Category: Networking

Temporary disable failover on Cisco ASA

Peter Tavenier4 Comments

If you have a planned maintenance and you know you will hit your Failover LAN between two ASA’s in an Active/Standby configuration. If is very useful to temporary disable the Failover mechanism so the Standby firewall stays Standby and you don’t end up in a situation where you have two Active firewalls.

Below is an example output of the show failover output of an ASA 5520: (only relevant information is shown in this output)

firewall/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
...
        This host: Primary - Active
...
        Other host: Secondary - Standby Ready
...

Now login to the Standby firewall and disable failover very easily via the no failover command in configuration mode:

 
firewall/stby# conf t
firewall/stby(config)# no failover
INFO: This unit is currently in standby state. By disabling failover, this unit will remain in standby state.
firewall/stbyNoFailover(config)#

You can see on the output it adds NoFailover to the CLI prompt.

We’re back on the Active unit and you can see the Secondary in Disabled where it was previously Standby Ready:

firewall/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
...
        This host: Primary - Active
...
        Other host: Secondary - Disabled
...

If your maintenance is finished, you should enable the failover mechanism again on the Standby node:

firewall/stbyNoFailover(config)# failover
firewall/stby(config)# 

        Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.

firewall/stby(config)# end
firewall/stby#

Now you’re done, check you Active/Standby status again, this should be the same as the first show failover command in this post.

Splunk as monitoring tool

Peter TavenierLeave a comment

Last week I attended the Splunk Live! event in Amsterdam. This is an event which is organised by Splunk itself and is about learning the Splunk community about their product. Some speakers of the event Splunk CIO Doug Harr, Splunk Sales Engineer Marco Paniagua, but maybe even more interesting Splunk users Wiam Vos for Kadaster and Karl Lovink for Belastingdienst.

Splunk is an tool which collects data (any data!) of any amount, any location and any source. Since there is no upfront schema defined for Splunk you can really import any data you like. This is as Splunk tries to tell us the strength of their product. Splunk indexes all the data in receives on so called indexers and via a search-head you are able to search or view the data via a Dashboard. This can be done via basis search strings or via advanced graphs and/or apps.

Splunk can be downloaded and installed very easily. Once you installed it you can add sources an play around. Splunk indexes all the information you feed it and you can search an graph all that data in a way you like it. What is even greater is that you can use the Splunkbase to install apps. This can save you a lot of work since good apps are already developed by other people and you can use them to display specific needs. Some examples of apps to view application specific data are:

  • WMware
  • UCS
  • Netflow
  • Exchange

The default license is Free which gives you the ability to index 500MB per day. If you exceed this amount of data you need a Enterprise license. The price depends on the amount of data you index with Splunk per day. You also get some extra features like Access Control and Index Replication.

You could run Splunk in a virtual environment, but it is important to keep in mind that Splunk needs a lot of disk IO. therefor it might be better to use dedicated hardware for Splunk. To be sure the Splunk performs well on a virtualized environment you could give several Splunk virtual machines a dedicated amount CPU/memory/disk space.

For good performance it might also be wise to use separate machines for indexing and for searching. for example you could use a loadbalancer to load balance traffic between two locations, where on each side one search-head and one indexer is running. You could send data form all reporting devices to both indexers. In this way you geographical separate your data (for disaster recovery purposes) and balance the load of the servers as well, which enrich the user experience when using this tool.

In the short future I hope to do some tests with real network traffic and post some results here as well.

Installing Nortel VPNC on Ubuntu

Peter Tavenier2 Comments

I’m running Ubuntu 12.04.1 wheezy/sid and I needed a way to connect to the office Nortel VPN server. On a Windows machine you normally use Nortel Contivity Client. But this is not available for Linux. There is a nortel branch available of vpnc which you can find here.

The first step is to install svn-buildpackage, use the command below for this. There some extra packages coming with this install, but this is OK.

apt-get install svn-buildpackage

Now you can do a check-out on the SVN repository:

svn co -r517 http://svn.unix-ag.uni-kl.de/vpnc/branches/vpnc-nortel

This downloads the files in a new directory (vpnc-nortel) in the location you are at this moment.

Now it is time to install the vpnc client. go to the vpnc-nortel directory you just downloaded and perform the command:

make

This should make the compile the files for your OS, but the first time this failed form me with the error message:

root@ubuntu:~/vpnc-nortel# make
Package gnutls was not found in the pkg-config search path.
Perhaps you should add the directory containing `gnutls.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gnutls' found
...

To solve this issue you should first install libgnutls-dev:

apt-get install libgnutls-dev

Then you can try again:

make
make install

The make install should give an output like this:

root@ubuntu:~/vpnc-nortel# make install
install -d /etc/vpnc /usr/local/bin /usr/local/sbin /usr/local/share/man/man1 /usr/local/share/man/man8 /usr/local/share/doc/vpnc
if [ "`uname -s | cut -c-6`" = "CYGWIN" ]; then \
		install vpnc-script-win /etc/vpnc/vpnc-script; \
		install vpnc-script-win.js /etc/vpnc; \
	else \
		install vpnc-script /etc/vpnc; \
	fi
install -m600 vpnc.conf /etc/vpnc/default.conf
install -m755 vpnc-disconnect /usr/local/sbin
install -m755 pcf2vpnc /usr/local/bin
install -m644 vpnc.8 /usr/local/share/man/man8
install -m644 pcf2vpnc.1 /usr/local/share/man/man1
install -m644 cisco-decrypt.1 /usr/local/share/man/man1
install -m644 COPYING /usr/local/share/doc/vpnc
install -m755 vpnc /usr/local/sbin
install -m755 cisco-decrypt /usr/local/bin

The last thing to do is to edit the configuration file to the settings of your company. In my case this configuration file (/etc/vpnc/default.conf) looks like:

IPSec gateway 
IPSec ID 
IPSec secret 
Xauth username 
Vendor nortel
IKE Authmode gpassword
Enable Single DES
IKE DH Group dh1

Now your ready!
To start vpnc perfrom:

vpnc

en to stop vpnc:

vpnc-disconnect