I decided to split up the links on this site to Tech Links and Other.  Tech Links will be filled with sites that I use on a regular basis, or sites that I recommend to others.  For example, I use Wireshark on many an occasion to troubleshoot client-server software and analyze IP traffic patterns.  I use Cisco devices on an almost daily basis.  And Gizmodo is just a cool site for new tech info and devices.

I had a fairly strange issue recently involving an ASA5510, an IPSEC tunnel, and a client-server application.  The setup is this:  ASA5510 firewall configured with an IPSEC tunnel to a far-end Cisco VPN Concentrator.  Behind the firewall at the far end sits a web server.  Behind the firewall at the near end is a Windows server running a software program.

The software opens a socket on the Windows server and initiates a TCP connection to the far-side web server on port 80.  Then it sends a GET xxxxx command, reads the returned data, and terminates the connection.

What was happening was that at times the software would fail and kick out a bunch of Winsock errors.  I couldn’t troubleshoot the far-end web server, as it belongs to a different company.  Even though I had the source code for the Windows application, I didn’t have permission to make changes to do any debugging.  So I did the only thing I could and started sniffing packets.  I used the “capture” command on the ASA to monitor the TCP traffic entering and exiting the tunnel.  I used a laptop, Wireshark, and a “monitor” port on a Cisco Catalyst outside the ASA to monitor the IPSEC traffic across the tunnel.  I also wrote a quick test program in C to open a socket, connect to the web server, and wait for a while to see the unexpected disconnect.

Upon inspection of the traffic, I saw that the Windows server and the web server were connecting, but then after a few seconds the web server would send a FIN packet to the Windows server.  The Windows application would then send its GET command, but the web server had already dropped the connection and a TCP RST packet would be generated back to the Windows server.

What I found out was that when my test program initiated the connection, I was able to see the 3-way handshake (SYN, SYN-ACK, ACK) on the ASA, but I never saw the traffic outside the ASA on the tunnel.  Yet something was answering and establishing a connection.  The ASA somehow was hijacking the session and connecting to the Windows server and not passing the packets on to the web server like I expected it to.

After a lot of research and testing, I ended up isolating the problem to a CSC module installed in the ASA.  The module had been installed since the original turn-up of the ASA.   We’d had some issues in the past with it and hadn’t renewed the TrendMicro licensing, so I’d logged into it a long time ago and disabled all the scanning.  However, I’d never adjusted the service policies to stop sending traffic through the CSC.

Anyway, I changed the policy on the outside interface to remove the directive to send the traffic to the CSC, and the issue was immediately resolved.

What I found out was that when I ran the test program with the CSC directive removed, I was able to see the connection outside the ASA at the same time as I saw it on the inside.  The connection established and held for several minutes without dropping.  I turned the CSC back on, and the connections started getting terminated again.
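Added example, not the author's original test program: a small C tool that opens the TCP connection to a given host and port, holds it idle for a set number of seconds without sending anything, and reports whether the far end sent a FIN, sent a RST, or left the connection open, which is the distinction the captures above turned on. The host, port and timeout are command-line arguments; the function names are my own.

```c
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum conn_end { CONN_OPEN = 0, CONN_FIN = 1, CONN_RST = 2, CONN_ERR = 3 }; /* how the idle connection ended */

/* Open a TCP connection to host:port (IPv4 or IPv6); returns the fd or -1. */
int tcp_connect(const char *host, const char *port) {
    struct addrinfo hints = {0}, *res, *ai; int fd = -1;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    for (ai = res; ai && fd < 0; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) != 0) { close(fd); fd = -1; }
    }
    freeaddrinfo(res);
    return fd;
}

/* Hold a connected socket idle (nothing sent, like the test program before its
 * GET) for up to `secs` seconds; report FIN (recv returns 0), RST (ECONNRESET) or still open. */
enum conn_end watch_idle(int fd, int secs) {
    time_t deadline = time(NULL) + secs;
    char buf[256];                                        /* unexpected data is discarded */
    for (;;) {
        struct timeval tv = { deadline - time(NULL), 0 };
        if (tv.tv_sec < 0) return CONN_OPEN;
        fd_set rfds; FD_ZERO(&rfds); FD_SET(fd, &rfds);
        int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (rc == 0) return CONN_OPEN;                    /* deadline reached, peer never spoke */
        if (rc < 0) { if (errno == EINTR) continue; return CONN_ERR; }
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n == 0) return CONN_FIN;                      /* orderly close from the peer */
        if (n < 0) return errno == ECONNRESET ? CONN_RST : CONN_ERR;
    }
}

int main(int argc, char **argv) {
    static const char *what[] = { "still open", "closed by peer (FIN)", "reset by peer (RST)", "socket error" };
    if (argc != 4) { fprintf(stderr, "usage: %s host port seconds\n", argv[0]); return 2; }
    int fd = tcp_connect(argv[1], argv[2]);
    if (fd < 0) { perror("connect"); return 1; }
    printf("after idling %s s: %s\n", argv[3], what[watch_idle(fd, atoi(argv[3]))]);
    close(fd); return 0;
}
```

Run it from the inside host against the far-end web server while the ASA capture is running; a "closed by peer (FIN)" within a few seconds, with no matching packets on the tunnel side, is the symptom described above.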

I’ve yet to figure out why the CSC was behaving this way.  The whole setup had worked fine for a couple months, and nothing had changed on the ASA or CSC config.  Yet that’s definitely where the problem was coming from.

If you happen to read this and have any info on what could cause this, please let me know.

Had a small glitch today in a Cisco router config that I had to figure out.  The main router had a couple of static translations of public IPs to private ones, so that incoming connections could go directly to internal servers and outgoing connections from those servers would be translated too.

Problem was, outgoing connections were also being translated for those servers when the connections were going to Cisco VPN clients.

The fix I ended up with was one we’d used before – apply a route-map to the internal interface, directing all the traffic destined for the VPN client to a loopback interface without the “nat inside” statement, effectively causing the packets to skip the NAT process entirely.

I wonder, though, if there might not be a cleaner solution.  After all, the normal NAT overload command allows for a route-map to specify what traffic to translate and what traffic to pass untranslated, so why not the static NAT commands?

I’m not sure if I’ll get a chance to research this anytime soon, but if I do, I’ll be sure to post what I find.

Finally, I took the time to put this together.  This is a quick-and-dirty guide to replicating a project that I did for someone.  It’s not going to tell you every detail of what to type, but it should get you going in the right direction if you’re needing some guidance.

We’ve had one of these for a couple weeks, evaluating how it might fit into our product and services portfolio.  The UC520 is basically a router/firewall/VoIP system all in a single package.  Without getting into long descriptions of features, Cisco basically took the most common features of their ISR routers, Call Manager, and Unity Voice Mail and combined them into a reasonably-priced package for small businesses.  As it was explained to me, it’s pretty much the 1861 with dynamic routing and advanced firewall stripped out, CPU boosted up to support more call control features, and integrated voice mail.  Built-in wireless is an option.  It has an integrated PoE switch to power IP phones.

Cisco has tons of info on their site about the UC520 and their whole Unified Communications line, and there are even 3rd-party sites dedicated to the UC520 itself, so I’m not going to spend much time here talking about specific configurations.  Instead I’m just going to try to give some opinions of the product as time goes by and we start deploying them.  If we DO come up with some interesting custom configurations, I may post those for anyone interested.

Today should be a good day.  I’ve got some customer work to do first thing in the morning, moving them from one type of service to another, which involves IP changes and therefore tunnel changes on all their remotes. After that, I’m doing manager-type stuff – status reports, email on projects – mixed with research [...]

Found out a surprising limitation today on the Cisco ASA5505.  Apparently you cannot have more than 1 subnet assigned to a VLAN.  For instance, if a company is using 192.168.0.0/24 for their servers and 192.168.1.0/24 for their PCs, and they haven’t graduated to the point of managed VLAN-aware switches, there is no way to put [...]

This has come up a few times lately in my line of work – the need to set up and allow Cisco VPN client software to connect to the customer’s router, and pass all Internet traffic through that router and back out.

Sometimes things go right for a change. I finally got my dual-ISP single-hub DMVPN with mGRE, ipsec and EIGRP working.  I may have to do some tuning of the failover to smooth things out, but it’s working, and that’s what’s important.  I can kill the primary ISP connection and after a short delay of 20 [...]

I said before that I thought I had discovered a Cisco bug.  Turns out that’s probably not the case, although I have discovered a problem and don’t have a solution – yet.

© 2010 Virtual Adept