book

Cisco Network Security Troubleshooting Handbook

Name: Cisco Network Security Troubleshooting Handbook
Author: Mynul Hoda, - CCIE No. 9159
ISBN: 9781587051890

by Mynul Hoda, - CCIE No. 9159

November 2005

Intermediate to advanced

1152 pages

29h 9m

English

Cisco Press

Read now

Unlock full access

Copyright
Dedications
About the Author
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Command Syntax Conventions
Introduction
Goals and MethodsWho Should Read This Book?Strategies for Becoming an Efficient TroubleshooterHow This Book Is Organized
I. Troubleshooting Tools and Methodology
1. Troubleshooting Methods
Proactive Actions for Handling Network FailureTypes of FailureProblem-Solving ModelStep 1: Define the ProblemStep 2: Gather the FactsStep 3: Consider Possible ProblemsStep 4: Create an Action PlanStep 5: Implement the Action PlanStep 6: Observe ResultsStep 7: Repeat if NecessaryStep 8: Document the ChangesSummary
2. Understanding Troubleshooting Tools
Using Device Diagnostic Commandsshow Commandsdebug CommandsTest Commandsping Commandtraceroute Commandtelnet Commandnslookup CommandNetwork AnalyzersTrivial File Transfer Protocol (TFTP) ServerFTP ServerSyslog ServerAudit and Attack ToolsCore DumpUsing TFTPUsing FTPUsing rcpUsing a Flash DiskAdditional Configuration“Exception Memory” Commanddebug sanity CommandTesting the Core Dump Setup
II. Troubleshooting Cisco Secure Firewalls

