This post deals with a recent issue I had were a Check Point firewall was not encrypting traffic when it need to. Now I like CLI better, as most people know. So I pulled up the CLI to do a packet capture of what was going on. Im on a 4800 Check Point appliance. I want to see if my remote client 192.168.10.X network is getting to the 192.168.7.X remote network. 192.168.7.X network is across a site to site VPN from my Check Point 4800. My mobile client sits at home, VPN'ed into the 4800.
With that said, I found that the traffic was not being encrypted. Below is a snipped of what I saw that tipped me off:
[Expert@CP-N2:0]# fw monitor -e "accept host(192.168.10.1) and ip_p=1;"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_0] eth1:i[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
[vs_0][fw_0] eth1:O[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=13108
ICMP: type=8 code=0 echo request id=1 seq=56
Notice highlighted above, it goes through all four phases of traversing the Check Point. Now, below, you will see that I resolved the issue and the packet capture looks different.
[Expert@CP-N2:0]# fw monitor -e "accept host(192.168.10.1) and ip_p=1;"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15346
ICMP: type=8 code=0 echo request id=1 seq=68
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15346
ICMP: type=8 code=0 echo request id=1 seq=68
[vs_0][fw_0] eth1:I[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15348
ICMP: type=8 code=0 echo request id=1 seq=69
[vs_0][fw_0] eth1:o[60]: 192.168.10.1 -> 192.168.7.54 (ICMP) len=60 id=15348
ICMP: type=8 code=0 echo request id=1 seq=69
Now, I dont have the problem fixed, but I at least see the traffic being encrypted coming from the mobile client, which is better than before. See above, how it only traverses 2 phases instead of 4.
This is a good way, in CLI, to know if a packet is being encrypted or not on the Check Point appliance.
Tuesday, June 30, 2015
Monday, June 29, 2015
Cisco Nexus: Route-Map Configuration On A 7K
Well, Im not sure this is really worth posting about. But I have had to do several route-maps lately on a Cisco Nexus 7K. Its really the same (except for the ACL) as a Catalyst switch. Nothing really different, but below is an example config that might help you out.
ip access-list 107
deny ip 192.168.0.0 0.0.255.255 4.4.4.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 5.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 33.33.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 66.66.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
deny ip any any
route-map Public_WIFI permit 10
match ip address 107
set ip next-hop 192.168.70.55
interface ethernet 7/15
ip policy route-map Public_WIFI
ip access-list 107
deny ip 192.168.0.0 0.0.255.255 4.4.4.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 5.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 33.33.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 66.66.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
deny ip any any
route-map Public_WIFI permit 10
match ip address 107
set ip next-hop 192.168.70.55
interface ethernet 7/15
ip policy route-map Public_WIFI
Sunday, June 28, 2015
Saturday, June 27, 2015
Friday, June 26, 2015
Cisco Unity Connection: Uploading A Recording For A Call Handler
To me, its easier to just download the recordings from Unity Connection than to just rerecord them. I mean, finding someone to record all prompts over again is just a pain. So, download the wav files from the current UC, and upload them to the new one.
Thursday, June 25, 2015
Cisco Router/Switch: Modifying An ACL By Line Number
I usually tend to clear an ACL and just re-paste it back in. Just my style, I guess. But, there are times when I need to keep it in place and just add in a line. For example, I have one customer that has a bug in a L3 switch. When you clear the ACL and paste back in, it wigs the switch out and you have to reboot it. Cisco says its a bug. So, I either have to take the route map off the vlan, modify the ACL, then put the route map back on the vlan interface. OR, I can just add in by line number. See below, as this is how I do this.
