I have had to do this a lot. A user has VPN'ed in via remote access and they have problems. I can find out all about them by looking through the config and knowing what is in their pcf file, but it's easier to just use the command below. You can see the command and what information it gives you. Very useful for troubleshooting.
ASA# sh vpn-sessiondb detail ra-ikev1-ipsec filter name shane
Session Type: IKEv1 IPsec Detailed
Username : shane Index : 35708
Assigned IP : 192.168.1.18 Public IP : 4.4.121.188
Protocol : IKEv1 IPsecOverNatT
License : Other VPN
Encryption : 3DES 3DES Hashing : SHA1 SHA1
Bytes Tx : 0 Bytes Rx : 1260
Pkts Tx : 0 Pkts Rx : 21
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : technicalgroup Tunnel Group : technicalgroup
Login Time : 18:43:45 UTC Wed Mar 5 2014
Duration : 0h:02m:27s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1
IKEv1:
Tunnel ID : 35708.1
UDP Src Port : 59691 UDP Dst Port : 4500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
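As an added example (not code from the original post), here is a small Python parser for the flattened "show vpn-sessiondb detail" output shown above, plus a review function that lists what a security engineer would note in this particular session: a legacy cipher (3DES), a legacy integrity algorithm (SHA1), IKEv1 aggressive mode with a pre-shared key, and the zero transmit counters that matter when a user says the tunnel "is up but nothing works". The sample text is the session output from this post; the field list and the wording of the findings are my own assumptions.

```python
import re

# Field names as printed by "show vpn-sessiondb detail" (assumed list, built from
# the output above). Sorted longest-first so "Pkts Tx Drop" is tried before
# "Pkts Tx" and "VLAN Mapping" before "VLAN" when one line holds several pairs.
SESSION_FIELDS = sorted([
    "Username", "Index", "Assigned IP", "Public IP", "Protocol", "License",
    "Encryption", "Hashing", "Bytes Tx", "Bytes Rx", "Pkts Tx", "Pkts Rx",
    "Pkts Tx Drop", "Pkts Rx Drop", "Group Policy", "Tunnel Group",
    "Login Time", "Duration", "Inactivity", "NAC Result", "VLAN Mapping",
    "VLAN", "Tunnel ID", "UDP Src Port", "UDP Dst Port", "IKE Neg Mode",
    "Auth Mode",
], key=len, reverse=True)

FIELD_RE = re.compile(
    r"(?<!\S)(" + "|".join(re.escape(f) for f in SESSION_FIELDS) + r") : ")

# Session output copied from the post above (user "shane").
SAMPLE_SESSION = """\
Session Type: IKEv1 IPsec Detailed
Username : shane Index : 35708
Assigned IP : 192.168.1.18 Public IP : 4.4.121.188
Protocol : IKEv1 IPsecOverNatT
License : Other VPN
Encryption : 3DES 3DES Hashing : SHA1 SHA1
Bytes Tx : 0 Bytes Rx : 1260
Pkts Tx : 0 Pkts Rx : 21
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : technicalgroup Tunnel Group : technicalgroup
Login Time : 18:43:45 UTC Wed Mar 5 2014
Duration : 0h:02m:27s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1
IKEv1:
Tunnel ID : 35708.1
UDP Src Port : 59691 UDP Dst Port : 4500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
"""


def parse_session(text):
    """Return {field: value} for every known field found in the output."""
    fields = {}
    for line in text.splitlines():
        matches = list(FIELD_RE.finditer(line))
        for i, m in enumerate(matches):
            # a value runs until the next recognised field name on the same line
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            fields[m.group(1)] = line[m.end():end].strip()
    return fields


def review_session(fields):
    """Findings worth noting for this session, from a defender's point of view."""
    findings = []
    enc = fields.get("Encryption", "").split()
    if "3DES" in enc or "DES" in enc:
        findings.append("legacy cipher: " + fields["Encryption"])
    hsh = fields.get("Hashing", "").split()
    if "SHA1" in hsh or "MD5" in hsh:
        findings.append("legacy integrity algorithm: " + fields["Hashing"])
    if (fields.get("IKE Neg Mode") == "Aggressive"
            and fields.get("Auth Mode") == "preSharedKeys"):
        findings.append("IKEv1 aggressive mode with a pre-shared key; "
                        "prefer main mode or certificate authentication")
    if fields.get("Bytes Tx") == "0" and fields.get("Pkts Tx") == "0":
        findings.append("ASA has sent nothing to the client yet (Bytes Tx 0) "
                        "after " + fields.get("Duration", "?"))
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE_SESSION)
    for key in ("Username", "Assigned IP", "Public IP", "Protocol",
                "Encryption", "Hashing", "IKE Neg Mode", "Auth Mode"):
        print("%-13s %s" % (key, parsed.get(key)))
    for finding in review_session(parsed):
        print("-", finding)
```

Run it on the saved output of the command and the four findings above come back for this session; on a session using AES, SHA-2 and main mode with certificates, only the traffic-counter line (if any) is reported.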
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Friday, May 30, 2014
Thursday, May 29, 2014
Check Point Upgrade Plan Of Action: A Written Plan...
This was our 'written plan' for the night we did this upgrade. We (one of my customers and I) thought it good to write the plan out and just have it by our side, should we need to refer to it. Good idea.
1. Reboot FW1 and push policy to overcome memory leak problem.
2. On both FW1 and FW2, change the CCP method of communication to "broadcast" with the "cphaconf set_ccp broadcast" command.
3. FW2 should be active. (because of the Check Point setting to keep the active member active, not set by priority)
4. Upgrade FW1.
5. Reboot FW1.
6. On FW1, do "fw ver" (SPLAT)
7. Check SIC on FW1. (re-establish if necessary; documentation does not state that it is necessary).
8. In Dashboard, change FWCluster version to R77.10.
9. Push policy and make sure you uncheck "if fail ..."
10. After policy push, "cphaprob stat" to make sure upgrade was successful.
11. Check to make sure Internet, etc. is still up.
12. On FW2, do a 'cpstop' (theoretically, this is when traffic should fail over to FW1). ***JUST FYI, WE DID NOT DO THIS STEP***
13. Check FW1 by doing a "cphaprob stat" and look in Tracker to verify traffic is going to FW1.
14. Upgrade FW2.
15. Reboot FW2.
16. On FW2, do "fw ver" (SPLAT)
17. Check SIC on FW2. (re-establish if necessary; documentation does not state that it is necessary).
18. Push policy.
19. Test all traffic.
20. On both FW1 and FW2, change the CCP method of communication to "multicast" with the "cphaconf set_ccp multicast" command.
Tuesday, May 27, 2014
Cisco MCS Server: Hardware Specific
I had an MCS Cisco Business Edition server that I was working on recently. I wanted to see if I could put the hard drive of this server (which is mirrored) into another MCS server. I can't recall the model numbers, but they were slightly different. What I found was that the OS does do a hardware check. I put the Business Edition HD into the other server and got this message below.
Monday, May 26, 2014
A Day In The Park
Thank you to the families and to the people who have served and died for this country, the United States of America.
Sunday, May 25, 2014
Mark 10:6
Since Jesus was God in the flesh, it might be important to know what He said about creation. I think it is important to read Mark 10:6 at this point:
"But at the beginning of creation God made them 'male and female.'
You can go on and read verse 7 as well. I find that interesting. Jesus Himself didn't say anything about evolution, theistic evolution, the gap theory, UFOs planting 'seeds' here on Earth, etc. He simply backs up what the Genesis account says. I guess He would know since He was there.
Friday, May 23, 2014
Trained Ears???
Have you trained your ears to notice the difference in sound in a data center or server room closet? It seems to me that if you are really paying attention to your equipment, you can tell the difference in the sounds in your closets/data centers.
Thursday, May 22, 2014
Cisco ASA: How To Break Into The ASA And Do A Password Recovery Procedure
For some reason, one of my customers' ASAs would not let us log into it. Now maybe someone deliberately went in and changed all the passwords. I don't know for sure. But what I do know is how to break into it and change it back.
First, interrupt the boot to go into ROMMON mode. Here is what I did when I stopped the boot process below. Notice that the original boot config register ends in "01". I don't want that next time it boots. I want it to be "41". You can see that after I changed the config register, I rebooted the ASA.
==============================================================
rommon #0> confreg
Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]: n
rommon #1> confreg 0x41
Update Config Register (0x41) in NVRAM...
rommon #2>boot
==============================================================
Next, I booted the ASA normally. However, it acts like it's never been configured. Notice below, I get the original config back in place by doing the copy start run. Then, I change my enable password and my username password. Then I change the config register back to the way it was before ("01").
==============================================================
ciscoasa> en
Password:
ciscoasa# copy startup-config running-config
Destination filename [running-config]?
..INFO: outside interface address added to PAT pool
INFO: Global 70.43.49.212 will be Port Address Translated
..
Cryptochecksum (unchanged): 04a475a6 81a5f851 a6e7af85 85317660
10169 bytes copied in 4.180 secs (2542 bytes/sec)
ASA#
ASA# config t
ASA(config)# enable password newpassword
ASA(config)# username shane pass shane pri 15
ASA(config)# config-register 0x01
ASA(config)# exit
==============================================================
Before I reload the ASA, notice I do a show version. Notice the highlighted piece of it, just FYI.
==============================================================
ASA# show ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 7.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
ASA up 1 min 34 secs
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
...edited for brevity...
This platform has a Base license.
Serial Number: JMXXXXXX
Configuration register is 0x41 (will be 0x1 at next reload)
Configuration last modified by enable_15 at 11:28:17.629 UTC Wed May 14 2014
ASA#reload
==============================================================
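The "show version" line that matters here is "Configuration register is 0x41 (will be 0x1 at next reload)". As an added example (my code, not from the post), here is a Python audit that parses that line out of saved "show version" output, decodes the register, and reports the things a defender would want to know after the fact: that the box booted with its startup-config ignored, that a register change is pending, and who last modified the configuration. The bit meanings used (0x40 ignores startup-config, 0x01 boots the default image from flash) are the standard ones and are stated here as an assumption rather than taken from the post; the sample text is the "show version" output above.

```python
import re

# Configuration register bits used in the post (assumed decode):
# 0x01 boots the default image from flash; 0x40 makes the ASA ignore startup-config.
BOOT_DEFAULT_IMAGE = 0x01
IGNORE_STARTUP_CONFIG = 0x40

REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")
LAST_MODIFIED_RE = re.compile(
    r"Configuration last modified by (\S+) at (.+)$", re.M)

# "show version" lines copied from the post above.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 7.1(3)
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
ASA up 1 min 34 secs
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
This platform has a Base license.
Serial Number: JMXXXXXX
Configuration register is 0x41 (will be 0x1 at next reload)
Configuration last modified by enable_15 at 11:28:17.629 UTC Wed May 14 2014"""


def parse_config_register(show_version):
    """Return (current, at_next_reload) as ints, or None if the line is missing."""
    m = REGISTER_RE.search(show_version)
    if not m:
        return None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def describe_register(value):
    """Human-readable meaning of the register bits this script knows about."""
    flags = []
    if value & IGNORE_STARTUP_CONFIG:
        flags.append("ignore startup-config")
    if value & BOOT_DEFAULT_IMAGE:
        flags.append("boot default image from flash")
    return flags


def audit_show_version(show_version):
    """Findings that point at a recovery-style boot or a pending register change."""
    regs = parse_config_register(show_version)
    if regs is None:
        return ["no configuration register line found"]
    current, pending = regs
    findings = []
    if current & IGNORE_STARTUP_CONFIG:
        findings.append(
            "booted with startup-config ignored (register 0x%x)" % current)
    if pending != current:
        findings.append(
            "register change pending: 0x%x now, 0x%x at next reload"
            % (current, pending))
    m = LAST_MODIFIED_RE.search(show_version)
    if m:
        findings.append(
            "configuration last modified by %s at %s" % (m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    current, pending = parse_config_register(SAMPLE_SHOW_VERSION)
    print("register now 0x%x: %s" % (current, ", ".join(describe_register(current))))
    print("register next 0x%x: %s" % (pending, ", ".join(describe_register(pending))))
    for finding in audit_show_version(SAMPLE_SHOW_VERSION):
        print("-", finding)
```

Feeding it the output above yields three findings; a box that has been running normally reports none. Note that this procedure only works because the appliance still honours the 0x40 bit; ASA has a "service password-recovery" setting, and with it disabled the same ROMMON steps wipe the startup configuration instead of bypassing it, which is the trade-off to weigh for devices in locations you do not physically control.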
Wednesday, May 21, 2014
Cisco Switch: How To Remove A Switch From A Stack (3750-X In This Example)
The other day, I needed to remove two switches from a stack of Cisco 3750-Xs. Not hard to do really, but most people think you can just disconnect the stack cables on the back of the units and reconfigure the last cable to go back to the master. Well, that is ok to do, somewhat, and will work, but the master still thinks the switches will come back sometime. They do show as removed, but what we really want to do is to 'completely' remove them. You do this with the 'no switch member# provision' command. Below, I removed switch 5 and 6 from the stack. Don't forget to do a 'wr mem' when you are done. The config will still be there until you do. You won't want that.
SwitchStack#sh switch
Switch/Stack Mac Address : 10f3.11cb.0700
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 10f3.11cb.0700 15 3 Ready
2 Member 7cad.7494.7a80 10 3 Ready
3 Member 7cad.748a.b300 9 3 Ready
4 Member 7cad.7472.9b00 8 3 Ready
5 Member 0000.0000.0000 0 0 Removed
6 Member 0000.0000.0000 0 0 Removed
SwitchStack(config)#no switch 6 provision
SwitchStack(config)#exit
SwitchStack#sh switch
Switch/Stack Mac Address : 10f3.11cb.0700
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 10f3.11cb.0700 15 3 Ready
2 Member 7cad.7494.7a80 10 3 Ready
3 Member 7cad.748a.b300 9 3 Ready
4 Member 7cad.7472.9b00 8 3 Ready
5 Member 0000.0000.0000 0 0 Removed
SwitchStack#
SwitchStack#sh switch
Switch/Stack Mac Address : 10f3.11cb.0700
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 10f3.11cb.0700 15 3 Ready
2 Member 7cad.7494.7a80 10 3 Ready
3 Member 7cad.748a.b300 9 3 Ready
4 Member 7cad.7472.9b00 8 3 Ready
5 Member 0000.0000.0000 0 0 Removed
SwitchStack#config t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchStack(config)#no switch 5 provision
SwitchStack(config)#exit
SwitchStack#sh switch
Switch/Stack Mac Address : 10f3.11cb.0700
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 10f3.11cb.0700 15 3 Ready
2 Member 7cad.7494.7a80 10 3 Ready
3 Member 7cad.748a.b300 9 3 Ready
4 Member 7cad.7472.9b00 8 3 Ready
SwitchStack#
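As an added example (my code, not from the post), here is a Python parser for the "show switch" table above that picks out members left in the Removed state and builds the cleanup the post describes: one "no switch N provision" per stale member, followed by "write memory" so the change sticks. The sample output is the first "show switch" from this post; the row format the parser expects is my assumption based on that output.

```python
import re

# One row of "show switch": optional "*" (master), number, role, MAC, priority,
# H/W version, state. Assumed from the output in the post.
ROW_RE = re.compile(
    r"^\s*(\*?)(\d+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

# "show switch" output copied from the post, before either switch was deprovisioned.
SAMPLE_SHOW_SWITCH = """\
Switch/Stack Mac Address : 10f3.11cb.0700
H/W Current
Switch# Role Mac Address Priority Version State
----------------------------------------------------------
*1 Master 10f3.11cb.0700 15 3 Ready
2 Member 7cad.7494.7a80 10 3 Ready
3 Member 7cad.748a.b300 9 3 Ready
4 Member 7cad.7472.9b00 8 3 Ready
5 Member 0000.0000.0000 0 0 Removed
6 Member 0000.0000.0000 0 0 Removed
"""


def parse_show_switch(text):
    """Return one dict per stack member row; header and separator lines are skipped."""
    members = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        members.append({
            "number": int(m.group(2)),
            "master": m.group(1) == "*",
            "role": m.group(3),
            "mac": m.group(4),
            "priority": int(m.group(5)),
            "version": int(m.group(6)),
            "state": m.group(7),
        })
    return members


def stale_members(members):
    """Switch numbers the master still provisions but which are physically gone."""
    return [m["number"] for m in members if m["state"] == "Removed"]


def cleanup_commands(members):
    """Config-mode commands that finish the removal, ending with a save as the post advises."""
    stale = stale_members(members)
    if not stale:
        return []
    cmds = ["configure terminal"]
    cmds += ["no switch %d provision" % n for n in stale]
    cmds += ["end", "write memory"]
    return cmds


if __name__ == "__main__":
    members = parse_show_switch(SAMPLE_SHOW_SWITCH)
    for m in members:
        print("%s%d %-6s %s %s" % ("*" if m["master"] else " ", m["number"],
                                   m["role"], m["mac"], m["state"]))
    print("\n".join(cleanup_commands(members)))
```

Run against a stack with no Removed rows it returns an empty command list, so it is safe to wire into a pre-change check that only proposes cleanup when there is something to clean.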
Tuesday, May 20, 2014
Network Admin Guide To Deploying Thin-Clients -- By Peter Banda
Peter Banda has been kind enough to give us some education on thin-clients. Very good info here, see below. Thank you Peter. ~~Shane
Network Admin Guide To Deploying Thin-Clients -- By Peter Banda
Deploying thin-clients to connect to a remote desktop server (RDP) automatically can be a challenging task for network administrators who have little or no knowledge of how Windows servers work. When writing this guide I used a Microsoft Windows 2008 server because at least it is common and it shares some common features with the new 2012 server, while the thin client, an HP t5000, was running Debian, a Linux distribution. That is the minimum of what you need to deploy thin-clients, plus a local area network. Make sure that the server and the thin-client can ping each other and activate RDP on the Windows server.
In case RDP is a nightmare to you! To activate it, login to the server and open server manager. On the right hand side of the server manager window, click configure remote desktop and select the second option, that says allow connections from computers running any version of remote desktop. Click select users to add users that will be allowed to RDP (administrator is added by default), then click apply and ok.
Our main goal is to make sure that the thin-client connects to the Windows server at startup, without your intervention. To achieve that we need to develop a script that does the work for us, every time the thin-client starts up. So let's go for a short description of the main Linux commands that we will be using.
1. cp: it's a short name for copy. It's used to copy a file/folder from one location to another, the same as copy and paste in a GUI.
2. chmod: this changes file/folder access privileges. It's used to define who should have read, write and execute privileges in Linux.
3. rdesktop: this is our command of the day! It's what actually initiates a remote desktop from the thin-client to the server.
Copy the script below and paste it into Notepad on the server. Or, alternatively, if you are viewing this page on the thin-client you can just open a text editor and paste it there, then save it as auto_rdesktop.sh. But I will assume that you are viewing this page on the Windows server or any other computer running Windows and that you have a flash drive.
#!/bin/bash
# Keep reconnecting to the RDP server; the loop only ends when a ping to it fails.
i=5
c=192.168.0.1
while [ "$i" == 5 ]
do
    # one quiet ping; exit status 0 means the server answered
    ping -q -c 1 $c
    ping_result=$?
    if [ $ping_result == 0 ]
    then
        # server reachable: open a full-screen session (returns when the session ends)
        rdesktop -f -u "" 192.168.0.1;
    else
        # server unreachable: leave the loop
        i=10
    fi
done
# reached only when the server stopped answering; remove this line if the client should stay up
sudo shutdown -h now
It's a simple script but it should do the work that we want. Note that when you copy and save the script on a Windows computer as auto_rdesktop.sh, Windows will not recognise the file extension sh. Don't worry, just send the file to your flash drive and plug it into the thin-client.
Ok, let's see how we should configure the script to work as we expect on the thin-client.
First things first, this is what you need to know when transferring the script to a Linux computer, in this case Debian. The root user is the super user on Unix/Linux distros, like administrator in a Windows environment. No one is allowed to login using root, but only execute commands as root.
To execute a command as root, type sudo before the command; sudo means "super-user do". The system may or may not ask for a password depending on its configuration.
When the script is configured, it will load at start-up, and when it does not find an RDP server or the RDP port has some problems, the thin-client will be forced to shut down. To avoid this, open the script, remove the last line that says 'sudo shutdown -h now' and save; then, when something is wrong with the configuration or the RDP server, the thin-client will not shut down. Below are instructions on how to load and configure the script.
1. Copy the script to this location on the thin client (or it can be copied to any location as long as it doesn’t get mixed up with text documents, but this location is the safest dir for scripts): /etc/init.d
If the script is on a usb drive, insert it on the thin-client and note the name of the usb drive,
It should be in the range usb0, usb1, usb2 ....
Open xterminal and issue this command, replacing usb0 with whatever name the thin-client has given your usb drive. cp /media/usb0/auto_rdesktop.sh /etc/init.d
Assuming that you want to copy the script to the init.d directory, or if its a different directory replace the /etc/init.d in the command with whatever directory path you select.
2. To make sure that you (any user or group) can edit the script on the thin-client, on the xterminal type: chmod 777 /etc/init.d/auto_rdesktop.sh and press enter.
Replace any occurrence of 192.168.0.1 in the script with your RDP server's IP address.
The script connects to the RDP server in full-screen mode; to disable that, remove -f in the line
rdesktop -f -u "" 192.168.0.1;
After editing, type chmod 755 /etc/init.d/auto_rdesktop.sh and press enter.
Mode 755 will only allow the root user to edit and execute and all other users and groups to only execute. Exit xterminal.
3. Press Alt+F2
A small window shows, then type: gnome-session-properties and press enter
4. Click startup programs, then add
Browse to /etc/init.d (or to anywhere you copied the script), select the script and click OK, then close.
5. Restart the thin-client to connect to RDP server
6. To alternate between remote desktop and gnome just press ctrl+alt+enter
You can copy the script to as many thin-clients as you want.
Monday, May 19, 2014
ShoreTel: Using The Phone To Record Auto Attendants
I have always said that using the phone to record an AA, instead of the PC, will give you the best recorded sound. I think if you do record using both the phone in one recording and the PC in another, then you will see for yourself that the phone does the best job. Here below is where you go and do that. Put in the extension to where you want to do the recording, and then go to the AA and press record when you are ready. It will ring the phone. Pick it up and listen to the girl give you instructions.
Sunday, May 18, 2014
Its A Small World Afterall...
A couple of weeks ago, I took my family to Disney World in Orlando, FL. I love going there, because just about every nation in the world is represented here between the workers and the visitors. I just happen to love that. Now, I'm not an advocate for diversity, I just like to see more of the world. But as I told someone who went with us on this trip, Disney is a lot like heaven. Not in the rides or anything like that, but in that all of your brothers and sisters in Jesus Christ in THIS world, from many different locations, will one day BE in heaven (in one place together) with me/you. The United States, Japan, China, Israel, India, Bolivia, Brazil, Saskatchewan, you name it. Where else can you go here on this earth and see a fragment of what heaven might be like with all the different kinds of people in one place? And sometimes, you might catch a glimpse of a random act of kindness between cultures and language barriers. Something as simple as taking a picture for a couple who don't speak your language. Or a man giving his seat on the bus to an elderly lady, who didn't speak his language, who was standing up. Or even when you see someone drop something when they have their hands full, and a stranger picks it up for them and hands it back. Those are the moments I love. I guess that is called random acts of kindness. I think that ultimately those little things may fall under the 'love your neighbor as yourself'.
Matthew 22:36-40 goes like this in the NIV:
36 “Teacher, which is the greatest commandment in the Law?”
37 Jesus replied: “‘Love the Lord your God with all your heart and with all your soul and with all your mind.’[a] 38 This is the first and greatest commandment. 39 And the second is like it: ‘Love your neighbor as yourself.’[b] 40 All the Law and the Prophets hang on these two commandments.”
This is really the kind of man I would like to be. I'm working on it.
Friday, May 16, 2014
Brocade Switch: "TFTP to Flash Error - code 17"
I have gotten this error at various times. See below in yellow. I don't know what causes this, but do the copy again and it resolves it every time. That is exactly what I do. Is it network related? Switch related? I don't know. I just know when I redo the copy, it works every time.
telnet@6610#copy tftp flash 10.21.158.158 FCXR08010.bin primary
telnet@6610#Flash Memory Write (8192 bytes per dot)
Automatic copy to member units: 2 3
......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
TFTP to Flash Error - code 17
telnet@6610#^C
telnet@6610#copy tftp flash 10.21.158.158 FCXR08010.bin primary
telnet@6610#Flash Memory Write (8192 bytes per dot)
Automatic copy to member units: 2 3
......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
TFTP to Flash Done.
telnet@6610#
Thursday, May 15, 2014
Wireless: It Always Amazes Me...
It always amazes me how quickly these kids find wireless. I was doing an install of an Aruba wireless and within 10 minutes of getting some APs up and going, 54 clients had gotten connected already. And this was at a 6th grade only school. Amazing.
Wednesday, May 14, 2014
Brocade vs Juniper vs Cisco: 1U Core Switches For Small/Medium Business Sites
I like to compare other brands just to make sure I'm giving my customers the right solutions. Performance is important to me (for my customers). That means I have to be checking around. I looked at Juniper's EX4300 compared to Brocade's ICX6610 and Cisco's 3750-X. Check it out yourself on the spec sheets. Below are a couple of comparison examples for the three:
Juniper's EX4300 backplane speed for 48 ports: 496 Gbps
Brocade's ICX6610 backplane speed for 48 ports: 576 Gbps
Cisco's 3750-X backplane speed for 48 ports: 160 Gbps
Juniper's EX4300 forwarding rate for 48 ports: 369 Mpps
Brocade's ICX6610 forwarding rate for 48 ports: 432 Mpps
Cisco's 3750-X forwarding rate for 48 ports: 101.2 Mpps
Go over the rest of the specs and do the comparisons.
Tuesday, May 13, 2014
Cisco ASA: 8.3 And After Dynamic NAT Configuration
There is always more than one way to "skin a cat". In this case, I need to NAT internal 10.0.0.0 traffic to the external ASA interface IP. Keep in mind, you still have to create the network object itself (define the subnet it covers), etc. Here is one way to do it:
ASA(config)# object network obj-10.0.0.0
ASA(config-network-object)# nat (inside,outside) dynamic interface
Monday, May 12, 2014
Cisco ASA: Allowing Ping Through The ASA 8.3 And After
I had a customer request that ICMP be allowed out through their Cisco ASA. He needed it quickly, so instead of writing a quick ACL to allow that traffic, I decided to go this way. The configuration below works well for allowing ICMP.
ASA# config t
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspec icmp
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
Sunday, May 11, 2014
A Lesson From Ozzy???
I'm going out on a limb here on this one. This may show my age, but have you ever heard the song "Crazy Train" by Ozzy? And I mean have you really listened to the words? Look, I know Ozzy does not offer the world a lot of wisdom, but that song, I think, starts to scratch the surface of the human condition. Take 5 minutes and listen to the words to that song, or at least read the lyrics. It's not my style of music really, but I have to hand it to Ozzy on that one in that he really nailed it.
In the end of that song, he asks a question that doesn't get answered in that song. He asks:
"what and who is to blame?"
I'm going to say the sinful nature is the 'what'.
I'm going to say Adam and Eve (and Satan) is the 'who'.
Give it a listen, see what you think.
Friday, May 9, 2014
Aruba Wireless: How To Check The Status Of An AP Upgrade
Sometimes in the past, I have needed to know the status of an AP while it's going through the upgrade (getting the image from the virtual controller). In CLI, this is how you do it:
18:64:72:c8:55:44# show upgrade info
Image Upgrade Progress
----------------------
Mac                IP Address   AP Class   Status     Image Info   Error Detail
---                ----------   --------   ------     ----------   ------------
18:64:72:c8:55:44  172.16.1.17  Centaurus  upgrading  image file   none
Auto reboot :enable
Use external URL :disable
18:64:72:c8:55:44#
Thursday, May 8, 2014
Check Point Gaia: Three Useful Commands
How to check the Check Point version and which policy is installed: these are a few commands I run to verify when I need to. I did these commands in CLI on Gaia on a pair of 4600s.
Wednesday, May 7, 2014
Aruba Wireless: How To Factory Reset An Aruba AP
I have come across one instance in particular where I needed to reset a few Aruba APs to factory default. You have to break the boot sequence, and you have a three-second window to do it. Connect your console cable and boot the AP. Wait until you see the following, then hit the Enter key:
Hit <Enter> to stop autoboot: 3
apboot> factory_reset
Clearing state... Checking OS image and flags
Image is signed; verifying checksum... passed
Preserving image partition 0
Erasing flash sector @ 0xefe80000.... done
Erased 1 sectors
Erasing flash sector @ 0xefea0000.... done
Erased 1 sectors
Erasing flash sector @ 0xefee0000.... done
Erased 1 sectors
Erasing flash sector @ 0xeff00000.... done
Erased 1 sectors
Erasing flash sector @ 0xeff20000.... done
Erased 1 sectors
done
Purging environment... Un-Protected 1 sectors
. done
Erased 1 sectors
Writing 9....8....7....6....5....4....3....2....1....
done
apboot>
Tuesday, May 6, 2014
Check Point Gaia: How Long Does A Snapshot Generally Take?
I was asked recently the following question about Check Point: "How Long Does A Snapshot Generally Take?"
I just did a few of these recently and I have seen it take anywhere from 5 minutes to 30 - 40 minutes. In the latter, they were concerned that something didn't go right during the snapshot because of the amount of time it took. But unfortunately, sometimes it just takes some time to do a snapshot.
Monday, May 5, 2014
How Can You Test If A Port On Your Firewall Is Open?
When I don't know for sure, I just run a scan against it. There are several scanners out there, like NMAP, etc., and they are easy to use. Keep those firewalls secure. Below, you see me trying to determine if SSH is open or not, using NMAP via CLI.
In CLI, this is what I did. For a closed SSH port:
-------------------------------------------------------------------------------------------
C:\NMAP\nmap-6.40-win32\nmap-6.40>nmap -p 22 5.5.5.5
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-18 09:53 Central Daylight Time
Nmap scan report for 5.5.5.5
Host is up (0.0059s latency).
PORT STATE SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds
-------------------------------------------------------------------------------------------
For an open SSH port:
-------------------------------------------------------------------------------------------
C:\NMAP\nmap-6.40-win32\nmap-6.40>nmap -p 22 97.97.97.97
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-18 09:56 Central Daylight Time
Nmap scan report for 97.97.97.97
Host is up (0.0046s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds
C:\NMAP\nmap-6.40-win32\nmap-6.40>
-------------------------------------------------------------------------------------------
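As an added example (not from the original post), here is a small Python check that does the same TCP connect test as the nmap run above and tells open, closed and filtered apart by how the connection fails. The localhost listener and the released port are constructed fixtures so it runs offline; the hosts and ports are assumptions, not the addresses scanned in the post.

```python
import socket
from contextlib import closing


def check_tcp_port(host, port, timeout=2.0):
    """TCP connect test for one port, classified the way nmap reports it.

    open     - the handshake completed, something is listening
    closed   - the host answered with a RST (ConnectionRefusedError)
    filtered - no answer before the timeout, or the network would not route
               it; a firewall silently dropping the SYN looks like this
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def service_name(port):
    """Best-effort service label from /etc/services, 'unknown' if absent."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def scan_report(host, ports, timeout=2.0):
    """Report lines in the 'PORT STATE SERVICE' shape that nmap prints."""
    return ["%d/tcp %s %s" % (p, check_tcp_port(host, p, timeout), service_name(p))
            for p in ports]


def start_listener(host="127.0.0.1"):
    """Constructed fixture: listen on an ephemeral port so the 'open' case can
    be exercised offline. Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def find_closed_port(host="127.0.0.1"):
    """Constructed fixture: bind and release an ephemeral port; nothing listens
    on it afterwards, so a connect to it gets a RST (closed)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Assumed targets: this machine's own listener and a port nothing listens on.
    srv, open_port = start_listener()
    for line in scan_report("127.0.0.1", [open_port, find_closed_port()]):
        print(line)
    srv.close()
```

A "filtered" result is the one to expect from a firewall that drops rather than rejects, which is why a timeout is treated as filtered and not as closed.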
Sunday, May 4, 2014
Church
My wife told me something interesting the other day that might be worth repeating. She had been listening to a guy talking about 'if you wonder if your church is doing right or not'. She said something like this:
"If you ever wonder if your church is doing what is right (or wrong), take everything you have been taught about church and forget it. Then, do it the way they did it in the Bible."
I think there is some wisdom in this.
Friday, May 2, 2014
Cisco ASA: More 8.3 Site To Site VPN Config
I know I have a lot of VPN configs on this blog, but VPNs are everywhere. I don't know any company that doesn't have a site-to-site VPN. I did this on an ASA 5505, and the remote end looks the same (except the ACLs being reversed and the peer address). Anyway, here is what I put in for the config:
access-list interestingACL extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
tunnel-group 5.5.5.46 type ipsec-l2l
tunnel-group 5.5.5.46 ipsec-attributes
pre-shared-key passphrase
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto map outside_map 10 match address interestingACL
crypto map outside_map 10 set peer 5.5.5.46
crypto map outside_map 10 set transform-set ESP-3DES-SHA
nat (inside) 0 access-list nonat
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 10
Thursday, May 1, 2014
Aruba Wireless: "AP Vendor Name Not Match"
One of the problems I encountered lately is the re-branding of the Aruba AP by Dell. In one instance, I upgraded the primary AP to the latest code. However, I used the 'Aruba' image as opposed to the 'Dell' image. Again, this was on Dell AP hardware. As it turns out, Dell has their own version of the Aruba software and Aruba has their own version of the Aruba software, with enough of a difference that they are not compatible. Here, in the screenshot below, was how I found this out.