3. Troubleshooting Cisco Secure PIX Firewalls
Overview of PIX FirewallASAPIX Packet ProcessingFile System OverviewAccess-Listtime-range KeywordEnable/DisableOutbound ACLnat-controlModular Policy Framework (MPF) ObjectiveTransparent FirewallDiagnostic Commands and Toolsshow Commandsshow xlate [detail]show connection [detail]show local-hostshow service-policyshow asp dropshow cpu usageshow trafficshow blocksshow output filtersshow tech-supportDebug Commandsdebug icmp tracedebug application_protocoldebug pix processdebug fixup tcp | udpcapture CommandSniffer CaptureSyslogTraceback/CrashinfoOther ToolsProblem Areas BreakdownLicensing IssuesPassword Recovery IssueSoftware Upgrade and Downgrade IssuesStandard Upgrade ProcedureUpgrade using ROM Monitor ModeDowngrade ProcedureUpgrading PIX Firewall in a Failover SetupConnection Issues Across PIX FirewallConfiguration StepsTroubleshooting StepsTransparent Firewall IssuesConfiguration StepsTroubleshooting StepsVirtual FirewallSecurity ContextHow the Virtual Firewall WorksLimitations of Virtual FirewallConfiguration StepsTroubleshooting StepsQuality of Service (QoS) IssuesPolicingLow Latency Queuing (LLQ)Troubleshooting StepsPerformance IssuesHigh CPU UtilizationHigh Memory UtilizationLarge ACLReverse DNS & IDENT ProtocolCase StudiesActive/Standby ModelActive/Active ModelHardware and License RequirementsSystem and User Failover GroupInitialization, Configuration Synchronization/Command ReplicationConfiguration ExamplesAsymmetrical Routing SupportTroubleshooting StepsCommon Problems and ResolutionsBest PracticesProtecting the PIX Firewall ItselfProtecting Network Resources
4. Troubleshooting Firewall Services Module
Overview of FWSM FirewallFWSM ArchitectureControl Plane (CP)Network Processors (NP)EtherChannelPacket FlowsDiagnostic Commands and ToolsShow Commandsshow Commands on the Switchshow Commands on the FWSMDebug CommandsSniffer on the FWSMSyslog on the FWSMSniffer CaptureAnalysis of Problem AreasLicensing IssuesHardware IssuesFirewall Module Administration IssuesFlashSetting the Boot Device (Route Processor)Maintenance PartitionPassword Recovery ProcedureUpgrading a New ImageUpgrading the Maintenance PartitionUpgrading Software ImagesConnection ProblemsConfiguration StepsTroubleshooting StepsAAA IssuesVirtual and Transparent FirewallHigh CPU IssuesIntermittent Packet Drops IssuesFailover IssuesFailover OperationsInitialization PhaseFailover ConditionsForced Reboot ConditionsMonitoringConfiguration StepsTroubleshooting StepsCase StudiesCase Study 1: Multiple SVI for FWSMWhy Change the Existing Model?Scenario One: DHCP Helper with FWSM 1.1(x)Scenario Two: Alternate ConfigurationCase Study 2: Understanding Access-List Memory UtilizationThe Compilation Process: Active and Backup TreesHow Memory Is Allocated: Release 1.1(x) or 2.2(1) in Single ModeHow memory is Allocated: Release 2.2(1) in Multiple ModeTrees and contexts: A Matter of MappingFWSM Release 2.3: The ACL Partition ManagerExamples of ACL CompilationAccess-lists: Best PracticesCommon Problems and ResolutionsBest Practices
5. Troubleshooting an IOS Firewall
Overview of IOS Firewall (CBAC)Single Channel Protocol InspectionUDP and CBACICMP and CBACApplication Layer Protocol (TCP-based) and CBACPreventing from Invalid Command ExecutionProtection from Malicious Java AppletsURL FilteringMulti-Channel Protocol InspectionNAT/PAT and CBACPort Application Mapping (PAM) and CBACDenial of Service (DoS) Detection And PreventionTCP Syn Flood and DoS Attack Launched by UDPFragmentationReal-Time Alerts and Audit TrailsInteraction of CBAC with IPsecTransparent Cisco IOS FirewallDiagnostic Commands and Toolsshow Commandsdebug commandsSyslogPacket Capture (Sniffer Traces)Categories of Problem AreasSelection of Software for IOS Firewall IssuesUnable to Connect (Inbound and Outbound) across CBACPacket Failure to Reach the Router’s Incoming InterfaceMisconfigured ACLMisconfigured NAT and RoutingIP Inspection Applied In the Wrong DirectionUDP Inspection Is Not ConfiguredReturn Traffic Might Not Be Coming Back to the RouterICMP Traffic Is Not InspectedThere Is a Problem with Inspecting Single Channel ProtocolRequired Multi-Channel Protocol is Not InspectedIP URL Filtering Blocking The ConnectionRedundancy or Asymmetric Routing ProblemsPerformance IssuesTimeouts for TCP, UDP, and DNSShort Threshold Values for Half-open and New ConnectionsHTTP Inspection DilemmaSwitching PathLarge ACLReverse DNS and IDENT ProtocolsRunning Older CodeIntermittent Packet DropsIP URL Filtering Is Not WorkingCase StudiesHow auth-proxy WorksMethod of AuthenticationSupported PlatformConfiguration StepsTroubleshooting auth-proxyCommon Problems and ResolutionsBest PracticesBasic Router SecurityAnti-spoofing Configuration
III. Troubleshooting Virtual Private Networks
6. Troubleshooting IPsec VPNs on IOS Routers
