ASA# show crypto isakmp sa

and

ASA# show crypto ipsec sa

Both of these commands provide you with a wealth of information about the IPSec connection.  However, what about if you start talking about SSL VPN sessions?  Or WebVPN sessions?  Since these technically aren’t IPSec connections, they don’t show up in the ‘show crpypto’ commands.  Below I’ll walk through a couple of commands which show you some more information about all types of VPN connections.

How to see current WebVPN Sessions
ASA# show vpn-sessiondb webvpn
Session Type: WebVPN
Username     : langemakj              Index        : 13
Public IP    : 10.20.30.78
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 147092                 Bytes Rx     : 31993
Group Policy : GP_SSLVPN              Tunnel Group : TG_SSLVPN
Login Time   : 14:04:01 CST Thu Jul 29 2010
Duration     : 0h:00m:11s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
Notes: So as you can see, this gives you a ton of info on the connection including the users group policy, tunnel group, and their public IP (Note: I’m testing off of the internal ASA interface hence the RFC 1918 addressing).

How to log off current WebVPN Sessions
ASA# vpn-sessiondb logoff name langemakj
Do you want to logoff the VPN session(s)? [confirm]
INFO: Number of sessions with name "langemakj" logged off : 1
Notes: What’s interesting about the log off procedure is that its done by tunnel group or username.  Note in this instance, I don’t even have to note that it’s a WebVPN session that I want to log off.  Conversely, if I wanted to log off all of the WebVPN sessions I could just input ‘vpn-sessiondb logoff webvpn’ which would log off all users connected to WebVPN.

Wrap up
So now that we have an idea of how it works with WebVPN connections, let’s use the trusty ‘?’ to see what else we can do with the ‘vpn-sessiondb’.

ASA# show vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers
  <cr>

As you can see, you can use the vpn-sessiondb command to look at each type of VPN connection.  While I usually still use the ‘show crypto’ commands for IPSec connections, you HAVE to use the vpn-sessiondb for AnyConnect and WebVPN.  Play around with it, remember, the ‘?’ is your best friend!

After I managed to calm down a bit, I shut down the guest, and put my original VMX file back in place hoping I could get the server to boot with its initial configuration.  After moving the new VMX file out, and putting the old one back in, I tried to boot the server and I was greeted with an error message that looked like this….
 

At this point I immediately realized what had happened and was in absolute horror.  Someone had created a snapshot of the server 3 months ago, and never merged it back into the VM.  When I created the new guest, I had pointed to the disks to original VMDK files (which is your only option) and when I booted the server with them the file became modified which broke the snapshot chain.  I thought I had lost the system.

Before I go any further, I want to point out how I got to this point and things that should have been done to avoid such a catastrophic problem.

Issue - When you create the new VMX file and are asked to select the existing disk, the wizard only shows you the base VMDK file rather than all of the snapshots (even though they end in VMDK as well). 
Lesson Learned – Check the snapshot manager before making ANY changes.  A more thorough look in the data store browser would have point out the snapshot files to me as well

Issue – I had wanted to make a local copy of the guests folder on the data store prior to making ANY changes but was unable due to lack of space. 
Lesson Learned – If you are using local storage, ALWAYS have enough space to make a complete backup of any guest on that system.  If its a SAN, you might be able to get away with just taking a snapshot at the storage level.

Issue – The snapshots in general
Lesson Learned – As a rule, I don’t usually take snapshots in VMWare.  And if I do, I don’t let them hang out there for more than a day.  Keep an eye on the snapshots!

Green – Console output
Blue – My values, you’ll need to insert your own
Normal text – What I entered
Bold – Parts I’m trying to point out in the output

How I got out of this mess
After doing some research, I determined that the issue was with what VMWare calls the CID chain.  The CID value is used to link snapshots to parent VMDK files and when you load the parent file when there are snapshots present, you screw up this chain.  I didn’t have a backup of the system (at the VMWare level) and even though I had found steps online on how to try to fix this.  I let the experts at VMWare do it for me.  Afterwards, I recreated the scenario at home for the purpose of making this blog entry.  The steps below are offered at your own risk and there is no guarantee that they will work.

