|
abigserve posted: They really disabled the password recovery? I mean I always knew it was doable but holy poo poo lmao

A bank had this enabled on a bunch of their poo poo and had 3 mergers in a year. No one remaining at the company knew the passwords; we just had to e-waste them and start from scratch.
|
# ? Feb 3, 2017 15:40 |
|
It's in production at a remote site. The good news is I was successful in generating a wordlist with combos of similar passwords the guy used. Now on to the N6004 and 4506-E.... No config backups either.
|
# ? Feb 3, 2017 22:11 |
|
mythicknight posted: Sanity check since I haven't dealt with switch stacks in a long while. I have a 2960 that I want to add another 2960 to to make a stack. The current switch has priority 10 and is already operating and the one being prepped is wiped/at default (1). Am I wrong in thinking I just rack the second switch, hook up the stack cables, and power the switch up?

That is fine as long as the code version is the same, or near enough in the same train that the auto copy will function and adjust the other one. You can run a "switch 2 provision ws-c2960...." command first if you want to set it up ahead of time in the configuration.

e: whoops I was way behind.

Bonus content: try this while the switches are powered up and see which one reloads first and if the stack ever reconverges. Enjoy possible blank configuration!

Partycat fucked around with this message at 22:58 on Feb 3, 2017
# ? Feb 3, 2017 22:56 |
|
psydude posted: Since November, and no.

I've still got to double check on Monday, but I'm pretty sure I took delivery on some 4321s last week that are the version affected by the faulty part.
|
# ? Feb 4, 2017 03:21 |
|
psydude posted: The most secure switch is one which isn't plugged-in

ftfy
|
# ? Feb 4, 2017 12:14 |
psydude posted: Happy Thursday! Your Cisco equipment may die after 18 months in production:

Ughhh this is literally every ASA I have. Also I just pulled a pair out of the box from CDW and put them in and... code:
|
|
# ? Feb 7, 2017 00:02 |
|
Apparently the part in question is the Intel Atom C2000 series, so there may be quite a few things that'll be toast if there's no way to do a firmware patch.
|
# ? Feb 7, 2017 00:13 |
|
Which of you nerds are at NANOG69?
|
# ? Feb 7, 2017 00:32 |
|
falz posted: Which of you nerds are at NANOG69?

me me me me me (not me)
|
# ? Feb 7, 2017 00:41 |
|
single-mode fiber posted: Apparently the part in question is the Intel Atom C2000 series, so there may be quite a few things that'll be toast if there's no way to do a firmware patch.

There isn't. Intel's put out errata says it'll be fixed in a silicon revision. It's anyone's guess as to how much stock of the old busted ones they have. This affects pretty much every Synology NAS too.
|
# ? Feb 7, 2017 00:53 |
|
This is going to be loving fantastic
|
# ? Feb 7, 2017 01:55 |
|
Nuclearmonkee posted: Ughhh this is literally every ASA I have.

Toss your serial numbers in the order spreadsheet, your particular hardware may not have the faulty part, even if the VID matches. I'm seeing that if it's got a manufacture date newer than November, it's not affected. Of course, I sent a big list in that spreadsheet off to Cisco just to verify that the routers I've got aren't affected.
|
# ? Feb 7, 2017 02:05 |
n0tqu1tesane posted: Toss your serial numbers in the order spreadsheet, your particular hardware may not have the faulty part, even if the VID matches.

It is. I RMA'd it and sent in my spreadsheet with 52 entries
|
|
# ? Feb 7, 2017 02:41 |
|
Kazinsal posted: This affects pretty much every Synology NAS too.

All of the official pfSense boxes too except the brand new ARM device and the big ones that are just rackmount servers with a sticker on 'em.
|
# ? Feb 7, 2017 03:56 |
|
Hi, does anyone have experience with a Catalyst 2960-CX? I am at a work site and we are having a double NAT problem. Everything works but the printer takes about 1-5 minutes of spooling before paper comes out.

Miguel Prado fucked around with this message at 13:39 on Feb 7, 2017
# ? Feb 7, 2017 13:26 |
|
Miguel Prado posted: Hi,

I have one at home but if you're having printing issues then it's more than likely a Layer 4/7 issue.
|
# ? Feb 7, 2017 14:45 |
|
cheese-cube posted: I have one at home but if you're having printing issues then it's more than likely a Layer 4/7 issue.

I know some networking but this is a tad too advanced for me. I talked to the ISP and he could not help me. When printing locally it is slightly quicker than when printing from our Citrix connection. If the file is 1,77mb it will first load 225 kbs, print one page, stop and then continue to 660 kbs, print page two, stop and so forth. Any idea what I can do to speed the process up? This might be the wrong thread, sorry.
|
# ? Feb 7, 2017 15:15 |
|
I suspect that you are running into a TCP windowing issue. Do a packet capture and compare your RTTs. (Higher RTT => lower goodput)
|
# ? Feb 7, 2017 15:34 |
|
Miguel Prado posted: If the file is 1,77mb it will first load 225 kbs, print one page, stop and then continue to 660 kbs, print page two, stop and so forth. Any idea what I can do to speed the process up? This might be the wrong thread, sorry.

That's definitely a Layer 7 issue/feature, depends entirely on the protocol you're using. It's obviously spooling one page at a time or something. This isn't the right thread but I'm not sure which one to recommend. Update drivers on the client and pray?
|
# ? Feb 7, 2017 15:33 |
|
tortilla_chip posted: I suspect that you are running into a TCP windowing issue. Do a packet capture and compare your RTTs. (Higher RTT => lower goodput)

Or possibly MTU mismatch? That'll trigger some really bizarre poo poo.
|
# ? Feb 7, 2017 16:08 |
|
falz posted: Which of you nerds are at NANOG69?

I'm here. Forgot to check the thread before tonight. I blame massive hangovers.
|
# ? Feb 8, 2017 05:40 |
|
Those massive hangovers have influenced me to bail early tonight.
|
# ? Feb 8, 2017 06:11 |
|
falz posted: Which of you nerds are at NANOG69?

ME

e; just kidding no I'm not I'm dumb sorry. I googled it and saw 6-8 and DC and thought it was the thing I was going to. What I'm going to is March 6-8 in DC

Methanar fucked around with this message at 06:29 on Feb 8, 2017
# ? Feb 8, 2017 06:25 |
|
How are you guys getting the correct PIDs for your ASAs for this spreadsheet? I know for a fact at least one of them was ordered as an ASA5516-FPWR-BUN, but when I do a "show inventory" it just says the PID is "ASA5516". Same with all my other ones, they all just say "ASA5508" but they must be at least ASA5508-K9 because they all do AES. Please don't make me go back to the sales team and find all the orders for ASAs over the last 18 months
|
# ? Feb 8, 2017 11:04 |
Ahdinko posted: How are you guys getting the correct PIDs for your ASAs for this spreadsheet? I know for a fact at least one of them was ordered as an ASA5516-FPWR-BUN, but when I do a "show inventory" it just says the PID is "ASA5516". Same with all my other ones, they all just say "ASA5508" but they must be at least ASA5508-K9 because they all do AES.

I just matched the hardware and the serial in show inventory, cried a little at the size of the list, and hit submit. Aren't all of the different PIDs just mostly license bundles with the base hardware being the same? Unless you are dealing with like the babby ones which can have wireless or whatever inside.

Depending on how you are doing licensing it may be a goddamn nightmare for you to migrate them individually from all of the appliances with Cisco though. Worst part for me will be getting firepower back in order afterwards. It takes fuckin forever to go from the 5.4 whatever base they come with to 6.2 and I will need to do it 52 times.
|
|
# ? Feb 8, 2017 18:13 |
|
I was going to be at NANOG but then I had Jury Duty. Be sure to post about any good talks from there.
|
# ? Feb 8, 2017 18:16 |
|
https://www.youtube.com/watch?v=99jHvkVM0Dk
https://www.youtube.com/watch?v=5fVBB84OiAo
https://www.youtube.com/watch?v=JHEE6QU3J6M

Of the ones uploaded these are the best ones. I'm mostly here for operational content so this is biased towards that. There was a ROADM talk this morning that was pretty good as well. There has been a bit too much academic/fluff at this one compared to the one I went to last year. If you have an MPLS network in production the MPLS one is likely going to be 100% review. It's a good listen for people who are looking to learn about it.
|
# ? Feb 8, 2017 19:01 |
|
Nuclearmonkee posted: I just matched the hardware and the serial in show inventory, cried a little at the size of the list, and hit submit. Aren't all of the different PIDs just mostly license bundles with the base hardware being the same? Unless you are dealing with like the babby ones which can have wireless or whatever inside.

Yeah I think they pretty much are just different licensing bundles. Just figuring out the easiest way to find out what each one has rather than going into every single one and doing a sh act and then logging into each firepower and checking the licence out there. All those firepower licences, sec plus licences, additional anyconnect licences... ughhhhh.

I've found the easiest way to go from the old rear end version they ship with to the latest version is to replace the boot image and install the FPWR software bit from a fresh rather than getting it setup and doing the upgrades through the firepower GUI. Still takes a good hour per box though. At least if you can just throw them all into a build network together with a TFTP and FTP server, you can smash the lot out in one go.

Ahdinko fucked around with this message at 19:04 on Feb 8, 2017
# ? Feb 8, 2017 19:02 |
Ahdinko posted: Yeah I think they pretty much are just different licensing bundles. Just figuring out the easiest way to find out what each one has rather than going into every single one and doing a sh act and then logging into each firepower and checking the licence out there. All those firepower licences, sec plus licences, additional anyconnect licences... ughhhhh.

Yeah it takes about an hour just to get the drat thing ready to begin and then I have to put them all back in the management center and put them in their groups and associate the correct policies and
|
|
# ? Feb 8, 2017 20:56 |
|
You should be able to request 6.0 as the base image on your RMA boxes. BTW, 5500-Xs are going end of sale and are going to be replaced by a new line of small firewalls, the 2100s. ASA operating system is going away completely, and all VPN features (including AnyConnect) should be migrated to FXOS by Q3.
|
# ? Feb 9, 2017 06:02 |
|
psydude posted: You should be able to request 6.0 as the base image on your RMA boxes.

Considering how much time I spend on ASAs, I'm very fine with this. Death to the ASA OS.
|
# ? Feb 9, 2017 06:07 |
|
I think you mean pixos. Is the image still named that?
|
# ? Feb 9, 2017 15:11 |
|
falz posted: I think you mean pixos. Is the image still named that?

Not last time I checked. code:
|
# ? Feb 9, 2017 16:52 |
I would like to run the unified image but they still don't have freaking anyconnect support on there yet. Supposedly coming SOON.
|
|
# ? Feb 9, 2017 18:51 |
|
Nuclearmonkee posted: I would like to run the unified image but they still don't have freaking anyconnect support on there yet. Supposedly coming SOON.

Q3-4, supposedly.
|
# ? Feb 9, 2017 19:06 |
|
This is only tangentially Cisco related. We got a new model of laptop in and it won't PXE boot. Other devices, both UEFI and BIOS, boot fine. The PXE server is located across a layer 3 boundary. When we wireshark the new laptop, it pulls a DHCP address and gets the correct PXE information. Then it ARPs for the 10.5.12.5 PXE address from its 10.5.56.X/24 address rather than sending traffic to its gateway. Is this just a broken PXE client? Again, other models work fine. I turned on ip proxy-arp for the isolated imaging network and it fixed it instantly, so my real Cisco question: how bad of a security risk is this? My impression is "not much" when I'm doing it on one vlan interface and there are <5 ports on my entire network in that vlan.
|
# ? Feb 9, 2017 23:27 |
|
You probably just want to configure DHCP relay/ip helper instead.
|
# ? Feb 9, 2017 23:43 |
|
Nuclearmonkee posted: I would like to run the unified image but they still don't have freaking anyconnect support on there yet. Supposedly coming SOON.

Ahh yes the "unified" image, which is actually:
- ASA OS handling the routing and interface configuration
- Sourcefire OS handling everything else
- Glue code in the middle

The firepower stuff will be good eventually but right now it's pretty rough.
|
# ? Feb 10, 2017 01:12 |
|
tortilla_chip posted: You probably just want to configure DHCP relay/ip helper instead.

Sounds like DHCP is working (presumably via helper), but the client isn't honoring the gateway address in DHCP. In which case proxy-arp is probably the best solution.
|
# ? Feb 10, 2017 02:52 |
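
An added example, not part of any post above: one way to scope the proxy-ARP question is to list which hosts on the imaging VLAN actually ARP for off-subnet addresses, since those are the only requests a proxy-ARP interface answers. The capture lines, the host 10.5.56.23 and the function name are constructed for illustration; the /24 and the PXE address are the ones given in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines, not taken from the poster's capture.
SAMPLE_CAPTURE = """\
23:20:01.100000 ARP, Request who-has 10.5.56.1 tell 10.5.56.23, length 46
23:20:01.200000 ARP, Request who-has 10.5.12.5 tell 10.5.56.23, length 46
23:20:02.200000 ARP, Request who-has 10.5.12.5 tell 10.5.56.23, length 46
23:20:03.000000 ARP, Request who-has 10.5.56.40 tell 10.5.56.41, length 46
23:20:04.000000 ARP, Reply 10.5.56.1 is-at 00:00:5e:00:53:01, length 46
23:20:05.000000 ARP, Request who-has 10.5.56.23 tell 0.0.0.0, length 46
"""

ARP_REQUEST = re.compile(
    r"ARP, Request who-has (\d+\.\d+\.\d+\.\d+) .*?tell (\d+\.\d+\.\d+\.\d+)"
)


def off_subnet_arp(capture_text, local_net):
    """Map each local sender to the off-subnet targets it ARPed for, with counts."""
    net = ipaddress.ip_network(local_net)
    hits = defaultdict(lambda: defaultdict(int))
    for line in capture_text.splitlines():
        match = ARP_REQUEST.search(line)
        if not match:
            continue  # replies and non-ARP lines
        target, sender = (ipaddress.ip_address(g) for g in match.groups())
        if sender not in net:
            continue  # ARP probes from 0.0.0.0 and senders on other segments
        if target not in net:
            # A correctly behaving host would have ARPed for its gateway instead.
            hits[str(sender)][str(target)] += 1
    return {sender: dict(targets) for sender, targets in hits.items()}


if __name__ == "__main__":
    for sender, targets in off_subnet_arp(SAMPLE_CAPTURE, "10.5.56.0/24").items():
        print(sender, "ARPs directly for off-subnet", targets)
```

An empty result over a capture from the VLAN means nothing there depends on proxy ARP; any sender listed other than the known PXE client is worth a look before leaving it enabled.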
|
ignore me.
|
# ? Feb 10, 2017 03:04 |