TCP Offloading, Windows 2012 Servers

If you are utilizing Windows 2012 Servers with TCP Offloading enabled and seeing network issues ranging from low throughput to loss in connectivity, the following articles provide recomendation on disabling TOE on the Servers:

http://www.rackspace.com/knowledge_center/article/disabling-tcp-offloading-in-windows-server-2012

http://www.rackspace.com/knowledge_center/article/installing-xenserver-tools-on-next-generation-windows-cloud-servers

Brocade ADX – JSession Persistence

This is an example for JSession ID based persistence for Brocade ADX:


csw-rule "JSESSION" header "cookie" pattern "JSESSIONID=" case-insensitive
csw-rule "URI" url pattern "JSESSIONID=" case-insensitive                 
                                                                          
csw-policy "CSW_JSESSION" case-insensitive                            
 match "JSESSION" persist offset 0 length 32 passive-persist              
 match "URI" persist offset 0 length 32 passive-persist                   
 default forward 1        

In the above policy, the persistence decision is made based on the first 33 characters (0-32) of the JSession ID. If this number has to be different, we would have to alter the CSW Policy to reflect the right number of characters. The csw-policy “CSW_JSESSION” would have to be utilized within the Virtual Server.

Programming Language Popularity

If you are new to programming and looking to figure out the “hot language” to master, this link could be of assistance.

The link provides the list of programming languages that is being actively searched online. It isn’t a perfect tool but it is a good start. Although, I am not a programming expert, it is certainly good to master “Object Oriented Programming”. This framework is utilized by many high level programming languages.

iRULE – String Usage


when HTTP_REQUEST {
set URI [string tolower [HTTP::uri]]

if {$URI starts_with "/m/" }{
set NEW_URI [string range [HTTP::uri] 2 end]
HTTP::respond 301 Location http://www.domain.com$NEW_URI
}
}


$ curl -Ik http://10.10.10.10/m/URI
HTTP/1.0 301 Moved Permanently
Location: http://www.domain.com/URI
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

Replacing

set NEW_URI [string range [HTTP::uri] 2 end]

with

set NEW_URI [string trimleft [HTTP::uri] /m/]

will provide the following output:


$ curl -Ik http://10.10.10.10/m/URI
HTTP/1.0 301 Moved Permanently
Location: http://www.domain.comURI
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

Note the lack of “/” in the “Location” header, just before the start of URI.

In order to retain the “/”, I did a string trimleft with “/m” instead of “/m/” i.e.,

set NEW_URI [string trimleft [HTTP::uri] /m]

instead of

set NEW_URI [string trimleft [HTTP::uri] /m/]

However, the result was the same.

Based on this devcentral article, it looks like “string range” is a better option as “string trim” tends to trim individual characters as instead of the “string of characters”.

Another issue to remember is that if we use “string trim”, we get the following output:

$ curl -Ik http://10.10.10.10/m/mURI
HTTP/1.0 301 Moved Permanently
Location: http://www.domain.comURI
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

and “string range” provides the following:

$ curl -Ik http://10.10.10.10/m/mURI
HTTP/1.0 301 Moved Permanently
Location: http://www.domain.com/mURI
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

So, if you are just looking to remove specific “string of characters”, “string range” is a better option based on testing on 11.x code version.

RackConnect v2 Terminology

If you are a customer of Rackspace and utilize RackConnect technology, you may have encountered Rackspace specific terminologies while interacting with Rackspace via Ticket/Phone. This post will provide some of the terminologies and explanations:

“EDGE Device” is the outermost network device (Firewall or Load Balancer) in your infrastructure.

“CONNECTED Device” is the network device (Firewall or Load Balancer) that is connected to the Public Cloud infrastructure.

“RC Environment” refers to the combination of “EDGE” and “CONNECTED” device and the cloud account in a particular Data Center. A customer can have multiple “RC Environment” within the same DC or in multiple DC.

