Friday, July 31, 2015

Brocade ICX6450: Stack Cable Configuration Diagram

I thought I would put together this diagram on how to stack the 6450s as far as the physical cabling goes.  These are 10Gig stacking cables between each.  You run the command "stack enable" in config mode of each switch one at a time.  You also want to configure the stack unit ID priorities,  stack mac address and hitless failover.

Thursday, July 30, 2015

SonicWall: Certification And Support

Im trying to figure out if this is a good thing or not.  With Dell SonicWall, if you want to get to level 2 support, you have to at least be CSSA certified.  Now I do have CSSA, but what if you don't have it and you have a level 2 problem?  It sounds to me that you wont be able to get support from them.  I'm going to have to think about this, but at first glance, I don't like that approach to the level of support you can get to.  I figure if my customer pays for a firewall, they should be able to get support on it.

Tuesday, July 28, 2015

Cisco Nexus: Module Troubleshooting

Sometimes it happens.  I mean, its all electronics, right?  Module 9 in this Nexus 7K went bad at some point and now the only thing we can really do is RMA it.  We re-seated the module with no success.  I created a TAC case and will expect a replacement soon.

Core2# sh module
Mod  Ports  Module-Type                         Model              Status
---  -----  ----------------------------------- ------------------ ----------
1    0      Supervisor Module-2                 N7K-SUP2           active *
2    0      Supervisor Module-2                 N7K-SUP2           ha-standby
3    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     ok
4    48     1/10 Gbps Ethernet Module           N7K-F248XP-25E     ok
5    12     10/40 Gbps Ethernet Module          N7K-F312FQ-25      ok
7    48     1000 Mbps Optical Ethernet XL Modul N7K-M148GS-11L     ok
8    48     10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L     ok
9    48     10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L     powered-dn

Mod  Power-Status  Reason
---  ------------  ---------------------------
9    powered-dn     Reset (powered-down) because module does not boot

Mod  Sw               Hw
---  ---------------  ------
1    7.2(0)D1(1)      3.0
2    7.2(0)D1(1)      3.0
3    7.2(0)D1(1)      1.0
4    7.2(0)D1(1)      1.2
5    7.2(0)D1(1)      1.1
7    7.2(0)D1(1)      2.1
8    7.2(0)D1(1)      2.1

Monday, July 27, 2015

Check Point/Palo Alto/SonicWall: GeoLocation Is A Really Cool Thing

I always like the geolocation feature in a firewall.  Check Point and Palo Alto do this well for both inbound and outbound (separately).  SonicWall is either on or off, meaning I either have to enable it for a country for both inbound and outbound, or I disable it for that country.  I'd like to see inbound/outbound for SonicWall like I do with Check Point and Palo Alto.  Either way, these countries are the ones I block most frequently for customers when I can.  Below is the abbreviations on a Palo unit:
MX  Mexico
BR  Brazil
CF  Central African Republic
CN  China
DE  Germany
EU  European Union
RU  Russian Federation
SE  Sweden
ZA  South Africa
HU  Hungary
IT  Italy
IN  India
RO  Romania
BR  Brazil
TW  Taiwan
TR  Turkey

Sunday, July 26, 2015

Sunday Thought: John 1:1-5

In the beginning was the Word, and the Word was with God, and the Word was God. He was with God in the beginning.Through him all things were made; without him nothing was made that has been made. In him was life, and that life was the light of all mankind. The light shines in the darkness, and the darkness has not overcome it.
There is a lot of neat wonder in the first verses of John. 

Thursday, July 23, 2015

Cisco Voice: CUBE Troubleshooting For SIP Calls Inbound

While implementing a Cisco voice solution one weekend, I found that my CUBE was not sending inbound calls to my new CUCM.  Outbound worked fine, but inbound did not.  What we found was that SIP was not enabled on the dial-peer on the CUBE.  I typed the fix in the drawing below, but in case you cant see it:
dial-peer voice 100 voip
session protocol sipv2

Wednesday, July 22, 2015

Check Point: How To Take A CPINFO

Check Point expects you to know how to take a CPInfo, which really drives me nuts.  Not everyone knows how to do this, and I have found that not everyone at Check Point knows how to do this.  Well, I have done it enough to know how, but I run into people a lot that do not know.  This post is just a "how to take a cpinfo" post.  Here is what I did the last time I took one.

