Cisco Network Security Troubleshooting Handbook

Book description

Identify, analyze, and resolve current and potential network security problems 

  • Learn diagnostic commands, common problems and resolutions, best practices, and case studies covering a wide array of Cisco network security troubleshooting scenarios and products

  • Refer to common problems and resolutions in each chapter to identify and solve chronic issues or expedite escalation of problems to the Cisco TAC/HTTS

  • Flip directly to the techniques you need by following the modular chapter organization

  • Isolate the components of a complex network problem in sequence

  • Master the troubleshooting techniques used by TAC/HTTS security support engineers to isolate problems and resolve them on all four security domains: IDS/IPS, AAA, VPNs, and firewalls

With the myriad Cisco® security products available today, you need access to a comprehensive source of defensive troubleshooting strategies to protect your enterprise network. Cisco Network Security Troubleshooting Handbook can single-handedly help you analyze current and potential network security problems and identify viable solutions, detailing each step until you reach the best resolution.

Through its modular design, the book allows you to move between chapters and sections to find just the information you need. Chapters open with an in-depth architectural look at numerous popular Cisco security products and their packet flows, while also discussing potential third-party compatibility issues. By following the presentation of troubleshooting techniques and tips, you can observe and analyze problems through the eyes of an experienced Cisco TAC or High-Touch Technical Support (HTTS) engineer or determine how to escalate your case to a TAC/HTTS engineer.

Part I starts with a solid overview of troubleshooting tools and methodologies. In Part II, the author explains the features of Cisco ASA and Cisco PIX® version 7.0 security platforms, Firewall Services Module (FWSM), and Cisco IOS® firewalls. Part III covers troubleshooting IPsec Virtual Private Networks (IPsec VPN) on Cisco IOS routers, Cisco PIX firewalls with embedded VPN functionalities, and the Cisco 3000 Concentrator. Troubleshooting tools and techniques on the Authentication, Authorization, and Accounting (AAA) framework are discussed thoroughly on routers, Cisco PIX firewalls, and Cisco VPN 3000 concentrators in Part IV. Part IV also covers troubleshooting Cisco Secure ACS on Windows, the server-side component of the AAA framework. IDS/IPS troubleshooting on IDS/IPS appliances, IDSM-2 blade, and NM-CIDS blade on Cisco IOS routers are covered in Part V. In Part VI, the author examines the troubleshooting techniques for VPN/Security Management Solution (VMS) tools used for managing products from all four security domains in greater detail: IDS/IPS, AAA, VPNs, and firewalls.

Cisco Network Security Troubleshooting Handbook prepares you to troubleshoot your network’s security devices and presents step-by-step procedures for tackling issues that arise, so that you can protect your network.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Table of contents

    1. Copyright
      1. Dedications
    2. About the Author
      1. About the Technical Reviewers
    3. Acknowledgments
    4. Icons Used in This Book
    5. Command Syntax Conventions
    6. Introduction
      1. Goals and Methods
      2. Who Should Read This Book?
      3. Strategies for Becoming an Efficient Troubleshooter
      4. How This Book Is Organized
    7. I. Troubleshooting Tools and Methodology
      1. 1. Troubleshooting Methods
        1. Proactive Actions for Handling Network Failure
        2. Types of Failure
        3. Problem-Solving Model
          1. Step 1: Define the Problem
          2. Step 2: Gather the Facts
          3. Step 3: Consider Possible Problems
          4. Step 4: Create an Action Plan
          5. Step 5: Implement the Action Plan
          6. Step 6: Observe Results
          7. Step 7: Repeat if Necessary
          8. Step 8: Document the Changes
        4. Summary
      2. 2. Understanding Troubleshooting Tools
        1. Using Device Diagnostic Commands
          1. show Commands
          2. debug Commands
        2. Test Commands
          1. ping Command
          2. traceroute Command
          3. telnet Command
          4. nslookup Command
        3. Network Analyzers
        4. Trivial File Transfer Protocol (TFTP) Server
        5. FTP Server
        6. Syslog Server
        7. Audit and Attack Tools
        8. Core Dump
          1. Using TFTP
          2. Using FTP
          3. Using rcp
          4. Using a Flash Disk
          5. Additional Configuration
            1. “Exception Memory” Command
            2. debug sanity Command
          6. Testing the Core Dump Setup
    8. II. Troubleshooting Cisco Secure Firewalls
      1. 3. Troubleshooting Cisco Secure PIX Firewalls
        1. Overview of PIX Firewall
          1. ASA
          2. PIX Packet Processing
          3. File System Overview
          4. Access-List
            1. time-range Keyword
            2. Enable/Disable
            3. Outbound ACL
          5. nat-control
          6. Modular Policy Framework (MPF) Objective
          7. Transparent Firewall
        2. Diagnostic Commands and Tools
          1. show Commands
            1. show xlate [detail]
            2. show connection [detail]
