Cisco Adaptive Security Appliance Software Version 8.2(4)

Dear All
I was configuring IPsec VPN on an ASA5540 and I have a problem with port blocking. I am unable to block server ports to remote users. See the configuration below. I need to configure a VPN filter list; can anyone help me to configure a VPN filter list?
access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
group-policy portal internal
group-policy portal attributes
dns-server value 10.1.10.33 10.1.10.34
split-tunnel-policy tunnelspecified
split-tunnel-network-list value portal
default-domain value abc.com
split-dns value abc.com
address-pools value vpnpool
tunnel-group portal type remote-access
tunnel-group portal general-attributes
address-pool vpnpool
authentication-server-group ACS
default-group-policy portal
tunnel-group portal ipsec-attributes
pre-shared-key *&******
I need to block this access-list and open only port 53 (DNS):
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
I wrote this access-list, but it does not work and it opens all ports:
access-list portal extended permit udp host 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0, but this access-list does not work and it opens all ports, like remote desktop, FTP, ICMP, etc.
Can anybody help me, please?
Can anybody help me with how to use a VPN filter list to block based on port or protocol?

Hi,
You can keep the split-tunnel ACL named portal, configured as below:
access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
You can configure a vpn-filter ACL like below:
access-list VPNF extended permit udp host 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0
and then apply this VPNF access-list under the group-policy "portal" using the command vpn-filter value VPNF. Let me know if this helps.
Regards,
Prapanch
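To make the difference between the two ACLs concrete, here is an added Python model (not from the thread or from Cisco) of how the ASA treats them, as the answer above describes: the split-tunnel network list only decides which inside hosts are tunneled and ignores port qualifiers, while a vpn-filter ACL, written inside-host to client, is applied to the tunneled traffic with an implicit deny. The 10.1.10.x addresses stand in for the masked xx/yy octets and are assumed, and only client-initiated flows are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One 'permit' entry of an ASA extended ACL (deny entries are not modelled)."""
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit PROTO SRC [eq PORT] DST [eq PORT]'
    where SRC/DST is 'host A.B.C.D', 'any' or 'A.B.C.D MASK'."""
    tok = line.split()
    pos = 5  # token index just after the protocol keyword

    def address():
        nonlocal pos
        if tok[pos] == "host":
            net, pos = ipaddress.ip_network(tok[pos + 1] + "/32"), pos + 2
        elif tok[pos] == "any":
            net, pos = ipaddress.ip_network("0.0.0.0/0"), pos + 1
        else:
            net, pos = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}"), pos + 2
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port, pos = int(tok[pos + 1]), pos + 2
        return net, port

    src, sport = address()
    dst, dport = address()
    return Ace(tok[4], src, sport, dst, dport)

def split_tunnel_includes(acl: list, inside_ip: str) -> bool:
    """The split-tunnel list only picks which inside hosts the client routes into
    the tunnel; port qualifiers are ignored, so 'eq 53' still tunnels every port."""
    ip = ipaddress.ip_address(inside_ip)
    return any(ip in ace.src for ace in acl)

def vpn_filter_permits(acl: list, client_ip: str, inside_ip: str,
                       proto: str, inside_port: Optional[int]) -> bool:
    """vpn-filter entries are written inside-host -> VPN client, so a flow the
    client opens to inside_port is matched with the inside host as source and
    inside_port as source port. No match means the implicit deny applies."""
    client, inside = ipaddress.ip_address(client_ip), ipaddress.ip_address(inside_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if inside not in ace.src or client not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != inside_port:
            continue
        return True
    return False

# Constructed sample: the thread masks octets as xx/yy; 10.1.10.x is assumed here
# because the group-policy's dns-server line points at 10.1.10.33/.34.
SPLIT_TUNNEL = [parse_ace(l) for l in (
    "access-list portal extended permit ip host 10.1.10.33 192.168.20.0 255.255.255.0",
    "access-list portal extended permit udp host 10.1.10.34 eq 53 192.168.20.0 255.255.255.0",
)]
VPN_FILTER = [parse_ace(
    "access-list VPNF extended permit udp host 10.1.10.33 eq 53 192.168.20.0 255.255.255.0"
)]

def demo(client_ip: str = "192.168.20.10") -> dict:
    """What each ACL does for one client out of vpnpool (True = allowed)."""
    f = lambda host, proto, port: vpn_filter_permits(VPN_FILTER, client_ip, host, proto, port)
    return {
        "split_tunnels_10.1.10.34": split_tunnel_includes(SPLIT_TUNNEL, "10.1.10.34"),
        "split_tunnels_10.1.10.50": split_tunnel_includes(SPLIT_TUNNEL, "10.1.10.50"),
        "filter_dns_to_33": f("10.1.10.33", "udp", 53),
        "filter_rdp_to_33": f("10.1.10.33", "tcp", 3389),
        "filter_ftp_to_33": f("10.1.10.33", "tcp", 21),
        "filter_icmp_to_33": f("10.1.10.33", "icmp", None),
        "filter_dns_to_34": f("10.1.10.34", "udp", 53),
    }
```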

Similar Messages

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1) How is ASA CX different from other UTM solutions?
    2) How is dynamic application inspection of CX better than other inspection engines?
    3) What features or functionalities on the CX are available by default?
    4) What are the different ways we can run or install CX on the ASA platform?
    5) What VPN features are supported with multi-context ASA in the 9.x release?
    6) What are the IPv6 enhancements in ASA version 9.x?
    Request you to please provide your responses to them individually.
    Thanks.

  • Windows 8 64 bit issues with Cisco AnyConnect Secure Mobility Client version 3.1.04072

    I am having an issue with the Cisco AnyConnect Secure Mobility Client version 3.1.04072 on a Windows 8 64 bit laptop.
    I am able to create the VPN connection but the connection will not allow data to be transferred.
    Stats from a manual connection:
    Cisco AnyConnect Secure Mobility Client Version 3.1.04072
    VPN Stats
        Bytes Received:  14375
        Bytes Sent:  0
        Compressed Bytes Received:  0
        Compressed Bytes Sent:  0
        Compressed Packets Received:  0
        Compressed Packets Sent:  0
        Control Bytes Received:  0
        Control Bytes Sent:  0
        Control Packets Received:  0
        Control Packets Sent:  0
        Encrypted Bytes Received:  7820
        Encrypted Bytes Sent:  1207
        Encrypted Packets Received:  9
        Encrypted Packets Sent:  3
        Inbound Bypassed Packets:  0
        Inbound Discarded Packets:  0
        Outbound Bypassed Packets:  0
        Outbound Discarded Packets:  0
        Packets Received:  4
        Packets Sent:  0
        Time Connected:  00:03:01
    Protocol Info
        Inactive Protocol
            Protocol Cipher:  RSA_3DES_168_SHA1
            Protocol Compression:  None
            Protocol State:  Disconnected
            Protocol:  DTLS
        Active Protocol
            Protocol Cipher:  RSA_3DES_168_SHA1
            Protocol Compression:  Deflate
            Protocol State:  Connected
            Protocol:  TLS
    OS Version
        Windows 8 : WinNT 6.2.9200
    Log from the data transmission software:
    24/12/2013 12:51:13 - Application version = 1.11.28.0
    24/12/2013 12:51:13 - Lodgement Library Version =  1.11.28.0
    24/12/2013 12:51:13 - Connection Method =  INTERNET
    24/12/2013 12:51:13 - DIS Connection Type = Automatic
    24/12/2013 12:51:13 - VPN Client =  ACTIVE
    24/12/2013 12:51:13 - Check Available Connections =  NOT ACTIVE
    24/12/2013 12:51:13 - Windows 8 (6.2.9200 SP )
    24/12/2013 12:51:13 - Language: English (Australia)
    24/12/2013 12:51:13 -
    24/12/2013 12:51:13 - Connected to ISP via LAN
    24/12/2013 12:51:13 - Checking for presence of VPN client.
    24/12/2013 12:51:13 - VPN client found. (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe)
    24/12/2013 12:51:13 - The Cisco AnyConnect Secure Mobility Client application is in use.
    24/12/2013 12:51:18 - Terminating Cisco AnyConnect Secure Mobility Client in progress ...
    24/12/2013 12:51:18 -
    24/12/2013 12:51:18 - Checking Cisco AnyConnect  version.
    24/12/2013 12:51:19 - Cisco AnyConnect Secure Mobility Client (version 3.1.04072) .
    24/12/2013 12:51:19 - Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.
    24/12/2013 12:51:19 - Config file directory:C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\
    24/12/2013 12:51:19 -
    24/12/2013 12:51:19 - Loading profile:C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ELS-IMelAde-TCP.xml
    24/12/2013 12:51:19 -
    24/12/2013 12:51:19 - Initializing the VPN connection.
    24/12/2013 12:51:19 - Ready to connect.
    24/12/2013 12:51:19 - Ready to connect.
    24/12/2013 12:51:19 - Contacting ELS-IMelAde-TCP.
    24/12/2013 12:51:23 - Authenticating user.
    24/12/2013 12:51:23 - Connected to VPN concentrator.
    24/12/2013 12:51:23 - Establishing VPN session...
    24/12/2013 12:51:23 - Checking for profile updates...
    24/12/2013 12:51:23 - Checking for product updates...
    24/12/2013 12:51:23 - Checking for customization updates...
    24/12/2013 12:51:23 - Performing any required updates...
    24/12/2013 12:51:23 - Establishing VPN session...
    24/12/2013 12:51:23 - Establishing VPN - Initiating connection...
    24/12/2013 12:51:24 - Establishing VPN - Examining system...
    24/12/2013 12:51:24 - Establishing VPN - Activating VPN adapter...
    24/12/2013 12:51:24 - Establishing VPN - Configuring system...
    24/12/2013 12:51:24 - Establishing VPN...
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connected to ELS-IMelAde-TCP.
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connection to VPN client return code = 0.
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connecting : Connecting to 203.202.43.2.
    24/12/2013 12:51:45 - Error in ConnectToDIS - Socket Error # 10060
    Connection timed out.
    24/12/2013 12:51:46 -
    24/12/2013 12:51:46 - Disconnecting from the VPN concentrator.
    24/12/2013 12:51:46 - Disconnect in progress, please wait...
    24/12/2013 12:51:46 - Detaching AnyConnect, please wait...
    24/12/2013 12:51:47 - Detached.
    24/12/2013 12:51:47 - Disconnected from VPN concentrator.
    24/12/2013 12:51:47 - *****************************************************
    24/12/2013 12:51:47 -               END OF LODGEMENT PROCESS
    24/12/2013 12:51:47 - *****************************************************
    Issue history:
    - Previously running Cisco VPN client on Windows 8 64 bit laptop (VPN working and able to transmit data over VPN)
    - Upgrade to Windows 8.1 stopped the VPN client working
    - Refreshed system back to Windows 8 and reinstalled all software
    - Cisco VPN client would not install on system
    - Cisco AnyConnect Secure Mobility Client installs and is able to connect to VPN host
    - Cisco AnyConnect Secure Mobility Client downloads and installs software from VPN host
    - Data transmission software returns error code #10060
    Any assistance would be greatly appreciated.

    anyone found the fix for this?

  • SunBlade 100 to Cisco PIX Security Appliance

    I have a problem connecting a SunBlade 100 workstation to Cisco routers and the PIX Security Appliance at the console ports of both a Cisco router and the Cisco PIX Security Appliance. This should be out of the serial port of the SunBlade 100 workstation.
    I have tried to use the UNIX command tip hardwire. No luck connecting to the console port. I also tried to use the UNIX cu command; again, no response from the console port. I tried connecting a modem temporarily to the SunBlade 100 workstation and was successful in echoing a phone number to a modem. However, I need to use a direct connection from the SunBlade 100 workstation.
    Currently, Windows 2000 workstations are used with HyperTerminal to connect to routers and the PIX Security Appliance. I have 24 SunBlade workstations in my classroom and need to use them to connect to the console port on Cisco routers and the PIX Security Appliance. I would appreciate any help anyone might be able to give on this subject.


  • Network becomes limited or unavailable as soon as i connect to cisco anyconnect secure mobility client, version - 3.1.05170

    Hi,
    I am using Cisco AnyConnect Secure Mobility Client, version 3.1.05170, on my Windows 8.1 PC to access VPN to my office desktop. But as soon as I connect the Cisco AnyConnect client, my Wi-Fi network becomes limited or unavailable. Thus, I am not able to get remote access to my office desktop, and I am not able to access any other websites either. But as soon as I disconnect from the Cisco AnyConnect VPN client, everything becomes normal, and the exclamation mark on the network icon also disappears.
    Kindly help me in this regard.
    Thanks and regards
    Neeraj

    There are a few things to consider here:
    - The IPSec VPN client is EoL, so even if we consider this as a bug, it wouldn't be fixed
    - fixing the file server access would break the DHCP renew which means there is no completely clean way to fix this, at least not at the IP level since the client can't route to the same destination using 2 different paths.
    Is there any chance we could do a static policy NAT for the DHCP traffic so it appears to come from another IP? It's twisted and it may not work (the client might use the DHCP server IP embedded inside the payload and not the source IP) but if it does, then we'd fix the overlap.
    Could the server use another IP address for the DHCP service (much like using a loopback for a certain service on a router?)
    A third solution would be to NAT the destination server IP on the ASA for traffic from the IP pool going to the server. We'd need DNS doctoring as well to resolve the server's name to the NATted IP. This way the server would appear from the VPN client as being at a different IP, thereby fixing the overlap.
    All these potential solutions are quite involved... you may be better off with a simpler design: splitting your server into 2 or using something else to do DHCP for the VPN clients.

  • Cisco Email Security Appliance (ESA) - Reporting

    In previous versions on ESA you could export data and reports in CSV formats using an API. Is that still available?
    From the following document:
    IRONPORT ASYNCOS 6.4 REPORTING API FOR IRONPORT APPLIANCES
    REPORTING API OVERVIEW
    The Reporting API feature allows you to download the same data collected by the Email Security Monitor component of the IronPort Email Security appliance or Security Management appliance in a comma separated value (CSV) format. This format allows users to integrate the IronPort appliance's data gathering capabilities into other IT and business reporting systems. 
    DOWNLOADING REPORTING DATA
    You can retrieve the data used to build the charts and graphs in the Email Security Monitor feature via HTTP. This is useful if you plan to perform further analysis on the data via other tools. The data is available in standard comma separated value (CSV) format. The easiest way to get the HTTP query you will need is to configure one of the Email Security Monitor pages to display the type of data you want. You can then simply click the Export... link to initiate the download process.

    It went away, there's a new one (RESTful) in 9.0/9.1
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-0/ESA_API_1-0_Getting_Started_Guide.pdf

  • Clearing tcp sessions on the cisco acs secure appliance

    Hello,
    Is there a possibility to view the number of TCP sessions which are active on an ACS Secure appliance?
    Due to these hangups we have no connection to the appliance through web or console. So we are also interested in clearing the TCP sessions instead of rebooting the appliance.
    Could somebody help us?
    Thanks
    Torsten Waibel

    What is the ACS software version?

  • Cisco Web Security Appliance Slowness issue

    Hello,
    I have a slowness issue on an existing WSA-S170-K9 appliance; when issuing the command rate/proxystat it sometimes displays as unresponsive (screenshot attached).
    The software version is 8.5. I was suspecting that this issue is related to access policies applied to end users, so I created a test policy to bypass all checks and disable all malware/antivirus checks on user flows; however, the same issue is still there.
    I appreciate any assistance.
    Thanks,
    Muayad Jallad,

    Does this happen every time you run the rate command and at the beginning of the command's output rows?
    You may want to look at your proxylogs to see what activity is occurring while the proxy is unresponsive.

  • BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

    I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
    Current config based on the existing article pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
    Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
    Using strength means that the ciphers are ordered and presented strongest to weakest, as negotiation should occur at the first mutually accepted cipher.
    What are the TLSv1 ciphers used by IronPort? (Verifying under the sslconfig CLI appears only to list SSL ciphers.)
    Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
    Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
    Paul

    Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only TLSv1 is enabled.
    And reordering ciphers by strength won't bring anything, since the client's cipher order will always be preferred.
    Also, MD5 should be disabled as it's widely considered too weak for the job.
    My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5
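As an added check (not from the thread or from Cisco), the cipher strings quoted above can be expanded with Python's ssl module, which takes the same OpenSSL cipher-string syntax as the sslconfig setting; the exact suite list depends on the host's OpenSSL build, so the functions check properties (no MD5, no anonymous DH, strength ordering) rather than fixed names.

```python
import ssl

# The two cipher strings quoted in the thread
PRE_POODLE = "MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH"
RECOMMENDED = "HIGH:MEDIUM:!aNULL:!MD5"

def expand(cipher_string: str) -> list:
    """Return the TLS 1.2-and-earlier suites a cipher string selects, in the
    order the library would offer them. TLS 1.3 suites come from a separate,
    fixed list and are left out so only the configurable part is compared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def is_valid_cipher_string(cipher_string: str) -> bool:
    """A string that selects no suite at all is rejected by OpenSSL; catching
    that here beats discovering it when the gateway stops negotiating TLS."""
    try:
        expand(cipher_string)
        return True
    except ssl.SSLError:
        return False

def weak_suites(suites: list) -> list:
    """Names a mail gateway should not offer: MD5 MACs, RC4, NULL or export
    encryption, and anonymous DH/ECDH (no server authentication at all)."""
    markers = ("MD5", "RC4", "NULL", "EXP", "ADH", "AECDH")
    return [c["name"] for c in suites if any(m in c["name"] for m in markers)]

def strongest_first(suites: list) -> bool:
    """True when key strength never increases down the list, which is the
    ordering @STRENGTH asks OpenSSL to produce."""
    bits = [c["strength_bits"] for c in suites]
    return all(a >= b for a, b in zip(bits, bits[1:]))

def dropped(from_string: str, to_string: str) -> list:
    """Suites offered by from_string that to_string no longer offers, i.e.
    what a change of cipher string actually removes on this build."""
    keep = {c["name"] for c in expand(to_string)}
    return [c["name"] for c in expand(from_string) if c["name"] not in keep]

def audit(cipher_string: str) -> dict:
    """Summary a reviewer would want before pasting a string into sslconfig."""
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        "weak": weak_suites(suites),
        "strongest_first": strongest_first(suites),
    }
```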

  • P2P blocking on ASA 5525 with Software Version 8.6(1)2

    Hello,
    We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
    Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
    We have DMZ setup & also inline IPS module.
    Thanks in advance.
    Regards,
    Sandeshc Chavan.

    Hi Chavan , 
    You can try to block this by port.
    The well-known TCP ports for BitTorrent traffic are 6881-6889 (and 6969 for the tracker port).
    The config is
    access-list BLOCK-P2P-TRAFFIC extended deny tcp any any range 6881 6889 log
    access-list BLOCK-P2P-TRAFFIC remark keep the existing permit-all; an ASA ACL ends in an implicit deny
    access-list BLOCK-P2P-TRAFFIC extended permit ip any any
    and apply it to the desired interface with the access-group command.
    For example:
    access-group BLOCK-P2P-TRAFFIC out interface DMZ
    However, blocking BitTorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
    Also, you can run the command netstat -a from the Windows command prompt and check which port BitTorrent is using.
    Hope this helps.

  • Cisco AnyConnect Secure Mobility Client with IPsec

    Hello,
    Current equipment
    ASA 5520
    ASA Version 8.4(6)
    ASDM Version 7.1(3)
    IPsec(IKEv1)
    Cisco VPN Client
    Cisco AnyConnect Secure Mobility Client
    Version 3.1.04072
    I need to configure the VPN client with IPsec using the version of the VPN client that I'm talking about.
    The first time, I completed all the parameters. I noted which file was edited. The file that was edited is this file, "preferences.xml", in
    c:\users\user\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client
    If I edit this file "preferences.xml", all settings change, but it does not help me reach a solution.
    The file contains this
    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectPreferences>
    <DefaultUser>user</DefaultUser>
    <DefaultSecondUser></DefaultSecondUser>
    <ClientCertificateThumbprint></ClientCertificateThumbprint>
    <ServerCertificateThumbprint></ServerCertificateThumbprint>
    <DefaultHostName>server</DefaultHostName>
    <DefaultHostAddress></DefaultHostAddress>
    <ProxyHost></ProxyHost>
    <ProxyPort></ProxyPort>
    <SDITokenType>none</SDITokenType>
    <ControllablePreferences>
    <LocalLanAccess>false</LocalLanAccess>
    <AutoConnectOnStart>false</AutoConnectOnStart>
    <BlockUntrustedServers>false</BlockUntrustedServers></ControllablePreferences>
    </AnyConnectPreferences>
    What I need to know is the "sentence" or line of configuration that I have to introduce in this file to reference the different IPsec profile. If I am told that I must update the handle or ASDM version, I can do it.
    Can somebody help me, please?

    Here is a link to an example of configuring AnyConnect to use IKEv2. According to this ASA 8.4 and AnyConnect 3.1 should be ok.
    http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-ac-ikev2-ca-00.html
    HTH
    Rick

  • Issues reconnecting with cisco anyconnect secure mobility client when plugged in via ethernet

    Hi,
    I have a laptop running Windows 8 x64 with the Cisco AnyConnect Secure Mobility Client version 3.1.02040. Ethernet and wireless are enabled. By default, Ethernet works primarily until the system detects that Ethernet is down, i.e. undocked from the docking station; then it should switch to wireless.
    Problem: When connected to VPN via the Ethernet card, it connects without any issues, but when I disconnect it takes a few seconds to disconnect, like 10+ seconds. I try to reconnect to VPN but it says something is wrong with the VPN client and to restart the OS. I restart and my system just takes forever to restart; eventually it will restart, but the OS will generate an MS crash dump.
    If I undock my laptop and connect to VPN via my wireless card, everything works fine. I can disconnect from VPN and it does it in a few seconds, and I can reconnect without any issues.
    Please advise... thanks.
    dan

    anyone found the fix for this?

  • Cisco ACS Engine appliance 1120 software upgrade

    I want to upgrade my Cisco ACS Engine appliance 1120 from software version 3.3 to the latest version (5.x). How do I go about this? Someone should help please.

    It is highly suspicious that you would have a 1120 appliance that is running 3.3
    ACS 3.3 was with the ACS solution engine 1111, 1112 and 1113.
    ACS 5 requires the appliance 1120/1121 so it requires an appliance change. I'm puzzled about how you could be running 3.3 for 1120 since there is no installation DVD for that.
    As a general thing, one has to follow the ACS 5 migration guide on cisco.com that explains the process quite well. You need to go to acs 4.1/4.2 to migrate to 5.
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/migrate.html
    Nicolas

  • Error "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed" - help !

    hi,
    I've tried to install the AnyConnect Secure Mobility Client on my computer (Mac OS 10.6.8). I've never installed it before on this computer; however, when I want to install it I get the message
    "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed"
    I would be thankful if anyone could help me with this problem!

    Would I be correct in assuming that you are trying to do a manual install of the AnyConnect client when you get this error? Have you ever used this Mac to connect to an ASA and to establish a VPN? If so, it is quite likely that AnyConnect was installed in that online session and does not require a manual install.
    HTH
    Rick

  • Cisco AnyConnect Secure Mobility client software has VERY slow file transfers from system on the VPN, about 1/10 of non-VPN.

    I'm running Win7 with the software-only AnyConnect Secure Mobility Client version 3.1.04072.
    I've found that copying a file from a system on the VPN runs at about 1/10 the speed of getting a file from a system that is NOT on the VPN.

    first poster -
    "Downloads from random internet sites are 5-10 times faster than anything from a server on the VPN."
    Your corporate network may just have too little bandwidth, you're taking a poor internet route between carriers (ISPs are often maxed out, believe it or not), there is a speed and duplex problem, or you have a bad MTU. Test all of them. Your PC's MTU should be 1300 max on all interfaces. Use the setmtu.exe tool.
    Jcohen - if you disable the IPS on the ASA, does the slow transfer problem go away?
