PPPOA failures on IOS 15.1

September 17 2011

Just a quick one. All of the current 15.1 IOS releases on CCO have a major bug affecting ADSL.

If the underlying ATM interface bounces at any point, the PPPoA dialer interface will go down and will never recover without a reboot. The ATM interface will show as up, but all outbound packets will be dropped, and PPP will show request timeouts as if the remote end were not responding.

We have a TAC case open and will update this post with fix details. It’s been acknowledged by TAC as a bug.

The 15.0(1)M train seems to be OK; the problem appears to have crept in with 15.1.

Barry Hesk

Cisco CP-6921 handset restrictions

15 September 2011

Cisco have recently marked the CP-7911 handset, a "work horse" handset for many customer deployments, as end of sale. The 6921, which features a headset port and a full-duplex speakerphone (neither of which the 7911 had), seems an attractive replacement; however, there are a few restrictions to be aware of.

1. The 6921, whilst being a two-line phone, does not support two calls per button. The second channel can only be used for transfer or conference. This is unlike the 7911, which provides two calls per button.

2. DND does not work on the handset when mapped to a softkey. This is a known issue at Cisco, and the workaround is to map DND to the second button. However, if you want to use the second button as a second line, you can't have DND. This does not sound great to us.

3. Auto answer on headsets. Other Cisco handsets that support auto answer on headsets can play a "zip" tone on auto answer so that the agent knows a call has just arrived. The 6921 does NOT support this tone, and we don't know why. It can seemingly play the tone for internal calls, but it does not play it for external calls. Cisco TAC confirm that this is expected behaviour; however, we haven't been able to find any documentation that reflects this, and it seems a very strange restriction. Net result: we'd be loath to recommend 6921s with headsets if you want auto answer.

So all in all, be careful how you deploy 6921s. They are not as attractive as they appear at first glance.

Barry Hesk

Cisco IOS AnyConnect SSL VPN Configuration

15 September 2011

Cisco have been pushing the new versions of their AnyConnect client for some time now. They have also announced End of Sale for the traditional IPsec-based client, which has been around for a number of years. This means that the IPsec client will not be available on new OS platforms; it is also not supported on 64-bit platforms.

The new client is the AnyConnect Secure Mobility Client which will be the platform to use moving forwards.

At the head end, both Cisco ASA firewalls and IOS-based routers with the correct software image are supported. Licenses are required on both platforms, which is a change from Cisco: on the ASA platform in particular, the cost of IPsec VPN was previously bundled into the unit cost.

Below is a sample config for an IOS-based router. You will need IOS version 15 to get this to work properly.

! router HTTP/HTTPS services; these also expose the web management UI,
! so restrict them with ip http access-class if management is not needed
ip http server
ip http secure-server
!
! addresses handed out to AnyConnect clients
ip local pool client-pool 10.255.255.1 10.255.255.10
!
webvpn gateway SSLVPN
 ip address X.X.X.X port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-3096684075
 inservice
!
! AnyConnect package pushed to clients that connect without it installed
webvpn install svc flash:/webvpn/anyconnect-win-3.0.3054-k9.pkg sequence 1
!
webvpn context SSLVPN
 ssl authenticate verify all
 !
 policy group SSLVPN_Policy
  functions svc-required
  svc address-pool "client-pool"
  svc keep-client-installed
  svc split include 10.1.200.0 255.255.255.0
  svc split include 192.168.100.0 255.255.255.0
 default-group-policy SSLVPN_Policy
 gateway SSLVPN
 max-users 10
 inservice
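
Two things the sample above leaves out are worth calling out before you put it in front of real users. First, the context has no authentication list, so user login falls back to whatever the router's default login method is. Second, the gateway presents the router's auto-generated self-signed certificate (the TP-self-signed-* trustpoint), which every client will warn about and which cannot be told apart from a spoofed gateway. The following is an added example, not part of the original post, showing the same gateway and context with a local AAA list and a CA-issued certificate; SSLVPN_AAA, VPN_CA, vpn.example.com and vpnuser are placeholder names chosen for this example, and the ssl encryption keyword is assumed to be available on the release in use (check it with ?).

```cisco
! Added example (not from the original post): the sample config with
! authentication and a verifiable certificate added.
!
! 1. Authenticate users explicitly. A local user is shown here; point the
!    method list at a RADIUS/TACACS+ group for anything beyond a lab.
aaa new-model
aaa authentication login SSLVPN_AAA local
username vpnuser secret <strong-passphrase>
!
! 2. Enrol with a CA instead of using TP-self-signed-*. After this block,
!    run crypto pki authenticate VPN_CA and crypto pki enroll VPN_CA from
!    exec mode and have the CSR signed for vpn.example.com.
crypto pki trustpoint VPN_CA
 enrollment terminal
 subject-name CN=vpn.example.com
 revocation-check none
!
webvpn gateway SSLVPN
 ip address X.X.X.X port 443
 http-redirect port 80
 ssl trustpoint VPN_CA
 ! assumed keyword: restrict the gateway to AES/SHA1 suites (no RC4/3DES)
 ssl encryption aes-sha1
 inservice
!
webvpn context SSLVPN
 ssl authenticate verify all
 ! bind the method list above to this context
 aaa authentication list SSLVPN_AAA
 !
 policy group SSLVPN_Policy
  functions svc-required
  svc address-pool "client-pool"
  svc keep-client-installed
  ! split tunnelling: only these prefixes go through the tunnel; all other
  ! client traffic leaves via its local network, so the client is on both
  ! networks at once
  svc split include 10.1.200.0 255.255.255.0
  svc split include 192.168.100.0 255.255.255.0
 default-group-policy SSLVPN_Policy
 gateway SSLVPN
 max-users 10
 inservice
```

To confirm the gateway is presenting the CA-issued certificate rather than the self-signed one, browse to https://vpn.example.com/ from a client that does not yet have AnyConnect installed and check the certificate chain before accepting the client download; show webvpn gateway SSLVPN and show webvpn session context SSLVPN show the gateway state and who is connected.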

Barry Hesk

HP launch new enterprise security software packages

13 September 2011

Hewlett Packard (HP) have announced new enterprise security software packages based on products acquired in the last couple of years.

ArcSight, TippingPoint and Fortify Software have been combined into a single overarching management platform to give a central view of network operations and risk management.

Barry Hesk

Diginotar SSL certificate attack

6 Sep 2011

It's been widely reported in the press that the Dutch Certificate Authority (CA) Diginotar was breached by hackers. As a result, 531 digital certificates were fraudulently issued, including for several *.google.com domains.

A good article describing what happened is available here:

http://www.theinquirer.net/inquirer/news/2106065/major-domains-targeted-diginotar-ssl-attack

Mozilla (author of Firefox) has taken the drastic step of removing Diginotar's root CA from its browser's trusted list; this means that Firefox will no longer trust ANY site that is using a certificate issued by Diginotar.

Expect the fallout from this to continue for some time yet….

Barry Hesk

Cisco ASA 8.3 NAT

Cisco ASA version 8.3 (and now 8.4) has been out and shipping for quite some time. Based on our own experiences and some feedback from customers, we've been researching the changes.

The following link provides a really helpful overview of what has changed in version 8.3 and higher.

http://www.thenetworker.co.uk/blog/?p=1

It's fair to say that NAT in 8.3 does cause confusion and is a radical departure from what was in place previously. In our minds, it's much more aligned to the way that Check Point perform NAT on their platforms. It is also worth pointing out that in our experience, migrating from 8.2 to 8.3 does not work smoothly, or in some cases at all, and you will almost certainly need to rebuild your NAT from scratch at version 8.3. One change that bites in particular: from 8.3, interface access lists are written against real (untranslated) addresses rather than mapped ones, so any ACL entry carried over from 8.2 that refers to a NAT'd address needs reworking as well. If you're planning an upgrade to 8.3 or 8.4, please bear in mind that you may need to completely rework your NAT. For most people this is not a massive issue, as typically you may have a couple of static NAT entries, some exclusions for VPN traffic, and a dynamic interface-based statement to catch everything else. However, if you have anything a little more complex, like policy NAT, make sure you test and test again to ensure it's all working OK.
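
As an added example (not from the original post), here are the three NAT cases just described, written first in 8.2 syntax and then in the 8.3+ form, with the interface ACL that has to change with them. The 203.0.113.10 public address, the 10.1.200.0/24 and 192.168.100.0/24 networks and the object names are placeholders chosen for this example.

```cisco
! Added example (not from the original post): 8.2 NAT and its 8.3+ rewrite.
!
! ---- 8.2 and earlier ----
! dynamic PAT for everything leaving inside
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! static one-to-one for a published server
static (inside,outside) 203.0.113.10 10.1.200.10 netmask 255.255.255.255
! exempt site-to-site VPN traffic from NAT (the "nat 0" / NONAT pattern)
access-list NONAT extended permit ip 10.1.200.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
! in 8.2 the interface ACL matches the translated (mapped) address
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! ---- 8.3 and later ----
! dynamic PAT: the nat statement hangs off the object describing the real hosts
object network INSIDE_NET
 subnet 10.1.200.0 255.255.255.0
 nat (inside,outside) dynamic interface
! static: the object holds the real address, the nat line the mapped one
object network WEB_SERVER
 host 10.1.200.10
 nat (inside,outside) static 203.0.113.10
! VPN exemption becomes an identity twice-NAT rule. Manual NAT lives in
! section 1 and is evaluated before the object NAT above, which is what
! stops the PAT rule from swallowing the VPN traffic.
object network VPN_REMOTE_NET
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_REMOTE_NET VPN_REMOTE_NET no-proxy-arp
! in 8.3+ the interface ACL matches the REAL address. An entry carried over
! verbatim from 8.2 (host 203.0.113.10) silently stops matching and the
! published server becomes unreachable.
access-list OUTSIDE_IN extended permit tcp any host 10.1.200.10 eq 443
access-group OUTSIDE_IN in interface outside
```

After rebuilding, check the rule order with show nat and then exercise each case with packet-tracer, for example packet-tracer input inside tcp 10.1.200.10 1025 192.168.100.5 443 should show the identity rule (no translation), while packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 443 should show the static untranslate and an ACL permit.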

Barry Hesk

Cisco Unity Connection 8.5 Installation Woes

Aug 27 2011

It's been brought to our attention that there are a number of issues with new installations of Unity Connection 8.5. Various problems have been reported, including the installation DVD failing the media check, the installation process hanging for 30 minutes or more, and various other crashes.

We are currently trying to define a process for a smooth installation and will post back here when we’ve finished our testing. It may be worth going straight to the newest release – version 8.6, rather than going with 8.5.


This link gives a few more details.

Barry Hesk

Cisco EoS Announcements

Aug 2011

In recent weeks, Cisco Systems have announced a slew of End of Sale (EoS) notices, including the entire Unity voicemail line (as predicted by Intrinsic in an earlier post).

Unity is now officially EoS, with Unity Connection being the recommended replacement product. Cisco Speech Connect, which provides speech recognition services to voicemail deployments, is also EoS as a standalone product, as it has now been integrated into Unity Connection 8.5.

Also subject to EoS are the Cisco 7921 wireless handset (replaced by the more expensive 7925) and a couple of Gigabit models of the 2960 switch, which are replaced by 2960S versions. Cisco 7911 handsets are also now EoS, with the recommended replacement being the 6921.

Barry Hesk

RIM Announce MVS Version 5.1

11 May 2011

RIM used this year's BlackBerry World conference to announce MVS version 5.1. This is an update to the already generally available version 5.0, which brings Voice over WiFi support to Cisco Unified Communications Manager and Cisco Unified Communications Manager Express PBX platforms.

MVS version 5.1 extends PBX support to Avaya and Nortel systems, widening its appeal.

An interesting additional feature is the ability for the handheld to detect when its WiFi signal is weakening to the point of being unusable and to warn the user before the call drops.

We’ll be testing version 5.1 and will report back here.

Barry Hesk

Well.. It’s happened already!

09 May 2011

It's happened a little quicker than we expected. One of our clients requested a new block of IP addresses from their ISP. Guess what: IPv6 addresses were allocated to them, with the ISP saying that they didn't have any IPv4 addresses left.

Fortunately, the client's equipment (firewalls, IPS and routers) can all handle IPv6; however, they are now asking serious questions about how IPv6-to-IPv4 interworking is going to work.

Equally fortunately, we've been preparing for this and can offer advice and guidance on what will and won't work. As we move forward, this is something that a lot of businesses, including ourselves, are going to have to consider.

Barry Hesk