Tag Archives: Cisco ASA

Cisco Firepower Forbidden- you don’t have permission to access

Leave a reply

After re-image FPR2110 from FTD to ASA9.8.2, the chassis (FXOS) mgmt interface UI become unaccesible giving the following error “Forbidden- you don’t have permission to access / on this server”.

In a nutshell, i could access FXOS via SSH and ASA (SSH & HTTPS) but the FXOS Chassis Management was broken. After spend some time, the only way to get this sorted was upgrade for the version 9.9.x

After upgrade, everything was working again.

 

Tags: , , , ,

AnyConnect Package on the secure gateway could not be located

1 Reply

This error message is because your Cisco ASA doesn’t have the AnyConnect image for your WebVPN profile. These images can be downloaded from cisco.com .This example is for ASDM 7.6, but if you run version 6.x you can do using ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Binary

anyconnect_package_error

anyconnect_package_error4  anyconnect_package_error2

anyconnect_package_error3

Tags: , , , , ,

Mate’s license (Licensed Cores ) is not compatible with my license (Licensed Cores )

Leave a reply

I’ve configured many clusters using Cisco ASA gear, but this time i got a strange message bringing the cluster UP (active/passive) using a pair of 5510 (code asa842-k8.bin).

Error message:

Mate’s license (Licensed Cores ) is not compatible with my license (Licensed Cores ). Failover will be disabled.
Understanding Licensing models it´s always hard, because of the product evolution. But i was wondering even with same License (Security Plus) could be because of having different AnyConnect seats? After generate a demo license didn’t work, so my last guess was look to release notes and Bingo! Affected by CSCtj87870

After upgrade to 8.4(7) it worked!

Firewall 1

FW1# show activation-key
Serial Number: JMXyyyyyyyy
Running Permanent Activation Key: 0x0f19ee7b 0x2cf2fb8c 0x4ce23d7c 0xb0d4587c 0x013d09beLicensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5510 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.

Firewall 2

FW2# show activation-key
Serial Number: JMXxxxxxxx
Running Permanent Activation Key: 0xfe13ca68 0xd8bc8063 0x697114e4 0xccd4b0c0 0x4004cbb6Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 50 perpetual
AnyConnect Essentials : 250 perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5510 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.

FW1/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 0 of 110 maximum
failover replication http
Version: Ours 8.4(7), Mate 8.4(7)
Last Failover at: 19:24:17 GMT/BDT Jul 13 2015
This host: Primary – Active
Active time: 72212 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(7)) status (Up Sys)
Interface outside (185.11.166.209): Normal (Not-Monitored)
Interface inside (10.1.1.254): Normal (Not-Monitored)
slot 1: empty
Other host: Secondary – Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.4(7)) status (Up Sys)
Interface outside (0.0.0.0): Normal (Not-Monitored)
Interface inside (0.0.0.0): Normal (Not-Monitored)
slot 1: emptyStateful Failover Logical Update Statistics
Link : FAILOVER Ethernet0/3 (up)
Stateful Obj    xmit       xerr       rcv        rerr
General         10714600   0          9605       1
sys cmd         9605       0          9605       1
up time         0          0          0          0
RPC services    0          0          0          0
TCP conn        265004     0          0          0
UDP conn        9540443    0          0          0
ARP tbl         488430     0          0          0
Xlate_Timeout   0          0          0          0
IPv6 ND tbl     0          0          0          0
VPN IKEv1 SA    3          0          0          0
VPN IKEv1 P2    146        0          0          0
VPN IKEv2 SA    0          0          0          0
VPN IKEv2 P2    0          0          0          0
VPN CTCP upd    0          0          0          0
VPN SDI upd     0          0          0          0
VPN DHCP upd    0          0          0          0
SIP Session     410969     0          0          0
Route Session   0          0          0          0
User-Identity   0          0          0          0

Logical Update Queue Information
Cur     Max     Total
Recv Q:         0       8       9606
Xmit Q:         0       122     10979540

Tags: , , ,

Cisco ASA Compatibility Matrix

Leave a reply

This is the amazing Matrix for Cisco ASA wicht  has compatibility about ASA OS, ASDM, Modules, Memory Kits with new and old boxes. I would add a Licensing bullet on this Cisco Doc, but is just my opinion.

This document lists the Cisco ASA software and hardware compatibility and requirements.

 

ASA and ASDM Compatibility

This section lists ASA and ASDM compatibility for current and lecisco asagacy ASA models.

References:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

Tags: , , , , ,

Upgrade Cisco ASA 8.3

Leave a reply

Efectuar upgrade de firmware nos Cisco ASA para a versão superior à 8.3 não é uma tarefa fácil devido ás diversas dependências existentes: memória RAM, Configs (ACL, NATs), Steps entre versões.

Aqui ficam alguns links para analisar antes de efectuar o Upgrade:

https://supportforums.cisco.com/docs/DOC-12690

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Tags: , , ,