Re: [leaf-user] LRP router failing? - the Last Chapter (STH)DSL line-quality info

2004-10-19 Thread Dale Mirenda
Thank you, Peter. I will watch for that in the future.
Dale Mirenda
On Oct 18, 2004, at 10:21 AM, Peter Mueller wrote:
Glad it's working!!  But let's go back to your ifconfig:
eth0  Link encap:Ethernet  HWaddr 00:10:4B:2C:90:9C
  inet addr:64.113.213.14  Bcast:64.113.213.15  Mask:255.255.255.252
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:1800 errors:0 dropped:0 overruns:0 frame:0
  TX packets:2184 errors:0 dropped:0 overruns:0 carrier:341
  Collisions:0
  Interrupt:9 Base address:0xff00

See the carrier errors (15.6%)?  For future use, carrier errors indicate
cable fault or low-layer problem related to that interface.  FYI the
dumpfile looks normal.

---
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] LRP router failing? - the Last Chapter (STH)DSL line-quality info

2004-10-15 Thread Dale Mirenda
On Oct 14, 2004, at 8:13 AM, [EMAIL PROTECTED] wrote:
snip
So the idea that different gear may be stronger or more tolerant is not
off-the-wall at all.

Thanks for letting us know how it all turned out.
scott; canada
Thanks for the validation, Scott. I'm staying here another day in Boise
because the ISP is sending a replacement DSL router (tomorrow) to see if
that solves the problem (logical, since it is the only critical component
in the whole network that I have not replaced!). That will tell us whether
this theory is right or not.

Dale Mirenda
The replacement for the suspect FlowPoint 2200 DSL router arrived today 
from the ISP (an Efficient Networks 5851). I plugged it into the 
network sans the crutch switch between the two routers, and it worked 
like a charm.  Hypothesis becomes history.

Thanks again to all who helped me with this problem, with a special nod 
of course to Ray who put me on the fast track to the solution. I also 
learned a lot about troubleshooting these issues from all of you who 
responded, and that is just as valuable as, if not more than, fixing 
this one.

This entire incident also goes quite a ways with my superiors, who once 
again have seen first-hand the reliability of the LEAF routers, and the 
support system that has grown around them.

Case closed, lessons learned.
Dale Mirenda



Re: [leaf-user] LRP router failing?

2004-10-12 Thread Dale Mirenda
Thank you, Charles. I've addressed your questions to the measure of my 
ability below:

On Oct 12, 2004, at 7:59 AM, Charles Steinkuehler wrote:
Dale Mirenda wrote:
On Oct 11, 2004, at 10:31 AM, Peter Mueller wrote:
I can do that on the one in Seattle, and on the remote router when I
get to Boise, Erich. I'll read up on tcpdump (never used it before) and
give it a go. Thanks for the idea; I'm getting lots of input on tools
I've never had to think about before, and that is why I came to this
forum for help.
E.g.,
tcpdump -i eth0 not port ssh    # or -i eth1
tcpdump -i eth0 net 192.168.0/24 and not proto \\icmp
tcpdump -i eth0 host 1.2.3.4 or host 5.6.7.8 and not port ssh
Protocols require double-escaping, for example ICMP above.  Windump is the
Windows equivalent.

I think Ray is on the right track with spyware.  Be sure to check ifconfig
for transmission errors, too.

eth0  Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:42
  inet addr:1.2.3.21  Bcast:1.2.3.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
** This is what you are looking for **
  RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
 ^^
  TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
 
  collisions:0 txqueuelen:1000
**
  RX bytes:854678430 (815.0 Mb)  TX bytes:2033727102 (1939.5 Mb)
  Base address:0xece0 Memory:fe1e-fe20

A few errors - 1 every million or so is usually fine.
P
Thanks for the tutorial, Peter. I'll put it to good use. This 
incident has taught me that I need to focus on this kind of tool to 
prepare for emergencies.
I don't have a lot to add, as it looks like you've already gotten 
excellent responses from others in the group,
They've been wonderful. Some of the suggestions have been a bit over my 
head, but that won't last for long. I'll read up on the tools mentioned 
and be able to use them in short order.

but I do have a few quick points and questions:
- I like to use the -n switch to tcpdump, which prevents it from 
trying to resolve IP addresses into domain names (especially if your 
network isn't working right).

- You'll find tcpdump and the required libpcap on the Dachstein CD (if 
you're running one of my images).  Just mount and cd to the CD 
(packages have to be installed from the current directory), then:
  lrpkg -i libpcap
  lrpkg -i tcpdump

- What kind of hardware are you running?  Older pentium (and 
especially 486 boxen) can fairly easily be overloaded by 100 MBit NICs 
if ad/spy/mal-ware is spewing full bore.
Very interesting point. All of my DachBoxen are retired P1 or P2 
desktops. The original Boise LEAF router was a very old (but sturdy) 
P2. I replaced it with a spare P1 that I had here in Seattle, and 
tested before I sent it down. Since then the Boise problem has worsened 
considerably. Hmmm...
- I doubt your IPSec setup is to blame, even if you still have the old 
office in the config files, although I'd still check to make sure.  I 
have several Dachstein boxen at multiple sites in a partial mesh VPN, 
and don't notice any problems when any of the sites go down (which 
happens fairly frequently, as a number of the sites are homes, not 
offices).
That has been my observation in the past, as well, although I intend to 
double-check when I arrive in Boise tomorrow.
- Have you been using anything like MRTG to monitor bandwidth usage 
via snmp?  The traffic graphs can often quickly tell you where to 
start looking for problems (ie: inbound traffic is pegged...go find 
the rogue Kazaa user and get them to play nice; outbound traffic 
pegged...look for an infected system; traffic looks normal...start 
verifying your configurations and infrastructure).
My, that is timely. My #1 project for today was to check my SuSE distro 
for a network traffic monitor that I can run on Linux, with output that 
my untrained eye can comprehend. I will look for MRTG. Does it only 
work with snmp enabled devices? I know my HP ProCurve switches can be 
configured to provide snmp data, and I'm sure that my Linux fileservers 
can be somehow, and the HP networked printers probably. But how about 
the Win98 desktops? And does Dachstein-CD-1.0.2 provide snmp data by 
default, or do I need to implement that as well? I know I can find this 
out for myself with a bit of research, but I'm getting short of time 
and I'd like to play with this stuff on my healthy net in Seattle 
before I try to get it running in Boise, so please forgive the newbie 
whining. I'm not really a newbie, but this crisis has made me feel like 
one.
- My 'gut reaction' is to suspect either infrastructure (ie: bad 
cable, switch, hub, NIC, etc) or an unidentified host generating lots 
of traffic.
I'm kind of leaning toward infrastructure myself, although I tried to 
address that early on. I would like to ask a question about

Re: [leaf-user] LRP router failing?

2004-10-12 Thread Dale Mirenda
 and everyone who has helped you with LRP have 
much reason to be proud.

Dale Mirenda



Re: [leaf-user] LRP router failing?

2004-10-11 Thread Dale Mirenda
On Oct 11, 2004, at 10:31 AM, Peter Mueller wrote:
I can do that on the one in Seattle, and on the remote router when I
get to Boise, Erich. I'll read up on tcpdump (never used it before) and
give it a go. Thanks for the idea; I'm getting lots of input on tools
I've never had to think about before, and that is why I came to this
forum for help.
E.g.,
tcpdump -i eth0 not port ssh    # or -i eth1
tcpdump -i eth0 net 192.168.0/24 and not proto \\icmp
tcpdump -i eth0 host 1.2.3.4 or host 5.6.7.8 and not port ssh
Protocols require double-escaping, for example ICMP above.  Windump is the
Windows equivalent.

I think Ray is on the right track with spyware.  Be sure to check ifconfig
for transmission errors, too.

eth0  Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:42
  inet addr:1.2.3.21  Bcast:1.2.3.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
** This is what you are looking for **
  RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
 ^^
  TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
 
  collisions:0 txqueuelen:1000
**
  RX bytes:854678430 (815.0 Mb)  TX bytes:2033727102 (1939.5 Mb)
  Base address:0xece0 Memory:fe1e-fe20

A few errors - 1 every million or so is usually fine.
P
Thanks for the tutorial, Peter. I'll put it to good use. This incident 
has taught me that I need to focus on this kind of tool to prepare for 
emergencies.

Dale Mirenda

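The ifconfig check described in this thread, as an added example that is not part of the original messages: it parses classic net-tools ifconfig output and compares every non-zero error counter with the packets seen in that direction, using the thread's "1 every million or so" rule of thumb as the threshold. The sample text is constructed from the two interface blocks quoted in the thread (the second is renamed eth1 here), and the function names are hypothetical.

```python
import re

# Constructed sample: the two interface blocks quoted in this thread, in
# classic net-tools ifconfig format (the second block is renamed eth1 here).
SAMPLE = """\
eth0  Link encap:Ethernet  HWaddr 00:10:4B:2C:90:9C
  inet addr:64.113.213.14  Bcast:64.113.213.15  Mask:255.255.255.252
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:1800 errors:0 dropped:0 overruns:0 frame:0
  TX packets:2184 errors:0 dropped:0 overruns:0 carrier:341
  Collisions:0

eth1  Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:42
  inet addr:1.2.3.21  Bcast:1.2.3.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
  TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
COUNTER_RE = re.compile(r"^\s*(RX|TX) packets:(\d+)\s+(.*)$")
PAIR_RE = re.compile(r"(\w+):(\d+)")


def parse_ifconfig(text):
    """Return {iface: {"RX": {...}, "TX": {...}}} with integer counters."""
    stats, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            stats[iface] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and iface:
            counters = {k: int(v) for k, v in PAIR_RE.findall(m.group(3))}
            counters["packets"] = int(m.group(2))
            stats[iface][m.group(1)] = counters
    return stats


def error_report(text, threshold=1e-6):
    """List (iface, direction, counter, count, ratio, flagged) for each
    non-zero error counter; flagged means ratio exceeds the threshold."""
    findings = []
    for iface, directions in parse_ifconfig(text).items():
        for direction, c in directions.items():
            packets = c["packets"]
            for name, count in c.items():
                if name == "packets" or count == 0:
                    continue
                # No packets but errors counted: treat as worst case.
                ratio = count / packets if packets else float("inf")
                findings.append(
                    (iface, direction, name, count, ratio, ratio > threshold))
    return findings


if __name__ == "__main__":
    for iface, direction, name, count, ratio, flagged in error_report(SAMPLE):
        verdict = "CHECK CABLE/NIC" if flagged else "ok"
        print(f"{iface} {direction} {name}={count} "
              f"({ratio:.4%} of packets) {verdict}")
```
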


Re: [leaf-user] LRP router failing?

2004-10-10 Thread Dale Mirenda
On Oct 10, 2004, at 2:36 AM, Erich Titl wrote:
M are 80 ms fine for you? Is this your normal service?
Yes, it is, Erich. The Seattle to Portland link enjoyed a latency of 
about 25 ms, much nicer for internet backups and so on, but that was 
through a major carrier with a latency guarantee and involved just a few 
hops. Traceroute has shown as many as 17 hops between Seattle and Boise 
(same with the Portland to Boise link when it existed). It's not fast 
but it has been reliable up to now.

Dale Mirenda



Re: [leaf-user] LRP router failing?

2004-10-10 Thread Dale Mirenda
On Oct 10, 2004, at 11:10 AM, Lynn Avants wrote:
An 'ipsec barf' will give you virtually every detail concerning the
VPN authentication and connection process.
Probably the first test I'll run when I'm at the Boise console.
Assuming you are
running both ends for subnet sharing, you will not be able to
ping the internal gateway address through the tunnel..
this test should be performed by pinging an internal client on
one subnet from an internal client on the other subnet.
That is typically how I do the ping tests. I hit the outside address of 
the LEAF router from inside the Seattle private network to compare with 
the DSL router (which never drops packets) and the inside Boise 
network, which in the beginning was dropping a lot of traffic when the 
outside address was dropping few or none. Now, the situation has 
degenerated to the point that the

Do not
use either of the gateways to test this connectivity. The only way
the router can participate through the tunnel is if the connection
allows it to be a host instead of a gateway. Many of us use the
gw-to-gw tunnel for typical filesharing and also run a host-to-host
tunnel to allow for connectivity ping checking on an interval.
Set up an stunnel connection, say, between the Linux fileservers, 
through the LEAF ipsec tunnel?

This allows you to run a script that reloads both tunnels if the host-to-host
tunnel goes down for x-seconds and expedites manual intervention
by the maintainer and makes testing far easier.
I might ask for more details about how you set up and use those 
scripts. I admit that I am woefully short of tools (hardware, software, 
and brainware) for dealing with this sort of problem. That's what comes 
of not having enough network crises to learn from.

It may be that the routers are continually attempting to connect to the
Portland office that doesn't exist anymore if this office is still in the
configuration file(s).
I thought I had been careful about that, but I'm not taking anything 
for granted.

 Possibly any nice XP boxes are attempting to connect
to shares at Portland that no longer exist and flooding the router with
garbage traffic as well.
No XP at this firm: MacOS9, MacOSX, Win98, WinNT, and the Linux 
servers. But your point is valid, nonetheless. It is not just XP that 
can spew garbage. But, the problem persists even with every Boise host 
turned off. That is what is so confusing about this whole thing. I can 
only conclude at this point that I've made some gross error assumption 
because I missed something in the remote troubleshooting I've done so 
far. The results just don't make sense.

Thank you for your help, Lynn.
Dale Mirenda



Re: [leaf-user] LRP router failing?

2004-10-10 Thread Dale Mirenda
I can do that on the one in Seattle, and on the remote router when I  
get to Boise, Erich. I'll read up on tcpdump (never used it before) and  
give it a go. Thanks for the idea; I'm getting lots of input on tools  
I've never had to think about before, and that is why I came to this  
forum for help.

Dale
On Oct 10, 2004, at 2:40 PM, Erich Titl wrote:
Dale
can you install tcpdump on those Bering boxes and monitor the traffic  
on their interfaces. You might see what happens when you try to  
connect.

Erich
THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16



[leaf-user] LRP router failing?

2004-10-09 Thread Dale Mirenda
 that was 
replaced.
3. I've never known a problem with LEAF software to survive a reboot.
4. The problem persists even with no client machines operating on the 
private side of the router.

I really don't know where to go from here. These machines were so easy 
to set up and they have worked so well that I have never had to 
troubleshoot them before. I know how to use ping and fping, and a bit 
about nmap (but not much). Mainly, I don't have any idea apart from a 
bad network cable, bad NIC in the router, virus or adware on the 
network, what could cause something like this in the first place, and 
all of those possibilities have been eliminated to my satisfaction.

Thanks in advance for any advice.
Dale Mirenda



[leaf-user] Road warrior VPN questions

2002-10-25 Thread Dale Mirenda
I have a VPN set up between three offices using DachsteinCD v.1.0.2.
Everything is working beautifully. Now I need to extend the functionality of
the VPN to a half-dozen laptops and a few (desktop) telecommuters.

When I originally read the ssh documentation I breezed through the part
about opportunistic encryption and thought "Cool. When I'm ready for this
I can set up a 'dynamic VPN' and not have to manually create tunnels for
every user." Taking another look, though, it seems that this tool is not
ready for prime time. Am I wrong about that? The docs still warn "not
recommended for production use!"

Are there any fancy tricks I can use to make this easier on myself, or do I
need to just quit whining and start configuring?

Dale Mirenda






Re: [leaf-user] What's this guy trying?

2002-10-14 Thread Dale Mirenda

on 10/14/02 3:09 PM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:

 port 1433.. isn't that Citrix or more specifically the ICA
 protocol.  Or was it VNC...
 
 joey

Not Citrix: that's 1494...

Dale Mirenda

 
 
 On Mon, 14 Oct 2002 23:29:42 +0200
 Jon Clausen [EMAIL PROTECTED] wrote:
 Logged into a remote Dachstein box to check up on something else, and I
 see huge amounts of denied packets in /var/log/messages...
 
 Connection attempts from f.x:
 
 10.131.224.1:3 - 62.243.222.62:1
 ^^unknown^^  ^^my remote^^
 
 I see a bunch of these from different IPs (that is, from port 3 to port
 1)... dunno what to make of that, but then there's this guy:
 
 # grep 65.82.107.120 $_ | nl
 1  Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)
 
 continues in 'bursts' to:
 ...
 
 164  Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45 (#2)
 
 is this some kind of DoS? Am I under attack, or is it just some
 misconfigured box?
 
 I nmapped the IP, and the only thing that came up was:
 Port       State   Service
 1433/tcp   open    ms-sql-s
 
 -so I'm guessing it's a zombie windows host... (?)
 
 TIA
 
 Jon Clausen
 
 
 






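The denied-packet lines quoted in this message are in the ipchains "Packet log" format. As an added example (not part of the original thread), the script below decodes such lines and counts them per source, on the assumption that ipchains writes the ICMP type in the source-port position and the ICMP code in the destination-port position when PROTO=1. The first two sample lines are taken from the message; the last two are constructed, and all function names are hypothetical.

```python
import re
from collections import Counter

# chain, target, interface, protocol number, src:port, dst:port
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              4: "source quench", 5: "redirect", 8: "echo request",
              11: "time exceeded"}
ICMP_CODES = {(3, 0): "network unreachable", (3, 1): "host unreachable",
              (3, 3): "port unreachable", (5, 0): "network", (5, 1): "host"}
PROTO_NAMES = {6: "TCP", 17: "UDP"}

# Lines 1-2 are from the quoted message (fields as they appear there);
# lines 3-4 are constructed for illustration.
SAMPLE_LOG = """\
Oct 14 15:05:56 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5685 F=0x T=45 (#2)
Oct 14 15:06:07 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 65.82.107.120:5 62.243.222.62:0 L=56 S=0x00 I=5866 F=0x T=45 (#2)
Oct 14 15:06:08 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=1 F=0x0000 T=45 (#2)
Oct 14 15:06:09 skilderhus kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4021 62.243.222.62:1433 L=48 S=0x00 I=2 F=0x4000 T=110 (#2)
"""


def decode(line):
    """Return a dict describing one Packet log line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, a, b = int(m["proto"]), int(m["sport"]), int(m["dport"])
    if proto == 1:
        # Assumption: for ICMP the two "port" fields are type and code.
        label = "ICMP " + ICMP_TYPES.get(a, f"type {a}")
        code = ICMP_CODES.get((a, b))
        label += f" ({code})" if code else f" (code {b})"
    else:
        name = PROTO_NAMES.get(proto, "proto " + str(proto))
        label = f"{name} port {a} -> {b}"
    return {"src": m["src"], "dst": m["dst"],
            "target": m["target"], "what": label}


def summarize(text):
    """Count decoded log lines per (source address, description)."""
    counts = Counter()
    for line in text.splitlines():
        rec = decode(line)
        if rec:
            counts[(rec["src"], rec["what"])] += 1
    return counts


if __name__ == "__main__":
    for (src, what), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:15s}  {what}")
```
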



Re: [Leaf-user] NT networking over LEAF IPSEC VPN

2002-04-19 Thread Dale Mirenda

Brock,

I am on the verge of having to deal with this issue as well, and your
mapping suggestion is very exciting. I'm not adept at writing login scripts,
though; could you provide a sample syntax for mapping the drives? Have you
done this with a Samba PDC?

Dale Mirenda


 From: Brock Nanson [EMAIL PROTECTED]
 Date: Fri, 19 Apr 2002 15:01:05 -0700
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: RE:[Leaf-user] NT networking over LEAF IPSEC VPN
 
 Do you need free run of network neighbourhood, or could you get by with
 several mapped drives?  These could be done automagically with a logon
 script.





[Leaf-user] Dachstein CD remote login

2002-04-17 Thread Dale Mirenda

My DCD firewall/VPNs are working perfectly. The only thing I have not
figured out is how to log in to the machines and configure them from another
terminal.

Logins would only be from the secure network, so ssh would not be strictly
needed, but it would be nice to know how to set up the ssh connection. I
have noticed that there are a half-dozen ssh-related files listed on the DCD
Contents page, and there is an indication there that the preferred ssh is
the one used with Jacques Nilo's Bering distribution. There is an ssh howto
on his site; is that the best doc available for this purpose? Any Dachstein
vs. Bering caveats before I proceed?

Dale Mirenda





[Leaf-user] DachsteinCD security questions

2002-03-27 Thread Dale Mirenda

I've just succeeded in setting up my first Linux-based VPN using
DachsteinCD. I greatly appreciate the high quality of the Dachstein package
and the (passive) help I got from browsing archives of this list.

At this point, I have two security-related questions:

1. How can I apply a password to the root login that takes you to lrcfg at
bootup? Without password protection, anyone with access to the console could
get into the configuration data.

2. If I use telnet to access my remote firewalls only through the VPN, do I
create a security problem? Should I use ssh for this instead of vanilla
telnet?

Thanks for your help, both future and past.

Dale Mirenda

