Network technologies and trends

February 28, 2018  3:26 AM

Cisco announces new version of CCIE SP Written and Lab Contents with version 4.1

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Access, CCIE, Cisco, Cisco IOS, Exam, Hardware, IOS, IPv4, IPv6, MPLS, QoS, router, Routing, service provider, Software, VPN

Recently Cisco updated the blueprint for the Cisco CCIE Service Provider Written & Lab exams, the new CCIE SP version 4.1 is only about 10% different than its preceding version 4.0. The exam format still remains the same, the CCIE SP written exam number also remains the same (400-201) and the CCIE SP lab exam comprises of three modules

  • Troubleshooting
  • Diagnostic
  • Configuration

These minor changes certainly ensure that the changes are minimal, they are frequent (Cisco does minor updates once a year) and incremental.

Below is the domain level comparison of CCIE Service Provider v4.0 and v4.1.

CCIE Service Provider v4.0

CCIE Service Provider v4.1
1.       Service Provider Architecture and Evolution

2.       Core Routing

3.       Service Provider Based Services

4.       Access and Aggregation

5.       High Availability and Fast Convergence

6.       Service Provider Security, Operations, and Management

7.       Evolving Technologies


1.       Core Routing

2.       Service Provider Architecture and Services

3.       Access and Aggregation

4.       High Availability and Fast Convergence

5.       Service Provider Security, Operations, and Management

6.       Evolving Technologies



Compared to CCIE Service Provider version 4.0, domains remained almost identical, except that domain 1 and domain 3 were merged into one single domain: domain 2 (Service Provider Architecture and Services) in the new revision. Other domains were kept, although minor modifications were made within these domains as well. As a result, domain weightings did shift slightly:


SP 4.0 Domains

Written (%) Lab (%)
Service Provider Architecture and Evolution 10 NA
Core Routing 20 27
Service Provider Based Services 20 26
Access and Aggregation 15 17
High Availability and Fast Convergence 10 13
Service Provider Security, Operations, and Management 15 17
Evolving Technologies 10 NA

SP 4.1 Domains

Written (%) Lab (%)
Core Routing 25 30
Service Provider Architecture and Services 21 22
Access and Aggregation 18 21
High Availability and Fast Convergence 14 15
Service Provider Security, Operations, and Management 12 12
Evolving Technologies 10 NA


Domain 1 (Core Routing): No topics were added or removed within this domain, but some items were moved, rephrased, or merged into one single item:

  • “MAM and RDM models” were moved from MPLS QoS Models to MPLS TE QoS:
    • 6.d. Describe, implement, and troubleshoot MPLS QoS Models (Pipe, Short Pipe, and Uniform)
    • 6.e. Describe, implement, and troubleshoot MPLS TE QoS (MAM, RDM, CBTS, PBTS, and DS-TE)
  • The “mLDP and P2MP TE” tasks under within Multicast were merged into a single item:
    • 5.c Describe, implement, and troubleshoot mVPN

Domain 2 (Service Provider Architecture and Services) now holds tasks of the original domain 1 and 3.
Off the original domain 1, the following task, focusing on hardware architecture components was removed:

  • Describe platform architecture components such as RP, Line cards, and Fabric Crossbar

Other items that were part of domain 1, such as software architecture, mobility node functions, and virtualization concepts, were rephrased to better define their scope:

  • 1.a. Describe network architecture components and service provider network domains, for example: PE, P, CE, Metro Ethernet, Core, Aggregation, RAN Backhaul, and eNodeB
  • 1.b. Describe Cisco IOS, Cisco IOS-XR, and Cisco IOS-XR software architecture components, for example: XR Kernel, System Manager, and Interprocess communication
  • 2.a Physical router virtualization, for example: SDR, Multiple-Logical-Routers, and Satellite Network Virtualization
  • 2.b. Network Function Virtualization architecture concepts, for example: Service Function Chaining, ESP, EPN, and NFVI

Off the original domain 3, the following changes were made:

  • “Describe, implement, and troubleshoot GRE and mGRE based VPN” was removed.
  • “Transit policy enforcement” and “Internet peering route and transit policy enforcement” were merged into one single item:
  • 6.b. Describe, implement, and troubleshoot Internet peering route and transit policy enforcement


Domain 3 (Access and Aggregation) had the following items removed:

  • Describe Broadband Forum TR-101 such as Trunk N:1 and Trunk 1:1
  • Describe Link Fragmentation (LFI), cRTP, and RTP
  • Describe, implement, and troubleshoot end-to-end fast convergence (covered in domain 4)

Domain 4 (High Availability and Fast Convergence) remains unchanged, only the weights changed.