            3. show local-host
            4. show service-policy
            5. show asp drop
            6. show cpu usage
            7. show traffic
            8. show blocks
            9. show output filters
            10. show tech-support
          2. Debug Commands
            1. debug icmp trace
            2. debug application_protocol
            3. debug pix process
            4. debug fixup tcp | udp
          3. capture Command
          4. Sniffer Capture
          5. Syslog
          6. Traceback/Crashinfo
          7. Other Tools
        3. Problem Areas Breakdown
          1. Licensing Issues
          2. Password Recovery Issue
          3. Software Upgrade and Downgrade Issues
            1. Standard Upgrade Procedure
            2. Upgrade using ROM Monitor Mode
            3. Downgrade Procedure
            4. Upgrading PIX Firewall in a Failover Setup
          4. Connection Issues Across PIX Firewall
            1. Configuration Steps
            2. Troubleshooting Steps
          5. Transparent Firewall Issues
            1. Configuration Steps
            2. Troubleshooting Steps
          6. Virtual Firewall
            1. Security Context
            2. How the Virtual Firewall Works
            3. Limitations of Virtual Firewall
            4. Configuration Steps
            5. Troubleshooting Steps
          7. Quality of Service (QoS) Issues
            1. Policing
            2. Low Latency Queuing (LLQ)
            3. Troubleshooting Steps
          8. Performance Issues
            1. High CPU Utilization
            2. High Memory Utilization
            3. Large ACL
            4. Reverse DNS & IDENT Protocol
        4. Case Studies
          1. Active/Standby Model
          2. Active/Active Model
          3. Hardware and License Requirements
          4. System and User Failover Group
          5. Initialization, Configuration Synchronization/Command Replication
          6. Configuration Examples
          7. Asymmetrical Routing Support
          8. Troubleshooting Steps
        5. Common Problems and Resolutions
        6. Best Practices
          1. Protecting the PIX Firewall Itself
          2. Protecting Network Resources
      2. 4. Troubleshooting Firewall Services Module
        1. Overview of FWSM Firewall
          1. FWSM Architecture
            1. Control Plane (CP)
            2. Network Processors (NP)
              1. EtherChannel
          2. Packet Flows
        2. Diagnostic Commands and Tools
          1. Show Commands
            1. show Commands on the Switch
            2. show Commands on the FWSM
          2. Debug Commands
          3. Sniffer on the FWSM
          4. Syslog on the FWSM
          5. Sniffer Capture
        3. Analysis of Problem Areas
          1. Licensing Issues
          2. Hardware Issues
          3. Firewall Module Administration Issues
            1. Flash
            2. Setting the Boot Device (Route Processor)
            3. Maintenance Partition
            4. Password Recovery Procedure
            5. Upgrading a New Image
              1. Upgrading the Maintenance Partition
            6. Upgrading Software Images
          4. Connection Problems
            1. Configuration Steps
            2. Troubleshooting Steps
          5. AAA Issues
          6. Virtual and Transparent Firewall
          7. High CPU Issues
          8. Intermittent Packet Drops Issues
          9. Failover Issues
            1. Failover Operations
              1. Initialization Phase
              2. Failover Conditions
              3. Forced Reboot Conditions
              4. Monitoring
            2. Configuration Steps
            3. Troubleshooting Steps
        4. Case Studies
          1. Case Study 1: Multiple SVI for FWSM
            1. Why Change the Existing Model?
            2. Scenario One: DHCP Helper with FWSM 1.1(x)
            3. Scenario Two: Alternate Configuration
          2. Case Study 2: Understanding Access-List Memory Utilization
            1. The Compilation Process: Active and Backup Trees
            2. How Memory Is Allocated: Release 1.1(x) or 2.2(1) in Single Mode
            3. How Memory Is Allocated: Release 2.2(1) in Multiple Mode
            4. Trees and Contexts: A Matter of Mapping
            5. FWSM Release 2.3: The ACL Partition Manager
            6. Examples of ACL Compilation
            7. Access-Lists: Best Practices
        5. Common Problems and Resolutions
        6. Best Practices
      3. 5. Troubleshooting an IOS Firewall
        1. Overview of IOS Firewall (CBAC)
          1. Single Channel Protocol Inspection
            1. UDP and CBAC
            2. ICMP and CBAC
            3. Application Layer Protocol (TCP-based) and CBAC
              1. Preventing from Invalid Command Execution
              2. Protection from Malicious Java Applets
              3. URL Filtering
          2. Multi-Channel Protocol Inspection
          3. NAT/PAT and CBAC
          4. Port Application Mapping (PAM) and CBAC
          5. Denial of Service (DoS) Detection And Prevention
            1. TCP Syn Flood and DoS Attack Launched by UDP
            2. Fragmentation
          6. Real-Time Alerts and Audit Trails
          7. Interaction of CBAC with IPsec
          8. Transparent Cisco IOS Firewall
        2. Diagnostic Commands and Tools
          1. show Commands
          2. debug Commands
          3. Syslog
          4. Packet Capture (Sniffer Traces)
        3. Categories of Problem Areas
          1. Selection of Software for IOS Firewall Issues
          2. Unable to Connect (Inbound and Outbound) across CBAC
            1. Packet Failure to Reach the Router’s Incoming Interface
            2. Misconfigured ACL
            3. Misconfigured NAT and Routing
            4. IP Inspection Applied in the Wrong Direction
            5. UDP Inspection Is Not Configured
            6. Return Traffic Might Not Be Coming Back to the Router
            7. ICMP Traffic Is Not Inspected
            8. There Is a Problem with Inspecting Single Channel Protocol
            9. Required Multi-Channel Protocol Is Not Inspected
            10. IP URL Filtering Blocking the Connection
            11. Redundancy or Asymmetric Routing Problems
          3. Performance Issues
            1. Timeouts for TCP, UDP, and DNS
            2. Short Threshold Values for Half-open and New Connections
            3. HTTP Inspection Dilemma
            4. Switching Path
            5. Large ACL
            6. Reverse DNS and IDENT Protocols
            7. Running Older Code
          4. Intermittent Packet Drops
          5. IP URL Filtering Is Not Working
        4. Case Studies
          1. How auth-proxy Works
          2. Method of Authentication
          3. Supported Platform
          4. Configuration Steps
          5. Troubleshooting auth-proxy
        5. Common Problems and Resolutions
        6. Best Practices
          1. Basic Router Security
          2. Anti-spoofing Configuration
    9. III. Troubleshooting Virtual Private Networks
      1. 6. Troubleshooting IPsec VPNs on IOS Routers
