Saturday, September 29, 2007

CISCO ASA and Getting Mac/Windows L2TP To Work

Symptom:

You used the VPN Wizard in CISCO ASA's ASDM to create an L2TP configuration, but it does not work.

You look at the ASA log and it says something to the effect of "no acceptable SAs".

What Fixed:

Know that the Mac and PC will connect through the DefaultRAGroup, so if you are using a pre-shared key, it must be set right there. If you are not getting through Phase 1, check that first.

If you are getting through Phase 1, then it is likely that the transport-mode transform set for IPSec is not included in your dynamic IPSec policy.

Check the following:

crypto dynamic-map Extranet_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA ESP-AES-256-MD5 ESP-3DES-SHA

Finally, if you are using a user account on the ASA itself, then the user password must be stored using the nt-encrypted keyword. I would just telnet to the ASA and type that in. I am not sure whether, if you are using both the CISCO client and L2TP, both the ASA native mode of encryption and the NT encryption are allowed, so I have created a second user name for the purpose of logging on via L2TP.

username bozo password xyzzy nt-encrypted
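The three checks above (pre-shared key on DefaultRAGroup, a transport-mode transform set in the dynamic map, nt-encrypted passwords for L2TP users) can be run over a saved running-config. This is an added example, not code from the post; the config excerpt and the user names in it are constructed.

```python
import re

# Constructed excerpt of an ASA running-config (not from the post) covering the
# three things to check for Mac/Windows L2TP clients.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map Extranet_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
username admin password 8Ry2YjIyt7RRXU24 encrypted
username bozo password xyzzy nt-encrypted
"""


def lint_l2tp_config(config: str, l2tp_users: list[str]) -> list[str]:
    """Return findings for the L2TP checks; an empty list means all pass."""
    findings = []
    # 1. L2TP/IPsec needs a transport-mode transform set in the dynamic map.
    transport_sets = set(re.findall(
        r"^crypto ipsec transform-set (\S+) mode transport$", config, re.M))
    dyn_maps = re.findall(
        r"^crypto dynamic-map (\S+) \d+ set transform-set (.+)$", config, re.M)
    if not dyn_maps:
        findings.append("no dynamic crypto map sets a transform-set")
    for name, sets in dyn_maps:
        if not transport_sets & set(sets.split()):
            findings.append(f"dynamic-map {name} has no transport-mode transform-set")
    # 2. Mac/Windows clients land in DefaultRAGroup, so the PSK must live there.
    group = re.search(
        r"^tunnel-group DefaultRAGroup ipsec-attributes\n((?: .*\n)*)", config, re.M)
    if not group or "pre-shared-key" not in group.group(1):
        findings.append("DefaultRAGroup ipsec-attributes has no pre-shared-key")
    # 3. Local users that log on via L2TP need an nt-encrypted password.
    for user in l2tp_users:
        if not re.search(rf"^username {re.escape(user)} password \S+ nt-encrypted$",
                         config, re.M):
            findings.append(f"user {user} has no nt-encrypted password")
    return findings


if __name__ == "__main__":
    for line in lint_l2tp_config(SAMPLE_CONFIG, ["bozo"]) or ["all L2TP checks pass"]:
        print(line)
```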

Total Time To Figure Out This Issue

Approximately 4 hours.

Tuesday, September 25, 2007

Microsoft IIS SMTP Server Does Not Relay or Send Emails

Symptom:

You've installed the SMTP server (Default SMTP Virtual Server) as part of IIS on Microsoft Windows Server 2003, but nothing gets relayed.

What Fixed:

By default no hosts, not even the local ones, are allowed to relay out of the box. You need to go to Default SMTP Virtual Server Properties, open the Access tab and press the Relay... button.

You should grant the relay permission to the server itself or to all the IP addresses in your local network.

Total research fix time: About 30 minutes.

CISCO ASA Error construct_ipsec_delete(): No SPI to identify Phase 2 SA!

This article is the most popular article on this blog as of July 2012.

Another one of those very cryptic CISCO log messages. I guess these messages deserve to be cryptic, since my IOS code has a lot of "crypto" all over the place ;-)

Symptom:

When configuring for Site-to-Site VPN network, the IKE negotiation (Phase 1) works but Phase 2 results in a message like
  • construct_ipsec_delete(): No SPI to identify Phase 2 SA!

What Fixed It:

It appears that this occurs when there is a significant mismatch in the VPN tunnel's IPSec configuration parameters. IPSec is also known as Phase 2. If you have come this far in your connection then Phase 1, the IKE step, is complete, so do not go down the path of "fixing" Phase 1, for example a shared key mismatch. You are OK there; focus on fixing this Phase 2 issue.

If, like me, you are using the ASDM, this information is in the VPN->IPSec->IPSec Rules section.
  • Be sure that the network addresses and netmasks of the end points are properly set on both ends. For your end this is found at IPSec->IPSec Rules->Traffic Selection. You could also be using static NAT, so check to make sure that the NAT tables are correct. This is especially important if you are NATing to external routable addresses to avoid non-routable IP address conflicts (this is a very, very advanced topic and I don't even know what I am talking about, so if this does not make sense you do have to go to a CISCO professional for help. I am just a surfer who had this job dropped in my lap.)
  • Speaking of NAT, it is likely that you have NATed your inside address pool to a set of private addresses you have. If that is the case, then you DO have to make a NAT exception. The VPN wizard does that, but if you add another host in the same tunnel then you cannot use the wizard any more, so you'd forget this. Simply look in the NAT section on the left navigation bar and follow the other examples in there that are working. I almost always forget this and scratch my head for about an hour before I realize I have forgotten it (and even blogged about it!). If Phase 1 and 2 go OK but there still is no connection, then check the NAT table. Since there are a lot of people like me who have forgotten the NAT exception on their end too, be sure to ask them as well.
  • Be sure that the PFS (Perfect Forward Secrecy) settings match on both ends. This is at the bottom of the Tunnel Policy (Crypto Map) - Basic panel.
  • Also be sure that the traffic rules and netmasks match identically between the two ends. If the other side is using 255.255.255.255 for an individual IP address, then you have to do that on your end as well. You cannot use a wider mask on one end even if its range includes the address you are accessing. The traffic access lists from both ends must match exactly.
  • Now would also be a good time to download a TFTP client (many of them are out there) and back up your config to your local disk. Keep that config in Google Drive or somewhere in the cloud with a descriptive file name (like ASA-5505-120605-AddedBostonOffice.txt) so that you won't lose it.
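The "traffic access lists from both ends must match exactly" rule can be checked by hand from both sides' crypto ACLs: every source/destination pair on one end must appear swapped, with identical masks, on the other. This is an added example, not code from the post; the two ACLs and their names are constructed, and the remote side deliberately widens one mask and omits the host entry.

```python
import re

# Constructed crypto ACLs from the two ends of one site-to-site tunnel (not from
# the post): the remote side widened one netmask and dropped the host entry.
LOCAL_ACL = """\
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 host 10.2.5.9
"""
REMOTE_ACL = """\
access-list to_hq extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list to_hq extended permit ip 10.2.0.0 255.255.254.0 10.1.0.0 255.255.255.0
"""

# One access-control entry: each side is either 'host X' or 'address mask'.
ACE = re.compile(
    r"^access-list \S+ extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$", re.M)


def parse_selectors(acl: str) -> set[tuple[str, str]]:
    """Return the (source, destination) pairs of an ACL, each as 'address mask'."""
    def norm(term: str) -> str:
        # 'host X' selects the same traffic as 'X 255.255.255.255'
        return term.split()[1] + " 255.255.255.255" if term.startswith("host ") else term
    return {(norm(src), norm(dst)) for src, dst in ACE.findall(acl)}


def mirror_mismatches(local_acl: str, remote_acl: str) -> tuple[list, list]:
    """Entries that do not mirror: (only on local side, only on remote side).

    The remote ACL is flipped to the local perspective, so a correctly mirrored
    peer configuration yields two empty lists."""
    local = parse_selectors(local_acl)
    remote = {(dst, src) for src, dst in parse_selectors(remote_acl)}
    return sorted(local - remote), sorted(remote - local)


if __name__ == "__main__":
    only_local, only_remote = mirror_mismatches(LOCAL_ACL, REMOTE_ACL)
    print("missing on remote end:", only_local)
    print("missing on local end:", only_remote)
```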

Thursday, September 13, 2007

CISCO ASA 5510, 5505 VPN Removing peer from peer table failed, no match! Error

Symptom

When you try to connect with the CISCO VPN client, you get this error in the log and it will not connect.

4 Sep 13 2007 11:05:12 713903 Group = DefaultRAGroup, IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry

3 Sep 13 2007 11:05:12 713902 Group = DefaultRAGroup, IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!

Possible Cause

This error message is misleading and leads you to believe there is something really wrong with your configuration.

But it could simply mean that there is a mismatch, misspelling, or missing entry between the Group ID configured on the CISCO VPN client and the Group ID in the Tunnel Group setting.

I guess that the ASA is picking up the default group policy because it is not finding the correct one.

Solution

Check the tunnel group in your running configuration:

tunnel-group type ipsec-ra

Go to the CISCO VPN client, go to the Authentication tab, and the Name field must match what you used in
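A quick way to confirm the match, given a saved running-config and the Name typed into the client. This is an added example, not code from the post; the tunnel-group names and the peer address in the excerpt are constructed.

```python
import difflib
import re

# Constructed running-config excerpt (not from the post).
SAMPLE_CONFIG = """\
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group BostonUsers type ipsec-ra
tunnel-group BostonUsers ipsec-attributes
 pre-shared-key *
tunnel-group 203.0.113.10 type ipsec-l2l
"""


def remote_access_groups(config: str) -> list[str]:
    """Names of the remote-access (ipsec-ra) tunnel groups a client can name."""
    return re.findall(r"^tunnel-group (\S+) type ipsec-ra$", config, re.M)


def check_client_group(config: str, client_group_name: str) -> str:
    """Say whether the client's Name field will hit a configured tunnel group.

    A miss is exactly the case that produces the 'Removing peer from peer
    table failed, no match!' log lines; a near miss is reported as a hint."""
    groups = remote_access_groups(config)
    if client_group_name in groups:
        return f"ok: client group {client_group_name!r} matches a tunnel-group"
    hint = difflib.get_close_matches(client_group_name, groups, n=1, cutoff=0.6)
    msg = f"mismatch: no ipsec-ra tunnel-group named {client_group_name!r}"
    if hint:
        msg += f"; did you mean {hint[0]!r}?"
    return msg


if __name__ == "__main__":
    print(check_client_group(SAMPLE_CONFIG, "BostonUser"))
```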

Monday, September 10, 2007

Windows .NET Service Program Does Not Fire Timer

Scenario:

  • You started to write a Windows Service using C# and Visual Studio 2005.
  • You dragged a Timer object into the service component's design surface.
  • You wrote a Timer handler object.
  • Timer never fires.

Solutions:

The fact that VS 2005 allows you to drag the timer (or other objects) is very misleading. It actually never works because the timer event will never be fired. In theory they (Visual Studio) should not allow you to do that. (I swear it worked in 2003, but that's the past.)

There are numerous postings, messages and such all over the place on this. It took me half a day to figure this out.

But the reason why the timer event does not fire is that under the Service execution model there is no "message pump" executing like in Windows desktop apps.

The only way that I know works is to use a System.Threading object, launch a thread, and then block that thread for N milliseconds using the Sleep function within the thread to achieve the same result.

If you want an example of this, I can elaborate here. Just write a comment.

Windows .NET Programmatically Configure Network Interface with C#

Problem: I want to write a C# program that will configure IP address(es).

Why is this useful?

You may have one server and a backup server (say, a web server), and you would want to write a program to automatically move the second IP address of an interface from the master to the backup server.

Solutions:

This article on Code Project seems to be right on: http://www.codeproject.com/cs/system/cstcpipwmi.asp

It is also helpful to look at the MSDN page for the Win32_NetworkAdapterConfiguration class:

http://msdn2.microsoft.com/en-us/library/aa394217.aspx

You would access each item in this Win32 class by a named index into each ManagementObject in the ManagementObjectCollection, using the member name spelled exactly as on that page. The indexer returns an object, so cast it to the documented type:

e.g., string description = (string)objMO["Description"];