Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT

falz posted:

Enjoy upgrading ram and flash on most of those so you can upgrade.

Amazingly, only about 10% of the total set needs hardware upgrades, looks like. That's still a huge mess of ASAs, but not as bad as I'd expected.

Other fun bugs so far:

-Customer had a '!' in the middle of their PSK for a VPN. When upgrading from 9.1(6) to 9.1(7), the '!' just vanished. The key on both sides of it was there, the rest of the config was there, just no '!'. PSK mismatch, tunnel down, mass hysteria.

-Another customer had a NAT statement translating both local and remote subnets for a VPN that covered a private /16 that overlapped all of their segments. This broke the hell out of their ARP cache (as the ASA apparently tried to route everything through this NAT, and discarded ARP requests/replies for that /16 as they came in from the actual servers).


And not a bug, but a possible ITW version of the exploit; we've found a handful of ASAs that suddenly in the last 24 hours picked up local user accounts named 'Administrator'. Our TACACS accounting didn't pick it up when added. Check your local user config lines; the user is added without privileges (plus if you're only using LOCAL as a fallback they still have to break your primary AAA), but that still gets them into your Client VPNs if they manage to read your PSKs out of the running-config.
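An added example of the check described in the post above, not code from the post or from Cisco: a Python script that pulls every `username` line out of an ASA running-config, compares the names with an approved baseline, and lists the `aaa authentication` lines whose method list falls back to LOCAL. The config excerpt, the hostname and the approved-user set are constructed for the example.

```python
import re

# Constructed excerpt of an ASA running-config (not taken from a real device);
# the 'Administrator' line stands in for the unexpected account described above.
SAMPLE_CONFIG = """\
hostname edge-asa-1
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication enable console TACACS+
username netops password ***** encrypted privilege 15
username Administrator password ***** encrypted
tunnel-group REMOTE-VPN type remote-access
"""

# Accounts that change control says should exist on this device (constructed).
APPROVED_USERS = {"netops"}

USERNAME_RE = re.compile(r"^username\s+(\S+)(.*)$")
PRIVILEGE_RE = re.compile(r"\bprivilege\s+(\d+)\b")


def parse_usernames(config_text):
    """Return {username: privilege} for every 'username' line.

    privilege is None when the line carries no explicit 'privilege N'
    (the ASA then applies its default level).
    """
    users = {}
    for raw in config_text.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        priv = PRIVILEGE_RE.search(rest)
        users[name] = int(priv.group(1)) if priv else None
    return users


def local_fallback_lines(config_text):
    """Return the 'aaa authentication' lines whose method list includes LOCAL.

    These are the login paths an unexpected local account could use if the
    primary AAA server is unreachable.
    """
    return [
        line.strip()
        for line in config_text.splitlines()
        if line.strip().startswith("aaa authentication")
        and "LOCAL" in line.split()
    ]


def find_unexpected_users(config_text, approved):
    """Usernames present in the config but absent from the approved set."""
    return sorted(set(parse_usernames(config_text)) - set(approved))


def audit(config_text, approved):
    """Summarise the findings for one device as a dict."""
    return {
        "unexpected_users": find_unexpected_users(config_text, approved),
        "local_fallback": local_fallback_lines(config_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, APPROVED_USERS).items():
        print(f"{key}: {value}")
```

Feed it the output of `show running-config` collected per device and diff the result against your config archive; an account that appears without a matching TACACS accounting record is the signal the post describes.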


some kinda jackal
Feb 25, 2003

 
 
I think this CVE finally pushed our IT folks over the edge as I got a request in my inbox to do a formal security review of Palo Alto's offering.

Their app-based firewalling is pretty interesting -- maybe I'm too old fashioned but I have a hard time with that paradigm.

Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT

Anyone who has been lamenting converting to post 8.4 code (don't judge, this is IT, I saw an ASA today in 7 code), Cisco has released an interim 8.2.5 patch that will fix this CVE. It's 8.2.5(59) or something like that. They released it sometime last night with no fanfare or warning. Patch now and convert later. We've seen more devices get hit with exploits today.

Release Notes.

psydude
Apr 1, 2008

Imagine being in the rear end in a top hat who has to work on the maintenance release for 8.2.

Martytoof posted:

I think this CVE finally pushed our IT folks over the edge as I got a request in my inbox to do a formal security review of Palo Alto's offering.

Their app-based firewalling is pretty interesting -- maybe I'm too old fashioned but I have a hard time with that paradigm.

Palo Alto is great, but their layer 7 throughput is slightly lacking. Still, they're better than their competitors in the same market (lol Fortinet).

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

psydude posted:

Palo Alto is great, but their layer 7 throughput is slightly lacking. Still, they're better than their competitors in the same market (lol Fortinet).
Yeah but the price.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Jedi425 posted:

Anyone who has been lamenting converting to post 8.4 code (don't judge, this is IT, I saw an ASA today in 7 code), Cisco has released an interim 8.2.5 patch that will fix this CVE. It's 8.2.5(59) or something like that. They released it sometime last night with no fanfare or warning. Patch now and convert later. We've seen more devices get hit with exploits today.

Release Notes.

Looks like they have 4 released fixed versions:
9.4(2)6
9.1(7)
8.4(7)30
8.2(5)59
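As an added example (not from the post or from Cisco), here is a small Python checker that parses ASA version strings in both the `9.1(7)4` and `9.1(7.4)` notations, keys the four fixed releases listed above by train, and reports whether a running version is at or past the fix for its train. Trains not in that list come back as `unknown`; the advisory, not this table, is authoritative. The `show version` sample line is constructed.

```python
import re

# Accepts "9.1(7)", "9.1(7)4" and "9.1(7.4)"; the last two denote the same interim.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?$")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) as ints; interim is 0 if absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim_dot, interim_suffix = m.groups()
    if interim_dot and interim_suffix:
        raise ValueError(f"interim given twice in {text!r}")
    interim = interim_dot or interim_suffix or "0"
    return (int(major), int(minor), int(maint), int(interim))


# Fixed releases exactly as listed in the post above, keyed by train (major, minor).
FIXED_RELEASES = {
    parse_asa_version(v)[:2]: parse_asa_version(v)
    for v in ("9.4(2)6", "9.1(7)", "8.4(7)30", "8.2(5)59")
}


def fix_status(running):
    """'fixed', 'needs-upgrade', or 'unknown' when the train is not in the table."""
    v = parse_asa_version(running)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison orders maintenance before interim within the same train.
    return "fixed" if v >= fixed else "needs-upgrade"


def version_from_show_version(output):
    """Pull the version string out of 'show version' text."""
    m = re.search(r"Software Version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


# Constructed sample of the first line 'show version' prints on an ASA.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.1(6)\n"

if __name__ == "__main__":
    for v in ("9.1(6)", "9.1(7)", "9.1(7.4)", "8.2(5)58", "8.2(5)59", "9.3(3)"):
        print(f"{v:>10}  {fix_status(v)}")
    print("from show version:",
          fix_status(version_from_show_version(SAMPLE_SHOW_VERSION)))
```

Run it over the `show version` output of every ASA in inventory and sort by the result; the `unknown` bucket is the one that needs a human to read the advisory.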

sanchez
Feb 26, 2003

Jedi425 posted:

And not a bug, but a possible ITW version of the exploit; we've found a handful of ASAs that suddenly in the last 24 hours picked up local user accounts named 'Administrator'.

We had a couple mysteriously reboot on their own before being patched on Thursday, it's definitely out there.

DigitalMocking
Jun 8, 2010

Wine is constant proof that God loves us and loves to see us happy.
Benjamin Franklin

psydude posted:

Imagine being in the rear end in a top hat who has to work on the maintenance release for 8.2.


Palo Alto is great, but their layer 7 throughput is slightly lacking. Still, they're better than their competitors in the same market (lol Fortinet).

Why "(lol Fortinet)"?

some kinda jackal
Feb 25, 2003

 
 

adorai posted:

Yeah but the price.

Super expensive but it's not coming out of MY budget so I'm perfectly happy to run it through its paces :haw:


DigitalMocking posted:

Why "(lol Fortinet)"?

I haven't had much fun with Fortinet's application detection. Honestly I prefer to run my Fortinets as bog standard firewalls rather than NGFWs.

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
I considered asking this in the home networking thread but thought I'd get more info here.

I currently have a Netgear 6300v2 wireless AC router. I am looking at putting in a Cisco 2951 at my home network edge (directly connected to the modem, eventually will put an ASA in front of it) and using the Netgear as a wireless access point through a port in a gigabit switch.

What I am not sure of is where will my speeds be capped (beyond the Time Warner modem): at the LAN port of the Netgear, at the wireless HWIC of the router (supports up to 802.11n), or elsewhere?

Do I need the wireless HWIC card (NME-AIR-WLC8-K9) to use the Netgear as an access point? I don't have much experience with Cisco enterprise wireless.

I'm trying to figure out if this is even worthwhile if I have a 6down/1up internet connection in the first place, or if I should just stick with the Netgear and get an ASA.

Contingency
Jun 2, 2007

MURDERER
All those gung-ho "we patch critical security vulnerabilities" people who installed ASA 9.1(7) can now install 9.1(7.4) to avoid a bug where ASDM/SSL VPNs shut down completely. 9.1(7) received the vote of no confidence and was pulled from Cisco's site.

some kinda jackal
Feb 25, 2003

 
 
There were a lot of rumblings about an SNMP bug in one of the CVE-fix updates that had IOS reloading again and again -- any news on whether that's been fixed?

Contingency
Jun 2, 2007

MURDERER

Martytoof posted:

There were a lot of rumblings about an SNMP bug in one of the CVE-fix updates that had IOS reloading again and again -- any news on whether that's been fixed?

Fixed in the interim release, and also the newest 9.1(6) interim. 9.1(6) interim didn't have the SSL fix, possibly because it wasn't broken in 9.1(6). The SNMP bug could be mitigated--as long as you didn't poll a specific OID, it didn't trigger.

Antillie
Mar 14, 2015

Bigass Moth posted:

I considered asking this in the home networking thread but thought I'd get more info here.

I currently have a Netgear 6300v2 wireless AC router. I am looking at putting in a Cisco 2951 at my home network edge (directly connected to the modem, eventually will put an ASA in front of it) and using the Netgear as a wireless access point through a port in a gigabit switch.

What I am not sure of is where will my speeds be capped (beyond the Time Warner modem): at the LAN port of the Netgear, at the wireless HWIC of the router (supports up to 802.11n), or elsewhere?

Do I need the wireless HWIC card (NME-AIR-WLC8-K9) to use the Netgear as an access point? I don't have much experience with Cisco enterprise wireless.

I'm trying to figure out if this is even worthwhile if I have a 6down/1up internet connection in the first place, or if I should just stick with the Netgear and get an ASA.

Assuming you are talking about a 2951 G2 this should answer your question: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Even the ancient 1720 could handle a 6Mbps WAN link so I think you are going to be fine. I am wondering why you want a 2951 on the edge though for a home connection. The only reasons I can think of are GRE tunneling or IPv6 prefix delegation. Personally I am a big fan of the ASA. You can pick up an old 5505 or 5510 for cheap if you don't mind an old non-PCI-compliant (but still reasonably secure) TLS stack, or get a modern 5506 if you have a bit more to spend and want a better/modern TLS implementation for AnyConnect VPN.

Antillie fucked around with this message at 18:08 on Feb 23, 2016

Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
I want gigabit routing within my house but the netgear can already basically do it, however it only has 10/100 LAN ports so there's a bottleneck into the switch. The 2851 has two gig ports and I can get one for $50 or so on eBay.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Contingency posted:

All those gung-ho "we patch critical security vulnerabilities" people who installed ASA 9.1(7) can now install 9.1(7.4) to avoid a bug where ASDM/SSL VPNs shut down completely. 9.1(7) received the vote of no confidence and was pulled from Cisco's site.

Have a DDTS for this? I had to pull 9.1(7) from some hosts due to the proxy ARP regression but we haven't hit this one yet.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
RIP XO.

http://www.hngn.com/articles/181499/20160223/verizon-xo-communications-deal-purchase-fiber-optic-network-1-8.htm

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Contingency posted:

All those gung-ho "we patch critical security vulnerabilities" people who installed ASA 9.1(7) can now install 9.1(7.4) to avoid a bug where ASDM/SSL VPNs shut down completely. 9.1(7) received the vote of no confidence and was pulled from Cisco's site.

I've been running 9.1(7) for a week now on three concentrators (3k~ unique logins) and have not had this issue, but my boxes are pretty simple (no NAT, no routing protocols, etc.). If you have a link to the bug report I'd like to read it.

ragzilla
Sep 9, 2005
don't ask me, i only work here


abigserve posted:

I've been running 9.1(7) for a week now on three concentrators (3k~ unique logins) and have not had this issue, but my boxes are pretty simple (no NAT, no routing protocols, etc.). If you have a link to the bug report I'd like to read it.

Looking at resolved for 9.1(7.2-4) I see:
CSCux45179
CSCus70693
CSCuy28710

As being the 3 big ones that'll bite people. There's also some nice Sev1s if you still use the IPsec RA client (bypass XAUTH using crafted ISAKMP packet).

FasterThanLight
Mar 26, 2003

Bigass Moth posted:

What I am not sure of is where will my speeds be capped (beyond the Time Warner modem): at the LAN port of the Netgear, at the wireless HWIC of the router (supports up to 802.11n), or elsewhere?

Do I need the wireless HWIC card (NME-AIR-WLC8-K9) to use the Netgear as an access point? I don't have much experience with Cisco enterprise wireless.

The NME is a controller for Cisco access points, so it's not really useful for you. Unless you want to put a bunch of cisco access points in your house, which, while pricey, do work really well.

Contingency
Jun 2, 2007

MURDERER

abigserve posted:

I've been running 9.1(7) for a week now on three concentrators (3k~ unique logins) and have not had this issue, but my boxes are pretty simple (no NAT, no routing protocols, etc.). If you have a link to the bug report I'd like to read it.

SNMP: https://tools.cisco.com/bugsearch/bug/CSCuy27428
SSL: https://tools.cisco.com/bugsearch/bug/CSCux45179

Charliegrs
Aug 10, 2009
I have a second-hand 2900XL switch. For some reason I cannot save to the startup config. In privileged exec mode, I would normally type the command copy running-config startup-config. However I can't even autofill the startup-config part. It gives me an invalid command message. Also I cannot change my config-register using the config-register command in global config mode. That command also gives me an invalid command message (and doesn't even show up in the ? help menu). Does anyone know what's going on?

chestnut santabag
Jul 3, 2006

Give "write memory" a try instead. Cisco catalyst switches don't use configuration registers, the routers do. If you want to do a password recovery on a switch then you need to hold in the mode button on the front while you power up the switch or just hold it in when it's booted up which will cause it to reset and in both ways the configuration file gets renamed and so doesn't get loaded into the running configuration.

Thanks Ants
May 21, 2004

#essereFerrari


Which led to this hilarity

http://www.cisco.com/c/en/us/support/docs/field-notices/636/fn63697.html

Partycat
Oct 25, 2004

The express setup can be disabled. Press the mode button when it comes up in console about the flash geometry. About 8 seconds after power on, to enter rommon. Then you can flash_init, etc and manipulate files.

Pile Of Garbage
May 28, 2007




Hah I was reminded of that advisory when I was off-shore on a deep-sea pipe-lay vessel about two weeks ago. Both switches in the main stack had cables in Gi1/0/1 and the boots were pressing the button. I'm amazed that it never caused an issue but at the same time I didn't give a gently caress as the vessel finishes its campaign in three weeks...

Edit: hang on I've just re-read that advisory, is the issue not present on 3750 switches? Because that would explain why we never had any issues on the vessel in question. Also I'm probably an idiot.

Pile Of Garbage fucked around with this message at 14:26 on Mar 1, 2016

Partycat
Oct 25, 2004

"no setup express" saves you on that one. AFAIK with the button just held in the switch will eventually boot up.

I poo poo you not, we had a janitor cart in one room that aligned itself exactly with that button and reset a switch and looped a building up for us once when we were deploying 3750s. This was on the "that'll never happen" list up until that point.

ate shit on live tv
Feb 15, 2004

by Azathoth
Is there any (free) place I can get historical peering information for a specific AS?

Starting Mar 1st, we just had a significant amount of traffic sourced from AS7922 (Comcast) hit our anycast blocks in Amsterdam, whereas before it was hitting our New York sourced block. This may cause latency issues for our platform. I suspect Comcast just turned up some new peering, but I'd like to be sure and see who they peered with recently.

Anyone know?

Slickdrac
Oct 5, 2007

Not allowed to have nice things

Powercrazy posted:

Is there any (free) place I can get historical peering information for a specific AS?

Starting Mar 1st, we just had a significant amount of traffic sourced from AS7922 (Comcast) hit our anycast blocks in Amsterdam, whereas before it was hitting our New York sourced block. This may cause latency issues for our platform. I suspect Comcast just turned up some new peering, but I'd like to be sure and see who they peered with recently.

Anyone know?

At least it's only latency issues. Our public net either got dumped or rerouted so badly we lost all internet for a good few minutes. Long enough to generate about 40 tickets. Of course, ISP just threw their hands in the air and exclaimed "Routing!".

ate shit on live tv
Feb 15, 2004

by Azathoth
I actually reached out to the Comcast tech contact and he got back to me pretty quickly. Looks like it wasn't anything Comcast did, so now I'm looking at Zayo.

tortilla_chip
Jun 13, 2007

k-partite
http://bgplay.routeviews.org

ate shit on live tv
Feb 15, 2004

by Azathoth

I can't get that to work. After reinstalling Java, whitelisting everything, low-security, etc., I finally got the option to put in the prefix I'm looking for, but I never get a second popup which is supposed to show the visualization.

Computer Serf
May 14, 2005
Buglord

H.R. Paperstacks posted:

Anyone have suggestions on handling change control approval / peer review?

I'm thinking of building something that centers around Git where admins will do a pull request against the device config that is stored/updated via RANCiD. CCB/Peer-Review can approve/modify/deny the change and merge the PR. Admin would then be free to push out the changes or the setup could be extended with something like Jenkins to automate the changes at set times.

Maybe check out Oxidized or Sweet?

madsushi
Apr 19, 2009

Baller.
#essereFerrari
More patching, thanks Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n3k

Nexus 3K

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

You can mitigate by disabling telnet.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

https://stat.ripe.net/special/bgplay

ate shit on live tv
Feb 15, 2004

by Azathoth
Thanks. That's exactly what I'm looking for.

madsushi
Apr 19, 2009

Baller.
#essereFerrari

adorai posted:

You can mitigate by disabling telnet.

Unless you're running a 3500 on 6.0(2)A6(1). I'll give you one guess as to which 3K model/version I'm running.

Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k
This is great, we ordered 100Gb EPAs for our ASR1ks and the hardware arrives before Cisco can release the engineering code for the ESP200s to support the EPAs... never mind that they knew we were going to order these since last year.

Sepist fucked around with this message at 22:49 on Mar 3, 2016


tortilla_chip
Jun 13, 2007

k-partite
This is what you get for running CGNAT :)
