Tuesday, October 19, 2010

Test radius authentication on cisco

There is a handy test command for when you've configured RADIUS or TACACS+ and want to know whether authentication works as expected. I've tested it on a 3750 and a 2800 with the IOS versions shown below; according to Cisco it should work from 12.2(28)SB. The two words after the server group (or after the server address and port) are the username and the password, so in the examples below the user is "user" and the passwords are "correctpass" and "wrongpass". Port 1645 is the legacy RADIUS authentication port; use 1812 if that is where your server listens.

SW#sh ver
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
SW#test aaa group radius server 1.2.3.4 auth-port 1645 user correctpass new-code
User successfully authenticated

SW#test aaa group radius server 1.2.3.4 auth-port 1645 user wrongpass new-code
User rejected

and on my 2800 router:
(C2800NM-ENTBASEK9-M), Version 12.4(13d), RELEASE SOFTWARE (fc2)

R1#test aaa group radius user correctpass new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

R1#test aaa group radius user wrongpass new-code
Trying to authenticate with Servergroup radius

Note that on the 2800, if authentication is not successful you don't get any output at all. It could be a bug fixed in later versions, or it might be working as designed ;-) If you need to see what the server actually answered, debug radius shows the Access-Request and the Access-Accept/Access-Reject.
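Here is what the test aaa command exchanges with the server, as an added example (not from the original post and not Cisco code): a Python model of the RFC 2865 PAP Access-Request, the server's Accept/Reject, and the Response Authenticator check the NAS performs before believing the answer. The shared secret, NAS address and user database are made up for the example; the exchange runs in-process, no network needed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed for this example (not from the post): the secret the NAS and server share,
# and the server's user database. The user/password pair mirrors the `test aaa` calls above.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"user": b"correctpass"}


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block          # the chain runs over the ciphertext blocks
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of hide_password(); only the shared secret is needed to undo it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip="10.0.0.1"):
    """What the NAS sends: Code 1, Identifier, Length, 16 random octets, attributes."""
    req_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal PAP server: recover the password, answer Accept or Reject, and sign the reply
    with Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(users.get(username, b""), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify(request: bytes, response: bytes, secret: bytes):
    """NAS side: trust the code only if Identifier and Response Authenticator check out.
    Returns the code, or None when the reply is not a valid answer to this request."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def radius_test(username, password, secret=SHARED_SECRET, users=USER_DB, tamper=False) -> str:
    """Offline equivalent of `test aaa group radius <user> <password> new-code`.
    tamper=True simulates an on-path attacker rewriting the code byte of the reply."""
    request = build_access_request(1, username, password, secret)
    response = server_reply(request, secret, users)
    if tamper:
        response = bytes([ACCESS_ACCEPT]) + response[1:]
    code = nas_verify(request, response, secret)
    return {ACCESS_ACCEPT: "User successfully authenticated",
            ACCESS_REJECT: "User rejected"}.get(code, "No valid response")
```

The tampered-reply case is the reason the NAS must check the Response Authenticator: without the shared secret, an on-path attacker cannot turn a Reject into an Accept. The User-Password hiding is MD5-based obfuscation rather than encryption, and anyone holding the shared secret recovers the password, which is why RADIUS across an untrusted network wants IPsec or RadSec on top.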

Saturday, March 27, 2010

Get rid of console timeout on GNS3/dynamips

One of the things I hate is the processor cycling at 100% while I'm trying to configure something. Most of the time the reason is the console timeout. I use this script on each router to get rid of the console timeout, along with a few other things:

en
conf t
no ip domain-lookup
no cdp log mismatch duplex
line console 0
exec-timeout 33333
end
wr

That sets the timeout to 33333 minutes (3 weeks and 2 days), and your processor can breathe a bit ;-) In a lab you can also disable it completely with exec-timeout 0 0; don't carry either setting over to production devices, where a console session that never times out is a security problem.

Enjoy!

Tuesday, March 23, 2010

Troubleshooting BGP Flowchart

Amazing... I just came across this flowchart. It is interactive as well!

Sunday, March 14, 2010

Destination NAT (Outside NAT) on Cisco and xlate flags

The task was extremely simple. A packet with SRC 10.111.0.0/24, DST 192.168.252.10 needs to be translated to SRC 10.111.0.0/24, DST 10.100.252.10. Having done all kinds of NAT on Checkpoint (where this takes 3 clicks), I thought this would be a piece of cake. It took me 4-6 hours, going through many Cisco FWSM examples, and I had to write to the IPexpert CCIE Security mailing list for help.

I started looking for a way to use static (outside,inside), as I thought the first interface was the one the packet hits. It turned out I was totally wrong: the first interface in the static statement is the one where the real address lives and the second is the one where the mapped address is seen, regardless of which direction the connection is initiated from. The addresses that follow are in the opposite order: mapped address first, then real address.

At the end the config was:

static (inside,outside) 192.168.252.10 10.100.252.10

We can use: show xlate debug to verify the NAT:

NAT from inside:10.100.252.10 to outside:192.168.252.10 flags si idle 0:00:33 timeout 0:01:00 connections 0

Note the "si" flags above: s for static, i for inside. The list of all flags:

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static

For an explanation of each flag, check the table named Translation Flags in the command reference for your FWSM/ASA version.

Also, a few days ago Cisco announced that NAT will change as well in ASA version 8.3.

Tuesday, March 2, 2010

NAT on FWSM and not good syslog message

Syslog is absolutely my best friend when troubleshooting Cisco firewalls. Today I was surprised by getting such a "usual" message for such an unexpected issue. I hope Cisco can add a new syslog message for it. I checked the version 4.1 syslog message documentation and couldn't find a message for traffic dropped because it passes between interfaces with the same security level.

Today I was doing some NAT setup on FWSM 3.1. I wasn't sure the config would work, as there is no example in the configuration guide of two nat statements with the same ID on the same interface with different source addresses. There was, however, an example of this in the configuration guide for version 4.0 (Figure 15-15), so I wanted to try whether it would work. The configuration is below:

nat (if1) 1 192.168.16.0 255.255.240.0
nat (if1) 1 192.168.32.0 255.255.224.0
nat (if1) 1 192.168.64.0 255.255.192.0
nat (if1) 1 10.101.0.0 255.255.0.0
nat (if1) 1 10.114.0.0 255.255.0.0
nat (if1) 1 10.128.0.0 255.128.0.0
nat (if2) 1 10.216.0.0 255.255.0.0
nat (if3) 1 10.100.0.0 255.255.0.0
global (if4) 1 8.8.8.8

Everything worked as expected except for connections from if2. In the log I got this message:

Mar  2 16:07:12 10.100.255.20 %FWSM-3-106011: Deny inbound (No xlate) tcp src if2:10.216.20.1/37377 dst if4

I checked the access-list and the hit counts were there, so the next step in the traffic flow is the xlate lookup. I removed the specific nat statement, re-tried, and got the same message. I added it again, re-tried, and again the same message. It took some time before I got the idea to check the security levels on the interfaces, and I got this:

FWSM/context#show nameif
Interface                Name                     Security
ethernet2                if1                       25
ethernet4                if2                       20
ethernet3                if4                       20
ethernet1                if3                      100
ethernet5                if5                       20

After permitting traffic between interfaces with the same security level, I got the connection:

FWSM/context# show runn same-security-traffic
same-security-traffic permit inter-interface

FWSM/context# show xlate debug | grep 10.216.20.1
TCP PAT from if2:10.216.20.1/34305 to if4:8.8.8.8/1039 flags ri idle 0:00:20 timeout 0:00:30 connections 1

FWSM/context# show conn detail | grep 10.216.20.1
TCP out 10.111.0.1:23 in 10.216.20.1:54785 idle 0:00:02 Bytes 64 FLAGS -

Sunday, February 28, 2010

Next challenge, BGP

After passing CCDA, my next adventure will be BGP. I'll use 2 sources, both recommended by 2 colleagues of mine who are CCIE holders.

- Internet Routing Architectures

According to my colleagues this is the BGP bible. I've been through the first 4 chapters and I can't wait to finish it.

In the meantime I'll do some labs and troubleshooting using the book below (you should expect uploaded dynamips files and diagrams here in the near future, unless I get extremely busy or lazy ;-) )

- Routing TCP/IP volume II

Jeff Doyle has a blog as well.

And of course I'll consult one of the best (if not the best) networking blogs, from BGP/MPLS guru Ivan.

I'll keep you posted on this, I'm sure. In the meantime, if someone has stumbled across my messy blog and has found another place with BGP configuration tasks with solutions, please leave a comment.

Thank you!

First design exam, Cisco CCDA

Earlier this week I went for the CCDA. It wasn't as easy as I expected, but I got somewhat lucky and was able to pass it with 87%. The passing score is around 82.5%.

There were a lot of questions on Security, Routing, VoIP, QoS and Wireless. A large number of questions came from SONA and the hierarchical design model (Access / Distribution / Core layers). Some of the questions were tricky and took some 10 minutes of calculation before answering.

I would like to share the books that I've used for preparation for this exam:

- Top-Down Network Design

I've been through this book page by page. I enjoyed every second spent on it, as it tries to teach you how to think before designing a topology. The resources on the web page can also be very helpful in the future. Highly recommended!

- CCDA Official Exam Guide

After the top-down book I went through the Wireless and VoIP chapters of this book and briefly reviewed the routing part. In the last week before the exam I went through the summary of each chapter and used the quick reference guide:

- CCDA Quick Reference Sheets.

Make sure you're very well prepared before sitting this exam. It is tricky and covers a lot of material.

Good Luck!

Tuesday, February 23, 2010

nat-control

There are times when you think the access-list has a problem, and then you find out the hit counts are increasing. You're almost sure the traffic is passing, but you can't find the connection in the connection table? Check syslog and you'll find one of those beautiful messages:

%ASA-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80

%ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80

%FWSM-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80

%FWSM-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80

Well, most probably you have nat-control enabled. You can verify it with the following command:

FWSM/CONTEXT# show runn nat-control
nat-control

So what is nat-control? nat-control is a feature on Cisco firewalls to maximise security. When it is enabled, every packet MUST match a NAT rule in order to pass through the firewall. Keep in mind that even packets initiated from a HIGHER security level interface (inside) MUST match a NAT rule before they are forwarded to a lower security interface (outside). nat-control is disabled by default.
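The two syslog checks from this post and from the "NAT on FWSM and not good syslog message" post earlier on this page (the 106011 "No xlate" deny between same-security interfaces, and the 305005/305006 translation failures with nat-control on) can be turned into a small triage script. This is an added example, not code from the original posts: the show nameif table and the syslog lines are constructed from the samples on this page (with the if3 traffic and some addresses made up), and the verdicts encode only the causes discussed here.

```python
import re

# Constructed sample input, modelled on the outputs in these posts: a `show nameif`
# table and syslog lines of the three message IDs discussed. if3 traffic is made up.
SHOW_NAMEIF = """\
Interface                Name                     Security
ethernet2                if1                       25
ethernet4                if2                       20
ethernet3                if4                       20
ethernet1                if3                      100
"""

SYSLOG = [
    "Mar  2 16:07:12 10.100.255.20 %FWSM-3-106011: Deny inbound (No xlate) tcp src if2:10.216.20.1/37377 dst if4:8.8.8.8/23",
    "Mar  2 16:07:15 10.100.255.20 %FWSM-3-305005: No translation group found for tcp src if3:10.100.1.9/11039 dst if4:198.133.219.25/80",
    "Mar  2 16:07:16 10.100.255.20 %FWSM-3-305006: regular translation creation failed for tcp src if3:10.100.1.9/11040 dst if4:198.133.219.25/80",
    "Mar  2 16:07:20 10.100.255.20 %FWSM-3-106011: Deny inbound (No xlate) tcp src if1:192.168.16.5/40000 dst if4:8.8.8.8/443",
]

# One pattern covers ASA/FWSM/PIX; the ports are optional so ICMP lines parse as well.
MSG_RE = re.compile(
    r"%(?:ASA|FWSM|PIX)-\d-(?P<id>\d{6}): .*?"
    r"(?P<proto>tcp|udp|icmp) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))?"
    r" dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_nameif(text: str) -> dict:
    """Map interface name -> security level from `show nameif` output."""
    levels = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            levels[parts[1]] = int(parts[2])
    return levels


def parse_msg(line: str):
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def triage(line, levels, same_security_inter=False, nat_control=True):
    """Return (message id, first thing to check) for a deny/translation-failure line, using the
    security levels of the two interfaces in the message and the firewall's global settings."""
    m = parse_msg(line)
    if m is None:
        return None
    src, dst = levels.get(m["sif"]), levels.get(m["dif"])
    if src is None or dst is None:
        return m["id"], f"unknown interface in message ({m['sif']} / {m['dif']}): check `show nameif`"
    if m["id"] == "106011":
        if src == dst and not same_security_inter:
            return m["id"], (f"{m['sif']} and {m['dif']} are both level {src}, and "
                             "same-security-traffic permit inter-interface is not configured")
        if src >= dst:
            return m["id"], (f"no xlate for {m['sip']} from {m['sif']} to {m['dif']}: "
                             "check the nat/global pair for this interface pair")
        return m["id"], (f"inbound from {m['sif']} (level {src}) to {m['dif']} (level {dst}): "
                         "a static translation plus an ACL is needed")
    if m["id"] in ("305005", "305006"):
        if nat_control:
            return m["id"], f"nat-control is on and no NAT rule matches {m['sip']} on {m['sif']} towards {m['dif']}"
        return m["id"], (f"translation failed with nat-control off: check that the matching nat has a "
                         f"global on {m['dif']}, or that the pool is not exhausted")
    return m["id"], "not handled by this example"


def triage_all(lines, levels, **settings):
    return [triage(line, levels, **settings) for line in lines if parse_msg(line)]
```

Feed it the real show nameif output and the lines from show logging; the useful part is that the same 106011 text gets a different verdict depending on whether the two interfaces share a security level, which is exactly what took hours to spot by hand.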

Saturday, February 6, 2010

Going aside - Network Design

As I've started to get more responsibility for proposing new solutions to our customer, not only security related, I've decided to go through some design books, and maybe attempt a design exam from Cisco as well.

As for CCSE, I'll wait for Bobby's video to come out in February; I think that should fill the gap I need to pass CCSE.

A few days ago I came across this book. What I like about it is that it is not exam-oriented like certification guides; it is oriented towards teaching you how to think as a designer.

There are also very useful resources on the author's book site.

For me there are now 2 paths:

1. CCSE, CCIE Security Written and CCIE lab.

2. CCDA, then BGP, a bit of voice, and then CCDP.

It will depend on what role I'll have in the future of the project. Anyway, I'm sure I'll enjoy both paths.

Thursday, February 4, 2010

Portchanneling, or how to bring the LAN down

I had a lot of fun doing LAN refresh implementations on site for our client over the last 18 months. Sites were somewhere between 100 and 700+ users, with 5 to 40 switches each. Gathering information about the existing LAN and preparing the design and configuration is one thing; on-site implementation is something different, more challenging and more interesting.

Yesterday I found out that it is extremely easy to break such a LAN remotely. With 1 move we lost access to the core switch, the whole site was down for 5-10 minutes, and after reloading the core switch and re-configuring, everything was fine.

The task was to move a server from one VLAN to another and force it to communicate with the site through the firewall installed on site. Routing for the new VLAN is done by a UTM-1 Edge firewall connected to the core switch. The server was connected to an access switch (the same one as the WAN router). I wrote a step-by-step explanation for my colleague who had to perform the task, and I made 1 mistake about port-channeling: I asked him to modify the physical interfaces instead of the port-channel interface. As soon as he started the change I got a call from him that the site was down. I went to his PC and saw the PuTTY session with the last command entered, "switchport trunk allowed vlan add 201", as instructed. Everything was down, so we called the site, they confirmed it, and we asked for the switch to be reloaded. That took 5-10 minutes, and in the meantime we checked the command reference for port-channeling. One of the mistakes was that the switchport configuration was edited on the PHYSICAL interface instead of the virtual PORT-CHANNEL (Po5) interface; a member whose allowed-VLAN list no longer matches the channel is suspended from the bundle, so working through the members one by one takes the whole channel down. After the reload my colleague added the new VLAN on the port-channel interface of the access switch first, then on the port-channel interface of the core switch, and everything went fine (the physical interface configs were updated automatically, as expected). The change went through, the server was migrated, and all the NATted connections towards the server worked as expected.

The "mystery" remained... why the heck we lost access to the Core switch? The Core switch have loopback interface and even that was not reachable until the switch got rebooted. I was enlighten by one of our colleagues, a CCIE R&S holder.

On 158 of the 160 sites the WAN router (provided by the ISP) is physically connected directly to the core switch. On 2 sites (I got this information today) the WAN router isn't in the same room as the core switch, so there is a port-channel of 4 or more Gigabit interfaces between the core switch and the "access" switch that is physically connected to the WAN router. Of course I didn't check whether this was the case. So the logical L3 diagram was WAN->CORE---->ACCESS, but physically it was WAN->ACCESS---->CORE. By breaking the port-channel between the core and access switches we lost access to the core switch, as the core wasn't physically connected to the WAN router.

Lessons learned:

1. Verify the network diagram, and verify that the device configuration corresponds to it. (This should take less than 10 minutes; you can find the outputs below.)

2. Check the command reference and/or examples if you haven't done the task recently (e.g. adding a VLAN on a port-channel).

3. Do not make too many assumptions.

CORE#show ip route
S*   0.0.0.0/0 [1/0] via 10.122.134.1

CORE#show arp | inc 10.122.134.1
Internet  10.122.134.1   24   0000.0c07.ac01  ARPA   Vlan100

CORE#show mac address-table | inc 0000.0c07.ac01
100    0000.0c07.ac01    DYNAMIC     Po5

CORE#show int po5 | inc Members
  Members in this channel: Gi1/0/5 Gi1/0/6 Gi2/0/5 Gi2/0/6


CORE#show cdp nei Gi1/0/5
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port
ACCESS           Gig 1/0/5             120           S I      WS-C3750- Gig 1/0/1
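The check in lesson 1 can be automated from exactly the five outputs above. This is an added example, not the author's code: it parses constructed copies of those outputs (a dict keyed by the command that produced them), follows the default route down to the physical uplink, and warns when the gateway is reached through a port-channel whose CDP neighbour is another switch. The 0000.0c07.acXX prefix is the HSRP virtual MAC for standby group XX, so the trace also notes that the gateway is an HSRP address rather than a physical router port.

```python
import re

# Constructed copy of the `show` outputs above, keyed by the command that produced them.
OUTPUTS = {
    "show ip route": "S*   0.0.0.0/0 [1/0] via 10.122.134.1\n",
    "show arp": "Internet  10.122.134.1   24   0000.0c07.ac01  ARPA   Vlan100\n",
    "show mac address-table": "100    0000.0c07.ac01    DYNAMIC     Po5\n",
    "show int po5": "  Members in this channel: Gi1/0/5 Gi1/0/6 Gi2/0/5 Gi2/0/6\n",
    "show cdp nei Gi1/0/5": (
        "Device ID        Local Intrfce     Holdtme    Capability  Platform  Port\n"
        "ACCESS           Gig 1/0/5             120           S I      WS-C3750- Gig 1/0/1\n"),
}

CDP_RE = re.compile(r"^(?P<device>\S+)\s+(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+"
                    r"(?P<cap>[A-Za-z](?: [A-Za-z])*)\s+(?P<platform>\S+)\s+(?P<port>\S+ \S+)\s*$")


def short_ifname(name: str) -> str:
    """Normalise 'Gig 1/0/5', 'GigabitEthernet1/0/5' and 'Gi1/0/5' to 'Gi1/0/5'."""
    name = re.sub(r"\s+", "", name)
    m = re.match(r"([A-Za-z]+)(.*)", name)
    return m.group(1)[:2].capitalize() + m.group(2)


def default_next_hop(text):
    m = re.search(r"^S\*\s+0\.0\.0\.0/0 \[\d+/\d+\] via ([\d.]+)", text, re.M)
    return m.group(1) if m else None


def arp_entry(text, ip):
    m = re.search(rf"^Internet\s+{re.escape(ip)}\s+\S+\s+([0-9a-f.]+)\s+ARPA\s+(\S+)", text, re.M)
    return (m.group(1), m.group(2)) if m else (None, None)


def mac_table_port(text, mac):
    m = re.search(rf"^(\d+)\s+{re.escape(mac)}\s+\S+\s+(\S+)", text, re.M)
    return (int(m.group(1)), short_ifname(m.group(2))) if m else (None, None)


def channel_members(text):
    m = re.search(r"Members in this channel:\s*(.*)$", text, re.M)
    return [short_ifname(x) for x in m.group(1).split()] if m else []


def cdp_neighbor(text):
    for line in text.splitlines():
        m = CDP_RE.match(line)
        if m:
            d = m.groupdict()
            d["local"], d["port"] = short_ifname(d["local"]), short_ifname(d["port"])
            return d
    return None


def trace_gateway_path(outputs):
    """Follow default route -> ARP -> MAC table -> (port-channel members) -> CDP neighbour."""
    nh = default_next_hop(outputs["show ip route"])
    mac, svi = arp_entry(outputs["show arp"], nh)
    vlan, port = mac_table_port(outputs["show mac address-table"], mac)
    members = channel_members(outputs.get(f"show int {port.lower()}", "")) if port.startswith("Po") else [port]
    neighbors = {m: cdp_neighbor(outputs[f"show cdp nei {m}"]) for m in members if f"show cdp nei {m}" in outputs}
    return {"next_hop": nh, "mac": mac, "svi": svi, "vlan": vlan, "egress": port,
            "members": members, "neighbors": neighbors,
            "hsrp_virtual_mac": mac.startswith("0000.0c07.ac")}


def uplink_warning(trace):
    """Lesson 1 as a check: if the gateway sits behind a port-channel whose CDP neighbour is a
    switch, the WAN router is NOT on this box, and touching that channel cuts remote access."""
    for ifname, n in trace["neighbors"].items():
        if n and "S" in n["cap"].split() and trace["egress"].startswith("Po"):
            return (f"gateway {trace['next_hop']} is reached via {trace['egress']} ({ifname}) to switch "
                    f"{n['device']} port {n['port']}; change {trace['egress']} itself, not its members, "
                    "and do the far-side switch first")
    return None
```

Run trace_gateway_path() on a dict built from the real outputs before the change window; if uplink_warning() returns anything, the physical path differs from the L3 diagram, which is precisely the situation that took the site down.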

Tuesday, February 2, 2010

Change password on non-admin user in SPLAT

Unbelievable, but true.

On Checkpoint SPLAT, the passwd command is used to change ONLY the expert password :-)

Do not try "passwd <username>", as that won't do the job :-)

[Expert@nd00001]# passwd
Enter new expert password:
[Expert@nd00001]# passwd user
Enter new expert password:

After a bit of scratching my head I got this:

[Expert@nd00001]# which passwd
alias passwd='/bin/expert_passwd'
        /bin/expert_passwd
[Expert@nd00001]# more /bin/expert_passwd

******** /bin/expert_passwd: Not a text file ********

Luckily the good old passwd is still in /usr/bin/ (in bash, \passwd or "command passwd" would also bypass the alias):

[Expert@nd00001]# /usr/bin/passwd test
Changing password for user test.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

This strangely reminds me of the good old "su" hack. The lesson learned from that hack is: "Make sure you ALWAYS use the full path to your binaries!!!"

Checkpoint confirmed it in a somewhat strange way ;-)

Download backup from SmartCenter using SCP

SFTP didn't work on R62, so I decided to try SCP. I had to check CPUG to get this done :-)

Basically this is what you need to do:

1. Download PSCP

2. Edit /etc/scpusers file, adding your username into the file, 1 user per line

3. Change the shell of your user to /bin/bash in /etc/passwd (this replaces the restricted cpshell for that account with a full shell, so use a dedicated backup user rather than your admin login)

4. Restart the ssh daemon: "service sshd restart"

5. Use command similar to:

C:\Documents and Settings\USER\Desktop>pscp -scp user@10.100.2.20:/var/CPbackup/backups/backup_hostname.domain.com_2_2_2010_10_47.tgz F:\Provider\backup\backup_hostname.domain.com_2_2_2010_10_47.tgz
user@10.100.2.20's password:
backup_hostname.domain.com_2 | 236672 kB | 9466.9 kB/s | ETA: 00:02:15 |  15%

That's all!

P.S. Don't forget to verify the MD5 checksum after the file has been transferred (md5sum on the SmartCenter, then compare it with the downloaded copy) ;-)

Saturday, January 23, 2010

CheckPoint CCSE Failed with 63%

It is my first failure on a certification exam, and I've sat more than 10 exams so far.

My feeling from studying for this exam is that Checkpoint doesn't teach you how things work according to the RFCs, but where to click in the GUI in order to make something work.

I was amazed again by the exam quality. 3 of the questions were repeated with different answers. 4-5 of the questions I wasn't able to understand. There was a mistake in one question: instead of "process" it said "device", and things like that.

I got 50% on Remote Access VPN :-) and Clustering, and 60% on Site-to-Site VPN :-) And there were plenty of theoretical questions on the exam. I hope they can verify their theoretical questions, as they were really close to impossible to understand. Also they don't follow the RFC terminology in the technical questions. With my background in cryptography and hands-on practice with VPN on the product, I shouldn't have any problem getting 100% on many of the topics.

But, always look on the bright side of life :-)

The plan is to show up once more in 2 weeks. In the meantime I'll go through the material one more time, and I'll blog my notes for each topic.

That will definitely be my last Checkpoint exam. I don't think it is worth spending time, money and nerves on an exam of such poor quality.

Monday, January 18, 2010

Checkpoint CCSE, 1 week before exam day

I've been through most of the material so far, except SSL Network Extender and Clientless VPN. I'll do those tonight, and I'll book my exam either for Friday this week or Monday next week.

A few notes so far: I advise you to go through the material in the following order:

1. Upgrade Chapters

2. High Availability and Cluster XL

3. VPN theory chapters

4. Site to Site VPN chapters

5. Remote Access VPN chapters

The reason is that the VPN chapters contain a lot of ClusterXL-related material, and I had to go back and forth between them all the time, so I decided to go through ClusterXL before the VPNs.

Note that Load Sharing mode will not work with the 15-day licence. You need to licence your virtual machines before doing those labs. There is a 30-day evaluation version on the CD that comes with the book.

You can find details of the materials used here.

Wednesday, January 13, 2010

Checkpoint CCSE Progress

I've decided to prepare for this exam, as I don't have experience with Remote Access and ClusterXL. Those 2 topics will take most of my practice time with the virtual machines.

I got a soft copy of Check Point Security Administration II NGX 1.1 from a colleague who was on the course in 2007, and I'll use that book for the labs.

For the theoretical part I've decided to use the Checkpoint official guides, as that will be easier in the future. I'll review the theoretical part in the official course book as well.

I expect to sit the exam in 2-3 weeks.

You can find more details here

Friday, January 8, 2010

Checkpoint CCSA passed with 81%

Yesterday I passed the exam with 81%. The score isn't that good because I got 33% on the LDAP questions (I was too lazy to install AD on my Windows 2003 machine, and there were 7-8 LDAP questions). The rest of the topics went fine, some of them above 70% and most of them above 80%. I finished 5 topics with 100%.

A few questions on the exam were rather strange, and I wasn't able to understand them even after reading them 5 times. One question was multiple choice (5 options), and one of the offered answers was "1, 3 and 3" :) I wrote a comment on that question, so I hope no one gets it again. There were 7-8 questions on general network security, not related to Checkpoint products at all.

Besides the sources listed in this post, I used the following:

- QOS Chapter from NGX II version 1.1 book

- SmartDefense white paper

- 2 very good blogs/sites: fir3net and netl33ts

Good Luck!

Wednesday, January 6, 2010

DHCP Snooping on Cisco Switches

DHCP is widely used and has security issues, as it was built a long time ago, before there was a need for network security. Cisco has implemented several enhancements in IOS to (partially) protect against and stop most DHCP attacks. Port Security, DHCP Snooping, IP Source Guard and Dynamic ARP Inspection are the ones mostly used these days.

DHCP Snooping is a security feature that protects network clients from receiving IP settings from rogue DHCP servers. Ports are classified into 2 types: trusted and untrusted. Ports connected to authorized DHCP servers (and uplinks towards them) have to be configured as trusted with ip dhcp snooping trust. All the rest should be left untrusted (the default). Trusted ports bypass DHCP Snooping validation. The feature is enabled per VLAN.

Enabling this feature creates the DHCP Snooping binding database, with support for up to 8192 entries. Each record holds the client's IP address, the client's MAC address, the DHCP lease time, the interface the client is connected to and the VLAN number (there is also a checksum for each entry and one checksum for the file).

On untrusted ports the switch compares the frame's source MAC address with the DHCP CHADDR (Client Hardware Address). If the two addresses match, the packet is forwarded; otherwise it is dropped. (This check is on by default, ip dhcp snooping verify mac-address, and is what produces the MATCH_MAC_FAIL log messages shown at the end of this post.)

The switch will drop the packet if:

  1. A packet originating from a DHCP server is received on an untrusted port
  2. The source MAC address is different from the CHADDR
  3. The switch receives a DHCPRELEASE or DHCPDECLINE on an interface for a MAC address that is in the DHCP Snooping binding database, but the interface in the binding doesn't match the one the message arrived on
  4. A DHCP relay agent forwards a packet that includes option-82 information to an untrusted port (I'll cover this situation in another post, as I've run into it in practice recently)
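Those four rules, plus the giaddr check that appears in the show ip dhcp snooping output below, are easy to express as code. This is an added example, not Cisco's implementation and not code from the original post: it builds minimal DHCP messages, parses the BOOTP header and options, and returns the decision the switch would make for a frame received on a given port. The MAC addresses are the ones from the MATCH_MAC_FAIL log lines and the binding table later in the post; the port names, the trusted set and the binding table are constructed, and the IP/UDP encapsulation is omitted (the function takes the Ethernet source MAC directly).

```python
import re
import struct

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op .. file, 236 bytes (RFC 2131 figure 1)


def mac_bytes(s: str) -> bytes:
    """Accept '001c.2597.802a', '00:1C:25:97:80:2A' or '00-1c-25-97-80-2a'."""
    return bytes.fromhex(re.sub(r"[.:-]", "", s))


def build_dhcp(msg_type, chaddr, xid=0x3903F326, giaddr=b"\x00" * 4, yiaddr=b"\x00" * 4, extra_opts=b""):
    """Minimal BOOTP/DHCP payload: fixed header, magic cookie, option 53, extra options, end."""
    op = BOOTREPLY if msg_type in (OFFER, ACK, NAK) else BOOTREQUEST
    header = struct.pack(BOOTP_HDR, op, 1, 6, 0, xid, 0, 0x8000,
                         b"\x00" * 4, yiaddr, b"\x00" * 4, giaddr, chaddr.ljust(16, b"\x00"), b"", b"")
    return header + MAGIC + bytes([53, 1, msg_type]) + extra_opts + b"\xff"


def parse_dhcp(payload: bytes) -> dict:
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_HDR, payload[:236])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen], "giaddr": giaddr,
            "yiaddr": yiaddr, "type": opts.get(53, b"\x00")[0], "options": opts}


def snooping_verdict(src_mac: bytes, port: str, payload: bytes, trusted: set, bindings: dict) -> str:
    """Decision for one DHCP frame received on `port`, applying the rules from the text.
    `bindings` is the binding database's view: client MAC -> interface it was learned on."""
    msg = parse_dhcp(payload)
    if port in trusted:
        return "forward (trusted port, no validation)"
    if msg["op"] == BOOTREPLY:
        return "drop: server message on untrusted port"
    if msg["chaddr"] != src_mac:
        return "drop: chaddr does not match source MAC"
    if msg["giaddr"] != b"\x00" * 4:
        return "drop: nonzero giaddr on untrusted port"
    if 82 in msg["options"]:
        return "drop: option 82 on untrusted port"
    if msg["type"] in (RELEASE, DECLINE) and bindings.get(src_mac) not in (None, port):
        return "drop: release/decline for a binding learned on another interface"
    return "forward"


# Constructed switch state: one trusted uplink towards the real DHCP server, and one binding
# taken from the binding table shown further down this post.
TRUSTED = {"GigabitEthernet1/0/1"}
BINDINGS = {mac_bytes("00:1C:23:4F:F3:DD"): "FastEthernet1/0/10"}

# MACs from the MATCH_MAC_FAIL log lines later in the post: the frame's source MAC is
# 001c.2597.802a while the DISCOVER inside claims to be 0021.6a31.a2ec.
PC_MAC = mac_bytes("001c.2597.802a")
SPOOFED_CHADDR = mac_bytes("0021.6a31.a2ec")
```

The RELEASE rule is the one that matters for the binding table above: without it, any host on the VLAN could send a DHCPRELEASE with a neighbour's MAC in chaddr and have the server free that address.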

Example of DHCP Snooping configuration:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 101-102,104,301,1000

Show commands:

show ip dhcp snooping

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
101-102,104,301,1000
DHCP snooping is operational on following VLANs:
101-102,104,301,1000
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

show ip dhcp snooping binding

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:21:70:15:EA:8D   10.216.20.55     244958      dhcp-snooping   101   FastEthernet3/0/22
00:1C:23:4F:F3:DD   10.216.20.43     244166      dhcp-snooping   101   FastEthernet1/0/10
00:1C:23:4F:F3:10   10.216.20.37     246563      dhcp-snooping   101   FastEthernet4/0/16
00:1C:25:97:57:63   10.216.20.42     258392      dhcp-snooping   101   FastEthernet4/0/23
00:1C:23:4F:E6:E1   10.216.20.30     240567      dhcp-snooping   101   FastEthernet3/0/18
00:21:70:15:E9:14   10.216.20.26     152945      dhcp-snooping   101   FastEthernet3/0/2
00:1C:23:5A:F7:93   10.216.20.34     160704      dhcp-snooping   101   FastEthernet2/0/9
00:1C:23:4F:F6:4B   10.216.20.45     245043      dhcp-snooping   101   FastEthernet1/0/14
00:1C:23:4F:F4:24   10.216.20.48     97990       dhcp-snooping   101   FastEthernet3/0/12
00:1C:23:4F:F6:BF   10.216.20.36     244629      dhcp-snooping   101   FastEthernet1/0/21
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:24:E8:BC:FF:6E   10.216.20.54     252080      dhcp-snooping   101   FastEthernet2/0/12
00:22:68:13:55:A8   10.216.20.47     253335      dhcp-snooping   101   FastEthernet4/0/23
00:21:70:15:FC:F2   10.216.20.31     252408      dhcp-snooping   101   FastEthernet2/0/19
00:1E:C9:70:D4:F2   10.216.20.82     201709      dhcp-snooping   101   FastEthernet3/0/16
00:0F:1F:EA:23:04   10.216.20.69     226910      dhcp-snooping   101   FastEthernet4/0/14
00:21:70:15:F8:06   10.216.20.32     243896      dhcp-snooping   101   FastEthernet3/0/1
00:21:70:15:EA:0E   10.216.20.57     158323      dhcp-snooping   101   FastEthernet3/0/10
00:21:70:15:EB:78   10.216.20.41     248641      dhcp-snooping   101   FastEthernet2/0/21
00:21:70:16:00:9D   10.216.20.38     159319      dhcp-snooping   101   FastEthernet2/0/11
00:21:70:15:EB:15   10.216.20.59     247514      dhcp-snooping   101   FastEthernet2/0/18
00:1A:6B:D4:53:C5   10.216.20.52     248756      dhcp-snooping   101   FastEthernet4/0/23
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1C:25:97:81:55   10.216.20.51     255468      dhcp-snooping   101   FastEthernet4/0/20
00:22:68:13:28:40   10.216.20.40     255690      dhcp-snooping   101   FastEthernet4/0/23
00:21:70:15:FC:C9   10.216.20.33     242025      dhcp-snooping   101   FastEthernet4/0/17
00:21:70:15:FF:E1   10.216.20.46     250732      dhcp-snooping   101   FastEthernet1/0/18
00:1C:23:5A:F7:EE   10.216.20.27     241494      dhcp-snooping   101   FastEthernet2/0/10
00:24:E8:D5:CF:9E   10.216.20.60     244181      dhcp-snooping   101   FastEthernet3/0/15
00:21:70:AF:C0:BF   10.216.20.53     243784      dhcp-snooping   101   FastEthernet4/0/19
00:21:70:B0:48:68   10.216.20.49     246445      dhcp-snooping   101   FastEthernet5/0/20
00:1C:23:4F:86:F4   10.216.20.44     242733      dhcp-snooping   101   FastEthernet1/0/15
00:1C:23:4F:F4:DB   10.216.20.35     239051      dhcp-snooping   101   FastEthernet2/0/2
00:21:70:15:FB:FF   10.216.20.87     243821      dhcp-snooping   101   FastEthernet3/0/6

show ip dhcp snooping statistics detail

Switch#show ip dhcp snooping statistics detail
Packets Processed by DHCP Snooping                    = 1823
Packets Dropped Because
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 0
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 680
   Binding mismatch                                    = 0
   Insertion of opt82 fail                             = 0
   Interface Down                                      = 0
   Unknown output interface                            = 0
   Reply output port equal to input port               = 0
   Packet denied by platform                           = 0

And the log messages when some PCs try to use a MAC address different from their hardware address:

Jan  6 09:55:47.405 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan  6 09:57:42.085 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
Jan  6 10:01:29.406 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan  6 10:03:33.086 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763

Tuesday, January 5, 2010

Upgrade of libsw package on Provider-1

Recently we purchased new UTM-1 Edge firewalls and shipped some of them to a site far away in Northern Norway (without testing them in the lab first, of course ;-) ). To our surprise they came up with firmware version 8; all our other firewalls had version 7.5, and our SmartCenter only supported 7.5. After installing the policy on the Edge device, this message came up in the Edge firewall's log: "Wrong update version in policy (got policy 655 instead of 700)". Checkpoint has published sk31448 for this problem.

P.S. Make sure you back up your old libsw files before upgrading to the new version.

Friday, January 1, 2010

Checkpoint CCSA instead of CCIE Written

Just decided to do CCSA before CCIE Written.

I have more than 4 years of experience with Checkpoint products, but I've never sat down to read about some of their products that I haven't used. I've done a few firewall installations, and I've created approximately 50 site-to-site tunnels using Edge or 3rd-party devices.

This decision came up because most probably I'll get the task of upgrading our client's complete Checkpoint infrastructure from R62 to R65/R70, and I decided to work towards it. After approximately 1 month of work at 2-3 hours per day, I'm 1-2 weeks away from the exam date.

If you decide to do that I encourage you to use the following:

1. Install SmartCenter and a firewall on SPLAT, plus a test Windows (AD server) host and/or a BackTrack test host, and do your own labs at home

2. I used this R65 book

3. CCSA CBT Nuggets

4. CPUG Group Forums

I'll update you with my exam experience once I've taken it.