Sepist
Dec 26, 2005

FUCK BITCHES, ROUTE PACKETS

Gravy Boat 2k

abigserve posted:

They really disabled the password recovery? I mean I always knew it was doable but holy poo poo lmao

A bank had this enabled on a bunch of their poo poo and had 3 mergers in a year. No one remaining at the company knew the passwords, so we just had to e-waste them and start from scratch.

the spyder
Feb 18, 2011
It's in production at a remote site. The good news is I was successful in generating a wordlist with combos of similar passwords the guy used. Now on to the N6004 and 4506-E.... No config backups either.

Partycat
Oct 25, 2004

mythicknight posted:

Sanity check since I haven't dealt with switch stacks in a long while. I have a 2960 that I want to add another 2960 to make a stack. The current switch has priority 10 and is already operating and the one being prepped is wiped/at default (1). Am I wrong in thinking I just rack the second switch, hook up the stack cables, and power the switch up?

That is fine as long as the code version is the same, or near enough in the same train that the auto copy will function and adjust the other one.

You can run a "switch 2 provision ws-c2960...." command first if you want to set it up ahead of time in the configuration.

e:

whoops I was way behind.

Bonus content: try this while the switches are powered up and see which one reloads first and if the stack ever reconverges. Enjoy possible blank configuration!

Partycat fucked around with this message at 22:58 on Feb 3, 2017

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer

psydude posted:

Since November, and no.

I've still got to double check on Monday, but I'm pretty sure I took delivery on some 4321s last week that are the version affected by the faulty part.

Pile Of Garbage
May 28, 2007

psydude posted:

The most secure switch is one which isn't plugged-in

ftfy

Nuclearmonkee
Jun 10, 2009


psydude posted:

Happy Thursday! Your Cisco equipment may die after 18 months in production:

http://www.cisco.com/c/en/us/support/web/clock-signal.html#~overview,

Ughhh this is literally every ASA I have.

Also I just pulled a pair out of the box from CDW and put them in and...

code:
rew-fw1# sh inventory
Name: "Chassis", DESCR: "ASA 5508-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5508           , VID: V02

so I assume folks at CDW and wherever don't give a single gently caress and are just selling their existing inventory anyways.

single-mode fiber
Dec 30, 2012

Apparently the part in question is the Intel Atom C2000 series, so there may be quite a few things that'll be toast if there's no way to do a firmware patch.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Which of you nerds are at NANOG69?

CrazyLittle
Sep 11, 2001

Clapping Larry

falz posted:

Which of you nerds are at NANOG69?

me me me me me (not me)

Kazinsal
Dec 13, 2011



single-mode fiber posted:

Apparently the part in question is the Intel Atom C2000 series, so there may be quite a few things that'll be toast if there's no way to do a firmware patch.

There isn't. The errata Intel put out says it'll be fixed in a silicon revision. It's anyone's guess as to how much stock of the old busted ones they have.

This affects pretty much every Synology NAS too. :stare:

Thanks Ants
May 21, 2004

#essereFerrari


This is going to be loving fantastic

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer

Nuclearmonkee posted:

Ughhh this is literally every ASA I have.

Also I just pulled a pair out of the box from CDW and put them in and...

code:
rew-fw1# sh inventory
Name: "Chassis", DESCR: "ASA 5508-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5508           , VID: V02

so I assume folks at CDW and wherever don't give a single gently caress and are just selling their existing inventory anyways.

Toss your serial numbers in the order spreadsheet, your particular hardware may not have the faulty part, even if the VID matches.

I'm seeing that if it's got a manufacture date newer than November, it's not affected.

Of course, I sent a big list in that spreadsheet off to Cisco just to verify that the routers I've got aren't affected.

Nuclearmonkee
Jun 10, 2009


n0tqu1tesane posted:

Toss your serial numbers in the order spreadsheet, your particular hardware may not have the faulty part, even if the VID matches.

I'm seeing that if it's got a manufacture date newer than November, it's not affected.

Of course, I sent a big list in that spreadsheet off to Cisco just to verify that the routers I've got aren't affected.

It is. I RMA'd it and sent in my spreadsheet with 52 entries :suicide:

wolrah
May 8, 2006
what?

Kazinsal posted:

This affects pretty much every Synology NAS too. :stare:

All of the official pfSense boxes too except the brand new ARM device and the big ones that are just rackmount servers with a sticker on 'em.

Miguel Prado
Nov 5, 2008

Don't worry, like they say " It's all good! "

Hi,

Does anyone have experience with a catalyst 2960-CX? I am at a work site and we are having a double NAT problem. Everything works but the printer takes about 1-5 minutes of spooling before paper comes out.

Miguel Prado fucked around with this message at 13:39 on Feb 7, 2017

Pile Of Garbage
May 28, 2007

Miguel Prado posted:

Hi,

Does anyone have experience with a catalyst 2960-CX? I am at a work site and we are having a double NAT problem. Everything works but the printer takes about 1-5 minutes of spooling before paper comes out.

I have one at home but if you're having printing issues then it's more than likely a Layer 4/7 issue.

Miguel Prado
Nov 5, 2008

Don't worry, like they say " It's all good! "

cheese-cube posted:

I have one at home but if you're having printing issues then it's more than likely a Layer 4/7 issue.

I know some networking but this is a tad too advanced for me. I talked to the ISP and he could not help me. When printing locally it is slightly quicker than when printing from our Citrix connection.

If the file is 1,77mb it will first load 225 kbs, print one page, stop and then continue to 660 kbs, print page two, stop and so forth. Any idea what I can do to speed the process up? This might be the wrong thread, sorry.

tortilla_chip
Jun 13, 2007

k-partite
I suspect that you are running into a TCP windowing issue. Do a packet capture and compare your RTTs. (Higher RTT => lower goodput)

Pile Of Garbage
May 28, 2007

Miguel Prado posted:

If the file is 1,77mb it will first load 225 kbs, print one page, stop and then continue to 660 kbs, print page two, stop and so forth. Any idea what I can do to speed the process up? This might be the wrong thread, sorry.

That's definitely a Layer 7 issue/feature, depends entirely on the protocol you're using. It's obviously spooling one page at a time or something. This isn't the right thread but I'm not sure which one to recommend. Update drivers on the client and pray?

Docjowles
Apr 9, 2009

tortilla_chip posted:

I suspect that you are running into a TCP windowing issue. Do a packet capture and compare your RTTs. (Higher RTT => lower goodput)

Or possibly MTU mismatch? That'll trigger some really bizarre poo poo.
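To make "compare your RTTs" and "higher RTT => lower goodput" concrete, here is an added Python example (not code from the thread or from any poster). It takes a constructed list of TCP segments in the shape you would pull out of a capture, derives RTT samples by pairing data segments with the first ACK that covers them (discarding retransmitted segments, whose ACK is ambiguous), and then computes the one-window-per-RTT ceiling on a single flow so you can see whether the receive window, rather than the link, is what is capping the print job. The segment fields, host labels and the 65535-byte window are assumptions for the example.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    """One TCP segment as read out of a capture (constructed, not a real pcap)."""
    t: float      # capture timestamp in seconds
    src: str      # source host label
    seq: int      # first sequence number of the payload
    ack: int      # cumulative acknowledgement number
    length: int   # TCP payload bytes (0 for pure ACKs)


def rtt_samples(segments: List[Segment], sender: str) -> List[float]:
    """Time from each data segment leaving `sender` to the first ACK covering it.

    An end-sequence seen twice is a retransmission; its sample is discarded
    (Karn's rule) because we cannot tell which transmission the ACK answers.
    """
    outstanding: Dict[int, float] = {}   # end sequence -> send time
    ever_sent = set()
    samples: List[float] = []
    for s in sorted(segments, key=lambda x: x.t):
        if s.src == sender and s.length > 0:
            end = s.seq + s.length
            if end in ever_sent:
                outstanding.pop(end, None)   # retransmission: drop the sample
                continue
            ever_sent.add(end)
            outstanding[end] = s.t
        elif s.src != sender:
            # A cumulative ACK covers every outstanding segment up to s.ack.
            for end in sorted(outstanding):
                if end <= s.ack:
                    samples.append(s.t - outstanding.pop(end))
    return samples


def goodput_bound_bytes_per_s(window_bytes: int, rtt_s: float) -> float:
    """Upper bound for one flow: at most one receive window per round trip."""
    return window_bytes / rtt_s


def window_limited(window_bytes: int, rtt_s: float, link_bytes_per_s: float) -> bool:
    """True when window/RTT is below the link rate, i.e. latency, not bandwidth, caps the flow."""
    return goodput_bound_bytes_per_s(window_bytes, rtt_s) < link_bytes_per_s


# Constructed capture: client "C" sends 1460-byte segments, server "S" ACKs.
# The third segment is lost and retransmitted, so it yields no RTT sample.
SAMPLE = [
    Segment(0.000, "C", seq=1,    ack=1,    length=1460),
    Segment(0.001, "C", seq=1461, ack=1,    length=1460),
    Segment(0.040, "S", seq=1,    ack=1461, length=0),
    Segment(0.041, "S", seq=1,    ack=2921, length=0),
    Segment(0.100, "C", seq=2921, ack=1,    length=1460),  # lost in transit
    Segment(0.300, "C", seq=2921, ack=1,    length=1460),  # retransmission
    Segment(0.340, "S", seq=1,    ack=4381, length=0),
]


def analyse(segments: List[Segment], sender: str,
            window_bytes: int, link_bytes_per_s: float) -> dict:
    """Median RTT, the window/RTT ceiling, and whether the flow is window-limited."""
    rtt = statistics.median(rtt_samples(segments, sender))
    return {
        "rtt_s": rtt,
        "bound_bytes_per_s": goodput_bound_bytes_per_s(window_bytes, rtt),
        "window_limited": window_limited(window_bytes, rtt, link_bytes_per_s),
    }


if __name__ == "__main__":
    # 65535-byte window (no window scaling) over a 100 Mbit/s link (assumed values).
    print(analyse(SAMPLE, "C", window_bytes=65535, link_bytes_per_s=12_500_000))
```

With a 40 ms RTT and an unscaled 64 KB window the flow can never exceed about 1.6 MB/s regardless of link speed; a job that bursts, stalls and resumes (as described above) is what that ceiling looks like when the application also waits for each page to be acknowledged. The same function over real samples from the local and Citrix paths shows directly how much of the slowdown is RTT.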

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

falz posted:

Which of you nerds are at NANOG69?

I'm here. Forgot to check the thread before tonight. I blame massive hangovers.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Those massive hangovers have influenced me to bail early tonight.

Methanar
Sep 26, 2013

by the sex ghost

falz posted:

Which of you nerds are at NANOG69?

ME

e;

just kidding no I'm not I'm dumb sorry. I googled it and saw 6-8 and DC and thought it was the thing I was going to. What I'm going to is march 6-8 in DC

Methanar fucked around with this message at 06:29 on Feb 8, 2017

Ahdinko
Oct 27, 2007

WHAT A LOVELY DAY
How are you guys getting the correct PIDs for your ASAs for this spreadsheet? I know for a fact at least one of them was ordered as an ASA5516-FPWR-BUN, but when I do a "show inventory" it just says the PID is "ASA5516". Same with all my other ones, they all just say "ASA5508" but they must be at least ASA5508-K9 because they all do AES.

Please don't make me go back to the sales team and find all the orders for ASAs over the last 18 months :(

Nuclearmonkee
Jun 10, 2009


Ahdinko posted:

How are you guys getting the correct PIDs for your ASAs for this spreadsheet? I know for a fact at least one of them was ordered as an ASA5516-FPWR-BUN, but when I do a "show inventory" it just says the PID is "ASA5516". Same with all my other ones, they all just say "ASA5508" but they must be at least ASA5508-K9 because they all do AES.

Please don't make me go back to the sales team and find all the orders for ASAs over the last 18 months :(

I just matched the hardware and the serial in show inventory, cried a little at the size of the list, and hit submit. Aren't all of the different PIDs just mostly license bundles with the base hardware being the same? Unless you are dealing with like the babby ones which can have wireless or whatever inside.

Depending on how you are doing licensing it may be a goddamn nightmare for you to migrate them individually from all of the appliances with Cisco though.

Worst part for me will be getting firepower back in order afterwards. It takes fuckin forever to go from the 5.4 whatever base they come with to 6.2 and I will need to do it 52 times.
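Matching "the hardware and the serial in show inventory" for 52 boxes by hand is the tedious part of this, so here is an added Python example (not from the thread or any poster) that parses pasted ASA "show inventory" output into hostname/PID/VID/serial rows and emits the CSV you would paste into a vendor spreadsheet. It keys on the Name/DESCR/PID/VID/SN layout shown earlier in the thread; the SN column is optional because the output quoted above omits it. The sample text, the serial numbers and the second inventory entry are constructed for the example, and only the "Chassis" entry is exported since, as noted above, the PID alone does not tell you whether a given unit carries the faulty part; the serial is what the vendor checks.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of ASA "show inventory" output.
# Serial numbers and the second entry are made up for this example.
SAMPLE_SHOW_INVENTORY = """\
rew-fw1# sh inventory
Name: "Chassis", DESCR: "ASA 5508-X with FirePOWER services, 8GE, AC, DES"
PID: ASA5508           , VID: V02     , SN: EXAMPLESN001

Name: "Storage Device 1", DESCR: "ASA 5508-X SSD"
PID: ASA5508-SSD       , VID: N/A     , SN: EXAMPLESN002
"""

# Hostname from the echoed prompt line, e.g. 'rew-fw1# sh inventory'.
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)[#>]\s*sh(?:ow)?\s+inv", re.MULTILINE)

# One inventory entry: a Name/DESCR line followed by a PID/VID[/SN] line.
# DESCR may itself contain commas, so it is matched up to the closing quote.
ENTRY_RE = re.compile(
    r'Name:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"\s*\n'
    r"PID:\s*(?P<pid>[^\s,]*)\s*,\s*VID:\s*(?P<vid>[^\s,]*)"
    r"(?:\s*,\s*SN:\s*(?P<sn>[^\s,]*))?"
)


def parse_show_inventory(text: str) -> List[Dict[str, Optional[str]]]:
    """Every inventory entry as a dict with name, descr, pid, vid and sn (sn may be None)."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def hostname(text: str) -> Optional[str]:
    """Hostname from the prompt, or None if the paste did not include it."""
    m = PROMPT_RE.search(text)
    return m.group("host") if m else None


def chassis_rows(text: str) -> List[Tuple[Optional[str], str, str, Optional[str]]]:
    """(hostname, pid, vid, serial) for the chassis entry only; modules are skipped."""
    host = hostname(text)
    return [(host, e["pid"], e["vid"], e["sn"])
            for e in parse_show_inventory(text) if e["name"] == "Chassis"]


def to_csv(outputs: List[str]) -> str:
    """CSV with one row per chassis across many pasted 'show inventory' outputs."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["hostname", "pid", "vid", "serial"])
    for text in outputs:
        for row in chassis_rows(text):
            writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv([SAMPLE_SHOW_INVENTORY]), end="")
```

Feed it one string per device (the output of the same command collected over SSH or pasted from a terminal) and the result is a single sheet of serials, which is the unit the vendor's affected-hardware check works on.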

ate shit on live tv
Feb 15, 2004

by Azathoth
I was going to be at NANOG but then I had Jury Duty :( Be sure to post about any good talks from there.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
https://www.youtube.com/watch?v=99jHvkVM0Dk

https://www.youtube.com/watch?v=5fVBB84OiAo

https://www.youtube.com/watch?v=JHEE6QU3J6M

Of the ones uploaded these are the best ones. I'm mostly here for operational content so this is biased towards that. There was a ROADM talk this morning that was pretty good as well. There has been a bit too much academic/fluff at this one compared to the one I went to last year. If you have a MPLS network in production the MPLS one is likely going to be 100% review. It's a good listen for people who are looking to learn about it.

Ahdinko
Oct 27, 2007

WHAT A LOVELY DAY

Nuclearmonkee posted:

I just matched the hardware and the serial in show inventory, cried a little at the size of the list, and hit submit. Aren't all of the different PIDs just mostly license bundles with the base hardware being the same? Unless you are dealing with like the babby ones which can have wireless or whatever inside.

Depending on how you are doing licensing it may be a goddamn nightmare for you to migrate them individually from all of the appliances with Cisco though.

Worst part for me will be getting firepower back in order afterwards. It takes fuckin forever to go from the 5.4 whatever base they come with to 6.2 and I will need to do it 52 times.

Yeah I think they pretty much are just different licensing bundles. Just figuring out the easiest way to find out what each one has rather than going into every single one and doing a sh act and then logging into each firepower and checking the licence out there. All those firepower licences, sec plus licences, additional anyconnect licences... ughhhhh.

I've found the easiest way to go from the old rear end version they ship with to the latest version is to replace the boot image and install the FPWR software bit from a fresh rather than getting it setup and doing the upgrades through the firepower GUI. Still takes a good hour per box though. At least if you can just throw them all into a build network together with a TFTP and FTP server, you can smash the lot out in one go.

Ahdinko fucked around with this message at 19:04 on Feb 8, 2017

Nuclearmonkee
Jun 10, 2009


Ahdinko posted:

Yeah I think they pretty much are just different licensing bundles. Just figuring out the easiest way to find out what each one has rather than going into every single one and doing a sh act and then logging into each firepower and checking the licence out there. All those firepower licences, sec plus licences, additional anyconnect licences... ughhhhh.

I've found the easiest way to go from the old rear end version they ship with to the latest version is to replace the boot image and install the FPWR software bit from a fresh rather than getting it setup and doing the upgrades through the firepower GUI. Still takes a good hour per box though. At least if you can just throw them all into a build network together with a TFTP and FTP server, you can smash the lot out in one go.

Yeah it takes about an hour just to get the drat thing ready to begin and then I have to put them all back in the management center and put them in their groups and associate the correct policies and :suicide:

psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.
You should be able to request 6.0 as the base image on your RMA boxes.

BTW, 5500-Xs are going end of sale and are going to be replaced by a new line of small firewalls, the 2100s. ASA operating system is going away completely, and all VPN features (including AnyConnect) should be migrated to FXOS by Q3.

Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT

psydude posted:

You should be able to request 6.0 as the base image on your RMA boxes.

BTW, 5500-Xs are going end of sale and are going to be replaced by a new line of small firewalls, the 2100s. ASA operating system is going away completely, and all VPN features (including AnyConnect) should be migrated to FXOS by Q3.

Considering how much time I spend on ASAs, I'm very fine with this. Death to the ASA OS.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I think you mean pixos. Is the image still named that?

CrazyLittle
Sep 11, 2001

Clapping Larry

falz posted:

I think you mean pixos. Is the image still named that?

Not last time I checked.

code:
Cisco Adaptive Security Appliance Software Version xxxx
System image file is "disk0:/asaxxxxxxx.bin"

Nuclearmonkee
Jun 10, 2009


I would like to run the unified image but they still don't have freaking anyconnect support on there yet. Supposedly coming SOON.

psydude
Apr 1, 2008

Heartache is powerful, but democracy is *subtle*.

Nuclearmonkee posted:

I would like to run the unified image but they still don't have freaking anyconnect support on there yet. Supposedly coming SOON.

Q3-4, supposedly.

KS
Jun 10, 2003
Outrageous Lumpwad
This is only tangentially Cisco related.

We got a new model of laptop in and it won't PXE boot. Other devices, both UEFI and BIOS, boot fine.

The PXE server is located across a layer 3 boundary. When we wireshark the new laptop, it pulls a DHCP address and gets the correct PXE information. Then it ARPs for the 10.5.12.5 PXE address from its 10.5.56.X/24 address rather than sending traffic to its gateway. Is this just a broken PXE client? Again, other models work fine.

I turned on ip proxy-arp for the isolated imaging network and it fixed it instantly, so my real Cisco question: how bad of a security risk is this? My impression is "not much" when I'm doing it on one vlan interface and there are <5 ports on my entire network in that vlan.

tortilla_chip
Jun 13, 2007

k-partite
You probably just want to configure DHCP relay/ip helper instead.

abigserve
Sep 13, 2009

this is a better avatar than what I had before

Nuclearmonkee posted:

I would like to run the unified image but they still don't have freaking anyconnect support on there yet. Supposedly coming SOON.

Ahh yes the "unified" image, which is actually:

- ASA OS handling the routing and interface configuration
- Sourcefire OS handling everything else
- Glue code in the middle

The firepower stuff will be good eventually but right now it's pretty rough.

ragzilla
Sep 9, 2005
don't ask me, i only work here


tortilla_chip posted:

You probably just want to configure DHCP relay/ip helper instead.

Sounds like DHCP is working (presumably via helper), but the client isn't honoring the gateway address in DHCP. In which case proxy-arp is probably the best solution.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
ignore me.