Domain 5 (Service Provider Security, Operations, and Management) had the most changes. In this domain, service provider operation oriented items have been removed:

  • Describe, implement, and troubleshoot port mirroring protocols, for example, SPAN, RSPAN, and ERSPAN
  • Describe network event and fault management
  • Describe performance management and capacity procedures
  • Describe maintenance, operational procedures
  • Describe network inventory management process
  • Describe incident management process based on ITILv3 framework

The CCIE Service Provider version 4.1 exam continues to focus on dual-stack solutions for both IPv4 and IPv6 technologies, as it was already deployed in the CCIE Service Provider version 4.0 exam. All solutions, for example, routing protocols, fast convergence, and L3VPN cover both IPv4 and IPv6 technologies.

Recommended Hardware and Software Equipment

The CCIE Service Provider lab exam environment was updated. However, no new technologies or features were added to the exam topics and therefore, the impact of this software update is minor. Candidates who want to prepare for the exam using hardware equipment are advised to use the following Cisco equipment and Cisco Software releases, which are used in the Diagnostic module.

  • P, PE, and RR role: ASR 9000 Series running Cisco IOS XR 6.0 release
  • PP, PE, and CE role: ASR 1000 Series running Cisco IOS XE 3.13 (15.4S) release
  • PE and CE role: Cisco 7600 Series running Cisco IOS 15.4S release
  • Access and Aggregation role: Cisco ME 3600x Series running Cisco IOS 15.4S release


One could say this a good approach from Cisco to keep CCIE exams more relevant to the new hardware and software they release.

February 27, 2018  4:57 AM

Panorama has open software issues, auto logout after 10 minutes

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Palo Alto Networks

When it comes to an idle timeout, by default Palo Alto Networks Firewalls and Panorama are configured for 3600 seconds (1 hour). This means if a Security Engineer or Security Analyst logs into the Web UI of Palo Alto Networks Firewalls and Panorama keeps the session idle for an hour they are not automatically logged off.

One can also change the idle time from the Web UI as shown below for the value they want for.

Go to Device > Setup > Management > Authentication Settings:

Idealistically by default Palo Alto Networks Panorama should logs out the Administrator after 60 minutes of idle time, however, this is not true as its been observed after 10 minutes of inactivity Panorama Web UI forces a logout. This occurs due to a reported bug, as it fails to apply an idle timeout value of 3600 seconds, rather 600 seconds (10 minutes) is applied.

Currently, no workaround is provided by Palo Alto Networks to resolve this issue, despite this issue was reported in the year 2012 yet there is no fix provided.

February 21, 2018  5:42 AM

Palo Alto Networks releases PAN-OS 8.1 and new hardware firewalls

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Data centers, Decryption, Networks, Palo Alto Networks, risks, Security, SSL, threats

The recent press release from Palo Alto networks comes with a great surprise as they released PAN-OS 8.1 which comes with some great new features and enhancements, also the new hardware they introduced have plenty to offer.

With growing threats targeted in form, SSL is always challenging to intercept and stop. Even the Next-Gen Firewall fails to stop some of the SSL embedded attacks and threats, the only way one can stop them is by intercepting the SSL traffic at the hardware level.  Palo Alto Networks Next-generation firewalls are known for their decryption capabilities and they are quite stable as well. With PAN-OS 8.1 Palo Alto Network Firewalls are empowered to streamline the SSL decryption traffic as they are capable of decrypting the SSL traffic once and share the decrypted traffic with other devices easily which further enhances security by simply applying the principle of defense in depth.

PAN-OS 8.1 simplifies application security, as well as some of the new feature, includes in 8.1 version are as follows

Application filter to allow new App-IDs – Temporarily allow new apps, this feature ensures that the newly released apps are not accidentally blocked until one review their security policy and then they can an appropriate action.

Better tools to assess the effect of App-IDs – Get insight into newly categorized application activity and the effect of the new App-IDs on their traffic.

Rule usage tracker to eliminate security risks – Remove unused security rules by understanding when a rule was the last hit, which eliminates holes that create security risks.