CPFW> cpinfo -z -l -o /var/log/gateway.cpinfo
Would you like to download the latest CPinfo package from Check Point Download Center? y/n: [y]y


Verifying CK...

An updated package was found, downloading and installing it

Started downloading updated package
Downloading update package cpinfo_914000118_1.tgz - 3757294/3757294 (100%)
Downloaded package verification succeeded
Starting installation of new CPinfo version
CPinfo update finished successfully!
Launching new version of CPinfo

Would you like to upload CPinfo file securely to Check Point Download Center? y/n: [y]n

                CPinfo Creation...

Collecting information...: 100%
Compressing output file...
Compressing output file - done (/var/log/gateway.cpinfo.gz)

CPFW> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@CPFW:0]# pwd
[Expert@CPFW:0]# cd /var/log
[Expert@CPFW:0]# ls -l *ga*
-rw-r--r-- 1 admin root      511 Jun  4 09:51 gaia_init_config.log
-rw-rw-r-- 1 admin root 56948317 Jul  1 13:30 gateway.cpinfo.gz

Tuesday, July 21, 2015

ACME Packet SBC Firmware Upgrade ~~ By Mike Parks

Mike Parks was generous enough to share his experience in upgrading ACME SBCs and post on the blog about it.  Thank you Mike for participating in the blog.  ~~ Shane Killen

If you want to upgrade your Acme Packet SBC (Oracle Net-Net SBC), hopefully my notes will make the proses smother. If you have an Oracle account, you can obtain the upgrade software here if not, you will need to sign up, and have yourself associated with your company. The best one stop shop for SBC documentation is here and finally, for the Oracle SCX upgrade, look up sbc_scx640_troubleshooting.pdf  The following example was performed on a standalone Acme Packet 3820 SBC.
Preliminary work, back it up!
*acmesbc# show  ver
*acmesbc# verify-config   (Resolve config errors prior to upgrading)
*acmesbc# check-space-remaining code   (Check for at least 8 meg of space)      
*acmesbc# show version boot   (Validate bootloader dated June 21, 2011 or later)
*acmesbc# backup-config (Enter NEW backup name, ex. Backup-config New_Backup)
*acmesbc# display-backups  (New backup will display, if you need to restore your config later type: restore-backup-config FILENAME)

After you download the new software to your PC, you need to FTP the software to the SBC (Filezilla works great). In the Host field, enter the SBC host IP. Unless you changed the login, the default login is, Username: user  /  Password: acme

FTP your file into /code/images directory, it should look like this after loaded /code/images/nnSCX640m6p1.xz
Next, you need to make the file part of your bootupconfig in your SBC.

*acmesbc# configure terminal
*acmesbc# bootparam   (Hit enter until you see file name, type your new filename to the right of your old filename.
file name : /code/images/nnSCX630.gz /code/images/nnSCX640m6p1.xz  (example)

Enter through the reaming commands, and reboot. After the reboot, log back in, and you should see your new firmware.

ACME Net-Net 3820 Firmware SCX6.4.0 MR-6 Patch 1 (Build 547)
Build Date=05/21/15/code/images/nnSCX640m6p1.xz

That’s it, you just completed the upgrade! 

