Jedi425
Dec 6, 2002

THOU ART THEE ART THOU STICK YOUR HAND IN THE TV DO IT DO IT DO IT



Powercrazy posted:

Does anyone actually use Ciscoworks?

If by 'use' you mean 'rue the very existence of', we do. It's actually supposed to be the way us NOC guys check configs and such, but half the time we can't get into anything, and the other half we can't find what we need in all the badly written menus. It's apparently memory-leaky as gently caress too, from what the guys administering the server tell us.

Thank god I passed my CCNA, time to get out of this place.


Jedi425
Dec 6, 2002

jwh posted:

It's dumb, bad, terrible terminology that Cisco desperately needs to stop using.

gently caress yes. I'm studying for my CCNP Firewall right now, and that poo poo is stupid.

Jedi425
Dec 6, 2002

bort posted:

Run multiple version 8 point releases in production and we'll discuss stupid.

I'm about to. I work at a big hosting provider, and we're about to start selling ASA-Xs. Alongside ASAs running pre-8.2. Alongside PIXes.

Jedi425
Dec 6, 2002

Nebulis01 posted:

I recently moved into a new environment that's running all Cisco 3750/2960 for their switching and an ASA5510 firewall and 2800 routers. My previous environment was Dell switches and PIX 515E and 2600 series routers. I'm looking for a book, or website that can help me better understand the ASA and any differences between the 2600 and 2800 series routers.

What code version is it running? Post-8.4 code introduces some very different syntax for NAT.

Jedi425
Dec 6, 2002

abigserve posted:

I've got three ASAs to update on Tuesday, and I'll be doing all our other firewalls that don't run IKE later in the same week. poo poo sucks, of course it happens before my project to re-do our ipsec topology removes the need for them.

As I've posted before, I work for a company that hosts, lets say, a 'fuckton' of ASAs. Many of them are pre-8.3 code. All of them need to be updated.

The first batch update is tonight. My night off.

I feel like I just became the lead character in the Cisco version of Final Destination. Like the updates are going to find me.

Jedi425
Dec 6, 2002

Antillie posted:

I am fairly certain that the issue applies even if you don't have any sort of IPSec VPN configured on the ASA, as the advisory on Cisco's website does not list any workarounds (like disabling ISAKMP): https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

I upgraded three ASAs from pre 8.3 to 9.1(7) on the fly today for different clients. The first wave of mass upgrades starts tonight. Much like Jedi425, we have a "fuckton" of these things deployed, with a pretty diverse spread of code versions. Fun times.

Yeah the way it was told to me was: "Do a 'sh run | i crypto-map', did you get output? If so, you're hosed."

Jedi425
Dec 6, 2002

falz posted:

Enjoy upgrading ram and flash on most of those so you can upgrade.

Amazingly, only about 10% of the total set needs hardware upgrades, looks like. That's still a huge mess of ASAs, but not as bad as I'd expected.

Other fun bugs so far:

-Customer had a '!' in the middle of their PSK for a VPN. When upgrading from 9.1(6) to 9.1(7), the '!' just vanished. The key on both sides of it was there, the rest of the config was there, just no '!'. PSK mismatch, tunnel down, mass hysteria.

-Another customer had a NAT statement translating both local and remote subnets for a VPN that covered a private /16 that overlapped all of their segments. This broke the hell out of their ARP cache (as the ASA apparently tried to route everything through this NAT, and discarded ARP requests/replies for that /16 as they came in from the actual servers).


And not a bug, but a possible ITW version of the exploit: we've found a handful of ASAs that suddenly, in the last 24 hours, picked up local user accounts named 'Administrator'. Our TACACS accounting didn't pick it up when added. Check your local user config lines; the user is added without privileges (plus if you're only using LOCAL as a fallback they still have to break your primary AAA), but that still gets them into your Client VPNs if they manage to read your PSKs out of the running-config.
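A config-audit script, added here as an illustration and not something posted in the thread: it takes a saved 'show running-config' capture and flags the things this post and the earlier one describe, namely crypto map lines (the 'sh run | i crypto-map' exposure check), local username lines that are not on an expected list, and, from the TCP-syslog gotcha raised later in the thread, TCP syslog collectors configured without logging permit-hostdown. The sample config, hostname, addresses and allow-list are constructed.

```python
"""Offline audit of a saved Cisco ASA 'show running-config' capture (constructed
sample below): flags crypto maps, unexpected local users, TCP syslog risk."""
import re

# Constructed sample capture; hostname and addresses are made up.
SAMPLE_CONFIG = """\
hostname asa-edge-01
username netops password ***** encrypted privilege 15
username Administrator password ***** encrypted
aaa authentication ssh console TACACS+ LOCAL
logging host inside 10.10.5.20 tcp/1470
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map interface outside
"""
# Local accounts that are supposed to exist (hypothetical allow-list).
EXPECTED_LOCAL_USERS = {"netops"}
USERNAME_RE = re.compile(r"^username (\S+)(?:\s|$)")
TCP_SYSLOG_RE = re.compile(r"^logging host (\S+) (\S+) tcp/(\d+)")


def audit_asa_config(config_text, expected_users=EXPECTED_LOCAL_USERS):
    """Return a structured summary of the three checks."""
    result = {
        "crypto_map": False,       # any 'crypto map ...' line present (IKE in use)
        "local_users": [],         # every local username, in config order
        "unexpected_users": [],    # usernames not on the allow-list
        "tcp_syslog_hosts": [],    # collectors reached over TCP
        "permit_hostdown": False,  # 'logging permit-hostdown' configured
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypto map "):
            result["crypto_map"] = True
            continue
        m = USERNAME_RE.match(line)
        if m:
            result["local_users"].append(m.group(1))
            if m.group(1) not in expected_users:
                result["unexpected_users"].append(m.group(1))
            continue
        m = TCP_SYSLOG_RE.match(line)
        if m:
            result["tcp_syslog_hosts"].append(m.group(2))
        elif line == "logging permit-hostdown":
            result["permit_hostdown"] = True
    return result


def findings(summary):
    """Turn the summary into the lines you would put in the ticket."""
    out = []
    if summary["crypto_map"]:
        out.append("crypto map configured: IKE is in use, schedule the IKE fix first")
    for user in summary["unexpected_users"]:
        out.append(f"local user '{user}' not on the expected list: verify who added it")
    if summary["tcp_syslog_hosts"] and not summary["permit_hostdown"]:
        hosts = ", ".join(summary["tcp_syslog_hosts"])
        out.append(f"TCP syslog to {hosts} without 'logging permit-hostdown': "
                   "the ASA blocks new connections if the collector goes down")
    return out
```

Run it against a capture taken before and one taken after a change window and diff the two summaries; a local user that appears in the second capture without a matching TACACS accounting record is exactly the case the post describes.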

Jedi425
Dec 6, 2002

Anyone who has been lamenting converting to post 8.4 code (don't judge, this is IT, I saw an ASA today in 7 code), Cisco has released an interim 8.2.5 patch that will fix this CVE. It's 8.2.5(59) or something like that. They released it sometime last night with no fanfare or warning. Patch now and convert later. We've seen more devices get hit with exploits today.

Release Notes.

Jedi425
Dec 6, 2002

I know in my limited experience with them the Brocade switches are generally solid products.

Now, if the guy offers you an ADX, you make him pay you.

Jedi425
Dec 6, 2002

Eletriarnation posted:

For CCNA it's relatively easy because there's one official book that covers the whole thing. There are some free materials out there too but they're more likely to be on a topic by topic basis - most people who put together a full course guide seem to want to get paid for it. I also enjoyed the Sybex guide written by Todd Lammle when I was working towards the CCNA and it seemed like a good number of people preferred it to the official one. Make sure that anything you buy is for the most recent version of the test, though - they usually change the test number for a new revision, so just be sure that matches.

If you specifically want ASA knowledge you may need to work towards the CCNA Security since the classic cert is just for the fundamental routing and switching topics. Having that basic R&S knowledge will help you with any networking task though.

It's worth noting that the CCNA Security (at least when I took it in the previous revision) is very heavily focused on the GUI Cisco pooped out for the ASA, the ASDM. If you're hoping to get a ton of ASA-applicable command-line knowledge from studying for the CCNASec, welp. I'd like to think the ASDM has gotten better since the last time I looked at it, but I'm not hopeful.

The good news is a lot of the basic stuff you'll learn in the CCNA will apply to the ASA; there are just a lot of weird little differences in the syntax and such, because the ASA doesn't run IOS, it runs its own thing. For example, ASA Access Control Lists use subnet masks, not wildcard masks like IOS ACLs do. Why? 'gently caress you, that's why' is the best answer I ever came up with.

(The real answer probably has to do with how Cisco bought the company that made the firewalls that later became the ASAs and just borrowed their code wholesale or something, but I don't know.)

Jedi425
Dec 6, 2002

Fudge posted:

Anyone ever seen someone manually load geographically based IP ranges into an ASA to block access from certain countries plus any known bogons? And does Firepowers geo location database work pretty well for blocking access from countries of your choice?

As a side note... Is geo ip blocking even worth a poo poo?

At my work, customers ask us to do geo-blocking on ASAs all the time. We do it the first way you mention; we have object-groups pre-written for all the classics and we update them periodically. I haven't used Firepower's geo-ip functions, so I can't speak to that.

In my own, likely poorly-qualified opinion, geo-blocking is poo poo. It's poo poo because with IPv4 scarcity where it is, you will probably have blocks moving from place to place as people buy/sell IP space, which means those manual groups have to be updated regularly or you end up potentially blocking desired traffic. It's poo poo because it doesn't stop attacks from determined bad guys at all; if they have even an eighth of a brain, they'll just buy time on a botnet composed of IPs in another region, or on AWS in some other region, or some other Cloud provider with data centers worldwide, probably with a stolen credit card they bought for pennies on the dollar. And it's poo poo because it, like so many firewall-based security solutions, is only as good as the hardware you run it on. I don't care how big your list of blocked regions is, all you're buying yourself is a DDOS when whoever wants to gently caress with you decides to SYN flood your goddamn ASA 5505 that you refuse to upgrade, because the firewall still has to process those packets against your now bloated million-line ACLs.

EDIT: Glad to see someone beat me to the same answer.
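One way to keep those hand-maintained geo/bogon object-groups from bloating, added here as an illustration and not code from the thread: collapse the feed's prefixes before emitting ASA object-group syntax, so each refresh produces the smallest ACL that still covers the list and the group is regenerated rather than appended to as blocks move. The prefix list, group name and ACL name are constructed.

```python
"""Generate an ASA network object-group (and the ACL line that uses it) from a
prefix list, collapsing adjacent/overlapping blocks first so the ACL stays short.
The sample prefixes are constructed from documentation and private ranges."""
import ipaddress

# Constructed sample feed: overlapping and adjacent blocks a geo-IP list might hand you.
SAMPLE_PREFIXES = [
    "192.0.2.0/25", "192.0.2.128/25",       # two halves that merge into 192.0.2.0/24
    "198.51.100.0/24", "198.51.100.64/26",  # second is already covered by the first
    "203.0.113.0/24",
    "10.0.0.0/8",                           # stand-in for a bogon entry
]


def collapse_prefixes(prefixes):
    """Return the minimal sorted CIDR set covering every input prefix."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_object_group(name, prefixes):
    """Emit 'object-group network' config lines; the ASA wants dotted subnet
    masks here, not the IOS-style wildcard masks."""
    lines = [f"object-group network {name}"]
    for cidr in collapse_prefixes(prefixes):
        net = ipaddress.ip_network(cidr)
        if net.num_addresses == 1:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def build_block_acl(acl_name, group_name):
    """The deny that goes at the top of the inbound ACL ahead of the normal permits."""
    return [f"access-list {acl_name} extended deny ip object-group {group_name} any"]


def savings(prefixes):
    """How many network-object lines the collapse removed for this feed."""
    return len(prefixes) - len(collapse_prefixes(prefixes))
```

Every ACE still costs lookup time on the box, so the collapse shrinks the list but does not change the point made above that the firewall has to evaluate each packet against it.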

Jedi425
Dec 6, 2002

CrazyLittle posted:

I think if I saw that at a customer site, I'd immediately turn out the door and take up smoking.

Oh god, I just saw the Netgear labels.

I mean, sure, it's just for management, but still, gross.

Jedi425
Dec 6, 2002

Contingency posted:

ASA VPN tunnels are built on demand. Receiving a VPN encrypt subtype drop message is expected behavior when there isn't a currently active SA. If you do see that subphase, you've sent interesting traffic which will kickstart the tunnel generation process. You should run packet-tracer 5-10 seconds later to see if the result changes from drop to allow.

If it doesn't, you need to run a debug and pay close attention to the SA in question, not any SA, as establishing a SA between your network and remote network A doesn't automatically include remote network B. Phase 2 errors to look for if your side initiates the tunnel:
Invalid ID info: network mismatch.
No proposal chosen: phase 2 settings mismatch (hashing, encryption, etc). This is unlikely to happen on a tunnel with an already working SA.

If there is a network mismatch, people are bad at ASAs and can't provide correct information. Having them initiate tunnel generation while you run a debug will allow you to observe the networks they are proposing in their SA (look for "proxy") and has the advantage of performing hole matching on your side, so you can verify it is being matched to the correct VPN (overlap scenario like Sepist proposed).

If you've verified a SA can be established using the new network (the second packet-tracer run would confirm), things to check on your side:
1) sysopt connection permit-vpn--if it's disabled, you need to have an ACL entry for their incoming traffic. You will see decaps on the SA stats even if the traffic is dropped by your firewall.
2) Is traffic from your side being routed to the ASA? Run something like "telnet 10.2.2.2 445" on your host (anything that causes a successful connection timeout rather than a fast fail) and see if it makes an entry in your connection table. If not, you should run a traceroute on your host. Remember, VPN traffic is encrypted, so if you see Internet hops, your traffic isn't encrypted/on the VPN. If they send you TCP traffic, a good hint that your reply traffic isn't making it back to them is checking the connection status--I believe an incomplete handshake originating from their side would be SaAB.
3) If you are seeing a VPN subtype phase when testing you>them traffic packet tracer, your NAT is probably set up correctly, but it wouldn't hurt to see if there are any NAT statements in place for remote network A that aren't in place for B, and at the appropriate priority.

Protip when debugging if you have multiple VPN tunnels:

debug crypto condition reset (this clears the filter)
debug crypto condition peer A.B.C.D (this filters by the peer IP of the VPN you're working on)

Jedi425
Dec 6, 2002

psydude posted:

You should be able to request 6.0 as the base image on your RMA boxes.

BTW, 5500-Xs are going end of sale and are going to be replaced by a new line of small firewalls, the 2100s. ASA operating system is going away completely, and all VPN features (including AnyConnect) should be migrated to FXOS by Q3.

Considering how much time I spend on ASAs, I'm very fine with this. Death to the ASA OS.

Jedi425
Dec 6, 2002

Kazinsal posted:

What the unholy gently caress

Probably works at a big hosting provider or colo or something, like me, though as far as I've heard we only have a handful of 5508-Xs in use; we mostly pushed people to the 5515-X as our entry level. Whatever the case, godspeed, 5508 guy. Godspeed.

Jedi425
Dec 6, 2002

tadashi posted:

I have a Cisco ASA 5510 with primary and secondary internet connections configured and connected. Should I be able to pass packets on the secondary connection to devices in my network (assuming they are set up correctly) even while I'm using the primary internet connection? I thought this worked in the past but I'm not able to do it at the moment. The gateway device for the secondary connection is up.

How is your routing set up? If you only want to hit some specific subsets over the secondary, just slap a static route on there for them and specify the secondary interface.

Jedi425
Dec 6, 2002

GreenNight posted:

God damnit.

Great. Wonderful. At least we have all the automation we used the last time we had to reboot or patch thousands of ASAs.

Jedi425
Dec 6, 2002

I had an HA pair of ASAs go so wacko on me I feel like the only way I can explain it is to the tune of the Gilligan's Island theme song.

So, sit right back and I'll tell a tale,
A tale of two ASAs!
Who after a minor code update,
Fell into a malaise.

The active member of the pair,
He worked without a hitch.
The standby peer, though online still,
Became a total bitch.

Oh, the standby IP pinged away,
Through SSH, logged in.
Though TACACS gave the enable prompt,
No command auth was within!

The admin sat upon the prompt of this busted ASA,
With no commands!
No show run too.
Show interface, oh, yeah right.
Not even quit,
Nor exit nor log off ran!
All "command authorization failed!"



Yes, you heard me, the thing would log me in against our TACACS system, give me enable, and then fail command authorization for any command. I couldn't even exit the drat prompt. The active peer? Totally fine, not a hitch. I cannot wait to hear back from Cisco on this TAC case.

Jedi425
Dec 6, 2002

Fun facts about the ADX:

-Before 12.5 firmware, High Availability setups didn't sync the full configuration. Notably, you had to manually copy SSL certs/keys/profiles to both units. If your co-worker wasn't paying attention when he or she added an SSL profile to the primary unit, you'd end up with a lot of broken sites in a failover scenario.

-When TLS rollout became a Big Deal after Heartbleed and all that mess, it took Brocade something like a year (?) to release firmware that supported higher-end ciphers. This is because (I was told) the ADX is built on some kind of godawful PowerPC chip, and they literally could not find anyone who knew how to code on it anymore.

-Speaking of bad chips, the SSL accelerator on the ADX is so lovely that the loving thing could barely do upward of like 200 TPS or some god awful number when they first rolled out the new EC ciphers. They had to add code so that new ciphers used the regular processor cores in addition to the SSL processor to get decent TPS out of it.


Basically if the ADX is dead, I will dance on its grave.

Jedi425
Dec 6, 2002

ate poo poo on live tv posted:

Have there been any advancements in load-balancing specifically SSL Termination/Offload?

We've looked into f5 and they claim they can do around 400k SSL cps with their BIG-IP i5800, but I feel that is too low for our peak traffic and I'm afraid of what will happen if we exceed the LBs.

What are other people doing for large amounts of SSL traffic?

I can tell you from experience that what happens when you exceed your configured maximum SSL TPS on an F5 (afaik the max value an F5 will take is a license thing and a hardware thing) is that the connections just start getting dropped. It does tell you it's doing it in the logs at least.

Jedi425
Dec 6, 2002

So at $NewJob we're swapping out a bunch of end of life Nexus 5010s and FEXs, and to replace the FEX units' 1GB ports we're standing up a stack of 3850s, each with a 4-port 10G fiber module for uplink. One of them wouldn't light... until we started to unscrew the module to swap it out. Tighten it down, everything dies. Loosen it up, the ports light up. We're replacing the chassis because that's stupid, but all the same. Anyone seen this before?

Cisco: it only works when you don't secure it.

Jedi425
Dec 6, 2002

Docjowles posted:

I'll cop to never having used FC of any kind, including Brocade, so I can't speak to that. Their Ethernet switching and routing, though,

The happiest moment in my career so far was in my last job switch, knowing I'd never have to work on an ADX (the Brocade load balancer, basically a dollar-store F5 LTM but somehow even worse) again. I almost want to buy one to take out to the desert and shoot. gently caress those things.

Their FCs were solid as hell, though. I'll bet places I worked at 10 years ago are still running those things without a blip.

Jedi425
Dec 6, 2002

Thanks Ants posted:

I haven't seen anything that requires a switch to be reloaded other than a software update. Perhaps if you were changing stack topology then you would, but something basic like a hostname won't involve any downtime.

Yeah, if you are renumbering switches in a stack, you have to reload them. License changes typically also require a reload.

Jedi425
Dec 6, 2002

uhhhhahhhhohahhh posted:

I have to look after a cluster of 5525Xs and they're such loving garbage. It just inexplicably stops forwarding traffic if one specific firewall becomes the master, but it works fine when it's not. Also gently caress ASDM forever.

Check the syslog settings. Are you forwarding syslog to a TCP port? If the host is unreachable, the ASA stops forwarding. Could be you have some kind of issue reaching it from one and not the others?

Jedi425
Dec 6, 2002

uhhhhahhhhohahhh posted:

Syslog is UDP and it's done over the OOB management, so it's always reachable. We also only recently got a SIEM anyway and it was happening before.


All the documentation for clustering on ASAs is filled with notes saying TAC don't support this configuration at all. My boss wanted it this way for zero reason; we gain nothing doing it this way over an HA pair because our internet connections are 1gig and we can't active/active them either. He knows that because he was on all the same phone calls as me with our ISP saying we couldn't do that, but acts surprised 1+ years later when it's ever mentioned they aren't active/active or I have to correct him on a phone call.

Also, the audacity on you to assume we pay for TAC, or even software updates, on our edge firewall.

Sorry for your loss, I guess. I only mention the syslog thing because it's caused massive production network failures at two jobs in a row.

Jedi425
Dec 6, 2002

So I'm going to be starting a new job shortly that will make use of Aruba hardware (specifically their mobility controllers and possibly ClearPass), which I don't have any experience on. Any good literature out there to familiarize myself with them, or am I stuck with the company's website?

\/\/\/ EDIT: Thanks, Thanks Ants.

Jedi425 fucked around with this message at 18:57 on Apr 12, 2021


Jedi425
Dec 6, 2002

GreenNight posted:

Supply chain issues with Cisco switches is eating my rear end. Meraki or Cisco, maybe 4 months out? So I'm setting up a stack of old rear end 3560-X series switches for a new office because we're bringing everyone back, yipee.

Yeah I'm on a project right now where they still haven't finalized the POs, and they think we'll have the hardware on site in 4-8 weeks from when they do. I'm guessing they'll be lucky to see these 9300s this side of Thanksgiving.
