Cisco NEM VPN Client Config for IOS

The following config is a basic template for configuring an IOS router as an Easy VPN (EZVPN) client in network extension mode (NEM). Replace the angle-bracket placeholders with your own values.

crypto ipsec client ezvpn <name>
 connect auto
 group <group name> key <key>
 mode network-extension
 peer <remote VPN peer>
 xauth userid mode interactive
!
interface <LAN interface>
 crypto ipsec client ezvpn <name> inside
!
interface <WAN interface>
 crypto ipsec client ezvpn <name>

Then, to force a connection attempt, issue the following command from the privileged EXEC (enable) prompt:

crypto ipsec client ezvpn connect <name>

Adding a Custom Web Authentication Page to Cisco WLCs using WCS

This assumes you use WCS to manage your WLCs. If you don't, it's still possible to add a custom WebAuth page to your WLC, but we won't be covering that today!

First off, build your custom authentication page. You can download a bundle of examples from Cisco here; you'll need these as they have the authentication script embedded.

Here’s one I made earlier:

Custom WebAuth Page with KittyGuard1.0

If you'd prefer, you can download my custom page here; it has had most of the junk removed compared to the Cisco one.

Once you have your custom page (with or without cats), you need to compress it, along with any images, into a tar file called WebAuth.tar.

Next, log in to your WCS and navigate to Configure -> Controller Template Launch Pad -> Security -> Web Auth Configuration.

Web Auth Configuration

Click on the template name or create a new one.

Under general settings, name your template and choose "Customized Web Auth" as the Web Auth Type.

Web Auth Template

Select "Apply to Controllers" and select the WLCs you wish to apply this template/custom page to.

Once you have selected controllers you will be prompted to download the new WebAuth.tar bundle to the WCS. You can do this directly from your local machine using the "Browse" button, or you can upload your .tar file to a TFTP server and copy it across from there.

When you are ready, press the Download button; the WCS will then load your custom page onto each of the controllers.

You're done. If you like, you can now preview the new page by logging into a WLC, going to Security -> WebAuth and selecting Preview.

How to Identify the Cause of a Cisco Tomcat Memory Leak Using the Heap Dump File

If Tomcat has used up all of its allocated memory (the heap) and is unable to free any space, the process will generate a heap dump and crash.

Heap dumps are useful as they are a snapshot of all the objects in the process's heap at the moment it died. The heap dump can be identified as a .hprof file and will typically be ~500MB.

You can download the dump file using RTMT. Simply go to:

Trace & Log Central -> Remote Browse -> Trace Files -> Cisco CallManager -> Cisco Tomcat, then select the CCM server on which Cisco Tomcat crashed and drill down into System -> Cisco Tomcat -> Logs. There you should see the .hprof file in the file list.

Download the file to your PC, making sure you choose the option to zip the file before downloading.
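Before spending the time to import a ~500MB dump into MAT, it is worth checking that the .hprof file was written to completion, since a JVM that dies mid-write leaves a truncated dump that MAT cannot fully analyse. The following script is an added example (not part of the original post or of any Cisco tool) that walks the top-level records of an HPROF file using the published HPROF binary format; the sample dump it builds is constructed for demonstration and is not a real CUCM heap dump.

```python
import struct

# Top-level HPROF record tags, from the HPROF binary format spec shipped with the JDK
TAGS = {0x01: "STRING", 0x02: "LOAD_CLASS", 0x04: "STACK_FRAME", 0x05: "STACK_TRACE",
        0x07: "HEAP_SUMMARY", 0x0A: "START_THREAD", 0x0B: "END_THREAD",
        0x0C: "HEAP_DUMP", 0x1C: "HEAP_DUMP_SEGMENT", 0x2C: "HEAP_DUMP_END"}

def summarize_hprof(data: bytes) -> dict:
    """Walk the top-level records of an .hprof file: version, ID size, record
    counts, loaded class names, and whether the dump was written to completion."""
    end = data.index(b"\x00")                 # header is a NUL-terminated version string
    version = data[:end].decode("ascii")
    id_size, = struct.unpack(">I", data[end + 1:end + 5])
    id_fmt = ">Q" if id_size == 8 else ">I"
    pos = end + 5 + 8                         # skip the u8 dump timestamp
    strings, classes, counts, complete = {}, [], {}, False
    while pos + 9 <= len(data):               # each record: u1 tag, u4 time delta, u4 length
        tag, _delta, length = struct.unpack(">BII", data[pos:pos + 9])
        body = data[pos + 9:pos + 9 + length]
        if len(body) < length:                # record runs past EOF: the JVM died mid-write
            counts["TRUNCATED"] = 1
            break
        name = TAGS.get(tag, "0x%02x" % tag)
        counts[name] = counts.get(name, 0) + 1
        if tag == 0x01:                       # STRING: ID then UTF-8 text
            sid, = struct.unpack(id_fmt, body[:id_size])
            strings[sid] = body[id_size:].decode("utf-8", "replace")
        elif tag == 0x02:                     # LOAD_CLASS: u4 serial, ID class, u4 trace, ID name
            name_id, = struct.unpack(id_fmt, body[8 + id_size:8 + 2 * id_size])
            classes.append(strings.get(name_id, "?").replace("/", "."))
        elif tag in (0x0C, 0x2C):             # a whole HEAP_DUMP or the HEAP_DUMP_END marker
            complete = True
        pos += 9 + length
    return {"version": version, "id_size": id_size, "records": counts,
            "classes": classes, "complete": complete}

def _record(tag: int, body: bytes) -> bytes:
    return struct.pack(">BII", tag, 0, len(body)) + body

def build_sample_dump(truncate: bool = False) -> bytes:
    """Constructed minimal 64-bit-ID dump for demonstration; not a real CUCM heap dump."""
    hdr = b"JAVA PROFILE 1.0.2\x00" + struct.pack(">IQ", 8, 0)
    recs = _record(0x01, struct.pack(">Q", 0x1001) + b"com/rsa/sslj/x/cu")
    recs += _record(0x02, struct.pack(">IQIQ", 1, 0x2001, 0, 0x1001))
    recs += _record(0x1C, b"\x00" * 16)       # placeholder heap segment body
    recs += _record(0x2C, b"")
    data = hdr + recs
    return data[:-10] if truncate else data   # cut inside the segment, losing HEAP_DUMP_END
```

On a real file, call summarize_hprof(open("dump.hprof", "rb").read()) and check that complete is True and no TRUNCATED entry appears before importing into MAT.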

Once you have the file you need to analyse it; for this you need the Eclipse Memory Analyzer (MAT), a free program available here.

NOTE: Ensure you have the correct Java JRE version installed, i.e. if you downloaded the 64-bit version of MAT make sure you have the 64-bit JRE installed (the 64-bit JRE can be downloaded here if you need it!).

Once you have MAT running, choose the option to "Open a Heap Dump":

Select the .hprof file you downloaded earlier. It will take some time to import. Once it's ready it will present you with the "Getting Started Wizard"; from there choose the "Leak Suspects Report" and click Finish. Once the report is generated it will identify the likely source objects of the leak as well as their heap utilisation. It should look something like this:

You can see that in this case the issue was with com.rsa.sslj.x.cu; this corresponds to a known bug, CSCty36110, caused by an issue with AXL's interaction with Tomcat. In this case AXL was being used by a PhoneX One system.

Configure ASDM access on Cisco ASA

Cisco ASDM (Adaptive Security Device Manager) is a Java-based GUI for Cisco ASA devices.

To enable ASDM access on a device you must first ensure an ASDM image is loaded in the device's flash. To check whether you have an ASDM image in flash, enter "show flash" at the ASA's privileged EXEC prompt; you are looking for a file named asdm-###.bin, where the #'s are the ASDM version. If you don't have the file you'll need to download an appropriate version of ASDM; this will require a valid CCO ID or some Google foo.

Once your image is in flash, simply enter the following config via the CLI, exchanging the IP addresses for your own. This config also assumes you want to use local authentication; if this isn't the case you'll need to modify the AAA config to meet your requirements:

aaa authentication http console LOCAL
username <YOUR USER> password <YOUR PASSWORD>
!
interface <Inside Int>
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
http server enable
http 192.168.1.0 255.255.255.0 inside
!
asdm image <FLASH LOCATION>:/asdm-<VER>.bin