        1. Overview of IPsec Protocol
          1. Encryption and Decryption
            1. Symmetric Algorithms
            2. Asymmetric Algorithms
            3. Digital Signatures
          2. Security Protocols
            1. Authentication Header (AH)
            2. Encapsulating Security Payload (ESP)
            3. Transport Mode
            4. Tunnel Mode
          3. Security Associations (SAs)
          4. SA and Key Management with IKE Protocol
            1. IKE Phase 1
              1. Main Mode Negotiation
              2. Aggressive Mode Negotiation
            2. IKE Phase 2
        2. Diagnostic Commands and Tools
          1. show Commands
            1. show Command for Phase I
            2. show Commands for Phase II
            3. show Commands for Interface Counters
            4. show Command for Verifying IPsec Configuration
            5. Commands for Tearing Down Tunnel
          2. debug Commands
        3. Analysis of Problem Areas
          1. Basic LAN-to-LAN Troubleshooting
            1. Successful LAN-to-LAN Tunnel Establishment Process
            2. Tunnel Establishment Fails at Phase I
            3. Tunnel Establishment Fails at Phase II
            4. Tunnel Is Established but Unable To Pass Traffic
          2. GRE over IPsec
            1. Configuration Steps
            2. Troubleshooting Steps
          3. Public Key Infrastructure (PKI) Troubleshooting
            1. Configuration Steps
            2. Troubleshooting Steps
              1. Certificate Enrollment Process Failure
              2. Certificate Enrollment Is Fine but IKE Authentication Still Fails
          4. Remote Access Client VPN Connection
            1. Configuration Steps
            2. Troubleshooting Steps
        4. Case Studies
          1. DMVPN Architecture
            1. Multipoint GRE Tunnel Interface (mGRE Interface)
            2. Next Hop Resolution Protocol (NHRP)
          2. Configuration Steps
          3. Troubleshooting DMVPN
            1. NHRP Mapping Problem
            2. Crypto Socket Creation Problem
            3. Crypto VPN Problem
              1. Dynamic Routing Protocol Problem
            4. Passing Data Across an Established Tunnel Problem
        5. Common Problems and Resolutions
          1. NAT With IPsec Issues
            1. NAT in the Tunnel End Points
            2. NAT in the Middle
          2. Firewall and IPsec Issues
          3. Maximum Transmission Unit (MTU) Issues
          4. Split Tunneling Issues
        6. Best Practices
          1. Stateful Failover
          2. Stateless Failover
            1. Loss of Connection Detection Mechanism
            2. Stateless Failover Mechanism Options
              1. Backup Peer for Basic LAN-to-LAN IPsec
              2. Hot Standby Routing Protocol (HSRP) and Reverse Route Injection (RRI)
              3. Generic Routing Encapsulation (GRE) Tunnels over IPsec
      2. 7. Troubleshooting IPsec VPN on PIX Firewalls
        1. Overview of IPsec Protocol
        2. Diagnostic Commands and Tools
          1. show Commands
          2. debug Commands
        3. Categorization of Problem Areas
          1. LAN-to-LAN Troubleshooting
            1. Configuration Steps
            2. Troubleshooting Steps
              1. Tunnel Is Not Established: Phase I Failure
              2. Tunnel Is Not Established: Phase II Failure
              3. Tunnel Is Established Completely But Cannot Pass Data
          2. Remote Access VPN Troubleshooting
            1. Configuration Steps
            2. Troubleshooting Steps
              1. Tunnel Is Not Established
              2. Tunnel Is Established Completely But Unable to Pass Data
        4. Case Studies
        5. Common Problems and Resolutions
          1. NAT with IPsec Issues
            1. NAT in the Tunnel End Point
            2. NAT Device in the Middle of Tunnel End Points
              1. IPsec over NAT Transparency (NAT-T)
              2. IPsec over TCP
              3. When to Use NAT-T or IPsec over TCP/UDP?
          2. Firewall and IPsec
          3. Maximum Transmission Unit (MTU) Issues
          4. Split Tunneling Issues
        6. Best Practices
          1. Dead Peer Discovery (DPD)
          2. Reverse Route Injection (RRI)
          3. Stateful Failover For VPN Connections
      3. 8. Troubleshooting IPsec VPNs on VPN 3000 Series Concentrators
        1. Diagnostic Commands and Tools
          1. Debug Tool
          2. Monitoring Tool
          3. Administer Sessions
          4. Configuration Files
          5. LED Indicators
          6. Crash Dump File
          7. VPN Client Log
        2. Analysis of Problem Areas
          1. LAN-to-LAN Tunnel Issues
            1. Configuration Steps
            2. Troubleshooting Steps
              1. Tunnel Not Established
              2. Tunnel Is Established but Unable to Pass Traffic
              3. Interoperability Issues with Other Vendors
          2. Remote Access VPN Connection
            1. Configuration Steps
              1. VPN Concentrator Configuration
              2. VPN Client Configuration
            2. Troubleshooting Steps
              1. VPN Client Cannot Connect
              2. VPN Client Can Connect but Tunnel Is Not Passing Traffic
              3. VPN Client Can Connect but User Cannot Access the Internet
              4. VPN Client Can Connect but Users Cannot Access the Local LAN
          3. Digital Certificate Issues
            1. Digital Certificate on the VPN Client
            2. Digital Certificate on the VPN Concentrator
              1. Troubleshooting Steps
        3. Case Studies
          1. Clientless SSL VPN
            1. Configuration Steps for Basic SSL VPN Connection
            2. Troubleshooting Steps for Basic SSL VPN Connection
              1. Inability to Establish SSL Session with VPN 3000 Concentrator
              2. Inability to Log in to VPN 3000 Concentrator
            3. Configuration Steps for Web Server Access
            4. Troubleshooting Steps for Web Server Access
              1. Turning on WEBVPN Event Class for Logging
              2. Inability to Browse to Website
              3. Website Displays Incorrectly
            5. Configuration Steps for CIFS Access
            6. Troubleshooting Steps for CIFS Access
          2. Thin Client
            1. Configuration Steps for Port Forwarding
            2. Java Applet Debugging
            3. Troubleshooting Steps for Port Forwarding
            4. Configuration Steps for MAPI Proxy
            5. Troubleshooting Steps for MAPI Proxy
            6. Configuration Steps for E-mail Proxy
            7. Troubleshooting Steps for E-mail Proxy
          3. Thick Client (SSL VPN Client)
            1. Configuration Steps for SSL VPN Client
            2. Troubleshooting Steps for SSL VPN Client (SVC)
              1. SSL VPN Client Establishment Issues
              2. SSL VPN Client Installation Issues
        4. Common Problems and Resolutions
        5. Best Practices
          1. Redundancy Using VRRP
