Use the following command:
icmp deny any outside
Google Links
-
Recent Posts
Archives
Categories
Blogroll
Meta
Google Ads
How to stop a Cisco ASA from replying to ICMP traffic from outside
Monday, August 22, 2011
Oracle eBiz error PA_TT_INV_MTH_FLAG_INVALID_AMG
Wednesday, May 18, 2011
If you get the Oracle error PA_TT_INV_MTH_FLAG_INVALID_AMG check sysadmin and the requested responsibility.
Problem With Bonding and Packet Loss on Red Hat Enterprise Linux 3
Tuesday, March 1, 2011
We moved a blade server running Red Hat Enterprise Linux 3 from one enclosure to another. The old enclosure had Nortel switches, the new enclosure had Cisco switches. After moving the server we noticed connectivity problems. Looking at the switches it appeared that the server’s MAC address was moving between the different switches. There were no errors on any of the interfaces. The server was configured for bonding with active-backup (mode 1). The relevant entries in /etc/ modules.conf read:
alias bond0 bonding mode=1 miimon=100 primary=eth0
Checking /proc/net/bonding/bond0 showed that it was actually using round robin mode (and that there had note been any link failures):
Bonding Mode: load balancing (round-robin)
In the end it seems to have been an issue with the entry in /etc/modules.conf. We changed it to:
alias bond0 bonding
options bond0 mode=1 miimon=100 primary=eth0
then restarted and that seems to have fixed the problem:
$ grep "Bonding Mode:" bond0
Bonding Mode: fault-tolerance (active-backup)
I’m not sure why it used to work fine before.
I also came across this http://www.experts-exchange.com/Networking/Linux_Networking/Q_24599062.html (hint to read this link, search for the URL in Google). It seems that the guy posting here had similar syntax and the same problem. If someone has access to Experts Exchange perhaps they can earn themselves some points by answering the question.
Slow Upload Performance
Wednesday, January 19, 2011
We were having issues where some PCs had slow upload performance over the WAN. The WAN link was a E3 (34Mbps) with round trip latency of around 50ms and was not congested. When uploading to SharePoint, some PCs would upload at between 150 and 250 KBps. Otherwise identical PCs would upload at over 1MBps. The PCs were running the same physical hardware, the same Operating Systems (Windows XP, although we later reproduced the issue with Windows 7), the same patches and the same drivers. We also confirmed that they had the same TCP settings in HKLM\SYSTEM\CurrentControlSet\Services\TCPIP.
A comparison of packet captures was interesting. The graphic below shows two uploads.
Comparison of two TCP flows
The one on the left is of a slow upload between host “Client” and the SharePoint server “Server”. The one on the right is of a fast upload between host “Client2″ and the SharePoint server “Server”. Both are actually Flow Graphs from Wireshark. Notice that the one on the left pauses after 60ms (0.060 seconds) and waits for an ACK from Server. However, the one on the right continues on. Yet the TCP Window sizes are identical in both flows.
In the end we discovered another parameter in Windows. AFD.SYS is used to support Windows sockets applications. Registry parameters for ADF.SYS are found in HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters. The one that’s relevant is DefaultSendWindow. On the slow machines this parameter was not set and so used the default (decimal 8192 it seems). On the fast PC this was set to decimal 64512 (hex fc00).
Changing this value on the PCs with slow upload speed and then rebooting seems to have fixed the problem.
For more information on this parameter see Network: The relationship between TCPWindowSize and DefaultReceiveWindow.
So, why was this value different between PCs. It seems that when you install the Citrix MetaFrame Client the installer automatically increases this value. The fast PCs all had the MetaFrame Client installed.
Flexible NetFlow through an IPSec VPN Tunnel
Monday, August 9, 2010
As of IOS 12.4(20)T Cisco routers can send NetFlow data through an IPSec VPN tunnel. The flow exporter just needs to be configured with the output-features option. According to Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters this option “Enables sending export packets using QoS and encryption”.
For example:
flow exporter NFSVR
destination 10.1.1.1
source Vlan1
output-features
transport udp 9996
!
!
flow monitor flow-monitor
record netflow-original
exporter NFSVR
cache timeout active 1
However, although the output-features command appears to be available on earlier versions of IOS, it doesn’t seem to have been implemented. You can type the command without error, but it never makes it into the config. So, if you’re trying to get this working, and it’s not, I suggest checking your IOS version.
