Internet

PaloAlto Packet Loss of 1% and More

Problem: A PaloAlto firewall drops packets in small bursts lasting a few seconds, and sometimes it drops TCP connections. It only happens on HA clusters, on interfaces in active/passive (failover) mode.
Solution: disable the following check box in the Ethernet interface Advanced – LLDP settings: “Enable in HA Passive State”.
Discussion: Palo Alto uses only one MAC address

Generate CSR using openssl

Browsers have started to warn users about certificates with SHA-1 signatures. SHA-256 is needed nowadays, so it’s time to renew certificates from Thawte, GoDaddy, etc. You can generate a new Certificate Signing Request with openssl using this command: openssl req -nodes -newkey rsa:2048 -keyout servername.key -out servername.csr -sha256 “servername.csr” is an ASCII file you can send

F5 data flood

Problem: An F5 LTM load balancer sends lots of data to some clients. Sometimes this fills up all the available bandwidth with 1 Gbit or more. At the same time the input traffic does not rise. The traffic charts look as if the F5 were attacking some clients (a reversed DDoS :-) ).
Discussion: After some time of staring

Howto generate an SSL key and self signed cert with openssl

For SSH, HTTPS, TLS SMTP, POPS and IMAPS you need an RSA key pair. Most Linux package installers produce these pairs automatically, but if you like, you can generate them yourself. The quickest method I found is: openssl req -x509 -nodes -newkey rsa:2048 -keyout servername.key -out servername.crt -days 1024 This command asks you some questions. The most

AVM Fritz!box DHCP Problem

Problem: I wanted to provide a CWMP (TR-069) ACS URL to an AVM modem using DHCP on the WAN interface, but the DHCP server ignores this vendor option.
Discussion: Following the TR-069 specs, the CWMP ACS server can be included in a DHCP response using a vendor option (sub-option 1). Usually vendor options work with isc-dhcp-server like this:

IPv6 Only Test

The IPv6 designers refused to define an IPv4/IPv6 gateway, because it contradicts the no-NAT, end-to-end paradigm of IPv6. The result is that IPv6 doesn’t really lift off, because every IPv6 user has IPv4 too (dual stack), which creates no pressure to move on and implement IPv6. Large providers had to implement NAT instead
