movement3

How to read sh process cpu history output

movement3 — Wed, 25 Jan 2012 21:15:58 +0000

I should have probably known this…

sh processes cpu history

    1111111112222211112222211111111111111111111111112222211111
    6666555550000055553333377777555556666666666555552222277777
100
90
80
70
60
50
40
30
20 **********************************************************
10 **********************************************************
   0….5….1….1….2….2….3….3….4….4….5….5….
             0    5    0    5    0    5    0    5    0    5
               CPU% per second (last 60 seconds)

New info on the left, then move to the right. 0 – 60 secs

    2232232322223222232222322223222232222322223222232223322233
    3233395434442322240012231114431132111201112001231113321133
100
90
80
70
60
50
40      *
30   * ***    *    *    *    *    *    *    *    *   **   **
20 ##########################################################
10 ##########################################################
   0….5….1….1….2….2….3….3….4….4….5….5….
             0    5    0    5    0    5    0    5    0    5
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%

    6333333344476668997433373444444445463333433333333333333433344333433333
    6656864720511174254538515509083501465655064655569566565042316775654427
100                  *
90                 **
80                ***
70 *          * *****    *           *
60 *          ******#*    *           *
50 *         ******##**   * * * * * * *                        *   *
40 ****** *********##** ********************* *************   *******   *
30 ***********#****##****************************************************
20 ######################################################################
10 ######################################################################
   0….5….1….1….2….2….3….3….4….4….5….5….6….6….7.
             0    5    0    5    0    5    0    5    0    5    0    5    0

Here you will see the CPU spike at approx 15-17 hours ago. 0 – 72 hrs.

CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%

DNS dig commands

movement3 — Tue, 24 Jan 2012 20:05:04 +0000

$ dig +trace @4.2.2.2 www.movement3.com

; <<>> DiG 9.8.1 <<>> +trace @4.2.2.2 www.movement3.com
; (1 server found)
;; global options: +cmd
.                       18694   IN      NS      k.root-servers.net.
.                       18694   IN      NS      h.root-servers.net.
.                       18694   IN      NS      d.root-servers.net.
.                       18694   IN      NS      g.root-servers.net.
.                       18694   IN      NS      e.root-servers.net.
.                       18694   IN      NS      m.root-servers.net.
.                       18694   IN      NS      l.root-servers.net.
.                       18694   IN      NS      a.root-servers.net.
.                       18694   IN      NS      c.root-servers.net.
.                       18694   IN      NS      f.root-servers.net.
.                       18694   IN      NS      b.root-servers.net.
.                       18694   IN      NS      j.root-servers.net.
.                       18694   IN      NS      i.root-servers.net.
;; Received 228 bytes from 4.2.2.2#53(4.2.2.2) in 16 ms

com.                    172800 IN      NS      e.gtld-servers.net.
com.                    172800 IN      NS      a.gtld-servers.net.
com.                    172800 IN      NS      c.gtld-servers.net.
com.                    172800 IN      NS      f.gtld-servers.net.
com.                    172800 IN      NS      h.gtld-servers.net.
com.                    172800 IN      NS      g.gtld-servers.net.
com.                    172800 IN      NS      m.gtld-servers.net.
com.                    172800 IN      NS      d.gtld-servers.net.
com.                    172800 IN      NS      i.gtld-servers.net.
com.                    172800 IN      NS      l.gtld-servers.net.
com.                    172800 IN      NS      k.gtld-servers.net.
com.                    172800 IN      NS      j.gtld-servers.net.
com.                    172800 IN      NS      b.gtld-servers.net.
;; Received 495 bytes from 202.12.27.33#53(202.12.27.33) in 125 ms

movement3.com. 172800 IN NS ns1.zoneedit.com.
movement3.com. 172800 IN NS ns3.zoneedit.com.
;; Received 112 bytes from 192.26.92.30#53(192.26.92.30) in 62 ms

www.movement3.com.      1200    IN      A       98.196.98.206
movement3.com.          1200    IN      NS      ns1.zoneedit.com.
movement3.com.          1200    IN      NS      ns3.zoneedit.com.
;; Received 96 bytes from 76.74.236.21#53(76.74.236.21) in 47 ms

.org is handled by:
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.

.net is handled by the same global top level domain severs as .com domains.

You’ll see the root servers redirect to the GTLD servers. The GTLD servers will redirect to Zone Edit DNS servers as per the NS records.

