Friday, December 18, 2015

CAUTION: reloading a stack switch

Cisco at its most devious :D


Sometimes habit/dependence leads to mistakes.

When reloading a 2960X stack switch (this may apply to all stack switches), you might reload the entire stack.

Sometimes you are too confident when executing a command, but shit happens.



Normally you reload a member by executing reload slot x

So, when executing reload with one letter less/missing (reload slo 1), it still works fine and reloads the member switch.




But when executing reload, for example
reload slor 2 !! It should prompt an error as usual, but this time Cisco prompts for confirmation, so you just press enter;
Surprise !!!


It reloads the entire stack switch.
 




What if the switch is in production and designed as below?


At that moment,

Engineer

Customer / Higher Management / Report manager


5 min downtime is not fun at all; my career is on the chopping board, or I get banned from accessing the customer data center.

The customer might lose millions of dollars (trading), or someone might lose his life (if a hospital failed to authenticate a patient's medical card and missed the golden rescue period).

Luckily this was in a post-migration environment.

So, I posted something in the community.
Herewith my post at the Cisco community:

https://supportforums.cisco.com/discussion/12732176/2960x-reload-command-issue


A community member posted the proper document about the reload command; Cisco treats it as the reason string when you execute a wrong command LOL

Herewith the document:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/stack_manager/command_reference/b_stck_152ex_2960-x_cr/b_stck_152ex_2960-x_cr_chapter_01.html#wp3486313748


But I look at it as a coding defect. It confuses engineers/administrators and misleads them.


Although it is properly documented, it doesn't make sense to me or to any engineer, because we are used to it prompting an error when a wrong command is executed; sadly in this case it doesn't.
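As an added illustration (not Cisco's code and not from the original post), a simplified Python model of the parser behaviour described above: an unambiguous keyword prefix like slo still selects slot, while slor matches no keyword and the rest of the line falls through to the free-text reload reason, which reloads the whole stack. It also includes a fail-closed pre-flight check a change script could run before sending the command; the keyword subset, the five-member stack and the error strings are assumptions.

```python
# Added example (not Cisco's code): a simplified model of how an IOS-style
# 'reload' parser treats 'reload slo 1' versus 'reload slor 2' on a stack,
# plus a pre-flight check for change scripts. Keyword subset, stack and errors are assumed.
STACK = [1, 2, 3, 4, 5]                      # constructed five-member stack
KEYWORDS = ["slot", "at", "in", "cancel"]    # assumed subset of reload keywords

def match_keyword(token):
    """Unambiguous keyword prefix matches ('slo' -> 'slot'); 'slor' matches nothing."""
    hits = [k for k in KEYWORDS if k.startswith(token.lower())]
    return hits[0] if len(hits) == 1 else None

def parse_reload(cmdline, members=STACK):
    """Return (scope, reason, affected): scope 'slot' = one member, 'stack' = all."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower() != "reload":
        raise ValueError("% Unrecognized command")
    args = tokens[1:]
    if args and match_keyword(args[0]) == "slot":
        if len(args) != 2 or not args[1].isdigit():
            raise ValueError("% Incomplete command.")
        member = int(args[1])
        if member not in members:
            raise ValueError(f"% Invalid input: member {member} not in stack")
        return ("slot", None, [member])
    # No keyword matched: the rest of the line becomes the free-text reload
    # reason and the reload applies to the whole stack (the documented case).
    return ("stack", " ".join(args) or None, list(members))

def edit_distance(a, b):
    """Levenshtein distance, to spot a 'reason' that is one typo away from 'slot'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def preflight(cmdline, members=STACK, allow_whole_stack=False):
    """Fail closed: refuse whole-stack reloads unless allowed, and refuse a reason
    that looks like a mistyped 'slot'. Returns (scope, affected members)."""
    scope, reason, affected = parse_reload(cmdline, members)
    if scope == "stack":
        first = reason.split()[0].lower() if reason else ""
        if first and edit_distance(first, "slot") <= 1:
            raise ValueError(f"refusing: '{first}' looks like a mistyped 'slot'")
        if not allow_whole_stack:
            raise ValueError(f"refusing whole-stack reload of {len(affected)} members")
    return scope, affected
```

The check is deliberately stricter than the real CLI: a whole-stack reload has to be requested explicitly, and a reason one edit away from slot is rejected outright.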

Be cautious when reloading stack switches.


Thanks
Han




Tuesday, December 15, 2015

Palo Alto PBF (policy based forwarding, aka PBR) in shared gateway


If you found my page while seeking a solution for setting up Palo Alto PBF in a shared gateway and have the same design as I did (picture below),



my answer to you is NO.

This has been confirmed by Palo Alto TAC.



Is there any document saying that shared gateway does not support PBF? NO ~~~


Any solution for this? I'm still working on a possible workaround to load balance 2 telco lines, but the solution in my mind is so complicated and hard to operate/troubleshoot in future.

Will update with my solution if it works :P

During my case lodgement, the latest PAN-OS versions were 6.1.8, 7.0.3, 6.0.12;

I'm not too sure whether Palo Alto will include this feature in future; it might require referring to the release notes.

Thanks
Han



Thursday, October 22, 2015

Checkpoint IPSO unable to reset password

Not much information about this error except a blog I show below.


The original IPSO IPSO-6.2-GA039-04.14.2010-225515-1 is unable to reset the local password; herewith the error I get when trying to reset:

Enter full pathname of shell or RETURN for /bin/sh:
# /etc/overpw
    This program is used to set a temporary admin password when you have
    lost the configured password.  You must have booted the machine into
    single user mode to run it.  The configured password will be changed.
    Please change the temporary password as soon as you log on to your
    system through voyager.

Please enter password for user admin:
Please re-enter password for confirmation:
Continue? [n] y
Running fsck...
/dev/ad0s4f: FILE SYSTEM CLEAN; SKIPPING CHECKS
/dev/ad0s4f: clean, 177550 free (1182 frags, 22046 blocks, 0.5% fragmentation)
/dev/ad0s4a: 12 files, 416 used, 31359 free (23 frags, 3917 blocks, 0.1% fragmentation)
/dev/ad0s4h: 1638 files, 391770 used, 245341 free (333 frags, 30626 blocks, 0.1% fragmentation)
mount_v9fs: not found
mkdir: /var/tmp2: Read-only file system
/etc/overpw: cannot create /tmp/forget.XX: No such file or directory
/etc/overpw: cannot create /tmp/forget.XX: No such file or directory
mv: /tmp/forget.XX: No such file or directory

    Admin password changed.  You may enter ^D to continue booting. 
    THIS IS A TEMPORARY PASSWORD CHANGE.
    PLEASE USE VOYAGER TO CREATE A PERMENANT PASSWORD FOR THE USER ADMIN.
umount: /var: not a file system root directory
# ^DLoading configuration files.
kernel dumps on /dev/ad0s4b

There is a blog http://adrianoherberth.blogspot.my/2013/08/reseting-checkpoint-firewall-smart-1.html that mentions how to “hack” it, but during the fsck the result was different from what he posted.

Blog (his fsck output):
# fsck
** /dev/ad0s4f (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
1762 files, 39170 used, 199233 free (29 frags, 49801 blocks, 0.0% fragmentation)
** /dev/ad0s4a
** Last Mounted on /config
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
6 files, 45 used, 15990 free (10 frags, 3995 blocks, 0.1% fragmentation)
** /dev/ad0s4h 
** Last Mounted on /preserve
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
2905 files, 397072 used, 198435 free (163 frags, 49568 blocks, 0.0% fragmentation)

Mine (my fsck output):

# fsck
** /dev/ad0s4f (NO WRITE)
** Last Mounted on /
** Root file system
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
1762 files, 77241 used, 177550 free (1182 frags, 22046 blocks, 0.5% fragmentation)
** /dev/ad0s4a (NO WRITE)
** Last Mounted on /config
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
12 files, 416 used, 31359 free (23 frags, 3917 blocks, 0.1% fragmentation)
** /dev/ad0s4h (NO WRITE)
** Last Mounted on /preserve
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
1638 files, 391770 used, 245341 free (341 frags, 30625 blocks, 0.1% fragmentation)


Ultimately, a fresh install of the latest IPSO 6.2 solved the issue.

Thanks
Han


Wednesday, October 21, 2015

Free packet analysis

To anyone reading this post, I'm providing free packet analysis.

Just upload your packet file to cloudshark.org and email me the link.

Thanks
Han

Sunday, August 16, 2015

Install stack switch


Job Scope
- Install 4 stack switches or more





When unboxing those switches, I found they came with 0.5m stack cables.




Below is the solution to stack 5 switches with 0.5 m stack cables.


stack 6 switches
stack 7 switches
stack 8 switches



While drafting this topic, I actually found that cisco.com did document it as below, but for

stack 9 switches

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/hardware/installation/guide/3750x_3560x_HIG/HIGINSTL.html#wp1151563




Thanks
Han