Panorama™ management 8.1 includes new features that provide even greater efficiency for teams managing physical and virtual appliances running PAN-OS. Using variables in templates, one can now leverage common configurations across many devices while substituting device-specific values in place of IP addresses, IP ranges, FQDNs and more.

Palo Alto Network released new hardware with a specific purpose.

The new PA-3200 Series appliances deliver up to 5x performance increase, up to 7x decryption performance increase, up to 20x decryption session capacity increase compared to existing hardware for the internet edge, and 1G/10G/40G interfaces for flexible connectivity options and they are well suited at Internet Edge

Now Palo Alto networks are also targeting industrial zone, works shops etc with very hard environmental conditions. They have introduced PA-220R ruggedized next-generation firewall brings the same PAN-OS features that protect the largest data centers; offers an extended temperature range; and is certified to IEEE 1613 and IEC 61850-3 standards for vibration, temperature and immunity to electromagnetic interference. It provides interactive visibility and control of industrial protocols and applications, such as Modbus, DNP3, IEC 60870-5-104, Siemens S7, OSIsoft PI® and more.

The newly released PA-5200 Series appliances prevent threats and safely enables applications in mobile network environments and large enterprise data centers. The PA-5280 offers security at throughput speeds of up to 68 Gbps and session capacity of up to 64 million.

To summarize enhancements in nutshell are as follows


  • Easier adoption of SSL-decryption in multi-vendor environments
  • 20X decryption sessions capacity boost at internet edge
  • Efficient adoption of best practices
  • Management at scale
  • Advanced threat detection and prevention
  • Quick detection of targeted attacks

Hardware Highlights

  • PA-3200 Series – 5x performance increase, 7x decryption performance
  • PA-220R ruggerized firewall for harsh environments
  • PA-5280 – Throughput =>68Gbps and session capacity up to 64 million

February 5, 2018  10:19 PM

Cisco ASA Firewalls and Cisco FTDs can be – exploited remotely due to “Remote Code Execution and Denial of Service Vulnerability” updates

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Adaptive Security Device Manager, API, ASA, Cisco, Cisco ASA, Cisco Firewall, Code, Denial of Service, DOS, REMOTE, Software, SSL, VPN, vulnerability

In my previous post, I talked about the vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. On January 29, 2018, Cisco recommended following ASA Versions which could overcome the vulnerability

Cisco ASA Major Release  First Fixed Release 
8.x1 Affected; migrate to or later
9.01 Affected; migrate to or later
9.31 Affected; migrate to or later
9.51 Affected; migrate to or later


However, the latest blog post by Omar Santos at Cisco blogs explains how the vulnerability can be exploited using crafted XML messages.






Picture Courtesy: Cisco Blog

If an SSL or DTLS listen socket exists in the Cisco ASA then the ASA is vulnerable, even if you have patched your ASA with the above-mentioned software versions the ASA still can be exploited. So it’s better to repatch the Cisco ASA with the below recommended ASA versions

Cisco ASA Major Release  First Fixed Release 
8.x1 Affected; migrate to
9.01 Affected; migrate to
9.31 Affected; migrate to
9.51 Affected; migrate to

A new set of ASA features which are vulnerable is updated in Cisco Security Advisory,

Feature Vulnerable Configuration
Adaptive Security Device Manager (ASDM)1 http server enable <port>
http <remote_ip_address> <remote_subnet_mask> <interface_name>
AnyConnect IKEv2 Remote Access (with client services) crypto ikev2 enable <interface_name> client-services port <port #>
anyconnect enable
AnyConnect IKEv2 Remote Access (without client services) crypto ikev2 enable <interface_name>
anyconnect enable
AnyConnect SSL VPN webvpn
enable <interface_name>
Cisco Security Manager2 http server enable <port>
http <remote_ip_address> <remote_subnet_mask> <interface_name>
Clientless SSL VPN webvpn
enable <interface_name>
Cut-Through Proxy (Not vulnerable unless used in conjunction with other vulnerable features on the same port) aaa authentication listener <interface_name> port <number>
Local Certificate Authority (CA) crypto ca server
no shutdown
Mobile Device Manager (MDM) Proxy3 mdm-proxy
enable <interface_name>
Mobile User Security (MUS) webvpn
mus password <password>
mus host <hostname>
mus <address > <mask > <interface_name>
Proxy Bypass webvpn
REST API4 rest-api image disk0:/<image name>
rest-api agent
Security Assertion Markup Language (SAML) Single Sign-On (SSO)5 N/A


1ASDM is vulnerable only from an IP address in the configured http command range.
2 Cisco Security Manager is vulnerable only from an IP address in the configured http command range.
3The MDM Proxy is first supported as of software release 9.3.1.
4The REST API is first supported as of software release 9.3.2. The REST API is vulnerable only from an IP address in the configured http command range.
5SAML SSO is first supported as of software release 9.6.

