determining what is chewing your bandwidth

ip cef
interface dialer1
ip route-cache flow

show ip cache flow

ip flow-top-talkers
top 10
sort by bytes
cache-timeout 10000

show ip flow top-talkers

slappa#show ip flow top-talkers

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Vi2 BV1 06 01BB CBBF 6362
BV1 Di0* 11 E644 FF29 703
Vi2 BV1 06 01BB CB37 310
Vi2 BV1 11 FF29 E644 302
BV1 Di0* 06 CBC7 60F9 280
BV1 Di0* 11 E644 C8D5 270
BV1 Di0* 11 E644 60F9 222
BV1 Di0* 11 E644 B70D 222
BV1 Di0* 11 E644 DCE1 222
BV1 Di0* 11 E644 A1BD 222
10 of 10 top talkers shown. 40 flows processed.



How IPSEC Works

How IPSec Works


IPSec involves many component technologies and encryption methods. Yet IPSec’s operation can be broken down into five main steps. The five steps are summarized as follows:

Step 1 Interesting traffic initiates the IPSec process—Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.
Step 2 IKE phase one—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase two.
Step 3 IKE phase two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
Step 4 Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.
Step 5 IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out.

This five-step process is shown in Figure 1-15.

Figure 1-15 The Five Steps of IPSec

Step 1: Defining Interesting Traffic

Determining what type of traffic is deemed interesting is part of formulating a security policy for use of a VPN. The policy is then implemented in the configuration interface for each particular IPSec peer. For example, in Cisco routers and PIX Firewalls, access lists are used to determine the traffic to encrypt. The access lists are assigned to a crypto policy such that permit statements indicate that the selected traffic must be encrypted, and deny statements can be used to indicate that the selected traffic must be sent unencrypted. With the Cisco Secure VPN Client, you use menu windows to select connections to be secured by IPSec. When interesting traffic is generated or transits the IPSec client, the client initiates the next step in the process, negotiating an IKE phase one exchange.

Step 1 is shown in Figure 1-16.

Figure 1-16 Defining Interesting Traffic

Step 2: IKE Phase One

The basic purpose of IKE phase one is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase one performs the following functions:

  • Authenticates and protects the identities of the IPSec peers
  • Negotiates a matching IKE SA policy between peers to protect the IKE exchange
  • Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
  • Sets up a secure tunnel to negotiate IKE phase two parameters

IKE phase one occurs in two modes:

  • Main mode
  • Aggressive mode

Main Mode

Main mode has three two-way exchanges between the initiator and receiver.

  • First exchange—The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.
  • Second exchange—This exchange uses a Diffie-Hellman exchange to generate shared secret keying material used to generate shared secret keys and to pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity.
  • Third exchange—This exchange verifies the other side’s identity. The identity value is the IPSec peer’s IP address in encrypted form. The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers. The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds or kilobytes, and the shared secret key values for the encryption algorithms. The IKE SA in each peer is bidirectional.

Aggressive Mode

In the aggressive mode, fewer exchanges are done and with fewer packets. In the first exchange, almost everything is squeezed into the proposed IKE SA values, the Diffie-Hellman public key, a nonce that the other party signs, and an identity packet, which can be used to verify the initiator’s identity through a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using the aggressive mode is that both sides have exchanged information before there is a secure channel. Therefore, it is possible to sniff the wire and discover who formed the new SA. However, aggressive mode is faster than main mode.

Step 2 is shown in Figure 1-17.

Figure 1-17 IKE Phase One

Step 3: IKE Phase Two

The purpose of IKE phase two is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase two performs the following functions:

  • Negotiates IPSec SA parameters protected by an existing IKE SA
  • Establishes IPSec security associations
  • Periodically renegotiates IPSec SAs to ensure security
  • Optionally performs an additional Diffie-Hellman exchange

IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in phase one. It negotiates a shared IPSec policy, derives shared secret keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode exchanges nonces that provide replay protection. The nonces are used to generate new shared secret key material and prevent replay attacks from generating bogus SAs.

Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Base quick mode is used to refresh the keying material used to create the shared secret key based on the keying material derived from the Diffie-Hellman exchange in phase one.

Perfect Forward Secrecy

If perfect forward secrecy (PFS) is specified in the IPSec policy, a new Diffie-Hellman exchange is performed with each quick mode, providing keying material that has greater entropy (key material life) and thereby greater resistance to cryptographic attacks. Each Diffie-Hellman exchange requires large exponentiations, thereby increasing CPU use and exacting a performance cost.

Step 4: IPSec Encrypted Tunnel

After IKE phase two is complete and quick mode has established IPSec SAs, information is exchanged by an IPSec tunnel. Packets are encrypted and decrypted using the encryption specified in the IPSec SA. This IPSec encrypted tunnel can be seen in Figure 1-18.

Figure 1-18 IPSec Encrypted Tunnel

Step 5: Tunnel Termination

IPSec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds have elapsed or when a specified number of bytes have passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are needed for a flow, IKE performs a new phase two and, if necessary, a new phase one negotiation. A successful negotiation results in new SAs and new keys. New SAs can be established before the existing SAs expire so that a given flow can continue uninterrupted. This can be seen in Figure 1-19.

