| Follow me on:

New Theme

November 29th, 2009 | 2 Comments

As I already announced on Twitter, I have updated my blog theme. I am very curious about your comments…… should this theme stay or should I revert back to the old one? What would you change at the current theme?

Updated on December 1ste 2009

Yesterday I have been playing with my new theme and eventually I ended up deleting all previous comments…. I also noticed that the WordPress Blog Stats didn’t work anymore, but luckily I found the solution for this. My new theme didn’t contain the wp_footer() function. The function is often used by plugins to insert PHP codes after everything else on your page. According to WordPress.org theme development documentation, you should place the wp_footer() function in the footer, which would be in the footer.php file.

Cisco banners with SSH

July 31st, 2009 | No Comments

When configuring a Cisco device I always configure some kind of banner, which is displayed when logging in. This banner contains some information, like security warnings and general information. There are different kind of banners.

  • exec: display a banner before displaying the enable prompt;
  • login: display a banner before the password login prompt when accessing the security appliance using Telnet;
  • motd: display a message-of-the-day banner when you first connect;

I was used to configuring a banner login with different variables, like shown below:

banner login ^
You have entered device $(hostname).$(domain) at line $(line) $(line-desc)
^C

This works fine when connecting with Telnet to the device, but this doesn’t work when using SSH. For security reason, I always use SSH to connect to devices, but I didn’t notice the “corrupt” banner since recently.

Banner login doesn’t support SSH:

“When accessing the security appliance through Telnet or SSH, the session closes if there is not enough system memory available to process the banner messages or if a TCP write error occurs. Only the exec and motd banners support access to the security appliance through SSH. The login banner does not support SSH.”

The example below shows the output from a banner motd and a banner login when connecting via SSH.

ssh -l admin 10.10.66.12

You have entered device $(hostname).$(domain) at line $(line) $(line-desc)

Password:

You have entered device C877.booches.nl at line 1
C877#

The first banner is de banner login and the second is the banner motd. So when using SSH to connect to a device, it is better to use a banner motd or a banner exec.

ASDM Error: Unconnected socket not implemented

December 23rd, 2008 | 1 Comment

When you receive the following error, while starting ASDM:

ASDM Error: Unconnected socket not implemented

You should look at your Java versions. When you are using Java 6 Update 10 or higher and ASDM 6.1.5 or lower, you will receive this error. There are two workarounds for this problem:

  1. Downgrade Java to Java 6 Update 7 or lower;
  2. Upgrade ASDM software;

Cisco released an Interim Release (6.1.5.57), which resolves the problem above.

PIX Failover not working

June 18th, 2008 | No Comments

Today I received the question why a PIX failover configuration wasn’t working. The customer accidentally disconnected the power cable from the primary PIX firewall. The secondary PIX firewall became the active one, but multiple DMZ segments weren’t working anymore. After rebooting the PIX firewall and making that the primary one again, the DMZ segments were reachable again.

I started looking at the failover state of the firewall. Entering the commando show failover on the primary PIX resulted in the following output:

This host: Primary - Active
        Active time: 5430735 (sec)
          Interface outside (1.1.1.1): Normal
          Interface inside (2.2.2.1): Normal
          Interface DMZ01 (3.3.3.1): Normal
          Interface DMZ02 (4.4.4.1): Normal (Waiting)
          Interface DMZ03 (5.5.5.1): Normal (Waiting)
Other host: Secondary - Standby Ready
        Active time: 5235 (sec)
          Interface outside (1.1.1.2): Normal
          Interface inside (2.2.2.2): Normal
          Interface DMZ01 (3.3.3.2): Normal
          Interface DMZ02 (4.4.4.2): Normal (Waiting)
          Interface DMZ03 (5.5.5.2): Normal (Waiting)

Interface DMZ02 and DMZ03 were the problem interfaces.

After doing some simple ping test, I noticed the problem interfaces couldn’t ping each other. Looking at the output above the interfaces are in Normal (Waiting) state. Searching the internet resulted in the following:

Failover does not start to monitor the network interfaces until it has heard the second “hello” packet from the other unit on that interface. This takes about 30 seconds. If the unit is attached to a network switch that runs Spanning Tree Protocol (STP), this takes twice the “forward delay” time configured in the switch (typically configured as 15 seconds), plus this 30 second delay. This is because at PIX bootup and immediately following a failover event, the network switch detects a temporary bridge loop. Upon detection of this loop, it stops forwarding packets on these interfaces for the “forward delay” time. It then enters the “listen” mode for an additional “forward delay” time, during which time the switch listens for bridge loops but not forwarding traffic (and thus not forwarding failover “hello” packets). After twice the forward delay time (30 seconds), traffic resumes flowing. Each PIX remains in “waiting” mode until it hears 30 seconds worth of “hello” packets from the other unit. During the time the PIX is passing traffic, it does not fail the other unit based on not hearing the “hello” packets. All other failover monitoring still occurs (that is, Power, Interface Loss of Link, and Failover Cable “hello”).
Source

Here they are talking about the STP configuration. I couldn’t imagine that the problem is lying in the STP configuration. I started tracking the mac-address on the switches to check the physical patching.

The problem was found directly. The patching of the secondary PIX wasn’t correct. The customer had swapped the two interfaces resulting in patching them in the wrong VLAN. After swapping the patches the failover state functions normally, looking at the output below:

This host: Primary - Active
        Active time: 5430735 (sec)
          Interface outside (1.1.1.1): Normal
          Interface inside (2.2.2.1): Normal
          Interface DMZ01 (3.3.3.1): Normal
          Interface DMZ02 (4.4.4.1): Normal
          Interface DMZ03 (5.5.5.1): Normal
Other host: Secondary - Standby Ready
        Active time: 5235 (sec)
          Interface outside (1.1.1.2): Normal
          Interface inside (2.2.2.2): Normal
          Interface DMZ01 (3.3.3.2): Normal
          Interface DMZ02 (4.4.4.2): Normal
          Interface DMZ03 (5.5.5.2): Normal

This proves again how import correct patching is!!!!!

  • my Tweetz

    • Going to install new PacketShaper licenses in an hour. The installation steps from BlueCoat are very clear... hope the installation is too 1 week ago
    • Just met some former class mates from 15 years ago. It's funny to hear what everbody is doing nowadays 1 week ago
    • Mysteryland is over. We had a great time. We saw great dj's and herad some good sets. And only 2 drops of rain!!! 1 week ago
    • We arrived at Mysteryland. The party can begin http://moby.to/22oq2q 1 week ago
    • Online mysteryland in de zwembroek ciao 1 week ago
    • More updates...

    Powered by Twitter Tools

  • Advertisements