          2. Redundancy and Load Sharing Using Clustering
          3. Redundancy Using IPsec Backup Servers
    10. IV. Troubleshooting Network Access Control
      1. 9. Troubleshooting AAA on IOS Routers
        1. Overview of Authentication, Authorization, and Accounting (AAA)
          1. AAA Architecture
          2. AAA Communication Protocols
            1. TACACS+
              1. TACACS+ Operation for Authentication
              2. TACACS+ Operation for Authorization
              3. TACACS+ Operation for Accounting
            2. RADIUS
              1. RADIUS Operation for Authentication and Authorization
              2. RADIUS Operation for Accounting
          3. Difference between RADIUS and TACACS+
        2. Diagnostic Commands and Tools
          1. show Commands
          2. debug Commands
        3. Analysis of Problem Areas
          1. Router Management Troubleshooting
            1. Login Authentication
            2. Configuration Steps
            3. Troubleshooting Steps
            4. Enable Password Authentication
            5. Exec Authorization
          2. Command Authorization
          3. Accounting
          4. Dialup Networking Troubleshooting
            1. Authentication and Authorization for Dialup Networking
              1. Downloading ACL per User Basis Using Filter-id
              2. Downloading ACL/ROUTES, WINS, and DNS IP Using AV Pair
            2. Accounting for Dialup Networking
          5. X-Auth Troubleshooting for IPsec
          6. Auth-proxy Troubleshooting
        4. Case Studies
          1. Router Configuration
          2. LAC Configuration
          3. RADIUS Server Configuration
            1. LAC RADIUS Configuration
            2. LNS RADIUS Configuration
          4. Troubleshooting Steps
            1. LAC Router Troubleshooting
            2. LNS Router Troubleshooting
        5. Common Problems and Resolutions
        6. Best Practices
      2. 10. Troubleshooting AAA on PIX Firewalls and FWSM
        1. Overview of Authentication, Authorization, and Accounting (AAA)
          1. Authentication
          2. Authorization
            1. Authorization for an Administrative Session
            2. Authorization for VPN Connection (X-Auth)
          3. Accounting
        2. Diagnostic Commands and Tools
          1. show Commands
          2. debug Commands
          3. Syslog
          4. Other Useful Tools
        3. Problem Areas Analysis
          1. Firewall Management with AAA Troubleshooting
            1. Login Authentication Issues
              1. Configuring Basic Authentication with Different Communication Methods on the Firewall
              2. Configuring Local User Database Authentication
              3. Configuring External AAA Server Authentication
              4. Configuring Fallback Method for Authentication
              5. Troubleshooting Login Authentication
            2. Enable Authentication
              1. Configuring Enable Authentication
              2. Troubleshooting Enable Authentication
            3. Command Authorization
              1. Command Authorization Based on Enable Password Privilege Level
              2. Command Authorization Using Local User Database
              3. Command Authorization Using an External AAA Server
            4. Troubleshooting Steps
            5. Accounting
          2. Cut-Through Proxy Authentication
            1. Authentication for Cut-Through Proxy
              1. Cut-Through Proxy Authentication with Local User Database
              2. Cut-Through Proxy Authentication Using RADIUS or TACACS+ Protocol
            2. Troubleshooting Cut-Through Proxy Authentication
            3. Authorization for Cut-Through Proxy
              1. Configuring Cut-Through Proxy Authorization Using the TACACS+ Protocol
              2. Troubleshooting Cut-Through Proxy Authorization Using the TACACS+ Protocol
              3. Configuring Cut-Through Proxy Authorization Using the RADIUS Protocol
              4. Troubleshooting Cut-Through Proxy Authorization Using the RADIUS Protocol
            4. Accounting for Cut-Through Proxy
          3. Extended Authentication (X-Auth) Issues for Remote Access VPN Connection
            1. Configuration Steps
            2. Troubleshooting Techniques
        4. Case Studies
          1. Case Study 1: AAA Exemption
            1. IP Exemption
            2. MAC Exemption
          2. Case Study 2: Virtual Telnet
            1. Configuring Virtual Telnet
            2. Troubleshooting Virtual Telnet
          3. Case Study 3: Virtual HTTP
        5. Common Problems and Resolutions
        6. Best Practices
      3. 11. Troubleshooting AAA on the Switches
        1. Overview of AAA
          1. Switch Management
          2. Identity-Based Network Services (IBNSs)
            1. IEEE 802.1x Framework
              1. EAP encapsulation over LANs (EAPOL)
              2. Standard 802.1x Operation
            2. Extensible Authentication Protocol (EAP)
            3. RADIUS in 802.1x
            4. What Is Authenticated
            5. Machine Authentication
            6. Authorization
            7. Accounting
              1. RADIUS Accounting Session Start/Stop Records
              2. RADIUS Accounting and Attribute-Value Pairs
            8. Extension of IEEE 802.1x Standard by Cisco IBNS Initiative
              1. 802.1x with VLAN Assignment
              2. 802.1x with Port Security
              3. 802.1x with Voice VLAN ID
              4. 802.1x Guest VLAN
              5. High Availability for 802.1x
              6. 802.1x with ACL Assignment
              7. Access Restrictions for 802.1x
        2. Diagnostic Commands and Tools
          1. Switch Management
          2. Identity-Based Network Services (IBNSs)
        3. Categorization of Problem Areas
          1. Switch Management Troubleshooting
            1. Login Authentication
              1. Configuration Steps
              2. Troubleshooting Steps
            2. Enable Password Authentication
              1. Configuration Steps
              2. Troubleshooting Steps
            3. Authorization
              1. Configuration Steps
              2. Troubleshooting Steps
            4. Accounting
              1. Configuration Steps
              2. Troubleshooting Steps
          2. Identity-Based Network Services (IBNSs)
            1. Configuration Steps
              1. Installation of Certificate
              2. Configuration of Authenticator (Switch)
              3. Configuration of Supplicant
              4. Configuration of ACS Server
          3. Authorization
            1. Troubleshooting Steps
              1. On the Windows Client
              2. On the Authenticator (Switch) Side
              3. On the Authentication Server Side
        4. Case Studies
          1. Configuring Automatic Client Enrollment on AD and Installing a Machine Certificate on a Windows Client
          2. Generating and Installing the CA Root Certificate on the ACS Server
          3. Generating and Installing an ACS Server Certificate on the ACS Server
