USB-Serial adaptor on Mac OS X

I have a USB-Serial adaptor (prolific pl2303 chip) and MBP Mac OS 10.11.4 for connecting to console of switches, routers and firewalls via screen. Since somewhere between Mac OS 10.11.2 and 10.11.3, the setup is broken as screen will hang if I exit the screen session and then try to reconnect to the device via USB-Serial adaptor. I did upgrade to the latest firmware from prolific page for Mac but did not help…So I started posting for help on Internet forums…

janm on Stack Exchange really helped. Here is the workarounds: use cu instead of screen on Mac for the task. The catch though is by default cu needs to be run with sudo. So,

  1. Type in the password everytime you try to connect to console.
  2. Use one of the followings to get rid of the password prompts:

OPTION 1: Create cu configuration file like “/Users/test/cu.conf” with content below and also create the lock folder accordingly. Run the cu command as “cu -I /Users/test/cu.conf -l /dev/cu.usbserial -s 9600 –nostop

lockdir /Users/test/cu_lockdir

OPTION 2(HIGHLY NOT Recommended): Run “sudo visudo” and uncomment the line below and save and exit.

 %wheel ALL=(ALL) NOPASSWD: ALL

BTW, I also opened a bug report with Apple and provided necessary debug but have not heard back yet…I think the screen compiled with Mac OS X changed on handling port open/close.

IPSec tunnel with Policy-Based NAT on Fortigate

First, here is the highlevel diagram

Drawing1

The requirements are:

1. Establish IPSec VPN Tunnel between Fortigate and Cisco ASA

2. Translate the Source IP address to 10.153.153.0/24 when 10.100.100.0/24 connect to 172.24.200.0/24 via the IPSec tunnel.

3. Do not translate 172.24.200.0/24 when connect to 10.153.153.0/24 via IPSec tunnel.

With end using ASA, this is just a standard IPSec tunnel setup. Even replace the Fortigate with an ASA, the configuration is fairly straight forward. But with Fortigate, it is a little bit tricky, at least at the very beginning. Because there is no GUI configuration option in my FortiOS 5.2 to create such tunnel. So I have to start from CLI.

Here below are the configuration put onto the Fortigate.

config firewall address
edit "LocalSubnet-RealIP-1"
set associated-interface "LAN"
set subnet 10.100.100.1 255.255.255.0
next
edit "LocalSubnet-RealIP-2"
set associated-interface "LAN"
set subnet 10.100.100.2 255.255.255.0
next
edit "RemoteSubnet"
set subnet 172.24.200.0 255.255.255.0
next
end

config vpn ipsec phase1
edit "Tunnel4Test"
set interface "WAN"
set nattraversal disable
set proposal aes128-sha1 3des-sha1
set dhgrp 5 2
set remote-gw 204.204.204.18
set psksecret ENC YHbmejTH3Doryywk/KkQZ+qWXBEOP1RScs+ewjBmhzXcTguEdmuKsW8g==
next
end

config vpn ipsec phase2
edit "Tunnel4TestP2"
set phase1name "Tunnel4Test"
set use-natip disable
set proposal aes128-sha1
set pfs disable
set keepalive enable
set auto-negotiate enable
set src-addr-type ip
set dst-addr-type ip
set src-subnet 10.153.153.0 255.255.255.0
set dst-subnet 172.24.200.0 255.255.255.0
next
end

config firewall policy
edit 1
set srcintf "LAN"
set dstintf "WAN"
set srcaddr "LocalSubnet-RealIP-1"
set dstaddr "RemoteSubnet"
set action ipsec
set schedule "always"
set service "ALL"
set utm-status enable
set natip 10.153.153.1 255.255.255.255
set av-profile "Default"
set webfilter-profile "Default"
set ips-sensor "Default"
set application-list "Default"
set profile-protocol-options "default"
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "Tunnel4Test"
next
edit 2
set srcintf "LAN"
set dstintf "WAN"
set srcaddr "LocalSubnet-RealIP-2"
set dstaddr "RemoteSubnet"
set action ipsec
set schedule "always"
set service "ALL"
set utm-status enable
set natip 10.153.153.2 255.255.255.255
set av-profile "Default"
set webfilter-profile "Default"
set ips-sensor "Default"
set application-list "Default"
set profile-protocol-options "default"
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "Tunnel4Test"
next
end

 
Once the initial configuration is done on Fortigate, you can then modify the settings from GUI.

Did I configure the QoS Policy Wrong!!??

“The short answer is maybe”. This was what I gave to one of the customers when he asked me.

The story was he has Cisco 2960-S switches and configure policy-maps for prioritize the Voice Traffic. But when he run “show policy-map interface” on any of his switch, he got no matches…

There is indeed an known bug for the 2960 switch but somehow Cisco only identifies it for IOS 12 while my customer is using IOS 15… Being lazy??…

Anyhow, “show mls qos interface statistics” does show the matches.

Traffic Capture on IOS router

Ever run into scenario that you need to capture the traffic on production network but you can not do SPAN or put the capture device inline to network without bring down network briefly? The answer is capture on the IOS router directly.

First, Create a monitor buffer on router:

Router# monitor capture buffer MYCAPBUFFER Circular

Then create a capture point on router:

Router# monitor capture point ip cef MYCAP serial 1/0 both

Then, Associate the buffer and capture point

Router# monitor capture point associate MYCAP MYCAPBUFFER

Now, Turn on the capture point

Router# monitor capture point start MYCAP

The following message should show up on the console of router.

