Fail

April 9, 2013 ASA

ASA Upgrade to 9.0(2)

“In theory there is no difference between theory and practice. In practice there is.” Yogi Berra

Usually, no matter how much planning, testing, thinking about, or stalling you build in to an upgrade project, the bill comes due at the end and isn’t what you expected. Maybe someone ordered the lobster, or multiple drams of Johnny Walker Blue, but either way you have a situation to deal with… right now. How you deal with it determines many things about your skills and your character, but that’s for another post as I’m going to try my best to keep this one short and to the point.

I recently had the wonderful experience of upgrading an Active/Passive failover pair of ASA units to the newest of the new code, 9.0(2) from 8.4.2(8). After the 8.3 kerfuffle (NAT changes automagically, anyone?) I was particularly keen to not miss any possible gotchas in this upgrade. I also scheduled a larger than usual maintenance window–even though we didn’t expect any downtime–just in case.

I should interject here, for those of you aghast at the thought that we would possibly implement new, some would say, bleeding edge code on production systems, a couple of things:

We always run bleeding edge code, usually because we have need of the bleeding edge features the code brings. In this case, IPv6 features sorely lacking in prior code versions
We have adopted a very aggressive IPv6 stance, as I have written about before, and we tend to find our aspirations and designs are well out in front of significant portions of the code available for our equipment
Noting the prior two items again, I’ll also add that Firewalls, in particular, seem to have code that is months or years behind the route/switch world. That holds true across all vendor platforms. Why? I don’t know, but that’s another post.

With our need-for-upgrade bona fides established, I dutifully read the entire Release notes for the 9.0(x) ASA code and while I was excited at many of the new features–mostly around IPv6–and disappointed at others (No OSPFv3 address families? Really?) something immediately jumped out at me: Page 19 and its disturbing title, “ACL Migration in Version 9.0”

Any time you see the word “migration” in any documentation referring to an upgrade of production code or configuration, you know two things:

It probably happens auto-magically, which is basically a synonym for “we’re going to bork your code but we’re only going to loosely tell you where, how, and why.”
You’d better have good backups and be prepared, because a roll-back is likely going to be as painful as just plowing ahead.

To summarize the boring details for you, prior to the new code you had two categories of Access Control Lists (ACLs): those for IPv4 and those for IPv6. Inside each of those macro-levels you had the normal standard and extended lists and whatever other features. You applied the IPv4 and the IPv6 access-lists to the interface in whatever direction and that was that. True to the dual-stack model, you really were running two parallel networks and never the ‘twain shall meet.

During and after the upgrade to 9.0(x) ASA code, a couple of things happen:

IPv6 standard ACLs are no longer supported, and any you have are migrated to extended ACLs.
If IPv4 and IPv6 ACLs are applied in the same direction, on the same interface they are merged.
The new keywords any4 and any6 are added in place of the old any keyword.
Supposedly, if certain conditions are met (and they were in my case) your IPv4 and IPv6 ACLs should be merged into one (they were not).

While it is a bit scary to have any vendor automagically migrating portions of your configuration to a new format, it happens and as long as they document well and you do your due diligence, things can work out just fine. Other times they completely go to hell because of an undocumented feature. This upgrade fell somewhere in the middle.

As it turns out, a critical fact was left out of the documentation. Namely, that all of your access-groups that had been applied in some direction or another would now, quite frankly, not be applied to anything. In other words, my firewalls were now letting anything out of the network and nothing in. I quickly applied my new access-lists to the interfaces a couple of times before I discovered that you can now only have one applied in any direction (par for most IOS devices).

Since these were production and I had some higher risk on the IPv4 side (we have a lot of rules, and a default-block outbound policy) than the IPv6 side, I did the following:

I blocked IPv6 in and out, then applied the IPv4 lists to the interfaces in the correct directions.
I hand migrated (notepad is your friend) the IPv6 access rules into the IPv4 lists and brought IPv6 access back online.
I then deleted the redundant (old) ACLs.

Everything came back, life was good, mostly nobody noticed anything. What’s the lessons learned from this experience? Besides don’t upgrade ASAs? How about these:

Always have a backup of your configuration, preferably taken a few minutes before you start the upgrade. In this case I didn’t use the backups for more than a reference, but they were available if I had wanted to roll back.
Know your configuration and your devices. This seems intuitive, but a lot of people would have gotten part way through this migration, saw that their ACLs were borked, and been lost. If you’re going to live on the edge, at least have a helmet.
Read the documentation. I did, and while it didn’t directly help, I at least knew ahead of time what was likely to break. I also knew once it broke what the likely problem area was. To tie this into the CCIE Lab (back to studying, so it’s on my mind) it’s a bit like being able to look at a network diagram and instinctively know where you’ll have problems (two routers doing redistribution between EIGRP and OSPF, check).

