Routing

MikroTik Automatic IPSec Failover

Problem: MikroTik allows only one IPsec policy per network-to-network pair. If you want to have redundant tunnels between two locations with two upstreams, you cannot configure IPsec redundancy on MikroTik because one IPsec policy is always marked as “invalid” by the OS. Solution: I made a MikroTik script that checks the status and reachability of …

Juniper MX204 Setup Guide

Juniper MX204 is a router from Juniper running Juniper's own operating system, Junos. The MX204 has 4x 40Gb and 8x 10Gb ports. The 40Gb ports can be split into 4x 10Gb. After unboxing it has no configuration. Connect a standard RS232 console cable with a Cisco-style RJ45 connector, set your terminal to 9600 8N1 and power …

Source IP Address Based on User

If you want to use different source IP addresses based on the logged-in user or running service on a Linux computer, you can use these simple commands:

/sbin/ifconfig eth0:1 NEW-IP-ADDRESS netmask YOUR-NORMAL-NETMASK
/sbin/iptables -t nat -A POSTROUTING -m owner --uid-owner USERNAME -j SNAT --to-source NEW-IP-ADDRESS

You can use this if the source IP is …

PaloAlto Packet Loss of 1% and More

Problem: The PaloAlto firewall is dropping packets in small bursts of a few seconds, and sometimes it drops TCP connections. It only happens on HA clusters on interfaces in active/passive (failover) mode. Solution: disable the following check box in the Ethernet interface Advanced – LLDP settings: “Enable in HA Passive State”. Discussion: Palo Alto uses only one MAC address …

ASR Tips’n’Tricks

ASR-1001-X and IOS-XE are sometimes different from and sometimes very similar to classic IOS. Update: You can update the firmware as usual:

# copy http: bootflash:
# conf t
(config)# boot system flash bootflash:asr1001x-universalk9.03.16.00.S.155-3.S-ext.SPA.bin

Show SFP (transceiver) info:

# show hw-module interface tenGigabitEthernet 0/0/0 transceiver status
# show hw-module interface tenGigabitEthernet 0/0/0 transceiver idprom

... to be continued

MLPPP over L2TP over Ethernet Channel Groups on Cisco ASR

Problem: After upgrading an Ethernet port to a channel-group, all MLPPP connections fail on a Cisco ASR 1002-X. The log file looks like this:

Jul 31 2015 07:04:44.801 CEST: Vi4 PPP: Phase is AUTHENTICATING, Authenticated User
Jul 31 2015 07:04:44.801 CEST: Vi4 CHAP: O SUCCESS id 143 len 4
Jul 31 2015 07:04:44.801 CEST: Vi4 …

F5 data flood

Problem: An F5 LTM load balancer sends lots of data to some clients. Sometimes this fills up all the available bandwidth with 1 Gbit or more. At the same time the input traffic does not rise. The traffic charts look as if the F5 is attacking some clients (reversed DDoS :-) ). Discussion: After some time of staring …

Cisco ASR 1002-X and PPTP

Problem: PPTP from any client to a Cisco ASR1002-X does not work. PPTP connections start, but in the PPP LCP phase the connection fails. Solution: Cisco ASR1002-X with software IOS-XE 15.3(2)S2 has no PPTP support. You have to use a different router! Discussion: The weird thing is that most of the PPTP stack is still configurable and working, …