Poor Voice Quality, Inbound Calls Work, Outbound Calls Don’t on BRI
Monday, August 9, 2010
I had an issue the other day when we replaced an ISDN PRI interface with a BRI. I reconfigured the voice gateway and had inbound calls working – albeit a fair bit of static. However, I could not get outbound calls to go via the BRI interface. I had debugging on for isdn q931 and voip ccapi inout and was seeing entries similar to:
Aug 5 07:51:08.643: ISDN BR0/1/0 Q931: RX <- RELEASE_COMP pd = 8 callref = 0x84
Cause i = 0x82E404 - Invalid information element contents
Aug 5 07:51:08.643: //21/8043BD33BC09/CCAPI/cc_api_call_disconnected:
Cause Value=100, Interface=0x4900DFC0, Call Id=21
Aug 5 07:51:08.643: //21/8043BD33BC09/CCAPI/cc_api_call_disconnected:
Call Entry(Responsed=TRUE, Cause Value=100, Retry Count=0)
Aug 5 07:51:08.643: //20/xxxxxxxxxxxx/CCAPI/ccCallReleaseResources:
release reserved xcoding resource.
Aug 5 07:51:08.647: //21/8043BD33BC09/CCAPI/ccCallSetAAA_Accounting:
Accounting=0, Call Id=21
Aug 5 07:51:08.647: //21/8043BD33BC09/CCAPI/ccCallDisconnect:
Cause Value=100, Tag=0x0, Call Entry(Previous Disconnect Cause=0, Disconnect Cause=100)
Aug 5 07:51:08.647: //21/8043BD33BC09/CCAPI/ccCallDisconnect:
Cause Value=100, Call Entry(Responsed=TRUE, Cause Value=100)
Aug 5 07:51:08.647: //21/8043BD33BC09/CCAPI/cc_api_get_transfer_info:
Transfer Number Is Null
Aug 5 07:51:08.647: //21/8043BD33BC09/CCAPI/cc_api_call_disconnect_done:
Disposition=0, Interface=0x4900DFC0, Tag=0x0, Call Id=21,
Call Entry(Disconnect Cause=100, Voice Class Cause Code=0, Retry Count=0)
Aug 5 07:51:08.647: //21/8043BD33BC09/CCAPI/cc_api_call_disconnect_done:
Call Disconnect Event Sent
Aug 5 07:51:08.647: //-1/xxxxxxxxxxxx/CCAPI/cc_free_feature_vsa:
In the end it turns out I was missing the configuration command compand-type a-law
voice-port 0/1/0
translation-profile incoming pstn-incoming
translation-profile outgoing pstn-outgoing
compand-type a-law
cptone AU
Note this is for a router in Australia – other countries might be different.
Different MTU Settings on a Cisco 877 Router
Tuesday, April 20, 2010
I have a remote site on an ADSL connection using a Cisco 877 router. There’s an IPSec VPN back to my location. They connection speed is very good:
Download Speed (kbps): 23410
Upload Speed (kbps): 1017
The ADSL router was configured with pretty typical MTU and MSS settings (probably copied off the Internet):
interface Vlan1
ip mtu 1452
ip flow ingress
ip tcp adjust-mss 1452
interface Dialer0
ip mtu 1452The remote site has a VMware ESXi server. I couldn’t remotely connect to the ESXi server using the vSphere client. I could connect using ssh. However, if I tried running any command with a reasonable size output (e.g. ps) the session would hang and then time out. I could connect to a remote server using RDP, but it was very slow to connect (once connected the RDP session was fine).
I had no problems connecting to the ESXi server from the VMware session.
I tried running an FTP on the remote server and copying a file to my location with the following result:
ftp: 149504 bytes sent in 28.89Seconds 5.17Kbytes/sec.
That’s pretty slow for a connection with almost 1Mbps upload speed.
So, I started playing around with MTU and MSS (in the following tests MSS was either set to the same value as MTU or 40 bytes less):
mtu 1200
ftp: 149504 bytes sent in 1.58Seconds 94.74Kbytes/sec.
mtu 1300
ftp: 149504 bytes sent in 2.84Seconds 52.62Kbytes/sec.
I finally settled on the following:
interface Vlan1
ip mtu 1242
ip flow ingress
ip tcp adjust-mss 1200
interface Dialer0
ip mtu 145294Kbytes/sec is pretty reasonable for a 1Mb link with round trip latency of around 83ms.
