VPN Anti-Replay drops

IPSEC-3-REPLAY_ERROR: IPSec SA receives anti-replay error
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
The above or a similar error message is logged when a Cisco device detects and mitigates an IPsec replay attack [RFC6479]. “IP Authentication Header” [RFC4302] and “IP Encapsulating Security Payload (ESP)” [RFC4303] define an anti-replay service that employs a sliding window mechanism. …

Assigning privilege levels on Cisco ASA with Radius

This article is based on the following software:
Cisco ASAv Software Version 9.12(2)9
Firepower Extensible Operating System Version 2.6(1.152)
ASDM Version 7.12(2)
Microsoft Windows Server 2016 with NPS as RADIUS server
You may have had an occasion where a user wanted access to an ASA firewall. You are hesitant to grant access, because you don’t …

Generate Cisco IOURC license with Python

SSH to the GNS3 server. This is better than using the VMware or VirtualBox console, as you’ll want to copy and paste later on.
1 – On the GNS3 server, select “Open Console”.
2 – Download the generator using the following command: https://srv-file14.gofile.io/download/0yjCRc/CiscoIOUKeygen3f.py
Note 1 (The URL is case …

Syslog Watcher

Syslog Watcher: https://syslogwatcher.com
Syslog Server: A syslog server collects, parses, stores, analyses, and explains syslog messages to professional network administrators, helping to improve the stability and reliability of the network. Syslog Watcher installs a dedicated syslog server, integrating log data from multiple network devices into a single, easily manageable and accessible place. Collecting and …

Testing multicast with VLC Media Player

Follow this document on how to set up multicast on Cisco routers: https://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/9356-48.html
We will focus only on VLC Media Player as a multicast source and receiver. Set up a multicast network with Windows 10 machines on both ends (1 receiver + 1 server). Linux should be okay also, but I was unable to receive with Debian …

F5 LTM Encrypted Cookie Insert Persistence

The purpose of a load balancer is to distribute client connections to multiple servers to increase load capacity and provide high availability. One common requirement of load balanced applications, since most application servers maintain session information on the local box, is that a client must stay locked to a single server for the duration …

AnyConnect Certificate Based Authentication.

In order to accomplish AnyConnect authentication using certificates, the AnyConnect client must obtain a valid certificate from the CA server; at the same time, the ASA must have the CA root certificate in order to properly validate the certificate of the connecting client.
1) Make sure you have an AnyConnect image applied in the …

Understanding NAT and NAT Rule Order (ASA 8.3+)

Understanding NAT and NAT Rule Order (ASA 8.3/8.4)
First of all, there is no such thing as ‘nat-control’ anymore, so you either define a NAT or you don’t. Traffic that does not match any NAT rule passes through the firewall without any translation (like NAT exemption but without explicitly configuring it, more …

EIGRP Named Mode

Great configuration comparison between legacy EIGRP and EIGRP Named Mode by IPexpert. A very good improvement with the new EIGRP syntax, neat sectioned config, and it totally makes sense, but what an annoyance… just when I thought “Ah, I’ll skip EIGRP cuz I know it all”. This shouldn’t be difficult to retain or figure out on the spot if …

The /31 Subnet

/31 Subnet – http://www.ietf.org/rfc/rfc3021.txt
So I’m working with GNS3 trying to perfect my BGP skills and decided to advertise a network of 210.69.1.1/24 which existed on my loopback 10 interface. For filtering purposes I needed a longer prefix to appear in the BGP table and I decided to change the mask to /30, but as I was …

STP’s Bridge ID

STP, RSTP, MST, PVST all share one common thing which is almost never discussed and rarely documented: the priority value in the BID.
MST – Multiple Spanning Tree. I had to dig to find stuff on this; there isn’t a lot of documentation around for MST. A good video that explains the basics can be found …

NAT / PAT

What a horror! Encountered a nasty one with Network Address Translation Overload; it took me a while to figure this one out.
NAT Overload
The Scenario:
WWW : 209.65.200.241/29
ISP : 209.65.200.254/29
    : 209.65.200.226/30
R1  : 209.65.200.225/30
    : 10.1.1.1/30
R2  : 10.1.1.2/30
As you can see, R1 has …

Introduction

Spent the last 10 years in the server world with some network knowledge and, like most server engineers / MCSE / MCITP folk, I thought I knew it all. Yes sir, I can ping and I can subnet and I can do port forwarding, I even know all the well known ports, oh by the …