Site Upgrades for September 2015

First, I want to apologize for not doing my job. Over the past couple years I’ve let this site become slightly stagnant. I won’t attempt to make excuses, but I will say that I’m in a much better place now. Hopefully inspiration will continue to strike, and I will continue to put pen to paper… or finger to keyboard?

Over the past couple weeks I’ve put a fair amount of time and monetary resources into RouterJockey. I’ve fixed quite a few CSS bugs, hopefully without creating more. I purchased an SSL certificate and moved the site to HTTPS, which helps me more than it really does you… but in doing so, I’ve also enabled SPDY 3.1. SPDY should help load times, but Nginx was already doing a pretty good job. Oh, in order to get SPDY up to 3.1 I was forced to migrate away from the Ubuntu repo for Nginx, but that’s not a huge deal.

I’ve also spent some time redesigning the menu bar, adding new links, removing some useless ones, and writing an all new disclaimer. Please be sure to read and understand everything posted on that page before attempting to read any of my articles… /s

But seriously. I want to take the time to thank all of you for putting up with my stagnation, and for supporting my attempt at humor by selling t-shirts. I had planned on also putting some stickers on sale, but I cannot find a site like teespring for stickers. If you know of one, please let me know!

RouterJockey is launching a clothing line?!?!???

Ok maybe that title is a bit grandiose… But due to the great response I received Friday morning from the launch of the original PCAP shirt, and the IPv6 follow-up, I decided to create a few new designs and put everything into a store front. If the demand continues I will continue to publish new shirts, and keep up with relaunching original designs into their own campaigns. Not that I expect the demand for these shirts to continue long term, but you never know. Nevertheless I appreciate everyone’s support thus far.

But I need you! Yes… You! I need your ideas, and most importantly I need your feedback. So please, contact me on Twitter and let me know what you think. If you like what you see, please share the URL for the store.

Without further ado…

Click to visit the RouterJockey shop

PCAP or it didn’t happen… The t-shirt!

Some days I don’t know why I do things… But last night I was playing around with creating a PCAP meme when my friend Josh Kittle said he’d be interested in a t-shirt like that. I got to thinking about it and realized some network engineers out there also might enjoy something like this, so I fired up a campaign on teespring!

Let me know what you think, I may do other shirts in the future as this was fun to work on. If you have any ideas you don’t plan on using, let me know and I might work on developing them.

Oh, and since Jay Franklin had to have an IPv6 shirt… I also launched another version with an IPv6 packet capture, and the #IPv6 hashtag on the back.


Click one of the shirts to see them on teespring…

ASA v9.4 Elliptic Curve Cryptography with TLS1.2

With ASA version 9.4 Cisco has added support for Elliptic Curve Cryptography (ECC), which is one of the most powerful types of encryption in use today. While ECC has been in use since 2004, only recently has its use skyrocketed. Part of the reason is power consumption… In my limited understanding, experts have concluded that a shorter ECC key is just as strong as a much larger RSA key. This increases performance significantly, which reduces the power required for each calculation. If you want to learn more about ECC, check out this fantastic article from Ars Technica.

That brings me to the issue. Last night I failed over some 5585-Xs running > 9.4 that happened to be doing AnyConnect SSL VPN. This morning, my client was seeing issues. Luckily the solution was simple and a colleague pointed me to it fairly quickly. From the Cisco support community page I found later on…

For version 9.4.(x) we have the following information:

Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

Also see the ASA 9.4 Release Notes, which include a quick blurb on the issue…
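The symptom above is easy to confirm from the outside: offer the ASA only ECDSA suites, and separately only RSA suites, and see which certificate comes back on each handshake. The script below is an added example, not from the original post or from Cisco. It assumes openssl(1) is installed, that the hostname you pass is a placeholder for your own VPN interface, and that the OpenSSL cipher names in the ECDSA list are suitable for your client; the RSA list mirrors the ssl cipher command quoted above (minus the RC4 and single-DES entries). On an unfixed 9.4 ASA with an RSA trustpoint, the ECDSA probe should report a self-signed certificate; after the ssl cipher fix, that same probe should fail to handshake, while the RSA probe still returns the trustpoint's CA-signed certificate.

```shell
#!/bin/sh
# Added example (not from the original post): probe a TLS server twice, once
# offering only ECDSA suites and once only RSA suites, and classify the
# certificate presented on each handshake as self-signed or CA-signed.
# Assumptions: openssl(1) is on PATH; the host argument is a placeholder.

HOST="${1:-}"          # e.g. vpn.example.invalid (placeholder, supply your own)
PORT="${2:-443}"

# OpenSSL suite names used for the two probes (assumed, not from the post).
ECDSA_SUITES='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA'
RSA_SUITES='AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA'

# dn_field: print the value of one "subject=" / "issuer=" line from
# `openssl x509 -noout -subject -issuer` output (stdin). Handles both the
# "subject=CN = x" (OpenSSL 1.1+) and "subject= /CN=x" (1.0) layouts.
dn_field() {
    sed -n "s/^$1=[[:space:]]*//p" | head -n 1
}

# classify_cert: read subject/issuer text on stdin and print one of
# SELF-SIGNED (subject equals issuer), CA-SIGNED, or NO-CERT (nothing parsed).
classify_cert() {
    text=$(cat)
    subject=$(printf '%s\n' "$text" | dn_field subject)
    issuer=$(printf '%s\n' "$text" | dn_field issuer)
    if [ -z "$subject" ] || [ -z "$issuer" ]; then
        echo NO-CERT
    elif [ "$subject" = "$issuer" ]; then
        echo SELF-SIGNED
    else
        echo CA-SIGNED
    fi
}

# probe: one TLS 1.2 handshake restricted to the given suites. Prints
# "<negotiated cipher> <classification>", or HANDSHAKE-FAILED when the server
# accepts none of the offered suites (the expected result for the ECDSA probe
# once only RSA suites are permitted on the ASA).
probe() {
    suites="$1"
    out=$(printf '' | openssl s_client -connect "$HOST:$PORT" -servername "$HOST" \
            -tls1_2 -cipher "$suites" 2>/dev/null) || true
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo HANDSHAKE-FAILED
        return
    fi
    # s_client echoes the leaf certificate in PEM; x509 reads the first one.
    class=$(printf '%s\n' "$out" | openssl x509 -noout -subject -issuer 2>/dev/null | classify_cert)
    echo "$cipher $class"
}

# Only touch the network when a host was supplied on the command line.
if [ -n "$HOST" ]; then
    echo "ECDSA-only offer: $(probe "$ECDSA_SUITES")"
    echo "RSA-only offer:   $(probe "$RSA_SUITES")"
fi
```

Run it as `sh probe.sh vpn.example.invalid` before and after applying the ssl cipher command. A CA-signed result on the RSA probe paired with HANDSHAKE-FAILED on the ECDSA probe is the state you want; a self-signed result on the ECDSA probe means ECC-capable clients are still being handed the ASA's auto-generated elliptic curve certificate instead of the configured trustpoint.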

Well-Known Intervals

Listed below are many events which occur on network devices at well-known intervals. The list is provided to serve as an aid while troubleshooting recurring network disruptions. Please consider helping to expand this list by adding other recurrent issues you encounter not already listed.

This list was generated by Jeremy Stretch from PacketLife, but lost after he took his wiki down. Luckily I had previously saved it, as I found it useful, and with his permission I’ve reposted it here.

Short (<=5 minutes)

1 Second

  • Default VRRP hello timer
  • Default EAP-Identity-Request Timeout (Unified WLAN)
  • Default EAP-Request Timeout (Unified WLAN)
  • Default EAPOL-KEY Timeout (Unified WLAN)
  • CleanAir AP Sampling Interval (Unified WLAN)
  • Default Group Specific Query interval (Maximum Response Time of 10) for IGMPv2

2 Seconds

  • Default IEEE 802.1D STP hello timer
  • Default RADIUS / LDAP Server Timeout (Unified & Autonomous WLAN)
  • Default NMSP Updates from WLC to Loc/MSE Server (Unified WLAN)
  • Default IGMPv2 Last Member Query Count x 2

3 Seconds

  • Default GLBP hello timer (Cisco IOS)
  • Default HSRP hello timer (Cisco IOS)

5 Seconds

  • Default EIGRP hello timer on links >= 1.544 Mbps (Cisco IOS)
  • Default LDP hello timer for links (Cisco IOS)

10 Seconds

  • Default HSRP hold timer (Cisco IOS)
  • Default IS-IS hello timer (Cisco IOS)
  • Default OSPF hello timer on broadcast and point-to-point links (Cisco IOS/JunOS)
  • Default 802.1x Supplicant Response Timeout (Unified WLAN)
  • Default Mobility Keepalive Interval (Unified WLAN)
  • Default AP Discovery Timeout (Unified WLAN)
  • Default LDP hello timer for targeted LDP (Cisco IOS)
  • Default LMI Frame Relay message
  • Default IGMPv2 Query Response Interval
