Re: What to do when your ISP off-shores tech support

2008-12-27 Thread Eddie
Matthew Black wrote:
> On Wed, 24 Dec 2008 10:10:33 -0800
>  Etaoin Shrdlu  wrote:
>> Matthew Black wrote:
>>
>>> On Wed, 24 Dec 2008 09:51:41 -0800
>>>  "Tomas L. Byrnes"  wrote:
>>>
>>>> Cox Communications has fully on-shore support. Here in SD they are
>>>> actually LOCAL.
>>
>>> In Verizon land, residential customers do not have
>>> CLEC voice or DSL alternatives. We do not have Cox.
>>> Our area is served by Charter Communications who has
>>> the broadband cable monopoly. Verizon has the fiber
>>> monopoly with their FIOS. AT&T fiber is not possible
>>> in Verizon land. Nobody competes against Verizon for
>>> residential service in Southern California.
>>
>> Sir, both COVAD and DSLExtreme beg to differ. Seriously. I just checked.
>>
>> -- 
>> The histories of mankind are histories only of the higher classes.
>>
>> Thomas Malthus
> 
> 
> Going through COVAD's interactive DSL chooser,
> there are no options for RESIDENTIAL service.
> 
> DSLextreme is charging a higher price than Verizon
> and I suspect they are simply reselling Verizon's
> DSL rather than connecting my copper to their
> network. That's hardly what I consider CLEC service.
> I could be wrong and would switch if I could. But I
> don't see them offering voice and that's why I conclude
> they are reselling Verizon's DSL service.
> 
> matthew black
> california state university, long beach
> 
> 

I have 25 DSLExtreme lines along with 3 other providers in businesses
all around the SoCal area. The local loop is whatever the telco is, but
the network is their own.

The service was better a few years ago, but it still far exceeds what
the big telco provides. The DSLX techs know their stuff and only once
did I have a tech not believe me. On the last call, the tech asked me if
I checked the DSL filters and I told them I had a whole house Selco box
at the MPOE and ran a dedicated cat5 wire as the phone line for the DSL
modem. The tech understood what I had done. No ATT, SBC, or Verizon tech
has ever understood that.

For one location, because of the distance, I had to order an IDSL line
from Covad (SBC owned the wires). I ran a cat5 drop from MPOE to the
office to make the tech's job easier. (yes I use cat5 for phone and
everything. Why not?)

Well, the install date came, the Covad tech came out and installed it,
but left with it not working.

So the blame game went on between SBC and Covad for 2 months before a
time could be arranged when both could be at the location at the same time.

When Covad connects the DSL modem to the pair at the MPOE the modem
makes a hissing sound. Covad proclaims the pair is bad. SBC guy says the
pair test good. SBC swaps to a new pair, but hissing remains. During
this time they are both on hold to the same call center, with their cell
phones on speaker. It was the same on hold music so it was sort of like
listening in stereo.  Both basically sat around for 3 hours on hold
until the SBC guy gave up and left. Covad guy's phone battery went dead
10 minutes later. Nobody ever got a tech on the phone.

To prove that the hissing noise was causing the problem, Covad guy
connected his laptop up and quickly got on the internet. Everything was
working fine. I guess nobody checked 3 hours ago and just assumed it
didn't work.

He tossed me a box with the modem and left. I was left to punch down the
phone lines and put the modem in the office. It was then I discovered
IDSL has about 130 volts running on the lines. Ouch.

The IDSL line stopped working 2 years later so I replaced it with an
EVDO modem. Been fine since.

ATT is worse. I had a DSL guy install the DSL in a vacant abandoned
building twice. The business moved down the block, but the ATT guy just
went to the old building again and again. It took 4 months for that ATT
install.


Re: Leap second tonight

2009-01-01 Thread Eddie
Steven Saner wrote:
> Jon Meek wrote:
>> My Solaris 10 boxes are all happy (and did not reboot). I monitor NTP
>> on a number
>> of devices, including one router. The router was off by one second for
>> a while, but
>> is OK after an hour. Everything else was fine immediately.
>>
>> In 2005, our CDMA clock got the leap second between 15:08 and 15:38
>> EST creating
>> some issues due to disagreement with the (too few) GPS clocks.
>>
>> Jon
>>
>> On Wed, Dec 31, 2008 at 7:53 PM, Wil Schultz  wrote:
>>> At which point my Solaris 10 v490's reboot in unison, lovely.
>>>
>>> Anyone else see anything interesting?
>>>
>>> -wil
> 
> I run a bunch of Slackware Linux boxes of varying versions. As best as I
> can tell, at or around 00:00 UTC all of my Slackware 12.0 boxes crashed
> with a kernel panic. I don't think it is ntpd because it is the same
> version as on 12.1 boxes (4.2.4p0) that did not crash. It may be the
> kernel: 2.6.21.5
> 
> Anyone else experience similar or was this coincidental and I have other
> issues...
> 
> Steve
> 

Yep. I have a few Slack 12 boxes lock up. Digging around, it looks to be
an issue with pre 2.6.21.5 kernels.

-Eddie


Re: Looking for AT&T / Verizon / Sprint WWAN service impressions - on or off-list replies welcome

2009-04-15 Thread Eddie

Crooks, Sam wrote:
> I'm considering use of AT&T / Verizon / Sprint WWAN services and the
> Cisco 3G router interface cards/integrated module in C880 routers for
> primary or backup WAN network connectivity for routers.
>
> I'm looking for information from users of these services on the
> following:

I have only Verizon at the remote locations. But I have messed with the
others.

> - addressing - Do these WWAN services use dynamic, PPPoE or static IP
> assignment typically? Any of the 3? All?
>    - is static IP assignment available?

Verizon is private NAT by default. They will provide a static public IP
address for a one time fee of $500. If I recall right, it's still PPP,
but you get the same IP address every time.

As of 6 months ago, Sprint did not have a static IP option. I now hear
that they do.

> - do these service providers use NAT within their network?
>
> - How is the service reliability?  In most cases, is the service
> available for use when you need to use it?

Depends on your location and the type of radio (USB or pcmcia) you use.
The USB ones tend to flake out on me more, but it might be the router or
other issues.

> - How is the service coverage area?  Do you have problems getting
> sufficient coverage in the deployment location to support desired
> speeds (say 512kbps up/down as a minimum)?

Once again, this depends on your area. I use it as a last ditch effort
when DSL is not available.

> - is ESP / IKE / IPsec permitted through un-rate-limited and un-molested
> by the providers?

No problems using IPSEC tunnels (Cisco PIX) over Verizon EVDO.

> - If you build a IPsec/GRE tunnel over these services, do you have
> frequent issues with the tunnel dropping, or a dynamic routing protocol
> running through the tunnel going down frequently?

The Cisco Pix series tend to rebuild a dropped tunnel, so I can't say I
have looked into it that deeply.

> Also interested in similar information on impressions of similar EMEA
> WWAN service providers, particularly Vodaphone and T-Mobile, if anyone
> has experiences with these.

I have had issues running IPSEC tunnels over a local WISP. Whenever they
would drop out due to maint (normally once a year), I could no longer
establish a VPN tunnel. It would often take days to weeks before the
tunnel would work again. Something in their system would drop the packets.

Never found the cause and switched over to EVDO.

No problems bringing up a VPN connection on my laptop, tethered to my G1
phone on T-Mobile.

> Replies on-list or off-list are welcome Your choice.
>
> Cisco 3G interface and provider information:
>
> http://www.cisco.com/en/US/products/ps7272/index.html
>
> http://www.cisco.com/en/US/prod/routers/networking_solutions_products_ge
> nericcontent0900aecd80601f7e.html#~north-america
>
> Regards,
>
> Sam Crooks


Contact wanted: abc.go.com

2019-03-29 Thread Eddie Parra
Does anyone have a contact for abc.go.com?  If so, could you please contact me 
offline?  

Thanks,

-Eddie

Re: Proving Gig Speed

2018-07-17 Thread Eddie Parra
+1 to Jared.  I’ve seen people not account for this when sizing CoS as well on 
Juniper.

-Eddie



> On Jul 16, 2018, at 11:08 AM, Jared Mauch  wrote:
> 
>> On Mon, Jul 16, 2018 at 01:02:28PM -0500, Dan White wrote:
>> We've found that running windows in safe mode produces better results with
>> Ookla. And MACs usually do better as well. We've gotten >900mb/s with those
>> two approaches.
> 
>I've seen engineers even forget to account for differing behaviors
> of vendors, eg: Juniper doesn't display the layer-2 header counters
> 
>This means a 920Mb/s link may actually be 100% once you add back in
> ethernet framing.  Remind folks that they are seeing the TCP/UDP throughput
> and there is ethernet + IP headers involved.
> 
>- Jared
> 

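Jared's point above, worked through as an added example (this is not code from the thread or from any vendor): the throughput a speed test reports is TCP/UDP payload, while the port is busy for the whole frame plus preamble and inter-frame gap. The header sizes are the standard IEEE 802.3 and RFC values; the payload sizes and the 920 Mb/s figure fed in are assumptions chosen to match the discussion.

```python
"""Convert reported TCP/UDP throughput into the Ethernet line time it occupies.
Added example, not from the thread.  Header sizes are standard; payload sizes
passed in are illustrative assumptions."""

PREAMBLE_SFD = 8   # 7-byte preamble + 1-byte start frame delimiter
ETH_HEADER = 14    # destination MAC, source MAC, EtherType
VLAN_TAG = 4       # 802.1Q tag, present only on tagged links
FCS = 4            # frame check sequence
IFG = 12           # inter-frame gap (96 bit times)
MIN_FRAME = 64     # minimum frame size, header through FCS

IP_HEADER = {4: 20, 6: 40}        # no IPv4 options / IPv6 extension headers
L4_HEADER = {"tcp": 20, "udp": 8}


def wire_bytes_per_frame(payload, ip_version=4, l4="tcp", vlan=False, tcp_options=0):
    """Bytes of link time one frame consumes to carry `payload` bytes of L4 data."""
    frame = (ETH_HEADER + (VLAN_TAG if vlan else 0)
             + IP_HEADER[ip_version] + L4_HEADER[l4] + tcp_options
             + payload + FCS)
    frame = max(frame, MIN_FRAME)        # short frames are padded to the minimum
    return frame + PREAMBLE_SFD + IFG    # signalling that no interface counter shows


def goodput_fraction(payload, **kw):
    """Share of the line rate left for L4 payload at this packet size."""
    return payload / wire_bytes_per_frame(payload, **kw)


def line_rate_from_goodput(goodput_bps, payload, **kw):
    """Line rate implied by a measured TCP/UDP throughput."""
    return goodput_bps / goodput_fraction(payload, **kw)


def max_goodput(line_rate_bps, payload, **kw):
    """Best TCP/UDP throughput a port of this speed can ever report."""
    return line_rate_bps * goodput_fraction(payload, **kw)


if __name__ == "__main__":
    gig = 1_000_000_000
    cases = [("IPv4 TCP, 1460 B MSS", dict(payload=1460)),
             ("IPv4 TCP + timestamps", dict(payload=1448, tcp_options=12)),
             ("IPv6 TCP, tagged", dict(payload=1440, ip_version=6, vlan=True)),
             ("64-byte frames", dict(payload=1))]
    for label, kw in cases:
        pct = goodput_fraction(**kw) * 100
        print(f"{label:24s} {pct:5.1f}% of line rate -> max {max_goodput(gig, **kw) / 1e6:6.1f} Mb/s")
    wire = line_rate_from_goodput(920e6, 1460) / 1e6
    print(f"920 Mb/s TCP at 1460 B MSS occupies about {wire:.1f} Mb/s of a 1 Gb/s port")
```

The same arithmetic applies when sizing CoS queues: a shaper or scheduler that counts bytes from the Ethernet header (or from the IP header, depending on the platform) needs the per-packet overhead added back, and the overhead is far larger for small packets than for full-size ones.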

Re: a quick survey about LLDP and similar

2019-03-04 Thread Eddie Parra
+1 on it depends.  IMO, I would prefer LLDP vs. a vendor proprietary discovery 
protocol.  Where you intend to run it in your network is a major factor for 
risk.  

Also, you forgot to add LLDP-MED to #5 (but it might not be relevant to your 
services).

-Eddie



> On Feb 28, 2019, at 1:27 AM, Owen DeLong  wrote:
> 
> The problem with your survey is that there’s no option to answer “it depends”.
> 
> Hard yes or no answers aren’t realistic to the questions you’re asking 
> because the context,
> security parameters, sensitivity, and other parameters about the network all 
> factor into a
> decision whether to run or not run such protocols.
> 
> There are some environments where the benefit and convenience is moderately 
> high
> and the risk is extremely low. There are other environments where the benefit 
> is relatively
> low, but the risks are significantly higher.
> 
> Owen
> 
> 
>> On Feb 28, 2019, at 01:00 , Pierfrancesco Caci  wrote:
>> 
>> 
>> Hello,
>> having a bit of a debate in my team about turning on LLDP and/or CDP.
>> I would appreciate if you could spend a minute answering this
>> survey so I have some numbers to back up my reasoning, or to accept
>> defeat.
>> 
>> https://www.surveymonkey.com/r/TH3WCWP
>> 
>> Feel free to cross-post to other relevant lists. 
>> 
>> Thank you
>> 
>> Pf
>> 
>> -- 
>> Pierfrancesco Caci, ik5pvx
> 

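To make the risk side of the "it depends" concrete, here is an added example (not code from the thread, the survey or any vendor) that builds one LLDP frame the way a switch advertises itself and then parses it the way any host on that port, including an unwanted one, would. It shows exactly which facts the protocol hands to whoever is listening. The device name, MACs, interface name and the 192.0.2.0/24 address are constructed sample data; TLV layout follows IEEE 802.1AB.

```python
"""Build and parse an LLDP frame.  Added example, not from the thread.
All names, MACs and addresses below are constructed sample data."""

import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_MGMT = 4, 5, 6, 8
CHASSIS_SUBTYPE_MAC = 4     # chassis ID carries a MAC address
PORT_SUBTYPE_MAC = 3        # port ID carries a MAC address
PORT_SUBTYPE_IFNAME = 5     # port ID carries the interface name
MGMT_AF_IPV4 = 1            # IANA address family number for IPv4


def tlv(tlv_type, value):
    """TLV header: 7-bit type, 9-bit length, followed by the value."""
    assert len(value) < 512
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, sys_name, sys_desc, mgmt_ipv4, ttl=120):
    """Minimal, well-formed LLDPDU: the mandatory TLVs plus the common optional ones."""
    mgmt = (bytes([1 + len(mgmt_ipv4), MGMT_AF_IPV4]) + mgmt_ipv4   # addr length, family, address
            + b"\x02" + struct.pack("!I", 1)                        # ifIndex numbering, interface 1
            + b"\x00")                                              # no OID
    lldpdu = (tlv(TLV_CHASSIS, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
              + tlv(TLV_PORT, bytes([PORT_SUBTYPE_IFNAME]) + port_name)
              + tlv(TLV_TTL, struct.pack("!H", ttl))
              + tlv(TLV_SYS_NAME, sys_name)
              + tlv(TLV_SYS_DESC, sys_desc)
              + tlv(TLV_MGMT, mgmt)
              + tlv(TLV_END, b""))
    return LLDP_MULTICAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_lldp(frame):
    """Return the advertised facts as a dict; raise ValueError on a malformed frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info = {"source_mac": mac_str(frame[6:12])}
    text_keys = {TLV_PORT_DESC: "port_description", TLV_SYS_NAME: "system_name",
                 TLV_SYS_DESC: "system_description"}
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if t == TLV_END:
            break
        if t == TLV_CHASSIS and value:
            info["chassis_id"] = (mac_str(value[1:]) if value[0] == CHASSIS_SUBTYPE_MAC
                                  else value[1:].decode("utf-8", "replace"))
        elif t == TLV_PORT and value:
            info["port_id"] = (mac_str(value[1:]) if value[0] == PORT_SUBTYPE_MAC
                               else value[1:].decode("utf-8", "replace"))
        elif t == TLV_TTL and length == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif t in text_keys:
            info[text_keys[t]] = value.decode("utf-8", "replace")
        elif t == TLV_MGMT and value:
            addr = value[2:1 + value[0]]
            if value[1] == MGMT_AF_IPV4 and len(addr) == 4:
                info["management_address"] = ".".join(str(b) for b in addr)
    return info


# Constructed sample advertisement, as a switch access port would send it every 30 s.
SAMPLE_FRAME = build_lldp_frame(
    src_mac=bytes.fromhex("001122334455"),
    chassis_mac=bytes.fromhex("001122334400"),
    port_name=b"ge-0/0/7",
    sys_name=b"edge-sw1.example.net",
    sys_desc=b"Example Networks ExSwitch 1.2.3 (constructed)",
    mgmt_ipv4=bytes([192, 0, 2, 10]),
)

if __name__ == "__main__":
    for key, val in parse_lldp(SAMPLE_FRAME).items():
        print(f"{key:22s} {val}")
```

The system description (vendor and software version) and the management address are the fields worth weighing when deciding where to run it: on a trunk to another device you control they are convenient, on a user-facing or guest port they are a free reconnaissance feed.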


Re: HULU NOC

2019-03-04 Thread Eddie Parra
John,

I have used supportrequ...@hulu.com prior.  Not sure if this is valid anymore.  

-Eddie



> On Feb 28, 2019, at 12:33 PM, John Alcock  wrote:
> 
> Afternoon,
> 
> I have searched the forums and have had no luck.
> 
> We have just received a new block of ip's.  None of my subscribers can get to 
> Hulu.  I have started updating all the major GeoIP Databases.
> 
> I figure I need to get Hulu to update their database. Of course calling 
> regular support is useless
> 
> Anyone have a contact?
> 
> John Alcock
> j...@alcock.org <mailto:j...@alcock.org>
> Network Engineer
> Highland Communications



Re: [nanog] GoDaddy

2014-05-15 Thread Eddie Aquino
What issues are you experiencing? I have a site that has been
intermittently reachable since Monday. I don't have many details as I just
took over but I'm almost certain it's GoDaddy hosted. It is not a secure
site. However, sometimes https works.

Eddie
Network Engineer
On May 15, 2014 7:44 PM, "takashi tome"  wrote:

> Hi all. Does anyone know whether GoDaddy is alive/down?
>
> thanks
>
> Takashi
>


Re: flow generating tool

2011-09-26 Thread Eddie Parra
If you are looking to automate any of your testing, +1 Ixia if the box
is using the Agilent OS/Interface (I forget how they are marketing it
now).  In regards to automation, I recently heard the Spirent
interface was quite handy for generating scripts from GUI
interactions, but I have not used it myself.

HTHs,

-Eddie




On Mon, Sep 26, 2011 at 6:03 AM, Erik Bais  wrote:
> Perhaps not a tool as in software, but clearly something that you might want
> to have a look at :
>
> Ixia and Spirent devices ... Those are mostly used for applications like
> generating different kind of traffic.
>
> Erik Bais



Re: OSPF Visualizer?

2011-09-26 Thread Eddie Parra
Lorell,

This project has not been updated in some time:

http://ospfviz.sourceforge.net/

If you want a commercial product, check out Packet Design's "Route
Explorer" (aka "REX")

HTHs,

-Eddie




On Mon, Sep 26, 2011 at 1:41 PM, Lorell Hathcock  wrote:
> All:
>
> I am a small Wireless ISP in need of an OSPF visualizer that does not cost
> an arm and a leg.
>
> I would like one that can listen to LSA's in each area and build a map of
> the network.
>
> I anticipate that I could troubleshoot OSPF issues with such a system.
>
> Any open source projects?
>
> Thanks in advance,
>
> Lorell Hathcock



Re: 10G switch recommendation

2012-01-26 Thread Eddie Parra
+1 Arista

-Eddie




On Jan 26, 2012, at 1:02 PM, Rodrick Brown  wrote:

> http://www.aristanetworks.com/
> 
> Sent from my iPhone
> 
> On Jan 26, 2012, at 3:20 PM, Deric Kwok  wrote:
> 
>> Hi all
>> 
>> I would like to have a 10G switch recommendation
>> Iperf software can test around 9.2G but we can have congestion over 6G
>> in single port!
>> 
>> Thank you
>> 
> 



Re: FL-IX in Miami is ready for new members

2015-01-16 Thread Eddie Tardist
On Fri, Jan 16, 2015 at 1:07 PM, Patrick Tracanelli <
eks...@freebsdbrasil.com.br> wrote:

>
> > On 12/01/2015, at 17:24, Dave Temkin  wrote:
> >
> > Hi all,
> >
> >
> > FL-IX has started issuing LOAs for both 36 NE 2nd Street and NOTA in
> Miami.
> > If you have a network that peers at either location, we'd love to have
> you
> > as a member. We've committed to keeping the IX platform free for 3 years
> > (you bring the cross connect; we have pre-negotiated deals for
> inexpensive
> > riser in 36 NE 2nd).
> >
> >
> > For more information, please see: http://www.fl-ix.net
> >
>
> Do you have a suggestion for cost-effective cross connect provider from
> ZIP 33166 to 36 NE 2nd St. or NOTA?
>

LMC Wireless LLC is located in Doral.
They will provide microwave connect to Brickell area.
Maybe you should contact them about FL-IX site locations.
How are you connected today?
btw are you the same Patrick Tracanelli from ServerU routing appliances?


Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Eddie Tardist
wnership for a
box that will give me PPS rates that otherwise would cost from 9,000 USD to
12,000 USD on an industry product.

I have followed a good discussion on a Linkedin Group (anyone googling for
it will find it) comparing Netmap to DPDK from the developer perspective.
The Netmap developer pointed out some good considerations while an Intel
engineer pointed out some other perspectives. Overall, DPDK and Netmap
sound, from my end-user/non-developer/non-software-engineer point of view,
very similar in matter of results, while different in the inner gory
details, with some flexibility/generalist advantages for Netmap and some
hardware-specific advantages for DPDK when running Intel hardware (of
course), since it's like CUDA is for Nvidia... vendor specific.

I honestly hope a fraction of this million dollars donated to the FreeBSD
Foundation by the WhatsApp founder goes on research and enhancements for
Netmap technology.

It's the most promising networking technology I have seen in the last
years, and it goes straight to what FreeBSD does best: networking
performance. It's not a coincidence that since the beginning of Internet,
top Internet traffic servers, from Yahoo! to WhatsApp and Netflix, run
FreeBSD.

I don't know how important decisions can be addressed concerning adding to
a Netmap stack a superset of full forwarding capability along with lagg(4),
vlan(4), Q-in-Q, maybe carp(4) and other lightweight but still very
kernel-path choppy features. But I hope FreeBSD engineers take good
decisions on assigning those issues. And address time, funds and goals to
Netmap.

For now, however, if you really want a relatively new and innovative
technology with actual code to use and run, ready and available, this is my
suggestion: FreeBSD+Netmap.

And for hardware vendors, iXSystems + ServerU.

It gets out from the speculation field, since Netmap reference code for
serious stuff, including a whole firewall, is available and ready to test,
compare results, enhance and use.

Suricata IDP has Netmap support, so yes, you can inspect close to line rate
packets on IDS (not IPS) mode with Suricata.

For everything else, DPDK, DNA, PF_RING, you have a framework in place.
Some are experimental, some are more mature, but you will have to code and
prove it by yourself.

While FreeBSD/Netmap is a flavor ready to be tasted.

This is my 5 cents opinion for such a great topic!

Concerning BGP convergence time. Come on, are you serious? You deal with
platforms that take 1 minute, up to 3 minutes for full convergence of a
couple of bgp FULL sessions?

What hardware is that? A Nintendo 8bits? LOL! ;-)

Seriously and literally, a Sega Dreamcast videogame running NetBSD + BIRD
will have better convergence time!!

Now, serious again and no ironic statements further.

While Cisco and Juniper have great ASICS chips and stuff, it's amazing to
see that nowadays, Juniper MX Series still run a weak Cavium-Octeon CPU for
stuff their Trio 3D chip won't run. The same goes for Cisco with amazing
ASICS but with weak CPU power that needs, indeed, to be protected from DDoS
attacks for things that won't run on ASICS.

Convergence time frames above 30 seconds nowadays, IMHO, should not be
accepted on any new BGP environment. Only legacy hardware should take that
long.

For OpenBGP I have <30s convergence time for several full sessions on x86
hardware such as the ones mentioned above. With BIRD, convergence time frames
are even lower. If convergence time takes longer on OpenBGP or BIRD it's
mostly related to how long the UPDATE messages take to arrive, not to be
processed.

--
Eddie


Re: Short (!) survey about internet interconnection

2015-10-20 Thread Eddie Tardist
On Tue, Oct 20, 2015 at 6:33 AM, Uta Meier-Hahn  wrote:

> Dear networkers in North America,
>
> Internet interconnection is largely unregulated. However, in  some
> countries, public regulation has emerged – be it through transparency
> rules, mandatory peering or licensing terms.
>
> Currently, we lack an overview about where regulation exists and we know
> little about how it affects internet connectivity on a global scale.
>
> To start filling this information gap, I have set up a short survey for
> network engineers, peering coordinators and network-savvy legal staffers.
> The goal is to crowdsource an initial overview about formal regulation of
> internet interconnection around the world.
>
> Please participate! It takes no more than 10 minutes and will serve the
> community: http://limesurvey.hiig.de/index.php/675663?lang=en <
> http://limesurvey.hiig.de/index.php/675663?lang=en>
> I will publish the results under a Creative Commons license.
>
> Also, please consider helping by forwarding the link to fellow
> interconnection professionals - think of your Facebook or LinkedIn groups,
> of chat channels and mailing lists. The more regional diversity, the better.
>

When do you plan to publish the results? Will it be just the raw results or
a study on top of (or illustrated by) it will be published?

Nice survey.


>
> Thank you!
>
> Kind regards,
>
> Uta Meier-Hahn
> PhD Candidate
> Alexander von Humboldt Institute for Internet and Society
> Oberwallstr. 9 | 10117 Berlin
> meier-h...@hiig.de  | T +49 30 200 760-82 |
> www.hiig.de/en 
>


Re: IMIX or similiar near-user-load packet generator

2015-10-20 Thread Eddie Tardist
On Tue, Oct 20, 2015 at 1:01 AM, Stanislaw Datskevich  wrote:

> Thanks, Snabb Switch's packetblaster seems to be what I am looking for.
> My goal using it is to find out how much of real users traffic my new
> softrouter can handle until it begin doing packet drops.
>

I would recommend TRex with pktgen-dpdk or netmap's pkt-gen. Have your
current router's average packet size and rate and generate those patterns. If
you just use the suggested tools the traffic pattern may be different from
what you actually have.

http://trex-tgn.cisco.com
https://github.com/luigirizzo/netmap



> > Snabb Switch (https://github.com/SnabbCo/snabbswitch/)
> > Ostinato as already mentioned (http://ostinato.org/)
> >
> > - jkt
> >
> > On Mon, Oct 19, 2015 at 9:24 AM Jerry Jones  wrote:
> > > Ostinato?
> > > On Oct 19, 2015, at 4:22 AM, Stanislaw Datskevich 
> > > wrote:
> > >
> > > Hi all.
> > > Is there any opensource packet generator which can simulate a load
> > > closest to real users? Usually I use iperf, but it can simply
> > > generate
> > > huge load.
> > >
> > >
>


Re: Low Cost 10G Router

2015-05-20 Thread Eddie Tardist
On Wed, May 20, 2015 at 2:07 PM, Mike Hammett  wrote:

> Well, the cores on a many-core CPU aren't going to have the "torque" that
> a Xeon would. They're also still working on the software. It has gotten a
> ton better over the life of the CCRs thus far. BGP is still atrocious on
> the CCRs, but that's because the route update process isn't multithreaded.
> It won't be multithreaded in the next major version either, but they will
> have done some programming voodoo (all programming is voodoo to me) to
> rein in the poor performance issues with full tables.
>
> https://youtu.be/ihZiAC-Rox8?t=37m8s
>

I honestly don't know why most people get impressed by the number of
Tilera cores on the CCR and think it's a good thing.
Your "torque" point makes much sense to me. A few cores with decent clock
and Xeon or Rangeley "torque" is just better. Adding that many weak Tilera
cores with low clock only results in much more context switching, much more
CPU affinity needs.

Multithreading the relevant grained bit of code will also lead to more
context switching, but for threads now instead of processes.

As I understand the architecture of those solutions, I don't see why a
mono-threaded bgp daemon is a problem. Ok, multithreaded would give better
full routing convergence. But once the routing table is loaded it does not
matter how many threads the bgp process will use. The dirty work on Linux
(RouterOS kernel for that matter) will be done on the forwarding information
table, on the packet forwarding code and especially on softirq (interrupt
requests). This is where the bottleneck seems to be, IMHO. Linux is not
good at multithreaded packet forwarding and especially not good at handling
interrupt requests on multi-queue NICs. So, RouterOS is not good as well.

Therefore those "several dozen" cheap and weak Tilera cores powering CCR
boxes are absolutely not friendly for the Linux core and RouterOS itself.

I'm better off with a smaller number of cores with better clock and
better "torque" as Mr Hammett mentioned (I liked the expression usage, yes)
and that's why a Linux or a BSD box with a couple of Xeon CPUs will perform
better than a CCR. Sometimes, as someone mentioned, a couple of i7 cores will
outperform a CCR box as well. More torque, yeah. Less context switching and
time sharing wasted.

However this horizontal scalar number of Tilera cores on the CCR is good
for marketing. After all "you are buying a 36 CPU box" paying "a couple
hundred bucks". Impressive, huh? Well not for me.

>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
> - Original Message -
>
> From: "Colton Conor" 
> To: "Faisal Imtiaz" 
> Cc: "North American Network Operators Group" 
> Sent: Tuesday, May 19, 2015 9:06:26 PM
> Subject: Re: Low Cost 10G Router
>
> So this new $1295 Mikrotik CCR1036-8G-2S+EM has a 36 core Tilera CPU with
> 16GB of ram. Each core is running at 1.2Ghz? I assume that Mikrotik is
> multicore in software, so why does this box not outperform these intel
> boxes that everyone is recommending? Is it just a limitation of ports?
>
>
>
> On Tue, May 19, 2015 at 6:03 PM, Faisal Imtiaz 
> wrote:
>
> >
> >
> >
> > > I've seen serious, unusual performance bottlenecks in Mikrotik CCR, in
> > some
> > > cases not even achieving a gigabit speeds on 10G interfaces.
> Performance
> > > drops more rapidly then Cisco with smaller packet sizes.
> > >
> > > -mel beckman
> >
> >
> > Folks often forget that Mikrotik ROS can also run on x86 machines.
> >
> > Size your favorite hardware (server) or network appliance with
> appropriate
> > ports, add MT ROS on a CF card, and you are good to go.
> >
> > We use i7 based network appliance with dual 10g cards (you can use a quad
> > 10g card, such as those made by hotlav).
> >
> > with a 2gig of ram, you can easily do multiple (4-5 or more full bgp
> > peers), and i7 are good for approx 1.2mill pps.
> >
> >
> > Best of luck.
> >
> >
> > Faisal Imtiaz
> > Snappy Internet & Telecom
> >
>
>


Re: Possible Sudden Uptick in ASA DOS?

2015-07-10 Thread Eddie Tardist
On Fri, Jul 10, 2015 at 3:31 PM, Paul Hoogsteder  wrote:

> On 09-07-15 23:51, Nick Hilliard wrote:
>
>> On 09/07/2015 22:35, Ricky Beam wrote:
>>
>>> "Free" if you have a support contract.
>>>
>> No, free-as-in-beer.
>>
>> You register a guest CCO account, email t...@cisco.com, provide the device
>> serial number (or output of "show hardware") and the bugid + Cisco PSIRT
>> URL reference. Cisco TAC will then provide you with a download link with
>> fixed software, at no cost to you.  It's not a pain in the ass - it works
>> fine.
>>
>> Nick
>>
>>
>>  And while that's the general procedure for almost all Cisco products,
> there is even an faster way for the ASA:
>
> - register a CCO account
> - in ASDM choose Tools > Check for ASA/ASDM Updates
> - follow the onscreen instructions
>
> Paul.


Hello Gentlemen,

I had a crashing ASA 5585-S40 yesterday and it is still crashing today. The box
is up to date, I have similar setups in LAX and on the east coast and I only
see the problem on the west coast on circuits connected to Level3 traffic. I
have a couple of tickets still open with Cisco staff. They have added some
dataplane protection which minimized the instability, but I don't know if
it's a coincidence or effective, since it's not that often but 5585-S40
boxes are still crashing.

If anyone got any update on what's going on please share. I have replaced
one critical box with a Juniper one but I can't do it for all my sites
promptly so.

So far what I found is that it's related to protocol 132 (sctp?). I have
tried to filter 132 but no success. I can't just filter source address
since it's legit, and proto 132 filtered traffic still reaches the box up
to the point it leads to the problem (if in fact it's sctp related).

It looks like I'm back to 90's since it seems like a single packet attack.
I can't see volumetric deviations, I can't see unusual patterns, proto 132
starts showing up and nothing goes wrong, suddenly I get the crash, no
matter if it's been a couple minutes with some proto 132 traffic or if the
traffic just started this second... the only "coincidence" is proto 132
popping up without any further specific pattern.

Weird and keeps happening.

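An added example (not code from the thread, and nothing here is specific to the ASA or to any Cisco bug) of the kind of check that turns "proto 132 shows up, then the box crashes" into numbers before touching a filter: a small IPv4 header parser with a per-protocol and per-source tally, including a count of non-first fragments, which carry the protocol number but no transport header a content filter could look at. The packets are constructed, with addresses from the RFC 5737 documentation ranges.

```python
"""IPv4 header parser and per-protocol / per-source tally.  Added example,
not from the thread; all packets below are constructed test data."""

import struct
from collections import Counter, defaultdict

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_SCTP = 6, 17, 132   # IANA protocol numbers
MORE_FRAGMENTS = 0x2000                                # MF flag in flags/fragment field
IPV4_HDR = "!BBHHHBBH4s4s"                             # 20-byte header without options


def ipv4_packet(src, dst, proto, payload=b"", ident=1, frag_offset=0, more=False, ttl=64):
    """Build a minimal IPv4 packet (no options, checksum left zero) for testing."""
    flags_frag = (MORE_FRAGMENTS if more else 0) | (frag_offset >> 3)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields a DoS triage needs; raise ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    _, _, total, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "proto": proto, "ttl": ttl, "id": ident, "len": total, "header_len": ihl,
        "frag_offset": (flags_frag & 0x1FFF) * 8,          # offset is in 8-byte units
        "more_fragments": bool(flags_frag & MORE_FRAGMENTS),
    }


def tally(packets):
    """Count packets per protocol, per (protocol, source), and non-first fragments per protocol."""
    by_proto, by_src, fragments = Counter(), defaultdict(Counter), Counter()
    for pkt in packets:
        h = parse_ipv4(pkt)
        by_proto[h["proto"]] += 1
        by_src[h["proto"]][h["src"]] += 1
        if h["frag_offset"] > 0:
            fragments[h["proto"]] += 1      # no L4 header in this one
    return by_proto, by_src, fragments


# Constructed capture: three SCTP packets (one fragmented into two pieces) and one TCP packet.
SAMPLE = [
    ipv4_packet("198.51.100.7", "203.0.113.1", IPPROTO_SCTP, b"\x00" * 12),
    ipv4_packet("198.51.100.9", "203.0.113.1", IPPROTO_SCTP, b"\x00" * 12),
    ipv4_packet("198.51.100.7", "203.0.113.1", IPPROTO_SCTP, b"\x00" * 1480, ident=7, more=True),
    ipv4_packet("198.51.100.7", "203.0.113.1", IPPROTO_SCTP, b"\x00" * 40, ident=7, frag_offset=1480),
    ipv4_packet("192.0.2.55", "203.0.113.1", IPPROTO_TCP, b"\x00" * 20),
]

if __name__ == "__main__":
    by_proto, by_src, fragments = tally(SAMPLE)
    for proto, n in by_proto.most_common():
        print(f"proto {proto:3d}: {n} packets, {fragments[proto]} non-first fragments, "
              f"top sources {by_src[proto].most_common(3)}")
```

Feeding real traffic in means reading frames from a pcap and slicing off the Ethernet header before calling parse_ipv4; the interesting output is whether the protocol 132 count, its sources, or its fragment count changes in the minutes before each crash rather than just being present.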

Re: Possible Sudden Uptick in ASA DOS?

2015-07-10 Thread Eddie Tardist
On Fri, Jul 10, 2015 at 7:09 PM, Christoph Blecker 
wrote:

> The bug that this crash impacts is in ASA was introduced in 9.1(4.3)
> and fixed in 9.1(5.1) and later. Are you inside the affected version
> range? If not, it's not the bug being discussed here. If so, you may
> wish to upgrade.
>

Which is the bug being discussed here? I am still in the dark. No, I am not
in the affected range, the only bug I am aware related to proto 132 is back
from 2013 and I don't suspect it's the same bug by reading the advisory
(however it's the same problem, crashing system). This is why I am blindly
looking for clues. Proto 132 is a correlation I made and assumed but not
clear at all. If you are talking about any other bug please clarify or
point me for further readings, I am still looking for a reaction.

Thanks.




> Cheers,
> Christoph