Network Engineers need Linux

Although I am my no means an expert in Linux (yet), I have done the swap.  I have dropped Windows for a Mint 17.3 Linux.  Since I work in the network consulting realm, it does make things (some things) a little simpler.  I am a fan of Windows 10, but the good about Linux far out weighs the good about Windows.

Benefits:

• Become more familiar with commands that are regularly used to install and troubleshoot Cisco and other vendor appliances
• terminal services are much more fluid and many variants are available
• VIRL and GNS3, in my opinion, run much more efficiently on Linux.
• Over all performance increase 
• Less bloat in my OS
• The new Linux distros' GUIs are as good as, if not better than Windows
• IT'S FREE!

Drawbacks:

• Visio and a few other office like products
• I like Outlook much better than Thunderbird or Evolution

*** I still have Windows 10 installed on my hard drive for now if I need to use certain applications

More info on current Linux distributions: Click Here

More info on Mint: Click Here

SYNful Knock

Maybe downloading that IOS/firmware from bit torrent isn't such a great idea.  Watch your back, they're taking things from you.

FireEye
Cisco Blog Post
SNORT Rule

Cisco ISE Fail Open Ports

One thing that you have to to consider when installing ISE in an organization is complete ISE failure.  In this scenario ISE has failed because of complete power outage or network access to ISE has been removed and no access can be granted to end devices.  This could in effect shut down your entire company.  This is a very big problem when dealing with a multi-site business with a singular data center.

On your switch ports, add the following command to your standard 802.1x config:
authentication event server dead action authorize vlan X

This command will grant access and dump all traffic on the specified VLAN in the event of total ISE failure/unreachability.

Patching Cisco ACS

Problem

During an ACS upgrade I have gotten the following error message many times and banged my head against the nearest wall:

 "% Manifest file not found in the bundle"

Here is an example:

acs/admin# patch install 5-6-0-22-1.tar.gpg Upgrade

Do you want to save the current configuration ? (yes/no) [yes] ?

Generating configuration...

Saved the running configuration to startup successfully

% Manifest file not found in the bundle

acs/admin#

Commence Head-Wall meetings

Reason

Here is (in my opinion) the most common reason for this error:

• Incorrect command

Resolution

The command should be:

• acs/admin# acs patch install 5-6-0-22-1.tar.gpg repository Upgrade ------ Correct
• acs/admin# patch install 5-6-0-22-1.tar.gpg Upgrade -------- Incorrect 

Wireless Mobility Connections Fail and Do Not Recover When ASA is Rebooted

I saw this issue for the first time today so I thought it was worth sharing. 
Full article is linked here: LINK

Took TAC a while to find the issue, but apparently TAC says its a design issue not a bug.

Brief overview:

Problem

In this situation a Wireless LAN Controller (WLC) at 10.10.1.2 attempts to communicate with the WLC at 10.10.9.3, but the communication fails.
This problem can be triggered by any of these events:

• The ASA is rebooted.
• The routing table is modified by an administrator or routing protocol.
• An interface is shut down, then brought back up by the administrator.

Besides mobility traffic, this problem might be experienced for any UDP or non-TCP IP protocols.

Solution

Solution 1

One possible solution for this issue is to remove the same-security permit intra-interface command from the ASA. This solution prevents the u-turn connection from being built back out the same interface on which the original packet was received, which allows the correct connection to be built when the interface comes up. However, depending on the routing table of the ASA, this solution might not work (the traffic might be routed to another interface other than the intended destination based on the routing table), and the same-security permit intra-interface command might be necessary for other connections on the ASA.

Solution 2

For this specific instance, the problem was successfully mitigated by enabling the timeout floating-conn feature. This feature, which is not enabled by default, caused the ASA to tear down these connections one minute after a more preferred route to one of the endpoints is added to the routing table out a new interface of the ASA, which occurs when the dmz interface comes up. The connections are then immediately rebuilt when the next packet arrives at the ASA, using the more preferred interface (dmz, instead of inside for the 10.10.9.3 host).

ASA(config)# timeout floating-conn 0:01:00