1841(config-ext-nacl)#do show access-list 105
Extended IP access list 105
10 permit ip host 192.168.1.27 any (101160908 matches)
20 permit ip host 192.168.1.31 any (83896750 matches)
30 permit ip host 192.168.1.26 any (204856 matches)
40 permit ip host 192.168.1.25 any (824667 matches)
50 permit ip any host 192.168.3.1 (1516 matches)
60 permit tcp host 192.168.1.29 eq 60601 any
70 permit tcp host 192.168.1.29 eq 2031 any (1313543 matches)
80 permit tcp host 192.168.1.30 eq 60601 any
90 permit ip any 10.10.1.0 0.0.0.255 (896443 matches)
100 deny ip 10.1.0.0 0.0.255.255 any (239919692 matches)
110 deny ip 192.168.0.0 0.0.255.255 any (1681992666 matches)
120 deny ip any any (1272384 matches)
1841(config-ext-nacl)#95 deny ip host 192.168.1.242 host 192.168.3.3
1841(config-ext-nacl)#do sh access-l 105
Extended IP access list 105
10 permit ip host 192.168.1.27 any (101165325 matches)
20 permit ip host 192.168.1.31 any (83896763 matches)
30 permit ip host 192.168.1.26 any (204856 matches)
40 permit ip host 192.168.1.25 any (824671 matches)
50 permit ip any host 192.168.3.1 (1516 matches)
60 permit tcp host 192.168.1.29 eq 60601 any
70 permit tcp host 192.168.1.29 eq 2031 any (1313543 matches)
80 permit tcp host 192.168.1.30 eq 60601 any
90 permit ip any 10.10.1.0 0.0.0.255 (896443 matches)
95 deny ip host 192.168.1.42 host 192.168.3.3
100 deny ip 10.1.0.0 0.0.255.255 any (239925676 matches)
110 deny ip 192.168.0.0 0.0.255.255 any (1682023189 matches)
120 deny ip any any (1272385 matches)
1841(config-ext-nacl)#
1841(config-ext-nacl)#do show access-list 105
Extended IP access list 105
10 permit ip host 192.168.1.27 any (101160908 matches)
20 permit ip host 192.168.1.31 any (83896750 matches)
30 permit ip host 192.168.1.26 any (204856 matches)
40 permit ip host 192.168.1.25 any (824667 matches)
50 permit ip any host 192.168.3.1 (1516 matches)
60 permit tcp host 192.168.1.29 eq 60601 any
70 permit tcp host 192.168.1.29 eq 2031 any (1313543 matches)
80 permit tcp host 192.168.1.30 eq 60601 any
90 permit ip any 10.10.1.0 0.0.0.255 (896443 matches)
100 deny ip 10.1.0.0 0.0.255.255 any (239919692 matches)
110 deny ip 192.168.0.0 0.0.255.255 any (1681992666 matches)
120 deny ip any any (1272384 matches)
1841(config-ext-nacl)#95 deny ip host 192.168.1.242 host 192.168.3.3
1841(config-ext-nacl)#do sh access-l 105
Extended IP access list 105
10 permit ip host 192.168.1.27 any (101165325 matches)
20 permit ip host 192.168.1.31 any (83896763 matches)
30 permit ip host 192.168.1.26 any (204856 matches)
40 permit ip host 192.168.1.25 any (824671 matches)
50 permit ip any host 192.168.3.1 (1516 matches)
60 permit tcp host 192.168.1.29 eq 60601 any
70 permit tcp host 192.168.1.29 eq 2031 any (1313543 matches)
80 permit tcp host 192.168.1.30 eq 60601 any
90 permit ip any 10.10.1.0 0.0.0.255 (896443 matches)
95 deny ip host 192.168.1.42 host 192.168.3.3
100 deny ip 10.1.0.0 0.0.255.255 any (239925676 matches)
110 deny ip 192.168.0.0 0.0.255.255 any (1682023189 matches)
120 deny ip any any (1272385 matches)
1841(config-ext-nacl)#
Tuesday, June 23, 2015
More ISP Issues And Ping Plotter Pro
I like finding tools that are handy to use. I think everyone does. I've mentioned ping plotter before, and I use it often for sure. Here is another case where a customer called and said they thought they might be having ISP issues. They were, then it suddenly cleared up.
Monday, June 22, 2015
Cisco ASA: Packet Captures On The Public Internet Side
I was recently asked to help troubleshoot a FTP problem that a customer was having. They have a FTP transaction that they do once a day, and a few days ago, it stopped working. So, of course, the remote end says that everyone else is working and that it must be my customer. So, I have to prove that the traffic is going out to the remote end. Afterall, when you are dealing with larger companies like this one, you always seem to have to do the troubleshooting and proving that your side is ok.
On our ASA, I want to capture the packets actually leaving the firewall. Thats the only way Im going to be able to prove that its leaving our site. Here we go.
First, I have to come up with a capture. I use my ACL to define the traffic I want to see, and then apply it to the OUTSIDE interface.
ASA(config)# access-list 194 permit ip host 20.20.20.194 40.40.40.0 255.255.255.0
ASA(config)# capture capin interface outside access-list 194
ASA(config)#
Now that the config is in, lets have my customer test.
First Try, gets to login but nothing after:
ASA# sh capture capin
3 packets captured
1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
3 packets shown
ASA#
So far, its looking good. Even though the FTP failed, I see my customer's FTP packets going out. Next, my customer tried a different FTP program, Filezilla:
Tested filezilla:
ASA# sh capture capin
9 packets captured
1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
-----
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
-----
9 packets shown
ASA#
Ok, so now I see more traffic leaving my firewall. Looks good, but the FTP still failed. Upon the recommendation of the larger provider, they want us to send a transaction. Below, they test.
