Re: [c-nsp] 7600/RSP720 + SIP-400
HYG RMS-7606-LB#sh platform hardware capacity system
System Resources
  PFC operating mode: PFC3C
  Supervisor redundancy mode: administratively sso, operationally sso
Switching resources:
  Module  Part number     Series      CEF mode
  1       7600-SIP-400    CEF256      CEF
  2       WS-X6724-SFP    CEF720      dCEF
  3       WS-X6724-SFP    CEF720      dCEF
  5       RSP720-3C-GE    supervisor  CEF

Regards
Jason
CCIE#24775

On Tue, Dec 15, 2009 at 7:07 PM, Hank Nussbacher h...@efes.iucc.ac.il wrote:
> At 18:49 15/12/2009 +0200, Tassos Chatzithomaoglou wrote:
>> Can someone with a SIP-400 module execute the "sh platform hardware capacity system" command and send me the output? I would prefer people with 7600/RSP720.
>
> Not a RSP720 but close:
>
> petach-tikva-gp#sh platform hardware capacity system
> System Resources
>   PFC operating mode: PFC3BXL
>   Supervisor redundancy mode: administratively sso, operationally sso
> Switching resources:
>   Module  Part number       Series      CEF mode
>   1       WS-X6582-2PA      CEF256      CEF
>   2       WS-X6582-2PA      CEF256      CEF
>   3       WS-X6582-2PA      CEF256      CEF
>   4       WS-X6582-2PA      CEF256      CEF
>   7       WS-SUP720-3BXL    supervisor  CEF
>   9       WS-X6748-GE-TX    CEF720      dCEF
>   10      WS-X6704-10GE     CEF720      CEF
>   11      7600-SIP-400      CEF256      CEF
>
> -Hank
>
> --
> Tassos

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] traffic re-route on FW
Hi,

I have a topology:

        MPLS                INTERNET
         |                     |
         |                     |
        CE1                   CE2
   (172.16.1.1/30)       (172.16.2.1/30)
         |                     |
         |                     |
   172.16.1.2/30 (FIREWALL CHECKPOINT) 172.16.2.2/30

MPLS is my primary link and when it's down I have an IPSEC TUNNEL from CHECKPOINT to remote peer (which is backup). I'm confused how FW will be aware that MPLS SP is down and route traffic to Internet IPSEC TUNNEL. I don't have license for dynamic routing on CHECKPOINT.

Thanks for help
Jack
Re: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
Hi Lee,

You're right and I'm wrong. Have to use BITW.
Thanks for the advice, back to reading more documentation for me.

Best regards,
.pelle

On Tue, Dec 15, 2009 at 4:20 PM, Lee ler...@gmail.com wrote:
> On Tue, Dec 15, 2009 at 8:45 AM, Pär Åslund psl...@gmail.com wrote:
>> Hi Lee,
>>
>> No, I don't have it configured with crypto connect. From what I read so far, I don't need that for site-to-site ipsec? All the docs I read talked about the bump in the wire encryption.
>
> Somehow or other you have to get the traffic going thru the ipsec card; the only way I know of is to use the 'crypto connect' command or the much-discouraged-in-the-docs "switchport trunk allowed vlan add NNN" on the ipsec card ports. But I never did dynamic crypto maps, so maybe they do some extra magic?
>
>> The asa in the remote office can ping the remote peer ip configured on the 6500. Just seems like bad magic for me right now that for some reason the traffic doesn't seem to reach the IPSEC module.
>
> A fun thing about the 6500 ipsec card is that traffic not matching the crypto map goes through unaltered whereas a real router would drop the traffic. If your ASA has a 192.168.1.1 address and the 6500 vlan 8 ip address is 192.168.1.2 it wouldn't surprise me that the asa can ping the 6500.
>
> Another fun thing about the 6500 ipsec card is that routing happens only on the cleartext traffic. By the time the traffic comes out of the ipsec card all the routing decisions have been made :( For example, say you're putting traffic for 10.10.10.0/24 in the IPSec tunnel and the tunnel endpoint is 192.168.1.1. If the route for 10.10.10.0/24 is out vlan10 and the route for 192.168.1.1 is out vlan 8 it ain't gonna work. I ended up adding a static route for 10.10.10.0/24 pointing to 192.168.1.1 as a work-around.
>
> Then again, I haven't had anything to do with a 6500 ipsec card for over a year so maybe they've fixed some of the weirdness that I had to deal with.
>
>> Extra, forgot to show the configuration of the interfaces on module 8 - WS-SVC-IPSEC-1
>>
>> Current configuration : 243 bytes
>> !
>> interface GigabitEthernet8/1
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan 8
>>  switchport mode trunk
>>  mtu 4500
>>  no ip address
>>  flowcontrol receive on
>>  flowcontrol send off
>>  spanning-tree portfast trunk
>> end
>>
>> interface GigabitEthernet8/2
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan none
>>  switchport mode trunk
>>  mtu 4500
>>  no ip address
>>  flowcontrol receive on
>>  flowcontrol send off
>>  spanning-tree portfast trunk
>> end
>
> What I ended up with was
>
> interface GigabitEthernet8/0/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 550,551,702
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> !
> interface GigabitEthernet8/0/2
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 551,703
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> !
>
> Looking at it now, having vlan 551 on G8/0/1 and 2 seems wrong.. but it did work. We moved all our ipsec tunnels over to asrs a while back, so nothing I need to do about it now :)
>
> Regards,
> Lee
>
>> Best regards,
>> .pelle
>>
>> On Tue, Dec 15, 2009 at 1:30 PM, Lee ler...@gmail.com wrote:
>>> Do you have the inside and outside vlan for your ipsec traffic configured with a crypto connect? eg
>>>
>>> interface Vlan7
>>>  description outside:encrypted traffic
>>>  no ip address
>>>  crypto engine subslot 8/0
>>>  crypto connect vlan 8
>>> !
>>> interface Vlan8
>>>  description inside:cleartext traffic
>>>  ip address xxx
>>>  crypto map xxx
>>>  crypto engine subslot 8/0
>>>
>>> Regards,
>>> Lee
>>>
>>> On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund psl...@gmail.com wrote:
>>>> Hi,
>>>>
>>>> I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a site-to-site tunnel. Last night, I got the tunnel up. But after applying an acl to the 6500, the tunnel went down and stayed down.
>>>>
>>>> Removing configuration just to get the tunnel up again and continue trying to get the interesting traffic through as intended, the tunnel never comes up. The remote device is an ASA 5505, where I haven't touched anything since this failure started.
>>>>
>>>> From what I can get out of all this, looking at logs and crypto statistics, the traffic never gets to the module in slot 8.
>>>>
>>>> show crypto sessions - nothing
>>>> show crypto isakmp sa - nothing
>>>> show crypto ipsec sa - nothing
>>>>
>>>> I can still use packet-tracer on the asa as I could before and the flow is created, but nothing ends up in the 6500 logs. debug crypto isakmp and debug crypto ipsec are both enabled without anything being logged.
>>>>
>>>> Any ideas are most welcome. Guess I have missed something obvious but right now I just can't figure out what it is.
>>>>
>>>> This is the configuration from the 6500.
[c-nsp] Weird L2TP Problem
Hi List,

We've a 7301 running IOS 12.3(4r)T4 acting as an LNS. We've never had any major problems with it but today it stopped terminating sessions. When I enabled terminal monitoring (with no additional debug) I started getting messages like this one:

  %L2TP-3-ILLEGAL: _:_: ERROR: [l2tp_session_get_l2x_cfg::241]
  -traceback- (snip)
  %L2TP-3-ILLEGAL: _:_: ERROR: no config
  -traceback- (snip)

I tried clearing all L2TP tunnels and they immediately came back up with no sessions. Only a reload worked as far as letting subscribers back on normally.

Does anyone have any idea what these errors mean?

Thanks,
Dermot Williams
Imagine Communications Ltd.
Re: [c-nsp] ios upgrade to SXI3
> Cisco doesn't appear to have the engineering resources and/or will-power to move IOS into the 20th Century (pre-emptive multitasking with memory and process containment.) It is more beneficial for them to sell you new products with better versions of IOS.

Tim: That's not really surprising. I'm not even sure it's a great idea to try, really. IOS is what it is, a coop-multitasking self-mem-managing embedded OS that operates under various sets of assumptions about how its world works (e.g. being able to scribble all over itself). There are God knows how many code branches managed by how many groups running on all manner of hardware, and some of that hardware uses multiple processors and dedicated ASICs. I'd argue that at least some of the hardware doesn't even have the resources to be running a pre-emptive virtual-memory OS. Somehow the idea that they are going to ease this into being a modular OS just doesn't fly.

Spend the effort on something useful, like making sense of the code base or quality control.
Re: [c-nsp] Loopback/VLAN question
On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:
> I have 5 remote sites where I'm doing FTTH and transporting the traffic over a third-party transport gear to our HQ. Each site-HQ link is a separate VLAN and uniquely numbered.

Have you considered re-tagging the VLANs on a cheaper device before the 7600 (which I assume you're sparing because of port cost) and re-tagging them to the same VLAN, with some private vlan conf on there to keep VLANs from talking to each other (assuming you want that)? Then the 7600 will just get all sites on one VLAN.

Re-tagging VLANs does take up a few ports on a cheap switch, but it may be cheaper than using up more ports in the 7600 and the 3rd party transport. And I never said it wasn't ugly.

  SiteA   SiteB   SiteC   SiteD   SiteE
    |       |       |       |       |
  VLAN1   VLAN2   VLAN3   VLAN4   VLAN5
    |       |       |       |       |
  =====================================
                    | 802.1q tagged (1 thru 5)
                  2960
                    | - untagged, one per VLAN
             the same 2960
                    |
                  7609-S
                    |
              DHCP server

--
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "tho...@habets.pp.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_. ./_'_;. ./_" };
} me_t;
[c-nsp] NAT-Device with authentication ?
Hello,

are there any (cisco) NAT devices which enable the NAT after the user has done some kind of authentication, which is checked against a radius server or an active directory for example? What I need is like a captive portal connected to a NAT device.

The scenario I try to have is: The user will get his IP address from a private IP range via DHCP after connecting his computer to the network. With this address he should be able to connect to services within his internal network. But to connect to computers outside his network he should authenticate himself.

thanks for hints

greetings,
Andreas
[c-nsp] Egress QoS on FE links with less than 100Mbps speeds
We're doing some Catalyst testing to roll out QoS on our Ethernet network and have come up against a hurdle. On most of our backbone links in a MAN, the actual bandwidth between one C/O to another C/O is not always 100Mbps. There are times when the link is only capable of hitting say 80Mbps (we're a wireless isp) or less. Since we have to use a FE port for this type of connection, do the switches believe that they have 100Mbps of bandwidth to play with when putting packets into the appropriate queues? I'm a bit confused as to how the switches work in this fashion. If I were using CAT5 cables or fiber this would be simple to understand as the bandwidth would be fixed. :)

This is an example of a configuration on a 3550-24 that I'm using:

  interface FastEthernet0/x
   mls qos trust dscp
   wrr-queue bandwidth 40 35 25 1
   wrr-queue cos-map 1 0 1
   wrr-queue cos-map 2 2
   wrr-queue cos-map 3 3 4 6 7
   wrr-queue cos-map 4 5
   priority-queue out
  !

The switches that we use are 2950, 3550, 3750 and 6524s. With MQC and layer 3 QoS, I would know how to fix this by simply using the bandwidth command on the physical interface and basing my output policy-map to use bandwidth percent for each class. Layer 2 QoS doesn't seem to work this way though.

Any help would be appreciated.

Thanks.
Jose
Re: [c-nsp] NAT-Device with authentication ?
Try searching for Document ID: 13890. It is about setting up auth-proxy with nat. If you can't find it I can send you a pdf I had downloaded.

--
Brian Raaen
Network Engineer
bra...@zcorum.com

On Wednesday 16 December 2009, Andreas Mueller wrote:
> Hello,
>
> are there any (cisco) NAT devices which enable the NAT after the user has done some kind of authentication, which is checked against a radius server or an active directory for example? What I need is like a captive portal connected to a NAT device.
>
> The scenario I try to have is: The user will get his IP address from a private IP range via DHCP after connecting his computer to the network. With this address he should be able to connect to services within his internal network. But to connect to computers outside his network he should authenticate himself.
>
> thanks for hints
>
> greetings,
> Andreas
Re: [c-nsp] NAT-Device with authentication ?
did you look at VLAN segregation pre/post authentication with either 802.1x (integrated auth) or VMPS (external auth)?

Dave.

Andreas Mueller wrote:
> Hello,
>
> are there any (cisco) NAT devices which enable the NAT after the user has done some kind of authentication, which is checked against a radius server or an active directory for example? What I need is like a captive portal connected to a NAT device.
>
> The scenario I try to have is: The user will get his IP address from a private IP range via DHCP after connecting his computer to the network. With this address he should be able to connect to services within his internal network. But to connect to computers outside his network he should authenticate himself.
>
> thanks for hints
>
> greetings,
> Andreas
Re: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
Hello,

We had the same issue on couple of links. We solved it with the following command. The number on the end is a percentage of link speed in 1 percent increments. This was done on a 3750G running 12.2(44)SE6, this command might or might not work on other platforms.

  srr-queue bandwidth limit (10-90)

Thank You

Daniel Bielawa
Network Engineer
Liberty University Network Services
Email: dwbiel...@liberty.edu
Phone: 434-592-7987

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Lobo
Sent: Wednesday, December 16, 2009 8:45 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds

We're doing some Catalyst testing to roll out QoS on our Ethernet network and have come up against a hurdle. On most of our backbone links in a MAN, the actual bandwidth between one C/O to another C/O is not always 100Mbps. There are times when the link is only capable of hitting say 80Mbps (we're a wireless isp) or less. Since we have to use a FE port for this type of connection, do the switches believe that they have 100Mbps of bandwidth to play with when putting packets into the appropriate queues? I'm a bit confused as to how the switches work in this fashion. If I were using CAT5 cables or fiber this would be simple to understand as the bandwidth would be fixed. :)

This is an example of a configuration on a 3550-24 that I'm using:

  interface FastEthernet0/x
   mls qos trust dscp
   wrr-queue bandwidth 40 35 25 1
   wrr-queue cos-map 1 0 1
   wrr-queue cos-map 2 2
   wrr-queue cos-map 3 3 4 6 7
   wrr-queue cos-map 4 5
   priority-queue out
  !

The switches that we use are 2950, 3550, 3750 and 6524s. With MQC and layer 3 QoS, I would know how to fix this by simply using the bandwidth command on the physical interface and basing my output policy-map to use bandwidth percent for each class. Layer 2 QoS doesn't seem to work this way though.

Any help would be appreciated.

Thanks.
Jose
[c-nsp] Help !!
Hi folks

I'm new here and searching for help because I have to prepare a good network topology which can establish a connection between 5 offices, but now I don't have any idea about what kind of router and switch I should use.

The scenario is this: main office with 30 pcs, 1 dns server, 1 mail server and db server, and 5 branches with 20 pcs each one, all offices with different isp with a static ip. Will it work? I want to send and receive packets through a vpn tunnel but I'd like to know what is the best equipment (models) including firewall, vpn security, and all features inside.

Please let me know it, any help is welcome.

Thanks in advance and sorry for my ignorance!
[c-nsp] FWSM logging problem
It seems our FWSM doesn't log all denied ACLs. I blocked an IP address on our FWSM and wanted to see whoever on campus is trying to access this address (Botnet CC). I added the following line in the ACL (even raised priority); you can see that the rule triggers when I tried to telnet the address:

  access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 log critical interval 30 (hitcnt=9) 0x6e051e8c

There is however no corresponding syslog message on our syslog server or in the buffered logs on the FWSM. These are our logging settings: already raised queue size, some messages moved to another log level so they don't get sent to our syslog server. ACL log messages are normally of ID 106100 level debugging; I can find several of them on the syslog server but not for the specific ACE.

  logging enable
  logging timestamp
  logging emblem
  logging console debugging
  logging monitor debugging
  logging buffered debugging
  logging trap informational
  logging asdm informational
  logging queue 1024
  logging host DA-rt x.x.x.x
  logging message 305010 level debugging
  logging message 305009 level debugging
  logging message 302015 level debugging
  logging message 302014 level debugging
  logging message 302013 level debugging
  logging message 302016 level debugging
  logging message 302021 level debugging

Anyone has a clue on how to get all syslog messages for the ACEs that have a log part?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
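One way to pin down a gap like this is to correlate the hit counters in "show access-list" with the 106100 messages that actually arrived, keyed on the ACE hash code that the FWSM prints in both places. The script below is an added example for this thread, not the poster's or Cisco's code: the ACL name, the "log critical interval 30" ACE and its hash 0x6e051e8c come from the post, while the other ACEs, the addresses and the syslog lines are constructed.

```python
"""Correlate FWSM `show access-list` hit counts with 106100 syslog messages.

Added example for the FWSM logging thread; not the poster's or Cisco's code.
Only the ACL name, the `log critical interval 30` ACE and its hash 0x6e051e8c
are from the post; every other ACE, address and syslog line is constructed.
"""
import re
from collections import Counter

# Severity names used by `log <level>` on an ACE and by `logging trap <level>`.
# A message is forwarded to the syslog host when its number <= the trap level.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed `show access-list` output; line 24 mirrors the poster's ACE with
# the masked host replaced by a documentation address.
SHOW_ACCESS_LIST = """\
access-list Internet-out line 23 extended permit tcp any host 198.51.100.7 eq 80 log informational interval 300 (hitcnt=42) 0x1a2b3c4d
access-list Internet-out line 24 extended deny ip any host 203.0.113.9 log critical interval 30 (hitcnt=9) 0x6e051e8c
access-list Internet-out line 25 extended deny ip any any (hitcnt=1337) 0x0f0f0f0f
"""

# Constructed syslog feed. 106100 messages end with the hash codes of the ACE
# that produced them, which is what ties them back to the ACL.
SYSLOG_LINES = """\
Dec 16 2009 09:40:01 fwsm %FWSM-6-106100: access-list Internet-out permitted tcp inside/10.1.1.5(51234) -> outside/198.51.100.7(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Dec 16 2009 09:45:02 fwsm %FWSM-6-106100: access-list Internet-out permitted tcp inside/10.1.1.6(51235) -> outside/198.51.100.7(80) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
Dec 16 2009 09:45:10 fwsm %FWSM-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.5/51236 (192.0.2.10/51236)
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<body>.+?)"
    r"(?P<log> log(?: (?P<level>[a-z]+))?(?: interval (?P<interval>\d+))?)?"
    r" \(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)$"
)

SYSLOG_106100_RE = re.compile(
    r"%FWSM-(?P<sev>[0-7])-106100: access-list (?P<acl>\S+) "
    r"(?P<verdict>permitted|denied|est-allowed) .*? hit-cnt (?P<hits>\d+) "
    r".*?\[(?P<hash>0x[0-9a-f]+), 0x[0-9a-f]+\]"
)


def parse_access_list(text):
    """Return one dict per extended ACE found in `show access-list` output."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # remarks, element counts and other non-ACE lines
        has_log = m["log"] is not None
        aces.append({
            "acl": m["acl"],
            "line": int(m["line"]),
            "body": m["body"],
            "logs": has_log,
            # A bare `log` keyword defaults to informational (6) on the FWSM.
            "log_level": (m["level"] or "informational") if has_log else None,
            "hits": int(m["hits"]),
            "hash": m["hash"],
        })
    return aces


def parse_syslog(text):
    """Sum the hit-cnt of every 106100 message, keyed by ACE hash code."""
    logged = Counter()
    for raw in text.splitlines():
        m = SYSLOG_106100_RE.search(raw)
        if m:
            logged[m["hash"]] += int(m["hits"])
    return logged


def would_reach_syslog_host(ace_level, trap_level):
    """True when a 106100 message at ace_level passes `logging trap trap_level`."""
    return SEVERITY[ace_level] <= SEVERITY[trap_level]


def find_unlogged_aces(acl_text, syslog_text, trap_level="informational"):
    """ACEs that carry `log` and have hits but never appear in the syslog feed.

    `filtered_by_trap` says whether the trap level alone explains the gap; when
    it does not, the missing messages point at the firewall rather than at the
    logging configuration.
    """
    logged = parse_syslog(syslog_text)
    missing = []
    for ace in parse_access_list(acl_text):
        if not ace["logs"] or ace["hits"] == 0 or logged.get(ace["hash"]):
            continue
        missing.append({
            **ace,
            "expected_severity": SEVERITY[ace["log_level"]],
            "filtered_by_trap": not would_reach_syslog_host(ace["log_level"], trap_level),
        })
    return missing
```

Run against the constructed data it flags only line 24 (hash 0x6e051e8c, 9 hits, nothing logged) and reports that "logging trap informational" would have forwarded a severity-2 message, so the trap level is not the explanation.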
Re: [c-nsp] Help !!
This sounds like a good candidate for VPN. We personally use the ASA5520 for a concentrator in a similar application providing both LAN to LAN (branch office connectivity) and VPN Client access for mobile end users and their laptops. Depending on the pipe size and forwarding requirements / branch office sizes you could use Pixes in the field or even routers with VPN functionality and use an ASA as the central concentrator. Lots of ways to get from here to there; might be a good time to talk to your Cisco Rep and sales engineer.

----- Original Message -----
From: osmcr...@gmail.com
To: cisco-nsp@puck.nether.net
Sent: Wednesday, December 16, 2009 7:46 AM
Subject: [c-nsp] Help !!

Hi folks

I'm new here and searching for help because I have to prepare a good network topology which can establish a connection between 5 offices, but now I don't have any idea about what kind of router and switch I should use.

The scenario is this: main office with 30 pcs, 1 dns server, 1 mail server and db server, and 5 branches with 20 pcs each one, all offices with different isp with a static ip. Will it work? I want to send and receive packets through a vpn tunnel but I'd like to know what is the best equipment (models) including firewall, vpn security, and all features inside.

Please let me know it, any help is welcome.

Thanks in advance and sorry for my ignorance!
Re: [c-nsp] Help !!
If you need branch to branch communications you might want to consider DMVPN (Dynamic Multipoint VPN).

cf. http://www.cisco.com/en/US/products/ps6658/index.html

-mtw

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Wednesday, December 16, 2009 8:38 AM
To: osmcr...@gmail.com; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Help !!

This sounds like a good candidate for VPN. We personally use the ASA5520 for a concentrator in a similar application providing both LAN to LAN (branch office connectivity) and VPN Client access for mobile end users and their laptops. Depending on the pipe size and forwarding requirements / branch office sizes you could use Pixes in the field or even routers with VPN functionality and use an ASA as the central concentrator. Lots of ways to get from here to there; might be a good time to talk to your Cisco Rep and sales engineer.

----- Original Message -----
From: osmcr...@gmail.com
To: cisco-nsp@puck.nether.net
Sent: Wednesday, December 16, 2009 7:46 AM
Subject: [c-nsp] Help !!

Hi folks

I'm new here and searching for help because I have to prepare a good network topology which can establish a connection between 5 offices, but now I don't have any idea about what kind of router and switch I should use.

The scenario is this: main office with 30 pcs, 1 dns server, 1 mail server and db server, and 5 branches with 20 pcs each one, all offices with different isp with a static ip. Will it work? I want to send and receive packets through a vpn tunnel but I'd like to know what is the best equipment (models) including firewall, vpn security, and all features inside.

Please let me know it, any help is welcome.

Thanks in advance and sorry for my ignorance!
[c-nsp] Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities

Advisory ID: cisco-sa-20091216-webex

http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml

Revision 1.0

For Public Release 2009 December 16 1600 UTC (GMT)

Summary
=======

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user.

The Cisco WebEx WRF Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server. The WRF Player can also be manually installed for offline playback after downloading the application from www.webex.com.

If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server. If the WebEx WRF Player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.

Affected Products
=================

Vulnerable Products
-------------------

The vulnerabilities disclosed in this advisory affect the Cisco WebEx WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are affected. Affected versions of the WRF Player are those prior to the first fixed versions, which are shown in the section Software Versions and Fixes of this advisory.

To check if a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support - Downloads section. The version of the WebEx client build will be displayed on the right-hand side of the page under About Support Center, for example Client build: 27.11.0.3328.

There is no way to check if a manually installed version of the WRF Player is affected by these vulnerabilities. Therefore, Cisco recommends that users upgrade to the most current version of the player that is available from http://www.webex.com/downloadplayer.html.

Products Confirmed Not Vulnerable
---------------------------------

The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF) file format is not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The WebEx meeting service is a hosted multimedia conferencing solution that is managed by and maintained by Cisco WebEx.

The WebEx Recording Format (WRF) is a file format that is used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player is an application that is used to play back and edit WRF files (files with .wrf extensions). The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server (stream playback mode). The WRF Player can also be manually installed after downloading the application from www.webex.com to play back WRF files locally (offline playback mode).

Multiple buffer overflow vulnerabilities exist in the WRF Player. The vulnerabilities may lead to a crash of the WRF Player application, or in some cases, lead to remote code execution.

To exploit a vulnerability, a malicious WRF file would need to be opened by the WRF Player application. An attacker may be able to accomplish this by providing the malicious WRF file directly to users (for example, via e-mail), or by convincing users to visit a malicious website. The vulnerability cannot be triggered by users attending a WebEx meeting.

These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  * CVE-2009-2875
  * CVE-2009-2876
  * CVE-2009-2877
  * CVE-2009-2878
  * CVE-2009-2879
  * CVE-2009-2880

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also
Re: [c-nsp] Help !!
yup our geographic area is relatively short, no more than 400 km around, and all the branches use a static ip address and now they aren't connected. Please tell me more about it, thanks in advance

On Wed, Dec 16, 2009 at 10:19 AM, Richard Golodner rgolod...@infratection.com wrote:
> On Wed, 2009-12-16 at 09:46 -0600, osmcr...@gmail.com wrote:
>> please let me know it, any help is welcome
>
> If you can tell me how your offices are connected it will be a big help in designing a topology. For example Frame-Relay, MPLS, and how far are the offices apart? Different countries or within the same geographic area?
>
> Richard
Re: [c-nsp] FWSM logging problem
What code are you on? These types of items have been going on for a while in various iterations of code. There's been so many it's hard for me to keep them straight LOL! But, if you post your code I'll try and look up my notes.

In the end, you'll have to call TAC and they will tell you to upgrade to xyz. Try to get a bugid and make sure the recommended upgrade fixes your problem. I've had a couple logging issues that had no id and TAC just said upgrade.

As a side note, have you had the issue of traffic blowing by an ACE? :)

tv

----- Original Message -----
From: Holemans Wim wim.holem...@ua.ac.be
To: cisco-nsp@puck.nether.net
Sent: Wednesday, December 16, 2009 9:44 AM
Subject: [c-nsp] FWSM logging problem

It seems our FWSM doesn't log all denied ACLs. I blocked an IP address on our FWSM and wanted to see whoever on campus is trying to access this address (Botnet CC). I added the following line in the ACL (even raised priority); you can see that the rule triggers when I tried to telnet the address:

  access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 log critical interval 30 (hitcnt=9) 0x6e051e8c

There is however no corresponding syslog message on our syslog server or in the buffered logs on the FWSM. These are our logging settings: already raised queue size, some messages moved to another log level so they don't get sent to our syslog server. ACL log messages are normally of ID 106100 level debugging; I can find several of them on the syslog server but not for the specific ACE.

  logging enable
  logging timestamp
  logging emblem
  logging console debugging
  logging monitor debugging
  logging buffered debugging
  logging trap informational
  logging asdm informational
  logging queue 1024
  logging host DA-rt x.x.x.x
  logging message 305010 level debugging
  logging message 305009 level debugging
  logging message 302015 level debugging
  logging message 302014 level debugging
  logging message 302013 level debugging
  logging message 302016 level debugging
  logging message 302021 level debugging

Anyone has a clue on how to get all syslog messages for the ACEs that have a log part?

Wim Holemans
Netwerkdienst Universiteit Antwerpen
Re: [c-nsp] EEM BGP
Well, did a bunch of testing and I am still stuck. So here's the basic idea and config. When the peer is actually shut, I log a message to syslog (info simplified and anonymized to protect innocent).

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"

This works great. Notice action 140. To turn the peer back up, I would like to wait 60 seconds (probably 10 minutes in real world) and look for the "Neighbor 172.16.10.3 shutdown by EEM" in the syslog as this will tell me when I need to start my timer.

event manager applet BGPADJ_NOSHUT
 event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down"
 event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM"
 trigger delay 60
  correlate event bgpevent1 and event bgpevent2
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

This is the part that does not work. For the correlation, I want to either look for event 1 and 2 or just 2. 1 and 2 is really just a self check. The apparent problem is that EEM doesn't look at the messages that it injects into syslog. So, the trigger never happens. And as verification, I tried it with event1 or event2. While watching debug it picks up on event1.

Any ideas? Recommendations?

tv

- Original Message -
From: Clyde Wildes cwil...@progrizon.com
To: 'Tony Varriale' tvarri...@comcast.net; cisco-nsp@puck.nether.net
Sent: Tuesday, December 15, 2009 3:31 PM
Subject: RE: [c-nsp] EEM BGP
Re: [c-nsp] NAT-Device with authentication ?
The cisco ASA proxy authentication would authenticate you prior to being NAT'd; if that fails you are prevented from gaining external access. This can be accomplished for any application you wish. I am sure most if not all enterprise class firewalls have this feature.

Mike

On Wed, Dec 16, 2009 at 9:59 AM, David Freedman david.freed...@uk.clara.net wrote:

> Did you look at VLAN segregation pre/post authentication with either 802.1x (integrated auth) or VMPS (external auth)?
>
> Dave.
>
> Andreas Mueller wrote:
>> Hello,
>>
>> are there any (cisco) NAT devices which enable the NAT after the user has done some kind of authentication, which is checked against a RADIUS server or an Active Directory for example? What I need is like a captive portal connected to a NAT device.
>>
>> The scenario I try to have is: the user will get its IP address from a private IP range via DHCP after connecting his computer to the network. With this address he should be able to connect to services within his internal network. But to connect to computers outside his network he should authenticate himself.
>>
>> thanks for hints
>> greetings,
>> Andreas
Re: [c-nsp] FWSM logging problem
Tony,

> As a side note, have you had the issue of traffic blowing by an ACE? :)

What are you referring to here? I run both the FWSM and ACE module. We have had a plethora of problems with the ACE. The best is it just stops responding and passing traffic and it doesn't failover when that happens.

Nick

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, December 16, 2009 12:31 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM logging problem
Re: [c-nsp] FWSM logging problem
What does the output of 'show logging queue' look like? Are msgs being actively discarded? How large of a queue depth is too large -- 2048, 4096, 8192?

-- Eric Cables

On Wed, Dec 16, 2009 at 10:03 AM, nm...@guesswho.com wrote:

> Tony,
>
>> As a side note, have you had the issue of traffic blowing by an ACE? :)
>
> What are you referring to here? I run both the FWSM and ACE module. We have had a plethora of problems with the ACE. The best is it just stops responding and passing traffic and it doesn't failover when that happens.
>
> Nick
Re: [c-nsp] FWSM logging problem
Sorry...Access Control Entry in an ACL on FWSM.

What code are you running on 6500 and ACE that you are having these issues? I've seen that on the appliances in some early 2.x.

tv

- Original Message -
From: nm...@guesswho.com
To: tvarri...@comcast.net; cisco-nsp@puck.nether.net
Sent: Wednesday, December 16, 2009 12:03 PM
Subject: RE: [c-nsp] FWSM logging problem
Re: [c-nsp] traffic re-route on FW
On Wed, 2009-12-16 at 14:44 +0530, jack daniels wrote:

> Hi,
>
> I have a topology
>
>     MPLS                    INTERNET
>      |                         |
>      |                         |
>     CE1                       CE2
>  (172.16.1.1/30)          (172.16.2.1/30)
>      |                         |
>      |                         |
>      |-172.16.1.2/30 (FIREWALL CHECKPOINT) (172.16.2.2/30)-|
>
> MPLS is my primary link and when it's down I have an IPSEC TUNNEL from CHECKPOINT to remote peer (which is backup). I'm confused how FW will be aware that MPLS SP is down and route traffic to Internet IPSEC TUNNEL. I don't have license for dynamic routing on CHECKPOINT.
>
> Thanks for help
> Jack

The simple answer, since you have a presence at both ends for this application, is to put a cheap router at each end (inside the firewalls) and run a routing protocol to select which of two tunnels is used. One tunnel goes over the MPLS network, the other over your IPSec tunnel. An 1811 or SSG-5 will do the job if you're talking T1 speeds.

See the white paper "Redundant Routes in IPSec VPNs" on my web site at http://www.networkingunlimited.com/white009.html for some ideas. It won't provide a cookbook design for you, but it will walk you through the issues and some of the trade offs that you'll need to make.

Good luck and have fun!

--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
v.jo...@networkingunlimited.com
Re: [c-nsp] FWSM logging problem
On Wed, 16 Dec 2009, Holemans Wim wrote:

> It seems our FWSM doesn't log all denied ACLs. I blocked an IP address on our FWSM and wanted to see whoever on campus is trying to access this address (Botnet CC). I added the following line in the ACL (even raised priority); you can see that the rule triggers when I tried to telnet the address:
>
> access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 log critical interval 30 (hitcnt=9) 0x6e051e8c
>
> There is however no corresponding syslog message on our syslog server or in the buffered logs on the FWSM.

Any chance you'd have "%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit" somewhere? Check on show access-list output:

FWSM(config)# sh access-list | inc flows
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 1)

Here I've configured 1 flow. Once you reach the flow limit, the further logs are suppressed (AFAIK, with the logic being that since the whole idea behind the log is to decrease the amount of logging messages, if we get a lot of hits we are probably already under stress, so would not want to stress further by downgrading the logs to sending them per-packet). If you have a lot of ACEs that are marked with the log keyword, this might be what you see. Decreasing the interval should help to keep the # of logs under max.

> These are our logging settings: already raised queue size, some messages moved to another log level so they don't get sent to our syslog server. ACL log messages are normally of ID 106100 level debugging; I can find several of them on the syslog server but not for the specific ACE.

For the specific ACE, you can remove the log keyword. Bit counter-intuitive as this might seem, it would not stop the logging for the denied sessions - just the messages will be different (firewall-style):

%FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 8, code 0) by access-group foo [0x17a38302, 0x0]

instead of:

%FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) -> inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]

That 106023 will be sent one-message-per-hit. So I think it should precisely fit what you are looking for.

cheers,
andrew
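The three message IDs Andrew mentions are what you actually have to sort through on the syslog server to answer Wim's question (who on campus is talking to the blocked host), and the 106101 line is the tell that the per-ACE 106100 counters can no longer be trusted. The script below is an added example and not part of the thread: it parses constructed FWSM lines of types 106100, 106023 and 106101 (sample text, not real logs; the ACL name and ACE hash merely mirror the shape of Wim's config), sums denied hits per ACE hash, collects the source hosts that were denied towards each destination from both message styles, and reports whether the deny-flow cache limit was hit.

```python
"""Triage FWSM ACL-log syslog (106100 / 106023 / 106101) for one blocked host."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample lines for this example (not taken from the thread). The ACL
# name and the ACE hash 0x6e051e8c mirror the shape of the config in the thread.
SAMPLE_LOG = """\
%FWSM-6-106100: access-list Internet-out denied tcp inside/10.1.2.3(40512) -> outside/192.0.2.10(23) hit-cnt 1 (first hit) [0x6e051e8c, 0x0]
%FWSM-6-106100: access-list Internet-out denied tcp inside/10.1.2.3(40513) -> outside/192.0.2.10(23) hit-cnt 3 (30-second interval) [0x6e051e8c, 0x0]
%FWSM-6-106100: access-list Internet-out permitted tcp inside/10.1.9.9(51000) -> outside/198.51.100.5(443) hit-cnt 1 (first hit) [0x1a2b3c4d, 0x0]
%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit (4096).
%FWSM-4-106023: Deny tcp src inside:10.1.2.4/40600 dst outside:192.0.2.10/23 by access-group "Internet-out" [0x0, 0x0]
%FWSM-4-106023: Deny icmp src inside:10.1.2.5 dst outside:192.0.2.10 (type 8, code 0) by access-group "Internet-out" [0x0, 0x0]
"""

# 106100: per-ACE, rate-limited by the 'log ... interval' keyword; carries hit-cnt and the ACE hash.
RE_106100 = re.compile(
    r"%FWSM-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)(?:\(\d+\))? -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)(?:\(\d+\))? hit-cnt (?P<cnt>\d+)"
    r".*\[(?P<hash>0x[0-9a-fA-F]+), 0x[0-9a-fA-F]+\]")
# 106023: one message per denied packet, emitted when the ACE has no 'log' keyword.
RE_106023 = re.compile(
    r"%FWSM-\d-106023: Deny (?P<proto>\S+) src (?P<src_if>[^:\s]+):(?P<src>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+).*?by access-group \"?(?P<acl>[^\"\s]+)\"?")
# 106101: the deny-flow cache is full; further 106100 messages are being suppressed.
RE_106101 = re.compile(
    r"%FWSM-\d-106101: Number of cached deny-flows for ACL log has reached limit \((?P<limit>\d+)\)")


@dataclass
class Report:
    ace_hits: Dict[str, int] = field(default_factory=dict)      # ACE hash -> summed hit-cnt (denied 106100 only)
    sources: Dict[str, Set[str]] = field(default_factory=dict)  # dst host -> src hosts denied towards it
    deny_flow_limit: Optional[int] = None                       # set when a 106101 was seen
    unparsed: List[str] = field(default_factory=list)           # lines none of the three patterns matched


def _add_source(report: Report, dst: str, src: str) -> None:
    report.sources.setdefault(dst, set()).add(src)


def triage(log_text: str) -> Report:
    """Walk the log once and build a Report from the three ACL-related message types."""
    report = Report()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RE_106100.search(line)
        if m:
            if m["action"] == "denied":
                report.ace_hits[m["hash"]] = report.ace_hits.get(m["hash"], 0) + int(m["cnt"])
                _add_source(report, m["dst"], m["src"])
            continue
        m = RE_106023.search(line)
        if m:
            # strip the /port suffix that 106023 appends for tcp/udp
            _add_source(report, m["dst"].split("/")[0], m["src"].split("/")[0])
            continue
        m = RE_106101.search(line)
        if m:
            report.deny_flow_limit = int(m["limit"])
            continue
        report.unparsed.append(line)
    return report


def sources_for(report: Report, host: str) -> List[str]:
    """Sorted list of hosts that were denied towards `host` (the blocked C&C address)."""
    return sorted(report.sources.get(host, set()))


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("hits per ACE:", r.ace_hits)
    print("talking to 192.0.2.10:", sources_for(r, "192.0.2.10"))
    if r.deny_flow_limit is not None:
        print(f"deny-flow cache full ({r.deny_flow_limit}); 106100 counts are incomplete,"
              " check 'show access-list | inc flows' and lower the interval or drop 'log'")
```

If `deny_flow_limit` is set, treat the 106100 totals as a lower bound only; the 106023 lines, which are not subject to the cache, are the reliable per-packet record for an ACE that has had its `log` keyword removed.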
Re: [c-nsp] FWSM logging problem
Oops..sorry for the confusion. We are working with TAC and the BU directly with this. They are aware of the issue and acknowledge that it is happening across all code releases A2(1.x/2.x/3.x). Unfortunately when this happens you can't even run any diag commands. I have a plugin from TAC that dumps to the Linux shell of the blade but it looks like whatever process that runs away is dynamic and they don't know what it is yet. They acknowledge we are not the only customer.

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, December 16, 2009 1:34 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] FWSM logging problem

> Sorry...Access Control Entry in an ACL on FWSM.
>
> What code are you running on 6500 and ACE that you are having these issues? I've seen that on the appliances in some early 2.x.
>
> tv
Re: [c-nsp] FWSM logging problem
- Original Message -
From: Andrew Yourtchenko ayour...@cisco.com
To: Tony Varriale tvarri...@comcast.net
Cc: cisco-nsp@puck.nether.net
Sent: Wednesday, December 16, 2009 12:54 PM
Subject: Re: [c-nsp] FWSM logging problem

> That's indeed the proper thing to do. And please, after making sure - also let the case owner know that it did fix the problem - it's a step sometimes overseen :-)

Yup sure is. :(

> shoot me the case#s unicast, if you still have them. The one I found in a quick search did mention the bug ids along with the pretty detailed explanations for each, but maybe there were some others where there was less info, that I could not find...

I haven't fielded one of these in a little while. Last one was earlier this year. I'll have to look.

> http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ?
>
> There could be some other scenarios where by tweaking the object group one gets the ACL exploded so much that it does not fit into the network processors anymore - then the previously compiled version is being used - but generally you get a pretty prominent warning about that.

Nope...NP was fine. How we found it was the ACE not getting hits. So, we then added an ACE next below the one that was getting passed over and it would get hit. Obviously this actually added to the size :)

> thanks,
> andrew

No problem. :)

tv
Re: [c-nsp] Weird L2TP Problem
> We've a 7301 running IOS 12.3(4r)T4 acting as an LNS. We've never had any major problems with it but today it stopped terminating sessions. When I enabled terminal monitoring (with no additional debug) I started getting messages like this one:
>
> %L2TP-3-ILLEGAL: _:_: ERROR: [l2tp_session_get_l2x_cfg::241] -traceback- (snip)
> %L2TP-3-ILLEGAL: _:_: ERROR: no config -traceback- (snip)

you might have hit CSCsi90461, fixed in 12.4(11)T4 and 12.4(15)T1 (among others).

oli
[c-nsp] Cisco IPS vs TippingPoint
Hi All,

I would like to know how the TippingPoint IPS platform compares with the Cisco IPS in terms of functionality and effectiveness. My experience is with the Cisco offering, but I have read some very good reviews about TippingPoint IPS and wanted to read your experience with it.

Thanks.
Felix
Re: [c-nsp] Cisco IPS vs TippingPoint
Anything is better than the Cisco IPS in our testing. The TippingPoint is quite good as is the Juniper IDP (75, 250, 800, 8200 etc). I've used the TippingPoint and it was quite good and the reporting functionality was superior. If you're interested in this space also check out Juniper, ISS, Sourcefire, and don't shoot me but McAfee. In terms of actual threat detection the vendors all did fairly well with the exception of Cisco. The units we tested as well as other 3rd party tests you can find by googling show Cisco falls short by about 40% in terms of threats detected. Get yourself some hands on demos of all these products if this is an area you're seriously interested in.

HTH
Scott

- Original Message -
From: Felix Nkansah felixnkan...@gmail.com
To: cisco-nsp@puck.nether.net
Sent: Wednesday, December 16, 2009 11:31 AM
Subject: [c-nsp] Cisco IPS vs TippingPoint
Re: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
On Wed, 2009-12-16 at 08:45 -0500, Lobo wrote:
[...]
> There are times when the link is only capable of hitting say 80Mbps (we're a wireless isp) or less. Since we have to use a FE port for this type of connection, do the switches believe that they have 100Mbps of bandwidth to play with when putting packets into the appropriate queues?

The interface will take packets from the output queue and send them as fast as it can, so as long as there are packets to be sent they will be sent at 100 mbps.

> I'm a bit confused as to how the switches work in this fashion. If I were using CAT5 cables or fiber this would be simple to understand as the bandwidth would be fixed. :)

The interesting things happen in the box that converts from 100 mbps to something less, i.e. the wireless bridge. Why is it sometimes less than 100 mbps? Is it simple loss because of varying signal quality? Does the wireless bridge compensate for this loss by retransmitting at layer 1, meaning a little RTT variance and some lost bandwidth? Or does it just drop and let the overlying protocols handle this? (In short: how do you measure it? TCP throughput is not a reliable measurement.)

About the switch: The WRR you configure (on a 3550) is Weighted Round Robin; it doesn't define anything relating to how much bandwidth there actually is, it just defines how many packets from each queue to serve to the interface tx ring in each turn. The important bit though is IMHO that you use the priority queueing. This means that queue 4 (CoS 5) will _always_ be sent first. This should minimise loss when traffic crosses the wireless bridge.

> The switches that we use are 2950, 3550, 3750 and 6524s. With MQC and layer 3 QoS, I would know how to fix this by simply using the bandwidth command on the physical interface and basing my output policy-map to use bandwidth percent for each class. Layer 2 QoS doesn't seem to work this way though.

On the 3750 you can use what Daniel mentioned: srr-queue bandwidth limit. AFAIK this just uses a time divisioning on the interface and throws away unused timeslots. Bear in mind that if the wireless bridge has a very shallow queue this might not work very well. This command isn't available on the 2950 or 3550. And even though a few (10GE) ports on the 6500/7600 platform support SRR, you can't cap the interface as such like this.

--
Peter
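Peter's description of WRR plus a strict priority queue is easy to get wrong in the head, so here is an added example (not from the thread) that simulates it over a static snapshot of the egress queues: the priority queue is drained completely before each WRR turn, and a WRR turn hands `weight` packets from each remaining queue to the tx ring. The second function is a deliberately crude model of the "shallow queue on the wireless bridge" caveat: of every burst of `burst` packets arriving at 100 Mbps, the bridge can carry only `carried` and tail-drops the rest, so whatever the switch put at the front of the burst survives. Queue contents, weights and the burst/carried numbers are constructed for illustration.

```python
"""Simulate strict-priority + WRR egress scheduling and downstream tail drop."""
from collections import deque
from typing import Dict, List

# Constructed snapshot: queue number -> packets waiting (labels only).
# v* = CoS 5 voice in queue 4, d* = bulk data in queue 1, b* = business traffic in queue 2.
SAMPLE_QUEUES: Dict[int, List[str]] = {
    1: ["d1", "d2", "d3", "d4"],
    2: ["b1", "b2"],
    4: ["v1", "v2"],
}
# WRR weights: packets served from each queue per turn (queue 4 weight is ignored
# when it is the priority queue; it is drained unconditionally).
WEIGHTS: Dict[int, int] = {1: 2, 2: 1, 4: 1}


def schedule(queues: Dict[int, List[str]], weights: Dict[int, int],
             priority_queue: int = 4) -> List[str]:
    """Return the order in which packets are handed to the tx ring.

    Strict priority: the priority queue is emptied before every WRR turn.
    WRR: each other queue, in ascending order, gets up to `weight` packets per turn.
    Queues with no weight are never served and are left behind (starved).
    """
    qs = {q: deque(p) for q, p in queues.items()}   # copy so the caller's lists survive
    order: List[str] = []
    wrr_queues = sorted(q for q in weights if q != priority_queue)
    while any(qs.values()):
        while qs.get(priority_queue):                 # drain CoS 5 first, every time
            order.append(qs[priority_queue].popleft())
        served = 0
        for q in wrr_queues:                          # one WRR turn
            for _ in range(weights[q]):
                if qs.get(q):
                    order.append(qs[q].popleft())
                    served += 1
        if served == 0 and not qs.get(priority_queue):
            break                                     # only unweighted queues remain
    return order


def bridge_tail_drop(order: List[str], burst: int, carried: int) -> List[str]:
    """Crude model of a slower link with a shallow buffer behind the FE port.

    Each `burst` consecutive packets leave the switch at line rate; the bridge
    can forward only `carried` of them and tail-drops the remainder.
    """
    kept: List[str] = []
    for i in range(0, len(order), burst):
        kept.extend(order[i:i + burst][:carried])
    return kept


if __name__ == "__main__":
    tx = schedule(SAMPLE_QUEUES, WEIGHTS)
    print("tx order:", tx)
    print("survives an 80%-capacity bridge:", bridge_tail_drop(tx, burst=4, carried=3))
```

In the sample, both voice packets sit at the head of the first burst and survive the bridge, which is the effect Peter is after; the packets that get dropped are the tail of each WRR turn, because nothing on the switch knows the bridge is slower than the port.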
Re: [c-nsp] Cisco IPS vs TippingPoint
Felix,

I'd take a look at the recent info from NSS Labs and some of the responses from TP if you're looking at evaluating them.

http://www.networkworld.com/news/2009/120709-ips-tests.html
http://nsslabs.blogspot.com/2009/12/tippingpoint-tests.html
http://tippingpointblog.com/2009/12/04/update-on-tippingpoint-third-party-product-testing/

Scott

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Felix Nkansah
Sent: Wednesday, December 16, 2009 2:32 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Cisco IPS vs TippingPoint
Re: [c-nsp] EEM BGP
Tony,

Why do you want to look for the Syslog event? It would happen anyway inside your original script, right? Maybe try something like this:

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600 maxrun 700
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 135 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
 action 140 cli command "do ping 1.1.1.1 repeat 1 timeout 600"
 action 150 cli command "no neighbor 172.16.10.3 shutdown"
 action 155 syslog msg "Neighbor 172.16.10.3 no shutdown by EEM"

(we assume that 1.1.1.1 is not pingable. You can route it to null0 if you like)

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, December 16, 2009 19:38
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] EEM BGP
[c-nsp] 7600 SIP-600 w/ SPA-10GE
Does anyone have any experience with the SIP-600 for the 7600/6500 Platform?

The PFC-3CXL/3BXL does not provide TCP flags in netflow data. We are interested in potentially using the SIP-600 with a 10GE SPA to work around the limitation of the PFCs on the non-NPU blade we currently use.

Does anyone have any experience with this?

LR Mack McBride
Network Architect
ViaWest, Inc

*** Disclaimer: The above message is strictly my own opinion and does not reflect opinions or policies of my employer.
Re: [c-nsp] EEM BGP
Tony,

Yes EEM does not screen on the syslog messages that it emits. When we built the EEM syslog Event Detector the test team insisted that we implement it this way to prevent recursion. ;-)

You can always use an application specific event to trigger policy B from policy A. You could use a trigger statement to delay the running of policy B if desired. Use the following:

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
 action 150 publish-event sub-system 798 type 100 arg1 "shutdown"

event manager applet BGPADJ_NOSHUT
 event tag bgpevent2 application sub-system 798 type 100
 trigger delay 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

Thanks,
Clyde
Progrizon, Inc.
www.progrizon.com

-Original Message-
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, December 16, 2009 9:38 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] EEM BGP

Well, did a bunch of testing and I am still stuck. So here's the basic idea and config.

When the peer is actually shut, I log a message to syslog (info simplified and anonymized to protect innocent).

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"

This works great. Notice action 140.

To turn the peer back up, I would like to wait 60 seconds (probably 10 minutes in real world) and look for the "Neighbor 172.16.10.3 shutdown by EEM" in the syslog as this will tell me when I need to start my timer.

event manager applet BGPADJ_NOSHUT
 event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down"
 event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM"
 trigger delay 600
  correlate event bgpevent1 and event bgpevent2
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

This is the part that does not work. For the correlation, I want to either look for event 1 and 2 or just 2. 1 and 2 is really just a self check.

The apparent problem is that EEM doesn't look at the messages that it injects into syslog. So, the trigger never happens.

And as verification, I tried it with event1 or event2. While watching debug it picks up on event1.

Any ideas? Recommendations?

tv

- Original Message -
From: Clyde Wildes cwil...@progrizon.com
To: 'Tony Varriale' tvarri...@comcast.net; cisco-nsp@puck.nether.net
Sent: Tuesday, December 15, 2009 3:31 PM
Subject: RE: [c-nsp] EEM BGP
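As an added illustration (not code from this thread, from Cisco, or from EEM itself), a small Python model of the two-applet design Clyde describes: a syslog detector that counts "occurs 2 ... period 600" matches in a sliding window, ignores lines that EEM itself emitted (the recursion guard that defeats Tony's second pattern), and has policy A arm policy B through the application event with a 600-second delay. The syslog lines and timestamps are constructed; the neighbor address, sub-system 798 and type 100 are taken from the thread.

```python
import re
from collections import deque

# Constructed sample syslog (timestamps in seconds): the peer drops twice
# 90 s apart, which is inside the applet's 600 s 'period' window.
SAMPLE_SYSLOG = [
    (0, "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down BGP Notification sent"),
    (30, "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Up"),
    (90, "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down BGP Notification sent"),
]
PATTERN = r"%BGP-5-ADJCHANGE: neighbor 172\.16\.10\.3 Down"

class SyslogDetector:
    """'event syslog occurs N pattern P period S': fire on N matches within S s."""
    def __init__(self, pattern, occurs, period):
        self.pattern, self.occurs, self.period = re.compile(pattern), occurs, period
        self.hits = deque()

    def feed(self, ts, msg, from_eem=False):
        # EEM does not screen the syslog messages it emits itself (no recursion),
        # which is why a pattern on "shutdown by EEM" never triggers.
        if from_eem or not self.pattern.search(msg):
            return False
        self.hits.append(ts)
        while ts - self.hits[0] > self.period:   # drop hits outside the window
            self.hits.popleft()
        if len(self.hits) >= self.occurs:
            self.hits.clear()
            return True
        return False

def run(syslog, end_ts=1000):
    """Replay syslog through BGPADJ_SHUT and BGPADJ_NOSHUT; return (ts, cli) actions."""
    det = SyslogDetector(PATTERN, occurs=2, period=600)
    actions, noshut_at = [], None

    def flush(now):   # policy B: armed by the application event, 'trigger delay 600'
        nonlocal noshut_at
        if noshut_at is not None and now >= noshut_at:
            actions.append((noshut_at, "no neighbor 172.16.10.3 shutdown"))
            noshut_at = None

    for ts, msg in sorted(syslog):
        flush(ts)
        if det.feed(ts, msg):                          # policy A fires
            actions.append((ts, "neighbor 172.16.10.3 shutdown"))
            det.feed(ts, "Neighbor 172.16.10.3 shutdown by EEM", from_eem=True)
            noshut_at = ts + 600   # publish-event sub-system 798 type 100 -> policy B
    flush(end_ts)
    return actions
```

Running `run(SAMPLE_SYSLOG)` yields the shutdown at t=90 and the no-shutdown at t=690; two Down messages more than 600 s apart produce no action at all.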
Re: [c-nsp] IPv6 nd ra suppress broken on SXI3?
Grzegorz Janoszka grzeg...@janoszka.pl wrote:

We recently upgraded one of our routers to 12.2(33)SXI3 (from SXF). Soon after the upgrade one of our customers complained that he started to see RA messages. From the beginning on his interface we have ipv6 nd ra suppress, I added ipv6 nd ra mtu suppress, but the customer says he still sees that. Has anyone seen broken ra suppression on SXI3?

I can confirm that for pretty much the whole SXI* series, IIRC even in SXH*. It seems to disable sending of unsolicited RAs, but it still answers to router solicitations.

Bernhard
Re: [c-nsp] FWSM logging problem
On Wed, 16 Dec 2009, Tony Varriale wrote:

gets the ACL exploded so much that it does not fit into the network processors anymore - then the previously compiled version is being used - but generally you get a pretty prominent warning about that.

Nope...NP was fine. How we found it was the ACE not getting hits. So, we then added an ACE next below the one that was getting passed over and it would get hit. Obviously this actually added to the size :)

No, if you'd hit the size limitation you'd see a prominent warning. So got to be something different. If you get this to happen again, that'd be a case indeed. (And if it's something new that's something that we would need to replicate here in the lab, so the more context details you have around it, that might help this effort - the better).

kind regards,
andrew
Re: [c-nsp] NAT-Device with authentication ?
are there any (cisco)-NAT-devices which enable the NAT after the user has done some kind of authentication - which is checked against a radius-server or an active directory for example ?

You're probably looking for the IOS auth-proxy feature. A configuration example is here:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml

It works well - there is a limit on how big your HTML file can be - I've gotten around this where a customer wanted to display a large terms and condition page by putting those in an IFRAME and serving it from an external web server. You can also specify hosts that can be reached without authentication by tweaking the access list.

HTH.

B.