Tuesday, March 8, 2016

Cisco ASA tftp Copies and Issues with atftpd

while attempting to copy a new anyconnect pkg file from a CentOS based server running atftpd, I received the following error on a Cisco ASA 5505:

%Error reading tftp://mytftpserver/anyconnect-win-3.1.14018-k9.pkg (Undefined error code)

On the tftp server in /var/log/messages, I saw:


Mar  6 14:49:19 mytftpserver  atftpd[15147]: Serving anyconnect-win-3.1.14018-k9.pkg to 192.168.47.5:32947
Mar  6 14:49:19 mytftpserver atftpd[15147]: Requested file to big, increase BLKSIZE

I had installed tftp a while ago... specifically atftp-server. After looking at the man page for in.tftpd, I concluded there was no good way to set BLKSIZE on this package. The fix was:

sudo yum erase atftp-server
sudo yum install tftp-server

I then edited the xinet.d/tftp file to enable it and change the target directory and restarted xinetd. After this, I was able to copy the pkg file over successfully.

Monday, December 28, 2015

Mellanox ConnectX-2 10GB Interface on FreeBSD 10.2

Although Mellanox's FreeBSD driver for the ConnectX-2 is included in the kernel source, the kernel modules are not included with the generic kernel. To use this card, build a custom kernel.

1. update the FreeBSD source using freebsd-update

sudo freebsd-update fetch
sudo freebsd-update install

2. copy the generic kernel config to a custom kernel
cd /usr/src/sys/amd64/conf

sudo cp GENERIC MYKERNEL01

4. edit the config file (sudo vi MYKERNEL01.) Add these lines to the bottom:

#### Mellanox ConnectX-2 support
options  OFED
options  IPOIB_CM
device  ipoib
device  mlx4ib
device  mlxen 

5. Compile the kernel and install it

cd /usr/src
sudo make buildkernel KERNCONF=MYKERNEL01
sudo make installkernel KERNCONF=MYKERNEL01

6. reboot

sudo shutdown -r now

Your new interface should show up when the machine comes back:

mlxen0: flags=8802 metric 0 mtu 1500
options=d07bb
ether 00:02:c9:52:ad:23
nd6 options=29
media: Ethernet autoselect (autoselect )
status: active


You can configure however you'd like (IP, MTU, etc.)

If you run freebsd-update on a regular basis, you may want to append a  kernel rebuild (step #5) to a script so you can rebuild the kernel automatically if there is a kernel source update.



Thursday, November 19, 2015

2010 Macbook Pro and problems with Yosemite and/or El Capitan

I have had terrible issues with a mid-2010 MBP 15" core i7 laptop. Doing a clean installation of either Yosemite or El Capitan, the installer fails toward the end or crashes on first boot. I have not tried a fresh Mavericks install. However, a restore from a Mavericks time machine backup works perfectly fine. Alternatively, a linux installation also worked well with no crashes.

Quite a few posts suggest it is a log board problem and that Apple would fix it. However, being impatient, I tried my own work around. I noticed that the problem didn't happen if I reduced the RAM from 8GB to 4GB (1 stick of DDR 3 instead of 2.)

A prevailing theory for this failure is that the Nvidia 330M card was crashing the system when it switched from the onboard to the 330M.

A couple of suggested work arounds:

1. disable automatic video switching in power preferences. This will likely consume battery at a faster rate

2. use gfxCardStatus and force it to either onboard or discrete

 What I did was:

1. do a fresh install of El Capitan with only 1 stick of DDR 3 (4GB)

2. fully patched the OS

3. installed gfxcardstatus and forced it to onboard only.

 I haven't had a crash since.

Wednesday, May 27, 2015

Windows Netstat and findstr - Same as find | grep on Linux/Unix

Unix/Linux users are familiar with the following patterns of usage for finding listening ports:

looking for services listening on ports 443 or 444:
netstat -a | grep 44[34]


find a service listening on port 602, 612, 604, 614, 608, or 618:
netstat -an | grep 6[01][248]


To do the same on windows, use netstat and findstr:


find a window's service listening on port 602, 612, 604, 614, 608, or 618:
netstat -an | findstr /R 6[01][248]

Wednesday, April 29, 2015

Determining What Kind of SFP Is Installed in a Cisco Switch

There are several round about ways of determining what kind of SFP is installed in a socket on a Cisco switch, but I think the easiest is this:


testswitch#show int gi3/1/2 capabilities
GigabitEthernet5/1/1
  Model:                 WS-C3750X-48
  Type:                  1000BaseLX SFP
  Speed:                 1000
  Duplex:                full
  Trunk encap. type:     802.1Q,ISL
  Trunk mode:            on,off,desirable,nonegotiate
  Channel:               yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:           rx-(off,on,desired),tx-(none)
  Fast Start:            yes
  QoS scheduling:        rx-(not configurable on per port basis),
                         tx-(4q3t) (3t: Two configurable values and one fixed.)
  CoS rewrite:           yes
  ToS rewrite:           yes
  UDLD:                  yes
  Inline power:          no
  SPAN:                  source/destination
  PortSecure:            yes
  Dot1x:                 yes

You can see the type and everything. You'll need to be enable mode, of course.



Tuesday, March 24, 2015

Acme/Oracle SBC Useful Commands

To get the box-id (useful for licensing, etc.)

show version boot


To get the current amount of sessions

show sessions


To check the state of session agents

show sipd agents

To lookup a number in the local routing table
If you had created an LRT policy called inboundnums

show lrt route-entry 15555551212

To backup the config

backup name_of_backup

To verify the config

verify-config


Saturday, February 28, 2015

Using 3rd SFP's on Cisco 3560s and 3750s

It's well known that Cisco does not especially like to support third party hardware products within their switches. Perhaps one of the most common cases of this is the support for 3rd party SFPs on the Catalyst line.

During the day of GBICs, 3rd party interfaces usually worked. Enter the SFP. Here's a typical response from a 3750 when plugging in, say, a Finisar SFP:

Feb  27 00:01:47.952: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port Gi2/0/1 has bad crc
*Feb 27 00:01:47.952: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state

and a show int status demonstrates this:

show int status | inc Gi
Gi2/0/1                      err-disabled 1            auto   auto unknown



As an unspported work around work around, you can tell the switch to ignore the fact that the SFP was not blessed by Cisco. Keep in mind that Cisco will likely tell you to put in Cisco branded SFPs and that they won't support you with 3rd party SFPs in place (i.e., this is at your own risk!)


from conf t:
service unsupported-transceiver
 no errdisable detect cause gbic-invalid

You'll see this message


 Warning: When Cisco determines that a fault or defect can be traced to
the use of third-party transceivers installed by a customer or reseller,
then, at Cisco's discretion, Cisco may withhold support under warranty or
a Cisco support program. In the course of providing support for a Cisco
networking product Cisco may require that the end user install Cisco
transceivers if Cisco determines that removing third-party parts will
assist Cisco in diagnosing the cause of a support issue.


If you then move the SFP to another port, you should see something like this in int staus:

Gi2/0/2                      connected    1          a-full a-1000 unsupported

It works... don't forget to do a write mem.