Other dig commands:
dig +short @4.2.2.2 www.movement3.com
dig mx @4.2.2.2 movement3.com

http://dnsknowledge.com/whatis/how-domain-name-servers-work/

Cisco EEM high CPU/Memory script

movement3 — Thu, 05 Jan 2012 20:11:18 +0000

I am just discovering EEM scripts. They are pretty cool! Here are couple of simple scripts for high CPU/Mem. Probably need to tweak the sh commands for the high CPU, I used only the high memory script. Please note, my 2801 router has EEM 3.0 installed. I tried the EEM High CPU script on a 4506 switch with EEM 2.4, but it did not work correctly. Not sure what is happening, haven’t had time to really troubleshoot it.

When the router detects less than 16 MB (16000000) it will run the script and delete itself.
Another value can be 8 MB (8000000)

event manager applet LOW_IO_MEM
event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op lt entry-val “16000000″ poll-interval 60
action 0.0 syslog msg “LOW MEMORY DETECTED. Please wait – logging information to flash:low_mem.txt”
action 0.1 cli command “enable”
action 0.2 cli command “term exec prompt timestamp”
action 1.2 cli command “show memory statistics | append flash:low_mem.txt”
action 1.3 cli command “show process mem sorted | append flash:low_mem.txt”
action 2.3 cli command “show mem all total | append flash:low_mem.txt”
action 3.2 cli command “show log | append flash:low_mem.txt”
action 3.3 cli command “show tech | append flash:low_mem.txt”
action 3.4 cli command “show mem debug leaks summ | append flash:low_mem.txt”
action 5.1 syslog msg “Self-removing applet from configuration…”
action 9.1 cli command “configure terminal”
action 9.2 cli command “no event manager applet LOW_IO_MEM”
action 9.3 cli command “end”

Here are the console messages:
*Jan 5 19:32:18.179: %HA_EM-6-LOG: LOW_IO_MEM: LOW MEMORY DETECTED. Please wait – logging information to flash:low_mem.txt

*Jan 5 19:32:58.267: %HA_EM-6-LOG: LOW_IO_MEM: Self-removing applet from configuration.

5 min avg: .1.3.6.1.4.1.9.9.109.1.1.1.1.8.1
1 min avg: .1.3.6.1.4.1.9.9.109.1.1.1.1.7.1
5 sec avg: .1.3.6.1.4.1.9.9.109.1.1.1.1.6.1

Here are some SNMP strings for older(?) models:
5sec: 1.3.6.1.4.1.9.2.1.56.0
1min: 1.3.6.1.4.1.9.2.1.57.0
5min: 1.3.6.1.4.1.9.2.1.58.0

event manager applet HIGH_CPU
event snmp oid 1.3.6.1.4.1.9.2.1.58.0 get-type exact entry-op lt entry-val “50″ poll-interval 60
action 0.0 syslog msg “HIGH CPU DETECTED. Please wait – logging information to flash:high_cpu.txt”
action 0.1 cli command “enable”
action 0.2 cli command “term exec prompt timestamp”
action 1.2 cli command “show memory statistics | append flash:high_cpu.txt”
action 1.3 cli command “show process mem sorted | append flash:high_cpu.txt”
action 2.3 cli command “show mem all total | append flash:high_cpu.txt”
action 3.2 cli command “show log | append flash:high_cpu.txt”
action 3.3 cli command “show tech | append flash:high_cpu.txt”
action 3.4 cli command “show mem debug leaks summ | append flash:high_cpu.txt”
action 5.1 syslog msg “Self-removing applet from configuration…”
action 9.1 cli command “configure terminal”
action 9.2 cli command “no event manager applet HIGH_CPU”
action 9.3 cli command “end”

The Cisco router with high CPU and Memory

movement3 — Thu, 05 Jan 2012 16:58:19 +0000

Our local tech reported that he had to reboot the Internet router every now and then to restore the Internet connection. We did notice we would get Solarwinds alerts every 10-14 days. It first started around late Nov/early Dec.

I opened a ticket with Cisco thinking it was a bad network card and sent them the show tech. Cisco support ask for more sh commands, but I couldn’t SSH into the router the next day, but it was still passing traffic. This was a tale tale sign.

