Archive for the ‘Cisco Routing and Switching’ Category

Fixing a weird Cisco syntax error

January 24th, 2010

Ran across this tonight. Someone had entered a prefix-list with the name “at&amp ;t” instead of “at&t” (WordPress didn’t like it either, so I added the space between the p and the ;, but they should really be together).

Oddly enough, IOS wouldn’t allow the bad line to simply be deleted. The “;” had to be removed so that the no command included “at&ampt”.

Probably some sort of regex problem or an ASCII escape character, but it’s still kind of strange.

scott Cisco Routing and Switching, Cruft, Networking

Cisco IPS doesn’t like ICMP redirects

January 5th, 2010

I’ve been trying to figure out why a pair of Cisco IPS (AIP-SSM in this case) wouldn’t auto-update signature files or connect to the new Global Correlation feature. The management interfaces were located on a subnet that was between the firewall and the internal L3 switch. The internal LANs are on the other side of the switch.

I’ve known for a long time that Cisco ASAs don’t support sending ICMP redirects. Because of this, the IPS’s default gateway couldn’t be set to the FW interface. If I did that, they would never be redirected to reach the internal networks. I’ve never had a problem with IOS doing ICMP redirects, though, so the IPSs have been using the switch VLAN interface as the default gateway. The switch sends ICMP redirects when the IPS needs to get out to the internet and the traffic goes direct to the firewall.

Except it doesn’t. I could swear it did at one time in the past. Either my memory is faulty or an image update on the IPS broke it. Now, it seems the IPS tosses ICMP redirects. My guess is it worries about man-in-the-middle attacks, and an ICMP redirect is a possible sign of that. So even though the switch is doing the correct thing, the IPS disregards it.

Moved the IPS management interface to one of the internal LANs and all is happy now.

scott Cisco Routing and Switching, Cruft, Networking, Security

Sometimes Cisco makes me laugh

December 4th, 2009

“It works similar to access-list in that if you have any SNMP View on certain MIB trees, every other tree is denied inexplicably.”

:)

scott Cisco Routing and Switching, Cruft, Networking

Cisco ISR G2’s on the way

October 14th, 2009

I’ve gotten a look at a PowerPoint with the technical details now. Nothing too earth-shattering. More of a natural progression of capabilities and performance.

I’m such a geek. The one cool new feature is that they have finally put in a USB console port. Actually mini USB. I’m not sure of the wisdom of using that over the already present regular USB ports, but that’s ok. I can’t find anything about how that’s going to work. I expect you’ll have to install a USB-to-COM driver on Windows just like you do with the USB-to-Serial dongles, but this should be Cisco provided.

How cool would it be if there were a hidden driver for that in Windows 7 already.

Now all we need is a wireless USB KVM and you could manage a whole data center of routers without running more cables. Better have some good security on that!

scott Cisco Routing and Switching, Cruft, Networking

Cheap remote sniffer

August 11th, 2009

Looking for a cheap and reliable way of doing packet capture remotely. I found this reference to using pfSense and it looks like a pretty slick idea. I was quite happy with pfSense when I was using it as a firewall, so this idea looks like a winner. I’ll post back if I try it out.

scott Cisco Routing and Switching, Cruft, Networking

If Cisco.com falls over, does it make a sound in the media?

August 5th, 2009

I’m mystified as to how Cisco.com can go down worldwide for 2+ hours during business hours and there is virtually nothing in the news about it. I managed to find this reference in the Register. Not surprising, as the outage hit the UK in the middle of the day. I’ve not found any other comments.

How is it that the king of the networking world, preacher of all things BC/DR, can be down for 2+ hours and no one thinks it’s a big deal?

If nothing else, it sure would be nice to get a root cause analysis from Cisco so we can have a “teaching moment”. If there’s a scenario where arguably the most savvy networking company in the world can suffer a catastrophic failure of a high availability service, we would all be well served to understand the details.

And Cisco’s response about the dangerous power failure at the data center that I tweeted about? I’m not buying that. If that happened, then it should have shut down and failed over to the DR site. I can’t believe that Cisco has all of Cisco.com in a single data center.

This is like your parents telling you every day not to smoke and then you catch them puffing away one day.

What’s the deal, Cisco???

scott Cisco Routing and Switching, Cruft, Networking, Security

PuTTY and CTRL-Shift-6, X

August 4th, 2009

Helped someone figure out a weird problem just now. He would telnet to a router and then telnet back out to a host. He would then try the ctrl-shift-6, x sequence and he would get nothing on the screen. He could type disconnect 1 and get no feedback, but as soon as he pressed enter it would show the router prompt and immediately reconnect the session. Seems like it was only listening to the “enter”.

Turns out it was an echo problem. In his PuTTY settings he had Terminal: Line discipline options set to Force On for both Local Echo and Local line editing. He set these both to Auto and it worked fine after that.

Not sure how that got set, but I thought I’d share. A quick Google didn’t turn anything up that seemed similar.

scott Cisco Routing and Switching, Cruft, Networking

It’s been a long couple of days

June 10th, 2009

Comcast managed to hose up my internet connection, which I host this site as well as some forums on. They did this by assigning my static IPs to another location in their network. The result was split routes at their peering routers, with the majority of traffic going into a black hole and a trickle getting through to me.

Once I explained to them what they broke it was a relatively quick fix.

Then, we lost power after a storm last night. Batteries lasted about an hour but that was not nearly enough.

And traffic has really been sucky for my day job. 2.5 hours almost every trip this week. That’s each way.

Ugh. I’m tired.

scott Cisco Routing and Switching, Cruft, Home and Hobbies, Networking

NorcoTek RPC-450 install

March 29th, 2009

I didn’t see much in the way of review info on the NORCO RPC-450 4U Rackmount Server Case. On top of that, the pics almost always showed a microATX motherboard installed, which was nice for having lots of room left. However, I had an Extended ATX or EEB motherboard that I wanted to get into this thing, so it was a little bit of a gamble when I ordered it. I’m pretty happy with the results, although there are caveats and some tight areas. Without further ado, the review:

Newegg shipped this thing double boxed and it arrived in fine condition. I don’t live very far from the New Jersey distribution warehouse and I’m lucky enough to get stuff from them within a day or two.

From NorcoTek RPC-450

The RPC-450 comes with 2 big 120mm fans up front. Once you remove those you can slide out the drive cages. What’s cool about this is that the drive cages are kind of like 5-in-3s. As you can see in this pic, the space could support 3 5.25″ drives vertically, but with the cages installed there are slots for 5 3.5″ drives. The 2 cages slide in and out using the same locking tabs you’d use for drives.

From NorcoTek RPC-450

On to the motherboard installation. The EEB size motherboard really does fill the space. Making matters worse, the fans and heatsinks for the dual Xeons are located way up at the front of the motherboard. Here you can see how close one of the fans is to the frame:

From NorcoTek RPC-450

In this pic you can see my thumb :) and also how close the installed optical drive is. If the fans are any taller you aren’t getting the optical drive in.

From NorcoTek RPC-450

You can see here that this fan problem also means you can’t put more than 2 hard drives in the middle cage. Anything below that and the plugs would interfere with the fans:

From NorcoTek RPC-450

Just an overhead shot. The power supply fit easily and didn’t get in the way. I didn’t get my hands all hacked up either, like is common when I’m working in some cases. Most of the edges really are rolled.

From NorcoTek RPC-450

So, in the end, it works. If you have a smaller motherboard you’ll have almost no problems. I got a second case for my Unraid setup and that used a MicroATX motherboard. Lots of space and the cooling has been excellent. The same setup in a Coolermaster CM690 had the 1TB Hitachi drives hitting 40C+. In this case, with the 120mm fans blowing right across them, I’m usually in the high 20’s on the Hitachi and only occasionally does it hit 30C. That’s a lot of peace of mind for the life of my drives.

All pics are here http://picasaweb.google.com/mdgeek/NorcoTekRPC450# although the rest are fairly blurry.

scott Cisco Routing and Switching, Cruft, Home and Hobbies, Networking, Security

I hate Java.

March 17th, 2009

I might have mentioned that before. In case I didn’t…I hate Java. Now, today’s issue didn’t come directly because of Java, but it was the result, and an obscure one at that.

I’ve been struggling with a client issue that basically boiled down to slow or non-responsive websites that were passing through IOS firewalls. Most websites would work fine, and if we re-routed the traffic to another outbound connection that had an ASA it would work perfectly. Also, if we connected a laptop directly to these remote site internet connections it would be smooth sailing. So obviously something was unhappy on the IOS firewall. I tried changing MTU, MSS, disabling the Websense (urlfilter) connection. All kinds of different things! Nothing made a bit of difference.

I decided to run the Tweak Test over at dslreports.com to see what the MTU and MSS results would be, thinking that’s still what I needed to fix. Tweak Test is a Java applet. I had someone onsite run it and I happened to be watching the console at the same time. All of a sudden I start seeing “FW-3-HTTP_JAVA_BLOCK” messages popping up. WTH! So, I figure out that Java is blocked by default on IOS firewall. Here’s the fix:

access-list 3 permit any
ip inspect name inspect http java-list 3

Yep, basically add the ACL for any and then add java-list to the end of the http inspect. I also have a urlfilter on the end to maintain the Websense checks. ARGH! I decided to try my problematic website, of which enterprise.com happens to be one, and it popped right up. I never got an error message about Java before trying to run this app on dslreports.com. I never saw reference to a Java problem in any of my debugs.

I know this wasn’t Java’s fault directly, but if Java wasn’t such a piece of garbage it might not have to be blocked by default.
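Since the only clue here was the FW-3-HTTP_JAVA_BLOCK message on the console, a quick way to find out whether the same thing is biting you is to scan the router's syslog for it and see which web servers and clients are involved. The script below is an added example, not from the original post; the log lines are constructed, and the exact field layout of the message ("Java applet from server:port to client:port") is an assumption, only the message ID comes from the post.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real captures); addresses use the
# documentation ranges. The message wording after the ID is assumed.
SAMPLE_SYSLOG = """\
Mar 17 10:02:11 rtr1 1234: %FW-3-HTTP_JAVA_BLOCK: Java applet from 203.0.113.20:80 to 10.1.2.50:51022 blocked
Mar 17 10:02:12 rtr1 1235: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.1.2.50:51023) -- responder (203.0.113.20:80)
Mar 17 10:02:14 rtr1 1236: %FW-3-HTTP_JAVA_BLOCK: Java applet from 203.0.113.20:80 to 10.1.2.51:49311 blocked
Mar 17 10:03:02 rtr1 1237: %FW-3-HTTP_JAVA_BLOCK: Java applet from 198.51.100.7:80 to 10.1.2.50:51030 blocked
"""

# Match only the Java-block message and pull out both endpoints.
JAVA_BLOCK_RE = re.compile(
    r"%FW-3-HTTP_JAVA_BLOCK:.*?"
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_java_blocks(syslog_text):
    """Return one dict per Java-block message: the web server that sent the
    applet and the internal client that was trying to load it."""
    events = []
    for line in syslog_text.splitlines():
        m = JAVA_BLOCK_RE.search(line)
        if m:
            events.append({"server": m.group("src"), "client": m.group("dst")})
    return events


def blocked_servers(syslog_text):
    """Count blocks per web server, so you can see which sites are being
    silently broken before deciding to permit them with a java-list ACL."""
    return Counter(e["server"] for e in parse_java_blocks(syslog_text))


def affected_clients(syslog_text):
    """Sorted list of internal hosts that hit the block at least once."""
    return sorted({e["client"] for e in parse_java_blocks(syslog_text)})


if __name__ == "__main__":
    for server, n in blocked_servers(SAMPLE_SYSLOG).most_common():
        print(f"{server}: {n} Java applet(s) blocked")
    print("clients affected:", ", ".join(affected_clients(SAMPLE_SYSLOG)))
```

Feed it the output of your syslog server instead of SAMPLE_SYSLOG; the non-Java FW-6 session message in the sample shows that other firewall log lines are ignored.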

scott Cisco Routing and Switching, Cruft, Networking, Security
