable from any of the subnets specified in the "http x.x.x.x" commands.
You remove those commands by entering configuration mode ("conf t" which is itself entered from enable mode - i.e # in the command line prompt) and using the command "no http x.x.x.x" for each line (substituting the actual addresses for x.x.x.x).
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
02-07-2019
07:00 PM
02-07-2019
07:00 PM
Actually, if there's a published security advisory you may be eligible to get the patched software free of charge and without having a contract from Cisco.
You should call the TAC and have the security advisory number on hand to cite. They may give you some push back but stick to your rights and cite the language in the PSIRT. For example:
" Cisco has released free software updates that address the vulnerability described in this advisory. "
Source:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
02-07-2019
05:07 AM
02-07-2019
05:07 AM
Yeah it's too bad your vendor wasn't able to give you better advice. Maybe it's time to consider using another partner.
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
02-06-2019
06:48 PM
02-06-2019
06:48 PM
The ASA 5506 is not yet discontinued. Only new Firepower Threat Defense and Firepower service module 6.3 is not available for them. New ASA software will continue to be made available as will maintenance releases of the 6.2.x Firepower train.
Once the hardware EoX announcement is made it will follow standard Cisco policy for support timelines.
... View more
Created by
Marvin Rhoads
in Other Security Subjects
Marvin Rhoads
in Other Security Subjects
02-05-2019
07:46 PM
02-05-2019
07:46 PM
It's still not supported as of the current FMC/FTD release 6.3
No mention of it was made during the public presentations at Cisco Live Europe last week.
I'd reach out to your Cisco Account Manager if it's an important feature for you or your customers. That raises the priority within Cisco.
... View more
Created by
Marvin Rhoads
in Firewalls
Marvin Rhoads
in Firewalls
02-04-2019
07:48 PM
02-04-2019
07:48 PM
I don't think the old style IPS is included on any of the current certification blueprints. It is past end-of-life.
You shouldn't spend too much time studying it.
That said, the commands you cited should be available. Here is the output from one of my ASAs:
asa-5512(config-pmap)# class-map IPS
asa-5512(config-cmap)# match any
asa-5512(config-cmap)# policy-map global_policy
asa-5512(config-pmap)# class IPS
asa-5512(config-pmap-c)# ?
MPF policy-map class configuration commands:
cluster Specify actions related to clustering
csc Content Security and Control service module
cxsc Send traffic to CXSC blade
exit Exit from MPF class action configuration mode
flow-export Configure filters for NetFlow events
help Help for MPF policy-map class/match submode commands
inspect Protocol inspection services
ips Intrusion prevention services
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
set Set connection values
sfr Send traffic to SFR blade
user-statistics configure user statistics for identity firewall
asa-5512(config-pmap-c)# ips ?
mpf-policy-map-class mode commands/options:
inline Inline mode IPS
promiscuous Promiscuous mode IPS
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
inner-routing-lookup Enable IPsec inner routing lookup
profile Set ipsec profile settings
security-association Set security association parameters
asa-5512(config-pmap-c)# ips inline ?
mpf-policy-map-class mode commands/options:
fail-close Block traffic if IPS card fails
fail-open Permit traffic if IPS card fails
asa-5512(config-pmap-c)#
... View more
Created by
Marvin Rhoads
in Cisco Cafe Blogs
a month ago
a month ago
My most sincere congratulations. Welcome Peter to the Hall of Fame.
Created by
Marvin Rhoads
in Security Blogs
09-08-2018 11:32 PM
09-08-2018 11:32 PM
@Arne Bier the 2.4 Patch 3 release notes don't mention fixing that bug.
https://www.cisco.com/c/en/u...
Created by
Marvin Rhoads
in Security Blogs
09-06-2018 10:23 AM
09-06-2018 10:23 AM
@iseman-18 it's a bit too soon to tell after only 24 hours or so. I can
confirm that it installed fi...
Created by
Marvin Rhoads
in Security Blogs
08-30-2018 10:44 PM
08-30-2018 10:44 PM
Patch installation should not require a hotfix rollback. Generally the
Patch should include hotfixes...
Created by
Marvin Rhoads
in Security Blogs
08-30-2018 09:19 PM
08-30-2018 09:19 PM
I applied the Struts v2 hotfix and it works fine. Unless you really need
that fix, I'd wait until it...
Created by
Marvin Rhoads
in Security Blogs
08-03-2018 09:50 PM
08-03-2018 09:50 PM
Thanks for the update Hsing-Tsu - I see the new file is posted. I think
I'll wait a week or so to tr...
Created by
Marvin Rhoads
in Security Blogs
08-02-2018 01:27 AM
08-02-2018 01:27 AM
@Istvan Matyasovszki Friday 3 August is the latest projection. It could
be late in the day San Jose ...
Created by
Marvin Rhoads
in Security Blogs
07-31-2018 05:54 AM
07-31-2018 05:54 AM
@Istvan Matyasovszki I've been told to expect it in the coming few days.
I'm sure Cisco will want to...
Created by
Marvin Rhoads
in Security Blogs
07-29-2018 08:00 PM
07-29-2018 08:00 PM
CSCvk57963 was filed as a result of a case I was working with TAC.
Basically the installation fails ...
Created by
Marvin Rhoads
in Cisco Cafe Blogs
01-27-2018 07:47 PM
01-27-2018 07:47 PM
Thank you Monica and the rest of the Cisco Support Community Team. We
appreciate your continued supp...
Created by
Marvin Rhoads
in Cisco Cafe Blogs
09-19-2017 06:21 PM
09-19-2017 06:21 PM
@andrew333. Thank you.
Created by
Marvin Rhoads
in Cisco Cafe Blogs
09-16-2017 05:24 AM
09-16-2017 05:24 AM
@Mark Malone, Thanks Mark.
09-12-2017 08:35 AM
@Becky Scott, Yes - I would expect it to spell check incrementally just
as it does in most other web...
09-11-2017 08:11 PM
@Becky Scott, I am using Chrome Version 61.0.3163.79 (Official Build)
(64-bit) on Windows 10 Pro. I ...
Public Statistics
| Date Registered | 06-28-2001 03:55 PM |
| Date Last Visited | 02-14-2019 11:15 PM |
| Total Messages Posted | 15,323 |
| Total Helpful Votes Received | 13829 |
Helpful Votes Given To
| User | Helpful Count |
|---|---|
| 35 | |
| 45 | |
| 5 | |
| 40 | |
| 10 |
.jpg "VIP Advocate"){kind=icon}
Helpful Votes From
Awards
Hall of Fame
Cisco Designated VIPs
2018 FirePOWER Firewalling VPN
Cisco Designated VIPs
2017 Firewalling Network Management VPN
Cisco Designated VIPs
2016 Firewalling Network Management VPN
Cisco Designated VIPs
2015 Security
Cisco Designated VIPs
2014 Network Management Security
Cisco Designated VIPs
2013 Network Management Security
Cisco Designated VIPs
2019 Firewalls, Firepower, Security
