Tuesday 30 April 2019

You see First TCP packet not SYN (tcp-not-syn) in asp drop table capture

Had an issue where traffic was not working to a website. The connection to the site was branch office -> VPN -> HQ office -> VPN -> Webserver.

All VPNs were up and the ACL rules looked good.

We took some captures and saw the traffic going out and back, but not arriving on the branch firewall. Looking at the asp drop table we saw tcp-not-syn. It was like the branch office could not see that the return traffic was part of an existing TCP connection.

We telnet'd to the web site on 443 but using the web browser didn't work. The issue in the end was MTU.

The MTU on the branch site was set quite low, 1340.

Thursday 25 April 2019

download pcap file that was created in the FTD CLI

You might set up a capture inside
system support diagnostic-cli

then copy it to disk with
copy /pcap capture:cap-name

Now go into the normal FTD CLI and enter expert mode:
cd /ngfw/mnt/disk0/
cp cap-name.pcap /ngfw/var/common/

Now you can download cap-name.pcap from the web GUI:
Devices -> Device MGMT -> Troubleshoot icon on the FTD -> Advanced Troubleshooting

It's also possible to copy it off with the copy command to scp/tftp.

Wednesday 24 April 2019

how to reset Philips hue bulb when using with amazon echo plus / alexa

Had to reset my echo plus to fix another issue.
The echo plus has a built in bridge so I don't want to buy the Philips bridge.
Afterwards I couldn't add my Philips hue bulbs back, very annoying.

You need to reset the bulbs first.

1 Get the serial from the bulb.
2 Make sure it's on; only reset one bulb at a time.
3 With the Amazon Alexa app on the phone, there is one master user. This is usually the phone/account that originally set up the echo. You need to use that smartphone.

4 Reset the bulb in the app

Start the alexa app on the smartphone
Go to devices in the bottom right
Tap the "plus" symbol in the top right
Add device
Tap "Light"
Scroll down to "Other"
Make sure the light is on
Tap "Discover devices"
This will fail, just wait for it
Now tap "Get help connecting"
Scroll down and tap "RESET PHILIPS HUE LIGHT"
Enter the serial number we took off the bulb earlier
Tap "Continue"
The echo should reset the bulb and it should flash. Alexa should automatically discover it afterwards, but if it doesn't, try asking Alexa to "discover my devices" again.

Hope that helps.

Tuesday 9 April 2019

packet capture on F5

netstat -nr | grep x.x.x.x can be useful too

tcpdump -i eth0 -s0 host 192.168.1.50 and host 192.168.1.100 -w /var/tmp/packet-capture.pcap

tcpdump -v -s0 -nni 0.0:nnnp -w /var/tmp/MYCAP.pcap host 192.168.10.100 and 192.168.20.200

Copy your .pcap file off with WinSCP and open it in Wireshark

or read it on the CLI (on F5 it seems to take a long time to load the cap)
tcpdump -r /var/tmp/packet-capture.pcap

Monday 1 April 2019

enable auditing/logging on NPS/radius server

View NPS events here:
Event viewer -> Custom Views\Server Roles\Network Policy and Access Services

Run CMD as administrator

Check if it's on:
auditpol /get /subcategory:"Network Policy Server"
If it shows "No Auditing" it's off.

Switch it on (run CMD as admin):
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Check if it's on after running the command above - I had an issue where it didn't switch on. Not sure what the problem was; I was stopping/starting the NPS server around the same time.

Common issues
Confirm the IPs of the RADIUS clients are correct; double check for any typos, and check both the name and the actual IP that is set.
Confirm the shared secret matches on the client (WiFi AP etc.) and server end (NPS server); often copying it from a previous one will work fine.
Stop/start the NPS server after adding new RADIUS clients.
Check the NPS logs as detailed above while trying the RADIUS connection.
Run Wireshark on the NPS server to confirm the RADIUS request arrives.

Saw an issue with a new Zone Director (ZD) and its traffic.
The old ZD was working fine with RADIUS.
Moved to the new ZD and it was not working.
We found the connection profile was not matching.
The old one was matching on "Wireless - IEEE 802.11".
The new traffic was showing up as "VPN" for some reason.
Added VPN to the connection policies and it was working, so moved on.

I would say: check the NAS ID on the Wireshark packets coming in,
check the event log/auditing,
check if we can configure the NAS ID on the ZD.
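As an added example (not from the original post), here is a PowerShell script that does the auditpol check and enable described above, re-checks the setting, and then pulls the recent NPS events from the Security log with the NAS ID and NAS port type fields, which is where a "VPN" vs "Wireless - IEEE 802.11" mismatch in the connection request policy shows up. The event IDs and EventData field names are the standard ones from NPS audit events and are assumed here rather than taken from the post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt on the NPS server.
# Event IDs and EventData field names are the standard NPS audit ones (assumed, not from the post).

function Get-NpsAuditState {
    # auditpol prints a small table; keep the row for the subcategory and strip its name
    $row = auditpol /get /subcategory:"Network Policy Server" |
        Where-Object { $_ -match 'Network Policy Server' }
    if (-not $row) { throw "Could not read the audit policy (is this prompt elevated?)" }
    return ($row -replace '^\s*Network Policy Server\s*', '').Trim()   # e.g. "No Auditing"
}

function Enable-NpsAudit {
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
}

function Get-NpsRecentEvents {
    param([int]$Hours = 1)
    # NPS writes to the Security log via Microsoft-Windows-Security-Auditing:
    # 6272 = access granted, 6273 = access denied, 6274 = request discarded
    $filter = @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'
                 Id = 6272, 6273, 6274; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # read the named EventData fields from the XML view; fields an event lacks come back empty
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            User        = $d['SubjectUserName']
            Client      = $d['ClientName']          # RADIUS client entry that matched in NPS
            ClientIP    = $d['ClientIPAddress']     # compare with the IP configured for that client
            NasId       = $d['NASIdentifier']       # the NAS ID the post suggests checking
            NasPortType = $d['NASPortType']         # e.g. "Wireless - IEEE 802.11"; VPN shows differently
            CrPolicy    = $d['ProxyPolicyName']     # connection request policy that matched
            NetPolicy   = $d['NetworkPolicyName']
            Reason      = $d['Reason']              # populated on 6273/6274
        }
    }
}

$state = Get-NpsAuditState
"NPS auditing: $state"
if ($state -match 'No Auditing') {
    Enable-NpsAudit
    "After enabling: $(Get-NpsAuditState)"   # re-check; the post notes it did not always take
}
Get-NpsRecentEvents -Hours 2 | Format-Table -AutoSize
```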

netsh trace tool on windows

Netsh trace start scenario=wlan,netconnection capture=yes report=yes

Reproduce the issue

To stop the trace:

Netsh trace stop