BaseballPCHiker
Jan 16, 2006



Anyone here have much experience with the new SourceFire web interface? When I log in now and go to the summary dashboards I just see every metric as "loading..." and nothing ever displays.


BaseballPCHiker
Jan 16, 2006



Has anyone here ever enabled storm-control in their environment?

Doing some testing in the lab with it and having a hell of a time actually getting it to shut down a port at what appears to be the correct utilization of the interface. If I hard set an interface to have 30% upper and lower it seems like the switch will still go up to 99% CPU before it finally shuts down, taking a couple of minutes to shut down.

I think I have things set up correctly but just need to figure out the right parameters for traffic.

BaseballPCHiker
Jan 16, 2006



Does anyone have any experience with any ASA to Firepower migration tools?

I just tried the Cisco one and got 400+ errors from my uploaded config. I really, really, don't want to have to go through this line by line...

BaseballPCHiker
Jan 16, 2006



Ah hell I guess I've got a new project now. Hooray.... Although I read that I could still run ASDM code on it and that would buy me another couple of years but that seems like the lazy way out.

Anecdotally what have been your experiences with the Firepower firewalls? I've read a ton of negative stuff about them but it's hard to tell just how much of it is cranky people used to doing everything in ASDM. This rant I read actually had me slightly concerned:

https://www.reddit.com/r/networking...firepower_rant/

BaseballPCHiker
Jan 16, 2006



falz posted:

Sooo not yet but it will replace pix os. Is it an acquisition?

The way I understand it is that Firepower is both the module they bought that used to be SourceFire which was an additional IPS/IDS feature you could buy in the past and install in an ASA and now also the name of their next gen firewall devices.

From what I was told by our VAR you can buy the current generation of Firepower firewalls and still run the old ASDM code on them for another 3-4 years until they're unsupported. If it really is as awful as it sounds we may go that route and hope for improvements in a couple of years.

I'd be interested in taking a look at the Palo Altos but that would be such an uphill battle to fight to get a different vendor in here.

BaseballPCHiker
Jan 16, 2006



This is a fun bug!
https://www.cisco.com/c/en/us/suppo...42/fn64228.html

quote:

Field Notice: FN - 64228 - ASA 5506, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516 Might Fail After 18 Months or Longer Due to Clock Signal Component Failure

My boss buys most everything grey market and of course we don't have SmartNet on any of these. I get to look forward to replacing several ASAs in the next month...

BaseballPCHiker
Jan 16, 2006



quote:

It was almost certainly this. Some of those defective ASAs ended up in the grey market and you bought them.

Grey market comes back to bite us again. I wish my boss would just go with someone like CDW for all of this but instead he spends half his day shopping around for "deals". The worst part is that now when we do try and go through normal channels people will be shocked by the price.

BaseballPCHiker
Jan 16, 2006



I am definitely not a licensing hardware guy so please forgive my ignorance. Is the only difference between DNA Essentials and Advantage that I can make a device a layer 3 switch?

Besides some like obscure inventory benefits for whatever DNA is? I feel like I'm missing something major, and also feel like Cisco is jumping in full steam ahead to the byzantine world of Microsoft licensing.

BaseballPCHiker
Jan 16, 2006



Is there any real difference between optics? I was told they're all pretty much made in the same factory and just get slightly different software put on them?

I've always worked in places that cheap out on the optics and use the service unsupported-transceiver command.

BaseballPCHiker
Jan 16, 2006



I've got a very annoying problem that will be resolved with a code upgrade and reboot soon but in the meantime messages are spamming my syslog like crazy.

Specifically this message:
Local7.Notice x.x.x.x COUNTER: DATE TIME: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor x.x.x.x (VlanX) is up: new adjacency
Then the same thing with a is down: Peer Termination received

I've tried making a logging discriminator but can't seem to get the drat thing to stop filling up my syslog.

I tried this:
logging discriminator EIGRPMSG facility drops DUAL severity drops 5 mnemonics drops NBRCHANGE
logging console discriminator EIGRPMSG
logging monitor discriminator EIGRPMSG
logging buffered discriminator EIGRPMSG

If I do a show log I don't see the messages anymore but I still see them in my syslog. Do I need to do something else to stop these from getting sent out?

EDIT: Added logging host x.x.x.x discriminator EIGRPMSG thinking that would stop it from sending to syslog server but still no luck.

BaseballPCHiker fucked around with this message at 16:07 on Mar 11, 2019
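Receiver-side version of the same filter, as an added example that is not from the post: it parses the %FACILITY-SEVERITY-MNEMONIC header of the forwarded IOS lines, drops only DUAL-5-NBRCHANGE (all three clauses of the discriminator must match, so DUAL-3-SIA and other severity-5 messages survive), and keeps a per-neighbor flap count so the adjacency churn is still visible instead of silently discarded. The host addresses and sample log lines are constructed.

```python
import re
from collections import Counter

# Cisco IOS system-message header as it appears inside a forwarded syslog line:
#   %FACILITY-SEVERITY-MNEMONIC: message text
IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Neighbor details inside a DUAL-5-NBRCHANGE message body
NBR = re.compile(r"Neighbor (?P<peer>\S+) \((?P<intf>[^)]+)\) is (?P<state>up|down)")

# Constructed sample lines in the layout quoted in the post (hypothetical hosts).
SAMPLE_LOG = """\
Local7.Notice 192.0.2.10 1043: Mar 11 15:59:01.101: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.0.2.11 (Vlan20) is up: new adjacency
Local7.Notice 192.0.2.10 1044: Mar 11 15:59:08.442: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.0.2.11 (Vlan20) is down: Peer Termination received
Local7.Notice 192.0.2.10 1045: Mar 11 15:59:09.900: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.0.2.11 (Vlan20) is up: new adjacency
Local7.Error 192.0.2.10 1046: Mar 11 16:00:00.001: %DUAL-3-SIA: Route 10.1.1.0/24 stuck-in-active state in IP-EIGRP 10. Cleaning up
Local7.Notice 192.0.2.10 1047: Mar 11 16:00:30.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
"""


def parse_ios_message(line):
    """Return facility, severity (int), mnemonic and text, or None if no IOS header."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


def should_drop(msg, facility="DUAL", severity=5, mnemonic="NBRCHANGE"):
    """Same three clauses as the poster's discriminator (facility, severity,
    mnemonic). Here all three must match for a line to be dropped, so a
    DUAL-3-SIA message or a LINEPROTO-5-UPDOWN message is still kept."""
    return (
        msg is not None
        and msg["facility"] == facility
        and msg["severity"] == severity
        and msg["mnemonic"] == mnemonic
    )


def filter_syslog(lines):
    """Drop the noisy adjacency messages but count flaps per
    (neighbor, interface, state) so the instability itself stays visible."""
    kept, flaps = [], Counter()
    for line in lines:
        msg = parse_ios_message(line)
        if should_drop(msg):
            n = NBR.search(msg["text"])
            if n:
                flaps[(n["peer"], n["intf"], n["state"])] += 1
            continue
        kept.append(line)
    return kept, flaps


if __name__ == "__main__":
    kept_lines, flap_counts = filter_syslog(SAMPLE_LOG.splitlines())
    for line in kept_lines:
        print(line)
    for (peer, intf, state), count in sorted(flap_counts.items()):
        print(f"suppressed {count} x {peer} on {intf} {state}")
```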

BaseballPCHiker
Jan 16, 2006



Judge Schnoopy posted:

My project of pulling the networking team out of their CLIs isn't stressful at all why do you ask

I feel like I'm going to be one of the olds, blissfully pounding away at the CLI while some young whippersnapper does some fancy python poo poo to accomplish the same thing.

No I'm not bitter at all why do you ask?

Actually the last Cisco rep we met with mentioned that none of his clients are taking advantage of the new DNA Plus or whatever the heck it's called for full network programmability. Sometimes I think this is 90% marketing driven and sometimes I think I'm going to wake up one day without a job because I don't know python/jenkins/whatever.

BaseballPCHiker
Jan 16, 2006



I've got some new ASA 5506-X that I'm getting ready to configure and deploy. Looking at the code releases for them makes me a bit nervous. Their suggested release is 9.10.1 interim, but they also have 9.12.1 code available. Is anyone running these, what version of code are you using?

BaseballPCHiker
Jan 16, 2006



Got a user who is trying to do a bunch of video encoding that all goes into an old 3560X; despite the uplink being a two gig fiber port channel I see a ton of output drops on the physical interfaces. No QoS on the line, it's all multicast traffic from what I can tell, and it's only about 30 Mbps when the video is getting uploaded to the 3560X.

Am I wrong that this is probably just an issue with the CPU getting maxed out from bursty type traffic:

code:
        1 1 1        1    111     1111   1  1    1       1      11 111
    7777070707778877707777000787770000777077077880777768707777790070009777
    3383010000425444205443000071310000285014053400222394207164400060000895
100     * * *        *    ***     ****   *  *    *       *      ** ***
 90     * * *   *    *    *** *   ****   *  *    *       *     *** ****
 80   * * * *   **   **   *** *   **** ***  ** ***     * ** *  ***********
 70 **********************************************************************
 60 **********************************************************************
 50 ********************************************#*******************####*#
 40 ######################################################################
 30 ######################################################################
 20 ######################################################################
 10 ######################################################################
   0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
             0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%

BaseballPCHiker fucked around with this message at 17:28 on Apr 29, 2019
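Parser for the graph format above, as an added example that is not part of the post: it reads the stacked digit rows (hundreds, tens, units) for each hour's peak CPU and the '#' rows for the average bucket, then flags hours pinned at 100% and hours where the peak sits far above the average, which is the bursty pattern the question describes. The 7-column sample graph is constructed in the same layout; feed it the 72-hour section of a real show processes cpu history instead.

```python
import re

GRAPH_ROW = re.compile(r"^\s*(100|[1-9]0) (.*)$")
DIGIT_ROW = re.compile(r"[ \d]*\d[ \d]*")

# Constructed 7-hour graph in the exact layout of the 72-hour section quoted
# in the post: hour N is column N-1, columns start at string index 4.
SAMPLE = """\
      1  1
    7703800
    3400006
100   *  *
 90   *  *
 80   * **
 70 *** **
 60 *** *#
 50 **# *#
 40 ### ##
 30 ###*##
 20 ######
 10 ######
   0....5..
             CPU% per hour (last 72 hours)
            * = maximum CPU%   # = average CPU%
"""


def _cell(line, idx):
    """Character at idx, or a blank when the row was right-trimmed."""
    return line[idx] if idx < len(line) else " "


def parse_cpu_history(text):
    """Return [(hour, peak_cpu, avg_bucket), ...] for one graph section."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("100"))
    # up to three digit rows (hundreds, tens, units) sit directly above "100"
    digit_rows = []
    j = start - 1
    while j >= 0 and len(digit_rows) < 3 and DIGIT_ROW.fullmatch(lines[j]):
        digit_rows.insert(0, lines[j])
        j -= 1
    while len(digit_rows) < 3:
        digit_rows.insert(0, "")  # hundreds row may be absent or all blank
    width = max(len(r) for r in digit_rows) - 4
    graph = {}
    for line in lines[start:]:
        m = GRAPH_ROW.match(line)
        if not m:
            break  # axis line ends the graph
        graph[int(m.group(1))] = line
    samples = []
    for col in range(width):
        digits = "".join(_cell(r, 4 + col) for r in digit_rows).replace(" ", "")
        peak = int(digits) if digits else 0
        # '#' marks the average in 10% steps; the highest '#' row is its bucket floor
        avg = max((lvl for lvl, row in graph.items() if _cell(row, 4 + col) == "#"), default=0)
        samples.append((col + 1, peak, avg))
    return samples


def saturated_hours(samples, threshold=100):
    """Hours whose peak CPU reached the threshold (100% by default)."""
    return [hour for hour, peak, _ in samples if peak >= threshold]


def bursty_hours(samples, gap=50):
    """Hours where the peak sits far above the average bucket: short bursts
    pin the CPU while the hourly average stays moderate."""
    return [hour for hour, peak, avg in samples if peak - avg >= gap]


if __name__ == "__main__":
    rows = parse_cpu_history(SAMPLE)
    for hour, peak, avg in rows:
        print(f"hour {hour:2d}: max {peak:3d}%  avg >= {avg:2d}%")
    print("pinned at 100%:", saturated_hours(rows))
    print("bursty:", bursty_hours(rows))
```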

BaseballPCHiker
Jan 16, 2006



Why would Cisco Emergency Responder work with Catalyst 9300-9400s but not 9200s? I guess my question is what the hell is wrong with Cisco. Hopefully there is an early code release or something I can use to get these working.

BaseballPCHiker
Jan 16, 2006



Partycat posted:

I wouldn’t hold your breath on that - if the 9200 isn’t newer they don’t seem to go back and add things.

It’s not a very good program it just checks the “E911” checkbox for Cisco sales

Well bugger. I emailed our sales rep just to see if he had any inklings, but yeah probably a lost cause.

Bigass Moth posted:

What isn’t working, port location? You should be able to use subnet pools if that’s the case.

Bingo. Will have to set up with subnet pools as an alternate I guess.

Just doesn't make sense that they'd support 9300 and 9400s but not the 9200 within that same series of switches.

BaseballPCHiker
Jan 16, 2006



BaseballPCHiker posted:

Why would Cisco Emergency Responder work with Catalyst 9300-9400s but not 9200s? I guess my question is what the hell is wrong with Cisco. Hopefully there is an early code release or something I can use to get these working.

So put in a TAC case and asked our Cisco rep about this.

Basically they have no plans to support CER with 9200s. So we're using IP subnets which works for most of our sites, but we have a few places with different physical locations on the same subnet, which means we'll just have to manually add in phones there.

BaseballPCHiker
Jan 16, 2006



Partycat posted:

Happy Monday, happy Cisco

Introduction

This document applies to Cisco Emergency Responder, Release 11.5(4) SU3.

Cisco Emergency Responder release 11.5(4) SU3 supports the following new feature:

Supports Catalyst 9200 and 9200L models. For more information, see the Supported Voice-Ready LAN Switches section.

Woohoo!

One less thing to worry about. I wonder why TAC or our rep didn't tell us this was on the horizon...

BaseballPCHiker
Jan 16, 2006



Kazinsal posted:

It is. We've got a few servers at work running EVE-NG now because it was worth spending a few hundred bucks on licenses for that and a couple days building images for all the gear we regularly need to lab up instead of fighting with GNS3 or trying to get stuff set up in the back room all the time.

I will have to look into this because EVE-NG sounds like it would work really well for us. Currently I'm using my old Boson NetSim to lab as much as I can; it's not as bad as GNS3 but much more limited in its capabilities.

BaseballPCHiker
Jan 16, 2006



Anyone ever work much with CWDM fiber?

We're having a really strange issue, and I am not a fiber expert at all, with one of our fiber channels. It's the same dark fiber between multiple sites; all of a sudden it's like we were bleeding trunks and looped the network, storm control kicked in and shut off interfaces, and then everything came back up except for one specific 1390 wavelength.

My understanding is that those muxes are passive devices, there isn't much to them. Is it possible for them to go bad and like combine wavelengths somehow? Maybe just the optics got messed with, like they put on an OTDR to do testing somewhere and burned an optic? I'm at a complete loss.

BaseballPCHiker
Jan 16, 2006



I've also got a 3560 that sits outside in a metal box baking through the summer. It finally went down last week; when I investigated it wasn't the heat that shut it off. It was now apparently home to an ant colony...

I used an air compressor and blew a bunch of air through it and it's been fine since.

BaseballPCHiker
Jan 16, 2006



Eletriarnation posted:

Has anyone here ever had a TAC engineer actually refuse to provide support (or argue with you about it, at least) to a system with 3rd party optics when not seeing any symptoms pointing to the optics? I was a TAC engineer a while back and I wasn't told to do that, and I never saw anyone else do that. We were told to troubleshoot normally and only suggest swapping optics with a specific reason to.

I'm not saying it doesn't happen, there could be some policy for other products I didn't work with or things might have changed at some point, but curious to know if it's an "abundance of caution" thing or an "I've been burned by this" thing.

We've had this happen before, and to be fair to Cisco the optics that we were using definitely were at a very low power level; we'd get low threshold warnings quite a bit on the particular interface. Still they looked at that, the low power, and said fix that first. While it was an issue, it wasn't the issue, ultimately.

BaseballPCHiker
Jan 16, 2006



MF_James posted:

Can a cisco device syslog to the same IP twice but on different ports?

I have a want/need to condense 2 syslog "servers" (aka windows 7 workstations set up by my predecessor) and I'd prefer to just have one listen on something like UDP/1025 while the other listens on UDP/514, but I'm not sure if that will actually work; other option is obviously give the new VM 2 IP addresses and just have each one listen on its own IP.

Just my two cents since I did something very similar a few weeks ago.

I ended up giving the VM 2 NICs and having our syslog servers listen on both. I didn't spend a ton of time troubleshooting but I was never able to get the software to listen on different ports on 1 IP. This very well could have been a limitation of our syslog software but I didn't want to sink any more time on the project and the 2 vNICs have worked well enough. Your mileage may vary.

BaseballPCHiker
Jan 16, 2006



BaseballPCHiker posted:

Anyone ever work much with CWDM fiber?

We're having a really strange issue, and I am not a fiber expert at all, with one of our fiber channels. It's the same dark fiber between multiple sites; all of a sudden it's like we were bleeding trunks and looped the network, storm control kicked in and shut off interfaces, and then everything came back up except for one specific 1390 wavelength.

My understanding is that those muxes are passive devices, there isn't much to them. Is it possible for them to go bad and like combine wavelengths somehow? Maybe just the optics got messed with, like they put on an OTDR to do testing somewhere and burned an optic? I'm at a complete loss.

So this is from way back but thought I'd post an update.

Apparently the issue had something to do with a water peak on the fiber that affects that wavelength. The fiber put in was old enough that it was not "zero water peak fiber", which I had never heard of before and wasn't an issue until a fiber break by a contractor that got fixed added just enough attenuation that we started having issues.

The fix was having our vendor come out with an OTDR that could handle those wavelengths and basically clean each optic and end and splice point. At which point our levels went back up and we're now up and running and happy again. So an odd issue with a basic fix.

BaseballPCHiker
Jan 16, 2006



ragzilla posted:

The water peak refers to an increase in attenuation peaking around 1383nm from 1360-1460nm. Transmissions in this range will suffer attenuation similar to 1310nm at the peak.

https://www.fiberoptics4sale.com/bl...ater-peak-fiber

-edit-
This is incredibly common as a lot of the fiber out there is standard g.652, and not the more modern and exotic like low water peak and dispersion shifted (unless it's new longhaul intercity builds that use DS fiber to avoid doing DCM, but even that's less useful now with 200G+ superchannel OEO regen GMPLS networks).

I read the same link after our fiber management company was telling us about it. I honestly had no idea this was even a thing, but it made perfect sense to us as it was affecting the wavelengths that article mentioned.


Partycat posted:

Yeah if you spend for metrics on your big boy circuits do that. Cheap gear and optics leaves you with nothing which ... tells you nothing.

Water peak is a property of the cable though, so they likely just cleaned it all.

As we are pushing to 100G we are getting a rude awakening to the need to clean 20 years of garbage because we didn’t cap fibers, clean faces, and treat the glass carefully. Endface inspection is big, and finding scratched cores on panel connectors sucks if you need them reterminated.


falz posted:

Any cheap optic of any speed should have dom. As for gear, my assumption is juniper or Cisco (not Cisco by Linksys or whatever the Soho stuff is). Plenty of open source ways to trend this for free.

For 100g no different, if this is lr4 you should be able to get per-lane statistics pretty easily.

We've historically majorly cheaped out on optics here, alongside plenty of grey market switches, which is now coming back to bite us. Things have started to change for the better though once new management came in. We're now ordering optics with DOM, we actually got a cheap OTDR to do some basic diagnostics, got money to have a vendor come out and clean ends, etc. Plus later this year we should be making the switch over to DWDM from our old CWDM stuff.

I entered this job knowing nothing about fiber and just now am starting to feel like I have a reasonable idea of what's going on. It's really a whole new world.

BaseballPCHiker
Jan 16, 2006



What syslog software are you using?

What does your config look like for the ASA if you do a show run?

Did you specify an interface for the logging host? For example:

code:
logging host INSIDE 192.168.1.1 Port#

BaseballPCHiker
Jan 16, 2006



MF_James posted:


logging host inside 192.168.86.6


Try putting the port number at the end of that IP. Like: logging host inside 192.168.86.6 UDP/513.

I just fought a similar battle and am trying to look through my notes to figure out how the heck I got it working.

BaseballPCHiker
Jan 16, 2006



Here's hopefully a quick question.

About a year ago while we were doing an equipment refresh I made a point to enable bpduguard on all of our access switches to prevent some horrific episodes that have happened here in the past.

Well I finally had a port go err-disabled and had a heck of a time getting it back up. I had to remove the access and voice vlan from the port config, re-enable the port, then add the vlan config back. Is that the normal way of doing it or is there a quicker way?

Also the port in question was an end user bringing in some stupid android TV box thing that caused the port to shutdown. He's a firefighter and said he wanted it to play Kodi on overnight shifts...

BaseballPCHiker
Jan 16, 2006



Tried to look up the EOL date on a 2960CX earlier today and couldn’t pull up the page. Gave up and forgot about it, then my coworker had a hard time downloading something from the Cisco site. Forgot about that until we were coincidentally meeting with our Cisco rep this afternoon.

In his words: “Massive internal outage, heads are going to roll over this”.

BaseballPCHiker
Jan 16, 2006



You know what? I really hate ASDM on FirePowers. Actually I'm really starting to get sick of ASAs in general, seems like we hit a new bug every single week.

Anyway, not sure if this is a bug or something I broke but I'm guessing a bug.

Recently updated the certs on our ASA for our clientless SSL VPN connections. Just a simple cert update as ours was about to expire. Ever since, users can sign in, authenticate using Duo 2-factor, and see WebVPN bookmarks. But if they click on them the page opens a new tab and just fails. As far as I can tell this is some odd Java issue but I really don't know, and I've spent the past few hours banging my head against the wall trying to figure this out. I've opened a TAC case and will hopefully hear back soon.

In the meantime has anyone run into this before? I've checked our backup configs just to make sure nothing else has changed and I don't see anything besides the cert upgrade.

EDIT: I found the problem. ASDM, Remote Access VPN, Clientless SSL VPN Access, Portal Bookmarks, select Bookmark group, select bookmark, edit, uncheck "Enable SmartTunnel"

Wasn't found in the config; the preview on the send command shows ASDM deleting some temp file off of disk0: and creating a new tempasdm#### file to throw on disk0.

BaseballPCHiker fucked around with this message at 19:12 on Oct 30, 2019

BaseballPCHiker
Jan 16, 2006



We've got a pair of 2110s running right now in HA.

They'll probably be the last Cisco firewalls that ever run in this place. They've gotten so bad.

Palo Alto has a pretty great online demo/lab setup that we've been looking into. Probably the direction we'll go when it comes time to replace the 2110s.

https://portal.netdevgroup.com/learn/pan8-ce-pilot

BaseballPCHiker
Jan 16, 2006



This bug is getting exploited again, time to upgrade ASAs if you're being affected:
https://bst.cloudapps.cisco.com/bug...bug/CSCvi16029/
Good to know it wasn't hardware that was causing one of our ASAs to keep reloading.

BaseballPCHiker
Jan 16, 2006



This is a dumb question but I am willing to expose my ignorance to the people of SA.

What do people who run ASAs do for URL filtering?

We run ASAs at all of our sites, or a few firepower 2110s in ASA mode. More and more we need to make rules to allow stuff for Azure, AWS, etc which uses URLs instead of static IPs. From my limited poking around I've seen some people mention using RegEx expressions within the ASA and that may be what I end up having to do. We fully plan on switching from Cisco firewalls to Palo Altos come our next refresh, and those appear to allow URL based rules right out of the box. So I really only need to come up with something that will make it the next 2 years.

BaseballPCHiker
Jan 16, 2006



GreenNight posted:

Cisco Umbrella. It works amazingly well.

I misspoke or am not understanding. Not really URL filtering that I need but rules based on URLs instead of IPs.

Like allow from this URL to this host in DMZ based on these ports, etc, etc.

Although we are supposed to get a year of Umbrella free coming up through our VAR, so if it's something I can leverage to accomplish this then that would be great.

BaseballPCHiker
Jan 16, 2006



Thanks Ants posted:

Could you do filtering by URL on traffic coming *from* Azure, though? If you had a reverse DNS you could match on then you'd also have a static IP address and could just use that in your rule, perhaps I'm missing something.

Maybe look at ExpressRoute?

The issue, as I understand it, is that traffic coming from Azure/AWS can be a huge range of IPs. Whichever cloud vendor we're working with that's using Azure/AWS can move their service to different regions or have different source IPs on any given day as they make changes to their environment. So if we do a DNS lookup and get an IP to base a firewall rule off of, that same vendor could have a different IP the next day.

Maybe something like ExpressRoute or AWS Direct Connect would work though depending on the cost.

BaseballPCHiker
Jan 16, 2006



Sepist posted:

If you're using the ASA without FirePower you would have to use regex strings attached to a class-map attached to a policy-map

Ended up going this route for now. It does what we need it to do. Thanks for the tip.

BaseballPCHiker
Jan 16, 2006



This isn't really a bug but I've still found it annoying:
https://bst.cloudapps.cisco.com/bug...894/?rfs=iqvred

After the CDPwn exploit we pushed out new firmware (12.7) to our phones. With the new firmware comes a feature called "lower your voice" where a little cartoon guy pops up shushing the user telling them to pipe down. Info here:
https://www.ciscolive.com/c/dam/r/c...BRKUCC-2050.pdf

As of right now there is no way to globally disable this in call manager. Our helpdesk is getting a bunch calls from loudmouths asking to turn it off.

BaseballPCHiker
Jan 16, 2006



My best asset as an IT person has been never being afraid to be the stupid person because thats how I learn best, trying/failing/repeat. In the spirit of that I have a question for the network people here.

I'd like to start rolling out Cisco's config archive and rollback feature on new devices we deploy. If I'm understanding it correctly I can specify a path to save configs to using TFTP. We already have that infrastructure in place for our nightly config backups, so it should be pretty easy for me to make a new folder to save these archives to.

If I understand correctly once I have devices saving archives via tftp we can remotely start working on a device, issue a revert 20 or something, and if we totally hose things up the switch will revert back to its previous archive.

How would that work though if you truly mess something up? For example, you start working on a switch, do a revert 20 command, then while pruning a trunk you forget to do 'allowed vlan add' and just do 'allowed vlan'. In this case the switch has lost connectivity back to the tftp server so how is it getting its old archived config?

Am I better off setting up the archives to be saved locally? Then still have our nightly config backups run via tftp?

BaseballPCHiker
Jan 16, 2006



Yeah as I was looking into it more saving the archives locally looks to be the best way forward for us.

That way if a device gets foobared it can just revert to the archive stored locally. That plus the tftp config backups nightly ought to cover us.

BaseballPCHiker
Jan 16, 2006



I just upgraded code on a bunch of 5515 ASAs to what is supposedly the last major revision.

How bad are the 2110 series FirePower/SourceFire/AMP/WhateverTheFuck now? When I last looked into them they seemed pretty universally reviled. We'll be doing replacements of these 5515s within the next year or two and are strongly considering Palo Altos as well.


BaseballPCHiker
Jan 16, 2006



Charliegrs posted:

For a Cisco 3702 AP the default mode is lightweight AP right? I have an RMA unit Cisco sent me hooked up the same switch port as the old unit and it has a pingable IP but the drat thing will not talk to the WLC. I ran capwap and cert debugs from the controller and I see no traffic whatsoever from this AP. I'm wondering if maybe the unit isn't in LAP mode?

Lightweight sounds correct to me.

I've had some success consoling into those APs and running a clear capwap ap all-config to get them to reset and finally talk to the WLC.

Also now that I think about it, check for any weird DHCP options you may have set for the network the AP is going into. I feel like there were some phone DHCP options we had set for a subnet that didn't seem to play nice with a couple of 3702s. I'll have to go back and dig up the tickets and look.