        5. Common Problems and Resolutions
        6. Best Practices
          1. For Switch Management
          2. For Identity-Based Network Services (IBNSs)
      4. 12. Troubleshooting AAA on VPN 3000 Series Concentrator
        1. AAA Implementation on the Concentrator
          1. VPN Concentrator Management
          2. Tunnel Group and User Authentication
        2. Diagnostic Commands and Tools
        3. Analysis of Problem Areas
          1. VPN Concentrator Management Troubleshooting
            1. Configuration Steps
              1. Configuration on the Cisco Secure ACS
              2. Configuration on the VPN 3000 Concentrator
              3. Troubleshooting Steps
          2. Group/User Authentication (X-Auth) Troubleshooting
            1. Both Group and User Authentication Are Performed Locally on the VPN 3000 Concentrator
            2. Group Authentication Is Done Locally and No User Authentication Is Done
            3. Group Authentication Is Done Locally on VPN 3000 Concentrator and User Authentication Is Done with RADIUS Server
            4. Group Authentication Is Done with a RADIUS Server and User Authentication Is Done Locally
            5. Both Group and User Authentications Are Performed with the RADIUS Server
            6. User Is Locked to a Specific Group
            7. Dynamic Filters on the VPN 3000 Concentrator
            8. Configuration of Dynamic Filters on CiscoSecure ACS
              1. Using Cisco IOS/PIX RADIUS Attributes
              2. Using Downloadable PIX/IP ACLs
            9. Troubleshooting Steps
        4. Case Studies
          1. VPN 3000 Concentrator Configuration
            1. Group Configuration on the VPN 3000 Concentrator
            2. Defining the CS ACS RADIUS Server on VPN 3000 Concentrator
          2. CS ACS Windows Configuration
            1. AAA Client Definition for VPN 3000 Concentrator
            2. Configuring the Unknown User Policy for Windows NT/2000 Domain Authentication
            3. Testing the NT/RADIUS Password Expiration Feature
        5. Common Problems and Resolutions
        6. Best Practices
      5. 13. Troubleshooting Cisco Secure ACS on Windows
        1. Overview of CS ACS
          1. CS ACS Architecture
          2. The Life of an AAA Packet in CS ACS
        2. Diagnostic Commands and Tools
          1. Reports and Activity (Real-time Troubleshooting)
          2. Radtest and Tactest
          3. Package.cab File
        3. Categorization of Problem Areas
          1. Installation and Upgrade Issues
            1. CS ACS on Windows Platform
          2. CS ACS with Active Directory Integration
            1. Configuration Steps
            2. Troubleshooting Steps
              1. Windows Group to CS ACS Group Mapping Problems
              2. CS ACS Maps User to Wrong Group of CS ACS (Default Group)
          3. CS ACS with Novell NDS Integration
            1. Configuration Steps
            2. Troubleshooting Steps
              1. Novell Client Is Not Installed
              2. Revise the Configuration on CS ACS
              3. Check Admin Username
              4. Perform Group Mapping
              5. Authentication Failure with a Bad Password
              6. Authentication Failure When the User Does Not Exist
              7. Wrong Group Mapping
          4. CS ACS with ACE Server (Secure ID [SDI]) Integration
            1. Installation and Configuration Steps
            2. Troubleshooting Steps
          5. Replication Issues
            1. Configuration
            2. Troubleshooting Steps
          6. Network Access Restrictions (NARs) Issues
            1. Configuration Steps
            2. Troubleshooting Steps
          7. Downloadable ACL Issues
            1. Downloading ACL per User Basis Using Filter-id
            2. Using Cisco AV-Pair
            3. Using Shared Profile Components
            4. Troubleshooting Steps
        4. Case Studies
          1. Back Up and Restore the CS ACS Database
          2. Creating a Dump Text File
        5. User/NAS Import Options
          1. Import User Information
          2. Import NAS Information
          3. Compact User Database
          4. Export User and Group Information
        6. Common Problems and Resolutions
        7. Best Practices
    11. V. Troubleshooting Intrusion Prevention Systems
      1. 14. Troubleshooting Cisco Intrusion Prevention System
        1. Overview of IPS Sensor Software
          1. IPS Deployment Architecture
          2. IPS Software Building Blocks
            1. MainApp
            2. AnalysisEngine
            3. CLI
          3. Communication Protocols
          4. Modes of Sensor Operation
            1. Inline Mode
            2. Inline Bypass Mode
            3. Promiscuous Mode
            4. Combined Modes
          5. Hardware and Interfaces Supported
        2. Diagnostic Commands and Tools
          1. show Commands
            1. show version
            2. show configuration
            3. show events
            4. show statistics service
            5. show interfaces
            6. show tech-support
          2. cidDump Script
          3. tcpdump Command
          4. iplog
          5. packet Command
        3. Classification of Problem Areas
          1. Initial Setup Issues
          2. User Management Issues
            1. Creation and Modification of User Profiles
            2. Creating the Service Account
          3. Software Installation and Upgrade Issues
            1. Obtaining Sensor Software
            2. IPS Software Image Naming Conventions
              1. Platform-Dependent Image
              2. Platform-Independent Image
            3. Installing or Re-imaging the IPS Appliance System Image
              1. Using a CD-ROM
              2. Using TFTP Server
            4. Disaster Recovery Plan
              1. Recovering the Application Partition
              2. Upgrading the Recovery Partition Image
            5. Upgrading Major/Minor Software or Service Pack/Signature Update
              1. Automatic Upgrade Using the CLI of the Sensor
              2. Manual Upgrade With the CLI of the Sensor
            6. Upgrading to IPS 5.0
              1. Using System Image
              2. Using a Major Software Update
          4. Licensing Issues
            1. How Do I Know If I Have a Valid License?
              1. Using CLI
              2. Using IDM
            2. How to Procure the License Key from Cisco.com
            3. Licensing the Sensor
              1. Using IDM
              2. Using CLI
          5. Communication Issues
            1. Basic Connectivity Issues
            2. Connectivity Issues Between IPS Sensor and IPS MC or IDM
            3. Connectivity Issues Between IPS Sensor and Security Monitor
          6. Issues with Receiving Events on Monitoring Device
            1. SensorApp Is Not Running
            2. Physical Connectivity, SPAN, or VACL Port Issues
            3. Unable to See Alerts
          7. Blocking Issues
            1. Types of Blocking
            2. ACL or VACL Consideration on the Managed Devices
