Friday, June 15, 2007

Missing command on ASA for dynamic VPN.

There seems to be an update on how ASAs handle dynamic IP VPN connections. You used to be able to use the command 'authentication-server-group none' under the DefaultRAGroup general attributes. In the 7.2.2 version, this command is considered deprecated and won't work! This goes for new installs or upgrades.

The key command to add under the DefaultRAGroup is now:
isakmp ikev1-user-authentication (outside) none
Here, outside is the interface name, and none turns off IKEv1 user authentication for this group on that interface. Take note that if you are in the DefaultRAGroup and do a ? after isakmp, you won't see this command; it's hidden. Trying to make it easy for people I suppose...

The guide to configure this can be found here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
The 7.2.2 code should only need the updates listed here to work.

Wednesday, June 06, 2007

BBSM Database fix

I ran into an issue recently when working with a Cisco BBSM server. Apparently, the BBSM doesn't like large subnets. Making changes on the web interface would basically lock up the server. The database was stuck in an 'initializing' state. I'm not sure why, but it seemed to be trying to validate each IP in the various DHCP pools one by one. There is a way to force the BBSM back in service though.

Commands to confirm the problem:
First, execute the osql utility from the command line of the BBSM.

osql -d atdial -E

You will now see a numbered prompt. Enter the following command to check the Server State:
1> select * from server_configuration
2> go
You will now see a lot of output. Basically you are checking if the Server State is listed as Initializing.

Now to fix the problem:

1> update server_configuration set serverstate="running"
2> go

Confirm that it's working:
1> select * from server_configuration
2> go

You will see that the Server State is now running.