One-liners: simple ASA log parsers

Sometimes you do not need a detailed log analysis, just a few simple one-liners that you can adjust without thinking too much about how they work or what you did last time. The examples below are absolutely NOT optimal; they are deliberately modular so that they are easy to edit line by line.

1. Allowed traffic:

cat asa.log | grep permitted | grep access-list |
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less

Result:

 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
 tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
 udp outside/10.2.8.25 -> inside/10.1.9.14(137)
 udp outside/10.2.8.25 -> inside/10.1.81.15(137)
 tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
 tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)

Notice the “permitted” strings in the one-liner: the first selects the lines, the second cuts off everything before it.

2. Denied traffic:

cat asa.log | grep denied | grep access-list |
sed -e 's/^.*denied//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less

Result:

 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
 tcp inside/10.3.241.116 -> outside/10.2.8.251(1541)
 tcp inside/10.3.241.116 -> outside/10.2.8.251(1547)
 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)

3. The most popular permitted traffic:

cat asa.log | grep permitted | grep access-list |
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' |
awk '{ conn[$0]++ } END { for (i in conn) print conn[i] "\t" i }' | sort -k1,1nr | less

Result (the first column is the number of matching log entries):

21170   tcp outside/10.2.8.40 -> inside/10.1.140.149(13000)
18023   tcp outside/10.2.8.34 -> inside/10.1.140.149(13000)
17981   tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)
11034   tcp inside/10.1.140.251 -> outside/10.2.8.68(10001)
10652   tcp outside/10.2.8.43 -> inside/10.1.140.137(13000)
10628   tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
10484   tcp outside/10.2.8.47 -> inside/10.1.140.137(13000)
10437   tcp outside/10.2.8.23 -> inside/10.1.140.137(13000)
7618   tcp outside/10.2.8.25 -> inside/10.1.140.137(13000)
7550   tcp outside/10.2.8.27 -> inside/10.1.140.137(13000)
7515   tcp outside/10.2.8.49 -> inside/10.1.140.137(13000)
7496   tcp outside/10.2.8.29 -> inside/10.1.140.137(13000)
6826   tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
6011   tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
5896   tcp outside/10.2.8.40 -> inside/10.1.141.23(8080)
5809   tcp outside/10.2.8.30 -> inside/10.1.140.137(13000)

4. Modification for ASA versions 8.2+, where denied traffic is logged as “Deny … by access-group”:

cat asa.log | grep Deny | grep access-group |
sed -e 's/^.*Deny//' -e 's/by.*$//' |
sed -e 's/dst/ ->/' -e 's/src//' | less

You can use this method to generate a policy based on the current traffic.

Additional “greps” will allow you to filter for specific ports or IP addresses.

Replace “permitted” with “denied” and you’ll get the “most popular denied traffic”.
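The same pipelines (one-liners 1 to 4 above) wrapped in shell functions and fed from constructed sample lines, so they can be run offline and checked. This is an added example and not the original post's code; the log lines, addresses and ACL names are made up, and the example assumes the two message shapes the one-liners target: %ASA-6-106100 (“permitted”/“denied” with hit-cnt) and the 8.2+ style %ASA-4-106023 (“Deny … by access-group”). The obsolete `sort +0nr` is replaced by the equivalent POSIX `sort -k1,1nr`.

```shell
#!/bin/sh
# Added example, not the original post's code: the one-liners as functions,
# fed from constructed ASA syslog lines so the script runs offline.
# Assumed message shapes: %ASA-6-106100 (pre-8.2 "permitted"/"denied" with
# hit-cnt) and %ASA-4-106023 (8.2+ "Deny ... by access-group").

# Constructed sample log; addresses and ACL names are made up.
SAMPLE_LOG='%ASA-6-106100: access-list outside_in permitted tcp outside/10.2.8.30(45123) -> inside/10.1.141.23(8080) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/10.2.8.30(45124) -> inside/10.1.141.23(8080) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list outside_in permitted udp outside/10.2.8.25(137) -> inside/10.1.9.14(137) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list inside_out denied tcp inside/10.1.140.159(51234) -> outside/10.2.8.24(515) hit-cnt 1 first hit [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.3.241.116/51000 dst outside:10.2.8.251/1541 by access-group "inside_out" [0x0, 0x0]'

# Filter on stdin. $1 is the verdict word: "permitted" or "denied".
# Keeps access-list lines with that verdict, cuts everything before the verdict
# and from hit-cnt onwards, and drops the ephemeral source port so repeated
# connections from one host collapse into a single flow (one-liners 1 and 2).
flows() {
    grep "$1" | grep access-list |
    sed -e "s/^.*$1//" -e 's/hit-cnt.*$//' |
    sed -e 's/([0-9][0-9]*) ->/ ->/'
}

# Count identical flows, most frequent first (one-liner 3).
top_flows() {
    printf '%s\n' "$SAMPLE_LOG" | flows "$1" |
    awk '{ conn[$0]++ } END { for (i in conn) print conn[i] "\t" i }' |
    sort -k1,1nr
}

# 8.2+ style (one-liner 4): rewrite "src A dst B" into the same "A -> B" shape.
denied_82() {
    printf '%s\n' "$SAMPLE_LOG" | grep Deny | grep access-group |
    sed -e 's/^.*Deny//' -e 's/by.*$//' |
    sed -e 's/dst/ ->/' -e 's/src//'
}

# Count of the single most frequent flow for a verdict.
top_count() {
    top_flows "$1" | head -n 1 | cut -f 1
}

# Stand-alone run: `sh asa-flows.sh demo` prints the three views.
if [ "${1:-}" = "demo" ]; then
    echo "== permitted =="; top_flows permitted
    echo "== denied =="; top_flows denied
    echo "== denied (8.2+) =="; denied_82
fi
```

On the sample log the permitted view collapses the two connections from 10.2.8.30 to 10.1.141.23:8080 into one flow with a count of 2, which is exactly the “most popular traffic” view one-liner 3 gives on a real asa.log. Swap `SAMPLE_LOG` for `cat asa.log` and the functions work unchanged.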

UPnP devices do not see each other

If UPnP devices do not see each other, there are two likely causes:

Multicasts are not forwarded

Simple Service Discovery Protocol (SSDP) uses multicast IPv4 address 239.255.255.250. The local switches must be able to forward such traffic. On a Cisco switch you run the following command to allow that:

no ip igmp snooping vlan 101

Firewall blocks UPnP traffic

Related ports: UDP 1900 (SSDP) and TCP 2869

Default passwords

Solaris 11: root/solaris
Cyclades console servers (e.g. ACS4): root/tslinux
Avocent ACS5000 console servers: root/avocent
Avocent ACS6000 console servers: admin/avocent or root/linux
Cisco VPN3000: admin/admin
Cisco ASA: empty
Netscreen: netscreen/netscreen
Avocent/Cyclades PM IPDU: admin/pm8 root/linux

Solaris 11 EA (b173) ZFS pool versions
Solaris 11 EA (Sep 2011 build 173) updated zpool version to 33:

$ zpool upgrade -v
This system is currently running ZFS pool version 33.

The following versions are supported:

VER DESCRIPTION
--- --------------------------------------------------------
1 Initial ZFS version
2 Ditto blocks (replicated metadata)
3 Hot spares and double parity RAID-Z
4 zpool history
5 Compression using the gzip algorithm
6 bootfs pool property
7 Separate intent log devices
8 Delegated administration
9 refquota and refreservation properties
10 Cache devices
11 Improved scrub performance
12 Snapshot properties
13 snapused property
14 passthrough-x aclinherit
15 user/group space accounting
16 stmf property support
17 Triple-parity RAID-Z
18 Snapshot user holds
19 Log device removal
20 Compression using zle (zero-length encoding)
21 Deduplication
22 Received properties (Solaris Nevada b130 Dec 2009)
23 Slim ZIL
24 System attributes
25 Improved scrub stats
26 Improved snapshot deletion performance
27 Improved snapshot creation performance
28 Multiple vdev replacements (ZFS for Linux)
29 RAID-Z/mirror hybrid allocator
30 Encryption
31 Improved 'zfs list' performance (Solaris 11 Express b151a Nov 2010)
32 One MB blocksize
33 Improved share support (Solaris 11 EA b173 Sep 2011)

Encryption failure: Received a cleartext packet within an encrypted connection

Recently I stumbled upon a strange-looking site-to-site (CheckPoint R70 to Cisco VPN3k) VPN problem:

Connections from some networks were dropped with the following error:

Encryption failure: Received a cleartext packet within an encrypted connection

The first step was to check the encryption domains for the tunnel. In both the GUI and /etc/fw/conf/user.def the encryption domain was the whole class B network assigned to the company.

The next step was tracing.


WordPress 3.1 vs. 3.0 vs. 3.1.1 and “archives” URLs

Updated on Apr 07, 2011 @ 02:54:

If you made the change below for 3.1RC-3.1 and/or used manually created tag/category links in 3.1RC-3.1 and just upgraded to 3.1.1, you may find that the links are broken. The reason is that in 3.1.1 the tag and category links returned to the 3.0 style with the word “archives” in the URL.

To make it work you can change .htaccess to the following:

RewriteEngine On
# or wherever your blog root is
RewriteBase /

#RewriteRule archives/category/(.*) category/$1 [L,R=301]
#RewriteRule archives/tag/(.*) tag/$1 [L,R=301]
RewriteRule ^category/(.*) archives/category/$1 [L,R=301]
RewriteRule ^tag/(.*) archives/tag/$1 [L,R=301]

Posted on Feb 25, 2011 @ 00:22:

In WordPress 3.1 the link structure has changed

from (<= 3.0.x):

wp/archives/category and wp/archives/tag

to (>= 3.1.x):

wp/category and wp/tag

If you have existing “hard” links to tags or categories, add the following lines to .htaccess:

RewriteEngine On
RewriteBase /
RewriteRule archives/category(.*)$ category$1 [L,R=301]
RewriteRule archives/tag(.*)$ tag$1 [L,R=301]

How to get rid of conime.exe

Conime.exe (C:\WINDOWS\system32) is the “Console Input Method Editor”, which is used if you have more than one input language configured. Under Windows Vista it tends to multiply itself and take lots of CPU and memory resources. Microsoft refuses to fix this bug (or probably it’s a feature?).

One method to get rid of this annoyance is to enable only one language (Control Panel – Regional and Language Options – Keyboard and Languages).

Another one is to remove/rename the binary (from an elevated command prompt, since the file is owned by TrustedInstaller):

takeown /f %windir%\system32\conime.exe
icacls %windir%\system32\conime.exe /grant %UserName%:F
rename %windir%\system32\conime.exe conime.bak

ASA and traceroute

By default the ASA does not decrement the TTL field, hence it is not visible in traceroute output. This is how to change this behaviour:

asa# conf t
asa(config)# icmp unreachable rate-limit 10 burst-size 5
asa(config)# policy-map global_policy
asa(config-pmap)# class class-default
asa(config-pmap-c)# set connection decrement-ttl

The result:

asa# sh run
. . .
icmp unreachable rate-limit 10 burst-size 5
. . .
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  . . .
  inspect icmp
  inspect sunrpc

 class class-default
  set connection decrement-ttl

service-policy global_policy global
. . .

Sources:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
http://packetu.com/content/view/50/

Crash recovery after updating Win7 x64

Not sure if it’s a problem of VirtualBox, but when trying to install Win7 x64 SP1, Windows got stuck with the following message:

Fatal error C0000034 applying update operation 282 of 117809 (_00000…)

This method helped!

YEP I GOT IT WORKING!! I DONT KNOW IF MY METHOD IS THE BEST BUT IT WORKS!

This method works without Safe Mode, without backups, without System Restore, without DISM, and without a Windows 7 DVD repair disc.

INSTRUCTIONS:

01. Reboot your computer while it’s starting up.

02. When your computer starts up again, choose the option “Launch Startup Repair”
–> PIC: http://notebooks.com/wp-content/uploads/2011/01/Recov-1.jpg

03. When the Startup repair starts, click cancel.

04. After you click cancel it will show a box. Click “Don’t Send”
–> PIC: http://i52.tinypic.com/xgjriw.png

05. Click the link “View advanced options for recovery and support”

06. In the new window click Command Prompt at the bottom.
–> PIC: http://i51.tinypic.com/50imu8.png

07. In Command Prompt type this and press enter: %windir%\system32\notepad.exe

08. Notepad will open. In notepad go to File–>Open.

09. Change the type of files notepad views from .txt to All Files (see pic)
–> PIC: http://i51.tinypic.com/35nd74z.png

10. Now in Notepad, go to C:\Windows\winsxs\ (or whichever drive Windows is installed on)

11. In that folder, find pending.xml and make a copy of it

12. Now open the original pending.xml (it will load really slow because the file is huge)

13. Press CTRL+F and search for the following exactly: 0000000000000000.cdf-ms

14. Delete the following text (yours will be a little different):

–> PIC: http://i54.tinypic.com/adzpzp.png

Your PC might not have all 3 sections of code (, , ). Just make sure you delete section “Checkpoint” and whatever other sections have “000000000000000.cdf-ms”. They will be right next to each other.

15. Save the file, close notepad, close command prompt, restart your computer.