Overview of IPsec ProtocolEncryption and DecryptionSymmetric AlgorithmsAsymmetric AlgorithmsDigital SignaturesSecurity ProtocolsAuthentication Header (AH)Encapsulating Security Header (ESP)Transport ModeTunnel ModeSecurity Associations (SAs)SA and Key Management with IKE ProtocolIKE Phase 1Main Mode NegotiationAggressive Mode NegotiationIKE Phase 2Diagnostic Commands and Toolsshow Commandsshow Command for Phase Ishow Commands for Phase IIshow Commands for Interface Countersshow Command for Verifying IPsec ConfigurationCommands for Tearing Down Tunneldebug CommandsAnalysis of Problem AreasBasic LAN-to-LAN TroubleshootingSuccessful LAN-to-LAN Tunnel Establishment ProcessTunnel Establishment Fails at Phase ITunnel Establishment Fails at Phase IITunnel Is Established but Unable To Pass TrafficGRE over IPsecConfiguration StepsTroubleshooting StepsPublic Key Infrastructure (PKI) TroubleshootingConfiguration StepsTroubleshooting StepsCertificate Enrollment Process FailureCertificate Enrollment Is Fine but IKE Authentication Still FailsRemote Access Client VPN ConnectionConfiguration StepsTroubleshooting StepsCase StudiesDMVPN ArchitectureMultipoint GRE Tunnel Interface (mGRE Interface)Next Hop Resolution Protocol (NHRP)Configuration StepsTroubleshooting DMVPNNHRP Mapping ProblemCrypto Socket Creation ProblemCrypto VPN problemDynamic Routing Protocol ProblemPassing Data Across an Established Tunnel ProblemCommon Problems and ResolutionsNAT With IPsec IssuesNAT in the Tunnel End PointsNAT in the MiddleFirewall and IPsec IssuesMaximum Transmission Unit (MTU) IssuesSplit Tunneling IssuesBest PracticesStateful FailoverStateless FailoverLoss of Connection Detection MechanismStateless Failover Mechanism OptionsBackup Peer for Basic LAN-to-LAN IPsecHot Standby Routing Protocol (HSRP) and Reverse Route Injection (RRI)Generic Routing Encapsulation (GRE) Tunnels over IPsec
7. Troubleshooting IPsec VPN on PIX Firewalls
Overview of IPsec ProtocolDiagnostic Commands and Toolsshow Commandsdebug CommandsCategorization of Problem AreasLAN-to-LAN TroubleshootingConfiguration StepsTroubleshooting StepsTunnel Is Not Established: Phase I FailureTunnel Is Not Established: Phase II FailureTunnel Is Established Completely But Cannot Pass DataRemote Access VPN TroubleshootingConfiguration StepsTroubleshooting StepsTunnel Is Not EstablishedTunnel Is Established Completely But Unable to Pass DataCase StudiesCommon Problems and ResolutionsNAT with IPsec IssuesNAT in the tunnel End PointNAT Device In the Middle of Tunnel End PointsIPsec over NAT Transparency (NAT-T)IPsec over TCPWhen to Use NAT-T or IPsec over TCP/UDP?Firewall and IPsecMaximum Transmission Unit (MTU) IssuesSplit Tunneling IssuesBest PracticesDead Peer Discovery (DPD)Reverse Route Injection (RRI)Stateful Failover For VPN Connections
8. Troubleshooting IPsec VPNs on VPN 3000 Series Concentrators
Diagnostic Commands and ToolsDebug ToolMonitoring ToolAdminister SessionsConfiguration FilesLED IndicatorsCrash Dump FileVPN Client LogAnalysis of Problem AreasLAN-to-LAN Tunnel IssuesConfiguration StepsTroubleshooting StepsTunnel Not EstablishedTunnel is Established but Unable to Pass TrafficInterpretability issues with other vendorsRemote Access VPN ConnectionConfiguration StepsVPN Concentrator ConfigurationVPN Client ConfigurationTroubleshooting StepsVPN Client Cannot ConnectVPN Client can Connect but Tunnel Is Not Passing TrafficVPN Client can connect but User Cannot Access the InternetVPN Client Can Connect But Users Cannot Access the Local LANDigital Certificate IssuesDigital Certificate on the VPN ClientDigital Certificate on the VPN ConcentratorTroubleshooting StepsCase StudiesClientless SSL VPNConfiguration Steps for Basic SSL VPN ConnectionTroubleshooting Steps for Basic SSL VPN ConnectionInability to Establish SSL Session with VPN 3000 ConcentratorInability to Log in to VPN 3000 ConcentratorConfiguration Steps for Web Server AccessTroubleshooting Steps For Web Server AccessTurning on WEBVPN Event Class for LoggingInability to Browse to WebsiteWebsite Displays IncorrectlyConfiguration Steps for CIFS AccessTroubleshooting Steps for CIFS AccessThin ClientConfiguration Steps for Port ForwardingJava Applet DebuggingTroubleshooting Steps for Port ForwardingConfiguration Steps for MAPI ProxyTroubleshooting Steps for MAPI ProxyConfiguration Steps for E-mail ProxyTroubleshooting Steps for E-mail ProxyThick Client (SSL VPN Client)Configuration Steps for SSL VPN ClientTroubleshooting Steps for SSL VPN Client (SVC)SSL VPN Client Establishment IssuesSSL VPN Client Installation IssuesCommon Problems and ResolutionsBest PracticesRedundancy Using VRRPRedundancy and Load Sharing Using ClusteringRedundancy Using IPsec Backup Servers
IV. Troubleshooting Network Access Control
9. Troubleshooting AAA on IOS Routers