At the end of the day, it all worked out for a variety of reasons listed above. Would I suggest any readers out there try this sort of “no net” upgrade to bleeding edge code? Probably not. In my case, I’m a masochist it seems, and this is my therapy. Now on to my 6500 upgrade to 15.1(1)SY. I’m sure I’ll be writing about that not long from today.

November 30, 2010 Apple

iTunes Home Sharing

A decent into the hell of Bonjour and black turtle-necks

This is just another short example in what I’m expecting will be a recurring theme here on Packet Queue: attention to detail. As a network engineer, as in so many professions, paying attention to the little things can mean the difference between 10 minutes of troubleshooting and 3 days of unmitigated, sleep-deprived hell. Luckily enough for me, the example I’m about to give wasn’t 3 days by any means, and since it was personal and not business the urgency wasn’t the same as if a WAN link had failed. That said, I wanted it fixed.

My wife just bought a new computer—her first Mac since the original—and during the initial moving of files and such, I discovered a nifty feature of iTunes: Home Sharing. Now, I have a large iTunes library at home already—something on the order of almost 180 Gigabytes—and wanted her to be able to share that library on her new Mac. After all, we’re not pirates; we just want to have access to our shared music library on any computer or device in the house relatively seamlessly. So I read a quick little blurb on the how-tos and why-fores of home sharing (real men sometimes read directions) and turned it on. Aside from the crickets, nothing happened. Sacrebleu!

Bonjour?

Bonjour! ¡No Hablo!

No, not a greeting but a name given by Apple to their zeroconf implementation that allows devices (printers, storage, shares, etc.) to auto-magically find one another. This is the service that was supposed to make my iTunes library shareable between computers. This is the service that was supposed to make everything in my dull world shiny again. Not being overly steeped in the Apple world, however, has made me naturally suspicious of anything that “just works” as more often than not, said thing only “just works” if you “just use it in this one way”. That natural suspicion of mine was proven to be well-founded.

Upon reading up on Bonjour, I discovered that it uses mDNS (multicast DNS) to find services. Well, I thought, that would mean that multicast routing should work to fix my woes and I set off to work my magic. Of course, I had missed a critical detail that would have saved me some time: the multicast DNS implementation that forms a part of Bonjour uses the multicast group address of 224.0.0.251. If you haven’t noticed the problem yet, neither did I right away. Had I noticed said problem, I wouldn’t have completely reconfigured my ASA and 2811 for multicast routing, and I wouldn’t have started tracing packets with WireShark:

The Multicast range runs from 224.0.0.0 through 239.255.255.255 as every first-year networking student probably knows. But that range is like all other ranges and has certain reserved addresses within it. In our case, the most interesting range is 224.0.0.0/24 which is known as the Local Network Control Block, or sometimes just Link-local. Addresses in this range include the OSPF addresses of 224.0.0.5 and .6, and RIPv2 address of 224.0.0.9, among others. The salient detail being that these multicast addresses are typically sourced with a TTL of 1 and are not to be sent off of the broadcast domain in which they originate.

My wireless network, which my wife’s new Mac is on, is a different VLAN (and hence, different broadcast domain) from my wired network. In fact, between my three wireless networks and multiple lab networks, my home environment probably has something on the order of 25 different broadcast domains. Definitely not the norm for the average user, but also not uncommon if you start looking at more technical people or production environments. So, the bottom line is that Bonjour and iTunes won’t work in my environment without an mDNS proxy or some other trickery.

What bothers me most about this revelation is that a lot of Apple’s software and peripherals work on this same system. Airport (Apple’s wireless) as well as their printer setup, shares, etc. all work using Bonjour so are, from at least a simple viewpoint, broken across broadcast domains. I’m guessing from Google searches and such that it’s a minority of users of iTunes who are concerned about this, and so it may not even make sense for Apple to address the problem. But if you extrapolate that out to everything else using Bonjour, and consider a corporate network environment, I have to wonder how much of this contributes to Apple’s lack of penetration into enterprise networks.

As always, if I’ve gotten details wrong or you’d just like to offer your own opinion back and further the discussion, I can be reached here on this blog or via @someclown on Twitter.

