“It’s 2015 why are you messing around with floppy drives?” I hear you ask! Well for importing certificate requests, and issued certificates from an offline root CA server, it’s still considered best practice to use a virtual floppy drive rather than connect the offline root server to the production network.
So today while deploying a PKI infrastructure, I needed to present a floppy drive to a Windows Server 2012 R2 Issuing (subordinate) CA. Despite me adding the hardware, presenting a floppy image and ticking ‘connected’, the floppy drive refused to ‘appear’ in Windows.
Solution
The problem was the client had a ‘Pre-hardened’ Server 2012 R2 template, that I had used to deploy the server, and in the BIOS of the template the floppy drive was disabled.
1. Set the VM to boot into BIOS next time it starts (you can reboot and keep pressing F2).
2. Main > Legacy Diskette A: > Set to [1.44/1.25 MB 3 1/2].
3. At this point I hit F10 (Save and Exit), booted up the VM, and it was still missing!
4. Turns out (after some more BIOS digging) that the controller was also disabled! Advanced > I/O Device Configuration.
5. Set Floppy disk controller to ‘Enabled’ > F10 > Boot the VM. Problem solved!
Related Articles, References, Credits, or External Links
You can still right click the networking icon in your task tray and manually join a wireless network, but with the new UI there is a much more user friendly way.
Solution
1. Bring up the Settings menu (Press Windows Key+I, or swipe in from the left on a tablet) > Select the available networks icon.
2. Select the wireless network you want to connect to.
3. If you want to always connect to this network tick the box and select ‘Connect’.
4. If your router has a PIN number for access (check its documentation) then you can enter that here, and follow the instructions. The PIN number is usually shown on the router/access point on a sticker. However if you use a WEP or WPA password, then select ‘Connect using security key instead’.
Note: The system for joining a wireless network using a PIN number is very insecure! Just do a Google search for “hacking wireless with reaver”. I suggest you disable this feature if you can.
5. Type in your WEP/WPA Key > Next.
6. All being well, you should now be connected.
Had a stack of 3560-X Switches to update today, and when I went looking for the notes I used last time, I could not find them. So this time I took the time to document the procedure.
Solution
Now I could load in the IOS image from TFTP like this, but last time I did this I used a spare USB drive and the image ‘tar’ file, and found it a lot less hassle.
1. Make sure you have formatted your drive as FAT32, download your image file to it and put it in the switch.
At console you should see something like this;
[box]Apr 22 13:13:18.466: %USBFLASH-5-CHANGE: usbflash0 has been inserted![/box]
2. Update the switch like so;
[box]
Petes-Switch#archive download-sw usbflash0:/c3560e-universalk9-tar.150-2.SE6.tar
examining image...
extracting info (110 bytes)
extracting c3560e-universalk9-mz.150-2.SE6/info (581 bytes)
extracting info (110 bytes)
System Type: 0x00000002
Ios Image File Size: 0x0135B200
Total Image File Size: 0x0187BA00
Minimum Dram required: 0x08000000
Image Suffix: universalk9-150-2.SE6
Image Directory: c3560e-universalk9-mz.150-2.SE6
Image Name: c3560e-universalk9-mz.150-2.SE6.bin
Image Feature: IP|LAYER_3|PLUS|SSH|3DES|MIN_DRAM_MEG=128
Old image for switch 1: flash:/c3560e-universalk9-mz.122-55.SE8
Old image will be deleted before download.
Deleting `flash:/c3560e-universalk9-mz.122-55.SE8' to create required space
————output removed for the sake of brevity————
extracting c3560e-universalk9-mz.150-2.SE6/dc_default_profiles.txt (66292 bytes)
extracting c3560e-universalk9-mz.150-2.SE6/c3560e-universalk9-mz.150-2.SE6.bin (20288000 bytes)
extracting info (110 bytes)
Installing (renaming): `flash:update/c3560e-universalk9-mz.150-2.SE6' ->
`flash:/c3560e-universalk9-mz.150-2.SE6'
New software image installed in flash:/c3560e-universalk9-mz.150-2.SE6
All software images installed.
Petes-Switch#reload
Proceed with reload? [confirm]
*Mar 1 00:09:14.243: %SYS-5-RELOAD: Reload requested by console. Reload reason: Reload command
[/box]
3. At this point when the switch reloads, it will take a long time to boot as it performs a lot of updates and code rewrites when it restarts.
Upgrading The Catalyst Service Module
These switches have a 10Gb Service module in them that also needs updating. Once the switch reboots you will have to wait a few minutes before the service module boots as well. If you don’t wait then you will see this;
[box]
Petes-Switch#show switch service-modules
Switch/Stack supports service module CPU version: 03.00.76
Temperature CPU
Petes-Switch# H/W Status (CPU/FPGA) CPU Link Version
-----------------------------------------------------------------
1 OK 48C/43C notconnected N/A
Mar 30 01:29:55.128: POST: Macsec Uplink Loopback Tests : Passed Decryption Mode
Mar 30 01:29:57.594: POST: Macsec Uplink Loopback Tests : End
Mar 30 01:29:57.594: %PLATFORM-6-FRULINK_INSERTED: FRULink 10G SM module inserted.
Mar 30 01:32:13.188: %PLATFORM_SM10G-3-SW_VERSION_MISMATCH: The FRULink 10G Service Module
(C3KX-SM-10G) in switch 1 has a software version that is incompatible with the IOS software
version. Please update the software. Module is in pass-thru mode.
Petes-Switch#show switch service-modules
Switch/Stack supports service module CPU version: 03.00.76
Temperature CPU
Petes-Switch# H/W Status (CPU/FPGA) CPU Link Version
-----------------------------------------------------------------
1 OK 54C/54C ver-mismatch 03.00.41
[/box]
Or it may simply look like this;
[box]
Mar 30 01:32:29.403: %PLATFORM_SM10G-6-LINK_UP: The FRULink 10G Service Module (C3KX-SM-10G)
communication has been established.
Petes-Switch#
Petes-Switch#show switch service-modules
Switch/Stack supports service module CPU version: 03.00.76
Temperature CPU
Petes-Switch# H/W Status (CPU/FPGA) CPU Link Version
-----------------------------------------------------------------
1 OK 50C/48C connected 03.00.76
[/box]
To perform the upgrade, you will need a matching image for the service module.
[box]
Petes-Switch#archive download-sw usbflash0:/c3kx-sm10g-tar.150-2.SE6.tar
examining image...
extracting info (100 bytes)
extracting c3kx-sm10g-mz.150-2.SE6/info (499 bytes)
extracting info (100 bytes)
System Type: 0x00010002
Ios Image File Size: 0x017BDA00
Total Image File Size: 0x017BDA00
Minimum Dram required: 0x08000000
Image Suffix: sm10g-150-2.SE6
Image Directory: c3kx-sm10g-mz.150-2.SE6
Image Name: c3kx-sm10g-mz.150-2.SE6.bin
Image Feature: IP|LAYER_3|MIN_DRAM_MEG=128
FRU Module Version: 03.00.76
Updating FRU Module on switch 1...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Updating FRU FPGA image...
FPGA image update complete.
All software images installed.
Petes-Switch#reload
Proceed with reload? [confirm]
Mar 30 01:47:19.459: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
[/box]
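To confirm across a whole stack which service modules are still booting, which need the upgrade above, and which have come back on the supported version, the `show switch service-modules` output can be checked mechanically. This is an added example, not part of the original post; the sample output is constructed from the three states shown on this page, and the function name and action labels are illustrative.

```python
import re

# Constructed sample: the three states shown on this page, one row per stack member.
SAMPLE = """\
Switch/Stack supports service module CPU version: 03.00.76
                          Temperature                     CPU
Switch#  H/W Status       (CPU/FPGA)      CPU Link      Version
-----------------------------------------------------------------
 1       OK               48C/43C         notconnected    N/A
 2       OK               54C/54C         ver-mismatch    03.00.41
 3       OK               50C/48C         connected       03.00.76
"""

SUPPORTED_RE = re.compile(r"supports service module CPU version:\s*(\S+)")
# switch number, H/W status, CPU/FPGA temperature, CPU link state, module version
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+C/\d+C)\s+(\S+)\s+(\S+)\s*$")


def audit_service_modules(output):
    """Return {switch_number: action} for each row of the command output."""
    m = SUPPORTED_RE.search(output)
    if not m:
        raise ValueError("supported service module version line not found")
    supported = m.group(1)
    actions = {}
    for line in output.splitlines():
        row = ROW_RE.match(line)
        if not row:
            continue  # header, separator, prompt or interleaved syslog line
        switch, hw, _temps, link, version = row.groups()
        if hw != "OK":
            actions[int(switch)] = "check-hardware"  # illustrative label
        elif link == "notconnected":
            actions[int(switch)] = "wait"       # module has not finished booting
        elif link == "ver-mismatch" or version != supported:
            actions[int(switch)] = "upgrade"    # module is in pass-thru mode
        else:
            actions[int(switch)] = "ok"
    return actions


if __name__ == "__main__":
    for switch, action in sorted(audit_service_modules(SAMPLE).items()):
        print(f"switch {switch}: {action}")
```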
I needed to get the Uptime/Duration of a particular VPN tunnel this week. It was for a client with multiple VPN tunnels that was having problems with just one.
Solution
Option 1 via Command Line
1. Connect to the firewall > Go to enable mode and use the following command, replace 123.123.123.123 with the IP of your VPN endpoint.
[box]
PetesASA>
PetesASA> enable
Password: ********
PetesASA# show vpn-sessiondb l2l filter name 123.123.123.123 | incl Duration
Duration : 0h:08m:26s <<<<<<<
PetesASA#
[/box]
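When one tunnel out of several is misbehaving, comparing the uptimes side by side shows which one has recently re-established. The following is an added example, not part of the original post: it assumes output holding a Connection and a Duration line for each tunnel, and the sample text, the peer addresses other than 123.123.123.123, the day-count format and the function names are constructed for illustration.

```python
import re

# Constructed sample. Only the "Duration : 0h:08m:26s" format comes from this
# page; the Connection lines and the leading "Nd " day count are assumptions.
SAMPLE = """\
Connection   : 123.123.123.123
Duration     : 0h:08m:26s
Connection   : 203.0.113.10
Duration     : 6d 4h:12m:03s
Connection   : 198.51.100.7
Duration     : 6d 4h:11m:40s
"""

FIELD_RE = re.compile(r"^\s*(Connection|Duration)\s*:\s*(.+?)\s*$")
DURATION_RE = re.compile(r"^(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")


def duration_seconds(text):
    """Convert an ASA duration string to seconds."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def tunnel_uptimes(output):
    """Map each peer to its uptime in seconds."""
    uptimes, peer = {}, None
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Connection":
            peer = value
        elif peer is not None:
            uptimes[peer] = duration_seconds(value)
            peer = None
    return uptimes


def recently_reset(uptimes, ratio=0.1):
    """Peers whose uptime is below `ratio` of the median: likely to have dropped."""
    median = sorted(uptimes.values())[len(uptimes) // 2] if uptimes else 0
    return sorted(p for p, s in uptimes.items() if s < median * ratio)


if __name__ == "__main__":
    print(recently_reset(tunnel_uptimes(SAMPLE)))
```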
If you want a LOT MORE information use the following command;
[box]
PetesASA# show vpn-sessiondb detail l2l filter name 123.123.123.123
[/box]
You have an Apple device and you would like to create a remote VPN connection to a Cisco device running AnyConnect.
Note: This is not a walkthrough on how to configure AnyConnect, for that go here.
Be aware that in addition to your SSL VPN licences your Cisco ASA device also needs an “AnyConnect Mobile – ASA 5510” license. If not you will receive this error.
Solution
1. Firstly you need to download and install the Cisco AnyConnect client from iTunes.
2. Once installed launch the AnyConnect client software.
3. As this is the first time we have launched it we need to configure a connection, select “Add VPN Connection”.
4. Give the connection a name, and enter either the public IP of your Cisco device (or its public name) > Save.
5. Slide the button from Off to On.
6. If you are using a “Self signed” certificate on the Cisco device you will see this warning, simply click continue.
7. Depending on how your authentication is setup, supply your username and password > Connect.
8. All being well, the client should say connected. (If you get a licensing error see here).
9. You are now connected to your corporate network, all the while you are connected you will see the VPN icon at the top of the screen.
You have an Android device* and you would like to create a remote VPN connection to a Cisco device running AnyConnect.
Note: This is not a walkthrough on how to configure AnyConnect, for that go here.
Be aware that in addition to your SSL VPN licences your Cisco ASA device also needs an “AnyConnect Mobile” license. If you do not have one you will receive this error.
*Note: At time of writing the AnyConnect client is only available for Samsung, HTC, Lenovo, and Android phones that have been rooted.
Solution
1. First head over to the Android Market, locate and then install the AnyConnect Client on your device.
6. Set the server address, to either the public IP of your Cisco device, or if you have a public DNS name that points to it e.g. vpn.yourdomain.com you can enter that. (Providing the device can resolve that address using DNS).
7. You should not need to enter Certificate details, unless your IT department have secured the AnyConnect profile with certificates like this. In most cases you would supply a username and password to connect, so this is not relevant. If you are unsure speak to the person/department that looks after your Cisco device.
8. To save the connection click “Done”.
8. To start the connection, simply tap it.
Note: To delete/edit a connection profile tap and hold it.
9. Type in your credentials > OK.
10. When connected you will get a “Green Tick” and the logo at the top of the screen will show a closed padlock. This padlock logo will remain all the time you are connected.
11. To disconnect, simply tap the green tick, and the client software will terminate the connection.
Related Articles, References, Credits, or External Links
Thanks to David Simpson for trusting me with his phone for half an hour.