*May 2 16:25:46.727: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

Then try to generate some traffic on network, or simply just use ping. 

Once you think enough traffic has been generated and captured, stop the traffic capture

Router# monitor capture point stop MYCAP

You can view the status of capture, it should show “inactive”.

Router# show monitor capture buffer all parameters

You can also view the traffic dump on router but not much making sense to me though…

Router# show monitor capture buffer MYCAPBUFFER dump

Router# show monitor capture buffer MYCAPBUFFER

I prefer to Export the dump/capture into a proper capture file for further analysis

Router# monitor capture buffer MYCAPBUFFER export ?

bootflash: Location to dump buffer

disk0:     Location to dump buffer

disk1:     Location to dump buffer

flash:     Location to dump buffer

ftp:       Location to dump buffer

http:       Location to dump buffer

https:     Location to dump buffer

pram:       Location to dump buffer

rcp:       Location to dump buffer

scp:       Location to dump buffer

slot0:     Location to dump buffer

slot1:     Location to dump buffer

tftp:       Location to dump buffer

Remote Access vCloud Director VM Console

Not sure if VMware did not do the documentation properly OR I did not read it properly. It took me over 2-day to figure out how to setup vCloud Director to provide VM console access of VM to authorized user on Internet. The highlevel diagram is attached below. This might not be the best setup but works and makes sense to me.
Image
The configuration on Firewall (I use ASA):
  1. Configure Static NAT for 172.16.8.10 to 1.2.3.4. So user on Internet can access 1.2.3.4 to login to vCloud Director portal
  2. Configure identity NAT between External and LAN interfaces: for any traffic, which arrives on External interface of firewall, destines for 1.2.3.5, firewall will translate the source address to 1.1.1.1 and destination address to 172.16.9.10
The configuration on vCloud Director (I use centOS with 2 NICs and default gateway 172.16.8.1):
  1. Set the external proxy IP to 1.2.3.5 in the vCloud Director management portal
  2. Add static route in centOS: Send traffic to 172.16.9.2 if the destination address is 1.1.1.1

Recovery Cisco router/switch login password

There might be tons of same topic on Inter-Web, especially on Cisco website, but I still decide to post it, at least I can archive in case I lost computer or notebook…

Cisco Router/Switch Password Recovery:

1. Apply break during the device booting sequence: Mostly the “Ctrl + Break” will work. I use putty 99% of time and putty needs to be configure/accessed via clicking the left mouse button on the icon in the top left corner of PuTTY’s terminal window to see the special command “break”.

2. Set configure register: rommon 1> confreg 0x2142

3. Reset the device: rommon 2> reset

4. Type no after each setup question, or press Ctrl-C in order to skip the initial setup procedure.

5. Type configure memory OR copy start run

6. Change password(s) when device boots up completely

7. Restore the config register: hostname(config)#config-register 0x2102 <– REMEMBER TO DO IT

8. Type write memory or copy running-config startup-config in order to commit the changes.

9. Reload device.

NOTE, all interfaces are shutdown when doing password recovery. So manual “no shut” is needed for each interface.

For recovering password for Cisco ASA, check here.

See Also: Cisco Reference

Processor Load Troubleshooting Tips

Apply to IOS Cisco gears ONLY:

Router#show processes cpu | exclude 0.00%__0.00%__0.00%

Router#show processes cpu | include CPU|IP Input

Router#show processes cpu history

Router#show processes | include ARP Input <- ARP messages orginated from router itself. There will be a lot of the ARP message sent out if router has to keep asking for Mac address of the next hop.

Router#show processes | include Net Background <- process used to create packet buffer when hardware buffer is full. If also the interfaces also loaded, it could also have this process loaded.

Router#show processes | include IP Background <- handle the configuration change for interface. Maybe a bad interface flapping up and down could cause issue.

Router#show processes | include TCP Timer <- handle the TCP session terminated on router itself. A lot of ssh/telnet/https sessions to router for management could increase the processor load.

•Check the default route setting on router. It is better to set default route to an address instead of the broadcast interface, like the fast ethernet interface, to avoid keep generating ARP Messages.
•Check the interface throttles, overruns, ignores in “show interface” command, which could increase the load.
•Run “Router#show tcp statitics” to see the statistics of connections.
•Run “Router#show tcp brief” to see sessions to router/switch as management connection.
•Hacker could generate thousands of connections to DoS of router. So put some access-list on VTY to protect remote management.

If you find the above looks familiar, study the CCNP yourself, you might write some fancier ones 🙂

Memory Load issue on Cisco gear

Cisco gear possible memory Load issue:
•Pay attention to log message, like ‘%SYS-2-MALLOCFAIL: …’ on Cisco device, run to the device to reboot it. The memory is leaking bad!! I found this: ‘%SYS-3-INVMEMINT: Invalid memory action (free) at interrupt level’ on Cisco 1920 router with IOS 15.1(4)M3 and Cisco openned a bug (#CSCtx59639). But not sure when there can be a fix…
•If “show” commands show nothing but blank screen, there is something wrong with memory on device.
•From serial console: “Unable to create Exec – No Memory OR Too many Processes”, that means something is wrong related memory.
•If wrong IOS image loaded, could be because of not enough memory.
•If bug in IOS image, there could be memory leak.
•Worn or Virus focus on IOS
•BGP could also load memory

If you find the above looks familiar, study the CCNP yourself, you might write some fancier ones 🙂