EdgeOS 1.9.1 l2tp ipsec vpn

So upgrading to the latest firmware on my Ubiquiti EdgeRouter, in typical fashion, broke something I depend on: remote access to my home network.

The solution below was found in the forums. The poor fellow posted his problem on September 9, 2016. Engineers responded on January 27, 2017.

delete vpn l2tp remote-access outside-address
delete vpn l2tp remote-access outside-nexthop
set vpn l2tp remote-access dhcp-interface eth0

The official documentation states that outside-nexthop and outside-address have been deprecated.


Reference

https://community.ubnt.com/t5/EdgeMAX/ERL-1-9-X-Can-t-connect-to-l2tp-ipsec-vpn-server-after-router/td-p/1667212

Cisco Router Packet Forwarding

Process Switching

The router scans the entire routing table, searching for an exit interface that is connected to the destination network. Note that this is CPU intensive and is no longer common practice, because doing it for every packet would quickly bog down a router.

Fast Switching

Enabled by default on all interfaces that support fast switching. To conserve resources, the router builds a table in high speed cache to prevent process switching every packet it receives.

When a router receives a packet sent to a destination not already in cache, it will be process switched.

After finding the exit interface and determining the Next Hop IP, the router will place this information in the cache.

You can enable fast switching per interface by issuing

conf t
int fa0/0
ip route-cache

Review that fast switching has been enabled

Lab-C#show ip int fa0/0 | in IP fast
 IP fast switching is enabled
 IP fast switching on the same interface is disabled

You can view the table held in cache

show ip cache

You can review this process of placing entries in the cache by enabling packet debugging by issuing

debug ip packet detail

Keep in mind that when you have enabled packet debugging you can review process switching activity, however fast switched and CEF switched packets do not show up. So for the sake of troubleshooting it may be a good idea to disable fast switching (no ip route-cache) and CEF.

References

Intense School: Process Switching, Fast Switching, and CEF

Cisco Fast Switching

Cisco Verify CEF Switching

Gratuitous ARP

A client network interface configured for DHCP will issue a gratuitous ARP request after it has accepted an IP address offered by the DHCP server. It does this to detect whether any other local host already has the same IP address, in order to avoid a lasting address conflict.

The host in question will issue a gratuitous ARP request packet configured as follows:

Source Hardware Address (SHA): its own MAC address
Source Protocol Address (SPA): the DHCP assigned IP address
Destination Hardware Address: Broadcast MAC FF:FF:FF:FF:FF:FF
Destination Protocol Address: the DHCP assigned IP address

Since hosts are required to receive and process all ARP traffic, you can expect a gratuitous ARP reply if another host already has the IP address recently assigned. At this point the DHCP client will report the address conflict to the DHCP server.

Although the DHCP server will initially ping the IP it intends to assign as a preventative measure, it is possible that the ARP table on the DHCP server is not accurate. Therefore a local host could be lurking on the network with the IP in question under a MAC address that differs from, or is missing from, the DHCP server's ARP table.
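To make the packet layout above concrete, here is an added Python example (not from the original post) that packs and parses the RFC 826 ARP body, builds the gratuitous request described above, and runs the conflict check a DHCP client performs over a set of overheard packets. The MAC and IP values used are constructed.

```python
import struct

# RFC 826 ARP body for Ethernet/IPv4: 28 bytes, network byte order.
ARP_FMT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET, PTYPE_IPV4, OP_REQUEST, OP_REPLY = 1, 0x0800, 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def _mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def _bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)
def _ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))
def _bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Pack one ARP body in the SHA/SPA/THA/TPA field order of RFC 826."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       _mac_to_bytes(sha), _ip_to_bytes(spa),
                       _mac_to_bytes(tha), _ip_to_bytes(tpa))

def build_gratuitous_arp(mac, ip):
    """The packet the text describes: a request whose SPA and TPA are both our new lease."""
    return build_arp(OP_REQUEST, mac, ip, BROADCAST_MAC, ip)

def parse_arp(data):
    """Unpack an ARP body into a dict; raises ValueError on short or non-Ethernet/IPv4 input."""
    if len(data) < struct.calcsize(ARP_FMT):
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": _bytes_to_mac(sha), "spa": _bytes_to_ip(spa),
            "tha": _bytes_to_mac(tha), "tpa": _bytes_to_ip(tpa)}

def is_gratuitous(pkt):
    return pkt["op"] == OP_REQUEST and pkt["spa"] == pkt["tpa"]

def find_conflicts(my_mac, my_ip, packets):
    """Conflict check in the spirit of RFC 5227: every sender MAC other than ours that
    claims my_ip, whether in a reply to our announcement or in any ARP we overhear."""
    offenders = set()
    for raw in packets:
        pkt = parse_arp(raw)
        if pkt["spa"] == my_ip and pkt["sha"].lower() != my_mac.lower():
            offenders.add(pkt["sha"])
    return offenders
```

An empty set from find_conflicts means nobody answered for the address and the lease can be kept; a non-empty set is what the client reports back to the DHCP server.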

References:

RFC 826: Ethernet Address Resolution Protocol

RFC 5227: IP Address Conflict Detection

Wireshark: Gratuitous ARP

Slot Naming Convention

When matching physical interfaces on a router to what we see in the CLI it is important to understand the Cisco slot naming convention. Cisco numbers slots, subslots, and ports right to left, then bottom to top.

Convention is Slot#/Port# or Slot#/Subslot#/Port#

Review available interfaces from the CLI by issuing the command:

show ip interface

Built-in interfaces belong to Slot 0.  For example, the 2811 router has two built in Fast Ethernet ports. From the CLI they are identified as Fa0/0 and Fa0/1

Say I plug a WIC-2T serial module into subslot 0. From the CLI its interfaces are identified as S0/0/0 and S0/0/1. This shows the WIC-2T module belongs to slot 0, subslot 0, and we have two interfaces available at ports 0 and 1.

To illustrate another slot, slot 1, I plug in a network module extension (NME) known as the NM-1FE2W. This has one Fast Ethernet interface and provides two additional subslot spots for wide interface card (WIC) modules above it. In the following illustration you can see I have added another WIC-2T to the NM-1FE2W.

As a result I now have two more serial interfaces that are identified in the CLI as S1/0/0 and S1/0/1.

Finally, I populate subslot 1 of the previously installed NM-1FE2W with a four-port switch interface card, the HWIC-4ESW. From the CLI you’ll observe four new interfaces: Fa1/1/0, Fa1/1/1, Fa1/1/2, and Fa1/1/3.

After adding the NME and all WICs you have access to the following interfaces:

Router>show ip interface
FastEthernet0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial0/0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial0/0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet1/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial1/0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial1/0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet1/1/0 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/1 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/2 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1/1/3 is up, line protocol is down
  Internet protocol processing disabled
Vlan1 is administratively down, line protocol is down
  Internet protocol processing disabled

Below is a screen shot of what my Cisco 2811 router looks like in Packet Tracer.

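As an added example (not part of the original post), the following Python applies the slot/subslot/port convention in code: it parses interface names into their parts and rebuilds the module layout of the 2811 above from its show ip interface status lines. It handles only the name forms this post describes.

```python
import re

# Cisco names physical ports <type><slot>/<port> or <type><slot>/<subslot>/<port>;
# a name with no slash (Vlan1) is a logical interface with an index, not a port.
_NAME_RE = re.compile(r"^(?P<kind>[A-Za-z-]+?)(?P<nums>\d+(?:/\d+){0,2})$")
_STATUS_RE = re.compile(r"(?P<name>\S+) is (?P<admin>.+?), line protocol is (?P<proto>\w+)")

def parse_interface_name(name):
    """'Serial1/0/1' -> slot 1, subslot 0, port 1; 'Fa0/1' -> slot 0, no subslot, port 1."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised interface name: {name}")
    nums = [int(n) for n in m.group("nums").split("/")]
    if len(nums) == 1:  # Vlan1 and similar: no physical slot at all
        return {"kind": m.group("kind"), "slot": None, "subslot": None, "port": nums[0]}
    subslot = nums[1] if len(nums) == 3 else None
    return {"kind": m.group("kind"), "slot": nums[0], "subslot": subslot, "port": nums[-1]}

def module_inventory(show_output):
    """Group the interfaces in `show ip interface` output by (slot, subslot): each key is
    one physical module (built-in ports, a WIC, or a network module) as the text describes."""
    modules = {}
    for m in _STATUS_RE.finditer(show_output):
        iface = parse_interface_name(m.group("name"))
        if iface["slot"] is None:
            continue  # logical interface, belongs to no module
        modules.setdefault((iface["slot"], iface["subslot"]), []).append(m.group("name"))
    return modules

# Sample input: the 2811 status lines from the text, one interface per line.
SHOW_IP_INTERFACE = """
FastEthernet0/0 is administratively down, line protocol is down (disabled)
FastEthernet0/1 is administratively down, line protocol is down (disabled)
Serial0/0/0 is administratively down, line protocol is down (disabled)
Serial0/0/1 is administratively down, line protocol is down (disabled)
FastEthernet1/0 is administratively down, line protocol is down (disabled)
Serial1/0/0 is administratively down, line protocol is down (disabled)
Serial1/0/1 is administratively down, line protocol is down (disabled)
FastEthernet1/1/0 is up, line protocol is down
FastEthernet1/1/1 is up, line protocol is down
FastEthernet1/1/2 is up, line protocol is down
FastEthernet1/1/3 is up, line protocol is down
Vlan1 is administratively down, line protocol is down
"""
```

Running module_inventory over the sample yields five keys: (0, None) for the built-in ports, (0, 0) for the first WIC-2T, (1, None) for the NM-1FE2W's own port, (1, 0) for the second WIC-2T and (1, 1) for the HWIC-4ESW.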

Destination Unreachable vs Request Timed-Out

According to Mr. Lammle:

If a packet is lost on the return to the originating host we will probably see a request timed-out because of an unknown error.

If a packet is lost on the way to its destination, we will see a destination unreachable message. The typical cause is that a router along the way does not possess a route to the destination.

To summarize, a packet can successfully reach its destination and on the return can be dropped at the destination host or a successive router because a needed route does not exist.

Locate and uninstall Windows Product Key

Recently I began preparing a Task Sequence in Microsoft System Center Configuration Manager (SCCM) to upgrade workstations from Windows 8.1 Pro to Windows 10.

A goal of mine was to conserve the product keys we had purchased so they wouldn’t go to waste.

Here is a short Powershell script that could be included as a step in a Task Sequence to accomplish this goal.

# slmgr is a VBScript, so run it under cscript; /dlv prints the detailed licence information.
$dlv = cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
# Pick out the "Application ID:" line and take everything after the first colon,
# rather than relying on a fixed SubString offset that breaks if the output shifts.
$line = $dlv | Select-String -Pattern "Application ID:" | Select-Object -First 1
if (-not $line) { Write-Error "Application ID not found in slmgr /dlv output"; exit 1 }
$id = ($line.Line -split ":\s*", 2)[1].Trim()
Write-Output $id
# Uninstall the product key so it is released before the Windows 10 upgrade.
cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" /upk $id

Restart Ubiquiti Edgerouter Remote Access VPN

After connecting to my home lab the day before, today no dice.

Connecting from the same site as yesterday, I enabled the hotspot on my iPhone and connected my laptop to the personal WiFi.

At that point I could bring up the VPN back home.

At the router I issued show vpn debug to check things out. To my surprise I found the router still had an active SA from my last connection.

Security Associations (1 up, 0 connecting):
remote-access[2]: ESTABLISHED 9 hours ago,

I was able to tear down this SA by issuing restart vpn from operational mode, where the prompt looks like you@edgerouter:~$, not from configure mode; the command is not available there.


Reddit – Link list

For my sake I posted this comment from a Moderator on Sysadmin that points at resources for learning more about a variety of topics including Cisco networking, Linux, Microsoft and information security.

Another recommendation is to peruse the Gilded posts in this forum, a list of some of the best posts as voted up by the community.

https://www.reddit.com/r/sysadmin/gilded

Using iPerf to test bandwidth

We can measure link bandwidth between two hosts by using iPerf.

Configure the server:

iperf -s -u

Configure the client:

iperf -c 172.20.255.254 -u -b 100m  -d -i 1

  1. -c Run as a client and connect to the server at IP 172.20.255.254
  2. -u Use UDP as the layer 4 transport instead of the default, TCP
  3. -b Send the UDP traffic at a target bandwidth of 100 Mbit/s
  4. -d Run the test in both directions simultaneously
  5. -i Print an interim report every 1 second until the test completes


References:

  1. https://www.sd-wan-experts.com/iperf-bandwidth-testing/
  2. https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf-and-iperf3/
  3. https://iperf.fr/

Send SYSLOG from Palo Alto to LibreNMS

Step 1 – Configure Server Profile used to send SYSLOG messages to a destination
Note: The Palo Alto Administrator's Guide states that by default all log data is forwarded over the MGT interface. In addition, we will have to create a Server Profile for each external service the firewall will interact with.

From your web based management console navigate to Device -> Server Profiles -> Syslog. You’ll configure the name, the IP address or FQDN of the syslog server, the port, and the format. Typically syslog messages are sent over UDP to port 514 in BSD format. IETF format is normally used over TCP/SSL.


Step 2 – Enable Log Forwarding
Navigate to Objects -> Log Forwarding.
We create a Log Forwarding Profile that specifies the Server Profiles we will be sending event logs to, in the form of SYSLOG and SNMP messages. You can set a severity threshold to define when messages are forwarded out of the Palo Alto to your log collector.


Step 3 – Add Log Forwarding Profile to a Security Rule
In this example I have created a security rule that governs DNS traffic generated in our LAN and destined for the Internet. My thought is that I would like to receive notice when any user on my network tries to resolve a name while bypassing our internal DNS servers. I edit this “Deny DNS Out” rule, navigating to the Actions tab, where we specify the Log Forwarding Profile created in step 2.

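As an added example that is not part of this post or any vendor code, the following Python shows the collector side of steps 1 and 2: it parses BSD-format syslog lines as sent over UDP/514, decodes facility and severity from the PRI field, and applies a severity threshold of the same kind the Log Forwarding Profile uses. The hostname, addresses and message bodies in the sample lines are constructed placeholders, not real firewall output.

```python
import re

# RFC 3164 ("BSD format") line as sent over UDP/514: <PRI>TIMESTAMP HOSTNAME MSG.
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{n}" for n in range(8)]

def parse_bsd_syslog(line):
    """Split the header and decode PRI = facility * 8 + severity; ValueError if malformed."""
    m = _BSD_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}

def at_least(record, threshold):
    """True when the record is as severe as `threshold` or worse; a lower index is more
    severe, which is the comparison a severity threshold on a forwarding profile makes."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(threshold)

def collect(lines, threshold="notice"):
    """Return the records a collector keeps at `threshold`, dropping malformed input."""
    kept = []
    for line in lines:
        try:
            rec = parse_bsd_syslog(line)
        except ValueError:
            continue
        if at_least(rec, threshold):
            kept.append(rec)
    return kept

# Constructed sample lines (placeholder hostname and addresses, not real firewall output).
SAMPLE = [
    "<13>Mar  4 10:15:01 pa-fw-01 Deny DNS Out: 10.0.0.25 -> 198.51.100.53 udp/53 dropped",
    "<14>Mar  4 10:15:02 pa-fw-01 Allow Web Out: 10.0.0.25 -> 203.0.113.9 tcp/443 start",
    "garbage the collector should skip rather than crash on",
]
```

With the default threshold of notice only the first sample line (PRI 13: facility user, severity notice) is kept; lowering the threshold to info keeps the second line as well.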