I decided to split up the links on this site into Tech Links and Other. Tech Links will be filled with sites that I use on a regular basis, or sites that I recommend to others. For example, I use Wireshark on many an occasion to troubleshoot client-server software and analyze IP traffic patterns. I use Cisco devices on an almost daily basis. And Gizmodo is just a cool site for new tech info and devices.
I had a fairly strange issue recently involving an ASA5510, an IPSEC tunnel, and a client-server application. The setup is this: ASA5510 firewall configured with an IPSEC tunnel to a far-end Cisco VPN Concentrator. Behind the firewall at the far end sits a web server. Behind the firewall at the near end is a Windows server running a software program.
The software opens a socket on the Windows server and initiates a TCP connection to the far-side web server on port 80. Then it sends a GET xxxxx command, reads the returned data, and terminates the connection.
What was happening was that at times the software would fail and kick out a bunch of Winsock errors. I couldn’t troubleshoot the far-end web server, as it belongs to a different company. Even though I had the source code for the Windows application, I didn’t have permission to make changes to do any debugging. So I did the only thing I could and started sniffing packets. I used the “capture” command on the ASA to monitor the TCP traffic entering and exiting the tunnel. I used a laptop, Wireshark, and a “monitor” port on a Cisco Catalyst outside the ASA to monitor the IPSEC traffic across the tunnel. I also wrote a quick test program in C to open a socket, connect to the web server, and wait for a while to see the unexpected disconnect.
Upon inspection of the traffic, I saw that the Windows server and the web server were connecting, but then after a few seconds the web server would send a FIN packet to the Windows server. The Windows application would then send its GET command, but the web server had already dropped the connection, and a TCP RST packet would be generated back to the Windows server.
What I found out was that when my test program initiated the connection, I was able to see the 3-way handshake (SYN, SYN-ACK, ACK) on the ASA, but I never saw the traffic outside the ASA on the tunnel. Yet something was answering and establishing a connection. The ASA somehow was hijacking the session and connecting to the Windows server and not passing the packets on to the web server like I expected it to.
After a lot of research and testing, I ended up isolating the problem to a CSC module installed in the ASA. The module had been installed since the original turn-up of the ASA. We’d had some issues in the past with it and hadn’t renewed the TrendMicro licensing, so I’d logged into it a long time ago and disabled all the scanning. However, I’d never adjusted the service policies to stop sending traffic through the CSC.
Anyway, I changed the policy on the outside interface to remove the directive to send the traffic to the CSC, and the issue was immediately resolved.
What I found out was that when I ran the test program with the CSC directive removed, I was able to see the connection outside the ASA at the same time as I saw it on the inside. The connection established and held for several minutes without dropping. I turned the CSC back on, and the connections started getting terminated again.
I’ve yet to figure out why the CSC was behaving this way. The whole setup had worked fine for a couple months, and nothing had changed on the ASA or CSC config. Yet that’s definitely where the problem was coming from.
If you happen to read this and have any info on what could cause this, please let me know.
Dave Lalande at 2 Peas Consulting recently made CNBC news with this article about their new DWDNS product. Give it a quick read, then come back to my comments.
I’ve been in the business a long time. By business, I mean the Internet, and a long time – well, when I started working for the first ISP in my area, we were on Supra 9600 modems and everything was still character-based. WAIS, Gopher, Archie, Telnet, FTP, IRC…. no WWW, no pictures, no GUI. Because I’ve been around this stuff a long time, I’ve gotten to see it evolve. Back then to register a domain you filled out a text form and emailed it to InterNIC. If you were smart/lucky enough to not screw up the form, they’d eventually respond in days or weeks, depending on the load, to let you know your domain was accepted. It might be another couple of days for it to hit the root servers and actually work. But, on the plus side, it was free.
At some point, and I don’t remember years very well, they started charging for domains. I think the first charge was $100 for 2 years, $50 per year after that. It was worth it, because the influx of money greatly improved response times and such. Remember, before that it was a free service by a government agency.
Now I can buy a domain from lots of different places and have it up and running within hours, if not minutes. Prices are low, lots of tools are provided – life is good. Or at least it was. Now the issue is that so many domains are registered and either in use or being held by squatters that all the nice, simple, memorable ones are used up. People are having to resort to longer and longer domain names to find something unique and unused.
