After a core network switch reload, a strange problem occurred with 5250 terminal sessions to an AS/400: sometimes they worked and sometimes they did not. The same behaviour was observed using ping from within the same IP subnet.
The problem appeared to be the Ethernet framing on the AS/400. Its ARP replies kept changing between SNAP and ARPA encapsulation. An ARP entry on the core routers showed the MAC address of the AS/400 with Ethernet “SNAP” encapsulation rather than “ARPA”, the latter being the default encapsulation type on the Cisco 6500s we were using.
This describes a problem whereby a client connects to a server and then waits for a report to complete before retrieving it. The report took longer than 5 minutes to complete and the TCP session remained idle while the client waited. After a while the TCP connection dropped.
Packet traces were taken at the client, the server and intermediate points, including an F5 load balancer that simply acted as a router. Analysis of the packet traces revealed some interesting things.
The TCP 3-way handshake completed to set up the TCP session. The client then sends an HTTP GET request (a TCP segment of 734 bytes) to submit the data, which is received by a client-side firewall. The firewall forwards it onwards towards the server, in the direction of an F5 load balancer …
BUT: the HTTP GET does not seem to arrive at the F5. The server-side firewall, however, DID receive the GET and forwards it on to the application server, which then sends back an ACK to the client – and that ACK DOES go via the F5. Huh?
It was initially thought that the F5 therefore saw an ACK for a TCP segment it had not seen, and so sent a RST in both directions to tear down the TCP session. This is a little confusing, because the TCP session goes through the F5, yet the HTTP GET request seemingly bypasses the F5 and still arrives at the server. That led to a bit of head-scratching and furrowed brows, because it made no sense: the delay, and the fact that there clearly was no asymmetry, since the ACK came back via the same path. So why the reset?
Nmap uses a list of “default” applications in the nmap-services file to label the services found on scanned open ports. To see the “real” application, run Nmap with the “-sV” option (service version detection).
Following on from the brief personal aide-mémoire OpenSSL – Generate CSR and Test x509 Certificate, this post contains the recipe to generate a self-signed certificate and use it as a CA to sign other certificates. The term “self-signed certificate” is really a misnomer; the proper phrase ought to be “being your own Certificate Authority” (or CA):
– You have the “root key”
– And you can “sign” other certificates
This is a must-keep aide-mémoire for troubleshooting VPN connections.
IKE (PHASE 1) Messages:
There is a field in each TCP segment called the “receive window”. The receiver is essentially signalling the amount of data that it can accept, or is willing to accept. This post describes the metrics and overhead.
The overhead is window / 2^tcp_adv_win_scale (tcp_adv_win_scale defaults to 2). So, for the Linux default receive window parameters (tcp_rmem):
87380 – (87380 / 2^2) = 65536.
This project achieves several objectives: it gives me a chance to learn how to use Python to control external devices (in this case a very cheap motion-detecting sensor), and it also makes my girlfriend happy, even though she does (rightly, as there is a time and a place..!) complain about my “enthusiasm” for getting a pin to connect to a software interrupt. Anyway, here it is:
Capturing the antics of Fudgie the Hamster!
Detects motion using a PIR motion-detection GPIO sensing kit on the GPIO pins of the Raspberry Pi, then takes photos with the Raspberry Pi Camera Module and updates Twitter with a random rant from Fudgie himself.
The recent Java update causes problems when the Cisco ASDM web interface has a certificate problem such as an unsigned or expired certificate: Java no longer allows ASDM to launch, and shows the error “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute”. The fix is to add a site exception in Java.
When troubleshooting with debug, you can create logging lists to filter out messages unrelated to your problem. For example:
%ASA-2-106016: Deny IP spoof from (199.89.222.7) to 192.168.240.1 on interface Inside
logging enable
logging timestamp
logging buffered warnings
logging buffer-size 65000
logging list ACL-MESSAGES_LOG-LIST message 106023
logging console ACL-MESSAGES_LOG-LIST
logging monitor ACL-MESSAGES_LOG-LIST
show log
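The same kind of filtering applied off-box, as an added example that is not part of the original post: parse ASA syslog lines into severity and message ID, then keep only lines at or above a logging level (ASA severities run 0 to 7, lower is more severe) and, optionally, only the message IDs named in a list, which is roughly what the logging level plus logging list above do together. The sample lines are constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Optional

# ASA syslog header: %ASA-<severity>-<message-id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Cisco logging level keywords and their numeric severities.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def parse_asa_line(line: str) -> Optional[Dict[str, object]]:
    """Return severity, message id and text for one ASA syslog line, or None
    if the line carries no ASA header (a syslog timestamp prefix is allowed)."""
    m = ASA_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")),
            "msgid": m.group("msgid"),
            "text": m.group("text")}


def filter_messages(lines: Iterable[str], level: str = "warnings",
                    message_ids: Optional[Iterable[str]] = None) -> List[Dict[str, object]]:
    """Emulate 'logging ... <level>' plus a 'logging list ... message <id>' filter.
    A line is kept when its severity is at or below the level's number (at least
    as severe) and, if message_ids is given, its id is in that set."""
    threshold = LEVELS[level]
    wanted = set(message_ids) if message_ids is not None else None
    kept = []
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None or rec["severity"] > threshold:
            continue
        if wanted is not None and rec["msgid"] not in wanted:
            continue
        kept.append(rec)
    return kept


# Constructed sample lines (RFC 5737 addresses); the 106016 line is the one from the post.
SAMPLE_LINES = [
    "%ASA-2-106016: Deny IP spoof from (199.89.222.7) to 192.168.240.1 on interface Inside",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.10/4455 dst inside:192.0.2.20/22 by access-group "OUTSIDE_IN"',
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.5/443 (198.51.100.5/443) to inside:192.0.2.30/51000 (192.0.2.30/51000)",
    'Mar  1 10:00:00 fw01 : %ASA-4-106023: Deny udp src outside:203.0.113.11/53 dst inside:192.0.2.21/5353 by access-group "OUTSIDE_IN"',
    "garbage line without an ASA header",
]


def demo() -> List[Dict[str, object]]:
    """Only the two access-group deny (106023) lines survive the filter."""
    return filter_messages(SAMPLE_LINES, level="warnings", message_ids={"106023"})
```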