Archive for April, 2010

PIX concurrent source IP addresses limit

April 30, 2010 1 comment

One of my branch offices uses a Cisco PIX 501 to create a site-to-site VPN with the main office. This branch is a DR site that runs a Domain Controller, a file server and 10 Windows XP clients.

During my last visit to this site (which no one ever uses) I noticed that one of the PCs could not access the internet. After a quick review of the connection I found that all the local resources were accessible: I could access shares, use RDP or PCAnywhere to\from local machines and print to the network printer.

My Documents redirection failed, as the files are (still, I’m in a rebuilding process) in the main office.
I also noticed that PCAnywhere or RDP to\from the main office to this machine failed, while other machines within this remote branch had no issues.

When I tried to access remote shares in the main office, browsing failed.

Internet connectivity was down too. I tried both IE and Firefox but neither could connect. Testing against a local web page worked, and other machines connected to any web site easily. I verified that no proxy was configured in IE or Firefox, so this was not the issue.

One of the things that blew my mind was the TCP/IP and RPC troubleshooting results:

  • Both ping and tracert worked both ways to\from the main office.
  • DNS had no issues; I could resolve both Internet addresses and main office names on the faulty machine.
  • Using the gpresult command I verified that domain-related features like Group Policy did apply to the local machine.

This machine, like all PCs in the site, uses DHCP. I verified the configuration using ipconfig /all, but I knew it was identical since they all use the same DHCP server.

I have to admit that I did not suspect the firewall right away because ping did work but at this point I had nothing else to check and no one else to blame so I started poking around the PIX configuration and documentation. It took me a while but eventually I found the piece of information that solved the mystery:

The Cisco PIX 501 10-user license supports up to 10 concurrent source IP addresses from your internal network to traverse through the Cisco PIX 501

Doh! so simple, so obvious and yet I didn’t even think about this option…

The next step, confirming that this was the real issue, was easy. I used the show local-host command, which shows all active connections:

show local-host
Interface inside: 10 active, 12 maximum active, 3967 denied
local host: <>,
TCP connection count/limit = 1/unlimited
TCP embryonic count = 0
TCP intercept watermark = unlimited
UDP connection count/limit = 0/unlimited
TCP out in idle 0:00:48 Bytes 288161 flags UIO

The complete output shows the same details for ten different internal IPs. The PC that could not connect to the internet was not on the list. It exceeded the limit and was denied.

The command show time xlate provided the other part of the answer; it shows the timeout settings:

timeout xlate 0:05:00

I used the clear local-host command to reset the PIX local-host table and was immediately able to browse from my machine. Problem solved (kind of).
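The three commands above are a manual check. The script below is an example added here (not code from the original post and not a Cisco tool) that runs the same check over a saved copy of show local-host output: it compares the active-host count in the header with the license limit, reports the denied counter, and estimates which hosts will free a slot first. The sample output is constructed to follow the layout quoted above; the IP addresses and ports are made up, only three of the ten host blocks are reproduced, and the assumption that a slot is released once the host's newest flow has been idle for the xlate timeout is mine.

```python
"""Flag a PIX 501 concurrent-host license limit from 'show local-host' output.

Added example for the post above; not from the original page and not Cisco code.
SAMPLE_OUTPUT is constructed to follow the layout quoted in the post (header
line and per-host fields); addresses, ports and the slot-release rule are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the header says 10 hosts are active (the whole 10-user
# license) and 3967 attempts were denied; only three host blocks are reproduced.
SAMPLE_OUTPUT = """\
Interface inside: 10 active, 12 maximum active, 3967 denied
local host: <192.168.10.21>,
    TCP connection count/limit = 1/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
  TCP out 203.0.113.10:80 in 192.168.10.21:1034 idle 0:00:48 Bytes 288161 flags UIO
local host: <192.168.10.22>,
    TCP connection count/limit = 0/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 1/unlimited
  UDP out 203.0.113.53:53 in 192.168.10.22:1200 idle 0:04:31 flags -
local host: <192.168.10.23>,
    TCP connection count/limit = 2/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 0/unlimited
  TCP out 203.0.113.10:443 in 192.168.10.23:1101 idle 0:02:10 Bytes 40211 flags UIO
  TCP out 203.0.113.11:80 in 192.168.10.23:1102 idle 0:00:05 Bytes 1024 flags UIO
"""

HEADER_RE = re.compile(r"Interface (\S+): (\d+) active, (\d+) maximum active, (\d+) denied")
HOST_RE = re.compile(r"local host: <([\d.]+)>")
IDLE_RE = re.compile(r"\bidle (\d+):(\d{2}):(\d{2})")


@dataclass
class HostEntry:
    ip: str
    min_idle: Optional[int] = None  # idle seconds of the host's most recent flow


def to_seconds(hms: str) -> int:
    """Convert a PIX h:mm:ss timer such as '0:05:00' to seconds."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_local_host(text: str) -> Tuple[Dict[str, Any], List[HostEntry]]:
    """Return the interface summary and one entry per 'local host:' block."""
    summary: Dict[str, Any] = {}
    hosts: List[HostEntry] = []
    current: Optional[HostEntry] = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            summary = {"interface": m.group(1), "active": int(m.group(2)),
                       "max_active": int(m.group(3)), "denied": int(m.group(4))}
            continue
        m = HOST_RE.search(line)
        if m:
            current = HostEntry(m.group(1))
            hosts.append(current)
            continue
        m = IDLE_RE.search(line)
        if m and current is not None:
            idle = to_seconds(":".join(m.groups()))
            # The youngest flow keeps the host's slot alive, so track the minimum.
            current.min_idle = idle if current.min_idle is None else min(current.min_idle, idle)
    return summary, hosts


def assess(text: str, license_limit: int = 10, xlate_timeout: str = "0:05:00") -> Dict[str, Any]:
    """Compare active hosts with the license limit and estimate when slots free up.

    Assumption (mine, following the post): a host's slot is released once its
    newest flow has been idle for the xlate timeout, so the seconds until a slot
    frees is timeout minus the host's smallest idle value.
    """
    summary, hosts = parse_local_host(text)
    if not summary:
        raise ValueError("no 'Interface ... active' header found in output")
    timeout = to_seconds(xlate_timeout)
    expiring = sorted(
        ((h.ip, max(timeout - h.min_idle, 0)) for h in hosts if h.min_idle is not None),
        key=lambda t: t[1],
    )
    return {
        "interface": summary["interface"],
        "active": summary["active"],
        "license_limit": license_limit,
        "at_limit": summary["active"] >= license_limit,
        "denied": summary["denied"],
        "hosts_parsed": len(hosts),
        "next_to_expire": expiring,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_OUTPUT)
    status = "AT LIMIT" if report["at_limit"] else "ok"
    print(f"{report['interface']}: {report['active']}/{report['license_limit']} hosts ({status}), "
          f"{report['denied']} denied")
    for ip, secs in report["next_to_expire"]:
        print(f"  {ip} frees its slot in ~{secs}s unless it sends traffic")
```

Paste the real command output into a file and pass its contents to assess(); a non-zero and growing denied counter together with active equal to the license limit is the signature of this problem, and the per-host idle times tell you whether waiting out the xlate timeout will help or whether a clear local-host is needed.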

The reason I did not notice this problem in the past is that no one uses this office. An empty office with a few PCs that hardly communicate with the main office and never use the web never raised an alarm. Being there and checking all the PCs (login, updates, etc.) created traffic that never went idle, which triggered the issue.

Lesson #1 – When you support a low-cost DR site, make sure you buy the right equipment. To cut costs we reused an old (very old) PIX that was sitting unused; what we saw as a great deal turned out to be a problem.

Lesson #2 – Make sure you visit your DR sites and test them. Try to simulate the real activity that your DR situation requires and see if everything functions as expected.

642-832 TSHOOT – Now available

April 29, 2010 Leave a comment

As the end of life for the old CCNP track is getting closer, 93 days left before ISCW and ONT exams retire, the last piece of the new track is now available.
If you didn’t hear about the changes you can get all the details here.

TSHOOT, exam number 642-832, is now out of beta and available at any VUE center.
You can now take the Troubleshooting and Maintaining Cisco IP Networks exam (which practically replaces the ISCW and ONT exams) and complete your CCNP certification by taking only three exams.

You can find the most updated blueprint here and if you do not have a Cisco login you can download the pdf version. If you started your studies based on the beta blueprint check the changes comparison page. I did not see any difference but if I missed it let us all know.

How to find Windows install date

April 27, 2010 Leave a comment

I had an argument with one of my colleagues about one of the servers.
The matter in question: When was server X installed?

To get a quick answer we used Systeminfo.exe, a forgotten command-line tool that is already installed on Win XP and 2003\2008 Servers. This is the command and output:

To get the same result on Windows 2000 server use the remote option from XP or 2003\2008 servers:

c:\>systeminfo /S <ipaddress> /U domain\username /P password | find /i "install date"

The result on our only Windows 2000 server was:

Original Install Date:     3/15/2004, 16:08:36

OFF TOPIC – CAT5 trash

April 27, 2010 1 comment

Kasey McMahon cleaned her networking closet and found an interesting use for her CAT5 leftovers…

ONT – PASS! CCNP Completed!!!

April 26, 2010 14 comments

Yes. The day has come and I’m so relieved. I’ve completed my ONT exam an hour ago and achieved my goal to become CCNP.

This time I had some bad karma leading up to exam day. It started with an unbelievable ear pressure pain over the weekend which made me miserable, and continued into this morning when I walked into my cubicle to discover a BSoD on a Domain Controller. Scheduled for an 11am exam, I had a few hours to fix and monitor the server, but being the only IT guy around here it made me nervous when I had to step out of the office.

Due to the rain and the problem I also skipped my traditional pre-exam coffee, and when I called my wife a few minutes before the exam I told her that I had a really bad feeling. The last thing that made me nervous was Aaron's repeated scares about the wireless part of the exam. I did not know what to expect, as he had warned me about the wireless commands…

Back to the point. The exam was easy, the easiest of all 4. It had trivial questions that checked your study notes and memory but did not challenge your understanding. Since the labs did not require any configuration, the scenarios were limited and not complex. It is true what they say: leave ONT to the end because it is the easiest of them all (and I now know why Cisco removed it from the CCNP track).

I’m taking a few days off to relax and prepare for my 42 mile ride this weekend.

I want to thank all of you for your support during the last few months; your comments and personal emails pushed me forward and helped me get to this point!

Dilbert on wireless network

April 24, 2010 Leave a comment

Semi OFF-TOPIC, but within the ONT exam topics. Dilbert on building a wireless network:

Now the exam looks much easier 😀


April 23, 2010 2 comments

I mentioned both WLSE and WCS in my ONT – Wireless introduction post, but I spent some time reading and running a demo lab (to be exact – playing with the screens on a production environment) and feel they deserve a more detailed post. I do not know how much emphasis the exam puts on either topic, but if anyone plans on CCNP Wireless or even CCNA Wireless, this post will come in handy.

WLSE, Wireless LAN Solution Engine, works with autonomous WAPs. It provides centralized configuration and reporting capabilities, which make the network “self-handling”, and supports up to 2500 Access Points. These are some of the features included in WLSE:

  • Reduces deployment and operating expenses
  • Simplifies daily operation and management of autonomous Cisco Aironet WLANs
  • Enhances network security:
    Detects, locates, and mitigates rogue access points and unauthorized ad-hoc networks
    Ensures consistent application of security policies
  • Improves WLAN performance and availability:
    Detects RF interference
    Optimizes radio coverage and settings
    Monitors performance and faults
  • Saves time and resources:
    Automating the configuration of Cisco Aironet access points and bridges
    Assisted site survey to determine optimal antenna selection and access point settings such as transmit power and channel selection

How does the fancy Cisco wording translate into action? WLSE provides the following capabilities:

  • When an AP failure is detected, WLSE can automatically increase the power and coverage of other APs in the area. This reduces the possible outage to a minimum.
  • Auto shutdown of rogue APs, though it can dangerously affect availability, provides a powerful automatic security mechanism.
  • Centralized management capabilities are essential in the modern network.
    Centralized management also allows auto-configuration of new APs, firmware upgrades and radio management.

WCS, Wireless Control System, works with lightweight WAPs.
These are the main features of WCS:

  • Significantly reduces operational costs with built-in tools, guides, and templates
  • Improves IT efficiency through an intuitive GUI and flexible ease of use
  • Minimizes IT staffing requirements through centralized operational control
  • Easily scales to meet the needs of wireless LANs across locations

How does the fancy Cisco wording translate into action? WCS provides the following:

  • The software can run on Windows or Red Hat servers
  • Uses SNMP to communicate with the controllers
  • Provides centralized management for Lightweight APs
  • Tracks up to 1500 devices when integrated with the Location Appliance (configured via the Location menu option on the WCS management screen)
  • On-demand location of rogue APs – up to 10 meters range
  • Uses four QoS level profiles: Platinum, Gold, Silver, Bronze

This is a good (56 min long) instructional video on WCS:

If you survived this long post, check this (short) funny Cisco instructional video: