Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

ciscomoderator
Community Manager

This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".

Here’s your chance to discuss more about the configuration, troubleshooting and best practices for AnyConnect secure mobility client on a Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) and its integration with other Cisco security portfolio devices and technologies like ISE and Duo.

This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and Ikev2) including (but not limited to) emergency licenses, configuration, deployment and troubleshooting AnyConnect that provides the security necessary to help ensure that your organization is safe and protected in such critical situation.

To participate in this event, please use the Join the Discussion: Cisco Ask the Expert button below to ask your questions.

Ask questions from Monday 6 to Friday, April 17, 2020

Featured experts
Dinesh Moudgil is a High Touch Technical Support (HTTS) Engineer with the Security team at Cisco. He has been working on Cisco technologies for more than 6 years, focusing on Cisco Next Generation Firewalls, Intrusion Prevention Systems, Identity Management and Access Control (AAA) and VPNs. He holds CCNP, CCDP and CCIE #58881 certifications, and multiple vendor certifications such as ACE, PCNSE and VCP.

Pulkit Saxena works as a High Touch Technical Support (HTTS) Engineer in the Security Domain with Cisco, bringing nearly 7 years of experience in the industry to the team. He has hands-on experience with multiple firewalls, different VPN solutions, AAA and Next Generation IPS, along with delivering multiple trainings. Pulkit holds certifications from multiple vendors, namely Cisco and Juniper (CCIE Security and JNCIA).

Jason Grudier is the Technical Leader on the VPN TAC team in Raleigh, NC. He has been working for Cisco on the VPN team for six years. Prior to joining the team, he was a network engineer at Labcorp. He works primarily with AnyConnect troubleshooting and configuration across all Cisco platforms, as well as DMVPN, GETVPN, RADIUS, LDAP and certificate authentication.

Gustavo Medina is a Systems Sales Engineer with the Enterprise Networking Sales team. He has more than 10 years of experience in security and enterprise networking. In his career he has focused on different tasks, from technical escalations and partner adoption to the revision of Cisco Certification evaluations. Gustavo holds a CCNA, CCNP, CCSI, and a CCIE in Security (#51487).

Due to the anticipated volume for this high in-demand event, Dinesh, Pulkit, Jason and Gustavo might not be able to answer each question. Thus, remember that you can continue the conversation directly in the Security community.

By posting a question on this event you're giving permission to be translated in all languages we have in the community.


Hi Danish,

Could you recommend some link to understand this?

OpenSSL is new to me and I am learning this.

Please do not forget to rate.

kapydan88
Level 4

Hello everybody.

I asked this question in the topic about network security, but I will duplicate it here.

I recently had a discussion with a colleague about the possible implementation of the following scheme. There are two devices in HA, for example two ASA 5508-X or two Firepower 1140. Is it possible to have NAT, a DMZ and AnyConnect all configured on the same pair of devices?

If yes, what is the correct way to do it in this situation: configure two external interfaces, one for NAT (for example, outside_nat) and a second one as the external interface for AnyConnect (for example, outside_anyconnect), or is it more correct to configure everything on the same interface (for example, outside)?

If we consider the first way: configure both devices in HA, configure the port-channel, and split it into 5 subinterfaces (outside_nat, inside_nat, DMZ, outside_anyconnect, inside_anyconnect). But in this case the question arises with two routes on the external interfaces: is it possible to configure two default routes on the ASA or Firepower?

Hello @kapydan88

It is definitely possible. The most common scenario is a single interface handling everything, and for customers that have dual ISP for redundancy the secondary interface is not passing any traffic; if the primary link goes down, then the secondary interface takes over and handles all the traffic.

However, we do have CUs that don't want that secondary ISP link to just sit there idle, so they balance the traffic. As you mentioned, on ASA we cannot have more than one route with the same metric, so a long time ago the only way to accomplish this was with NAT tricks, but since we introduced PBR in 9.4.1 this is very easy to accomplish.

In the case of AnyConnect specifically, we also have CUs do what you intend: have a dedicated interface, which is not the default, for AnyConnect users so that they don't eat the primary link bandwidth. How it works is that you simply add a secondary default route with a higher metric and configure AnyConnect on that secondary interface. When AnyConnect connections hit that interface, the ASA or FTD will be able to reply using that secondary route, as it is a connection to the box.

Once the AnyConnect connection is established, a host route for that connection will be installed using the correct next hop.

Things to keep in mind:

* Not sure what will be the use case for the anyconnect-inside interface in your diagram though. If you want to expand, I can assist.

Regards,

-Gustavo
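As an added illustration of the dedicated-interface setup Gustavo describes (this is not configuration from the thread; interface names, addresses, pool, object names and the package file name are made-up placeholders), the relevant ASA CLI pieces are the two default routes with different metrics and WebVPN enabled only on the secondary interface:

```cisco
! Dedicated interface for AnyConnect (placeholder addressing)
interface GigabitEthernet1/2
 nameif outside_anyconnect
 security-level 0
 ip address 198.51.100.10 255.255.255.0

! Primary default route (metric 1) carries all normal egress traffic
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Secondary default route with a higher metric: never used for transit while
! the primary is up, but the ASA uses it to answer to-the-box AnyConnect
! sessions that arrive on outside_anyconnect
route outside_anyconnect 0.0.0.0 0.0.0.0 198.51.100.1 254

! Terminate AnyConnect only on the dedicated interface, not on "outside"
webvpn
 enable outside_anyconnect
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

ip local pool RA_POOL 10.20.30.1-10.20.30.254 mask 255.255.255.0

group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
tunnel-group RA_TG webvpn-attributes
 group-alias RemoteAccess enable

! Check: "show route" should list both default routes (only the metric-1
! entry is used for transit) and, once a client is connected, the per-session
! host route Gustavo mentions.
```

On FTD the same pieces are entered through FMC (static routes with different metrics, and the RA VPN policy's access interface set to the dedicated interface) rather than on the CLI.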

Hi again,

I believe I am hitting a very strange bug:

I am testing a remote access deployment on an FTDv in KVM and strangely the deployment kept failing, taking quite a long time to give an error (Deployment failed due to configuration error...).

Now looking at the FTD in bash with:

tail -f /ngfw/var/log/messages

I noticed that there was a progression of the copy of the AnyConnect package, but as soon as it gets to 70%-72% it just stops and does not continue with the deployment:

Apr 13 01:57:36 FTD-1 SF-IMS[9624]: [9624] sftunneld:control_services [INFO] FSTREAM_STATUS: Sending back task status 'Processing'
Apr 13 01:57:37 FTD-1 SF-IMS[9624]: [9624] sftunneld:stream_file [INFO] task_id=6
Apr 13 01:57:37 FTD-1 SF-IMS[9624]: [9624] sftunneld:stream_file [INFO] peer=a1f1e77e-44e0-11e9-a967-39f0b3b399ab
Apr 13 01:57:37 FTD-1 SF-IMS[9624]: [9624] sftunneld:stream_file [INFO] ELASTIC_FSTREAM status: curr_read=32385024, curr_write=32385024, total_bytes=46197839, stream_id_src=0, stream_id_dest=6, seq_id_src=4518, seq_id_dest=4518, state =Processing, started:2020 04 13 01:51:55 UTC, expires:2020 04 13 01:58:38 UTC
Apr 13 01:57:37 FTD-1 SF-IMS[9624]: [9624] sftunneld:stream_file [INFO]  ELASTIC_FSTREAM status:: File copy 70 % completed, 32385024 bytes of file copied out of 46197839

I am surprised because I have plenty of bandwidth and the copy was quite fast until it stopped, and we are talking about a file of less than 50 MB, not 500 MB.

Is there a way to manually copy the AnyConnect package in bash, similarly to what can be done with the FTD update packages?

Thanks!

EDIT:

I noticed the copy path of the AnyConnect package is this folder:

/ngfw/var/cisco/deploy/pkg/var/cisco/packages/lina/domain/AnyConnect Image/111/

So I just downloaded the package there via wget and launched the policy push again. It did take some time, but the copy was always at 0%, then it went on and processed the rest of the policy, thank God :)

Would it be easier to just have a chance to upload these packages manually? I think it is possible with FDM via the REST API, but not with FMC-managed devices?

PS: is there a bug filed for this?

Hi @giovanni.augusto

Before that snippet you shared, did you see the cgroups process killing the process?

When a process consumes more memory than it was prescribed, the cgroups process will detect this condition and terminate the process. When a process is terminated, the features and capabilities that rely on that process may fail.

How much memory did you allocate for the FMCv?

These are the requirements:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual/fpmc-virtual-vmware.html#id_82840

Regards,

-Gustavo

Hi @Gustavo Medina

I am using a physical FMC2500, version 6.5.0.4. I wouldn't expect a capacity problem.

The logs I shared are from the FTD, which is virtualized in KVM.

The FTD has 4 vCPU and 8 GB of RAM; the server is running only this VM at the moment, as a test FTD image.

The version of the FTD is 6.5.0 (no hotfixes installed yet).

About cgroups, honestly I haven't noticed, but I will try again with another image to upload, as I expect a similar behavior.

Would cgroups drop a log message into the FMC or FTD? Any specific logfile, or the usual messages?

Rohitmanoharan
Level 1

What is the best or ideal configuration for an ASA before entering the production network?

Hi Rohit,

There can be a lot of things that one might need to check before getting a device into production, and it will depend on multiple factors, starting from hardening of the firewall to best practices.

I would suggest you review the links below and then let us know if you have any specific query:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html

https://tools.cisco.com/security/center/resources/firewall_best_practices

- Pulkit

patelvc7601
Level 1

Any recommendation of Cisco ASA version related to RA VPN?

Sincerely,

Viral Patel

Hi Viral,

There are certain recommended ASA OS releases that are posted on CCO. You can navigate to the following link to see the suggested releases for a 5585-X firewall.
https://software.cisco.com/download/home/283123066/type/280775065/release/9.8.4%20Interim

Thanks,
Dinesh Moudgil

Currently development recommends:

  • 9.8(4.latest) for conservative CUs that require longevity.
  • 9.12(2.latest) for customers that require feature velocity.

These are the starred releases right now on cisco.com. Recommended releases are based on telemetry, so we need some time for the newest release to be deployed. Once we gather feedback from real and working installations, we make informed decisions based on facts (Customer Found Defects, TAC cases, escalations, etc.).

Hi Team,

I have another query.

In my case, we have a Cisco FTD as a perimeter firewall.

We want to create an AnyConnect remote access VPN, but we don't want to use the outside interface IP for terminating our AnyConnect VPN. With our internet connection we got a /28 subnet, and we have a free public IP address which I want to use for terminating the VPN.

Could you please guide me on how I can achieve this requirement with Cisco FTD?

Thanks,

Basavaraj

You can certainly do this: you would set up a second interface with the new IP and configure AnyConnect as normal. As long as that IP address is reachable from the clients, and the ISP is forwarding traffic to your FTD device, it should work as normal.

Since I have one internet connection, if I set up the second interface and configure the IP address, where should I connect the other end?

I cannot connect one more interface to the provider, right?

I didn't understand your solution; can you please be more specific and give me an idea of how I would do that?

Thanks,
Basavaraj