Its recommend to immediately upgrade your ASA with the new recommended release to overcome this vulnerability.

February 5, 2018  3:30 AM

How to ace Check Point Certified Security Administrator exam?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCSA, certification, Checkpoint, coaching, Exam, Firewalls, NAT, Security, VPN

Recently I was successful in passing Check Point Certified Security Administrator (CCSA) exam and now I am a Check Point Certified Security Administrator. Check Point Certified Security Administrator (CCSA) exam is a pretty straightforward exam which addresses the following topics and one need to score 70% to pass the exam.

  • Check Point Technology Overview
  • Deployment Platforms and Security Policies
  • Monitoring Traffic and Connections
  • Network Address Translations
  • User Management and Authentication
  • Using SmartUpdate
  • Implementing Identity Awareness
  • Configuring VPN tunnels
  • Resolving security administration issues

When it comes to exam preparations often one needs to depend upon their experience along with either official training or self-study materials. In my case, I relied more on hands-on experience and Check Point CCSA GAiA 156-215.76  CBT nuggets by @KeithBarkerCCIE . This video series is really quite good as @KeithBarkerCCIE walks through the topics of CCSA exam in the quite interesting way and simultaneously he builds a virtual lab and demonstrates what he is teaching, by this way one can certainly grasp the topics quite easily. I build a virtual lab and practiced what I was learning by watching Check Point CCSA GAiA 156-215.76  CBT nuggets.  The video series is quite helpful for those, who just started their Checkpoint journey, as Keith explains the concepts and history of Checkpoint in less than 35 minutes in a most effective way.

The great things about CBT Nuggets are that you can avail their coaching facilities known as “Accountability Coaching” Buy availing this facility you are ensured that your progress is tracked and a dedicated coach will help you to determine your goals and set deadline.  I was lucky to work with Megan Flores as she helped me build my goals and the objective behind this certification. She was a great mentor and I am thankful to her for the follow-ups and the motivation calls she made. It’s really helpful to set deadlines and held accountable for those deadlines.

To summarize one with a good understanding of networks and firewalls can take this course and prepare well for the Check Point Certified Security Administrator (CCSA) exam. I believe Check Point CCSA GAiA 156-215.76  CBT nuggets by @KeithBarkerCCIE  is a great tool to ace the exam.

February 2, 2018  12:40 AM

Cisco ASA Firewalls and Cisco FTDs can be exploited remotely due to “Remote Code Execution and Denial of Service Vulnerability”

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
ASA, Cisco, Cisco ASA, Cisco Firewall, Code, Denial of Service, DOS, REMOTE, Software, VPN, vulnerability

According to latest Cisco Security Advisories and Alerts update, Cisco ASA Firewalls, and Cisco FTDs can be exploited remotely provided WebVPN is configured on them. There is a vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:


Following Cisco Products are affected by this vulnerability

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

One can discover whether their Cisco ASA is affected by running the Cisco ASA Command “ show running-config webvpn” as shown below

The following example shows the output of the command for a device that is running Cisco ASA Software and has WebVPN enabled on the Outside interface.

ciscoasa# show running-config webvpn


enable Outside

The customer can also use the show asp table socket command and look for an SSL and a DTLS listen socket on TCP port 443. An SSL and DTLS listen socket on TCP port 443 must be present in order for the vulnerability to be exploited. The following example shows the output of the command for a device that has SSL and DTLS listen sockets on TCP port 443:

ciscoasa# show asp table socket

Protocol  Socket    State      Local Address       Foreign Address

SSL       00005898  LISTEN*

TCP       00009718  LISTEN*

TCP       0000e708  LISTEN*

SSL       00011cc8  LISTEN*

DTLS      000172f8  LISTEN*


Determining the ASA Running Software Release

To determine whether a vulnerable version of Cisco ASA Software is running on a device, administrators can use the show version command in the CLI. The following example shows the output of the command for a device that is running Cisco ASA Software Release 9.2(1):

ciscoasa# show version | include Version

Cisco Adaptive Security Appliance Software Version 9.2(1)

Device Manager Version 7.4(1)

Customers who use Cisco Adaptive Security Device Manager (ASDM) to manage devices can locate the software release in the table that appears in the login window or the upper-left corner of the Cisco ASDM window.