Figure 1-19 Tunnel Termination

Cisco License Activation

This new system will start becoming a bother when upgrading from IP Base to another feature license. This will require the following steps:

  1. The order of a Product Authorization Key (PAK) from Cisco
  2. The Unique Device Identifier (UDI) from the Router/Switch
  3. Entered this information into the Cisco Licensing Portal
  4. Taking the information from the Portal and installing the license onto the Switch/Router

The installation of the license file can be done using the *.lic file that you receive from the Portal using the Command line interface or the Cisco License Manager software. Using the command line:

Switch#license install tftp://x.x.x.x/license.lic

Alternatively one can use the call-home feature and the PAK Number, this however would mean that you have an internet connection to the Router/Switch and you feel comfortable that you won’t have the *.lic file when things go wrong as the Switch/Router installs this directly from the License Portal:

Switch#license call-home install PAK PAK-NUMBER
CCO Username: abcdef
CCO Password:
Follow the prompts to install the license

Configure Netflow's on Cisco Routers

To configure a Cisco Router to send netflows enter the following commands

ip flow-export source vlan1

ip flow-export version 5

ip flow-export destination 2055

Now Set the interface you want to receive net-flows for

interface dialer1

ip flow egress

ip flow ingress

ip route-cache flow

You can use solarwinds netflow analyser to collect the netflow data.


Online Crash Dump Analysis

If you ever need to analyze a Windows Dump file but don’t have the Windows Debugging Tools available here’s a handy way of doing an online analysis of the dump file.

Get the Windows Crash Dump file from C:WindowsMinidump, then ZIP the dump file and upload it on the OSR Online website via the Instant Online Crash Analysis Service.

I can’t believe I didn’t know about this tool! until today.

Wyse wnos.ini configuration generator

Configuration Generator

This small tool creates the configuration files you will need for Wyse ThinOS, Wyse Linux v6, Wyse Enhanced Ubuntu Linux and Wyse Enhanced Suse Linux. It can also create Windows CE Addons based on a registry configuration file and send Real-Time commands to the units like Shutdown, Reboot, etc.

You need Microsoft .NET Framework 2.0 to use this tool.
If you want to run this program from a network share, you have to modify your .NET permissions like this:
– Find {Windows-Directory}Microsoft.NET{.NET-Version}caspol.exe
– Execute “caspol -machine -addgroup All_Code -url serverpath* FullTrust -n FullTrustFromNetworkShare 
– This will give all .NET applications from the above network share full access
Read more here

Configuring WinRM using GPO

If running winrm quickconfig on every XenApp server is not efficient for your site, you can configure WinRM using Microsoft Group Policy. Settings configured by Group Policy overrides the configuration changes made by the installer or configuration changes made locally on the desktop.

Complete the following procedure to configure WinRM using Group Policy:

  1. Set the WinRM service to auto start:
  2. In the Group Policy Editor, navigate to Computer Configuration Policies Windows Settings Security Settings System Services.
  3. Double click Windows Remote Management (WS-Management) and set it to Automatic.
  1. Create the WinRM listener:

c. In the Group Policy Editor, navigate to Computer Configuration Policies Administrative Templates Windows Components Windows Remote Management (WinRM) WinRM Service.

d. Double click Allow automatic configuration of listeners and configure the IPv4 filter to *.

  1. Create a firewall exception for WinRM:

e. In the Group Policy Editor, navigate to Computer Configuration Policies Windows Settings Security Settings Windows Firewall with Advanced Security.

f. Create an Inbound Rule for WinRM for port 5985.

  1. After configuring the preceding three group policies, restart the server to update the group policies and start the WinRM service.

Disable Java AutoUpdate via GPO

You do probably have java installed at your terminal server.
Turning off Java auto update from control panel will not turn this feature off for all users, but this can be done with Group Policy and the Preferences GPO and Registry.

To do this, simply log on as Administrator, open regedit and browse to HKEY_Current_user -> Software – > JavaSoft -> Java Update

While having the registry window open, browse to control panel and open Java and turn of Check for updates automatically.
After doing that, go back to registry and hit refresh to fetch the newly created Reg_Binary key: “EnableAutoUpdateCheck”

Open Group Policy Management, browse to the Terminal server / Xenapp GPO and go down to Preferences – > Windows Settings. Right click and select NEW-> Registry Wizard

Browse to the REG_BINARY key you just found and use CREATE as action.
Publish this to all users that need Automatic Updates to be turned off.

Setup timesync on 2008/2008R2 servers

Setup timesync on the Pdc Emulator (Domain controller)

net stop w32time

w32tm /config /syncfromflags:manual /manualpeerlist:”,,”

w32tm /config /reliable:yes

net start w32time

The windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing:

w32tm /query /configuration

configure Member servers to update from PDC emulator (Domain Controller)

net stop w32time w32tm /config /syncfromflags:DOMHIER net start w32time

Enabling Remote Citrix Access Management Console Connections (Windows 2003)

It is often useful to remotely manage your Citrix server farm from your desktop or a management workstation, the only issue is that in a Citrix Presentation Server 4.5 farm installed on Windows Server 2003, remote connections are disabled by default.

The Citrix Access Management console used COM+ to communicate to the server farm as as such Network COM+ connections need to be enabled.  To enable this follow these steps on each of the Citrix servers you will connect to:

1. Click Start then select Control Panel
2. Double click Add Remove Programs
3. Select Add Remove Windows Components
4. Highlight Application Server and click Details
5. Tick Enable Network COM+ Access and click OK then Next to install
6. Once installed click Finish
Now that Network COM+ is enabled on the Windows Server you will be able to successfully run discovery from your management workstation.