            3. Supported Managed Devices and Versions
            4. Proper Planning for Blocking
            5. Master Blocking Sensor (MBS)
            6. Configuration Steps for Blocking
            7. Configuration Steps for the Master Blocking Sensor (MBS)
            8. Troubleshooting Steps for Blocking
              1. Verifying That Blocking Is Functioning Correctly
              2. Network Access Controller (NAC) Is Not Running
              3. Sensor Is Unable to Connect to the Managed Devices
              4. Blocking Is Not Occurring for a Specific Signature
              5. Master Blocking Is Not Working
          8. TCP Reset Issues
          9. Inline IPS Issues
            1. Configuration Steps
              1. Switch Configuration Running Catalyst Software
              2. Switch Configuration Running Cisco IOS Software
              3. IPS Sensor Configuration
            2. Troubleshooting Steps
        4. Case Studies
          1. Capturing IPS Traffic with a Hub
          2. Capturing IPS Traffic with SPAN
            1. SPAN Terminology
            2. SPAN Traffic Types
            3. SPAN on Catalyst 2900/3500XL
              1. Configuration Steps
              2. Limitations
            4. SPAN on Catalyst 2950, 3550 and 3750
              1. Configuration Steps
              2. Limitations
            5. SPAN on Catalyst 4000/6000 with Cat OS
              1. Configuration Steps
            6. SPAN on Catalyst 4000/6000 with Native IOS
              1. Configuration Steps
          3. Capturing IPS Traffic with Remote SPAN (RSPAN)
            1. Hardware Requirements
            2. Configuration Steps
          4. Capturing IPS Traffic with VACL
          5. Capturing IPS Traffic with RSPAN and VACL
          6. Capturing IPS Traffic with MLS IP IDS
        5. Common Problems and Their Resolution
        6. Best Practices
          1. Preventive Maintenance
            1. Creation of Service Account
            2. Back up a Good Configuration
              1. Backup Locally on the Sensor
              2. Backup in Remote Server
          2. Recommendations on Connecting the Sensor to the Network
            1. Recommendation on Connecting the Sniffing Interface of the Sensor to the Network
            2. Rating the IPS Sensor
            3. Recommendation on Connecting the Command and Control Interface
          3. Recommendations on Signature Settings on the Sensor
          4. Recommendations on Inline-Mode Deployment
      2. 15. Troubleshooting IDSM-2 Blade on Switch
        1. Overview of IDSM-2 Blade on the Switch
          1. Software and Hardware Requirements
          2. Slot Assignment on the Switch
          3. Front Panel Indicator Lights and How to Use Them
          4. Installing the IDSM-2 Blade on the Switch
          5. Removing the IDSM-2 Blade from the Switch
          6. Ports Supported on IDSM-2 Blade
        2. Diagnostic Commands and Tools
          1. show Commands in Both Modes
          2. show Commands in CatOS
          3. show Commands in Native IOS
        3. Common Problems and Resolutions
          1. Hardware Issues
            1. IDSM-2 Hardware Issues on Native IOS
              1. Verify Hardware Operation
              2. Troubleshooting Steps
            2. IDSM-2 Hardware Issues on CatOS
              1. Verify Hardware Operation
              2. Troubleshooting Steps
          2. Communication Issues with IDSM-2 Command and Control Port
            1. Configuration Steps
              1. Switch Configuration
              2. IDSM-2 Configuration
            2. Troubleshooting Steps
          3. Failing to Get Traffic from the Switch with Promiscuous Mode
            1. Configuration Steps
              1. SPAN Configuration on Switch Running Native IOS
              2. VACL Configuration on Switch Running Native IOS
              3. MLS IP IDS Configuration on Switch Running Native IOS
              4. SPAN Configuration on Switch Running CatOS
              5. VACL Configuration on Switch Running CatOS
              6. MLS IP IDS Configuration on a Switch Running CatOS
              7. IDSM-2 Blade Configuration
            2. Troubleshooting Steps
          4. Issues with Inline Mode
          5. Issues with Events Not Being Generated
          6. TCP Reset Issues
        4. Case Study
          1. How to Re-image the IDSM-2 with the System Image
          2. How to Upgrade the Maintenance Partition
          3. How to Apply Signature, Service Pack, Minor, and Major Software Upgrades
          4. How to Upgrade the IDSM-2 Blade from IDSM 4.x to 5.x
        5. Common Problems and Resolutions
        6. Best Practices
      3. 16. Troubleshooting Cisco IDS Network Module (NM-CIDS)
        1. Overview of NM-CIDS on the Router
          1. Software and Hardware Requirements
            1. Front Panel Indicator Lights and How to Use Them
            2. Slot Assignment on the Router
            3. Installing NM-CIDS Blade on the Router
            4. Removing NM-CIDS Blade from the Router
          2. Ports Supported on NM-CIDS
        2. Diagnostic Commands and Tools
        3. Common Problems and Resolutions
          1. Hardware Issues
          2. NM-CIDS Console Access Issues
            1. Assigning an IP Address to the IDS-Sensor Interface on the Router
            2. Connecting to NM-CIDS
              1. Using the service-module Command
              2. Using Telnet
            3. Disconnecting from NM-CIDS
              1. Suspending a Session and Returning to the Router
              2. Closing an Open Session
            4. Troubleshooting Console Access Issues
          3. Communication Issues with NM-CIDS Command and Control Port
            1. Configuration Steps
            2. Troubleshooting Steps
          4. Issues with Not Receiving Traffic from the Router Using the Sniffing Port
            1. Configuration Steps
            2. Troubleshooting Steps
          5. Managing NM-CIDS from an IOS Router
          6. Software Installation and Upgrade Issues
        4. Case Studies
          1. CEF Forwarding Path
          2. IPS Insertion Points
          3. Network Address Translation (NAT)
          4. Encryption
          5. Access List Check
          6. IP Multicast, UDP Flooding, IP Broadcast
          7. Generic Routing Encapsulation (GRE) Tunnels
          8. Address Resolution Protocol (ARP) Packets
          9. Packets Dropped by the IOS
          10. Forwarding the Packets to the IDS at a Rate Higher Than the Internal Interface Can Handle
        5. Common Problems and Resolutions
          1. Re-imaging the NM-CIDS Application Partition
            1. Performing the Re-image of Application Partition
            2. Troubleshooting Steps
          2. Configuring Time on the NM-CIDS
            1. Default Behavior for Time Setting on NM-CIDS
            2. Using Network Time Protocol (NTP) Server
        6. Best Practices
      4. 17. Troubleshooting CiscoWorks Common Services
        1. Overview of CiscoWorks Common Services
          1. Communication Architecture