Tested to the remote endpoint a regular transaction:
ASA# sh capture capin
12 packets FTP captured
1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
----
10: 10:48:32.160407 20.20.20.194.58543 > 40.40.40.12.21: S 2448264669:2448264669(0) win 65535 <mss 1380,nop,nop,sackOK>
11: 10:48:32.655849 20.20.20.194.58543 > 40.40.40.12.21: S 2167152525:2167152525(0) win 65535 <mss 1380,nop,nop,sackOK>
12: 10:48:33.093439 20.20.20.194.58543 > 40.40.40.12.21: S 3432259079:3432259079(0) win 65535 <mss 1380,nop,nop,sackOK>
-----
12 packets shown
ASA#
(Connection was refused by endpoint)
There is goes, packets 10-12. Looks like its getting out of our firewall. Now the girl on the other end decides to reset the FTP service. Even though everyone else is working, she still takes this step, which proved to get this resolved. After she restarted the FTP service on the server, below is what I saw leaving the firewall (packets 13-34).
FTP test AFTER FTP service was restarted on remote end:
ASA# sh capture capin
34 packets captured
1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
10: 10:48:32.160407 20.20.20.194.58543 > 40.40.40.12.21: S 2448264669:2448264669(0) win 65535 <mss 1380,nop,nop,sackOK>
11: 10:48:32.655849 20.20.20.194.58543 > 40.40.40.12.21: S 2167152525:2167152525(0) win 65535 <mss 1380,nop,nop,sackOK>
12: 10:48:33.093439 20.20.20.194.58543 > 40.40.40.12.21: S 3432259079:3432259079(0) win 65535 <mss 1380,nop,nop,sackOK>
------
13: 10:56:12.340070 20.20.20.194.17009 > 40.40.40.12.21: S 3548665372:3548665372(0) win 65535 <mss 1380,nop,nop,sackOK>
14: 10:56:12.346341 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165591 win 65535
15: 10:56:12.355633 20.20.20.194.17009 > 40.40.40.12.21: P 3548665373:3548665389(16) ack 723165636 win 65490
16: 10:56:12.401361 20.20.20.194.17009 > 40.40.40.12.21: P 3548665389:3548665408(19) ack 723165656 win 65470
17: 10:56:12.601195 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165712 win 65414
18: 10:56:12.601455 20.20.20.194.17009 > 40.40.40.12.21: P 3548665408:3548665414(6) ack 723165732 win 65394
19: 10:56:12.607970 20.20.20.194.17009 > 40.40.40.12.21: P 3548665414:3548665419(5) ack 723165742 win 65384
20: 10:56:12.617598 20.20.20.194.17009 > 40.40.40.12.21: P 3548665419:3548665447(28) ack 723165787 win 65339
21: 10:56:12.637708 20.20.20.194.17009 > 40.40.40.12.21: P 3548665447:3548665453(6) ack 723165813 win 65313
22: 10:56:12.681651 20.20.20.194.53132 > 40.40.40.12.20: S 3213895457:3213895457(0) ack 2441606499 win 16384 <mss 1380,nop,wscale 0,nop,nop,sackOK>
23: 10:56:12.745139 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165865 win 65261
24: 10:56:12.745170 20.20.20.194.53132 > 40.40.40.12.20: . ack 2441606803 win 65232
25: 10:56:12.745170 20.20.20.194.53132 > 40.40.40.12.20: F 3213895458:3213895458(0) ack 2441606803 win 65232
26: 10:56:12.789769 20.20.20.194.17009 > 40.40.40.12.21: P 3548665453:3548665481(28) ack 723165865 win 65261
27: 10:56:12.796376 20.20.20.194.17009 > 40.40.40.12.21: P 3548665481:3548665487(6) ack 723165891 win 65235
28: 10:56:12.802860 20.20.20.194.41603 > 40.40.40.12.20: S 3126237913:3126237913(0) ack 666517918 win 16384 <mss 1380,nop,wscale 0,nop,nop,sackOK>
29: 10:56:12.824099 20.20.20.194.41603 > 40.40.40.12.20: . ack 666518222 win 65232
30: 10:56:12.824130 20.20.20.194.41603 > 40.40.40.12.20: F 3126237914:3126237914(0) ack 666518222 win 65232
31: 10:56:12.824145 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165943 win 65183
32: 10:56:12.831866 20.20.20.194.17009 > 40.40.40.12.21: P 3548665487:3548665493(6) ack 723165943 win 65183
33: 10:56:12.838594 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165953 win 65174
34: 10:56:12.838625 20.20.20.194.17009 > 40.40.40.12.21: F 3548665493:3548665493(0) ack 723165953 win 65174
--------
34 packets shown
ASA#
Now, here is the frustrating part. After all was said and done, one of the guys on the remote end made the statement that this customer stopped working on a particular night and that happened to be the same time when THEY had restarted the FTP service on their side on their server. I guess it doesnt occur to everyone that when a customer calls with a problem, that "Oh yeah, we restarted the FTP service about that same time" just doesnt come to mind for some reason.
