ip virtual-reassembly exceeded issue

Published: 7 September 2009 in HA, Networking

Hi all,

A few days ago I was facing an issue with a VRRP cluster (using keepalived). Every hour, the backup server changed its VRRP state to master and two seconds later (after a forced re-election) went back to the backup state.

The same number of NICs is connected to each server, and each NIC is configured in a vrrp_instance. Only one vrrp_instance on the backup server changed its state to master; the others did the same, as they belong to the same vrrp_sync_group.

The vrrp_instance whose state is changing is connected to a Cisco VPN router.

After many days of investigation (checking whether the server was receiving VRRP packets, whether there were errors in the packets… whether packets were being dropped…) I discovered in the log of the VPN router some messages warning that the virtual-reassembly limit had been exceeded… Huh???

After searching, I increased this parameter on each interface of the Cisco VPN router:

ip virtual-reassembly max-reassemblies 32

This solved the problem, but I still don't know why VRRP on a server complains about that; sniffing didn't give me much information to analyse…
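To spot this kind of periodic failover from the keepalived side, here is an added example (not part of the original post, and not the author's code) that parses VRRP state-change messages from syslog, pairs each MASTER transition with the BACKUP transition that follows it, and reports the interval between flaps. The log lines are constructed in the style of keepalived's messages; the instance names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog excerpt in the style of keepalived's VRRP state messages (not from the post's servers).
SAMPLE_LOG = """\
Sep  7 01:00:01 backup1 Keepalived_vrrp[2041]: VRRP_Instance(VI_VPN) Transition to MASTER STATE
Sep  7 01:00:03 backup1 Keepalived_vrrp[2041]: VRRP_Instance(VI_VPN) Received higher prio advert
Sep  7 01:00:03 backup1 Keepalived_vrrp[2041]: VRRP_Instance(VI_VPN) Entering BACKUP STATE
Sep  7 02:00:01 backup1 Keepalived_vrrp[2041]: VRRP_Instance(VI_VPN) Transition to MASTER STATE
Sep  7 02:00:03 backup1 Keepalived_vrrp[2041]: VRRP_Instance(VI_VPN) Entering BACKUP STATE
Sep  7 03:15:00 backup1 Keepalived_vrrp[2041]: VRRP_Instance(VI_LAN) Transition to MASTER STATE
"""

STATE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+Keepalived_vrrp\[\d+\]:\s+"
    r"VRRP_Instance\((?P<inst>[^)]+)\)\s+(?:Transition to|Entering)\s+"
    r"(?P<state>MASTER|BACKUP)\s+STATE"
)

def parse_transitions(text, year=2009):
    """Return (timestamp, instance, new_state) for each state-change line."""
    events = []
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["inst"], m["state"]))
    return events

def find_flaps(events, max_hold=timedelta(seconds=10)):
    """A flap is MASTER followed by BACKUP on the same instance within max_hold.
    Returns (instance, time_became_master, seconds_held)."""
    flaps, became_master = [], {}
    for ts, inst, state in events:
        if state == "MASTER":
            became_master[inst] = ts
        elif state == "BACKUP" and inst in became_master:
            start = became_master.pop(inst)
            if ts - start <= max_hold:
                flaps.append((inst, start, (ts - start).total_seconds()))
    return flaps

def flap_intervals(flaps):
    """Seconds between successive flaps per instance; a steady 3600 means hourly."""
    starts = {}
    for inst, start, _ in flaps:
        starts.setdefault(inst, []).append(start)
    return {inst: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for inst, t in starts.items()}
```

A regular interval with a short hold time points at a periodic cause outside keepalived (here, the router's fragment-reassembly limit) rather than at a genuinely dead master.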

Hi folks,

Today I tried to use the Cisco SDM for the first time. Unfortunately, when the Cisco SDM Express launched, I got nothing. Bad news…

I looked at the Java JRE console and found an IndexOutOfRange error!

On my workstation I had Java 1.6.0_13 installed; after googling, I found this post where guys suggest downgrading or upgrading the Java JRE to resolve the problem.

I upgraded the JRE to 1.6.0_15 and now the SDM is working…

Hi,

In this article I will explain the different techniques used for gateway high availability.

So first, what is an HA gateway?
A highly available gateway is a first-hop router (layer 3) that is available 100% (or almost) of the time. This can be achieved using several strategies.

The most used, well-known and reliable strategy is first-hop redundancy, where two or more routers act as a single virtual gateway.
This strategy is divided into two techniques: failover and load balancing.

The failover technique defines one router as the master of the group and the other routers as backups. When the master router goes down, a backup router (depending on its priority) becomes the master.
The load-balancing technique uses all the routers (all of them are masters). Every router is used, for example, in a round-robin manner.

HSRP (Hot Standby Router Protocol, proprietary and no longer supported by Cisco) and VRRP (Virtual Router Redundancy Protocol) are two protocols used for failover redundancy.

GLBP (Gateway Load Balancing Protocol) is a Cisco proprietary protocol that can be used to load-balance traffic between several gateways.
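To make the failover and load-balancing ideas concrete, here is an added example (not from the original article) that simulates the VRRP election rules of RFC 3768: highest priority wins, ties go to the highest primary IP, and a backup's timeout shrinks with its priority (skew time), so the best backup claims the virtual gateway first. The round-robin function illustrates the load-balancing flavour. Router names and addresses are constructed.

```python
import ipaddress

ADVERT_INTERVAL = 1.0  # seconds; the VRRPv2 default advertisement interval

def skew_time(priority):
    """RFC 3768: Skew_Time = ((256 - Priority) / 256) seconds."""
    return (256 - priority) / 256

def master_down_interval(priority, advert_interval=ADVERT_INTERVAL):
    """RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
    A backup declares the master dead when it misses adverts for this long."""
    return 3 * advert_interval + skew_time(priority)

def elect_master(routers, up):
    """routers: {name: (priority, primary_ip)}; up: names of routers alive.
    Highest priority wins; a tie goes to the highest primary IP address."""
    candidates = [(prio, int(ipaddress.IPv4Address(ip)), name)
                  for name, (prio, ip) in routers.items() if name in up]
    return max(candidates)[2] if candidates else None

def takeover_order(routers, up, advert_interval=ADVERT_INTERVAL):
    """When the master stops advertising, which backup times out first?
    Higher priority -> smaller skew -> earlier timeout -> first to claim."""
    return sorted((master_down_interval(routers[n][0], advert_interval), n)
                  for n in up)

def round_robin(gateways, hosts):
    """Load-balancing flavour: every gateway is active and hosts are handed a
    gateway in turn (the idea behind GLBP's default round-robin assignment)."""
    return {h: gateways[i % len(gateways)] for i, h in enumerate(hosts)}

# Constructed example group: three gateways, no address owner (priority < 255).
ROUTERS = {"R1": (150, "10.0.0.1"), "R2": (100, "10.0.0.2"), "R3": (100, "10.0.0.3")}

if __name__ == "__main__":
    print("master:", elect_master(ROUTERS, {"R1", "R2", "R3"}))    # R1
    print("after R1 fails:", elect_master(ROUTERS, {"R2", "R3"}))  # R3 (tie, higher IP)
    print("timeouts:", takeover_order(ROUTERS, {"R2", "R3"}))
    print(round_robin(["R1", "R2", "R3"], ["h1", "h2", "h3", "h4"]))
```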

Here is a very nice cheat sheet from stretch.

I’m CCDA certified

Published: 22 July 2009 in Networking

Hi all,

I was a little bit busy preparing my Cisco CCDA (640-863) exam… but the important thing is that I passed it!

Now, I’m going to prepare the CCNA…

Hi folks,

Two months ago we implemented a DRP network in a branch office. The connection between the main office and the branch office is done with a site-to-site IPSec VPN.

Here is the global schema:

[Diagram: VPN]

Everything was OK until I tried to connect to the F0/0 IP of the remote VPN router (VPN-2): I was unable to get connected.

I checked ACLs, routes… everything was OK.
Once connected on VPN-2 (indirectly), I tried to telnet back to the 192.168.1.1 machine and got a "Host unreachable" error.

Strange, the routes are OK (a default route exists through the ISP router)… The error suggests there is no route to the host, so I added an explicit route on VPN-2 with the ISP router as the gateway for the 192.168.1.0/24 network:

ip route 192.168.1.0 255.255.255.0 A.B.C.D

As expected, this solved the problem.

After this, I wondered why the default route wasn't being used.
My suggestion:
192.168.1.0/24 is an RFC 1918 network, and maybe the IOS default route doesn't handle these networks.

Your comments are welcome.

Hello,

As users of version control tools, you may have noticed that file permissions are not stored. This can become a problem, for example with a script that must be executed only by root: when you commit such a file (with 700 permissions), Subversion (as an example) changes the permissions to 755.

Tigris published a script that resolves this problem; its name is asvn. The aim of the script is to store properties corresponding to the file's permission attributes. You just use it as you've been using svn.

Here is the script.

Sure, there is another solution… it’s a little bit tricky.

ESX 3.0.2 VM cloning

Published: 7 May 2009 in Linux, Virtualisation

Hi,

To clone a VM under ESX 3.0.2 you can use VMware Converter; here is the solution I use when I want to clone a VM on the same ESX:

Connect to the ESX with ssh and use these command lines:

cd /vmfs/volumes/storageX
mkdir newVM
vmkfstools -i oldVM/oldVM.vmdk newVM/newVM.vmdk
sed 's/oldVM/newVM/g' oldVM/oldVM.vmx > newVM/newVM.vmx
vmware-cmd -s register /vmfs/volumes/storageX/newVM/newVM.vmx
chmod 755 newVM/newVM.vmx

Then go to the GUI (VIC) and start the machine; you will be asked a question about the UUID, answer Create (to create a new one for the new VM).

I tested these commands without any problem, but they are given without any guarantee as your environment may be different.
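The sed step above replaces every occurrence of the old name in every line of the .vmx, which also rewrites annotations, paths that merely contain the name, and any other value where the name appears as a substring. Here is an added example (not part of the original post, not VMware's tooling) that contrasts that blanket replacement with a rewrite limited to the keys that actually name the VM or its files. The .vmx fragment is constructed; the set of name-carrying keys is an assumption for the example.

```python
import re

# Constructed .vmx fragment (not the post's VM): ESX keeps one key = "value" per line.
OLD_VMX = '''\
config.version = "8"
displayName = "oldVM"
nvram = "oldVM.nvram"
scsi0:0.fileName = "oldVM.vmdk"
uuid.bios = "56 4d 00 00 00 00 00 00-00 00 00 00 00 00 00 01"
annotation = "oldVM - clone of goldVM"
'''

VMX_LINE = re.compile(r'^(?P<key>[\w.:]+)\s*=\s*"(?P<val>.*)"\s*$')
NAME_KEYS = {"displayName", "nvram"}  # assumed: keys whose value is <name> or <name>.<ext>

def sed_style_rename(text, old, new):
    """What `sed 's/oldVM/newVM/g'` does: every occurrence, in every value."""
    return text.replace(old, new)

def rename_vmx(text, old, new):
    """Rewrite only keys that name the VM or its files, and only when the value
    is exactly `old` or `old.<ext>`; leave uuid.*, annotations etc. untouched."""
    out = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if not m:
            out.append(line)
            continue
        key, val = m["key"], m["val"]
        if key in NAME_KEYS or key.endswith(".fileName"):
            if val == old:
                val = new
            elif val.startswith(old + "."):
                val = new + val[len(old):]
        out.append(f'{key} = "{val}"')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(sed_style_rename(OLD_VMX, "oldVM", "newVM"))  # note "gnewVM" in the annotation
    print(rename_vmx(OLD_VMX, "oldVM", "newVM"))
```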

Hi,

Yesterday, while I was editing a bash script with vim, I accidentally hit CTRL+p and you know what? vim showed me a list of words beginning with the same letters I had typed… cool thing, never seen it before, even though auto-completion is not configured.

Have fun!

SSH and DNS reverse lookup

Published: 30 April 2009 in Linux, Security, Virtualisation

One of the annoying things with SSH is that it uses DNS to map IPs to domain names.
When you have DNS problems and need to connect through SSH into a box, you can get a timeout or some delay.

This is particularly true on ESX servers. To solve this on ESX 3.0.2 you need to create a file, /etc/sysconfig/sshd, with this inside:
OPTIONS="-u0"
then restart your SSH daemon (don't worry, you will not lose your connection if you didn't make a mistake).

On Debian-like systems, you only need to add this line to /etc/ssh/sshd_config: UseDNS no
then restart your SSH daemon.

Disconnect a user from Linux systems

Published: 30 April 2009 in Linux

Sometimes you may want to disconnect a user who forgot an open SSH session on a server.
I use this to do it: kill -HUP
And you?

We can also set an idle time to automatically close sessions…
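Before sending that HUP, it helps to know which sessions are actually idle and which process to target. Here is an added example (not part of the original post) that parses `who -u` output, which lists each login's idle time and the PID of its login process, and returns the sessions idle for longer than a threshold. The `who -u` rows are constructed, and the protected-user list is an assumption for the example.

```python
import re

# Constructed `who -u` output (not from the post): USER LINE LOGIN-TIME IDLE PID [COMMENT]
WHO_U = """\
alice    pts/0        2009-04-30 09:02   .          3120 (10.1.2.3)
bob      pts/1        2009-04-29 17:40  old         2871 (10.1.2.9)
carol    pts/2        2009-04-30 10:15  02:37       4410 (10.1.2.5)
root     tty1         2009-04-30 08:00  00:05       1502
"""

ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<login>\S+ \S+)\s+"
    r"(?P<idle>\.|old|\d\d:\d\d)\s+(?P<pid>\d+)"
)

def idle_minutes(token):
    """who(1) idle column: '.' = active in the last minute, 'old' = over 24 h, else HH:MM."""
    if token == ".":
        return 0
    if token == "old":
        return 24 * 60
    hours, minutes = token.split(":")
    return int(hours) * 60 + int(minutes)

def stale_sessions(who_output, max_idle_minutes=60, protect=("root",)):
    """Sessions idle longer than max_idle_minutes, as (user, line, pid).
    pid is the session's login process: the target of `kill -HUP <pid>`."""
    stale = []
    for row in who_output.splitlines():
        m = ROW_RE.match(row)
        if not m or m["user"] in protect:
            continue
        if idle_minutes(m["idle"]) > max_idle_minutes:
            stale.append((m["user"], m["line"], int(m["pid"])))
    return stale

if __name__ == "__main__":
    for user, line, pid in stale_sessions(WHO_U):
        print(f"{user} on {line} is idle: kill -HUP {pid}")
```

For the automatic variant mentioned above, bash's TMOUT variable (or sshd's ClientAliveInterval and ClientAliveCountMax) closes idle sessions without manual intervention.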