
18 Jan 17 Using SNMPWALK and PortQry tools

SNMPWALK and PortQry tools in Windows

Linux ships with a number of built-in tools that are great for troubleshooting, whereas a Windows operating system is more limited out of the box. Being primarily a Windows user (and a fan of the CLI and CLI-based tools), I am always looking for different tools. In this post I want to mention two that I have been able to use successfully.

My most recent use was troubleshooting SNMP on two switches. I used snmpwalk to test SNMP itself and then PortQry to check the port from the CLI. Here is my method and the results:

Non Working – snmpwalk
COMMAND SYNTAX: snmpwalk -r:"ip-address" -c:"community-name" -v:2

Non Working PortQry Test
COMMAND SYNTAX: pq -n "ip-address" -cn !community-name! -e 161 -p udp

Above is the SNMP test against the non-working switch: snmpwalk fails right away, and PortQry shows the port as filtered, whereas it should say "LISTENING" as in the next example.

Working – snmpwalk
COMMAND SYNTAX: snmpwalk -r:"ip-address" -c:"community-name" -v:2

Working PortQry Test
COMMAND SYNTAX: pq -n "ip-address" -cn !community-name! -e 161 -p udp


26 Aug 14 Cisco IOS ACL logging with Port numbers

Cisco IOS logging with source and destination ports

Recently I had to do some troubleshooting on a Cisco 2911 router to find out whether traffic was flowing from one IP address to another. So I did the usual: created an extended access list and applied it to the interface like this:

ip access-list extended test
permit ip any any log
!
interface gi0/0
ip access-group test in
end

That worked and I was seeing the logs and the traffic; however, I also needed to know the source and destination port numbers. This configuration was giving me the following:
Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
As you can see, instead of the port number I just get a "0" in there, and I needed the port numbers as well. The catch is that if the access list entry does not match on port numbers (Layer 4), IOS will not log them. So here is what I did to get it working:

ip access-list extended test
permit tcp any gt 1024 any gt 1024 log
!
interface gi0/0
ip access-group test in
end

When I did that I got the following results 🙂
Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9053) -> 10.202.106.15(12302), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9052) -> 10.202.106.15(39817), 1 packet
Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9055) -> 10.202.106.15(12302), 1 packet
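As an added example (not part of the original post), here is a small POSIX shell/awk script that parses %SEC-6-IPACCESSLOGP lines like the ones above, flags entries whose ports were logged as 0 (the ACE had no Layer 4 match), and totals packets per flow. The sample log lines are constructed and modelled on the post's output.

```shell
#!/bin/sh
# Added example, not from the original post: pull source/destination ports out
# of %SEC-6-IPACCESSLOGP lines and flag flows logged with port 0, which means
# the matching ACE had no Layer-4 match so IOS recorded no port numbers.

# Constructed sample lines modelled on the ones in the post.
SAMPLE_LOG='Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9053) -> 10.202.106.15(12302), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9052) -> 10.202.106.15(39817), 1 packet
Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9055) -> 10.202.106.15(12302), 1 packet
Aug 25 08:29:30.701: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9053) -> 10.202.106.15(12302), 3 packets'

# parse_acl_log: reads syslog text on stdin and prints one line per entry:
#   <list> <action> <proto> <src> <sport> <dst> <dport> <packets> <note>
# where <note> is NOPORT when either port is 0 and ok otherwise.
parse_acl_log() {
  awk '
    /%SEC-6-IPACCESSLOGP:/ {
      # Layout after the tag: list <name> <action> <proto> src(sport) -> dst(dport), N packet(s)
      for (i = 1; i <= NF; i++) if ($i == "list") break
      list = $(i+1); action = $(i+2); proto = $(i+3)
      src = $(i+4); dst = $(i+6); pkts = $(i+7)
      sub(/,$/, "", dst)                      # strip the comma after dst(dport)
      split(src, s, /[()]/); split(dst, d, /[()]/)
      note = (s[2] == "0" || d[2] == "0") ? "NOPORT" : "ok"
      print list, action, proto, s[1], s[2], d[1], d[2], pkts, note
    }'
}

# count_noport: how many entries carry no port information at all.
count_noport() {
  parse_acl_log | awk '$9 == "NOPORT" { n++ } END { print n + 0 }'
}

# summarize_flows: total packets per src:sport -> dst:dport, busiest first,
# using only entries that actually have port numbers.
summarize_flows() {
  parse_acl_log | awk '$9 == "ok" { p[$4 ":" $5 " -> " $6 ":" $7] += $8 }
                       END { for (k in p) print p[k], k }' | sort -rn
}

# Demo on the constructed sample; pipe a real syslog export in instead.
printf '%s\n' "$SAMPLE_LOG" | parse_acl_log
printf '%s\n' "$SAMPLE_LOG" | summarize_flows
```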


30 Oct 12 AnyConnect Error – No Address Available for SVC Connection

Cisco AnyConnect Client error message – No address available for SVC Connection

Recently, working on a Cisco AnyConnect project, I ran into this error message. I could see the client connecting, and it let me type my password in, but it would then disconnect with the error message "No Address Available for SVC Connection". After looking around for a few minutes it turned out to be a pretty easy fix: I had set up a local DHCP pool on the ASA for the Cisco AnyConnect VPN, but under Assignment Policy I had forgotten to tick the option that allows the locally created DHCP pool to be used. See the screenshot below:

This was on a Cisco ASA 5520 running 8.4 code.


17 Sep 12 Cisco 4948E switch – Change boot file image

Changing boot image file for a Cisco 4948E switch

Recently I upgraded the IOS on a couple of Cisco 4948E switches. After uploading the IOS and specifying the boot file, I rebooted the switch. After it came back up I saw the following statement:

Autobooting using the first file from the bootflash..

So even if show bootvar shows the correct file, every reload boots the first file. The reason is that the default configuration register on the switch is 0x2101, which tells the Cisco 4948E to boot the first IOS image file in bootflash. To make the Cisco 4948E boot the specified IOS file instead, I used the following commands:

conf t
!
config-register 0x2102
boot system flash bootflash:image-name…..
!
exit
write mem
reload

Now when you reload, the switch boots from the specified file, as shown below:


29 Aug 12 Fortinet SSL VPN issues after Microsoft Update

Fortinet SSL VPN issues after Microsoft Update

Recently I encountered an issue with some of our users not being able to access Fortinet's SSL VPN through their browsers. After some research I found out that the issue is related to Microsoft Security Update KB2585542 – Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584). According to Microsoft, the vulnerability is in the protocol itself, so technically it is not a Windows operating system issue.

In order to resolve the issue there are multiple methods:

25 Apr 12 Renew 3rd party Certificate on Cisco WLC 5508

How to renew and upload the third party Certificate on Cisco WLC 5508 for Web Authentication

If you need to generate a CSR (Certificate Signing Request) for a third-party certificate and then load it on your Cisco Wireless LAN Controller 5508, this is a pretty good guide, and I used it myself to load the very first one. That is all well and good, but what happens once this certificate expires, you get it renewed, and now you have to reload it? I wasn't able to find specific information about that right away, so hopefully this post will help not only me in future but also others :).

First and most important: hopefully you saved your private key from when you initially set up your certificate, because if you have it you do not have to start the whole process again. I save everything, so I simply located my private key for the Cisco WLC 5508 and did the following. Note: this applies to Verisign, which is what we use.

  • First I got the renewed Verisign certificate and got hold of the old vs.pem file that I used initially.
  • Next I replaced the old Verisign certificate lines in it with the new ones and saved it. This is the key step.
  • Then I put the vs.pem and myprivatekey.pem files in the c:\openssl\bin folder.
  • From the command prompt I changed to that folder and typed openssl.
  • Next I used the following two commands at the openssl prompt:

    pkcs12 -export -in vs.pem -inkey myprivatekey.pem -out vscert.p12 -clcerts -passin pass:12345 -passout pass:12345

    pkcs12 -in vscert.p12 -out vscert.pem -passin pass:12345 -passout pass:12345

  • Now I had a vscert.pem file, just like before, that I could load on the Cisco WLC 5508.
  • Next, get the Cisco WLC 5508 ready and load the new cert.
  • I ran the following commands on the Cisco 5508 WLC:

    ** transfer download mode tftp
    ** transfer download datatype webauthcert
    ** transfer download serverip x.x.x.x
    ** transfer download path ./   (I just typed ./ because my TFTP root folder is C:\TFTP)
    ** transfer download filename vscert.pem
    ** transfer download certpassword 12345
    ** Setting password to 12345
    ** transfer download certpassword 12345
    ** Setting password to 12345

  • Now the Cisco WLC 5508 is ready to receive the renewed Verisign cert for web authentication.
  • Type the following command to start the process: transfer download start
  • You will see a screen like the one below. Once it is done, just SAVE the config and reset the 5508 Wireless LAN Controller; the new Verisign certificate will take over.

Note: These are the steps I took to renew and then upload the renewed Verisign certificate on the Cisco 5508 WLC. Use this as a reference, always back up your configuration, do some research if you are not certain, and don't do anything you can't undo 🙂
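As an added example (not part of the original post), this POSIX shell script wraps the two OpenSSL steps above with the check you want before touching the WLC: that the saved private key really belongs to the renewed certificate, and that the certificate has not already expired. It assumes the openssl CLI is on PATH and that the private key is unencrypted; the file names mirror the post and the password is whatever you pass as the third argument.

```shell
#!/bin/sh
# Added example, not from the original post: before converting the renewed
# certificate for the WLC, confirm that the saved private key still belongs to
# the new certificate and that the certificate is not already expired, then run
# the same two pkcs12 steps the post uses. Assumes the openssl CLI is on PATH
# and an unencrypted key (add -passin to the pkey call otherwise). File names
# mirror the post: vs.pem, myprivatekey.pem, vscert.p12, vscert.pem.

# key_matches_cert CERT KEY: returns 0 when the public key inside CERT equals
# the public key derived from KEY (works for RSA and EC keys), 1 otherwise.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cert_still_valid CERT: returns 0 unless CERT has already expired
# (-checkend 0 asks "will it expire within the next 0 seconds?").
cert_still_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# build_wlc_cert CERT KEY PASS: produces vscert.p12 and vscert.pem exactly as
# in the post, but refuses to proceed if either check above fails.
build_wlc_cert() {
  cert=$1; key=$2; pass=$3
  if ! key_matches_cert "$cert" "$key"; then
    echo "error: $key does not match $cert; locate the key used for the original CSR" >&2
    return 1
  fi
  if ! cert_still_valid "$cert"; then
    echo "error: $cert has already expired" >&2
    return 1
  fi
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out vscert.p12 -clcerts \
    -passin "pass:$pass" -passout "pass:$pass" || return 1
  openssl pkcs12 -in vscert.p12 -out vscert.pem \
    -passin "pass:$pass" -passout "pass:$pass"
}

# Usage: sh renew-wlc-cert.sh vs.pem myprivatekey.pem 12345
if [ $# -eq 3 ]; then
  build_wlc_cert "$1" "$2" "$3" && echo "vscert.pem is ready to TFTP to the WLC"
fi
```

If vs.pem also holds the intermediate certificates, they are carried into vscert.p12 and vscert.pem by these same commands.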


22 Apr 11 UPDATE-3-UNTAR_CMD_FAIL: updcode.c:2832 Error during untar of webauth bundle. Tar returned 256

Recently I had an issue when trying to upload a customized web authentication page to a Cisco 5508 WLC: it kept giving me the error "%UPDATE-3-UNTAR_CMD_FAIL: updcode.c:2832 Error during untar of webauth bundle. Tar returned 256". I am running software version 7.0.98.0 on the Cisco 5508 wireless LAN controller. After some digging I found out that apparently there is a bug in this software version: if you tar the files on a Windows-based system and try to upload them, the Cisco 5508 Wireless LAN Controller cannot extract them and gives you that same error.

The fix was to tar those files on a Unix or Linux system and then upload them to the Cisco 5508 Wireless LAN Controller, which was then able to extract the tar file without trouble. I don't know if this will work for everyone, but for me this solution worked.

Update: I also found that a free Windows-based utility can do the job. I used a utility called IZArc to tar the files, uploaded them, and it was successful.


11 Apr 11 IKE Initiator unable to find policy

Recently, working on a site-to-site VPN between a Cisco IOS router and an ASA firewall, I encountered this error message when looking at the logs. I could see Phase 1 and Phase 2 establish when looking at the logs for the remote site's public IP. When I started capturing on the remote IP I noticed this error message: "IKE Initiator unable to find policy: Intf outside, Src: sourceip, Dst: destinationip". The VPN was establishing but no traffic was passing.

This was happening because the remote IP scheme was already in use on the Cisco ASA in another VPN with a different public IP. I deleted that VPN, as it was set up wrong, and then generated traffic over the VPN again. Everything worked without any issues.
