Wednesday, December 31, 2014

Packet Capture: How To Graph Time Delay Between Packets

If you don't like to look at the time column in Wireshark, sometimes it's helpful to graph it out.  Some people are just visual, and it helps to actually see a graph.  I went to a website and captured the traffic.  Here is how I read the graphs.
Here is the total graph, as I saw it:


So, I filtered on the packets I wanted to see.  Notice in my filter "tcp.stream eq 21".  When I click on the first dot, notice that it highlights the packet as well.


Then, there is a .06 ms delay to the next packet:


Next, there is about a .02 ms delay to the next packet.  Also, notice the size of the packet in the graph (and the "length" in the column of the capture):


Next packet is microseconds behind:


Next packet:


And the last:


Good stuff.
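Added example, not from the original post: the same delta-time view without the screenshots, computed from packets exported with tshark -T fields (the sample rows are constructed, and stream number 21 matches the filter above).

```python
"""Inter-packet delay per TCP stream, computed from tshark field output.

Added example, not code from the original post.  It assumes the capture was
exported with something like (the -e names are real tshark fields):
    tshark -r capture.pcap -T fields -e frame.number -e frame.time_epoch \
           -e tcp.stream -e frame.len
The rows in SAMPLE are constructed for illustration.
"""
from decimal import Decimal

# Constructed sample rows: frame number, epoch time, tcp.stream, frame length.
# Frame 3 is a non-TCP frame (ARP, say), so its tcp.stream field is empty.
SAMPLE = """\
1\t1419984000.000000\t21\t74
2\t1419984000.000060\t21\t74
3\t1419984000.000070\t\t60
4\t1419984000.000080\t21\t66
5\t1419984000.000085\t21\t517
6\t1419984000.002300\t21\t1434
7\t1419984000.002311\t21\t66
8\t1419984000.002400\t22\t74
"""


def parse_tshark_fields(text):
    """Parse tab-separated 'tshark -T fields' rows into dicts.

    Frames with an empty tcp.stream field (non-TCP traffic) are skipped.
    Times are kept as Decimal so microsecond subtraction stays exact.
    """
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        num, epoch, stream, length = line.split("\t")
        if stream == "":
            continue
        packets.append({"frame": int(num), "time": Decimal(epoch),
                        "stream": int(stream), "len": int(length)})
    return packets


def stream_deltas(packets, stream):
    """Return (frame, delta_ms, len) for every packet of one TCP stream.

    delta_ms is the time since the previous packet *of the same stream*,
    which is what Wireshark's 'delta time displayed' shows once the display
    filter 'tcp.stream eq N' is applied.  The first packet gets 0.0.
    """
    rows, prev = [], None
    for p in sorted(packets, key=lambda p: p["time"]):
        if p["stream"] != stream:
            continue
        delta = Decimal(0) if prev is None else (p["time"] - prev) * 1000
        rows.append((p["frame"], float(delta), p["len"]))
        prev = p["time"]
    return rows


def largest_gap(rows):
    """The row that waited longest on its predecessor; None if no rows."""
    if not rows:
        return None
    return max(rows, key=lambda r: r[1])


def ascii_graph(rows, width=40):
    """One text bar per packet, length proportional to its delay, so the
    long gaps stand out without opening the IO graph in Wireshark."""
    top = max((r[1] for r in rows), default=0.0) or 1.0
    lines = []
    for frame, delta, length in rows:
        bar = "#" * int(round(delta / top * width))
        lines.append(f"frame {frame:>4} {delta:8.3f} ms {length:>5} B |{bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    pkts = parse_tshark_fields(SAMPLE)
    rows = stream_deltas(pkts, 21)
    print(ascii_graph(rows))
    print("largest gap is before frame", largest_gap(rows)[0])
```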

Tuesday, December 30, 2014

Smartphones And The Fun Things We Use Them For

I have to say that I was one of the last ones to move into the smartphone world.  I really didn't want to.  I was just fine with my little flip phone.  It did all I wanted it to: text and talk.
BUT, I have had to move into the real current world (for now).  I have been thinking about what all I actually use my HTC phone for, and I have come up with a list below of the things I use regularly.  I'd like to hear your list too.
1. First and foremost, it's a clock.
2. Phone.
3. Texting.
4. Alarm.
5. Bible.
6. Email.
7. Wifi Analyzer.
8. SSH client.
9. Internet (general).
10. Camera (which my pic of the week comes from)
11. MP3 player.
12. Reach my stored files when not behind computer.
13. Notepad (for remembering things).
14. Controls my music in my house.
15. Calendar and appointments.
16. Flashlight.
17. Calculator.
18. GPS for getting me places.
19. Camcorder.
20. LinkedIn.  I closed my LinkedIn account, so this no longer applies.
21. Study for certifications and learning new technologies.



Monday, December 29, 2014

Cisco IP Phone: What Does The Circle With A Dot In The Middle Mean

Honestly, I have no idea what that circle with a dot means.  But, here is what I do know.  The port on the switch was not configured correctly for the voice vlan.  I sent out another engineer, and he moved that patch cable to another port that was configured with the voice vlan, and the phone came up at that point.  Chalk this one up to improper configuration of the voice vlan.

Saturday, December 27, 2014

Pic Of The Week: Sanctuary

Someone's blanket and cardboard padding at one of the downtown churches.


Thursday, December 25, 2014

Merry Christmas To Everyone!

Merry Christmas!  I think this song really sums it up.  Take a few minutes, listen to the lyrics and reflect on your own life.  Think about what the Savior coming into the world really means.  Remember, He is the reason we celebrate this season:
https://www.youtube.com/watch?v=O3wujkozv9E

Wednesday, December 24, 2014

Christmas Eve :)

Thought I would share a Christmas picture from my own home.

Tuesday, December 23, 2014

Palo Alto: Agentless User-ID And Windows 2000 Server Integration

Yes, it's 2015.  But, there are some companies out there with a Windows 2000 server as their domain controller still.  So at this company, I have installed a Palo Alto (ver 6.0.5-h3) firewall, and one of the last things I implemented (in this case) is user-ID.
Does the Palo Alto agentless user-ID integrate with AD on Windows 2000?  Short answer, NO.  It's supported only from Windows 2008 and above.  How about the agent client version?  Yes, but you have to be running client version 4.0 or earlier.
So, no worries.  It's just time to upgrade the Windows 2000 server.

Monday, December 22, 2014

Wireshark: Firewall ACL Rule Help

Have you ever taken a Wireshark capture, found the packets that you need to find, and wondered how to block that at your firewall?  Wireshark does make this easy for you, if you know where to go.  In my example, I select the packet I don't want, and go to Tools --> Firewall ACL Rules, and it will show you what you should type in for your ACL to deny that traffic.  See the screenshot below.  Play around with it if you are the firewall admin.  It can help you out.

Sunday, December 21, 2014

Sunday Thought: Real

You all know that I like Christian music.  Maybe you will like this one.  It's a good December song.  Take a few minutes and carefully listen.

https://www.youtube.com/watch?v=aLQgnYxxMcM&index=4&list=LLg7WaNtHz6oyXJpsDRzFxzQ

Friday, December 19, 2014

Cisco 6509-E Upgrade

I have been working through a problem with a customer that has involved a lot of people in the IT department.  I'll make this story short and really only relate the "network" portion of this particular day.  I really want to concentrate this post around upgrading the core switches, which happen to be Cisco 6509-E switches (two of them).

On the first core 6509-E, there were no issues at all.  Both blades upgraded and all was done pretty quickly.  We put the code on a compact flash, changed the boot statement in the config, rebooted, and all was good.  Things should really always go this well, right?

On the second core 6509-E, there were issues.  First, it continued to boot up on the old code.  It turned out that we had to format the new compact flash card that we received.  It never saw the code on the new compact flash card, so it reverted back to the sup-bootflash.  We formatted the flash card, got the new image on, changed the boot statement again, and we were good to go.  Once we booted to the new code, we noticed that one of the fiber modules wouldn't power up after that upgrade.  Why?  Turns out the new IOS that we put on would not support the old fiber module that wouldn't power up.  This 6509-E was older than the first 6509-E that we upgraded.  So, we got on Cisco's site and downloaded a different IOS (older than the one we got, but newer than the one we originally had) and put it on the second 6509-E.  All things seemed to work fine at that point, with the exception that I had to put the config for that module (the fiber module that wouldn't power up) back in.  It seemed to get deleted when I had the issues on the module (only one module was affected).  Once I cut and pasted that back in, all was good.

It just goes to show that even though an upgrade should be painless, sometimes it can be painful.

Thursday, December 18, 2014

Quick Network Analysis Tool

One tool that I really like using is called Capsa, by Colasoft.  Now please don't think I'm advertising for them.  I'm not, but if I'm being honest, it IS one of my tools in my tool pouch (my laptop).  It's really helpful for quick troubleshooting.
So, with that said, I had a customer ask me about 97% utilization on the remote site MPLS link.  I told him that I would go figure it out and be right back.
10 minutes later, I came back with the source and destination of the troublemaker (not really).  We found out that a guy was doing legitimate work traffic, but not the way he was supposed to.  Either way, my point is that having the right tools as a network guy can help you troubleshoot problems quickly and effectively.  And yes, sometimes it does require spending some money to get those tools.

Wednesday, December 17, 2014

Cisco ASA: How To View Your Captured Packets In Wireshark From The ASA

Some people just like GUIs.  That is fine.  I can understand that, I guess.  So what can you do when you want to see packet captures from the ASA in Wireshark instead of the CLI?  Well, two things.  First, make sure "http server enable" and "http X.X.X.X X.X.X.X inside" are configured.  Then, take your packet capture.  (Click on this link on how to enable a packet capture in CLI.)  Once you have your packet capture going and it has the traffic you want to see, then do the following in your web browser:
https://10.10.2.2/capture/capin/pcap  <-- where 'capin' is the name of the capture I am taking

Save the file under whatever name you want.  Then open it up in Wireshark.  You now have the .pcap file that you want to see in Wireshark.

Tuesday, December 16, 2014

Cisco Nexus: FEX Phases After Install

Don't forget that when you install a FEX into a Nexus, it's going to check to make sure the image matches the 5k/7k.  If not, it will download the image to make sure it matches.  It goes through the process: Image Download --> Offline (reboot) --> Online

N5K-1# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
112        FEX0112               Image Download    N2K-C2232PP-10GE   SSI17XXXXX

N5K-1# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
112        FEX0112               Offline    N2K-C2232PP-10GE   SSI17XXXXX

N5K-Backup-1# sh fex
  FEX         FEX           FEX                       FEX
Number    Description      State            Model            Serial
------------------------------------------------------------------------
112        FEX0112                Online    N2K-C2232PP-10GE   SSI17XXXXX

Monday, December 15, 2014

Cisco ASA: Packet Capture On The ASA In CLI

I had to do some remote troubleshooting on an ASA that, according to the customer, was not allowing SIP traffic in for their new SIP services.  In this scenario, CLI was the only option, and really, I was just glad about that.  Although, I do also like the GUI form of the packet capture that Cisco has in the ASDM.  It's easy.  Easier than CLI in this case, but I like CLI, so I'm OK with it.  Here is the ACL I configured to capture traffic to their phone system's external IP:
CiscoASA# config t
CiscoASA(config)# access-list 188 permit ip any host 5.5.5.250
CiscoASA(config)# exit

Now, lets enable the capture on the outside interface:
CiscoASA# capture capin interface outside access-list 188

So now I run a ping to that 5.5.5.250 IP address.  Then, I make the phone call to see if SIP traffic came to the ASA.  Then, I HTTP'ed to the phone system.  So, how many bytes are captured?
CiscoASA# sho capture
capture capin type raw-data access-list 188 interface outside [Capturing - 360 bytes]

Now, what is in the packet capture log?
See the capture below:
CiscoASA#show capture capin
29 packets captured

   1: 00:41:49.017668 33.33.33.128 > 5.5.5.250: icmp: echo request
   2: 00:41:50.068218 33.33.33.128 > 5.5.5.250: icmp: echo request
   3: 00:41:54.843233 33.33.33.128 > 5.5.5.250: icmp: echo request
   4: 00:41:55.874863 33.33.33.128 > 5.5.5.250: icmp: echo request
   5: 00:45:23.107217 33.33.33.128.2098 > 5.5.5.250.80: S 2929358780:2929358780(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
   6: 00:45:23.107523 33.33.33.128.2097 > 5.5.5.250.80: S 2605027608:2605027608(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
   7: 00:45:23.331632 33.33.33.128.2098 > 5.5.5.250.80: . ack 1980576723 win 68
   8: 00:45:23.331846 33.33.33.128.2097 > 5.5.5.250.80: . ack 1928612590 win 68
   9: 00:45:23.335599 33.33.33.128.2097 > 5.5.5.250.80: P 2605027609:2605028002(393) ack 1928612590 win 68
  10: 00:45:23.413201 33.33.33.128.2099 > 5.5.5.250.8080: S 1012239204:1012239204(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
  11: 00:45:23.413476 33.33.33.128.2100 > 5.5.5.250.8080: S 4230440435:4230440435(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
  12: 00:45:23.489537 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452080160 win 68
  13: 00:45:23.491628 33.33.33.128.2100 > 5.5.5.250.8080: . ack 1273284172 win 68
  14: 00:45:23.495350 33.33.33.128.2099 > 5.5.5.250.8080: P 1012239205:1012239603(398) ack 1452080160 win 68
  15: 00:45:23.635495 33.33.33.128.2097 > 5.5.5.250.80: . ack 1928612939 win 67
  16: 00:45:23.663829 33.33.33.128.2099 > 5.5.5.250.8080: P 1012239603:1012240043(440) ack 1452080463 win 67
  17: 00:45:23.667690 33.33.33.128.2100 > 5.5.5.250.8080: P 4230440436:4230440774(338) ack 1273284172 win 68
  18: 00:45:23.750037 33.33.33.128.2099 > 5.5.5.250.8080: P 1012240043:1012240578(535) ack 1452080637 win 67
  19: 00:45:23.937359 33.33.33.128.2100 > 5.5.5.250.8080: . ack 1273285310 win 64
  20: 00:45:23.943371 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452083157 win 68
  21: 00:45:24.017333 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452085677 win 68
  22: 00:45:24.201329 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452088197 win 68
  23: 00:45:24.201390 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452090717 win 68
  24: 00:45:24.355709 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452093237 win 68
  25: 00:45:24.355740 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452098277 win 68
  26: 00:45:24.438881 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452103317 win 68
  27: 00:45:24.735542 33.33.33.128.2099 > 5.5.5.250.8080: . ack 1452104344 win 64
  28: 00:45:35.432396 33.33.33.128.2098 > 5.5.5.250.80: F 2929358781:2929358781(0) ack 1980576723 win 68
  29: 00:45:35.621702 33.33.33.128.2098 > 5.5.5.250.80: . ack 1980576724 win 68
29 packets shown
CiscoASA#

So, as you can see, no SIP traffic.  It's not making it to the ASA.  Now let's disable the capture:
CiscoASA# no capture capin interface outside access-list 188
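Added example, not the post's own code: a small parser for the 'show capture' listing above that tallies destination ports and answers the question the capture was taken for, whether any SIP signalling reached the outside interface. Both listings are constructed in the ASA's format; the SIP lines are invented to show what a positive result would look like.

```python
"""Summarize what an ASA 'show capture <name>' listing actually contains.

Added example, not code from the original post.  The listings below are
constructed in the format the ASA printed above; the UDP/5060 lines in
WITH_SIP are invented to show a positive result.
"""
import re
from collections import Counter

# Constructed: ICMP and HTTP/8080 traffic only, no SIP (mirrors the post).
NO_SIP = """\
4 packets captured

   1: 00:41:49.017668 33.33.33.128 > 5.5.5.250: icmp: echo request
   2: 00:45:23.107217 33.33.33.128.2098 > 5.5.5.250.80: S 2929358780:2929358780(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
   3: 00:45:23.413201 33.33.33.128.2099 > 5.5.5.250.8080: S 1012239204:1012239204(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
   4: 00:45:23.495350 33.33.33.128.2099 > 5.5.5.250.8080: P 1012239205:1012239603(398) ack 1452080160 win 68
4 packets shown
"""

# Constructed: what SIP signalling over UDP would look like if it arrived.
WITH_SIP = """\
   1: 00:50:01.000000 33.33.33.128.5060 > 5.5.5.250.5060:  udp 412
   2: 00:50:01.200000 33.33.33.128.5060 > 5.5.5.250.5060:  udp 380
2 packets shown
"""

# '<n>: <hh:mm:ss.usec> <src> > <dst>: <rest>' as printed by the ASA.
LINE = re.compile(r"^\s*(\d+): (\d{2}:\d{2}:\d{2}\.\d+) (\S+) > (\S+): (.*)$")


def split_endpoint(token):
    """'a.b.c.d.port' -> ('a.b.c.d', port); bare 'a.b.c.d' -> (ip, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_capture(text):
    """Turn the listing into dicts; header and footer lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        num, ts, src, dst, rest = m.groups()
        src_ip, src_port = split_endpoint(src)
        dst_ip, dst_port = split_endpoint(dst)
        rest = rest.strip()
        if rest.startswith("icmp"):
            proto = "icmp"
        elif rest.startswith("udp"):
            proto = "udp"
        else:
            proto = "tcp"  # flags, seq/ack and window fields follow
        packets.append({"num": int(num), "time": ts, "proto": proto,
                        "src": src_ip, "sport": src_port,
                        "dst": dst_ip, "dport": dst_port, "info": rest})
    return packets


def summarize(packets):
    """Packet counts keyed by 'proto' or 'proto/dst_port'."""
    counts = Counter()
    for p in packets:
        key = p["proto"] if p["dport"] is None else f'{p["proto"]}/{p["dport"]}'
        counts[key] += 1
    return counts


def sip_reached_firewall(packets, sip_ports=(5060, 5061)):
    """True if any captured packet targets a SIP signalling port."""
    return any(p["proto"] in ("tcp", "udp") and p["dport"] in sip_ports
               for p in packets)


if __name__ == "__main__":
    for name, text in (("no_sip", NO_SIP), ("with_sip", WITH_SIP)):
        pk = parse_capture(text)
        print(name, dict(summarize(pk)), "SIP seen:", sip_reached_firewall(pk))
```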

Sunday, December 14, 2014

Sunday Thought: Bless Israel

You know, it seems that every belief causes a separation of people.  In IT, if you believe that Windows is the thing, then the Unix guys are going to think you are full of it.  And probably vice versa.  Same goes for our beliefs in other areas of our lives.
As a Christian, I'm fully aware that not everyone believes the same way I do.  People choose to believe what they want to.  I'm really only responsible for me and what I believe.  I can't make you believe anything that you don't want to believe.  Although, I am responsible for at least telling you, at least once, about the Messiah (Jesus) and what he has done for us.  Beyond that, it's on you.
Same goes for supporting Israel.  I DO support Israel.  I think God is clear that if you bless Israel, you will be blessed.  If you curse Israel, you will be cursed.  I think that Genesis 12:3 is clear about that.  Look it up.
I'd like to have the blessing of God in my life.  So I choose to bless Israel.


Friday, December 12, 2014

Cisco Nexus 7000 Module Replacement

I wanted to just share a few pictures of an RMA I had to do on a Nexus 7000 blade.  The blade came in bad from the start, so it was time for an RMA.
The customer told me that he troubleshot as much as possible and asked me to do the RMA.  So I reseated the module myself, put it in another slot, and even put it in another Nexus 7000.  Still the same issue: red light on the front, and it did not show up as powered up.
Nexus-1# sh hardware

Module9  powered-dn
  Module type is : 10/100/1000 Mbps Ethernet XL Module
  1 submodules are present
  Model number is N7K-M148GT-11L
  H/W version is 2.1
  Part Number is 73-15230-01
  Part Revision is C0
  Manufacture Date is Year 17 Week 22
  Serial number is XXXXX
  CLEI code is XXXX


So obviously, it's not looking good.  So I called up Cisco and got the RMA going.
Blade comes in and I got it replaced.

Good to go!

Thursday, December 11, 2014

Technical Training

I have recently done some 'virtual' technical training on a certain technology.  It always seems to be the same to me.  Now I'm not a fan of 'virtual' training.  I need to be there with someone and able to ask questions and interact.  Virtual training does work for some, but not for me.  But one thing I do think is that training should actually prepare you for installing equipment, from start to finish.  It seems like what I typically see is that the trainer will go over what each feature is instead of what it is AND how to implement it.  I mean, the labs they give you are just 'step 1, do this; step 2, do this'.  It just seems like there is a better way of teaching this stuff.  Maybe this works well for some people, but it doesn't for me.  I'm thinking in the future, I might want to be a technical trainer.

Tuesday, December 9, 2014

Palo Alto: In Initial Configuration, Commit Fails Due To Virtual-Wire Config

In the initial configuration of the Palo Alto, I noticed that if you do not want to do virtual wire, you have to go into Network --> Virtual Wires and delete the default that is configured to get the commit to succeed.  I don't really love that, but if you are configuring for a Layer 3 firewall, then I have found I have to go delete this.

Monday, December 8, 2014

ShoreTel Backups: Be Careful To Watch The Services Stop

Here is one thing I noticed on a 14.1 to 14.2 upgrade I was doing that I wanted to share with you all.  I noticed that when I ran the stop HQ services batch file (to stop all services so you can do a backup of the Shoreline Data folder), one service in particular didn't stop.  Make sure you check that all services have stopped before you copy your Shoreline Data folder to another location.

Sunday, December 7, 2014

Sunday Thought: Will You Be Known?

Matthew 7:15-23
“Beware of false prophets who come disguised as harmless sheep but are really vicious wolves. You can identify them by their fruit, that is, by the way they act. Can you pick grapes from thornbushes, or figs from thistles? A good tree produces good fruit, and a bad tree produces bad fruit. A good tree can’t produce bad fruit, and a bad tree can’t produce good fruit. So every tree that does not produce good fruit is chopped down and thrown into the fire. Yes, just as you can identify a tree by its fruit, so you can identify people by their actions.
“Not everyone who calls out to me, ‘Lord! Lord!’ will enter the Kingdom of Heaven. Only those who actually do the will of my Father in heaven will enter. On judgment day many will say to me, ‘Lord! Lord! We prophesied in your name and cast out demons in your name and performed many miracles in your name.’ But I will reply, ‘I never knew you. Get away from me, you who break God’s laws.’”

Friday, December 5, 2014

Windows: How To Reset The Administrator Password On A PC ~By Babak Hoseini

Babak Hoseini is a friend of mine, and I have the privilege of posting some of his IT knowledge on my blog.  He was kind enough to write another post about resetting the Windows administrator password when you don't know it.  Thank you Babak.  ~~Shane Killen

Windows: How To Reset The Administrator Password On A PC
There are several ways to reset the administrator password, such as “ERDcommander”, “Hiren’s BootCD” and other repair CDs, but sometimes you may not have such CDs.
There is an exploit in Microsoft Windows by which you can reset the administrator password without using these CDs. I strongly advise you to fix this exploit on servers. I’m going to explain how to reset the administrator password and then how to close this security breach.

First of all, you need to boot your PC with the Windows CD in recovery mode. Put the Windows 7 or 2008 CD into the CD-ROM drive, boot your system from the CD and select the “Recovery mode” option.

Then select the time and language and then click next. Click on “Repair your computer” and select “Command prompt”.

It’s better to back up the “Sethc.exe” file in another location. Type this command:
copy  d:\windows\system32\sethc.exe  d:\

Then you must copy the “cmd.exe” file in place of “sethc.exe”:
copy  d:\windows\system32\cmd.exe  d:\windows\system32\sethc.exe
Type “exit” and restart your system normally. At the “log on” screen, press the “shift key” 5 times. A “Command prompt” will open and you can reset the administrator password with the “net user” command.

net user  administrator  123456



And now what should be done to close this exploit? It’s so easy and simple! You can disable “Sticky keys” via this path:
Control Panel –> Ease of Access Center –> Make the keyboard easier to use

Uncheck “Turn on Sticky keys” and, in the “Set up Sticky keys” section, uncheck “Turn on Sticky keys when SHIFT is pressed five times”.

Wednesday, December 3, 2014

Runt Packets

Have you ever seen runts on your switch interfaces?  What are they?  A runt is a packet that is less than 64 bytes long.  So, really, this is a problem.  In my case, it was on the server side (I just informed the server guys at this particular customer).  See below.  Notice that the runts and the input errors line up.  In this case, it's a server issue.  But keep in mind, you don't really want to see these runts on the switch.  Call the server guys and get them to figure out what is going on.  They probably want to know about it anyway.

GigabitEthernet1/0/9 is up, line protocol is up (connected)
...edited
     5962915515 packets input, 2654018058090 bytes, 0 no buffer
     Received 1305694 broadcasts (1253405 multicasts)
     60677 runts, 0 giants, 0 throttles
     60677 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1253405 multicast, 0 pause input
     0 input packets with dribble condition detected
     1181023696 packets output, 913878577075 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets

Tuesday, December 2, 2014

Cisco Nexus: How To Add A FEX Module To Redundant 5000s

Below is a configuration example for adding FEXs to a pair of Nexus 5000s for redundancy: two 5000s, with two 2000 FEX devices being added.  You have to do basically the same config on both 5000s:

Nexus5000 #1 config:
fex 106
  pinning max-links 1
  description "FEX0106"

interface port-channel106
  switchport mode fex-fabric
  fex associate 106
  vpc 106
  speed 10000

interface Ethernet2/15
  description **FEX 106**
  switchport mode fex-fabric
  fex associate 106
  channel-group 106
  speed 10000

fex 107
  pinning max-links 1
  description "FEX0107"

interface port-channel107
  switchport mode fex-fabric
  fex associate 107
  vpc 107

interface Ethernet2/16
  description **FEX 107**
  switchport mode fex-fabric
  fex associate 107
  channel-group 107


Nexus5000 #2 config:

fex 106
  pinning max-links 1
  description "FEX0106"

interface port-channel106
  switchport mode fex-fabric
  fex associate 106
  vpc 106
  speed 10000

interface Ethernet2/15
  description *** To FEX 106 ***
  switchport mode fex-fabric
  fex associate 106
  channel-group 106

fex 107
  pinning max-links 1
  description "FEX0107"

interface port-channel107
  switchport mode fex-fabric
  fex associate 107
  vpc 107
  speed 10000

interface Ethernet2/16
  description *** To FEX 107 ***
  switchport mode fex-fabric
  fex associate 107
  channel-group 107
  speed 10000

Monday, December 1, 2014

Brocade ICX Switch: Verifying Stack Communication

When you build a stack, you should always check to make sure the stack is communicating the way it should.  Make sure the topology looks the way it should (which I edited out here), but also make sure the communication from CPU to CPU looks good.  What that means is communication across the stacking cables from one CPU to another.  What that boils down to is that when a packet traverses from one switch in the stack to another, switch one processes the packet, forwards it across the stacking cable to switch two, and on to its CPU for processing.  You need to make sure that communication is good, and the way to do that is highlighted below.  Check it using the 'show stack connection' command, as shown below:
CORE#show stack connection
edited...

trunk probe results: 4 links
Link 1: u4 -- u1, num=5
  1: 1/2/1 (T0) <---> 4/2/6 (T1)
  2: 1/2/2 (T0) <---> 4/2/7 (T1)
  3: 1/2/3 (T0) <---> 4/2/8 (T1)
  4: 1/2/4 (T0) <---> 4/2/9 (T1)
  5: 1/2/5 (T0) <---> 4/2/10(T1)
Link 2: u2 -- u1, num=5
  1: 1/2/6 (T1) <---> 2/2/1 (T0)
  2: 1/2/7 (T1) <---> 2/2/2 (T0)
  3: 1/2/8 (T1) <---> 2/2/3 (T0)
  4: 1/2/9 (T1) <---> 2/2/4 (T0)
  5: 1/2/10(T1) <---> 2/2/5 (T0)
Link 3: u3 -- u2, num=5
  1: 2/2/6 (T1) <---> 3/2/1 (T0)
  2: 2/2/7 (T1) <---> 3/2/2 (T0)
  3: 2/2/8 (T1) <---> 3/2/3 (T0)
  4: 2/2/9 (T1) <---> 3/2/4 (T0)
  5: 2/2/10(T1) <---> 3/2/5 (T0)
Link 4: u4 -- u3, num=5
  1: 3/2/6 (T1) <---> 4/2/1 (T0)
  2: 3/2/7 (T1) <---> 4/2/2 (T0)
  3: 3/2/8 (T1) <---> 4/2/3 (T0)
  4: 3/2/9 (T1) <---> 4/2/4 (T0)
  5: 3/2/10(T1) <---> 4/2/5 (T0)
CPU to CPU packets are fine between 4 units.

Here is what one looks like when CPU to CPU communication doesn't look good:

*** Error! should have 4 links, but 2: missing u1-u2, u2-u3, .
Link 1: u4 -- u1, num=1
  1: 1/2/1 (T0) <---> 4/2/6 (T1)
Link 2: u4 -- u3, num=1
  1: 3/2/6 (T1) <---> 4/2/1 (T0)
*** Error! no CPU to CPU:  u1 -x- u2,
*** Error! only one directional CPU to CPU: u3 --> u1
*** Error! no CPU to CPU:  u2 -x- u3,
*** Error! no CPU to CPU:  u2 -x- u4,

*** Error! one directional CPU to CPU:  u3 --> u4,

Make sure you check to verify what you think you have is correct.
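Added example, not from the original post: a check over the 'show stack connection' output that echoes the switch's own error lines and adds two checks of its own (link count for a ring of N units, and num= versus the port pairs actually listed). Both listings are constructed in the format shown above, with two trunk ports per link to keep them short.

```python
"""Check a Brocade 'show stack connection' listing for healthy CPU-to-CPU paths.

Added example, not code from the original post.  Both listings below are
constructed in the format shown above (two trunk ports per link instead of
five, to keep the sample short).
"""
import re

# Constructed: a healthy 4-unit ring, every link up, CPU-to-CPU confirmed.
GOOD = """\
trunk probe results: 4 links
Link 1: u4 -- u1, num=2
  1: 1/2/1 (T0) <---> 4/2/6 (T1)
  2: 1/2/2 (T0) <---> 4/2/7 (T1)
Link 2: u2 -- u1, num=2
  1: 1/2/6 (T1) <---> 2/2/1 (T0)
  2: 1/2/7 (T1) <---> 2/2/2 (T0)
Link 3: u3 -- u2, num=2
  1: 2/2/6 (T1) <---> 3/2/1 (T0)
  2: 2/2/7 (T1) <---> 3/2/2 (T0)
Link 4: u4 -- u3, num=2
  1: 3/2/6 (T1) <---> 4/2/1 (T0)
  2: 3/2/10(T1) <---> 4/2/5 (T0)
CPU to CPU packets are fine between 4 units.
"""

# Constructed: the broken case, two links missing, one link advertising
# more trunk ports than it lists, and one-way CPU paths.
BAD = """\
*** Error! should have 4 links, but 2: missing u1-u2, u2-u3, .
Link 1: u4 -- u1, num=1
  1: 1/2/1 (T0) <---> 4/2/6 (T1)
Link 2: u4 -- u3, num=2
  1: 3/2/6 (T1) <---> 4/2/1 (T0)
*** Error! no CPU to CPU:  u1 -x- u2,
*** Error! only one directional CPU to CPU: u3 --> u1
"""

LINK = re.compile(r"^Link \d+: u(\d+) -- u(\d+), num=(\d+)$")
PAIR = re.compile(r"^\s+\d+: (\d+/\d+/\d+)\s*\(T\d\) <---> (\d+/\d+/\d+)\s*\(T\d\)$")
ERROR = re.compile(r"^\*\*\* Error! (.*)$")
FINE = re.compile(r"^CPU to CPU packets are fine between (\d+) units\.$")


def parse_stack_connection(text):
    """Collect the links (with their port pairs), the error lines and the
    'fine between N units' confirmation from the command output."""
    links, errors, fine_units, current = [], [], None, None
    for line in text.splitlines():
        if m := LINK.match(line):
            a, b = sorted((int(m.group(1)), int(m.group(2))))
            current = {"units": (a, b), "num": int(m.group(3)), "pairs": []}
            links.append(current)
        elif (m := PAIR.match(line)) and current is not None:
            current["pairs"].append((m.group(1), m.group(2)))
        elif m := ERROR.match(line):
            errors.append(m.group(1).strip())
        elif m := FINE.match(line):
            fine_units = int(m.group(1))
    return {"links": links, "errors": errors, "fine_units": fine_units}


def check_stack(text, units, ring=True):
    """Return a list of findings; an empty list means the stack looks good.

    A ring of N units needs N stacking links, a linear stack N-1.  Besides
    echoing the switch's own '*** Error!' lines, it flags links whose
    advertised num= does not match the port pairs actually listed, and a
    missing CPU-to-CPU confirmation line.
    """
    parsed = parse_stack_connection(text)
    findings = list(parsed["errors"])
    expected = units if ring else units - 1
    if len(parsed["links"]) != expected:
        findings.append(f"expected {expected} links, found {len(parsed['links'])}")
    for link in parsed["links"]:
        a, b = link["units"]
        if len(link["pairs"]) != link["num"]:
            findings.append(f"link u{a}-u{b} advertises num={link['num']} "
                            f"but lists {len(link['pairs'])} port pairs")
    if parsed["fine_units"] != units:
        findings.append("no 'CPU to CPU packets are fine' confirmation "
                        f"for {units} units")
    return findings


if __name__ == "__main__":
    print("good:", check_stack(GOOD, units=4) or "OK")
    print("bad:", *check_stack(BAD, units=4), sep="\n  ")
```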

Wednesday, November 26, 2014

Cisco Router/Switch: "%MV64340_ETHERNET-5-LATECOLLISION: GigabitEthernetX/X, late collision error"

Have you seen this on the console?
"%MV64340_ETHERNET-5-LATECOLLISION: GigabitEthernetX/X, late collision error"

Turns out it's a speed/duplex mismatch issue.  The symptom was slow internet, and I found out that the ISP changed their side without letting my customer know.  Just not cool, so I changed my customer's switch side so that they could get their full speed back.  ISPs can be a little frustrating.  Reminds me of Brad's post here.

Tuesday, November 25, 2014

Packet Capture Section Of The Blog

I have decided to add a section on this blog called "Packet Capture".  Really, it will be a place where we can see packet captures of different kinds or how to use packet captures.  I'm not sure how this section will go, but let's see.

Monday, November 24, 2014

Brocade ICX6450/6430: How To Configure An LACP LAG (Link Aggregation)/Bonding Two Ports

I did this not long ago when connecting an ICX6450's four 1G ports to a stack of ICX6610s for a 4 Gig uplink.  Worked pretty well too.  Here is the config for the ICX6450 (running 7400 code) side for a dynamic LAG:
ICX6450-48 Switch(config)#lag LAG01 dynamic id 1
ICX6450-48 Switch(config-lag-LAG01)#ports eth 1/2/1 to eth 1/2/4
ICX6450-48 Switch(config-lag-LAG01)#prim 1/2/1
ICX6450-48 Switch(config-lag-LAG01)#deploy
LAG LAG01 deployed successfully!
ICX6450-48 Switch(config-lag-LAG01)#

Sunday, November 23, 2014

Sunday Thought: Don't Be Caught Up

Don't be caught up in who you're not.  You were not made to sin.  You were made to live for the Lord.  For His purpose, in His plan.  You won't be disappointed if you do.

Friday, November 21, 2014

Dell 62XX Switch: CLI Configuration Of A LACP LAG (Link Aggregation) For Uplinks

Dell switches are pretty much at the bottom of my list of switches to use in an enterprise environment.  I have just seen too many issues with them.  Performance being one, reliability being the other.  But, they are out there in the world and you have to work with them at times.  So, I had to configure a LAG between this Dell 6200 and a Brocade ICX using LACP.  Here is the Dell side of the config in CLI:

interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan add 10,15
exit

interface ethernet 1/g47
channel-group 1 mode auto
switchport mode general
switchport general pvid 10
switchport general allowed vlan add 10
switchport general allowed vlan add 15 tagged
exit
!
interface ethernet 1/g48
channel-group 1 mode auto
switchport mode general
switchport general pvid 10
switchport general allowed vlan add 10
switchport general allowed vlan add 15 tagged
exit

Now verify:
console#show interfaces port-channel 1

Channel   Ports                         Hash Algorithm Type
-------   ----------------------------- -------------------
ch1       Inactive: 1/g47, 1/g48        3

Hash Algorithm Type
1 - Source MAC, VLAN, EtherType, source module and port Id
2 - Destination MAC, VLAN, EtherType, source module and port Id
3 - Source IP and source TCP/UDP port
4 - Destination IP and destination TCP/UDP port
5 - Source/Destination MAC, VLAN, EtherType, source MODID/port
6 - Source/Destination IP and source/destination TCP/UDP port

console#

Thursday, November 20, 2014

Brocade ICX6610: How To Put An IP Address On The Management Port

Sometimes I do put an IP address on the management interface of the ICX6610s.  Not always, but sometimes, depending on the environment and customer desires, I will do this.  Here is how you put a management IP address on it (using that management port by the console port):
6610(config)#interface management 1
6610(config-if-mgmt-1)#ip add 10.10.10.3 255.255.255.0
6610(config-if-mgmt-1)#enable
6610(config-if-mgmt-1)#exit
6610(config)#

In the 'show run', you will see the interface like this:
!
interface management 1
 ip address 10.10.10.3 255.255.255.0

Tuesday, November 18, 2014

ShoreTel: Hunt Group Not CallFwd No Answer To Voicemail

I got a call from a customer who said that his hunt group was not going to voicemail when no one answered.  See below; make sure you fill in this field:

Monday, November 17, 2014

Cisco ASA: How To See Who Is SSH'ed Into Your ASA

Just to see the SSH sessions that are connected, you can take a look with the 'show ssh sessions' command.  It will show you who is logged in, plus the encryption standards used.  Pretty good for verification.

ASA# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
1   4.2.2.194  2.0     IN   aes256-cbc sha1     SessionStarted   skillen
                            OUT  aes256-cbc sha1     SessionStarted   skillen
ASA#

Friday, November 14, 2014

Cisco ASA: Changes In The DHCP DNS Settings

Sometimes you just have to change the DNS settings that DHCP gives out.  I can understand that, since sometimes DNS server IPs actually do change.  Here is how you do this on the ASA when it acts as the DHCP server:

ASA(config)# no dhcpd dns 4.2.2.2 192.168.168.2
ASA(config)# dhcpd dns 192.168.168.2 10.10.10.10
ASA(config)# exit

Wednesday, November 12, 2014

Cisco ASA: Memory Usage

I read recently that if the ASA is at 80% or more memory utilization, then you need to upgrade the memory in the box.  I agree, although I might have said 75%.  So how do you see how much memory is in use?

asa# sh memory
Free memory:       334483928 bytes (63%)
Used memory:       195206568 bytes (37%)
-------------     ----------------
Total memory:      529690496 bytes (100%)
asa#

Monday, November 10, 2014

Cisco CUCM: LDAP Configuration On The CUCM Server

I just took some screenshots for myself of this config.  I tend to forget at times, so this is a helpful reminder.  Maybe it will help you too.

Sunday, November 9, 2014

Sunday Thought: Are You Worldly?

1 Corinthians 3:1-3 kind of grabbed my attention recently. Now I do understand the context of what was happening in this passage, but could this have meaning in other areas of our lives as well? I don't want to be worldly.  I do want to be godly.

Friday, November 7, 2014

Brocade Switch: 3 System Commands You Should Run On Your ICX6610

***ADDED NOTE 6-18-2015***
Ok, so based on the comments below, I'm going to have to say I was wrong about making sure you set these.  I have learned from these guys below that changing these settings certainly affects how much of the system's resources are set aside and can negatively affect performance.  Thank you guys for bringing this up.  Very much appreciated.

*** Original Post ***
Just as the title implies, there are three commands I always run on a new install that I do.  I always want to max out the ARP entry count and the number of VLANs, and increase the number of static routes I can put in (although I'm hoping not to put in 2048 of them).  In the static route case, I have had to increase the number beyond the default on the switch (I think the default is 64).  To me, maybe not to you, it's worth upping these defaults to the max, just in case.

Core6610(config)#system ip-arp 64000
Reload required.  Please write memory and then reload or power cycle.
Core6610(config)#system vlan 4095
Reload required.  Please write memory and then reload or power cycle.
Core6610(config)#system ip-static-route 2048
Reload required.  Please write memory and then reload or power cycle.

Thursday, November 6, 2014

Cisco RV042G: VPN Configuration Made Easy

So I'm not a fan of small business products, period.  It's not me, it's them.  I have just had too many bad experiences with them.  Performance problems, downtime, you name it.  It all comes with the territory of small business products that are 'designed' to save a company money.  I'm just against it.
So I got a call from a customer asking me to get the VPN back up.  Some other company bought them this Cisco RV042G router (with some limited firewall capability) and couldn't get the VPN up.  No big deal.  Everyone has different experiences in life, and IT is no different.
There is a VPN page that really makes the config simple.  Yes, it's a GUI, which you all know I don't love.  This box doesn't have a CLI (that I'm aware of).  Here is a look at the VPN page.  It's easy to set up and will walk you through the parameters you need for Phase I, Phase II, and the interesting traffic ACL.  It does the NAT exemption (no-NAT) for you without asking, which can be a bad thing, since on some VPNs you do want to NAT.  Either way, this was pretty simple on the VPN page.  Just click on the add VPN button.

Wednesday, November 5, 2014

Check Point: Inside The Nokia IP440

Just had one laying around and thought I would take a picture.  Yes, basically a PC.

Tuesday, November 4, 2014

ShoreTel: Version 14 and Stats

ShoreTel 14 has some pretty cool statistic pages.  For the guy who manages the ShoreTel phone system, but really is not a phone system guy, this is pretty good.  Take a look at a page with some stats.  In this screenshot, most people really want to know how many calls come in on the PRI per hour, or day.  This screen really helps.

Monday, November 3, 2014

Cisco ASA: Adding Routes In By Network ID Up To A Certain IP Address

Sometimes you get special scenario situations where it just takes some creative thought.  Routing, sometimes, is no different.  In this case, I had a management VLAN that needed to be accessed from remote-access VPN clients.  The ASA also had an IP address on that management VLAN.  So that meant that any ping, etc, trying to get to the management network would do what?  Yes, go out the management interface, since it was a directly connected route.  However, in this case, that was undesirable.
No worries.  I'll just add network routes in for everything up to the IP that I need.  He requested that any IP below the ASA's IP should be fine.  That means any IP below 192.168.50.125, in this case, which a handful of more-specific routes can cover (the longest prefix match wins over the connected route).  So what is the easiest way to do this?  See below.



5520ASA# config t
5520ASA(config)# route inside 192.168.50.0 255.255.255.192 192.168.6.4
5520ASA(config)# route inside 192.168.50.64 255.255.255.224 192.168.6.4
5520ASA(config)# route inside 192.168.50.96 255.255.255.240 192.168.6.4
5520ASA(config)# route inside 192.168.50.112 255.255.255.248 192.168.6.4
5520ASA(config)# route inside 192.168.50.120 255.255.255.252 192.168.6.4
5520ASA(config)# route inside 192.168.50.124 255.255.255.255 192.168.6.4
5520ASA(config)#exit
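As an added example (not from the original post), here is how to compute that set of routes for any "everything below address X" case rather than working it out by hand; it uses only Python's standard library and the addresses from the post above, and checks that the ASA's own address is left out.

```python
import ipaddress

# Values from the post, used here as the sample input: the management VLAN is
# taken to be 192.168.50.0/24 (the post does not state the mask), the ASA's
# own address there is .125, and everything below it should be reached
# through 192.168.6.4 on the inside interface.
MGMT_NETWORK = "192.168.50.0/24"
ASA_MGMT_IP = "192.168.50.125"
NEXT_HOP = "192.168.6.4"
INTERFACE = "inside"


def prefixes_below(network, limit):
    """Smallest set of CIDR prefixes covering network's first address up to,
    but not including, limit.  Longest-prefix matching then sends those hosts
    via the static routes while limit itself stays on the connected route."""
    net = ipaddress.IPv4Network(network)
    stop = ipaddress.IPv4Address(limit)
    if stop not in net:
        raise ValueError(f"{limit} is not inside {network}")
    first = net.network_address
    last = stop - 1
    if last < first:          # limit is the very first address: nothing to cover
        return []
    return [str(p) for p in ipaddress.summarize_address_range(first, last)]


def asa_route_commands(prefixes, interface, next_hop):
    """Render prefixes as ASA 'route' lines (dotted netmask, not /len)."""
    lines = []
    for cidr in prefixes:
        p = ipaddress.IPv4Network(cidr)
        lines.append(f"route {interface} {p.network_address} {p.netmask} {next_hop}")
    return lines


def covers_address(prefixes, address):
    """Sanity check: True if any generated prefix would swallow the address."""
    addr = ipaddress.IPv4Address(address)
    return any(addr in ipaddress.IPv4Network(p) for p in prefixes)


if __name__ == "__main__":
    prefixes = prefixes_below(MGMT_NETWORK, ASA_MGMT_IP)
    # The ASA's own address must not be pulled off the connected interface.
    assert not covers_address(prefixes, ASA_MGMT_IP)
    for line in asa_route_commands(prefixes, INTERFACE, NEXT_HOP):
        print(line)
```

Running it reproduces the six route lines above, from the /26 down to the /32 for .124.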

Sunday, November 2, 2014

Sunday Thought: Be Nice

Be nice. Keep your promises. Say thank you. Put people before your career.

Friday, October 31, 2014

Brocade Switch: "TFTP to Flash Error - code 5"

If you see this message, just run the tftp command again.  I have no idea why the "TFTP to Flash Error - code 5" happens.  I have no reason and no solution, except just run it again.  It will work the second time if this happens.

ICX6610-48 Switch#copy tftp flash 10.10.10.1 grz07302.bin boot
ICX6610-48 Switch#Load to buffer (8192 bytes per dot)
...................Write to boot flash......................................
TFTP to Flash Error - code 5
ICX6610-48 Switch#copy tftp flash 10.10.10.1 grz07302.bin boot
ICX6610-48 Switch#Load to buffer (8192 bytes per dot)
.....................Write to boot flash.........................................
TFTP to Flash Done.
ICX6610-48 Switch#

Thursday, October 30, 2014

Brocade ICX Switch: STP/Blocked Ports/Forwarding Ports

On occasion, when troubleshooting a network, it is important to see if a port (or ports) is in forwarding or blocking mode.  This can be important, especially if you can't get to something.  In the case below, I'm looking at VLAN 1 to see if a few ports are in the right mode or not.  The first two ports are what I'm concerned about.  Looks like they are forwarding, so I guess I have to look elsewhere.

Core6610#sh 802 vlan 1

--- VLAN 1 [ STP Instance owned by VLAN 1 ] ----------------------------

Bridge IEEE 802.1W Parameters:

Bridge           Bridge Bridge Bridge Force    tx
Identifier       MaxAge Hello  FwdDly Version  Hold
hex              sec    sec    sec             cnt
0400748ef8ffb655 20     2      15     Default  3

RootBridge       RootPath  DesignatedBri-   Root   Max Fwd Hel
Identifier       Cost      dge Identifier   Port   Age Dly lo
hex                        hex                     sec sec sec
0400748ef8ffb655 0         0400748ef8ffb655 Root   20  15  2

Port IEEE 802.1W Parameters:

       <--- Config Params --><-------------- Current state ----------------->
Port   Pri PortPath P2P Edge Role       State       Designa-  Designated
Num        Cost     Mac Port                        ted cost  bridge
1/1/1  128 20000    F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/2  128 20000    F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/3  128 200000   F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/4  128 2000000  F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/5  128 20000    F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/6  128 20000    F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655

Wednesday, October 29, 2014

Brocade ICX Switch: "Show Link-aggregation" Command

I always do link aggregation if possible with Brocade.  Better throughput and redundancy.  It's just my preference for the customer when it makes sense.  And hey, when does better throughput and better redundancy not make sense???
Anyway, I like to check my connections to make sure my trunks look ok.  I use the "show link-agg" command below.  You can see the keys match each other to tell you which links go together.  I'll color code these below to show you.

6610#sh link-agg
System ID: 748e.f8ff.XXXX
Long  timeout: 120, default: 120
Short timeout: 3, default: 3
Port  [Sys P] [Port P] [  Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1/1       1        1    10013   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
1/1/2       1        1    10014   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
1/3/1       1        1    10001   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/2       1        1    10002   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/3       1        1    10003   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/4       1        1    10004   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/5       1        1    10005   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/6       1        1    10006   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/7       1        1    10007   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/8       1        1    10008   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/1/1       1        1    10013   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/1/2       1        1    10014   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/1/3       1        1    10015   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/1/4       1        1    10016   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/3/1       1        1    10001   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/2       1        1    10002   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/3       1        1    10003   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/4       1        1    10004   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/5       1        1    10009   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/6       1        1    10010   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/7       1        1    10011   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/1/3       1        1    10015   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
3/1/4       1        1    10016   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
3/3/1       1        1    10009   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/2       1        1    10010   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/3       1        1    10011   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/5       1        1    10005   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/6       1        1    10006   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/7       1        1    10007   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/8       1        1    10008   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
6610#
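Added example, not part of the original post: a small parser that groups the rows of that output by LACP key (the matching the post does by color) and flags a key that has no partner port or whose members are not all Ope. The sample is a constructed subset of the output above plus one made-up orphan row (3/3/4, key 10099) to exercise the check.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the 'show link-aggregation' output from the
# post, plus one made-up orphan row (3/3/4, key 10099) to exercise the check.
SAMPLE = """\
6610#sh link-agg
System ID: 748e.f8ff.XXXX
Long  timeout: 120, default: 120
Short timeout: 3, default: 3
Port  [Sys P] [Port P] [  Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1/1       1        1    10013   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
1/1/2       1        1    10014   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
1/3/1       1        1    10001   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/1/1       1        1    10013   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/1/2       1        1    10014   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/3/1       1        1    10001   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/4       1        1    10099   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
6610#
"""

# Port, SysP, PortP, Key, Act, then seven flag columns (Tio..Exp), then Ope.
ROW = re.compile(r"^(\d+/\d+/\d+)\s+\d+\s+\d+\s+(\d+)\s+(\S+)(?:\s+\S+){7}\s+(\S+)\s*$")


def parse_link_agg(text):
    """Group member ports by LACP key; each entry records Act and Ope/Dwn."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # prompt, header and timeout lines
        port, key, active, oper = m.groups()
        groups[key].append({"port": port, "active": active == "Yes", "up": oper == "Ope"})
    return dict(groups)


def audit_link_agg(groups):
    """Findings worth a look: a key carried by a single port (nothing to pair
    with) and groups whose members are not all operational."""
    findings = []
    for key in sorted(groups):
        members = groups[key]
        ports = ", ".join(m["port"] for m in members)
        if len(members) < 2:
            findings.append(f"key {key}: only {ports} carries this key (no partner port)")
        elif not all(m["up"] for m in members):
            findings.append(f"key {key}: {ports} not all operational")
    return findings


if __name__ == "__main__":
    for finding in audit_link_agg(parse_link_agg(SAMPLE)):
        print(finding)
```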

Customer Care: Jerry Maguire Movie And The IT Services Business

There is this movie that I really like called Jerry Maguire.  I think I have all of the movie lines memorized, but there is one in particular that really stands out to me.  It's become my 'personal motto in the business world': "If this (tapping on his heart) is empty, then this (pointing to his head) doesn't matter."  I couldn't agree more.  Treat your customers well, plus some.  Take a genuine interest in your customers.  Take good care of them.

Tuesday, October 28, 2014

Cisco UC: How To Power Down Gracefully The CUCM/UC Servers

Basically, here is an email I sent to my customer on how to shut down his CUCM/UC environment:
SSH into the servers below:
ssh into 192.168.2.5  login XXXXX/XXXXXX
ssh into 192.168.2.6  login XXXXX/XXXXXX
ssh into 192.168.2.7  login XXXXX/XXXXXX

Run this command on the servers above after you login:
"utils system shutdown"

That will shut the servers all the way down gracefully.

Sunday, October 26, 2014

Acts: He Did Rise Again

If you don't believe that Jesus rose from the dead, maybe you should read these things:
Acts 2:32
And from Acts 2:32, the crowd knew Peter was right:
Acts 2:37
More eyewitness accounts:
Acts 3:15
Acts 5:29-32
Acts 13:30-31

Even after being flogged, they still went out and proclaimed the good news of the gospel. Do you know what flogging means? Give that some thought. Why would they continue to proclaim that Jesus was raised from the dead after this if it were not true?
Acts 5:40-42

Just a few verses to think about if you don't know Jesus is alive and well today.


Friday, October 24, 2014

Certifications - For The Network Guy

There are times when I am asked by people the following question:
What certifications should I pursue to get ahead in an IT career?
Now, there are some variations to that question, but essentially, that is the gist of it.  I have to go back, somewhat, to a post I wrote on this blog.  Click here to see that post.  It depends on what you like to do.  For me, it's the network stuff.  Yes, I do get into other things like VoIP, security, and wireless.  It just seems part of my job.  But, generally speaking, I am a 'network guy' in the career.
So, what certifications are important for the network guy?  Well, I suppose everyone has an opinion about this, but I think that Cisco certifications are the most recognized certs on the market, even though, as far as network equipment is concerned, I don't think they are number 1 for performance.  If you do a job search on something like Monster.com or indeed.com, what is the most sought after by employers?  CCNA and CCNP.  Sometimes you will see others, but you mostly see Cisco.
If you are looking to start off in networking and want to build your certifications, I would recommend starting with Cisco's CCNA.
With that said, I then think you should focus on what you work on.  If you work on HP equipment regularly, then get good at that.  If it's Brocade, then shoot for BCNE.  If you do a lot of security, then go for the Cisco CCNP Security cert.  But try to focus on the things you like to do.  Ultimately, when you get good at the things you like to do, your career will kind of take you in that direction, which is probably what you will want.

Thursday, October 23, 2014

Palo Alto Firewalls: Check Point's Biggest Threat

There seems to be a lot of misinformation about Palo Alto firewalls out there.  I remember about a year ago, I went to a Check Point function, and the engineer that was teaching the class kept on saying negative things about Palo Alto firewalls.  He even went as far as saying that Palo Alto firewalls do not do stateful inspection.  I remember thinking that he had obviously never read anything about Palo Alto firewalls or never installed/managed one.  He must have just heard that somewhere and just repeated it (many times in that class).  That guy lost all credibility with me.

With that said, what methods do Palo Alto firewalls use to secure a company?  Here are the methods I know of:
1. stateful inspection
2. signature database
3. regular expressions
4. heuristics
5. known protocol decoders
6. unknown protocol decoder

Below is where they line up on Gartner's magic quadrant.  Also, notice the other competitors.


Tuesday, October 21, 2014

Cisco ASA: "Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete."

Well, I did see this message on an ASA 5505.
 Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

So how do you fix this?  Well, I'm sure there are several potential fixes for this, depending on what you have configured for the VPN.  I'm assuming you are working on a VPN if you are getting this message.  Anyway, I happened to forget to enable ISAKMP on the outside interface, which did cause this.  Sometimes you just forget some config.

crypto isakmp enable outside

Monday, October 20, 2014

Cisco Switch/Router/ASA: "Exec-timeout 0 0"

What are the security implications of the following on a Cisco device:

line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh

First, here is what Cisco's documentation says about the exec-timeout command (I pulled out the parts that mattered to me):

To set the interval that the EXEC command interpreter waits until user input is detected, use the exec-timeout line configuration command. To remove the timeout definition, use the no form of this command.
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
To specify no timeout, enter the exec-timeout 0 0 command.

Seems like "0 0" might not be a good idea, especially for console access: I recently got into a core switch's console without having to log in at all, because a session was still sitting there open.  Just be aware of the security implications of the configs you do.

line con 0
 exec-timeout 0 0
 login local
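Added example, not from the original post: a config audit that walks each line section of a saved IOS-style config and flags exec-timeout 0 0 (or a timeout above a chosen maximum), treating an absent exec-timeout as the IOS default of 10 minutes. The config it checks is constructed to resemble the snippets above.

```python
import re

# Constructed sample config in the style of the post: the vty and console
# lines carry exec-timeout 0 0, while aux has a sane timeout.
SAMPLE_CONFIG = """\
hostname core-sw
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
!
end
"""

DEFAULT_TIMEOUT = (10, 0)   # IOS default (minutes, seconds) when none is configured


def parse_line_sections(config):
    """Map each 'line ...' section to its indented sub-commands."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None            # '!' or a top-level command ends the section
    return sections


def exec_timeout_of(sub_commands):
    """(minutes, seconds) for a line section; 'exec-timeout 0' alone also means never."""
    for cmd in sub_commands:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    return DEFAULT_TIMEOUT


def audit_exec_timeout(config, max_minutes=10):
    """Flag line sections whose idle session never expires or exceeds max_minutes."""
    findings = []
    for name, cmds in parse_line_sections(config).items():
        minutes, seconds = exec_timeout_of(cmds)
        if minutes == 0 and seconds == 0:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout; "
                            f"an abandoned session stays logged in until someone closes it")
        elif minutes > max_minutes:
            findings.append(f"{name}: exec-timeout {minutes} {seconds} exceeds {max_minutes} minutes")
    return findings


if __name__ == "__main__":
    for finding in audit_exec_timeout(SAMPLE_CONFIG):
        print(finding)
```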

Sunday, October 19, 2014

Sunday Thought: Dont

Don't let your view of God be the same as your view of God's people.
God's people fall.
God's people fail.
God's people are not perfect.

But God does not fall.
God does not fail.
And God is perfect.

We, as humans, do not understand perfection. Although we try, we just have never been perfect.

Friday, October 17, 2014

Cisco 2960: How To Configure A Port-Channel For LACP

I had this need when I replaced a core not long ago.  I ended up needing dual fiber back to redundant cores, and LACP was being used.  Here is how I did it on the access switches, which were Cisco 2960Gs.

int port-ch 1
switch mode trunk
int gig 1/0/49
channel-gr 1 mode active
int gig 1/0/50
channel-gr 1 mode active
exit
exit
wr mem

Now, let's check to make sure it looks good:
2960S-POE-48#sh etherchannel 1 sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Gi1/0/49(P) Gi1/0/50(P)


2960S-POE-48#

Wednesday, October 15, 2014

Cisco ASA: How To Remove/Delete The Default-RSA-Key .server Certificate

Have you ever seen a penetration test where you get flagged for a weak key on an ASA?  And they want you to take care of it?  I have recently, and I found that the weak key was the <Default-RSA-Key>.server key that is created by default on the Cisco ASA.  So here is what I did to remove it and get it taken care of:


ASA(config)# sh cryp key mypubkey rsa
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
  XXXX
Key pair was generated at: 01:37:31 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
XXXX

See that 768 bit key?  We don't want that, so let's get rid of it.

ASA(config)# cryp key zer rsa label <Default-RSA-Key>.server
WARNING: Keys to be removed are named '<Default-RSA-Key>.server'.
WARNING: All device certs issued using these keys will also be removed and
the associated trustpoints may not function correctly.
Do you really want to remove these keys? [yes/no]: yes

ASA(config)# show cryp key mypubkey RSA
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data: xxxxx
ASA(config)#

Now, for whatever reason, it will create that <Default-RSA-Key>.server key again.  So we had better make sure it's 2048 bits instead of 768.


ASA(config)#  cryp key gen rsa label <Default-RSA-Key>.server mod 2048
INFO: The name for the keys will be: <Default-RSA-Key>.server
Keypair generation process begin. Please wait...
ASA(config)# sho cryp key mypubkey rsa
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
  XXXXX
Key pair was generated at: 02:01:28 UTC Sep 30 2014
Key name:
<Default-RSA-Key>.server
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
XXXXX
ASA(config)#

So, what I have found is that the day after I did this, the 768 bit key was back again, as a third key.  After contacting Cisco TAC, this is what they responded back with:
"Thank you for the information. I found a bug that was filed for this behavior. Unfortunately it is not publically visible bug. Here are some details from that bug:

PIX software may generate a self-signed RSA key on bootup that is 768 bits, even if a user-generated key already exists. Vulnerability scanners can identify this as a security risk.
When the default RSA key is deleted, the ASA will regenerate a 768-bit RSA key on a subsequent bootup even if a user-created RSA key exists.  This causes the ASA to fail a vulnerability scan because the 768-bit key is visible to a client that is trying to connect via SSH.  The Qualys scanner specifically identifies this as 38477.

The ASA will retain all keys over a reboot as long as a "write mem" is done after the keys are created.  This applies to the "<Default-RSA-Key>" that is created by "crypto key generate rsa" and the "<Default-RSA-Key>.server" key that is created upon the first ssh connection to the ASA. Tested this behavior on 8.0(4.33) and the key is not automatically generated.

Basically what this means is, to fix the issue, an upgrade to a newer code is required. The best code to upgrade to without major config modifications would be 8.2.5"

UPDATE:
So, just FYI.  Even after the upgrade, the problem of the cert and the weak key came back.  No resolution at this point, and Cisco TAC says there is no answer.
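Added example, not from the original post or from Cisco: a parser for "show crypto key mypubkey rsa" output that reports every key pair below 2048 bits, so the check can be rerun after a reboot to catch the key coming back. It handles the wrapped "Key name:" line seen in the last output above; the sample is constructed from the post with the key data replaced.

```python
# Constructed sample modelled on the 'show crypto key mypubkey rsa' output in
# the post; key data is replaced with XXXX as it is on the page.  The third
# entry mimics the wrapped "Key name:" line seen after regeneration.
SAMPLE_OUTPUT = """\
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
  XXXX
Key pair was generated at: 01:37:31 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
XXXX
Key pair was generated at: 02:01:28 UTC Sep 30 2014
Key name:
<Default-RSA-Key>.server
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
XXXXX
"""

MIN_MODULUS_BITS = 2048


def parse_rsa_keys(text):
    """One record per key pair: name, usage, modulus bits and generation time."""
    keys = []
    lines = text.splitlines()
    current = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("Key pair was generated at:"):
            current = {"generated": line.split(":", 1)[1].strip()}
            keys.append(current)
        elif current is not None and line.startswith("Key name:"):
            name = line[len("Key name:"):].strip()
            if not name and i + 1 < len(lines):   # name wrapped onto the next line
                i += 1
                name = lines[i].strip()
            current["name"] = name
        elif current is not None and line.startswith("Usage:"):
            current["usage"] = line[len("Usage:"):].strip()
        elif current is not None and line.startswith("Modulus Size (bits):"):
            current["bits"] = int(line.rsplit(":", 1)[1])
        i += 1                                    # Key Data lines are skipped
    return keys


def weak_keys(keys, minimum=MIN_MODULUS_BITS):
    """Key pairs whose modulus is below the minimum (or could not be read)."""
    return [k for k in keys if k.get("bits", 0) < minimum]


def weak_key_report(text, minimum=MIN_MODULUS_BITS):
    """Human-readable findings, one per key pair below the minimum."""
    return [f"{k['name']}: {k['bits']}-bit modulus is below {minimum} (generated {k['generated']})"
            for k in weak_keys(parse_rsa_keys(text), minimum)]


if __name__ == "__main__":
    for finding in weak_key_report(SAMPLE_OUTPUT):
        print(finding)
```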

Tuesday, October 14, 2014

Cisco ASA: Downgrade From 9.0(3) To 8.4(5)

While at a customer site late at night, we were going to do an upgrade on the cluster of ASAs from 8.4(5) to 9.0(3).  However, because we interrupted a project implementation that we didn't know about, we had to revert back.  Mainly because the upgrade interrupted their AnyConnect VPN access and brought it down completely.  So after some troubleshooting, I found that the webvpn config got taken out either when I reverted back to 8.4(5) or when the upgrade was done.  I'm not sure when it was, but I do know that when we were back to the original 8.4(5) code, the webvpn config was missing.  Interesting for sure, but that was an experience to be aware of for me.

Monday, October 13, 2014

Brocade Switch: Verifying What SFP Is In The ICX6610

This is an interesting command.  Need to know what hardware the GBIC is?  How about anything else?  Use the 'show media' command.

6610#show media et 3/3/1
6610#
Port  3/3/1: Type  : 10G XG-LR(SFP +)
             Vendor: FiberStore         Version: 1.0
             Part# : SFP-10G31-10-BR    Serial#: WDFXXXXXXF0016
6610#
6610#show media et 2/2/1
6610#
Port  2/2/1:Type: 40G QSFP Module
Vendor Name: BROCADE  Serial Num: PXXXXXX830XXXX520 Revision: A
6610#

Saturday, October 11, 2014

Pic Of The Week: "A Little Carried Away" In The Attic

It's a funny story really, but my contractor got carried away when doing some re-insulation work.

Friday, October 10, 2014

Brocade Switch: How To Tell What Licenses Are On The Switch

When I get a new switch in to get it ready for a customer, one thing I do is look at what license came on it.  Just to make sure I'm on the same page.  Below, I have a temp license and a premium license on a stack.

telnet@6610>sh lic
Index      License Name              Lid          License Type    Status     License Period  License Capacity
Stack unit 1:
1          ICX6610-PREM-LIC-SW       xxxxxxxxxI  Trial           Active     45         days            1
2          ICX6610-PREM-LIC-SW       xxxxxxxxxI  Normal          Active     Unlimited                  1
Stack unit 2:
1          ICX6610-PREM-LIC-SW       xxxxxxxxxF  Trial           Active     45         days            1
2          ICX6610-PREM-LIC-SW       xxxxxxxxxF  Normal          Active     Unlimited                  1
telnet@6610>


Thursday, October 9, 2014

Cisco Voice: Call Being Blocked By Telco When CallFwdAll Externally On CUCM

I had a customer call me up and tell me they couldn't do a call forward all out to their cell phone when they left for the day.  I'm a big fan of voicemail myself, when it comes to after hours, but sometimes you just don't have that option.  The telco wouldn't accept anything except the DID range that was allocated to the company.  So when a call was forwarded externally and showed up with the original caller's number as the calling number, it would get dropped.  So I had to set this so the caller ID was actually the original DID being called, not the original calling number.  Below is the topology of the call flow, and the gateway screen where I made the change.  Select "Last Redirect Number (External)" under "Calling Party Selection".



Wednesday, October 8, 2014

Technology, Communication and Clients

I was thinking the other day, while working with two customers at the same time, of all the different ways that I communicate with my customers.  It is interesting to me, because with most customers that I have, I go onsite and probably talk on the phone with them.  But I have some that I/they only text message their requests.  I have others that I/they only email requests.  With some of these customers, I never go onsite (and wouldn't know their face if I saw them); I guess it has become accepted to do business that way.  I can name one customer in particular that I do a lot of phone work for, but if they were standing in front of me now, I wouldn't know them.  Others, I might know their voice, but that is all.  Still others, I have only seen emails from, so I wouldn't know either one.  It's just interesting how technology has come to a place where you can be so impersonal and still get the job done.
I guess I'm from the old school.  I like talking to people.  I like seeing them and having conversations with them.  Sure, I can text and email and get whatever you need done, done.  But I like the personal relationships.  It seems with social media these days, and even work life, it appears to be going in that direction.  Maybe slowly, but I think it is for sure.  I hope I'm out of the IT field altogether before that happens.

Tuesday, October 7, 2014

Brocade Switch: How To Unconfigure An ICX6450 Switch From A Stack

I have run into this a few times.  I simply needed to take a switch out of a stack and re-purpose it for something else.  Sometimes it happens.  Not often, but it does.  Here is what I did to unconfigure the ICX6450 from the stack.

[MEMBER]local-3@ICX6450-48P Switch#stack unconfig clean
This unit will delete all config files and boot up as a clean unit. Are you sure? (enter 'y' or 'n'): y
Remove startup config and stacking files. Will reload as a clean unit
[MEMBER]local-3@ICX6450-48P Switch#Halt and reboot



Monday, October 6, 2014

SonicWall: tcp-seq-num-approximation Causing Penetration Test To Fail

I have this pen test that keeps coming up with this severe event: a tcp-seq-num-approximation vulnerability.
Well, in this case, I have a SonicWall at this customer, and there is one setting that, according to SonicWall TAC, should resolve this issue:

Turns out, in this scenario, it's a false positive.  I'm glad to hear it.

Sunday, October 5, 2014

Sunday Thought: "Dry Times" And The Desperation For God

I have to admit that lately, I have been going through a "dry time", as a friend of mine called it.  I guess to me, what I mean is that sometimes... God is just silent...

I don't remember the last time I was in this much turmoil about it. And honestly, I don't really know why God chooses to be silent sometimes.

If you are a Christian, and you are going through a time of desperation for God, I'd like to give you this song in the link below.  Hang in there.  God is not silent forever.  It's less than 4 minutes.

https://www.youtube.com/watch?v=cvytewIxll0