Overview of Authentication, Authorization, and Accounting (AAA)AAA ArchitectureAAA Communication ProtocolsTACACS+TACACS+ Operation for AuthenticationTACACS+ Operation for AuthorizationTACACS+ Operation for AccountingRADIUSRADIUS Operation for Authentication and AuthorizationRADIUS Operation for AccountingDifference between RADIUS and TACACS+Diagnostic Commands and Toolsshow Commandsdebug CommandsAnalysis of Problem AreasRouter Management TroubleshootingLogin AuthenticationConfiguration StepsTroubleshooting StepsEnable Password AuthenticationExec AuthorizationCommand AuthorizationAccountingDialup Networking TroubleshootingAuthentication and Authorization for Dialup NetworkingDownloading ACL per User Basis Using Filter-idDownloading ACL/ROUTES, WINS, and DNS IP Using AV PairAccounting for Dialup NetworkingX-Auth Troubleshooting for IPsecAuth-proxy TroubleshootingCase StudiesRouter ConfigurationLAC ConfigurationRADIUS Server ConfigurationLAC RADIUS ConfigurationLNS RADIUS ConfigurationTroubleshooting StepsLAC Router TroubleshootingLNS Router TroubleshootingCommon Problems and ResolutionsBest Practices
10. Troubleshooting AAA on PIX Firewalls and FWSM
Overview of Authentication, Authorization, and Accounting (AAA)AuthenticationAuthorizationAuthorization for an Administrative SessionAuthorization for VPN Connection (X-Auth)AccountingDiagnostic Commands and Toolsshow commandsdebug CommandsSyslogOther Useful ToolsProblem Areas AnalysisFirewall Management with AAA TroubleshootingLogin Authentication IssuesConfiguring Basic Authentication with Different Communication Methods on the FirewallConfiguring Local User Database AuthenticationConfiguring External AAA Server AuthenticationConfiguring Fallback Method for AuthenticationTroubleshooting Login AuthenticationEnable AuthenticationConfiguring Enable AuthenticationTroubleshooting Enable AuthenticationCommand AuthorizationCommand Authorization Based on Enable Password Privilege LevelCommand Authorization Using Local User DatabaseCommand Authorization Using an External AAA ServerTroubleshooting StepsAccountingCut-Through Proxy AuthenticationAuthentication for Cut-Through ProxyCut-Through Proxy Authentication with Local User DatabaseCut-Through Proxy Authentication Using RADIUS or TACACS+ ProtocolTroubleshooting Cut-Through Proxy AuthenticationAuthorization for Cut-Through ProxyConfiguring Cut-through Proxy Authorization using the TACACS+ ProtocolTroubleshooting Cut-Through Proxy Authorization using the TACACS+ ProtocolConfiguring Cut-through Proxy Authorization using the RADIUS ProtocolTroubleshooting Cut-Through Proxy Authorization using the RADIUS ProtocolAccounting for Cut-Through ProxyExtended Authentication (X-Auth) Issues for Remote Access VPN ConnectionConfiguration StepsTroubleshooting TechniquesCase StudiesCase Study 1: AAA ExemptionIP ExemptionMAC ExemptionCase Study 2: Virtual TelnetConfiguring Virtual TelnetTroubleshooting Virtual TelnetCase Study 3: Virtual HTTPCommon Problems and ResolutionsBest Practices
11. Troubleshooting AAA on the Switches
Overview of AAASwitch ManagementIdentity-Based Network Services (IBNSs)IEEE 802.1x FrameworkEAP encapsulation over LANs (EAPOL)Standard 802.1x OperationExtensible Authentication Protocol (EAP)RADIUS IN 802.1xWhat Is AuthenticatedMachine AuthenticationAuthorizationAccountingRADIUS Accounting Session Start/Stop RecordsRADIUS Accounting and Attribute-Value PairsExtension of IEEE 802.1x Standard by Cisco IBNS Initiative802.1x with VLAN Assignment802.1x with Port Security802.1x with Voice VLAN ID802.1x Guest VLANHigh Availability for 802.1x802.1x with ACL AssignmentAccess Restrictions for 802.1xDiagnostic Commands and ToolsSwitch ManagementIdentity-Based Network Services (IBNSs)Categorization of Problem AreasSwitch Management TroubleshootingLogin AuthenticationConfiguration StepsTroubleshooting StepsEnable Password AuthenticationConfiguration StepsTroubleshooting StepsAuthorizationConfiguration StepsTroubleshooting StepsAccountingConfiguration StepsTroubleshooting StepsIdentity-Based Network Services (IBNSs)Configuration StepsInstallation of CertificateConfiguration of Authenticator (Switch)Configuration of SupplicantConfiguration of ACS ServerAuthorizationTroubleshooting StepsOn the Windows ClientOn the Authenticator (Switch) SideOn the Authentication Server SideCase StudiesConfiguring Automatic Client Enrollment on AD and Installing a Machine Certificate on a Windows ClientGenerating and Installing the CA Root Certificate on the ACS ServerGenerating and Installing an ACS Server Certificate on the ACS ServerCommon Problems and ResolutionsBest PracticesFor Switch ManagementFor Identity-Based Network Services (IBNSs)
12. Troubleshooting AAA on VPN 3000 Series Concentrator
