Feb 25 2010 4:30PM GMT
Posted by: Jason Tramer
Tags: radio, Cisco, Wireless, bridge, interface, reset, disabled, root, non-root
This gave me some issues the other day. I was setting up two Cisco 1411 wireless bridges to connect to each other for the first time. One was the root bridge, the other was set as a non-root bridge.
After I set them up I was checking the web interface of the non-root bridge and the Radio interface was showing as disabled. I tried to re-enable it, but it wouldn’t come online. Logs showed the interface was reset.
After a little research I found out this is actually normal. At the time the bridges were not pointed at each other, and if the non-root bridge cannot detect the root it disables its own radio interface. As soon as I pointed them at each other the interface came back online.
Feb 12 2010 2:56PM GMT
Posted by: Jason Tramer
Tags: router, Cisco, DHCP, server, client, pool, DNS
I had a weird issue yesterday. I had a Cisco 1800 series router that was configured to hand out DHCP and up until a few days ago everything worked fine with it. Then suddenly out of the blue it still handed out DHCP but did not hand out the DNS-Server option even though it was configured.
I tried removing and re-adding that option and even rebooting the router but that didn’t resolve the issue. In the end I blew away the entire DHCP pool and re-created it and that resolved the issue.
Strange though.
Dec 16 2009 2:17PM GMT
Posted by: Jason Tramer
Tags: Cisco, ASA, secondary, IP, address, interface, static, arp, route
Unlike a Cisco router, where the secondary keyword on the ip address command adds a second address to an interface, the Cisco ASA does not support secondary addresses. Here is a workaround, however.
1. First find out the mac address of the ethernet interface you will be using:
sh interface Ethernet0/1
This should show you the MAC address of the network interface.
2. Force this MAC address onto whichever VLAN interface you are using:
interface Vlan1
mac-address 0019.0726.xxxx
nameif inside
3. Now define a static ARP entry for the IP you want to use as the secondary address. Use the same MAC address as the one from above; the alias keyword makes the ASA proxy-ARP for that IP:
arp inside 192.168.1.1 0019.0726.xxxx alias
You can verify this is working using the show arp command, which should return the IP and MAC address, like this:
sh arp
inside 192.168.1.1 0019.0726.xxxx alias
4. At this point any host on that interface can use the secondary IP as its default gateway. You also need to make sure return packets get back to those hosts, which means adding a static route for the secondary network on the inside interface, pointing at the primary IP of the interface (192.168.0.1 in this example, with 192.168.1.1 being the secondary address added above):
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
5. We also need to allow traffic to enter and leave the same interface (hairpinning), which is what happens when a host uses the secondary address as its gateway to reach the primary subnet, and between interfaces at the same security level:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
You should also check that your access lists allow the traffic to and from the newly added network; the same-security-traffic commands only permit the hairpinned path, they do not bypass the ACLs.
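Added example, not from the post: a small Python check that reads an ASA configuration (a constructed sample with made-up addresses and MAC is embedded) and verifies that the pieces of this workaround agree with each other: the VLAN interface's mac-address, the static arp alias entry, the return route's next hop and the intra-interface permit. It goes a little beyond the post by accepting any route that covers the secondary address rather than one fixed subnet.

```python
import ipaddress
import re

# Constructed sample of the workaround from the post; the MAC and addresses are made-up example values.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
 mac-address 0019.0726.abcd
!
same-security-traffic permit intra-interface
arp inside 192.168.1.1 0019.0726.abcd alias
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
"""

def _interface_block(config, nameif):
    """Return the indented lines of the interface block that carries 'nameif <nameif>'."""
    for body in re.findall(r"^interface \S+\n((?: .*\n)*)", config, re.M):
        lines = [l.strip() for l in body.splitlines()]
        if f"nameif {nameif}" in lines:
            return lines
    return []

def audit_secondary_ip(config, nameif, secondary_ip):
    """Return a list of findings; an empty list means the workaround is wired up consistently."""
    block = _interface_block(config, nameif)
    mac = next((l.split()[1] for l in block if l.startswith("mac-address ")), None)
    ip_line = next((l.split() for l in block if l.startswith("ip address ")), None)
    if mac is None or ip_line is None:
        return [f"interface {nameif}: missing mac-address or ip address"]
    primary_ip, findings = ip_line[2], []
    # The static ARP entry must carry the interface MAC and the alias keyword (proxy ARP).
    arp = re.search(rf"^arp {nameif} {re.escape(secondary_ip)} (\S+)( alias)?\s*$", config, re.M)
    if arp is None:
        findings.append(f"no static arp entry for {secondary_ip} on {nameif}")
    elif arp.group(1).lower() != mac.lower():
        findings.append(f"arp MAC {arp.group(1)} differs from interface MAC {mac}")
    elif arp.group(2) is None:
        findings.append("arp entry lacks 'alias', so the ASA will not proxy-ARP for it")
    # Replies only come back if a route covering the secondary address points at the primary IP.
    routes = re.findall(rf"^route {nameif} (\S+) (\S+) (\S+)", config, re.M)
    covering = [r for r in routes
                if ipaddress.ip_address(secondary_ip) in ipaddress.ip_network(f"{r[0]}/{r[1]}", strict=False)]
    if not covering:
        findings.append(f"no route on {nameif} covers {secondary_ip}, so replies will not return")
    elif not any(r[2] == primary_ip for r in covering):
        findings.append(f"route for {secondary_ip} does not use primary IP {primary_ip} as next hop")
    if "same-security-traffic permit intra-interface" not in config.splitlines():
        findings.append("intra-interface traffic not permitted; hairpinned traffic will be dropped")
    return findings
```

Paste the output of show running-config in place of the sample to check a real unit; a non-empty list names the step that is missing or inconsistent.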
Enjoy
Dec 13 2009 12:11AM GMT
Posted by: Jason Tramer
Tags: Cisco, 881, router, crash, memory leak, 12.4.24t1, 12.4.24t2
I was recently working with a Cisco 881 router that kept having memory leaks and crashing. At first it would only crash once a day or so but eventually it started crashing hourly.
I went through several different firmware versions and finally found one that fixed the issue. The last version I had been using was 12.4.24T1, but when I went to 12.4.24T2 all the issues went away.
Dec 3 2009 3:41PM GMT
Posted by: Jason Tramer
Tags: Cisco, ASA, ASDM, HA, High Availability, wizard, active, standby, CLI
OK, so you can easily do this from within ASDM using the HA wizard, but when I recently tried it the wizard would not work for me. So here is how you do it from the CLI:
Primary:
failover
failover lan unit primary
failover lan interface failover Ethernet X
failover key cisco
failover interface ip failover x.x.x.1 y.y.y.y standby x.x.x.2
Secondary:
failover
failover lan unit secondary
failover lan interface failover Ethernet X
failover key cisco
failover interface ip failover x.x.x.1 y.y.y.y standby x.x.x.2
Replication should begin immediately once both units are configured; the two configurations are identical except for the failover lan unit line. The failover key must match on both units, and since it encrypts the configuration and state replication carried over the failover link, use something stronger than the example key above in production.
Use “show failover” to see the status.
Hope this helps
Dec 1 2009 12:46AM GMT
Posted by: Jason Tramer
Tags: Cisco, VPN, Security
Check out this article:
http://www.theregister.co.uk/2009/11/30/…
This is quite big news. Cisco has been pushing its clientless SSL VPN pretty hard.
Nov 30 2009 4:11PM GMT
Posted by: Jason Tramer
Tags: Cisco, router, schedule, scheduling, kron
I recently needed to schedule nightly reboots for a Cisco router and I found this article very helpful.
http://articles.techrepublic.com.com/510…
Nov 30 2009 4:09PM GMT
Posted by: Jason Tramer
Tags: WatchGuard, ASA, Cisco, VPN
I have been working with a client with multiple sites, and up until recently they have been using WatchGuards at all sites. Recently we have been switching out some of the WatchGuards for Cisco ASAs, but there have been a ton of site-to-site VPN issues. For example, a tunnel goes down, so you re-key it, and it doesn’t come back up; but if you recreate the tunnel on the WatchGuard side with the exact same settings everything works fine. What is the point of having a standard if companies aren’t following it? Yeesh.
Nov 26 2009 10:40PM GMT
Posted by: Jason Tramer
Tags: Cisco, ASA, L2TP, PPTP, LDAP, Ipsec, ssl, CHAP, PAP, Remote Access, RA, VPN
So I configured my ASA to provide L2TP remote access VPN. I originally set it up with a local user database and it worked fine. Afterwards I decided to tie it in to LDAP so I could authenticate against Active Directory. I set up my LDAP integration and used the built-in test tool to make sure it worked, and it did. However, every time I tried to log in with an AD account I got authentication failures. So I eventually gave up and placed a call with Cisco TAC, and do you know what I found out? If you want to use LDAP authentication with L2TP RA VPN you have to use PAP, because LDAP authentication isn’t supported with CHAP. The practical effect of this is that when your ASA sends the passwords to your DC they are in clear text.
Cisco kind of has you over a barrel when it comes to RA VPN. You could go with SSL VPN, but the licences are hideously expensive. You could do IPsec VPN, but they don’t have a 64-bit client, nor are they planning on making one from what I heard. You could do L2TP, but if you want LDAP integration you have to send passwords in clear text unless you set up LDAP over SSL. Not to mention that the ASAs no longer even support PPTP.
It is more than a little annoying, I have to say.