Topics - Dieselboy

#1
Forum Lobby / Splunk? or?
July 03, 2023, 07:02:29 AM
Looking for an open source component to collect telemetry from network devices + everywhere. Does it exist? Seems like I need separate systems for network and then OS-based and container based.

https://www.sdxcentral.com/articles/news/cisco-aims-for-full-stack-observability-with-opentelemetry/2023/05/

https://techblog.cisco.com/blog/getting-started-with-opentelemetry

https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/telemetry-architecture-guide.html


Splunk does a free 14-day trial, might check it out but wanted something I could play with more long term.
#2
Short documentary about how the PIX appliance saved the world by implementing NAT to save the day.

https://www.youtube.com/watch?v=GLrfqtf4txw
#3
Harry is under the thumb and vanished.

King Charles doesn't have a great following because of what happened with Diana and the affair with Camilla.

Today I just learned that they're going to crown the King but also crown "Queen Camilla". Historical rule states it's not possible for a King and Queen - only one reigning monarch is permitted. Camilla is not favourable also for the same reasons. I find it disrespectful to say the least. He is not doing himself any favours and is only making his role as King harder. His mum left a great example behind that I don't think he can live up to.

I was not even aware of the coronation because Australia have nothing for it. Back in the UK for events like this, there are nation-wide street parties, decorations and pubs with decorations of flags.

Sad times.
#4
I have an issue where users are getting spammed with anyconnect messages which are difficult and disruptive to clear.

Environment

I am using the following systems
-   HA Cisco FTDv running purely as an AnyConnect SSL/TLS VPN server
-   Windows 10 clients
-   Cisco AnyConnect 4.10 VPN client software

Diagram
[ FTDv VPN server (IPv4 ONLY) ] -------> (( internet )) <----- [ Anyconnect client on Windows 10 at users Home (Dual Stacked IPv4/IPv6) ]

In terms of connectivity, this is important to note:

IPv4 connectivity is the sole IP used everywhere at the VPN server side, between FTDv and the public internet cloud

Client Windows 10 devices are IPv6/IPv4 dual-stacked because users work from home and their chosen ISP (including mine) provides dual-stacked internet.


Problem description
A few people have reported this mass spam of "reconnecting" being alerted by cisco anyconnect client. I noticed this myself when waking my computer screen and logging in; but actually the laptop had gone to sleep and anyconnect reconnected due to the profile set. In my case I received 18 messages in the notification panel as well as pop ups on the screen, plus additional messages from anyconnect and other applications. The experience was that I was unable to use my computer for what felt like an eternity and it was impossible for me to close these notifications due to the high load.

Other people have noticed this when first initially connecting to the VPN.


Troubleshooting

-   DART logs taken via Cisco-provided powershell script
-   Cisco initially advised that the issue related to some other software on the computer due to multiple log messages: "Description: An established connection was aborted by the software in your host machine."

Log debug:
-   Logs show "Description: SOCKETTRANSPORT_ERROR_WRITE"
-   Even though we don't use IPv6 for the VPN connection or client addressing we also see "Private IPv6 Address: FE80:0000:0000:0000:4D5C:84AD:5344:6FFD/126"
-   Additionally:
    -   Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED
    -   Failed to add route to DNS server FE80:0:0:0:D2DB:B7FF:FEA9:1852 via interface FE80:0:0:0:AD7C:8530:699E:A3D3 (index 11)
-   And:
    -   Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED
    -   Unable to find matching route to FE80:0:0:0:D2DB:B7FF:FEA9:1852 (preferred interface index: 11)

Note: fe80 is the ipv6 equivalent of 169.254.x.x and is a link-local IP address

So what seems to be happening is this:
-   Windows 10 computer joins a dual stack network and receives ipv4 and ipv6 addresses on its wifi interface
-   Windows OS additionally self-assigns link-local addressing on all its enabled interfaces
-   Computer joins anyconnect VPN and this enables the previously disabled/unused anyconnect virtual network adapter
-   Windows OS assigns link-local addresses (multiple!) to the anyconnect adapter
-   Anyconnect needs to identify which network adapter on the system is associated with the VPN connection and chooses to identify this adapter by one of the IPv6 addresses
-   At some point the IPv6 address used as the identifier gets cleared out and removed, replaced with a different FE80:: address
-   Anyconnect breaks as it's unable to locate the adapter because the identifier is no longer present on the interface


Note:
-   When running "netsh interface ipv6 show addresses" at the windows command prompt I often see 2x FE80:: addresses assigned to the anyconnect virtual adapter
-   The lifetime of FE80 addresses is "infinite", which means they are permanent and unchanging. The RFC [1] states that addresses will be assigned when the adapter gets enabled
-   In my case, my computer went to sleep, which I can understand, but it is worth noting that I "assume" sleep will disable the network adapter. Returning from sleep, then, will enable the adapter and consequently receive new addresses – however, attempting to reproduce this specific issue scenario yesterday (to first confirm the issue and then to confirm my proposed resolution resolves the issue) I did not get any FE80 change at all on either of the assigned FE80 addresses.

Solution

I'm still working on it as I have been unable to test an effective solution, but suggestions so far are:

-   Config the xml profile "ip protocol support" to only ipv4
    -   I tested this yesterday but the anyconnect virtual adapter still received FE80:: addresses
-   Cisco suggested running the client bypass config on the VPN server, but the description of this command states that it allows the anyconnect client to transmit data in clear text to the VPN server, so without more context I am avoiding this at the moment. The default for this command is not enabled, and the documentation specifically states that the anyconnect client will drop the traffic instead. I can't see how this would resolve the issue for me either.
-   This is in no way an option for me due to the large org. and many users, but I did confirm (and obviously) that turning off IPv6 within the anyconnect virtual adapter (simply uncheck the box for ipv6) results in the adapter no longer receiving FE80:: addresses and so should essentially mimic the equivalent experience of an ipv4-only client network, where this issue is not present. I could perhaps implement this via GPO but I feel it's rather messy


Did any of you see this yet? We're a bit behind over here, so ipv6 is perhaps being rolled out to users' homes first before being rolled out to offices and businesses.



[1] RFC 4862: IPv6 Stateless Address Autoconfiguration (rfc-editor.org)

#5
Had an impactful issue during a cutover to 9800 WLC which were implemented to replace EOL WLCs. Symptoms were, wireless clients would work for 300 seconds and then drop off while from both client and WLC perspective, they had an active session with session timers incrementing (client not disconnecting but wireless connectivity seemingly vanished after 300s).

Issue is because the 9800 WLC has IPv6 enabled for wireless clients only. If you issue a "show run | inc ipv6" then you don't see anything related to ipv6 because it's a default configuration. When I engaged tac about this multiple times, they informed me that ipv6 is definitely not enabled because "ipv6 unicast routing" is not enabled in the config.

Additionally, the WLC AirOS config was ran through the cisco-provided configuration migration converter tool so as to be able to boot up a 9800WLC with existing working configurations. However, the converter tool did not convert, implement or provide an equivalent configuration where IPv6 was fully disabled on the existing working configuration, hence the issue caused.

We did not have any issues with modern wifi clients. They did self-configure themselves with fe80:: addresses but continued to work. The specific clients which had issues with the 300s drop are old clients that are used for a specific purpose with critical functionality that are contractually provided by a 3rd party running Windows CE 6.0 OS which is pretty old and probably unique-ish to an extent.

In terms of client issue, they only have an issue when they self-configure with link-local FE80 addresses. Once I was able to properly turn off ipv6 for the wireless clients, they no longer self-configured and no longer had any connectivity issues. With ipv6 being enabled for wireless clients, packet captures show the WLC sending IPv6 RAs and the clients attempting to obtain DHCPv6.
Being that the clients are old, I suggest that they have an old and out of date IPv6 implementation. The clients could be around 15 years old. The org has around 2500 of them to suit a specific purpose and nothing more. The specific purpose was being fulfilled until the 9800 WLC was installed as described.
Given the type of device, available local device logging is approximately ZERO content. So I've needed to join some dots and make assumptions here with regards to the out of date IPv6 implementation.

Lastly, to top this one off, the official Cisco configuration reference is incorrect with regards to the command needed to turn off ipv6. It was easy to realise the problem because of the contextual help available on the IOS. The working command was "no wireless ipv6 client" whereas cisco documentation says the command is "no wireless client ipv6".


Long story short, Cisco have semi-enabled IPv6 on the 9800 WLC and it caused an outage.

Waiting to hear more about it from them, specifically, the intent and use-case for semi-enabling ipv6 in this way. 
#6
Bing Chat was great 1 or 2 weeks ago. Now, the experience is like interacting with a lazy teenager and not fun at all:
- often requests are ignored
- responses contain lies
- or responses focus on one specific aspect of the query rather than the whole query
- or the response is a sarcastic refusal to oblige

Additionally,
- data loss due to poorly implemented UIUX [1] and [2]

Firstly, regarding the data loss;
[1] - You get 2000 characters in a request message. So before submitting my message I need to scroll through the message. However, often, scrolling back down to the end of the message triggers the web page to morph into the legacy Bing search. So you scroll back up, but it now shows an empty, new Bing chat page and your entire composed message is gone without any way to recover it.

[2] - While chatting with Bing Chat there's problems being seen. There's a nice "Feedback" toast button on the bottom right of the screen. Being the good person that I am, I use the button to report on the experience and submit some feedback. Once done, the only way to get back to Bing Chat is to click the "close" button, because the rest of the page is visible but locked out, meaning you cannot click or type anywhere else on the page. However, clicking the close button results in a hard page reload and so all of your chats with Bing Chat (sent and received) are wiped out with no way to retrieve them.

:o

This is mind-bogglingly stupid.


Regarding the other points, last night I asked bing chat for the weather and the response was pretty generic and non-specific. So I asked bing chat for the time to see if it could put the two together and give me up-to-date weather information for my area in the present time like I had asked, and chat responded something like "I don't have the time information". Of course, I knew this to be untrue, so I probed chat and asked why it had informed me that. And the response from chat was that "because I don't have access to the clock on your computer". Odd. So next I asked it why it didn't just do a search for the time, since it is a search engine and if it needs any information then it was expected to complete the search, at which point it then just refused to reply to me regardless of how I phrased the questions. I thought maybe it had broken, so I said to it "Are you still there? If you are, please give me a sign through any means of which you are capable to do so?". And it immediately replied "Hello, I am here. How can I help?" But again, trying to touch on why it didn't just do the search earlier resulted in another non-reply and then my message limit had been reached due to the false reply.

This is just the most recent encounter. I hope MS fix this soon because it used to be much much better but now it's painful.
#7
Scenario:
Cisco AnyConnect 4.10
Windows client
Tunnel-ALL networks, with a split-exclude ACL to avoid encrypting traffic destined for ms teams, webex teams, microsoft 365 etc

Experience seen is, accessing stuff on the local lan while connected to the VPN does not work, cannot connect. For example, a printer. I used wireshark and loaded up two instances of it, one on the anyconnect adapter and the other on the local wifi. When trying to access something on the local lan, the vpn adapter sees the request. Meaning the traffic is routed and encrypted through the VPN tunnel.

I had the inclination to check the local windows route table while connected to the VPN and it clearly shows two interesting routes while connected that are the same subnet as the local wifi. These two routes each point to the local on-link network ie the local wifi network as well as the same route but over the vpn tunnel. The metrics on these routes show the vpn tunnel always preferred, ie the on-link network has a metric as 311 and the same network but relating to the vpn has a metric of "2". So unless this is a red herring, then this tells me that local LAN traffic always gets sent over the tunnel.

I found a similar cisco forum thread, same issue: https://community.cisco.com/t5/vpn/issue-with-split-tunnel-and-local-lan-access-via-anyconnect-vpn/td-p/3754771

Back in the day I played around with this and I was sure that it used to work as desired - where local lan is available even when using tunnel all. However, generally I've not used tunnel all vpn for performance reasons for a long time.
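The route table observation above follows from how Windows selects a route: longest prefix match first, then the lowest metric. The model below, an added example and not anything from the post or from Cisco, replays that rule over a constructed route table (addresses, interface names and metrics are made up) to show why the LAN /24 with metric 2 on the VPN adapter wins over the on-link /24 with metric 311.

```python
"""Model Windows route selection (longest prefix, then lowest metric) to show
why local-LAN traffic ends up in the tunnel when the VPN adapter carries a
same-length route with a better metric."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # "On-link" or next-hop address
    interface: str
    metric: int         # effective metric as shown by 'route print'


# Constructed table resembling 'route print' while connected (tunnel-all).
# 192.168.1.0/24 is the home wifi LAN; 203.0.113.5 stands in for the VPN headend.
ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.1", "Wi-Fi", 50),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "On-link", "AnyConnect", 2),
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "On-link", "Wi-Fi", 311),
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "On-link", "AnyConnect", 2),
    Route(ipaddress.IPv4Network("203.0.113.5/32"), "192.168.1.1", "Wi-Fi", 50),
]


def best_route(routes, dest):
    """Pick the route Windows would use: most specific prefix, then lowest metric."""
    d = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if d in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def local_lan_goes_via(routes, lan, vpn_iface):
    """Name the interface a LAN host is sent to; handy to prove the symptom."""
    probe = list(ipaddress.IPv4Network(lan).hosts())[10]   # some host on the LAN
    r = best_route(routes, str(probe))
    return r.interface if r else None


if __name__ == "__main__":
    for dest in ("192.168.1.50", "203.0.113.5", "8.8.8.8"):
        r = best_route(ROUTES, dest)
        print(f"{dest:>14} -> {r.interface} via {r.gateway} ({r.network}, metric {r.metric})")
```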
#8
When looking to find out about split-exclude domains and/or subnets I came across this link which includes a python script that can be run to source the most current data and build out an ACL from it.

Also I didn't know until I found this link that there is a website that allows you to run python scripts from it.

Cisco link regarding optimising VPN networks ie tunnel exclude latency-sensitive networks ie MS Teams, Webex teams:
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215343-optimize-anyconnect-split-tunnel-for-off.html


Microsoft link about why split tunnelling is required for Teams etc:
https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel?view=o365-worldwide

Run scripts from the web:
https://repl.it/@ministryofjay/AnyConnectO365DynamicExclude
#9
ServiceNow - the huge ITIL software that's designed to make end-users' lives more difficult than it ever has to be.

While raising a change, why is it so difficult to add "affected CI's" ?
-- if you have 30 CIs to add, it's going to take bloody ages...
-- it's impossible to scroll through the CI list and check all that apply, click next page, check more and then click ADD
--- if you click next page, all your checked items are cleared out >:(
-- while searching for your CI by hostname, the returned results seem to list all of the CIs that are around your search result, not just the one you searched for, so I have to use the web browser FIND function (ctrl+F) and then paste the hostname in there as well so that it clearly shows me the item on a row
-- and, while using the cumbersome UI to add those 30 CI's, the "add all" button is way too close. So when I'm getting close to completing adding the 28th / 29th / 30th CI, I accidentally click "ADD ALL (YOU LOSER!)" and then 1000 CI's are added to the change and I need to go and delete them all, on multiple pages. One single accidental click then costs you hours of work.


When trying to get data out of ServiceNow you can display a nice dashboard and filter query. The result is a web-based table. I've customised the columns to show Hostname, OS, some other relevant columns like "owner" but most importantly, IP address.
- why is there no column for "subnet mask" or netmask? So now I have an excel sheet populated with the exported data and I am still blocked from raising a firewall change request because I don't have subnet ID's without a netmask.
If I drill into a single CI, "Netmask" is indeed there but there is no column to add it in to the table so it can be exported along with matching IP to the relevant hostname.
EVEN BETTER would be if there were smarts programmed into Service Now to automatically calculate the subnet ID based on the IP and Mask so that you could filter on it! But that would take some thinking power...

Trying to find CMDB on the very long menu on the left is not possible for me. I don't know where it is and the menu is too cluttered for me to figure it out. I usually use the ctrl+F, or type the hostname in the search bar and fumble my way around until I see the data I need.

When trying to raise a change, I have to use ctrl+F to find "Change" and then I can see the "new change" option. Why not just break the UI down into the relevant sections. Pathetic.

There is so much data present in service now that you probably want to have multiple tabs open on different areas of service now. So the logical thing to do is to right click a menu link -> open in new tab. Will service now allow you to do this? Absolutely not. Although most times if you press CTRL and then right click, the open in new tab option is there.


I engaged servicenow directly back in perhaps 2014 because I was looking for service desk systems for my last employment. These problems were there at that time and I avoided it very quickly. It's as though the people that make this software have no idea how people use it from a real-world perspective? It's a very capable software that aims to make it as difficult to use and as much inconvenience as possible. Horrible.

<End complaining>

No one should need to go on a 4-week-long training course to do basic everyday tasks in service now. I've never needed training to use my online banking or check emails from gmail.
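The missing subnet ID can be computed from the exported IP and Netmask columns with a few lines of Python, which also gives the filter the post asks for. This is an added example, not a ServiceNow feature; the CSV is constructed (hostnames, addresses and masks are made up), and column names are assumed to match the export.

```python
"""Derive subnet IDs from a ServiceNow CI export (IP address + netmask) and
group hosts by subnet so a firewall change can be written per network."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export; the last row shows how a bad CI record is handled.
SAMPLE_CSV = """\
Hostname,OS,Owner,IP Address,Netmask
app01,Windows Server 2019,Team A,10.20.30.15,255.255.255.0
app02,Windows Server 2019,Team A,10.20.30.77,255.255.255.0
db01,RHEL 8,Team B,10.20.31.5,255.255.255.128
db02,RHEL 8,Team B,10.20.31.130,255.255.255.128
bad01,Unknown,Team C,not-an-ip,255.255.255.0
"""


def subnet_id(ip, netmask):
    """Network for a host IP and dotted mask, e.g. 10.20.30.0/24."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network


def group_by_subnet(csv_text):
    """Map subnet -> sorted hostnames; CIs with an unparsable IP/mask are listed separately."""
    groups = defaultdict(list)
    errors = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = subnet_id(row["IP Address"], row["Netmask"])
        except ValueError:                 # covers AddressValueError/NetmaskValueError
            errors.append(row["Hostname"])
            continue
        groups[str(net)].append(row["Hostname"])
    return {k: sorted(v) for k, v in sorted(groups.items())}, sorted(errors)


def hosts_in_subnet(csv_text, cidr):
    """Filter the export on subnet ID (normalises the CIDR first)."""
    groups, _ = group_by_subnet(csv_text)
    return groups.get(str(ipaddress.ip_network(cidr, strict=False)), [])


if __name__ == "__main__":
    groups, errors = group_by_subnet(SAMPLE_CSV)
    for net, hosts in groups.items():
        print(net, ", ".join(hosts))
    print("unparsable:", errors)
```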
#10
Cisco has a weird policy. I was unable to use my gmail account as my email address and I don't have a private domain.

So here's the story:

- assigned my personal account to my employer company back in around 2014
- after this we became a Cisco partner
- Cisco wielded their almighty hammer, I had to use the company email address for the account. In hindsight this must be due to becoming a cisco partner
-- "partner resources" now showing under my personal account which was using a @domain of the company as a sign-in
- I was departing this company so I updated the email address to that of the new employer
- I then left that employer and went over seas
- I then lost access to the account because I no longer had access to the email address


So at this point I contacted Cisco to explain. I needed to do something because I had to book an exam in the following few weeks. Cisco informed me that my only option was to create a new Cisco account. I didn't like it but I was unable to fight Thor with a plastic keyboard. I booked / passed the exam and I have a personal account registered to my gmail so those boxes were ticked again and I was happy in that regard.

But get this;

I'm now back at company #2. I tried logging in to that Cisco account and:
a) I can log in
b) it's still associated to the company
c) it's still associated to my CCO ID, and all my certifications and exams are displaying there including the exam I passed overseas
d) it does still have the partner resources link (even though I'm not in a position to manage the company's partner status; I haven't even clicked around to find out what options are available, I just notice the "partner" link showing up)


Nothing is broken, so nothing needs fixing... I think. But I have 2x Cisco logins that show up my certifications. I suppose, I actually only have one login (the gmail one) and the other is tied to the current company that I work for and when I depart I'll just forget about the account associated to my employer. But I suppose, technically I can associate the gmail account to another employer simultaneously - not that I'm going to attempt that, but it's an odd situation.
#11
Forum Lobby / Optus got hacked to the bone (Australia)
October 03, 2022, 01:28:20 AM
https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-data-breach

Optus kept some customers data for 10 years
Driver's license records, Medicare and passport numbers disclosed

Government stepping in to enable Optus customers to get new driving license numbers (previously not possible (WA), and in other states only possible if the user has been a victim (need to give over police crime numbers before getting a new license))
#12
Forum Lobby / Power automate, anyone??
August 31, 2022, 01:48:36 PM
I started playing with power automate a short while ago and was blown away by its power and reach. So much so I was considering owning 365 personally.

I've just discovered I already have access personally. When I go to office.com it says 'FREE' in small writing and I can use cloud versions of word/excel etc but I have power automate cloud and desktop.

I was looking to use power automate to pull data out of connectwise API as well as integrate MS (Teams / Forms / sharepoint) with pushing data into connectwise eg raising tickets or jobs based on a questionnaire.

Had a quick look at the suggestions in the app on the desktop and it has examples such as pulling data out of PDFs. Other examples are renaming new files on the pc to include the date/timestamp and GUI testing (calc.exe is used in the example).

Do any of you use this already and have any cool examples?
#13
Security / Private key data in certificate store
July 13, 2022, 05:45:41 AM
I warned a business that they had pushed a CA certificate to desktop machines but the CA public and private key was included. In mmc it says "you have a private key that corresponds to this certificate".
I said it could be possible to retrieve the private key. So I set out trying to do that.

I think that the key is marked as non-exportable, because when I try to export the cert, the option to include the private key is greyed out.
When I try to run a repair using certutil via powershell on the CA cert thumbprint, a message comes up requesting to insert a smart card.

I'm not 100% sure where the private key is stored, in encrypted files on the HDD or the TPM.

I can export the CA certificate and private key from the windows registry, edit the registry file and then import that to my local user area in the personal certs. It then shows up in mmc for that specified location and displays that there is a private key included. I still cannot export the private data. I did not try importing this reg file into another machine for obvious reasons. I just want to demonstrate the risk, not create one.

So I wasn't able to export the private key data. According to the WWW, exporting the registry allows the cert and private key pair to be imported to another windows system.
In any case, there's no need to push the CA private key to end systems. Is there anything more I can do to get the tech teams to realise? I am expecting they will argue that I've not been able to extract the private key, therefore it is secure  :)
#14
Scenario:

When joining a voice conference, we go on mute. Around 2 minutes later, the call gets disconnected.
or
When calling or receiving a call from a BT remote party, the call is disconnected after going on mute for 2 minutes (muting MS Teams).

In our scenario, our realised issue is with BT, however this will impact any SIP peer connected to a MS Teams Direct Routing provider for any organisation - therefore it's a high impact scenario that may not be realised until going on mute for 2+ minutes.

Voice path:

MS Teams app -> "PSTN call" -> remote party is British Telecom (BT)

"PSTN call" = a SIP service provided by a carrier that supports MS Teams Direct Routing.

Captures taken at the PSTN carrier (facing BT) as well as BT response, tell us that BT disconnect the call (normal call clearing) after a 2 minute timer because while on mute BT no longer receive any media or signaling packets whatsoever. So essentially, BT see the call as hung up on the remote side (from this perspective, the remote side is MS Teams).

Where I am

I'm just coming into this issue right now. I am told by my peers that Microsoft do not send anything when on mute. No signaling, no media, and also that Microsoft say they refuse to fix this issue because they don't need to for USA customers.

I have my doubts surrounding this so I am trying to push my own investigation.

However I wanted to reach out to the forum here to see if any of you had come across this issue?

What I *think* is actually happening, is that MS Teams do send signaling to the PSTN carrier and this signaling gets lost / dropped and doesn't make it to BT. Therefore this would be a PSTN provider issue which I can try and push.

When looking around the internet, these people have the exact same issue:

https://techcommunity.microsoft.com/t5/microsoft-teams/call-disconnects-while-on-mute/m-p/1020879

#16
Security / active/active ASA with firepower
December 15, 2021, 01:59:29 AM
Came across something else new today and I'm trying to find out what is the proper supported operation:

ASA 5545 pair with firepower services (9.12 code)
Firepower modules in both ASAs with licenses
Two ASA contexts (plus 1 system context)
Each context runs on a single ASA in Active/Active

What happens during failover of a context? I do not know.

The Firepower ACP would need to be applied to both firepower modules so that it was ready and waiting for a failover while the other context is actively using the firepower module (sending it traffic). However my brief look at FMC appears to have 2 firepower devices, one for context 1 and the other for context 2.

I located this relevant guide about ASA and multi context but it doesn't quite go over the exact configured scenario I've seen [1]. I'm wondering if it's not supported, and firepower is taken out-of-path during failover, or whether it supports virtual ACP / contexts.

This is not FTD.

I found a web blog which suggests it will work normally [2] and says "The Firepower appliances, when running the ASA image, come with a 10 context license. Additional licenses can be used to add more contexts. Refer to Cisco's documentation to see which licenses are supported on each model."

Does the forum have experience with this at all?


[1] - https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/configuration/general/asa-912-general-config/ha-contexts.html#ID-2171-00000922

[2] - https://networkdirection.net/articles/firewalls/asamultiplecontextmode/
#17
I have encountered a single port channel from a Cisco switch that looks like it may channel to both active and standby ASAs (rather than be two separate port channels, one to each ASA). I've yet to confirm the physical cabling, in case the ports are incorrectly labelled. I don't have access to the ASAs and can't do a layer 2 trace from the switch because it's one logical cable.

From the switch perspective, it will load-balance across the 4 1GB links in the channel. If 2 of those links are going to the standby ASA then I expect the standby ASA to be receiving about half of the traffic being sent over the channel.

What is the standby ASA expected to do with that traffic? Will it drop or process?
#18
I updated my home gaming PC last month. Nothing really broke. It's faster than win10 and switching between full screen game and desktop is now instant. Compared with win10 where it shows a black screen for what feels like eternity when switching.

The only problem I have is lack of internet explorer. My grandma's house back in the UK has cameras fitted on the outside and I'd like to keep a check on her as she lives alone and has hallucinations due to cataracts that were left too long. She had a fall the other week.

The cameras' recording box I think is Chinese and needs a browser plugin to show the video feed. This only works with IE.

Does anyone know of any possible options/solutions for me to view the cameras with win11? I haven't upgraded my mum's PC yet because of this.
#19
Guides and Labs / Virtual labs - eve-ng
November 25, 2021, 02:44:38 AM
I've come across this: https://www.eve-ng.net/

Spin up a beefy EVE-NG VM in VMWare (64GB RAM, many vCPUs) and then I can build an SD-WAN lab. I plan to start this tomorrow.
#20
CCNP certs expire in Sept next year so thinking about the next years study and exams. Recertification has changed again <sarcasm> yay! </sarcasm> and there are a few ways to recertify.

Simple option that I know about (obtain 80 credits)
- take 1 x Core CCNP exam = 80 credits

OR
- take 2 x concentration exams at 40 credits each

I've been looking into this and though I already have CCNP Enterprise I am looking to take 2 x concentration exams to get certified in SDWAN and SDAccess
1. 300-415 -- Implementing Cisco SD-WAN Solutions (ENSDWI)
2. 300-420 -- Designing Cisco Enterprise Networks (ENSLD)

Now to obtain a CCNP you need to take 1 core and 1 concentration. But with this new track I am unsure what happens if I complete the 2 exams above and then pass the core exam? Do I obtain 2 additional CCNP certs at that point?
Another similar scenario would be that I could go down a new cert track to me like Security. I could pass 2 x concentration Security exams to recertify the Enterprise CCNP but then later on if/when passed the Security Core exam I would achieve CCNP Security (twice?) ref: https://www.cisco.com/c/dam/en_us/training-events/certifications/career-path.pdf

//

First up then is the 300-415. No Cisco press book specifically for that, so, so far I am navigating this path:
1. buy/read this https://www.ciscopress.com/store/cisco-software-defined-wide-area-networks-designing-9780136533177
2. CBT Nuggets videos (18 hours) https://www.cbtnuggets.com/it-training/cisco/ensdwi-300-415

Once I've at least got stuck into the above I'll figure out next steps eg lab or other reading material. Should be fun :)