Cisco ASA Route-based Site-to-Site VPN to Azure

Prerequisites: ASA software 9.8.1 (I have tested 9.8.2)

Azure configuration:
Add a virtual network gateway to your Azure subnet (I use Basic), then add a connection to the gateway.


ASA configuration

Configure the IKEv2 policy, IPsec proposal and profile, and the VPN tunnel interface:

crypto ikev2 policy 3
  encryption aes-256
  integrity sha
  group 2
  prf sha
  lifetime seconds 10800


crypto ipsec ikev2 ipsec-proposal Proposal-Azure
  protocol esp encryption aes-256
  protocol esp integrity sha-1


crypto ipsec profile Profile-Azure
  set ikev2 ipsec-proposal Proposal-Azure
  set pfs group2
  set security-association lifetime kilobytes 102400000
  set security-association lifetime seconds 10800


interface Tunnel1
  nameif VPN-AZURE
  ip address 169.254.2.1 255.255.255.0 standby 169.254.2.2
  tunnel source interface outside
  tunnel destination [Azure vpngateway public ip]
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile Profile-Azure


tunnel-group [Azure vpngateway public ip] type ipsec-l2l
tunnel-group [Azure vpngateway public ip] ipsec-attributes
  ikev2 remote-authentication pre-shared-key [PresharedKey]
  ikev2 local-authentication pre-shared-key [PresharedKey]

Configure a static route to the Azure networks:

route VPN-AZURE [local azure subnet scope] 255.255.255.0 [Azure vpngateway public ip] 1
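Before pushing a configuration like the one above, it is worth checking that every name it uses actually resolves: the profile must reference an existing proposal, the tunnel interface an existing profile, the tunnel destination a matching ipsec-l2l tunnel-group with both IKEv2 pre-shared keys, and the static route the tunnel's nameif. The following Python script is an added example, not part of the original post or of any Cisco tooling; it parses an ASA-style listing using the one-space indentation the ASA uses for sub-commands, and its sample config is a constructed copy of the configuration above with the placeholders filled by made-up values (203.0.113.10 for the gateway address, EXAMPLE-PSK for the key).

```python
import re

# Constructed sample modelled on the configuration above. The bracketed placeholders
# are filled with made-up values: 203.0.113.10 (a documentation address) stands in for
# the Azure VPN gateway public IP and EXAMPLE-PSK for the pre-shared key.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal Proposal-Azure
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec profile Profile-Azure
 set ikev2 ipsec-proposal Proposal-Azure
 set pfs group2
interface Tunnel1
 nameif VPN-AZURE
 ip address 169.254.2.1 255.255.255.0 standby 169.254.2.2
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Profile-Azure
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key EXAMPLE-PSK
 ikev2 local-authentication pre-shared-key EXAMPLE-PSK
route VPN-AZURE 10.1.0.0 255.255.255.0 203.0.113.10 1
"""


def parse_blocks(text):
    """Split an ASA config into (command, [sub-commands]) pairs; sub-commands are the indented lines."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def check_asa_vti(text):
    """Return a list of findings; an empty list means every cross-reference resolves."""
    proposals, profiles, tunnels, nameifs = set(), {}, [], set()
    l2l_groups, psk_groups, route_ifaces = set(), {}, []
    for header, children in parse_blocks(text):
        words = header.split()
        if header.startswith("crypto ipsec ikev2 ipsec-proposal "):
            proposals.add(words[-1])
        elif header.startswith("crypto ipsec profile "):
            refs = [c.split()[-1] for c in children if c.startswith("set ikev2 ipsec-proposal ")]
            profiles[words[-1]] = refs[0] if refs else None
        elif re.fullmatch(r"interface Tunnel\d+", header):
            tun = {"name": words[1]}
            for c in children:
                cw = c.split()
                if c.startswith("nameif "):
                    tun["nameif"] = cw[1]
                    nameifs.add(cw[1])
                elif c.startswith("tunnel destination "):
                    tun["dest"] = cw[2]
                elif c.startswith("tunnel protection ipsec profile "):
                    tun["profile"] = cw[4]
            tunnels.append(tun)
        elif re.fullmatch(r"tunnel-group \S+ type ipsec-l2l", header):
            l2l_groups.add(words[1])
        elif re.fullmatch(r"tunnel-group \S+ ipsec-attributes", header):
            # Record which of remote-/local-authentication carry a pre-shared key.
            psk_groups[words[1]] = {c.split()[1] for c in children if "pre-shared-key" in c}
        elif header.startswith("route "):
            route_ifaces.append(words[1])

    findings = []
    for name, proposal in profiles.items():
        if proposal not in proposals:
            findings.append(f"profile {name} references unknown ipsec-proposal {proposal}")
    for tun in tunnels:
        if tun.get("profile") not in profiles:
            findings.append(f"{tun['name']} references unknown ipsec profile {tun.get('profile')}")
        dest = tun.get("dest")
        if dest not in l2l_groups:
            findings.append(f"{tun['name']} peer {dest} has no 'tunnel-group {dest} type ipsec-l2l'")
        missing = {"remote-authentication", "local-authentication"} - psk_groups.get(dest, set())
        for auth in sorted(missing):
            findings.append(f"tunnel-group {dest} lacks 'ikev2 {auth} pre-shared-key'")
    for iface in route_ifaces:
        if iface not in nameifs:
            findings.append(f"route points at {iface}, which is not the nameif of any tunnel interface")
    return findings


if __name__ == "__main__":
    print(check_asa_vti(SAMPLE_CONFIG) or "configuration is consistent")
```

The checker only verifies that the references line up. It does not judge the algorithm choices (the policy above uses SHA-1 integrity and DH group 2, which sit at the weak end of current guidance), and it does not confirm that IKEv2 is enabled on the outside interface (`crypto ikev2 enable outside`), a command the listing above does not show but which the ASA needs before it will negotiate IKEv2 on that interface.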


Source:
https://supportforums.cisco.com/t5/vpn/route-based-vpn-vti-for-asa-finally-here/td-p/3046928

Client Excluded: MACAddress:2c:be:08:f5:14:d6 Base Radio MAC :2c:d0:2d:91:54:86 Slot: 1 User Name: unknown Ip Address: unknown Reason:Attempted to use IP Address assigned to another device. ReasonCode: 3

When you get

Client Excluded: MACAddress:2c:be:08:f5:14:d6 Base Radio MAC :2c:d0:2d:91:54:86 Slot: 1 User Name: unknown Ip Address: unknown Reason:Attempted to use IP Address assigned to another device. ReasonCode: 3

you can find the IP address that is already in use by enabling DHCP debugging on the WLC controller.

Enable debugging with the following command:

debug dhcp message enable

Then look for an event like this one:

*DHCP Socket Task: Oct 11 09:11:56.591: 2c:be:08:f5:14:d6 DHCP option: requested ip = 10.16.0.254

Now you know that the IP already in use is 10.16.0.254, and you can exclude it on the DHCP server.
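Reading the debug output by hand works for one client, but the same correlation can be scripted: pick up the MAC from each "Client Excluded" event with ReasonCode 3 and list the addresses that MAC requested in the "debug dhcp message" lines. The Python below is an added example, not code from the original post or from Cisco; the sample output is constructed from the two message formats quoted above, with a second made-up client (aa:bb:cc:dd:ee:01) and made-up timestamps added so the filter has something to ignore.

```python
import re
from collections import defaultdict

# Constructed sample of WLC output, modelled on the two message formats quoted above:
# one "Client Excluded" event and a few lines from "debug dhcp message enable".
# The MAC aa:bb:cc:dd:ee:01 and the timestamps are made up.
SAMPLE_WLC_OUTPUT = """\
Client Excluded: MACAddress:2c:be:08:f5:14:d6 Base Radio MAC :2c:d0:2d:91:54:86 Slot: 1 User Name: unknown Ip Address: unknown Reason:Attempted to use IP Address assigned to another device. ReasonCode: 3
*DHCP Socket Task: Oct 11 09:11:55.102: aa:bb:cc:dd:ee:01 DHCP option: requested ip = 10.16.0.23
*DHCP Socket Task: Oct 11 09:11:56.591: 2c:be:08:f5:14:d6 DHCP option: requested ip = 10.16.0.254
*DHCP Socket Task: Oct 11 09:12:01.004: 2c:be:08:f5:14:d6 DHCP option: requested ip = 10.16.0.254
"""

MAC = r"[0-9a-fA-F:]{17}"
EXCLUDED_RE = re.compile(rf"Client Excluded: MACAddress:({MAC}).*?ReasonCode: (\d+)")
DHCP_REQ_RE = re.compile(
    rf"\*DHCP Socket Task: (.*?): ({MAC}) DHCP option: requested ip = (\d+\.\d+\.\d+\.\d+)"
)

IP_CONFLICT = 3  # ReasonCode 3: "Attempted to use IP Address assigned to another device"


def conflicting_ips(output):
    """Map each client excluded for an IP conflict to the IPs it requested via DHCP."""
    excluded = {}                   # mac -> reason code
    requested = defaultdict(set)    # mac -> set of requested IPs
    for line in output.splitlines():
        m = EXCLUDED_RE.search(line)
        if m:
            excluded[m.group(1).lower()] = int(m.group(2))
            continue
        m = DHCP_REQ_RE.search(line)
        if m:
            requested[m.group(2).lower()].add(m.group(3))
    # Only clients excluded for the IP-conflict reason are reported; a client that was
    # excluded but never seen in the DHCP debug lines maps to an empty list.
    return {
        mac: sorted(requested.get(mac, ()))
        for mac, code in excluded.items()
        if code == IP_CONFLICT
    }


if __name__ == "__main__":
    for mac, ips in conflicting_ips(SAMPLE_WLC_OUTPUT).items():
        print(f"{mac} excluded while requesting: {', '.join(ips) or 'no request seen in debug output'}")
```

Paste the controller's "show" and debug output into a file and feed its contents to `conflicting_ips`; each address it returns is a candidate to exclude (or to track down as a statically configured host) on the DHCP server.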

Howto: Upgrade Cisco Lightweight to Autonomous AP


1. Telnet to the AP's IP address.
2. Log in with the default credentials:
Username: cisco
Password: Cisco (capital C)
3. Type: enable
4. Password: Cisco
5. Type: debug capwap console cli
6. Type: configure terminal
7. Type: end
8. Type: archive download-sw /o /f tftp://x.x.x.x/filename
e.g. archive download-sw /o /f tftp://x.x.x.x/ap3g2-k9w7-tar.153-3.JAA.tar


Source: Convert Lightweight to Autonomous AP – Cisco

Cisco Anyconnect: Failed to initialize connection subsystem windows update

UPDATE: You can use KB3023607


This issue was introduced by the Windows updates KB3023607, KB3034682 and KB3021952.

Fix 1 (worked for me):
Uninstall KB3023607, KB3034682 and KB3021952.
Reinstall the Cisco AnyConnect client (I used version 3.1.06079).

Fix 2:

  1. Close the Cisco AnyConnect window and the taskbar mini-icon.
  2. Right-click vpnui.exe in the “Cisco AnyConnect Secure Mobility Client” folder (I have it in “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\”).
  3. Click the “Run compatibility troubleshooter” button.
  4. Choose “Try recommended settings”.
  5. The wizard suggests Windows 8 compatibility.
  6. Click “Test Program”. This opens the program.
  7. Close.

Sources:
1. http://christierney.com/2015/02/11/cisco-anyconnect-failed-to-initialize-connection-subsystem/
2. http://www.reddit.com/r/sysadmin/comments/2vk5w6/cisco_anyconnect_error_failed_to_initialize/

Key Not Valid for Use in Specified State error installing Anyconnect

If you get this error when trying to install Cisco AnyConnect:
Key Not Valid for Use in Specified State

The Danish version of the message reads:
Nøglen er ikke gyldig for anvendelse i den angivne tilstand.

Do the following:

Move the folder RSA from

C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA to, say, C:\RSA (so it can be restored if needed), then try installing again.
This folder appears to act as a cache and should be rebuilt automatically as required.

Source: https://discussions.apple.com/thread/6514053

How to upgrade Cisco switches in Mixed Stack


In this example I upgrade a mixed 2960 stack, consisting of 2960S and 2960X switches.

In order to upgrade the whole stack at once, I have to provide the firmware image for each model in the stack (X and S series); the images have to be the same version, e.g. version 15.0.2 EX5.

This command downloads the images, distributes the right image to the right switch in the stack, and upgrades all switches:

archive download-sw tftp://[IP of the tftp server]/c2960x-universalk9-tar.150-2.EX5.tar tftp://10.100.65.230/c2960s-universalk9-tar.150-2.EX5.tar

Sources:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/switch_stacks.html#wp66853