I manage an equipment demo network accessed via the old Cisco VPN Client. Last night the router seems to have become the subject of attacks that overload the remote access in such a way as to deny legitimate remote access. No unauthorised remote logins have occurred, but the continued connections are a DoS.
Using the command show aaa user all shows dozens of connections like this:
Unique id 67 is currently in use.
  Accounting:
   log=0x18001
   Events recorded :
     CALL START
     INTERIM START
     INTERIM STOP
   update method(s) :
     NONE
   update interval = 0
   Outstanding Stop Records : 0
   Dynamic attribute list:
     66534E00 0 00000001 connect-progress(36) 4 No Progress
     66534E14 0 00000001 pre-session-time(254) 4 19965(4DFD)
     66534E28 0 00000001 elapsed_time(324) 4 0(0)
     66534E3C 0 00000001 pre-bytes-in(250) 4 0(0)
     66534E50 0 00000001 pre-bytes-out(251) 4 0(0)
     66534E64 0 00000001 pre-paks-in(252) 4 0(0)
     66534E78 0 00000001 pre-paks-out(253) 4 0(0)
   No data for type EXEC
   No data for type CONN
   NET: Username=(n/a)
     Session Id=00000040 Unique Id=00000043
     Start Sent=0 Stop Only=N
     stop_has_been_sent=N
     Method List=0
     Attribute list:
       66534E00 0 00000001 start_time(327) 4 Dec 16 2016 14:54:43
       66534E14 0 00000001 session-id(322) 4 64(40)
   No data for type CMD
   No data for type SYSTEM
   No data for type RM CALL
   No data for type RM VPDN
   No data for type AUTH PROXY
   No data for type CALL
   No data for type VPDN-TUNNEL
   No data for type VPDN-TUNNEL-LINK
   No data for type 11
   No data for type IPSEC-TUNNEL
   No data for type 13
   No data for type RESOURCE
  Debg: No data available
  Radi: No data available
  Interface:
   TTY Num = -1
   Stop Received = 0
   Byte/Packet Counts till Call Start:
     Start Bytes In = 0 Start Bytes Out = 0
     Start Paks In = 0 Start Paks Out = 0
   Byte/Packet Counts till Service Up:
     Pre Bytes In = 0 Pre Bytes Out = 0
     Pre Paks In = 0 Pre Paks Out = 0
   Cumulative Byte/Packet Counts :
     Bytes In = 0 Bytes Out = 0
     Paks In = 0 Paks Out = 0
   StartTime = 14:54:43 UTC Dec 16 2016
   Component = VPN_IPSEC
  Authen: service=LOGIN type=ASCII method=LOCAL
  Kerb: No data available
  Meth: No data available
  Preauth: No Preauth data.
  General:
   Unique Id = 00000043
   Session Id = 00000040
   Attribute List:
     66534E00 0 00000001 port-type(162) 4 Virtual Terminal
     66534E14 0 00000009 interface(158) 13 W.X.Y.Z
  PerU: No data available
  Service Profile: No Service Profile data.
Where W.X.Y.Z is the IP address of the attacker.
I've added a temporary ACL blocking the class A subnet from which the attacks originate, applied to the public interface of the router, but it has no effect:
interface FastEthernet0/1
 description Outside interface
 ip address .... ....
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside

access-list 101 remark temporary attack block attack
access-list 101 deny ip W.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
The relevant local AAA config is:
aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
username ABCD secret 5 ....
I'm struggling to get my head around what's happening, probably not helped by the fact this all occurred at midnight.
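The records above are hard to read dozens at a time, and the interesting fields (peer address from attribute 158, the Username, the cumulative byte counts) are scattered through each one. The following is an added example, not code from the original post or from Cisco: a small parser that splits `show aaa user all` output into session records, then tallies per peer address how many sessions are open, how many never got a username (Username=(n/a)) and how many have moved zero bytes. The sample input is constructed from the record layout in the post using documentation addresses (203.0.113.7, 198.51.100.5), the username ABCD is the one from the post's config, and the "five or more username-less sessions" threshold is an assumption to tune against your real user count.

```python
"""Summarise Cisco IOS `show aaa user all` output by remote peer.

Added example (not from the original post). Regexes key on fixed strings in
the IOS output and tolerate both the router's multi-line layout and a paste
that has been flattened onto one line, as in the forum post.
"""
import re
from collections import defaultdict

SESSION_SPLIT = re.compile(r"Unique id (\d+) is currently in use\.")
USERNAME_RE = re.compile(r"Username=(\S+)")
COMPONENT_RE = re.compile(r"Component = (\S+)")
START_RE = re.compile(r"StartTime = (\d\d:\d\d:\d\d \S+ \w{3} +\d+ \d{4})")
CUMULATIVE_RE = re.compile(
    r"Cumulative Byte/Packet Counts :\s*Bytes In = (\d+)\s*Bytes Out = (\d+)")
# Attribute 158 in the General attribute list carries the peer address.
PEER_RE = re.compile(r"interface\(158\) \d+ (\S+)")

# Constructed record template, trimmed from the layout shown in the post.
RECORD = """Unique id {uid} is currently in use.
  Accounting:
   log=0x18001
   NET: Username={user}
     Session Id={sid:08X} Unique Id={uid:08X}
  Interface:
   Byte/Packet Counts till Call Start:
     Start Bytes In = 0 Start Bytes Out = 0
   Cumulative Byte/Packet Counts :
     Bytes In = {bin} Bytes Out = {bout}
   StartTime = {start}
   Component = VPN_IPSEC
  Authen: service=LOGIN type=ASCII method=LOCAL
  General:
   Attribute List:
     66534E00 0 00000001 port-type(162) 4 Virtual Terminal
     66534E14 0 00000009 interface(158) {plen} {peer}
"""


def build_sample():
    """Constructed sample: six username-less, zero-byte sessions from one
    address plus one real session from user ABCD (documentation IPs)."""
    chunks, uid = [], 60
    for i in range(6):
        uid += 1
        chunks.append(RECORD.format(
            uid=uid, sid=uid - 3, user="(n/a)", bin=0, bout=0,
            start=f"14:{54 + i:02d}:43 UTC Dec 16 2016",
            peer="203.0.113.7", plen=len("203.0.113.7")))
    uid += 1
    chunks.append(RECORD.format(
        uid=uid, sid=uid - 3, user="ABCD", bin=48211, bout=90344,
        start="15:02:10 UTC Dec 16 2016",
        peer="198.51.100.5", plen=len("198.51.100.5")))
    return "".join(chunks)


SAMPLE = build_sample()


def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None


def parse_sessions(text):
    """Return one dict per session record; split() yields
    [preamble, id1, body1, id2, body2, ...] because of the capture group."""
    parts = SESSION_SPLIT.split(text)
    sessions = []
    for uid, body in zip(parts[1::2], parts[2::2]):
        username = _first(USERNAME_RE, body)
        m = CUMULATIVE_RE.search(body)
        bytes_in, bytes_out = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
        sessions.append({
            "unique_id": int(uid),
            "username": username,
            "authenticated": username not in (None, "(n/a)"),
            "component": _first(COMPONENT_RE, body),
            "start_time": _first(START_RE, body),
            "peer": _first(PEER_RE, body),
            "bytes_in": bytes_in,
            "bytes_out": bytes_out,
        })
    return sessions


def summarise_by_peer(sessions):
    """Per peer address: open sessions, sessions with no username, idle ones."""
    summary = defaultdict(lambda: {"sessions": 0, "unauthenticated": 0, "idle": 0})
    for s in sessions:
        entry = summary[s["peer"] or "unknown"]
        entry["sessions"] += 1
        if not s["authenticated"]:
            entry["unauthenticated"] += 1
        if s["bytes_in"] == 0 and s["bytes_out"] == 0:
            entry["idle"] += 1
    return dict(summary)


def suspicious_peers(summary, min_unauthenticated=5):
    """Peers holding at least min_unauthenticated username-less sessions
    (the threshold is an assumption; size it to your legitimate user base)."""
    return sorted(p for p, e in summary.items()
                  if e["unauthenticated"] >= min_unauthenticated)


if __name__ == "__main__":
    by_peer = summarise_by_peer(parse_sessions(SAMPLE))
    for peer, e in sorted(by_peer.items()):
        print(f"{peer:16} sessions={e['sessions']:3} "
              f"no-username={e['unauthenticated']:3} idle={e['idle']:3}")
    print("suspicious:", suspicious_peers(by_peer))
```

To use it on a real router, paste the full `show aaa user all` output into a file and call `parse_sessions()` on its contents; the per-peer counts tell you which addresses to put into the ACL, and the `start_time` field shows whether they keep reconnecting after the ACL is applied, which is a quick way to confirm whether the filter is actually being hit.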
I recently migrated a couple of 6941 phones from ports on an NME-16ES-1G-P that died to a 9ESW with PoE. These two phones connect via Cat 3 and were set to 10 Mbps full duplex because of the cabling limitation. Now, no matter how I configure the 9ESW (auto auto, 10 auto, 10 full, or even 10 half), I get continuous "duplex mismatch discovered" errors on the 2821 router. I've tried leaving the phone on auto and setting it to 10 full and 10 half. No combination works, even auto on the switch and auto on the phone. You would expect 10 full set at both ends to avoid any negotiation. The router is running 15.1 something. The phone loads are DSP69xx.12-4-122-99.131025 and SCCP69xx.9-4-1-3SR1. The phones worked fine for years on the 16ES service module. I appreciate the 9ESW is a different beast from the 'ES, and I had little difficulty migrating the other Cat 5 connected phones to it. The 16ES was removed from the router to enable the 9ESW to operate. The problem phones work fine connected over Cat 5, but replacing the premise wiring is not an option in this case. So to restore service I put the 6941 phones on an external third-party PoE switch hooked to the same port on the 9ESW. Everything is fine, except that the phones are in the wrong VLAN (native rather than voice), but they still work OK. Any suggestions please?
The best way to avoid counterfeit product is to request a support contract along with it, or just ask for the product serial number in advance and buy a support contract for it. Any Cisco partner should be able to tell you the status of a product by serial number. I always ask for product serial numbers in advance and buy only from my trusted Cisco partners.
Thanks again, Leo. I forgot to mention the PS in the 2851 isn't the one with the extra socket for the PoE option; it is just the standard AC PS. Still, I would have thought that the NME would have been detected and operated in non-PoE mode as a switchport module. Maybe you do need the PoE PS for these things to work. It could also be that the module is U/S. The 2851 works well with 4 WICs and an NM switchport module installed. It also has two AIMs, a PVDM and 1 GB RAM installed.
This is one of the typical scenarios where the authentication is better done with digital certificates. Another solution that will technically work, but is not a best practice, is the use of wildcard pre-shared keys. And a third solution: with these old routers, you can also do the authentication with rsa-encryption.