Step 1
BACKUP EVERYTHING.  Backup as much as you can, these steps will outline making direct edits to VMDK files which ,if done incorrectly, can cause corruption.  Also, try not to make ANY changes on the VMWare guest when you boot the parent VMDK.  I realized my mistake, and shut it down as soon as I could.

Step 2 
If you haven’t done so already, put the original VMX file back in place.  We’ll be using it to try to boot the system.  If you deleted it (for some silly reason) you may be able to make a new one but I haven’t tried that.

Step 3
Enable SSH on the ESX box if you haven’t already.  I’m running ESXi 3.5 in this test but you can very easily google how to enable SSH on your ESX version.  Using SSH just makes this a lot easier (especially if you are remote as I was).  In this example I’ll actually be using telnet.

Step 4
Figure out what the CID values are for each of the snapshots.  To do this we need to log in to the console (via SSH) and find the value on each of the files.  To do this, I entered the following commands.  Note the server I am running this test on is called UberServ01. 

Change to the guest directory
~ # cd /vmfs/volumes
/vmfs/volumes # ls
0016047d-c4d39b6a-ec38-631130484fa9  Hypervisor1
3abb47ef-875ea67c-c948-7bf6ff8d3c38  Hypervisor2
4af76f09-2611a4b1-ea7e-000f1ff86fb0  Hypervisor3
4af76f0b-0ba64946-17d8-000f1ff86fb0  datastore1
931ac070-8437760b-9dcc-b0a7dbce2d74
/vmfs/volumes # cd ./datastore1/
/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0 # ls
ISO                    UberServ01 
/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0 # cd ./UberServ01/
/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0/UberServ01 # ls -ltr *.vmdk
-rw——-    1 root     root          255 Jul 15 21:34 UberServ01-000001.vmdk
-rw——-    1 root     root     67131904 Jul 15 21:36 UberServ01-000001-delta.vmdk
-rw——-    1 root     root          262 Jul 15 21:42 UberServ01-000002.vmdk
-rw——-    1 root     root     67131904 Jul 15 21:44 UberServ01-000002-delta.vmdk
-rw——-    1 root     root          532 Jul 15 21:48 UberServ01.vmdk
-rw——-    1 root     root    10758666240 Jul 15 21:52 UberServ01-flat.vmdk

The last command outputs the name of all of the files in the directory with the VMDK file extension.  As you can see, we have two snapshot files here.  One called UberServer01-000001.vmdk and the other UberServ02-000002.vmdk.  To return the CID values enter the following commands.

/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0/UberServ01 # grep CID ./UberServ01-000001.vmdk
CID=986a79c0
parentCID=4fc239f6

/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0/UberServ01 # grep CID ./UberServ01-000002.vmdk
CID=1df04fbb
parentCID=986a79c0

/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0/UberServ01 # grep CID ./UberServ01.vmdk
CID=0db4eee2
parentCID=ffffffff

Note that the parent file (the original VMDK) will always have the parentCID value of ‘ffffffff’ since its the parent.

So as of right now here is the info we have….
Correct Parent CID – 0db4eee2
Snapshot 1 Parent CID – 4fc239f6
Snapshot 1 CID -986a79c0
Snapshot 2 Parent CID – 986a79c0
Snapshot 2 CID - 1df04fbb

The issue should be apparent at this point.  The CIDs need to reference each other in the correct order.  So this is what we currently have…..

Do you see the issue?  The 1st snapshot references the wrong CID value for the parent.  To fix this, we need to edit the parent VMDK file to reference the new CID value of 4fc239f6.  To to do this, enter the following commands….