AAA Implementation on the ConcentratorVPN Concentrator ManagementTunnel Group and User AuthenticationDiagnostic Commands and ToolsAnalysis of Problem AreasVPN Concentrator Management TroubleshootingConfiguration StepsConfiguration on the Cisco Secure ACSConfiguration on the VPN 3000 ConcentratorTroubleshooting StepsGroup/User Authentication (X-Auth) TroubleshootingBoth Group and User Authentication Are Performed Locally on the VPN 3000 ConcentratorGroup Authentication Is Done Locally and No User Authentication Is DoneGroup Authentication Is Done Locally on VPN 3000 Concentrator and User Authentication Is Done with RADIUS ServerGroup Authentication Is Done with a RADIUS Server and User Authentication Is Done LocallyBoth Group and User Authentications Are Performed with the RADIUS ServerUser Is Locked to a Specific GroupDynamic Filters on the VPN 3000 ConcentratorConfiguration of Dynamic Filters on CiscoSecure ACSUsing Cisco IOS/PIX RADIUS AttributesUsing Downloadable PIX/IP ACLsTroubleshooting StepsCase StudiesVPN 3000 Concentrator ConfigurationGroup Configuration on the VPN 3000 ConcentratorDefining the CS ACS RADIUS Server on VPN 3000 ConcentratorCS ACS Windows ConfigurationAAA Client Definition for VPN 3000 ConcentratorConfiguring the Unknown User Policy for Windows NT/2000 Domain AuthenticationTesting the NT/RADIUS Password Expiration FeatureCommon Problems and ResolutionsBest Practices
13. Troubleshooting Cisco Secure ACS on Windows
Overview of CS ACSCS ACS ArchitectureThe Life of an AAA Packet in CS ACSDiagnostic Commands and ToolsReports and Activity (Real-time Troubleshooting)Radtest and TactestPackage.cab FileCategorization of Problem AreasInstallation and Upgrade IssuesCS ACS on Windows PlatformCS ACS with Active Directory IntegrationConfiguration StepsTroubleshooting StepsWindows Group to CS ACS Group Mapping ProblemsCS ACS Maps User to Wrong Group of CS ACS (Default Group)CS ACS with Novell NDS IntegrationConfiguration StepsTroubleshooting StepsNovell Client Is Not InstalledRevise the Configuration on CS ACSCheck Admin UsernamePerform Group MappingAuthentication Failure with a Bad PasswordAuthentication Failure When the User Does Not ExistWrong Group MappingCS ACS with ACE Server (Secure ID [SDI]) IntegrationInstallation and Configuration StepsTroubleshooting StepsReplication IssuesConfigurationTroubleshooting StepsNetwork Access Restrictions (NARs) IssuesConfiguration StepsTroubleshooting StepsDownloadable ACL IssuesDownloading ACL per User Basis Using Filter-idUsing Cisco AV-PairUsing Shared Profile ComponentsTroubleshooting StepsCase StudiesBack Up and Restore the CS ACS DatabaseCreating a Dump Text FileUser/NAS Import OptionsImport User InformationImport NAS InformationCompact User DatabaseExport User and Group InformationCommon Problems and ResolutionsBest Practices
V. Troubleshooting Intrusion Prevention Systems
14. Troubleshooting Cisco Intrusion Prevention System
Overview of IPS Sensor SoftwareIPS Deployment ArchitectureIPS Software Building BlocksMainAppAnalysisEngineCLICommunication ProtocolsModes of Sensor OperationInline ModeInline Bypass ModePromiscuous ModeCombined ModesHardware and Interfaces SupportedDiagnostic Commands and Toolsshow Commandsshow versionshow configurationshow eventsshow statistics serviceshow interfacesshow tech-supportcidDump Scripttcpdump commandiplogpacket CommandClassification of Problem AreasInitial Setup IssuesUser Management IssuesCreation and Modification of User ProfilesCreating the Service AccountSoftware Installation and Upgrade IssuesObtaining Sensor SoftwareIPS Software Image Naming ConventionsPlatform-Dependent ImagePlatform-Independent ImageInstalling or Re-imaging the IPS Appliances System ImageUsing a CD-ROMUsing TFTP ServerDisaster Recovery PlanRecovering the Application PartitionUpgrading the Recovery Partition ImageUpgrading Major/Minor Software or Service Pack/Signature UpdateAutomatic Upgrade Using the CLI of the SensorManual Upgrade With the CLI of the SensorUpgrading to IPS 5.0Using System ImageUsing a Major Software UpdateLicensing IssuesHow Do I Know if I have A Valid License?Using CLIUsing IDMHow to Procure The License Key From Cisco.comLicensing the SensorUsing IDMUsing CLICommunication IssuesBasic Connectivity IssuesConnectivity Issues Between IPS Sensor and IPS MC or IDMConnectivity Issues Between IPS Sensor and Security MonitorIssues with Receiving Events on Monitoring DeviceSensorApp Is Not RunningPhysical Connectivity, SPAN, or VACL Port IssuesUnable to See AlertsBlocking IssuesTypes of BlockingACL or VACL Consideration on the Managed DevicesSupported Managed Devices and VersionsProper Planning for BlockingMaster Blocking Sensor (MBS)Configuration Steps for BlockingConfiguring Steps for the Master Blocking Sensor (MBS)Troubleshooting Steps for BlockingVerifying that Blocking is Functioning CorrectlyNetwork Access Controller (NAC) is not runningSensor is Unable to Connect to the Managed DevicesBlocking is Not Occurring for a Specific SignatureMaster Blocking is Not WorkingTCP Reset IssuesInline IPS IssuesConfiguration StepsSwitch Configuration Running Catalyst SoftwareSwitch Configuration Running Cisco IOS SoftwareIPS Sensor ConfigurationTroubleshooting StepsCase StudiesCapturing IPS Traffic with a HubCapturing IPS Traffic with SPANSPAN TerminologySPAN Traffic TypesSPAN on Catalyst 2900/3500XLConfiguration StepsLimitationsSPAN