Messages - Otanx

#1
Forum Lobby / Re: Perpetual Weekend Thread
April 10, 2024, 08:23:36 AM
Quote from: deanwebb on April 09, 2024, 10:33:45 AM
Saw the eclipse yesterday in Dallas, it was fantastic. Just enough breaks in the clouds to get the full effect.

Someone brought in a bunch of the glasses so most of the office went outside to check it out. We only got a partial, but it was still cool. Then someone created a Jira task for watching the eclipse to make sure we could all record our time correctly.

-Otanx
#2
Forum Lobby / Re: Perpetual Weekend Thread
April 08, 2024, 10:32:41 AM
Quote from: config t on April 04, 2024, 05:12:25 PM
Don't you live in the desert?

Yes, I do, and it is becoming more and more desert every day with the lake drying up. There are still some places to dive nearby. Nothing that comes close to the Caribbean, but still good enough. I didn't get the generator done. I was missing parts I thought I had. The hardware store helped out, but there are a couple of items I had to order. Supposed to be delivered this week.

This is my last week at the old job. So this weekend will be filled with small get-togethers with coworkers that couldn't get together during the week. Then the wife leaves for another work trip on Sunday night.

-Otanx
#3
Forum Lobby / Re: Perpetual Weekend Thread
April 02, 2024, 03:26:32 PM
We have had some big windstorms off and on the last few weeks. One of the cabinets on the back side of the house tipped over, and broke up. Still need to clean up the parts. Luckily nothing important in it.

Wife is traveling for work this week so I get the place to myself. Using that time to build an O2 generator so I can make my own Nitrox for SCUBA. Getting it put together in the living room, and once I have it working I will take it up to my brother's place where the compressor is and mount it. Just need to get it done before Friday night.

-Otanx
#4
Wireless / Re: Wireless AP upgrade
March 04, 2024, 05:58:10 PM
I don't even want to think of changing wireless at my house. Figuring out all the IoT items that need to be updated with the new SSID and password would be a pain. Last time I updated I configured the new to match the old, and crossed my fingers.

-Otanx
#5
How long is the delay between the last two packets? Is ISE taking too long to return the valid authentication, and devices are timing out? Are the devices configured for multiple tac_plus servers, and those are timing out before it tries the one you are looking at? Also, re-reading your original post, what are the AAA configs on the devices? Is that initial failure coming from the local database, and then it tries tac_plus?

I am not sure how to decrypt an SSH session using Wireshark. You could try enabling telnet to bypass the whole issue of decrypting it, but I doubt it would show you much.

Thanks,
-Otanx
#6
Management Tools / Re: Switch SNMP Connectivity Issue
February 09, 2024, 09:05:05 AM
Most systems won't like some special characters. For Linux, try to stay away from any quotes " ' ` slashes /\ ampersand & dollar sign $. All of those have special meaning and have to be escaped to work, but it is just easier to not use them at all.

-Otanx
#7
Not sure why your book says it is a broadcast. The ACK is a Unicast back to the client. However, even if it is a broadcast the DHCP packet contains the Client MAC address. See the Wireshark Wiki here: https://wiki.wireshark.org/DHCP

The first capture file on that page has a basic DHCP session. You can see the Discover and Request are both broadcasts. However, the Offer and Ack are both Unicast.

-Otanx
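The point above that a DHCP reply carries the client's MAC address in the fixed header can be checked by hand. This added parser (example code, not from the post or the Wireshark wiki) decodes the RFC 2131 header and options of a constructed DHCP ACK and pulls out the fields a server uses to decide whether to unicast the reply: chaddr, yiaddr, and the broadcast flag.

```python
import struct

# Fixed BOOTP/DHCP header (RFC 2131 section 2) followed by the magic cookie.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s4s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 240 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}

def parse_dhcp(pkt: bytes) -> dict:
    """Return the header fields and options that decide how a reply is addressed."""
    (op, _htype, hlen, _hops, xid, _secs, flags, _ciaddr, yiaddr, _siaddr,
     _giaddr, chaddr, _sname, _file, cookie) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, HEADER_LEN
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = pkt[i + 1]      # every other option is TLV encoded
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": "reply" if op == 2 else "request",
        "xid": xid,
        "msg_type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "unknown"),
        "client_mac": chaddr[:hlen].hex(":"),          # always present, even in broadcasts
        "your_ip": ".".join(str(b) for b in yiaddr),   # address being offered/acked
        "broadcast_flag": bool(flags & 0x8000),        # client asked for broadcast replies
        "server_id": ".".join(str(b) for b in opts[54]) if 54 in opts else None,
    }

def build_sample_ack() -> bytes:
    """Constructed sample DHCP ACK for the demo (not taken from a real capture)."""
    header = struct.pack(
        HEADER_FMT, 2, 1, 6, 0, 0x3903F326, 0, 0,
        bytes(4), bytes([192, 168, 0, 10]), bytes([192, 168, 0, 1]), bytes(4),
        bytes.fromhex("000b8201fc42") + bytes(10), bytes(64), bytes(128), MAGIC_COOKIE)
    options = (bytes([53, 1, 5])                   # message type: ACK
               + bytes([54, 4, 192, 168, 0, 1])    # server identifier
               + bytes([51, 4, 0, 0, 0x0E, 0x10])  # lease time 3600 s
               + b"\xff")
    return header + options

if __name__ == "__main__":
    print(parse_dhcp(build_sample_ack()))
```

With the broadcast flag clear and chaddr/yiaddr filled in, the server has everything it needs to send the ACK as a unicast frame to the client's MAC.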
#8
Management Tools / Re: Switch SNMP Connectivity Issue
February 06, 2024, 09:37:02 AM
If nobody can agree on what the password is, then that is probably your issue. Using SNMPv3 there are five items you need to make sure all match.

- Username: kind of obvious
- Password: kind of obvious
- Encryption Key: This is different than the password. The password authenticates the user, the key encrypts the data.
- Hashing algo: This is how the password will be hashed. MD5, SHA, etc. Not all systems support the same algorithm so you need to pick one that all the systems can do. If it only says SHA it is probably SHA1, and not SHA2/SHA256.
- Encryption algo: This is the encryption that will be used. 3DES, AES, etc. Same as hashing. Not all support the same ones. Also if the choice is just "AES" it is probably AES128 not AES256.

If you are getting a credential failure then the encryption algo and key are probably OK. It has to decrypt the packet to authenticate. Then check hashing, password, and username. If you can get a pcap, Wireshark can decrypt SNMP; you just have to supply the info under the protocol preferences.

-Otanx
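Why the hashing algo has to match on both ends, and why the "password" and "encryption key" are separate items, is visible in the SNMPv3 USM key derivation. This added example (not from the post) implements the RFC 3414 password-to-key and key-localization steps: the same password gives a different key under MD5 than under SHA1, and a different key again for every agent engineID, so a mismatch on any of those items produces the credential failure described above.

```python
import hashlib

# RFC 3414 section 2.6 / A.2: expand the password to 1 MiB, hash once (Ku),
# then localize to the agent's engineID: Kul = H(Ku || engineID || Ku).
ONE_MIB = 1024 * 1024

def password_to_ku(password: bytes, algo: str) -> bytes:
    """Expand the password by repetition to exactly 1 MiB and hash it."""
    h = hashlib.new(algo)
    reps = ONE_MIB // len(password) + 1
    h.update((password * reps)[:ONE_MIB])
    return h.digest()

def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind the key to one SNMP engine so it is useless against other agents."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def password_to_kul(password: bytes, engine_id: bytes, algo: str) -> bytes:
    return localize(password_to_ku(password, algo), engine_id, algo)

def usm_keys(auth_pw: bytes, priv_pw: bytes, engine_id: bytes, auth_algo: str) -> dict:
    """Authentication and privacy keys as hex. Note the privacy password is
    run through the AUTH hash: picking MD5 vs SHA changes both keys."""
    auth_key = password_to_kul(auth_pw, engine_id, auth_algo)
    priv_key = password_to_kul(priv_pw, engine_id, auth_algo)
    # AES128 uses only the first 16 bytes of the localized privacy key.
    return {"auth": auth_key.hex(), "priv_aes128": priv_key[:16].hex()}

if __name__ == "__main__":
    # Engine ID 0x000000000000000000000002 and "maplesyrup" are the RFC 3414
    # Appendix A test vectors; "mypriv" is a constructed privacy password.
    engine = bytes(11) + b"\x02"
    for algo in ("md5", "sha1"):
        print(algo, usm_keys(b"maplesyrup", b"mypriv", engine, algo))
```

The `maplesyrup` vectors let you confirm a tool derives keys the same way before suspecting a typo in the password itself.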
#9
Do you have the budget to stand up the new place first and migrate? That is how we ended up doing it. We built out the new data center network, and some new hypervisors and storage. We connected it to the old facility with a temporary circuit, and started migrating systems from one to the other. Once we thought we were done we shut off the link to the old space, and did a scream test. Took a couple of tries. Once done we excessed most of the network gear at the old site. It was pretty old anyway.

Issues we had:
- Servers not installed correctly: We had servers sitting on top of other servers. No rails to be found. This caused some issues with order of operations. I can't move the server on the bottom until we move the other servers. After the move those all got flagged for replacement.
- Drive failures: Make sure you have good backups. Drives are going to fail. If you have a lot of the same drives see if you can get the vendor to send some ahead of time for swaps. Otherwise you move a server, and the drive fails. You RMA it, and wait for the RAID rebuild before doing the second server in the HA pair. Or you accept risk and move the second server while the first one is still in a degraded state.
- Other failures: Drive failures are not the only thing that will fail. Power supplies, fans, full systems. Moving systems will break them. When possible virtualize, and move, or build on new hardware, and decom.
- Link speed: We built out new, and migrated. We found we still had 3 devices that only would do 100M, and didn't have a way to support them on the new gear that did 1/10G.
- Misc parts: Stock up on cables of different types and lengths, power cables, SFPs, cage nuts, screws, etc. You don't want to scrounge up cables because the server was installed 2U below the switches in the old place, but is now at the bottom of the rack. This also includes extra tools for mounting gear. If you don't know, there is a tool for installing cage nuts so you don't rip your fingers apart. Get a bunch.

-Otanx
#10
There are a few items you need to consider:
1. Will the GPON hand out addresses to both the openwrt and PFsense routers at the same time? Some ISPs limit customers to a single device, and if so you will not get any failover.
2. How do you plan on handling the inside to outside traffic flow? Assuming the openwrt router is the default gateway how will the endpoints know to start using the PFSense router instead?
3. You will still have a lot of single points of failure, and this setup only protects you from a failure of the openwrt router. Whether that is worth it is up to you. I would probably not bother, and if I was having issues with the openwrt router I would just replace it instead of trying to add redundancy.
4. Understand that you will still take an outage on failover because the NAT and connection tables will end up blank.

-Otanx
#11
Depending on how many credits you need there are 28 free ones on u.cisco.com. The DEVNAE and SDWFND trainings are free. Just have to take the time to do it.

-Otanx
#12
For the first time in a while I actually got most of my goals this year. Renewed both CISSP and CCNP. The CCNP was close; I didn't end up with enough credits from Cisco Live, and had to do some online training through U.Cisco to get the last few. The CPEs didn't actually get processed until after the CCNP expired, but they date them to when you took it, and it reactivated. I was a little worried for a while. I also passed the CCNA-DevNet test. It wasn't too hard.

Now to figure out 2024 goals.

-Otanx
#13
If you can't do ICS/NAT on the Windows box then you will need to look at the config on the box with the IP 192.168.255.34, and put a default route on it pointed back to the Windows box. I think this is where the issue is. The Windows box is forwarding the traffic through just fine, but nothing on the IOT network knows where to send the return traffic.

-Otanx
#14
Are you NATing the traffic on the Windows box, or is it going out with the original IP? If no NAT, does the device at 192.168.255.34 know how to route back to the 10.91 IP?

-Otanx
#15
Forum Lobby / Re: What Are You Gaming Right Now?
August 23, 2023, 08:47:58 AM
Playing Borderlands 3 right now. Local split screen co-op so both my wife and I can play. Finished the story line the other day. Now working through the side quests, and achievement hunting. I started playing it because it was a free download with the PS subscription. The free play ended this month. Went to buy a copy to keep playing, but it was $60. So instead we drove halfway across town to a Gamestop that had a used copy in stock for $2.

-Otanx