          2. User Management on CiscoWorks Common Services
        2. Diagnostic Commands and Tools
          1. How to Collect mdcsupport on a Windows Platform
          2. Categorization and Explanation of MDCSupport-Created Log Files
        3. Categorization of Problem Areas
          1. Licensing Issues
            1. Registration for CiscoWorks Common Services
            2. Installing/Upgrading the License Key for CiscoWorks Common Services
            3. Registration for the Management Center for Cisco Security Agents (CSA MC)
            4. Installing the License Key for the Management Center for Cisco Security Agents (CSA MC)
            5. Common Licensing Issues and Work-Arounds
          2. Installation Issues
            1. Installation Steps
            2. Troubleshooting Installation Problems
            3. User Management Issues
          3. Database Management Issues
            1. CiscoWorks Common Services Backup
            2. CiscoWorks Common Services Restore
        4. Case Studies
        5. Common Problems and Resolutions
        6. Best Practices
      5. 18. Troubleshooting IDM and IDS/IPS Management Console (IDS/IPS MC)
        1. Overview of IDM and IDS/IPS Management Console (IDS/IPS MC)
          1. IDS/IPS MC and Security Monitor Processes
          2. Communication Architecture
        2. Diagnostic Commands and Tools
          1. Audit Reports
          2. MDCSupport File
            1. How to Collect MDCSupport on a Windows Platform
            2. What to Look for and What Is Important in the MDCSupport File
          3. Enable Additional Debugging on IDS/IPS MC
        3. Analysis of Problem Areas
          1. Important Procedures and Techniques
            1. Verifying Allowed Hosts on the Sensor
            2. Adding Allowed Hosts on the Sensor
              1. Adding an Allowed Host by Running the setup Command on a Sensor
            3. Adding an Allowed Host Manually on a Sensor
            4. Verifying the SSH and SSL Connection Between IDS/IPS MC and a Sensor
            5. Resolving SSH and SSL Connection Problems Between IDS/IPS MC and a Sensor
            6. Verifying If the Sensor Processes Are Running
            7. Verifying the Service Pack or Signature Level the Sensor Is Running
            8. Verifying the Service Pack or Signature Level on IDS/IPS MC
            9. Verifying That the IDS/IPS MC (Apache) Certificate Is Valid
            10. Regenerating IDS/IPS MC (Apache) Certificate
            11. Resolving Issues with the IDS/IPS Sensor Being Unable to Get the Certificate
            12. Changing the VMS Server IP Address
            13. Manually Updating the Signature Level on the Sensor
              1. Creating a Service Account
              2. Update Locally over FTP/SCP
          2. Unable to Access the Sensor Using IDM
          3. IDS/IPS MC Installation and Upgrade Issues
          4. IDS/IPS MC Licensing Issues
            1. Corrupted License
            2. Determining If a License Is Expired
          5. Importing Sensor Issues with IDS/IPS MC
            1. Configuration Steps
            2. Troubleshooting Steps
          6. Signature or Service Pack Upgrade Issues with IDS/IPS MC
            1. Upgrade Procedure
            2. Troubleshooting Steps
          7. Configuration Deployment Issues with IDS/IPS MC
            1. Configuration Steps
            2. Troubleshooting Steps
          8. Database Maintenance (Pruning) Issues
        4. Case Study
          1. Launching the Attack and Blocking
          2. Troubleshooting Steps
        5. Common Problems and Resolutions
        6. Best Practices
      6. 19. Troubleshooting Firewall MC
        1. Overview of Firewall MC
          1. Firewall MC Processes
          2. Communication Architecture
        2. Diagnostic Commands and Tools
          1. Collecting the Debug Information (Diagnostics)
            1. Using GUI
            2. Using CLI
          2. What Does the CiscoWorks MDCSupport Utility Generate?
          3. Other Useful Log Files Not Collected by mdcsupport
        3. Analysis of Problem Areas
          1. Installation Issues
            1. Installation Verifications
            2. Installation Troubleshooting
          2. Initialization Issues
          3. Browser Issues
          4. Authentication Issues
            1. Firewall MC Authenticated by the Firewall During Configuration Import and Deployment
            2. Firewall MC Authenticated by the Auto Update Server During Configuration Deployment
            3. Firewalls Authenticated by the Auto Update Server During Configuration or Image Pulling
          5. Activity and Job Management Issues
            1. Unlocking of an Activity
              1. Using Firewall MC GUI
              2. Using Firewall MC Server CLI
            2. Stopping a Job from Being Deployed
          6. Device Import Issues
          7. Configuration Generation and Deployment Issues
            1. Firewall MC Is Unable to Push the Configuration to the AUS
            2. Getting the “Incomplete Auto Update Server contact info.” Message When Pushing the Configuration to AUS
            3. Memory Issues with Firewall Services Module (FWSM) During Deployment
          8. Database Management Issues
            1. Backing up and Restoring Databases
              1. Database Backup Procedure
              2. Database Restore Procedure
            2. Scheduling Checkpoint Events for the Database
            3. Compacting a Database for Performance Improvement
            4. Disaster Recovery Plan
              1. Configuring the Recovery Server
              2. Enabling the Recovery Server
        4. Common Problems and Resolutions
        5. Best Practices
      7. 20. Troubleshooting Router MC
        1. Overview of Router MC
          1. Router MC Processes
          2. Communication Architecture
          3. Features Introduced on Different Versions of Router MC
        2. Diagnostic Commands and Tools
          1. Setting the Logging Level
          2. Collecting the Debug Information (Diagnostics)
            1. Using a Graphical User Interface
            2. Using a Command Line Interface
            3. Collecting the Router MC Database
          3. Using the Log Files
          4. Reports
        3. Analysis of Problem Areas
          1. Installation and Upgrade Issues
          2. Initialization Issues
          3. Browser Issues
          4. Authentication Issues
            1. Authentication Issues with the Router MC
            2. Authentication Issues with the Managed Device Using SSH
          5. Activity and Job Management Issues
          6. Device Import Issues
          7. Configuration Generation and Deployment Issues
          8. Database Management Issues
            1. Backing Up and Restoring the Database
              1. Database Backup Procedure
              2. Database Restore Procedure
            2. Troubleshooting Router MC Backup/Restore Operations
        4. Case Study
          1. Understanding User Permissions
            1. CiscoWorks Server Roles and Router MC Permissions
