Asymmetric routing issue: traffic is coming back a different way and the ASA doesn't like it. Check the default GW configured on the server.
See
http://www.ccierants.com/2014/06/deny-tcp-no-connection.html
Friday, 31 March 2017
Wednesday, 29 March 2017
characters not allowed in PSK on Cisco ASA
don't use:
?
(space)
!
@
#
"
'
Other vendors have their own issues with some characters; I had another issue on a DrayTek.
configure netflow on cisco router
flow record NETFLOW_RECORD
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow direction
collect interface output
collect counter bytes long
collect counter packets long
!
!
flow exporter NETFLOW_EXPORT_TO_SOLARWINDS
destination x.x.x.x
source GigabitEthernet0/0
transport udp 2055
!
flow monitor NETFLOW_MONITOR
record NETFLOW_RECORD
exporter NETFLOW_EXPORT_TO_SOLARWINDS
cache timeout active 60
cache timeout inactive 15
!
interface gig0/1
ip flow monitor NETFLOW_MONITOR input
ip flow monitor NETFLOW_MONITOR output
!
captures all incoming traffic
route or shortest path
Thursday, 23 March 2017
investigating failover on checkpoint firewall
Check the Tracker; you might have to open the older log file.
Set the origin filter to the two firewalls in question.
Set the filter on the message type column (it has an icon for a log file, wrench, etc.).
Untick everything except Control (wrench) (or search for type:Control).
You can also try searching the information column for ClusterXL
on the CLI
cphaprob state
cphaprob -a if
cphaprob show_failover
I got a reason of FWD PNOTE (so grep the log for this):
grep -i FWD /var/log/messages*
https://community.checkpoint.com/t5/Security-Gateways/Reason-for-Firewall-Failover/td-p/157345
https://support.checkpoint.com/results/sk/sk56202
Wednesday, 22 March 2017
enable netflow on cisco asa
https://supportforums.cisco.com/document/30476/configuring-netflow-asa-asdm
ASDM steps
Device Management > Logging > Netflow
Click Add
Fill in netflow collector server interface and port (usually 2055)
Firewall > Service Policy Rules.
Click Add
Global - applies to all interfaces
Check source and destination IP address (uses ACL)
next
source: any, user: any, destination: any, service: ip, description: netflow
next
Select flow event all, check the send box beside the IP address of the netflow collector
Finish
Apply
CLI config
access-list global_mpc extended permit ip any any
!
flow-export destination inside 192.168.1.13 2055
!
class-map global_class
match access-list global_mpc
!
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class global_class
flow-export event-type all destination 192.168.1.13
enable SNMP on cisco ASA
outside is the interface behind which the SNMP server that will be polling sits. In my case it's coming from outside, but for you it might be inside.
x.x.x.x is the IP address of your SNMP server
snmp-server host outside x.x.x.x community SecretCommunityString version 2c
snmp-server location Dublin
snmp-server contact admin@careface.com
snmp-server community SecretCommunityString
Tuesday, 14 March 2017
Wireshark
First we need to get a specific idea of the problem before we capture any data.
Define the problem
One app, multiple apps, everything?
Slow or totally not working? Any errors?
When did the issue start? Patches installed / updates?
Intermittent or constant? Happens at peak times?
Affects one or multiple people?
Who, what, where, when, and hopefully get to the why and resolution.
Capture close to the source of the data.
If you can, capture at both ends (make sure times are in sync via NTP).
The problem with capturing from Wireshark on the computer is that we are not seeing the data on the wire. WinPcap sits in between the kernel and the NIC driver, so Wireshark gets it before the NIC card. Ideally we want to see the data as it is on the wire. We can use a SPAN port for that.
Analyze -> Expert Info
Broadcast storms are usually something broken, like a malfunctioning NIC that keeps firing out lots of traffic. They can be caused by no STP running and a loop having been created, or by bad configuration, like PIM running instead of PIM sparse mode.
Extract specific packets from a larger capture
You can mark packets with Ctrl + M.
It is easier to use a display filter to get all the packets we want (ip.addr == 192.168.1.100).
Then File -> Export Specified Packets.
We can select captured / displayed / marked from the radio buttons.
Excessive requests and responses.
filter for arp (destination broadcast ff:ff:ff:ff:ff:ff)
find the offending MAC addresses
map it to location on the network
shutdown the port or unplug the device
DNS
place the capture on the host trying to resolve DNS
Follow UDP stream
capture for tcp/udp port 53
Measure response time
expand DNS
find transaction ID
right click apply as filter selected
expand DNS
Response in: 14 (just double click it)
We will see Time: 0.04
Right click -> Apply as Column (right click -> Edit Column to name it DNS TIME)
Capture filters
host 192.168.1.100 and host 192.168.2.200
Display filters
Find the syn packets
tcp.flags.syn == 1
Find dns packets
dns
Find dns packets with a string
dns contains "servername"
Find DNS lookups for a specific URL
dns.qry.name == "www.malware-url.com"
Find DNS queries that didn't return an answer
(!(dns.flags.rcode==0))&&(dns.flags.response==1)
Find by string
Edit > Find Packet. Under "Find By:" select "string" and enter your search string
frame contains "string"
http contains "GET"
(http) and (frame contains "CONNECT")
(http contains CONNECT) or (http contains GET)
Filter by IP
ip.addr==192.168.0.10
(ip.addr==192.168.0.10) or (ip.addr==192.168.0.50)
Filter by MAC
eth.addr == xx:xx:xx:xx:xx:xx
Show arp
arp
arp.duplicate-address-detected
Search the payload for text
frame contains "string"
The TCP len column is useful to see if the packet had data.
We need to send ACKs and get ACKs for packets we sent.
In TCP we don't ACK every packet; we might ACK every other packet.
Checking if a retransmission is the same packet or not:
IP header -> IP ID
Some retransmissions can be normal; lots usually indicate a problem, like we sent a request but never hear anything back, so we retransmit. It can also indicate packet duplication (network loop): check the IP header -> ID.
0.375 = 375 ms
TCP retransmits, doubling the wait each time, and eventually times out:
1 3 6
Expert Info is Wireshark trying to help.
Right click -> Copy -> as a Filter
Coloring rules (add one)
You can add rules to your Wireshark config to look out for things.
Headers
Ethernet (L2) 14 bytes
IPv4 (L3) 20 bytes
In the hex view each line has 16 bytes.
You can count a byte in the hex: b4 a8 (that's 2 bytes).
Standard MTU is usually 1500
Jumbo frame is 9000 (usually used for VMware/SAN)
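The header sizes and DNS steps above can be tied together in code. The following is an added example, not part of the original notes: it walks the 14-byte Ethernet, 20-byte IPv4 and 8-byte UDP headers to reach the DNS payload, renders the frame as 16 bytes per line like the hex pane, pairs queries with responses by transaction ID to get the response time Wireshark shows as dns.time, and flags lookups whose rcode is non-zero, the same thing the display filter (!(dns.flags.rcode==0))&&(dns.flags.response==1) selects. Every frame, address and transaction ID below is constructed by build_frame() for the example; nothing is captured traffic, and the name parser assumes uncompressed names because that is all the constructed frames contain.

```python
"""Added example: Ethernet/IPv4/UDP/DNS parsing and DNS response-time pairing.
All frames are constructed by build_frame(); none are real captures."""
import struct

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8   # header sizes in bytes (IPv4 without options)


def build_frame(txid, qname, response=False, rcode=0):
    """Construct an Ethernet/IPv4/UDP/DNS frame. Checksums stay zero because the
    frame is only parsed here, never sent."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)          # type A, class IN
    flags = (0x8000 | rcode) if response else 0x0100                # QR bit / RD bit
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    sport, dport = (53, 40000) if response else (40000, 53)
    udp = struct.pack("!HHHH", sport, dport, UDP_LEN + len(dns), 0) + dns
    client, server = bytes([192, 168, 1, 100]), bytes([10, 0, 0, 53])  # constructed addresses
    src, dst = (server, client) if response else (client, server)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(udp), 0x1234,
                     0, 64, 17, 0, src, dst) + udp                   # protocol 17 = UDP
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800) + ip  # dst MAC, src MAC, IPv4


def hex_view(frame):
    """Render the frame like the Wireshark hex pane: offset plus 16 bytes per line."""
    return [f"{off:04x}  " + " ".join(f"{b:02x}" for b in frame[off:off + 16])
            for off in range(0, len(frame), 16)]


def header_offsets(frame):
    """Byte offset at which each header starts; the IHL field is read, not assumed."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    return {"ip": ETH_LEN, "udp": ETH_LEN + ihl, "dns": ETH_LEN + ihl + UDP_LEN}


def parse_qname(dns, off):
    """Read an uncompressed DNS name (the constructed frames use no pointers)."""
    labels = []
    while dns[off]:
        n = dns[off]
        labels.append(dns[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def parse_dns(frame):
    """Return the DNS header fields of a frame, or None if it is not IPv4/UDP on port 53."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[ETH_LEN + 9] != 17:
        return None
    offs = header_offsets(frame)
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[offs["udp"]:offs["dns"]])
    if 53 not in (sport, dport):
        return None
    dns = frame[offs["dns"]:offs["udp"] + ulen]
    txid, flags = struct.unpack("!HH", dns[:4])
    return {"txid": txid, "response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qname": parse_qname(dns, 12)}


def dns_response_times(capture):
    """capture: list of (timestamp_seconds, frame). Per transaction ID, return the
    queried name, the response time in seconds (None if never answered) and the rcode."""
    sent, results = {}, {}
    for ts, frame in capture:
        msg = parse_dns(frame)
        if msg is None:
            continue
        if not msg["response"]:
            sent[msg["txid"]] = ts
            results[msg["txid"]] = {"qname": msg["qname"], "time": None, "rcode": None}
        elif msg["txid"] in sent:
            results[msg["txid"]]["time"] = round(ts - sent[msg["txid"]], 3)
            results[msg["txid"]]["rcode"] = msg["rcode"]
    return results


def failed_lookups(results):
    """Transaction IDs whose response carried a non-zero rcode (3 = NXDOMAIN)."""
    return sorted(t for t, r in results.items() if r["rcode"] not in (None, 0))


# Constructed capture: one normal lookup, one NXDOMAIN, one query that is never answered.
CAPTURE = [
    (0.000, build_frame(0x1A2B, "www.example.com")),
    (0.040, build_frame(0x1A2B, "www.example.com", response=True)),
    (0.100, build_frame(0x3C4D, "doesnotexist.example")),
    (0.135, build_frame(0x3C4D, "doesnotexist.example", response=True, rcode=3)),
    (0.200, build_frame(0x5E6F, "unanswered.example")),
]

if __name__ == "__main__":
    for line in hex_view(CAPTURE[0][1]):
        print(line)
    results = dns_response_times(CAPTURE)
    for txid, r in results.items():
        print(f"{txid:#06x} {r['qname']:<24} time={r['time']} rcode={r['rcode']}")
    print("failed:", [f"{t:#06x}" for t in failed_lookups(results)])
```

Unanswered queries show up with time None, which is the case the display filter above cannot catch (there is no response frame to match), so both checks are worth running over a capture.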
Wednesday, 8 March 2017
setup sub interfaces on cisco ASA
This is the physical interface; basically it has no config.
interface GigabitEthernet0/1
speed 1000
duplex full
no nameif
no security-level
no ip address
Sub interface 20 (we use the same number as the VLAN)
interface GigabitEthernet0/1.20
vlan 20
nameif LAN
security-level 100
ip address 10.20.1.1 255.255.255.0 standby 10.20.1.2
Sub interface 25
interface GigabitEthernet0/1.25
vlan 25
nameif DMZ
security-level 50
ip address 10.25.8.1 255.255.255.0 standby 10.25.8.2
!
Create and apply some basic ACLs
access-list LAN extended deny ip any any log
access-list LAN line 1 extended permit icmp any any log
access-group LAN in interface LAN
access-list DMZ extended deny ip any any log
access-list DMZ line 1 extended permit icmp any any log
access-group DMZ in interface DMZ
We need to attach a trunk port to Gig0/1. It must carry the VLANs 20 and 25. This config will be done on the switch.
Tuesday, 7 March 2017
tracing latency with wireshark
Run your capture, run your test.
Open the capture, click on a packet.
Right click on TCP in the bottom pane
-> Protocol Preferences -> Calculate conversation timestamps
Timestamps appear under TCP.
Right click -> Apply as Column
Sort with the highest number on top. The value is in seconds: 1.0 is one second,
0.02 is 20 ms.
FIN ACKs can be ignored as they are just closing connections.
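The conversation-timestamp column above, and the earlier note on telling a real retransmission from a duplicated packet by the IP ID, can both be reproduced outside Wireshark. The following is an added example, not code from the original notes: it computes the time since the previous frame in the same TCP conversation (what Wireshark exposes as tcp.time_delta), ranks the slowest frames with FIN/ACKs left out, and classifies repeated data segments as a retransmission (new IP ID) or a duplicate of the same packet (same IP ID, as seen with a loop). The Packet records, addresses and timings are constructed for the example; a real run would fill them from a pcap parser.

```python
"""Added example: TCP conversation time deltas and retransmission classification.
The PACKETS list is constructed by hand for the example, not a real capture."""
from dataclasses import dataclass


@dataclass
class Packet:
    no: int          # frame number
    time: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int       # IPv4 header identification field
    seq: int         # TCP sequence number (relative)
    flags: str       # e.g. "SYN", "ACK", "PSH,ACK", "FIN,ACK"
    length: int      # TCP payload length (the "TCP len" column)


def conversation_key(p):
    """Sort the two endpoints so both directions map to the same conversation."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def conversation_deltas(packets):
    """Seconds since the previous frame in the same TCP conversation, per frame number."""
    last, deltas = {}, {}
    for p in sorted(packets, key=lambda q: q.time):
        key = conversation_key(p)
        deltas[p.no] = round(p.time - last[key], 3) if key in last else 0.0
        last[key] = p.time
    return deltas


def slowest(packets, n=3, ignore_fin=True):
    """Frames with the largest conversation delta, highest first. FIN/ACKs are
    dropped by default because they only close the connection."""
    deltas = conversation_deltas(packets)
    cands = [p for p in packets if not (ignore_fin and "FIN" in p.flags)]
    ranked = sorted(cands, key=lambda q: -deltas[q.no])[:n]
    return [(p.no, deltas[p.no]) for p in ranked]


def classify_retransmissions(packets):
    """A data segment repeating an already-seen (src, sport, dst, dport, seq) is a
    genuine retransmission when the sender built a new IP packet (new IP ID) and a
    duplicate of the same packet when the IP ID matches (loop or double SPAN copy)."""
    seen, verdicts = {}, {}
    for p in sorted(packets, key=lambda q: q.time):
        if p.length == 0:
            continue                      # pure ACKs carry no data to retransmit
        key = (p.src, p.sport, p.dst, p.dport, p.seq)
        if key in seen:
            verdicts[p.no] = "duplicate" if p.ip_id == seen[key] else "retransmission"
        else:
            seen[key] = p.ip_id
    return verdicts


# Constructed capture: handshake, a request that is duplicated by a loop (same IP ID),
# then genuinely retransmitted 375 ms later (new IP ID), a slow response, and teardown.
PACKETS = [
    Packet(1, 0.000, "10.0.0.5", "10.0.0.80", 51000, 80, 100, 0, "SYN", 0),
    Packet(2, 0.020, "10.0.0.80", "10.0.0.5", 80, 51000, 500, 0, "SYN,ACK", 0),
    Packet(3, 0.021, "10.0.0.5", "10.0.0.80", 51000, 80, 101, 1, "ACK", 0),
    Packet(4, 0.025, "10.0.0.5", "10.0.0.80", 51000, 80, 102, 1, "PSH,ACK", 120),
    Packet(5, 0.025, "10.0.0.5", "10.0.0.80", 51000, 80, 102, 1, "PSH,ACK", 120),
    Packet(6, 0.400, "10.0.0.5", "10.0.0.80", 51000, 80, 103, 1, "PSH,ACK", 120),
    Packet(7, 1.400, "10.0.0.80", "10.0.0.5", 80, 51000, 501, 1, "PSH,ACK", 800),
    Packet(8, 3.400, "10.0.0.5", "10.0.0.80", 51000, 80, 104, 121, "FIN,ACK", 0),
    Packet(9, 3.401, "10.0.0.80", "10.0.0.5", 80, 51000, 502, 801, "FIN,ACK", 0),
]

if __name__ == "__main__":
    print("slowest (FIN ignored):", slowest(PACKETS))
    print("slowest (all):        ", slowest(PACKETS, ignore_fin=False))
    print("retransmissions:      ", classify_retransmissions(PACKETS))
```

With the FIN/ACKs left in, the teardown frame tops the list with a 2 s delta, which is exactly the misleading result the note above says to ignore; with them filtered out the 1 s server response is the real latency.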
Monday, 6 March 2017
cisco asa vpn keep alives cli
sh run all tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
Found in ASDM under
Configuration -> Site-to-Site VPN -> select peer -> Edit -> Advanced -> Tunnel Group