Then I started wondering if my ACL was blocking Path MTU Discovery. So, I added the following to the inbound ACL on the 877 (as per http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml) and changed the MTU values back to original:
permit icmp any any unreachable
permit icmp any any time-exceededHowever, there were no hits and it didn’t seem to help at all:
ftp: 149504 bytes sent in 28.73Seconds 5.20Kbytes/sec.
Then after reading a bit more I wondered what would happen if I took all the MTU and MSS settings off:
ftp: 149504 bytes sent in 3.05Seconds 49.08Kbytes/sec.
Hmm. Much better than the original settings, although not as good as MTU 1200. Perhaps the link might be under a bit of load, let’s try again:
ftp: 149504 bytes sent in 1.52Seconds 98.68Kbytes/sec.
And a third time:
ftp: 149504 bytes sent in 1.52Seconds 98.68Kbytes/sec.
So I tried a fourth and fifth time (both had the same result):
ftp: 149504 bytes sent in 1.50Seconds 99.67Kbytes/sec.
So, I thought, maybe the router or computer is remembering the session and MTU (if it’s doing MTU discovery). So I disconnected the FTP sessions and reconnected:
ftp: 149504 bytes sent in 1.50Seconds 99.74Kbytes/sec.
Amazing. So the tip? Perhaps the best way to handle MTU is to not worry about it.
Sun boot error: The file just loaded does not appear to be executable
Wednesday, April 14, 2010
When you try to boot a Sun SPARC based machine from CDROM you get the error “The file just loaded does not appear to be executable”:
ok boot cdrom
Resetting ...
Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 333MHz), No Keyboard
OpenBoot 3.19, 384 MB (50 ns) memory installed, Serial #12345678.
Ethernet address 8:0:20:11:22:33, Host ID: 80112233.
Rebooting with command: boot cdrom
Boot device: /pci@1f,0/pci@1,1/ide@3/cdrom@1,0:f File and args: -F cprboot
Boot load failed.
The file just loaded does not appear to be executable.
Boot device: disk File and args: -F cprboot
Boot load failed.
The file just loaded does not appear to be executable.
okYou may also get this error if you’re attempting to boot from a new disk. You are, however, able to boot from CD in single user mode (boot cdrom -s).
Notice that File and args contains “-F cprboot”. This parameter is inserted in the Boot PROM if the machine was suspended. The parameter is used to restore the running OS from the state file saved to the hard disk at the time the system was suspended. Obviously neither the CD nor a new hard disk will contain the state file.
You can see this parameter in the Boot PROM:
ok printenv boot-file
boot-file = -F cprbootTo remove this parameter use the following command at the ok prompt:
set-default boot-file
Hopefully the system will now boot successfully:
ok boot cdrom
Boot device: /pci@1f,0/pci@1,1/ide@3/cdrom@1,0:f File and args:
SunOS Release 5.6 Version Generic_105181-05 [UNIX(R) System V Release 4.0]
Copyright (c) 1983-1997, Sun Microsystems, Inc.
Configuring devices...
fd0: unformatted diskette or no diskette in the drive
fd0: unformatted diskette or no diskette in the drive
fd0: unformatted diskette or no diskette in the drive
The system is coming up. Please wait.
....How to do a Stop-A on a PS/2 Keyboard with a Sun Interface Converter
Thursday, April 8, 2010
If you’re using a PS/2 keyboard on an older model Sun with a Sun Interface Converter (part number 730-2068-01) you might be wondering where the Stop key is. Use the Break key instead. For example, Break+A instead of Stop+A.
MRTG error: log file was corrupt or not in sorted order
Thursday, January 21, 2010
You create an MRTG config file to poll for CPU load on a device. When you run mrtg you get errors similar to that below:
Rateup ERROR: /usr/bin/rateup found server.cpu's log file was corrupt
or not in sorted order:
time: 1263993300.Rateup WARNING: /usr/bin/rateup The backup log file for server.cpu was invalid as well
WARNING: rateup died from Signal 0
with Exit Value 1 when doing router 'server.cpu'
Signal was 0, Returncode was 1This may be because you have only specified one MIB value. MRTG assumes there will be two values (e.g. Tx and Rx). You can get around this problem by specifying the same value twice. MRTG will then superimpose one on the other. For example:
Target[server.cpu]: .1.3.6.1.4.1.9.9.109.1.1.1.1.5.1&.1.3.6.1.4.1.9.9.109.1.1.1.1.5.1:public@192.168.100.1:
For more information see this link.