Saturday, October 31, 2015

Friday, October 30, 2015

Cisco ASA: VPN Lifetime Count

Did you know that VPNs resend their information after a certain amount of time?  Yep, it's true.  After the lifetime expires, they resend their SA info.  You can see the remaining times when you do a "show crypto isakmp sa detail" on the Cisco ASA.

asa# sh cryp isa sa det
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer:
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 42302
2   IKE Peer:
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 28616
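Added example (not part of the original post): a small Python parser that turns the output above into one record per SA and reports the time left before each rekey. Lifetime values are in seconds; the function names and the warn_fraction threshold are assumptions made for this illustration.

```python
import re

# Output copied from the post above (peer addresses are blank there).
OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1   IKE Peer:
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 42302
2   IKE Peer:
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 28616
"""

# "Key : value" pairs; two pairs may share one line.
PAIR = re.compile(r"([A-Z][A-Za-z ]*?)\s*:\s*(\S+)")

def parse_sas(text):
    """Split the output into one dict per IKE SA; summary lines before the first peer are skipped."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+IKE Peer:\s*(\S*)", line)
        if m:
            sas.append({"index": int(m.group(1)), "peer": m.group(2) or None})
        elif sas:
            for key, value in PAIR.findall(line):
                sas[-1][key.strip()] = value
    return sas

def rekey_report(sas, warn_fraction=0.1):
    """Per SA: (index, type, time left as h:mm:ss, inside the hypothetical warning window?)."""
    report = []
    for sa in sas:
        total, left = int(sa["Lifetime"]), int(sa["Lifetime Remaining"])
        h, rem = divmod(left, 3600)
        m, s = divmod(rem, 60)
        report.append((sa["index"], sa["Type"], f"{h}:{m:02d}:{s:02d}", left <= total * warn_fraction))
    return report

if __name__ == "__main__":
    print(rekey_report(parse_sas(OUTPUT)))
```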

Thursday, October 29, 2015

Home Projects: Stabilizing Old Floors

It never fails, I always come out bleeding when I go under my house. Since we were having a lot of people over, I needed to make sure my floors were stable and supported well. I've been underneath the house and done this before, but over time, things just settle in. So now I'm back underneath the house again to make sure all is sturdy again.
Now I don't like confined spaces, but someone had to do this. Might as well be me.

And, it never fails:

Wednesday, October 28, 2015

Switch Banners

I get on a lot of switches during a week's time.  Although rare, I do, occasionally, see a creative banner.  Most of the time people want you to know they are monitoring your session and are going to prosecute you to the fullest extent when they catch you.  Below is the latest one that was a little different than the norm.  I found it on a Cisco switch.


        Speak friend and enter
                else leave


Tuesday, October 27, 2015

Palo Alto: 7.X and ACC

Update on this 11/13/15: Palo got in touch with me about this and walked me through the new way of doing things. It's not as bad as I thought. You can still see what you want to see, you just have to create your own search for it via filters. I'm ok with this. However for people who don't know or understand the Palo, this might be a little more difficult for some. I, however, am ok with this now that I understand what Palo is trying to do. 

So most people know I'm a fan of Palo Alto firewalls.  But, I came across something today that I didn't like.  ACC used to have a great console for finding out info fast.  That is, in 6.X and below.  Now, in 7.X, it's harder to dig down without having to go through the logs.  Why would Palo do this?  I have no idea.  But I'm not happy about this change.  I doubt it will change, but I made it a point to talk to TAC about this when I called about a support issue.

Monday, October 26, 2015

Home Projects: Stairs

I like home projects, especially if they are outside. I had a few things I needed to do before my daughter's wedding, and I thought I would post a few of them in the next few days.  One of these was fixing some steps on the side of my house. I didn't get a good before pic, but did of the process.

Finished product:

Sunday, October 25, 2015

Sunday Thought: Two Wolves

I watched a movie last night called Tomorrowland.  Nothing special about it really, but they did make mention of something interesting.  They mention the two wolves story. One filled with darkness and the other filled with light. Both of them always fighting each other. The question was asked, "Which wolf wins the fighting?"  The answer: "The one you feed."
It seems to me that we who are Christians are the same. We have an "old self" and a "new self". I think our old self is the sinful nature that we were born into. The new self being what God would have us be, turning away from our sinful desires. The new self being the transformation into what God would have us to be.  So which one do we feed? The sinful nature or our new self?

Thursday, October 22, 2015

The Hunt For The Rogue DHCP Server

Man, I hate these things.  You know, when someone plugs in a device that gives out DHCP by default, just so they can have more than one port to plug into for their devices?  I had this happen on a network, where the 10.254.236.X address was being given out to some clients.  This turned a little ugly, since the whole network (including remotes) resides on a single VLAN with L2 across to the remote sites.  I was able to track it down though.  I had to ping the default gateway (which was the rogue DHCP server) to get a MAC address entry on the PC.  Once I had that (by doing arp -a on the PC on the command prompt), then I was able to find the MAC address on the switching gear.  I tracked it down through several switches (across the MPLS network) and shut down the port.  When I went onsite to find it, it led me to the place below.  Where it goes, no one knows.
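Added example (not part of the original post): the same hunt in Python, taking the gateway's MAC from "arp -a" output and following it from switch to switch until it lands on an edge port. All sample data is constructed; the switch names, the uplink map and the Cisco-style MAC table layout are assumptions for this illustration.

```python
import re

# Constructed sample: `arp -a` on a Windows PC after pinging the rogue gateway.
ARP = """\
Interface: 10.254.236.57 --- 0xb
  Internet Address      Physical Address      Type
  10.254.236.1          00-00-5e-00-53-2a     dynamic
  10.254.236.255        ff-ff-ff-ff-ff-ff     static
"""

# Constructed MAC tables ("vlan mac type port" rows) keyed by a hypothetical
# switch name, plus which ports are uplinks to which neighbouring switch.
MAC_TABLES = {
    "core":     "  1  0000.5e00.532a  DYNAMIC  Gi1/0/48\n  1  0000.5e00.5301  DYNAMIC  Gi1/0/3\n",
    "remote-a": "  1  0000.5e00.532a  DYNAMIC  Gi0/24\n",
    "remote-b": "  1  0000.5e00.532a  DYNAMIC  Fa0/17\n",
}
UPLINKS = {"core": {"Gi1/0/48": "remote-a"}, "remote-a": {"Gi0/24": "remote-b"}}

def canon(mac):
    """Reduce any MAC notation (00-00-5e.., 0000.5e00.., 00:00:5e..) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def mac_for_ip(arp_text, ip):
    """Return the canonical MAC that `arp -a` lists for `ip`, or None."""
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            return canon(fields[1])
    return None

def port_for_mac(table_text, mac):
    """Return the port a switch learned `mac` on, or None."""
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and canon(fields[1]) == mac:
            return fields[3]
    return None

def trace(mac, switch):
    """Follow the MAC across uplinks until it sits on an edge port (or is not found)."""
    path = []
    while switch and switch not in [s for s, _ in path]:
        port = port_for_mac(MAC_TABLES[switch], mac)
        path.append((switch, port))
        switch = UPLINKS.get(switch, {}).get(port)
    return path
```

The last entry of the path returned by trace() is the port to shut down; a port of None means that switch never learned the MAC.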

Wednesday, October 21, 2015

What's Under The Hood: Your Network Gear

(Be patient in this post, it's really about network switches.)
You know, when you are looking for a car to buy, what are some of the things you look for?  I suppose the answers are different for each person.
Here is what I don't do though.  I don't say to myself for criteria:
1.  Will this car do 80 mph?
2.  How much does this car cost?

I tend to ask more questions than that:
1.  Is the engine a V8, V6?
2.  How many mpg does it get?
3.  What are the safety ratings?
4.  Yes, how much does it cost?
5.  Has this car been taken care of? (oil changes, gaskets, etc)
6.  Is the body in good shape?
7.  Does the engine feel good when driving?
Etc, etc.

I go through a lengthy check of what I know to check on the car as well.  I check everything I can on the engine.  I look at the gaskets, boots, fluid leaks, check for stains, hose condition, wear on critical parts, etc, etc.  I take a good look at the vehicle.
The reality is that on cars, most cars, if not all, will do 80 mph.  Now, let's compare for a minute.  My Dodge 1500 will do 80 without issue.  RPMs are low during that time as well.  My engine doesn't even think about it.  However, I had a Honda Civic at one point in life where it would do 80 mph, but the engine was obviously struggling.  Which one would I prefer?  Obviously my truck.
Now, on to the switch conversation.  What's under the hood?  I hear so often IT Directors, when deciding what switch gear to buy, say things like this: "It's a gig speed to the desktop".  "It's cheaper than the other brand".  "This brand is what we know how to manage".
It amazes me that people who are making device decisions are actually uneducated on how to make good decisions.  I mean, you take your next five year investment and you base your decision on price?  Or, you make an uninformed decision based on what the sales guy told you?  It's time to get informed, folks.
So, what do you look for?  I always say three things are what you look for:
1.  Yes, price is something to look at.  But not the most important.
2.  Performance of the equipment.  Most companies need performance in the network.  Switching backplane, forwarding rate, stacking bandwidth, number of switches allowed in a stack, memory, SDN capable.  These are important in the decision making comparisons.
3.  Features of the equipment.  Most companies nowadays just need QoS, routing and number of 10gig ports, switching, and maybe PoE.  However, you also need SDN capability for the future.  Other than that and other features common to all vendors, that's mostly it.
4.  I'm going to add this in, although I don't normally tell people this.  But product support is important also.  How good is the vendor support when you call in?

I always compare switch vendors in performance.  If you think that all you need is gig speed to the desktop, you are setting yourself up for potential planning failure for your network needs for not only now, but for the next five years.  Even though my old Civic would do 80 mph, it wouldn't be the best option for performance, comfort or other options I needed for daily use of a vehicle.  Same thing with switches.  You have to know what you are looking at when you make decisions that affect your company.
Now, with that said, the next statements are for the IT consultant.  It's YOUR responsibility to educate your customers.  It's YOUR responsibility to let them know how to make good decisions.

Tuesday, October 20, 2015

Unfortunate Experience

The day after my daughter's wedding, my wife and I thought we would go to the beach for a couple of days. About an hour and a half into the drive, we didn't make it.  We threw a rod, which leads us to the below pic.  And, if you want a good laugh at my expense, the video below the pic is sure to make you laugh, at least a little.

Monday, October 19, 2015

Brocade Fiber SFP Connected To Cisco Fiber SFP: No Link

I ran into this the other day.  My customer had a Brocade ICX6450 acting as the core (I know, don't say it) and was trying to connect a Cisco 2960 via fiber to it.  Well, the fiber link just wouldn't come up.
But, I knew there was something special that you did have to do when connecting a Cisco and Brocade together (sometimes) when you have issues like this.  Turns out that I had to run this command on the Cisco port: "speed nonegotiate"
That resolved my problem and the link came right up.

Saturday, October 17, 2015

Pic Of The Week: Wedding Day

Today my daughter is getting married. So we have been preparing.

Friday, October 16, 2015

SonicWall: Dual-ISP Configuration

All firewalls I know have dual-ISP backup configuration availability.  SonicWall is no different.  If you have dual-ISPs, then certainly set it up.  It's on the Failover and LB (Load Balancing) page.  It's easy and works well.

Wednesday, October 14, 2015

Packet Capture: More Proving What's There

More packet captures on the ASA.  Sometimes you just have to know how far the packet is getting.  This time it's across a VPN.  I need to see what the packets actually are getting across, and not just look at the counters.  I'm trying to see if one DNS server is sending traffic back.  Yep, the DNS server is sending traffic back.  I see this on the inside interface of the ASA.  Looks good.

ASA# sh capture
capture capin type raw-data access-list 191 interface inside [Capturing - 28987 bytes]
ASA# sh capture capin

143 packets captured

   1: 14:03:29.546663 >  udp 373
   2: 14:24:47.714761 >  udp 55
   3: 14:24:47.717064 >  udp 55
   4: 14:24:47.931943 >  udp 35
   5: 14:24:47.932340 >  udp 90
   6: 14:24:47.970271 >  udp 32
   7: 14:24:47.970683 >  udp 79
   8: 14:24:48.015196 >  udp 45
   9: 14:24:48.015853 >  udp 98
  10: 14:24:48.059841 >  udp 39
  11: 14:24:48.090159 >  udp 39
  12: 14:24:48.135307 >  udp 42
  13: 14:24:48.136025 >  udp 111
  14: 14:24:48.172140 >  udp 35
  15: 14:24:48.174566 >  udp 110
143 packets shown

Tuesday, October 13, 2015

Cisco ASA: Troubleshooting With Logs

I was having to troubleshoot a VPN between a Check Point and an ASA the other day.  I came up with this message in the ASA logs:

%ASA-7-713222: Group =, IP =, Static Crypto Map check, map = BHM, seq = 30, ACL does not match proxy IDs src: dst:
%ASA-7-713221: Group =, IP =, Static Crypto Map check, checking map = BHM, seq = 40...

It appears that the Check Point is trying to use the public address instead of the non-NAT'ed address.  My point here is that the ASA logs are very important for troubleshooting issues.  Maybe you can look at the config and just find the solution.  Maybe you need the logs.  Either way, setting the appropriate log levels in troubleshooting is important.  It helped me determine that the ASA was fine and that the Check Point needed some work.

Monday, October 12, 2015

Brocade Switch: Brief Interface Status

Sometimes I just need to see if a port is up or not.  I don't need all the statistics.  So when I do a show interface eth 1/2/2 on the switch, I don't want to wait for the console to scroll down.  I just want a short answer, is the port up or not.  Here is the command to do just that.
ICX6450#sh int bri eth 1/2/2

Port    Link    State   Dupl Speed Trunk Tag Pvid Pri MAC            Name
1/2/2   Down    None    None None  None  Yes N/A  0   cc4e.2463.xxxx

Friday, October 9, 2015

Targus Backpack 2

A few years ago, I wrote a post about my Targus backpack vs a Swiss backpack I had. It's been 10 years now, and the zipper finally broke on that old Targus. Man, that was a great backpack.
Link to that post
So now I had to buy a new one.  I chose Targus again, and I'm glad I did.  Very comfortable and lightweight, I chose the Targus Legend. I'm looking forward to using this thing.  Below, I already have all my gear inside it.

Thursday, October 8, 2015

Colasoft Freeware Tools

Colasoft has some pretty neat freeware tools that might come in handy for you.  But, what is most interesting to me is that they have a free version of one of my favorite network analysis tools: Capsa.  I have not looked at this freeware yet, but from reading the details of it, I think this freeware will be worth looking at.  Check it out here.

Wednesday, October 7, 2015

Check Point Packet Captures In CLI

I think most of you know I'm a fan of packet captures when you need to prove the packet is making it.  I needed to do this again on a Check Point firewall and they do make it easy if you know the commands.  Below, I need to know if a packet is making it to with a destination port of 25.  Looks like it's making it.

CP1> fw monitor -e "host ( and port (25), accept;"
 monitor: getting filter (from command line)
 monitor: compiling
Compiled OK.
 monitor: loading
 monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth1:o[60]: -> (TCP) len=60 id=17090
TCP: 55906 -> 25 .S.... seq=fa7cc851 ack=00000000
[vs_0][fw_1] eth1:O[60]: -> (TCP) len=60 id=17090
TCP: 55906 -> 25 .S.... seq=fa7cc851 ack=00000000
[vs_0][fw_1] eth1:i[60]: -> (TCP) len=60 id=0
TCP: 25 -> 55906 .S..A. seq=8bc062bf ack=fa7cc852
[vs_0][fw_1] eth1:I[60]: -> (TCP) len=60 id=0
TCP: 25 -> 55906 .S..A. seq=8bc062bf ack=fa7cc852
[vs_0][fw_1] eth1:o[52]: -> (TCP) len=52 id=17091
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062c0
[vs_0][fw_1] eth1:O[52]: -> (TCP) len=52 id=17091
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062c0
[vs_0][fw_1] eth1:i[89]: -> (TCP) len=89 id=16339
TCP: 25 -> 55906 ...PA. seq=8bc062c0 ack=fa7cc852
[vs_0][fw_1] eth1:I[89]: -> (TCP) len=89 id=16339
TCP: 25 -> 55906 ...PA. seq=8bc062c0 ack=fa7cc852
[vs_0][fw_1] eth1:o[52]: -> (TCP) len=52 id=17092
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062e5
[vs_0][fw_1] eth1:O[52]: -> (TCP) len=52 id=17092
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062e5
[vs_0][fw_1] eth1:o[77]: -> (TCP) len=77 id=17093
TCP: 55906 -> 25 ...PA. seq=fa7cc852 ack=8bc062e5
 monitor: caught sig 2
 monitor: unloading
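Added example (not part of the original post): a Python check that reads fw monitor output like the capture above and reports how far the TCP handshake to a given port got, using the seq/ack values to tie the three packets together. The sample is the first packets of the capture as they appear on the page; the function names are assumptions for this illustration.

```python
import re
# First packets of the capture above; addresses are absent, as on the page.
CAPTURE = """\
[vs_0][fw_1] eth1:o[60]: -> (TCP) len=60 id=17090
TCP: 55906 -> 25 .S.... seq=fa7cc851 ack=00000000
[vs_0][fw_1] eth1:O[60]: -> (TCP) len=60 id=17090
TCP: 55906 -> 25 .S.... seq=fa7cc851 ack=00000000
[vs_0][fw_1] eth1:i[60]: -> (TCP) len=60 id=0
TCP: 25 -> 55906 .S..A. seq=8bc062bf ack=fa7cc852
[vs_0][fw_1] eth1:I[60]: -> (TCP) len=60 id=0
TCP: 25 -> 55906 .S..A. seq=8bc062bf ack=fa7cc852
[vs_0][fw_1] eth1:o[52]: -> (TCP) len=52 id=17091
TCP: 55906 -> 25 ....A. seq=fa7cc852 ack=8bc062c0
"""

HDR = re.compile(r"\] \S+:([iIoO])\[\d+\]:")   # inspection point after the interface name
TCP = re.compile(r"TCP: (\d+) -> (\d+) (\S+) seq=([0-9a-f]+) ack=([0-9a-f]+)")

def parse(text):
    """Pair each header line with the TCP line that follows it."""
    pkts, point = [], None
    for line in text.splitlines():
        h, t = HDR.search(line), TCP.match(line.strip())
        if h:
            point = h.group(1)
        elif t and point:
            sport, dport, flags, seq, ack = t.groups()
            pkts.append({"point": point, "sport": int(sport), "dport": int(dport),
                         "flags": set(flags) - {"."}, "seq": int(seq, 16), "ack": int(ack, 16)})
            point = None
    return pkts

def handshake_state(pkts, port):
    """How far the handshake to `port` got, checking seq/ack continuity."""
    nxt = lambda n: (n + 1) % 2**32  # sequence numbers wrap at 32 bits
    syn = next((p for p in pkts if p["dport"] == port and p["flags"] == {"S"}), None)
    if syn is None:
        return "no SYN seen"
    synack = next((p for p in pkts if p["sport"] == port
                   and p["flags"] == {"S", "A"} and p["ack"] == nxt(syn["seq"])), None)
    if synack is None:
        return "SYN seen, no matching SYN-ACK"
    done = any(p["dport"] == port and p["flags"] == {"A"}
               and p["ack"] == nxt(synack["seq"]) for p in pkts)
    return "established" if done else "SYN-ACK seen, no final ACK"

def points(pkts, port):
    """Inspection points (i, I, o, O) at which traffic to `port` was seen."""
    return sorted({p["point"] for p in pkts if p["dport"] == port})
```

Calling handshake_state(parse(CAPTURE), 25) on the sample returns "established"; a capture that stops after the SYN lines returns "SYN seen, no matching SYN-ACK", which points at the return path rather than the firewall.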

Monday, October 5, 2015

Cisco Voice: Image Boot For New Install

VMware is pretty cool, I must admit.  There have been times when I needed to do a fresh install to be able to accomplish some of the goals I needed to accomplish in the voice world.  Especially when I don't want to do an install from scratch and input all the info, when I could just do a backup and restore onto a new install.  Below is where you go to tell VMware where the image is to boot up to.

Sunday, October 4, 2015

Sunday Thought: Fame

I'm not a big fan of fame.  Have you seen people change with fame?   Only to get ripped apart later?  This song is about Britney Spears, but you can fill in the blank with many names.  Listen to this song, and I'm sure you will think of others besides Britney.  You know grace is extended to us all through Jesus.

Friday, October 2, 2015

Thursday, October 1, 2015

Cisco Switch: Fiber Transceiver Signal

This is a good command for determining if your signal in your fiber is good or not.  There are limits to everything, and fiber signal is no different.  There is a command "show interface gig 1/1 trans detail" that I use to help determine this.  Plug in what interface you want to monitor to check this.
Notice below, my actual reading is on the left.  -24.9dBm.  The range for warnings is between 0 and -23, so I'm obviously out of the range of the warning level.  But, I'm still above the low reading of -26.0dBm.