Friday, October 31, 2014

Brocade Switch: "TFTP to Flash Error - code 5"

If you see this message, just run the tftp copy command again. I have no idea why "TFTP to Flash Error - code 5" happens. I have no explanation and no solution, except to run it again. It will work the second time if this happens.

ICX6610-48 Switch#copy tftp flash grz07302.bin boot
ICX6610-48 Switch#Load to buffer (8192 bytes per dot)
...................Write to boot flash......................................
TFTP to Flash Error - code 5
ICX6610-48 Switch#copy tftp flash grz07302.bin boot
ICX6610-48 Switch#Load to buffer (8192 bytes per dot)
.....................Write to boot flash.........................................
TFTP to Flash Done.
ICX6610-48 Switch#

Thursday, October 30, 2014

Brocade ICX Switch: STP/Blocked Ports/Forwarding Ports

On occasion, when troubleshooting a network, it is important to see whether a port (or ports) is in forwarding or blocking state. This can matter, especially if you can't get to something. In the case below, I'm looking at VLAN 1 to see if a few ports are in the right state or not. The Role and State columns in the per-port table at the bottom of the output are the ones to read. The first two ports are what I'm concerned about. It looks like they are forwarding, so I guess I have to look elsewhere.

Core6610#sh 802 vlan 1

--- VLAN 1 [ STP Instance owned by VLAN 1 ] ----------------------------

Bridge IEEE 802.1W Parameters:

Bridge           Bridge Bridge Bridge Force    tx
Identifier       MaxAge Hello  FwdDly Version  Hold
hex              sec    sec    sec             cnt
0400748ef8ffb655 20     2      15     Default  3

RootBridge       RootPath  DesignatedBri-   Root   Max Fwd Hel
Identifier       Cost      dge Identifier   Port   Age Dly lo
hex                        hex                     sec sec sec
0400748ef8ffb655 0         0400748ef8ffb655 Root   20  15  2

Port IEEE 802.1W Parameters:

       <--- Config Params --><-------------- Current state ----------------->
Port   Pri PortPath P2P Edge Role       State       Designa-  Designated
Num        Cost     Mac Port                        ted cost  bridge
1/1/1  128 20000    F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/2  128 20000    F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/3  128 200000   F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/4  128 2000000  F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/5  128 20000    F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655
1/1/6  128 20000    F   F    DESIGNATED FORWARDING  0         0400748ef8ffb655

Wednesday, October 29, 2014

Brocade ICX Switch: "Show Link-aggregation" Command

I always do link aggregation with Brocade if possible. Better throughput and redundancy. It's just my preference for the customer when it makes sense. And hey, when does better throughput and better redundancy not make sense?
Anyway, I like to check my connections to make sure my trunks look OK. I use the "show link-agg" command below. You can see that the keys match each other, which tells you which links go together (for example, 1/1/1 and 2/1/1 both carry key 10013, and the last column shows whether each member is up, Ope, or down, Dwn). I'll color code these below to show you.

6610#sh link-agg
System ID: 748e.f8ff.XXXX
Long  timeout: 120, default: 120
Short timeout: 3, default: 3
Port  [Sys P] [Port P] [  Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1/1       1        1    10013   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
1/1/2       1        1    10014   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
1/3/1       1        1    10001   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/2       1        1    10002   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/3       1        1    10003   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/4       1        1    10004   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/5       1        1    10005   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/6       1        1    10006   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/7       1        1    10007   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
1/3/8       1        1    10008   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/1/1       1        1    10013   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/1/2       1        1    10014   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/1/3       1        1    10015   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/1/4       1        1    10016   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/3/1       1        1    10001   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/2       1        1    10002   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/3       1        1    10003   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/4       1        1    10004   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/5       1        1    10009   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/6       1        1    10010   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/7       1        1    10011   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/1/3       1        1    10015   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
3/1/4       1        1    10016   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
3/3/1       1        1    10009   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/2       1        1    10010   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/3       1        1    10011   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/5       1        1    10005   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/6       1        1    10006   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/7       1        1    10007   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
3/3/8       1        1    10008   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
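The grouping the author does by eye (match up the Key column, then check the last column) is easy to script when the LAG table runs to dozens of rows. The following is an added example, not code from the original post or from Brocade: it parses the rows of a "show link-agg" table, groups ports by LACP key, and reports each group's operational state. The sample output is constructed and abbreviated from the table above (System ID redacted, as on the page); the column names are this example's own.

```python
"""Group the ports in Brocade 'show link-agg' output by LACP key.

Added example, not from the original post: it reproduces the author's
colour-coding by grouping the rows of the table by the Key column and
reporting each group's operational state. The sample output below is
constructed from the post (System ID redacted, as on the page).
"""
from collections import defaultdict

# Constructed sample, abbreviated from the post's 'sh link-agg' output.
SAMPLE = """\
System ID: 748e.f8ff.XXXX
Long  timeout: 120, default: 120
Short timeout: 3, default: 3
Port  [Sys P] [Port P] [  Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1/1       1        1    10013   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
1/1/2       1        1    10014   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
1/3/1       1        1    10001   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/1/1       1        1    10013   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/1/2       1        1    10014   Yes   L   Agg  Syn  Col  Dis  No   No   Ope
2/3/1       1        1    10001   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
2/3/3       1        1    10003   Yes   S   Agg  Syn  Col  Dis  Def  No   Dwn
"""

# Column names are this example's own labels for the 13 columns of the table.
COLUMNS = ["port", "sys_p", "port_p", "key", "act", "tio", "agg",
           "syn", "col", "dis", "def", "exp", "ope"]


def parse_link_agg(text):
    """Return one dict per port row; the header and preamble lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Port rows start with a unit/slot/port triple such as 1/1/1
        if len(fields) == len(COLUMNS) and fields[0].count("/") == 2:
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def group_by_key(rows):
    """Map each LACP key to the sorted list of ports that share it."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["key"]].append(row["port"])
    return {key: sorted(ports) for key, ports in groups.items()}


def report(rows):
    """One line per key: members, and whether every member is operational (Ope)."""
    state = {row["port"]: row["ope"] for row in rows}
    lines = []
    for key, ports in sorted(group_by_key(rows).items()):
        all_up = all(state[p] == "Ope" for p in ports)
        flag = "up" if all_up else "DOWN/partial"
        if len(ports) == 1:
            flag += ", single member (no redundancy)"
        lines.append(f"key {key}: {' + '.join(ports)} [{flag}]")
    return lines


if __name__ == "__main__":
    for line in report(parse_link_agg(SAMPLE)):
        print(line)
```

Run it against a pasted "show link-agg" capture and the single-member and partially-down groups stand out immediately, which is the check you want after moving fiber between stack units.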

Customer Care: Jerry MaGuire Movie And The IT Services Business

There is this movie that I really like called Jerry Maguire. I think I have all of the movie's lines memorized, but there is one in particular that really stands out to me. It's become my 'personal motto in the business world': "If this (tapping on his heart) is empty, then this (pointing to his head) doesn't matter." I couldn't agree more. Treat your customers well, plus some. Take a genuine interest in your customers. Take good care of them.

Tuesday, October 28, 2014

Cisco UC: How To Power Down Gracefully The CUCM/UC Servers

Basically, here is an email I sent to my customer on how to shut down his CUCM/UC environment:
SSH into the servers below:
ssh into  login XXXXX/XXXXXX
ssh into  login XXXXX/XXXXXX
ssh into  login XXXXX/XXXXXX

Run this command on each of the servers above after you log in:
"utils system shutdown"

That will shut the servers all the way down gracefully.

Sunday, October 26, 2014

Acts: He Did Rise Again

If you don't believe that Jesus rose from the dead, maybe you should read these:
Acts 2:32
And from Acts 2:32, the crowd knew Peter was right:
Acts 2:37
More eyewitness accounts:
Acts 3:15
Acts 5:29-32
Acts 13:30-31

Even after being flogged, they still went out and proclaimed the good news of the gospel. Do you know what flogging means? Give that some thought. Why would they continue to proclaim that Jesus was raised from the dead after this if it were not true?
Acts 5:40-42

Just a few verses to think about if you don't know Jesus is alive and well today.

Friday, October 24, 2014

Certifications - For The Network Guy

There are times when people ask me the following question:
What certifications should I pursue to get ahead in an IT career?
Now, there are some variations on that question, but essentially, that is the gist of it. I have to go back, somewhat, to a post I wrote on this blog. Click here to see that post. It depends on what you like to do. For me, it's the network stuff. Yes, I do get into other things like VoIP, security, and wireless. It just seems to be part of my job. But, generally speaking, I am a 'network guy' in this career.
So, what certifications are important for the network guy? Well, I suppose everyone has an opinion about this, but I think that Cisco certifications are the most recognized certs on the market. Even though, as far as network equipment is concerned, I don't think they are number 1 for performance. If you do a job search on something like or, what is the most sought after from employers? CCNA and CCNP. Sometimes you will see others, but you mostly see Cisco.
If you are looking to start off in networking and want to build your certifications, I would recommend starting with Cisco's CCNA.
With that said, I then think you should focus on what you work on. If you work on HP equipment regularly, then get good at that. If it's Brocade, then shoot for the BCNE. If you do a lot of security, then go for the Cisco CCNP Security cert. But try to focus on the things you like to do. Ultimately, when you get good at the things you like to do, your career will kind of take you in that direction, which is probably where you will want to go.

Thursday, October 23, 2014

Palo Alto Firewalls: Check Point's Biggest Threat

There seems to be a lot of misinformation about Palo Alto firewalls out there. I remember about a year ago, I went to a Check Point function, and the engineer teaching the class kept saying negative things about Palo Alto firewalls. He even went as far as saying that Palo Alto firewalls do not do stateful inspection. I remember thinking that he had obviously never read anything about Palo Alto firewalls, or never installed or managed one. He must have just heard that somewhere and repeated it (many times in that class). That guy lost all credibility with me.

With that said, what methods do Palo Alto firewalls use to secure a company?  Here are the methods I know of:
1. stateful inspection
2. signatures database
3. regular expressions
4. heuristics
5. known protocol decoder
6. unknown protocol decoder

Below is where they line up on Gartner's magic quadrant.  Also, notice the other competitors.

Tuesday, October 21, 2014

Cisco ASA: "Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete."

Well, I did see this message on an ASA 5505:
 Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

So how do you fix this? Well, I'm sure there are several potential fixes, depending on what you have configured for the VPN. I'm assuming you are working on a VPN if you are getting this message. Anyway, I happened to forget to enable ISAKMP on the outside interface, which did cause this: the ASA had traffic to protect but no way to negotiate the phase 1 SA, so the requests queued up. Sometimes you just forget some config.

crypto isakmp enable outside

Monday, October 20, 2014

Cisco Switch/Router/ASA: "Exec-timeout 0 0"

What are the security implications of the following on a Cisco device?

line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh

First, here is what Cisco's documentation says about the exec-timeout command (I pulled out the parts that matter to me):

To set the interval that the EXEC command interpreter waits until user input is detected, use the exec-timeout line configuration command. To remove the timeout definition, use the no form of this command.
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
To specify no timeout, enter the exec-timeout 0 0 command.

Seems like "0 0" might not be a good idea, especially for console access, which is how I recently got into a core switch's console without having to log in. With exec-timeout 0 0, an EXEC session that someone leaves open on the console or a vty stays authenticated indefinitely, and whoever next picks up that terminal or cable inherits it. Just be aware of the security implications of the configs you do.

line con 0
 exec-timeout 0 0
 login local
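A quick way to catch this across a fleet is to audit the saved configs rather than log in to each box. The following is an added example, not code from the original post or from Cisco: it walks the "line ..." sections of an IOS-style configuration, reports every line section whose exec-timeout is "0 0" (or a bare "0", which also disables the timer), and rewrites those to a finite value. The sample config is constructed from the snippets above; the 10-minute replacement is an assumed policy value (it happens to match the IOS default when exec-timeout is not set at all).

```python
"""Audit a Cisco IOS/ASA-style configuration for disabled session timeouts.

Added example, not from the original post. It walks the 'line ...'
sections of a running config, reports every line with 'exec-timeout 0 0'
(never time out) and rewrites those to a finite value. The config below is
constructed for the example; the 10-minute replacement is an assumed
policy value (the IOS default when no exec-timeout is configured is 10 minutes).
"""
import re

# Constructed sample config, modelled on the snippets in the post.
SAMPLE_CONFIG = """\
hostname core-sw
!
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""

# "exec-timeout <minutes> [seconds]"; "0 0" (or just "0") disables the timer
EXEC_TIMEOUT = re.compile(r"^\s*exec-timeout\s+(\d+)(?:\s+(\d+))?\s*$")


def _disabled(match):
    """True when the matched exec-timeout is 0 minutes and 0 seconds."""
    return int(match.group(1)) == 0 and int(match.group(2) or 0) == 0


def line_sections(config):
    """Yield (line_name, [commands]) for every 'line ...' section in the config."""
    name, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line "):
            if name is not None:
                yield name, body
            name, body = raw.strip(), []
        elif name is not None and raw.startswith(" "):
            body.append(raw.strip())
        else:
            # any other top-level command ('!', 'end', ...) closes the section
            if name is not None:
                yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def find_disabled_timeouts(config):
    """Return the names of the line sections whose exec-timeout never expires."""
    findings = []
    for name, body in line_sections(config):
        for cmd in body:
            m = EXEC_TIMEOUT.match(cmd)
            if m and _disabled(m):
                findings.append(name)
    return findings


def enforce_timeout(config, minutes=10):
    """Rewrite 'exec-timeout 0 0' to a finite value, leaving everything else intact."""
    out = []
    for raw in config.splitlines():
        m = EXEC_TIMEOUT.match(raw)
        if m and _disabled(m):
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}exec-timeout {minutes} 0")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("lines that never time out:", find_disabled_timeouts(SAMPLE_CONFIG))
    print(enforce_timeout(SAMPLE_CONFIG))
```

The rewrite only touches the offending exec-timeout lines, so the diff against the saved config is small enough to review before pushing it back to the device.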

Sunday, October 19, 2014

Sunday Thought: Don't

Don't let your view of God be the same as your view of God's people.
God's people fall.
God's people fail.
God's people are not perfect.

But God does not fall.
God does not fail.
And God is perfect.

We, as humans, do not understand perfection. Although we try, we just have never been perfect.

Friday, October 17, 2014

Cisco 2960: How To Configure A Port-Channel For LACP

I had this need when I replaced a core not long ago. I ended up needing dual fiber back to redundant cores, and LACP was being used. Here is how I did it on the access switches, which were Cisco 2960Gs (the commands are spelled out in full here; the abbreviated forms work the same way):

interface port-channel 1
 switchport mode trunk
interface gigabitethernet 1/0/49
 channel-group 1 mode active
interface gigabitethernet 1/0/50
 channel-group 1 mode active
end
write memory

Now, let's check to make sure it looks good. Po1 should show (SU), Layer 2 and in use, with both members flagged (P), bundled:
2960S-POE-48#sh etherchannel 1 sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
1      Po1(SU)         LACP      Gi1/0/49(P) Gi1/0/50(P)


Wednesday, October 15, 2014

Cisco ASA: How To Remove/Delete The Default-RSA-Key .server Certificate

Have you ever had a penetration test flag a weak key on an ASA, and then been asked to take care of it? I have recently, and I found that the weak key was the <Default-RSA-Key>.server key pair that the Cisco ASA creates by default (the one behind the 768-bit SSH host key the scanner saw). So here is what I did to remove it and get it taken care of:

ASA(config)# sh cryp key mypubkey rsa
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
Key pair was generated at: 01:37:31 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:

See that 768-bit key? We don't want that, so let's get rid of it.

ASA(config)# cryp key zer rsa label <Default-RSA-Key>.server
WARNING: Keys to be removed are named '<Default-RSA-Key>.server'.
WARNING: All device certs issued using these keys will also be removed and
the associated trustpoints may not function correctly.
Do you really want to remove these keys? [yes/no]: yes

ASA(config)# show cryp key mypubkey RSA
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data: xxxxx

Now, for whatever reason, the ASA will create that <Default-RSA-Key>.server key pair again. So we had better make sure it is 2048 bits instead of 768 by generating it ourselves.

ASA(config)#  cryp key gen rsa label <Default-RSA-Key>.server mod 2048
INFO: The name for the keys will be: <Default-RSA-Key>.server
Keypair generation process begin. Please wait...
ASA(config)# sho cryp key mypubkey rsa
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
Key pair was generated at: 02:01:28 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:

So, what I have found is that the day after I did this, the 768-bit key was back again, as a third key. After contacting Cisco TAC, this is what they responded with:
"Thank you for the information. I found a bug that was filed for this behavior. Unfortunately it is not a publicly visible bug. Here are some details from that bug:

PIX software may generate a self-signed RSA key on bootup that is 768 bits, even if a user-generated key already exists. Vulnerability scanners can identify this as a security risk.
When the default RSA key is deleted, the ASA will regenerate a 768-bit RSA key on a subsequent bootup even if a user-created RSA key exists.  This causes the ASA to fail a vulnerability scan because the 768-bit key is visible to a client that is trying to connect via SSH.  The Qualys scanner specifically identifies this as 38477.

The ASA will retain all keys over a reboot as long as a "write mem" is done after the keys are created.  This applies to the "<Default-RSA-Key>" that is created by "crypto key generate rsa" and the "<Default-RSA-Key>.server" key that is created upon the first ssh connection to the ASA. Tested this behavior on 8.0(4.33) and the key is not automatically generated.

Basically what this means is, to fix the issue, an upgrade to a newer code is required. The best code to upgrade to without major config modifications would be 8.2.5"

So, just FYI. Even after the upgrade, the problem of the key coming back at 768 bits returned. No resolution at this point, and Cisco TAC says there is no answer.
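Because the weak key can come back on its own after a reboot, the useful control here is a repeatable check rather than a one-time fix. The following is an added example, not code from the original post or from Cisco: it parses the per-key blocks printed by "show crypto key mypubkey rsa", returns every key pair whose modulus is below a minimum, and emits the zeroize/regenerate commands the post uses for each one. The sample output is constructed from the post's captures (key data omitted, as on the page; the third block's timestamp is made up to stand in for the key that reappeared the next day).

```python
"""Flag weak RSA key pairs in 'show crypto key mypubkey rsa' output.

Added example, not from the original post or Cisco. It parses the
per-key blocks the ASA prints and returns every key pair whose modulus is
below a minimum, so a post-reboot check can tell whether the 768-bit
<Default-RSA-Key>.server pair has come back. The sample output is
constructed from the post, with key data omitted as on the page.
"""
import re

# Constructed sample: the state the post describes after the 768-bit key reappeared.
SAMPLE_OUTPUT = """\
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
Key pair was generated at: 02:01:28 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
Key pair was generated at: 01:37:31 UTC Oct 01 2014
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
"""

# The four header fields of each key block; 'Key Data:' lines are ignored.
FIELD = re.compile(
    r"^(Key pair was generated at|Key name|Usage|Modulus Size \(bits\)):\s*(.*)$"
)


def parse_rsa_keys(text):
    """Return one dict per key pair with name, usage, bits and generation time."""
    keys, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        field, value = m.groups()
        if field == "Key pair was generated at":
            # a new block starts with the generation timestamp
            current = {"generated": value}
            keys.append(current)
        elif current is None:
            continue
        elif field == "Key name":
            current["name"] = value
        elif field == "Usage":
            current["usage"] = value
        else:
            current["bits"] = int(value)
    return keys


def weak_keys(text, min_bits=2048):
    """Key pairs whose modulus is shorter than min_bits (768-bit RSA has been publicly factored)."""
    return [k for k in parse_rsa_keys(text) if k.get("bits", 0) < min_bits]


def zeroize_commands(text, min_bits=2048):
    """The config commands the post uses: remove each weak pair, then regenerate it at min_bits."""
    cmds = []
    for k in weak_keys(text, min_bits):
        cmds.append(f"crypto key zeroize rsa label {k['name']}")
        cmds.append(f"crypto key generate rsa label {k['name']} modulus {min_bits}")
    return cmds


if __name__ == "__main__":
    for k in weak_keys(SAMPLE_OUTPUT):
        print(f"WEAK: {k['name']} ({k['usage']}, {k['bits']} bits, generated {k['generated']})")
    print("\n".join(zeroize_commands(SAMPLE_OUTPUT)))
```

Feed it the output captured after every reboot (or on a schedule) and you will know the key is back before the next scan does; as the post notes, regenerating it is only a temporary fix on the affected code, so the point of the check is to catch the regression, and remember to "write mem" after regenerating so the 2048-bit pair survives the reload.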

Tuesday, October 14, 2014

Cisco ASA: Downgrade From 9.0(3) To 8.4(5)

While at a customer site late one night, we were going to upgrade a cluster of ASAs from 8.4(5) to 9.0(3). However, because we interrupted a project implementation that we didn't know about, we had to revert. Mainly because the upgrade interrupted their AnyConnect VPN access and brought it down completely. So after some troubleshooting, I found that the webvpn config got taken out, either when I reverted to 8.4(5) or when the upgrade was done. I'm not sure when it was, but I do know that when we were back on the original 8.4(5) code, the webvpn config was missing. Interesting for sure, but that was an experience to be aware of for me.

Monday, October 13, 2014

Brocade Switch: Verifying What SFP Is In The ICX6610

This is an interesting command. Need to know what the GBIC/SFP in a port actually is, its vendor, part number and serial? Use the 'show media' command.

6610#show media et 3/3/1
Port  3/3/1: Type  : 10G XG-LR(SFP +)
             Vendor: FiberStore         Version: 1.0
             Part# : SFP-10G31-10-BR    Serial#: WDFXXXXXXF0016
6610#show media et 2/2/1
Port  2/2/1:Type: 40G QSFP Module
Vendor Name: BROCADE  Serial Num: PXXXXXX830XXXX520 Revision: A

Saturday, October 11, 2014

Pic Of The Week: "A Little Carried Away" In The Attic

It's a funny story really, but my contractor got carried away when doing some re-insulation work.

Friday, October 10, 2014

Brocade Switch: How To Tell What Licenses Are On The Switch

When I get a new switch in to get it ready for a customer, one thing I do is look at what license came on it, just to make sure I'm on the same page. Below, I have a trial license and a premium license on each unit of a stack.

telnet@6610>sh lic
Index      License Name              Lid          License Type    Status     License Period  License Capacity
Stack unit 1:
1          ICX6610-PREM-LIC-SW       xxxxxxxxxI  Trial           Active     45         days            1
2          ICX6610-PREM-LIC-SW       xxxxxxxxxI  Normal          Active     Unlimited                  1
Stack unit 2:
1          ICX6610-PREM-LIC-SW       xxxxxxxxxF  Trial           Active     45         days            1
2          ICX6610-PREM-LIC-SW       xxxxxxxxxF  Normal          Active     Unlimited                  1

Thursday, October 9, 2014

Cisco Voice: Call Being Blocked By Telco When CallFwdAll Externally On CUCM

I had a customer call me up and tell me they couldn't do a call forward all out to their cell phone when they left for the day. I'm a big fan of voicemail myself when it comes to after hours, but sometimes you just don't have that option. The telco wouldn't accept anything except the DID range that was allocated to the company. So when a call was forwarded externally, the outbound leg carried the original caller's number as the calling party, which was outside that range, and the telco dropped it. So I had to set this so that the caller ID was the original DID being called, not the original calling number. Below is the topology of the call flow, and the gateway screen where I made the change. Select "Last Redirect Number (External)" under "Calling Party Selection".

Wednesday, October 8, 2014

Technology, Communication and Clients

I was thinking the other day, while working with two customers at the same time, of all the different ways that I communicate with my customers. It is interesting to me, because with most customers that I have, I go onsite and probably talk on the phone with them. But I have some that I/they only text message their requests. I have others that I/they only email requests. With some of these customers, I never go onsite (and wouldn't know their face if I saw them); I guess it has become accepted to do business that way. I can name one customer in particular that I do a lot of phone work for, but if they were standing in front of me now, I wouldn't know them. Others, I might know their voice, but that is all. Still others, I have only seen emails from, so I wouldn't know either one. It's just interesting how technology has come to a place where you can be so impersonal and still get the job done.
I guess I'm from the old school. I like talking to people. I like seeing them and having conversations with them. Sure, I can text and email and get whatever you need done, done. But I like the personal relationships. It seems with social media these days, and even work life, that it is going in that direction. Maybe slowly, but I think it is for sure. I hope I'm out of the IT field altogether before that happens.

Tuesday, October 7, 2014

Brocade Switch: How To Unconfigure An ICX6450 Switch From A Stack

I have run into this a few times. I simply needed to take a switch out of a stack and repurpose it for something else. Sometimes it happens. Not often, but it does. Here is what I did to unconfigure the ICX6450 from the stack. Note that it wipes the unit's startup config and stacking files and reboots it clean, so it is only for a member you really are pulling out.

[MEMBER]local-3@ICX6450-48P Switch#stack unconfig clean
This unit will delete all config files and boot up as a clean unit. Are you sure? (enter 'y' or 'n'): y
Remove startup config and stacking files. Will reload as a clean unit
[MEMBER]local-3@ICX6450-48P Switch#Halt and reboot

Monday, October 6, 2014

SonicWall: tcp-seq-num-approximation Causing Penetration Test To Fail

I have this pen test that keeps coming up with a severe finding: the tcp-seq-num-approximation vulnerability.
Well, in this case, I have a SonicWall at this customer, and there is one setting that, according to SonicWall TAC, should resolve this issue:

Turns out, in this scenario, it's a false positive. I'm glad to hear it.

Sunday, October 5, 2014

Sunday Thought: "Dry Times" And The Desperation For God

I have to admit that lately, I have been going through a "dry time", as a friend of mine called it. I guess what I mean is that sometimes... God is just silent...

I don't remember the last time I was in this much turmoil about it. And honestly, I don't really know why God chooses to be silent sometimes.

If you are a Christian, and you are going through a time of desperation for God, I'd like to give you this song in the link below. Hang in there. God is not silent forever. It's less than 4 minutes.

Friday, October 3, 2014

ShoreTel: Default Password For The 930D Base

I'm sure it's out there somewhere, but I didn't find it. If you need to log in to the base unit for the wireless 930D, the user ID is admin and the password is the last four characters of the base's MAC address. Hopefully this will work out for you. It did for me. See the screenshot below of the "Web Password"; in my case, you see e038. Since the MAC address is printed on the base and visible on the network, treat this as a default credential and change it once you are in.

Thursday, October 2, 2014

Check Point: Fresh Installs Are Always Simple

A customer and I just did a fresh install of Gaia R77.20 the other day. We booted off a thumb drive and the install went flawlessly. It seems Check Point has fresh installs down. It always seems to go smoothly. That's a real good thing.

Wednesday, October 1, 2014

Brocade Switch: DHCP and the 'ip helper-address' Command

Don't forget: when your DHCP clients are on a different VLAN from the DHCP server, the router interface for that VLAN has to relay their broadcasts with the helper-address command. See below. Here is a config from one of my customers that is using two different DHCP servers (with two different ranges, split within the subnet, for redundancy); each gets its own helper-address line.

The config on an ICX6610:
interface ve 21
 ip address
 ip helper-address 1
 ip helper-address 2