On our ASA, I want to capture the packets actually leaving the firewall. Thats the only way Im going to be able to prove that its leaving our site. Here we go.
First, I have to come up with a capture. I use my ACL to define the traffic I want to see, and then apply it to the OUTSIDE interface.
ASA(config)# access-list 194 permit ip host 20.20.20.194 40.40.40.0 255.255.255.0
ASA(config)# capture capin interface outside access-list 194
ASA(config)#
Now that the config is in, lets have my customer test.
First Try, gets to login but nothing after:
ASA# sh capture capin
3 packets captured
1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
3 packets shown
ASA#
So far, its looking good. Even though the FTP failed, I see my customer's FTP packets going out. Next, my customer tried a different FTP program, Filezilla:
Tested filezilla:
ASA# sh capture capin
9 packets captured
1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
-----
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
-----
9 packets shown
ASA#
Ok, so now I see more traffic leaving my firewall. Looks good, but the FTP still failed. Upon the recommendation of the larger provider, they want us to send a transaction. Below, they test.
Tested to the remote endpoint a regular transaction:
ASA# sh capture capin
12 packets FTP captured
1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
----
10: 10:48:32.160407 20.20.20.194.58543 > 40.40.40.12.21: S 2448264669:2448264669(0) win 65535 <mss 1380,nop,nop,sackOK>
11: 10:48:32.655849 20.20.20.194.58543 > 40.40.40.12.21: S 2167152525:2167152525(0) win 65535 <mss 1380,nop,nop,sackOK>
12: 10:48:33.093439 20.20.20.194.58543 > 40.40.40.12.21: S 3432259079:3432259079(0) win 65535 <mss 1380,nop,nop,sackOK>
-----
12 packets shown
ASA#
(Connection was refused by endpoint)
There is goes, packets 10-12. Looks like its getting out of our firewall. Now the girl on the other end decides to reset the FTP service. Even though everyone else is working, she still takes this step, which proved to get this resolved. After she restarted the FTP service on the server, below is what I saw leaving the firewall (packets 13-34).
FTP test AFTER FTP service was restarted on remote end:
ASA# sh capture capin
34 packets captured
1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
10: 10:48:32.160407 20.20.20.194.58543 > 40.40.40.12.21: S 2448264669:2448264669(0) win 65535 <mss 1380,nop,nop,sackOK>
11: 10:48:32.655849 20.20.20.194.58543 > 40.40.40.12.21: S 2167152525:2167152525(0) win 65535 <mss 1380,nop,nop,sackOK>
12: 10:48:33.093439 20.20.20.194.58543 > 40.40.40.12.21: S 3432259079:3432259079(0) win 65535 <mss 1380,nop,nop,sackOK>
------
13: 10:56:12.340070 20.20.20.194.17009 > 40.40.40.12.21: S 3548665372:3548665372(0) win 65535 <mss 1380,nop,nop,sackOK>
14: 10:56:12.346341 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165591 win 65535
15: 10:56:12.355633 20.20.20.194.17009 > 40.40.40.12.21: P 3548665373:3548665389(16) ack 723165636 win 65490
16: 10:56:12.401361 20.20.20.194.17009 > 40.40.40.12.21: P 3548665389:3548665408(19) ack 723165656 win 65470
17: 10:56:12.601195 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165712 win 65414
18: 10:56:12.601455 20.20.20.194.17009 > 40.40.40.12.21: P 3548665408:3548665414(6) ack 723165732 win 65394
19: 10:56:12.607970 20.20.20.194.17009 > 40.40.40.12.21: P 3548665414:3548665419(5) ack 723165742 win 65384
20: 10:56:12.617598 20.20.20.194.17009 > 40.40.40.12.21: P 3548665419:3548665447(28) ack 723165787 win 65339
21: 10:56:12.637708 20.20.20.194.17009 > 40.40.40.12.21: P 3548665447:3548665453(6) ack 723165813 win 65313
