
HP Virtual Connect Manager

January 23rd, 2012

While changing the configuration within an HP Virtual Connect Manager I noticed that I didn’t have any options to delete server profiles, Ethernet Networks or Shared Uplink Sets within the web browser.

I needed to change the configuration dramatically from an active / standby configuration to an active / active configuration. I also needed to change the complete server profile configuration and Ethernet Networks configuration.

I noticed that I can also connect through SSH to the HP VC Flex-10 Enet modules. This presents a CLI with different command options. And of course I had more options within the CLI compared to the web interface.

-------------------------------------------------------------------
HP Virtual Connect Management CLI v3.18
Build: 3.18-3 (r46087) Apr  1 2011 17:45:49
(C) Copyright 2006-2011 Hewlett-Packard Development Company, L.P.
All Rights Reserved
-------------------------------------------------------------------

GETTING STARTED:

help           : displays a list of available subcommands
exit           : quits the command shell
<subcommand> ? : displays a list of managed elements for a subcommand
<subcommand> <managed element> ? : displays detailed help for a command

->?

Through the CLI I had the option to remove the server profiles, Ethernet Networks and the configured Shared Uplink Set. The help command (?) is very useful to check the command syntax to remove different configuration settings. You have to remove the different items in the correct order. I used the following order:

  1. Server Profile: remove profile <profile_name>
  2. Ethernet Networks: remove network <enet_name>
  3. Shared Uplink Set: remove uplinkset <sus_name>

When you try to delete the items in the wrong order you will receive an error message on the console, as shown below.

->remove uplinkset SUS1
ERROR: Operation not allowed : The requested shared uplink set is currently in use by one or more networks
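The removal order above follows the reference chain profile -> network -> shared uplink set. The following is an added example, not code from the post or from HP: a small Python model of that chain that refuses a removal while something still references the object (the situation behind the "currently in use" error) and produces the remove commands in an order that is accepted. The domain contents (profile, network and uplink set names) are constructed.

```python
"""Model of the removal-order dependency described in the post.

Added example (not code from the post or from HP): simulates the reference
chain profile -> network -> shared uplink set so the effect of removing
objects in the wrong order can be seen without touching a real Virtual
Connect domain. All object names below are constructed samples.
"""


class InUseError(Exception):
    """Stands in for the CLI's 'Operation not allowed ... currently in use' error."""


def sample_domain():
    """Constructed VC domain: two profiles, three networks, one shared uplink set."""
    return {
        "profiles": {"esx01": {"vlan10", "vlan20"}, "esx02": {"vlan10"}},
        "networks": {"vlan10": "SUS1", "vlan20": "SUS1", "mgmt": None},
        "uplinksets": {"SUS1"},
    }


def blocked_by(domain, obj_type, name):
    """Objects that still reference `name`; a non-empty list means the
    remove command would be refused at this point."""
    if obj_type == "network":
        return sorted(p for p, nets in domain["profiles"].items() if name in nets)
    if obj_type == "uplinkset":
        return sorted(n for n, sus in domain["networks"].items() if sus == name)
    return []  # profiles are referenced by nothing in this model


def remove(domain, obj_type, name):
    """Apply one 'remove <obj_type> <name>' command to the model."""
    users = blocked_by(domain, obj_type, name)
    if users:
        raise InUseError(f"{obj_type} {name} is currently in use by {users}")
    if obj_type == "profile":
        del domain["profiles"][name]
    elif obj_type == "network":
        del domain["networks"][name]
    elif obj_type == "uplinkset":
        domain["uplinksets"].discard(name)
    else:
        raise ValueError(f"unknown object type {obj_type!r}")


def plan_removal(domain):
    """(obj_type, name) pairs in the order the post used: profiles first,
    then networks, then shared uplink sets."""
    plan = [("profile", p) for p in sorted(domain["profiles"])]
    plan += [("network", n) for n in sorted(domain["networks"])]
    plan += [("uplinkset", s) for s in sorted(domain["uplinksets"])]
    return plan


def run_plan(domain, plan):
    """Execute a plan against the model and return the CLI commands issued."""
    issued = []
    for obj_type, name in plan:
        remove(domain, obj_type, name)
        issued.append(f"remove {obj_type} {name}")
    return issued


def is_empty(domain):
    """True once every profile, network and uplink set has been removed."""
    return not (domain["profiles"] or domain["networks"] or domain["uplinksets"])


if __name__ == "__main__":
    # Wrong order: the uplink set is still referenced by two networks.
    try:
        remove(sample_domain(), "uplinkset", "SUS1")
    except InUseError as err:
        print("ERROR: Operation not allowed :", err)
    # Right order: everything goes.
    domain = sample_domain()
    for cmd in run_plan(domain, plan_removal(domain)):
        print(cmd)
```

Running the module prints the refused removal first and then the six accepted commands; `blocked_by` is the check to run before issuing a command if you script the teardown against a larger domain.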

After deleting the configuration I configured my desired setup. The configuration can be a little bumpy, depending on the firmware used with the Virtual Connect Manager. I found a very good article on configuring HP Virtual Connect Manager in conjunction with ESX and Windows Hyper-V.

HP Virtual Connect Ethernet Cookbook: Single and Multiple Enclosure Domain

TIP: when configuring or changing Ethernet network settings on a Server Profile, first unassign the profile from the bay. Changing settings on an unassigned profile is much faster than on an assigned profile.

McAfee Firewall – NAT mapping

December 28th, 2011

While testing a McAfee Enterprise Firewall running software 8.2.0, I had some problems with the creation of a NAT mapping. The firewall is configured as a standalone firewall. All (NAT / access rule) configuration on the firewall is done using Access Control Rules. McAfee uses two types of NAT mapping:

  1. NAT: mostly used to translate a private IP address to a public IP address;
  2. Redirect: redirects traffic sent to a public IP address to a private IP address.

I tried to publish an internal network component to the internet. I created a simple rule with the following parameters. These parameters are very straightforward and the configuration is similar to firewalls from other vendors:

Application: SSH
Source Zone: external
Destination Zone: external
Source Endpoint: Any
Destination Endpoint: Public IP address
NAT address: None
Redirect: Private IP address

I tested the NAT mapping, but couldn’t connect to the internal component using the public IP address. The first step in troubleshooting is looking at the logs, but I couldn’t find any log entries on the firewall. It looked like the traffic didn’t even reach the firewall.

We have a shared internet segment with multiple firewalls. So I started doubting the configuration of the different firewalls.

  • Was somebody already using the public IP address in a NAT configuration?
  • Does the default gateway of the internet segment already have an ARP entry for the public IP address?

I looked at the configuration of the firewalls, but nobody was using the public IP address. With this in mind, I ruled out the ARP entry “problems” on the ISP router.

When NAT uses a public IP address that isn’t the same as the interface IP address, the firewall has to proxy-ARP for the public IP address. So does the firewall proxy-ARP for the public IP address?

I started looking at the rest of the configuration with emphasis on the network configuration. I noticed that I had the option to add an alias IP address to the external interface. This can be found under Network – Interfaces – external interface. I added the public IP address as alias.

You guessed it. The NAT mapping is working.
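The two questions above (is someone else already using the public IP, and does anything answer ARP for it) can be checked from any host on the shared internet segment by looking at its neighbour table. The following is an added example, not code from the post or from McAfee: it parses `ip -4 neigh show` output from a Linux host on that segment and reports whether the public IP resolves to the firewall's external MAC, to some other MAC (address clash), or to nothing (no proxy ARP, the case the post hit). The addresses, MACs and neighbour-table lines are constructed samples.

```python
"""Which host answers ARP for a NATed public IP on a shared segment?

Added example (not code from the post or from McAfee). Parses the neighbour
table of a Linux host on the same internet segment (`ip -4 neigh show`) and
classifies the entry for the public IP. All addresses, MACs and table
lines below are constructed samples.
"""
import re
import subprocess

FIREWALL_EXTERNAL_MAC = "00:00:5e:00:53:aa"  # constructed
PUBLIC_IP = "203.0.113.10"                    # constructed

# Constructed sample: .10 is answered by the firewall, .11 by some other
# device on the segment, and .12 never got an ARP reply at all.
SAMPLE_NEIGH = """\
203.0.113.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
203.0.113.10 dev eth0 lladdr 00:00:5e:00:53:aa STALE
203.0.113.11 dev eth0 lladdr 00:00:5e:00:53:bb REACHABLE
203.0.113.12 dev eth0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))? (?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Map IP -> (mac or None, state) from `ip neigh` style output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m["mac"].lower() if m["mac"] else None
            table[m["ip"]] = (mac, m["state"].upper())
    return table


def who_answers(table, public_ip, firewall_mac):
    """'firewall' if the firewall proxy-ARPs the address, 'other-host' if a
    different MAC answers (address already in use), 'nobody' if there is no
    usable entry (nothing proxy-ARPs for it)."""
    entry = table.get(public_ip)
    if entry is None or entry[0] is None:
        return "nobody"
    return "firewall" if entry[0] == firewall_mac.lower() else "other-host"


ADVICE = {
    "nobody": "no ARP answer: add the public IP as an alias on the firewall's external interface",
    "other-host": "another MAC answers: the public IP is already in use elsewhere on the segment",
    "firewall": "the firewall answers ARP for the public IP: look at the rules and logs instead",
}


def live_table():
    """Read the real neighbour table on a Linux host (not used by the sample run)."""
    out = subprocess.run(["ip", "-4", "neigh", "show"],
                         capture_output=True, text=True, check=True).stdout
    return parse_neigh(out)


if __name__ == "__main__":
    table = parse_neigh(SAMPLE_NEIGH)
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        verdict = who_answers(table, ip, FIREWALL_EXTERNAL_MAC)
        print(f"{ip}: {verdict}; {ADVICE[verdict]}")
```

Run it against the real table by swapping `parse_neigh(SAMPLE_NEIGH)` for `live_table()`; ping the public IP first so the host actually tries to resolve it, otherwise the entry will simply be absent and the verdict is "nobody" for the wrong reason.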

CactiEZ – configuration basics

December 19th, 2011

Every time I install CactiEZ or Cacti on another platform, I am searching for the commands to basically install the most common parameters, like static IP addressing, NTP sync and time zones.

Several times I thought about writing a simple article with the necessary commands, and finally I had time to create it.

Networking

netconfig
service network restart

Time Sync

ntpdate -u ntp1.nl.net

Time Zone

yum install system-config-date
system-config-date

This will make my life so much easier.

AeroHive Spectrum Analysis

November 3rd, 2011

One cool feature of AeroHive is the built-in Spectrum Analysis feature, which is enabled by default from HiveOS 4 and higher. Spectrum analysis is very useful to get a view of the RF environment near an access point. This is especially useful when troubleshooting bad connections (a high volume of retransmissions) or other problems related to the RF environment. A spectrum analysis can help to detect interfering components, like Bluetooth devices, cellular phones or a microwave.

HiveAPs can even recognize the types of devices that interfere with the wireless environment. Device identification is only possible with HiveAP 110, 120 and 170 access points. The HiveAP 320 and 340 cannot perform any kind of spectrum analysis, and the HiveAP 330 and 350 can perform a spectrum analysis but don’t have the device identification feature.

To perform a spectrum analysis with AeroHive, you need to configure at least one SSID. When the SSID is configured you have the option to perform the analysis in both the 2.4 GHz and the 5 GHz band.

To start the analysis, open the HiveManager, click Monitor – Access Points – HiveAPs and select a HiveAP, then click Tools – Spectrum Analysis to begin the spectrum analysis. The screenshot below shows the spectrum analysis pane.

[Screenshot: aerohive-spectrum-analysis]

A full description of the different panes can be found in the online HiveManager WebHelp. I like the spectrum analysis feature because of its power and strength during troubleshooting and planning of a wireless environment.

Cisco ASA – Reset TCP connection

August 22nd, 2011

“Normal” TCP applications use a three-way handshake to establish a session. After the data has been sent, the session is closed. Some legacy applications don’t always close a TCP session. They keep the session open, even when the session is idle for a long time (more than 2 hours). When the session is idle and a client wants to send data, the client sends a PSH packet followed by the new data. Both stations use the original session information to maintain the connection.

This behavior is problematic when components like firewalls are in the path between the two clients. A Cisco ASA firewall, for example, automatically flushes a TCP session when it’s idle for 1 hour. When the clients start sending data after an idle period of 1 hour, starting with a PSH packet, the firewall doesn’t recognize the session anymore and drops the traffic. Both clients need to flush / restart their TCP session to establish a new valid session through the firewall.

The Cisco ASA firewall has the option to change the default idle timers and even send a reset (RST) to both clients when the idle timer is reached. The Reset bit in TCP is designed to allow a client to abort / terminate the TCP session with another client. This forces both clients to re-establish a new session, which is learned and maintained by the firewall. This prevents a session from getting dropped in the firewall when it’s idle for more than one hour.

To configure a TCP reset you need to specify the “interesting” traffic for a reset through an access-list and specify the reset parameters via a policy-map, as shown below.

access-list reset_tcp extended permit ip 192.168.10.0 255.255.255.0 host 10.10.10.205
!
class-map cm_reset_tcp
match access-list reset_tcp
!
policy-map global_policy
class cm_reset_tcp
set connection timeout idle 0:15:00 reset

The configuration snippet resets a connection when it’s idle for 15 minutes between the network 192.168.10.0/24 and the host 10.10.10.205. The sessions are initiated by the remote network. You can view the connection parameters with the show conn command.

fw01# show conn address 192.168.10.2 address 10.10.10.205 detail
TCP DMZ:192.168.10.2/31731 Inside:10.10.10.205/4000,
flags UIOB, idle 3m11s, uptime 51m56s, timeout 15m0s, bytes 165157

The output shows the configured idle timeout of 15 minutes, the current idle time and the uptime of the connection.
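Once the reset is configured, the useful question when looking at `show conn ... detail` is how long each connection has left before the idle timer expires and the RST goes out. The following is an added example, not code from the post or from Cisco: a Python parser for the two-line detail format shown above, plus a helper that lists connections whose idle timer is about to expire. The sample output is constructed in that format; the first connection copies the values from the post, the second is made up to show a connection within a minute of being reset. The flag legend entries are the standard ASA meanings of the four flags in the post's output.

```python
"""Parse `show conn ... detail` output and compute time left before the
idle timeout (and, with the 'reset' keyword, the RST) fires.

Added example (not code from the post or from Cisco). The parser targets
the two-line format shown in the post; the sample below is constructed in
that format.
"""
import re

SAMPLE_CONN = """\
TCP DMZ:192.168.10.2/31731 Inside:10.10.10.205/4000,
flags UIOB, idle 3m11s, uptime 51m56s, timeout 15m0s, bytes 165157
TCP DMZ:192.168.10.7/40211 Inside:10.10.10.205/4000,
flags UIOB, idle 14m30s, uptime 2h03m10s, timeout 15m0s, bytes 2048
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+),?$"
)
DETAIL_RE = re.compile(
    r"flags (?P<flags>\S+), idle (?P<idle>\S+), uptime (?P<uptime>\S+), "
    r"timeout (?P<timeout>\S+), bytes (?P<bytes>\d+)"
)
DURATION_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")

# Subset of the ASA connection-flag legend covering the flags in the post.
FLAG_LEGEND = {
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "B": "initial SYN from outside",
}


def parse_duration(text):
    """'2h03m10s' -> 7390 seconds; raises on anything that is not h/m/s."""
    m = DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration {text!r}")
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def parse_conns(text):
    """One dict per connection from the two-line detail format."""
    conns, current = [], None
    for line in text.splitlines():
        line = line.strip()
        head = CONN_RE.match(line)
        if head:
            current = head.groupdict()
            continue
        detail = DETAIL_RE.search(line)
        if detail and current is not None:
            current.update(
                flags=detail["flags"],
                idle=parse_duration(detail["idle"]),
                uptime=parse_duration(detail["uptime"]),
                timeout=parse_duration(detail["timeout"]),
                bytes=int(detail["bytes"]),
            )
            conns.append(current)
            current = None
    return conns


def seconds_until_reset(conn):
    """Time left before the idle timer expires (0 if it already has)."""
    return max(conn["timeout"] - conn["idle"], 0)


def about_to_reset(conns, within=60):
    """Connections whose idle timer expires within `within` seconds."""
    return [f"{c['src']}/{c['sport']} -> {c['dst']}/{c['dport']}"
            for c in conns if seconds_until_reset(c) <= within]


def describe_flags(flags):
    """Expand a flag string such as 'UIOB' using the legend subset above."""
    return [FLAG_LEGEND.get(f, f"unknown flag {f}") for f in flags]


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONN)
    for c in conns:
        print(f"{c['src']}/{c['sport']} -> {c['dst']}/{c['dport']}: "
              f"{seconds_until_reset(c)}s left, flags {describe_flags(c['flags'])}")
    print("about to be reset:", about_to_reset(conns))
```

Feed it the real output (for example the saved text of `show conn address 192.168.10.0 netmask 255.255.255.0 detail`) to see which sessions of the legacy application are close to being reset; a connection that shows up repeatedly with a low remaining time is one whose idle behaviour the 15-minute timer is actually cycling.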