Monday, July 20, 2015

Cisco ASA: 5505 ASA Config Template

Below is a template I created while doing an ASA 5505 (directly out of box) for a remote site.  It had one VPN and the rest was a just plane Jane config.  Below is my template for such a config.  Its a pre8.3 config.  Make sure you upgrade something like this before you send it onsite:

ASA(config)# username shane pass password
ASA(config)# enable pass apasswordthatissecret
ASA(config)# hostname ASA
ASA(config)# aaa authentication ssh con LOCAL
ASA(config)# crypto key generate rsa mod 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA(config)# ssh outside
WARNING: This command will not take effect until interface 'outside' has been assigned an IPv4 address
ASA(config)# route outside
ASA(config)#  int vlan 2
ASA(config-if)# ip add
ASA(config-if)# no shut
ASA(config)# no dhcpd enable inside
ASA(config)# no dhcpd address inside
ASA(config)# no dhcpd enable inside
ASA(config)# no dhcpd address inside
ASA(config)# interface Vlan1
ASA(config-if)# no ip add
ASA(config-if)# ip add
ASA(config-if)# no shut
ASA(config-if)# route inside
ASA(config)# route inside
ASA(config)# aaa authentication serial console LOCAL
ASA(config)# crypto isakmp policy 10
ASA(config-isakmp-policy)#  authentication pre-share
ASA(config-isakmp-policy)#  encryption aes-256
ASA(config-isakmp-policy)#  hash sha
ASA(config-isakmp-policy)#  group 2
ASA(config-isakmp-policy)#  lifetime 86400
ASA(config-isakmp-policy)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASA(config)# access-list 2HQ permit ip
ASA(config)# access-list 2HQ permit ip
ASA(config)# access-list 2HQ permit ip
ASA(config)# access-list 2HQ permit ip
ASA(config)# access-list nonat permit ip
ASA(config)# access-list nonat permit ip
ASA(config)# access-list nonat permit ip
ASA(config)# access-list nonat permit ip
ASA(config)# nat (inside) 0 access-list nonat
ASA(config)# tunnel-group type ipsec-l2l
ASA(config)# tunnel-group ipsec-attributes
ASA(config-tunnel-ipsec)#  pre-shared-key veryprivatevpnkeynothisisnotwhatiuse
ASA(config-tunnel-ipsec)# exit
ASA(config)# crypto map outside_map 10 match address 2HQ
ASA(config)# crypto map outside_map 10 set peer
ASA(config)# crypto map outside_map 10 set transform-set ESP-3DES-SHA
ASA(config)# crypto map outside_map interface outside
ASA(config)# crypto isakmp enable outside

Friday, July 17, 2015

Palo Alto: What Is Licensed, What Is Not

There seems to be some confusion around what you need a license for on the Palo Alto and what you don't need a license for.  I thought I would put some things down I had from my own notes.

App-ID: free with the purchase of the Palo unit.
VPN global protect client: no licensing required for global protect client.  There are some connection limitations based on the model of the unit.

URL filtering: requires a license.
Wildfire:  With subscription, it takes about 15 minutes to get an update for infected file types  Customers without Wildfire subscription get the fix in the next day update.
Threat Prevention: (IPS, Spyware, AV)  requires a license.
For VPN - Posture assessment (hip check) is a "paid for" solution.  Mobile client is a "paid for" solution.  This is called "global protect gateway".

Thursday, July 16, 2015

The Dad Moments

Its the Daddy moments.  My daughter is older now, but Im still a Dad.  I helped her put a light bar on her SUV.  It was some work and very hot outside (in the 90s), but the few moments she expresses thankfulness for my time and effort is worth the several hours of working on something she wanted.

Wednesday, July 15, 2015

Cisco Voice: Putting An IP Address In VMware

In the new world of technology, it seems now when Im doing a voice install, its on top of VMware.  So, to get this thing started, I need an IP address for the host.  Here are the steps get to that.

Step 1:

Step 2:

Step 3:

Step 4:

Step 5:

Tuesday, July 14, 2015

Cisco ASA: Activating The AnyConnect License

How to activate an anyconnect mobile license key on the Cisco ASA.

ASA(config)# activation-key 9f9k7747 38hghfd5 kf74jhtr 9ceffc1c 7764e4a6
Validating activation key. This may take a few minutes...

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Enabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

Both running and flash activation keys were updated with the requested key.

