Escape Sequence for a SM-X switch module in a 4000 series ISR

On pre-4000 series ISRs you would use the regular Cisco escape sequence to exit a service module: CTRL-SHIFT-6 followed by X.  In the 44xx and 43xx series routers, the switch modules do not respond to the regular escape sequence from the console.  Instead, to escape back to the router console use CTRL-A followed by...

Restart a single context on an ASA with virtual instances

The Cisco ASA firewall can run as a virtual host for multiple virtual ASAs, known as contexts.  We recently ran into an issue where a memory leak made one context inoperable.  Rather than reload the entire ASA and take out the other contexts, we wanted to restart only the context that was having problems.  Unfortunately there is no way to reboot an individual context, as the reload command does not exist inside a context.  The solution is to delete the context and recreate it.  This may sound daunting, but it takes a few seconds and your config is restored.

First log in to the ASA, change to the context that's having problems and save the config.  In our case the context named "transparent" was the one that stopped working.  (You may not want to save the config if a configuration issue broke the context.  If so, this step is optional.)

    login as: admin
    admin@10.10.10.1's password:
    Type help or '?' for a list of available commands.
    ASA5525/admin>
    ASA5525/admin> en
    Password: ************
    ASA5525/admin# changeto context transparent
    ASA5525/transparent# wr mem

Then switch to the system context (the hypervisor layer) and show the context information.  In our case we have three contexts: admin, customer and transparent.

    ASA5525/transparent# changeto system
    ASA5525# show run context
    !
    admin-context admin
    context admin
      allocate-interface GigabitEthernet0/0
      allocate-interface GigabitEthernet0/1
      allocate-interface GigabitEthernet0/1.2
      allocate-interface Management0/0
      config-url disk0:/admin.cfg
    !
    context customer
      allocate-interface GigabitEthernet0/0
      allocate-interface GigabitEthernet0/1.499
      config-url disk0:/customer.cfg
    !
    context transparent
      allocate-interface GigabitEthernet0/3 outside
      allocate-interface GigabitEthernet0/4 inside
      config-url disk0:/transparent.cfg
    !

Copy the config for the context causing you problems.  Then remove the context.

    ASA5525# conf t
    ASA5525(config)#...

Troubleshoot Ruckus AP not connecting to Virtual SmartZone cloud controller

Here is a list of things to troubleshoot when a Ruckus AP is not registering to a Virtual SmartZone (VSZ) cloud controller.

- Ensure that the public IP address of the site where the AP resides is permitted through the firewall protecting the VSZ.
- Check that the AP has a valid private IP address and is pingable from the router at that site.
- SSH into the AP (default credentials are super/sp-admin).  If those credentials don't work then the AP has received its config from the controller and the zone credentials must be used.
- Ping an external IP address to confirm the AP can reach the internet.
- Run "get scg":

    rkscli: get scg
    ------ SCG Information ------
    SCG Service is disabled.
    AP is not managed by SCG.
    State: Not Available - busy or not running.
    SCI is disabled.
    Server List: (IP or FQDN of VSZ shows here)
    No SSH tunnel exists
    Failover List: Not found
    Failover Max Retry: 2
    DHCP Opt43 Code: 6
    Server List from DHCP (Opt43/Opt52): Not found
    SCG default URL: RuckusController
    SCG config|heartbeat|mesh status|status intervals: 300|30|300|900
    SCG gwloss|serverloss timeouts: 1800|7200
    ----------------------------

- If you see "SCG Service is disabled", run "set scg enable" and this should start the SCG service.
- If the Server List is incorrect or empty, run "set scg ip {IP or FQDN goes here}" to point the AP to the VSZ...
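A small triage helper for the "get scg" check above, added here as an example (it is not from the original post or from Ruckus): it parses pasted output and maps the two conditions the post names to the commands the post gives. The function names, the expected_vsz parameter, the sample output and the assumption that multiple servers are comma- or space-separated are all constructed for illustration.

```python
import re

# Constructed sample modelled on the output in the post; the Server List
# value is a placeholder from the documentation address range.
SAMPLE = """\
rkscli: get scg
------ SCG Information ------
SCG Service is disabled.
AP is not managed by SCG.
State: Not Available - busy or not running.
Server List: 192.0.2.10
No SSH tunnel exists
Failover List: Not found
Server List from DHCP (Opt43/Opt52): Not found
----------------------------
"""

def parse_get_scg(text):
    """Extract the fields this check uses from pasted `get scg` output."""
    info = {"service_disabled": False, "server_list": [], "tunnel_up": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SCG Service is disabled"):
            info["service_disabled"] = True
        elif line.startswith("Server List:"):
            # The colon keeps "Server List from DHCP ..." from matching.
            value = line.split(":", 1)[1].strip()
            if value and value.lower() != "not found":
                # Assumption: several servers are comma/space separated.
                info["server_list"] = [s for s in re.split(r"[,\s]+", value) if s]
        elif line == "No SSH tunnel exists":
            info["tunnel_up"] = False
    return info

def triage(text, expected_vsz):
    """Return the rkscli commands from the post that apply, in order."""
    info = parse_get_scg(text)
    actions = []
    if info["service_disabled"]:
        actions.append("set scg enable")
    if expected_vsz not in info["server_list"]:
        # Covers both an empty list and a list pointing somewhere else.
        actions.append(f"set scg ip {expected_vsz}")
    return actions

if __name__ == "__main__":
    print(triage(SAMPLE, "vsz.example.net"))
```

A server list that points somewhere other than the controller you expect is worth checking before correcting it, since it also shows which host the AP has been trying to register with.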

Upgrading IOS-XE firmware on a 4000 series router

I had an issue where I was not able to successfully upgrade the IOS firmware on a Cisco 4351 router.  This model of router runs IOS-XE and has some slight differences in feature set compared to legacy IOS.  For example, "ip dns server" was not an available command in the version the customer was running, so we needed to upgrade to the latest version, which had support for running a DNS server.

I had uploaded the firmware (which was a whopping 470MB) to the flash and then entered:

    boot system flash isr4300-universalk9.03.16.00c.S.155-3.S0c-ext.SPA.bin

I then saved and rebooted the device, but the old firmware was still loaded.  I discovered that the proper syntax for this series of router needs to be:

    boot system bootflash:/isr4300-universalk9.03.16.00c.S.155-3.S0c-ext.SPA.bin

After a save and reboot we were on the new firmware and sure enough "ip dns server" was now a supported...

Barracuda ADC Load Balancer – How to show client IPs and not the proxy IP address – Part 2

In my first post on showing the client IP addresses through a Barracuda ADC load balancer, I showed how to get Direct Server Return to work for clients on the same network by adding loopback interfaces on the back-end servers.  In this post I will discuss a problem when using a layer 7 proxy service with Client Impersonation enabled on a multi-homed ADC.

One of the requirements for client impersonation is that the back-end servers must use an ADC IP address as the default gateway.  In traditional two-armed deployments where the real servers sit behind the ADC this is not a problem.  However, when the network is more complex, the ADC has interfaces in different networks, and both VIPs and real servers sit on each of these networks, there can be some unexpected behaviors when it comes to the routing of packets.

For example, this diagram shows an ADC that sits on a management network, DMZ and LAN.  We have both VIPs and real servers on the DMZ and LAN.

The problem that occurs in this environment is that when back-end servers are set up to use the ADC as the default gateway, they can no longer get to other networks.  For example, we discovered that packets that came from the back-end servers in the DMZ could not reach the LAN or get to the internet.  We found that the packets were coming in on the ADC's DMZ interface, but then leaving the ADC's management interface!  The Barracuda documentation states:

    If you have multiple networks, you must specify a default gateway on the NETWORK > Routes page for every interface that accepts incoming traffic.

Even though default routes were added on the DMZ interface as shown below, the...