            2. ACS Roles and Router MC Permissions
          2. Setting up Router MC to Work with ACS
            1. Step 1: Define the Router MC Server in ACS
            2. Step 2: Define the Login Module in CiscoWorks as TACACS+
            3. Step 3: Synchronize CiscoWorks Common Services with the ACS Server Configuration
            4. Step 4: Define Usernames, Device Groups, and User Groups in ACS
        5. Best Practices
      8. 21. Troubleshooting Cisco Security Agent Management Console (CSA MC) and CSA Agent
        1. Overview of CSA MC and Agent
          1. Management Model for CSAgent
          2. CSA MC Directory Structure
          3. Communication Architecture
          4. How Cisco Security Agents Protect Against Attacks
        2. Diagnostic Commands and Tools
          1. CSA MC Log
            1. Windows System Information
            2. Server Selftest Information
            3. CSA MC Log Directory
          2. CSA Agent Log
            1. CSA Agent Log Directory
            2. Turning on Debug Mode
            3. Details Log—csainfo.log file
            4. Logs for Blue Screen
            5. Rtrformat Utility
            6. Additional Logs Controlled by the Sysvars.cf file
        3. Categorization of Problem Areas
          1. Installation and Upgrade Issues
            1. New Installation Issues with CSA MC
              1. Local Database Installation
              2. Remote Database Installation with One CSA MC
              3. Remote Database Installation with Two CSA MCs
              4. CSA MC Prerequisites
              5. Manually Remove CSA MC
              6. CSA MC Installation Troubleshooting
            2. New Installation Issues with CSAgent
              1. Procuring CSAgent Software
              2. CSAgent Prerequisites
              3. Manual Removal of the CSAgent on Windows
              4. CSAgent Installation Troubleshooting
            3. Upgrade Issues with CSA MC
              1. CSA MC Upgrade Process on the Same System
              2. CSA MC Upgrade Process on a Separate System
              3. Naming Convention—After Upgrade
            4. CSAgent Update Issues
          2. Licensing Issues
            1. How to Procure the License
            2. How to Import the License
              1. Using a GUI
              2. Alternate Method
            3. Determining the Number of Desktop/Server Licenses That Are in Use
            4. Troubleshooting Licensing Issues
          3. CSA MC Launching Issues
            1. CSA MC Not Launching
              1. DNS Issue
              2. CSA Agent May Block Access
              3. No Free Disk Space
              4. Web Server Is Running on CSA MC Server
              5. Other Management Consoles Are Installed
              6. Licensing Problems
              7. Browser and Java Issues
              8. Certificate Problem
            2. CSA MC Is Launching, but Slowly
              1. Database Size Is High
              2. Unsupported Installation
              3. Look for Possible Bugs
          4. CSAgent Communication, Registration, and Polling Issues with CSA MC
          5. Application Issues with CSAgent
            1. How to Create Exceptions
            2. How to Disable Individual CSAgent Shims
            3. Disabling csauser.dll
            4. Creating Buffer Overflow Exclusions
            5. Troubleshooting Steps
          6. Report Generation Issues
          7. Profiler Issues
          8. Database Maintenance Issues
            1. Disaster Recovery Plan (DRP) for CSA MC
              1. Back up the CSA MC Database
              2. Restore the CSA MC Database on the Same Server
              3. Restore the CSA MC Database on a Different Server with a Different Name and IP Address
            2. Purging Events from the Database
              1. Automatic Purging
              2. On-demand Purging
              3. Purging Using CLI
            3. Compacting the Database
              1. Compacting MSDE (CSA MC Built-in Database)
              2. Compacting Full Version of SQL Server 2000
            4. Checking and Repairing the CSA MC MSDE Database
        4. Common Problems and Resolutions
        5. Best Practices
          1. Recommendation on Installation
          2. Test Mode
          3. Disaster Recovery for CSA
      9. 22. Troubleshooting IEV and Security Monitor
        1. Overview of IEV and Security Monitor
          1. Communication Architecture
          2. How Does It Work?
            1. RDEP/SDEE Collector Management
              1. Connection Status
              2. How Often Does Security Monitor Poll a Sensor?
            2. XML Parsing
            3. Alert Inserter
          3. IDS/IPS MC and Security Monitor Processes
          4. User Management for Security Monitor
        2. Diagnostic Commands and Tools
        3. Categorization of Problem Areas
          1. Installation Issues
          2. Issues with Launching
            1. DNS Issues
            2. Issues with Enabling SSL
            3. Getting Internal Server Error While Opening Security Monitor
            4. Security Monitor Takes a Long Time to Launch
            5. Page Cannot Be Found Error While Trying to Launch Security Monitor
            6. IDS/IPS MC Launches But Security Monitor Does Not
            7. Security Monitor Behaves Strangely
          3. Licensing Issues
          4. Device Management Issues
            1. Importing IDS Sensors from IDS/IPS MC
            2. Adding Other Devices
            3. IEV and Security Monitor Connect with Sensor
          5. Notification Issues
          6. Event Viewer Issues
            1. Launching the Event Viewer
            2. Using the Event Viewer
            3. Generating Events for Test
            4. Troubleshooting Steps
              1. Cannot Load Security Event Viewer
              2. No Events on Event Viewer from IDS/IPS Sensor Are Visible
              3. No Syslog Events from PIX Firewall or IOS Router in Security Monitor Event Viewer Are Visible
          7. Report Generation Issues
            1. Report Generation Fails
            2. Report Fails to Complete
          8. Database Maintenance Issues
            1. Proactive Measures Immediately After Installing the Security Monitor
              1. Redirect Archive Files Away from the Database Disk
              2. Redirect Backup Files Away from the Database Disk
              3. Create a New Database Rule
            2. Reactive Measures During Run Time
              1. Flow Rates of Events and Syslog Messages
              2. Monitoring the Size of Log Files
              3. Monitoring Database File Size
              4. Pruning
              5. DB Compact
              6. Database Rules
        4. Case Study
          1. Configuration Steps
          2. Troubleshooting E-mail Notification
        5. Common Problems and Resolutions
        6. Best Practices

    Product information

    • Title: Cisco Network Security Troubleshooting Handbook
    • Author(s): Mynul Hoda, CCIE No. 9159
    • Release date: November 2005
    • Publisher(s): Cisco Press
    • ISBN: 9781587051890