Monday, July 13, 2015

I Dont Want You To Miss This

This is worth repeating! If you missed yesterday's post, go back to yesterday's post, click on the link, and listen to the words.

Saturday, July 11, 2015

Pic Of The Week: Closed...

We came to this place to see what their hours of operation was, so that we could come back the next day.

Wednesday, July 8, 2015

Palo Alto: Software Upgrades

One thing you have to remember when upgrading the software to the latest version: download the base image first, then the latest upgrade.  It needs that base image first before the latest.  See below.  I downloaded the 6.1 image before I downloaded the 6.1.4.

Tuesday, July 7, 2015

Packet Capture: Check Point CLI To Wireshark Dump

It always helpful taking a packet capture from a firewall when you need to.  Here on a Check Point 2200 firewall, I needed to see what was going on during a trouble call.  So I wanted to take a packet capture into a wireshark readable format.  Here is how I did that.

[Expert@CPFW:0]# fw monitor -i -p all -o capture2.cap
 monitor: getting filter (from command line)
 monitor: compiling
Compiled OK.
 monitor: loading
in chain (16):
        0: -7f800000 (f2768890) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -7d000000 (f14e5690) (00000003) vpn multik forward in
        2: - 2000000 (f14bda30) (00000003) vpn decrypt (vpn)
        3: - 1fffffa (f14d6070) (00000001) l2tp inbound (l2tp)
        4: - 1fffff8 (f276a040) (00000001) Stateless verifications (in) (asm)
        5: - 1fffff7 (f27a9500) (00000001) fw multik misc proto forwarding
        6: - 1fffff2 (f14f65c0) (00000003) vpn tagging inbound (tagging)
        7: - 1fffff0 (f14bc5f0) (00000003) vpn decrypt verify (vpn_ver)
        8: - 1000000 (f28493a0) (00000003) SecureXL conn sync (secxl_sync)
        9:         0 (f270d390) (00000001) fw VM inbound  (fw)
        10:   2000000 (f14bbc60) (00000003) vpn policy inbound (vpn_pol)
        11:  10000000 (f2847420) (00000003) SecureXL inbound (secxl)
        12:  7f600000 (f275de30) (00000001) fw SCV inbound (scv)
        13:  7f730000 (f2966080) (00000001) passive streaming (in) (pass_str)
        14:  7f750000 (f2b76c90) (00000001) TCP streaming (in) (cpas)
        15:  7f800000 (f2768c30) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (14):
        0: -7f800000 (f2768890) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -78000000 (f14e5670) (00000003) vpn multik forward out
        2: - 1ffffff (f14bb520) (00000003) vpn nat outbound (vpn_nat)
        3: - 1fffff0 (f2b76ec0) (00000001) TCP streaming (out) (cpas)
        4: - 1ffff50 (f2966080) (00000001) passive streaming (out) (pass_str)
        5: - 1ff0000 (f14f65c0) (00000003) vpn tagging outbound (tagging)
        6: - 1f00000 (f276a040) (00000001) Stateless verifications (out) (asm)
        7:         0 (f270d390) (00000001) fw VM outbound (fw)
        8:   2000000 (f14bb740) (00000003) vpn policy outbound (vpn_pol)
        9:  10000000 (f2847420) (00000003) SecureXL outbound (secxl)
        10:  1ffffff0 (f14d6c20) (00000001) l2tp outbound (l2tp)
        11:  20000000 (f14be470) (00000003) vpn encrypt (vpn)
        12:  7f700000 (f2b770b0) (00000001) TCP streaming post VM (cpas)
        13:  7f800000 (f2768c30) (ffffffff) IP Options Restore (out) (ipopt_res)
 monitor: monitoring (control-C to stop)
15752  monitor: caught sig 2
 monitor: unloading
[Expert@CPFW:0]# ls -l
total 48240
-rw-rw-r-- 1 admin root 29636521 Jun  3 10:10 CPFWCPinfo.tgz.gz
-rw-r----- 1 admin root  5738635 Jun  1 14:52 CPFW_1_6_2015_14_50.CPViewDB.dat.gz
-rw-r--r-- 1 admin root  5735899 Jun  3 10:10 CPFW_3_6_2015_10_08.CPViewDB.dat.gz
-rw-rw---- 1 admin root  2655555 Jun 11 13:50 capture.test.txt
-rw-rw---- 1 admin root     1480 Jun 11 13:39 capture1
-rw-rw---- 1 admin root  5517380 Jun 11 14:00 capture2.cap
-rwxrwx--- 1 admin root    13894 Apr 21 12:53 crypt.def
[Expert@CPFW:0]# ftp
Connected to (
220-GuildFTPd FTP Server (c) 1997-2002
220-Version 0.999.14
220 Please enter your name:
Name ( shane
331 User name okay, Need password.
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bi
200 Type set to I.
ftp> put capture2.cap
local: capture2.cap remote: capture2.cap
227 Entering Passive Mode (192,168,50,60,201,12)
150 Opening binary mode data connection for /capture2.cap.
226 Transfer complete. 5517380 bytes in 2 sec. (2758.69 Kb/s).
5517380 bytes sent in 1.56 secs (3.5e+03 Kbytes/sec)
ftp> bye
221 Goodbye.  Control connection closed.

