cisco, linux, networking

Upload files to your Cisco ASA via pscp – no password prompt

by tini

– make sure you have defined user on ASA with privilege 15
– make sure you have ssh scopy enable configured
– on your linux host enter pscp -pw <password> <filename> <username>@<ASA IP>:<location/filename>

something like: pscp -pw THISisp4ssw0rdf anyconnectfile.pkg adminusername@8.8.8.8:disk0:/anyconnectfile.pkg

if you want to use scp with password prompt use: scp anyconnectfile.pkg adminusername@8.8.8.8:disk0:/anyconnectfile.pkg

PSCP client available here.

cisco, networking

BGP cannot connect

by tini

Simple configuration in GNS3 won’t work. All I get from debug is:

went from nsf_not_active to nsf_not_active

The solution is quite simple: under BGP process and neighbor statement add “disable-connected-check

cisco, networking

Remote access VPN not working with Cisco router and iPhone

by tini

Recently I had a situation where customer asked me to configure remote access VPN on his old Cisco 871. Configuration was quite simple but I had problem with connecting iPhone to his network.

The solution is quite simple: apparently Apple doesn’t like 3des so I had to configure transformset like this:

crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac

cisco, networking

BGP session flapping

by tini

my customer is peering with 2 ISP’s and has configuration with 2 BGP routers mutually connected with iBGP.
routers are reciving full tables from ISP’s and has 4 byte AS (XXXXXX).

recently we noticed that BGP session between customer and ISP2 is constantly flapping each 3 minutes. logs didn’t show anything useful

%BGP-4-MSGDUMP: unsupported or mal-formatted message received from X.X.X.X

I searched cisco forums and tried to isolate problem by inserting hidden command “neighbor X.X.X.X dont-capability-negotiate”.

%BGP-3-NOTIFICATION: received from neighbor X.X.X.X active 2/2 (peer in wrong AS) 2 bytes 5BA0

by reading this article I assumed that ISP is announcing itself with wrong AS.

problem was finally solved by entering command in global configuration mode (and removing dont-capability-negotiate)

ip tcp mss 1440

To learn something more about TCP MSS go here.