Example:
Customer A can have “Primary(LON)” and “Seconday(LON)” – 2 RC Environments (Primary & Secondary) in the same DC – LON

Customer B can have “Primary(DFW)” and “Secondary(LON)” – 2 RC Environments (Primary & Secondary) in 2 different DC – DFW & LON

Traffic Flow between Cloud & Dedicated Servers in RCv2 & RCv3 is seen here:
http://www.rackspace.com/knowledge_center/article/comparing-rackconnect-v30-and-rackconnect-v20#i

Vyatta – VPN bug

After complete configuration of the site-site VPN, the following error would show up while running the command shown:

vyatta# run show vpn ipsec status
IPSec Process Running PID: 3300

1 Active IPsec Tunnels

IPsec Interfaces :
eth0    (no IP on interface statically configured as local-ip for any VPN peer)

After searching online, I came across the following community post that wasn’t of much help. Based on input from Brocade TAC Engineers, the above bug is superficial and doesn’t affect the functionality of the site-site IPSec tunnel configured on the Vyatta device. For now, this can be ignored as a benign bug.

Isakmp Keepalive – Cisco ASA & Checkpoint

Cisco ASA has Isakmp Keepalive Enabled by default. You can see this by running “show run all” and look under the tunnel-group configuration for the specific IPSec tunnel.

 

Default Setting for a tunnel-group:

tunnel-group 10.10.10.10 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication

 

Configuration change required to disable isakmp:

tunnel-group 10.10.10.10 ipsec-attributes
isakmp keepalive disabled

 

After Change:

tunnel-group 10.10.10.10 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive disable
no ikev2 remote-authentication
no ikev2 local-authentication

 

Error Message Seen in the Cisco ASA Logs:

Jan 26 05:10:03 [IKEv1]IP = 10.10.10.10, Keep-alives configured on but peer does not support keep-alives (type = None)

 

The following is taken from Cisco documentation link provided:

“If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN, which includes VPN clients, tunnels and the tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.

In some situations, it is necessary to disable this feature in order to solve the problem, for example, if the VPN Client is behind a Firewall that prevents DPD packets.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution07

In my experience, “Isakmp Keepalive” compatibility between vendors – Cisco & Checkpoint specifically doesn’t exist and it is better to disable it rather than leave it enabled on the Cisco ASA. If enabled between incompatible devices, it can lead to the tunnel dropping sporadically without reason.

Cisco ASA Deny Access-List

Does the Cisco ASA send a reset when a packet is denied by configured access-list ?

This depends on the configuration of the access-list – is it applied for inbound or outbound traffic on an interface & if there is any “service reset” command as specified here:

service resetinbound:
Sends TCP resets for all inbound TCP sessions that attempt to transit the adaptive security appliance and are denied by the adaptive security appliance based on access lists or AAA settings.

service resetoutbound: (Default)
Sends TCP resets for all outbound TCP sessions that attempt to transit the adaptive security appliance and are denied by the adaptive security appliance based on access lists or AAA settings.

service resetoutside:
Enables resets for TCP packets that terminate at the least secure interface and are denied by the adaptive security appliance based on access lists or AAA settings.

resetinbound ----> Send reset to a denied inbound TCP packet
resetoutbound ----> Send reset to a denied outbound TCP packet
resetoutside ----> Send reset to a denied TCP packet to outside interface

By default (service resetoutbound), Cisco ASA sends an explicit TCP reset for connections terminating at the Cisco ASA Firewall, if it is denied by access-list that is configured to block outbound connections like this:

access-list OUT line 1 extended deny ip host 1.1.1.1 host 2.2.2.2
access-group OUT out interface outside

For the same access-list, if it is configured for inbound access-list, the connection will be dropped without any discard being sent out:

access-list OUT line 1 extended deny ip host 1.1.1.1 host 2.2.2.2
access-group OUT in interface outside

Reference:

Service Reset – Cisco ASA

F5 iRule – User Agent


when HTTP_REQUEST {
set HOST [string tolower [HTTP::host]]

if { ($HOST eq "domain.com" || $HOST eq "www.domain.com" ) and 
         ([HTTP::header User-Agent] contains "Chrome/33.0.175") and
            ([HTTP::header User-Agent] contains "(X11; Linux x86_64)") } {
                reject
               }
}

The above iRule will enable the F5 to send a TCP RST (reset) to the client for a specific domain and specific User-Agent information within the incoming HTTP Request.