on Catalyst 2950, 3550 and 3750Configuration StepsLimitationsSPAN on Catalyst 4000/6000 with Cat OSConfiguration StepsSPAN on Catalyst 4000/6000 with Native IOSConfiguration StepsCapturing IPS Traffic with Remote SPAN (RSPAN)Hardware RequirementsConfiguration StepsCapturing IPS Traffic with VACLCapturing IPS Traffic with RSPAN and VACLCapturing IPS Traffic with MLS IP IDSCommon Problems and Their ResolutionBest PracticesPreventive MaintenanceCreation of Service AccountBack up a Good ConfigurationBackup Locally on the SensorBackup in Remote ServerRecommendation on Connecting Sensor to the NetworkRecommendation on Connecting the Sniffing Interface of the Sensor to the NetworkRating IPS SensorRecommendation on Connecting Command and Control InterfaceRecommendation on Settings of Signature on SensorRecommendation on Inline-Mode Deployment
15. Troubleshooting IDSM-2 Blade on Switch
Overview of IDSM-2 Blade on the SwitchSoftware and Hardware RequirementsSlot Assignment on the SwitchFront Panel Indicator Lights and How to Use ThemInstalling the IDSM-2 Blade on the SwitchRemoving the IDSM-2 Blade from the SwitchPorts Supported on IDSM-2 BladeDiagnostic Commands and Toolsshow Commands in Both Modesshow Commands in CatOSshow Commands in Native IOSCommon Problems and ResolutionsHardware IssuesIDSM-2 Hardware Issues on Native IOSVerify Hardware OperationTroubleshooting StepsIDSM-2 HW Issue on CatOSVerify Hardware OperationTroubleshooting StepsCommunication Issues with IDSM-2 Command and Control PortConfiguration StepsSwitch ConfigurationIDSM-2 ConfigurationTroubleshooting StepsFailing to Get Traffic from the Switch with Promiscuous ModeConfiguration StepsSPAN Configuration on Switch Running Native IOSVACL Configuration on Switch Running Native IOSMLS IP IDS Configuration on Switch Running Native IOSSPAN Configuration on Switch Running CatOSVACL Configuration on Switch Running CatOSMLS IP IDS Configuration on a Switch Running CatOSIDSM-2 Blade ConfigurationTroubleshooting StepsIssues with Inline ModeNot Generating Events IssuesTCP Reset IssuesCase StudyHow to Re-image the IDSM-2 with System ImageHow to Upgrade the Maintenance PartitionHow to Upgrade the Signature/Service Packs/Minor/Major Software UpgradeHow to Upgrade the IDSM-2 Blade from IDSM 4.x to 5.xCommon Problems and ResolutionsBest Practices
16. Troubleshooting Cisco IDS Network Module (NM-CIDS)
Overview of NM-CIDS on the RouterSoftware and Hardware RequirementsFront Panel Indicator Lights and How to Use ThemSlot Assignment on the RouterInstalling NM-CIDS Blade on the RouterRemoving NM-CIDS Blade from the RouterPorts Supported on NM-CIDSDiagnostic Commands and ToolsCommon Problems and ResolutionsHardware IssuesNM-CIDS Console Access IssuesAssigning IP Address to the IDS-Sensor Interface on the RouterConnecting to NM-CIDSUsing the service-module CommandUsing TelnetDisconnecting from NM-CIDSSuspending a Session and Returning to the RouterClosing an Open SessionTroubleshooting Console Access IssuesCommunication Issues with NM-CIDS Command and Control PortConfiguration StepsTroubleshooting StepsIssues with Not Receiving Traffic from the Router Using the Sniffing PortConfiguration StepsTroubleshooting StepsManaging NM-CIDS from an IOS RouterSoftware Installation and Upgrade IssuesCase StudiesCEF Forwarding PathIPS Insertion PointsNetwork Address Translation (NAT)EncryptionAccess List CheckIP Multicast, UDP Flooding, IP BroadcastGeneric Routing Encapsulation (GRE) TunnelsAddress Resolution Protocol (ARP) PacketsPackets Dropped by the IOSForwarding the Packets to the IDS at a Rate Higher Than the Internal Interface Can HandleCommon Problems and ResolutionsRe-imaging the NM-CIDS Application PartitionPerforming the Re-image of Application PartitionTroubleshooting StepsConfiguring Time on the NM-CIDSDefault Behavior for Time Setting on NM-CIDSUsing Network Time Protocol (NTP) ServerBest Practices
17. Troubleshooting CiscoWorks Common Services
Overview of CiscoWorks Common ServicesCommunication ArchitectureUser Management on CiscoWorks Common ServicesDiagnostic Commands and ToolsHow to Collect mdcsupport on a Windows PlatformCategorization and Explanation of MDCSupport-Created Log FilesCategorization of Problem AreasLicensing IssuesRegistration for CiscoWorks Common ServicesInstalling/Upgrading the License Key for CiscoWorks Common ServicesRegistration for the Management Center for Cisco Security Agents (CSA MC)Installing the License Key for the Management Center for Cisco Security Agents (CSA MC)Common Licensing Issues and Work-AroundsInstallation IssuesInstallation StepsTroubleshooting Installation ProblemsUser Management IssuesDatabase Management IssuesCiscoWorks Common Services BackupCiscoWorks Common Services RestoreCase StudiesCommon Problems and ResolutionsBest Practices
18. Troubleshooting IDM and IDS/IPS Management Console (IDS/IPS MC)
