February 2018 - F1-CONSULT

The ASA bind account password is wrong.
The ASA bind username, (or path to the user object) is wrong.
You have set the LDAP server group to use LDAPS (port 636) and the server specified as an LDAP host is not authenticating via LDAPS.
There is no connectivity between the ASA and the LDAP server.

You can narrow it down by running the following debug:

debug ldap 255

1	debug ldap 255

In the following output you can see either the username or the password is wrong:

ASA(config)# debug ldap 255
debug ldap  enabled at level 255
[-2147483629] Session Start
[-2147483629] New request Session, context 0x00007fffbcc69c88, reqType = Authentication
[-2147483629] Fiber started
[-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389
[-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful
[-2147483629] supportedLDAPVersion: value = 3
[-2147483629] supportedLDAPVersion: value = 2
[-2147483629] Binding as asa
[-2147483629] Performing Simple authentication for asa to 192.168.110.10
[-2147483629] Simple authentication for asa returned code (49) Invalid credentials
[-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483629] Fiber exit Tx=207 bytes Rx=720 bytes, status=-2
[-2147483629] Session End

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

ASA(config)# debug ldap 255

debug ldap enabled at level 255

[-2147483629] Session Start

[-2147483629] New request Session, context 0x00007fffbcc69c88, reqType = Authentication

[-2147483629] Fiber started

[-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389

[-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful

[-2147483629] supportedLDAPVersion: value = 3

[-2147483629] supportedLDAPVersion: value = 2

[-2147483629] Binding as asa

[-2147483629] Performing Simple authentication for asa to 192.168.110.10

[-2147483629] Simple authentication for asa returned code (49) Invalid credentials

[-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server

[-2147483629] Fiber exit Tx=207 bytes Rx=720 bytes, status=-2

[-2147483629] Session End

In the following output you can see the firewall is trying to connect over LDAPS but the server is not configured, (or not answering on TCP 636):

ASA(config)# debug ldap 255
debug ldap  enabled at level 255
[-2147483625] Session Start
[-2147483625] New request Session, context 0x00007fffbcc69c88, reqType = Authentication
[-2147483625] Fiber started
[-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636
[-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483625] Session End

1

2

3

4

5

6

7

8

9

10

ASA(config)# debug ldap 255

debug ldap enabled at level 255

[-2147483625] Session Start

[-2147483625] New request Session, context 0x00007fffbcc69c88, reqType = Authentication

[-2147483625] Fiber started

[-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636

[-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed

[-2147483625] Unable to read rootDSE. Can't contact LDAP server.

[-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2

[-2147483625] Session End

For us the issue had been nailed down to Active Directory Group Policies based on the following message: “A stronger authentication method is required for this server”

You you need to change the following:

Domain controller: LDAP server signing requirements to NONE
Network security:LDAP client signing requirements to NEGOTIATE

cucm_ldap_problem4

Reference:

https://www.petenetlive.com/KB/Article/0001271
http://mehmetyeni.com/cucm-ldap-connection-problem-error-while-connecting-to-ldapip-address389-null/

2018-02-20/by wriedel

MySQL – How to Back Up and Restore a Database

MySQL

Declarations

Database: [dbname]
User: [uname]
Password: [pass]

Back up

Back up a dedicated database from the Command Line:

mysqldump --opt -u [uname] -p[pass] [dbname] > [dbname].sql

1	mysqldump --opt -u [uname] -p[pass] [dbname] > [dbname].sql

Back up all the databases:

mysqldump -u root -p[pass] --all-databases > alldb_backup.sql

1	mysqldump -u root -p[pass] --all-databases > alldb_backup.sql

Back up with Compress:

mysqldump -u [uname] -p[pass] [dbname] | gzip -9 >[dbname].sql.gz

1	mysqldump -u [uname] -p[pass] [dbname] \| gzip -9 >[dbname].sql.gz

Restore

1. Create an appropriately named database on the target machine
2. Create an appropriately named user on the target machine

mysql -u [uname] -p[pass]
      CREATE DATABASE [dbname];
      CREATE USER [uname]@localhost IDENTIFIED BY '[pass]';
      GRANT ALL PRIVILEGES ON [dbname].* TO [uname]@localhost;
      FLUSH PRIVILEGES;

1

2

3

4

5

mysql -u [uname] -p[pass]

CREATE DATABASE [dbname];

CREATE USER [uname]@localhost IDENTIFIED BY '[pass]';

GRANT ALL PRIVILEGES ON [dbname].* TO [uname]@localhost;

FLUSH PRIVILEGES;

3a. Import an uncompressed SQL dump

mysql -u [uname] -p[pass] [db_to_restore] < [backupfile.sql]

1	mysql -u [uname] -p[pass] [db_to_restore] < [backupfile.sql]

3b. Import a compressed SQL dump

gunzip &lt; [backupfile.sql.gz] | mysql -u [uname] -p[pass] [dbname]

1	gunzip < [backupfile.sql.gz] \| mysql -u [uname] -p[pass] [dbname]

2018-02-14/by wriedel

ZFS – Replacing a dead disk in a zpool

ZFS

ZFS – Single Path

1. Check zpool status:
zpool status vol -x

2. Find the {GUID} of the {dead-disk} within zdb:
zdb -l /dev/{dead-disk}

3. Offline the the {dead-disk} within zdb:
zpool offline vol /dev/disk/by-id/{dead-disk}

4. Detach the {dead-disk} disk:
zpool detach vol /dev/disk/by-id/{dead-disk}

5. Replace the {dead-disk} disk:
zpool replace {your_poolname} {drive to be replaced} {new drive to take its place}
zpool replace vol &lt;GUID> /dev/disk/by-id/{new-disk}

6. Check zpool status:
zpool status vol -x

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

1. Check zpool status:

zpool status vol -x

2. Find the {GUID} of the {dead-disk} within zdb:

zdb -l /dev/{dead-disk}

3. Offline the the {dead-disk} within zdb:

zpool offline vol /dev/disk/by-id/{dead-disk}

4. Detach the {dead-disk} disk:

zpool detach vol /dev/disk/by-id/{dead-disk}

5. Replace the {dead-disk} disk:

zpool replace {your_poolname} {drive to be replaced} {new drive to take its place}

zpool replace vol <GUID> /dev/disk/by-id/{new-disk}

6. Check zpool status:

zpool status vol -x

ZFS – Multi Path

1. Physically remove disk

2. Find failed multipath disk
multipath -ll

3. Remove multipath disk
multipath -F

4. Physically insert new disk (record WWN from drive label first)

5. Add the WWN to /etc/multipath.conf as a new alias (WWN can be found on physical disk label, for WD disks, add a 3 to the beginning)

6. reload multipath service (only reloads config and rescans, will not interrupt live systems)
service multipathd reload
multipath -v2
multipath -ll A14

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

1. Physically remove disk

2. Find failed multipath disk

multipath -ll

3. Remove multipath disk

multipath -F

4. Physically insert new disk (record WWN from drive label first)

5. Add the WWN to /etc/multipath.conf as a new alias (WWN can be found on physical disk label, for WD disks, add a 3 to the beginning)

6. reload multipath service (only reloads config and rescans, will not interrupt live systems)

service multipathd reload

multipath -v2

multipath -ll A14

2018-02-13/by wriedel

BIND – Response Policy Zones (RPZ)

BIND

ISC Webinars:
https://www.isc.org/mission/webinars

ISC Webinar on RPZ:
https://www.isc.org/wp-content/uploads/2017/12/RPZ-webinar7.ppt.pdf

Security Zones – Rackspace Case Study:
http://www.securityzones.net/images/downloads/Rackspace-RPZ-Case-Study.pdf

Free Trial
http://www.securityzones.net/free-trial.html

Installation Guide for BIND with RPZ with links to example files:
http://www.securityzones.net/images/downloads/BIND_RPZ_Installation_Guide.pdf

ISC KB articles on RPZ:
https://kb.isc.org/article/AA-00525/110/Building-DNS-Firewalls-with-Response-Policy-Zones-RPZ.html

MX Tools – Spamhaus RPZ Service:
https://portal.spamhaustech.com/ma/manual/rpz/

RPZ web site with data feed providers list:
https://dnsrpz.info

2018-02-13/by wriedel

CISCO CUBE SipGate

CUBE

1. Cisco Unified Border Element with Support for Multi-VRF

Cisco Unified Border Element Configuration Guide

2. SIPGATE

To let you CUBE register with SIPGATE for incoming calls, you need to ensure that the sip-ua, retry invite is 2 else it will not register!!!!

sip-ua
retry invite 2

!
ip host sipconnect.sipgate.de 217.10.68.150
ip host _sip._udp.sipconnect.sipgate.de srv 0 0 5060 sipconnect.sipgate.de
!
voice service voip
 ip address trusted list
  ipv4 <cucm1> 255.255.255.255
  ipv4 <cucm2> 255.255.255.255
  ipv4 217.10.68.150 255.255.255.255
 address-hiding
 mode border-element 
 media transcoder sync-streams
 media statistics
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
 modem passthrough nse codec g711alaw
 sip
  header-passing
  registrar server
  conn-reuse
  privacy-policy passthru
  no call service stop
!
!
voice class uri uri2sipgate sip
 host dns:sipconnect.sipgate.de
 host ipv4:217.10.68.150
!
voice class uri uri167cucm sip
 host dns:cucm1.toocoolforyou.net
!
voice class uri uri168cucm sip
 host dns:cucm2.toocoolforyou.net
!
voice class codec 217
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
 codec preference 3 g729r8
 codec preference 4 g726r32
!
voice class codec 111
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
 codec preference 3 g729r8
 codec preference 4 g726r32
!

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

!

ip host sipconnect.sipgate.de 217.10.68.150

ip host _sip._udp.sipconnect.sipgate.de srv 0 0 5060 sipconnect.sipgate.de

!

voice service voip

ip address trusted list

ipv4 <cucm1> 255.255.255.255

ipv4 <cucm2> 255.255.255.255

ipv4 217.10.68.150 255.255.255.255

address-hiding

mode border-element

media transcoder sync-streams

media statistics

allow-connections sip to sip

fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw

modem passthrough nse codec g711alaw

sip

header-passing

registrar server

conn-reuse

privacy-policy passthru

no call service stop

!

voice class uri uri2sipgate sip

host dns:sipconnect.sipgate.de

host ipv4:217.10.68.150

!

voice class uri uri167cucm sip

host dns:cucm1.toocoolforyou.net

!

voice class uri uri168cucm sip

host dns:cucm2.toocoolforyou.net

!

voice class codec 217

codec preference 1 g711alaw

codec preference 2 g711ulaw

codec preference 3 g729r8

codec preference 4 g726r32

!

voice class codec 111

codec preference 1 g711alaw

codec preference 2 g711ulaw

codec preference 3 g729r8

codec preference 4 g726r32

!

2018-02-12/by wriedel

Debian – How to delete broken packages

Debian

1. remove broken packages

cd /var/lib/dpkg/info; rm <packagename.*>
sudo dpkg --purge --force-remove-reinstreq <code><packagename>
sudo dpkg --remove --force-remove-reinstreq <code><packagename>
sudo dpkg --remove --force-remove-reinstreq --force-depends <package-name></code>

1

2

3

4

cd /var/lib/dpkg/info; rm <packagename.*>

sudo dpkg --purge --force-remove-reinstreq <code><packagename>

sudo dpkg --remove --force-remove-reinstreq <code><packagename>

sudo dpkg --remove --force-remove-reinstreq --force-depends <package-name></code>

2. after removing package update your system

sudo apt-get autoremove && sudo apt-get autoclean &&</code><code></code>sudo apt-get update <code>&&</code><code></code>sudo apt-get upgrade

1	sudo apt-get autoremove && sudo apt-get autoclean &&</code><code></code>sudo apt-get update <code>&&</code><code></code>sudo apt-get upgrade

3. re-install the package

sudo apt-get install -f 
sudo apt-get install <code><packagename>
sudo apt-get install --reinstall <packagename></code><code></code><code>

1

2

3

sudo apt-get install -f

sudo apt-get install <code><packagename>

sudo apt-get install --reinstall <packagename></code><code></code><code>

2018-02-08/by wriedel

Ubuntu – How to fix broken packages

Ubuntu

1. fix broken packages

sudo apt-get --fix-broken install

1	sudo apt-get --fix-broken install

2. cleanup 1st

sudo rm /var/lib/apt/lists/* -vf
sudo apt-get update

1 2	sudo rm /var/lib/apt/lists/* -vf sudo apt-get update

3. cleanup 2nd

sudo apt-get clean 
sudo apt-get autoclean 
sudo apt-get autoremove

1

2

3

sudo apt-get clean

sudo apt-get autoclean

sudo apt-get autoremove

4. Package Manager

sudo dpkg --configure -a
sudo apt-get update

1 2	sudo dpkg --configure -a sudo apt-get update

2018-02-08/by wriedel

WordPress – auto-update via proxy

WordPress

Here a brief config snipped to allow WordPress to

use a http proxy server for updates
enforce ssh
enable auto-upgrade for WP core, plugins and themes

/** WordPress update via proxy */
define('WP_PROXY_HOST', 'proxy.f1-online.net');
define('WP_PROXY_PORT', '8080');
define('WP_PROXY_BYPASS_HOSTS','localhost');

/** SSH upgrade */
define('FTP_PUBKEY','/home/webmaster/.ssh/id_rsa.pub');
define('FTP_PRIKEY','/home/webmaster/.ssh/id_rsa');
define('FTP_USER','webmaster');
define('FTP_HOST','localhost:22');

/** auto-upgrade WordPress core */
define( 'WP_AUTO_UPDATE_CORE', true );

/** auto-upgrade WordPress plugins*/
add_filter( 'auto_update_plugin', '__return_true' );

/** auto-upgrade WordPress themes */
add_filter( 'auto_update_theme', '__return_true' );

/*** force SSL usage for admin */
define('FORCE_SSL_ADMIN', true);

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

/** WordPress update via proxy */

define('WP_PROXY_HOST', 'proxy.f1-online.net');

define('WP_PROXY_PORT', '8080');

define('WP_PROXY_BYPASS_HOSTS','localhost');

/** SSH upgrade */

define('FTP_PUBKEY','/home/webmaster/.ssh/id_rsa.pub');

define('FTP_PRIKEY','/home/webmaster/.ssh/id_rsa');

define('FTP_USER','webmaster');

define('FTP_HOST','localhost:22');

/** auto-upgrade WordPress core */

define( 'WP_AUTO_UPDATE_CORE', true );

/** auto-upgrade WordPress plugins*/

add_filter( 'auto_update_plugin', '__return_true' );

/** auto-upgrade WordPress themes */

add_filter( 'auto_update_theme', '__return_true' );

/*** force SSL usage for admin */

define('FORCE_SSL_ADMIN', true);

2018-02-07/by wriedel

Postfix – DNSBL Providers

The complete IP check for sending Mailservers

DNSBL Providers:

CISCO ASA LDAP AAA Error ‘AAA Server has been removed’

Problem:

Solution:

MySQL – How to Back Up and Restore a Database

ZFS – Replacing a dead disk in a zpool

ZFS – Single Path

ZFS – Multi Path

BIND – Response Policy Zones (RPZ)

CISCO CUBE SipGate

1. Cisco Unified Border Element with Support for Multi-VRF

2. SIPGATE

Debian – How to delete broken packages

Ubuntu – How to fix broken packages

WordPress – auto-update via proxy

Meet with us

Where to find us

Get in touch with us

Latest Blog Entries

Archive for month: February, 2018

The complete IP check for sending Mailservers

DNSBL Providers:

Problem:

Solution:

1. Cisco Unified Border Element with Support for Multi-VRF

2. SIPGATE

Meet with us

Where to find us

Get in touch with us

Latest Blog Entries