22: 10:56:12.681651 20.20.20.194.53132 > 40.40.40.12.20: S 3213895457:3213895457(0) ack 2441606499 win 16384 <mss 1380,nop,wscale 0,nop,nop,sackOK>
23: 10:56:12.745139 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165865 win 65261
24: 10:56:12.745170 20.20.20.194.53132 > 40.40.40.12.20: . ack 2441606803 win 65232
25: 10:56:12.745170 20.20.20.194.53132 > 40.40.40.12.20: F 3213895458:3213895458(0) ack 2441606803 win 65232
26: 10:56:12.789769 20.20.20.194.17009 > 40.40.40.12.21: P 3548665453:3548665481(28) ack 723165865 win 65261
27: 10:56:12.796376 20.20.20.194.17009 > 40.40.40.12.21: P 3548665481:3548665487(6) ack 723165891 win 65235
28: 10:56:12.802860 20.20.20.194.41603 > 40.40.40.12.20: S 3126237913:3126237913(0) ack 666517918 win 16384 <mss 1380,nop,wscale 0,nop,nop,sackOK>
29: 10:56:12.824099 20.20.20.194.41603 > 40.40.40.12.20: . ack 666518222 win 65232
30: 10:56:12.824130 20.20.20.194.41603 > 40.40.40.12.20: F 3126237914:3126237914(0) ack 666518222 win 65232
31: 10:56:12.824145 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165943 win 65183
32: 10:56:12.831866 20.20.20.194.17009 > 40.40.40.12.21: P 3548665487:3548665493(6) ack 723165943 win 65183
33: 10:56:12.838594 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165953 win 65174
34: 10:56:12.838625 20.20.20.194.17009 > 40.40.40.12.21: F 3548665493:3548665493(0) ack 723165953 win 65174
--------
34 packets shown
ASA#
Now, here is the frustrating part. After all was said and done, one of the guys on the remote end made the statement that this customer stopped working on a particular night and that happened to be the same time when THEY had restarted the FTP service on their side on their server. I guess it doesnt occur to everyone that when a customer calls with a problem, that "Oh yeah, we restarted the FTP service about that same time" just doesnt come to mind for some reason.
Sunday, June 21, 2015
Sunday Thought: Shem
Did you know that Shem, in the Old Testament Scriptures, personally knew at least two people that personally knew Adam? These where his family members. Don't you think Adam handed down the creation story to his kids, grandkids, etc? Of course he did. And Shem would have heard this story from Methuselah and Lemech, two people who would have heard it first-hand from Adam himself. There just isn't that much distance in time as we might think. Shem survived the flood, along with Noah and a very few others. Seems like he would have passed this story on as well, and he did.
This is just an interesting chart to me.
This is just an interesting chart to me.
Saturday, June 20, 2015
Friday, June 19, 2015
HD Phone Calls?
Yes, HD phone calls. I noticed that when I talk to "Eric" on the my cell phone, he always sounds like he is standing right in front of me. On my screen, his calls always say as HD on it.
There was atime when I first noticed this "HD" on his calls, and that I didn't get that with anyone else, that I was aware of. I also noticed the quality of the call. It was crisp and very clear. I didn't know at the time, but T-Mobile added this HD service, and it does sound great. I don't get this on all calls now, but on some, I do.
So I looked it up, and sure enough, T-Mobile advertises this.
So I looked it up, and sure enough, T-Mobile advertises this.
Thursday, June 18, 2015
Cisco Voice: UC500 Troubleshooting
In troubleshooting the other nigh a UC500, I couldn't find anything wrong with the phone system. I called in, let it ring through both lines, and the voicemail out of office picked up. See below. You can see that the first line rings in, then it forwards to the second line when it has a CallFwdNoAnswer.
Before I call in, 0/1/2 and 0/1/3 are idle.
