If you see this message, just run the tftp command again. I have no idea why the "TFTP to Flash Error - code 5" happens. I have no reason and no solution, except just run it again. It will work the second time if this happens.
ICX6610-48 Switch#copy tftp flash 10.10.10.1 grz07302.bin boot
ICX6610-48 Switch#Load to buffer (8192 bytes per dot)
...................Write to boot flash......................................
TFTP to Flash Error - code 5
ICX6610-48 Switch#copy tftp flash 10.10.10.1 grz07302.bin boot
ICX6610-48 Switch#Load to buffer (8192 bytes per dot)
.....................Write to boot flash.........................................
TFTP to Flash Done.
ICX6610-48 Switch#
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Friday, October 31, 2014
Thursday, October 30, 2014
Brocade ICX Switch: STP/Blocked Ports/Forwarding Ports
On occasion, when troubleshooting a network, it is important to see if a port (or ports) is in forwarding or blocking mode. This can be important, especially if you can't get to something. In the case below, I'm looking at VLAN 1 to see if a few ports are in the right mode or not. The first two ports are what I'm concerned about. Looks like they are forwarding, so I guess I have to look elsewhere.
Core6610#sh 802 vlan 1
--- VLAN 1 [ STP Instance owned by VLAN 1 ] ----------------------------
Bridge IEEE 802.1W Parameters:
Bridge            Bridge  Bridge  Bridge  Force    tx
Identifier        MaxAge  Hello   FwdDly  Version  Hold
hex               sec     sec     sec              cnt
0400748ef8ffb655  20      2       15      Default  3

RootBridge        RootPath  DesignatedBri-    Root  Max  Fwd  Hel
Identifier        Cost      dge Identifier    Port  Age  Dly  lo
hex               hex                               sec  sec  sec
0400748ef8ffb655  0         0400748ef8ffb655  Root  20   15   2

Port IEEE 802.1W Parameters:
<--- Config Params --><-------------- Current state ----------------->
Port   Pri  PortPath  P2P  Edge  Role        State       Designa-  Designated
Num         Cost      Mac  Port                          ted cost  bridge
1/1/1  128  20000     F    F     DESIGNATED  FORWARDING  0         0400748ef8ffb655
1/1/2  128  20000     F    F     DESIGNATED  FORWARDING  0         0400748ef8ffb655
1/1/3  128  200000    F    F     DESIGNATED  FORWARDING  0         0400748ef8ffb655
1/1/4  128  2000000   F    F     DESIGNATED  FORWARDING  0         0400748ef8ffb655
1/1/5  128  20000     F    F     DESIGNATED  FORWARDING  0         0400748ef8ffb655
1/1/6  128  20000     F    F     DESIGNATED  FORWARDING  0         0400748ef8ffb655
Wednesday, October 29, 2014
Brocade ICX Switch: "Show Link-aggregation" Command
I always do link-aggregation if possible with Brocade. Better throughput and redundancy. It's just my preference for the customer when it makes sense. And hey, when does better throughput and better redundancy not make sense???
Anyway, I like to check my connections to make sure my trunks look ok. I use the "show link-agg" command below. You can see the keys match each other to tell you which links go together. I'll color code these below to show you.
6610#sh link-agg
System ID: 748e.f8ff.XXXX
Long timeout: 120, default: 120
Short timeout: 3, default: 3
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1/1 1 1 10013 Yes L Agg Syn Col Dis No No Ope
1/1/2 1 1 10014 Yes L Agg Syn Col Dis No No Ope
1/3/1 1 1 10001 Yes S Agg Syn Col Dis Def No Dwn
1/3/2 1 1 10002 Yes S Agg Syn Col Dis Def No Dwn
1/3/3 1 1 10003 Yes S Agg Syn Col Dis Def No Dwn
1/3/4 1 1 10004 Yes S Agg Syn Col Dis Def No Dwn
1/3/5 1 1 10005 Yes S Agg Syn Col Dis Def No Dwn
1/3/6 1 1 10006 Yes S Agg Syn Col Dis Def No Dwn
1/3/7 1 1 10007 Yes S Agg Syn Col Dis Def No Dwn
1/3/8 1 1 10008 Yes S Agg Syn Col Dis Def No Dwn
2/1/1 1 1 10013 Yes L Agg Syn Col Dis No No Ope
2/1/2 1 1 10014 Yes L Agg Syn Col Dis No No Ope
2/1/3 1 1 10015 Yes L Agg Syn Col Dis No No Ope
2/1/4 1 1 10016 Yes L Agg Syn Col Dis No No Ope
2/3/1 1 1 10001 Yes S Agg Syn Col Dis Def No Dwn
2/3/2 1 1 10002 Yes S Agg Syn Col Dis Def No Dwn
2/3/3 1 1 10003 Yes S Agg Syn Col Dis Def No Dwn
2/3/4 1 1 10004 Yes S Agg Syn Col Dis Def No Dwn
2/3/5 1 1 10009 Yes S Agg Syn Col Dis Def No Dwn
2/3/6 1 1 10010 Yes S Agg Syn Col Dis Def No Dwn
2/3/7 1 1 10011 Yes S Agg Syn Col Dis Def No Dwn
3/1/3 1 1 10015 Yes L Agg Syn Col Dis No No Ope
3/1/4 1 1 10016 Yes L Agg Syn Col Dis No No Ope
3/3/1 1 1 10009 Yes S Agg Syn Col Dis Def No Dwn
3/3/2 1 1 10010 Yes S Agg Syn Col Dis Def No Dwn
3/3/3 1 1 10011 Yes S Agg Syn Col Dis Def No Dwn
3/3/5 1 1 10005 Yes S Agg Syn Col Dis Def No Dwn
3/3/6 1 1 10006 Yes S Agg Syn Col Dis Def No Dwn
3/3/7 1 1 10007 Yes S Agg Syn Col Dis Def No Dwn
3/3/8 1 1 10008 Yes S Agg Syn Col Dis Def No Dwn
6610#
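As an added example (not code from the post or from Brocade), here is a small Python parser for the "show link-agg" output above. It groups ports by LACP key, the same matching the post does by eye, and flags any key with a single member or with members that are not operational. The column names come from the header the switch prints (the standard LACP state bits); the sample input is a constructed, trimmed copy of the output above.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the "show link-agg" output above,
# same column layout as the real switch output.
SAMPLE = """\
System ID: 748e.f8ff.XXXX
Long timeout: 120, default: 120
Short timeout: 3, default: 3
Port [Sys P] [Port P] [ Key ] [Act][Tio][Agg][Syn][Col][Dis][Def][Exp][Ope]
1/1/1 1 1 10013 Yes L Agg Syn Col Dis No No Ope
1/1/2 1 1 10014 Yes L Agg Syn Col Dis No No Ope
1/3/1 1 1 10001 Yes S Agg Syn Col Dis Def No Dwn
2/1/1 1 1 10013 Yes L Agg Syn Col Dis No No Ope
2/1/2 1 1 10014 Yes L Agg Syn Col Dis No No Ope
2/1/3 1 1 10015 Yes L Agg Syn Col Dis No No Ope
3/1/3 1 1 10015 Yes L Agg Syn Col Dis No No Ope
"""

# One port row: unit/slot/port, system priority, port priority, key,
# then the LACP state columns in the order the header lists them.
PORT_RE = re.compile(
    r"^(?P<port>\d+/\d+/\d+)\s+(?P<sysp>\d+)\s+(?P<portp>\d+)\s+(?P<key>\d+)\s+"
    r"(?P<act>\S+)\s+(?P<tio>[LS])\s+(?P<agg>\S+)\s+(?P<syn>\S+)\s+(?P<col>\S+)\s+"
    r"(?P<dis>\S+)\s+(?P<dflt>\S+)\s+(?P<exp>\S+)\s+(?P<ope>\S+)\s*$"
)


def parse_link_agg(text):
    """Return one dict per port row found in 'show link-agg' output."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def group_by_key(rows):
    """Map LACP key -> list of port rows sharing that key (the links that go together)."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["key"]].append(r)
    return dict(groups)


def lag_report(rows):
    """Classify each key: which ports bundle together and whether the LAG looks healthy.

    single-member: only one port carries the key, so there is no redundant link.
    degraded:      a member is not 'Ope' or is running on defaulted partner info.
    ok:            every member is operational.
    """
    report = {}
    for key, members in group_by_key(rows).items():
        ports = [m["port"] for m in members]
        all_up = all(m["ope"] == "Ope" for m in members)
        defaulted = any(m["dflt"] == "Def" for m in members)
        if len(members) < 2:
            status = "single-member"
        elif all_up and not defaulted:
            status = "ok"
        else:
            status = "degraded"
        report[key] = {"ports": ports, "status": status}
    return report


if __name__ == "__main__":
    for key, info in sorted(lag_report(parse_link_agg(SAMPLE)).items()):
        print(f"key {key}: {', '.join(info['ports'])} -> {info['status']}")
```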
Customer Care: Jerry MaGuire Movie And The IT Services Business
There is this movie that I really like called Jerry Maguire. I think I have all of the movie lines memorized, but there is one in particular that really stands out to me. It's become my 'personal motto in the business world': "If this (tapping on his heart) is empty, then this (pointing to his head) doesn't matter." I couldn't agree more. Treat your customers well, plus some. Take a genuine interest in your customers. Take good care of them.
Tuesday, October 28, 2014
Cisco UC: How To Power Down Gracefully The CUCM/UC Servers
Basically, here is an email I sent to my customer on how to shut down his CUCM/UC environment:
SSH into the servers below:
ssh into 192.168.2.5 login XXXXX/XXXXXX
ssh into 192.168.2.6 login XXXXX/XXXXXX
ssh into 192.168.2.7 login XXXXX/XXXXXX
Run this command on the servers above after you log in:
"utils system shutdown"
That will shut the servers all the way down gracefully.
Monday, October 27, 2014
Sunday, October 26, 2014
Acts: He Did Rise Again
If you don't believe that Jesus rose from the dead, maybe you should read these things:
Acts 2:32
And from Acts 2:32, the crowd knew Peter was right:
Acts 2:37
More eyewitness accounts:
Acts 3:15
Acts 5:29-32
Acts 13:30-31
Even after being flogged, they still went out and proclaimed the good news of the gospel. Do you know what flogging means? Give that some thought. Why would they continue to proclaim that Jesus was raised from the dead after this if it were not true?
Acts 5:40-42
Just a few verses to think about if you don't know Jesus is alive and well today.
Saturday, October 25, 2014
Friday, October 24, 2014
Certifications - For The Network Guy
There are times when I am asked by people the following question:
What certifications should I pursue to get ahead in the IT career?
Now, there are some variations to that question, but essentially, that is the gist of it. I have to go back, somewhat, to a post I wrote on this blog. Click here to see that post. It depends on what you like to do. For me, it's the network stuff. Yes, I do get into other things like VoIP, security, and wireless. It just seems part of my job. But, generally speaking, I am a 'network guy' in the career.
So, what certifications are important for the network guy? Well, I suppose everyone has an opinion about this, but I think that Cisco certifications are the most recognized certs on the market. Even though, as far as network equipment is concerned, I don't think they are number 1 for performance. If you do a job search on something like Monster.com or indeed.com, what is the most sought after from employers? CCNA and CCNP. Sometimes you will see others, but you mostly see Cisco.
If you are looking to start off in networking and want to build your certifications, I would recommend starting with Cisco's CCNA.
With that said, I then think you should focus on what you work on. If you work on HP equipment regularly, then get good at that. If it's Brocade, then shoot for BCNE. If you do a lot of security, then go for the Cisco CCNP Security cert. But try to focus on the things you like to do. Ultimately, when you get good at the things you like to do, your career will kind of take you in that direction, which is probably what you will want.
Thursday, October 23, 2014
Palo Alto Firewalls: Check Point's Biggest Threat
There seems to be a lot of mis-information about Palo Alto firewalls out there. I remember about a year ago, I went to a Check Point function, and the engineer that was teaching the class kept on saying negative things about Palo Alto firewalls. He even went as far as saying that Palo Alto firewalls do not do stateful inspection. I remember thinking that he had obviously never either read anything about Palo firewall or never installed/managed a Palo firewall. He must have just heard that somewhere and just repeated it (many times in that class). That guy lost all credibility with me.
With that said, what methods do Palo Alto firewalls use to secure a company? Here are the methods I know of:
1. stateful inspection
2. signatures database
3. regular expressions
4. heuristics
5. known protocol decoder
6. unknown protocol decoder
Below is where they line up on Gartner's magic quadrant. Also, notice the other competitors.
Wednesday, October 22, 2014
Tuesday, October 21, 2014
Cisco ASA: "Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete."
Well, I did see this message on an ASA 5505.
Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
So how do you fix this? Well, I'm sure there are several potential fixes for this, depending on what you have configured for the VPN. I'm assuming you are working on VPN if you are getting this message. Anyway, I happened to forget to enable ISAKMP on the outside interface, which did cause this. Sometimes you just forget some config.
crypto isakmp enable outside
Monday, October 20, 2014
Cisco Switch/Router/ASA: "Exec-timeout 0 0"
What are the security implications of the following on a Cisco device?
line vty 0 4
exec-timeout 0 0
login local
transport input ssh
First, here is what Cisco's documentation says about the exec-timeout command (I gathered the important information (to me)):
To set the interval that the EXEC command interpreter waits until user input is detected, use the exec-timeout line configuration command. To remove the timeout definition, use the no form of this command.
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
To specify no timeout, enter the exec-timeout 0 0 command.
Seems like "0 0" might not be a good idea, especially for console access, which I recently used to get into a core switch without having to log in. Just be aware of the security implications of the configs you do.
line con 0
exec-timeout 0 0
login local
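An added example, not from the post or from Cisco: a Python check that parses the "line" sections of an IOS config and reports any line (console or vty) whose exec-timeout is "0 0", with a hardened fragment alongside. The config text and the 5-minute value are constructed for the example; the 10-minute value used for a line with no exec-timeout configured is the IOS default.

```python
import re

# Constructed sample: an IOS config fragment with the "exec-timeout 0 0"
# lines discussed above, plus one vty range with a bounded timeout for contrast.
SAMPLE_CONFIG = """\
hostname core-switch
!
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 10 0
 login local
 transport input ssh
!
end
"""

# Corrected fragment (example values): idle sessions on both the console and
# the vty lines now expire after 5 minutes instead of never.
HARDENED_LINES = """\
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""

LINE_HDR = re.compile(r"^line\s+(?P<kind>con|aux|vty)\s+(?P<range>[\d ]+)$")
DEFAULT_TIMEOUT_SECS = 600  # IOS default of 10 minutes when exec-timeout is not set


def parse_line_blocks(config):
    """Split a running-config into its 'line ...' sections.

    Returns {"con 0": [sub-commands], "vty 0 4": [...], ...}; sub-commands are
    the indented lines that follow each 'line' header.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = LINE_HDR.match(line)
        if m:
            current = f"{m['kind']} {m['range'].strip()}"
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # an unindented line ends the section
    return blocks


def exec_timeout_seconds(subcommands):
    """Effective idle timeout for a line in seconds; 0 means the timeout is disabled."""
    for cmd in subcommands:
        m = re.match(r"exec-timeout\s+(\d+)(?:\s+(\d+))?$", cmd)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return DEFAULT_TIMEOUT_SECS


def audit_exec_timeout(config, max_seconds=DEFAULT_TIMEOUT_SECS):
    """Return (line, finding) pairs for lines whose timeout is disabled or too long.

    Console lines get the same scrutiny as vty lines: a console session that never
    expires stays logged in for whoever reaches the port next, which is exactly the
    situation the post describes.
    """
    findings = []
    for name, cmds in parse_line_blocks(config).items():
        secs = exec_timeout_seconds(cmds)
        if secs == 0:
            findings.append((name, "exec-timeout 0 0: session never times out"))
        elif secs > max_seconds:
            findings.append((name, f"exec-timeout of {secs}s exceeds {max_seconds}s"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_exec_timeout(SAMPLE_CONFIG):
        print(f"line {name}: {finding}")
    print("hardened fragment findings:", audit_exec_timeout(HARDENED_LINES))
```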
Sunday, October 19, 2014
Sunday Thought: Don't
Don't let your view of God be the same as your view of God's people.
God's people fall.
God's people fail.
God's people are not perfect.
But God does not fall.
God does not fail.
And God is perfect.
We, as humans, do not understand perfection. Although we try, we just have never been perfect.
Saturday, October 18, 2014
Friday, October 17, 2014
Cisco 2960: How To Configure A Port-Channel For LACP
I had this need when I replaced a core not long ago. I ended up needing dual fiber back to redundant cores, and LACP was being used. Here is how I did it on the access switches, which were Cisco 2960Gs.
int port-ch 1
switch mode trunk
int gig 1/0/49
channel-gr 1 mode active
int gig 1/0/50
channel-gr 1 mode active
exit
exit
wr mem
Now, lets check to make sure it looks good:
2960S-POE-48#sh etherchannel 1 sum
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)       LACP        Gi1/0/49(P)  Gi1/0/50(P)
2960S-POE-48#
Wednesday, October 15, 2014
Cisco ASA: How To Remove/Delete The Default-RSA-Key .server Certificate
Have you ever had a penetration test report a weak key on an ASA, and been asked to take care of it? I have recently, and I found that the weak key was the <Default-RSA-Key>.server certificate that is created by default on the Cisco ASA. So here is what I did to remove it and get it taken care of:
ASA(config)# sh cryp key mypubkey rsa
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
XXXX
Key pair was generated at: 01:37:31 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
XXXX
See that 768-bit key? We don't want that, so let's get rid of it.
ASA(config)# cryp key zer rsa label <Default-RSA-Key>.server
WARNING: Keys to be removed are named '<Default-RSA-Key>.server'.
WARNING: All device certs issued using these keys will also be removed and
the associated trustpoints may not function correctly.
Do you really want to remove these keys? [yes/no]: yes
ASA(config)# show cryp key mypubkey RSA
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data: xxxxx
ASA(config)#
UPDATE:
So, just FYI. Even after the upgrade, the problem of the cert and the weak key came back. No resolution at this point and Cisco TAC says there is no answer.
Now, for whatever reason, it will create that <Default-RSA-Key>.server certificate again. So we better make sure it's 2048 instead of 768.
ASA(config)# cryp key gen rsa label <Default-RSA-Key>.server mod 2048
INFO: The name for the keys will be: <Default-RSA-Key>.server
Keypair generation process begin. Please wait...
ASA(config)# sho cryp key mypubkey rsa
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
XXXXX
Key pair was generated at: 02:01:28 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
XXXXX
ASA(config)#
So, what I have found is that the day after I did this, the 768-bit key was back again, as a third certificate. After contacting Cisco TAC, this is what they responded with:
"Thank you for the information. I found a bug that was filed for this behavior. Unfortunately it is not publicly visible bug. Here are some details from that bug:
PIX software may generate a self-signed RSA key on bootup that is 768 bits, even if a user-generated key already exists. Vulnerability scanners can identify this as a security risk.
When the default RSA key is deleted, the ASA will regenerate a 768-bit RSA key on a subsequent bootup even if a user-created RSA key exists. This causes the ASA to fail a vulnerability scan because the 768-bit key is visible to a client that is trying to connect via SSH. The Qualys scanner specifically identifies this as 38477.
The ASA will retain all keys over a reboot as long as a "write mem" is done after the keys are created. This applies to the "<Default-RSA-Key>" that is created by "crypto key generate rsa" and the "<Default-RSA-Key>.server" key that is created upon the first ssh connection to the ASA. Tested this behavior on 8.0(4.33) and the key is not automatically generated.
Basically what this means is, to fix the issue, an upgrade to a newer code is required. The best code to upgrade to without major config modifications would be 8.2.5"
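As an added example (not the post's own code or Cisco's), here is a Python audit of "show crypto key mypubkey rsa" output that flags any key pair below 2048 bits and compares two captures to detect a key that the box regenerated, which is the recurring <Default-RSA-Key>.server behavior described above. Both captures are constructed from the post's output, with the key data redacted as XXXX just as the post shows it.

```python
# Constructed capture 1: modeled on the first "show crypto key mypubkey rsa"
# output above, before the 768-bit key was removed.
CAPTURE_BEFORE = """\
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
XXXX
Key pair was generated at: 01:37:31 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
XXXX
"""

# Constructed capture 2: modeled on the output after the .server key was
# zeroized and regenerated at 2048 bits.
CAPTURE_AFTER = """\
Key pair was generated at: 18:34:10 UTC Sep 23 2014
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
XXXX
Key pair was generated at: 02:01:28 UTC Sep 30 2014
Key name: <Default-RSA-Key>.server
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
XXXX
"""


def parse_rsa_keys(text):
    """Return one dict per key pair: generated timestamp, name, usage, modulus bits.

    Each entry starts at a 'Key pair was generated at:' line; the key data itself
    is ignored, only the metadata lines are read.
    """
    keys, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key pair was generated at:"):
            cur = {"generated": line.split(":", 1)[1].strip()}
            keys.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Key name:"):
            cur["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Usage:"):
            cur["usage"] = line.split(":", 1)[1].strip()
        elif line.startswith("Modulus Size (bits):"):
            cur["bits"] = int(line.split(":", 1)[1])
    return keys


def weak_keys(keys, min_bits=2048):
    """Key pairs whose modulus is below min_bits (the 768-bit key the scanner flagged)."""
    return [k for k in keys if k.get("bits", 0) < min_bits]


def key_regenerated(before, after, name):
    """True if the named key exists in the later capture with a different
    generation timestamp (or did not exist before), i.e. the ASA re-created it."""
    old = {k["name"]: k["generated"] for k in before if "name" in k}
    new = {k["name"]: k["generated"] for k in after if "name" in k}
    if name not in new:
        return False
    return old.get(name) != new[name]


if __name__ == "__main__":
    before = parse_rsa_keys(CAPTURE_BEFORE)
    after = parse_rsa_keys(CAPTURE_AFTER)
    for k in weak_keys(before):
        print(f"weak key: {k['name']} ({k['bits']} bits, generated {k['generated']})")
    print("weak keys after fix:", [k["name"] for k in weak_keys(after)])
    print(".server regenerated:", key_regenerated(before, after, "<Default-RSA-Key>.server"))
```

Running the audit against a fresh capture after each reboot is how you would catch the 768-bit key coming back before the next scan does.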
Tuesday, October 14, 2014
Cisco ASA: Downgrade From 9.0(3) To 8.4(5)
While at a customer site late at night, we were going to do an upgrade on the cluster of ASAs from 8.4(5) to 9.0(3). However, because we interrupted a project implementation that we didn't know about, we had to revert back. Mainly because the upgrade interrupted their AnyConnect VPN access and brought it down completely. So after some troubleshooting, I found that the webvpn config got taken out, either when I reverted back to 8.4(5) or when the upgrade was done. I'm not sure when it was, but I do know that when we were back to the original 8.4(5) code, the webvpn config was missing. Interesting for sure, but that was an experience to be aware of for me.
Monday, October 13, 2014
Brocade Switch: Verifying What SFP Is In The ICX6610
This is an interesting command. Need to know what hardware the GBIC is? How about anything else? Use the 'show media' command.
6610#show media et 3/3/1
6610#
Port 3/3/1: Type : 10G XG-LR(SFP +)
Vendor: FiberStore Version: 1.0
Part# : SFP-10G31-10-BR Serial#: WDFXXXXXXF0016
6610#
6610#show media et 2/2/1
6610#
Port 2/2/1:Type: 40G QSFP Module
Vendor Name: BROCADE Serial Num: PXXXXXX830XXXX520 Revision: A
6610#
Sunday, October 12, 2014
Thank You God
Thank you God. God bless Israel.
http://www.ijreview.com/2014/08/167229-rocket-cause-worst-terror-attack-israels-history-miracle-happened/
Saturday, October 11, 2014
Friday, October 10, 2014
Brocade Switch: How To Tell What Licenses Are On The Switch
When I get a new switch in to get it ready for a customer, one thing I do is look at what license came on it. Just to make sure I'm on the same page. Below, I have a temp license and a premium license on a stack.
telnet@6610>sh lic
Index  License Name         Lid         License Type  Status  License Period  License Capacity
Stack unit 1:
1      ICX6610-PREM-LIC-SW  xxxxxxxxxI  Trial         Active  45 days         1
2      ICX6610-PREM-LIC-SW  xxxxxxxxxI  Normal        Active  Unlimited       1
Stack unit 2:
1      ICX6610-PREM-LIC-SW  xxxxxxxxxF  Trial         Active  45 days         1
2      ICX6610-PREM-LIC-SW  xxxxxxxxxF  Normal        Active  Unlimited       1
telnet@6610>
Thursday, October 9, 2014
Cisco Voice: Call Being Blocked By Telco When CallFwdAll Externally On CUCM
I had a customer call me up and tell me they couldn't do a call forward all out to their cell phone when they left for the day. I'm a big fan of voicemail myself, when it comes to after hours, but sometimes you just don't have that option. The Telco wouldn't accept anything except the DID range that was allocated to the company. So when you do a call forward externally, and it shows up as the originating caller, it would get dropped. So I had to set this where the caller ID was actually the original DID being called, not the original calling number ID. Below is the topology of how the call flow was, and the gateway screen where I made the change. Select "Last Redirect Number (External)" under "Calling Party Selection".
Wednesday, October 8, 2014
Technology, Communication and Clients
I was thinking the other day, while working with two customers at the same time, of all the different ways that I communicate with my customers. It is interesting to me, because with most customers that I have, I go onsite and probably talk on the phone with them. But, I have some that I/they only text message their requests. I have others that I/they only email requests. With some of these customers, I never go onsite (and wouldn't know their face if I saw them); I guess it has become accepted to do business that way. I can name one customer in particular that I do a lot of phone work for, but if they were standing in front of me now, I wouldn't know them. Others, I might know their voice, but that is all. Still others, I have only seen emails from, so I wouldn't know either one. It's just interesting how technology has come to a place where you can be so impersonal and still get the job done.
I guess I'm from the old school. I like talking to people. I like seeing them and having conversations with them. Sure, I can text and email and get whatever you need done, done. But I like the personal relationships. It seems with social media these days, and even work life, it appears to be going in that direction. Maybe slowly, but I think it is for sure. I hope I'm out of the IT field altogether before that happens.
Tuesday, October 7, 2014
Brocade Switch: How To Unconfigure An ICX6450 Switch From A Stack
I have run into this a few times. I simply needed to take a switch out of a stack and re-purpose it for something else. Sometimes it happens. Not often, but it does. Here is what I did to unconfigure the ICX6450 from the stack.
[MEMBER]local-3@ICX6450-48P Switch#stack unconfig clean
This unit will delete all config files and boot up as a clean unit. Are you sure? (enter 'y' or 'n'): y
Remove startup config and stacking files. Will reload as a clean unit
[MEMBER]local-3@ICX6450-48P Switch#Halt and reboot
Monday, October 6, 2014
SonicWall: tcp-seq-num-approximation Causing Penetration Test To Fail
I have this pen test that keeps coming up with this severe event: tcp-seq-num-approximation vulnerability?
Well, in this case, I have a SonicWall at this customer and I have one setting that, according to SonicWall TAC, should resolve this issue:
Turns out, in this scenario, it's a false positive. I'm glad to hear it.
Sunday, October 5, 2014
Sunday Thought: "Dry Times" And The Desperation For God
I have to admit that lately, I have been going through a "dry time", as a friend of mine called it. I guess to me, what I mean is that sometimes... God is just silent...
I don't remember the last time I was in this much turmoil about it. And honestly, I don't really know why God chooses to be silent sometimes.
If you are a Christian, and you are going through a time of desperation for God, I'd like to give you this song in the link below. Hang in there. God is not silent forever. It's less than 4 minutes.
https://www.youtube.com/watch?v=cvytewIxll0
Saturday, October 4, 2014
Friday, October 3, 2014
ShoreTel: Default Password For The 930D Base
I'm sure it's out there somewhere, but I didn't find it. If you need to log in to the base unit for the wireless 930D, the user ID is admin and the password is the last four of the base's MAC address. Hopefully this will work out for you. It did for me. See the screenshot below of the "Web Password". In my case, you see e038.
Thursday, October 2, 2014
Check Point: Fresh Installs Are Always Simple
A customer and I just did a fresh install of Gaia the other day to R77.20. We booted off a thumb drive and the install went flawlessly. It seems Check Point has it down for fresh installs. It always seems to go smoothly. That's a really good thing.
Wednesday, October 1, 2014
Brocade Switch: DHCP and the 'ip helper-address' Command
Don't forget. When you need to use a DHCP server that is NOT on the same VLAN as your DHCP clients, you have to use the helper-address command. See below. Here is a config from one of my customers that is using two different DHCP servers (with two different ranges that are split in the subnet, for redundancy).
The config on an ICX6610:
interface ve 21
ip address 10.11.0.1 255.255.255.0
ip helper-address 1 10.3.0.125
ip helper-address 2 10.1.0.125