
sudo rm -rf posted:

Might be due to the po flapping while trying to negotiate with the other side. What mode was it on both sides of the channel? I only saw it in passive on the one side and didn't see the mode for the other.

Edit: How's your STP set up? Are you running root guard and loop guard?

Prescription Combs fucked around with this message at 02:41 on Mar 19, 2015

# ¿ Mar 19, 2015 02:39

PIX 515E pimpin'

pixfirewall# sh ver
Cisco PIX Security Appliance Software Version 8.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"
Config file at boot was "startup-config"
pixfirewall up 6 mins 21 secs
Hardware: PIX-515E, 256 MB RAM, CPU Pentium III 547 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

733MHz/133FSB proc running at 547/100FSB. Waiting for a 1GHz Coppermine proc to come in and see if it'll boot. It did not like the 1.4GHz Tualatin.

# ¿ Mar 31, 2015 00:40

psydude posted:
All about dat L2TP/IPSEC.

switch(config)# service unsupported-transceiver
switch(config)# no errdisable detect cause gbic-invalid

# ¿ Apr 17, 2015 02:00

wyoak posted:
I know, but it's just not on that device/IOS (the caret actually points at the unsupported-transceiver part)

IIRC, the commands are only in the Catalyst switches. No clue on the router side.

# ¿ Apr 17, 2015 22:13

Apparently Brocade dropped device clustering support in Vyatta 6.7.

MF_James, looks fairly straightforward IOS. http://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3.html

# ¿ Apr 23, 2015 20:54

Anyone have any 5506/8-X's running in production yet? If so, how's the performance?

# ¿ Jul 9, 2015 16:07

Methanar posted:

Some interesting NATs you have going on the old firewall. Based on what tidbits of info you gave:
code:

Prescription Combs fucked around with this message at 02:58 on Jul 16, 2015

# ¿ Jul 16, 2015 02:47

Methanar posted:
Okay this is very helpful.

'MeadowNetwork' looks to already be defined in an object-group. 'Serpong_HQ' is an unknown from the config snippet you gave since it's a named IP.

Methanar posted:
nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS

This is how the syntax is to keep the network 'identity' from changing. You can do some serious network masking with it.

nat (real interface,mapped interface) source static <real network or IP> <mapped network or IP> destination static <real remote network or IP> <mapped remote network or IP>

So, you can map your 'real' IP(s) as something else before it is sent to the destination network. Either for VPN or a separate interface segment. In your case, you need to keep the network identity of the 'dmz local' network when it is sent across the VPN? to whatever destination subnet is defined on the NAT0 access-lists.

Methanar posted:
Kind of the same thing here, what are the capitals. Why is MeadowNetwork written twice in a row and what exactly is being sent to/from Serpong.

Prescription Combs fucked around with this message at 07:40 on Jul 16, 2015

# ¿ Jul 16, 2015 07:35

Methanar posted:
Has anyone ever had a problem with an ASA where it will respond to every ARP query and say that he owns the IP address in question.

Let me tell you a story about how 1 ASA took down nearly a whole cloud in a data center because of a mis-configured NAT statement. Manual NATs without declaring 'no-proxy-arp' at the end or not disabling it via sysopt is pretty hilarious in certain scenarios.

sysopt noproxyarp <interface>

# ¿ Aug 10, 2015 19:37

Betting it's any of the following lines depending on where 192.168.0.0/16 is actually configured. I couldn't find any references in the config you pasted to that subnet.

nat (inside,any) source static any any destination static obj-172.16.25.0 obj-172.16.25.0
nat (inside,any) source static any any destination static obj-129.129.30.0 obj-129.129.30.0
nat (inside,any) source static any any destination static IPVPNClient IPVPNClient
nat (dmz,outside) source static any any destination static obj-172.16.25.253 obj-172.16.25.253
nat (dmz,dmz) source static any any destination static obj-172.16.25.253 obj-172.16.25.253

Do you know if your ASA needs to proxy arp for anything? Possibly the 129.129.30.0 subnet?

# ¿ Aug 10, 2015 20:06

Methanar posted:
That's why it's so bizarre. The ASA has been sitting on my desk for like 4 weeks now and is brand new. It's never been used for real. I've been preparing it to be put into the network but it just absolutely refuses to let anyone else have an address.

I'm pretty certain it's your NAT lines. Try turning on sysopt noproxyarp.

conf t
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp outside

See if the behavior is still there. Those 'any any' references on the NATs literally mean any address, even if not in the config.

# ¿ Aug 11, 2015 02:54

Methanar posted:
Shutting off proxy arp fixed the IP conflict issue I was having. Whoops.

Yeah, I'm used to a shared infrastructure environment that primarily does public > private NAT where public IPs generally don't reside behind the FWs. Since you have public address space across multiple interfaces you'll want to leave it enabled on those interfaces. A better workaround may be to disable it on the manual NAT lines that have the 'any any' as source and only identity NAT what you need with specific objects / object-groups.

# ¿ Aug 11, 2015 18:34
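The two threads above (the twice-NAT identity syntax explained in the Jul 16, 2015 post, and the proxy-ARP storm caused by `source static any any` rules in the Aug 10-11, 2015 posts) can be checked mechanically before a config goes on the wire. The script below is an added example by the editor, not code from any poster or from Cisco: it parses the manual NAT lines of an ASA running-config, reports which rules are identity NAT (real and mapped identical on both sides) and which would make the ASA answer ARP for every address, and rewrites the risky ones with the per-rule `no-proxy-arp` keyword rather than the interface-wide `sysopt noproxyarp`. The sample config and its object names are constructed for the example, modelled on the lines quoted in the thread, and the option-ordering rule (keep `description` last) is an assumption about the ASA parser.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed ASA config fragment (example data, not a real firewall). The
# indented 'nat' under 'object network' is object NAT and is intentionally
# ignored; only top-level manual (twice) NAT rules proxy-ARP for 'any'.
SAMPLE_CONFIG = """\
object network obj-172.16.25.0
 subnet 172.16.25.0 255.255.255.0
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
object network obj-203.0.113.10
 host 203.0.113.10
object network IPVPNClient
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
nat (inside,any) source static any any destination static obj-172.16.25.0 obj-172.16.25.0
nat (inside,any) source static any any destination static IPVPNClient IPVPNClient
nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS no-proxy-arp
nat (inside,outside) source static obj-10.1.1.0 obj-203.0.113.10
"""

# nat (real,mapped) source static|dynamic REAL MAPPED [destination static REAL MAPPED] [options...]
MANUAL_NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source (?P<src_mode>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<opts>(?: \S+)*)\s*$"
)


@dataclass
class ManualNat:
    line: str
    real_if: str
    mapped_if: str
    src_mode: str
    src_real: str
    src_mapped: str
    dst_real: Optional[str] = None
    dst_mapped: Optional[str] = None
    options: List[str] = field(default_factory=list)

    @property
    def is_identity(self) -> bool:
        """Real == mapped on both sides: the 'keep the network identity' case."""
        return self.src_real == self.src_mapped and self.dst_real == self.dst_mapped

    @property
    def proxy_arp_risk(self) -> bool:
        """A static rule answers ARP on the mapped interface for the mapped source
        addresses unless no-proxy-arp is set; 'any any' on (x,any) therefore
        claims every address on every interface (the IP-conflict symptom)."""
        return (self.src_mode == "static"
                and self.src_mapped == "any"
                and "no-proxy-arp" not in self.options)


def parse_manual_nat(config: str) -> List[ManualNat]:
    """Return the top-level manual NAT rules; indented object NAT is skipped."""
    rules = []
    for raw in config.splitlines():
        m = MANUAL_NAT_RE.match(raw)
        if not m:
            continue
        rules.append(ManualNat(
            line=raw.strip(), real_if=m["real_if"], mapped_if=m["mapped_if"],
            src_mode=m["src_mode"], src_real=m["src_real"], src_mapped=m["src_mapped"],
            dst_real=m["dst_real"], dst_mapped=m["dst_mapped"],
            options=m["opts"].split(),
        ))
    return rules


def with_no_proxy_arp(rule: ManualNat) -> str:
    """Rebuild the rule with no-proxy-arp added before any trailing description
    (assumed ordering: keyword options first, 'description ...' last)."""
    opts = list(rule.options)
    if "no-proxy-arp" not in opts:
        idx = opts.index("description") if "description" in opts else len(opts)
        opts.insert(idx, "no-proxy-arp")
    head = (f"nat ({rule.real_if},{rule.mapped_if}) source {rule.src_mode} "
            f"{rule.src_real} {rule.src_mapped}")
    if rule.dst_real is not None:
        head += f" destination static {rule.dst_real} {rule.dst_mapped}"
    return " ".join([head, *opts])


def audit_proxy_arp(config: str) -> List[str]:
    """Corrected lines for every manual NAT rule that would proxy-ARP for 'any'."""
    return [with_no_proxy_arp(r) for r in parse_manual_nat(config) if r.proxy_arp_risk]


if __name__ == "__main__":
    for r in parse_manual_nat(SAMPLE_CONFIG):
        kind = "identity" if r.is_identity else "translating"
        flag = "  <-- proxy-ARPs for any, add no-proxy-arp" if r.proxy_arp_risk else ""
        print(f"[{kind:11}] {r.line}{flag}")
    print("\nsuggested replacements:")
    for fixed in audit_proxy_arp(SAMPLE_CONFIG):
        print(" ", fixed)
```

Running it against a real `show running-config` is a quick pre-change check: anything the audit lists is a rule where the 'any' on the mapped side is doing more than the identity NAT you intended, and the per-rule keyword leaves proxy ARP working on interfaces that genuinely front public address space.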

crunk dork posted:
Anyone have any trouble trying to TFTP an ASDM .bin to an ASA inside of GNS3? Using SolarWinds and it pokes along before timing out somewhere in the middle of the transfer with a "no client response" error. ASA has default (blank?) config except for a Gig eth interface configured with an IP address. I have a loopback adapter configured on Win10 and use that as the interface on a 'cloud device' in GNS3 to let the SolarWinds transfer to the ASA.

Try FTP or SCP.

# ¿ Oct 13, 2015 21:46

Reiz posted:
I'm guilty of switchport trunk allowed vlan add x. But that's the safe way to not wipe everything off the trunk?

"switchport trunk allowed vlan X" will definitely fuck up your day if you don't realize what you've done.

# ¿ Dec 7, 2015 01:43

Shame on you for using a NetScreen in TYOOL2015

# ¿ Dec 21, 2015 05:35

Cisco certified power cable. Only $49.95!

# ¿ Jan 4, 2016 21:13

Slickdrac posted:
So, Cisco pages aren't entirely clear about this, but can I take an ASA OS (9.1.4 in this case) off a 5525X and drop it onto a 5510 without bricking it?

We've been upgrading our 5510s at work to 9.1(6)10 without any issues. Just use the non-SMP version and make sure you have 1 gig of RAM in it.

Also, the ASA-X 8.6 flash bug is the worst when there are hundreds spread across data centers still running that code ver.

# ¿ Jan 12, 2016 05:41

Sprechensiesexy posted:
Since no one mentioned them yet. You can have a look at the Juniper SRX series, the lower end of the spectrum might fall in your price range.

Please no. Trying to diagnose any network issues on Junipers is awful. They have a shell you can drop in to but you can't tcpdump data plane traffic. You have to rely on stateless ACLs and export the pcaps.

# ¿ Jan 26, 2016 04:03

Docjowles posted:
I'm about ready to flip out on Rackspace support. I've been trying to get a simple IPsec VPN tunnel set up to them for a week now. Every time they write me to say it's done, I try, and it fails to come up. I spend a bunch of time combing my config for errors and running debug mode. See nothing. Check back with Rackspace: "oh lol sorry did you say you wanted 10.2.2.0/24 tunneled? We just randomly entered some other network that was not mentioned anywhere in the ticket instead. u mad?" I'm on the third iteration of complete dumbass, non-sequitur errors with no end in sight.

Can you PM me the ticket number? I can take a look.

# ¿ Sep 27, 2016 22:55

Docjowles posted:
We finally got it working this morning, but I appreciate the offer. It turns out when I ask them to tunnel a /16, and they configure that as 255.255.255.0 on their side, the proposals don't match. Who would have thought

Sounds like you're dealing with the U.S. business unit. It's a real crapshoot over there.

# ¿ Sep 28, 2016 20:34

tadashi posted:
When I create site-to-site VPNs from my ASA 5510, the tunnel will only become active once I send packets from my side to the remote site. This seems like secure behavior but is there a way to just allow traffic to start passing once the tunnel exists?

As already mentioned, if they're both configured then it doesn't matter which side initiates. If you are concerned with making sure the tunnel stays up you could get rid of the idle timer with a group-policy or use an sla monitor to send traffic to an arbitrary address across the tunnel. I usually only see 1-2 packets get dropped while the negotiations occur if the tunnel is not currently established and I generate traffic destined for the remote side.

# ¿ Oct 11, 2016 23:48

Oh boy. We have over 7,000 5508's in production affected.

# ¿ Feb 10, 2017 03:39

Kazinsal posted:
What the unholy fuck

Dedicated hosting. They're the new 'low-end' high throughput firewall my company offers to customers since the 5510-5550's are EOL.

# ¿ Feb 10, 2017 18:11

CrazyLittle posted:
Welp, Broadcom's acquisition of Brocade will eventually solve all your problems. Apparently they're killing off all of their product lines, including the last bits of Vyatta

This makes me beyond happy. I have to deal with their shitty ServerIron ADX's at work all the time. Constant hardware failures and dumbass software bugs.

# ¿ Jul 19, 2017 07:23

Sepist posted:
If anyone has the old Arrowpoint load balancer (Cisco CSS) run "show groups", it has a similar easter egg

There was also llama mode for debugging.

# ¿ Jul 28, 2017 01:17

Anyone ever run in to link flapping with Nexus vPCs to a pair of SRX1400's in link agg before? Only one of the SRX units to the pair of routers is getting the errors/link flaps.
code:

# ¿ Sep 26, 2017 03:02

hanyolo posted:
Are you trying to run LACP between both SRX1400 firewalls? Because SRX reth interfaces do not support LACP between chassis members, since chassis cluster is simply active/passive and uses gARP for failover.

It's set up properly like on the right side of the image in the KB article. Two separate vPCs on the Nexus side and a single reth on the SRX side, four 10gig links total. Only node1 has the link flap issues. It's very strange.

# ¿ Oct 3, 2017 06:38

ate poo poo on live tv posted:
Are the vPCs cross chassis? Or do the links on Nexus router 0 go to SRX node 0 and router 1 goes to node 1?

I'll have to double check the infra, pretty sure we do have a JTAC case open (I'm not directly handling the issue). It's one of the thousands of customers my company supports. No infrastructure changes remotely possible. It's a very large financial institution with red tape for days. Posted as a shot in the dark is all, really.

FatCow posted:
Our SRX1400s have all sorts of issues like these. We had to disable BFD to get reconvergence times down. Occasionally they stop forwarding packets between a pair of IPs. Failover times are seemingly random. We had link/stability issues in the past but they seem to be gone now.

Glad my place isn't the only one having random ass issues with the 1400's, SRX's in general have some odd issues. One of my favorites is the code train that ISSU is broken on and you have to bounce both units at the exact same time or all hell breaks loose on a code upgrade.

# ¿ Oct 4, 2017 09:34

ate poo poo on live tv posted:
Have there been any advancements in load-balancing specifically SSL Termination/Offload?

Single F5's are not good at SSL TPS, even with their accelerator cards. You'd ideally want to distribute traffic regionally to maximize any sort of SSL TPS. Whether that's multiple regions with F5's or nginx. No single point is going to scale well with SSL TPS.

e: Alternately use a CDN to handle the brunt of SSL and then pipeline the traffic from the CDN to your load balancer to minimize SSL TPS on that.

Prescription Combs fucked around with this message at 22:02 on Dec 27, 2017

# ¿ Dec 27, 2017 21:57

ate poo poo on live tv posted:
Our traffic is already Anycast from 4 geographically distinct locales, plus AWS. The million CPS number was just our biggest datacenter.

Yeeeesh that's a lotta traffic.

# ¿ Dec 28, 2017 03:05

Thanks Ants posted:
If I need a basic router to do NAT for a ~100Mbps internet connection at a remote site and maybe do an IPsec tunnel, is it worth tearing my hair out with a Mikrotik/Ubiquiti box or is the correct answer to just buy an SRX300?

My vote would be EdgeRouter Lite.

# ¿ Jan 9, 2018 01:45

Richard Noggin posted:
That and the inadvertent right click inside a PuTTY session.

This one got me good a few years ago. Managed to do an entire maintenance 2 hours early in about 2 seconds.

# ¿ Jan 31, 2018 01:12

quote:
ERROR: Long VLAN name knob is not enabled, vlan-name >32 char is not allowed.

Had a laugh at this one.

# ¿ Jun 5, 2018 23:45

That rant is very accurate. My company has started deploying them and trying to manage a fleet of them is a nightmare.

# ¿ Aug 31, 2018 21:05

ASAs are great. Fight me.

# ¿ Aug 31, 2018 21:42

MF_James posted:
Cool, yeah I dropped the commands in and they worked but I wasn't sure if it would actually happen.

Old as shit topic but unless you absolutely need to capture every connection to syslog, enable syslog permit host down or that ASA will block all traffic if that syslog server goes down.

E: when sending TCP syslog. UDP doesn't care obvs.

Prescription Combs fucked around with this message at 22:49 on Nov 22, 2019

# ¿ Nov 22, 2019 22:47

Moey posted:
Keeping the firewall chat going, is everyone doing UTM type stuff from the edge, or maybe something at the client level?

If you already know SRX I think they do UTM stuff now too.

# ¿ Nov 23, 2019 17:01

Tetramin posted:
Yeah I found this out the hard way. That's such a stupid default setting, especially in an environment that patches servers every week.

"Why does our internet/vpn connectivity always go down when the syslog server patches?!"

# ¿ Dec 11, 2019 06:13

uhhhhahhhhohahhh posted:
Cool ASA shit: upgraded a 5525X to 9.8(2)35 last week and now the ASDM logs are spammed 30 times a second with ICMP logs that are supposedly coming from the next hop for the management interface - a Nexus 9k - which definitely isn't doing any tracking or icmps to this device.

That's pretty old code, might wanna consider something in the 9.12(2) interim train

# ¿ Jan 7, 2020 09:17