UC520#sh voice call summ
PORT CODEC VAD VTSP STATE VPM STATE
============== ========= === ==================== ======================
0/0/0 - - - FXSLS_ONHOOK
0/0/1 - - - FXSLS_ONHOOK
0/0/2 - - - FXSLS_ONHOOK
0/0/3 - - - FXSLS_ONHOOK
0/1/0 - - - FXOLS_ONHOOK
0/1/1 *shutdown*
0/1/2 - - - FXOLS_ONHOOK
0/1/3 - - - FXOLS_ONHOOK
When I call in, the first line "rings" on 0/1/2:
UC520#
sh voice call summ
PORT CODEC VAD VTSP STATE VPM STATE
============== ========= === ==================== ======================
0/0/0 - - - FXSLS_ONHOOK
0/0/1 - - - FXSLS_ONHOOK
0/0/2 - - - FXSLS_ONHOOK
0/0/3 - - - FXSLS_ONHOOK
0/1/0 - - - FXOLS_ONHOOK
0/1/1 *shutdown*
0/1/2 g711ulaw n S_ALERTING FXOLS_PROCEEDING
0/1/3 - - - FXOLS_ONHOOK
No one answers, so it rolls to the second line, 0/1/3:
UC520#sh voice call summ
PORT CODEC VAD VTSP STATE VPM STATE
============== ========= === ==================== ======================
0/0/0 - - - FXSLS_ONHOOK
0/0/1 - - - FXSLS_ONHOOK
0/0/2 - - - FXSLS_ONHOOK
0/0/3 - - - FXSLS_ONHOOK
0/1/0 - - - FXOLS_ONHOOK
0/1/1 *shutdown*
0/1/2 - - - FXOLS_ONHOOK
0/1/3 g711ulaw n S_ALERTING FXOLS_PROCEEDING
Voicemail picks up on 0/1/3:
UC520#sh voice call summ
PORT CODEC VAD VTSP STATE VPM STATE
============== ========= === ==================== ======================
0/0/0 - - - FXSLS_ONHOOK
0/0/1 - - - FXSLS_ONHOOK
0/0/2 - - - FXSLS_ONHOOK
0/0/3 - - - FXSLS_ONHOOK
0/1/0 - - - FXOLS_ONHOOK
0/1/1 *shutdown*
0/1/2 - - - FXOLS_ONHOOK
0/1/3 g711ulaw n S_CONNECT FXOLS_CONNECT
Wednesday, June 17, 2015
Mid Week Pic: New Style Fences
How about a pic of the mid-week. My wife asked me to make these for some privacy. I'm done with this walkway.
Tuesday, June 16, 2015
Cisco Nexus: How To Create An ACL On A Nexus 7K
It sortof stumped me at first, when I started doing ACLs on the Nexus. After all, I was used to, in the Catalyst line (as well as Brocade and everything else I worked on), doing ACLs a certain way. I prefer doing the whole line at a time. Like this:
ip access-list 107 deny ip 192.168.0.0 0.0.255.255 4.4.4.0 0.0.0.255
However, the Nexus doesnt let you work this way. While the Catalyst and Cisco routers do allow the kind of config that the Nexus requires, I just wasnt used to doing it that way. But, sometimes you have to learn new things. Here is how you create an ACL on the Nexus. Below was on a 7K.
Notice that I start off (in config mode) with "ip access-list 107". After hitting enter, then I do my deny/permit statements.
ip access-list 107
deny ip 192.168.0.0 0.0.255.255 4.4.4.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 5.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 33.33.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 66.66.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
deny ip any any
ip access-list 107 deny ip 192.168.0.0 0.0.255.255 4.4.4.0 0.0.0.255
However, the Nexus doesnt let you work this way. While the Catalyst and Cisco routers do allow the kind of config that the Nexus requires, I just wasnt used to doing it that way. But, sometimes you have to learn new things. Here is how you create an ACL on the Nexus. Below was on a 7K.
Notice that I start off (in config mode) with "ip access-list 107". After hitting enter, then I do my deny/permit statements.
ip access-list 107
deny ip 192.168.0.0 0.0.255.255 4.4.4.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 5.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 33.33.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 66.66.0.0 0.0.255.255
permit tcp 192.168.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
deny ip any any
Monday, June 15, 2015
Check Point GAIA: GUI Bug For Routing Table
Most of you know I'm not a GUI person. Well, here is another reason that I'm not. Its called poor programming. Or, otherwise known as a "software bug". I mean, really, what is a "software bug"? Its poor programming, right?
So Check Point has not escaped this either. I've been fighting with an issue at a customer dealing with trying to get traffic to do what I want it to do, instead of what it wants it to do.
So here is what I wanted:
So as you can imagine, this was a little frustrating, thinking I cant resolve a simple routing problem. However, what I found was that when I went into the CLI and looked at the routing table, the route for 10.1.1.0/24 was not in the routing table. See the route command in CLI:
[Expert@CPfirewall:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
20.20.20.20 * 255.255.255.248 U 0 0 0 eth2
192.168.5.0 * 255.255.255.0 U 0 0 0 eth3
172.16.1.0 * 255.255.255.0 U 0 0 0 eth1
default - 0.0.0.0 UGD 0 0 0 eth2
[Expert@CPfirewall:0]#
See, the route to 10.1.1.0/24 is just not there. It is taking the default route instead. However, it IS in the WebUI in GAIA:
So, as you can see, it is in there. So, I decided to add the second route you see above in CLI. It wasnt there at first. But for a test, I wanted to add it to see what it would do in CLI. I added the route to 10.1.1.5/32 in CLI. And, as you see below, I also am able to ping 10.1.1.5 after I add the static route:
CPfirewall> set static-route 10.1.1.5/32 nexthop gateway address 192.168.5.1 on
CPfirewall> ping 10.1.1.5
PING 10.1.1.5 (10.1.1.5) 56(84) bytes of data.
