Blogs

Cisco 1841 IPSEC Tunnel Failover Bug

Ran into a strange issue with crypto maps and IPsec tunnel failover on an 1841. We had a T1 link between the HQ site and the remote site. The EIGRP routing protocol was running across the WAN link. A backup DR IPsec tunnel was configured using a crypto map (standard config, no tunnel interface) across a Comcast cable link. The DR tunnel came up as soon as the T1 went down, and traffic failed over. But when the T1 was restored, traffic for the specific IP address that had been used as a test case on the 1841 router would not flow back across the IPsec tunnel.

rinetd troubleshooting

Had a situation on a Debian stable SGW firewall running the rinetd TCP proxy to redirect SMTP, RDP and web traffic on a backup T1 connection, where millions of log entries like this were being created:
Dec 1 19:40:21 server-name.domain.com rinetd[28467]: accept(0): Socket operation on non-socket

Understanding Linux /proc/cpuinfo

A hyperthreaded processor has the same number of functional units as an older, non-hyperthreaded processor. It just has two execution contexts, so it may achieve better functional-unit utilization by letting more than one program execute concurrently. If two programs compete for the same functional units, however, there is no advantage at all to having both running "concurrently": when one is running, the other is necessarily waiting on the same functional units. In /proc/cpuinfo this shows up in the topology fields: each logical processor has its own stanza, and a package whose siblings count is larger than its cpu cores count has hyperthreading enabled. The ht flag alone only says the CPU supports it; it stays set when hyperthreading is switched off in the BIOS.
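As an added example (not code from the original post), the following Python parses /proc/cpuinfo text and derives sockets, physical cores, threads per core and whether hyperthreading is actually on, using siblings versus cpu cores rather than the ht flag. The two samples are constructed here to show the flag still being advertised when hyperthreading is disabled.

```python
"""Derive physical cores, threads per core and whether hyperthreading is really
enabled from the text of /proc/cpuinfo (added example, not from the original post)."""


def _stanza(proc, core, siblings, cores):
    """Build one constructed /proc/cpuinfo stanza with the fields that matter."""
    return (f"processor\t: {proc}\nphysical id\t: 0\nsiblings\t: {siblings}\n"
            f"core id\t\t: {core}\ncpu cores\t: {cores}\n"
            f"flags\t\t: fpu pae sse2 ht nx lm\n")


# Constructed: one socket, two cores, HT enabled, so four logical processors.
SAMPLE_HT = "\n".join(_stanza(p, p % 2, 4, 2) for p in range(4))
# Constructed: same part with HT disabled in the BIOS; 'ht' flag still advertised,
# but siblings now equals cpu cores.
SAMPLE_NO_HT = "\n".join(_stanza(p, p, 2, 2) for p in range(2))


def parse_cpuinfo(text):
    """One dict per 'processor' stanza; stanzas are separated by blank lines."""
    entries = []
    for stanza in text.strip().split("\n\n"):
        entry = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry[key.strip()] = value.strip()
        if "processor" in entry:
            entries.append(entry)
    return entries


def _num(entry, key, default):
    try:
        return int(entry.get(key, default))
    except ValueError:
        return default


def summarize(entries):
    """Counts derived from the topology fields, plus the ht flag for comparison."""
    sockets = {_num(e, "physical id", 0) for e in entries}
    # A core is identified by (socket, core id); some VMs omit core id, in which
    # case each logical processor is treated as its own core.
    cores = {(_num(e, "physical id", 0),
              _num(e, "core id", _num(e, "processor", 0))) for e in entries}
    # Hyperthreading is on when a package exposes more siblings (logical CPUs)
    # than cpu cores. The 'ht' flag only says the CPU supports it and stays set
    # when HT is switched off in the BIOS, so it is not evidence on its own.
    return {
        "logical_cpus": len(entries),
        "sockets": len(sockets),
        "physical_cores": len(cores),
        "threads_per_core": len(entries) // max(len(cores), 1),
        "hyperthreading": any(_num(e, "siblings", 1) > _num(e, "cpu cores", 1)
                              for e in entries),
        "ht_flag": any("ht" in e.get("flags", "").split() for e in entries),
    }


if __name__ == "__main__":
    with open("/proc/cpuinfo") as fh:
        print(summarize(parse_cpuinfo(fh.read())))
```

Run it on a real box and compare threads_per_core with what you expect from the part number; a value of 1 together with ht_flag True means hyperthreading is supported but turned off.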

php.ini settings for debian apache2 vservers

php.ini:
enable_dl = Off
max_execution_time = 15
max_input_time = 15
memory_limit = 32M
log_errors = On
track_errors = On
error_log = /var/log/apache2/error.log
post_max_size = 32M
upload_max_filesize = 32M
mysql.allow_persistent = Off
mysql.connect_timeout = 10
session.save_path = /var/lib/php5
register_globals = Off
sendmail_path = /usr/sbin/sendmail -t -i -f www@www.thissite.com

Apache settings to match the nginx reverse proxy:
ServerRoot "/etc/apache2"
AcceptMutex flock
LockFile /var/lock/apache2/accept.lock
PidFile /var/run/apache2.pid
Timeout 10
KeepAlive Off

The short Timeout and KeepAlive Off are safe here because nginx, not the browser, holds the client connections; Apache only needs to serve one proxied request and release the worker. enable_dl = Off and register_globals = Off are the settings that matter most for security on a shared vserver.

nginx

We have been rolling out nginx to help scale up our websites that use Apache and PHP: http://www.richweb.com/nginx

Yahoo SMTP Error 554 Message not allowed - [320]

Caused by an incorrect clock on the sending SMTP client (the PC). The mail was relayed through an SMTP-AUTH Postfix server that had the correct time. Yahoo inspects all of the headers in the message, not just the host delivering it to their MX, so the Date: header written by the client with its wrong clock is visible to their filters even though every Received: header added by the relay is correct.
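One check for this, added here as an example and not part of the original post: compare the message's Date: header, which the client writes from its own clock, with the Received: timestamp the first relay stamped on the way in. A large gap points at a client with a wrong clock before Yahoo does. The messages below are constructed; the one-hour threshold is an assumption, not a Yahoo limit.

```python
"""Flag mail whose Date: header disagrees with the first relay's Received: stamp
(added example; the sample messages are constructed)."""
import email
from email.utils import parsedate_to_datetime

# Constructed sample: a workstation with a badly wrong clock submitted through
# an SMTP-AUTH Postfix relay that stamps the correct time in its Received: line.
BAD_CLOCK_MSG = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id 1LAbcD-0001xy-Zz
\tfor <user@example.net>; Tue, 02 Dec 2008 09:15:41 -0500
Received: from userpc (unknown [198.51.100.7])
\tby mail.example.com (Postfix) with ESMTPA id 7F2C1A3
\tfor <user@example.net>; Tue, 02 Dec 2008 09:15:40 -0500
Date: Sat, 03 Jan 2004 11:02:17 -0500
From: Someone <someone@example.com>
To: user@example.net
Subject: test

body
"""
# Same message from a client whose clock is right (two seconds before the relay).
GOOD_CLOCK_MSG = BAD_CLOCK_MSG.replace("Sat, 03 Jan 2004 11:02:17 -0500",
                                       "Tue, 02 Dec 2008 09:15:38 -0500")


def received_times(msg):
    """Timestamps from Received: headers in header order (newest hop first)."""
    times = []
    for hdr in msg.get_all("Received", []):
        stamp = hdr.rsplit(";", 1)[-1].strip()   # the date follows the last ';'
        try:
            times.append(parsedate_to_datetime(stamp))
        except (TypeError, ValueError):
            continue
    return times


def clock_skew(raw):
    """Seconds by which the sender's Date: leads (+) or lags (-) the first relay's
    Received: stamp, or None when either header is missing or unparseable."""
    msg = email.message_from_string(raw)
    hops = received_times(msg)
    if not hops or msg["Date"] is None:
        return None
    first_hop = hops[-1]   # relays prepend Received:, so the last is nearest the sender
    try:
        sent = parsedate_to_datetime(msg["Date"])
        return (sent - first_hop).total_seconds()
    except (TypeError, ValueError):   # bad date, or naive vs aware ("-0000" zone)
        return None


def is_suspicious(raw, max_skew=3600):
    """True when Date: and the first Received: disagree by more than max_skew seconds
    (the one-hour default is an assumption for this example)."""
    skew = clock_skew(raw)
    return skew is not None and abs(skew) > max_skew


if __name__ == "__main__":
    for name, raw in (("bad clock", BAD_CLOCK_MSG), ("good clock", GOOD_CLOCK_MSG)):
        print(name, clock_skew(raw), is_suspicious(raw))
```

Pointing this at a relay's queue or a mailbox of bounced messages finds the offending workstation without reading the Yahoo error text.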

SSH settings to minimize session timeouts

Place these settings in the SSH server (sshd) configuration file, /etc/ssh/sshd_config, and restart sshd:
ClientAliveInterval 120
ClientAliveCountMax 3
TCPKeepAlive yes
With these values sshd sends a keepalive through the encrypted channel every 120 seconds and disconnects the client after 3 go unanswered (6 minutes); the client-alive messages cannot be spoofed, unlike plain TCP keepalives, which only help the kernel notice a dead peer. The other, easier and safer way is for your desktop machine to send the keepalive messages. As root on your desktop (client) machine, edit /etc/ssh/ssh_config and add the line:
ServerAliveInterval 60
The same line in ~/.ssh/config works per user without root.

Deleting a Software Raid Array - Linux

In this case two swap partitions on two SATA drives had been accidentally forced into a RAID1 array, /dev/md1.
Stop the array:
mdadm --stop /dev/md1
Delete the array:
mdadm --remove /dev/md1
Zero the superblocks so the partitions are no longer detected as RAID members:
mdadm --zero-superblock /dev/sdc2
mdadm --zero-superblock /dev/sdb2
Return the partitions to use as swap:
mkswap /dev/sdb2
mkswap /dev/sdc2
Rescan the remaining arrays into the mdadm configuration:
echo "#New RAID SCAN" >> /etc/mdadm/mdadm.conf
mdadm --examine --scan >> /etc/mdadm/mdadm.conf
Then edit /etc/mdadm/mdadm.conf with a text editor and place the newly scanned ARRAY lines under the section:
# definitions of existing MD arrays
Remove the old /dev/md1 line from that section at the same time, and on Debian run update-initramfs -u afterwards so the copy of mdadm.conf inside the initramfs no longer tries to assemble the deleted array at boot.

Cisco ASA with Riverbed WAN Optimizer

Installed in an IPsec LAN-to-LAN tunnel environment. Riverbed's auto-discovery probe uses TCP option kind 76, which falls in the unassigned range 28-252. Some firewall configurations strip TCP options or drop packets carrying them (for example, a Cisco PIX firewall running 7.0 software may block the auto-discovery probe). On the ASA, allow the option through with a tcp-map:
access-list riverbed_tcp extended permit tcp any any
class-map tcp-traffic
 match access-list riverbed_tcp
tcp-map allow-probes
 tcp-options range 76 78 allow
policy-map global_policy
 class tcp-traffic
  set connection advanced-options allow-probes
The access list above matches any host to any host; restricting it to the Steelhead addresses limits which flows may carry unassigned TCP options through the firewall.
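As an added example (not from the original post or from Riverbed), the following Python parses the options area of a raw TCP header and reports whether a kind-76 probe option is present, which is the quickest way to confirm from captures on each side of the ASA whether the probe is being passed or stripped. The sample headers are constructed; the 10-byte kind-76 option payload is a placeholder, not Riverbed's actual probe format.

```python
"""Parse TCP options from a raw TCP header and spot Riverbed auto-discovery
probe options (kind 76) of the sort a firewall may strip or drop.
Added example; sample headers are constructed."""
import struct

UNASSIGNED_KINDS = range(28, 253)      # the unassigned range a strict firewall may clear
RIVERBED_PROBE_KINDS = range(76, 79)   # the kinds the ASA tcp-map above lets through


def build_tcp_header(src_port, dst_port, options=b""):
    """Constructed SYN header (seq/ack/checksum zeroed) carrying the given raw
    options, padded to a 32-bit boundary so the data offset is valid."""
    options += b"\x00" * ((-len(options)) % 4)
    doff = (20 + len(options)) // 4               # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        doff << 4, 0x02, 65535, 0, 0)
    return fixed + options


def parse_tcp_options(tcp_header):
    """Return [(kind, data), ...] from the options area of a TCP header."""
    doff = (tcp_header[12] >> 4) * 4
    if doff < 20 or doff > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:doff]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # End of option list
            break
        if kind == 1:                              # NOP has no length byte
            parsed.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def option_kinds(tcp_header):
    return [kind for kind, _ in parse_tcp_options(tcp_header)]


def has_riverbed_probe(tcp_header):
    return any(k in RIVERBED_PROBE_KINDS for k in option_kinds(tcp_header))


def unassigned_options(tcp_header):
    """Kinds a firewall that strips unassigned options would remove."""
    return [k for k in option_kinds(tcp_header) if k in UNASSIGNED_KINDS]


# Constructed options: MSS 1460, NOP, NOP, SACK-permitted, then a hypothetical
# 10-byte option with kind 76 (the real probe payload layout is Riverbed's).
PROBE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"
                 + b"\x4c\x0a" + bytes(range(1, 9)))
PROBE_SYN = build_tcp_header(40123, 80, PROBE_OPTIONS)
PLAIN_SYN = build_tcp_header(40123, 80, b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for name, hdr in (("probe SYN", PROBE_SYN), ("plain SYN", PLAIN_SYN)):
        print(name, option_kinds(hdr), "probe present:", has_riverbed_probe(hdr))
```

Feed it the TCP header bytes of the same SYN captured inside and outside the ASA: kind 76 present on the inside and absent on the outside means the options are being stripped rather than the packet being dropped.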

Cisco ASA 5510 No Xauth IPSEC Bug

Problem Description: The ASA 5510 is the central-site firewall, with multiple IPsec tunnels to ASA 5505 remotes. One of the remotes is acting funny: the IPsec tunnel can be initiated from a ping inside command on the ASA 5510, but the 5505 cannot initiate the tunnel. Once the tunnel is up, traffic is two-way. After checking all the crypto map and no-NAT ACLs, and a reboot, I was left diffing (comparing) a working 5505 config with one that was not working. There were no differences other than the IP addresses. Both tunnel setups were identical on the central-site ASA 5510 as well.