Oh man I didn't even think to go that far. I guess I now have something to do today. When I used to manage CUCM, I set 666 as the internal extension for our linux admin
# ? Apr 12, 2017 15:22 |
|
|
I had a client once whose IT lead was English and decided to set their tech support ring group to "999". It turns out that certain systems will autocorrect any common emergency numbers to the correct one for the configured region. IIRC it was the Android SIP client. They had a few users end up connected to 911 when they really wanted IT before we figured out what was going on.

Edit: Now that I'm thinking about this again I wonder if I'd have the same problem with 01189998819991197253, I may have to add an easter egg to our new PBX platform.

wolrah fucked around with this message at 15:39 on Apr 12, 2017 |
# ? Apr 12, 2017 15:35 |
|
Are the Dell S3100-series switches as poo poo as their N-series, or do they simply exist with no reason to choose them over any other switching options?
|
# ? Apr 12, 2017 16:36 |
|
Jumping back into Cisco-land and I'm trying to set up an IPsec tunnel from a CSR 1000V back to a Juniper SRX. It's in AWS so there are already multiple tunnels set up on it by Amazon's automation thing. The tunnels they have established all use protection profiles as opposed to a crypto map, which is apparently the "new" way to do it. I've never set up a tunnel without a crypto map, but from what I've read this should do it. I keep failing on Phase 1 with no proposal chosen, even though the proposals certainly match. Here are my configurations. I'm using dynamic endpoint configuration because the CSR is behind a NAT, though it is a static NAT so in theory it should work even with the traditional way. But I'd just like it to work at all.

SRX log:

Apr 27 10:41:17 vpn1a.nj01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[186]: IKE Phase-1: (Responder) Policy lookup failed [local_ip=x.x.x.90 remote_ip=x.x.x.220]

CSR debug:

Apr 27 14:47:15.198: ISAKMP: (0):Created a peer struct for x.x.x.90, peer port 500
Apr 27 14:47:15.198: ISAKMP: (0):New peer created peer = 0x7F195D540EC8 peer_handle = 0x800007CC
Apr 27 14:47:15.198: ISAKMP: (0):Locking peer struct 0x7F195D540EC8, refcount 1 for isakmp_initiator
Apr 27 14:47:15.198: ISAKMP: (0):local port 500, remote port 500
Apr 27 14:47:15.198: ISAKMP: (0):set new node 0 to QM_IDLE
Apr 27 14:47:15.198: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7F18EA831FB0
Apr 27 14:47:15.198: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
Apr 27 14:47:15.198: ISAKMP: (0):found peer pre-shared key matching x.x.x.90
Apr 27 14:47:15.198: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Apr 27 14:47:15.198: ISAKMP: (0):constructed NAT-T vendor-07 ID
Apr 27 14:47:15.198: ISAKMP: (0):constructed NAT-T vendor-03 ID
Apr 27 14:47:15.198: ISAKMP: (0):constructed NAT-T vendor-02 ID
Apr 27 14:47:15.198: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 27 14:47:15.198: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
Apr 27 14:47:15.198: ISAKMP: (0):beginning Main Mode exchange
Apr 27 14:47:15.198: ISAKMP-PAK: (0):sending packet to x.x.x.90 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 27 14:47:15.198: ISAKMP: (0):Sending an IKE IPv4 Packet.
Apr 27 14:47:15.264: ISAKMP-PAK: (0):received packet from x.x.x.90 dport 500 sport 500 Global (I) MM_NO_STATE
Apr 27 14:47:15.264: ISAKMP-ERROR: (0):Couldn't find node: message_id 50916479
Apr 27 14:47:15.265: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Apr 27 14:47:15.265: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Apr 27 14:47:15.265: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Apr 27 14:47:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at x.x.x.90

Any ideas? I can see that the pre-shared keys match, so they are definitely seeing each other, and as far as I can see my phase 1 proposals match.
|
# ? Apr 27, 2017 15:58 |
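The debug above reduces to a handful of state transitions, and that reduction can be done mechanically. This is an added example, not code from the post: a small Python parser over a trimmed copy of the posted IOS debug (plus a constructed healthy run for contrast) that reports where phase 1 stopped. The state names and message strings are the ones in the log; the verdict strings are my own.

```python
import re

# Constructed sample: a trimmed copy of the IOS ISAKMP debug posted above,
# one message per line, peer address masked exactly as in the post.
FAILED_LOG = """\
Apr 27 14:47:15.198: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
Apr 27 14:47:15.198: ISAKMP: (0):found peer pre-shared key matching x.x.x.90
Apr 27 14:47:15.198: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
Apr 27 14:47:15.198: ISAKMP-PAK: (0):sending packet to x.x.x.90 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 27 14:47:15.264: ISAKMP-PAK: (0):received packet from x.x.x.90 dport 500 sport 500 Global (I) MM_NO_STATE
Apr 27 14:47:15.265: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Apr 27 14:47:15.265: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Apr 27 14:47:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at x.x.x.90
"""

# Constructed contrast case: the transitions of a main-mode exchange that completes.
HEALTHY_LOG = """\
Apr 27 15:02:01.100: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
Apr 27 15:02:01.180: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Apr 27 15:02:01.400: ISAKMP: (0):Old State = IKE_I_MM5 New State = IKE_I_MM6
Apr 27 15:02:01.410: ISAKMP: (1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"with peer at (\S+)")


def analyze_isakmp(log):
    """Summarise one initiator attempt from 'debug crypto isakmp' output."""
    s = {"transitions": [], "notify_in_mm1": False, "aggressive_fallback": False,
         "psk_found": False, "peer": None}
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            s["transitions"].append((m.group(1), m.group(2)))
        if "IKE_INFO_NOTIFY: state = IKE_I_MM1" in line:
            s["notify_in_mm1"] = True   # responder answered MM1 with a notify, not MM2
        if "Can not start Aggressive mode" in line:
            s["aggressive_fallback"] = True  # IOS quietly fell back to main mode
        if "found peer pre-shared key matching" in line:
            s["psk_found"] = True       # keyring lookup worked, so the peer IP is right
        m = PEER_RE.search(line)
        if m:
            s["peer"] = m.group(1)
    s["last_state"] = s["transitions"][-1][1] if s["transitions"] else None
    return s


def diagnose(s):
    """Turn the summary into the next thing to check on both ends."""
    if s["last_state"] == "IKE_P1_COMPLETE":
        return "phase1-complete"
    if s["notify_in_mm1"] and s["last_state"] == "IKE_I_MM1":
        hint = "; note the initiator fell back from aggressive to main mode" if s["aggressive_fallback"] else ""
        return ("phase1-rejected-by-responder: MM1 was answered with an informational notify; "
                "compare exchange mode (main vs aggressive), IKE identity and proposal on both ends" + hint)
    return "phase1-incomplete"
```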
|
Can you show your st0.13 config? Is it in a zone? Does it have MTU set?
|
# ? Apr 27, 2017 17:57 |
|
I worked on this all yesterday. Apparently the problem was configuring ikev1 phase 1 for aggressive mode, which the CSR refused to do for whatever reason. It showed up in the syslog occasionally when I enabled debugging, but I assumed it was a one-off thing and that it would try again in aggressive mode, since I specifically configured aggressive mode. Well, it doesn't. And as I just relearned, both sides have to agree on aggressive vs main for it to work. So I finally changed my SRX config to main-mode, and put in the ike-identity of the private IP and found the address the tunnel was coming from, and voila! For posterity's sake:

CISCO

crypto isakmp policy 999
 encr aes 256
 hash sha256
 authentication pre-share
 group 24
 lifetime 28800
crypto isakmp profile isakmp-vpn1a-nj01
 keyring keyring-vpn1a-nj01
 self-identity address
 match identity address x.x.x.90 255.255.255.255
 local-address GigabitEthernet1
crypto keyring keyring-vpn1a-nj01
 local-address GigabitEthernet1
 pre-shared-key address x.x.x.90 key PASSWORD
crypto ipsec transform-set TRANSFORM-NJ01 esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC-PROFILE-NJ01
 set transform-set TRANSFORM-NJ01
 set pfs group2
interface Tunnel13
 description vpn1a.nj01:st0.13
 ip vrf forwarding vpn0
 ip address 10.21.0.34 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.90
 tunnel protection ipsec profile IPSEC-PROFILE-NJ01
 ip virtual-reassembly
end

SRX

set security ike policy ike-pol-vpn-csr1-azv mode main
set security ike policy ike-pol-vpn-csr1-azv proposals IAS-AWS-IKE-SHA2
set security ike policy ike-pol-vpn-csr1-azv pre-shared-key PASSWORD
set security ike gateway gw-vpn-csr1-azv ike-policy ike-pol-vpn-csr1-azv
set security ike gateway gw-vpn-csr1-azv address x.x.x.220
set security ike gateway gw-vpn-csr1-azv dead-peer-detection
set security ike gateway gw-vpn-csr1-azv local-identity inet x.x.x.90
set security ike gateway gw-vpn-csr1-azv remote-identity inet IP_OF_CSR_Gig1
set security ike gateway gw-vpn-csr1-azv external-interface lo0.0
set security ike gateway gw-vpn-csr1-azv local-address x.x.x.90
set security ipsec policy ipsec-pol-csr1-azv perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-csr1-azv proposals IAS-AWS-IPSEC-SHA2
set security ipsec vpn vpn-csr1-azv bind-interface st0.13
set security ipsec vpn vpn-csr1-azv df-bit clear
set security ipsec vpn vpn-csr1-azv ike gateway gw-vpn-csr1-azv
set security ipsec vpn vpn-csr1-azv ike ipsec-policy ipsec-pol-csr1-azv
set security ipsec vpn vpn-csr1-azv establish-tunnels immediately
set security zones security-zone AWS interfaces st0.13

Yay!
|
# ? Apr 27, 2017 18:09 |
|
madsushi posted:
Can you show your st0.13 config? Is it in a zone? Does it have MTU set?

Yea that is required for phase1 I'm told. I put it in the security zone for all the other AWS tunnels we have.
|
# ? Apr 27, 2017 18:10 |
|
We're trying to reconfigure our internet edge at a new site as pictured below. "After" has worked at a bunch of other sites, but it's not working here (a WISP in Mexico). When set up, .98 can ping .99 and vice versa, but neither can ping .97. Both .98 and .99 can ping .97 when direct attached. Their CPE is a Cisco switch that breaks out an internet circuit and a voip circuit on two ports, so this deals with the internet port only. I'm thinking they could have a maximum # of mac addresses allowed, or bpduguard enabled. Anything else I'm missing that I could maybe point them towards? Will fall back to natting addresses on the ASA, but losing uniformity kinda sucks
|
# ? Apr 27, 2017 23:44 |
|
Does the providers interface show in the MAC table in the switch and the ARP table on your router/firewall?
|
# ? Apr 27, 2017 23:50 |
|
No. Ooh. Turned off spanning tree on my switch and it immediately started working. They must have had portfast/bpduguard facing us.
|
# ? Apr 28, 2017 00:02 |
|
I had an HA pair of ASAs go so wacko on me I feel like the only way I can explain it is to the tune of the Gilligan's Island theme song. So, sit right back and I'll tell a tale, A tale of two ASAs! Who after a minor code update, Fell into a malaise. The active member of the pair, He worked without a hitch. The standby peer, though online still, Became a total bitch. Oh, the standby IP pinged away, Through SSH, logged in. Though TACACS gave the enable prompt, No command auth was within! The admin sat upon the prompt of this busted ASA, With no commands! No show run too. Show interface, oh, yeah right. Not even quit, Nor exit nor log off ran! All "command authorization failed!" Yes, you heard me, the thing would log me in against our TACACS system, give me enable, and then fail command authorization for any command. I couldn't even exit the drat prompt. The active peer? Totally fine, not a hitch. I cannot wait to hear back from Cisco on this TAC case.
|
# ? Apr 28, 2017 06:26 |
|
Ugh. ASA code upgrades expose the most hosed up bugs. We patched a 5508-X from 9.6.2 to 9.6.3(1) because of the 213 days of uptime drop bug and now every five days or so the drat thing stops receiving EIGRP updates from adjacencies but continues to transmit them. This leaves the site in a weird spot where the router attached to it knows how to send traffic to the ASA's connected networks but the ASA doesn't know what to do with the return traffic other than "0.0.0.0/0 lol". The solution? Copy the EIGRP configs, no router eigrp <asn>, paste the configs back in.
|
# ? Apr 28, 2017 06:34 |
|
I've dealt with something similar. I can't remember if it was NX-OS or IOS-XR but after an update some of the config was correct but wouldn't apply. TAC had me run "configure reload ascii" to reload the box with an ASCII-converted config, as the normal file is apparently binary.
|
# ? Apr 28, 2017 12:12 |
|
Kazinsal posted:
Ugh. ASA code upgrades expose the most hosed up bugs. We patched a 5508-X from 9.6.2 to 9.6.3(1) because of the 213 days of uptime drop bug and now every five days or so the drat thing stops receiving EIGRP updates from adjacencies but continues to transmit them. This leaves the site in a weird spot where the router attached to it knows how to send traffic to the ASA's connected networks but the ASA doesn't know what to do with the return traffic other than "0.0.0.0/0 lol".

Good to know there is a patch for that now, but gently caress what a lovely another bug.
|
# ? Apr 28, 2017 13:14 |
|
Sepist posted:
I've dealt with something similar. I can't remember if it was NX-OS or IOS-XR but after an update some of the config was correct but wouldn't apply. TAC had me run "configure reload ascii" to reload the box with a ascii converted config, as the normal file is apparently binary.

This was probably NX-OS, just had to do this recently at TAC's suggestion for a totally different bug on the 7K platform. When we did that reload, it destroyed all config in the VDC below a certain point, which conveniently included all the routing config.
|
# ? Apr 28, 2017 20:35 |
|
Anyone here managed to get ASAv running on ESXi 6.5 in a Workstation VM? A colleague of mine is having issues, "Failed to deploy VM: postNFCData failed." error.
|
# ? May 1, 2017 13:56 |
|
Anyone at Networking@scale this week?
|
# ? May 1, 2017 19:20 |
|
cheese-cube posted:
Anyone here managed to get ASAv running on ESXi 6.5 in a Workstation VM? A colleague of mine is having issues, "Failed to deploy VM: postNFCData failed." error.

Pretty much all Cisco products aren't officially supported on 6.5 yet, and I've heard of all sorts of issues with it more generally.
|
# ? May 3, 2017 16:14 |
|
In this modern day of system and infrastructure automation, is there a way to manage non-stacked switches in a unified way? The way I've done it in the past is to use a handful of expect scripts that allow me to do things across multiple switches without having to log in and apply the config each time, but is there a way to do this better now? I've got an assortment of switches: 2960s, 3560s, 3750s and a few others. I was wondering if I still have to manage them the way I used to, or if there is a tool or management interface that would allow me to manage these in a more unified way. I know there are some automation/scripting features with NX-OS but I'm not about to replace a bunch of perfectly workable hardware just so that it's a little less of a pain to manage. Anyone have any suggestions?
|
# ? May 3, 2017 22:19 |
|
Ansible has modules for Cisco switches: http://networklore.com/ansible-cisco-snmp/ https://docs.ansible.com/ansible/list_of_network_modules.html#ios
|
# ? May 3, 2017 22:36 |
|
SamDabbers posted:
Ansible has modules for Cisco switches:

Nice! I like Ansible but didn't even consider it when looking into this problem. I'll check that out.
|
# ? May 3, 2017 23:23 |
|
You can use a NMS with SNMP, that's fairly universal if not a pain in the rear end. With macros and templates now, there's not a lot of reason to be having individual port configs anymore.
|
# ? May 4, 2017 01:26 |
|
Our marketing team wants to move our website to AWS and said it would be like $300/mo. We have other servers out there and I ran the numbers and it's more like $2 grand a month. Now they're throwing a fit saying IT always ruins their projects and we're why nothing gets done. Good times
|
# ? May 4, 2017 01:27 |
|
We had someone try that once. It's a simple service, let's just put it in AWS you say? So I checked how much it would cost to replicate it 1:1 with t1.medium reserved instances and it would've cost 60-70k a year. Unfortunately, instead of just buying new servers for 1/3 that price, we are still running the same old hardware cause gently caress everything (the AWS thing was in lieu of trying to fix one of the servers having hardware issues).
|
# ? May 4, 2017 04:02 |
|
The problem is that they're blaming all the issues the website has on our infrastructure where the problem is that the website is programmed by loving morons. I wish I knew whose dick they've been sucking not to get fired. Our infrastructure is not the problem and it's like pulling teeth trying to explain that. Also they insist on full MS SQL on AWS and don't understand why it costs so much and don't even know what RDS is. Argh.
|
# ? May 4, 2017 04:07 |
|
psydude posted:
Pretty much all Cisco products aren't officially supported on 6.5 yet, and I've heard of all sorts of issues with it more generally.

Cool thanks mate. Good to know.
|
# ? May 4, 2017 06:23 |
|
GreenNight posted:
Also they insist on full MS SQL on AWS and don't understand why it costs so much and don't even know what RDS is. Argh.

All potential economic advantages disappearing when people don't really use it properly and instead just treat it as a place to run VMs? Crazy talk.
|
# ? May 4, 2017 07:59 |
|
Partycat posted:
With macros and templates now, there's not a lot of reason to be having individual port configs anymore.

How else are you going to piss off your coworkers then? Old network guy here would randomly have trunk ports configured in the middle of access switches.
|
# ? May 4, 2017 14:19 |
|
PoE question. This is for a fingerprint reader (well, 4 of them). When I do show log I can see:

ILPOWER-7-DETECT: interface gi1/0/1 power device detected: IEEE PD
ILPOWER-5-POWER_GRANTED: interface gi1/0/1 power granted
ILPOWER-5-IEEE_DISCONNECT: interface gi1/0/1 PD Removed.

and it just keeps looping and looping constantly. Show power inline displays that everything is configured to auto; if you keep pressing up-enter to repeat the command you can see the device is sometimes on, running at 15.4 watts, but mostly off. Either way the actual device never comes on. I've cable tested the cable and that's all fine, and I've tried the device on different ports and another switch. Is there anything I can do to force power to stay on or something like that? I'm not sure why it's finding the device then instantly removing it.
|
# ? May 4, 2017 15:09 |
|
Does your switch support high power PoE? (802.11at)? It's possible you're booting at lower power, then the device requests full power, can't get it, and reboots. Edit: I suppose it's possible it's rebooting for another reason. Is there any kind of serial or debug port on these devices?
|
# ? May 4, 2017 16:43 |
|
Mirror that port and grab a capture of the LLDP messages
|
# ? May 4, 2017 16:53 |
|
angry armadillo posted:
PoE question. This is for a finger print reader (well 4 of them)

Does that IOS still have "power inline delay shutdown"? I remember using that to keep ports up on prestandard POE switches with 3af devices.
|
# ? May 4, 2017 22:12 |
|
ragzilla posted:
Does that IOS still have "power inline delay shutdown"? I remember using that to keep ports up on prestandard POE switches with 3af devices.

nah - I had to update IOS just to remote into the switch, there was some kind of bug so it's on a recent version.
|
# ? May 5, 2017 08:27 |
|
|
ate poo poo on live tv posted:
And as I just relearned, both sides have to agree on aggressive vs main for it to work.

As a note for the future, never ever use aggressive mode unless you have to. It's pretty much an instant fail on any PCI-DSS or other security scans.

Ahdinko fucked around with this message at 14:56 on May 8, 2017 |
# ? May 8, 2017 14:53 |
|
Kazinsal posted:
Ugh. ASA code upgrades expose the most hosed up bugs. We patched a 5508-X from 9.6.2 to 9.6.3(1) because of the 213 days of uptime drop bug and now every five days or so the drat thing stops receiving EIGRP updates from adjacencies but continues to transmit them. This leaves the site in a weird spot where the router attached to it knows how to send traffic to the ASA's connected networks but the ASA doesn't know what to do with the return traffic other than "0.0.0.0/0 lol".

You aren't running in multiple context mode are you? I've had some funky poo poo happen with routing protocols in multiple context. A good one I had last month was with 6 firewalls in 3 pairs, all running multiple context & OSPF. Routing absolutely poo poo itself when a context became the DR because intra-context multicast on the same box doesn't work.
|
# ? May 8, 2017 15:01 |
|
Also I have a pair of Nexus 5010s in a VPC pair, with half a dozen dual-homed 2K FEXes. The 5Ks are running the following ancient version and I want to upgrade to get nice features like config sync:

boot kickstart bootflash:/n5000-uk9-kickstart.4.2.1.N1.1.bin
boot system bootflash:/n5000-uk9.4.2.1.N1.1.bin

Feature           Ins  Lic    Status  Expiry Date  Comments
                       Count
--------------------------------------------------------------------------------
FM_SERVER_PKG     No   -      Unused       -
ENTERPRISE_PKG    No   -      Unused       -
FC_FEATURES_PKG   No   -      Unused       -
--------------------------------------------------------------------------------

I've not had much exposure to Nexus; are there any gotchas when upgrading from such an old version to a new version like 5.2(1)N1(9a)? I see that the version I'm on, 4.2(1)N1(1), was the first version to get ISSU; I've never had to use it before so don't know too much about it. I've found this guide; will the FEXes go down when I do the primary switch? http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/upgrade/503_N1_1/n5k_upgrade_downgrade_503.html#pgfId-1001382

Edit: Welp, upon further reading, because the 5Ks connect to a pair of blade chassis switches running STP and in a vPC, ISSU is a no go. Hooray, here comes another 2am upgrade.

Ahdinko fucked around with this message at 16:07 on May 8, 2017 |
# ? May 8, 2017 15:35 |
|
Ahdinko posted:
As a note for the future, never ever use aggressive mode unless you have to. Its pretty much an instant fail on any PCI-DSS or other security scans.

How do you do dynamic end-point tunnels without aggressive mode?
|
# ? May 8, 2017 17:48 |
|
ate poo poo on live tv posted:
How do you do dynamic end-point tunnels without aggressive mode?

Certificates or plain RSA keys if you don't want to roll a CA.
|
# ? May 8, 2017 17:57 |
|
|
Or IKEv2
|
# ? May 8, 2017 18:00 |
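For the aggressive-mode warning and the certificate/IKEv2 answers above, here is an added example (not from any poster or from Juniper) of auditing Junos set-style IKE config for exactly that pattern. It parses the thread's main-mode gateway plus a constructed dynamic-peer gateway and flags aggressive mode and IKEv1 PSK on dynamic peers. The policy name ike-pol-branch, the gateway gw-branch-dyn and the `dynamic hostname` / `version v2-only` statements are assumptions not shown in the thread.

```python
# Constructed sample in Junos set syntax: the main-mode gateway from the thread
# (addresses masked as posted) plus a hypothetical dynamic-peer gateway,
# gw-branch-dyn, built the way IKEv1/PSK tunnels to roaming peers usually are.
SAMPLE_CONFIG = """\
set security ike policy ike-pol-vpn-csr1-azv mode main
set security ike policy ike-pol-vpn-csr1-azv proposals IAS-AWS-IKE-SHA2
set security ike policy ike-pol-vpn-csr1-azv pre-shared-key ascii-text PASSWORD
set security ike gateway gw-vpn-csr1-azv ike-policy ike-pol-vpn-csr1-azv
set security ike gateway gw-vpn-csr1-azv address x.x.x.220
set security ike gateway gw-vpn-csr1-azv external-interface lo0.0
set security ike policy ike-pol-branch mode aggressive
set security ike policy ike-pol-branch proposals IAS-AWS-IKE-SHA2
set security ike policy ike-pol-branch pre-shared-key ascii-text PASSWORD
set security ike gateway gw-branch-dyn ike-policy ike-pol-branch
set security ike gateway gw-branch-dyn dynamic hostname branch1.example.invalid
set security ike gateway gw-branch-dyn external-interface lo0.0
"""


def parse_ike(config):
    """Index 'set security ike policy|gateway NAME KEY VALUE...' lines by name."""
    policies, gateways = {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:3] != ["set", "security", "ike"]:
            continue
        if t[3] == "policy":
            policies.setdefault(t[4], {})[t[5]] = " ".join(t[6:])
        elif t[3] == "gateway":
            gateways.setdefault(t[4], {})[t[5]] = " ".join(t[6:])
    return policies, gateways


def audit_ike(config):
    """Return (gateway, severity, message) findings for IKEv1 aggressive-mode exposure."""
    policies, gateways = parse_ike(config)
    findings = []
    for name, gw in gateways.items():
        pol = policies.get(gw.get("ike-policy"), {})
        mode = pol.get("mode", "main")               # a Junos IKE policy defaults to main mode
        psk = "pre-shared-key" in pol
        ikev2_only = gw.get("version") == "v2-only"  # assumption: no version statement means IKEv1 is offered
        if mode == "aggressive":
            findings.append((name, "HIGH", "IKEv1 aggressive mode: the PCI-DSS scan finding from the thread"))
        if "dynamic" in gw and psk and not ikev2_only:
            findings.append((name, "MEDIUM", "dynamic peer with IKEv1 PSK relies on aggressive mode; "
                             "use certificates or RSA keys, or IKEv2 (version v2-only)"))
    return findings
```

Running `audit_ike(SAMPLE_CONFIG)` reports both findings against gw-branch-dyn and nothing against the thread's gateway; switching the branch gateway to `version v2-only` with a main-mode policy clears both.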