Archive for category Cisco

QM FSM error

Getting a “QM FSM error” while establishing a Cisco VPN? Particularly site-to-site, and even more particularly with IOS on one end and a Pix/ASA on the other?

Go to the Pix/ASA side and remove Perfect Forward Secrecy (PFS). Rather than tell you it’s incompatible, it just barfs because it can’t read it (because it’s, you know… encrypted).

no crypto map outside 1 set pfs group2

If anyone finds a better error message than the ubiquitous “QM FSM error” let me know and I will post it.




Migrating from Cisco Pix to Cisco ASA

One of the most notable differences between Cisco ASA devices and Cisco Pix devices to be aware of is that the ASA devices don’t support the PPTP protocol (think of it as sanity catching up to your organization), and that the ASA5505 doesn’t support EZVPN server mode. While these may sound trivial, suddenly changing the way employees connect can feel like a cultural issue.

Another difference, and one I wouldn’t have guessed until I saw it on a customer system, is that capitalization alone is not enough to distinguish names on the ASA: you cannot assign Test1 to an IP address and TEST1 to a different address, because they are the same reference. Again, think of it as sanity enforcement; your organization should not be using the caps-lock key as an address discriminator. The PDM “name” function is not supported at all, and there are a handful of other warnings when importing.

There is a utility from Cisco available to assist in importing; alas, I have never used it because I like to know exactly what is changing. Yes, this can be a big job when working with 20,000 lines of configuration, but the last job I did of that size was 100% successful, not just 99%, due to understanding the details of each conversion issue. My process is to reflect the changes back into the source and then re-import until there is a completely clean import.

VPN organization is also very different: there are tunnel groups, ISAKMP definitions and group policies, and these require an understanding of the intent and the security policies behind your VPN rules.

For those needing help converting from Pix to ASA, you may want to get an expert involved, especially to understand the impact on security policy. After all, the firewall device is meant to be the implementation of a security policy; it should not be the security policy itself.

For help in migrating or configuring Cisco ASA security appliances or VPN connectivity and architecture email security @

I also recommend a follow-up security scan if ever there is any doubt. One should be done periodically anyway, so post-conversion is an ideal time.

Bil Herd



Make life more orderly while picking through large Cisco ASA firewalls

Need to see everything as IP numbers when searching and scrolling through Cisco ASA Security Appliances (firewalls)? Run the following command from the configuration mode prompt:

no names

Don’t forget to set it back when done!



(Mostly) No split-tunnel on Cisco VPN Clients

Split tunnel is where the person connected to your corporate network via their VPN can also go willy-nilly to the Internet at the same time. This is generally considered to be a bad thing, though I have heard a “security consultant” recommend to the customer, with me in the room, to go ahead and do this because it made it easier for him to connect.

Bad consultant. He should learn about bots, back-doors and viruses/worms in general.

However, there is an issue with no-split-tunnel in the Cisco world, or at least when using the VPN client version 5 and the ASA, and at least when trying to be selective. By that I mean: what if I want to get to one thing locally and tunnel the rest?

The problem appears as soon as you don’t pick “Tunnel Everything” as your selection and instead use “Tunnel Network List Below”: trying to tell it to tunnel “any”, or even something like a , won’t stop traffic from going to everything behind the local interface. It seems that the local /24 wins the most-specific-route contest against the “tunnel this specific /8” route that gets pushed down.

To use “Tunnel Network List Below” to prevent local traffic, add an entry in the ACL that matches the /24 of the local LAN (assuming it’s a /24; you get the idea). Now when you display the routing table while the VPN is connected (netstat -nr in Windows or Unix) you will see the local LAN but also a matching route from the VPN, and it now stands a chance of winning.
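As an added example (not from the original post), here is what the two variants look like on the ASA side. The addresses and names are constructed: 10.0.0.0/8 stands for the corporate network that gets pushed down, 192.168.1.0/24 for the remote user’s local LAN, and the ACL and group-policy names are hypothetical.

```cisco
! Added example, not from the original post. Constructed addresses and
! hypothetical names; substitute your own corporate range and client LAN.
!
! --- Variant 1: only the corporate /8 is in the tunnel list.
! On the client, the directly connected 192.168.1.0/24 is more specific
! than the pushed /8, so local traffic goes out the local interface.
access-list SPLIT_TUNNEL_V1 standard permit 10.0.0.0 255.0.0.0
!
! --- Variant 2: also list the client's local /24.
! The client now receives a 192.168.1.0/24 route via the VPN adapter as
! well, which competes with the directly connected route for that LAN.
access-list SPLIT_TUNNEL_V2 standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL_V2 standard permit 192.168.1.0 255.255.255.0
!
! Apply the list with the "Tunnel Network List Below" policy
! (tunnelspecified). Point this at SPLIT_TUNNEL_V2 for the fix.
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_V2
!
! The unconditional "Tunnel Everything" policy needs no list at all:
!   split-tunnel-policy tunnelall
!
! Check from the client once connected:
!   netstat -nr   (Windows or Unix)
! Expect 192.168.1.0/24 to appear twice, once on the physical adapter
! and once on the VPN adapter.
```

Because the client LAN range differs from user to user, the listed /24 only covers the LANs you anticipate; tunnelall remains the way to cover every local network without guessing.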

See my next post about why the access list seems to be reversed when applying an ACL to a VPN as either a tunnel list or filter list.



Trunking on Home and Small Office Switches

I bought a couple of the Cisco/Linksys SLM200x series gig switches (SLM2005, SLM2008) for under $100 each. I wasn’t going to go for hundreds of dollars to get an IOS switch like I am used to, plus the IOS stuff is still 10/100 for the bulk of the ports.

I was really happy to see the “Enable Jumbo Frames” check-box; I started to suspect that I could use one wire to connect two networks while keeping them separate. Jumbo frames means a packet that is 4 bytes bigger than a standard Ethernet packet can still get through.

What’s 4 bytes bigger? A packet that has been tagged with 802.1Q trunking protocol headers. What’s interesting about 802.1Q is that the native VLAN is still the normal size; I suspect there is a lot of equipment out there that works because the native packet makes it through while the trunked packets appear too alien to get any further. Cisco’s trunking protocol, Inter-Switch Link (ISL), encapsulates every VLAN, which means that you can’t be flipping and trunking the interconnects between two switches without running to each side of the connection or being very careful in the order you do things.

In my case I have a business VLAN I wanted separate from a test VLAN, and on top of that I had VoIP. To do trunking I made sure the native VLANs lined up on both ends and then selected a 2nd VLAN on both sides of the link between the two switches using the VLAN selector in the web-based configuration. I checked “allow jumbo frames” and, for good measure, disabled the egress filters that select tagged packets, even though there was a setting for “all” packets.

Now you can break out a single port by making it just a member of the 2nd VLAN. In my case I spent $20 for a new gig Intel Ethernet card for the desktop and brought the trunk right into the desktop. Again I made the native line up and selected the next VLAN. My system now shows a total of three connectoids in Windows, one for the natural interface and one each for each VLAN. I get IP addresses and DNS from 2 DHCP servers on two separate networks.

Oh yeah, you have to reboot the switches after doing this much to them; I suspect that they need to build some forwarding tables from scratch.

Other nice things about the SLM series, beyond being manageable in general: there are several ways to set up QoS, port-based or by traffic type, and you can modify the priority mechanism a little or go to strict priority. Just setting the port my phone was plugged into to be a high-priority port, using strict priority, yielded the first 98% of the results I was looking for.

They also do port monitoring for sniffing and have a full multi-VLAN Spanning Tree implementation including PortFast. The device is sold as a Light Managed switch, but for SoHo it’s as managed as I needed, especially for VLANs at gig speeds; I am cutting down on a few cables by sharing.



PDM to Cisco Pix not working

First pointed out to me by my tech Rob: some of the Cisco PIX/PDM combinations won’t make a connection on the outside interface in spite of being properly configured. Try SSHing to the external interface and check the PDM again. I have seen this almost half a dozen times in the last couple of years; the last was PIX software version 6.3(5) running PDM 3.0(1).

