Monday 28 March 2022

ruckus cloud controller AP install

I was having issues getting APs to join the cloud controller.

I couldn't see any drops or blocks on the firewall.

The APs were trying to look up the DNS name RuckusController.customer-domain.com (the name a Ruckus AP queries in its own DNS domain to discover a controller).

I went onto the customer DC and added an A record for RuckusController.customer-domain.com pointing at the public IP of our cloud controller (virtual SmartZone).

It is also best to add the MAC addresses of the APs as DHCP reservations.

Make sure everything matches if you have two DCs that are not in sync: both must return the same answer for the controller name, otherwise APs will join or fail depending on which DC they happen to query.


Other URLs I saw the APs trying to access:

ap-registrar.ruckuswireless.com

ap-registrar.cloud.ruckuswireless.com

*.ruckuswireless.com

ocsp.entrust.net (the OCSP responder used for certificate revocation checks, so allow it through the firewall as well)


The APs also connected to the cloud controller IP on

UDP 12223
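An added pre-flight check for the DNS prerequisites above (my example script, not part of the original notes): it resolves the controller name against both customer DCs and fails if they disagree or do not return the controller's public IP, then confirms the Ruckus cloud hostnames resolve through each DC. It assumes dig is installed where it runs; the DC addresses and the controller IP on the usage line are made-up values.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: check the DNS prerequisites for a
# Ruckus AP joining a cloud vSZ before blaming the firewall.
# Assumptions: dig is installed on the box this runs from; DC1/DC2 are the
# customer's two domain controllers; the controller name and registrar
# hostnames are the ones in the notes (the IPs below are made up).
#
# Usage: ./ruckus-precheck.sh RuckusController.customer-domain.com 10.0.0.10 10.0.0.11 203.0.113.5
set -u

# Cloud hostnames the APs were seen reaching for. The firewall also needs to
# allow *.ruckuswireless.com and UDP 12223 to the controller; UDP cannot be
# proven from here without a capture, so that is left to tcpdump on the vSZ.
RUCKUS_HOSTS="ap-registrar.ruckuswireless.com ap-registrar.cloud.ruckuswireless.com ocsp.entrust.net"

# Resolve the A record(s) of NAME against DNS server SERVER, sorted, one per line.
# Always returns 0 so an empty answer is reported by the caller, not by set -e.
resolve_a() {
  dig +short +time=2 +tries=1 A "$1" @"$2" | grep -E '^[0-9.]+$' | sort || true
}

# The "two unsynced DCs" case: both DCs must give the same answer for the
# controller name, and it must be the controller's public IP if one is given.
check_dns_consistent() {
  local name=$1 dc1=$2 dc2=$3 expected=${4:-}
  local a1 a2
  a1=$(resolve_a "$name" "$dc1")
  a2=$(resolve_a "$name" "$dc2")
  if [ -z "$a1" ] || [ -z "$a2" ]; then
    echo "FAIL: $name does not resolve on both DCs ($dc1='$a1' $dc2='$a2')"
    return 1
  fi
  if [ "$a1" != "$a2" ]; then
    echo "FAIL: $name differs between $dc1 ($a1) and $dc2 ($a2); the DCs are out of sync"
    return 1
  fi
  if [ -n "$expected" ] && [ "$a1" != "$expected" ]; then
    echo "FAIL: $name resolves to $a1, expected the controller IP $expected"
    return 1
  fi
  echo "OK: $name -> $a1 on both DCs"
}

# Every Ruckus cloud hostname must resolve through the DC the APs will use.
check_cloud_names() {
  local dc=$1 rc=0 h
  for h in $RUCKUS_HOSTS; do
    if [ -n "$(resolve_a "$h" "$dc")" ]; then
      echo "OK: $h resolves via $dc"
    else
      echo "FAIL: $h does not resolve via $dc"
      rc=1
    fi
  done
  return $rc
}

main() {
  local name=$1 dc1=$2 dc2=$3 expected=${4:-} rc=0
  check_dns_consistent "$name" "$dc1" "$dc2" "$expected" || rc=1
  check_cloud_names "$dc1" || rc=1
  check_cloud_names "$dc2" || rc=1
  return $rc
}

# Only run when called with arguments so the functions can be sourced elsewhere.
if [ $# -ge 3 ]; then main "$@"; fi
```

Run it from a host on the AP VLAN so it uses the same path the APs do. A non-zero exit means at least one check failed; the FAIL lines say which DC or name is wrong.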

Thursday 24 March 2022

Meraki switches

Make sure the license is in place; it may be in the PO/job folder.

In the dashboard, when adding the org you can paste in the order number, which should add all the devices and licenses.

Then we needed to give the switch internet access via DHCP; it connected to the cloud after about 15 minutes.

Log into the dashboard and configure it from there.

Keep in mind that if you move the switches to a location with no internet you will lose configuration access, since all management is through the dashboard.


 

Wednesday 16 March 2022

pscp file to cisco router

I was trying to copy files to a Cisco ASR 1001-X router.

I was having issues due to internal firewall rules etc. I could SSH, so SCP would probably work.


I needed to enable the following command on the ASR router:

ip scp server enable

The SCP server on IOS-XE sits on top of AAA, so it also needs aaa new-model with login authentication and exec authorization configured, and the account used must be privilege 15; otherwise the transfer is refused even though SSH works.

However it still wasn't working.

I needed to run the pscp command on my server with the files with the -scp switch to force the old SCP protocol (pscp defaults to SFTP, which IOS does not serve):

pscp -scp filename.bin username@x.x.x.x:filename.bin


I had to fill in the second filename.bin for the destination, otherwise it would not work.
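As an added example (my wrapper, not the original note's own commands), the copy done with -scp and the explicit destination name, followed by the integrity check to run on the router, since an image pushed over the network should be verified before it is booted. Hypothetical values: user admin, router 192.0.2.1, image on bootflash:. It assumes pscp is on the path of the host you copy from and that ip scp server enable and AAA are already in place on the router.

```shell
#!/usr/bin/env bash
# Added example, not from the original note: copy an image to an IOS-XE router
# with pscp's legacy SCP mode and print the on-box integrity check to run next.
# Assumptions (hypothetical values): user "admin", router 192.0.2.1, image kept
# on bootflash:. Needs pscp on this host; on the router "ip scp server enable"
# plus AAA login authentication / exec authorization and a privilege 15 user.
#
# Usage: ./push-image.sh asr1001x.bin admin 192.0.2.1 [bootflash:]
set -u

# MD5 of a local file, portable across md5sum (coreutils) and md5 (BSD/macOS).
local_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# The IOS command that recomputes the MD5 on the router and compares it to ours:
# "verify /md5 <file> <hash>" reports Verified when the two match.
verify_command() {
  printf 'verify /md5 %s %s\n' "$1" "$2"
}

copy_and_verify() {
  local file=$1 user=$2 host=$3 fs=${4:-bootflash:}
  local name hash
  name=$(basename "$file")
  hash=$(local_md5 "$file")
  echo "local md5 of $name: $hash"
  # -scp forces the legacy SCP protocol (IOS has no SFTP server), and the
  # destination file name must be given explicitly or the IOS SCP server
  # rejects the transfer. Add "-hostkey <fingerprint>" to pin the router's
  # SSH host key rather than accepting whatever is presented on first contact.
  pscp -scp "$file" "$user@$host:$name" || return 1
  echo "Now run this on the router and confirm it reports Verified:"
  verify_command "${fs}${name}" "$hash"
}

# Only run when called with arguments so the functions can be sourced elsewhere.
if [ $# -ge 3 ]; then copy_and_verify "$@"; fi
```

Cisco also publishes the MD5 of each image on the download page; comparing the local hash against that as well catches a bad download, not just a bad transfer.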


Tuesday 15 March 2022

read in variable in windows .bat file

usage:

test.bat MyUsername MYPW


script-----------------
@echo off
REM Positional arguments: %1 = username, %2 = password.
REM %~1 strips surrounding quotes, so "My User" is stored without them;
REM quoting the whole set keeps stray trailing spaces out of the value.
set "username=%~1"
set "password=%~2"

echo %username%
echo %password%
pause
script-----------------

Anything passed on the command line is visible in the process list and in the command history, so only pass real credentials this way for throwaway accounts.

plink can be used to automate SSH tasks from a batch file in the same way. Run it with -batch so it never stops on an interactive prompt, and pin the device's host key with -hostkey rather than piping "y" into it to accept whatever key is presented.

Monday 7 March 2022

cisco ftd/asa smart licensing strong encryption

The customer needs to set up a Smart Account with Cisco at https://software.cisco.com/

It needs to be set up with a user@customer-domain.com email address.

Once it is set up, get them to add you as an admin.

When buying licenses, specify the Smart Account with the disti/vendor. Often they get it wrong and the smart license goes into limbo; you then need to open a case with the licensing team at licensing@cisco.com.

Once the license appears in the Smart License console you need to assign it to the device.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/intro-license-smart.html#id_57013


Generate a registration token in the Smart Software Manager and copy it to a notepad. Tick "Allow export-controlled functionality on the products registered with this token" when you create it, otherwise the strong-encryption (3DES/AES) feature will not activate. Give the token a short expiry and treat it as a credential while it is valid.

On the ASA (an FTD is registered through FMC or FDM rather than this CLI):

conf t

call-home

license smart

feature tier standard

feature strong-encryption

license smart register idtoken XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

license smart renew auth

show license summary

sh ver

show version should now list Encryption-3DES-AES as Enabled.



Thursday 3 March 2022

Firepower hotfix and patch schedule info

When Cisco find an issue they sometimes release a hotfix as a small, quick fix.

The real fix is then put into the next maintenance release.


6.6 is the last FMC release that supports the Cisco Firepower User Agent for identity. If you want to go above it you need to uninstall the User Agent and deploy ISE-PIC instead.

6.7.0 removes support for old ciphers. If you are using FTD you need to make sure all VPNs have been migrated to IKEv2 and updated ciphers before upgrading.

ASA 55xx-X devices only support sensor software up to a certain version; at the time of writing that was 6.6.5.2.

When you upgrade to 6.7.0, for example, you should also upgrade to the latest release of 6.7.x (6.7.3 at the time of writing). This ensures you get all the fixes in your branch.

Because branches are worked on by different dev teams, the fact that something is fixed in 6.4.0.14 does not mean the same issue is fixed in 6.7.0, so you need to go to 6.7.3 or whatever the latest patch in that branch is.




fmc error after upgrading to 6.7.3 interface modified

You get a health warning that interfaces were modified after upgrading to 6.7.3.

The steps below only delete the notification rows from the FMC database; they do not change any interface configuration. Check the device's interfaces in FMC first so you know the change is expected, and take a backup before editing the database as root.


SSH into FMC

enter "expert" mode

enter "sudo su"

Run this query to list the offending notifications (status 11) with their UUIDs and message bodies:

OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification where status=11;"

For each UUID returned, delete that notification:

OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("XXXXXXXXXXXXXXXXXXXXXXXX");'

OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("YYYYYYYYYYYYYYYYYYYYYYYY");'

OmniQuery.pl -db mdb -e 'delete from notification where uuid=unhex("ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ");'


Check again; it should return nothing:

OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification where status=11;"


Check the FMC web interface; the alert should have cleared.
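The same clean-up as a loop, so you are not retyping one OmniQuery.pl delete per UUID and you keep a copy of what was removed. This is an added example of mine, not from the original note; it runs on the FMC in expert mode as root, where the commands above run. It assumes hex(uuid) prints as a 32-character hex string (a binary(16) column) and that /root is a fine place for the saved listing; adjust the pattern if your output looks different.

```shell
#!/usr/bin/env bash
# Added example, not from the original note: clear the "interfaces modified"
# notifications in a loop instead of one OmniQuery.pl call per UUID. Run it on
# the FMC from expert mode as root, exactly where the notes above run OmniQuery.pl.
# Assumptions: hex(uuid) prints as a 32-character hex string (binary(16) column);
# status=11 is the notification type you have just reviewed and want gone;
# /root/notifications-before.txt is a made-up path for the saved listing.
#
# Usage: DRY_RUN=1 ./clear-notifications.sh --run   (print only)
#        ./clear-notifications.sh --run             (delete)
set -u

STATUS=11

# Pull the hex UUIDs out of OmniQuery.pl output on stdin, one per line, deduplicated.
extract_uuids() {
  grep -oE '[0-9A-Fa-f]{32}' | sort -u
}

# The delete statement for one UUID, in the same form as the manual commands above.
delete_sql() {
  printf 'delete from notification where uuid=unhex("%s");' "$1"
}

# List the current notifications of the chosen status (prints the table).
list_notifications() {
  OmniQuery.pl -db mdb -e "select status,category,hex(uuid),body from notification where status=$STATUS;"
}

# Delete each UUID read from stdin. With DRY_RUN=1 only print what would run.
clear_notifications() {
  local dry=${DRY_RUN:-0} uuid count=0
  while read -r uuid; do
    [ -n "$uuid" ] || continue
    if [ "$dry" = 1 ]; then
      echo "would run: $(delete_sql "$uuid")"
    else
      OmniQuery.pl -db mdb -e "$(delete_sql "$uuid")"
    fi
    count=$((count + 1))
  done
  echo "processed $count notification(s)"
}

if [ "${1:-}" = "--run" ]; then
  # Keep the full listing (status, category, uuid, body) before touching anything.
  list_notifications | tee /root/notifications-before.txt | extract_uuids | clear_notifications
  list_notifications   # should now return nothing
fi
```

Run it first with DRY_RUN=1 and read the saved listing; the body column tells you whether every row really is the post-upgrade interface warning before anything is deleted.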



show patch history on FMC CLI

SSH to the FMC

expert

cat /etc/sf/patch_history


This is useful for seeing which hotfixes have been applied, as they don't show in the version number in the web interface.