Monday, July 6, 2015

Cisco CUCM: Security Password Reset

I have, very rarely, had to change the security password on a CUCM before.  This is not an account in particular, but in this case, it was for restoring from a backup.  For whatever reason, the backup password was not working.  So, I needed to reset this to try to match what we thought it was.  Here is the process I went through on the Publisher to get this reset:

admin:set password user security
Please enter the old password: **********
   Please enter the new password: *********
Reenter new password to confirm: *********
The Disaster Recovery System is dependent on this security password you are attempting to change.
If you need to use any of the older backup archive to restore this system, you need to remember the
older security  password. To avoid this scenario, we recommend you to conduct a DRS Backup of your
system/cluster immediately after this password change.
Please make sure that the security password on the publisher is changed first.
The security password needs to be the same on all cluster nodes,
or the publisher and subscriber(s) will not communicate.
After changing the security password on a cluster node, please restart that node.

Continue (y/n)?y

Please wait...

Password updated successfully.

Sunday, July 5, 2015

Sunday Thought: Outsiders

You know, we are literally, the outsiders in this.  We were the ones that sinned.  We are the ones that are on the outside, until we come to know Jesus anyway.  Outsiders

Friday, July 3, 2015

Patch Cable Condition

Its always a good idea to check the condition of the cabling that you are using.  I can tell you from  first hand experience, that having a patch cable in poor condition will slow your connection speeds down.  I initially had this long patch cable that had some places that made me a little concerned.  It would connect me just fine, but when I ran a speed test from my cable provider, all I got was 9 Meg or so down.  I went down and re-crimped the cabling and now I get 84 Meg down.  Interesting.
You might as well forget that convenient wireless.  Its half the wired speed.

Thursday, July 2, 2015

Check Point: The Sometimes Quirky

If you read my blog, you know that I do like Check Point firewalls.  They are one of the top two, if you ask me (and Gartner).  But, I have seen some flakiness that I don't like on occasion.  This troubleshooting time was one of those times.  I was on this problem for a while before I got any resolution.  Check Point TAC didnt know the answer, and I just happened to come upon a fix for it.  See below, the screenshot.  What real sense does this make, when a packet is accepted and sent across the VPN, and the next packet is dropped.  UDP_10001, for a Shoretel packet traversing a to a remote-access client.  This kind of issue will drive you crazy.
I know I'm going to catch some flack for this, but sometimes Check Point is just down right flaky.

Wednesday, July 1, 2015

SDN: The Game Changer

I saw a demo of what the capabilities of SDN is going to be like. I have a feeling that was just the tip of the iceberg.  I saw a packet get routed from one vlan to another in a L2 switch.  Not L3, L2! I'm thinking William at probably had some good info on this. But I'm planning on diving in. More to come.