Case Study: F5 Load Balancer and TCP Idle Timer / fastL4 Profile

March 6th, 2015 No comments

This describes a problem whereby a client connects to a server then waits for a report to complete before retrieving it.  The report took longer than 5 minutes to complete and the TCP session remained idle whilst the client waited.  After a while the TCP connection dropped.

Packet traces were taken at the client, server and intermediate points, which included an F5 load balancer which simply acted as a router. The analysis of the packet traces revealed some interesting things..

What was happening was that the TCP 3-way handshake completed to setup the TCP session.  Then the client sends an HTTP GET requestor method (of TCP segment length 734 bytes) to submit the data, which is then received by a client-side firewall.  The firewall then forwards it onwards towards the server in the direction of an F5 load balancer …

BUT: The HTTP GET doesn’t seem to arrive at the F5.  The server-side firewall however, DID receive the GET and forwards it onto the application server, which then sends back an ACK to the client – which DOES go via the F5. Huh?

It was initially thought that the The F5 therefore saw an ACK packet for a TCP segment that it hasn’t seen, so it sends a RST packet in both directions to tear down the TCP session. This is a little confusing because the TCP session goes through the F5 but the HTTP GET request seemingly bypasses the F5 but does arrive at the server. After a bit of head-scratching and furrowed brows because it made no sense.  The delay. The fact that there clearly wasn’t any asymmetry anyway because the ACK came back via the same path. So why the reset? Read more…

Categories: linux Tags:

Using nMap to Identify Applications

March 3rd, 2015 No comments

nMap uses a list of “default” applications in the nmap services file, used to list services running on scanned open ports.  To see the “real” application execute nMap using the “-sV” option. Read more…

JUNOS Boot from Backup Image – Recovery

February 17th, 2015 No comments

Another quick aide-memoir describing the recovery of a corrupted JUNOS image – the EX3300 series LAN switch has booted from the backup image.

— JUNOS 11.4R5.5 built 2012-08-25 05:29:29 UTC

**                                                                   **
**                                                                   **
**  It is possible that the primary copy of JUNOS failed to boot up  **
**  properly, and so this device has booted from the backup copy.    **
**                                                                   **
**  Please re-install JUNOS to recover the primary copy in case      **
**  it has been corrupted.                                           **
**                                                                   **

darenm@coresw1# show version
## Last changed: 2015-02-13 10:50:43 UTC
version 11.4R5.5; Read more…

Categories: Juniper, Uncategorized Tags:

OpenSSL – Self Signed Certificates / Becoming a Root CA

February 10th, 2015 No comments

Following on from the brief personal aide-memoir: OpenSSL – Generate CSR and Test x509 Certificate, this post contains the recipe to generate a self-signed certificate and use this as a CA, to sign other certificates. This is because the term “Self signed certificate” is really incorrect, the proper phrase ought to be “Being your own Certificate Authority”, (or CA)
– You have the “root key”
– And you can “sign” other certificates
Read more…

Categories: Security Tags: ,

Troubleshooting ISAKMP Phase 1 Messages – Part 1

January 22nd, 2015 No comments

This is a must-keep aide-memoir for troubleshooting VPN connections.

IKE (PHASE 1) Messages: Read more…

Categories: CISCO, Security Tags: , ,

TCP Auto-Tuning

November 17th, 2014 No comments

There is a field in each TCP segment called the “receive window”.  The receiver is essentially signalling the amount of data that it can accept, or is willing to accept.  This post describes the metrics and overhead.

The overhead is: window/2^tcp_adv_win_scale (tcp_adv_win_scale default is 2) So for linux default parameters for the recieve window (tcp_rmem):
87380 – (87380 / 2^2) = 65536. Read more…

Categories: linux Tags:

Fudge Cam – Python Code

April 22nd, 2014 No comments

This project achieves many objectives. It gives me a chance to learn how to use Python to control external devices (in this case a very cheap motion detecting sensor) and it also makes my girlfriend happy. Even though she does (rightly as there is a time and a place..!) complain about my “enthusiasm” for getting a pin to connect to a software interrupt. Anyway. Here it is:

fudgeCapturing the antics of Fudgie the Hamster!

Detects motion using a PIR Motion Detection GPIO sensing kit to leverage the GPIO pins on the Raspberry Pi, then takes photos using the Raspberry Pi Camera Module and updates Twitter with a random rant from Fudgie himself. Read more…

Categories: Raspberry Pi Tags:

Cisco ASA Java 7 update causes ASDM not to Launch

April 14th, 2014 No comments

The recent update to Java has caused problems when the web interface of the Cisco ASDM has a security problem such as an unsigned or expired certificate. Java no longer allows ASDM to launch. The error message is shown as “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute”. This problem is fixed by adding a site exception to Java. Read more…

Categories: CISCO, Security Tags:

Cisco ASA Debug, Syslog and Logging Lists

April 10th, 2014 No comments

When troubleshooting and using debug, it is possible to create logging lists to filter out messages which are unrelated to your problem.

%ASA-2-106016: Deny IP spoof from ( to on interface Inside

logging enable
logging timestamp
logging buffered warnings
logging buffer-size 65000
logging list ACL-MESSAGES_LOG-LIST message 106023
logging console ACL-MESSAGES_LOG-LIST
logging monitor ACL-MESSAGES_LOG-LIST
show log

Categories: CISCO, Protocol Analysis Tags:

How to export the SSL certificate from a Wireshark packet capture

April 10th, 2014 No comments

How to obtain the SSL certificate from a Wireshark packet capture: Read more…

Categories: SSL/TLS Tags: