I'm having a bizarre issue as of late with my 3845 routers. For some reason, the Gig0/0 interfaces will only show as up/up unless I admin shut them. It doesn't matter if there's no cable plugged in, or if the wrong cable is plugged in. It will always show as up/up. The version is up to date on all of them. I've noticed it for about a week now on 4 routers, but it hasn't been an issue up until now because I'm trying to plug something into g0/0. The link lights won't come on for either side of the connection when I plug it into the port that they want me to plug into on their switch. If I plug it into one of the other ports, I get link lights on both sides. But either way, in the router I see up/up. I've tried straight through and crossover as well. It's from the 3845 to a Juniper switch/firewall thingy that I have no login access to.

# Dec 15, 2009 09:57

ior posted: Try: That works. I'm still failing to understand how that would cause the interface to think it's up when absolutely nothing is plugged into it besides a bit bucket. I did figure out why I wasn't getting a connection up to the Juniper though, apparently it wanted the duplex set to auto instead of full on my interface. Worked fine with duplex full off the old router that was the exact same type of device and configuration.

# Dec 17, 2009 08:34

If you have devices that require POE, then you should buy something with POE. I couldn't give you exact prices but if you bought something with 12 or 16 ports of POE plus a normal 48 port switch, it'd be more expensive. And if you get 48 ports of POE, then you have plenty of spare slots in case an interface goes bad or something. It's always better to have more than you need vice less. As for what uses POE, all I really know about is phones, which we use so drat many of that all our switches are POE whether it's used or not. (then again, that's military spending for you)

# Jan 6, 2010 16:07

Usually we use Kiwi Syslog Daemon. It does everything you'd ever really need a syslog to do. Also, it's free unless you pay for a licensed version.

# Jan 13, 2010 15:21

If you want it to deny all else, just make it explicit deny at the bottom. I've found this method to be less hit or miss than just hoping on the implicit deny.

# Jan 20, 2010 16:59

Oh, wait a minute. Change "ip access-group server_in in" to "ip access-group server_in out". The in/out references which way the traffic is flowing: "in" means anything coming FROM vlan 10 will be applied to the ACL, "out" means anything going TO vlan 10 will hit the ACL. Sorry, I should have noticed that in the first place.

Slickdrac fucked around with this message at 17:19 on Jan 20, 2010

# Jan 20, 2010 17:17

I've been doing network engineering for nearly 18 years now. Got called by another team troubleshooting an old 5510 that would not communicate upstream at all. In the process of going through, fixed about 30 different misconfigs between the 2 devices. Still no good communication. It would talk upstream, but the interface showed 0 input at all. Upstream could see its MAC, and populated the ARP table, and everything looked solid from that side. Then I shut the interface to see what would happen. Upstream device still said up/up, not terribly odd, seen that before on badly communicating interfaces. ASA's interface, that I had shut, was in Admin Down, Protocol UP status. I have never seen a down/up status in 18 years. I have been told for forever that this was just not possible. I told them their firewall was either cursed, senile, or just a broken interface and to get a new one. But I'm not sure how to dispose of this one, does it require a wooden stake, or just to be burned at a stake? Also, am I alone in seeing this mythical interface status?

# Apr 8, 2014 23:04

Anyone familiar with some kind of spreadsheet/table program that lets multiple people open and edit at the same time? Think like Google Docs, except not hosted on the internet. Need a better app to carry our IP spreadsheet, since the sheet has to be fairly particular and full of colors. 4 network engineers and we keep stepping on each other's toes/leaving the document open and locked/being lazy about updating immediately (naturally). I'm sure this has come up somewhere in the past 293 pages, but vvv - We have 7 networks all sitting on the same private network range, logically separate, and the same IP ranges don't always map to the same location. Also, we identify the networks by colors. That's an incredibly important aspect of it and needs to be seriously in your face so you know which data network you're dealing with.

Slickdrac fucked around with this message at 18:23 on Apr 21, 2014

# Apr 21, 2014 17:53

Nebulis01 posted: Any version of Excel since 2003/7 will let you do this, it's called a Shared Workbook, you can also do it in Sharepoint if you'd like to host it locally. Yeah, found that about 10 minutes after posting. Thanks.

# Apr 21, 2014 22:09

quote: Hopefully this will save someone some headache (or maybe our sales rep & SE just didn't know), but Cisco 3925/3925E routers won't do more than 85mbps IPSEC VPN out of the box, even though they're marketed/sold as such. You have to buy an additional license (HSECK9) for this. siighhhh Normally, no. You have to specify that license. Gets more fun with the ASRs/ISRs we run with IPSEC and GetVPN, I think there's about a half dozen additional licenses tied to each one (with each needing its own support charge). Frag Viper posted: I'm pulling my hair out over here with this. That gets me about half the time when I can't transfer. The other half is when people point the tftp source at the wrong interface.

# May 9, 2014 06:47

madsushi posted: I have an ASA 5585-X w/ SSP-40 firewall. It is at 100% CPU. I have already opened a case with TAC, but thought I would ask here: What's "sho proc cpu-u" say is maxing?

# May 30, 2014 11:15

Zuhzuhzombie!! posted: I need to add a 3750 to a stack running Are they both the same model? It should work if they are. If they're different, they both need to be on SE2 vvv - I'm going off the assumption that the obvious solution isn't desired

Slickdrac fucked around with this message at 18:20 on Jun 3, 2014

# Jun 3, 2014 17:19

falz posted: Set VTP to transparent mode and never look back. Yes it will require more work adding vlans to all devices but you will avoid horrendous outages due to silly operator error. Or just disable VTP entirely. Or better, do both. Your future fat finger self will thank you.

# Jun 11, 2014 15:02

According to snmp logging, we're randomly overclocking the hell out of our 5520s. Message: "ASA 5520 Adaptive Security Appliance has exceeded threshold: (90%) currently (4294964%)". Anyone seen this before? They always start out 42949, just the last two digits change.

# Jun 18, 2014 13:39

I'm a little lost on the Fortihate, I've never had any problem with any of them ever. They've been one of my favorites.

# Jul 4, 2014 15:33

Having a fun time with ICMP and VPN tunnels over here. Have a setup that looks something like this physically: Remote site net -> ISR Router -> ISR Router (loopback connection from gig to gig) -> MPLS network -> ASR Router -> Core net. And logically: Remote site net -> MGMT VRF internal -> MGMT VRF external (via loopback cable) -> MPLS -> MGMT VRF External -> MGMT VRF Internal (vasi link) -> Core net, with the VPN between internal VRFs. Right now we have a site in Solarwinds that is showing as "down" because ICMP is being blocked on the ASR at the internal VRF vasi. SNMP traffic is just peachy and we are gathering that fine. Logs say it's the ACL on the vasi link shutting it down because it's not encrypted traffic or traffic we allow through unencrypted. I'm assuming I have to tell the VPN to take ICMP traffic and encrypt it before sending it, but I can't find where that is or would be specified? It also doesn't help that the routers are VRF'd into 20 logical VRFs for 10 logically separated networks and the configs are massive because of it. Edit: It's the return ICMPs which are being blocked, they are going out and all the way to the return site, but get stopped on the way back.

Slickdrac fucked around with this message at 03:14 on Jul 27, 2014

# Jul 27, 2014 02:34

Slickdrac posted: Having a fun time with ICMP and VPN tunnels over here. Have a setup that looks something like this physically. GAH, realizing what I said in my edit, I went to the remote end router and found a DENY icmp packet line in the VPN exclusion ACL. Removed it, all is well.

# Jul 27, 2014 03:21

Having some fun with a VPN inside a VPN client request. My network has an mGRE tunnel between ASRs/ISRs, tunnels formed between loopback interfaces on the routers on a different VRF than is used for the connection between router nodes on the internal VPN. The client is using Cisco AC to establish a VPN from a demo device down to his lab. We can see the traffic as it hits the front door, goes through the core stack, and arrives at the ASR to be tossed into the VPN, everything looks fine: 1.2.3.4(4369) -> 10.10.10.10(500). Then the next time we can capture it is when it's egressing the ISR at the lab location, where it outputs with 1.2.3.4(0) -> 10.10.10.10(0). First I thought it was one of the various things you can accidentally do so ACL logging just ignores some information. But then looking at my ASA at the location, which is on the other side of that interface, I saw nothing hit any trap I set up. Like the traffic was just vanishing after it left. Digging deeper and looking at a full packet capture, Layer 4 is being completely stripped out and is nothing but binary 0 straight across the header. I've done VPNs in VPNs numerous times before, but not across the VPN configuration we have on our network (the particular design of it is the first of its kind in a production environment, designed by a triple CCIE). Has anyone ever seen or heard of this happening?

# Sep 17, 2014 14:51

I could understand that from an application or just from the router. I binary packet captured it with nothing but 0s where the header should be. The ASA is giving it a "WTF is this" response and dropping it.

# Sep 17, 2014 21:34

Anyone found anything about whether the Shellshock exploit is vulnerable on Cisco gear?

# Sep 25, 2014 17:23

They really can't fly with that answer. Every other vendor we have in our environment has already identified which devices are vulnerable, which vectors are potentially open, and tossed patches over. Granted, most vendors likely already knew about this and were being gagged by 3 letter agencies. But even then, Cisco almost certainly should have known about it. They at least have the resources to ID things quicker than this. I'm already having to run a total outage, a mostly outage, and 30+ individual site outages tonight, I would have liked to not have to (potentially) do poo poo on the weekend for once.

# Sep 26, 2014 06:03

All Checkpoint firewalls as well are vulnerable. Though if you restrict your source IPs for management, you're okay. They have a patch out as well already.

# Sep 26, 2014 06:45

Does anyone have a recommendation for any device (preferably a full firewall) that has full RSA integration? That can pop up a splash page with login and things for next pin, reset pin, create pin, etc.?

# Oct 6, 2014 16:13

H.R. Paperstacks posted: Are you looking to use RSA for management of the firewall or authenticate VPN connections? Auth for inbound connections to private public facing IPs for Web, FTP, SSH, etc. that doesn't go via our VPN. Firewall functionality is more a perk as we need a new pair of Non Checkpoint firewalls to replace the CPs in that zone.

# Oct 6, 2014 20:37

ior posted: Out of curiosity - why replace Check point? That's a much nicer way of asking that than I did. It probably would have gotten about the same amount of non answer that I got though. H.R. Paperstacks posted: For instances like that, you would install the RSA agents on the systems, not the firewall. The firewall would just handle the standard src/dst filtering, the actual authentication is going to be handled by the system itself. We must proxy it through a "Pane of glass".

# Oct 6, 2014 20:55

Auth at the device and then something with it, the RSA internal service, and Ping Federate are all working together or something to pass the authed user into the destination. I'm not actually the one running the whole idea, just got asked if I could find out about such a firewall device. Right now these pages are authing inside and are privatized by whitelisting IPs, which isn't really ideal.

# Oct 7, 2014 10:52

Funny, that's exactly who they were calling this morning. I'm trying to just stay out of the way of this now so I don't end up in the blast zone when this idea blows up.

# Oct 7, 2014 15:48

H.R. Paperstacks posted: Yeah, I could be misunderstanding him as well, but to me it sounds like he wants to perform authentication at the firewall, and if successful, be forwarded on to the actual system hosting the destination service. Are the services behind set up without any authentication mechanism of their own? I could see that with HTTP/HTTPS but not SSH/FTP like he mentions, since you have to provide UN/PW/keys for authentication on the system hosting the actual destination service as well. Inet -> Firewall -> Proxy -> Web Portal. At present the firewall is just whitelisting IPs who are permitted to get to the proxy. The proxy does absolutely nothing besides relay the webpage. The user sends their creds (u/p for now), and then gets whatever access on that login. The desired end state is to have RSA integration at a higher point so we can remove the whitelist. With what's in place/designed so far for that it's basically the same pathway as above, with the proxy being a Fortiweb. The Fortiweb can do RSA authing, but its authing is limited to sending the auth request to the RSA server, getting the yea verily, and then passing them to the portal, where they have to login again because Fortiweb isn't tagging the username along with the request. This is all for our userbase who do not use the VPN to log in because they

# Oct 10, 2014 16:54

Richard Noggin posted: You'll need a USB-->Serial adapter to plug into the console cable that they give you. On the topic of these, has anyone else run into an issue with these where they'll work for a bit, then just completely stop? My old laptop, it would work for 5-10 minutes, then console would stop working, if you reseated the USB portion, it would remove it from devices and not even acknowledge it was connected until a reboot. On my new one, I'm lucky if I get 30 seconds of console before it happens.

# Nov 24, 2014 17:50

FatCow posted: Giving Huawei money is literally supporting the theft of American IP. Also there is a very high likelihood that you'd be installing a backdoor into your network.

# Jan 12, 2015 15:10

Anyone seen any oddities between Cisco 2960 and Check Point, particularly a Power One? We can only get it up in half duplex 10Mb. No combination of force setting and/or auto detect is working and just shuts down the interface in any other configuration.

# Mar 30, 2015 21:34

ior posted: Not really. Do keep in mind the Power-1 is a X86 server running Linux with Intel NICs. Log in to expert mode and use ethtool to make sure the NICs are set up properly. Found the issue. The cross connect between the two goes from copper to fiber to copper. The converters were inexplicably set to 10meg by Equinox.

# Mar 31, 2015 20:26

ior posted: It's always the firewall's fault! From experience I usually assume it's a Cisco problem. (Especially ASA)

Slickdrac fucked around with this message at 21:08 on Mar 31, 2015

# Mar 31, 2015 20:59

along the way posted: What is the best solution for a scenario where you need to establish a B2B tunnel with an outside vendor who needs a non-RFC 1918 from your end so that there isn't a conflict on their firewall with the private addresses of other companies they connect to? NAT your internal to the new public IP, as you say, using an ACL and just set the crypto map for their internal or NATted addresses. It will only go to the tunnel if it matches the Crypto Map ACL, otherwise it just goes to the internet. You should be able to use the same ACL for both the NAT filter and the Crypto Map. AFAIK, you can only apply the tunnel endpoint to an interface, so you'd have to make a different logical interface to tie it to, which it won't let you do unless you do some subnetting and break your public range into pieces. But you can NAT the traffic to the 2nd IP and not apply it to the interface and it should work providing your ISP is pointing the entire range down to your gateway.

# Jun 1, 2015 15:58

Bob Morales posted: I shouldn't have any problems with getting an IPSec VPN working site to site between two different vendors, right? (Adtran and Fortinet) In theory, no. But VPN is always a bastard that takes a bit of smacking around when you pair devices you've not done before. the real blah posted: This seems like the best thread for a network documentation question. Visio isn't too bad once you've put a few hundred hours into it. With multivendor, you're not likely to get a decent layout from any auto mapping device (especially with hosed configs/vlan), and depending on how anal you or your boss is on layout, it might be more tedious to edit what some tool spits out. You SHOULD be able to pull down configs at least from most with any non vendor specific config management software. You are running some sort of central login, I hope, worst case same local account? Nab a trial of a high end config manager if you need to, just make sure it allows enough devices.

Slickdrac fucked around with this message at 03:32 on Jun 15, 2015

# Jun 15, 2015 03:23

FatCow posted: Just applied for a /40 of IPv6 space from ARIN. Time to enter a completely new world of bugs. And exploits.

# Jun 21, 2015 01:20

Weatherman posted: Does longest-match prefix processing work in the following situation? Possibly confused trying to follow that, but if the upstream router does not have a direct connection, or a route entry in its table for the 10.0.199.0/24 network, it's not going to work. You can route a supernet to an address inside the supernet, but it needs to know how to get to that address first, otherwise it will just use whatever default route it has configured.

# Jun 25, 2015 15:19

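A toy model of the recursive lookup described in the reply above, added here as an example rather than anything posted in the thread: a supernet route whose next hop lies inside that same supernet has to be resolved through the remaining entries, so without a connected or more specific route for the next hop's network the packet follows the default route. Only 10.0.199.0/24 comes from the thread; the other addresses are constructed, and the resolution rule (an entry cannot resolve through itself) is a simplification of what a router does, not Cisco's implementation.

```python
import ipaddress

# Constructed routing tables: {prefix: next hop or "connected"}.
# Only 10.0.199.0/24 comes from the thread; the rest are assumptions.
WITHOUT_SPECIFIC = {
    "0.0.0.0/0": "192.0.2.1",      # default route via the upstream gateway
    "192.0.2.0/24": "connected",   # the upstream-facing interface
    "10.0.0.0/16": "10.0.199.1",   # supernet pointed at an address inside itself
}
# Same table plus a directly connected route for the next hop's own network.
WITH_SPECIFIC = {**WITHOUT_SPECIFIC, "10.0.199.0/24": "connected"}


def longest_match(table, dst, exclude=()):
    """Return (prefix, next_hop) of the most specific entry covering dst,
    ignoring any prefixes listed in exclude; None if nothing covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        if prefix in exclude:
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prefix, next_hop)
    return None if best is None else (best[1], best[2])


def resolve(table, dst):
    """Follow next hops until a connected network is reached.

    Returns (path, egress): the entries consulted in order, and the connected
    prefix the packet finally leaves through (None if it is unroutable).
    Entries already on the path are excluded when resolving their own next hop,
    so the supernet cannot resolve through itself; if nothing else covers the
    next hop except the default route, that is where the traffic ends up.
    """
    path, target = [], dst
    while True:
        match = longest_match(table, target, exclude=[p for p, _ in path])
        if match is None:
            return path, None
        path.append(match)
        prefix, next_hop = match
        if next_hop == "connected":
            return path, prefix
        target = next_hop


if __name__ == "__main__":
    for label, table in (("without 10.0.199.0/24", WITHOUT_SPECIFIC),
                         ("with 10.0.199.0/24", WITH_SPECIFIC)):
        path, egress = resolve(table, "10.0.50.7")
        print(f"{label}: egress {egress}, via {[p for p, _ in path]}")
```

Running it shows the destination leaving through the default's interface in the first table and through 10.0.199.0/24 once that route exists.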
Looking for some upgrade recommendations. We're looking to replace our 1 gig ASA 5525X with something 10gig, and preferably not the 50+K that Cisco wants for their 10 gig version. We're just doing basic ACL filtering on these ones, so usability is more important than features outside of at least 8 gig capable throughput. We've used Juniper as our 10G switch in places, but none of us have tinkered with a Juni firewall to know how usable it is. Only one of us actually is good at the CLI on the Juni switches, the rest of us are only capable enough to fumble around and get whatever working in 3x as much time otherwise. Right now we're looking at: Juniper, Cisco, and Checkpoint. We're also looking to replace our Pulse VPN device, and really coming up blank with options. Cisco is out due to conflicts of running two Anyconnects at the same time. Juniper is out since they split Pulse off and any issues would require hitting two teams then. And Checkpoint is out because we need multiple realms and two realms need to have multiple VPN Pools. The only thing we have right now to look at is F5, and in theory Juniper. All the needs we have in a VPN concentrator make this one hard.

# Jul 1, 2015 18:54

psydude posted: I thought Juniper was discharging its firewall branch? Are you sure you don't have that confused with them and Pulse (SSL VPN) splitting? Because seriously, WTF if they are breaking even more poo poo off.

# Jul 1, 2015 21:18

psydude posted: Hah dude, I routinely see mission critical firewalls running pre-8.4 code. Usually because the owners brought me in to update them to 9.X and migrate their configs in TYOOL 2015. I recently helped a large financial organization everyone is familiar with the name of to migrate off their PIX firewalls at HQ.

# Jul 9, 2015 04:18