After we got console access, I saw these messages at the console:

%% Low on memory; try again later

%% Low on memory; try again later

*Jan 3 15:13:43.077: %SYS-2-MALLOCFAIL: Memory allocation of 20000 bytes failed from 0x602E3D38, alignment 0
Pool: Processor Free: 192948 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= “ADJ resolve process”, ipl= 0, pid= 97, -Traceback= 0x602A7FC0z 0x602BEC04z 0x602DDCA0z 0x6100632Cz 0x6100681Cz 0x6100DEF8z 0x6100EB9Cz 0x6100B0FCz 0x61E62BC8z 0x61E62C44z 0x61E64F44z 0x61E65008z 0x61E6571Cz 0x61E658C8z 0x61E67020z 0x63F742F8z

Looking at the sh tech output, the CPU was very high and IP ARP Adjacency was taking over 160 MB.

I got the local tech to reboot the router. Configured a temp password and got him to paste these commands:

config t
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 1.1.1.2
end

The ip route command fixed the issue. From Cisco support’s email:

If you point a static route to a broadcast interface, the route is inserted into the routing table only when the broadcast interface is up. This configuration is not recommended because when the next hop of a static route
points to an interface, the router considers each of the hosts within the range of the route to be directly connected through that interface. For example, ip route 0.0.0.0 0.0.0.0 Ethernet0

With this type of configuration, a router performs Address Resolution Protocol (ARP) on the Ethernet for every destination the router finds through the default route because the router considers all of these destinations as directly connected to Ethernet 0.

This kind of default route, especially if it is used by a lot of packets to many different destination subnets, can cause high processor utilization and a very large ARP cache (along with attendant memory allocation failures).

http://tools.cisco.com/squish/3af76

Cisco ASA SSL VPN config

movement3 — Thu, 22 Dec 2011 15:26:14 +0000

Here are some links detailing how to configs SSL VPN on a Cisco ASA

First we can get a free SSL cert from StartCom.

http://blog.prorouting.com/2009/12/free-ssl-cert-on-cisco-asa-for-webvpn.html

I copy/paste the below info from Pro Routing because it is really good info, and I want to have it in case something ever happens to the original blog.

The post has information regarding PKCS#12 (PFX) files which combines the public and private key into one certificate. This is handy if you have a wildcard cert, you can create a PFX file and install it on many devices.

Start at the Authenticate or Sign-Up page.
Create Account for your domain.
Log into account
You’ll see 3 options
Tool Box, Certificates Wizard, Validations Wizard.
Pick Validations Wizard and change drop down time to Domain Name Validation.
Fill out domain name, press continue.
Pick email address to get validation key. Follow instructions.

Go to Certificates Wizard.
Pick Web Server SSL/TLS Certificate for Certificate Target
Generate Private Key, I left keysize to 2048
!! I know the ASA can generate CSR, but StartCom only accepts SHA and the ASA generates using MD5.
A private Key is generated. Save as ssl.key – Important to save this certificate.
Continue through following instruction.

Tool Box
Retrieve Certificate
- pick Certificate just created.
– should be 2 in there, the one for the browser to use the StartCom site and one for the Server – Class 1)
- copy and paste certificate.

Go Create PKCS#12 (PFX) File
- copy and paste private key into Private Key box
- copy and paste certificate you just grabbed into Enter Certificate box.
- provide a password
- save p12 file that is created, this will be imported into the ASDM.

In ASDM
- Configuration
– Device Management
   – Certificate Management
    – Identity Certificates
    – Add
    – Create Trustpoint Name (Startcom-SSL)
    – Enter Decryption Passphrase used earlier
    – import p12 file.
    – Add Certificate.
– Advanced
   – SSL Settings
   – Change outside trustpoint to one created earlier (Startcom-SSL)
-Apply
-Save

Creating CSR on Cisco ASA

http://www.digicert.com/csr-creation-cisco-asa-vpn.htm

crypto key generate rsa label vpn-test-com.key modulus 2048 noconfirm
crypto ca trustpoint ASDM_TrustPoint0
keypair vpn-test-.com.key
id-usage ssl-ipsec
fqdn vpn.test.com
subject-name CN=vpn.test.com,OU=IT,O=TestINC,C=US,St=CA,L=SomeCity
enrollment terminal
crypto ca enroll ASDM_TrustPoint0 noconfirm

to delete a rsa key:
crypto key zeroize rsa

Here are some links to configure the SSL VPN

http://www.techrepublic.com/blog/networking/clientless-ssl-vpn-remote-access-set-up-guide-for-the-cisco-asa/1366

http://www.techrepublic.com/blog/networking/customize-the-ssl-portal-for-remote-users-in-the-cisco-asa/1385

http://www.techrepublic.com/blog/networking/eight-easy-steps-to-cisco-asa-remote-access-setup/1201

