
How to configure OSPF Totally Stubby Area in Cisco Routers- Series 1?

In this series of posts, let's configure an OSPF Totally Stubby Area. Before proceeding further, let's summarise the topology below:

OSPF Totally Stubby Area
  1. Two OSPF areas: Area 0 and Area 5.
  2. R1, R2 and R4 are part of Area 0, and OSPF is configured on the directly connected links on each router (R1-R2 link, R1-R4 link).
  3. R4 has four loopback interfaces: loopback 1 (10.0.1.1), loopback 2 (10.0.2.2), loopback 3 (10.0.3.3) and loopback 4 (10.0.4.4). The networks of these loopback interfaces are redistributed into OSPF.
  4. R2 and R3 are part of Area 5; R2 happens to be an ABR.
  5. OSPF Area 5 is configured on the interfaces connecting R2 and R3.

Currently Area 5 is a normal area and has not yet been configured as a totally stubby area, so R2 installs the R4 loopback networks as Type 5 LSAs and forwards them into Area 5.

We can see from the snapshot below that R2 received the R4 loopback networks as Type 5 LSAs and installed the routes as Type 2 external OSPF routes. We can also see that the link connecting R1 and R4 is advertised as a Type 3 LSA.

R2 - R4 route
R2 - type 5

R3 sees the R4 loopback networks as Type 5 LSAs, and the R1-R4 and R1-R2 link networks (192.168.14.0/29 and 192.168.12.0/29) as Type 3 LSAs.

R3 LSA table

In the next post, let's see what impact configuring Area 5 as an OSPF Totally Stubby Area will have.

How to configure Cisco VIRL – VMMaestro to use SecureCRT as an external telnet and SSH Client?

Cisco VIRL comes with an internal SSH and Telnet client, which is quite good and opens all the SSH and Telnet sessions within the VMMaestro GUI. If someone wants to use SecureCRT on their Mac as an external client instead, the change is easy to make in VIRL VMMaestro:

VMMaestro-1

Terminal > Cisco Terminal

Step 1

Change the title format to: %s

Step 2

Select: Use external terminal applications

Step 3

Use the following values in the fields shown below:

Telnet command:/Applications/SecureCRT.app/contents/MacOS/SecureCRT
Telnet arguments:/T /N %t /TELNET %h %p
SSH Command:/Applications/SecureCRT.app/contents/MacOS/SecureCRT
SSH arguments:/T /N %t /TELNET %h %p
VMMaestro-2

By making these minor changes you can use SecureCRT to SSH or Telnet to VIRL devices.

telnet VIRL
VIRL telnet 1

What is the OSPF Stub Area?

We all know OSPF is one of the most widely used IGPs, and it happens to be the most scalable IGP. OSPF is also one of the more complex protocols, as it deals with many concepts and terminologies. One topic where people get confused is OSPF area types.

I will try to simplify them and present them in easy language. I am not going to reinvent the wheel, as one can find plenty of resources on OSPF.

What is an OSPF Stub Area?

An OSPF Stub Area filters information out of the OSPF database purely based on LSA type. The ABR of a Stub Area prevents Type 5 LSAs from being flooded into the area: it removes the Type 5 LSAs and replaces them with a default route, which is a Type 3 LSA. In other words, the ABR creates a default route as a Type 3 LSA, listing network 0.0.0.0 with subnet mask 0.0.0.0, and floods it into the stub area. By using the Stub Area feature one can reduce the CPU utilisation of a router.

OSPF Stub Area

In the scenario above, we can see that Type 3 LSAs are exchanged between Area 0 and Area 5. However, when a Type 5 LSA reaches R2, which is an ABR, R2 strips the external LSAs (Type 5 LSAs) and replaces them with a default route towards router R3.

An OSPF Stub Area is configured on Cisco routers using the following IOS commands:

router ospf 1
 area 5 stub

In the upcoming post, let's see how to configure an OSPF stub area on Cisco routers; we will build a sample topology using Cisco VIRL.
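To make the filtering concrete, here is a small Python model (an added example, not code from the original posts or from Cisco) of what an ABR floods into an area depending on its type, using the addresses from the Totally Stubby Area topology above and the stub behaviour described in this post. The LSDB entries are constructed sample data, and the model also covers the totally stubby case (IOS `area 5 stub no-summary`), which this post does not configure.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LSA:
    lsa_type: int   # 3 = Summary, 4 = ASBR-Summary, 5 = AS-External
    target: str     # prefix (types 3 and 5) or ASBR name (type 4)

# Constructed sample data, taken from the topology described on this page:
# intra-area prefixes R2 learned in Area 0 (summarised into Area 5 as Type 3)
AREA0_INTRA = ["192.168.12.0/29", "192.168.14.0/29"]
# R4's redistributed loopbacks, carried as Type 5 externals
R4_EXTERNALS = ["10.0.1.1/32", "10.0.2.2/32", "10.0.3.3/32", "10.0.4.4/32"]
ASBR = "R4"

DEFAULT_ROUTE = LSA(3, "0.0.0.0/0")   # network 0.0.0.0 mask 0.0.0.0 as a Type 3 LSA

def abr_flood(intra_prefixes, external_prefixes, asbr, area_type):
    """Return the LSAs an ABR (R2) floods into an area of the given type.

    normal          -> Type 3 summaries, a Type 4 for the ASBR, Type 5 externals
    stub            -> Type 3 summaries plus a Type 3 default; no Type 4 or 5
    totally_stubby  -> only the Type 3 default route
    """
    summaries = [LSA(3, p) for p in intra_prefixes]
    if area_type == "normal":
        return summaries + [LSA(4, asbr)] + [LSA(5, p) for p in external_prefixes]
    if area_type == "stub":               # IOS: area 5 stub
        return summaries + [DEFAULT_ROUTE]
    if area_type == "totally_stubby":     # IOS: area 5 stub no-summary
        return [DEFAULT_ROUTE]
    raise ValueError(f"unknown area type: {area_type}")

if __name__ == "__main__":
    for kind in ("normal", "stub", "totally_stubby"):
        lsas = abr_flood(AREA0_INTRA, R4_EXTERNALS, ASBR, kind)
        print(f"{kind}: {len(lsas)} LSAs flooded into Area 5")
        for lsa in lsas:
            print(f"  Type {lsa.lsa_type}  {lsa.target}")
```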

Does CCIE track selection need counselling?

When it comes to choosing a CCIE track, most CCIE aspirants are confused; every day I encounter at least one CCIE aspirant approaching me for advice. Sometimes I pity them, but they are in need of guidance, so I morally try to support them and guide them to the best of my ability.

CCIE

Why are most of them confused in choosing a CCIE track?

It has been observed that most of them are confused at step 1 of the CCIE: they struggle to choose a CCIE track. Some of them meet instructor after instructor of different tracks to select a track, which makes them more confused. I have even seen some people start with CCIE track A for a few months and then change to track B; this is not a good sign for someone who has already started the CCIE journey.

I believe most of them want to choose a CCIE track for reasons like:

  • Which CCIE track is in more demand?
  • Which CCIE track is easy to pass?
  • Which CCIE track offers me more remuneration?
  • Which CCIE track is easy to simulate?
  • Which CCIE track costs less?

And so forth. Well, these are not valid reasons to select a CCIE track. I strongly believe there should be a strong desire and passion towards a particular track, which comes out when you ask the series of questions mentioned in the article “The Journey of CCIE – Series 1”. Yet some people may need some sort of pre-CCIE counselling in selecting a CCIE track and planning their journey.

Well, as far as I know, no one is offering such a service. If someone wants to seek guidance, they can reach out to me and I can assist them in choosing their passion. Yes, CCIE is a passion, and it can only be achieved when someone gives more than 100%. Please do feel free to reach out to me; I will be more than glad to help you.

Cisco ASA VPN troubleshooting – Decaps but no encaps

Recently we observed a strange issue while building a site-to-site VPN tunnel between a Cisco ASA (9.1(5)) and a Palo Alto Next Generation firewall (PAN-OS 7.0.9). Phase 1 of the tunnel always established successfully with the peer; however, phase 2 failed to come up.

We always saw issues with encapsulation: the packets sent were never encapsulated, while the packets received from the remote peer were decapsulated. This means the ASA was not encrypting the data. The logs below demonstrate the error:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 74

We did thorough troubleshooting and ensured the following at both ends of the tunnel:

  • Ensured both firewalls have an appropriate route for the interesting traffic / proxy IDs
  • Ensured the ACLs / policies matched
  • Ensured the NAT configuration was done properly, as we were using source-based NAT at both ends
  • Ensured proper debugging was done at both ends
  • Involved the vendors to see what the issue was

Upon thorough troubleshooting, it was discovered that the ASA was hitting bug CSCuo58411.

This bug creates duplicate entries in the tunnel manager, as one can see from the logs below:

IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

The workaround that fixed this issue for us was to upgrade the ASA from 9.1(5) to 9.5(3)6. The other recommended workaround is:

Issue “debug menu ike-common 10” to remove the stale IKEv2 entries (note that this will delete all current IKEv2 connections).
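As an added example (not part of the original post), here is a Python check that parses the `show crypto ipsec sa` counters and IKE debug lines quoted above and flags the two symptoms this post describes: a one-way SA (decaps without encaps) and duplicate Tunnel Manager entries. The sample text is copied from the post; the function names and the findings wording are my own.

```python
import re

# Sample input: the counters and debug lines quoted in the post above.
SA_COUNTERS = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 74
"""

IKE_DEBUG = """\
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
"""

# Each counter is written as "#name: value"; several appear on one line.
COUNTER_RE = re.compile(r"#(?P<name>[^:#,]+):\s*(?P<value>\d+)")
DUPLICATE_MSG = "Duplicate entry already in Tunnel Manager"

def parse_counters(text):
    """Turn the 'show crypto ipsec sa' counter block into a {name: int} map."""
    return {m["name"].strip(): int(m["value"]) for m in COUNTER_RE.finditer(text)}

def diagnose(counters, debug_text):
    """Return human-readable findings for the failure pattern described above."""
    findings = []
    encaps, decaps = counters.get("pkts encaps", 0), counters.get("pkts decaps", 0)
    if decaps > 0 and encaps == 0:
        findings.append("one-way SA: peer packets are decapsulated but none are encapsulated")
    recv_errors = counters.get("recv errors", 0)
    if recv_errors > 0 and counters.get("pkts decrypt", 0) == 0:
        findings.append(f"{recv_errors} recv errors with no packets decrypted")
    duplicates = debug_text.count(DUPLICATE_MSG)
    if duplicates:
        findings.append(f"{duplicates} '{DUPLICATE_MSG}' debug lines: stale tunnel state")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_counters(SA_COUNTERS), IKE_DEBUG):
        print("FINDING:", finding)
```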

A review of “CCDE The Practical Guide”

When it comes to CCDE certification preparation, unlike the CCIE exams it's hard to get instant gratification, as the CCDE certification happens to be theoretical and one certainly will not be engaged in configuring real gear.

Often those who come from hands-on experience find it hard to measure their progress, and usually they end up giving up their CCDE aspirations.

At one point in my life I had an aspiration to be a CCDE and did start my journey. However, my dopamine levels never rose with the CCDE training material available at that particular time. I gave up.

After getting to know Mohamed Radwan, the frequent discussions I had with him about technology made the paradigm shift in my transformation from an implementation and operations engineer to a security architect.

Lately, several technical encounters I had with Mohamed, and especially attending his last CCDE boot camp as a guest participant to review the security domain, gave me insight into what made me give up my CCDE aspirations. He was quite competent in bringing in the awareness and the mindset one needs to persist in becoming a CCDE.

When Mohamed released his much-awaited title “CCDE The Practical Guide”, I realised that if this title had existed a few years back, my motivation would not have faded away. I feel the title is the continuation of his CCDE boot camp, as it is quite analytical and practical and does brush up one's mindset from the CCDE exam perspective.

Not only does the title come with four different scenarios covering critical sectors like finance, service providers, training firms and telcos, but it also addresses the full range of technologies which are vital to the CCDE exam. Mohamed is quite articulate in covering the scenarios in an exciting format; one could feel as if they are real, and they do force the reader to contemplate and act.

The juice of this title is the questions and the options provided for each scenario. Once one completes responding to all the items for the four scenarios that come with this title, they can measure their understanding and what hat they wore while answering those questions. The tips Mohamed has provided for each question give an idea of what mindset one should have while answering CCDE exam questions.

To conclude, this title will undoubtedly help CCDE aspirants to have a great understanding of the CCDE exam, how they should approach each question and what mindset they should have.