Configuration re-sync Juniper ISG NSRP cluster

When the ISG cluster devices are correctly configured, they will start synchronizing the configuration. You can check whether the configuration is in sync with the following command:

Cluster1:fw01(M)-> exec nsrp sync global-config check-sum     
configuration in sync

It can happen from time to time that the configuration of the cluster runs out of sync:

Cluster1:fw01(M)-> exec  nsrp sync global-config check-sum 
Warning: configuration out of sync

To solve this issue, force the configuration sync (only on the backup device!):

Cluster1:fw02(B)-> exec nsrp sync global-config save
load peer system config to save
Save global configuration successfully.
Save local configuration successfully.
done.
Please reset your box to let cluster configuration take effect!

Cluster1:fw02(B)-> reset 
System reset, are you sure? y/[n] y
In reset ...

After the reboot of the backup device, the cluster should be fully operational and in sync.

Note: when the device prompts you to save the config, enter “n” (no).

Quality of Service with Cisco ASA

It has been some years since I last worked with Cisco ASA and QoS. I am into Cisco ASA performance optimising and tuning; it's lots of fun to play around with different settings and get as much performance out of the ASA as possible.

The ASA supports the following QoS features:

  • Priority queuing – To prioritize packets that need it, such as Voice over IP, which is sensitive to latency. The ASA only supports Low Latency Queueing (LLQ).
  • Policing – To prevent one user or one application from consuming all the network bandwidth. Policies restrict bandwidth and can be applied to inbound and outbound traffic on an interface. When traffic exceeds the limits, the options are either drop or permit.
  • Traffic shaping – Traffic that exceeds the configured limits is queued and sent once the traffic rate drops below the threshold. Traffic shaping does not drop packets that go over the threshold, which is better for applications that are sensitive to packet loss. It can only be applied to outgoing traffic on a physical interface, and it is not supported on ASA 5500-X models.

Some information you need to keep in mind if you configure QoS on a Cisco ASA:

  • Supported in single context mode only; multiple context mode is not supported. Very sad, because I prefer using virtual security contexts on ASAs.
  • QoS features can only be applied to physical interfaces (port-channels are not supported).
  • The ASA does not locally mark/remark any classified traffic.

The following feature combinations are supported per interface:

  • Standard priority queuing (for specific traffic) + Policing (for the rest of the traffic).
  • Traffic shaping (for all traffic on an interface) + Hierarchical priority queuing (for a subset of traffic).

In my case I have a Cisco ASA 5515-X and will do standard priority queuing and policing for the rest of the traffic.

Please always read the Cisco ASA Configuration Guide to ensure that your configuration is correct and supported!

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Quality of Service Configuration                         ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Class of Service     DSCP Marking (codepoint name)       ::
:: Premium              46 (EF)                             ::
:: Business-1           26 (AF31)                           ::
:: Business-2           18 (AF21)                           ::
:: Standard             0                                   ::
:: Management           34 (AF41)                           ::
:: Routing Protocol     48 (IP-Precedence 6)                ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

class-map premium-qos-traffic
 match dscp 46
 exit

class-map business-1-qos-traffic
 match dscp 26
 exit

class-map business-2-qos-traffic
 match dscp 18
 exit

policy-map transfer-uk-mpls_policy
 class premium-qos-traffic
  priority
  exit
 class business-1-qos-traffic
  police output 8388500 conform-action transmit exceed-action transmit
  exit
 class business-2-qos-traffic
  police output 10485760 655360 conform-action transmit exceed-action drop
  exit
 class class-default
  police output 2097000 655360 conform-action transmit exceed-action drop
  exit

priority-queue transfer-uk-mpls
 exit

service-policy transfer-uk-mpls_policy interface transfer-uk-mpls
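As an added example (not code from the post), the following Python script decodes the DSCP values from the table above by their bit layout and lints the class-maps and policy-map: it flags a class that combines priority and police, a police rate outside the range given in the ASA command reference (assumed here as 8000 to 2000000000 bps; confirm for your release), and a policer whose exceed-action is transmit, which meters but never limits the traffic.

```python
# Added example (not from the post): lint the class-maps and policy-map above.
# DSCP names come from the bit layout (CSx = 8x, AFxy = 8x + 2y, EF = 46); the police
# rate range is assumed from the ASA command reference (8000..2000000000 bps).
CONFIG = """
class-map premium-qos-traffic
 match dscp 46
class-map business-1-qos-traffic
 match dscp 26
class-map business-2-qos-traffic
 match dscp 18
policy-map transfer-uk-mpls_policy
 class premium-qos-traffic
  priority
 class business-1-qos-traffic
  police output 8388500 conform-action transmit exceed-action transmit
 class business-2-qos-traffic
  police output 10485760 655360 conform-action transmit exceed-action drop
 class class-default
  police output 2097000 655360 conform-action transmit exceed-action drop
"""  # constructed copy of the post's QoS configuration (exit lines dropped)

def dscp_name(dscp):  # PHB name for a 6-bit DSCP: EF, CSx, AFxy, default, DSCPn
    if dscp == 46:
        return "EF"
    cls, low = divmod(dscp, 8)             # top 3 bits: class selector
    if low == 0:
        return "CS%d" % cls if cls else "default"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return "AF%d%d" % (cls, low // 2)  # low bits: drop precedence 1..3
    return "DSCP%d" % dscp

def lint_policy(text):  # -> ({class: DSCP name}, [findings])
    names, actions, findings, cur = {}, {}, [], None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] in ("class-map", "class"):
            cur = tok[1]
        elif tok[:2] == ["match", "dscp"]:
            names[cur] = dscp_name(int(tok[2]))
        elif tok[0] == "priority":
            actions.setdefault(cur, set()).add("priority")
        elif tok[0] == "police":
            actions.setdefault(cur, set()).add("police")
            if not 8000 <= int(tok[2]) <= 2000000000:
                findings.append("%s: police rate %s out of range" % (cur, tok[2]))
            if tok[-2:] == ["exceed-action", "transmit"]:  # meters but never limits
                findings.append("%s: exceed-action transmit never limits traffic" % cur)
    for name, acts in actions.items():
        if {"priority", "police"} <= acts:    # the ASA does not allow both on one class
            findings.append("%s: priority and police on the same class" % name)
    return names, findings
```

Run against the policy above it reports that the business-1 policer limits nothing, because both the conform and the exceed action transmit.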

NetScaler Lync 2013 Frontend (Reverse proxy) balancing

I will not go into much detail about Lync 2013 infrastructures; this is just a basic setup that uses the NetScaler as a reverse proxy for external access to the Lync Frontend server. I am still working on the virtual server configuration for the Lync Edge and the internal Lync Frontend server, which will follow soon. The Lync Edge in particular is a bit tricky because you can’t use SNAT (it is not recommended) for the load balancing configuration, so the NetScaler needs to be the gateway and all traffic must pass through the NetScaler.

The Lync 2013 Protocol Map is very useful for understanding the communication flow.

Add Custom Availability Monitors

add lb monitor monitor-LYNC-TCP4443 TCP -LRTM ENABLED -destPort 4443 -secure YES 
add lb monitor monitor-LYNC-TCP8080 TCP -LRTM ENABLED -destPort 8080

Add Lync Servers

add server LYFE01 10.1.1.30
add server LYFE02 10.1.1.31

Create Service Groups and bind Monitors

add serviceGroup service-LYNC-FE_8080 HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED 
add serviceGroup service-LYNC-FE_4443 SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED

bind serviceGroup service-LYNC-FE_8080 LYFE01 8080 -CustomServerID "\"None\"" 
bind serviceGroup service-LYNC-FE_8080 LYFE02 8080 -CustomServerID "\"None\"" 
bind serviceGroup service-LYNC-FE_8080 -monitorName monitor-LYNC-TCP8080 
bind serviceGroup service-LYNC-FE_4443 LYFE01 4443 -CustomServerID "\"None\"" 
bind serviceGroup service-LYNC-FE_4443 LYFE02 4443 -CustomServerID "\"None\"" 
bind serviceGroup service-LYNC-FE_4443 -monitorName monitor-LYNC-TCP4443

Create Virtual Servers for Lync

add lb vserver vserver-LYNC-FE_80 HTTP 10.44.124.6 80 -persistenceType COOKIEINSERT -timeout 180 -cookieName MS-WSMAN -cltTimeout 180 
add lb vserver vserver-LYNC-FE_443 SSL 10.44.124.6 443 -persistenceType COOKIEINSERT -timeout 180 -cookieName MS-WSMAN -cltTimeout 180

Bind Virtual Servers to Service Groups and configure SSL

bind lb vserver vserver-LYNC-FE_80 service-LYNC-FE_8080 
bind lb vserver vserver-LYNC-FE_443 service-LYNC-FE_4443 

set ssl vserver vserver-LYNC-FE_443 -tls11 DISABLED -tls12 DISABLED 
bind ssl vserver vserver-LYNC-FE_443 -certkeyName lync.mydomain.net

If you want more details, please have a look at the Deployment Guide – Citrix NetScaler for Microsoft Lync.

More information from Microsoft can be found here: Network Planning, Monitoring, and Troubleshooting with Lync Server


NetScaler Exchange 2013 Load Balancing

Here is an example of how to configure Microsoft Exchange 2013 load balancing on a Citrix NetScaler.

Add Exchange Client Access (CAS) Servers

add server EXCHANGE-CAS01 10.1.0.101
add server EXCHANGE-CAS02 10.1.0.102

Create Service Groups

add serviceGroup service-EXCHANGE-OWA SSL -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES -appflowLog DISABLED

bind serviceGroup service-EXCHANGE-OWA EXCHANGE-CAS01 443 -CustomServerID "\"None\""
bind serviceGroup service-EXCHANGE-OWA EXCHANGE-CAS02 443 -CustomServerID "\"None\""
bind serviceGroup service-EXCHANGE-OWA -monitorName https

Import SSL cert

add ssl certKey mail-exchange-cas -cert "/nsconfig/ssl/mail-exchange-cas.pem" -key "/nsconfig/ssl/mail-exchange-cas.pem"

Create and Configure Virtual Server for Exchange

add lb vserver vserver-EXCHANGE-OWA SSL 192.168.0.1 443 -persistenceType SOURCEIP -cltTimeout 180
set ssl vserver vserver-EXCHANGE-OWA -tls11 DISABLED -tls12 DISABLED
bind lb vserver vserver-EXCHANGE-OWA service-EXCHANGE-OWA

Bind SSL to Service Groups and Virtual Server

bind ssl serviceGroup service-EXCHANGE-OWA -certkeyName mail-exchange-cas
bind ssl vserver vserver-EXCHANGE-OWA -certkeyName mail-exchange-cas
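Both the Lync and the Exchange configuration above disable TLS 1.1 and TLS 1.2 on the SSL virtual server, so TLS 1.0 is the newest version those vservers offer. As an added example (not from the posts and not Citrix code), this Python script parses the NetScaler commands into a model of vservers, service groups, members and monitors, reports the protocol findings and prints a hardened set ssl vserver line; the -ssl3, -tls1, -tls11 and -tls12 parameters are real NetScaler options, the parser only understands the command forms used on this page, and client support for TLS 1.2 must be confirmed before the hardened line is applied.

```python
# Added example (not from the posts): model the NetScaler commands above and audit each
# SSL vserver's protocol flags; -ssl3/-tls1/-tls11/-tls12 are real 'set ssl vserver' options.
CONFIG = r"""
add serviceGroup service-EXCHANGE-OWA SSL -maxClient 0 -cltTimeout 180 -svrTimeout 360
bind serviceGroup service-EXCHANGE-OWA EXCHANGE-CAS01 443 -CustomServerID "\"None\""
bind serviceGroup service-EXCHANGE-OWA EXCHANGE-CAS02 443 -CustomServerID "\"None\""
bind serviceGroup service-EXCHANGE-OWA -monitorName https
add lb vserver vserver-EXCHANGE-OWA SSL 192.168.0.1 443 -persistenceType SOURCEIP -cltTimeout 180
set ssl vserver vserver-EXCHANGE-OWA -tls11 DISABLED -tls12 DISABLED
bind lb vserver vserver-EXCHANGE-OWA service-EXCHANGE-OWA
bind ssl vserver vserver-EXCHANGE-OWA -certkeyName mail-exchange-cas
"""  # constructed from the Exchange post's commands; the Lync ones parse the same way

def opts(toks):  # '-flag VALUE ...' tokens -> {"flag": "VALUE"}
    return {k.lstrip("-"): v for k, v in zip(toks[::2], toks[1::2])}

def parse(text):  # -> {vserver: {type, persistence, groups, protocols, certkey, findings}}
    groups, vs = {}, {}
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        head = " ".join(tok[:3])
        if head.startswith("add serviceGroup"):
            groups[tok[2]] = {"members": [], "monitors": []}
        elif head.startswith("bind serviceGroup"):
            key = "monitors" if tok[3] == "-monitorName" else "members"
            groups[tok[2]][key].append(tok[4] if key == "monitors" else (tok[3], int(tok[4])))
        elif head == "add lb vserver":
            vs[tok[3]] = {"type": tok[4], "persistence": opts(tok[7:]).get("persistenceType"),
                          "groups": {}, "protocols": {}, "certkey": None, "findings": []}
        elif head == "bind lb vserver":
            vs[tok[3]]["groups"][tok[4]] = groups[tok[4]]
        elif head == "set ssl vserver":
            vs[tok[3]]["protocols"].update(opts(tok[4:]))
        elif head == "bind ssl vserver":
            vs[tok[3]]["certkey"] = opts(tok[4:]).get("certkeyName")
    return vs

def audit(text):
    vs = parse(text)
    for name, v in vs.items():
        if v["type"] != "SSL":
            continue
        p = v["protocols"]   # only the flags the config sets explicitly
        if p.get("tls12") == "DISABLED":
            v["findings"].append("TLS 1.2 disabled; only older versions are offered")
        for legacy in ("ssl3", "tls1"):
            if p.get(legacy) != "DISABLED":
                v["findings"].append("%s not explicitly disabled" % legacy)
        v["hardened"] = ("set ssl vserver %s -ssl3 DISABLED -tls1 DISABLED "
                         "-tls11 ENABLED -tls12 ENABLED" % name)   # confirm client support first
    return vs
```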

More information can be found in the Citrix deployment guide for Exchange.

Cisco ASA Identity Firewall

I am currently testing identity firewalling with a Cisco ASA for a new office network infrastructure.

The configuration is straightforward and easy to set up:

1. Configure AAA LDAP Server

aaa-server addomain.net protocol ldap
aaa-server addomain.net (INSIDE) host 10.1.0.1
    ldap-base-dn DC=addomain,DC=net
    ldap-group-base-dn DC=addomain,DC=net
    ldap-scope subtree
    server-type microsoft
    server-port 389 
    ldap-login-dn *username*
    ldap-login-password *password*
    exit

If you use LDAP over SSL, you need to enable it and change the server port!

2. Configure Windows Cisco AD Agent

Install the Cisco AD Agent on one of your Windows servers, but not on the Domain Controller if you also want to use NPS!

adacfg client create -name ASA5515 -ip 10.1.0.250/32 -secret secretpresharedkey
adacfg dc create -name DC01 -host DC01.addomain.net -domain addomain.net -user Administrator -password *password*

2.1 Check Windows AD Agent Configuration

C:\IBF\CLI\adactrl.exe show running
C:\IBF\CLI\adacfg.exe client list
C:\IBF\CLI\adacfg.exe dc list

3. Configure AD Agent on the ASA

aaa-server adagent protocol radius
    ad-agent-mode

aaa-server adagent (INSIDE) host 10.1.0.2
    key secretpresharedkey

user-identity ad-agent aaa-server adagent

4. Configure Identity option on the ASA

user-identity domain ADDOMAIN aaa-server addomain.net
user-identity default-domain ADDOMAIN

5. Example Object and Access List Configuration

object-group user USERNAME
    user ADDOMAIN\user1
    exit

object-group user GROUPNAME
    user-group ADDOMAIN\\IT-ADMINs
    exit

access-list INSIDE-IN extended permit ip user ADDOMAIN\user1 any host 10.1.1.1
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\\ADMINs any host 10.1.1.1
access-list INSIDE-IN extended permit ip object-group-user GROUPNAME any host 20.1.1.1
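As an added example (not from the post), here is a Python linter for the identity configuration of steps 4 and 5. It applies the syntax the ACL above uses (one backslash after the domain nickname for user, two for user-group) and checks that every nickname was declared with user-identity domain and that every referenced object-group-user exists; the last three ACEs in the sample are constructed to trigger the findings.

```python
# Added example (not from the post): lint the identity objects and ACEs above, using the
# syntax the post's ACL shows: one backslash for 'user', two for 'user-group'.
CONFIG = r"""
user-identity domain ADDOMAIN aaa-server addomain.net
object-group user USERNAME
 user ADDOMAIN\user1
object-group user GROUPNAME
 user-group ADDOMAIN\\IT-ADMINs
access-list INSIDE-IN extended permit ip user ADDOMAIN\user1 any host 10.1.1.1
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\\ADMINs any host 10.1.1.1
access-list INSIDE-IN extended permit ip object-group-user GROUPNAME any host 20.1.1.1
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\Ops any host 10.1.1.2
access-list INSIDE-IN extended permit ip user-group OTHERDOM\\Ops any host 10.1.1.2
access-list INSIDE-IN extended permit ip object-group-user MISSING any host 10.1.1.3
"""  # the post's lines plus three constructed faulty ACEs (the last three)

def split_identity(kind, value):  # -> (domain, name), or None if the backslash form is wrong
    sep = "\\\\" if kind == "user-group" else "\\"
    if "\\" not in value:
        return (None, value)               # no nickname: default-domain applies
    domain, _, name = value.partition(sep)
    if not domain or not name or "\\" in domain or "\\" in name:
        return None
    return (domain, name)

def lint(text):  # -> list of findings
    domains, groups, findings, cur = set(), set(), [], None
    def verify(kind, value, where):
        if kind == "object-group-user":
            if value not in groups:
                findings.append("%s: object-group user %s is not defined" % (where, value))
            return
        ident = split_identity(kind, value)
        if ident is None:
            findings.append("%s: %s %s has the wrong backslash form" % (where, kind, value))
        elif ident[0] and ident[0] not in domains:
            findings.append("%s: domain %s is not declared with user-identity domain" % (where, ident[0]))
    for n, tok in enumerate(l.split() for l in text.splitlines() if l.strip()):
        if tok[:2] == ["user-identity", "domain"]:
            domains.add(tok[2])
        elif tok[:2] == ["object-group", "user"]:
            cur = tok[2]
            groups.add(cur)
        elif tok[0] in ("user", "user-group"):
            verify(tok[0], tok[1], "object-group %s" % cur)
        elif tok[0] == "access-list":
            i = next((i for i, t in enumerate(tok) if t in ("user", "user-group", "object-group-user")), None)
            if i is not None:
                verify(tok[i], tok[i + 1], "%s line %d" % (tok[1], n))
    return findings
```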

More information about how to configure identity firewalling can be found here: Configuring the Identity Firewall