SG300-28 SSH incoming packet was garbled on decryption

I use PuTTY to SSH into Cisco switches regularly. Today I ran into the message 'incoming packet was garbled on decryption'. I logged into the switch via HTTP and saw the uptime was 115 days. After seeing I could PuTTY into the SG-300-28P right above it, I just rebooted the bottom switch, and then PuTTY instantly connected via SSH and everything was fine. The connection settings were stored in a profile so the settings were fine. I was just wondering if anyone else has ever seen this. I am fine rebooting every 115 days if it happens again. FW is 1.2.7.76. On a similar note, the Save icon quit blinking on the 28P right around the 115 day uptime mark. A reboot resumed the icon blinking. Not a huge issue, but when I see that I wonder what else the switch might be doing that I don't know about.
Another question is this: Is the SLM2024PT-NA the same as a SG200-26? I'm putting one in Thursday and it will be my first of the 'smart' switch line. I ask because if I search for SLM2024 on Cisco's website I see another switch that was apparently made before the SG line came out, but it doesn't have the -NA suffix in its model.

Hello Mr. Hackbarth,
There is a known problem when OpenSSH has been built against an incorrect version of OpenSSL; that causes this error message. The quick workaround is to configure PuTTY to use SSH protocol 2 and the Blowfish cipher.
Go to Connection -> SSH -> Protocol options. Set “Preferred SSH protocol version:” to SSH version 2.
Go to Connection -> SSH -> Encryption options. Promote Blowfish to the top of the list of “Encryption cipher selection policy:”
I hope this information helps you.
Diego Rodriguez
Cisco network engineer
Thank you
*If this answer was satisfactory for you, please mark the question as Answered.*
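The cipher that protects an SSH-2 session is agreed in the SSH_MSG_KEXINIT exchange at the start of every connection, and "promoting" a cipher in PuTTY only reorders the client's offer. The Python below is an added example (not code from this thread, from Cisco or from PuTTY) that parses and builds KEXINIT payloads as laid out in RFC 4253 section 7.1 and applies its negotiation rule: the first algorithm on the client's list that the server also lists wins. The algorithm lists are constructed samples, not captured from an SG300.

```python
import struct

SSH_MSG_KEXINIT = 20

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_NAMELISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)
ENC_C2S = "encryption_algorithms_client_to_server"


def _read_namelist(buf, off):
    """Read one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    body = buf[off + 4:off + 4 + n]
    if len(body) != n:
        raise ValueError("truncated name-list body at offset %d" % off)
    names = [s for s in body.decode("ascii").split(",") if s]
    return names, off + 4 + n


def parse_kexinit(payload):
    """Decode a KEXINIT payload (the packet payload after length and padding are removed)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    fields = {"cookie": payload[1:17]}
    off = 17  # message byte + 16-byte random cookie
    for name in KEXINIT_NAMELISTS:
        fields[name], off = _read_namelist(payload, off)
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = payload[off] != 0
    (fields["reserved"],) = struct.unpack_from(">I", payload, off + 1)
    return fields


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from a dict of name-lists (used here to construct samples)."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_NAMELISTS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    out += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = FALSE, reserved = 0
    return bytes(out)


def negotiate(client, server, field):
    """RFC 4253 rule: the first entry on the client's list that the server also lists wins."""
    for alg in client[field]:
        if alg in server[field]:
            return alg
    return None  # no common algorithm: key exchange fails before any session data flows


def promote(lists, field, alg):
    """Copy of the client lists with `alg` moved to the front of `field`, which is what
    dragging a cipher to the top of PuTTY's encryption policy list does."""
    new = dict(lists)
    new[field] = [alg] + [a for a in lists[field] if a != alg]
    return new


# Constructed sample offers (not captured from a real switch or client).
_CLIENT_CIPHERS = ["aes256-ctr", "aes128-ctr", "aes256-cbc", "aes128-cbc", "blowfish-cbc", "3des-cbc"]
_SERVER_CIPHERS = ["aes128-cbc", "3des-cbc", "blowfish-cbc"]
CLIENT_LISTS = {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    ENC_C2S: _CLIENT_CIPHERS,
    "encryption_algorithms_server_to_client": _CLIENT_CIPHERS,
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
SERVER_LISTS = {
    "kex_algorithms": ["diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    ENC_C2S: _SERVER_CIPHERS,
    "encryption_algorithms_server_to_client": _SERVER_CIPHERS,
    "mac_algorithms_client_to_server": ["hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha1"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}


def negotiated_cipher(client_lists, server_lists, field=ENC_C2S):
    """Round-trip both offers through the wire format, then apply the negotiation rule."""
    client = parse_kexinit(build_kexinit(client_lists, cookie=b"\x11" * 16))
    server = parse_kexinit(build_kexinit(server_lists, cookie=b"\x22" * 16))
    return negotiate(client, server, field)


if __name__ == "__main__":
    print("default client order ->", negotiated_cipher(CLIENT_LISTS, SERVER_LISTS))
    print("blowfish promoted    ->", negotiated_cipher(promote(CLIENT_LISTS, ENC_C2S, "blowfish-cbc"), SERVER_LISTS))
```

With the sample offers the default client order selects aes128-cbc, and promoting blowfish-cbc makes it the chosen cipher, which is the only thing the PuTTY setting in the answer changes. PuTTY reports a packet as garbled on decryption when the decrypted packet header is implausible, which is what a mis-implemented or mismatched cipher on either side produces, so changing the negotiated cipher is a diagnostic step rather than a fix for the switch. Blowfish is a 64-bit block cipher; where the device offers an AES-CTR mode, that is the cipher to leave at the top of the list once the problem is understood.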

Similar Messages

  • SG300 inter-VLAN routing and MAC address changes in incoming packets

    Hello
    I have SG300-20 working in Layer3 mode
    VLAN1 is not used
    Internet gateway is in VLAN211
    Clients are in other VLANs
    Switch is default gateway for clients and itself has internet gateway as default route.
    MAC address of switch is XX:XX:XX:XX:XX:63
    When client sends traffic to Internet destination MAC address in outgoing packets is XX:XX:XX:XX:XX:63
    But in incoming packets source MAC address is XX:XX:XX:XX:XX:69
    Why does it change? And how can I setup switch to use only XX:XX:XX:XX:XX:63 MAC address?

    Hi Robert,
    I'd like to pick up this old thread because we have a huge problem with the behavior of the SG300 router/switch regarding the "spoofed" MAC source addresses. We have connected this switch to another router which has some special routing capabilities. It routes certain IP packets directly to MAC addresses which it learned from snooping on special traffic.
    When connected to a SG300 router with an Ethernet base address of XX:XX:XX:XX:XX:48 we receive packets with Ethernet source addresses like e.g. XX:XX:XX:XX:XX:49 or XX:XX:XX:XX:XX:4D (depending on which hardware port they came from). Our special router "learns" these MAC addresses and tries to send associated outgoing packets directly to these addresses using e.g. XX:XX:XX:XX:XX:49 as the MAC destination address.
    Our problem is that the SG300 does not forward the packet if the MAC destination address is not equal to the switch's Ethernet base address (XX:XX:XX:XX:XX:48 in our case). This renders the SG300 series useless for our systems.
    Is there new firmware available which fixes this problem for us? We don't care which MAC source address the SG300 uses in incoming packets we receive, but we expect that the SG300 handles packets correctly for outgoing packets we send with this MAC address as the destination address.
    Thanks,
    Chris

  • Java Library to drop the incoming packet flow

    hi there,
    I'm planning to make an application layer filter. I need to drop the flow of incoming packets. So can anyone suggest me any Java library which is able to do this?
    Or else, if I have to create my own library, then how can I proceed with that?

    Thanks Oscar for your reply...
    Actually I want to drop the incoming packets which are coming from a restricted URL, meaning that anyhow I want to restrict the user from seeing the particular webpage.
    So if I can't have this low-level API in Java, then can you suggest to me how to implement it in another way?
    I have to make this project in JAVA only.
    I have got one API named "libipq" (source: snort.org) which can drop the packet flow. But this API is for the Linux OS and I want to implement on Windows... please help

  • BreakNetException: Break packet was received?

    Hi there!
    I have been dealing with this exception while performing an executeBatch() on an Oracle DB table:
    Exception Details
    Type: BreakNetException: Break packet was received
    Exception Class: oracle.net.ns.BreakNetException
    Message: Break packet was received
    API: Exception
    Exception StackTrace
    Method Class Line File Name
    getNextPacket oracle.net.ns.NetInputStream 246 <unknown>
    read oracle.net.ns.NetInputStream 175 <unknown>
    read oracle.net.ns.NetInputStream 100 <unknown>
    read oracle.net.ns.NetInputStream 85 <unknown>
    readNextPacket oracle.jdbc.driver.T4CSocketInputStreamWrapper 122 <unknown>
    read oracle.jdbc.driver.T4CSocketInputStreamWrapper 78 <unknown>
    unmarshalUB1 oracle.jdbc.driver.T4CMAREngine 1179 <unknown>
    unmarshalSB1 oracle.jdbc.driver.T4CMAREngine 1155 <unknown>
    receive oracle.jdbc.driver.T4CTTIfun 279 <unknown>
    doRPC oracle.jdbc.driver.T4CTTIfun 186 <unknown>
    doOALL oracle.jdbc.driver.T4C8Oall 521 <unknown>
    doOall8 oracle.jdbc.driver.T4CCallableStatement 202 <unknown>
    executeForRows oracle.jdbc.driver.T4CCallableStatement 1005 <unknown>
    executeForRowsWithTimeout oracle.jdbc.driver.OraclePreparedStatement 9870 <unknown>
    executeBatch oracle.jdbc.driver.OraclePreparedStatement 10014 <unknown>
    executeBatch oracle.jdbc.driver.OracleStatementWrapper 213 <unknown>
    pmiExecuteBatch com.ibm.ws.rsadapter.jdbc.WSJdbcPreparedStatement 1037 <unknown>
    executeBatch com.ibm.ws.rsadapter.jdbc.WSJdbcStatement 843 <unknown>
    executeBatch com.xxx.commons.persistence.jdbc.XXXCallableStatement 187 <unknown>
    persistCustRecommendations com.XXX.services.XXX.dao.CustomerRecommendationDAO 96 <unknown>
    invoke sun.reflect.GeneratedMethodAccessor152 - <unknown>
    invoke sun.reflect.DelegatingMethodAccessorImpl 37 <unknown>
    invoke java.lang.reflect.Method 611 <unknown>
    invokeTargetOperation org.apache.axis2.jaxws.server.dispatcher.JavaDispatcher 120 <unknown>
    invoke org.apache.axis2.jaxws.server.dispatcher.JavaBeanDispatcher 118 <unknown>
    invoke org.apache.axis2.jaxws.server.EndpointController 111 <unknown>
    receive org.apache.axis2.jaxws.server.JAXWSMessageReceiver 161 <unknown>
    receive org.apache.axis2.engine.AxisEngine 212 <unknown>
    processHTTPPostRequest org.apache.axis2.transport.http.HTTPTransportUtils 172 <unknown>
    doPost com.ibm.ws.websvcs.transport.http.WASAxis2Servlet 1606 <unknown>
    service javax.servlet.http.HttpServlet 595 <unknown>
    service javax.servlet.http.HttpServlet 668 <unknown>
    service com.ibm.ws.webcontainer.servlet.ServletWrapper 1230 <unknown>
    handleRequest com.ibm.ws.webcontainer.servlet.ServletWrapper 779 <unknown>
    handleRequest com.ibm.ws.webcontainer.servlet.ServletWrapper 478 <unknown>
    handleRequest com.ibm.ws.webcontainer.servlet.ServletWrapperImpl 178 <unknown>
    This is the code that throws the exception:
    boolean retVal = false;
    Connection myConnection = null;
    String myOracleEnv = null;
    CallableStatement csCustSavedRecm = null;
    try {
      int seq = 0;
      for (ProductRecommendationSummary customerRecommendation : customerRecommendationsList) {
        customerRecommendation.setDisplaySequenceNbr(++seq);
        csCustSavedRecm.setString(1, customerId);
        csCustSavedRecm.addBatch();
      }
      csCustSavedRecm.executeBatch(); // <-- Exception thrown here
      retVal = true;
    } // end try
    catch (BatchUpdateException batchUpdateException) {
    } // end catch
    catch (Exception exp) {
    } // end catch
    finally {
    } // end finally
    This exception isn't always being thrown, I could say it happens in just 5% of all the requests made to this command.
    I have been looking for information about the exception but can't find anything.
    I would really appreciate any help on this!
    Thanks!
    ps. I'm using ojdbc6.jar

    Hi:
      It seems to be a network problem or Net service problem, because it is a low-level exception related to the network packet size or timeout.
      Please take a quick look at this post:
    Marcelo Ochoa's personal blog: An efficient way to do massive inserts with Oracle JDBC
    especially the link to the parameter SDU http://docs.oracle.com/database/121/NETAG/glossary.htm#BGBBHCJF and here an explanation http://docs.oracle.com/database/121/NETAG/intro.htm#CHDFDBAA ; a larger value will be better for batch processing.
    Best regards, Marcelo.

  • Can  I  divert incoming  packets to another port?

    Hello ,
    I'm new to this environment of getting info. from forums.
    I'm currently doing a network project in Java. I'm forced to solve this problem & clear this doubt:
    Suppose some packets are coming into my system directed onto a particular port, say 345. Now, instead of these packets going to port 345, I need to first divert the incoming packet to a port I want, say 987, which checks these packets, performs validation & if valid, redirects it to actual port 345. If the packet fails the check, it must be dropped. This is one module in my project.
    I'm doing the project in Java,
    so please help me with the Java code for
    FIRST DIVERTING ANY INCOMING PACKET-DIRECTED TO ANY PORT ONTO A PORT THAT I WANT TO FUNCTION AS A CHECK POINT.
    I'LL BE VERY THANKFUL TO EVERYONE WHO HELPS ME.
    RAVI KISHORE.

    Somehow, I doubt you can do that.
    It's far more likely to either
    1) Have your app listen to a separate port number, then
    filter the packets as required, then forward to your final
    destination port or...
    2) Let your app take over the port in question, and change the original
    port listener's port number to something else.
    By the way, port numbers below 1024 are reserved / "well known ports".
    Choose something above 1024 for your own app.
    regards,
    Owen

  • Not getting incoming email was working yesterday

    On my MacBook Pro I can't get mail or send mail. I am using the Mail program. Was working fine yesterday...

    Troubleshooting Wi-Fi issues in OS X
    Wireless Connection Problems - Fix
    Wireless Connection Problems - Fix (2)
    Wireless Connection Problems - Fix (3)
    Wireless Connection Problems - Fix (4)

  • SG300 ssh strange error: "A client is already connected"

    Hi,
    I've  got a few SG300-52 switches running software version  1.3.0.62 which I configured for ssh management access with public key  authentication via:
    ip ssh server
    ip ssh pubkey-auth auto-login
    username mgmt password ... privilege 15
    crypto key pubkey-chain ssh
    user-key mgmt rsa
    key-string ...
    This is working fine if I connect interactively from my management system with:
    ssh -i mgmt_id_rsa mgmt@switch
    where mgmt_id_rsa is the name of a file containing the private key.
    I get a privileged command prompt as intended, without being asked for a password.
    However if I try to pass a command on the ssh command line like this:
    ssh -i mgmt_id_rsa mgmt@switch show version
    the command just hangs until I hit the Enter key a second time, and then emits the strange message:
    Received disconnect from 10.11.12.13: 2:
    A client is already connected
    (Exactly like that, including the line break after the "2:" and the blank before "A client".) The same happens if I pipe the command I want to send into ssh like this:
    echo show version | ssh -i mgmt_id_rsa mgmt@switch
    except the error message appears immediately and I don't have to hit Enter a second time.
    This is unfortunate as the objective of the whole exercise is to send commands to the switch from a script.
    Can anyone shed some light on why this is so? What is that strange message "a client is already connected" trying to tell me? Is that another bug in Cisco's ssh implementation? Ideas for a workaround, anyone?
    Thanks,
    Tilman
    PS: I already asked that question over in the "big business" support community before noticing there's a separate small business section, but got no answer there.
    PPS: The real objective of the exercise is to make scripted backups and updates of the switches' configurations, i.e. what would be naturally expressed as
    scp -i mgmt_id_rsa mgmt@switch:running-config /var/backup/switch.config
    and
    scp -i mgmt_id_rsa /var/conf/switch.configchange mgmt@switch:running-config
    except it doesn't work that way because the SG300's ssh server lacks scp support. Trying to replace that by
    ssh -i mgmt_id_rsa mgmt@switch copy running-config scp://server/var/backup/switch.config
    and
    ssh -i mgmt_id_rsa mgmt@switch copy scp://server/var/conf/switch.configchange running-config
    led me straight to the problem above. Just in case someone feels inclined to ask the standard forum question: "Why do you want that anyway?" :-)

    Hi all,
    I've improved my expect script a bit to:
    allow specifying the SSH user and keyfile on the command line
    allow sending configuration mode commands
    correctly handle very long commands (line wrap) and commands producing no output
    Extended usage:
    ciscosb-exec confuser@myswitch -i ~/.ssh/confuser_id_rsa -c "ip ssh-client username memyself"
    ciscosb-exec confuser@myswitch -i ~/.ssh/confuser_id_rsa "copy scp://myserver/workdir/myswitch.configchange running-config"
    The "new and improved" script:
    #!/usr/bin/expect
    # Script to run an IOS command on a Cisco Small Business Switch via ssh
    # Prerequisites:
    # - Cisco Sx300 series switch with software version 1.3 or later
    # - public key authentication with auto-logon configured
    # Usage:
    #   ciscosb-exec [] [@]
    # Args:
    #         username on switch
    #         name or IP address of switch
    #      command string to execute
    # Options:
    #   -c          execute in configuration mode
    #   -i use SSH private key from
    #   -d          activate debugging output
    # Result:
    #   Switch response will appear on stdout
    # debug switches
    log_user 0
    exp_internal 0
    # configurable values
    set sshcmd "/usr/bin/ssh -c aes192-cbc"
    # end of configurable values
    # below matches prompts such as "switch#", "switch>", "switch$"
    set prompt "\[>#$\]\ *$"
    # getopt implementation snarfed from http://www2.tcl.tk/17342
    proc getopt {_argv name {_var ""} {default ""}} {
        upvar 1 $_argv argv $_var var
        set pos [lsearch -regexp $argv ^$name]
        if {$pos>=0} {
            set to $pos
            if {$_var ne ""} {
                set var [lindex $argv [incr to]]
            }
            set argv [lreplace $argv $pos $to]
            return 1
        } else {
            if {[llength [info level 0]] == 5} {set var $default}
            return 0
        }
    }
    # parse command line
    set configmode [getopt argv -c]
    getopt argv -i idfile
    if {[getopt argv -d]} {
      log_user 1
      exp_internal 1
    }
    if {[llength $argv] != 2} {
      send_user "Usage: ciscosb-exec \[\] \[@\] \"\"\n"
      send_user "Arguments:\n"
      send_user "        target username (default: current user)\n"
      send_user "          target host name or IP address\n"
      send_user "         command string to execute\n"
      send_user "Options:\n"
      send_user "    -c            execute in configuration mode\n"
      send_user "    -i    use SSH private key from \n"
      send_user "    -d            activate debugging output\n"
      exit 1
    }
    set target [split [lindex $argv 0] @]
    if {[llength $target] == 1} {
      set device [lindex $target 0]
      set userid "$env(USER)"
    } elseif {[llength $target] == 2} {
      set userid [lindex $target 0]
      set device [lindex $target 1]
    } else {
      send_user "bad target: [lindex $argv 0]\n"
      exit 1
    }
    set command [lindex $argv 1]
    if {[info exists idfile]} {
      set sshcmd "$sshcmd -i $idfile"
    }
    eval "spawn $sshcmd -l $userid $device"
    match_max [expr 32 * 1024]
    # handle initial noise
    set timeout 20
    while { 1 } {
      expect {
        # command prompt
        -nocase -re "$prompt"     {break}
        # confirmations (unknown fingerprint etc.)
        -nocase -re "\\(yes/no\\)"  {send "yes\r"}
        # username prompt
        -nocase -re "name:|^login:" {send "$userid\r"}
        # password prompt
        -nocase -re "word:" {send_user "Public key authentication failed\n"; exit}
        # errors
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connect failed: $expect_out(buffer)\n"; exit}
      }
    }
    # disable terminal formatting junk
    send "terminal datadump\r"
    expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }
    send "terminal width 0\r"
    expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }
    # switch to desired mode
    if {$configmode} {
      send "configure terminal\r"
      expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
      }
    }
    # actual command may take a long time
    set timeout 180
    send "$command\r"
    expect {
        # skip command echo
        -re "$command\[\r\n\]*"   {exp_continue}
        # answer confirmation request
        -nocase -re " \\(Y/N\\).*\? *$" {
            # send confirmation, skip echo
            send "Y"
            expect -re "Y\[\r\n\]*"
            exp_continue
        }
        # collect response, excluding next prompt
        -re "\r\n"                {send_user "$expect_out(buffer)"; exp_continue}
        -nocase -re "$prompt"     {send "exit\r"}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }
    set timeout 20
    expect {
        # second exit needed for logging out from configuration mode
        -nocase -re "$prompt"     {send "exit\r"}
        timeout     {send_user "Timeout waiting for hangup\n"; exit}
        eof         {exit}
    }
    expect {
        -nocase -re "$prompt"     {puts "Failed to log out, disconnecting"; exit}
        timeout                   {puts "Timeout waiting for hangup"; exit}
        eof                       {exit}
    }
    HTH
    Tilman

  • Why did Apple change the incoming caller photo ID to a small picture in a small circle instead of the large full screen picture when calls are received? This is useless. If it isn't changed back to the way it was I am done with the iPhone. Hello Galaxy

    This will be my last iPhone if this minor software issue is not cleared up. I hate the new caller ID incoming picture. Too small

    We are all users like yourself. No one here is an employee or representative of Apple. We cannot know why the photo of the incoming caller was changed. We can only say that it is what it is. If that feature change is enough to make you want to change phones then get the phone that best suits your needs. In the meantime you can send feedback to Apple here:
    http://www.apple.com/feedback/iphone.html

  • Default class map is dropping all Packets

    Hello, I have a Cisco 871 router that used to have access-list based security. Now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused, especially with the default class part. Any help is greatly appreciated!!!!
    The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QoS once I get it working.
    Guest VLAN has access to 2 IPs in Data for printing.
    Cisco871#sh run
    Building configuration...
    Current configuration : 8005 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    hostname Cisco871
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock summer-time PST recurring
    crypto pki trustpoint TP-self-signed-4004039535
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4004039535
    revocation-check none
    rsakeypair TP-self-signed-4004039535
    crypto pki certificate chain TP-self-signed-4004039535
    certificate self-signed 01
      3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
      32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
      33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
      B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
      147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
      41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
      F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
      551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
      03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
      0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
      092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
      D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
      8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
      E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
      3543BD68 A4B2692D 05CBF6DC C93C8142
                quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.5
    ip dhcp excluded-address 172.16.15.1 172.16.15.5
    ip dhcp excluded-address 172.16.15.14
    ip dhcp excluded-address 172.16.17.1 172.16.17.5
    ip dhcp excluded-address 192.168.19.1 192.168.19.5
    ip dhcp pool MyNetNative
       import all
       network 10.0.0.0 255.255.255.248
       default-router 10.0.0.1
       domain-name MyNetNet.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       lease 0 2
    ip dhcp pool MyNetData
       import all
       network 172.16.15.0 255.255.255.240
       dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       default-router 172.16.15.1
       domain-name MyDomain.org
    ip dhcp pool MyNetVoice
       import all
       network 172.16.17.0 255.255.255.240
       dns-server 172.16.15.14
       default-router 172.16.17.1
       domain-name MyDomain.org
    ip dhcp pool MyNetGuest
       import all
       network 192.168.19.0 255.255.255.240
       default-router 192.168.19.1
       domain-name MyNetGuest.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
    ip domain name MyDomain.org
    ip name-server 172.16.15.14
    ip name-server 4.2.2.4
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect TCP_PARAM
    parameter-map type inspect global
    username MyAdmin privilege 15 secret 5 MyPassword
    archive
    log config
      hidekeys
    class-map type inspect match-all MyNetGuest-access-list
    match access-group 110
    class-map type inspect match-any Base-protocols
    match protocol http
    match protocol https
    match protocol ftp
    match protocol ssh
    match protocol dns
    match protocol ntp
    match protocol ica
    match protocol pptp
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all MyNetGuest-Class
    match class-map MyNetGuest-access-list
    match class-map Base-protocols
    class-map type inspect match-all MyNetNet-access-list
    match access-group 100
    class-map type inspect match-any Voice-protocols
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any Extended-protocols
    match protocol pop3
    match protocol pop3s
    match protocol imap
    match protocol imaps
    match protocol smtp
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    class type inspect MyNetGuest-access-list
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetGuest-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone
    class class-default
      pass
    zone security MyNetNet-zone
    zone security MyNetGuest-zone
    zone security MyNetWAN-zone
    zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
    service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    interface FastEthernet0
    description Cisco-2849-Switch
    switchport mode trunk
    speed 100
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    description SBS-Server
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    description WAN
    no ip address
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    zone-member security MyNetWAN-zone
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    description MyNetNative
    ip address 10.0.0.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    ip tcp adjust-mss 1452
    interface Vlan10
    description MyNetData
    ip address 172.16.15.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan20
    description MyNetVoice
    ip address 172.16.17.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan69
    description MyNetGuest
    ip address 192.168.19.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetGuest-zone
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    access-list 100 remark MyNetnet
    access-list 100 permit ip 10.0.0.0 0.0.0.7 any
    access-list 100 permit ip 172.16.15.0 0.0.0.31 any
    access-list 100 permit ip 172.16.17.0 0.0.0.15 any
    access-list 110 remark MyNetGuest
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
    access-list 110 permit ip 192.168.19.0 0.0.0.15 any
    control-plane
    banner login ^CC
    You know if you should be here or not.
             if not please leave
    NOW
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 172.16.15.14
    webvpn cef
    end
    Cisco871#sh zone security
    zone self
      Description: System defined zone
    zone MyNetNet-zone
      Member Interfaces:
        Vlan1
        Vlan10
        Vlan20
    zone MyNetGuest-zone
      Member Interfaces:
        Vlan69
    zone MyNetWAN-zone
      Member Interfaces:
        FastEthernet4
    Cisco871#sh zone-pair security
    Zone-pair name MyNetNet->MyNetGuest
        Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
        service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
    Zone-pair name MyNetNet->MyNetWAN
        Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetWAN
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetNet
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
        service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
    Cisco871#sh int faste4
    FastEthernet4 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
      Description: WAN
      Internet address is 10.38.177.98/25
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:34:50, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 2000 bits/sec, 3 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         593096 packets input, 73090812 bytes
         Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         9940 packets output, 1016025 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Zone-pair: MyNetNet->MyNetWAN
      Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
        Class-map: MyNetNet-Class (match-all)
          Match: class-map match-all MyNetNet-access-list
            Match: access-group 100
          Match: class-map match-any Voice-protocols
            Match: protocol h323
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol skinny
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol sip
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Extended-protocols
            Match: protocol pop3
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pop3s
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imap
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imaps
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Base-protocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ssh
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol dns
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ntp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ica
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol icmp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol tcp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol udp
              0 packets, 0 bytes
              30 second rate 0 bps
          Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            5196 packets, 256211 bytes
    Cisco871#sh log
    Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
    No Active Message Discriminator.
    No Inactive Message Discriminator.
        Console logging: disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                         filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
        Trap logging: level informational, 1785 message lines logged
    Log Buffer (4096 bytes):
    001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
    001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
    001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
    001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

    Hello Charlie,
    I would recommend you to investigate a little bit more about how the ZBFW feature works.
    Now I am going to help you on this one at least, then I will give you a few links you could use to study.
    We are going to study traffic from MyNetNet-zone to the MyNetWAN-zone.
    First the zone-pair:
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    So let's go to the policy-map:
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    Finally to the class-map:
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    That keyword MATCH-ALL is the one causing the issues!!
    Why?
    Because you are telling the ZBFW to inspect traffic only if it matches all of those class-maps, so a packet would need to match the base protocols and the extended protocols, and as you know that is not possible (just one protocol).
    So here are the links:
    http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
    https://supportforums.cisco.com/thread/2138873
    http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
    You have some work to do.
    Please remember to rate all the helpful posts.
    Julio
    CCSP
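    The match-all problem Julio describes can be checked offline by modelling how nested class-maps evaluate. The following is an added example (not code from the thread or from Cisco): it rebuilds the class-map hierarchy shown in the post, runs the two flows from the log (DNS to 168.94.0.1:53 and HTTPS to 168.94.69.30:443) through it, and then through one possible fix where the protocol groups are OR-ed in an intermediate match-any class-map (the name Allowed-protocols is assumed) before being AND-ed with the access-list. Two simplifications are assumed: a packet is represented by the set of `match protocol` labels it satisfies (an HTTPS SYN satisfies both `https` and `tcp`), and since access-list 100 is not shown on the page its permit verdict is supplied as input.

```python
"""Toy model of Cisco IOS ZBFW class-map evaluation (added example).

Assumptions: a packet carries the set of 'match protocol' labels it would
satisfy and the set of access-list numbers that permit it; access-list 100
itself is not on the page, so its verdict is an input here.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class ClassMap:
    name: str
    mode: str                                                # "match-all" | "match-any"
    protocols: Set[str] = field(default_factory=set)         # match protocol <x>
    access_groups: Set[int] = field(default_factory=set)     # match access-group <n>
    sub_maps: List["ClassMap"] = field(default_factory=list)  # match class-map <y>


@dataclass
class Packet:
    protocols: Set[str]       # labels this packet satisfies, e.g. {"dns", "udp"}
    permitted_by: Set[int]    # ACL numbers whose evaluation is "permit"


def matches(cm: ClassMap, pkt: Packet) -> bool:
    """Each 'match' line is one criterion: match-all needs every criterion,
    match-any needs at least one. A nested class-map is a single criterion."""
    criteria = (
        [p in pkt.protocols for p in cm.protocols]
        + [acl in pkt.permitted_by for acl in cm.access_groups]
        + [matches(sub, pkt) for sub in cm.sub_maps]
    )
    if not criteria:
        return False
    return all(criteria) if cm.mode == "match-all" else any(criteria)


def classify(top: ClassMap, pkt: Packet) -> str:
    """Policy-map action: 'inspect' for MyNetNet-Class, else the class-default
    drop that the 'show policy-map' counters in the post are counting."""
    return "inspect" if matches(top, pkt) else "drop"


# The hierarchy exactly as shown in the post.
ACL_CLASS = ClassMap("MyNetNet-access-list", "match-all", access_groups={100})
VOICE = ClassMap("Voice-protocols", "match-any", protocols={"h323", "skinny", "sip"})
EXTENDED = ClassMap("Extended-protocols", "match-any",
                    protocols={"pop3", "pop3s", "imap", "imaps", "smtp"})
BASE = ClassMap("Base-protocols", "match-any",
                protocols={"http", "https", "ftp", "ssh", "dns", "ntp", "ica",
                           "pptp", "icmp", "tcp", "udp"})

# As configured: match-all over four class-maps a single packet cannot all satisfy.
BROKEN = ClassMap("MyNetNet-Class", "match-all",
                  sub_maps=[ACL_CLASS, VOICE, EXTENDED, BASE])

# One fix (Allowed-protocols is an assumed name). Equivalent IOS:
#   class-map type inspect match-any Allowed-protocols
#    match class-map Voice-protocols
#    match class-map Extended-protocols
#    match class-map Base-protocols
#   class-map type inspect match-all MyNetNet-Class
#    match class-map MyNetNet-access-list
#    match class-map Allowed-protocols
ALLOWED = ClassMap("Allowed-protocols", "match-any", sub_maps=[VOICE, EXTENDED, BASE])
FIXED = ClassMap("MyNetNet-Class", "match-all", sub_maps=[ACL_CLASS, ALLOWED])

# The two flows dropped in the post's log, assuming access-list 100 permits 172.16.15.6.
DNS_QUERY = Packet(protocols={"dns", "udp"}, permitted_by={100})
HTTPS_SYN = Packet(protocols={"https", "tcp"}, permitted_by={100})

if __name__ == "__main__":
    for label, top in (("as configured", BROKEN), ("fixed", FIXED)):
        for name, pkt in (("dns", DNS_QUERY), ("https", HTTPS_SYN)):
            print(f"{label:14} {name:6} -> {classify(top, pkt)}")
```

    One caveat the model makes visible: Base-protocols also lists plain tcp and udp, so once the hierarchy is fixed every TCP or UDP flow that access-list 100 permits is inspected, not only the named applications; the application-specific lines only narrow what gets through if tcp and udp are removed from that class-map.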

  • The FTP protocol: How does the AE manage inbound packets?

    I've noticed the following with respect to how the AE handles NAT port forwarding for the FTP protocol.
    1. Forwarding for the FTP service seems to only work if the WAN port is 21, e.g. mapping 21 -> 21 works, 2121 -> 21 does not work (packets seem to be dropped at the AE). However, no such restriction holds with other services such as ssh or openvpn.
    2. When ftp packets are received by the LAN server, they have the IP of the client stripped and arrive at the server with the WAN IP assigned to the AE, as indicated by the logs. Again, other services that we are forwarding to the server arrive with the correct client IP. So this is only an FTP thing.
    The AE seems to do some analysis of incoming packets and treat them differently. One question:
    Why does the Airport Extreme do this, and apparently only for FTP packets?

    I found a workaround by changing the port my FTP server listens to from 21 to 2121. I then set the AE to forward port 21 on the WAN side to 2121 on the LAN side. This allows the server to know what IP the client is connecting from.
    I'm still curious why the AE strips the client's IP when you forward to port 21 on the LAN side.

  • Load balancing effect on ssh/https connections

    We have an RV016 load balancing between two broadband WAN connections. On protocols that are sensitive to a change in IP address, such as ssh and https, if the client connection goes inactive for a short time (sometimes as short as 10 seconds), the RV016 often changes WAN connection as part of its "load balancing" feature. Most protocols do not even notice, but the more sensitive protocols do and often lock a session or time out the session, which is not a good thing.
    We have been able to bind these sensitive protocols to a particular WAN port but (in our minds) this is not an "ideal" situation. In fact I would consider this to be a broken "load balancing" solution and it should be fixed.
    Does anyone have any "permanent fixes" or ideas on this?
    Thanks!

    Sorry Tom, but I wrote (edited for clarity): "What would happen [..] when the particular WAN chosen goes down? Does the system apply the same binding to ***another WAN*** until the original one comes back up, will it ignore the binding and so break any new sessions of the same protocol or will it simply fail (no connection)?"
    I did not write "the other WAN". That is, I am considering the case, quite common, of more than two WANs.
    Proper load balancing is described here:
    http://help.mysonicwall.com/sw/eng/305/ui2/23100/Network/WAN_Failover_Load_Balancing.htm
    "About Source and Destination IP Address Binding
    When you establish a connection with a WAN, you can create multiple interfaces, dividing up the task load over these interfaces. There are both Primary and Secondary WAN interfaces. This task distribution model maintains high performance, ensuring that one interface does not become an impasse to the point where it blocks traffic from passing. This process is WAN Load Balancing.
    While WAN Load Balancing addresses performance challenges, it can create other problems, including losing track of sessions. Session confusion can occur because some applications fail to adequately track multiple user sessions load-balanced on multiple interfaces. These applications treat incoming packets as originating from different users because they use IP addresses to differentiate user sessions instead of application-layer user identification tags.
    To ensure that you have proper connectivity in all applications, SonicWALL provides a feature called Source and Destination IP Addresses Binding, a solution that maintains a consistent mapping of traffic flows with a single outbound WAN interface."
    and their appliances are no more expensive than Cisco multi WAN ones...
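    The difference between idle-timeout rebalancing (what the RV016 post describes) and source/destination binding (what the quoted SonicWALL text describes) comes down to when a flow's WAN assignment is allowed to change. The following is an added example, not code from either vendor: a small selector that implements both policies for (source IP, destination IP) pairs, with the WAN names and the hash-based spread being assumptions. It also takes one defensible answer to the failover question raised above: a bound pair moves only when its WAN goes down, is re-bound to another WAN that is still up, and stays there when the original WAN returns rather than flapping back.

```python
"""Flow-to-WAN selection with two policies (added example, assumed WAN names).

"rebalance": a pair idle for longer than idle_timeout is re-assigned round
            robin, which changes the public IP that SSH/HTTPS peers see.
"bind":      a pair keeps its WAN while that WAN is up; a WAN failure moves it
            to a WAN that is up, and it does not flap back afterwards.
"""
import hashlib
from typing import Dict, List, Tuple

Flow = Tuple[str, str]   # (source IP, destination IP)


class WanSelector:
    def __init__(self, wans: List[str], policy: str = "bind", idle_timeout: float = 10.0):
        if policy not in ("bind", "rebalance"):
            raise ValueError("policy must be 'bind' or 'rebalance'")
        self.wans = list(wans)
        self.up = set(wans)
        self.policy = policy
        self.idle_timeout = idle_timeout
        self.bindings: Dict[Flow, Tuple[str, float]] = {}   # flow -> (wan, last_seen)
        self._round_robin = 0

    def set_wan_state(self, wan: str, is_up: bool) -> None:
        if is_up:
            self.up.add(wan)
        else:
            self.up.discard(wan)

    def _candidates(self) -> List[str]:
        return [w for w in self.wans if w in self.up]

    def _pick_new(self, flow: Flow) -> str:
        cands = self._candidates()
        if not cands:
            raise RuntimeError("no WAN is up")
        if self.policy == "bind":
            # Hash the pair so the choice is stable across restarts and still
            # spreads different pairs over the available WANs.
            digest = hashlib.sha256(f"{flow[0]}|{flow[1]}".encode()).digest()
            return cands[int.from_bytes(digest[:4], "big") % len(cands)]
        wan = cands[self._round_robin % len(cands)]
        self._round_robin += 1
        return wan

    def select(self, src: str, dst: str, now: float) -> str:
        """Return the WAN to use for a packet of this pair seen at time `now`."""
        flow = (src, dst)
        entry = self.bindings.get(flow)
        if entry is not None:
            wan, last_seen = entry
            fresh = self.policy == "bind" or (now - last_seen) <= self.idle_timeout
            if wan in self.up and fresh:
                self.bindings[flow] = (wan, now)
                return wan
        wan = self._pick_new(flow)
        self.bindings[flow] = (wan, now)
        return wan


if __name__ == "__main__":
    for policy in ("rebalance", "bind"):
        sel = WanSelector(["WAN1", "WAN2", "WAN3"], policy=policy, idle_timeout=10.0)
        seen = [sel.select("10.0.0.5", "203.0.113.9", t) for t in (0.0, 5.0, 30.0)]
        print(policy, "->", seen)   # rebalance moves the idle flow, bind does not
```

    Binding on the (source, destination) pair rather than on the destination port is what keeps an SSH or HTTPS session on one public IP; binding a whole protocol to one WAN, as the RV016 workaround does, also works but gives up load balancing for that protocol entirely.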

  • Reading or changing sequence number in TCP packets

    I don't know whether this is feasible, but you're my last chance to figure out something else. Can I read the sequence number that comes inside the TCP header in the incoming packets? This sounds illogical, but since there is a method for getting the IP of the sender (and that IP exists in the IP header, network layer), then the sequence number (TCP header, inside the transport layer) must exist in the packet. Can I read it?
    - And an even more illogical question: can I change that sequence number or the acknowledge number to form a new packet? It's like converting a packet to and from a packet object to a string of bits?
    I know exactly where the sequence and acknowledge numbers are located (after how many bits) inside the TCP header.

    ejp wrote:
        first off I wanna apply this to a Java ME application and jpcap has some native code I dunno how to use on a cell phone.
    You can't. You can migrate the code to work on a mobile phone, in theory. This is unlikely to be worth it even if you succeed.
        I was thinking if I can change the acknowledge number
    You can't. Like sticking your hand in a blender. It's simpler to say you can't, but I say you shouldn't want to.
        I can order the server I'm connected to to send the data from a specific byte, not sequentially.
    Use a protocol that already understands that. HTTP and FTP spring to mind. There are existing protocols for this which work, and your phone is likely to support HTTP with XHTML Basic already.
        - Drop this packet and then form another packet with the same info as if it were formed automatically, except replacing the acknowledge number with the size of my buffered data + 1.
    TCP/IP will never let this work even if you could do it, which you can't. You cannot skip data this way. This is not what acknowledgements and sequence numbers are for.
        I also know that some protocols support requesting files from a specific byte (like HTTP) but I wanna do it inside the network layer, not the application layer.
    Why? You prefer the blender, I see.
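    For readers who want the concrete answer to "after how many bits", here is an added example (not code from the thread, and nothing to do with Java ME): it builds an IPv4/TCP packet from the values in the firewall log line earlier on this page (172.16.15.6:4399 -> 168.94.69.30:443, ip ident 515, seq 974122240, ack 0, tcpflags 0x7002), parses the sequence and acknowledgement numbers back out of the raw bytes, and shows what rewriting one of them actually entails. Read as the raw 16-bit offset/flags word, 0x7002 decodes as data offset 7 (a 28-byte header) plus the SYN flag, consistent with a client's first SYN; the TCP options used to reach 28 bytes (MSS, NOP, NOP, SACK-permitted) are an assumption, as is the window size.

```python
"""Locate and rewrite TCP sequence/ack numbers in raw bytes (added example).

The sample packet is constructed from the firewall log values on this page;
the options and window are assumptions.
"""
import struct
from dataclasses import dataclass


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Covers the pseudo-header (addresses, protocol 6, length) plus the segment.
    Over a segment that already carries a valid checksum the result is 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, options=b""):
    if len(options) % 4:
        raise ValueError("TCP options must be padded to 32-bit words")
    data_offset = (20 + len(options)) // 4               # header length in 32-bit words
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (data_offset << 12) | flags, window, 0, 0) + options
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload, ident):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000, 64, 6, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


@dataclass
class TcpFields:
    src_port: int
    dst_port: int
    seq: int             # TCP header bytes 4..7  (bits 32..63)
    ack: int             # TCP header bytes 8..11 (bits 64..95)
    offset_flags: int    # bytes 12..13: 4-bit data offset, 3 reserved, 9 flag bits
    header_len: int
    flags: int
    checksum_ok: bool


def parse_ipv4_tcp(packet: bytes) -> TcpFields:
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    seg = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    return TcpFields(sport, dport, seq, ack, off_flags, (off_flags >> 12) * 4,
                     off_flags & 0x1FF, tcp_checksum(src_ip, dst_ip, seg) == 0)


def rewrite_seq(packet: bytes, new_seq: int) -> bytes:
    """Overwrite the sequence number and recompute the checksum. Without the
    recompute the receiver discards the segment; with it the segment is well
    formed, but the peer still judges it against its own window, so this does
    not let a client skip ahead in a live connection."""
    ihl = (packet[0] & 0x0F) * 4
    seg = bytearray(packet[ihl:])
    seg[4:8] = struct.pack("!I", new_seq)
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(seg)))
    return packet[:ihl] + bytes(seg)


SRC_IP, DST_IP = bytes([172, 16, 15, 6]), bytes([168, 94, 69, 30])
SYN_OPTIONS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"   # MSS 1460, NOP, NOP, SACK-permitted (assumed)
SAMPLE = build_ipv4(SRC_IP, DST_IP,
                    build_tcp(SRC_IP, DST_IP, 4399, 443, 974122240, 0, 0x002, 65535, SYN_OPTIONS),
                    ident=515)

if __name__ == "__main__":
    f = parse_ipv4_tcp(SAMPLE)
    print(f"seq={f.seq} ack={f.ack} offset/flags=0x{f.offset_flags:04x} "
          f"header={f.header_len} bytes checksum_ok={f.checksum_ok}")
```

    The offsets are fixed by the TCP header layout: sequence number at byte 4, acknowledgement number at byte 8, both after the IPv4 header whose length comes from the IHL nibble. Reading them requires access to the raw segment (a capture interface, not a socket API), and rewriting them requires recomputing the checksum over the pseudo-header, which is the part a "string of bits" approach usually misses.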

  • Questions about tuning the USRP packet -based link examples

    Hi everyone,
       Today I did some tests and tuning on the USRP packet-based link examples, and I have these questions:
       First I set the following parameters in the Packet Transmitter.vi: Tx frequency=2441M, samples per symbol=8, sample rate=800k, so the symbol rate should be 100k.
       Then I set the Rx frequency to 2441M and do three tests with the USRP packet receiver.vi:
       1. set the samples per symbol to 8, the sample rate to 800k: all the packets can be received correctly, very fast.
       2. set the samples per symbol to 40, the sample rate to 4M: all the packets can be received correctly, but slower than the former test.
       3. set the samples per symbol to 50, the sample rate to 5M: all the packets can be received correctly, but much slower than the former two tests.
       4. set the samples per symbol to 40, the sample rate to 5M, but change the sample rate to 4M when passing the argument to the resample&demod_shell.vi; then I find that no packets can be received correctly. (According to my understanding, resampling the data with a 4M sample rate should make the input data time-aligned.)
       Can anyone help me interpret the above tests? Thanks in advance!

    Hi 0711,
    You are correct.  If you sample at 5 MS/s and have a samples/sym of 40, resampling with a sample rate of 4 MS/s will allow you to receive the signal.  Digging into the sub_resample_and_demodulate.vi, I found the issue.  The modulation toolkit resample VI that is being used pulls the sample rate of the incoming signal from the incoming waveform (or the dt of the incoming waveform).  In the resample and demodulate subVI, the dt of the incoming signal was hard wired to be 1/x of the desired sampling rate.  For all other use cases, having these 2 parameters hard wired together does not cause a problem, but for the 4th case you described it does.  I edited the subVI like shown in the image below and was able to get it working:
    Hope that helps and let me know if you have any further questions.  I'll do my best to get you an answer.
    Sarah Y
    SDR Product Manager
    National Instruments | Ettus Research

  • Packet received from multicast broadcast has external IP

    Hello,
    I have a program set up to send a message over the network via multicast. When the message is received, it checks if the IP of the packet is equal to the local host's IP, and if it is it has different behaviour. This was working fine when working locally on the LAN, but when running it on a web-facing machine, the received packet's IP is being returned as its external Internet one, so I can't do the comparison to the local host's IP.
    I don't have a ton of experience in this area so I don't know what is causing this to happen or how it can be fixed. Below is the excerpt from my code which compares the packet's IP to that of the local machine. Any insight would be appreciated, thanks in advance.
    // Source address of the received datagram, compared against the single
    // address that InetAddress.getLocalHost() resolves to (missing brace added).
    InetAddress address = packet.getAddress();
    logger.debug(String.format("Received message from %s", address.getHostAddress()));
    if (!(address.getHostAddress().equals(InetAddress.getLocalHost().getHostAddress()))) {
      logger.debug("Host address is not local address (" + InetAddress.getLocalHost().getHostAddress() + ")");
    }

    You need to enumerate all the NetworkInterfaces and all the IP addresses they represent, and check the incoming packet's source IP address against all of those.

  • Bonjour sends packets to external IPs

    Hello,
    While checking the traffic made by my computer I noticed that some packets were sent towards 2 rogue IPs on a regular basis:
    45.219.2.52 1318 TCP
    45.216.128.38 3000 TCP
    Those IPs belong to:
    OrgName: Interop Show Network
    OrgID: ISN-4
    Address: 600 Harrison St
    City: San Francisco
    StateProv: CA
    PostalCode: 94107
    Country: US
    Doing a netstat tells me that the process performing those requests is the Bonjour service:
    mDNSResponder.exe
    Is Bonjour performing those requests by nature or is my Bonjour software infected?
    Fulg0re
    Message was edited by: fulg0re

    http://www.bing.com/search?q=bonjour+packets
    Bonjour - Zero Configuration Networking: Bonjour is a networking protocol that sends and receives network packets on UDP port 5353. If you have a "personal firewall" enabled, you will need to ensure that UDP port 5353 is ...
    Certain firewalls will only partially block Bonjour packets, so if you experience intermittent behavior, check the firewall settings and verify that Bonjour is listed as an exception and is allowed to receive incoming packets.
    http://cleansofts.org/bonjour.html
    Bottom line: it is one 'noisy' and talkative service, so I disable and uninstall it if a program insists on installing it on my systems.
    Also, if you have ever used torrents, your IP address got harvested, and others will come knocking, and your firewall will see DDoS - another reason to configure your router firewall and harden it as first line of defense from the outside world.
    You could block the port on your router and see. Also most firewalls can log and alert/email you.
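    The reply's one concrete fact, that Bonjour is multicast DNS on UDP 5353, is enough to write down what the Bonjour process is expected to do and flag everything else, which is a more useful triage step than a search link. The following is an added example, not code from the thread or from Apple: it parses constructed text approximating Windows `netstat -anob` output (where the owning process name follows each socket line in square brackets), encodes "UDP 5353 to multicast, link-local or private addresses" as the expectation for mDNSResponder.exe, and reports the sockets that do not fit. The public addresses and ports in the sample are the ones the poster reported; the local addresses, PIDs and the unrelated browser row are made up.

```python
"""Flag mDNSResponder.exe sockets that do not look like multicast DNS (added
example). NETSTAT_SAMPLE is constructed to approximate 'netstat -anob'."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

BONJOUR_PROCESS = "mDNSResponder.exe"
MDNS_PORT = "5353"

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:49710     45.219.2.52:1318       ESTABLISHED     1408
 [mDNSResponder.exe]
  TCP    192.168.1.23:49712     45.216.128.38:3000     SYN_SENT        1408
 [mDNSResponder.exe]
  TCP    192.168.1.23:49720     93.184.216.34:443      ESTABLISHED     2212
 [firefox.exe]
  UDP    0.0.0.0:5353           *:*                                    1408
 [mDNSResponder.exe]
  UDP    192.168.1.23:5353      224.0.0.251:5353                       1408
 [mDNSResponder.exe]
  UDP    [fe80::1c2a:9f1%12]:5353  [ff02::fb]:5353                     1408
 [mDNSResponder.exe]
"""


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    process: Optional[str] = None


def parse_netstat(text: str) -> List[Socket]:
    """Socket rows start with TCP/UDP; the bracketed process line that follows
    applies to the rows seen since the previous bracketed line."""
    rows: List[Socket] = []
    pending: List[Socket] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("TCP", "UDP")):
            parts = line.split()
            state = parts[3] if len(parts) == 5 else ""   # UDP rows have no state column
            sock = Socket(parts[0], parts[1], parts[2], state, int(parts[-1]))
            rows.append(sock)
            pending.append(sock)
        elif line.startswith("[") and line.endswith("]"):
            for sock in pending:
                sock.process = line[1:-1]
            pending = []
    return rows


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port    # drop IPv6 brackets and scope id


def is_expected_bonjour(sock: Socket) -> bool:
    """Multicast DNS: UDP port 5353, to multicast, link-local or private addresses."""
    if sock.proto != "UDP":
        return False
    host, port = split_endpoint(sock.remote)
    if host == "*":                                  # unconnected listening socket
        return split_endpoint(sock.local)[1] == MDNS_PORT
    addr = ipaddress.ip_address(host)
    return port == MDNS_PORT and (addr.is_multicast or addr.is_link_local or addr.is_private)


def suspicious_bonjour_sockets(text: str) -> List[Socket]:
    return [s for s in parse_netstat(text)
            if s.process == BONJOUR_PROCESS and not is_expected_bonjour(s)]


if __name__ == "__main__":
    for s in suspicious_bonjour_sockets(NETSTAT_SAMPLE):
        print(f"{s.proto} {s.local} -> {s.remote} {s.state} pid={s.pid} ({s.process})")
```

    Treat a hit as something to investigate rather than a verdict: the rule is deliberately narrow, so legitimate unicast DNS-SD traffic from mDNSResponder on UDP 53 would also be flagged, and nothing on this page explains why the process reached the Interop Show Network addresses. Confirming the process identity behind the PID (signature, path) and capturing the flagged connections is the next step.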