Dave has a suggestion, and that’s his DWDNS project. He wants to offer you a new domain name with any 3-letter domain as the TLD (right-most part), except for TLD’s already in use, such as .net, .org, .com, .biz, etc… Including numbers, this is somewhere upwards of 46000 new TLD’s. Here are the “benefits”:
1) Trademarked names are protected. Supposedly trademarked names are pre-determined and allocated ahead of time to their respective trademark owners so that no one else can register them and “hold them ransom”, so to speak. Yes, that does happen at times – a squatter picks up a cool domain and holds it, hoping someone will want it someday and be willing to pay for it. If you had thought about myspace.com before anyone else did, you could have registered it and held onto it. Eventually, when they created Myspace, they would have had to buy that domain to get it from you. However, if they trademarked Myspace first, and then you squatted on a domain using their trademark, they’d just sue to get it released.
Along with this is the problem of when a new TLD is released. I might have ford.com and ford.net, but when .biz is released I need to snatch it before someone else. Then .org, snatch it as well. Then .name, .info, etc… But nothing about DWDNS will fix that. 2peasconsult.ing is going to still want to register all the 2peasconsulting.net, .com, .biz, etc… to protect their trademark.
2) does not operate under a set number of top level domains (TLDs) – Sure it does. There are just 46000+ of them. You’re counting on the name of the company to make enough sense and be memorable enough that there is no doubt as to the last 3 characters of the domain name. Is it 2peasconsult.ing, 2peasconsulta.nts, 2peasconsulting.llc? Better register all the possibilities to make sure you get all the requests.
3) Infinitely more possibilities – not truly infinite, but yeah, lots more. Lots.
However, this idea isn’t unique. I found UnifiedRoot, a company which does essentially the same thing as DWDNS, except they allow ANY TLD, not just 3-character ones. Also, ICANN, the Internet Corporation for Assigned Names and Numbers, which actually regulates the real TLDs, has been discussing since mid-2008 opening up to ANY TLD.
The DWDNS and the UnifiedRoot system are ideas that are kinda neat, but both rely on browser plugins to work, as they aren’t REALLY part of the ICANN TLD and root server system. I can register virtad.ept and load up the browser plugin, and it will work. But no one else will be able to access www.virtad.ept unless they load the plugin as well. The only way for them to really catch on is if everyone uses them, and ICANN will implement their unrestricted TLDs way before that happens.
Finally, I took the time to put this together. This is a quick-and-dirty guide to replicating a project that I did for someone. It’s not going to tell you every detail of what to type, but it should get you going in the right direction if you’re needing some guidance.
Found out a surprising limitation today on the Cisco ASA5505. Apparently you cannot have more than one subnet assigned to a VLAN. For instance, if a company is using 192.168.0.0/24 for their servers and 192.168.1.0/24 for their PCs, and they haven’t graduated to the point of managed VLAN-aware switches, there is no way to put both their subnets onto a single ASA interface and route between them.
On a Cisco router, it would be as simple as:
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ! second subnet on the same interface, so the router routes between them
 ip address 192.168.1.1 255.255.255.0 secondary
The ASA just doesn’t support it, apparently. I’m not sure what would happen if I put 192.168.0.1/24 on VLAN2 on Ethernet0/1 and 192.168.1.1/24 on VLAN3 on Ethernet0/2 and plugged both of them into the unmanaged switch network. Of course, that brings its own challenges due to the 3-VLAN limitation on the base license, etc….
Luckily, in the application I was configuring it for, I found out that the company could easily drop the second subnet and simplify things a lot.
This has come up a few times lately in my line of work – the need to set up and allow Cisco VPN client software to connect to the customer’s router, and pass all Internet traffic through that router and back out.
Sometimes things go right for a change. I finally got my dual-ISP single-hub DMVPN with mGRE, ipsec and EIGRP working. I may have to do some tuning of the failover to smooth things out, but it’s working, and that’s what’s important. I can kill the primary ISP connection and after a short delay of 20 [...]
I said before that I thought I had discovered a Cisco bug. Turns out that’s probably not the case, although I have discovered a problem and don’t have a solution – yet.