64 bytes from 10.1.1.5: icmp_seq=1 ttl=124 time=46.9 ms
64 bytes from 10.1.1.5: icmp_seq=2 ttl=124 time=44.0 ms
--- 10.1.1.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 44.024/45.487/46.950/1.463 ms
[Expert@CPfirewall:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.1.5 192.168.5.1 255.255.255.255 UGHD 0 0 0 eth3
20.20.20.20 * 255.255.255.248 U 0 0 0 eth2
192.168.5.0 * 255.255.255.0 U 0 0 0 eth3
172.16.1.0 * 255.255.255.0 U 0 0 0 eth1
default - 0.0.0.0 UGD 0 0 0 eth2
[Expert@CPfirewall:0]#
What??? Now I can see 10.1.1.5 in the routing table AND it pings. How is it that I can now ping 10.1.1.5, but not get 10.1.1.60 (which is what I really want to get to). So I decide to go in and delete the 10.1.1.0/24 route out of the WebUI in GAIA, and add it in CLI.
CPfirewall> set static-route 10.1.1.0/24 nexthop gateway address 192.168.5.1 on
CPfirewall> save config
CPfirewall> expert
Enter expert password:
Warning! All configuration should be done through clish
You are in expert mode now.
[Expert@CPfirewall:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.1.5 192.168.5.1 255.255.255.255 UGHD 0 0 0 eth3
20.20.20.20 * 255.255.255.248 U 0 0 0 eth2
192.168.5.0 * 255.255.255.0 U 0 0 0 eth3
10.1.1.0 192.168.5.1 255.255.255.0 UGD 0 0 0 eth3
172.16.1.0 * 255.255.255.0 U 0 0 0 eth1
default 0.0.0.0 UGD 0 0 0 eth2
[Expert@CPfirewall:0]#
CPfirewall> ping 10.1.1.60
PING 10.1.1.60(10.1.1.60) 56(84) bytes of data.
64 bytes from 10.1.1.60: icmp_seq=1 ttl=124 time=47.9 ms
64 bytes from 10.1.1.60: icmp_seq=2 ttl=124 time=42.0 ms
--- 10.1.1.60 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 47.024/45.487/46.950/1.463 ms
So, I chalk this up to a bug in the software. You have to think that when you are in the GUI, you are banking that the translation is going to be correct to CLI. Who does that? Programmers. You have to code right to make the translation work right into CLI.
Sunday, June 14, 2015
Sunday Thought: Live
I saw this in concert. If you don't know Jesus as your personal Savior from all the things you ever did in this life that was against what God's standards of right and wrong, just know a couple of things:
1. It's not too late.
2. Even you can be saved. Yes, even you are forgivable.
3. God does want a relationship with you. That happens through Jesus.
This link below is my prayer for you.
Live
1. It's not too late.
2. Even you can be saved. Yes, even you are forgivable.
3. God does want a relationship with you. That happens through Jesus.
This link below is my prayer for you.
Live
Saturday, June 13, 2015
Pic Of The Week: NYC 1956 Skyline
Came across this picture on the Internet. I imagine people would come unglued today.
Friday, June 12, 2015
Cisco Nexus: Dual 7K And 5K Double Sided vPC Configuration
I have been working on a data center change of equipment for a customer here recently. One of the things we are doing is replacing the Cisco 6500s and putting in Nexus 7Ks, along with 5Ks and FEXs. The purpose of this post is to show how to configure the vPC between dual 7Ks and dual 5Ks. I did a lot of research on this topic, and there appears to be more than one way to do this. However, from what I could tell, the best way, in my situation, was to configure one vPC for all connections involved. Here is the topology that we have put in:
Here is the config template I wrote up to get this going:
One difference is that I have multiple connections to each device. So I will have multiple ports on each device for the single virtual port-channel in this case.
Also note: I have confirmed that the domain ID for the 7Ks has to be a different ID number than on the 5Ks. So, in my case, the 7Ks have a domain ID of 10. My 5Ks have a domain ID of 5.
