
XenServer and Multicast with IGMP support

December 20th, 2010 | No Comments

Today I tried to add a virtual Terminal Server running on XenServer to an NLB cluster. The existing NLB cluster contained only physical servers. When the virtual server was added to the NLB cluster with the NLB manager, it lost all IP communication: it wasn’t possible to connect to or from the server. Together with the system administrator, I searched multiple forums and we found the solution to the problem.

It looks like XenServer doesn’t support multicast by default, because of the bridge design of the network interfaces. We found an interesting article on the internet to enable multicast on the virtual interface.

In the end we took the following steps to enable multicast support on the virtual interface of the XenServer.

  1. Install the XenServer tools on the virtual server;
  2. Execute the ifconfig command, as shown below, to enable multicast on the virtual interface;

# Retrieve the DOMID of the virtual server
xe vm-list name-label=<VMNAME> params=dom-id

# Enable multicast on the virtual interface of the virtual server
ifconfig vif<DOMID>.0 multicast

We restarted the virtual server and the DOMID changed, but multicast with IGMP support was still working and the server was still part of the NLB cluster. The system administrator will do some more testing and he will try to add another virtual server to the NLB cluster.
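Because the DOMID changes on every restart, the VIF name has to be resolved from the VM name each time. The script below is an added example (not from the original post): it parses the xe dom-id output, checks whether the VIF already carries the MULTICAST flag, and only then calls ifconfig; the vif<DOMID>.0 naming and the sample outputs are taken from the post or constructed.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the dom0 VIF name of a VM
# from `xe vm-list name-label=<VMNAME> params=dom-id` output and test whether
# the interface already carries the MULTICAST flag before touching it. The post
# notes that the DOMID changes on every VM restart, so it is looked up fresh.
# Assumptions: the vif<DOMID>.0 naming from the post and the classic ifconfig
# flag line ("UP BROADCAST RUNNING MULTICAST  MTU:1500 ..."); samples constructed.

# Print vif<DOMID>.0 for the given xe output; fail if the VM is not running
# (xe reports dom-id -1 for a halted VM) or the field is missing.
vif_name_from_xe() {
    domid=$(printf '%s\n' "$1" |
        sed -n 's/^ *dom-id *( *RO) *: *\(-\{0,1\}[0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$domid" ] || return 1
    [ "$domid" -ge 0 ] 2>/dev/null || return 1
    printf 'vif%s.0\n' "$domid"
}

# Succeed when the ifconfig output for an interface shows the MULTICAST flag.
vif_has_multicast() {
    printf '%s\n' "$1" | grep -q 'MULTICAST'
}

# Look the VM up by name and set multicast on its VIF only when it is missing.
# Calls the real xe/ifconfig commands, so it only does something useful in dom0.
enable_vm_multicast() {
    vif=$(vif_name_from_xe "$(xe vm-list name-label="$1" params=dom-id)") || {
        echo "VM $1 is not running (no DOMID)" >&2; return 1; }
    if vif_has_multicast "$(ifconfig "$vif")"; then
        echo "$vif already has MULTICAST set"
    else
        ifconfig "$vif" multicast && echo "enabled MULTICAST on $vif"
    fi
}

# Constructed sample outputs for the checks below (not captured from a real host).
SAMPLE_XE_RUNNING='dom-id ( RO)    : 12'
SAMPLE_XE_HALTED='dom-id ( RO)    : -1'
SAMPLE_IFCONFIG_NO_MCAST='vif12.0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING PROMISC  MTU:1500  Metric:1'
SAMPLE_IFCONFIG_MCAST='vif12.0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'
```

Call enable_vm_multicast "<VMNAME>" from dom0 after each VM restart; the helper functions can be exercised offline with the constructed samples.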

Upgrading Cisco switch stack

December 15th, 2010 | No Comments

I always upgrade a switch stack with one single command. Last week I received a call from a customer asking about the upgrade procedure for a switch stack. The customer wanted to upload the image separately to every single switch. I told him that he could upgrade all switches at once.

Since I am “playing” with a Cisco switch stack of 9 Catalyst 3750X switches today, I will describe the upgrade procedure.

  1. You need to download the correct .tar image file;
  2. Copy it to the root of your FTP or TFTP server;
  3. Upload, extract and install the .tar file to the switches (I always use the /imageonly option, because I don’t need the html files for management);
  4. Reload the switch stack;

The command to upload and extract the .tar file can be found below:

sw-stack#archive download-sw /imageonly /overwrite /allow-feature-upgrade ftp://user:password@<IP address FTP server>/image-file.tar

Loading c3750e-universalk9-tar.122-55.SE1.tar !!!!!!!
[OK - 17745920/4096 bytes]

Loading c3750e-universalk9-tar.122-55.SE1.tar !!!!!!!
examining image…
extracting info (110 bytes)
extracting c3750e-universalk9-mz.122-55.SE1/info (444 bytes)
extracting info (110 bytes)

Stacking Version Number: 1.45

System Type:             0x00000002
Ios Image File Size:   0x00DE8200
Total Image File Size: 0x010ECA00
Minimum Dram required: 0x08000000
Image Suffix:          universalk9-122-55.SE1
Image Directory:       c3750e-universalk9-mz.122-55.SE1
Image Name:            c3750e-universalk9-mz.122-55.SE1.bin
Image Feature:         IP|LAYER_3|PLUS|SSH|3DES|MIN_DRAM_MEG=128

Old image for switch 1: flash:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.
Old image for switch 2: flash2:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.
Old image for switch 3: flash3:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.
Old image for switch 4: flash4:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.
Old image for switch 5: flash5:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.
Old image for switch 6: flash6:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.
Old image for switch 7: flash7:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.
Old image for switch 8: flash8:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.
Old image for switch 9: flash9:/c3750e-universalk9-mz.122-53.SE2
Old image will be deleted after download.

Extracting images from archive into flash…
Extracting images from archive into flash on switch 2…
Extracting images from archive into flash on switch 3…
Extracting images from archive into flash on switch 4…
Extracting images from archive into flash on switch 5…
Extracting images from archive into flash on switch 6…
Extracting images from archive into flash on switch 7…
Extracting images from archive into flash on switch 8…
Extracting images from archive into flash on switch 9…

extracting c3750e-universalk9-mz.122-55.SE1/c3750e-universalk9-mz.122-55.SE1.bin (14570585 bytes)
extracting c3750e-universalk9-mz.122-55.SE1/info (444 bytes)
extracting info (110 bytes)

<..>

Installing (renaming): `flash:update/c3750e-universalk9-mz.122-55.SE1' ->
`flash:/c3750e-universalk9-mz.122-55.SE1'
New software image installed in flash:/c3750e-universalk9-mz.122-55.SE1

<..>

Removing old image: flash:/c3750e-universalk9-mz.122-53.SE2
Removing old image: flash2:/c3750e-universalk9-mz.122-53.SE2
Removing old image: flash3:/c3750e-universalk9-mz.122-53.SE2
Removing old image: flash4:/c3750e-universalk9-mz.122-53.SE2

<..>

All software images installed.

The boot parameters are automatically changed to the new IOS firmware. You can check the boot parameters with the show boot command.

Cisco stack: version mismatch

December 15th, 2010 | No Comments

When adding a new switch to an existing stack, the new switch should have the same software image as the existing stack member switches. If the new switch has different software, the switch isn’t capable of joining the stack.

Switch/Stack Mac Address : 588d.0918.3100
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 588d.0918.3100     15     1       Ready
 2       Member c471.fe99.b580     1      2       Version Mismatch

There are different ways to upgrade the new switch to the correct software image. The hard way is unplugging the new switch from the stack, upgrading it separately and adding it to the stack again. An easier way is using the archive copy-sw command, which copies the software from a specific member switch to the new switch.

The example below copies the software from switch 1 to the destination switch 2.

sw-stack#archive copy-sw /destination-system 2 1
System software to be uploaded:
System Type:             0x00000002
archiving c3750e-universalk9-mz.122-53.SE2 (directory)
Stacking Version Number: 1.43

System Type:             0x00000002
Ios Image File Size:   0x00DA7200
Total Image File Size: 0x01076600
Minimum Dram required: 0x08000000
Image Suffix:          universalk9-122-53.SE2
Image Directory:       c3750e-universalk9-mz.122-53.SE2
Image Name:            c3750e-universalk9-mz.122-53.SE2.bin
Image Feature:         IP|LAYER_3|PLUS|SSH|3DES|MIN_DRAM_MEG=128

Old image for switch 2: flash2:/c3750e-universalk9-mz.122-53.SE1
Old image will be deleted after download.

Extracting images from archive into flash on switch 2…

Installing (renaming): `flash2:/update/c3750e-universalk9-mz.122-53.SE2' -> `flash2:/c3750e-universalk9-mz.122-53.SE2'
New software image installed in flash2:/c3750e-universalk9-mz.122-53.SE2
Removing old image: flash2:/c3750e-universalk9-mz.122-53.SE

All software images installed.

sw-stack#reload slot 2

This is by far the easiest way to upgrade the new switch to the correct software image. Another method is using the copy command.

sw-stack#copy image-file.bin flash2:

sw-stack#config t

sw-stack(config)#boot system switch 2 flash:/image-file.bin

sw-stack(config)#exit

sw-stack#wr mem

sw-stack#reload slot 2

This method is very useful if you are using an image without the html web features.
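To find the members that need the archive copy-sw treatment described above, the added example below (not from the original post) parses a `show switch` table in the layout quoted earlier and prints the copy-sw/reload command pair for every member in “Version Mismatch” state; the sample table is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: parse the `show switch` table quoted
# above and emit the archive copy-sw / reload slot pair the post uses for every
# member in "Version Mismatch" state, copying from the stack master.
# Assumptions: the column layout quoted above (Switch#, Role, Mac Address,
# Priority, H/W Version, State); the sample table below is constructed.

# Print the master's switch number ("*" marks the console switch and is stripped).
stack_master() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^\*?[0-9]+$/ && $2 == "Master" { sub(/^\*/, "", $1); print $1; exit }'
}

# Print, one per line, the numbers of members whose State is "Version Mismatch".
mismatched_members() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\*?[0-9]+$/ {
            state = $6; for (i = 7; i <= NF; i++) state = state " " $i
            if (state == "Version Mismatch") { sub(/^\*/, "", $1); print $1 }
        }'
}

# Print the IOS commands that push the master image to each mismatched member.
# Nothing is executed here: review the output, then enter it on the stack console.
fix_commands() {
    master=$(stack_master "$1")
    [ -n "$master" ] || { echo "no Master row in show switch output" >&2; return 1; }
    mismatched_members "$1" | while read -r member; do
        printf 'archive copy-sw /destination-system %s %s\n' "$member" "$master"
        printf 'reload slot %s\n' "$member"
    done
}

# Constructed sample in the layout of the post's output (not captured from a stack).
SAMPLE_SHOW_SWITCH='Switch/Stack Mac Address : 588d.0918.3100
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 588d.0918.3100     15     1       Ready
 2       Member c471.fe99.b580     1      2       Version Mismatch
 3       Member c471.fe99.c000     1      2       Ready
 4       Member c471.fe99.d100     1      1       Version Mismatch'
```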

Cisco ASA: web interface not working

December 14th, 2010 | 1 Comment

I had to troubleshoot a Cisco ASA today where the client wasn’t able to connect to the management web interface via https anymore. The customer hadn’t installed ASDM locally, but always started the Java-based version.

After upgrading the Cisco ASA to software version 8.2(1) and a reboot, the client wasn’t able to connect to the web interface anymore. I was able to connect to the firewall with my locally installed ASDM client, but I couldn’t access the web interface either.

While troubleshooting I first tried the basic settings, like the management access-list, regenerating the crypto keys and changing the management port. None of these options helped, but the strange thing was that the web interface was working remotely.

While working with Mozilla I received the following error:

cannot communicate securely with peer: no common encryption algorithm(s).

In Google Chrome I received the following error:

Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.

And of course Internet Explorer didn’t give any usable information. I started looking at the supported encryption algorithms within the firewall with a show version. I noticed that VPN-3DES-AES was disabled. The next step was to enable the VPN-3DES-AES ciphers. The upgrade license for this feature is available for free at http://www.cisco.com/go/license.

I activated the VPN-3DES-AES feature, but still wasn’t able to connect to the firewall with the web interface. I checked the SSL encryption used by the firewall.

fw01# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

The firewall still didn’t enable the ciphers supported in my browser. If the VPN-3DES-AES license isn’t installed, only the cipher des-sha1 is enabled by default. I added the correct ciphers with the following command:

fw01(config)# ssl encryption aes256-sha1 aes128-sha1 3des-sha1

After adding the command I was able to connect to the ASA with both the web interface and the ASDM.
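The check that would have shortened this troubleshooting, as an added example that is not from the original post: it reads `show ssl` output in the format quoted above, fails when only des-sha1 (or null-sha1) is enabled, and builds the `ssl encryption` command from the AES and 3DES ciphers the firewall lists as disabled. The sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: read `show ssl` output like the one
# quoted above, report the enabled ciphers, fail when only des-sha1 / null-sha1
# is offered (the state behind the browser errors in the post), and build the
# `ssl encryption` command from the AES and 3DES ciphers listed as disabled.
# Assumes the "Enabled cipher order:" / "Disabled ciphers:" line format quoted
# above; the sample output below is constructed.

# Print the space-separated list after "Enabled cipher order:".
enabled_ciphers() {
    printf '%s\n' "$1" | sed -n 's/^Enabled cipher order: *//p'
}

# Print the space-separated list after "Disabled ciphers:".
disabled_ciphers() {
    printf '%s\n' "$1" | sed -n 's/^Disabled ciphers: *//p'
}

# Succeed when some enabled cipher is neither des-sha1 nor null-sha1, i.e. one
# a browser of the post's era would still negotiate.
has_browser_cipher() {
    for c in $(enabled_ciphers "$1"); do
        case "$c" in
            des-sha1|null-sha1) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# Build the post's fix: enable every currently disabled AES or 3DES cipher,
# strongest first (aes256, aes128, 3des) and never RC4 or NULL.
ssl_encryption_fix() {
    out=""
    for want in aes256-sha1 aes128-sha1 3des-sha1; do
        for c in $(disabled_ciphers "$1"); do
            [ "$c" = "$want" ] && out="$out $c"
        done
    done
    [ -n "$out" ] || return 1
    printf 'ssl encryption%s\n' "$out"
}

# Constructed sample (not captured from a firewall), same shape as the post's output.
SAMPLE_SHOW_SSL='Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1'
```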

Cisco Connect – Software Download Entitlement Controls

December 13th, 2010 | 1 Comment

I read about it on the internet, and last week I received the “official” e-mail from the Cisco Partner Channel about the changes regarding the Software Download Centre Entitlement Controls. The e-mail, which was sent in Dutch, can be found below. I have mixed feelings about the changes regarding the software entitlements. From January 2nd 2011 it is no longer possible to just download any software with a CCO or PICA (Partner Initiated Customer Access) account.

Downloading software is only possible for networking components with a valid ‘software-download’ contract (like SmartNet). If you have a contract to download software for a specific Cisco Catalyst switch, you can only download the software for that switch. So check your Cisco Service contract details, such as serial number and part ID, check that they are correctly registered and that the contracts are linked to the correct CCO ID.

Sadly for me, as a consultant, it will be very hard to download the latest software. I have a valid CCO account, but as a company we don’t have any support contracts that allow downloading software. Not only the change in software entitlement, but also the change in the license structure of the hardware and software feature sets has an impact on my daily work. It is getting harder and harder, and in the end maybe impossible, to check out the latest features with tools like GNS3 and Dynamips. Not only for testing purposes, but also for studying. Emulating software with Dynamips is extremely powerful when you are working towards the CCIE or other certifications.

On the other hand, I can also understand that Cisco tries to protect the copyrights of its products and the investment of its paying customers. I know that multiple vendors make their software available for free, but I also know some of these vendors and they have very poor software maintenance. Sometimes you need to downgrade after upgrading an image, or specific releases just disappear and aren’t supported anymore.

I guess we have to get used to the new concept, and in a couple of months or years we won’t know any better. I am positive that somebody will find new ‘solutions’ for the download and feature set ‘problems’.

Dear Partner,

As you may know, a licence is required to use Cisco software. A licence that has been paid for and that allows you to download software. This goes without saying. However, it was previously possible to download all IOS software with a CCO or PICA (Partner Initiated Customer Access) account with ‘software-download access’. Including software for products that were not covered by the contract. Until now, Cisco has applied a so-called trust model.
To protect the copyrights of our software products, in December we will review all contracts on the basis of paid licences. Partners who have paid for the service will be able to continue downloading software in the future. Those without a licence will no longer have free access from 2 January. In this way Cisco protects its intellectual property and your investment in the products.
To make this change go as smoothly as possible, we ask you as a Partner to do the following before 2 January 2011:

• Check here whether your Cisco Services contract(s) are complete and fill in any missing details, such as serial numbers, part IDs (product series and type number) and locations.
• Verify that all your Cisco products are registered on the Cisco service contract and that you have valid licences for the Cisco software.
• Check that all service contract(s) are linked to the correct user name and CCO ID on www.cisco.com
• Check that all your employees are registered and authorised and that their details have also been entered correctly.

From 2 January 2011 we will check all downloaded software for licences by default. The download speed will not be reduced. And if you are registered, you will not experience any inconvenience from this change while downloading.

If you have any questions about this message, please feel free to ask your Partner Account Manager.

Kind regards,
Cisco

Fred Gerritse
Director Partner Organisation