Cisco IPS doesn’t like ICMP redirects

I’ve been trying to figure out why a pair of Cisco IPSs (AIP-SSMs in this case) wouldn’t auto-update signature files or connect to the new Global Correlation feature. The management interfaces were located on a subnet between the firewall and the internal L3 switch. The internal LANs are on the other side of the switch.

I’ve known for a long time that Cisco ASAs don’t support sending ICMP redirects. Because of this the IPSs’ default gateway couldn’t be set to the FW interface; if I did that they would never be redirected to reach the internal networks. I’ve never had a problem with IOS sending ICMP redirects, though, so the IPSs have been using the switch VLAN interface as the default gateway. The switch sends ICMP redirects when the IPS needs to get out to the internet, and the traffic goes direct to the firewall.

Except it doesn’t. I could swear it did at one time in the past. Either my memory is faulty or an image update on the IPS broke it. Now it seems the IPS tosses ICMP redirects. My guess is that it worries about man-in-the-middle attacks, and an ICMP redirect is a possible sign of one. So even though the switch is doing the correct thing, the IPS disregards it.
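To make concrete what the switch is actually telling the IPS, here is an added example (my code, not the post author’s and not anything shipped on the IPS) that builds an ICMPv4 Redirect the way RFC 792 lays it out, decodes it, and applies the RFC 1122 sanity checks a cautious host performs before honoring one: the redirect must come from the current first-hop gateway and must point at a gateway on the local subnet. The addresses and the packet bytes are constructed for illustration. A device that refuses redirects outright, as the post describes, never gets as far as these checks, which is why a static route or a different gateway is the fix.

```python
"""Build, parse and sanity-check an ICMPv4 Redirect (type 5).

Added example, not code from the original post. All addresses below are
assumptions chosen for illustration, not the author's network.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5
REDIRECT_CODES = {
    0: "redirect datagrams for the network",
    1: "redirect datagrams for the host",
    2: "redirect for the type of service and network",
    3: "redirect for the type of service and host",
}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(router: str, new_gateway: str, host: str,
                   original_dst: str, code: int = 1) -> bytes:
    """Return an IPv4 packet router->host carrying an ICMP Redirect.

    Per RFC 792 the redirect quotes the IP header plus the first 8 bytes of
    the datagram that triggered it (host -> original_dst).
    """
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                        ipaddress.IPv4Address(host).packed,
                        ipaddress.IPv4Address(original_dst).packed)
    inner += b"\x00" * 8  # first 8 bytes of the quoted TCP segment (constructed)
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + inner
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        ipaddress.IPv4Address(router).packed,
                        ipaddress.IPv4Address(host).packed)
    return outer + icmp


def parse_redirect(packet: bytes) -> dict:
    """Decode an IPv4/ICMP redirect; raise ValueError if it is not one or is corrupt."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    sender = str(ipadd<br>ress.IPv4Address(packet[12:16])) if False else str(ipaddress.IPv4Address(packet[12:16]))
    icmp = packet[ihl:]
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    if icmp_type != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect")
    if _checksum(icmp) != 0:  # a valid checksum sums to zero when re-checked
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    return {
        "from_router": sender,
        "code": code,
        "meaning": REDIRECT_CODES.get(code, "unknown"),
        "new_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "original_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def redirect_is_plausible(redirect: dict, host_cidr: str, current_gateway: str):
    """RFC 1122 host checks: sent by the current gateway, new gateway on-link."""
    local_net = ipaddress.ip_interface(host_cidr).network
    if redirect["from_router"] != current_gateway:
        return False, "sender is not the host's current first-hop gateway"
    if ipaddress.IPv4Address(redirect["new_gateway"]) not in local_net:
        return False, "advertised gateway is not on the local subnet"
    return True, "passes RFC 1122 sanity checks"


if __name__ == "__main__":
    # Constructed scenario: switch SVI 10.1.1.1 redirects IPS 10.1.1.50 toward
    # firewall 10.1.1.254 for internet destination 203.0.113.7.
    pkt = build_redirect("10.1.1.1", "10.1.1.254", "10.1.1.50", "203.0.113.7")
    info = parse_redirect(pkt)
    print(info)
    print(redirect_is_plausible(info, "10.1.1.50/24", "10.1.1.1"))
```

The checks in redirect_is_plausible are the minimum a host should apply; a management appliance that drops all redirects is being stricter still, trading routing convenience for immunity to spoofed redirects, so its route table has to be complete on its own.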

I moved the IPS management interface to one of the internal LANs and all is happy now.

Blue Iris for video security

Zoneminder, argh. I’m not sure how much time I’ve put into getting Zoneminder to work, but it’s a lot. There’s just something about it that confounds me, whether it’s because of the underlying OS or hardware problems… Zoneminder seems to be the typical open source Linux app: very capable, ugly as sin and exceedingly difficult to get working right, unless you are the geek “they” designed it for.

So, I’ve decided to punt. At some point getting something done becomes more important than playing and learning. I bought my PV149 card from BlueCherry some time ago and I check back in with them from time to time. They’ve long had a reference to Blue Iris as a Windows alternative. I’m trying it out and so far it couldn’t be easier to use. I’m a little concerned that it doesn’t handle load as well and is banging on the server pretty hard, but it seems to be getting by ok.

I’ll report back once I’ve played with the motion detection and the alerting system.

If Cisco.com falls over, does it make a sound in the media?

I’m mystified as to how Cisco.com can go down worldwide for 2+ hours during business hours and there is virtually nothing in the news about it. I managed to find this reference in The Register, which is not surprising as the outage hit the UK in the middle of the day. I’ve not found any other comments.

How is it that the king of the networking world, preacher of all things BC/DR, can be down for 2+ hours and no one thinks it’s a big deal?

If nothing else, it sure would be nice to get a root cause analysis from Cisco so we can have a “teaching moment”. If there’s a scenario where arguably the most savvy networking company in the world can suffer a catastrophic failure of a high availability service, we would all be well served to understand the details.

And Cisco’s response about the dangerous power failure at the data center that I tweeted about? I’m not buying that. If that happened then it should have shut down and failed to the DR site. I can’t believe that Cisco has all of Cisco.com in a single data center.

This is like your parents telling you every day not to smoke and then you catch them puffing away one day.

What’s the deal Cisco???

Cisco AnyConnect Essentials

I recently discovered this new Cisco AnyConnect Essentials license being touted for the 8.2 code for ASAs. It took me a little while to parse the cryptic description on Cisco’s site, but it seems that you can now get client-based SSL for a couple hundred dollars depending on the ASA model. That’s up to the platform-supported max!

If you want the web portal “clientless” SSL VPN you have to pay the previous crazy pricing for the “Premium” license. For most people this won’t matter, and what it means is essentially a cheap SSL client solution now. Woohoo!

This guy seemed to confirm my thoughts.

Dude stole my theme too! 🙂

NorcoTek RPC-450 install

I didn’t see much in the way of review info on the NORCO RPC-450 4U Rackmount Server Case. On top of that, the pics almost always showed a microATX motherboard installed, which was nice for having lots of room left. However, I had an Extended ATX or EEB motherboard that I wanted to get into this thing, so it was a little bit of a gamble when I ordered it. I’m pretty happy with the results, although there are caveats and some tight areas. Without further ado, the review:

Newegg shipped this thing double boxed and it arrived in fine condition.  I don’t live very far from the New Jersey distribution warehouse and I’m lucky enough to get stuff from them within a day or two.

[Photo: NorcoTek RPC-450, unboxed case]

The RPC-450 comes with 2 big 120mm fans up front. Once you remove those you can slide out the drive cages. What’s cool about this is that the drive cages are kind of like 5-in-3s. As you can see in this pic, the space could support 3 5.25″ drives vertically, but with the cages installed there are slots for 5 3.5″ drives. The 2 cages slide in and out using the same locking tabs you’d use for drives.

[Photo: NorcoTek RPC-450, front fans and drive cages]

On to the motherboard installation. The EEB size motherboard really does fill the space. Making matters worse, the fans and heatsinks for the dual Xeons are located way up at the front of the motherboard. Here you can see how close one of the fans is to the frame:

[Photo: NorcoTek RPC-450, CPU fan against the frame]

In this pic you can see my thumb 🙂 and also how close the installed optical drive is. If the fans are any taller you aren’t getting the optical drive in.

[Photo: NorcoTek RPC-450, clearance to the optical drive]

You can see here that this fan problem also means you can’t put more than 2 hard drives in the middle cage. Anything below that and the plugs would interfere with the fans:

[Photo: NorcoTek RPC-450, middle drive cage and fans]

Just an overhead shot. The power supply fit easily and didn’t get in the way. I didn’t get my hands all hacked up either like is common when I’m working in some cases. Most of the edges really are rolled.

[Photo: NorcoTek RPC-450, overhead shot]

So, in the end, it works. If you have a smaller motherboard you’ll have almost no problems. I got a second case for my Unraid setup, and that used a MicroATX motherboard. Lots of space, and the cooling has been excellent. The same setup in a Cooler Master CM690 had the 1TB Hitachi drives hitting 40C+. In this case, with the 120mm fans blowing right across them, I’m usually in the high 20s on the Hitachi and only occasionally does it hit 30C. That’s a lot of peace of mind for the life of my drives.

All pics are here http://picasaweb.google.com/mdgeek/NorcoTekRPC450# although the rest are fairly blurry.

I hate Java.

I might have mentioned that before.  In case I didn’t… I hate Java.  Now, today’s issue didn’t come directly because of Java, but it was the result, and an obscure one at that.

I’ve been struggling with a client issue that basically boiled down to slow or non-responsive websites that were passing through IOS firewalls.  Most websites would work fine, and if we re-routed the traffic to another outbound connection that had an ASA it would work perfectly.  Also, if we connected a laptop directly to these remote site internet connections it would be smooth sailing.  So obviously something was unhappy on the IOS firewall.  I tried changing MTU, MSS, disabling the Websense (urlfilter) connection.  All kinds of different things!  Nothing made a bit of difference.

I decided to run the Tweak Test over at dslreports.com to see what the MTU and MSS results would be, thinking that’s still what I needed to fix.  Tweak Test is a Java applet.  I had someone onsite run it and I happened to be watching the console at the same time.  All of a sudden I start seeing “FW-3-HTTP_JAVA_BLOCK” messages popping up.  WTH!  So, I figure out that Java is blocked by default on IOS firewall.  Here’s the fix:

! standard ACL 3 matches every server address as a permitted Java applet source
access-list 3 permit any
! attach the ACL to HTTP inspection so applets from matching servers are not blocked
ip inspect name inspect http java-list 3

Yep, basically add the ACL for any and then add java-list to the end of the http inspect.  I also have a urlfilter on the end to maintain the Websense checks.  ARGH!  I decided to try my problematic website, of which enterprise.com happens to be one, and it popped right up.  I never got an error message about Java before trying to run this app on dslreports.com.  I never saw reference to a Java problem in any of my debugs.
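Two things a practitioner would want on top of the fix above: a way to see which servers the firewall is blocking applets from before touching the config, and an ACL that permits only those servers rather than any. Here is an added example (my code, not the post author’s) that parses FW-3-HTTP_JAVA_BLOCK syslog lines, tallies the blocking by server, and renders a java-list ACL for just those servers. The log lines are constructed to match the shape of the IOS message; the addresses, the ACL number 3 and the inspection rule name “inspect” are assumptions carried over from the snippet above.

```python
"""Summarise IOS CBAC Java-block syslog and render a least-privilege java-list ACL.

Added example, not code from the original post. SAMPLE_LOG is constructed to
follow the shape of the %FW-3-HTTP_JAVA_BLOCK message; addresses are made up.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_LOG = """\
Jun 10 14:02:11.123: %FW-3-HTTP_JAVA_BLOCK: JAVA applet is blocked from (192.0.2.10:80) to (10.20.30.40:51234).
Jun 10 14:02:12.004: %FW-3-HTTP_JAVA_BLOCK: JAVA applet is blocked from (192.0.2.10:80) to (10.20.30.41:51240).
Jun 10 14:02:15.981: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.20.30.40:51235) sent 513 bytes
Jun 10 14:03:40.500: %FW-3-HTTP_JAVA_BLOCK: JAVA applet is blocked from (198.51.100.7:8080) to (10.20.30.42:49152).
"""

# "from" is the web server delivering the applet, "to" is the inside client.
JAVA_BLOCK_RE = re.compile(
    r"%FW-3-HTTP_JAVA_BLOCK: JAVA applet is blocked from "
    r"\((?P<server>[\d.]+):(?P<sport>\d+)\) to \((?P<client>[\d.]+):(?P<cport>\d+)\)"
)


def parse_java_blocks(log_text: str) -> list:
    """Return one dict per Java-block event; other syslog lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = JAVA_BLOCK_RE.search(line)
        if m:
            events.append({
                "server": m.group("server"),
                "server_port": int(m.group("sport")),
                "client": m.group("client"),
                "client_port": int(m.group("cport")),
            })
    return events


def blocked_servers(log_text: str) -> Counter:
    """Count blocked applet deliveries per server address."""
    return Counter(e["server"] for e in parse_java_blocks(log_text))


def java_allow_config(servers, acl_number: int = 3, inspect_name: str = "inspect") -> str:
    """Render IOS config permitting applets only from the given servers.

    This narrows the post's 'permit any' to an explicit server list; the
    ACL number and inspect rule name are assumptions taken from that snippet.
    """
    lines = [f"access-list {acl_number} permit {s}"
             for s in sorted(set(servers), key=ipaddress.IPv4Address)]
    lines.append(f"ip inspect name {inspect_name} http java-list {acl_number}")
    return "\n".join(lines)


if __name__ == "__main__":
    counts = blocked_servers(SAMPLE_LOG)
    for server, n in counts.most_common():
        print(f"{server}: {n} blocked applet(s)")
    print(java_allow_config(counts))
```

Run this over a day of syslog before changing the ACL; if the only servers showing up are the handful you expect, permitting those addresses keeps the default block in place for everything else.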

I know this wasn’t Java’s fault directly, but if Java wasn’t such a piece of garbage it might not have to be blocked by default.

iPhone VPN and Cisco IOS

I had quite a bit of trouble getting this to work the other day.  After some Googling I came across this thread over on 6200networks.com.  I had matched up the config he had listed just by chance, because I was also enabling an L2L VPN.  However, I still couldn’t get it to work.  The trick was to change the IPsec transform set to AES-256.  After that it was smooth sailing.  I posted a comment over there but he hasn’t approved it yet.

I’ve discovered ISAKMP profiles too.  Very cool!