FTD Software

This vulnerability applies to the FTD 6.2.2 software release, which was the first to support the Remote Access VPN feature. This release contains both Firepower and ASA code. Review Firepower Threat Defense Devices in the Cisco Firepower Compatibility Guide for additional information.


Determining the Running FTD Software Release


Administrators can use the show version command at the CLI to determine the FTD release. In this example, the device is running software release 6.2.2.

> show version

———————[ ftd ]———————

Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.2 (Build 362)

UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c

Rules update version : 2017-03-15-001-vrt

VDB version : 279



In order to overcome this vulnerability, one has to upgrade their Cisco ASA and Cisco FTD appliances as there is no other workaround available.

Cisco has released a new ASA version of software which closes this vulnerability, so its recommend to install the recommend ASA Software based on the below table,

Cisco ASA Major Release  First Fixed Release 
8.x1 Affected; migrate to or later
9.01 Affected; migrate to or later
9.31 Affected; migrate to or later
9.51 Affected; migrate to or later


When it comes to FTD, Cisco FTD major release prior to 6.2.2 are not vulnerable simply because they were not supporting VPNs, the below table shows the details of the fix.

Cisco FTD Major Release  First Fixed Release 
Prior to 6.2.2 Not vulnerable
6.2.21 (All FTD hardware platforms except 21xx) (21xx FTD hardware platform)


Its recommended to take the advice of Cisco TAC and plan the software upgrade.

This vulnerability was discovered by Security researchers Cedric Halbronn form the NCC group and reported the same to Cisco. On Feb 2 2018 at the Recon Brussels conference, Cedric Halbronn is scheduled to deliver a talk on how he exploited this vulnerability.

January 2, 2018  4:48 AM

A review for Cisco Press title “Cisco Firepower Threat Defense (FTD)” by Najmul Rajib

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
ASA, CCIE, CCNA, CCNP, Cisco, Cisco Press, DNS, firewall, Security, SSL

The recently released Cisco Press title “Cisco Firepower Threat Defense (FTD)” by Najmul Rajib is a great treat to read as he addresses most of the new concepts and new approach one has to adapt to enhance his/her Cisco’s Firepower technology.









Courtesy: Cisco Press

This title comes with 22 chapters divided into four parts and follows a standard Cisco Press format of chapter summary and followed by quiz

• Part I Troubleshooting and Administration of Hardware Platform
• Part II Troubleshooting and Administration of Initial Deployment
• Part III Troubleshooting and Administration of Traffic Control
• Part IV Troubleshooting and Administration of Next-Generation Security Features

The evolution of Firepower is a good starting point of this title as it addresses the concepts of Defence Center, FireSIGHT Systems and Firepower systems in very concise manner and also this gives a good understanding of Firepower System Software Components.

The ASA reimaging chapter is quite elaborative and gives all the steps one should follow to reimage their ASA with unified FTD image. The chapter comes with great screen shots of the steps one should follow. If one wants to re-image their ASA Firewall with unified FTD image they can also see my post published some in April 2017.

Part II of this title addresses the administration and troubleshooting steps, licensing and registration process, followed by the Firepower deployment modes.

Whereas Part III focusses more into the troubleshooting and administration of traffic like how one can capture a traffic from Firepower engine, how one can download a .pcap file. How to inspect an SSL traffic, though this section could have been more elaborative as it addresses to fail the SSL interception in detail.

Part IV concludes this title with some advanced troubleshooting and administrating tips for Cisco’s Next Generation Security features like blocking a DNS query, URL filtering, discovering and blocking traffic based on applications.

One can certainly make use of this title to enhance their knowledge about Cisco Next-Generation Firewalls as it comes with best practices for the various topic, few such topics which grabbed our attention was a deployment of FTD in routed mode and blocking DNS query. Also, this title happens to be very handy guide for CCNA Security, CCNP Security, and CCIE Security exams preparations.

