Fortigate: Web Filtering is “Unreachable”

I came across this problem: I am unable to use the "Web Filtering" feature on my Fortigate 200B on firmware 5.2.11. The Web Filter shows the following error before you can create a profile. Licensing information on the Fortigate portal shows I am licensed to use Web Filtering, but on my local firewall the error shows "Unreachable". Things …

UniFi: Run the Controller as a Windows service

Here is a useful guide from Ubiquiti with regards to running the Controller service as a Windows Service. This is essential when running a centralized controller for your APs, and to make sure your controller runs automatically after a restart rather than having to start it manually. Originally posted at: https://help.ubnt.com/hc/en-us/articles/205144550-UniFi-Run-the-Controller-as-a-Windows-service Readers will learn …

Fortigate: How to allow (or deny) wildcard FQDN (Domains) in Policy

The answer is No. It won't work. As we all know, a Wildcard FQDN firewall address should not be used in a firewall policy (full details here). The simple explanation is that the firewall won't be able to query *.example.com when it tests the policy. There is, however, a workaround. Use WEB-POLICY. In my …

Tricks: How to debug a specific IPSec VPN Tunnel on Cisco.

Let’s say you’ve got a router with well over 100 IPSec VPN peers, and you’ve got this one tunnel that just won’t form correctly. You're not sure why and want nothing more than to debug the IPSec process for this one peer, but you know if you debug the isakmp or ipsec process you're going …

Restarting VPN Tunnels on Cisco

In some rare cases, VPN tunnels hang up randomly and need to be bounced or restarted to restart the VPN tunnel negotiation; in some cases that is the easiest fix for VPN-down issues. Check Phase 1 status of the tunnel: show crypto ipsec sa. Normal/UP status should show: QM_IDLE (more info on status here). Restarting VPN …

How to Clear IPSec VPN Remote Peer on Cisco IOS

The following command clears the crypto sessions for a remote IKE peer. You can use context-sensitive help (?) to find other options. This command will also reset the encap/decap counters in the show crypto ipsec sa peer <PEER_IP_ADDRESS> output.

Syntax: clear crypto session remote IP_ADDRESS

Example: clear crypto session remote 1.1.1.1

Troubleshooting Cisco VPN Phase 2

Problem: It’s been over two years since I wrote Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels. I’ve always meant to come back and write the ‘Phase 2’ article but never got around to it. This article is NOT intended to be a ‘fix all’ for phase 2 problems; it’s designed to point you in the …

Troubleshooting Cisco VPN Phase 1

Problem: Site to Site VPNs either work faultlessly straight away, or involve head scratching and a call to Cisco TAC, or someone like me to come and take a look. If I’m honest, the simplest and best answer to the problem is “Remove the Tunnel from both ends and put it back again”. Just about every VPN tunnel …

Useful Cisco Site-to-Site VPN Phase 1 and 2 Status Troubleshooting Commands

One way is to display it with the specific peer IP.

Check Phase 1 Tunnel: ASA#show crypto isakmp sa detail | b [peer IP add]

Check Phase 2 Tunnel: ASA#show crypto ipsec sa peer [peer IP add]

Display the PSK: ASA#more system:running-config | b tunnel-group [peer IP add]

Display Uptime, etc.: ASA#sh vpn-sessiondb detail l2l …

Issue: Android users cannot connect to Wireless on Cisco Meraki APs

This article is to be used as a short reference guide on how to manually set up a WPA2-Enterprise with RADIUS Authentication (IEEE 802.1X) wireless profile on Android devices. This profile will allow client devices to connect to the SSIDs configured with WPA2-Enterprise with 802.1X authentication as the association requirement. 1. At the home page, navigate …