/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0/UberServ01 # vi ./UberServ01.vmdk

Now this is the tricky part.  I absolutely hate vi, I just can’t seem to get the hang of it.  But here’s what I did to edit the file.  Keep in mind that if the file is large, it can take some time to load, so if you get a black screen for a period of time, just hang tight.

-Use the arrow keys to arrow down to the beginning of the line that starts with ‘CID=’.  This line should list the incorrect SID which you pulled earlier.  Rather than deleting the value we are just going to comment it out.
-Press the insert key once
-Press enter to insert a new line
-Type a # to comment out the original CID line
-Arrow up one to start entering text on your new blank line
-Type in the new CID value prefaced by ‘CID=’
-When you are done, the lines should look something like this….

-Press the escape key once. 
-Type in ‘:wq’ (minus the single quotes)
-This should kick you back out to the command line

At this point I would verify the chain one more time to ensure that you have the CIDs correct.

/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0/UberServ01 # grep CID ./UberServ01.vmdk
CID=4fc239f6
#CID=0db4eee2
parentCID=ffffffff
/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0/UberServ01 # grep CID ./UberServ01-000001.vmdk
CID=986a79c0
parentCID=4fc239f6
/vmfs/volumes/4af76f0b-0ba64946-17d8-000f1ff86fb0/UberServ01 # grep CID ./UberServ01-000002.vmdk
CID=1df04fbb
parentCID=986a79c0

So now it looks like….

 
If you are confident with your changes, try to fire up the VM now.  With any luck, it will boot correctly and your current data will be back where it should be.  After you make sure that it boots correctly, I would shut it down and delete the snapshots to merge everything back into one file.  If you booted up the parent file and made changes the chances that some sort of corruption occurred is high.  In my case, I had to rebuild the server WMI namespace which wasn’t that big of a deal.  But all I did was boot the server up!

Notes
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them

Configure your interfaces
Inside Interface
ASA(config)# interface Vlan1
ASA(config-if)#description Inside Interface
ASA(config-if)# nameif inside
ASA(config-if)# ip address <Inside IP> <Inside Mask>

Outside Interface
ASA(config)# interface Vlan2
ASA(config-if)# description Primary ISP
ASA(config-if)# nameif outside
ASA(config-if)# ip address <ISP 1 IP> <ISP 1 Mask>

Backup ISP Interface
ASA(config)# interface Vlan3
ASA(config-if)# description Backup ISP
ASA(config-if)# nameif backupisp
ASA(config-if)# security-level 0
ASA(config-if)# ip address <ISP 2 IP> <ISP 2 Mask>

Assign them to switchports
ASA(config)# interface Ethernet0/0
ASA(config-if)# switchport access vlan 2
ASA(config)# interface Ethernet0/1
ASA(config-if)# switchport access vlan 3
Notes: VLAN 1 is the default so I’m not assigning it, just use one of the other ports for it.

Configure NAT
Define your Global pools
ASA(config)# global (outside) 1 <An IP in your Primary ISPs pool that you want to use for NAT/PAT>
ASA(config)# global (backupisp) 1 <An IP in your Backup ISPs pool that you want to use for NAT/PAT>
Notes: You need to define both the primary and backup address as global pools to match up against the NAT pool.  I totally forgot about that during the install and couldn’t figure out why I wasn’t passing traffic.

Define your inside NAT
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Notes: Some people use a specific network here, I always just use 0 0 if its a small setup

Configure the SLA Monitor
ASA(config)# sla monitor 10
ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
ASA(config-sla-monitor-echo)# num-packets 3
ASA(config-sla-monitor-echo)# timeout 1000
ASA(config-sla-monitor-echo)# frequency 3
ASA(config)# sla monitor schedule 10 life forever start-time now
Notes: Ok, so here is the actual ‘failover’ piece of all of this. So I’ll break it down piece by piece. 
Line 1 – Configures a SLA monitor with the ID of 10
Line 2 – Configures the monitoring protocol and the target of the monitoring probe.  In this case I chose 4.2.2.2 since I have been able to ping that magical IP address since the beginning of time.  You also need to tell it which interface to source the ICMP traffic from.  In this case, it would be the outside interface. 
Line 3 – Sets the number of packets to be sent in each probe.
Line 4 – Configures the timeout period in milliseconds. 
Line 5 – Configures the frequency of the probe in seconds. 
Line 6 – Instructs the ASA to start SLA monitor 10 now and let it run for forever. 