If the VPN capabilities of FTD was discussed it would have added some more value as this is a key feature of any Next-Generation Firewalls.

To conclude it’s a well-written title by Najmul Rajib which helps one to understand what FTD is and how one can start working with FXOS as it comes with a good example and best practices.

November 21, 2017  4:42 AM

Cisco Champions 2018 applications are open  

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Cisco, communities, social media, technologies, User groups

Cisco runs a program known as Cisco Champions, which purely runs on nominations, one can either nominate himself/ herself or someone whom they see as experts in Cisco Products and Technologies. Cisco expects the potential Cisco Champions to actively share their knowledge, expertise and thoughts in technical forums, communities, user groups, social media and speaking engagement across the social web, IRL and with Cisco.







Image Courtesy: Cisco Blog

The Cisco Champion program is open all the individuals who are either 18 years in age or older and they cannot be a government official or Cisco employees with following qualities

  • Is active on social media
  • Expresses balanced view of Cisco
  • Has Cisco-related expertise
  • Has overall expertise in IT industry
  • Chooses to actively participated in conversations relevant to Cisco and the IT industry

Being a Cisco Champion for 2017 I certainly recommend one to nominate themselves or others for this program, Cisco Champions program is quite beneficial and one can peer with fellow Cisco Champions as they get good opportunity to learn from subject matter experts and share their knowledge as well.

The last day to register for this program is November 24th ,2017.

November 9, 2017  3:23 AM

What is “TCP Spurious Retransmission” ? And why does this occur for the FTP traffic passing through a Cisco ASA Firewall?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
ASA, Cisco, Cisco ASA, Filezilla, firewall, FTP, Network security, TCP

Recently we come across an issue where FTP  connection was not established between the client and the FTP server. The connection was passing through the Cisco ASA Firewall. Upon troubleshooting, we discovered 3-way TCP handshake was happening, however, once the login name and password entered to access the FTP directory nothing was accessible and no errors were reported in the FileZilla client.








Figure 1.2- Packets captured in pcap format in Cisco ASA Firewalls

Upon capturing the packet at Cisco ASA Firewall we discovered after 3-way TCP handshake, the FTP connection was initiated and the client was asked to enter the login credentials, and same is visible in the packets captured. However, after entering the login credentials it was observed TCP retransmission was occurring and TCP Spurious Retransmission was happening.

Before getting into the solution and the reasons why this was happening it’s better to understand what is “TCP  Spurious Retransmission” is?

As exhibited in the above TCP flow, the ACK sent to the receiver didn’t reach the sender in time,  since the ACK failed to reach the sender before RTO expires, the sender retransmits the same data that acknowledged by the receiver. This type of retransmissions are known are “ “TCP  Spurious Retransmission”





Figure 1.2- TCP Spurious Retransmission data flow

In our case, Cisco ASA was configured to do the FTP inspection in strict mode.

policy-map default_policy

class inspection_default

inspect ftp strict FTP-Map


The main issue with a strict option in our case was, the FTP client failed to process the FTP traffic due to the security of protected network was increased.

By simply inspecting the FTP traffic in normal mode the issue was resolved, we used the below Cisco ASA commands,

policy-map default_policy

class inspection_default

inspect ftp

When it comes to FTP its hard to troubleshoot, as logs collected doesn’t provide the details for the failure occurred. One has to capture the packets and download the captured packets in the pcap format for further analysis.

June 8, 2017  9:10 AM

Recertifying Cisco expert exams a new twist is here

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCIE, Certifications, Cisco

Being a CCIE/CCDE its self is a huge step one would take in his/her life, it’s an informed decision one needs to take as maintaining a CCIE/CCDE  is not an easy task. Every two year one needs to recertify his or her CCIE/CCDE either by passing any CCIE written / CCDE written exam or by passing CCIE/CCDE lab exam. Apart from extensive preparations, one needs to also has to bear the pain of exam costs as Cisco CCIE written exams not quite easy to pass and its cost one a good amount of money.

The recent CCDE practical lab exam cancellation has raised the reputation of expert level exams conducted by Cisco. These days often its been observed people with no experience in networking domain were CCIEs / CCDEs, where as it took over decades of hard earn experience to plan the CCIE journey.

With the announcement of Cisco Continuing Education Program Cisco added a new twist for recertification process of their expert level certifications. Cisco believes that principles like Flexibility, Diversity, and Integrity will be the driving force for this program.

