Disclaimer

The content of this material is challenges faced onsite and how I personally resolved them. Please note that the solutions posted here

1> should not be considered final. The material is for reference only.

2> are not guaranteed to work. Contact Cyberoam support before making any changes.

3> this blog does NOT belong to Cyberoam. It's a blog...a personal blog.

Changes made after referring to this site may seriously damage the network. So...

........MAKE CHANGES AT YOUR OWN RISK

(please contact Cyberoam support before implementing any changes)

Saturday 17 December 2011

CLI Commands of Cyberoam

In this post I will try to explain the CLI commands used on the Cyberoam and how they help in resolving issues.

Monday 12 December 2011

Question

If you have questions on any deployment, please share your scenario and everyone can suggest their ideas.

Cyberoam Deployment with only one switch

Below is the customer network:

internet ---> L3 ---> all users, using the L3 as their gateway

The customer has only an L3 switch: the internet link terminates on it and all the users are connected to it as well. How do you deploy the CR in this network? There are many solutions to this problem, but this is the one I like, so I am sharing it.

The simplest solution is to terminate the internet link directly on the Cyberoam. But I will explain several situations where you will be forced to use this deployment.


Solution

           ----(L)CR(W)----
           |              |
    +------3--------------2------1------> internet
    |                                   |
    |                L3                 |
    |      4    5    6    7             |
    +-----------------------------------+
           |    |    |    |
                 users

Ports 1 and 2 of the switch are in one VLAN, say VLAN 100: port 1 carries the internet link and port 2 connects to the Cyberoam WAN port (W). Ports 3, 4, 5, 6 and 7 are in another VLAN, say VLAN 20: port 3 connects to the Cyberoam LAN port (L, Port A) and the users hang off ports 4 to 7.

The users use the Cyberoam LAN IP address (Port A) as their default gateway. The L3 switch is only a layer-2 path here: it must not have an IP interface on VLAN 100 and must not route between VLAN 100 and VLAN 20, otherwise traffic can reach the internet without passing through the CR.

Other networks where you can use this deployment:

There is only one L3 switch and you want to use the CR in HA mode (both appliances' LAN ports go in VLAN 20 and both WAN ports in VLAN 100).

Deployment: Cyberoam deployed as a single-arm proxy in multiple VLANs

Hi All,

Below is the network scenario

                 --------> vlan10
  FW ---> L3 ----+-------> vlan20 -----> CR
                 --------> vlan30

Here the firewall is connected to an L3 switch that does the inter-VLAN routing. The customer is not ready to make any changes.

The Cyberoam has to be placed in the server VLAN, VLAN 20. The gateway of all the servers in it is the VLAN interface on the L3 switch, i.e. 192.168.20.1.

To deploy the Cyberoam as a single-arm proxy, take a free IP from the VLAN 20 network and assign it to Port A of the appliance.

Port B: any dummy IP address, and the gateway of Port B is also any dummy IP address.

In Cyberoam Network--->Static Routes, add the following route:
destination network : 0.0.0.0/0.0.0.0
interface Port : Port A
next hop : 192.168.20.1

Users in the other VLANs put the CR IP as the proxy in their browsers.

So the traffic path from VLAN 30 is: VLAN 30 ---> L3 ---> CR (Port A, in) ---> scanning done ---> Port A (out, because of the static route) ---> L3 ---> FW ---> internet

The return path is the same in reverse. Only traffic that the browser sends to the proxy passes through the CR; anything the L3 routes straight to the firewall is not scanned.


IPSec Error

Error log:

Dec 09 12:37:50 "Mind_set_Tunnell-3" #5813: cannot respond to IPsec SA request because no connection is known for 10.64.21.160/28===1xx.110.1xx.98...91.21.xx.xxx===10.80.0.0/13


Solution:


This log line describes the SA the peer is asking for, written as local subnet===local gateway...remote gateway===remote subnet: here 10.64.21.160/28 behind our gateway and 10.80.0.0/13 behind the peer. The CR cannot match this pair to any tunnel it has configured. IKEv1 needs the subnets to match exactly, including the mask, so check the subnets at both ends carefully. Every time I have seen this error the customer had made a mistake in the subnet mask or the LAN IP address, so check carefully.

Sunday 11 December 2011

How to deploy the CR as a single-arm proxy (Deployment 3)

Deploying the CR as a single-arm proxy is pretty straightforward.

When to deploy the CR as a single-arm proxy:
1> The customer is really not ready to make any changes in the network.
2> The customer wants to replace an existing proxy.
3> The customer has to use the CR IP as the direct proxy in the users' browsers.

Scenario:
(Scenario may vary but this would be a simple scenario)

  Router --> FW (192.168.1.1) --> switch --> users
                                     |
                                     CR (Port A: 192.168.1.xxx) (Port B: dummy IP address) (CR GW: any dummy)

Deployment Mode of Cyberoam: Gateway


Steps:

1> Deploy the Cyberoam in gateway mode with any dummy WAN IP address on Port B.
2> Connect the LAN interface (Port A) to the switch, so choose an IP within the LAN range, or reuse the existing proxy's IP address once you replace it.
3> Most important is the static route created from the GUI (Network --> Static Routes):
       destination network : 0.0.0.0/0.0.0.0   gateway : FW LAN IP address (192.168.1.1 here)

The route is the most important part:
1> The traffic from the browser is received by the Cyberoam on Port A.
2> Because of the static route, it is sent back out to the FW gateway once the CR has done all the scanning and other stuff.


Thursday 8 December 2011

Hi All,

If you are configuring LDAP against a Windows AD server to authenticate the users, use the below syntax when asked for the admin username while configuring LDAP:

cn=administrator,cn=users    <------- this is because the administrator account usually exists in this container

If the account is somewhere else, use an LDAP browser to find its exact DN and use that as the admin username while configuring LDAP.

HTH
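The page gives the relative form cn=administrator,cn=users; a full distinguished name also ends with the domain components (dc=...), and the example below assumes the appliance takes that full DN. As an added example that is not from the page or from Cyberoam, this is the offline equivalent of the "LDAP browser" step: a small LDIF reader that finds the full DN of an account in an AD export. The domain example.com, the accounts and the export text are constructed.

```python
import base64

# Constructed LDIF, in the shape an AD export (ldifde or ldapsearch) produces.
# The domain example.com and the accounts in it are invented for this example.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: Administrator

dn: CN=Jane Roe,OU=Service Accounts,OU=Corp,DC=example,DC=com
objectClass: user
sAMAccountName: svc-cyberoam
description:: c2VydmljZSBhY2NvdW50IGZvciBDeWJlcm9hbQ==
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per blank-line separated record.

    Handles 'attr:: base64' values; assumes the export has no folded (continuation) lines.
    """
    records, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
    return records


def find_bind_dn(ldif_text, sam_account_name):
    """Return the full DN of the account with this sAMAccountName (case-insensitive), or None.

    This DN, domain components included, is what goes in the admin username field.
    """
    wanted = sam_account_name.lower()
    for record in parse_ldif(ldif_text):
        if wanted in (v.lower() for v in record.get("sAMAccountName", [])):
            return record["dn"][0]
    return None


if __name__ == "__main__":
    for name in ("administrator", "svc-cyberoam", "nobody"):
        print(name, "->", find_bind_dn(SAMPLE_LDIF, name))
```

Feed it the output of ldifde -f export.ldf (or an ldapsearch dump) instead of SAMPLE_LDIF and the returned string is the exact value to paste into the LDAP server configuration.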

Deployment Scenario 2

Hi All,

Check the network diagram

  (HO) CR <======== IPSEC ========> CR (BO)
        |                            |
  (users) ---> switch              switch <--- (users 10.1.2.0/24)
   (10.1.3.0/24)
        |
      Router <--- Remote Office users (10.1.1.0/24)


Requirement: The BO users should reach the 10.1.3.0/24 and 10.1.1.0/24 subnets.

Solution:

1> Create the normal tunnel between HO and BO.

2> In the HO, local subnets [10.1.3.0/24 + 10.1.1.0/24] and remote subnet [10.1.2.0/24].

3> In the BO, local subnet [10.1.2.0/24] and remote subnets [10.1.3.0/24 + 10.1.1.0/24].

4> In the HO there must be a static route:
             if the destination is 10.1.1.0/24, the next hop is the router's IP address, which is in the same subnet as 10.1.3.0/24.

Also check that the router sends traffic for 10.1.2.0/24 back to the HO CR (a route on the router, or the CR as its default gateway); otherwise the replies from the remote office never enter the tunnel.

Cyberoam IPSec Error


Cyberoam IPSec logs can give you pretty good clues about the error. To check the logs, type the command

show vpn IPSec-logs
(you can use Tab to complete the command)

Below is the error from the above said logs:

ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.51.xxx.xxx port 500, complainant 60.51.xxx.xxx: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]


Solution: There is not much you can do about this on the CR. The error says that our IKE packet to UDP port 500 at the other end was answered with an ICMP port unreachable (type 3 code 3): either port 500 is not open there, or pluto (the IKE daemon) is not running at the other end. "(not authenticated)" only means pluto cannot verify who sent the ICMP message. We found out later that port 500 was blocked by the ISP. Pretty strange, but that was all.


Monday 5 December 2011

L2TP not connecting from iPads

Hi All,

Today I encountered an issue and a good finding.

Issue description: Users with Windows PCs/laptops were able to connect to L2TP, but iPad users were not.

Resolution Steps:
1> We were using the L2TP authentication protocol ANY:
  console> sh vpn config
PPTP
        AUTHENTICATION      ANY
        ENCRYPTION          DISABLE
L2TP
        AUTHENTICATION      ANY

2> The users who were connecting from the PC were using PAP, as seen with:
console> sh vpn L2TP-logs

3> On Google we found that the iPad uses MS-CHAPv2 as its auth protocol.

4> Users were on AD.

5> Since MS-CHAPv2 is Windows proprietary and we could not use it, we turned to IAS and installed RADIUS on the AD server.

6> Integrated RADIUS with the CR.

7> And made the VPN users authenticate with RADIUS as the authentication server.

8> It worked well, with all users using MS-CHAPv2 as the authentication protocol.



Saturday 3 December 2011

Video Request

Hi Everyone,

Please send requests for videos to add to the blog. I will try creating new videos for the blog which will help in configuring Cyberoam easily. Video requests may include:

1> Configuration
2> Cyberoam strategies
3> Troubleshooting

I will try to make the videos and upload them as soon as possible.

Friday 2 December 2011

VPN

Error Msg:

Dec 01 15:00:42 "VPN-1" #436: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

Resolution:

"VPN-1" here is the tunnel name. This peer is initiating the tunnel, but the other end never gives an acceptable answer to our first encrypted Main Mode message (state I3). That is almost always because the two ends are using different pre-shared keys: the responder cannot decrypt our message and drops it. To resolve this, correct the pre-shared key in the tunnel settings so that it is identical at both ends.
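The three pluto messages on this page (the unmatched SA under "IPSec Error", the ICMP port unreachable under "Cyberoam IPSec Error", and the retransmission/authentication failure here) each point at a different layer of the problem. As an added example that is not from the page or from Cyberoam, the script below splits the selector pair out of the first kind of message, compares it with the tunnels configured on our side, and labels the other two. The sample lines and the configured tunnel are constructed; RFC 5737 documentation addresses stand in for the masked peer IPs.

```python
import re
from ipaddress import ip_network

# Constructed sample lines in the Openswan/pluto format the CR logs use, modelled on
# the three errors quoted on this page. Peer addresses are documentation addresses
# standing in for the masked ones (1xx.110.1xx.98, 91.21.xx.xxx, 60.51.xxx.xxx).
SAMPLE_LOGS = [
    'Dec 09 12:37:50 "Mind_set_Tunnell-3" #5813: cannot respond to IPsec SA request because '
    'no connection is known for 10.64.21.160/28===198.51.100.98...203.0.113.7===10.80.0.0/13',
    'ERROR: asynchronous network error report on eth1 (sport=500) for message to 203.0.113.9 '
    'port 500, complainant 203.0.113.9: Connection refused [errno 111, origin ICMP type 3 code 3 '
    '(not authenticated)]',
    'Dec 01 15:00:42 "VPN-1" #436: max number of retransmissions (2) reached STATE_MAIN_I3.  '
    'Possible authentication failure: no acceptable response to our first encrypted message',
]

# What we believe is configured on our CR: tunnel name -> (local subnet, remote subnet).
# Constructed so that both the local mask and the remote mask disagree with the peer.
CONFIGURED_TUNNELS = {
    "Mind_set_Tunnell-3": ("10.64.21.160/27", "10.80.0.0/16"),
}

# pluto prints the wanted SA as  our_subnet===our_gateway...peer_gateway===peer_subnet
SA_RE = re.compile(r"no connection is known for (\S+?)===(\S+?)\.\.\.(\S+?)===(\S+)")


def parse_unmatched_sa(line):
    """Split the selector pair out of a 'no connection is known for' line, else None."""
    m = SA_RE.search(line)
    if not m:
        return None
    local_net, local_gw, remote_gw, remote_net = m.groups()
    return {"local_subnet": local_net, "local_gw": local_gw,
            "remote_gw": remote_gw, "remote_subnet": remote_net}


def explain_mismatch(sa, tunnels):
    """Compare the peer's selectors with every configured tunnel.

    IKEv1 quick mode needs an exact match, so an overlapping subnet with a wrong
    mask (e.g. /27 configured, /28 proposed) is still a mismatch.
    """
    want_local = ip_network(sa["local_subnet"], strict=False)
    want_remote = ip_network(sa["remote_subnet"], strict=False)
    findings = []
    for name, (local, remote) in tunnels.items():
        problems = []
        have_local = ip_network(local, strict=False)
        have_remote = ip_network(remote, strict=False)
        if have_local != want_local:
            problems.append(f"local: configured {have_local}, peer expects {want_local}")
        if have_remote != want_remote:
            problems.append(f"remote: configured {have_remote}, peer expects {want_remote}")
        findings.append((name, problems))
    return findings


def diagnose(line, tunnels=CONFIGURED_TUNNELS):
    """Map one pluto log line to (category, detail) following the diagnoses on this page."""
    sa = parse_unmatched_sa(line)
    if sa:
        return ("no-matching-connection", explain_mismatch(sa, tunnels))
    if "ICMP type 3 code 3" in line or "errno 111" in line:
        return ("peer-port-unreachable",
                "UDP/500 at the peer answered port unreachable: IKE daemon down or port filtered")
    if "STATE_MAIN_I3" in line and "authentication failure" in line:
        return ("psk-mismatch",
                "peer never answered our first encrypted main-mode message: check the PSK on both ends")
    return ("unknown", line)


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        category, detail = diagnose(entry)
        print(category, "->", detail)
```

Run it over the output of show vpn IPSec-logs with CONFIGURED_TUNNELS filled from the tunnel definitions; the selector comparison is the mechanical version of "check the subnets at both ends".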

Deployment Scenario 1

Current Network:

Internet-->PIX-->Cisco 2800-->Cisco Catalyst 3560-->Cisco 2900 switch

After deploying CR:

Internet-->CR-->Cisco 2800-->Cisco Catalyst 3560-->Cisco 2900 Switch

More on Network:


  • There were VLANs on the network.
  • There were multiple 2900s connected to the Catalyst.
  • The Catalyst was responsible for the inter-VLAN routing.
  • NAT was done only on the PIX, so it will be done only on the Cyberoam.
Issue: No user from any VLAN was able to access the internet.

Debugging:
1> Users were able to reach the Cisco 2800.
2> From the Cisco 2800 we could ping the CR and the VLAN computers.
3> From the CR we could ping the Cisco 2800 WAN interface but not its LAN interface IP.

Clearly it was a routing issue: the CR only knew the subnet on its own LAN port and had no path back to the VLAN subnets behind the 2800. So we created a static route for a single VLAN just to confirm. The static route we added was:

if the destination is the VLAN 1 subnet, then the next hop is the Cisco 2800 WAN IP address

And it started working. The other VLAN subnets behind the 2800 need the same kind of route.
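The static routes in Deployment 3 (default route via Port A), Deployment Scenario 2 (step 4) and this scenario all come down to what the CR's route lookup returns for a destination. The following is an added example, not code from the page or from Cyberoam: a small longest-prefix-match model with a policy-based-VPN check in front of it, showing which path a packet takes with and without each route. Addresses the page does not give are assumptions: the remote-office router 10.1.3.254, the CR LAN 192.168.100.0/24 facing the 2800 WAN IP 192.168.100.2, the VLAN 1 subnet 10.10.1.0/24, and the placeholder gateways "isp-gw" and "dummy-gw".

```python
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Longest-prefix match over a list of (network, next_hop, interface).

    On equal prefix length the earlier entry wins, which is how this model expresses
    that a static route takes precedence over the WAN default gateway.
    """
    dst = ip_address(dst)
    best = None
    for net, hop, iface in routes:
        net = ip_network(net, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, iface)
    return None if best is None else (best[1], best[2])


def forward(routes, policies, src, dst):
    """Decide where a packet leaves a policy-based VPN gateway.

    An IPsec policy (local subnet, remote subnet, name) whose selectors match the
    packet wins; everything else is routed by longest-prefix match.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote, name in policies:
        if s in ip_network(local) and d in ip_network(remote):
            return ("ipsec", name)
    hit = lookup(routes, dst)
    return hit if hit else ("drop", "no route")


# Deployment Scenario 2, seen from the HO CR. The remote-office router address is assumed.
HO_POLICIES = [
    ("10.1.3.0/24", "10.1.2.0/24", "HO-BO"),   # step 2: HO local subnets ...
    ("10.1.1.0/24", "10.1.2.0/24", "HO-BO"),   # ... include the remote-office subnet
]
HO_ROUTES = [
    ("10.1.3.0/24", "connected", "PortA"),
    ("0.0.0.0/0", "isp-gw", "PortB"),
]
HO_ROUTE_STEP4 = ("10.1.1.0/24", "10.1.3.254", "PortA")

# Deployment Scenario 1: a VLAN subnet behind the Cisco 2800 (addresses assumed).
CR1_ROUTES = [
    ("0.0.0.0/0", "isp-gw", "PortB"),
    ("192.168.100.0/24", "connected", "PortA"),   # CR LAN facing the 2800 WAN interface
]
CR1_VLAN_ROUTE = ("10.10.1.0/24", "192.168.100.2", "PortA")   # VLAN 1 via the 2800 WAN IP

# Deployment 3 (single-arm proxy): the static route via Port A is listed before the
# dummy WAN gateway so that it wins the tie between the two default routes.
PROXY_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "PortA"),
    ("0.0.0.0/0", "dummy-gw", "PortB"),
]


def scenario2_paths(with_step4):
    """(BO user -> remote office, remote office -> BO user) with or without the step-4 route."""
    routes = HO_ROUTES + ([HO_ROUTE_STEP4] if with_step4 else [])
    return (forward(routes, HO_POLICIES, "10.1.2.5", "10.1.1.7"),
            forward(routes, HO_POLICIES, "10.1.1.7", "10.1.2.5"))


if __name__ == "__main__":
    print("scenario 2 without step 4:", scenario2_paths(False))
    print("scenario 2 with step 4:   ", scenario2_paths(True))
    print("scenario 1 VLAN 1 host:   ", lookup(CR1_ROUTES + [CR1_VLAN_ROUTE], "10.10.1.20"))
    print("single-arm proxy:         ", lookup(PROXY_ROUTES, "203.0.113.50"))
```

Without the step-4 route the decapsulated BO packet for 10.1.1.7 follows the default route out of Port B, exactly the symptom of "cannot reach the LAN behind the router"; with it the packet goes to the router, and the reply from 10.1.1.7 matches the second policy and enters the tunnel only because 10.1.1.0/24 is in the HO local subnets.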



Deployment

Here I will try to post each new deployment and how we were able to integrate the Cyberoam successfully into the network. Hope this helps.

Your comments are always welcome.

Website with keepalives

Issue: A website was sending keep-alives, but after 5 minutes the website timed out and the user was logged out.

Details: The website was hosted outside the network, and users inside the network were accessing it. On close observation of the packets we found that the browser was sending a keep-alive packet to the website every 5 minutes, but the site was answering with a FIN packet.

Resolution: At first we thought that the issue was at the website end, because the website was gracefully finishing the connection. But on closer observation we found the following:

1> The SYN packet that set up the connection was sent with the ISP1 IP address.
2> The keep-alive packet was sent with the ISP2 IP address.

The connection was being load balanced across the two links. Since the website had no existing connection from the ISP2 IP address, it simply sent the FIN packet. Every packet of one TCP connection has to leave through the same link with the same source address; the 5-minute gap is worth checking against the appliance's session idle timeout, because a keep-alive that arrives after the session has been forgotten can be balanced onto the other link as if it were new traffic.
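The finding above can be made mechanical. As an added example that is not from the page or from Cyberoam, the first function below replays a capture the way the website's TCP stack does (a segment from a 4-tuple that never completed a handshake cannot belong to any session, so the site closes it, with a FIN as seen here or with a RST), and the second groups packets by their inside address and flags any connection whose packets left through more than one public address. The capture, the addresses and the assumption that the appliance's connection log records the pre-NAT client are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float          # seconds since the start of the capture
    src: str          # source address as seen on the wire at the capture point
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags, e.g. "S", "SA", "A", "FA"
    inside: str = ""  # pre-NAT client address (from the appliance's connection log), "" if unknown


# Constructed addresses: two ISP links on the CR and the external website.
ISP1 = "198.51.100.10"
ISP2 = "203.0.113.10"
SITE = "192.0.2.80"

# Constructed WAN-side capture of the case described above: the handshake leaves via
# ISP1, the keep-alive 300 s later leaves via ISP2 (source port preserved by NAT here),
# and the site closes the unknown connection.
WAN_CAPTURE = [
    Packet(0.00, ISP1, 40001, SITE, 443, "S", inside="10.1.1.25"),
    Packet(0.05, SITE, 443, ISP1, 40001, "SA"),
    Packet(0.10, ISP1, 40001, SITE, 443, "A", inside="10.1.1.25"),
    Packet(300.0, ISP2, 40001, SITE, 443, "A", inside="10.1.1.25"),  # keep-alive, wrong source
    Packet(300.1, SITE, 443, ISP2, 40001, "FA"),
]


def server_view(packets, server):
    """Replay the capture as the website sees it.

    A connection exists only after a SYN from that exact 4-tuple; any later segment
    arriving from a tuple the server has never seen is a stray that cannot be matched
    to the established session.
    """
    table = set()
    strays = []
    for p in packets:
        if p.dst != server:
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if "S" in p.flags:
            table.add(key)
        elif key not in table:
            strays.append(p)
    return strays


def nat_flaps(packets):
    """Group client packets by the inside 4-tuple and return the connections whose
    packets left through more than one public source address, with the sequence seen."""
    seen = defaultdict(list)
    for p in packets:
        if p.inside:
            seen[(p.inside, p.sport, p.dst, p.dport)].append((p.t, p.src))
    return {k: v for k, v in seen.items() if len({src for _, src in v}) > 1}


if __name__ == "__main__":
    for p in server_view(WAN_CAPTURE, SITE):
        print(f"stray segment at t={p.t}s from {p.src}:{p.sport}")
    for conn, hops in nat_flaps(WAN_CAPTURE).items():
        print(conn, "left via", [src for _, src in hops])
```

nat_flaps is the check to run on the appliance's connection or NAT log for a long-lived session: any connection that appears with two public source addresses will be cut by the far end no matter how healthy the link is.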

Firewall

Each day I will try to post the various challenges that I have faced. Hope this helps in resolving issues while you are in the field.