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a008094abcb.shtml

group-policy MV-SSLVPN internal
group-policy MV-SSLVPN attributes
dns-server value 4.2.2.2 8.8.8.8
vpn-tunnel-protocol svc (the SSL client will be installed on the computer, if you want a web portal, use the keyword webvpn instead)
address-pools value MV-SSLVPNPOOL
sysopt connection permit-vpn

Next, we’ll assign the specific attributes:
tunnel-group MV-SSLVPN type remote-access
tunnel-group MV-SSLVPN general-attributes
default-group-policy MV-SSLVPN
tunnel-group MV-SSLVPN webvpn-attributes
group-alias MV-RemoteAccess enable
webvpn
tunnel-group-list enable

Allowing single sign-on

When accessing CIFS links on the clientless WebVPN portal, users are prompted for credentials after clicking the bookmark. LDAP is used to authenticate both the resources and the users already have entered LDAP credentials to login to the VPN session.

You can use the auto-signon feature in this case. Under the specific group-policy being used and under its WebVPN attributes, configure this:

hostname(config)# group-policy ExamplePolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# auto-signon allow uri https://*.example.com/* auth-type all

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a008094abcb.shtml

VMWare Player auto start virtual machine

movement3 — Wed, 21 Dec 2011 20:49:39 +0000

For my home server, I have Windows 2008 R2 running with VMWare Server. Something happened with VMWare Server and it would not start. I googled the error message but couldn’t find anything of much help. Someone suggested to uninstall and install the software, but VMWare doesn’t offer the download anymore. They are offering VMWare Player as the free product. I installed VMWare Player and imported the VM settings. It worked great, but Player does not support automatically starting the VM when Windows first boots up. There is a work around to accomplish this:

Start > Run > control userpasswords2
Uncheck: Users must enter a user name and password to use this computer

http://www.expta.com/2008/03/how-to-enable-autologon-in-windows.html

Create a shortcut for file.vmx to the desktop. Copy this shortcut to the Startup folder.

http://communities.vmware.com/thread/237553

Cisco ASA remote access and hair pinning

movement3 — Wed, 07 Dec 2011 23:13:46 +0000

I’ve always use two Cisco ASA firewalls in a network, one ASA for firewalling duties and the second ASA for remote access VPN. On the remote access VPN, you entered route 0.0.0.0 0.0.0.0 (your core router) tunneled. However if you are working on a smaller network that has only one ASA that does both firewalling and remote access VPN, you need to configure it for hair pinning. Below is the remote access config:

(Command to allow ASA hair pinning)
same-security-traffic permit intra-interface

(Do not NAT to the VPN IP pool address, 10.3.4.0)
access-list nonat extended permit ip any 10.3.4.0 255.255.255.0

ip local pool TEST-VPNPOOL 10.3.4.100-10.3.4.103 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.3.3.0 255.255.255.0

(Nat the VPN pool to the outside interface)
nat (outside) 1 10.3.4.0 255.255.255.0

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

(Crypto statement to create dynamic statement for remote access VPN)
crypto dynamic-map dynmap 999 set transform-set 3DES-SHA

crypto map TEST-map 999 ipsec-isakmp dynamic dynmap
crypto map TEST-map interface outside

crypto isakmp enable outside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy TEST-VPN internal
group-policy TEST-VPN attributes
dns-server value 4.2.2.2 8.8.8.8
vpn-tunnel-protocol IPSec
group-policy idle-time internal
group-policy idle-time attributes
vpn-idle-timeout 30

username bob password removed encrypted

tunnel-group TEST-VPN type remote-access
tunnel-group TEST-VPN general-attributes
address-pool TEST-VPNPOOL
default-group-policy TEST-VPN
tunnel-group TEST-VPN ipsec-attributes
pre-shared-key *****

http://www.velocityreviews.com/forums/t600150-asa-split-tunnel-problems.html

http://www.computerfreetips.com/Cisco_router_tips/Remote-Access-VPN.html

Cisco Voice dial-peer notes

movement3 — Sat, 03 Dec 2011 23:42:38 +0000

Cisco Voice Troubleshooting

I don’t troubleshoot voice very often so when I do I often have to look up the commands. Here is a summary of our setup and commands.