November 21, 2010 Fail

Things I Hate, Episode 1

Brought to you by the Impediment-to-Sales Sales department

It was not long ago that I was sitting across a conference room table from our [insert large software vendor of choice here] expecting to have a conversation about the features and benefits of upgrading one of our major software packages to the newest version. This was our internal mail system, and as we had quite a few interconnected systems and sites, along with what we already knew of the major architectural changes in the new version, we knew the upgrade wouldn’t be easy. So, we acquiesced to our salesperson’s requests and set up the meeting. That was our first mistake.

After the requisite initial pleasantries were exchanged, we began discussing the product in question. We weren’t sold just yet on actually doing the upgrade, so one of the first questions we wanted answered was basically just a simple “Why do we want to upgrade?” In other words, we already have a working system, so what does this newest version bring to the table vis-a-vis new features, benefits, manageability, etc. Asking this question–and expecting a clear, useful answer–turned out to be not only an exercise in futility, but also mistake number two.

“It allows you to create pockets of collaboration by leveraging out-of-the-box, paradigm-shifting, synergies of strategic planning.”

But what does it do?

“The new version better leverages vertical interest segments in a transitory user base, which represents a shifting paradigm in strategy-focused mind-share and thought-leadership.”

The conversation went on like that for a bit before we finally decided to cut our losses and move on to some other topics around our upcoming license renewal, etc. As it turns out, substantial pockets of the sales-force at certain large software vendors seem to be trained in a language that sounds a lot like English, uses a lot of interesting words strung together in fairly obscure patterns, and in the end almost exactly fails to communicate anything at all useful. The unfortunate thing is that this was supposedly the expert in the product line who could answer our questions–he was brought along to the meeting specifically to speak “engineer-to-engineer.”

Now, I am not only a network engineer but also the IT Director for a multi-national manufacturing firm. I am used to straddling the line between engineering and management, and actually pride myself on being able to communicate complex engineering principles to c-level executives in a way that makes sense, and accomplishes something. I don’t think that I’m so far gone on the engineering side that I have to have a team of PhDs come in every time I want to learn about a product. That said, I do expect that my time will be respected and when I want to know what your product has to offer that you will take the radical step as a vendor of bringing along someone who knows what the hell they’re talking about.

The moral of the story is that we did not then, nor have we since, upgrade to that new product version. Not out of spite or any bad feelings for the vendor as a whole, but simply because we finally found the answers we needed from a combination of white papers and some peer groups with whom we maintain relationships with. For you vendors who can’t seem to articulate what your product actually does without using a hodge-podge of terms poached from a buzz-word bingo card, my general gut reaction is that your product is probably not unique or helpful in any meaningful way–and that is not the first impression you as a vendor or salesperson want to make. I suspect I am not alone in that feeling, either.

October 4, 2010 ASA

Back from China

After roughly one week in Shanghai, China to set up a new site on our corporate network, it is painfully apparent that I need to get back into this writing business. The dates on my posts belie my weak attempts at covering up my laziness. That said, there were at least a couple of things of note worth using up a few words on.

Note One (where it really is someone else’s fault)

Due to an unfortunate series of poor decisions, poor project management, and a quite sudden and unreasonable expectation of delivery dates, we [IT] were forced to poach some bandwidth from a sister company of ours who had a slight excess in the manufacturing facility where our new office was to be set up. By slight, I mean exactly 256kb. For those of you not accustomed to seeing the abbreviation for kilo, well, you’re too young. More on that in a moment.

All of that aside, we engineered the circuit all the way from the provider’s edge in Shanghai, back to our facilities on the West Coast and verified traffic was flowing. Once we got to Shanghai and hooked up our router and started building out the network behind it, we noticed that we couldn’t move any traffic at all. With a quick extended ping using the inside network interface as the source, as well as some trace-routes from other places, we verified that the provider had neglected to put a route in the BGP tables for the new network. Thank God for 24-hour NOC support, and within 30 minutes that problem was resolved.

Note Two (where the author tries to check the turn-signal fluid)

As we moved on to creating and joining up a shiny new R2 Read-only Domain Controller (RODC) everything went off the rails. Timeouts galore. DNS wouldn’t resolve quickly enough to allow the new DC to join the forest. Off I go on a jolly search for default timeout settings, registry tweaks, offline methods to install a DC (ugly at best) and generally going further down the rabbit hole of complexity, even going so far as to direct another engineer working for me to prep for a call to Microsoft (never fun.)

Having already racked a lot of gear, we decided to call it a night and come back fresh in the morning. I always find it helpful to contemplate problems like this over a good single-malt Scotch. So I did, a few times, and that led to morning and a face-palm moment. To wit:

In the cab on the way to the office the next day it occurred to me that I should check the security on the firewalls back home. I knew I didn’t put any ACLs on that new link, knowing I’d be testing and I prefer to test in the absence of artificial problems, then crank down the screws once I’m confident of the design. I thought, however, that I had overlooked a NAT exemption or something else and decided to spend some quality time checking that portion of the infrastructure.