Overview of IDM and IDS/IPS Management Console (IDS/IPS MC)IDS/IPS MC and Security Monitor ProcessesCommunication ArchitectureDiagnostic Commands and ToolsAudit ReportsMDCSupport FileHow to Collect MDCSupport on a Windows PlatformWhat to Look for and What Is Important in the MDCSupport FileEnable Additional Debugging on IDS/IPS MCAnalysis of Problem AreasImportant Procedures and TechniquesVerifying Allowed Hosts on the SensorAdding Allowed Hosts on the SensorAdding an Allowed Host By Running setup Command on a SensorAdding an Allowed Host Manually on a SensorVerifying the SSH and SSL Connection Between IDS/IPS MC and a SensorResolving SSH and SSL Connection Problems Between IDS/IPS MC and a SensorVerifying If the Sensor Processes Are RunningVerifying That the Service Pack or Signature Level Sensor Is RunningVerifying the Service Pack or Signature Level on IDS/IPS MCVerifying That the IDS/IPS MC (Apache) Certificate Is ValidRegenerating IDS/IPS MC (Apache) CertificateResolving Issues with the IDS/IPS Sensor Being Unable to Get the CertificateChanging the VMS Server IP AddressManually Updating the Signature Level on the SensorCreating a Service AccountUpdate Locally Over ftp/scpUnable to Access the Sensor Using IDMIDS/IPS MC Installation and Upgrade IssuesIDS/IPS MC Licensing IssuesCorrupted LicenseDetermining If a License Is ExpiredImporting Sensor Issues with IDS/IPS MCConfiguration StepsTroubleshooting StepsSignature or Service Pack Upgrade Issues with IDS/IPS MCUpgrade ProcedureTroubleshooting StepsConfiguration Deployment Issues with IDS/IPS MCConfiguration StepsTroubleshooting StepsDatabase Maintenance (Pruning) IssuesCase StudyLaunch the Attack and BlockingTroubleshooting StepsCommon Problems and ResolutionsBest Practices
19. Troubleshooting Firewall MC
Overview of Firewall MCFirewall MC ProcessesCommunication ArchitectureDiagnostic Commands and ToolsCollecting the Debug Information (Diagnostics)Using GUIUsing CLIWhat Does the CiscoWorks MDCSupport Utility Generate?Other Useful Log Files Not Collected by mdcsupportAnalysis of Problem AreasInstallation IssuesInstallation VerificationsInstallation TroubleshootingInitialization IssuesBrowser IssuesAuthentication IssuesFirewall MC Authenticated by the Firewall During Configuration Import and DeploymentFirewall MC Authenticated by the Auto Update Server During Configuration DeploymentFirewalls Authenticated by the Auto Update Server During Configuration or Image PullingActivity and Job Management IssuesUnlocking of an ActivityUsing Firewall MC GUIUsing Firewall MC Server CLIStopping a Job from Being DeployedDevice Import IssuesConfiguration Generation and Deployment IssuesFirewall MC is Unable To Push the Configuration to the AUSGetting “Incomplete Auto Update Server contact info.” Message when Pushing The Configuration to AUSMemory Issues with Firewall Services Module (FWSM) during DeploymentDatabase Management IssuesBacking up and Restoring DatabasesDatabase Backup ProcedureDatabase Restore ProcedureScheduling Checkpoint Events for the DatabaseCompacting a Database for Performance ImprovementDisaster Recovery PlanConfiguring the Recovery ServerEnabling the Recovery ServerCommon Problems and ResolutionsBest Practices
20. Troubleshooting Router MC
Overview of Router MCRouter MC ProcessesCommunication ArchitectureFeatures Introduced on Different Versions of Router MCDiagnostic Commands and ToolsSetting the Logging LevelCollecting the Debug Information (Diagnostics)Using a Graphic User InterfaceUsing a Command Line InterfaceCollecting the Router MC DatabaseUsing the Log FilesReportsAnalysis of Problem AreasInstallation and Upgrade IssuesInitialization IssuesBrowser IssuesAuthentication IssuesAuthentication Issues with the Router MCAuthentication Issues with the Managed Device Using SSHActivity and Job Management IssuesDevice Import IssuesConfiguration Generation and Deployment IssuesDatabase Management IssuesBacking up and Restoring DatabaseDatabase Backup ProcedureDatabase Restore ProcedureTroubleshooting Router MC Backup/Restore OperationsCase StudyUnderstanding User PermissionsCiscoWorks Server Roles and Router MC PermissionsACS Roles and Router MC PermissionsSetting up Router MC to Work with ACSStep 1: Define the Router MC Server in ACSStep 2: Define the Login Module in CiscoWorks as TACACS+Step 3: Synchronize CiscoWorks Common Services with the ACS Server ConfigurationStep 4: Define Usernames, Device Groups, And User Groups in ACSBest Practices
21. Troubleshooting Cisco Security Agent Management Console (CSA MC) and CSA Agent
