This is due to Cisco bug ID CSCuh61321 and has been seen in Release 9.x: the ASA pushes the non-default DTLS port to the client but continues to listen on the default port. Consequently, the DTLS tunnel is never built and AnyConnect reconnects. The thing to check is therefore whether the DTLS port the client is told to use matches the port the ASA is actually listening on.
Some VPNs allow split tunneling; however, Cisco AnyConnect and many other solutions give network administrators a way to forbid it. When split tunneling is disabled, connecting to the VPN seals the client off from the rest of the LAN, and on a workstation that can also cover locally attached virtual networks such as a VM's host-only adapter.
Oct 23, 2020. By default, FTD and ASA have application inspection enabled in their global policy-map. In most scenarios the VPN phones are then unable to establish reliable communication with the CUCM, because the application inspection on the AnyConnect headend modifies the signalling and voice traffic.

Authentication Port: the port used to communicate with the RADIUS server. The default port is 1812. Server Timeout: the time in seconds that Cisco ISE should wait for a response from the RADIUS token server before it determines that the primary server is down. The default timeout value is 5 seconds.
Started using docker at work again.
All the previous work is almost outdated and the old scripts are broken. Been getting issues all over the place.
Normally, I connect remotely over VPN using Cisco's AnyConnect Client.
The big one is not being able to connect to the docker-machine (on Windows) while connected to work's corporate network. `docker-compose` cannot connect to the docker containers. The error message is similar to:
This machine has been allocated an IP address, but Docker Machine could not reach it successfully. SSH for the machine should still work, but connecting to exposed ports, such as the Docker daemon port (usually <ip>:2376), may not work properly. You may need to add the route manually, or use another related workaround. This could be due to a VPN, proxy, or host file configuration issue.
The only solution I found that works is to port-forward and then explicitly set `DOCKER_HOST`. This causes cert issues that can be overcome with env vars.
Using `docker-compose` to manage the containers, I couldn't get `--tls-verify` to do anything.
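The port-forward plus `DOCKER_HOST` workaround described above, written out as a script. This is an added example and not code from the original post. It assumes things the post does not state: the VirtualBox driver, whose SSH endpoint `docker-machine` reaches on 127.0.0.1 through a NAT port forward (which is why the error message says SSH should still work), the usual machine directory layout with `id_rsa`, `ca.pem`, `cert.pem` and `key.pem`, and a daemon inside the VM listening on all interfaces on 2376. The environment it emits uses the docker CLI's `DOCKER_TLS` variable (the same as `--tls`) so client-certificate authentication stays on while `DOCKER_TLS_VERIFY` is left unset; the function name `docker_tunnel_env` and the `up` argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. When the VPN makes the
# docker-machine VM's host-only IP unreachable, tunnel the daemon port
# over SSH and point docker/docker-compose at the local end of the tunnel.
#
# Assumptions not stated in the post: the VirtualBox driver, whose SSH
# endpoint docker-machine reaches on 127.0.0.1 through a NAT port forward
# (which is why "SSH for the machine should still work"), the usual
# machine directory holding id_rsa, ca.pem, cert.pem and key.pem, and a
# daemon in the VM bound to 0.0.0.0:2376.

MACHINE="${MACHINE:-default}"
LOCAL_PORT="${LOCAL_PORT:-2376}"
MACHINE_DIR="${MACHINE_STORAGE_PATH:-$HOME/.docker/machine}/machines/$MACHINE"

# Refuse to go further without the client certificate material; without it
# the daemon rejects the connection and the failure is confusing.
check_machine_dir() {
  for f in id_rsa ca.pem cert.pem key.pem; do
    if [ ! -r "$1/$f" ]; then
      echo "missing $1/$f" >&2
      return 1
    fi
  done
  return 0
}

# Emit the exports that make the docker CLI use the tunnel.
#   DOCKER_HOST        - the local end of the tunnel, not the VM's own IP
#   DOCKER_CERT_PATH   - where ca.pem/cert.pem/key.pem live
#   DOCKER_TLS=1       - keep TLS and client-cert auth (same as --tls)
#   DOCKER_TLS_VERIFY unset - do not check the server cert against
#                        127.0.0.1, an address it was not issued for; this
#                        is the env-var side of the cert errors the post mentions
docker_tunnel_env() {
  dir="$1"; port="$2"
  printf 'export DOCKER_HOST=tcp://127.0.0.1:%s\n' "$port"
  printf 'export DOCKER_CERT_PATH=%s\n' "$dir"
  printf 'export DOCKER_TLS=1\n'
  printf 'unset DOCKER_TLS_VERIFY\n'
}

# Background SSH tunnel: 127.0.0.1:LOCAL_PORT on the host -> 2376 inside the VM.
# Bound to loopback only, so nothing else on the LAN can reach the daemon.
# The host-key options mirror what "docker-machine ssh" itself uses for
# throwaway local VMs; do not copy them for a remote host.
open_tunnel() {
  ssh_port=$(docker-machine inspect -f '{{.Driver.SSHPort}}' "$MACHINE")
  ssh_user=$(docker-machine inspect -f '{{.Driver.SSHUser}}' "$MACHINE")
  ssh -i "$MACHINE_DIR/id_rsa" -p "$ssh_port" \
      -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
      -f -N -L "127.0.0.1:$LOCAL_PORT:127.0.0.1:2376" "$ssh_user@127.0.0.1"
}

# Usage: eval "$(sh tunnel.sh up)"   and then   docker info / docker-compose up
if [ "${1:-}" = "up" ]; then
  check_machine_dir "$MACHINE_DIR" || exit 1
  open_tunnel || exit 1
  docker_tunnel_env "$MACHINE_DIR" "$LOCAL_PORT"
fi
```

`docker-compose` reads `DOCKER_HOST` and `DOCKER_CERT_PATH` from the same environment, so once the exports are evaluated it talks to the tunnel too. Leaving `DOCKER_TLS_VERIFY` unset means the client no longer authenticates the daemon, only the daemon authenticates the client; that is acceptable here because the tunnel endpoint is bound to loopback, and it is the reason not to forward the port on 0.0.0.0.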
One of the main advantages of a central point of network access policy management (Cisco ISE) is the possibility of keeping a common access-port configuration across the network, regardless of location, switch type and the users connected. To configure the switch as a RADIUS client with a unified port configuration, follow the template below (adjusted to your network details, passwords, etc.). This configuration enables 802.1X and MAB access (including wired Guest Portal authentication).
! Global AAA: 802.1X authentication against RADIUS with local fallback,
! network authorization from RADIUS, and session accounting so ISE sees
! start/stop for every 802.1X/MAB session (the dot1x accounting list is
! the one applied to these sessions; a "network" list is not)
aaa new-model
aaa authentication dot1x default group radius local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! RADIUS client settings: source from the management SVI, include the
! attributes ISE keys on, and fail over between the two PSNs
ip radius source-interface Vlan10
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 2
radius-server host 10.254.4.22 key Cisco123
radius-server host 10.254.4.23 key Cisco123
radius-server deadtime 5
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
!
! Unified access-port template: 802.1X and MAB, multi-auth, and a
! critical-VLAN fallback when both RADIUS servers are dead
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 authentication event server dead action reinitialize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
end
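The value of a unified template is lost as soon as one port on one switch is "fixed" by hand and left without `authentication port-control auto` or `mab`, because that port is then an unauthenticated door into the VLAN. The audit below is an added example, not part of the original template: it reads a saved `show running-config` and reports every access port missing part of the per-port template above. The function name `audit_dot1x_ports` and the sample configuration are this example's own; the sample is constructed, not taken from a real switch.

```shell
#!/bin/sh
# Added example, not part of the original template: audit a saved
# "show running-config" (plain text, interface sub-commands indented by
# one space, blocks separated by "!" lines) and report every access port
# that lacks part of the 802.1X/MAB template above.

# Report "<interface>: missing <command>" for each required command absent
# from an access port. Trunks and interfaces without "switchport mode
# access" are skipped. Argument: path to the config file.
audit_dot1x_ports() {
  awk '
    BEGIN {
      # per-port commands the template requires on every access port
      n = split("authentication port-control auto|authentication host-mode multi-auth|mab|dot1x pae authenticator", want, "|")
    }
    function flush(   i) {
      if (name == "" || !access) return
      for (i = 1; i <= n; i++)
        if (!(want[i] in have)) printf "%s: missing %s\n", name, want[i]
    }
    /^interface / { flush(); name = $2; access = 0; split("", have) }
    /^ / && name != "" {
      line = $0; sub(/^ +/, "", line); sub(/ +$/, "", line)
      have[line] = 1
      if (line == "switchport mode access") access = 1
    }
    /^[^ ]/ && !/^interface / { flush(); name = "" }   # "!" or "end" closes the block
    END { flush() }
  ' "$1"
}

# Constructed sample config (not from a real switch): Fa0/1 follows the
# template, Fa0/2 was edited by hand and lost MAB and multi-auth, Fa0/3
# has no authentication at all, Gi0/1 is a trunk and must be ignored.
sample_config() {
cat <<'EOF'
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 authentication event server dead action reinitialize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
!
interface FastEthernet0/2
 description printer - reconfigured by hand
 switchport access vlan 10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description uplink
 switchport mode trunk
!
end
EOF
}

# Stand-alone run: audit the sample; expect findings for Fa0/2 and Fa0/3 only.
tmp=$(mktemp)
sample_config > "$tmp"
audit_dot1x_ports "$tmp"
rm -f "$tmp"
```

Run it against the output of `show running-config` pulled from each switch and diff the findings between runs. It only flags ports that explicitly carry `switchport mode access`; a port with no `switchport mode` line at all (left in its dynamic default) is not reported and deserves a separate look.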