Here is the config template I wrote up to get this going:
On each 7K:
interface port-channel50
description vPC50-7k-5k
switchport
switchport mode trunk
speed 10000
vpc 50
interface Ethernet3/5
description *** To 5K-5 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet4/5
description *** To 5K-5 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet3/6
description *** To 5K-6 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet4/6
description *** To 5K-6 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
On each 5K:
interface port-channel50
description vPC50-7k-5k
switchport
switchport mode trunk
speed 10000
vpc 50
interface Ethernet1/7
description *** To 7K-1 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet1/8
description *** To 7K-1 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet1/9
description *** To 7K-2 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet1/10
description *** To 7K-2 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface port-channel50
description vPC50-7k-5k
switchport
switchport mode trunk
speed 10000
vpc 50
interface Ethernet3/5
description *** To 5K-5 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet4/5
description *** To 5K-5 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet3/6
description *** To 5K-6 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet4/6
description *** To 5K-6 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
On each 5K:
interface port-channel50
description vPC50-7k-5k
switchport
switchport mode trunk
speed 10000
vpc 50
interface Ethernet1/7
description *** To 7K-1 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet1/8
description *** To 7K-1 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet1/9
description *** To 7K-2 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
interface Ethernet1/10
description *** To 7K-2 ***
switchport mode trunk
speed 10000
channel-group 50 mode active
no shutdown
Wednesday, June 10, 2015
Cisco CUCM: Bad Upgrade Images
So this was a little frustrating. When you just cant get that upgrade to work, it may not be your fault. I went through 4 upgrade images before I got one that would work. I kept getting the error message below, and man was this frustrating. This cost me a lot of time trying to figure out what was going on. But, it definitely was bad images that I downloaded from Cisco. If you run into this, dont necessarily think its you. It may be the image.
Tuesday, June 9, 2015
Cisco CUCM: Back And Restore
I do like doing voice projects. There is a lot to it, and configuration can take some time to get a whole project done. But, I also like doing backup and restores for minimum work on a project as well.
I have projects where when I want to an upgrade, its easier to install a lower version of CUCM and go from there. This means I install an exact version of what the current production box is, on the new equipment, and do a restore of the database. It makes things faster and easier to accomplish the goal.
I have projects where when I want to an upgrade, its easier to install a lower version of CUCM and go from there. This means I install an exact version of what the current production box is, on the new equipment, and do a restore of the database. It makes things faster and easier to accomplish the goal.
Monday, June 8, 2015
Cisco Unity Express: Call Forward To Voicemail
I like use CLI as much as possible, except in Unity Express. Its just easier and by the time Im done with a CME, Im ready to be done with the project and ready to move on. So I do typically use the CUE GUI for configuration.
When you want to send traffic directly to voicemail, make sure you have the DID in the "Primary E.164 Number".
When you want to send traffic directly to voicemail, make sure you have the DID in the "Primary E.164 Number".
Sunday, June 7, 2015
Sunday Thought: Bless Me Indeed
May you, who are reading this post now, be blessed by the Lord our God.
Bless me - Mercy Me
Bless me - Mercy Me
Saturday, June 6, 2015
Friday, June 5, 2015
Brocade Switch: How Long To Wait While Upgrading The POE
I dont like waiting much. It takes a few minutes to do an upgrade of the POE on a Brocade switch. So I wondered when is it that I could disconnect from the console and go on to the next one. See below, I marked when you can disconnect. Its after the TFTP is successful.
Thursday, June 4, 2015
Tools All Network Guys Need
This is one of them. I use this tool all the time. Knife, saw, scissors, screw driver, and cutters. And fits in your pocket or in your bag. I have this small one and one larger one. If you are a network admin, you need one of these.
Wednesday, June 3, 2015
Cisco TAC
I don't know about your experience with TACs, but my personal opinion is that Cisco's TAC is second to none. Sure, I have come across a bad apple every now and then. But 99% of the time, I always get a really good technical resource that knows what they are doing and is very eager to get your problem solved!
Now this post is more about RMA replacements. I did create a case to get a router that had died replaced. I created this around 10AM. Even though the customer had next day business support on replacements, they got the 3825 router replacement by 3:30PM the same day. Now that is really very cool.
I have seen that several times in my career when Cisco has done better than the expected timeframe promised. I put that under the 'great customer service' category.
Tuesday, June 2, 2015
Quote Of The Day
I'm not a big quote guy. But this one was just too good. Quote of the day by a SIP provider I had to deal with on a troubleshooting call.
"We don't guarantee that any call will get through."
Imagine, a Telco saying this to you.
Imagine, a Telco saying this to you.
Monday, June 1, 2015
From Server Room To Storage Room
I think every IT guy will get this. This is a small case of it, but when the server room becomes the storage room, I just have to shake my head.
Subscribe to:
Posts (Atom)