Category Archives: Cisco

Cisco VPN Client no longer works on Windows 10

After upgrading to Windows 10 (and probably on a fresh install too), the Cisco VPN Client (the old IKEv1 client, 5.x) no longer works. If you upgraded, the “Cisco VPN Client” service is missing, and typing “VPN” into Cortana no longer finds the “VPN Client”. Trying to reinstall gives the error

Your app does not work with Windows 10

Ryan Ternier has worked out a fix and I’m publishing it here so it’s easier for me to find. Here it is in the long form:

  1. Click on the Start button -> Settings -> System -> Apps and Features -> Uninstall Cisco VPN Client
  2. Now download the Sonicwall VPN Client from http://help.mysonicwall.com/applications/vpnclient/
  3. Install the Sonicwall VPN Client
  4. Extract vpnclient-winx64-msi-5.0.07.0440-k9.exe, then right-click the vpnclient_setup.msi it contains and select Install
  5. Run through the installer steps
  6. Once done, click on the Start button, type regedit and run it as administrator
  7. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA and edit the “DisplayName” REG_SZ value
  8. Change the contents of DisplayName from “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows” (the oemN number can differ from machine to machine; whatever it is, remove everything up to and including the semicolon)
  9. Either reboot, or open services.msc and start the Cisco VPN service
  10. Open the VPN client as normal and try to connect
  11. It should now work again

Bear in mind that this client is end-of-life and only speaks IKEv1, so this keeps an unsupported client alive rather than fixing anything; treat it as a stop-gap until the VPN headend can take a current client.

Thanks to Ryan Ternier and OCGrumpa in post http://weblogs.asp.net/rternier/getting-cisco-s-ipsec-vpn-client-working-on-windows-10.
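Steps 7 and 8 can be scripted so they are safe to re-run. The following is an added example, not part of the original post or of Ryan Ternier's fix: it assumes the value has the shape shown in step 8 and matches the INF prefix as a pattern, because the oemN number is not the same on every machine. Run it on the affected Windows 10 box as administrator; without --apply it only reports what it would change.

```python
"""Scripted version of steps 7-8: strip the INF reference from the CVirtA DisplayName.

Added example, not from the original post. Assumes the value looks like
"@oemN.inf,%CVirtA_Desc%;<human-readable name>"; the N varies between machines,
so the prefix is matched as a pattern rather than compared to the literal "oem8".
"""
import re
import sys
from typing import Tuple

CVIRTA_KEY = r"SYSTEM\CurrentControlSet\Services\CVirtA"
# "@<file>.inf,%<token>%;" immediately followed by the readable adapter name
_INF_PREFIX = re.compile(r"^@[^,]+\.inf,%[^%]+%;", re.IGNORECASE)


def needs_fix(value: str) -> bool:
    """True when DisplayName still carries the INF reference."""
    return _INF_PREFIX.match(value) is not None


def fix_display_name(value: str) -> str:
    """Return the plain adapter name; a value without the prefix is returned unchanged."""
    return _INF_PREFIX.sub("", value, count=1)


def repair_registry(dry_run: bool = True) -> Tuple[str, str]:
    """Read, fix and (unless dry_run) write the DisplayName value. Windows only."""
    import winreg  # imported here so the pure functions above stay portable
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CVIRTA_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        current, kind = winreg.QueryValueEx(key, "DisplayName")
        if kind != winreg.REG_SZ:
            raise RuntimeError(f"DisplayName is not REG_SZ (type {kind}); refusing to touch it")
        fixed = fix_display_name(current)
        if fixed != current and not dry_run:
            winreg.SetValueEx(key, "DisplayName", 0, winreg.REG_SZ, fixed)
        return current, fixed


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the affected Windows 10 machine, as administrator")
    before, after = repair_registry(dry_run="--apply" not in sys.argv)
    print(f"before: {before}")
    print(f"after:  {after}")
```

After applying it, start the service as in step 9 (or reboot).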


Cisco ASDM errors with “javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure” on connecting

After changing Remote Access -> Advanced -> SSL Settings -> Active Algorithms in ASDM, you are no longer able to connect with ASDM and get this error:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

ASDM gives no hint as to why you cannot connect. The cause is that the client (ASDM's Java runtime) cannot negotiate a cipher suite in common with the “active algorithms” list, so the ASA aborts the handshake with a handshake_failure alert. To restore access:

1. Open an SSH session to the ASA

2. Type the following (the http server restart makes the new cipher list take effect):

ciscoasa(config)# ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
ciscoasa(config)# no http server enable
ciscoasa(config)# http server enable

3. Try to reconnect with ASDM

Note that this is a rollback rather than a hardening: these four are the TLS 1.0-era AES-CBC/SHA-1 suites, and the two without dhe- use RSA key exchange with no forward secrecy. The durable fix is to bring the Java runtime ASDM runs on (or ASDM itself) up to a version that supports the stronger suites you selected, and then take the legacy suites out of the list again.
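To see which of the active algorithms a given workstation can actually negotiate, you can attempt one TLS handshake per suite against the ASA. This is an added example, not part of the original post: the table maps the ASA “ssl encryption” keywords used above (plus 3des-sha1 and rc4-sha1) to their OpenSSL names, and the host name is a placeholder.

```python
"""Probe which of an ASA's active SSL cipher suites a client can negotiate.

Added example, not from the original post. Maps ASA "ssl encryption" keywords
to OpenSSL cipher names and attempts one handshake per suite. The host/port
are placeholders; the ASA and OpenSSL names are real.
"""
import socket
import ssl
from typing import List

# ASA "ssl encryption" keyword -> OpenSSL cipher name
ASA_TO_OPENSSL = {
    "dhe-aes256-sha1": "DHE-RSA-AES256-SHA",
    "dhe-aes128-sha1": "DHE-RSA-AES128-SHA",
    "aes256-sha1": "AES256-SHA",
    "aes128-sha1": "AES128-SHA",
    "3des-sha1": "DES-CBC3-SHA",
    "rc4-sha1": "RC4-SHA",
}


def openssl_names(asa_line: str) -> List[str]:
    """Turn an 'ssl encryption <kw> <kw> ...' line into OpenSSL cipher names, in ASA order."""
    words = asa_line.split()
    if words[:2] != ["ssl", "encryption"]:
        raise ValueError("expected an 'ssl encryption ...' line")
    unknown = [w for w in words[2:] if w not in ASA_TO_OPENSSL]
    if unknown:
        raise ValueError(f"no OpenSSL mapping for {unknown}")
    return [ASA_TO_OPENSSL[w] for w in words[2:]]


def probe(host: str, port: int, cipher: str, timeout: float = 5.0) -> str:
    """One handshake restricted to `cipher`.

    Returns 'ok', 'handshake_failure' (the ASDM symptom: no suite in common),
    'unsupported-locally' (the local OpenSSL no longer ships the suite, e.g. RC4)
    or the socket/TLS error text.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are testing cipher negotiation, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                negotiated = tls.cipher()[0]
                return "ok" if negotiated == cipher else f"negotiated {negotiated}"
    except ssl.SSLError as e:
        reason = (getattr(e, "reason", "") or str(e)).lower().replace("_", " ")
        return "handshake_failure" if "handshake failure" in reason else str(e)
    except OSError as e:
        return str(e)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "asa.example.internal"   # placeholder
    for name in openssl_names("ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1"):
        print(f"{name:24s} {probe(host, 443, name)}")
```

If every suite comes back handshake_failure, the workstation and the ASA share no suite, which is exactly what ASDM reports. The probe uses the workstation's OpenSSL rather than ASDM's Java runtime, so a suite that negotiates here can still be missing from an old JRE; it does, however, tell you which suites the ASA side is prepared to accept.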


Collecting crypto VPN traffic info from Cisco routers

Cisco crypto site-to-site VPNs are quite useful, but it is difficult to collect traffic stats when there is no virtual interface for SNMP to track. Instead the stats are held in the Cisco SNMP MIBs in various places, and you have to cross-reference between those places to work out which SNMP entry refers to which VPN tunnel. This gets harder the more tunnels you have on the router.

With this in mind I’ve created a WhatsUp performance monitor script to collect the receive (rx) and transmit (tx) traffic stats through SNMP. You’ll need to grab the Cisco router MIBs and install them into the WhatsUp MIBs directory before this script will work.

On the Cisco side you’ll have a crypto map entry such as this one:

crypto map mymap 141 ipsec-isakmp
 set peer x.x.x.x
 set transform-set xxxx
 match address myvpn-acl

The crypto map sequence number (141 here) is what the script uses to find the correct VPN tunnel in SNMP:

' Crypto map sequence number of the tunnel to measure
strVPNMapNumber="141"

The other variable to alter is whether the statistic to be collected is receive (rx) or transmit (tx) with respect to the router being polled. This is specified by this line:

' The direction of traffic (rx or tx)
strDirection="rx"

How the script works

The script walks the table at SNMP OID 1.3.6.1.4.1.9.9.172.1.2.1.1.3 (get_ipsecTunnel_list), in which each IPsec tunnel row carries its crypto map sequence number, and collects the indexes of the rows whose value is 141 in this case. It then reads the receive or transmit octet counter for each of those rows and adds them together, because one ISAKMP tunnel can have several IPsec tunnels behind it depending on how the match ACL is written. Two readings a second apart give the delta, which is converted from bytes to kilobits.
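The same cross-reference, written in Python against a constructed snapshot of the two SNMP tables so that it runs offline. This is an added example and not part of the original post: a dict of OID -> value stands in for GetNext/Get against the router, the OIDs are the ones the script uses, and the table contents are made up. It goes a little beyond the script above by correcting a 32-bit counter wrap and by dividing by the measured interval instead of assuming exactly one second.

```python
"""Crypto map sequence number -> IPsec tunnel rows -> summed octet counters -> kbit/s.

Added example, not from the original post. The SNMP tables below are a
constructed snapshot; a dict of OID -> value stands in for GetNext/Get.
"""
from typing import Dict, Iterable, List, Tuple

MAP_INDEX_OID = "1.3.6.1.4.1.9.9.172.1.2.1.1.3"   # value = crypto map sequence number
IN_OCTETS_OID = "1.3.6.1.4.1.9.9.171.1.3.2.1.26"  # per-tunnel octets in (32-bit counter)
OUT_OCTETS_OID = "1.3.6.1.4.1.9.9.171.1.3.2.1.39"  # per-tunnel octets out (32-bit counter)
COUNTER32_WRAP = 2 ** 32


def walk(table: Dict[str, str], base: str) -> Iterable[Tuple[str, str]]:
    """Yield (oid, value) for every row under `base`, in OID order, like repeated GetNext."""
    prefix = base + "."
    for oid in sorted(table, key=lambda o: [int(arc) for arc in o.split(".")]):
        if oid.startswith(prefix):
            yield oid, table[oid]


def tunnel_indexes(table: Dict[str, str], crypto_map_seq: str) -> List[str]:
    """Row indexes (last OID arc) of the IPsec tunnels belonging to one crypto map entry."""
    return [oid.rsplit(".", 1)[1]
            for oid, value in walk(table, MAP_INDEX_OID) if value == crypto_map_seq]


def octet_sum(table: Dict[str, str], indexes: List[str], direction: str) -> int:
    """Sum the in (rx) or out (tx) counters over the given rows."""
    base = IN_OCTETS_OID if direction == "rx" else OUT_OCTETS_OID
    return sum(int(table[f"{base}.{i}"]) for i in indexes)


def kbit_per_s(first: int, second: int, elapsed_s: float) -> float:
    """Rate from two counter readings; corrects a single Counter32 wrap between polls."""
    delta = second - first
    if delta < 0:
        delta += COUNTER32_WRAP   # assumes at most one wrap happened in the interval
    return delta * 8 / 1000 / elapsed_s


def measure(t0: Dict[str, str], t1: Dict[str, str], crypto_map_seq: str,
            direction: str, elapsed_s: float) -> float:
    """Two snapshots of the tables -> kbit/s for one crypto map entry and direction."""
    idx = tunnel_indexes(t0, crypto_map_seq)
    if not idx:
        raise LookupError(f"no IPsec tunnel for crypto map seq {crypto_map_seq}")
    return kbit_per_s(octet_sum(t0, idx, direction), octet_sum(t1, idx, direction), elapsed_s)


# Constructed sample: crypto map seq 141 has two IPsec tunnels (rows 7 and 9),
# seq 150 has one (row 8). Counter values are bytes.
SNAPSHOT_T0 = {
    f"{MAP_INDEX_OID}.7": "141", f"{MAP_INDEX_OID}.8": "150", f"{MAP_INDEX_OID}.9": "141",
    f"{IN_OCTETS_OID}.7": "1000", f"{IN_OCTETS_OID}.8": "5000", f"{IN_OCTETS_OID}.9": "2000",
    f"{OUT_OCTETS_OID}.7": "4294967000", f"{OUT_OCTETS_OID}.8": "10", f"{OUT_OCTETS_OID}.9": "100",
}
# One poll later: row 7 received 12500 bytes and its out counter wrapped past 2**32
SNAPSHOT_T1 = dict(SNAPSHOT_T0, **{
    f"{IN_OCTETS_OID}.7": "13500",
    f"{OUT_OCTETS_OID}.7": "704",
})


if __name__ == "__main__":
    print("rows for seq 141:", tunnel_indexes(SNAPSHOT_T0, "141"))
    print("rx kbit/s:", measure(SNAPSHOT_T0, SNAPSHOT_T1, "141", "rx", 1.0))
    print("tx kbit/s:", measure(SNAPSHOT_T0, SNAPSHOT_T1, "141", "tx", 2.0))
```

The subtree test in walk is a string-prefix check on the OID with a trailing dot, which is what "still inside the table" means for a GetNext loop; a regular-expression match on the bare OID would treat every dot as a wildcard.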

The script in full

' Crypto map sequence number of the tunnel to measure
' (the 141 in "crypto map mymap 141 ipsec-isakmp")
strVPNMapNumber="141"

' The direction of traffic (rx or tx) with respect to the polled router
strDirection="rx"

' Per-IPsec-tunnel row whose value is the crypto map sequence number
ipSecVPNMapIndex = "1.3.6.1.4.1.9.9.172.1.2.1.1.3"
' Per-IPsec-tunnel octet counters (32-bit), in and out
ipSecInOct              = "1.3.6.1.4.1.9.9.171.1.3.2.1.26"
ipSecOutOct             = "1.3.6.1.4.1.9.9.171.1.3.2.1.39"

set objSNMPReq = CreateObject("CoreAsp.SnmpRqst")
strDeviceID = Context.GetProperty("DeviceID")
set objSNMPInit = objSNMPReq.Initialize(strDeviceID)

if objSNMPInit.Failed then
    context.logmessage "SNMP initialisation failed for device " & strDeviceID
else
    ' Get a list of indexes which match the VPN map number
    arrIpsecIndex = split(get_ipsecTunnel_list(ipSecVPNMapIndex,strVPNMapNumber),",")

    if arrIpsecIndex(0) = "" then
        context.logmessage "No IPsec tunnel found for crypto map " & strVPNMapNumber
    else
        ' Two readings of the counters. Time the interval rather than assuming
        ' exactly one second: each reading costs one SNMP round trip per tunnel.
        sngStart = timer()
        intFirstReading = get_TrafficSum()
        context.logmessage "FirstReading=" & intFirstReading
        sleep(1)
        intSecondReading = get_TrafficSum()
        sngElapsed = timer() - sngStart
        context.logmessage "SecondReading=" & intSecondReading
        intTotalTrafficReading = intSecondReading - intFirstReading
        ' The counters are 32-bit; a negative delta means one of them wrapped
        if intTotalTrafficReading < 0 then
            intTotalTrafficReading = intTotalTrafficReading + 4294967296
        end if
        ' timer() is seconds since midnight and wraps there; fall back to the nominal interval
        if sngElapsed <= 0 then sngElapsed = 1
        ' Counters are in bytes; report kilobits per second
        sngRate = (intTotalTrafficReading * 8) / (1000 * sngElapsed)
        Context.SetValue sngRate
        context.logmessage "Total=" & sngRate
    end if
end if

' Sum of the rx or tx counter over every IPsec tunnel row in arrIpsecIndex
function get_TrafficSum()
    inttmpTotalTrafficReading=0
    ' Pick the counter column once for the whole loop
    if string_compare(strDirection,"rx") then
        strtmpOID=ipSecInOct
    else
        strtmpOID=ipSecOutOct
    end if
    for each ipsecTunnelID in arrIpsecIndex
        context.logmessage "Processing Tunnel ID " & ipsecTunnelID
        inttmpResult=get_SNMPget(strtmpOID & "." & ipsecTunnelID)
        context.logmessage ipsecTunnelID & "=" & inttmpResult
        ' GetPayload returns a string; convert before adding, skip error payloads
        if IsNumeric(inttmpResult) then
            inttmpTotalTrafficReading = inttmpTotalTrafficReading + CDbl(inttmpResult)
        else
            context.logmessage "Non-numeric counter for tunnel " & ipsecTunnelID & ", skipped"
        end if
    next
    get_TrafficSum = inttmpTotalTrafficReading
end function

' Walk the table under strOID with GetNext and return a comma-separated list of
' the row indexes whose value equals strtmpTargetValue (the crypto map number)
function get_ipsecTunnel_list (strOID,strtmpTargetValue)
    tmpReturnValue=""
    boolExitWhile=0

    context.logmessage "Looking for entry index OID for target " & strtmpTargetValue
    set objtmpSNMPResult = objSNMPReq.GetNext(strOID)

    While boolExitWhile <> 1
        currSNMPPayload = objtmpSNMPResult.GetValue
        currSNMPIndex=objtmpSNMPResult.GetOID
        context.logmessage currSNMPIndex & "=" & currSNMPPayload

        ' Stop once GetNext has walked past the end of the table, i.e. the
        ' returned OID is no longer underneath strOID. This is a plain prefix
        ' test; a regular expression would treat the dots as wildcards.
        if Left(currSNMPIndex, Len(strOID) + 1) <> (strOID & ".") then
            boolExitWhile=1
        else
            if currSNMPPayload = strtmpTargetValue then
                currIndexNum=get_indexFromOID(currSNMPIndex)
                if tmpReturnValue = "" then
                    tmpReturnValue=currIndexNum
                else
                    tmpReturnValue = tmpReturnValue & "," & currIndexNum
                end if
                context.logmessage "index num is " & tmpReturnValue
            end if
            set objtmpSNMPResult = objSNMPReq.GetNext(currSNMPIndex)
        end if
    wend
    context.logmessage "Got value=" &  tmpReturnValue
    get_ipsecTunnel_list = tmpReturnValue
end function

' Single SNMP Get, returning the payload as a string
function get_SNMPget(strtmpOID)
    set objtmpSNMPResult = objSNMPReq.Get(strtmpOID)
    strtmpValue=objtmpSNMPResult.GetPayload
    context.logmessage strtmpOID & " returned value " & strtmpValue
    get_SNMPget=strtmpValue
end function

' Case-insensitive regular-expression test of expression against targetstring.
' Returns 1 on a match and 0 otherwise, including when either argument is empty.
private function string_compare(expression,targetstring)
    boolSearchResult=0
    if ("" <> expression AND "" <> targetstring) then
        set oReg= new regexp
        oReg.pattern=expression
        oReg.IgnoreCase = TRUE
        if oReg.test (targetstring) then
            boolSearchResult=1
        end if
    end if
    string_compare=boolSearchResult
end function

' Busy-wait for intseconds; timer() is seconds since midnight
function sleep(intseconds)
    intstarttime = timer()
    while timer() < intstarttime+intseconds
        '.
    wend
end function

' Last arc of an OID, which for these tables is the row index
function get_indexFromOID(strtmpOID)
    strtmpValue=""

    arrtmpOID=split(strtmpOID,".")
    inttmpSize=ubound(arrtmpOID)
    strtmpValue=arrtmpOID(inttmpSize)
    context.logmessage "get_indexFromOID=" & strtmpValue

    get_indexFromOID=strtmpValue
end function
