Saturday, February 14, 2015

Non-Technical Wonderings: Teaching and Groups

I remember in my Undergraduate Programs how much I hated group work. Your group wasn't always in sync with you, and sometimes interpersonal communication became a royal issue. Of course, an instructor was trying to teach you to have the ability to work together, because sometimes (i.e., the real world) you have to work with people that you don't like, or that aren't as capable as you.

When I completed my Graduate Program, I realized how much I loved the group work. Maybe it's because everyone felt they had to be there as an Undergrad, but those in the Graduate program actually wanted to be there. They were, on the whole, willing to put forth the effort to do what was needed to be done. And as a group of working adults, you could communicate with each other, and figure out what you needed to have done in a timely manner.

Now, speaking as an Instructor for an Undergraduate Program, I still want to do Group Work where relevant, for the reasons I've mentioned above. But it's difficult to watch a group fail because of minor shortcomings that get overlooked due to those interpersonal issues. Every single person misses a question because one person didn't do their part properly. There's something to be said for group failures and group successes, but I don't know that I agree with the idea that a group should suffer because one person makes a minor mistake. Then again, to prevent that, every member of the group should be checking each other's work for mistakes. That's the idea of group work.

I suppose it's a mixture of having the available resources to accomplish a task, versus making group coordination and communication a part of that task. I suppose I've always appreciated the idea of group work, but in practicality with a time crunch involved, I wonder if it's feasible.

Tuesday, February 3, 2015

Cisco ACS Migration 4.2.x to 5.6, continued

Well, hopefully you'll read this post before you start your own journey through the migration process, because it'll save you a lot of time. This posting might be a bit more 'ranty' than it is technically helpful, but I've been working through a lot for the past few days. I'll still include valuable links where available.

In the last posting I made, I provided information, links, and possible components that you should consider when making the migration from ACS 4.x to 5.6.

Let's catch you up on where I am.

After obtaining console access to the Windows Virtual Machine, the migration utility still refused to run correctly. After doing some more digging, I found this piece of documentation regarding the migration utility for ACS 5.6, notably this piece:

The ACS 5.6 migration utility is not supported on Windows 2008 64 bit.
Well. Grand.

After doing a bit more research, I found that ACS 5.4 and ACS 5.5 have no such warnings about their migration utilities. So now we take the ACS Appliance that we have and attempt to downgrade it from ACS 5.6 to 5.4. Except that according to this documentation and this documentation (and trial and error), you cannot install ACS 5.4 on the 3495 Appliance. So now we move on to ACS 5.5, which is supported on the 3495.

So now, back to where we were originally. Re-download the migration utility from ACS 5.5, make sure to configure the ACS unit for the web-based migration utility (see previous post), connect to the console of the Windows 2008 x64 Virtual Machine, and attempt to connect.

You can probably tell from my enthusiasm that it didn't work. At that point I had exhausted every forum post and blog post relevant to this process, so we turn to the Cisco support forums:

CSCtn17779 Bug was noticed, Run the migration machine on Windows 2003 32-bit.

And there you have it. I don't have access to a Server 2003 x86 server, so I can't test the validity of the statement.

Wednesday, January 21, 2015

Cisco ACS Migration, 4.2.x to 5.6

So it's been a while since I've written anything, and that's mostly because the majority of things I work on are now considered classified, internal, or confidential. It makes it difficult to write topics on concepts when you're not 100% certain the public can know anything about it.

This however, I'm relatively certain I'm good to work with.

So the company that I'm working with now is in the process of migrating some of their ACS servers from 4.2.x appliances to 5.6 appliances. Cisco has a pretty comprehensive guide on the process here. One of the major differences between 4.2.x on an appliance and 4.2.x on a Windows server is that the appliance needs an NT Agent running on a Domain Member server in order to connect to Active Directory. On a Windows Server, the NT Agent is local, so it's not a worry. Well, Secure ACS 5.6 no longer needs that Windows NT Agent; it can just point directly at the LDAP server. Great!

Except that appliances introduce another major issue. In order to migrate the database from 4.2.x to 5.6, you must first export the database from the appliance to a Windows Server, so that you can run the migration tool against it.

Which means that to migrate, you'll need:

  • Your source ACS Appliance
  • Your Windows Server to host the ACS Application
  • A Windows version of ACS
  • Your 5.x Appliance or Virtual Machine
  • A series of helpful web links

Which is one of the reasons for this blog post: to provide a series of helpful web links, and to share some of my infuriating issues.

Most of this comes from this link, the Migration Guide from ACS 4.x to 5.6. You'll also want to know how to re-image the appliance in the event that you blow it up.

Now, Cisco offers a full trial version of ACS 4.2 for download, so as long as you have a support contract you'll be fine there.

This leaves you needing a Windows host to run the software on. And...according to our documentation, ACS 4.2 runs on Windows Server 2008 x64. Note: not R2. This was a huge problem in our environment, because the bare minimum standard for Windows Servers was Server 2k8R2. And because of larger corporate politics, that meant lots of paperwork, lots of documentation, lots of justification, and someone's time to spin up a new Virtual Machine for me.

While waiting on the Virtual Machine spin-up, it's a good time to bring the ACS 5.6 appliance online. Important note that I discovered during installation: the NTP server (or possibly the gateway) must be reachable while loading the IP settings, or else you'll have to re-image it from scratch. Not sure why, but that's what I ended up having to do.

Once you have your ACS 5.6 appliance or virtual machine running, complete with remote accessibility, you can begin your migration. After waiting for your Windows Server to be built, loaded with Java, and loaded with the ACS 4.2.x database exported from the appliance, you're ready to begin.

First, download the migration utility from the ACS Appliance and load it on your Windows Server.

Next, when connecting, specify a username and password and connect accordingly.

Then, after troubleshooting the connections and available configuration settings, spend several hours tearing your hair out trying to further troubleshoot why the connection continues to fail for no reason. Then you find an obscure post on a German Cisco forum that leads you to this link. The point of reference that made me nearly scream was this:

Remote Desktop Support
The Migration Utility does not support Remote Desktop Connection. You must run the Migration Utility on the migration machine; or, use VNC to connect to the migration machine.

So make sure that when trying to run the migration utility, you don't RDP into your Virtual Machine. You have to VNC into it, or run it from local hardware.

Edit: On to the next issue....(You'll want to read that post if you haven't already)

Wednesday, June 11, 2014

Cisco ASA-SM: ASDM won't load

So I'm in the process of trying to migrate from the Cisco PIX Series Firewalls to the ASA Series, configured in roughly the same format and style until we can re-migrate to the Zone-Based firewalls. Well, today, I ran into an interesting issue that I couldn't find much support on.

So, these were Cisco ASA-SMs (Adaptive Security Appliance Services Modules) loaded into a 6500-E Series chassis. After the device was configured to allow the appropriate connections, I wanted to load up the ASDM to see the differences in how NAT translations are done (bi-directional as opposed to unidirectional).

Except that I couldn't get the ASDM to load. In fact, it wasn't even listening on tcp/443.

As it turns out, for the ASDM to load, you need some additional components. But first, for the uninitiated, how do we set up the ASDM?

You'll find a million posts from Cisco or Blogposts from other users showing you how this is done, so, this should be review. For a brief post on how to configure the ASDM, read here.

Since this is an ASA-SM, out of the box we can session into the blade from the chassis and configure it from there. You could use telnet or SSH (SSH, preferably; telnet sends your credentials in the clear), but since I'm still in the process of building it, I haven't gotten that far yet.

YourRouter#session slot 6 processor 1

Since my routers are in a VSS pair, I use this command:

MyRouter#session switch 2 slot 6 processor 1

This command tells the router that we want to session into the blade, as if we were at its console (session), which switch in the VSS pair I want (switch #, only needed on a VSS pair), which slot the blade is loaded into (slot #), and which processor I want to use (processor #).

After you connect to the device, go to the enable mode, and then configure mode.

This, of course, assumes that you have built an interface on the ASA-SM. If you haven't, you'll need to do that first. To configure the device to allow you to connect over HTTPS, enable the server and then list the subnet(s) allowed to reach it, along with the nameif of the interface they arrive on. Keep that subnet as tight as your management network allows (a management /24 or a handful of hosts), not 0.0.0.0 0.0.0.0; the ASDM listener is an administrative interface to the firewall and should never be reachable from user or untrusted segments:

yourasa(config)# http server enable
yourasa(config)# http your_subnet_number your_subnet_mask interface_name

And that's all there is to it! Right?

Except what happens when it doesn't work? Here's where I was, tearing my hair out. 

Cisco has some available documentation on troubleshooting the ASDM:

And others. The first one gave me some good insight and commands, except for one that I couldn't run on the ASA:

show asp table socket

show asp table was present, but the socket option couldn't be found. When I ran an nmap scan against the device, it wasn't even listening on 443. So what gives?

As it turns out, for you to be able to access the ASDM, you have to download and install the free 3DES/AES (strong encryption) license from Cisco, which just requires a Cisco user account. You can download it here:

Under Security Products, you'll find the options for Cisco ASA 3DES/AES License. Once you agree to the terms and conditions, they should send you an e-mail containing the license activation key. 

How can you confirm that you don't already have the 3DES-AES license? Run show version, and look for this:

yourasa# show version
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Disabled       perpetual
Security Contexts                 : 2              perpetual

Once you input the activation key, you should see this:

yourasa# show version
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
Botnet Traffic Filter             : Disabled       perpetual

We had to do an additional command to confirm that it would use 3DES-AES in the SSL configuration:

yourasa(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Once that command was placed in, the web page loaded right away, and allowed us to connect to the ASDM.

Two caveats on that line. The ciphers are used in the order listed, so put the AES suites first and drop rc4-sha1 (RC4 is broken) and, if your ASDM and browser versions allow it, 3des-sha1 as well; the whole point of the license was to stop relying on DES-class ciphers. And on newer ASA releases (9.3(2) and later) the ssl encryption command is replaced by ssl cipher, so check the release notes for your version before pasting this in.
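The two checks above (is the 3DES-AES license actually enabled, and does the configured cipher list still carry weak suites) are easy to get wrong by eye when you are staring at a long show version. As an added example, which is not code from this post or from Cisco, the following Python script parses the "Licensed features" block of show version and audits an ssl encryption line, suggesting a hardened replacement. The sample output is constructed to match the excerpt above rather than captured from a device, and the weak-cipher set and preferred order are this example's own judgement, not a Cisco list.

```python
import re

# Constructed sample, modelled on the "show version" excerpt in the post
# (not captured from a real device).
SHOW_VERSION_BEFORE = """\
Licensed features for this platform:
Maximum Interfaces                : 1024           perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
DES                               : Enabled        perpetual
3DES-AES                          : Disabled       perpetual
Security Contexts                 : 2              perpetual
"""

# Cipher names as accepted by the pre-9.3 "ssl encryption" command.
# Which of them count as weak is this example's judgement, not Cisco's.
WEAK_CIPHERS = {"des-sha1", "rc4-md5", "rc4-sha1", "3des-sha1", "null-sha1"}
PREFERRED_ORDER = ["aes256-sha1", "aes128-sha1"]

# "<feature name>   : <value>   perpetual" -- name and value separated by 2+ spaces and a colon
FEATURE_RE = re.compile(r"^(?P<name>.+?)\s{2,}:\s+(?P<value>\S+)")


def parse_licensed_features(text):
    """Return {feature: value} from the 'Licensed features' block of show version."""
    features = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        m = FEATURE_RE.match(line)
        if not m:
            if features:  # a blank or unrelated line ends the block
                break
            continue
        features[m.group("name").strip()] = m.group("value")
    return features


def strong_crypto_enabled(text):
    """True only when the 3DES-AES feature line reads 'Enabled'."""
    return parse_licensed_features(text).get("3DES-AES") == "Enabled"


def audit_ssl_encryption(config_line):
    """Split an 'ssl encryption ...' line into (kept, flagged) cipher lists, order preserved."""
    parts = config_line.split()
    if parts[:2] != ["ssl", "encryption"]:
        raise ValueError("not an 'ssl encryption' line: %r" % config_line)
    ciphers = parts[2:]
    flagged = [c for c in ciphers if c in WEAK_CIPHERS]
    kept = [c for c in ciphers if c not in WEAK_CIPHERS]
    return kept, flagged


def recommended_ssl_encryption(config_line):
    """Rebuild the line with weak ciphers dropped and AES suites first (ASA honours list order)."""
    kept, _ = audit_ssl_encryption(config_line)
    ordered = [c for c in PREFERRED_ORDER if c in kept] + [c for c in kept if c not in PREFERRED_ORDER]
    if not ordered:
        ordered = list(PREFERRED_ORDER)  # nothing acceptable was configured; propose AES
    return "ssl encryption " + " ".join(ordered)


def preflight(show_version_text, ssl_line):
    """Combine both checks into a list of findings; an empty list means nothing to fix."""
    findings = []
    if not strong_crypto_enabled(show_version_text):
        findings.append("3DES-AES license is Disabled: install the free strong-encryption "
                        "activation key before expecting ASDM over HTTPS to work")
    _, flagged = audit_ssl_encryption(ssl_line)
    if flagged:
        findings.append("weak SSL ciphers configured: %s; suggest '%s'"
                        % (", ".join(flagged), recommended_ssl_encryption(ssl_line)))
    return findings


if __name__ == "__main__":
    for finding in preflight(SHOW_VERSION_BEFORE,
                             "ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"):
        print("FINDING:", finding)
```

Paste the real show version and the ssl encryption line from your running-config into the two arguments of preflight and act on whatever it returns; the license itself goes in with the activation-key command in configuration mode, after which show version should report 3DES-AES as Enabled.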

So there you go, hopefully that helps you in your own configurations and troubleshooting for the ASDM and your ASA-SM. 

Sunday, June 1, 2014

Writing More!

So I've finally been given the opportunity to write more.

Well, not quite.

I've finally given myself enough reason and motivation to write more.

That's better. 

So, this is my continued attempt at a technical blog. Here, I write down things that I know, learn, and experience for the general-knowledge and well-being that I share with others. As I experience problems, I want to write them down.

So, what am I talking about today?

A colleague of mine and I were talking the other day, and he mentioned to me Windows Azure. So, let's back up a moment before we dive in.

The company that I own (Shameless link) has an Ubuntu 12.04 Linux box hosted by Rackspace so that we can do development. It hosted Web Services (Apache), E-mail Services (Postfix, Courier, SASL Authentication/Encryption, SpamAssassin), Database Services (MySQL, PostgreSQL), and a Mumble server. And all-in-all, it worked fine. We had a Team Foundation Server rented from another company, and with added bandwidth, the two services were about $32 a month. We weren't using the TFS service as much as I wanted, so I had looked at killing it, but it wasn't until recently, when Visual Studio gained Git integration, that I felt we could change hosting.

Back to the present day.

A colleague of mine and I were talking the other day, and he mentioned to me Windows Azure. In our conversation, he explained what he used it for, how much database and web page space he uses, and basically mentioned that he was getting Microsoft Windows services for pennies on the dollar every month. So, trying to be a reasonable business man, let's take a look into it.

Boy, was I impressed. And it's even better than that.

The general notion behind 'cloud' services is that you can host web sites, databases, virtual machines, and more, in a virtual environment. But Microsoft, being the large proprietor of software that they are, made available their resources.

If you sign up for Windows Azure, what can you get?


  • 10 Web Sites per region. 
  • 10 Mobile Services with a 20MB SQL Database with up to 500k API calls.
  • An implementation of Active Directory* for up to 500k objects. 
  • 100k Notification pushes to active devices 

*It's not a full Active Directory environment as you would see in a normal infrastructure; it's more of a user database, and you can't join hosts to it.

So wow, for free, that's pretty impressive, especially for developers. I'm trying to cut costs, and they can run virtual machines, let's see what I can get for $32 a month with respect to my environment:

  • I could get two 'Extra Small' Windows VMs, with a 1 GHz CPU and 768MB of RAM, for $26.79
  • Two 'Extra Small' Linux VMs, with the same specifications for the same price.

So, for the cost I'm already incurring, I could build two boxes at the same cost, regardless of Operating System, and have it hosted. At this point, I was feeling pretty confident in this move, because we get the free resources on top of the purchased resources. 

So I talked to my business partner, because when you're co-owned you don't make decisions like this by yourself, and he agreed once I laid out the details for him.

So, we signed up, and started spawning new virtual machines; they were ready in minutes. They had a public IP address, a public DNS name, a public firewall with port translations available, and the resources I had above.

Boy, was I impressed. Don't get me wrong, there's nothing wrong with Rackspace. In fact, their management of DNS made it quite easy to get services going, and in general I had no problems with them. This was just better.

So where does it get even better than that?

Last year, the company applied to become a Microsoft BizSpark partner for software development. We have a few major applications that we want to write and sell, and it was difficult to do so because to create them, we needed licenses of things. And after explaining what we wanted to do, we were approved and joined the BizSpark community.

At first, BizSpark was great for us for licenses: Visual Studio, versions of Microsoft Windows for us to test our software on, and copies of different applications offered by Microsoft, including but not limited to Microsoft Exchange, SQL Server, Team Foundation Server, BizTalk Server, and so much more. I estimated it was well over $500,000 in software licensing.

But we had no hosts to run these things on.

Now we do.

Because as a BizSpark partner on Microsoft Azure, we get $150 in credits a month.

A virtual machine was ~$13.

I can now cut my hosting costs down, spin up new virtual machines, and get all of my hosted needs met so that we can actually code...without having to worry about counting pennies on things. When you have a finite budget...that matters.

This is where it was even better than that.

Because now I can spin up several extra-small virtual servers, host an internal Active Directory, IIS deployment, Exchange, and TFS...without being charged.

We can finally code the way we want to, without having to worry about the costs of doing so. This is exactly what BizSpark was designed to do, and because of Windows Azure we can do it.

So my next few blog posts will be covering the state of things as I install and configure Windows Server 2012, and the related content from there.

Damn, I'm more excited by this than I should be.

Friday, August 26, 2011

New Life

So I've decided to give this blog a new breath of life. Since then, I've changed positions and gained numerous experiences along the way, of which I plan to write about. Any content, documentation, images, or advice is freely posted, I'd just appreciate some credit if you used my solution, or if something you found was different in your configurations.

Tuesday, April 22, 2008

Disabling IPv6, Part Deux

It should also be noted that apparently disabling IPv6 disconnects all of my SMB connections. Doing that change probably isn't the best of ideas, even though Microsoft didn't mention that part. I'm sure it's not their fault though.