So, I got my coffee at the office (thankfully the office manager is a Kiwi who favors Starbucks) and started to look over the configuration of the firewalls. Right there was my face-palm moment: an ACL which, in some security-conscious delusion I had put on the link in question, allowing ICMP traffic and denying everything else. *GAAAAAH* Long story short, I changed the ACL and everything “magically” started working.

All I can say here is that it doesn’t matter who you are, or how much experience with troubleshooting you have, always start with the simple stuff first. Some of the best advice I ever got was from an instructor of mine who was fond of saying “be the packet.” By that he just meant that you have to start from the packet’s point of view and slowly work through everything that happens to said packet from beginning to end. Wiring, arping, routing, etc. whatever. Be the packet.

Also, don’t be afraid to admit mistakes. They will happen and hopefully other people around you can learn from them. At least after they’re done laughing. Which sometimes takes a while.

Note Three (hey you kids, get off my @#$ lawn)

I just wanted to take a quick moment to address the inevitable questions about our link at 256kb, and the musings that I obviously must have meant mb instead. Bandwidth is always seen as one of those more is better kind of things, and ignoring the temptation to toss out the standard bandwidth/delay screed here, let me just tell you that you can get by with less than you think. By the way, those of us who can remember when a 2400 baud modem was blow-your-hair-back fast (multiple lines of text at once!) tend to be more pragmatic about these things.

On that link we currently have a domain controller running, several workstations with email and our main corporate ERP software. We also, and this is what I really like, have two 7900-series IP phones running. These are both homed to our main CUCM, Unity and IPCC servers back in the U.S. and have excellent call quality. In fact, we tested a phone call (no local calling for these phones in China) from those phones in Shanghai, through the CUCM in the U.S., and back to a U.S. homed cell phone in Shanghai and got no discernable jitter.

Moral of the story? You can get by with less bandwidth than you think. Would I choose to? Hell no! 🙂

August 10, 2010 Cisco

New Post Delay…

For all of you paying any attention at all, I owe you an apology on the complete lack of writing the last week or so. Last week, however, a large pile of backordered Cisco gear showed up at the office and needed to be staged *immediately* or as close to that as could reasonably be expected. We’re in the throes of a complete infrastructure upgrade and everything sort of backed up unexpectedly with the recent delivery problems from Cisco. I would question how that becomes my problem, but after 16+ years doing this professionally, I already know the answer to that question. At any rate, look for a new post in my series on 802.1x in the next day or so.

July 27, 2010 DS3

TELCO FAIL

Last Thursday afternoon, at approximately 2:25pm, there was a loud sucking sound that can only be heard by network engineers conditioned to expect bad, ugly things to happen at inopportune times, and all upstream connectivity to our corporate office died.

*Ka-phoot*

Predictably, IT was immediately assisted by many, many helpful people wandering by our area, sending emails, making phone calls, or stopping us in the hall to ask if we knew that the network was down. Usually in these situations the first couple of people get a good explanation of what we think the problem is, and what an ETA might be. After the 10th person, however, my responses tend to devolve a bit and I either end up giving a curt one-word answer, or feigning shock and amazement.

I should explain here that the way the architecture of our network works, we have our IP provider, SIP Trunks, Point-to-Point circuits, VPN end-points, and all of our external-facing servers in a very robust telecom hotel–The Westin Building, for those keeping score–in downtown Seattle. From there, we move everything over our DS3 to our corporate headquarters not far from Seattle. We also have many other dedicated circuits, IPsec tunnels, and assorted ballyhoo to other locations around the world, but for discussion here just keep in mind the three locations I’ve described.

So the DS3 that is our lifeline was down. It was after hours in our Canadian location so with any luck nobody would notice all night–they use a lot of critical services across another DS3, but that also routes through Seattle first. Additionally, it was a particularly nice day in Seattle (rare) and a lot of people were already out of the office when this link went down. Hopefully we could file a trouble ticket and get this resolved fairly quickly.

Within just a few minutes of filing said trouble ticket, I had a representative of the provisioning telecom on the line who said that, yes, they saw a problem and would be dispatching technicians. There were some other calls following that, but the short version is that by 5:30pm “everything was fixed” according to the telecom and would we please verify so they could close the ticket. Unfortunately, the problem was not fixed.

