May 24 14

How to fix issues with promiscuous interface in KVM

by Patrick Durante

I had a simple issue I was stuck on. I was trying to configure an IDS in KVM that needed to see all traffic for a specific subnet. I added a new interface and the host was able to see all of the traffic, but the virtual interface inside the KVM did not. The bridge was configured properly, but I needed to add the following command on the host for the VM to finally see the traffic.


brctl setageing br2 0

Hopefully it will save you some time if you run into the same issue. I just added that to rc.local and on boot the problem was solved.

Apr 30 14

Simple performance increase for PHP websites

by Patrick Durante

After following the post here,

http://www.tecmint.com/install-xcache-to-accelerate-and-optimize-php-performance/

I was able to get about a 5x performance gain in PHP applications on my web server. Very simple to install and configure. You can then do a benchmark test with the Apache ab tool to see for yourself.

ab -n 1000 -c 2 http://siteaddress/index.php

Apr 11 14

Configure email reports with Observium

by Patrick Durante

Find the graph that you want to get in an email report. Click RRD COMMAND in the top right to get the code to create the graph on the command line. An example:


rrdtool graph /tmp/k93ewPFhVr6kIgGy.png --alt-autoscale --rigid -E --start 1397210793 --end 1397232393 --width 1159 --height 300 -c BACK#EEEEEE00 -c SHADEA#EEEEEE00 -c SHADEB#EEEEEE00 -c FONT#000000 -c CANVAS#FFFFFF00 -c GRID#a5a5a5 -c MGRID#FF9999 -c FRAME#5e5e5e -c ARROW#5e5e5e -R normal --font LEGEND:8:'DejaVuSansMono' --font AXIS:7:'DejaVuSansMono' --font-render-mode normal COMMENT:'Bits/s Now Avg Max 95th \n' DEF:outoctets=/opt/observium/rrd/asa5505/port-15.rrd:OUTOCTETS:AVERAGE DEF:inoctets=/opt/observium/rrd/asa5505/port-15.rrd:INOCTETS:AVERAGE DEF:outoctets_max=/opt/observium/rrd/asa5505/port-15.rrd:OUTOCTETS:MAX DEF:inoctets_max=/opt/observium/rrd/asa5505/port-15.rrd:INOCTETS:MAX CDEF:octets=inoctets,outoctets,+ CDEF:doutoctets=outoctets,-1,* CDEF:outbits=outoctets,8,* CDEF:outbits_max=outoctets_max,8,* CDEF:doutoctets_max=outoctets_max,-1,* CDEF:doutbits=doutoctets,8,* CDEF:doutbits_max=doutoctets_max,8,* CDEF:inbits=inoctets,8,* CDEF:inbits_max=inoctets_max,8,* VDEF:totin=inoctets,TOTAL VDEF:totout=outoctets,TOTAL VDEF:tot=octets,TOTAL VDEF:95thin=inbits,95,PERCENT VDEF:95thout=outbits,95,PERCENT VDEF:d95thout=doutbits,5,PERCENT AREA:inbits#92B73F LINE1.25:inbits#4A8328:'In ' GPRINT:inbits:LAST:%6.2lf%s GPRINT:inbits:AVERAGE:%6.2lf%s GPRINT:inbits_max:MAX:%6.2lf%s GPRINT:95thin:%6.2lf%s\\n AREA:doutbits#7075B8 LINE1.25:doutbits#323B7C:'Out' GPRINT:outbits:LAST:%6.2lf%s GPRINT:outbits:AVERAGE:%6.2lf%s GPRINT:outbits_max:MAX:%6.2lf%s GPRINT:95thout:%6.2lf%s\\n GPRINT:tot:'Total %6.2lf%s' GPRINT:totin:'(In %6.2lf%s' GPRINT:totout:'Out %6.2lf%s)\\l' LINE1:95thin#aa0000 LINE1:d95thout#aa0000

Create a bash script that sets the start and end time of the graph you want to create, and pass them as variables to --start and --end in the RRD command. Example:

Save the following as dailybw.sh


#!/bin/bash

current_time=$(date +%s)
# Graph start time: 21600 seconds (6 hours) before now. Change this to alter the graph length.
old_time=$((current_time-21600))
echo $old_time

rrdtool graph /tmp/dailybandwidth.png --alt-autoscale --rigid -E --start $old_time --end $current_time --width 1159 --height 300 -c BACK#EEEEEE00 -c SHADEA#EEEEEE00 -c SHADEB#EEEEEE00 -c FONT#000000 -c CANVAS#FFFFFF00 -c GRID#a5a5a5 -c MGRID#FF9999 -c FRAME#5e5e5e -c ARROW#5e5e5e -R normal --font LEGEND:8:'DejaVuSansMono' --font AXIS:7:'DejaVuSansMono' --font-render-mode normal COMMENT:'Bits/s Now Avg Max 95th \n' DEF:outoctets=/opt/observium/rrd/naphrtrbr01/port-8.rrd:OUTOCTETS:AVERAGE DEF:inoctets=/opt/observium/rrd/naphrtrbr01/port-8.rrd:INOCTETS:AVERAGE DEF:outoctets_max=/opt/observium/rrd/naphrtrbr01/port-8.rrd:OUTOCTETS:MAX DEF:inoctets_max=/opt/observium/rrd/naphrtrbr01/port-8.rrd:INOCTETS:MAX CDEF:octets=inoctets,outoctets,+ CDEF:doutoctets=outoctets,-1,* CDEF:outbits=outoctets,8,* CDEF:outbits_max=outoctets_max,8,* CDEF:doutoctets_max=outoctets_max,-1,* CDEF:doutbits=doutoctets,8,* CDEF:doutbits_max=doutoctets_max,8,* CDEF:inbits=inoctets,8,* CDEF:inbits_max=inoctets_max,8,* VDEF:totin=inoctets,TOTAL VDEF:totout=outoctets,TOTAL VDEF:tot=octets,TOTAL VDEF:95thin=inbits,95,PERCENT VDEF:95thout=outbits,95,PERCENT VDEF:d95thout=doutbits,5,PERCENT AREA:inbits#92B73F LINE1.25:inbits#4A8328:'In ' GPRINT:inbits:LAST:%6.2lf%s GPRINT:inbits:AVERAGE:%6.2lf%s GPRINT:inbits_max:MAX:%6.2lf%s GPRINT:95thin:%6.2lf%s\\n AREA:doutbits#7075B8 LINE1.25:doutbits#323B7C:'Out' GPRINT:outbits:LAST:%6.2lf%s GPRINT:outbits:AVERAGE:%6.2lf%s GPRINT:outbits_max:MAX:%6.2lf%s GPRINT:95thout:%6.2lf%s\\n GPRINT:tot:'Total %6.2lf%s' GPRINT:totin:'(In %6.2lf%s' GPRINT:totout:'Out %6.2lf%s)\\l' LINE1:95thin#aa0000 LINE1:d95thout#aa0000

I used the following Perl script, which takes the graph as an inline image in an HTML message. I first execute the bash script to generate the graph and then email it.


#!/usr/bin/perl
use strict;
use warnings;
use MIME::Lite;

# Generate the graph first; dailybw.sh writes /tmp/dailybandwidth.png
system("/bin/bash /usr/local/src/dailybw.sh") == 0
    or die "dailybw.sh failed: $?";

# multipart/related lets the HTML body reference the image by Content-ID
my $msg = MIME::Lite->new(
    To      => 'emailaddress@email.com',
    From    => 'server@server.com',
    Subject => '6AM Daily Bandwidth Report',
    Type    => 'multipart/related',
);
$msg->attach(
    Type => 'text/html',
    Data => qq{<body>
<br>6AM Daily Bandwidth Report<br>
<br>Daily<br>
<img src="cid:dailybandwidth.png">
</body>},
);
# Id must match the cid: used in the <img> tag above
$msg->attach(
    Type => 'image/png',
    Id   => 'dailybandwidth.png',
    Path => '/tmp/dailybandwidth.png',
);
$msg->send();

Feb 18 14

Firewall Service Module upgrade from 3.1 to 3.2 or 4.1 in a failover pair

by Patrick Durante

The documentation doesn't state it, but you can do a zero-downtime upgrade from 3.1 to 3.2, and then to 4.1, for the FWSM failover pair. I had opened a case with Cisco and they actually stated it was a bug in the document. Here is the practice I followed that worked well.

On the day of the upgrade:
1) Connect to SW01 and do a wr memory all
2) Connect to switch 1 and 2 and copy the new image and ASDM via TFTP from your admin VLAN XXX, using an IP address that is in the same network as the admin context.
** You can only have one image and one ASDM, so you have to use the following names.
copy tftp flash:image -- command to copy the image
copy tftp flash:asdm -- command to copy ASDM
** Note: I was getting the error message "WARNING: The flash device is in use by another task. Failed to open image in flash." I just disconnected from my session and reconnected. The message went away after I tried the TFTP transfer a third time.

3) Connect to SW01 and make it active for all contexts: # failover active. Confirm that all sessions and everything are running from SW01: # show failover
4) Once SW01 is primary: # failover reload-standby
5) Wait until the standby has reloaded with the new image and is in a standby ready state. It should show a mismatch, but it will still allow you to fail over active connections.
6) If the reload is complete and the secondary is standby ready, then issue # no failover active (on the primary).
7) Connect back to your new secondary unit and issue # reload on the primary once all services have failed over to the standby unit.

Make sure to take backups of system execution space, admin context, and any other contexts you may have created.

Feb 7 14

How to shrink a CentOS 5/6 VM in VMware

by Patrick Durante

Need to shrink a linux VM? I’ve found this is the best way that doesn’t cause any corruption issues.

1) Add a new disk to the host that is the size you would like it to be.
2) Boot a copy of GParted and shrink the free space.
3) Download the latest copy of CloneZilla and boot the ISO. If the machine boots too fast to mount the ISO, I chose the option to boot directly into the BIOS.
4) Once in CloneZilla, choose advanced > select the option to disable partition size checking. If you don't do this, you won't be able to clone from a larger to a smaller disk.
5) Select the option to copy the boot loader.
6) Reboot and enjoy the new space that was reclaimed on the host VM server.

Jan 10 14

Nagios check for VPN status on a Cisco router

by Patrick Durante

I wanted to get the status of a VPN on a Cisco router. The OID would change via SNMP if the site-to-site VPN went down. So I wrote a simple expect script to get that info on the command line.


#!/usr/bin/expect
# Credentials are stored in clear text: keep this file readable only by the
# account that runs the cron job (chmod 600).
set login "ciscousername"
set addr "10.10.10.10"
set pw "ciscopass"
set enpw "ciscoenpass"

spawn ssh $login@$addr
expect "Password: "
send "$pw\r"
sleep 1
# enter privileged mode
send "en\r"
expect "Password: "
send "$enpw\r"
expect "#"
send "show crypto isakmp sa detail\r"
# a space advances past the --more-- prompt if the output is paged
send " "
sleep 1
expect "#"
send "quit\r"
# wait for the ssh session to close so all output is flushed
expect eof

Once I had that, I could just grep for the name of the site-to-site tunnel to verify it was up. If you write that output to a temp location, you can then configure a Nagios plugin to look for the string of your VPN tunnel name.


#!/bin/bash
# Usage: check_vpn_status <tunnel name>; reads the output saved by the expect script

COMMAND=$(cat /tmp/vpnstatus.txt)

SUCCESS="0"
WARNING="1"
CRITICAL="2"
UNKNOWN="3"

# -F matches the name literally rather than as a regular expression
if grep -qF -- "$1" <<< "$COMMAND"; then
        echo "OK - $1 SMS SITE-TO-SITE IS UP"
        exit ${SUCCESS}
else
        echo "CRITICAL - $1 SMS SITE-TO-SITE IS DOWN"
        exit ${CRITICAL}
fi

When you update your Nagios config, just pass the site-to-site name as the argument, e.g. check_vpn_status sitename. If it's in the output of the expect script, the check will pass. If it is missing from the file, the check will fail. Just have the expect script run from crontab and output to a file like so.

*/10 * * * * expect /usr/local/sbin/vpn_check.exp > /tmp/vpnstatus.txt
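A hardened version of the plugin above, added here as an example rather than the original post's code: a missing or stale capture file becomes UNKNOWN instead of CRITICAL (otherwise a broken cron job looks like a VPN outage), the name is matched literally and as a whole word, and the matching SA line must also show ACTIVE. The STATUS_FILE path is the one from the post; the ACTIVE status column and the 25-minute staleness limit are assumptions.

```shell
#!/bin/sh
# Nagios plugin: a site-to-site VPN is UP only when its name (or peer address)
# appears in the saved "show crypto isakmp sa detail" capture on a line whose
# status reads ACTIVE. Example added here, not the original post's plugin.
STATUS_FILE=/tmp/vpnstatus.txt   # file written by the expect script's cron job
MAX_AGE_MIN=25                   # assumption: ~2 missed 10-minute runs = stale

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# check_vpn_status FILE NAME: print one Nagios status line, return its code
check_vpn_status() {
    file=$1; name=$2
    if [ ! -r "$file" ]; then
        echo "UNKNOWN - $file missing or unreadable; is the expect cron job running?"
        return "$UNKNOWN"
    fi
    # A stale capture means the collector stopped; its contents prove nothing.
    if [ -n "$(find "$file" -mmin +"$MAX_AGE_MIN" 2>/dev/null)" ]; then
        echo "UNKNOWN - $file is older than $MAX_AGE_MIN minutes"
        return "$UNKNOWN"
    fi
    # -F: match literally (a '.' in a peer IP must not act as a wildcard)
    # -w: whole word, so 10.2.2.2 does not also match 10.2.2.20
    # The same line must carry ACTIVE; an MM_NO_STATE entry is not "up".
    if grep -Fw -- "$name" "$file" | grep -q 'ACTIVE'; then
        echo "OK - $name SITE-TO-SITE IS UP"
        return "$OK"
    fi
    echo "CRITICAL - $name SITE-TO-SITE IS DOWN"
    return "$CRITICAL"
}

# As a plugin: check_vpn_status.sh <tunnel name or peer address>
if [ "$#" -ge 1 ]; then
    check_vpn_status "$STATUS_FILE" "$1"
    exit $?
fi
```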

Dec 5 13

CentOS 6.5 KVM issue with bridged interface to virtual machine

by Patrick Durante

I had recently updated my CentOS home server to 6.5. I use KVM for various virtual machines and I noticed that after the update my Windows VMs stopped listening to multicast traffic. This caused all types of issues with my home Media Center, which uses UPnP. The problem was that they started to enforce multicast snooping after the update. To fix it I had to disable it. Then the bridged interface will forward all multicast packets (DLNA/UPnP).

echo 0 > /sys/devices/virtual/net/br-lan/bridge/multicast_snooping

Substitute your actual bridge interface for br-lan, for example br0. Also add the command to rc.local, because the setting reverts to the default on reboot.
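The brctl setageing fix from the IDS post above and the multicast_snooping fix from this post, combined into one idempotent script that can be called from rc.local and verifies what it set; this is an added example, not code from the posts. It uses the sysfs knobs under /sys/class/net/<bridge>/bridge/ (ageing_time there is equivalent to brctl setageing, in hundredths of a second), and SYSFS_ROOT is a hypothetical override so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Put a Linux bridge into "tap" mode for a KVM guest: ageing_time 0 stops MAC
# learning so every frame is flooded to all ports (what brctl setageing br2 0
# does), and multicast_snooping 0 stops the bridge filtering multicast.
# Added example, not from the posts. SYSFS_ROOT is a hypothetical override
# so the functions can be exercised against a scratch tree; on a host use /sys.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}

# knob BR NAME: path of one bridge attribute under sysfs
knob() { echo "$SYSFS_ROOT/class/net/$1/bridge/$2"; }

# bridge_tap_mode BR: apply both settings; idempotent, safe to call from
# rc.local on every boot. Returns 1 if BR is absent or is not a bridge.
bridge_tap_mode() {
    br=$1
    if [ ! -d "$SYSFS_ROOT/class/net/$br/bridge" ]; then
        echo "$br: not a bridge, nothing done" >&2
        return 1
    fi
    # ageing_time is expressed in hundredths of a second; 0 disables learning
    echo 0 > "$(knob "$br" ageing_time)"
    echo 0 > "$(knob "$br" multicast_snooping)"
}

# bridge_tap_verify BR: succeed only if both knobs read back as 0
bridge_tap_verify() {
    br=$1
    [ "$(cat "$(knob "$br" ageing_time)" 2>/dev/null)" = 0 ] &&
    [ "$(cat "$(knob "$br" multicast_snooping)" 2>/dev/null)" = 0 ]
}

# usage: bridge_tap.sh br2
if [ "$#" -ge 1 ]; then
    bridge_tap_mode "$1" && bridge_tap_verify "$1" && echo "$1: flooding all traffic"
fi
```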

Dec 5 13

How to shrink a KVM raw image for Windows Guest

by Patrick Durante

I had assigned too much free space to a VM in Windows that was used for a test server. The quick and easy way to shrink a disk for KVM is to use qemu-img. First, shrink the guest using partition tools. You can do this with disk management in Windows. Second, go to the location of the disk .img file. Use the command:
qemu-img resize Window2008Server-1.img 200G

This would change the image size to be 200GB. That’s it. Just make sure the VM is powered off before you do any of this.

Oct 11 13

“AnyConnect is not enabled on the VPN server”

by Patrick Durante

I was rolling out two new ASAs and I kept getting the error message “Anyconnect is not enabled on the VPN Server”. I was able to hit the web page URL and log in without issue. It was only when I used the client directly on the desktop and typed in the VPN URL that it wouldn’t work. This is because there’s a conflict between the ASDM using 443 and the AnyConnect client making a connection on the same port. To resolve the issue with your AnyConnect client, make sure that you add the group URL at the end of the connection string. For example, make sure in the client you use “vpn.test.com/VPN” instead of just vpn.test.com. The VPN client should then connect without issue. As a side note, you can also get this error message if you don’t have webvpn enabled for the outside interface.

Another side note: if you are using IAS and Active Directory to authenticate users, make sure you enable password management. I was getting the following error until I enabled password management.

“The user attempted to use an authentication method that is not enabled on the matching remote access policy.”

This applies to both IPsec and the AnyConnect client.

Jul 12 13

Copying Cisco configs via terminal using Tera Term doesn’t copy all commands

by Patrick Durante

I noticed an issue when rolling out some new floor switches and migrating the configurations. When I would copy and paste via Tera Term I would lose some of the output from the terminal. The easy way to fix this is to modify the copy and paste delay in the settings.

Setup > additional settings > Copy and Paste > Paste delay per line > set it to 100ms.

Make sure to click Save setup and restart Tera Term.

This seems to be the best setting for copying a config without characters overlapping and causing input errors.