Blog: Cisco

For those who are currently working on, or considering acquiring, their CCNP: on July 31, 2010 the CCNP certification will be changing. After this date you will no longer be able to take the current BSCI, BCMSN, ONT or ISCW exams. These exams will be replaced with the ROUTE, SWITCH and TSHOOT exams. If you have completed the BSCI or BCMSN prior to this date, it will still transfer over and count toward your ROUTE or SWITCH exam respectively. If you have already taken the ONT or ISCW exam, these will not carry over after the new date. This information has not been officially declared by Cisco, so there is still a possibility of changes being made, but it's good to have an idea of what is to come, since it looks like it will be happening very soon.


 

During troubleshooting of some VPN connection issues, I was running a traffic dump session on the Ecessa PowerLink.  I noticed some unusual SSH traffic going to the internal VPN router.  When I entered “show users” at the command line of the router, it showed me and someone using “root” connected.  The IP address of the “root” user was an external IP address.  I performed a “whois” on the IP address.  It appeared to be originating from St. Louis, Missouri.

I talked to another engineer about this and, after some investigation and testing, it turns out that while a client is attempting to connect to a Cisco device, the show users output displays whatever username that client supplied, whether or not the login has succeeded.  I verified this by connecting to the same router and typing “admin” at the username prompt: the show users output showed the name admin.  So the “root” entry was most likely an external host trying to log in as root over SSH, not an authenticated session.
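The post does not say what was done about the external host presenting “root”. As an added example, not from the original post, the following IOS configuration restricts the router's VTY lines to a management network and logs failed login attempts, so such guesses are recorded instead of being visible only in show users while they are in progress. The management network, the user name and the placeholder secret are invented.

```cisco
! Added example, not from the original post. Addresses, names and the
! placeholder secret are invented; adjust to your management network.
!
! Only the management network may open a VTY session; everything else is
! refused, and the deny/log entry produces a syslog message per attempt.
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
username netadmin privilege 15 secret REPLACE-WITH-REAL-SECRET
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! Login attack detection: "login block-for" must be configured before the
! other "login" commands are accepted. Three failures within 60 seconds put
! the VTY lines into quiet mode for 120 seconds, during which only the
! management hosts may still log in; every failure is logged.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
!
! Checks after the change:
!   show users            - sessions, including in-progress logins, by user name
!   show ssh              - SSH sessions actually established
!   show login failures   - recent failed attempts with their source addresses
```

The access-class only governs VTY access; IPsec and ISAKMP traffic to a VPN router is unaffected by it.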


 

The newer versions of Cisco IOS allow you to add a compression algorithm to the transform set that defines how traffic is encrypted.  After adding new crypto map entries at a client using this compression, other VPNs (using the original transform set, which does not include compression) started getting odd errors.  The VPN would stay up, but only small ping packets would get through, and different endpoints had different maximum ping sizes that would make it through.  Eventually I removed the crypto map entries using compression and the other problems disappeared.  The lesson I learned from this was not to use a crypto map that mixes transform sets with compression and transform sets without compression.
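As an added example, not from the original post, here is the kind of crypto map the post warns against, followed by the corrected form and the checks for the symptom it describes. Peer addresses, names, access-list numbers and inside addresses are invented; the ISAKMP policy and pre-shared keys are assumed to exist.

```cisco
! Added example, not from the original post. Peers, names and access-list
! numbers are invented; the ISAKMP policy and pre-shared keys are assumed.
!
! --- The mix the post warns against: one crypto map, two kinds of transform set
crypto ipsec transform-set TS-PLAIN esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-COMP  esp-aes 256 esp-sha-hmac comp-lzs
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-COMP
 match address 110
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-PLAIN
 match address 120
!
! --- Corrected: every entry of VPNMAP uses the same, uncompressed transform
! set. The tunnels that were already working are not touched; only entry 10
! changes, and its SA is cleared so that it renegotiates without compression.
crypto map VPNMAP 10 ipsec-isakmp
 set transform-set TS-PLAIN
!
!   clear crypto sa peer 203.0.113.10
!
! Symptom check: a large ping through the tunnel, sourced from an inside
! address on this end to an inside host at the peer. If only small packets
! pass, the size at which this fails is the clue the post describes.
!   ping 10.2.0.1 source 10.1.0.1 size 1400
! Per-SA counters, including whether compression was negotiated
! (#pkts compressed / decompressed):
!   show crypto ipsec sa peer 203.0.113.10
```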


 

Here is an easy way to display the lines that come before the line you are searching for in a Cisco router configuration.  Use “show run linenum | include <string>”.  The linenum keyword causes the device to number each line of the output.  Then use “show run linenum | begin <number> :” to start the output a few lines before the one you found (the “ :” after the number matches the numbered output format, so the line number itself is matched rather than some other occurrence of the digits).  Keep in mind these commands can be abbreviated, e.g. “show run line | inc <string>” and “show run line | beg <number> :”.


 

When working with an ASA 5505, if you change the IP address of the inside interface to a different subnet, make sure you enable HTTP (ASDM) access from the new subnet or you won’t be able to use the Cisco ASDM interface anymore, since the http statements are tied to a subnet and an interface. Command: http 192.168.0.0 255.255.255.0 inside.


 

I was attempting to add a PAT (port address translation) rule for HTTPS (TCP 443) on a customer's Cisco ASA.  The rule kept getting rejected with an error that it could not be created.  After trying a few times, I figured out that the ASA was rejecting the rule because ASDM (Adaptive Security Device Manager) access, which uses HTTPS on TCP 443, had been enabled on the outside interface, so the ASA itself was already listening on that port of the outside address.  I changed the port number for ASDM and was then able to create the PAT rule.
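The two ASA posts above are two sides of the same http configuration. As an added example, not from the original posts, the fragment below shows the ASDM access lines for a re-addressed inside interface, the outside ASDM entry that collides with a TCP 443 PAT, and the port change that resolves it. It uses ASA 8.2-style syntax with invented addresses; on ASA 8.3 and later the static line would be written as object NAT instead.

```cisco
! Added example, not from the original posts. ASA 8.2-style syntax with
! invented addresses; on ASA 8.3 and later the static line becomes object NAT.
!
! --- ASDM reachability after re-addressing the inside interface (first post)
! http statements are keyed to interface and subnet, so moving the inside
! interface to 192.168.0.0/24 needs a matching http line or ASDM stops working.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
http server enable
http 192.168.0.0 255.255.255.0 inside
!
! --- ASDM on the outside interface vs. a PAT for TCP 443 (second post)
! With ASDM reachable from the outside, the ASA itself owns TCP 443 on the
! outside address, so a PAT that hands 443 to an inside server is rejected:
http 198.51.100.77 255.255.255.255 outside
static (inside,outside) tcp interface 443 192.168.0.10 443 netmask 255.255.255.255
!
! Fix: move ASDM to another port (this changes it on every interface), then
! add the PAT. Keep the outside http entry as narrow as possible: a single
! management host, never a broad subnet. An outside access-list permitting
! TCP 443 to the interface address is still required for the server (not shown).
http server enable 8443
static (inside,outside) tcp interface 443 192.168.0.10 443 netmask 255.255.255.255
!
! Checks:  show running-config http      show running-config static
```

After the port change, ASDM is reached at https://<interface-address>:8443.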


 

Using TCL on Cisco devices: TCL is a powerful programming language that can be used for many tasks.  You enter the TCL environment by entering the tclsh command.  You exit by entering tclquit.  Here is a command you can use to create a file on a router.  For text files, this can be much easier than getting a TFTP or FTP server available to use.  First enter tclsh to get into TCL.  Enter this command but do not press Enter after the line.  Substitute the file name and location for flash:test

puts [open "flash:test" w+] {

Enter or paste in your text right after the {.  When finished, enter } and press Enter.  Then enter tclquit to exit out of the TCL environment.  If the text you are entering contains an unmatched right curly brace }, this will not work, since that brace terminates the input.  Also, TCL variables begin with a dollar sign $, so you cannot use those either.  If you are pasting in a configuration, the password lines are usually the only ones that will give problems.

Many TCL scripts have been written, including a simple editor.  I am not sure what versions of IOS include TCL – the feature navigator does not match what I have seen.  A nice introduction to TCL on Cisco is http://www.netcraftsmen.net/welcher/papers/iostcl01.html, which has links to some Cisco pages.  Learn more about TCL at http://tcl.tk.
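The same technique as an added example, not from the original post: a complete session typed at the IOS prompt, with the channel kept in a variable and closed explicitly, followed by a check of the result. Hostname, file name and file contents are invented.

```cisco
! Added example, not from the original post. Hostname, file name and the
! file contents are invented.
!
! Open the file, keep the channel in a variable, write the braced block,
! close the channel. $f is substituted because it sits outside the braces.
Router# tclsh
Router(tcl)# set f [open "flash:site-notes.txt" w+]
Router(tcl)# puts $f {
Site: branch-12
Maintenance window: Saturday 02:00-04:00
Circuit ID: placeholder-circuit-id
}
Router(tcl)# close $f
Router(tcl)# tclquit
!
! Verify the file before relying on it:
Router# more flash:site-notes.txt
!
! The same approach works for a configuration fragment saved as, say,
! flash:vpn-fragment.cfg, which can then be merged with
!   copy flash:vpn-fragment.cfg running-config
! Keep every { and } inside the block balanced: an extra } ends the puts
! early. Per the post, lines containing $ (typically passwords) are the ones
! to check in the written file.
```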

 

By accident the other day I ran across some information that I thought was pretty interesting. Natively, Cisco 3560, 3750, 4500, and 6500 multilayer switches use CEF instead of route caching for layer 3 switching. There are several things that will cause what is called a "CEF punt", which is where the hardware forwarding path hands the packet to the CPU (the route processor) for software switching. It can happen for several reasons: the packet needs to be fragmented, there is no adjacency (MAC not yet resolved) for the next hop, there is no route in the FIB, and so on. But here's the interesting part: a log keyword on an ACL entry also causes a CEF punt for the packets that match it. So it is worthwhile to remove those entries once troubleshooting is done, so that as much traffic as possible is hardware switched.


 

Cisco has a feature for monitoring network connections in various ways.  The IP SLA (service level agreement) feature allows the router to probe targets via ICMP, TCP connections, etc., to monitor things like availability, latency, and jitter, and to make routing decisions based on the results by tying a tracked object to a static route.

We’ve implemented this feature to perform failover when a device becomes unavailable.  It is possible to monitor multiple items and to make decisions based on the aggregate result, using either Boolean logic or percentages.

Finally, we ran into a problem at a customer site where the “interface” keyword was not working as expected on an IP SLA object.  I changed to the “address” keyword, and the tracked object started working as expected.
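As an added example, not from the original post, the following IOS configuration puts the pieces described above together: two ICMP probes, one tracked object per probe, the two aggregation forms (Boolean and percentage), and a default route that fails over to a floating static when the aggregate goes down. It uses the IOS 12.4T-style ip sla syntax; addresses, interface names and the probe targets are invented, and the probe source is given as an address rather than an interface.

```cisco
! Added example, not from the original post (IOS 12.4T-style IP SLA syntax;
! addresses and probe targets are invented). ISP-A is the primary default
! route and is withdrawn when the tracked probes fail; the floating static
! via ISP-B (administrative distance 250) then takes over.
!
! Two ICMP probes through ISP-A: the ISP gateway and a host beyond it
! (192.0.2.53 stands in for a reliable host further out). The source is
! given as an address.
ip sla 1
 icmp-echo 203.0.113.1 source-ip 203.0.113.2
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.53 source-ip 203.0.113.2
 frequency 10
 timeout 2000
ip sla schedule 2 life forever start-time now
!
! Pin the far probe to ISP-A. Without this host route the probe would follow
! the default route after failover, succeed via ISP-B, and flap the tracker.
ip route 192.0.2.53 255.255.255.255 203.0.113.1
!
! One tracked object per probe, with dampening so a single lost reply does
! not flip the route.
track 1 ip sla 1 reachability
 delay down 15 up 30
track 2 ip sla 2 reachability
 delay down 15 up 30
!
! Aggregate with Boolean logic: OR keeps the list up while at least one
! probe succeeds, so the route is withdrawn only when both fail.
track 10 list boolean or
 object 1
 object 2
!
! Aggregate by percentage: up while at least 50% of the objects are up,
! down once the share drops to 49% or less. With two objects this matches
! the OR list; the threshold form scales to larger lists.
track 20 list threshold percentage
 object 1
 object 2
 threshold percentage up 50 down 49
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Checks:  show track 10     show ip sla statistics     show ip route 0.0.0.0
```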

 

The other day I was setting up a Disaster Recovery DHCP server. Part of the testing process was to set up a test branch with an additional 'ip helper' command in the router so that it would start forwarding DHCP broadcasts across the WAN to the Disaster Recovery site. I entered the command and immediately started seeing traffic at the DR DHCP server. However, I was seeing more UDP traffic than just DHCP. I also started seeing errors like this in the event logs:

The master browser has received a server announcement from the computer <MACHINE> that believes that it is the master browser for the domain on transport NetBT_Tcpip_{66AC525D-CD06-401. The master browser is stopping or an election is being forced.

It's not uncommon to see these messages from time to time, but I was seeing these non-stop for about an hour. After some searching I found that the 'ip helper-address' command that is standard in our Cisco router config turns on UDP broadcast forwarding for 8 different protocols. DHCP is one of them, but I wanted to turn it off for all the others. So, I found this command:

ip forward-protocol udp <protocol/port>

The previous command was supposed to fix it. The router would accept 'ip forward-protocol udp dhcp', but it would not show up in the running config. Finally, I realized it is one of those commands where you have to turn off what you don't want instead of turning on what you do, so I entered these commands to stop the NetBIOS broadcast traffic:

no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
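As an added example, not from the original post, here is the branch router fragment that results: the LAN interface relaying to both DHCP servers, and the default-forwarded UDP ports other than DHCP switched off. The addresses and interface name are invented. The list of ports that ip helper-address forwards by default (TFTP, DNS, time, NetBIOS name and datagram services, BOOTP/DHCP server and client, TACACS) is taken from Cisco's documentation of the command; the BOOTP client port is left enabled here as a precaution, since the post only tested with the NetBIOS ports removed.

```cisco
! Added example, not from the original post. Addresses and interface name
! are invented.
!
! Relay DHCP from this LAN to the production DHCP server and, for the
! DR test, to the DR DHCP server across the WAN.
interface GigabitEthernet0/1
 description Branch LAN
 ip address 10.50.1.1 255.255.255.0
 ip helper-address 10.10.1.5
 ip helper-address 10.200.1.5
!
! ip helper-address forwards a fixed set of UDP ports by default. Forwarding
! is removed per protocol; these "no" lines do appear in the running config,
! whereas the default "ip forward-protocol udp bootps" does not.
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp tacacs
!
! Check what is still forwarded (only the non-default "no" entries are listed):
!   show running-config | include forward-protocol
```

On the DR side, the NetBIOS master-browser election errors should stop as soon as the netbios-ns and netbios-dgm lines are in place; the remaining lines keep other broadcast protocols from being relayed across the WAN at all.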