This post explains the IKE Debug message: “Duplicate first packet detected”
This event is logged when packets do not reach their destination, usually due to network routing problems. The Phase 1 IKE exchange between the tunnel peers fail at MM_WAIT_MSG2
( see: Troubleshooting ISAKMP Phase 1 Messages – Part 1 to understand the IKE Messages further)
1) IKE initator sends MM_SND_MSG1 and goes into MM_WAIT_MSG2 state
2) IKE responder receives MM_SND_MSG1 and sends MM_SND_MSG2 back to the initiator and goes into a MM_WAIT_MSG3 state, expecting MM_SND_MSG3 as the next exchage from the initiator
3) IKE initiator having not received MM_SND_MSG2 from the responder, resends MM_SND_MSG1, resulting in the “Duplicate first packet detected” being logged on the responder. Read more…
IPSec involves many component technologies and encryption methods. Yet IPSec’s operation can be broken down into five main steps. The five steps are summarised as follows:
|
Step 1 |
Interesting traffic initiates the IPSec process—Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process. |
|
Step 2 |
IKE phase one—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase two. |
|
Step 3 |
IKE phase two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers. |
|
Step 4 |
Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database. |
|
Step 5 |
IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out. |
A crypto map—is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPsec. This aide-memoir pulls together items from Cisco.com to provide a useful recipe and refresher. Read more…
Here is a handy way to use EEM to failover to a second ISP – use with a route-map:
Cisco EEM configuration: Read more…
This is the syntax to use to test SMTP relays. Commands are in bold:
telnet x.x.x.x 25
HELO mydomain.com
250 mobile.yourdomain.com Hello mydomain.com ([129.0.52.74]), pleased to meet you Read more…
This script is a simple, interactive way to backup and date-stamp your juniper Netscreen ISG/SSG (ScreenOS) firewall configurations. The script copies the configurations from the firewall using scp. Configurations older than one day ( -mtime +1) are archived off to a bz2 compressed file. Archives older than 60 days ( -mtime +60 ) are removed from the disk.
The usage is: nsb.sh [ip address / hostname of Netscreen]. (VIEW SCRIPT)
Read more…
FTP over SSL (ftps) – Explicit SSL vs. Implicit SSL / Active mode vs Passive mode
Explicit SSL:
ACTIVE MODE:
– A connection to the server is made on TCP/21 (ftp-control channel)
– A connection to the server is made on TCP-20 (ftp-data). Read more…
The steps to create the (Windows) .msi are as follows:
STEP 1: Download the ISO file from cisco.com software download navigator page (http://software.cisco.com/download/navigator.html ) Read more…
This aide-memoir describes and compares NAT configuration (Identity NAT, NAT Exemption/Identity NAT and also compares the syntax between ASA version 8.4.2 and below. There are some considerable differences to the syntax and some of the better-known commands have been deprecated. Read more…
It should be noted that many algorithms require the Cisco IOS to have access to the cleartext password.
The Vigenere algorithm is used to obfuscate the passwords (not really encrypt them as there is no encryption key) in order to prevent “shoulder surfing” from exposing passwords to someone who briefly looks at a running configuration.
If, however, someone gets hold of the configuration they can easily retrieve the passwords using the reverse translation of the Vigenere algorithm.
- This can be done using various “type-7” password crackers or indeed within the IOS itself
- Cisco IOS uses this level-7 encryption when the “service password-encryption” command is used. Here is a Perl Script which deobfuscates the Cisco Viginere password Read more…
Long Fat Pipes
High-capacity packet satellite channels are LFN’s (Delay 4 x 35‘800 km = 470ms RTT) and modern terrestrial long-haul fibre-optic paths will also fall into the LFN class. There are three fundamental performance problems with the current TCP over LFNs:
• Window Size Limit (2^16 or max 65k bytes) – Remedy: TCP option “Window scale”
• Recovery from Segment Losses – Remedy: TCP option “selective acknowledgement”
• Round-Trip Measurement – Remedy: TCP option “Time stamp” Read more…