Now the fun began. To appease the telecom representative, I accepted the possibility that my DS3 controller card had coincidentally died or locked the circuit or some other bunch of weird pseudo-engineer guessing from the telecom representative. This meant I had to drive to our data center in Seattle, in rush hour traffic, to personally kick the offending router in the teeth.

After an hour or so of typically nasty Seattle rush-hour traffic I arrived at the datacenter and began testing. Our DS3 controller was showing AIP on the line, so more technicians were dispatched to find the offending problem. Meanwhile, I wandered over to the Icon Grill to get some dinner and an après-ski beverage or two.

Fast forward a few hours and the AIP condition on the DS3 controller was gone, but I now had an interface status of “up up (looped)” which is less than ideal, shall we say. I decided at this point to cut my losses and head home and possibly get some sleep while the telecom engineers and their cohort tried to figure out how this might be my fault.

With some three hours of sleep or so, I woke up at 5am and started looking at all of my emails, listening to all of my voicemails, and generally cursing anyone within earshot–mostly consisting of the cats–as my wife was still asleep. At this point I got on a conference bridge with the President of the telecom broker we use and together we managed to drag a rep in from the provisioning company who could then drag in as many engineers as needed to get the problem solved. Not, however, before I was rather pointedly told by said provisioning woman that I would have to pay for all of this cost since the problem was “obviously with my equipment, since her software showed no loops in the circuit.”

Once the engineers started hooking up testers to the circuit–physically this time–they could see a loop, but at the Seattle side (the side reporting the loop.) Another engineer saw a loop on the headquarters side, and still a third saw no loop at all. As it turns out, the circuit was provisioned by company “A” who then handed off to company “B” and finally to company “C” who terminated the circuit at the demarcation point at our headquarters. All for less than 20 miles, but I digress. Finally we all agreed to have Company “C” come onsite, interrupt the circuit physically at the demarcation equipment and look back down the link to see what he could see. As a precaution at this point, and tired of being blamed for ridiculous things, I and my staff physically powered down our routers on either side of the link. Since the loop stayed, that was the last time I had anyone point the finger my way. Small miracles and all of that.

Once the rep from Company “C” got onsite and interrupted the circuit for tests, he was still seeing “all green” down the line. Since the other engineers monitoring were still seeing a loop, they asked him to shut down the circuit. He did, and they still saw a loop. This was one of those “Aha” moments for all of us except the engineer from Company “C” who just couldn’t figure out what the problem might be. All of us suspected that the loop was between the Fujitsu OC-3 box at our Demarc, and the upstream OC-48 Fujitsu Mux a couple of miles away and we finally convinced this guy to go check out the OC-48. Sure enough, a few minutes after he left our circuit came back on again. And we all rejoiced, and ate Robin’s Minstrels.

At the end of the day, we ended up with just short of 24 hours of downtime, for a DS-3 from a major telecom provider that everyone here would recognize; 23 hours and 5 minutes, to be exact. So what was the problem, and the solution? Any telecom guys want to stop reading here and take a guess?

As it turns out, the original cause of our link going down was this same engineer pulling the circuit by mistake. When the trouble ticket was originally filed, he rushed out and “fixed” his mistake. But, what he hadn’t noticed the first time is two critical things:

(1) The circuit had failed over to the protect pair. DS3 circuits use one pair of fiber for the normally used (or working) circuit, and a separate fiber pair for the fail-over (or protect) circuit.

(2) The protect pair at the OC-3 box at the demarcation point hadn’t ever been installed.

For lessons learned here, the main thing that comes to me is that we absolutely have to find a way to get true redundancy on this link, even if it means connecting our own strings between tin-cans. I should explain, by the way, that redundancy to this headquarters building is very difficult due to location: the last mile provider is the same no matter who we use to provision the circuit. In addition, with one major fiber loop in the area, even if we could get redundancy on the last mile we would still be at the mercy of that loop. We are at this point, after this incident, looking at a fixed LoS wireless option that has recently become available. Apparently we can get at least 20Mb/s although I haven’t heard any claims on the latency, so we’ll see.

I’m also shocked and appalled that three major telecoms, all working in concert, took almost a full day to run this problem to ground. I’m probably naive, but I expect more. The only saving grace in all of this is the level of professionalism and support I received from the telecom brokers we use. They were absolutely on top of this from the beginning, shepherded the whole process along, even facilitating communications between the players with their own conference bridge for the better part of a day. If anyone needs any telecom services brokered, anywhere in the world I’m told, contact Rick Crabbe at Threshold Communications.

With this summation done, my venting complete, and everything right with the world, I’m off for a beverage.