Blog Entries

HTTPS and Fragmentation

HTTPS, Fragmentation, and MTU Size

I faced a situation where a server had been migrated to a public cloud provider, and suddenly certain services were no longer working. Looks like we’ve got an MTU problem!

In particular, we found that accessing a particular third-party finance service over SSL was failing. We also found that we could not access their website. On deeper inspection, we also found that we were having trouble getting to various other websites, but only the ones that used HTTPS. This error only happened when we used our WAN connection to the provider. If we used the provider’s native internet link, everything was fine.

What Was The Issue?

I’ll get straight to the point …
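The excerpt stops before the author's diagnosis, so the example below does not stand in for it. It shows the generic probing step behind "looks like we've got an MTU problem": the HTTPS-only symptom is typical of a path MTU black hole, where small packets pass but full-size ones (such as the server's certificate flight during the TLS handshake) are dropped when DF is set and the ICMP "fragmentation needed" message never comes back. The Python below is an added example, not code from the original post. On a real network the probe would wrap `ping -M do -s <payload> <host>` on Linux; here the network is replaced by a constructed simulator that silently drops anything over an assumed path MTU of 1438 bytes.

```python
"""Path MTU probing by binary search (added example, not from the original post)."""
from __future__ import annotations

from typing import Callable

# IPv4 header (20) + ICMP header (8). ping's -s value is the payload only, so a
# 1500-byte MTU passes a 1472-byte payload and a 1473-byte payload is dropped with DF set.
IPV4_ICMP_OVERHEAD = 20 + 8


def ping_payload_for_mtu(mtu: int) -> int:
    """Largest 'ping -M do -s' payload that fits an IPv4 packet of size `mtu`."""
    return mtu - IPV4_ICMP_OVERHEAD


def tcp_mss_for_mtu(mtu: int, ip_header: int = 20, tcp_header: int = 20) -> int:
    """TCP MSS to clamp to so that a segment plus headers fits `mtu` without fragmentation."""
    return mtu - ip_header - tcp_header


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Return the largest total packet size that `probe` delivers.

    `probe(size)` must send a `size`-byte IP packet with DF set and return True
    if a reply arrived. Assumes the true path MTU lies in [lo, hi]; `lo` is the
    RFC 791 minimum every IPv4 host must accept, `hi` is Ethernet.
    """
    if not probe(lo):
        raise ValueError(f"{lo}-byte packets are dropped too; the path is down, not just undersized")
    if probe(hi):
        return hi
    # Invariant: probe(lo) succeeds, probe(hi) fails.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def make_simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the network: oversize packets vanish silently,
    which is exactly the black-hole behaviour (no ICMP 'fragmentation needed')."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    # Assumed path MTU for the demo; a real run would pass a ping-based probe instead.
    mtu = find_path_mtu(make_simulated_probe(1438))
    print(f"path MTU {mtu}, ping -s {ping_payload_for_mtu(mtu)}, clamp MSS to {tcp_mss_for_mtu(mtu)}")
```

Once the real MTU is known, the two numbers that matter are the ping payload that reproduces the drop and the MSS to clamp TCP to on the WAN interface; both follow directly from the discovered value.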

ASA VPN Troubleshooting

ASA VPN Troubleshooting

Yesterday, I assisted with troubleshooting ASA VPN issues. A local ASA needed to build a site-to-site (aka L2L) IPSec VPN tunnel to a non-ASA third party. The tunnel was not coming up. The config all appeared to be there, and the third party said their config was in place too. It’s time to troubleshoot. Here are the steps I followed.

Check if SAs are Forming

This is always my first step when troubleshooting. There should be phase-1 SAs and phase-2 SAs for the ASA VPN to work. You can find phase-1 SAs with:

show crypto isakmp sa

And phase-2 SAs with:

show crypto ipsec sa

In my case, there were no phase-1 SAs, so there was no point …
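The first check in the excerpt above is whether any phase-1 SA exists before looking at phase 2. The Python below is an added example, not from the original post: it parses the output of `show crypto isakmp sa` and says which phase to keep troubleshooting. The sample dumps are constructed to follow the general shape of ASA IKEv1 output (they are not captures from the author's ASA), and 203.0.113.5 is a documentation address standing in for the peer.

```python
"""Classify ASA 'show crypto isakmp sa' output by phase-1 state (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: main mode completed, phase 1 is up.
SAMPLE_ACTIVE = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample: we sent the first main-mode message and never heard back.
SAMPLE_WAITING = SAMPLE_ACTIVE.replace("MM_ACTIVE", "MM_WAIT_MSG2")

# Constructed sample: nothing negotiated at all, the situation in the post.
SAMPLE_NONE = "There are no IKEv1 SAs\n"

# One entry: peer, type/role line, rekey/state line. Whitespace is flexible.
_ENTRY = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s+"
    r"Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s+"
    r"Rekey\s*:\s*\S+\s+State\s*:\s*(?P<state>\S+)"
)

# Settled phase-1 states; MM_WAIT_* / AM_WAIT_* mean the exchange is still in progress.
ESTABLISHED_STATES = frozenset({"MM_ACTIVE", "AM_ACTIVE"})


@dataclass(frozen=True)
class IsakmpSa:
    peer: str
    sa_type: str
    role: str
    state: str

    @property
    def established(self) -> bool:
        return self.state in ESTABLISHED_STATES


def parse_isakmp_sa(output: str) -> list[IsakmpSa]:
    """Extract every SA entry; an empty list means no phase-1 SA exists."""
    return [IsakmpSa(m["peer"], m["type"], m["role"], m["state"]) for m in _ENTRY.finditer(output)]


def phase1_verdict(output: str, peer: str) -> str:
    """Decide, for one peer, whether 'show crypto ipsec sa' is worth running yet."""
    sas = [sa for sa in parse_isakmp_sa(output) if sa.peer == peer]
    if not sas:
        return "no phase-1 SA: stay on phase 1 (peer address, reachability, ISAKMP policy); phase 2 cannot exist yet"
    if any(sa.established for sa in sas):
        return "phase 1 up: move on to 'show crypto ipsec sa' for phase 2"
    states = ",".join(sorted({sa.state for sa in sas}))
    return f"phase 1 negotiating ({states}): compare proposals and pre-shared key with the peer"


if __name__ == "__main__":
    for name, dump in (("none", SAMPLE_NONE), ("active", SAMPLE_ACTIVE), ("waiting", SAMPLE_WAITING)):
        print(f"{name:8} {phase1_verdict(dump, '203.0.113.5')}")
```

The point of the verdict function is the author's own ordering: with no phase-1 SA present, the phase-2 command is not yet informative, so the parser refuses to send you there.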

AWS to ASA VPN Issues

I needed to build a VPN tunnel from Threat Defence to AWS, which seemed to work fine. Until the VPN had been up for an hour that is…
After an hour, I was getting reports of tunnel traffic dropping out. This happened regularly every hour.
After a few hours of watching debugs and discussions with TAC, the answer presented itself.

Getting Started with IPv6 Migration

As IPv6 gets more popular, it becomes more important to know how to migrate to it. This includes getting addresses, getting an ASN, and planning a strategy.

High CPU in Firepower

I use Firepower Management Center quite a bit. Recently, I started getting health monitoring alerts telling me that CPU was at a critically high level.
These alerts were spamming me every 5 minutes for a few hours. One of our ASAs running Firepower Services was having a bad time.