Configure the Route tracking
ASA(config)#route outside 0.0.0.0 0.0.0.0 <ISP 1 Default route> 1 track 1
ASA(config)#route backupisp 0.0.0.0 0.0.0.0 <ISP 2 Default route> 254
Notes: Here we define the default network routes out to the internet.  Notice that we define out normal default route with an administrative distance of 1.  However, we also add the ‘track 1’ statement at the end.  This means that this route being in the routing table is dependant on tracked item 1 (If you don’t know what that means hold on, we’ll get there soon enough).  We also install a second route for the backup ISP which HAS to have a higher administrative distance than the primary ISP’s default route. 

ASA(config)# track 1 rtr 10 reachability
Notes: This is where the magic happens.  The above statement reads like this in plain English.  “Keep an eye on SLA monitor 10 and when it fails any routes associated with me also fail”.  So what happens is when the SLA monitor fails, the tracked route gets removed from the routing table, and the route with the higher administrative distance comes in and takes its place since its the best available route. 

Summary
So it’s a pretty cool setup if you are ONLY looking for outbound internet failover.  Keep in mind that all of your static NATs, external DNS entries, VPNs, etc won’t work when your primary ISP fails (assuming that’s the IP they are all assigned on).  This particular client had me make a primary and a backup PCF file for their Cisco VPN clients so that they could access the VPN when they were in a failover state.  Then I just added the backup ISP interface to the crypto map for their client VPN and turned on ISAKMP on the backup ISP interface.  Keep in mind though that the backup VPN will only work when the backup ISP circuit is live and the primary VPN will only work when the primary ISP circuit is live.  Both will never work at the same time.

Display your network adapters (Without going to the network and sharing center first!!!)
My biggest pet peeve with server 08 is that it takes more than 2 clicks to see your actual adapters. Not anymore, this shortcut loads the adapter screen in one command!
Command: ncpa.cpl
Usage: Start Menu,  Run, Type  ‘ncpa.cpl’ – Press <Enter>

Display Add/Remove Program (program and features)
Not a huge breakthrough, but it saves time all the same
Command: appwiz.cpl
Usage: Start Menu,  Run, Type  ‘appwiz.cpl’ – Press <Enter>

Show IIS (7)
Another time savor
Command: inetmgr
Usage: Start Menu,  Run, Type  ‘inetmgr’ – Press <Enter>

I’m mostly on the network side, so the first command is most useful to me.  Nonetheless its useful to know some shortcuts even with a GUI OS like Windows.  As a side note you can also run all of these commands out of command prompt but for shortcuts that don’t have the ‘.cpl’ extension you need to preface the command with the word ‘start’ (EG: ‘start inetmgr’)

What is svchost.exe?
As it turns out, not all applications and services in windows have the ‘exe’ file extension.  Some of them are actually DLLs (Dynamic-Link Library) files that need a means to run.  Windows (unlike other operating systems) doesn’t have a way to run a DLL directly as a service.  Svchost acts as a platform (a separate EXE) from which to launch these DLLs are services.  So when you see a ton of svchost.exe processes running under task manager, they aren’t actually the same program. 

