
ASDM Error: Unconnected socket not implemented

December 23rd, 2008

When you receive the following error while starting ASDM:

ASDM Error: Unconnected socket not implemented

Check your Java version. The error occurs when you run Java 6 Update 10 or higher together with ASDM 6.1.5 or lower. There are two workarounds for this problem:

  1. Downgrade Java to Java 6 Update 7 or lower.
  2. Upgrade the ASDM software.

Cisco released an ASDM interim release (6.1.5.57) that resolves the problem above.

Netstat on IOS router

December 4th, 2008

I often use the netstat command on a Windows machine to check on which IP addresses and ports a server or workstation is listening, and which connections are established.

By accident I found the same kind of command for a Cisco IOS router while I was looking through the CLI. Check out the output below:

Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:23     10.10.8.181:3682                   Telnet ESTABLIS
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp              *:50015                  *:0                  IP SNMP   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
udp                *:162                  *:0                  IP SNMP   LISTEN
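The output above is worth more than a quick glance: it is an inventory of every management service the router accepts connections for. The following script is an added example (not part of the original post) that parses this exact output format and flags the entries a defender would want to act on: the Telnet listener, which carries credentials in cleartext while SSH on port 22 is already available, the established Telnet session from 10.10.8.181, and the SNMP agent on UDP 161, whose community strings and version should be reviewed. The parsing rule it assumes is that the first three columns and the last column are single tokens, so the service name (which may contain spaces, as in "IP SNMP") is whatever sits in between; the sample text is the post's own output, embedded as constructed test input.

```python
"""Parse 'show control-plane host open-ports' output and review the listeners.

Added example: parses the output shown in the post and flags management
services that deserve attention. Not code from the original post.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the router output from the post, verbatim.
SAMPLE_OUTPUT = """\
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:23     10.10.8.181:3682                   Telnet ESTABLIS
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp              *:50015                  *:0                  IP SNMP   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
udp                *:162                  *:0                  IP SNMP   LISTEN
"""


@dataclass
class OpenPort:
    proto: str
    local: str
    foreign: str
    service: str
    state: str

    @property
    def local_port(self) -> int:
        # Split on the last colon so "*:22" and IPv6 addresses both work.
        return int(self.local.rsplit(":", 1)[1])


def parse_open_ports(text: str) -> List[OpenPort]:
    """Return one OpenPort per tcp/udp row; prompt, banner and header are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] not in ("tcp", "udp"):
            continue
        # Assumption: proto, local, foreign and state are single tokens, so the
        # service name is everything in between ("DHCPD Receive", "IP SNMP").
        entries.append(OpenPort(
            proto=tokens[0], local=tokens[1], foreign=tokens[2],
            service=" ".join(tokens[3:-1]), state=tokens[-1]))
    return entries


def listening_ports(entries: List[OpenPort]) -> List[Tuple[str, int]]:
    """Sorted (proto, port) pairs the router is listening on: the exposed surface."""
    return sorted({(e.proto, e.local_port) for e in entries if e.state == "LISTEN"})


def review(entries: List[OpenPort]) -> List[str]:
    """Defender-oriented findings for cleartext or sensitive management services."""
    findings = []
    for e in entries:
        port = e.local_port
        if e.proto == "tcp" and port == 23 and e.state == "LISTEN":
            findings.append(f"Telnet listener on {e.local}: credentials cross the "
                            "network in cleartext; prefer SSH (already up on port 22)")
        elif e.proto == "tcp" and port == 23:
            # IOS truncates the state column ("ESTABLIS"), so match on port, not state.
            findings.append(f"Active Telnet session from {e.foreign}: verify it is expected")
        elif e.proto == "udp" and port == 161:
            findings.append(f"SNMP agent on {e.local}: review SNMP version, community "
                            "strings and the ACL applied to the community")
    return findings


if __name__ == "__main__":
    parsed = parse_open_ports(SAMPLE_OUTPUT)
    print("Listening:", listening_ports(parsed))
    for finding in review(parsed):
        print("-", finding)
```

In practice you would feed the script the output of the same command captured over SSH from each router and diff the listening set against a baseline; a new listener or an unexpected established management session is exactly what this view exists to reveal.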

GRE over IPsec with Cisco ASA

December 3rd, 2008

In various scenarios a routing protocol has to run between two offices, which means the routers must appear directly connected to each other. Normally I configure an IPsec VPN between the two offices and add a GRE tunnel over the IPsec tunnel. That way the routers look directly connected and adding a routing protocol is no problem.

In the past I noticed several times that the GRE tunnel doesn’t come up when a Cisco PIX or Cisco ASA firewall is involved. With IOS 6.x on the PIX, or 7.x on either hardware platform, there is a workaround using the following command:

clear local-host <remote peer>

Cisco has documented this bug as BugID CSCse36327:

The IPSEC tunnel was previously working and either one of the following events occurred:
1. the crypto map and/or isakmp has been removed and reapplied to the interface
2. the PIX/ASA is upgraded from version 6.x to version 7.x
3. the PIX/ASA is rebooted
4. The remote IPSEC peer/s is rebooted

All events except 1 occur when a dynamic crypto map is used without a match address statement.
This typically affects only GRE traffic.

In PIX/ASA 7.x, GRE encryption may stop working (GRE packets are sent in clear) after removing and reapplying the encryption. This behaviour is by design in 7.x. If encryption is disabled but GRE packets are coming to the PIX in this time, a GRE session is created on the PIX and marked as a clear-text one (“do not encrypt”). When encryption is applied back, the non-encrypted GRE session still exists on the PIX and GRE packets that should be encrypted still bypass the crypto map until the old session is timed out or deleted. If there is dynamic routing (OSPF/EIGRP/etc.) running over GRE, this GRE session may never time out and should be cleared manually.

In PIX/ASA 8.0.2, new functionality was introduced with new CLI command: “sysopt connection reclassify-vpn”. Default state is disabled. If this command is enabled, then enabling encryption causes non-encryption sessions to be dropped and reestablished with encryption.

So, as the bug report mentions, 8.0.2 introduces a new command for this: sysopt connection reclassify-vpn.

There is also an entry about this problem on the Cisco Support Wiki. Next time I will try this new command.