Is it still worth getting a CCIE?

July 25, 2012 at 10:58 am (Opinions, Technology)

I’ve been thinking a lot lately about whether I still want to pursue a CCIE, and if so, which one.  There are so many to choose from.  Today I spoke to a wise, senior associate of mine and asked him this question.  His advice was invaluable.  His suggestion was to study for a CCIE in a specialty that interests you.  Why?  Because you need some really good motivation to keep working towards it on a constant basis.  Excellent advice!

Although I have my CCNP in routing and switching, the CCIE that really interests me is CCIE Data Center.  This is because it contains many of the things that interest me and that I already work with on a day to day basis:

  • storage
  • switching
  • routing
  • virtualization
  • security

Anyhow, I need to do more research about the best way to prepare for the CCIE Data Center written exam.  If you have any suggestions, please post them as comments to this article.

Speaking of articles, I also ran across this great one regarding whether or not it’s still worth trying to get the CCIE.  If you read the article, make sure you take time to read the comments too.  There’s some really good stuff there.



No security exception for SSL EV certificates in Firefox 3.6.17

May 18, 2011 at 10:05 am (Technology)

Today I learned something new about Firefox 3.6.17. I was migrating an SSL EV certificate from an IIS server onto a Virtual Server that is located on a KEMP LoadMaster. This test server on the LM is running a prototype/test site. Therefore, the domain name doesn’t match the domain name that the SSL cert was created for. This normally creates an SSL name-mismatch error in the web browser, which the user can then bypass; in Firefox this is called adding a “Security Exception”. I went to add this exception and found that Firefox wouldn’t allow me to add it. What’s interesting is that the exception window tells you that the identification of the certificate is so positive that there is no reason for you to add an exception.

This site provides valid, verified identification. There is no need to add an exception.

I think this is a good thing.  It really helps make EV certificates stronger and adds value to them.  I guess I’ll go back to using a self-signed certificate for testing.

No security exception.


Getting err-disable when trying to bring up EtherChannel.

June 21, 2010 at 11:51 am (Technology, TechTips, Uncategorized)

Recently I was trying to bring up an EtherChannel connection between a Catalyst 3750 and a Catalyst 4507.

I was going to join 4 ports together.  One from each of the first 4 blades on the 4507.  It is good to use several blades to protect against a blade failure.

However, when I went to bring up the bundle using LACP, within seconds all bundled ports were shut down and this logging message popped up:

%PM-4-ERR_DISABLE: channel-misconfig (STP) error detect on GigabitEthernet1/0/45.

I was really stumped as to what was causing this.  Google searching did not really return any clear answers.

The message was stating that the error was somehow related to Spanning Tree Protocol.  I turned on all Spanning Tree debugs and re-enabled just the first port again, but the debugs didn’t show anything unusual happening.  What was interesting is that this error was only occurring on the 3750; no errors were showing up on the 4507.  I double checked the STP root bridge priorities, etc.

I started to go through the running-config on the 3750 with a fine-toothed comb.  It was then that I noticed this config towards the top:

spanning-tree etherchannel guard misconfig

This config intrigued me.  I had not noticed it before and I was unclear as to what it might do.  I no’d out the command and again tried to bring up just the first interface in the bundle.  No cigar, same epic fail.  At this point, I saved the config (write me) and reloaded the switch.  Once the switch was back up, I again tried to bring up the bundle members, but in reverse order, starting with gi1/0/48 and moving towards gi1/0/45.  One by one, they were each able to join the bundle.  Finally, I went to bring up the last interface, gi1/0/45.  It came up, however the command show etherchannel 2 summary showed that it was in the waiting state.  This is indicated by state w.  It seemed to stay in waiting for about a minute until it changed to I.  The status I indicates that the port is individual and not part of the bundle.

I thought that it was strange for gi1/0/45 to go to individual mode.  I then traced the cabling from gi1/0/45 on the 3750 to fa3/3 on the 4507.  “Now just you wait a sec!”  I found that I had accidentally cabled to port fa3/5 instead.  This was the wrong port and was not configured to be part of the etherchannel.

Wow, so

spanning-tree etherchannel guard misconfig

was trying to tell me that I had a mis-cabled port!  That’s pretty sweet.  I did a quick Google search on the command and found that, essentially, it lets EtherChannel use STP to detect misconfigurations (including messed-up cabling).

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/stp_enha.html#wp1029499

This story has two morals:

1) Definitely configure STP etherchannel guard misconfig.  That command is just another of those that will watch your back.  You just gotta love those commands.

2) If your ports are going err-disabled and you’re getting that odd STP misconfig error, remember to go check your cabling and which ports are config’d.

Happy Routing!


Can’t SSH into ASA?

May 19, 2010 at 11:04 am (Technology, TechTips)

Something strange happened today when I went to SSH into my ASA cluster.

Upon running ssh I got this error message:

ssh_exchange_identification: Connection closed by remote host

I started Google searching for information on this error message and found some people writing that the error could be resolved by making some changes on the client.  If you view the log on the ASA, you will see an error message that states:

Fail to establish SSH session because RSA host key retrieval failed.

This indicates that the problem is not with the client at all.  Rather, the problem is with the server end, in this case, the ASA.  The issue is that the ASA does not have an RSA host key.

Resolve this issue by running the commands below in the CLI.  Remember that you can still run CLI commands from the ASDM: launch the ASDM, click on Tools, click on Command Line Interface, then click on Multiple Line.

Commands to run:

conf t
crypto key generate rsa modulus 2048
wr mem

Now you should be able to log in just fine.

See this link for more information on SSH configuration on the ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml


iQstor report commands

March 8, 2010 at 4:22 pm (Technology, TechTips)

Are you like me and need to generate system reports from your iQstor SAN units for debugging purposes?

Well then you’re in luck!  Below you will find the commands that will run the report command on both controllers.  It will also run the syslogd command on both controllers.  Simply specify the start and end dates for the syslogd command.

This will send the output to the terminal that you are on.  So, if you are going to telnet into the controllers, I suggest that you use the script tool to start your telnet session.  Then when you are done, you just ctrl-d out of script and you’ll have the output files ready to send back to iQstor for them to look at.

And without further delay, here are the commands:

report
rrcii -C report
syslogd -q -a 3/4/10 -b 3/8/10
rrcii -C {syslogd -q -a 3/4/10 -b 3/8/10}


Useful OpenSSL commands.

March 8, 2010 at 11:44 am (linux, Technology, TechTips)

Oftentimes I’ll find myself needing to do tasks with SSL certificates using OpenSSL.  I always need to look up the commands again and this takes time.  I became determined to not allow that to happen again.  This time I decided to write this quick cheat sheet of OpenSSL commands that I use often enough.  If you see a command here and know of a better way to do it, please post a comment with that information for me.

Generate a private RSA key:

openssl genrsa -out host.key 1024

Generate CSR:

openssl req -new -nodes -key host.key -out host.csr
Note:  Make sure that the CN (Common Name) is the FQDN of the site that this certificate is for.

Self Signed Certificate:

openssl x509 -req -days 30 -in host.csr -signkey host.key -out host.cert

View Certificate:

openssl x509 -in filename.cert -noout -text


Bad RAM on iQstor.

February 10, 2010 at 2:55 pm (Technology, TechTips)

I have an iQstor 2880 SAN device.  Recently I was logged into one of the controllers and noticed some strange error messages showing up on the console:

10:49:11, Wednesday, 02/10/2010
: EXCEPTION: Dram Error detected:      count=19 cause=4000 esr_c_0004=20000 esr_c_000C=0 esr_c_Lcause=1 esr_c_Lerr=7cc2a2b6
Dram Error being handled: count=19 cause=4000 esr_c_0004=20000 esr_c_000C=0 esr_c_Lcause=1 esr_c_Lerr=7cc2a2b6
Dram Error recovered:      count=19 cause=4000 esr_c_0004=20000 esr_c_000C=0 esr_c_Lcause=1 esr_c_Lerr=7cc2a2b6

If you see errors like this, it indicates that you have bad RAM on the controller that you are logged into.  Now, the important thing to note here is that these memory errors will only show up on the console of the controller that has the bad RAM.  The messages will not be placed into syslog OR copied to the console of all controllers.  The best way to verify which controller has the bad RAM is to open a telnet session to both controllers and leave them up for a while.  Wait for the console posted error to show up and then you have confirmation on which controller to switch out the memory on.

Now, if only iQstor would get the errors to trigger an alert, copy them to both consoles (with detail of which controller has the bad RAM), and send them to syslog.


dotDefender putting wrong result code in IIS log.

February 8, 2010 at 11:38 am (Technology, windows)

I work with an IIS server that has an application firewall called dotDefender.  This host also has a HIDS (Host-Based Intrusion Detection System) called OSSEC, which, by the way, I highly recommend; it is an excellent open-source software package.  One of the functions of OSSEC is to monitor the IIS logs looking for URL requests that match a pattern of potentially bad requests.  Once it spots one of these requests, it checks the HTTP result code.  If the result code is a success type, then OSSEC will generate an alert.  However, if the result code indicates that the request was not successful, then no alert will be generated.

I have been receiving many alerts from this web server about bad requests that have resulted in success.  To test exactly what was happening I manually recreated the process that the client makes connecting to the server to see what it responds with.

Trying 192.168.254.30...
Connected to www.mywebserver.com.
Escape character is '^]'.
GET /examples/jsp/source.jsp?%2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf HTTP/1.1
Host: www.mywebserver.com

HTTP/1.1 302 Denied
Connection: close
Date: Mon, 08 Feb 2010 14:49:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-dotDefender-denied: 1
Location: https://www.mywebserver.com/InvalidRequest.html
Content-Type: text/html

<html></html>Connection closed by foreign host.

Well, that looks good.  The client was given a 302 ‘Denied’ response.  Nice!  But what got logged by IIS for the transaction?

2010-02-08 14:49:09 W3SVC1 www 192.168.254.30 GET /examples/jsp/source.jsp %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 247 112 5125

Wowzers!  For some reason IIS has logged status code 200, ‘OK’, for that transaction.  This makes it look like that nasty URL has succeeded.  As a result OSSEC does its job and alerts me about that.

This behavior by dotDefender is completely wrong.  I’m guessing it’s likely a bug.  They probably don’t have dotDefender reporting the status code correctly into IIS.  I’d troubleshoot and fix it myself if I had access to the source code.  However, the application is proprietary so my hands are tied in that regard.  I have opened a support ticket with the provider AppliCure.  I’ll provide an update when I get more information from them.
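As an added illustration (not code from this post, from OSSEC or from dotDefender), here is a small Python version of the check described above: parse IIS W3C log lines by their #Fields directive, match a crude traversal pattern after URL-decoding, and alert only when IIS logged a 2xx status. The #Fields header, the pattern list and the last two log lines are constructed; the first data line is the one quoted in the post.

```python
import re
from urllib.parse import unquote

# Constructed sample of an IIS W3C extended log (the #Fields directive and the
# last two data lines are made up for this example; the first data line is the
# one quoted in the post).
SAMPLE_LOG = """\
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2010-02-08 14:49:09 W3SVC1 www 192.168.254.30 GET /examples/jsp/source.jsp %2e%2e/%2e%2e/%2e%2e/%2e%2e/system/autoexec.ncf 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 247 112 5125
2010-02-08 14:50:12 W3SVC1 www 192.168.254.30 GET /index.html - 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 200 0 0 1024 90 12
2010-02-08 14:51:30 W3SVC1 www 192.168.254.30 GET /examples/jsp/source.jsp %2e%2e/%2e%2e/etc/passwd 80 - 192.168.254.1 HTTP/1.1 - - - www.mywebserver.com 302 0 0 247 112 7
"""

# Crude "potentially bad request" patterns, applied after URL-decoding so that
# %2e%2e/ and ../ are treated alike (hypothetical rules, not OSSEC's own).
SUSPICIOUS = [re.compile(r"\.\./"), re.compile(r"/etc/passwd"), re.compile(r"autoexec", re.I)]

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed lines rather than misalign columns
                yield dict(zip(fields, values))

def is_suspicious(entry):
    request = unquote(entry["cs-uri-stem"] + "?" + entry["cs-uri-query"])
    return any(p.search(request) for p in SUSPICIOUS)

def alerts(text):
    """Return (sc-status, cs-uri-stem, cs-uri-query) for suspicious requests that
    IIS logged with a 2xx status. As the post shows, a WAF that answers 302 but
    lets IIS log 200 will trip this rule; cross-check with the WAF's own log."""
    hits = []
    for e in parse_w3c(text):
        if is_suspicious(e) and 200 <= int(e["sc-status"]) < 300:
            hits.append((int(e["sc-status"]), e["cs-uri-stem"], e["cs-uri-query"]))
    return hits

if __name__ == "__main__":
    for status, stem, query in alerts(SAMPLE_LOG):
        print(f"ALERT {status} {stem}?{query}")
```

Only the quoted line fires: the second line is benign and the third was logged as 302, so no alert, which is exactly why a WAF writing 200 into the IIS log produces false alerts.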

Update #1 (Tue Feb  9 11:02:14 EST 2010):

AppliCure has confirmed that the issue is reproducible in their lab.  I actually have a ticket number now.  Exciting!

Update #2 (Tue Mar  2 09:57:40 EST 2010):

Well, I haven’t heard any news from AppliCure support on my ticket in a long time now.  I decided to contact support through the Online Support Chat widget.  For some reason, I never receive any emails from their support department.  They tell me that they are still investigating the issue.  They hope to have a fix in the next release.  The next release?  They can’t give me a fix for it?  Ouch.  They will call me to let me know when the next release is available and if it contains the fix.


New Chiller unit is coming in!

February 3, 2010 at 12:33 pm (Technology)

Well, the new Chiller unit for our Data Center is now being installed.  This is quite exciting, as we’ve needed another cooling unit to add redundancy and more tonnage for a while now.

We had to commandeer half of the kitchenette to turn into an additional mechanical room for the unit.  The doorway to this new room is pretty small.  You can see in the picture that it’s a tight squeeze to get the new unit through the door.  I’ll have to post again once it’s installed.

Chiller going through door.


Squid + HAVP + HTML 5 Video tag

July 1, 2009 at 11:12 am (linux, Technology)

Ok, so Firefox 3.5 came out yesterday and it now fully supports embedded video objects via the HTML 5 video tag.

Excitedly, I went to test the functionality of this new feature.  However, when testing against this URL: http://www.mozilla.com/en-US/firefox/video/ I found that the browser began to load the video but it appeared to just hang.  Now, I am using this browser on a network that sends all HTTP traffic through a proxy server which runs Squid, HAVP and SquidGuard.

After further investigation I determined that there was a default setting in the HAVP configuration file (/usr/local/etc/havp/havp.config) that was causing this issue.

Look for this section in the config file:

# Allowing Range is a security risk, because partial
# HTTP requests may not be properly scanned.
#
# Whitelisted sites are allowed to use Range in any case.
#
# Default:
# RANGE false

Change RANGE to:

RANGE true

Remember to restart your HAVP processes.

Now the browser will be able to play videos, since it fetches the video file in pieces using HTTP Range requests.  Keep in mind the trade-off stated in the config comment above: with RANGE enabled, partial requests may not be fully scanned by HAVP.

Let me know if this helped you out.