So which one is which?
So lets walk through an example of how to determine which svchost process is linked to a particular program.  So lets say that the DHCP client service on my windows server locked up and during the service restart the service hung in the dreaded ‘Attempting to stop’ state (Yes, I realize its highly unlikely that your DHCP client service would be a critical service on a server with a static IP, just bear with me as the concept is the same for any service).  So I open up the services MMC and check the properties of the service to find out what EXE the service is running.  The properties screen looks like this…

As you can see, the service runs under the svchost.exe process.  A look at my task manager on the server gives me this…
 

Notice that I have not one, but fifteen svchost.exe processes running.  So which one do I kill?  After some googling I found the answer.  The key to making this determination is the PID (Process ID).  If you cant see the PID in your task manager go to View – Select Columns – And Select PID (For Server 08).   You should now see the PID listed next to each process.  Now go to the command prompt and enter in this magic command…

tasklist /svc

Or if you just want to see the svchost.exe processes…

tasklist /svc /fi "imagename eq svchost.exe"

The output from the second command looks like this…

A quick review of the output reveals that DHCP is running over svchost.exe at PID 956.  Taking a look back at the task manager I locate PID 956 and kill the process.  Pretty slick huh?

Beware!
I view this way of starting and stopping windows services as a last resort.  Often times multiple services run under the same svchost which can cause issues if you start killing them.  Additionally, a lot of windows services that run as svchost.exe don’t like being killed.  For instance, the DHCP client I used in this example when killed just started right back up again.  If you can do a server reboot to clear the hung process that’s usually the best approach.  But if you can’t, and need a quick fix, use this with caution.

1 – Connect to the router with your console cable

2 – Power up the router and start pressing the ‘Break’ key on your keyboard

3 – If the router detects you pushing the ‘Break’ key it should put the router into ROMMON

4 – When the router enters ROMMON mode you should be presented with a ‘rommon’ numbered prompt.  Enter the following commands…

monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg 0×2142

You must reset or power cycle for new config to take effect

rommon 2 > reset

Essentially this tells the router to ignore its startup-config when booting.  The reset command reboots the router.

5 – When the router finishes loading you should receive the standard ‘first boot’ prompts asking you about entering the initial configuration dialog.  Say no to any prompts.

6 – At this point, I usually plug a ethernet interface on the router into my network and configure an IP address on the router so that I can copy the current config off.  Its important to note here that all we did was tell the router to ignore it’s startup config.  Its still fully intact at this point.

Router> enable
Router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int faste0/0
Router(config-if)# ip address 10.20.30.23 255.255.255.0
Router(config-if)# no shut
Router(config-if)# exit
Router(config)# exit
Router# copy startup-config tftp
Address or name of remote host []? 10.20.30.51                                             
Destination filename [8772106002209363-confg]? 1841-Original-Config                                                              
.!!  
2666 bytes copied in 3.104 secs (859 bytes/sec)

7 – Now that we have a good copy of the original config I reset the config register, wipe nvram, and reload the router.  When it comes back online it will be like a brand new router.

Router# config t
Router(config)# config-register 0×2102                                              
Router(config)# exit                            
Router(config)# write erase
*May 12 23:00:00.891: %SYS-5-CONFIG_I: Configured from console by console
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]    
[OK]   
Erase of nvram: complete                                       
*May 12 23:00:10.531: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvr   
Router# reload                      

System configuration has been modified. Save? [yes/no]: n                                                        
Proceed with reload? [confirm]    

Summary                        
Im sure there are tons of documents out there that tell you how to do this, it just helps me remember when I write it all down.  It should be noted that this is usually used as a password recovery procedure.  In that case the startup-config is copied in the running-config after you enter enable mode.  Once the startup-config is loaded you can enter config mode and reset the enable and line passwords since you were in enable mode prior to loading the original config. 

So if someone from Cisco is reading this and wants to send me a Security Plus activation code so I can blog about it that would be cool : )

Determine the number of inside hosts being used on a ASA
ASA# show local-host brief
Detected interface ‘outside’ as the Internet interface. Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 50
<output ommitted>

What is a wild card mask?
Wild card masks are used for a variety of different tasks.  OSPF area definitions and some access lists use them to define a certain part of the network.  They work much like subnet masks but in reverse.  For instance, take this Class C subnet.

