Wednesday, February 15, 2012

Cisco TAC Security Podcast

Cisco Security
Sometimes I forget about the simple things that I use to stay current with Cisco technology. One of these 'tools' is the Cisco TAC security podcast.

This podcast is a great source of information if network security, specifically Cisco ASA based network security, is in your job description.

New podcasts are published, generally, on a monthly basis.

I definitely recommend adding it to your list.

Their site is located at

Thursday, June 23, 2011

Boy, I've been busy

I can't believe it's been 4 months since I wrote my last blog post. I have really been busy managing several projects, and honestly haven't had much real technical interaction with the Cisco world.

I am nearing the end of a huge project, and will dig back into what I enjoy, soon.

Monday, February 28, 2011

Problems with Windows Authentication over a Site-to-Site VPN

Ever had a problem on a site-to-site VPN where Windows machines took a very long time to authenticate to a domain controller on the other side of the link? It's possible the problem is a need to fragment packets that don't want to be fragmented. The solution could remind you of trying to stuff a fat guy in a Tron suit.

Issues with maximum frame size and the don't-fragment (DF) bit are common when an IPSec tunnel sits between users and their resources. The problem is caused by the extra headers that IPSec and GRE add to the original packet, causing the total packet size to exceed the MTU of the link. A good way to troubleshoot this is to run the following ping command on a workstation, with the destination being the domain controller.
ping -f -l 1472
The -f switch sets the don't fragment flag on the ICMP packet. The -l 1472 switch sends 1472 bytes of ICMP data, which is the largest payload that fits in a 1500-byte Ethernet frame once the 8-byte ICMP header and 20-byte IP header are added.

With the IPSec (and GRE) headers added, a ping carrying 1472 bytes of data exceeds the 1500-byte MTU and will fail to reach the destination unless the packet can be fragmented.

Below is an example of the results, if the packet cannot be fragmented.
c:>ping -f -l 1472

Pinging with 1472 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The fix? Well, there are a couple of things that can be done to get this working. The first is to use Path MTU Discovery. PMTUD (Path Maximum Transmission Unit Discovery) was developed to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet's source to its destination. PMTUD tries to determine the largest packet size that can be delivered without fragmentation. When PMTUD works correctly, the end stations settle on a packet size that will not exceed the capacity of the smallest link in the middle. Unfortunately, PMTUD doesn't always work.

There are three things that can break PMTUD, two of which are uncommon and one of which is common.

  • A router can drop a packet and not send an ICMP message. (Uncommon)

  • A router can generate and send an ICMP message but the ICMP message gets blocked by a router or firewall between this router and the sender. (Common)

  • A router can generate and send an ICMP message, but the sender ignores the message. (Uncommon)

The first and last of the three bullets above are uncommon and are usually the result of an error, but the middle bullet describes a common problem. Typically, ICMP packet filters are configured to block most, or all, ICMP message types rather than only blocking certain ICMP message types. A packet filter can block all ICMP message types except those that are "unreachable" or "time-exceeded." The success or failure of PMTUD hinges upon ICMP unreachable messages (specifically type 3, code 4, "fragmentation needed and DF set") getting through to the sender of a TCP/IP packet. ICMP time-exceeded messages are important for other IP issues. So, another solution may be required to resolve this problem.

Another solution is to configure 'crypto ipsec df-bit clear', which clears the DF bit on packets entering the tunnel and allows the encapsulated packets to be fragmented. This will generally solve the problem with the larger packet sizes by overriding any DF bit the end stations set. Want to read more about this issue? See the following articles:
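To make the sizes and the three PMTUD failure modes concrete, here is an added Python model. It is not code from this blog or from Cisco. It assumes ESP tunnel mode with AES-CBC and HMAC-SHA1-96 plus a basic GRE header; the hop names and the path are constructed, and the hop attributes filters_icmp and clears_df are stand-ins for an ICMP-blocking filter and the 'crypto ipsec df-bit clear' command. It goes a step beyond the post by computing the largest DF-safe -l value for that transform, which is the number you would otherwise find by trial and error with ping -f.

```python
"""Added example, not from the blog post: a small model of why a DF ping of
1472 bytes fails through an IPsec/GRE tunnel and how PMTUD breaks.  Header
sizes are the standard ones; the path is a constructed toy, not a capture."""

from dataclasses import dataclass

IP_HDR = 20          # IPv4 header, no options
ICMP_HDR = 8         # ICMP echo header
GRE_HDR = 4          # basic GRE header (no key/sequence)
LINK_MTU = 1500      # typical Ethernet MTU


def esp_tunnel_overhead(inner_len, iv_len=16, block=16, icv_len=12):
    """Bytes ESP tunnel mode adds to an inner packet of inner_len bytes.
    Assumes AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV);
    other transforms change only these three parameters."""
    trailer = 2                                  # pad length + next header
    pad = (-(inner_len + trailer)) % block       # pad up to a block boundary
    return IP_HDR + 8 + iv_len + pad + trailer + icv_len   # 8 = SPI + seq


def encapsulated_size(icmp_data_len, gre=True):
    """On-the-wire size of 'ping -l icmp_data_len' after GRE and ESP."""
    inner = IP_HDR + ICMP_HDR + icmp_data_len
    if gre:
        inner += IP_HDR + GRE_HDR
    return inner + esp_tunnel_overhead(inner)


def max_unfragmented_payload(link_mtu=LINK_MTU, gre=True):
    """Largest -l value whose encapsulated packet still fits the link."""
    size = link_mtu
    while size > 0 and encapsulated_size(size, gre) > link_mtu:
        size -= 1
    return size


@dataclass
class Hop:
    name: str                   # constructed label, no real device
    mtu: int                    # largest packet this hop forwards whole
    sends_icmp: bool = True     # False: drops silently (uncommon case 1)
    filters_icmp: bool = False  # True: blocks ICMP heading back (common case 2)
    clears_df: bool = False     # True: behaves like 'crypto ipsec df-bit clear'


def send(path, size, df=True):
    """Walk one packet along the hops.  Returns 'delivered', 'fragmented',
    'frag-needed:<mtu>' (ICMP type 3 code 4 reached the sender) or
    'black-hole' (dropped with no usable feedback)."""
    fragmented = False
    for i, hop in enumerate(path):
        if hop.clears_df:
            df = False
        if size > hop.mtu:
            if not df:
                fragmented, size = True, hop.mtu   # fragments fit from here on
                continue
            if not hop.sends_icmp or any(h.filters_icmp for h in path[:i]):
                return "black-hole"
            return f"frag-needed:{hop.mtu}"
    return "fragmented" if fragmented else "delivered"


def pmtud(path, size, ignores_icmp=False):
    """Sender-side PMTUD: shrink to the MTU each ICMP reports until the
    packet gets through.  ignores_icmp models uncommon case 3.  Returns the
    size the sender ends up using, or None when PMTUD black-holes."""
    while True:
        result = send(path, size)
        if result in ("delivered", "fragmented"):
            return size
        if result.startswith("frag-needed:") and not ignores_icmp:
            size = int(result.split(":")[1])
            continue
        return None


def demo(icmp_filtered=False, df_bit_clear=False):
    """Probe a constructed branch -> tunnel -> HQ path with the blog's ping."""
    # Tunnel hop: largest inner packet that survives encapsulation unfragmented.
    tunnel_mtu = IP_HDR + ICMP_HDR + max_unfragmented_payload()
    path = [Hop("branch-lan", LINK_MTU),
            Hop("branch-acl", LINK_MTU, filters_icmp=icmp_filtered),
            Hop("ipsec-tunnel", tunnel_mtu, clears_df=df_bit_clear),
            Hop("hq-lan", LINK_MTU)]
    probe = IP_HDR + ICMP_HDR + 1472                   # ping -f -l 1472
    return send(path, probe), pmtud(path, probe)


if __name__ == "__main__":
    print("ping -l 1472 after GRE+ESP:", encapsulated_size(1472), "bytes")
    print("largest DF-safe -l value:", max_unfragmented_payload())
    print("PMTUD, ICMP allowed:", demo())
    print("PMTUD, ICMP filtered:", demo(icmp_filtered=True))
    print("df-bit clear, ICMP filtered:", demo(icmp_filtered=True, df_bit_clear=True))
```

Run it and the three demo lines reproduce the post's story: with ICMP allowed the sender learns the tunnel MTU from one "fragmentation needed" message; with the ICMP filtered the probe black-holes and the sender never converges, which is the slow-authentication symptom; with the DF bit cleared at the tunnel the sender keeps its 1500-byte packets and the tunnel fragments them. The largest DF-safe -l value depends on the transform set, so treat the 1386 this model prints as an illustration of the calculation, not a constant for every ASA.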

Tuesday, December 21, 2010

Configure remote access VPN with AD authentication

I created a SlideShare presentation with a step-by-step configuration of a Cisco ASA remote access VPN with Active Directory authentication, on a Windows 2003 server.

Using a Windows 2008 server is a little bit different. For example, IAS has been replaced with Network Policy and Access Services.

I have screen shots for a Windows 2008 installation; when I get some time, I'll post them into a SlideShare presentation.

Wednesday, July 7, 2010

I went to Vegas, and all I got was a bunch of t-shirts and a compromised identity.

It was a hectic week in Las Vegas. Sessions and social events from sun up to sun up.

I'll post pictures and videos, shortly. But, I think my identity was compromised!

This evening, I received the following email.

It will be interesting to see if more details surface - to learn what vendor discovered this, how the data was compromised, and what ultimately will be done with the data.

Hopefully, what happens in Vegas, stays in Vegas. No - I doubt it!