ASK THE EXPERTS - TROUBLESHOOTING ASA, PIX, and FWSM

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar.  Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 30, 2010. Visit this forum often to view responses to your questions and the questions of other community members.


Diane,

I hope you enjoy the session and learn from it.  When I checked with our folks yesterday they were making final touches and said it would be online yesterday.  I was going to send you the link once it was online. Looks like you have found it yourself.

-Kureli

jill.johnson
Level 1

Kureli,

Thanks for the previous answer.  I have a couple of questions:

1. When I configure Split-tunnel on the ASA, do I also need to configure Split-DNS and Split-WINS?

2. If I configure Split-DNS for Split-tunnel, when I log in to the Cisco VPN client, which DNS servers will the Cisco VPN client check first?  Does the client check the DNS servers set up in Split-tunnel first, or the DNS servers set up on the user's computer (TCP/IP properties)?

3. If I configure full-tunnel, when I log in to the Cisco VPN client, which DNS servers does the client check first?  Does the client check the DNS servers set up under the group-policy of the ASA first, or the DNS servers set up on the user's computer (TCP/IP properties)?

4. Is there a way to find out which DNS servers the client checks first when logging in to the Cisco VPN client?

Please let me know if you have any questions or need additional information.  Thanks.

Jill

Jill,

Answer to No. 1: optional.

Answer to No. 2 and No. 3 is as follows:

Split Domain Name System (DNS) allows DNS queries for certain domain names to be resolved to internal DNS servers over the VPN tunnel, while all the other DNS queries are resolved to the Internet Service Provider's (ISP) DNS servers. A list of internal domain names is "pushed" to the VPN Client during initial tunnel negotiation. The VPN Client then determines whether DNS queries should be sent over the encrypted tunnel or sent unencrypted to the ISP. Split DNS is only used in split-tunneling environments, since traffic is sent both over the encrypted tunnel and unencrypted to the Internet.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1135689
Check there for "Defining a List of Domains for Split Tunneling".

You define the list on the headend VPN server, and this domain list is pushed to the VPN client upon connection.
DNS queries for the domains listed there resolve over the split tunnel; all others go to the ISP DNS server.
Hence split DNS has the higher priority: the client first checks which domain the query is destined for.
If you use tunnel-all and you have split-DNS domains, those are resolved using the DNS servers "behind" the VPN server/ASA.
Other DNS queries go to the VPN server (due to tunnel-all), but from there the DNS query is sent to the ISP DNS servers.

Answer to No:4 - you can collect packet captures on the PC (vpn client) to see which DNS server the client is using.

-Kureli
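The decision described above, as an added example that is not code from the thread or from Cisco: a small model of how the client routes each DNS query once the headend has pushed its split-DNS list, including the tunnel-all case. The domain list and query names are constructed samples.

```python
# Added example (not from the thread): models the per-query decision a VPN
# client makes after the ASA headend pushes a split-DNS domain list.
# Matching is on DNS label boundaries: "corp.example" covers
# "db1.corp.example" but must not cover "notcorp.example".

INTERNAL_DNS = "internal DNS servers over the tunnel"
ISP_DNS_DIRECT = "ISP DNS servers, unencrypted"
ISP_DNS_VIA_HEADEND = "tunnel to the ASA, then forwarded to the ISP DNS servers"


def in_split_dns_list(name: str, split_dns: list[str]) -> bool:
    """True if `name` is equal to, or a subdomain of, any pushed split-DNS domain."""
    name = name.rstrip(".").lower()
    for domain in split_dns:
        domain = domain.rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            return True
    return False


def resolver_path(name: str, split_dns: list[str], tunnel_all: bool) -> str:
    """Where a query for `name` goes, per the behaviour described in the thread.
    The pushed list is consulted first; the PC's own DNS settings are not used."""
    if in_split_dns_list(name, split_dns):
        return INTERNAL_DNS
    return ISP_DNS_VIA_HEADEND if tunnel_all else ISP_DNS_DIRECT


if __name__ == "__main__":
    # Constructed sample list, as the ASA group-policy would push it.
    pushed = ["corp.example", "lab.corp.example"]
    for q in ["db1.corp.example", "www.example.net", "notcorp.example"]:
        for mode in (False, True):
            print(f"{q:18} tunnel_all={mode!s:5} -> {resolver_path(q, pushed, mode)}")
```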

Kureli,

Thanks for your prompt response and information.  Sorry for the late reply.  I was looking for this post and realized that tomorrow is the last day of your day.

So, the VPN client always looks for the DNS entries setup either in split-tunnel or tunnel-all first.  The VPN client does not check with the DNS servers setup on the PC.

We have the same IP addresses set up on the servers at the Headquarters and the Remote Site.  So, my concern was that if I log in through the Cisco VPN client and want to go to the servers at the Remote Site, I want to make sure that I am connected to the servers at the Remote Site and not the servers at the Headquarters.

For question #4, how do you set up the packet captures on the PC?

Thanks.

Jill

Jill,

So, the VPN client always looks for the DNS entries setup either in split-tunnel or tunnel-all first.  The VPN client does not check with the DNS servers setup on the PC.

       - Yes, that is correct.

We have the same IP addresses set up on the servers at the Headquarters and the Remote Site.  So, my concern was that if I log in through the Cisco VPN client and want to go to the servers at the Remote Site, I want to make sure that I am connected to the servers at the Remote Site and not the servers at the Headquarters.

       - Well, do these subnets completely overlap, or can they be broken up?
        If they completely overlap, then it won't work.  I suggest opening a TAC case with our VPN team and addressing this issue with them. As this thread will be locked today around 1:00 PM PST, we cannot discuss this further on this thread.  You are welcome to post the same question on our support forum: https://supportforums.cisco.com/community/netpro/security/firewall

Regarding packet captures on the PC: you can download Wireshark here: http://www.wireshark.org/download.html

Install it on the PC, choose the VPN client adapter, start the packet capture and view the results.

-Kureli

lmn20176
Level 5

Hello,

Is there a way to push out a new pcf profile to the VPN client from the Cisco ASA?

Currently the VPN clients are using the IP address of the ASA.  I'd like to change this to the DNS name and want to push out the VPN profile from the ASA when the client connects.

Thanks.

-lmn

Yes, you can push out a new pcf profile to the VPN client from the Cisco ASA.

Follow the procedure in this link: http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcAch6.html#wp1178809

-Kureli

Thanks.  But that seems to be for the VPN concentrator only.  There is the client update for the ASA, http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcAch3.html#wp1264776

but it doesn't mention anything about using a new pcf file?

-Lmn

ASA 5520 FAILOVER.

We are planning to use ASAs in two different data centers (one in each center). I would like to do failover between the two ASAs. What is the best way to do failover? Please can you give me any link that covers ASA failover between two data centers.

Thanks,

Smail,

Yes, it is possible to configure failover between ASAs in geographically different locations. The configuration will be just the same as if the two ASAs were located in the same location. We need layer 2 adjacency with low latency.

Here is the link with sample configuration: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1028629

You may also refer to this link: http://www.gossamer-threads.com/lists/cisco/nsp/115904

-Kureli

I checked with our VPN engineer.  I believe this link has what you are looking for.

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcAch2.html#wpxref15873

You can configure the ASA to enable client updates under the ipsec connection profiles.

Being a firewall engineer, I have not done this myself, so if you have trouble configuring this, please open a case with our VPN team.

-Kureli

scootertgm
Level 1

I have an ASA 5510 and I am trying to get it set up to use a Windows 2003 server for RADIUS authentication.  There is no Active Directory on this server.  I would like the server to return the group the user is a member of and have that match up to a group policy for the VPN.  For example, if a user is a member of devteam on the server, when they connect to the VPN they would get the VPN group policy devteam on the ASA.

Currently I get the assigned IP and I can authenticate, but I'm not getting the group coming across.


Scootertgm,

I believe this can be done through LDAP group mapping. To put a user into a specific group-policy, we can only do LDAP attribute mapping.

This link should help you: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

-Kureli

t_c_anderson
Level 1

For ASA 5520s, 8.0(3) ... When our H.R. department attempts to do a payroll transmit (source, via SSL 443) to our payroll hosting service (destination), the SSL connection is dropped.

The error in the ASA log is:
"443 Dropping TCP packet from ... 204.112.7.222/443, reason: MSS exceeded, MSS 512, data 536"

Our firm's payroll hosting service had a simple test for connectivity: browse to their receiving server over an SSL connection:
https://secure.telpay.ca.

What would cause this and on whose side is the issue / error? Ours (the source)?

Or the payroll hosting company (the destination)?

Thank you.

Trevor,

I discussed this issue in my webcast.  This is not a problem with the ASA.  It is just that one of the units engaged in the conversation does not honor the MSS sent by the other unit. You will find the following in my webcast, which you can view here: https://supportforums.cisco.com/community/netpro/ask-the-expert/webcasts

In a normal TCP session, the client sends a SYN packet to the server, with the MSS included within the TCP options of the SYN packet. The server, upon receipt of the SYN packet, should recognize the MSS value sent by the client and then send its own MSS value in the SYN-ACK packet. Once both the client and the server are aware of each other's MSS, neither peer should send a packet to the other that is greater than that peer's MSS.

Verify from the syslogs whether the flow is failing due to MSS issues.

%ASA-4-419001: Dropping TCP packet from outside:172.18.25.60/443 to inside:10.110.61.153/61312, reason: MSS exceeded, MSS 1380, data 1460

Please read about it here and apply the fix if this is the case.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml

-Kureli
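To answer Trevor's "on whose side is the issue" question from the syslog alone, here is an added example (not code from the thread or from Cisco) that parses %ASA-4-419001 lines in the format quoted above and counts drops by the host that sent the oversized segment, i.e. the peer that ignored the advertised MSS. The log lines are constructed samples reusing the addresses from the thread.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt in the %ASA-4-419001 format quoted in the thread.
# The inside->outside line and the 302013 line are constructed to show that the
# parser attributes the drop to the sender and ignores unrelated message IDs.
SAMPLE_LOGS = """\
%ASA-4-419001: Dropping TCP packet from outside:172.18.25.60/443 to inside:10.110.61.153/61312, reason: MSS exceeded, MSS 1380, data 1460
%ASA-4-419001: Dropping TCP packet from outside:172.18.25.60/443 to inside:10.110.61.153/61312, reason: MSS exceeded, MSS 1380, data 1460
%ASA-6-302013: Built outbound TCP connection 12345 for outside:172.18.25.60/443 (172.18.25.60/443) to inside:10.110.61.153/61313 (10.110.61.153/61313)
%ASA-4-419001: Dropping TCP packet from inside:10.110.61.153/61312 to outside:172.18.25.60/443, reason: MSS exceeded, MSS 536, data 1380
"""

MSS_RE = re.compile(
    r"%ASA-4-419001: Dropping TCP packet from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"reason: MSS exceeded, MSS (?P<mss>\d+), data (?P<data>\d+)"
)


def parse_mss_drops(log_text: str) -> list[dict]:
    """Return one dict per 419001 line; every other syslog ID is skipped."""
    events = []
    for line in log_text.splitlines():
        m = MSS_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("src_port", "dst_port", "mss", "data"):
            ev[key] = int(ev[key])
        ev["excess"] = ev["data"] - ev["mss"]  # bytes over the permitted segment size
        events.append(ev)
    return events


def offending_senders(events: list[dict]) -> Counter:
    """Drops per (interface, host) that sent the oversized segment: the 'from' side
    is the unit not honouring the MSS its peer advertised (or the MSS the ASA set)."""
    return Counter((ev["src_if"], ev["src_ip"]) for ev in events)


if __name__ == "__main__":
    drops = parse_mss_drops(SAMPLE_LOGS)
    for (iface, host), n in offending_senders(drops).most_common():
        print(f"{iface}:{host} sent {n} segment(s) larger than the peer's MSS")
```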