192.168.127.1 /24
Network – 192.168.127.1
Subnet mask – 255.255.255.0
Wild Card Mask – 0.0.0.255

Pretty straightforward right?  The wild card mask is essentially the reverse of the subnet mask.  So if the binary subnet mask looked like……

11111111.11111111.11111111.00000000

The wild card mask would look like this…..

00000000.00000000.00000000.11111111

That’s all fairly easy to understand, however when you start using VLSM it can get a little trickier.  For instance, take this class C subnet.

192.168.127.1 /27
Network – 192.168.127.1
Subnet mask – 255.255.255.224
Wild Card Mask – 0.0.0.31

The binary would look like this…..

11111111.11111111.11111111.11100000

The wild card mask would look like this…..

00000000.00000000.00000000.00011111

Now that’s a little more confusing isn’t it?  What might even be harder to understand is if you were simply given this…

access-list 1 permit 192.168.127.1 0.0.0.31

The Cisco book I read suggested that you do the binary conversion to figure out what exact network that ACL represented.  That seems like a waste of time to me.  Why not just subtract the wild card octets from 255.255.255.255.  In other words….

     255.255.255.255
   –     0.     0.     0.  31
—————————
     255.255.255.224

Then to convert a mask from standard notation to wild card you simply subtract the subnet mask from 255.255.255.255. 

    255.255.255.255 
-  255.255.255.224
————————— 
          0.     0.     0.  31

Wasn’t that easy?  Now I know some of you sitting out there reading this are thinking to yourself “Wow, we all knew that already”.  But for someone who has just be introduced to wild card masks this could be a huge help.  If someone would have just told me that I could just subtract as shown above it would have saved me one or two nights of frustration.  I think the Cisco press books meant well by trying to show you the full binary math behind wild card masks – and I’m not saying you should learn the binary way of doing this as well – but knowing the quickest way to do something is often far more helpful (especially on exams!).

Personally I never use it.  Why?  Since I started Cisco it has been beaten into my head that trunks use crossover cables.  That’s just how it was.  Truthfully, most trunk links these days are going to be fiber but if we do run across a copper trunk we’ll use a crossover cable.

So why would we still mess around with using crossover cables when managed switches can flip the pairs for us?  Because there are a few things that you might not know about the auto-mdix feature on Cisco switches that can leave you perplexed if you don’t fully understand it.

The one big problem with auto-mdix is that you HAVE to use auto duplex and auto speed settings on the trunk ports.  Let’s take a look at an example of an auto-mdix configuration.

2940# config t
Enter configuration commands, one per line.  End with CNTL/Z.
2940(config)# int faste0/4
2940(config-if)# mdix auto
2940(config-if)#
1w6d: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
1w6d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
2940(config-if)# duplex full
1w6d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
1w6d: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
2940(config-if)#

I start by configuring the port for auto-mdix.  As you can see, the instant I configure the option, the interface loads and comes up.  However, the instant I hard code the port to a duplex of full, the interface goes down.  A documented requirement of the auto-mdix feature is that you have to let both sides do auto duplex and speed negotiation.  So, if your company standard is to hard code speed and duplex on trunk ports, then you’ll be using a cross over cable.

I will admit that it’s a great feature to use in a pinch.  Sometime I just don’t have a crossover cable with me and in those cases I’ll use it temporarily.  But I always go back and put a crossover cable in its place.  That’s just me though.  I know some people that use it religiously, and other that won’t touch it.  I see it as an unnecessary complication that can cause issues down the road.  If an engineer doesn’t see the auto-mdix configuration and sets the speed or duplex they can end up stumped for days.  You should be aware that its an option, but be aware of its limitations.