How to use Telus Actiontec T3200M as a wireless Access point
When you install Telus Internet, they provide a combined modem + router + wireless device, the Actiontec T3200M. Many users (me included) still want to use their own third-party router or firewall, so we enable the bridge function of the T3200M and connect our own router or firewall to Port 1 of the T3200M; our router then gets its own external IP. But how do we still take advantage of the strong wireless signal of the T3200M? The problem is that the T3200M has no option to disable its DHCP server, and that DHCP server hands out the T3200M itself as the default gateway, so traffic from clients connected to the T3200M wireless never reaches our own firewall. How can we use that box only as a wireless AP while our own box provides DHCP, firewall and routing?
here is my solution:
1. set the DHCP server's pool to the single-address range 192.168.1.253-192.168.1.253
2. add a DHCP reservation for 192.168.1.253 bound to a dummy MAC address, 00:00:00:00:00:00
done
explanation:
no IP is left in the T3200M's pool, so your own DHCP server answers the DHCP requests from wireless clients.
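To confirm on a wireless client that the trick worked, here is an added Python check (not part of the post) that parses a dhclient lease file and reports whether each lease came from our own firewall rather than another DHCP server on the LAN. The firewall address 192.168.1.1 and the T3200M address 192.168.1.254 in the sample are assumptions.

```python
import re

# Constructed sample in ISC dhclient lease-file format (not from the post). The first
# lease was answered by a device other than our firewall (the T3200M's own DHCP
# server is assumed to sit at 192.168.1.254); the second came from our firewall.
SAMPLE_LEASES = """\
lease {
  interface "wlan0";
  fixed-address 192.168.1.120;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.254;
  option dhcp-server-identifier 192.168.1.254;
  renew 2 2019/02/26 10:00:00;
}
lease {
  interface "wlan0";
  fixed-address 192.168.1.57;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option dhcp-server-identifier 192.168.1.1;
  renew 2 2019/02/26 12:00:00;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")
ADDR_RE = re.compile(r"fixed-address\s+([\d.]+);")

def parse_leases(text):
    """Return one dict per lease block: its options plus the leased address."""
    leases = []
    for body in LEASE_RE.findall(text):
        lease = dict(OPTION_RE.findall(body))
        m = ADDR_RE.search(body)
        lease["fixed-address"] = m.group(1) if m else None
        leases.append(lease)
    return leases

def check_lease_origin(text, firewall_ip):
    """Map each leased address to True only when both the DHCP server identifier
    and the default gateway (option routers) are our own firewall. False means
    another DHCP server on the LAN, e.g. the T3200M's, still answered."""
    verdict = {}
    for lease in parse_leases(text):
        verdict[lease["fixed-address"]] = (
            lease.get("dhcp-server-identifier") == firewall_ip
            and lease.get("routers") == firewall_ip
        )
    return verdict
```

On a Debian/Ubuntu client the file to feed in is typically /var/lib/dhcp/dhclient.leases; the most recent lease is the last block in the file.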
Tech Digest
Network Technology
Tuesday, February 26, 2019
Monday, January 7, 2019
how to resolve the boot issue of Palo Alto firewall
I have seen a couple of times a PA200 stuck during boot: the status light is amber and none of the interfaces work except mgt and console. When you console into the box you may see that the auto-commit fails and keeps retrying. The error message could be an unknown application "zoom" or anything else:
"Error: Undefined application 'zoom'
(Module: device)
Commit failed
Failed to commit policy to device"
here are the steps I did to resolve this:
- delete the content cache:
delete content cache curr-content version 90000 type all
- rebuild the content database:
debug swm rebuild-content-db
- install the content file:
request content upgrade install force yes file xxxxx.xx
Tuesday, July 24, 2018
Fortigate ssl vpn possible issue
When you use web filtering and the action for the "unrated" category is left at the default, warning, access to the SSL VPN may get stuck at 98% and then fail.
What needs to be changed is the action for that category, from warning to monitor or accept.
Thursday, April 12, 2018
Fortigate sslvpn issue 5.6.3
When you upgrade the FortiGate firmware or set up a new SSL VPN, and you use a certificate other than the factory default, you may have trouble connecting to the SSL VPN.
debug output from the FortiGate:
Inovfw10 #
[18907:root:fc]allocSSLConn:280 sconn 0x7f820714c000 (0:root)
[18907:root:fc]SSL state:before SSL initialization (208.98.207.34)
[18907:root:fc]SSL state:before SSL initialization:DH lib(208.98.207.34)
[18907:root:fc]SSL_accept failed, 5:(null)
[18907:root:fc]Destroy sconn 0x7f820714c000, connSize=0. (root)
[18907:root:fd]allocSSLConn:280 sconn 0x7f820714c000 (0:root)
[18907:root:fd]SSL state:before SSL initialization (208.98.207.34)
[18907:root:fd]SSL state:before SSL initialization (208.98.207.34)
[18907:root:fd]SSL state:fatal handshake failure (208.98.207.34)
[18907:root:fd]SSL state:error:(null)(208.98.207.34)
[18907:root:fd]SSL_accept failed, 1:no shared cipher
[18907:root:fd]Destroy sconn 0x7f820714c000, connSize=0. (root)
[18907:root:fe]allocSSLConn:280 sconn 0x7f820714c000 (0:root)
[18907:root:fe]SSL state:before SSL initialization (208.98.207.34)
[18907:root:fe]SSL state:before SSL initialization (208.98.207.34)
[18907:root:fe]SSL state:fatal handshake failure (208.98.207.34)
[18907:root:fe]SSL state:error:(null)(208.98.207.34)
[18907:root:fe]SSL_accept failed, 1:no shared cipher
[18907:root:fe]Destroy sconn 0x7f820714c000, connSize=0. (root)

message on the client side:
"The server you want to connect to requests identification, please choose a certificate and try again. (-5)"
from the FortiGate GUI (VPN events log):
Log Description: SSL VPN exit error | Action: ssl-exit-error | Reason: N/A
solution:
config vpn ssl settings
set algorithm medium
end
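When the debug output is long, it helps to group it by connection and count the SSL_accept failure reasons per client before touching the cipher settings. This is an added Python example, not from the post; the sample lines follow the format of the debug output above and use a documentation address, 203.0.113.10, instead of a real client.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the format of the sslvpn debug output quoted above;
# 203.0.113.10 is a documentation address, not a real client.
SAMPLE_DEBUG = """\
[18907:root:fc]allocSSLConn:280 sconn 0x7f820714c000 (0:root)
[18907:root:fc]SSL state:before SSL initialization:DH lib(203.0.113.10)
[18907:root:fc]SSL_accept failed, 5:(null)
[18907:root:fc]Destroy sconn 0x7f820714c000, connSize=0. (root)
[18907:root:fd]allocSSLConn:280 sconn 0x7f820714c000 (0:root)
[18907:root:fd]SSL state:fatal handshake failure (203.0.113.10)
[18907:root:fd]SSL_accept failed, 1:no shared cipher
[18907:root:fe]SSL state:fatal handshake failure (203.0.113.10)
[18907:root:fe]SSL_accept failed, 1:no shared cipher
"""

PREFIX_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")
CLIENT_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")
FAIL_RE = re.compile(r"SSL_accept failed, (\d+):(.*)$")

def summarize_failures(text):
    """Group lines by connection id (third field of the [pid:vdom:conn] prefix)
    and return, per client IP, a dict of SSL_accept failure reason -> count."""
    client_of = {}                   # conn id -> client IP seen on its state lines
    failures = defaultdict(Counter)  # client IP -> reason -> count
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        conn, rest = m.group(3), m.group(4)
        ip = CLIENT_RE.search(rest)
        if ip:
            client_of[conn] = ip.group(1)
        f = FAIL_RE.search(rest)
        if f:
            failures[client_of.get(conn, "unknown")][f.group(2).strip()] += 1
    return {ip: dict(c) for ip, c in failures.items()}

def diagnose(summary):
    """Return a one-line hint per client from its most frequent failure reason."""
    hints = {}
    for ip, reasons in summary.items():
        top = max(reasons, key=reasons.get)
        if top == "no shared cipher":
            hints[ip] = "no cipher suite in common; review 'set algorithm' under 'config vpn ssl settings'"
        else:
            hints[ip] = "handshake aborted before cipher negotiation: " + top
    return hints
```

"no shared cipher" on every connection points at the cipher list, and "set algorithm medium" accepts more suites than "high", so treat it as confirmation of the diagnosis as much as a fix and still check the certificate and its chain afterwards.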
Friday, April 6, 2018
Sonicwall IPsec VPN issues
When you use a SonicWall as an IPsec VPN device, there are some things you need to pay attention to:
1. When you or the peer firewall is behind NAT, an IP address as the Peer ID never matches, even if you configure the remote firewall with the public IP; the firewall identifier type does not work either, however you configure it. A domain name does work, as long as it matches the remote side's configuration.
2. If you want to reach the firewall itself over the VPN, permitting any zone/subnet is not enough; you need an additional firewall rule that permits the interface as well.
3. If you want to monitor the firewall with SNMP over the VPN, you also need to enable SNMP in the advanced settings of the VPN policy.
Tuesday, April 3, 2018
Linux box in Azure partitions issue
When you create a Linux VM in Azure, such as CentOS, even if you select a 64 GB disk the partitioning does not use the whole disk; it may look like this:
#fdisk -l
Disk /dev/sda: 68.7 GB, 68719476736 bytes, 134217728 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk label type: dos
Disk identifier: 0x000cd8ad
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 62914559 30944256 83 Linux
Disk /dev/sdb: 17.2 GB, 17179869184 bytes, 33554432 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk label type: dos
Disk identifier: 0x9075e55c
Device Boot Start End Blocks Id System
/dev/sdb1 128 33552383 16776128 83 Linux
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 30G 3.0G 27G 10% /
devtmpfs 3.9G 0 3.9G 0% /dev
tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs 3.9G 65M 3.9G 2% /run
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/sda1 497M 105M 392M 22% /boot
/dev/sdb1 16G 45M 15G 1% /mnt/resource
tmpfs 797M 0 797M 0% /run/user/1000
then you need to resize the partition.
here are the steps for CentOS 7:
1. sudo fdisk /dev/sda
type: p
this will show both partitions, /dev/sda1 and /dev/sda2 (partitions 1 and 2)
type: d then 2 (to delete partition 2)
type: n then p, 2 (to recreate partition 2); you can accept the default values, but check that the new partition's first sector is the same as the old one (1026048 in the output above), otherwise the data on it is lost
type: w (to write the new partition table)
type: q (to exit fdisk)
sudo reboot (to reboot the VM so the kernel picks up the new partition table)
2. To finalize the resize, after the reboot, execute:
sudo xfs_growfs /dev/sda2
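Before running the fdisk steps it is worth knowing how much space is actually unused after the last partition, since that is what the recreated partition grows into. This added Python example (not from the post) parses the `fdisk -l` output shown above and reports the gap per disk; the sample is a constructed copy of that output with the same sector counts.

```python
import re

# Constructed sample reproducing the `fdisk -l` layout from the post (same disks,
# same sector counts); header lines that the parser ignores are left out.
SAMPLE_FDISK = """\
Disk /dev/sda: 68.7 GB, 68719476736 bytes, 134217728 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 2048 1026047 512000 83 Linux
/dev/sda2 1026048 62914559 30944256 83 Linux
Disk /dev/sdb: 17.2 GB, 17179869184 bytes, 33554432 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
/dev/sdb1 128 33552383 16776128 83 Linux
"""

DISK_RE = re.compile(r"^Disk (/dev/[^:]+):.*?, (\d+) sectors$")
PART_RE = re.compile(r"^(/dev/\S+)\s+\*?\s*(\d+)\s+(\d+)\s+\d+\s+\w+\s+")
SECTOR_BYTES = 512  # matches the "Units = sectors of 1 * 512" line above

def unused_tail(text):
    """Per disk, return (last partition, unused sectors after it, unused GiB).
    Only the gap after the highest-ending partition counts, since that is what
    the delete/recreate step in the post lets the partition grow into."""
    disks, current = {}, None
    for line in text.splitlines():
        d = DISK_RE.match(line)
        if d:
            current = d.group(1)
            disks[current] = {"sectors": int(d.group(2)), "parts": []}
            continue
        p = PART_RE.match(line)
        if p and current:
            disks[current]["parts"].append((p.group(1), int(p.group(2)), int(p.group(3))))
    report = {}
    for disk, info in disks.items():
        if info["parts"]:
            last = max(info["parts"], key=lambda part: part[2])
            gap = info["sectors"] - 1 - last[2]
            report[disk] = (last[0], gap, round(gap * SECTOR_BYTES / 2**30, 1))
    return report

def needs_resize(text, min_gib=1.0):
    """Names of disks whose last partition leaves at least min_gib unused."""
    return [d for d, (_, _, gib) in unused_tail(text).items() if gib >= min_gib]
```

On a live VM, pipe the real output in with `sudo fdisk -l | python3 script.py` after adding a small stdin wrapper; for the post's disk it reports 34 GiB unused after /dev/sda2, which is the space the recreated partition picks up.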
Tuesday, August 12, 2014
ASA vpn issue
When you have an internal certificate for your ASA and that certificate has expired on the PC, you may get a couple of warning or error messages.
The first warning is "the certificate has an invalid date".
After you enter the username and password, you get the disconnect error "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."
solution: find the expired certificate and delete it, then try again.
Another issue is the URL in the connection profile:
don't use https://xxx.xxx.com/ddd/
the trailing "/" may cause unexpected issues.