I wanted to use PBR on our DMVPN tunnels to set the next-hop address to a Layer 3 switch on the LAN. We set it up and it seemed to work fine. Then it was noticed that if a site went down even briefly and the tunnel dropped, the tunnel would never re-establish itself (the tunnel interface remained line up/protocol down). We recreated the problem in our lab and it consistently failed. We moved the tunnel to an IOS router and that wasn’t affected.
It was eventually revealed that PBR is apparently handled differently on IOS-XE and IOS routers.
The problem occurs when a route-map is attached to an interface with only a “set” operation and no “match” (when no match is specified there is an implicit “match any any”), or when an explicit match “any any” is used. Read more…
First implemented by the National Security Agency (NSA) in 1993, the Secure Hash Algorithm (SHA) is used by certification authorities such as Verisign and Thawte to sign certificates and Certificate Revocation Lists. SHA is used to generate unique hash values from files.
This is the SHA-1 hash fingerprint from the bbc.co.uk website:
root@raspberrypi:/# echo | openssl s_client -connect bbc.co.uk:443 2>/dev/null | openssl x509 -fingerprint -noout
SHA1 Fingerprint=EA:D2:F2:79:18:A0:CD:2B:10:3B:12:01:CF:B1:9E:CC:AF:0F:28:0C
SHA versions:
- SHA-0: obsolete
- SHA-1: currently the most widely implemented
- SHA-2: stronger than SHA-1 due to the longer hash (SHA-224, SHA-256, SHA-384 and SHA-512)
As part of their SHA-2 migration plan, Microsoft, Google, and Mozilla have announced that they will stop trusting SHA-1 certificates. Google began phasing out trust in SHA-1 certificates in November 2014. Read more…
LTM has built-in application health monitor templates for many TCP-based application protocols (FTP, HTTP, HTTPS, IMAP, LDAP, MSSQL, NNTP, POP3, RADIUS, RTSP, RPC, SASP, SIP, SMB, SMTP, SOAP).
If you need to monitor an application which depends on an upper-layer protocol for which there is no built-in monitor template, LTM provides a number of options to build a monitor based on the underlying transport-layer protocol, TCP. Read more…
Having already generated the RSA key pair on the ASA (with “crypto key generate rsa mod 2048”), created a trustpoint for the VPN users, generated an SSL certificate CSR, and received the signed X.509 certificate together with the CA and intermediate SSL certificates, the certificate and CA certs will need to be installed onto the Cisco ASA. This procedure describes the method using the CLI. Read more…
This aide-memoire describes and compares NAT configuration (Identity NAT, NAT Exemption/Identity NAT) and also compares the syntax between ASA version 8.4.2 and below. There are some considerable differences in the syntax, and some of the better-known commands have been deprecated. Read more…
Long Fat Pipes
High-capacity packet satellite channels are LFNs (delay: 4 x 35,800 km = 470 ms RTT), and modern terrestrial long-haul fibre-optic paths also fall into the LFN class. There are three fundamental performance problems with current TCP over LFNs:
• Window size limit (2^16, or a maximum of 65k bytes) – Remedy: TCP option “Window scale”
• Recovery from segment losses – Remedy: TCP option “selective acknowledgement”
• Round-trip measurement – Remedy: TCP option “Time stamp” Read more…
Browsers can set up two or more TCP connections to an HTTP server to facilitate parallel downloads. As the browser parses the Web page it becomes aware of which objects it needs to download.
Rather than send the requests in series over a single connection, the requests are sent over parallel connections to enable faster downloading of the Web page. Another technique used by browsers to improve the performance is “HTTP pipelining”. Read more…
Two videos which explain VRF configuration and troubleshooting. The first is an excellent overview and the second a practical demonstration of VRF configuration:
- Ivan Pepelnjak – Introduction to Virtual Routing and Forwarding (VRF) tables
- Keith Barker – Cisco VRF and troubleshooting
Read more…