Thursday, September 18, 2025

Cisco Secure Access Docker

 

sudo apt-get update

sudo apt-get install ca-certificates curl

sudo install -m 0755 -d /etc/apt/keyrings

sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc

sudo chmod a+r /etc/apt/keyrings/docker.asc

echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

sudo docker run hello-world


sudo apt install -y jq

sudo apt install -y runit-daemon daemontools-run

curl -o setup_connector.sh https://us.repo.acgw.sse.cisco.com/scripts/latest/setup_connector.sh 

chmod +x setup_connector.sh


sudo /opt/connector/install/connector.sh launch --name Docker1 --key OTVlMmFiMTczMjliNDUwNGI5ZmE0NzNjNGU3MTBhNzQ6YmJhZDczYjliNzUxNGY5MWFhMDY1MTRlYzJkMDRlYjk=


Running a script at system boot using cron with crontab automation:

sudo crontab -e

@reboot sudo /opt/connector/install/connector.sh launch --name Docker1 --key OTVlMmFiMTczMjliNDUwNGI5ZmE0NzNjNGU3MTBhNzQ6YmJhZDczYjliNzUxNGY5MWFhMDY1MTRlYzJkMDRlYjk=


Docker operations:

docker ps

docker stop CONTAINER_ID

docker images

docker rmi IMAGE_ID

docker rmi 2ab00c6e6c94 -f 

Monday, March 3, 2025

Create SSH Key

Reference link

https://docs.digitalocean.com/products/droplets/how-to/add-ssh-keys/create-with-openssh/

https://www.ssh.com/academy/ssh/putty/windows/puttygen

https://docs.sse.cisco.com/sse-user-guide/docs/deploy-connector-vmware#ssh-key-generation

Examples:
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"


% ssh-keygen -t rsa -b 4096 -C "tkurokaw@xxx.com" 

      

Generating public/private rsa key pair.

Enter file in which to save the key (/Users/taka/.ssh/id_rsa): /Users/taka/.ssh/tk_rsa

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /Users/taka/.ssh/tk_rsa

Your public key has been saved in /Users/taka/.ssh/tk_rsa.pub

The key fingerprint is:

SHA256:OdB5bXaKj4HzBMosVTSTCH5XdG54ntAPjGAHm0jHwy0 tkurokaw@cisco.com

The key's randomart image is:

+---[RSA 4096]----+

|    ...=X=+ .    |

|   . ..*EX.O     |

|    . = Bo= @ .  |

|     = + = O *   |

|    . + S + + .  |

|     .   = +     |

|          o .    |

|                 |

|                 |

+----[SHA256]-----+


% ls -al /Users/taka/.ssh/

<snip>

-rw-------   1 taka  staff   3381 Mar  4 15:47 tk_rsa

-rw-r--r--   1 taka  staff    744 Mar  4 15:47 tk_rsa.pub

 

% more /Users/taka/.ssh/tk_rsa

-----BEGIN OPENSSH PRIVATE KEY-----

-----END OPENSSH PRIVATE KEY-----


% more /Users/taka/.ssh/tk_rsa.pub 

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJy8baSNz7hQiUoz2quglMp79gjkMd56DqGVxRSdglHyE5WGBsx4S3lXP6GmaiDS0oE8BW1uoLArGO0dE7+D96uD2VhgClMtYNeqANdLM1ftNWRf9Y4EBTa8Lg1UV8xLHBBmXKX8+tTs0ZNut02JDouAoS2ZCeCmUlpbl7sgZ5BDsvhoQaILJ/AlHmeJ8Sp0PUYCr17WjIacZ2T4yQV6ENmrtlrZ5C1vL6cX6vUKqoSA+XWfG4RIAgzlLs23hw7KYxpHLLHsrfs1rte1IAPNacAMm+FoyPHUNVzYmYjk1wGBqzr0UjrkmvowgHG0+F4QGvT4y8r0UhWLUCrZLwgJyR40FO7Z1PxX+omkwdB4QQele9JpX51cHxof6nmWRKbxgl71FkB6wapkA/ZoDvwd+LuiNW5JHSQOgX2KmU+Wm09u8dPwbvnru+j3Rmwi8hogxoZmciXau0L9L8jH32I1RDutciAQB+ax/M905A1F1sOHHhIYAM4bHK50LX4zVgq1EneVB1mIr1TVJYuytOiPqG8wd+Ty8Y4E1HMlppxUP5Loq2Y5tXdsmruO6aOPNmXvYO0/29oXvsOQzN4tnltxYF5Fy/LPNbp81+0U0kGYOMiWxh35QUkqED/JX4qjSJN1JQdz74QHbOH8OYZJzkeJcYqEPb/df4pfWBntzw4qXWqQ== tkurokaw@xxx.com

Sunday, March 2, 2025

Cisco Secure Access Link

 Useful links

Troubleshooting for ThousandEyes

https://www.cisco.com/c/en/us/support/docs/security/secure-access/222271-troubleshoot-secure-access-missing-metri.html

Thursday, February 13, 2025

Client Certificate

https://amod-kadam.medium.com/how-to-set-up-private-ca-and-use-the-certificates-issued-by-private-ca-da55941c51ee

Step 1: Generate private key for CA

openssl genrsa -des3 -out CA.key 2048

openssl genrsa -des3 -out ca.key 4096

openssl genrsa -aes256 -out ca.key 2048

openssl genrsa -aes256 -out lab.key 2048

Generating RSA private key, 2048 bit long modulus (2 primes)

.......................................+++++

..........................................+++++

e is 65537 (0x010001)

Enter pass phrase for lab.key:

Verifying - Enter pass phrase for lab.key: aruba123

cisco123

.........................................

Step 2: Generate CA certificate

openssl req -x509 -new -nodes -key CA.key -sha256 -days 1825 -out CA.pem

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

openssl req -x509 -new -nodes -key ca.key -sha256 -days 1825 -out ca.pem

.........................................

openssl req -new -key client1.key -out client1.csr -config client.conf


openssl genrsa -aes256 -out client1.key 2048

openssl genrsa -aes256 -out client2.key 2048


(openssl req -new -key ca.key -out client1.csr)

openssl req -new -key client1.key -out client1.csr

openssl req -new -key client2.key -out client2.csr

.........................................

openssl req -in client1.csr -noout -text

.........................................

openssl x509 -req -in client1.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client1.crt -days 500 -sha256 -extfile client.conf -extensions req_ext


openssl x509 -req -days 3650 -in acme.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out acme.crt -sha256 


openssl x509 -req -in client1.csr -CA ca.pem -days 3650 -CAkey ca.key -set_serial 01 -out client1.pem

openssl x509 -req -in client2.csr -CA ca.pem -days 3650 -CAkey ca.key -set_serial 02 -out client2.pem


.........................................

openssl x509 -in client1.pem -text -noout

.........................................

https://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate

openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx

openssl pkcs12 -inkey client1.key -in client1.pem -export -out client1_pfx.pfx

openssl pkcs12 -inkey client2.key -in client2.pem -export -out client2.pfx


.........................................

openssl pkcs12 -in example.pfx -info

.........................................

.........................................
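The CA, client certificate and PFX steps above as one non-interactive run, added here as an example and not part of the original notes. It goes one step further than the notes by checking that the issued certificate is actually accepted for TLS client authentication. The contents of client.conf (including the srv_ext section), the subject names and all pass phrases are constructed assumptions.

```shell
# Added example, not from the original notes. File names follow the notes;
# subjects, pass phrases and client.conf contents are constructed.
set -eu

CA_PASS='constructed-ca-passphrase'
KEY_PASS='constructed-key-passphrase'
PFX_PASS='constructed-pfx-passphrase'

# Create the extension file, CA key and self-signed CA certificate in dir $1.
make_ca() (
  cd "$1"
  cat > client.conf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[req_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -key ca.key -passin "pass:$CA_PASS" -sha256 -days 1825 \
    -subj "/CN=Lab Root CA" -config client.conf -extensions v3_ca -out ca.pem
)

# Issue cert $2 in dir $1 with section $3; -CAcreateserial gives unique serials.
issue_cert() (
  cd "$1"
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$2.key" 2048 2>/dev/null
  openssl req -new -key "$2.key" -passin "pass:$KEY_PASS" -subj "/CN=$2" \
    -config client.conf -out "$2.csr"
  openssl x509 -req -in "$2.csr" -CA ca.pem -CAkey ca.key -passin "pass:$CA_PASS" \
    -CAcreateserial -days 500 -sha256 -extfile client.conf -extensions "$3" \
    -out "$2.pem" 2>/dev/null
)

# True only if $2.pem chains to ca.pem and is usable for TLS client auth.
accepts_as_client() (
  cd "$1"
  openssl verify -CAfile ca.pem -purpose sslclient "$2.pem" >/dev/null 2>&1
)

# Bundle key, certificate and CA certificate into $2.pfx.
export_pfx() (
  cd "$1"
  openssl pkcs12 -export -inkey "$2.key" -passin "pass:$KEY_PASS" -in "$2.pem" \
    -certfile ca.pem -passout "pass:$PFX_PASS" -out "$2.pfx"
)

# True if $2.pfx opens (MAC verifies) with pass phrase $3.
pfx_opens() (
  cd "$1"
  openssl pkcs12 -in "$2.pfx" -passin "pass:$3" -noout 2>/dev/null
)

demo() {
  d=$(mktemp -d)
  make_ca "$d"
  issue_cert "$d" client1 req_ext
  issue_cert "$d" server1 srv_ext
  accepts_as_client "$d" client1 && echo "client1: accepted for client auth"
  accepts_as_client "$d" server1 || echo "server1: rejected, serverAuth EKU only"
  export_pfx "$d" client1
  pfx_opens "$d" client1 "$PFX_PASS" && echo "client1.pfx opens with its pass phrase"
  rm -rf "$d"
}
demo
```

Unlike `-set_serial 01`, `-CAcreateserial` keeps a serial file next to the CA certificate, so two certificates from the same CA never share a serial number.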

Reference:


https://www.javaxt.com/wiki/Tutorials/Windows/How_to_Enable_LDAPS_in_Active_Directory

https://knowledge.digicert.com/general-information/openssl-quick-reference-guide

https://amod-kadam.medium.com/how-to-set-up-private-ca-and-use-the-certificates-issued-by-private-ca-da55941c51ee

https://mcilis.medium.com/how-to-create-a-client-certificate-with-configuration-using-openssl-89214dca58ec

https://docs.microfocus.com/SM/9.60/Hybrid/Content/security/concepts/example_generating_a_client_certificate_with_openssl.htm

https://techdocs.akamai.com/iot-edge-connect-msg-store/docs/create-client-certificate

https://techdocs.akamai.com/iot-edge-connect-msg-store/docs/create-root-certificate


PFX file

https://superuser.com/questions/1352171/certificate-validation-failure-while-using-cisco-anyconnect-with-pfx-certificate

https://stackoverflow.com/questions/808669/convert-a-cert-pem-certificate-to-a-pfx-certificate




Sunday, January 26, 2025

Debugging for Cisco Secure Access SWG

--------------------------------------------------------------------------------------------------------------------

2. Traceroute:

tracert swg-url-proxy-https-sse.sigproxy.qq.opendns.com

tracert 208.67.222.222

tracert 208.67.220.220

tracert 146.112.255.50

--------------------------------------------------------------------------------------------------------------------

% tracert swg-url-proxy-https-sse.sigproxy.qq.opendns.com 

zsh: command not found: tracert

taka@TKUROKAW-M-607Q ~ % traceroute swg-url-proxy-https-sse.sigproxy.qq.opendns.com

traceroute to k8s-sigproxy-sigproxy-5a5a348834-00d20179cbb1ae5c.elb.ap-east-1.amazonaws.com (18.167.154.183), 64 hops max, 40 byte packets

 1  10.130.0.1 (10.130.0.1)  8.488 ms  1.690 ms  1.542 ms

 2  bb116-14-127-252.singnet.com.sg (116.14.127.252)  3.198 ms  2.677 ms  2.379 ms

 3  165.21.193.22 (165.21.193.22)  7.728 ms  3.635 ms  3.410 ms

 4  165.21.193.21 (165.21.193.21)  5.629 ms  3.386 ms  3.082 ms

 5  165.21.138.245 (165.21.138.245)  5.122 ms  4.209 ms  5.617 ms

 6  sn-sinqt1-bo403-ae1.singnet.com.sg (165.21.138.85)  5.473 ms  3.508 ms  3.268 ms

 7  203.208.177.213 (203.208.177.213)  6.860 ms  3.988 ms  3.307 ms

 8  * * *

 9  * * *

<snip>


--------------------------------------------------------------------------------------------------------------------

% traceroute 208.67.222.222

traceroute to 208.67.222.222 (208.67.222.222), 64 hops max, 40 byte packets

 1  10.130.0.1 (10.130.0.1)  7.411 ms  1.922 ms  2.280 ms

 2  bb116-14-127-252.singnet.com.sg (116.14.127.252)  8.785 ms  2.767 ms  3.154 ms

 3  165.21.193.22 (165.21.193.22)  6.570 ms  8.376 ms  3.809 ms

 4  165.21.193.21 (165.21.193.21)  8.729 ms  3.705 ms  3.367 ms

 5  165.21.138.245 (165.21.138.245)  5.008 ms  3.908 ms  4.014 ms

 6  sn-sinqt1-bo403-ae1.singnet.com.sg (165.21.138.85)  4.369 ms  3.352 ms  3.254 ms

 7  203.208.177.213 (203.208.177.213)  8.059 ms  3.171 ms  3.690 ms

 8  xn-lhrcl1-bo706.ix.singtel.com (203.208.183.81)  5.836 ms  4.380 ms  4.088 ms

 9  203.208.158.9 (203.208.158.9)  7.494 ms

    203.208.172.106 (203.208.172.106)  41.574 ms

    203.208.171.229 (203.208.171.229)  39.886 ms

10  203.208.154.14 (203.208.154.14)  78.489 ms  40.237 ms  42.193 ms

11  203.208.151.122 (203.208.151.122)  53.342 ms

    203.208.154.14 (203.208.154.14)  46.588 ms

    203.208.178.229 (203.208.178.229)  46.363 ms

12  203.208.178.229 (203.208.178.229)  39.314 ms  45.246 ms  40.317 ms

13  * xe-3-4-1-2.a00.newthk04.hk.ce.gin.ntt.net (203.131.241.46)  45.080 ms *

14  * * *

<snip>


--------------------------------------------------------------------------------------------------------------------

% traceroute 208.67.220.220

traceroute to 208.67.220.220 (208.67.220.220), 64 hops max, 40 byte packets

 1  10.130.0.1 (10.130.0.1)  8.677 ms  2.382 ms  2.394 ms

 2  bb116-14-127-252.singnet.com.sg (116.14.127.252)  4.687 ms  3.321 ms  2.766 ms

 3  165.21.193.22 (165.21.193.22)  6.131 ms  3.680 ms  5.547 ms

 4  165.21.193.21 (165.21.193.21)  7.892 ms  3.580 ms  3.352 ms

 5  165.21.138.245 (165.21.138.245)  6.021 ms  4.359 ms  7.403 ms

 6  165.21.139.118 (165.21.139.118)  8.727 ms  3.845 ms  3.508 ms

 7  165.21.139.134 (165.21.139.134)  5.921 ms  4.572 ms  5.047 ms

 8  unknown.telstraglobal.net (210.57.30.65)  45.862 ms  39.708 ms  37.830 ms

 9  i-92.sgcn-core01.telstraglobal.net (202.84.219.174)  41.318 ms *  39.083 ms

10  i-93.istt04.telstraglobal.net (202.84.224.190)  125.209 ms  38.010 ms  53.270 ms

11  i-91.istt04.telstraglobal.net (202.84.224.197)  47.025 ms

    unknown.telstraglobal.net (202.127.73.50)  48.208 ms  50.623 ms

12  unknown.telstraglobal.net (202.127.73.50)  56.407 ms *  46.342 ms

13  * * *

14  * * *

<snip>


--------------------------------------------------------------------------------------------------------------------


% traceroute 146.112.255.50

traceroute to 146.112.255.50 (146.112.255.50), 64 hops max, 40 byte packets

 1  10.130.0.1 (10.130.0.1)  8.720 ms  1.954 ms  3.073 ms

 2  bb116-14-127-252.singnet.com.sg (116.14.127.252)  8.597 ms  2.375 ms  2.454 ms

 3  165.21.193.22 (165.21.193.22)  10.124 ms  282.606 ms  7.634 ms

 4  165.21.193.21 (165.21.193.21)  6.764 ms  3.604 ms  3.988 ms

 5  165.21.138.245 (165.21.138.245)  15.043 ms  3.983 ms  3.794 ms

 6  sn-sinqt1-bo403-ae1.singnet.com.sg (165.21.138.85)  4.938 ms  2.978 ms  2.771 ms

 7  203.208.177.213 (203.208.177.213)  13.649 ms  10.204 ms  3.884 ms

 8  xn-lhrcl1-bo706.ix.singtel.com (203.208.183.81)  27.494 ms *  7.412 ms

 9  203.208.152.194 (203.208.152.194)  47.812 ms

    203.208.171.229 (203.208.171.229)  42.616 ms  36.318 ms

10  203.208.158.206 (203.208.158.206)  15.053 ms

    203.208.154.14 (203.208.154.14)  56.055 ms

    203.208.178.17 (203.208.178.17)  62.593 ms

11  203.208.154.14 (203.208.154.14)  42.300 ms  45.868 ms

    203.208.178.229 (203.208.178.229)  46.825 ms

12  203.208.178.229 (203.208.178.229)  45.777 ms  57.698 ms

    xe-3-4-1-2.a00.newthk04.hk.ce.gin.ntt.net (203.131.241.46)  49.709 ms

13  203.208.178.17 (203.208.178.17)  40.206 ms

    146.112.251.27 (146.112.251.27)  45.923 ms

    146.112.251.28 (146.112.251.28)  52.339 ms

14  146.112.251.28 (146.112.251.28)  46.799 ms  40.328 ms

    203.208.154.14 (203.208.154.14)  40.605 ms

15  203.208.178.229 (203.208.178.229)  53.644 ms *  40.729 ms

16  * * *

17  146.112.251.25 (146.112.251.25)  47.123 ms  40.681 ms *

18  * * *

19  * * *

<snip>


--------------------------------------------------------------------------------------------------------------------



--------------------------------------------------------------------------------------------------------------------

3. nslookup


nslookup swg-url-proxy-https-sse.sigproxy.qq.opendns.com 208.67.222.222

nslookup swg-url-proxy-https-sse.sigproxy.qq.opendns.com LOCAL_DNS_IP   (the local DNS server configured on the NIC)

nslookup swg-url-proxy-https-sse.sigproxy.qq.opendns.com 127.0.0.1

nslookup -type=TXT debug.sigproxy.qq.opendns.com

nslookup -type=TXT debug.opendns.com

--------------------------------------------------------------------------------------------------------------------



% nslookup swg-url-proxy-https-sse.sigproxy.qq.opendns.com 208.67.222.222


Server: 208.67.222.222

Address: 208.67.222.222#53


Non-authoritative answer:

swg-url-proxy-https-sse.sigproxy.qq.opendns.com canonical name = swg-proxy_ap-southeast-1_1_1n.sigproxy.aws.umbrella.com.

swg-proxy_ap-southeast-1_1_1n.sigproxy.aws.umbrella.com canonical name = k8s-sigproxy-sigproxy-0beb0c6be5-2ecb15868b8331c4.elb.ap-southeast-1.amazonaws.com.

Name: k8s-sigproxy-sigproxy-0beb0c6be5-2ecb15868b8331c4.elb.ap-southeast-1.amazonaws.com

Address: 3.0.236.175





--------------------------------------------------------------------------------------------------------------------



% nslookup swg-url-proxy-https-sse.sigproxy.qq.opendns.com 165.21.100.88

Server: 165.21.100.88

Address: 165.21.100.88#53


Non-authoritative answer:

swg-url-proxy-https-sse.sigproxy.qq.opendns.com canonical name = swg-proxy_ap-southeast-1_1_1n.sigproxy.aws.umbrella.com.

swg-proxy_ap-southeast-1_1_1n.sigproxy.aws.umbrella.com canonical name = k8s-sigproxy-sigproxy-0beb0c6be5-2ecb15868b8331c4.elb.ap-southeast-1.amazonaws.com.

Name: k8s-sigproxy-sigproxy-0beb0c6be5-2ecb15868b8331c4.elb.ap-southeast-1.amazonaws.com

Address: 3.0.236.175



--------------------------------------------------------------------------------------------------------------------




% nslookup swg-url-proxy-https-sse.sigproxy.qq.opendns.com 127.0.0.1

Server: 127.0.0.1

Address: 127.0.0.1#53


Non-authoritative answer:

swg-url-proxy-https-sse.sigproxy.qq.opendns.com canonical name = swg-proxy_ap-southeast-1_1_1n.sigproxy.aws.umbrella.com.

swg-proxy_ap-southeast-1_1_1n.sigproxy.aws.umbrella.com canonical name = k8s-sigproxy-sigproxy-0beb0c6be5-2ecb15868b8331c4.elb.ap-southeast-1.amazonaws.com.

Name: k8s-sigproxy-sigproxy-0beb0c6be5-2ecb15868b8331c4.elb.ap-southeast-1.amazonaws.com

Address: 3.0.236.175



--------------------------------------------------------------------------------------------------------------------



% nslookup -type=TXT debug.sigproxy.qq.opendns.com

Server: 165.21.100.88

Address: 165.21.100.88#53


Non-authoritative answer:

debug.sigproxy.qq.opendns.com text = "DATACENTER = hkg"

debug.sigproxy.qq.opendns.com text = "CLIENT_COUNTRY = SG"

debug.sigproxy.qq.opendns.com text = "CLIENT_ORG_ID = 8206400"

debug.sigproxy.qq.opendns.com text = "SOURCE_IP = 67.215.82.78"

debug.sigproxy.qq.opendns.com text = "CLIENT_IP = 220.255.190.244"

debug.sigproxy.qq.opendns.com text = "SERVICE_ZONE = sigproxy.qq.opendns.com"

debug.sigproxy.qq.opendns.com text = "QUADRA_SLUG = zeus-dnslb-d84cd7e65211.signginx.hkg"

debug.sigproxy.qq.opendns.com text = "SWG URL = swg-url-proxy-https.sigproxy.qq.opendns.com."

debug.sigproxy.qq.opendns.com text = "SSE URL = swg-url-proxy-https-sse.sigproxy.qq.opendns.com."


Authoritative answers can be found from:



--------------------------------------------------------------------------------------------------------------------



% nslookup -type=TXT debug.opendns.com

;; Truncated, retrying in TCP mode.

Server: 165.21.100.88

Address: 165.21.100.88#53


Non-authoritative answer:

debug.opendns.com text = "server m45.hkg"

debug.opendns.com text = "device 0101cce9112df3f6"

debug.opendns.com text = "organization id 8206400"

debug.opendns.com text = "user id b2ad6de34dbbb52cf4c6d4a600661b0d"

debug.opendns.com text = "remoteip 10.130.0.23"

debug.opendns.com text = "flags 10A040034 0 0 180000000000000000003800000000000000000"

debug.opendns.com text = "device orgid 8206400"

debug.opendns.com text = "device originid 635704254"

debug.opendns.com text = "originid 635704254"

debug.opendns.com text = "orgid 8206400"

debug.opendns.com text = "orgflags 37B7E750F59028E6"

debug.opendns.com text = "actype 0"

debug.opendns.com text = "bundle 14293004"

debug.opendns.com text = "rules based policy enabled"

debug.opendns.com text = "source 220.255.190.244:60972"

debug.opendns.com text = "dnscrypt enabled (ES1, qSL81ju1)"


Authoritative answers can be found from:



--------------------------------------------------------------------------------------------------------------------

4. dig

dig swg-url-proxy-https-sse.sigproxy.qq.opendns.com +nsid +short @208.67.222.222

dig swg-url-proxy-https-sse.sigproxy.qq.opendns.com +nsid +short @LOCAL_RESOLVER_IP

 

--------------------------------------------------------------------------------------------------------------------



% dig swg-url-proxy-https-sse.sigproxy.qq.opendns.com +nsid +short @208.67.222.222

swg-proxy_ap-southeast-1_1_1n.sigproxy.aws.umbrella.com.

k8s-sigproxy-sigproxy-0beb0c6be5-2ecb15868b8331c4.elb.ap-southeast-1.amazonaws.com.

3.0.236.175




 % dig swg-url-proxy-https-sse.sigproxy.qq.opendns.com +nsid +short @165.21.100.88

swg-proxy_ap-southeast-1_1_1n.sigproxy.aws.umbrella.com.

k8s-sigproxy-sigproxy-0beb0c6be5-2ecb15868b8331c4.elb.ap-southeast-1.amazonaws.com.

3.0.236.175


















Friday, January 24, 2025

Cisco Secure Client Modules

 

How do I migrate to Cisco Secure Client with the Umbrella Module? (Manual Install)

https://support.umbrella.com/hc/en-us/articles/17890678933012-How-do-I-migrate-to-Cisco-Secure-Client-with-the-Umbrella-Module-Manual-Install


Cisco Secure Client for Umbrella:
https://docs.umbrella.com/deployment-umbrella/docs/deploy-umbrella-for-cisco-secure-client


Installation:

https://support.umbrella.com/hc/en-us/articles/18584514390932-Umbrella-Module-for-Cisco-Secure-Client-Command-Line-installation-and-RMM-reference


Migration from Umbrella Roaming Client

https://docs.umbrella.com/deployment-umbrella/docs/migration-from-umbrella-roaming-client


How to Keep the Cisco Secure Client up to Date

https://support.umbrella.com/hc/en-us/articles/22558435463956-How-to-Keep-the-Cisco-Secure-Client-up-to-Date

Monday, January 20, 2025

Cisco Secure Access debugging

The Speedtest tool can be used by customers with RAVPN, IPsec tunnel, or roaming agent connections to measure the speed and performance of a connection from the client to the Secure Access DC. It evaluates several key metrics to report on connectivity. The enhanced version of the Speedtest tool gives an option to bypass any Firewall or SWG enforcement on the data path. It is also Security+SOC2 compliant and, with the new developments, is an official tool that clients can use.

 

The tool is accessible at the URLs below:

https://speed.test.sse.cisco.com (General)

https://speedy-u.test.sse.cisco.com (Bypassed)

https://speedy-s.test.sse.cisco.com (Secured)