According to Cisco CLN post:

Flexibility is achieved by offering existing Cisco certified individuals an alternative option for recertification, in addition to the already existing option of recertifying by passing the relevant exam(s). Diversity is achieved by allowing individuals a wide range of preapproved items, such as online courses, instructor-led training, authoring of content, and Cisco Live training offerings (collectively called “Continuing Education items”), which can be pursued to earn credits toward recertification. Integrity is achieved by having Cisco authorized content providers, who deliver the content to the individual seeking recertification, validate the credits submitted by that individual.”

The Continuing Education Program is governed by the Cisco Continuing Education Advisory Board. Candidates who choose to recertify through the Continuing Education Program will be required to earn a certain number of credits by completing the required Continuing Education item(s) as delivered by a content provider and paying the Continuing Education administrative fee before their current certification becomes inactive.

Once candidates have earned the designated number of credits and paid their Continued Education administrative fee, they will be recertified as per the existing recertification policies.

The Cisco Continuing Education Program is valid only for the people who are holding a valid Cisco expert level certifications like CCIE and CCDE in either active or suspended status, also those who hold Emeritus status are eligible for this program with few exceptions

  • Candidates in Emeritus status who are required to pass both a written exam and a lab to become active again
  • Candidates who achieved Emeritus status by earning Business Transformation Certifications as described on the CCIE website

In order recertify Cisco Expert level certifications like CCIE and CCDE, one must abide by the following three steps

  • Agree to the Terms and Conditions associated with the Continuing Education Program as part of the enrollment process
  • Earn 100 credits required by completing any of the preapproved Continuing Education offerings
  • Pay the Continuing Education administrative fee

One can enroll by visiting the Continuing Education Program portal using their CCO login details and agree to the terms and conditions. Once logged in the portal shows the active status of their certifications and when they are expiring


Cisco had provided multiple options to earn credits, one way of earning credits is to attend Cisco Live training sessions and one can earn maximum of 70 credits from the required 100 credits. The below table gives one a brief idea about how the credits are earned for different sessions.

Cisco Live
Session Type Level Credits per Session
Technical Breakout 1000 Level 1
2000 Level 2
3000 Level 3
4-Hour Technical Seminar 1000 Level 3
2000 Level 4
3000 Level 5
8-Hour Technical Seminar 1000 Level 6
2000 Level 8
3000 Level 10
4-Hour Instructor-Led Lab 1000 Level 3
2000 Level 4
3000 Level 5
8-Hour Instructor-Led Lab 1000 Level 6
2000 Level 8
3000 Level 10

Cisco charges $300 US as administrative fees to recertify ones CCIE and CCDE through continuous education program. Cisco has listed all the rules and criteria at Continuing Education Program portal about this programs its recommend to read the post in details to know what are those criteria, some of the rules governed by Continuing Education Program are as follows

  • For Expert-level certifications, new recertification dates will be issued as per existing Cisco CCIE policies and  procedures; therefore, there may be a time lag between completion of  requirements and issuing of the recertification date.
  • Credits, once earned, will be valid for three years from the date they were earned, as long as they do not meet either of the  criteria described here:
  • Credits will expire if a new recertification cycle starts, either by passing an exam or recertifying some other credential.
  • Credits will expire if your certification becomes inactive before completing the Continuing Education requirements.
  • Credits earned for a given course can only be counted once within the recertification cycle. Repeating the same course will not count towards recertification credits.
  • Credits, once used, cannot be reused for any other certification track or level.
  • Credits must be used (1) before they expire, or (2) during the certification cycle in which they were earned, whichever occurs earlier.
  • Students who are approved to use printed student kits per the exception process can still log into the digital kit using the credentials provided in order to register within the digital kit platform that is linked to the Continuing Education database.

One can view the full catalog of the Continuing Education offerings that have been approved by the Cisco Continuing Education Advisory Board logon to the Continuing Education Program portal. Also one could access the complete program catalog by visiting this link

Well, Cisco has taken some concrete methods to maintain the credibility, integrity, and diversity of their expert level exams. However, the question arises here is it worth to spend this amount of money and time for recertification?

The brighter side of this program is, it offers enormous options to recertify Cisco Expert level exams, personally, I am convinced to adopt the new path as I am free to choose the path/technologies to earn required credits to recertify my CCIE.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: