falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I seem to recall that you can upgrade ASA clusters as long as you go from 8.0 to 8.1 to 8.2, etc. You may have to be at the latest rev of those too.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Panthrax posted:

Anyone use ONS 15454s with Sonus GSXes? We're in the middle of upgrading our GSXes, which requires reboots. Problem is this causes random T1s to go out of service on the outbound DS3s to the GSX. If we bounce the T1s on the Sonus side, they don't come up, but if I bounce the T1s on the ONS (by switching from ESF to unframed back to ESF) the T1 comes back up. I had a ticket open with TAC but since they don't have any GSXes kicking around they couldn't test it, but it definitely seems to be an issue on the ONS side. Anyone run into these problems? We're running 9.2.1 code on the ONSes, and upgrading to 7.3 code on the GSXes (which doesn't really matter, because we had an issue with one, which required another reboot after the software was upgraded, and still had T1s going out of service, so it wasn't the upgrade specifically).

We usually see this on systems which see an RAI and interpret it as "well if I'm seeing an RAI, I'm not even going to bother turning on my transmit so I'll just keep sending AIS" and since the other end keeps seeing a framed AIS they keep sending RAI (ran into this on an Adtran 924e).

See if your Sonus can be configured to ignore or not send RAI (in case it's originating the RAI).

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE

Panthrax posted:

Anyone use ONS 15454s with Sonus GSXes? We're in the middle of upgrading our GSXes, which requires reboots. Problem is this causes random T1s to go out of service on the outbound DS3s to the GSX. If we bounce the T1s on the Sonus side, they don't come up, but if I bounce the T1s on the ONS (by switching from ESF to unframed back to ESF) the T1 comes back up. I had a ticket open with TAC but since they don't have any GSXes kicking around they couldn't test it, but it definitely seems to be an issue on the ONS side. Anyone run into these problems? We're running 9.2.1 code on the ONSes, and upgrading to 7.3 code on the GSXes (which doesn't really matter, because we had an issue with one, which required another reboot after the software was upgraded, and still had T1s going out of service, so it wasn't the upgrade specifically).

Yeah I have a bunch of GSXs with DS3s that run to 454s. We don't see any of those problems though. Are you using transmux cards on the 454s? We only do DS3 muxing on our 454s currently and I don't remember having problems on the few circuits we had delivered as VT1.5s that were run through transmux cards. I wouldn't discount it being on the Sonus side. A few revs ago if a DS3 was out of service for more than a few hours we had to OOS/DIS/ENAB/IS it to get it to come back up.

We're on 4.1 I think for the 454s (Whatever the latest you can run on a TCC+) and a special build of 7.3.2 because Sonus is worse than Cisco when it comes to branching their code.

[e]
Sonus interprets RAI and shows it as "YELLOWALARM". Not sure what it does with the transmit side though. Sounds like a great excuse to bust out a T-BERD though and see what the hell is going on.

FatCow fucked around with this message at 23:38 on Oct 10, 2011

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Powercrazy posted:

I thought there was a way to upgrade the code on an ASA cluster without interruption, yet as I'm googling around I can't find a guide on how to do it.

I'm going to be upgrading from 8.3(x) to 8.3(2.24), and I'm not 100% sure if after the upgrade the members will resync if they are on different code revisions or not.

My thought process would be, upgrade the standby code, reload it. Once it comes back up, upgrade the primary code, failover to secondary, and then reload primary. Seems like it should work, but I can't seem to find any documentation about it.

Any one know?

I'd manually force the secondary to go active prior to rebooting the primary. You'll know really quickly if there is a sync issue after you upgrade the secondary :). Generally speaking staying within the same major and minor version M.m you'll be ok.
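
An added worked example (mine, not any poster's) of the pre-flight check behind the advice above: read the Ours/Mate version line and the mate's state out of `show failover`, and only call the standby-first reload sequence safe when failover is on, the mate is "Standby Ready", both units currently match, and the target stays inside the same major.minor train. The M.m rule is the rule of thumb from the post, not Cisco's published upgrade matrix, and the `show failover` text is constructed for the example rather than captured from a device.

```python
import re
from typing import NamedTuple, Tuple

# Version strings look like "8.3(2)" or "8.3(2.24)"; the interim number is optional.
_ASA_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")
# The pair-version line of "show failover": "Version: Ours 8.3(1), Mate 8.3(1)"
_PAIR_VERSION_RE = re.compile(r"Version:\s*Ours\s+(\S+),\s*Mate\s+(\S+)")


class AsaVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    interim: int


def parse_asa_version(text: str) -> AsaVersion:
    """Split an ASA version string into its numeric fields."""
    m = _ASA_VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return AsaVersion(int(major), int(minor), int(maint), int(interim or 0))


def same_train(a: str, b: str) -> bool:
    """True when both versions share major.minor (the M.m rule of thumb from the post)."""
    va, vb = parse_asa_version(a), parse_asa_version(b)
    return (va.major, va.minor) == (vb.major, vb.minor)


def pair_state(show_failover: str) -> dict:
    """Pull the few fields this check needs out of 'show failover' output."""
    state = {"failover_on": False, "ours": None, "mate": None, "mate_ready": False}
    for raw in show_failover.splitlines():
        line = raw.strip()
        if line == "Failover On":
            state["failover_on"] = True
        m = _PAIR_VERSION_RE.search(line)
        if m:
            state["ours"], state["mate"] = m.group(1), m.group(2)
        if line.startswith("Other host:") and "Standby Ready" in line:
            state["mate_ready"] = True
    return state


def hitless_upgrade_check(show_failover: str, target: str) -> Tuple[bool, str]:
    """Decide whether the pair looks safe for a standby-first upgrade to `target`."""
    s = pair_state(show_failover)
    if not s["failover_on"]:
        return False, "failover is not enabled; a reload will be an outage"
    if s["ours"] is None or s["mate"] is None:
        return False, "could not read the Ours/Mate version line"
    if not s["mate_ready"]:
        return False, "mate is not Standby Ready; fix the pair before touching software"
    if s["ours"] != s["mate"]:
        return False, f"units already differ ({s['ours']} vs {s['mate']}); finish that upgrade first"
    if not same_train(s["ours"], target):
        return False, f"{s['ours']} -> {target} crosses a major.minor boundary; check Cisco's upgrade path"
    return True, f"ok: upgrade the standby to {target}, force failover, then upgrade the old active"


# Constructed sample of the relevant 'show failover' lines (not from a real device).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Version: Ours 8.3(1), Mate 8.3(1)
Last Failover at: 12:00:00 UTC Oct 10 2011
        This host: Primary - Active
                Active time: 86400 (sec)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
"""

if __name__ == "__main__":
    ok, why = hitless_upgrade_check(SAMPLE_SHOW_FAILOVER, "8.3(2.24)")
    print(ok, why)
```

Run it once with the real `show failover` text pasted into `SAMPLE_SHOW_FAILOVER` before touching the standby; a "Failed" or "Negotiation" mate state is exactly the sync problem the post says you will find out about quickly, and it is cheaper to find it before the reload.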

Panthrax
Jul 12, 2001
I'm gonna hit you until candy comes out.

FatCow posted:

Yeah I have a bunch of GSXs with DS3s that run to 454s. We don't see any of those problems though. Are you using transmux cards on the 454s? We only do DS3 muxing on our 454s currently and I don't remember having problems on the few circuits we had delivered as VT1.5s that were run through transmux cards. I wouldn't discount it being on the Sonus side. A few revs ago if a DS3 was out of service for more than a few hours we had to OOS/DIS/ENAB/IS it to get it to come back up.

We're on 4.1 I think for the 454s (Whatever the latest you can run on a TCC+) and a special build of 7.3.2 because Sonus is worse than Cisco when it comes to branching their code.

[e]
Sonus interprets RAI and shows it as "YELLOWALARM". Not sure what it does with the transmit side though. Sounds like a great excuse to bust out a T-BERD though and see what the hell is going on.

We come in on OCx, then send STS over to a DS3XM12, then send the T1s over VT1.5 to another XM12 so we can bundle more T1s together into a single DS3 port, since Sonus can't do port density better than 3 per card. Not sure what that's called, I'm kinda new at the whole ONS thing. But we're running TCC2Ps with XC-VXC-10g cross connect cards. It's just annoying because our PSTN GSXes coming up have 70 or 70 trunk groups on them, which we have to bounce (because they seem to be in service but when you make calls over them the GSX is killing the calls) and then I have to reset a shitload of T1s across 20 or 30 DS3s. Meh. Oh, well. Hopefully we don't have to go rebooting GSXes again any time soon...

Partycat
Oct 25, 2004

VR Cowboy posted:

Wowza, I didn't know they could do that. Thanks! It definitely works on my 3560X, but not on my older 3560. That's really useful.

But if anyone has a personal favourite hand-held tester, we still have a lot of older 3560s and 3750s all over the place.

The built in test is only so useful. If a device is connected it can provide misleading results. In some instances it affects link state, before you get too comfortable buzzing that one in remotely.

I like the Fluke CableIQ. It's a cable tester. It does not do any other sort of testing, as far as DHCP, pinging addresses, etc. The LinkRunner Pro displays LLDP and CDP information, and gives some PoE presence information, but I really don't like wasting time with it. A keychain PoE detector and a laptop are infinitely faster or more flexible.

We have an assload of 3750Xs deployed now, but I haven't run into any testing issues. What device are you using?

Yeast Confection
Oct 7, 2005

Partycat posted:

The built in test is only so useful. If a device is connected it can provide misleading results. In some instances it affects link state, before you get too comfortable buzzing that one in remotely.

I like the Fluke CableIQ. It's a cable tester. It does not do any other sort of testing, as far as DHCP, pinging addresses, etc. The LinkRunner Pro displays LLDP and CDP information, and gives some PoE presence information, but I really don't like wasting time with it. A keychain PoE detector and a laptop are infinitely faster or more flexible.

We have an assload of 3750Xs deployed now, but I haven't run into any testing issues. What device are you using?

We just have an older LANscaper 10/100 tester like this. It's getting old and beaten.

It can do a basic DHCP & ping test, but when plugged in to a 3560X or 3750X it will (sometimes) give me an Rx overrun error, even though the port speed is supposed to auto-negotiate to 10/half. The port status will say that it's at 10/half, but I guess the switch isn't actually using that speed?

Walked
Apr 14, 2003

I am not a networking guy and never have been.

That said, I've been tasked with setting up a couple of external sites with a hardware VPN to get them on our domain.

I've got an ASA 5505 in hand, but that was already available. I've got a few cisco routers as well at my disposal, and some money.

1) Anyone want to handhold me through the process of setting up a quick proof of concept using the 5505 to be the client, and a 2811 as server for a remote access VPN? The 2811 is what I've got on hand, but I can get ahold of a 3000 series too.

2) Is this more trouble than it seems? What hardware should I be looking at for the VPN client? I've got money to spend if necessary.

Basically, I don't know what I am doing but at least I know I don't know what I'm doing. Anyone care to direct me here? Goal is seamless VPN for a couple remote sites.

Harry Totterbottom
Dec 19, 2008

Walked posted:

I am not a networking guy and never have been.

That said, I've been tasked with setting up a couple of external sites with a hardware VPN to get them on our domain.

I've got an ASA 5505 in hand, but that was already available. I've got a few cisco routers as well at my disposal, and some money.

1) Anyone want to handhold me through the process of setting up a quick proof of concept using the 5505 to be the client, and a 2811 as server for a remote access VPN? The 2811 is what I've got on hand, but I can get ahold of a 3000 series too.

2) Is this more trouble than it seems? What hardware should I be looking at for the VPN client? I've got money to spend if necessary.

Basically, I don't know what I am doing but at least I know I don't know what I'm doing. Anyone care to direct me here? Goal is seamless VPN for a couple remote sites.

If you've got 1 asa, get another one then use the ASDM wizard to create a site to site VPN on each side, that is the simplest way to do it.

jwh
Jun 12, 2002

For seamless VPN for a couple remote sites, I'd recommend either going entirely with ASAs or entirely with IOS based routers (like your 2800).

You can get Cisco 871s, for example, for about five-hundred bucks that will do this job nicely.

The configurations will be more complex on the IOS platform (at least, there's no ASDM wizard), but I could give you some skeletal configurations to work with (or, heck, I could just work it up for you in a few hours).

Walked
Apr 14, 2003

jwh posted:

For seamless VPN for a couple remote sites, I'd recommend either going entirely with ASAs or entirely with IOS based routers (like your 2800).

You can get Cisco 871s, for example, for about five-hundred bucks that will do this job nicely.

The configurations will be more complex on the IOS platform (at least, there's no ASDM wizard), but I could give you some skeletal configurations to work with (or, heck, I could just work it up for you in a few hours).

Entirely ASAs is definitely an option.

We have one central location (PMO office) and about 3 satellite offices. I want to put an ASA at each office, and have that seamlessly connect to us here.

A skeletal config for a 2800 series router would be awesome. If nothing more for me to get a proof of concept up for management thats very touchy-feely.

Also, can one ASA handle being the VPN server for 4-6 locations? If so, that works fine for me, too.

CrazyLittle
Sep 11, 2001

Clapping Larry
How would you guys speed-test a gigabit (or any >100mbit) internet access circuit? I mean, I kinda doubt that speedtest.net would give you reliable results if you're trying to push >100mbit through transit peers, right?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Walked posted:

Entirely ASAs is definitely an option.

We have one central location (PMO office) and about 3 satellite offices. I want to put an ASA at each office, and have that seamlessly connect to us here.

A skeletal config for a 2800 series router would be awesome. If nothing more for me to get a proof of concept up for management thats very touchy-feely.

Also, can one ASA handle being the VPN server for 4-6 locations? If so, that works fine for me, too.

ASA5510 at the head office, ASA5505s at branch (with appropriate license for number of users/MACs behind it).

The ASA can do hub/spoke VPN routing (not quite as neat as IOS DMVPN, but functional if the head office has plenty of bandwidth). It'll also handle firewalling/NAT for all the offices.

CrazyLittle posted:

How would you guys speed-test a gigabit (or any >100mbit) internet access circuit? I mean, I kinda doubt that speedtest.net would give you reliable results if you're trying to push >100mbit through transit peers, right?
iperf, udp mode.

Walked
Apr 14, 2003

ragzilla posted:

ASA5510 at the head office, ASA5505s at branch (with appropriate license for number of users/MACs behind it).

The ASA can do hub/spoke VPN routing (not quite as neat as IOS DMVPN, but functional if the head office has plenty of bandwidth). It'll also handle firewalling/NAT for all the offices.

iperf, udp mode.

Can I get by with something cheaper than a 5510? I can probably get the PO pushed through, but it's a bit spendier than I think management is going to want to see.

3 remote locations, 3 or so users per remote site. If 5510 is the way to go, then its the way to go.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Walked posted:

Can I get by with something cheaper than a 5510? I can probably get the PO pushed through, but it's a bit spendier than I think management is going to want to see.

3 remote locations, 3 or so users per remote site. If 5510 is the way to go, then its the way to go.

How many users at the head office? You can likely get away with a 5505 but if you have more than 25 users you'll need to purchase additional licensing for the 5505.

5505 has 100mbps of VPN throughput thanks to the accelerator chip, but you're also going to be eating into connections/second for all your connections over VPN, as well as internet access from the main office (hence why I'd normally recommend a 5510 for the head office).

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE

CrazyLittle posted:

How would you guys speed-test a gigabit (or any >100mbit) internet access circuit? I mean, I kinda doubt that speedtest.net would give you reliable results if you're trying to push >100mbit through transit peers, right?

I've got a provider near me running their own speed test server and I've talked to the techs and it's on a gig line. Maybe there's someone close to you that has a private speedtest link?

Walked
Apr 14, 2003

ragzilla posted:

How many users at the head office? You can likely get away with a 5505 but if you have more than 25 users you'll need to purchase additional licensing for the 5505.

5505 has 100mbps of VPN throughput thanks to the accelerator chip, but you're also going to be eating into connections/second for all your connections over VPN, as well as internet access from the main office (hence why I'd normally recommend a 5510 for the head office).

About 50 users at the main office. There's no real infrastructure at the remote locations; just client machines at this time.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Nitr0 posted:

I've got a provider near me running their own speed test server and I've talked to the techs and it's on a gig line. Maybe there's someone close to you that has a private speedtest link?

Even with a private speedtest you'll have difficulty checking multi megabit lines. I have a speedtest about 3 switched hops (+1 firewall) from my desk, I pull about 160mbps down, 21 mbps up (upstream results on >5mbit lines are almost never accurate due to the client having to assemble a payload on the fly to upload).

Directly connected the best I've seen on a speedtest.net based server was 600mbps (laptop crossover'd to the server) down, 50mbps up.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Walked posted:

About 50 users at the main office. There's no real infrastructure at the remote locations; just client machines at this time.

If you have 50 users I'd assume you occasionally go over 50 MACs behind the firewall, so when pricing an ASA 5505 for the main office location make sure you're looking at the Unlimited version: ASA5505-UL-BUN-K9.

Walked
Apr 14, 2003

ragzilla posted:

If you have 50 users I'd assume you occasionally go over 50 MACs behind the firewall, so when pricing an ASA 5505 for the main office location make sure you're looking at the Unlimited version: ASA5505-UL-BUN-K9.

Yeah, that's much more within our (my) budgetary goals. I assume I can get by with the 10 user licenses for the remote locations?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Walked posted:

Yeah, that's much more within our (my) budgetary goals. I assume I can get by with the 10 user licenses for the remote locations?

So long as they don't have too many wireless or extra devices, to the ASA any device using a MAC address behind the firewall is a 'user'.
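
An added example (mine, not from anyone in the thread) of how to size the 5505 host license the way the post describes it, by counting distinct MAC addresses rather than people: parse the inside entries of the ASA's `show arp` output, de-duplicate by MAC, and compare against the 10/50/unlimited tiers quoted above. Two assumptions are baked in and labelled in the code: the ARP table is used as a proxy for "hosts behind the firewall" (the ASA itself counts inside hosts that actually pass traffic through it, so ARP can over- or under-count), and the sample output is constructed for the example.

```python
import re
from typing import Dict, Optional, Set

# One "show arp" line: <interface> <ip> <mac> <age>, e.g.
#   inside 192.168.1.10 0011.2233.4455 120
_ARP_LINE_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(?P<age>\S+)"
)

# Host-license tiers as quoted in the thread; None means unlimited.
LICENSE_TIERS: Dict[str, Optional[int]] = {"10-user": 10, "50-user": 50, "unlimited": None}


def hosts_by_interface(show_arp: str) -> Dict[str, Set[str]]:
    """Collect the distinct MAC addresses seen per interface; ignore non-entry lines."""
    seen: Dict[str, Set[str]] = {}
    for line in show_arp.splitlines():
        m = _ARP_LINE_RE.match(line)
        if m is None:
            continue  # headers, blanks, anything that is not an ARP entry
        seen.setdefault(m.group("iface"), set()).add(m.group("mac").lower())
    return seen


def inside_host_count(show_arp: str, inside_ifaces=("inside",)) -> int:
    """Distinct MACs on the inside interface(s); the ARP table is an assumption/proxy
    for the ASA's own inside-host count."""
    by_iface = hosts_by_interface(show_arp)
    macs: Set[str] = set()
    for iface in inside_ifaces:
        macs |= by_iface.get(iface, set())
    return len(macs)


def license_fits(host_count: int, tier: str, headroom: int = 0) -> bool:
    """True when host_count plus planned growth stays within the tier."""
    limit = LICENSE_TIERS[tier]
    return limit is None or host_count + headroom <= limit


def smallest_tier(host_count: int, headroom: int = 0) -> str:
    """Cheapest tier (in the order declared above) that fits the count."""
    for name, limit in LICENSE_TIERS.items():
        if limit is None or host_count + headroom <= limit:
            return name
    return "unlimited"


# Constructed sample (not a real device): 13 inside entries, one MAC holding two IPs,
# plus outside entries that must not count toward the license.
SAMPLE_SHOW_ARP = """\
        outside 172.19.80.1 0000.0c07.ac01 3
        outside 172.19.80.254 0000.0c07.ac02 17
        inside 192.168.1.2 0011.2233.0001 120
        inside 192.168.1.3 0011.2233.0002 95
        inside 192.168.1.4 0011.2233.0003 88
        inside 192.168.1.5 0011.2233.0004 60
        inside 192.168.1.6 0011.2233.0005 41
        inside 192.168.1.7 0011.2233.0006 12
        inside 192.168.1.8 0011.2233.0007 7
        inside 192.168.1.9 0011.2233.0008 130
        inside 192.168.1.10 0011.2233.0009 200
        inside 192.168.1.11 0011.2233.000a 3
        inside 192.168.1.12 0011.2233.000b 9
        inside 192.168.1.13 0011.2233.000c 15
        inside 192.168.1.20 0011.2233.000C 15
"""

if __name__ == "__main__":
    n = inside_host_count(SAMPLE_SHOW_ARP)
    print(n, smallest_tier(n), smallest_tier(n, headroom=40))
```

Phones, printers and a wireless AP's clients all show up as separate MACs, which is why a "3 user" branch can still outgrow a 10-host license; pass the expected growth as `headroom` before picking a tier.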

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
Can a device running IP SLA test to itself from one interface to another?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

CrazyLittle posted:

How would you guys speed-test a gigabit (or any >100mbit) internet access circuit? I mean, I kinda doubt that speedtest.net would give you reliable results if you're trying to push >100mbit through transit peers, right?

iperf in udp mode with -P # options.

that will spawn off X # of streams to really push the link.

You'll need a server on each end, proper ACLs/firewall configurations for the ports you plan to use.

CrazyLittle
Sep 11, 2001

Clapping Larry
well, poop. Guess that's out the window then. It's not like I can get a server with iperf inside L3's NOC.

I'm going to be installing a 500mbit pipe for a customer, and undoubtedly they're probably going to go to sonic.net or megapath.com and run the speedtest on there and then come back to me saying "It's tooo slooooow!!! This test says 25mbps upload! seee???"

Kill me.


*edit* or they'll whine that their Youtube videos aren't downloading at faster than 5-10mbit/sec down... Yes, that's happened several times already.

tortilla_chip
Jun 13, 2007

k-partite
Request RFC2544 test results with your order.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
CDN test files are great for circuit testing.

quote:

--20:07:40-- http://cachefly.cachefly.net/100mb.test
Resolving cachefly.cachefly.net... 205.234.175.175
Connecting to cachefly.cachefly.net|205.234.175.175|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 104857600 (100M) [application/octet-stream]
Saving to: `100mb.test'

100%[======================================================================================================>] 104,857,600 60.0M/s in 1.7s

20:07:42 (60.0 MB/s) - `100mb.test' saved [104857600/104857600]


100mb is a bit small for this but you shouldn't have a problem maxing it out with a larger file.

Walked
Apr 14, 2003

And I'm back.

So, where I'm fuzzy on setting up the ASA and handling routing.

I've got an ASA 5505 acting as a VPN server.

Its on the corporate office network, behind a 1:1 NAT rule, that permits all traffic.

Internal Interface (vlan 1) is 192.168.1.0 Subnet
Outside interface (vlan 2) is 172.19.80.0 subnet

A device on the internal interface can communicate with all out subnets connected to the network. E.g. it can hit a 172.19.70.0 subnet fine.

A device on the outside, can hit the 192.168.1.0 subnet fine



However, if I have a client VPN in, it can only sorta communicate.
It's connecting to the IP of the outside interface (172.19.80.29) and I've tried having the ASA dole out both 192.168.1.X IP addresses, and 192.168.100.X IP addresses.

In this situation, I can hit devices connected to the internal interface (e.g. 192.168.1.2) but nothing connected outside. I assume this is because I'm dumb and the outside interface is acting as the VPN interface and thus everything dies.

But I also don't know.

Any suggestions?

CrazyLittle
Sep 11, 2001

Clapping Larry

FatCow posted:

CDN test files are great for circuit testing.

Yeah, that only works if both the CDN and the transit networks in between will allow single large connections at that speed. Linode's (25 miles away) local file dump peaked out at 20mbps, and the cachefly file peaked at 10mbps. I know for a fact that our transit connections are much faster than that because we're regularly pushing 300mbps average. Also there's another carrier in the same colo as us on one of our same transit providers, and I can get speeds in excess of 100mbps to them.

tortilla_chip posted:

Request RFC2544 test results with your order.

The problem isn't getting wire-line results. The problem is meeting customer expectations when they surf over to http://www.speakeasy.net/speedtest/ and go "WHQAT THE poo poo ISPco! Why is my (20/50/100mbps) connection only uploading at 3mbps?!?!?!?!? GIMMEE MONEY BACK"... when the problem is that the receiving speedtest server isn't geared toward testing anything faster than home xDSL or CableCo connections.

This is my love/hate relationship with working on the provider side of the internet. :(

CrazyLittle fucked around with this message at 00:52 on Oct 14, 2011

BelDin
Jan 29, 2001

Walked posted:

And I'm back.

So, where I'm fuzzy on setting up the ASA and handling routing.

I've got an ASA 5505 acting as a VPN server.

Its on the corporate office network, behind a 1:1 NAT rule, that permits all traffic.

Internal Interface (vlan 1) is 192.168.1.0 Subnet
Outside interface (vlan 2) is 172.19.80.0 subnet

A device on the internal interface can communicate with all out subnets connected to the network. E.g. it can hit a 172.19.70.0 subnet fine.

A device on the outside, can hit the 192.168.1.0 subnet fine



However, if I have a client VPN in, it can only sorta communicate.
It's connecting to the IP of the outside interface (172.19.80.29) and I've tried having the ASA dole out both 192.168.1.X IP addresses, and 192.168.100.X IP addresses.

In this situation, I can hit devices connected to the internal interface (e.g. 192.168.1.2) but nothing connected outside. I assume this is because I'm dumb and the outside interface is acting as the VPN interface and thus everything dies.

But I also don't know.

Any suggestions?

As I have been made painfully aware over the years, the ASA is not a simple router and will not behave as such. You should need to add the CLI config item:

same-security-traffic permit intra-interface

Possible explanation: The ASA does not let traffic enter and exit the same interface without this command. Since your VPN connection is tied to the outside interface, traffic can flow everywhere you allow except back out the outside interface. This is referred to as "hairpinning".

A better explanation can be found here

Walked
Apr 14, 2003

BelDin posted:

As I have been made painfully aware over the years, the ASA is not a simple router and will not behave as such. You should need to add the CLI config item:

same-security-traffic permit intra-interface

Possible explanation: The ASA does not let traffic enter and exit the same interface without this command. Since your VPN connection is tied to the outside interface, traffic can flow everywhere you allow except back out the outside interface. This is referred to as "hairpinning".

A better explanation can be found here

You are my hero. Going to give that a whirl tomorrow. Sounds like the solution!

inignot
Sep 1, 2003

WWBCD?

CrazyLittle posted:


The problem isn't getting wire-line results. The problem is meeting customer expectations when they surf over to http://www.speakeasy.net/speedtest/ and go "WHQAT THE poo poo ISPco! Why is my (20/50/100mbps) connection only uploading at 3mbps?!?!?!?!? GIMMEE MONEY BACK"... when the problem is that the receiving speedtest server isn't geared toward testing anything faster than home xDSL or CableCo connections.

Attempting to satisfy idiots is a losing proposition.

ragzilla
Sep 9, 2005
don't ask me, i only work here


inignot posted:

Attempting to satisfy idiots is a losing proposition.

Sadly idiots control a lot of money.

inignot
Sep 1, 2003

WWBCD?

ragzilla posted:

Sadly idiots control a lot of money.

It's doubtful the guy gibber gabbering at you on the phone controls the purchasing decisions. That's a different group of idiots that may or may not care what the first idiot has to say.

I came to a conclusion a while ago : idiots never have to suffer any consequences for their stupidity; so I'm probably not going to suffer any for ignoring them.

jwh
Jun 12, 2002

That's an interesting idea. How's it working out so far :)

CrazyLittle
Sep 11, 2001

Clapping Larry

ragzilla posted:

Sadly idiots control a lot of money.

"Idiots" and "Customers" tend to overlap by a lot, and businesses don't do so hot without customers.

inignot
Sep 1, 2003

WWBCD?

jwh posted:

That's an interesting idea. How's it working out so far :)

It more or less works. The idiots are angry with me, but they are almost always completely impotent, so it doesn't matter.

I think if you engage with an unconsciously incompetent person / crank you automatically lose. It reinforces their premise that they are an authoritative entity that must be satisfied, which is always impossible. They aren't going to be logically convinced of anything because they don't have the capacity to understand anything, so you just go in circles of stupidity.

If some goof calls you up wanting to know why they don't see a 45Mbs transfer rate when they ftp a single file between two hosts on their new DS3; you're going to do what? Send them a link to some article discussing how TCP windowing is the bottleneck for that kind of test? If they could understand that they wouldn't be calling you in the first place.

And it doesn't matter if the crank goes away mad. No one at the customer company is hanging on his every word for guidance. Most purchasing decisions are driven by who some VP plays golf with anyway. And the two year contract for the DS3 was already signed...which as we all know...actually works fine.
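
An added worked example (mine, not any poster's) putting numbers on two points made above: why a single FTP transfer cannot fill a DS3 when TCP windowing is the bottleneck, and why the iperf advice earlier in the thread uses several parallel streams (`-P`). The bound is one window per round trip, so throughput is at most window_bytes * 8 / RTT; the bandwidth-delay product gives the window you would need instead, and dividing the link rate by the per-flow bound gives the stream count that saturates it. The DS3 rate is the standard line rate, the 64 KiB window is the classic no-window-scaling case, and the 40 ms and 20 ms RTTs are assumed for the example.

```python
import math

# Worked-example constants (assumptions, not measurements from the thread).
DS3_BPS = 44_736_000            # DS3 line rate in bit/s
DEFAULT_WINDOW_BYTES = 65_535   # largest TCP window without window scaling


def max_tcp_throughput_bps(window_bytes: int, rtt_ms: int) -> float:
    """Upper bound for one TCP flow: at most one window of data per round trip."""
    if rtt_ms <= 0:
        raise ValueError("rtt_ms must be positive")
    return window_bytes * 8 * 1000 / rtt_ms


def window_needed_bytes(link_bps: int, rtt_ms: int) -> int:
    """Bandwidth-delay product: window required for one flow to fill link_bps at this RTT."""
    return math.ceil(link_bps * rtt_ms / 8000)


def parallel_streams_needed(link_bps: int, window_bytes: int, rtt_ms: int) -> int:
    """How many window-limited flows (iperf -P <n>) it takes to saturate the link."""
    per_flow = max_tcp_throughput_bps(window_bytes, rtt_ms)
    return max(1, math.ceil(link_bps / per_flow))


def single_flow_fills_link(link_bps: int, window_bytes: int, rtt_ms: int,
                           fraction: float = 0.95) -> bool:
    """True when one flow can reach `fraction` of the line rate, i.e. the customer's
    single-file test is a fair test of the circuit."""
    return max_tcp_throughput_bps(window_bytes, rtt_ms) >= fraction * link_bps


if __name__ == "__main__":
    rtt = 40  # ms, assumed end-to-end round trip for the example
    print(f"one 64 KiB-window flow at {rtt} ms: "
          f"{max_tcp_throughput_bps(DEFAULT_WINDOW_BYTES, rtt) / 1e6:.1f} Mbit/s")
    print(f"window to fill a DS3 at {rtt} ms: {window_needed_bytes(DS3_BPS, rtt)} bytes")
    print(f"parallel streams to fill a DS3: "
          f"{parallel_streams_needed(DS3_BPS, DEFAULT_WINDOW_BYTES, rtt)}")
```

At 40 ms a single 64 KiB window tops out around 13 Mbit/s, so the customer's one-file FTP test on a 45 Mbit/s DS3 is measuring their TCP stack, not the circuit; either window scaling (a window of about 220 KB here) or four parallel streams is needed to see the line rate. UDP iperf sidesteps the window entirely, which is why it was suggested for the gigabit case, but it still needs a receiver at the far end that can sink the traffic.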

Bardlebee
Feb 24, 2009

Im Blind.
I have this interesting issue with trying to access a webserver from inside my network.

Basically I have a static route pointing the server to the outside world. I am able to access the web server via HTTPS and everything from outside the network (i.e. the internet). However when I try to access the server from inside the network it tries to log me into the router itself. I am not sure how to fix this problem.

I guess I understand what is happening I am typing in myserver.mydomain.com and the DNS's of the internet are giving me an IP of 1.1.1.1, the outside interface to my router, which in turn my router is supposed to do a NAT translation and send it to my web server.

I think what is happening is when a client from inside my network accesses the website it goes out to the internet, then back to the router to be translated, but stops thinking it has met its destination. Then it tries to load the SDM thinking I want to remote into the router. I disabled SDM and now I get a 404 error when inside the network.

Would this be more of a DNS server thing I would have to change in my internal network? My DNS servers don't reach out to the outside world and I think it would help, maybe. Or is this a routing issue?

EDIT: Also at my new Net Engi Security job, I mess mostly with Juniper stuff. It was my first week and I have to say once I got used to Juniper it wasn't a big fuss. The CLI is a lot like Cisco in a lot of ways.

CrazyLittle
Sep 11, 2001

Clapping Larry

Bardlebee posted:


I guess I understand what is happening I am typing in myserver.mydomain.com and the DNS's of the internet are giving me an IP of 1.1.1.1, the outside interface to my router, which in turn my router is supposed to do a NAT translation and send it to my web server.

You're trying to do NAT reflection, which used to be considered a big no-no. A lot of non-cisco gear supports it. As far as I know, Cisco still doesn't support it because it's breaking the concept of a "firewall" by having outside interface IP addresses respond on the inside interface.

The easiest way around it is to remap local DNS to resolve the local IP when inside the office.

CrazyLittle fucked around with this message at 18:33 on Oct 15, 2011

Bardlebee
Feb 24, 2009

Im Blind.

CrazyLittle posted:

You're trying to do NAT reflection, which used to be considered a big no-no. A lot of non-cisco gear supports it. As far as I know, Cisco still doesn't support it because it's breaking the concept of a "firewall" by having outside interface IP addresses respond on the inside interface.

The easiest way around it is to remap local DNS to resolve the local IP when inside the office.

I'm not a big DNS guy and admittedly it's not my office. I would google a how-to on remapping local DNS, but I am unsure on what I would be looking for. We have a 2008 server, if it's different at all.

Also, I had no idea NAT reflection was a thing, though I think the DNS solution sounds a bit more graceful.

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE
He just means that you probably have an internal DNS server that is passing requests for anything not in its database off to the internet and it's coming back with the external IP address. Just create an entry in the local DNS server with the same name as your web server and point it to the internal IP address.

Easy.