Overview of CSA MC and AgentManagement Model for CSAgentCSA MC Directory StructureCommunication ArchitectureHow Cisco Security Agents Protect Against AttacksDiagnostic Commands and ToolsCSA MC LogWindows System InformationServer Selftest InformationCSA MC Log DirectoryCSA Agent LogCSA Agent Log DirectoryTurning on Debug ModeDetails Log—csainfo.log fileLogs for Blue ScreenRtrformat UtilityAdditional Logs Controlled by the Sysvars.cf fileCategorization of Problem AreasInstallation and Upgrade IssuesNew Installation Issues with CSA MCLocal Database InstallationRemote Database Installation with One CSA MCRemote Database Installation with two CSA MCsCSA MC PrerequisitesManually Remove CSA MCCSA MC Installation TroubleshootingNew Installation Issues with CSAgentProcuring CSAgent SoftwareCSAgent PrerequisitesManual Removal of the CSAgent on WindowsCSAgent Installation TroubleshootingUpgrade Issues with CSA MCCSA MC Upgrade Process on the Same SystemCSA MC Upgrade Process on a Separate SystemNaming Convention—After UpgradeCSAgent Update IssuesLicensing IssuesHow to Procure the LicenseHow to Import the LicenseUsing a GUIAlternate MethodDetermining the Number of Desktop/Server Licenses That Are in UseTroubleshooting Licensing IssuesCSA MC Launching IssuesCSA MC Not LaunchingDNS IssueCSA Agent May Block AccessNo Free Disk SpaceWeb Server is Running on CSA MC ServerOther Management Consoles Are InstalledLicensing ProblemsBrowser and Java IssuesCertificate ProblemCSA MC Is Launching, but SlowlyDatabase Size Is HighUnsupported InstallationLook for Possible BugsCSAgent Communication, Registration, and Polling Issues with CSA MCApplication Issues with CSAgentHow to Create ExceptionsHow to Disable Individual CSAgent ShimsDisabling csauser.dllCreating Buffer Overflow ExclusionsTroubleshooting StepsReport Generation IssuesProfiler IssuesDatabase Maintenance IssuesDisaster Recovery Plan (DRP) for CSA MCBack up the CSA MC DatabaseRestore the CSA MC Database on the Same ServerRestore the CSA MC Database on a Different Server with a Different Name and IP AddressPurging Events from the DatabaseAutomatic PurgingOn-demand PurgingPurging Using CLICompacting the DatabaseCompacting MSDE (CSA MC Built-in Database)Compacting Full Version Of SQL Server 2000Checking and Repairing the CSA MC MSDE DatabaseCommon Problems and ResolutionsBest PracticesRecommendation on InstallationTest ModeDisaster Recovery for CSA
22. Troubleshooting IEV and Security Monitors
Overview of IEV and Security MonitorCommunication ArchitectureHow Does It Work?RDEP/SDEE Collector ManagementConnection StatusHow Often Does Security Monitor Poll a Sensor?XML ParsingAlert InserterIDS/IPS MC and Security Monitor ProcessesUser Management for Security MonitorDiagnostic Commands and ToolsCategorization of Problem AreasInstallation IssuesIssues with LaunchingDNS IssuesIssues with Enabling SSLGetting Internal Server Error While Opening Security MonitorSecurity Monitor Takes a Long Time to LaunchPage Cannot Be Found Error While Trying to Launch Security MonitorIDS/IPS MC Launches But Security Monitor Does NotSecurity Monitor Behaves StrangelyLicensing IssuesDevice Management IssuesImporting IDS Sensors from IDS/IPS MCAdding Other DevicesIEV and Security Monitor Connect with SensorNotification IssuesEvent Viewer IssuesLaunching the Event ViewerUsing the Event ViewerGenerating Events for TestTroubleshooting StepsCannot Load Security Event ViewerNo Events on Event Viewer from IDS/IPS Sensor Are VisibleNo Syslog Events from PIX Firewall Or IOS Router in Security Monitor Event Viewer Are VisibleReport Generation IssuesReport Generation FailsReport Fails to CompleteDatabase Maintenance IssuesProactive Measures Immediately After Installing the Security MonitorRedirect Archive Files Away from the Database DiskRedirect Backup Files Away from the Database DiskCreate a New Database RuleReactive Measures During Run TimeFlow Rates of Events and Syslog MessagesMonitoring the Size of Log FilesMonitoring Database File SizePruningDB CompactDatabase RulesCase StudyConfiguration StepsTroubleshoot E-mail NotificationCommon Problems and ResolutionsBest Practices

Content preview from Cisco Network Security Troubleshooting Handbook

Chapter 7. Troubleshooting IPsec VPN on PIX Firewalls

Virtual Private Network (VPN) implementation on the PIX Firewall is very similar to the IOS Router with a few exceptions. This chapter examines the difference in detail and explores both LAN-to-LAN and Remote Access VPN implementations and troubleshooting using IP Security Protocol (IPsec) on the PIX Firewall. The discussion of this chapter is based on PIX Firewall version 7.0. The same code which runs on ASA 5500 Series Appliances has some additional VPN features (for example, secure sockets layer [SSL] VPN), and will not be discussed in this chapter, as these features are not available on the PIX firewall platforms. The case study section contains a new feature called Hairpinning, which allows ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cisco Networks: Engineers' Handbook of Routing, Switching, and Security with IOS, NX-OS, and ASA

Publisher Resources

ISBN: 1587051893Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cisco Network Security Troubleshooting Handbook

by Mynul Hoda, - CCIE No. 9159

Chapter 7. Troubleshooting IPsec VPN on PIX Firewalls

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.