    Saturday, September 18, 2021

    TLS Handshake Failing - Changing IP address. Networking

    TLS Handshake Failing - Changing IP address.

    Posted: 18 Sep 2021 01:37 PM PDT

    Having a difficult issue with SSL handshakes on a client-server TLS connection over 443 we are trying to troubleshoot. We have a client PC on a customer's network trying to connect over the internet to a cloud hosted server. We have good access to the cloud solution's tech support and somewhat indirect access to the customer's firewall vendor that is managing the infrastructure getting our PC out to the internet to connect to the cloud server. We had this PC, via an agent service, connecting fine to the cloud solution over port 443 previously. The customer required that we change the local IP on the client PC, decrementing the last octet (we went from .251 to .250). It is not an option at this point to change the IP back or to anything else for reasons I can't go into. The agent no longer connects and here is what we know:

    • The failure with .250 occurs after the client sends Client Hello and the server responds with an ACK but the Server Hello never comes following that. The Server sends an RST, ACK to close the socket after 15+ second timeout, I believe because it next expected a Client Key Exchange from the client following the Server Hello, but the Server Hello never gets to the client, so it of course never sends the Client Key Exchange. When we temporarily go back to .251 (or try another IP in the subnet that is free) this key exchange happens flawlessly every time.
    • We tested this key exchange to our server via OpenSSL and it behaved as above, just as with the agent. We also tested the key exchange with OpenSSL to Google's 8.8.8.8:443 and it behaved exactly the same: .250 failed like above and .251 worked (and .252 worked too).
    • When it fails over .250 the protocol shown in Wireshark is TLSv1; when it works on .251 the protocol is TLSv1.2 (we are not doing anything differently except changing the local IP). This may be a quirk/feature in Wireshark, as I'm seeing similar structures in the packets for the record layer and the handshake protocol in both cases, but in the "protocol" column Wireshark is choosing to display TLSv1 and TLSv1.2 respectively for the packets in spite of this. So this may be nothing; it may be because the actual TLS version is declared in the Server Hello and that is never happening for .250, so it shows TLSv1.
    • The firewall/networking vendor for the customer has confirmed that they are not doing any SSL inspection and that the rules are the same for all IPs in this subnet. We've asked this multiple times at this point. This is out of our direct control and the area most suspect at this point IMO, but they are growing tired of our prodding.
    • If I traceroute to our server on .250, none of the hops reply via ICMP after the default gateway. If I do a traceroute to our server on .251, all of the hops reply via ICMP from the default gateway all the way to the cloud server. Again, it hardly seems like these two IPs have the same rules. The IP is the only thing changing between the two tracert tests.

    Would love some insight/encouragement to focus our efforts on the firewall vendor, or to identify any other avenues of attack in our troubleshooting/isolation.

    submitted by /u/Training_Skill_5309
    [link] [comments]
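    The symptom described above (TCP three-way handshake completes, the client's ClientHello is ACKed, and no ServerHello ever arrives) can be reproduced and labelled by stage from a chosen source address. The script below is an added example, not part of the original post or of any vendor's tooling: it binds the probing socket to a given local IP so the .250 and .251 paths can be compared with identical code, and distinguishes "TCP refused/timed out" from "TCP connected but the TLS handshake timed out". The silent listener is a constructed stand-in for the failing path (it accepts, swallows the ClientHello and never answers), so the module can be exercised offline; hostnames, addresses and timeouts are assumptions.

```python
import socket
import ssl
import threading
import time


def probe_tls(host, port, source_ip=None, timeout=5.0):
    """TCP connect, then TLS handshake, from an optional pinned source IP.

    Returns one of:
      "tcp_refused" / "tcp_timeout" / "tcp_error:<msg>"  - no usable TCP session
      "tls_handshake_timeout"  - TCP up, ClientHello sent, no ServerHello in time
      "tls_error:<reason>"     - the peer answered, but with an alert/garbage
      "tls_ok:<version>"       - full handshake completed
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    if source_ip is not None:
        # Pin the local address so the probe takes the same path the agent does
        # (e.g. compare x.x.x.250 against x.x.x.251 from one host).
        sock.bind((source_ip, 0))
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return "tcp_refused"
    except (socket.timeout, TimeoutError):
        sock.close()
        return "tcp_timeout"
    except OSError as exc:
        sock.close()
        return "tcp_error:" + str(exc)

    ctx = ssl.create_default_context()
    # Certificate validation is deliberately off: we are diagnosing whether a
    # ServerHello arrives at all, not authenticating the peer.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket() on a connected socket sends the ClientHello and blocks
        # (up to `timeout`) waiting for the ServerHello.
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except (socket.timeout, TimeoutError):
        return "tls_handshake_timeout"
    except ssl.SSLError as exc:
        return "tls_error:" + (exc.reason or str(exc))
    except OSError as exc:
        return "tls_error:" + str(exc)
    try:
        return "tls_ok:" + tls.version()
    finally:
        tls.close()


def start_silent_listener(hold_seconds=3.0):
    """Constructed stand-in for the broken path: accept the TCP connection,
    read (and drop) the ClientHello, never reply, then close after a while.
    Returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by the caller
                return
            try:
                conn.settimeout(hold_seconds)
                conn.recv(4096)      # the ClientHello lands here and is ignored
                time.sleep(hold_seconds)
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port():
    """Pick an ephemeral port and release it, so a connect() to it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    # Usage: python tls_probe.py <host> <port> [source_ip]
    host, port = sys.argv[1], int(sys.argv[2])
    src = sys.argv[3] if len(sys.argv) > 3 else None
    print(f"{src or 'default source'} -> {host}:{port}: {probe_tls(host, port, src)}")
```

Run it twice from the client PC, once with each local address, against both the cloud server and a known-good public TLS endpoint; a "tls_handshake_timeout" from .250 alongside "tls_ok:..." from .251 is the same evidence as the capture, in a form the firewall vendor cannot attribute to the agent. The traceroute observation can be repeated the same way with `traceroute -s <source_ip> <host>` on Linux. On the Wireshark point: the record-layer version field of a ClientHello is commonly 0x0301 (TLS 1.0) for compatibility, so a lone ClientHello with no ServerHello is labelled TLSv1 until the negotiated version is seen, which matches the poster's own guess.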

    Experiences with Honeypots (for a school-project)

    Posted: 18 Sep 2021 05:35 AM PDT

    Hi Guys

    I saw that questions like mine pop up from time to time; however, it wasn't exactly what I was looking for, therefore I'm asking my own questions now. For a school project I want to set up a small honeypot environment. In order to evaluate different possible solutions I would like to have some real-life experiences and maybe even real-life examples from different setups.

    I'm looking for both high- or low-interaction honeypots as well as "appliances" like FortiDeceptor or whatever fancy marketing-names these devices have. So my questions are:

    • What (if any) software do you use for your low-interaction honeypot?
    • What Tools do you use to "observe" your high interaction honeypot?
    • Do you maybe even have an appliance / complete solution as a high-interaction honeypot? Do you have experience with an appliance like FortiDeceptor or any other vendor?

    I'm primarily thinking about honeypots in the internal network to deceive and/or reveal some malicious activity. I know that there are other and probably even better options, which I'll certainly mention in my project, but as I had to choose a specific topic for the school project, I'm all in on honeypots :)

    I'm open and thankful for all opinions, experiences and discussions!

    submitted by /u/d0n_Eggi
    [link] [comments]

    Trouble getting FortiAP up and running

    Posted: 18 Sep 2021 10:49 AM PDT

    Hey all! I am hoping to obtain some guidance as I've run into a brick wall.

    For some context, I am a networking noob. I have some fundamental networking knowledge and have done basic Cisco router/switch configurations but nothing crazy and only in an educational environment (and that was about 4 years ago, at that). I am a Jr Sys Admin tasked with setting up a network at one of our overflow offices and I have run into a bit of a snag.

    I have a FortiGate 100F that will be used as our firewall and act as our router. I also have a Cisco SF300-48P switch underneath. Alongside this, I have a FortiAP 431F that I need to deploy.

    I have the FortiGate and the switch configured and operating normally. When I plug into one of the ports on the switch I obtain network connectivity and it seems to work great.

    I was tasked with deploying a FortiAP to provide a wireless option for some of our more mobile users in this office, which is where the FortiAP 431F comes in. I figured it would be easy enough: configure the interface in the FortiGate for wireless, plug the AP into that port on the FortiGate and I should be able to configure it from there. However, to my dismay, I have realized that the FortiGate 100F does not offer PoE, and so when I plug the AP into the FortiGate, it doesn't power on. It looks like I will need to have this AP run through the switch.

    I attempted to plug the AP into the switch and the AP powered on just fine (a good sign!); however, I could not see the AP in the FortiAP manager console when in the admin console of the FortiGate. This leaves me at a bit of an impasse as I cannot interface with the AP for configuration because it does not appear in the FortiAP section of my admin console (when remoted into the FortiGate).

    I assume that I am just missing something very obvious here. It doesn't seem like running an AP off a switch is an unorthodox or unusual configuration so I may just need a nudge in the right direction.

    Any guidance is greatly appreciated!

    submitted by /u/Abstand
    [link] [comments]

    For those Engineers who had their network taken over/managed by a 3rd party VAR (Accenture, NTT, Fujitsu etc.). How was it? How is it going?

    Posted: 17 Sep 2021 08:39 PM PDT

    I'm seeking insight from those shops who have had a VAR step in and take over full management of the network to provide comment.

    Things I'm interested in hearing your experience on:

    • What equipment did you have before vs. now?

    • What better/worse standards were introduced?

    • Were there any major architecture changes (e.g. SD-Access, standard 3-tier, etc.)?

    • How has the service been from a "boots on the ground" worker?

    • For those who lived through a transition, do you believe the outcome has been for better or for worse for your end customer (the business)?

    • Care to share any photos of before/after Network closets?

    Thanks!

    submitted by /u/Winter-Ad-8884
    [link] [comments]

    Finally figured out how to replicate policy based DCE/RPC inspection from the ASA onto our new FTD Platforms.

    Posted: 18 Sep 2021 01:43 PM PDT

    Seriously, it was like Cisco wants to punish us for moving to the FTD platform. I had even used their migration tool previously to convert our ASA config to the FTD and the post-migration report listed the inspection policy as unsupported. I spent hours scouring forums, blogs, and white paper sites and really couldn't find any good documentation about how you could go about doing it. The most I could find was some suggestions to use FlexConfig objects.

    We had several tickets open with Cisco TAC on this issue, and every engineer assigned failed to give me a good solution. Their answer always came back to just creating rules in the access policy opening all the high-range ports between security zones. Which kind of sucks as a solution.

    So yes, maybe I'm an idiot for not figuring this out earlier, or maybe it was clearly documented somewhere and my google-fu really could use a refresher, but it is possible to replicate policy based DCE/RPC inspection using FlexConfig objects. (To a degree; I still couldn't get it to let me configure timeout pinhole settings, but take the victories you can, I guess.) I welcome reddit's mockery for banging my head against the wall this long before figuring it out.

    submitted by /u/v2micca
    [link] [comments]

    Nexus vPc advice

    Posted: 18 Sep 2021 09:07 AM PDT

    Kinda out of my realm, as I am more at home in the IOS world, but here goes.... I have a C9300 switch connected back to a pair of N9Ks at the core. The C9300 is trunked over fiber back to the core on a port channel, one connection to N9K-A and one connection to N9K-B, utilizing vPC and HSRP. As this is a critical link, we have added a microwave backup to this site in case the fiber is ever damaged. The traffic between this site would be measured in kilobits rather than gigabits, but every bit is fairly important. I would prefer that 100% of the traffic utilize the fiber until the microwave is the only option. How would you go about adding this backup connection? Add it to the HSRP standby group as a third member? Isolate it and let STP sort it out? Thanks in advance

    submitted by /u/Hatcherboy
    [link] [comments]

    Point to point connection via tunnel

    Posted: 18 Sep 2021 09:07 AM PDT

    To start I deal with more of defensive and offensive security, so while I can understand the networking aspects some, they are not my primary knowledge base.

    I am in the process of designing a training network involving two forested domains with extremely limited access between the two. Here is a rough breakdown. Forest 1's domain will have an overarching DC with 2 child domains (a & b). Each child domain will also have a separate file server and DC. Under each child domain will be several PCs. Forest 2 will be its own domain with a single DC and a separate file server with several PCs.

    The idea is to grant selective authentication trust for a single domain admin from forest 2 dc to forest 1 dc. That will be pretty much the only access between the forests with 1 other alternative.

    The access I am trying to figure out is a pc to pc connection from Forest 1, child domain b, pc 3 to forest 2, pc 2. I am hoping to set up a one way trust for a single user that can only be accessed via tunnel. Forest 2 will not be able to access Forest 1 via this route at all.

    Please share any links or knowledge on this process or let me know if I need to draw anything out and provide more information.

    submitted by /u/DarkJediSkii
    [link] [comments]

    Aruba ClearPass policy across locations

    Posted: 18 Sep 2021 03:04 PM PDT

    Hi

    We are a globally located enterprise and are looking at Aruba ClearPass. Any best practices on whether it should be deployed per location or in a few central locations? If deployed centrally, there would be latency issues. If deployed distributed, I am not sure how we would get policy consistency across locations. Any thoughts on best practices please?

    submitted by /u/Pro_network17
    [link] [comments]

    Aruba ClearPass User ACL with Cisco switches?

    Posted: 18 Sep 2021 02:56 PM PDT

    Hi

    I have a question regarding the use of per-user ACLs with Aruba ClearPass. Is this only possible with Aruba switches or will it also work if we have Cisco switches? In this case, ClearPass does not know how to provision Cisco switches and only talks to Cisco switches via RADIUS. I don't see how RADIUS has the mechanism to provision highly granular ACEs, so I am thinking that user ACLs with ClearPass are not possible if we have Cisco switches. But am I missing something?

    submitted by /u/Pro_network17
    [link] [comments]

    Best P2P receiver ~1 km?

    Posted: 18 Sep 2021 12:55 PM PDT

    Hi. I used a MikroTik SXT for years, but it's broken. Please suggest me a cheaper P2P wireless device for a site 1 km away from the PoP (it has direct line of sight); the maximum speed of my internet service is 16 Mb/s.

    submitted by /u/----Peace----
    [link] [comments]

    Endpoint Authentication

    Posted: 18 Sep 2021 05:07 AM PDT

    If an endpoint wired or wireless gets disconnected physically or faces an IP disconnect for some reason, does it need to reauthenticate itself with ISE and redo the DORA? Or can such endpoints in Campus LAN be authenticated and join the network back despite reachability to ISE/AAA/DHCP server being down as a result of Data center reachability being down?

    submitted by /u/loudmind1908
    [link] [comments]

    MAC Spoofing in Campus LAN (SD-Access)

    Posted: 18 Sep 2021 07:52 AM PDT

    Does the Cisco SDA solution, especially the use of LISP, help crack down on MAC spoofing or MAC theft? In my experience, if MAC spoofing/theft occurs, LISP is not intelligent enough to know whether the first device is legit or the second.

    submitted by /u/loudmind1908
    [link] [comments]

    Cisco ISE CLI password reset

    Posted: 18 Sep 2021 01:08 AM PDT

    Hi, all.

    Could somebody please explain the best way to reset the CLI password for an SNS-3515 appliance running ISE 2.7?

    We have CIMC access but it has decided to stop working now (I can ping it but the GUI/SSH don't work). That leaves me with the only option, which is via bootable USB. I found this guide but am quite confused by the exact steps needed: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html

    Has anybody done this before? If so, what is the best way to reset it?

    Step 3 on the guide says:

    Step 3. Restart SNS-35XX appliance and go to the BIOS mode on console

    Step 4. In the BIOS mode, choose boot from USB.

    Any idea how I can force the ISE to boot to the BIOS? Is there a keyboard break I should send?

    Thanks in advance.

    submitted by /u/vsurresh
    [link] [comments]

    Firewalls and DHCP Transaction ID

    Posted: 18 Sep 2021 04:49 AM PDT

    We are currently troubleshooting an issue wherein our site has asymmetrical routing towards the data center where the DHCP servers are. The discover message goes out one side and the offer message is being received on the other WAN circuit. Based on the packet capture, the transaction ID is being altered. If we try to force the DHCP communication over one circuit via a static route, or by shutting down one circuit, then DHCP works well and the transaction ID is intact. We do not have access at the DC side but we suspect that there are two firewalls out there facing different MPLS circuits that are causing the transaction ID to be altered. I can't think of any network device that would alter the payload other than a firewall.

    So the assumption is: the discover message goes out MPLS1, passes through FW1; the offer message goes back through FW2, then MPLS2. I'm thinking that since FW2 doesn't have a session in its table, it messes up the offer message but it is allowed to pass through. Maybe they allow UDP any/any.

    I just can't seem to find a firewall product that could cause this. Any idea? Thanks!

    Edit: I tested on a lab using ASA but ASA is just letting it pass through without any modifications to the payload.

    submitted by /u/pengmalups
    [link] [comments]
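    The poster's evidence is a pair of captures, one per WAN circuit, in which the OFFER's transaction ID no longer matches the DISCOVER's. Below is an added example, not from the post, of how to check that mechanically rather than by eye: parse the BOOTP header and DHCP options of each UDP payload and compare the fields that a client uses to match a reply to its request (xid and chaddr; RFC 2131) plus giaddr. The sample DISCOVER/OFFER pairs are constructed inline, so it runs offline; the MAC, addresses and xid values are invented for the example. On a real capture, feed it the UDP payload bytes that tcpdump or Wireshark export for each packet.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that ends the BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the DHCP options of one UDP payload
    (the bytes after the UDP header, as tcpdump/Wireshark show them)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (
        socket.inet_ntoa(payload[o:o + 4]) for o in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen]
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                     # PAD
            i += 1
            continue
        if code == 255:                   # END
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(53, b"\x00")[0]   # option 53 = DHCP message type
    return {
        "op": op, "hops": hops, "xid": xid, "secs": secs, "flags": flags,
        "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
        "chaddr": chaddr.hex(":"),
        "type": MSG_TYPES.get(mtype, f"UNKNOWN({mtype})"),
        "options": options,
    }


def check_exchange(discover_payload, offer_payload):
    """Compare a DISCOVER with the OFFER that came back and list the fields
    nothing on the path should have changed. Empty list = consistent pair;
    a client matches replies on xid and chaddr and drops anything else."""
    d, o = parse_dhcp(discover_payload), parse_dhcp(offer_payload)
    problems = []
    if d["type"] != "DISCOVER" or o["type"] != "OFFER":
        problems.append(f"unexpected types: {d['type']} / {o['type']}")
    if d["xid"] != o["xid"]:
        problems.append(f"xid changed in flight: 0x{d['xid']:08x} -> 0x{o['xid']:08x}")
    if d["chaddr"] != o["chaddr"]:
        problems.append(f"chaddr changed: {d['chaddr']} -> {o['chaddr']}")
    if d["giaddr"] != o["giaddr"]:
        problems.append(f"giaddr changed: {d['giaddr']} -> {o['giaddr']}")
    return problems


def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Constructed packet builder, used only to make sample payloads here.
    Real ones come from e.g. `tcpdump -i any -w dhcp.pcap udp port 67 or 68`."""
    hdr = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0x8000)  # flags: broadcast
    hdr += b"".join(socket.inet_aton(a) for a in ("0.0.0.0", yiaddr, "0.0.0.0", giaddr))
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)          # chaddr, sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type]) + b"\xff"


# Constructed samples: a relayed DISCOVER (giaddr = the site router), the OFFER
# as it should return, and an OFFER whose xid was rewritten somewhere in transit.
CLIENT_MAC = bytes.fromhex("001122334455")
DISCOVER = build_dhcp(1, 1, 0x3903F326, CLIENT_MAC, giaddr="10.20.0.1")
GOOD_OFFER = build_dhcp(2, 2, 0x3903F326, CLIENT_MAC, yiaddr="10.20.0.57", giaddr="10.20.0.1")
BAD_OFFER = build_dhcp(2, 2, 0x7A11C0DE, CLIENT_MAC, yiaddr="10.20.0.57", giaddr="10.20.0.1")

if __name__ == "__main__":
    print("good pair:", check_exchange(DISCOVER, GOOD_OFFER) or "consistent")
    print("bad pair: ", check_exchange(DISCOVER, BAD_OFFER))
```

Running the comparison on the DISCOVER taken on the site router's MPLS1 side and the OFFER taken on the MPLS2 side, and then again on captures taken as close to the DC as access allows, localises which hop the rewrite happens on, which is the evidence the DC side will want before looking at their firewalls.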

    Need assistance with failed router cutover please!

    Posted: 17 Sep 2021 11:28 PM PDT

    We tried earlier to upgrade our edge Cisco routers. We have 2 WAN links and we use eBGP to peer with the carriers. The primary link was to go from 500M fiber to 10G. The backup link is 50M fiber. The cutover failed due to the primary carrier claiming they never moved us to 10G service at their CO; only the physical line was put in. So, we rolled back to the old router and service.

    After that, we notice we had asynchronous routing.

    Context: we have a /24 public block purchased from the secondary carrier (Grande Communications). We are advertising this to the primary carrier (Spectrum). Spectrum is now saying they do not and will not advertise this /24, despite us having this setup for several years at least.

    Does anyone have any knowledge of the WAN part here? I'm not familiar enough with the carrier part to say that Spectrum is full of shit and should be advertising this route for us. Do we need to provide some type of LOA or does the carrier who we lease the /24 need to provide this? Any help would be greatly appreciated. We've been at this for hours and I don't know what to do.

    submitted by /u/watkinsmr77
    [link] [comments]

    DANOS - Filtering out default route on OSPFv3

    Posted: 17 Sep 2021 05:40 PM PDT

    I'm trying to set up a full-table BGP router on DANOS and it is working fine so far. Transit connections are working, and the same for the connection to the IX platform.

    However, I have one VLAN to get back to the rest of the network running OSPFv3, which also holds a default route for the rest of the network to function (all sub-locations gain internet access through it).

    I would like to filter out the default, but it looks like it is not possible on DANOS to apply an inbound filter?

    submitted by /u/raymonvdm
    [link] [comments]

    Help with Cisco SG200-50P Voice VLAN issues.

    Posted: 17 Sep 2021 04:28 PM PDT

    Hello, I hate to burden anyone with this but I'm at a loss.

    I have several phones that initially came up fine on VLAN 2 as expected but now have resorted to coming up only on VLAN 1 and nothing I do seems to change that.

    Initially I was convinced the issues were related to auto voice VLAN or auto smart port settings that are enabled by default as I could see the VLAN membership magically changed when I logged into the switch. I set everything back and I set the built-in voice VLAN to 100, unused. Default VLAN 1 is default PVID 1 and voice VLAN is 2.

    Here's where it gets weird.

    I programmed ports 1-50 untagged PVID 1, tagged VLAN 2 (except ports 47 and 48, which are PVID 2, my actual voice VLAN, i.e. 172.16.X.X). Port 48 is my router providing DHCP to the phones and 47 is a NAT'd subnet for the data network. All phones are tagging VLAN 2.

    First run all phones came up VLAN 2 and all PC's VLAN 1, packed up and left.

    After leaving, a day later I get a call that several phones aren't working. I have them check IPs and they are VLAN 1. I have them verify the phones are still set to VLAN 2. I log into the switch only to find several switched; this is when I disabled auto everything (at least I think everything).

    I got the phones to all come back up on VLAN 2 after a hard reboot but what's weird is the MAC Address Tables show the phone's MAC in both the VLAN 1 list and the VLAN 2 list even if I clear the list and let it rebuild. How can this be?

    There are PCs behind many of the phones and they all come up VLAN 1, so essentially I see 3 devices per port in the MAC Address Table: a PC and phone for VLAN 1 and the very same phone for VLAN 2.

    Today I log in and clear the MAC Address Table and I only see the two untagged PVID 2 ports, 47 and 48, belonging to VLAN 2, and everything else, all phones and PCs, is in the VLAN 1 group. Additionally, when checking the phones, they all have VLAN 1 IPs now!!!

    I'm going insane!

    Do I throw this switch in the trash? Please advise thank you!

    submitted by /u/p_ingram
    [link] [comments]

    Best enterprise Networking vendor

    Posted: 18 Sep 2021 01:27 AM PDT

    Hey guys, Cisco has too many components to manage. Tired of their forever integration, always needing to buy new hardware for their next integrated feature, etc.

    Which vendor provides the following capabilities better than or equal to Cisco?

    1. Micro-segmentation (Cisco ISE, dot1x etc)
    2. Virtual networks/multi-tenancy (overlay)
    3. NGFW - can be different vendor
    4. Wireless
    5. Software defined (controller based) routing/switching.

    Preferably it should have a single dashboard (DNA Center is lol). Remote management support for switches (never need to console in, ever). Stackable switches, minimal downtime during upgrades. Should extend to datacenter switches.

    How good are Fortinet, Juniper, Arista etc?

    Thanks

    submitted by /u/IssueStrong9382
    [link] [comments]