Voice Trunking
Router with a T1/PRI card <====> PBX

On the router config:
dial-peer voice 3 pots
destination-pattern 5…
port 2/0/1

On the PBX, you would configure it to accept 5… and send the call to the proper with the extension. The PBX would also be configured to send X ext to the router. Additional dial-peers would be configured on the router.

Router <=======> Router
On the router config:
dial-peer voice 4 voip
destination-patter 6….
session target ipv4:1.1.1.1

By default the # symbol terminates the call. As soon as the user enters #, he will get a fast busy. To change the termination signal, the command is: dial-peer term (letter).
dial-peer term A

To ensure the gateway is forwarding all the digits, you can enter the command: forward-digits X under the dial-peer voice 1 pots.

Cisco commands:
Active calls on gateway
sh voice call summary
sh voice call status
sh voice port summary
sh call active voice bri (shows codec)
sh call history voice bri

What happens when you dial a number
show dialplan number 1234
show dial-peer voice sum

Troubleshooting commands:
sh controllers T1
debug voice ccapi inout

Hardware inventory:
sh inventory
sh voice dsp
sh diag | inc dsp
sh diag | inc FRU Part Number
sh inv

Other commands:
sh mgcp
test voice translation-rule
show sip-ua register status

Links:
http://www.cisco.com/en/US/docs/ios/12_3/vvf_c/dial_peer/dp_confg.html
http://www.networkworld.com/subnets/cisco/042707-ch4-dialplans.html?page=6
http://thurmantech.com/node/5

Cisco Wireless web auth device timeout

movement3 — Wed, 23 Nov 2011 16:53:06 +0000

After further testing with the wireless web auth login method we noticed that if a laptop were left idle for 5 mins, the user was presented to the login page again and had to re-enter the username/password. After some researching I enabled this timeout value:

WLANS > Advanced > Edit the timeout value for Session Timeout.

Here are my tests on Windows 7:
Idle for 6 mins – OK
Idle for 13 mins – OK

Reboot, got a different IP address – had to re-enter password
Lid shut for 2 mins – had to re-enter password

Seems if the laptop goes to sleep, then you have to re-enter the username/password.

https://supportforums.cisco.com/thread/2096604

https://supportforums.cisco.com/thread/2089102

Cisco Voice YouTube notes

movement3 — Wed, 23 Nov 2011 15:50:18 +0000

Codec	Bandwidth	Quality	Drop Tolerance
G711	85kPayload: 64k	Toll Quality (used by phone company)	No
G722	85kPayload: 64k	Hi-Def	No
G729	30k	Filtered (Less than Toll Quality, high and low frequency removed. Doesn’t sound well with music)	No
iLBC	30k	Filtered (Less than Toll Quality, high and low frequency removed. Doesn’t sound well with music)	Yes

Codec means:
Code
Decode

When you pick up a regular phone and call your neighbor, the phone is using G711.
G711 and G722 work well for LAN.
G729 work well over the WAN with the proper bandwidth and QOS
iLBC was designed for use over the Internet, voice over a VPN tunnel.

Survivable Remote Site Telephone (SRST): the remote office router is running a “lite” version of call manager. When the WAN link goes down, the phones re-registers itself with the local router. The router is running SRST and it can now make calls.

MPLS is important because it is QOS aware and you can run SIP over it. T1 and frame relay are not QOS aware (need to check this).

Digital Signal Processors (DSP): are like memory chips. The DSPs goes on a PVDM. DSP will transcode one codec to another codec.

PVDM2 works on 2800/3800 router
PVDM3 works on 29000/3900 router

G711 is a low complex codec, you can run more channels on the same PVDM chip (64).
G729 is a medium complex codec (42).
iLBC is a high complex codec, you can run the least amount of channels on the same PVDM chip (24).

You can run SIP over the MPLS. This setup allows for end to end QOS control.
You can run SIP with the Internet. The key word is with Internet. The ISP will run a ckt with Internet and SIP. SIP does not run over the Internet link. This allows the provider to QOS the SIP connection.
You can run SIP over the Internet. QOS is limited in this setup. You would use iLBC in this setup. This is the cheapest and easiest to setup.

E911 gives more info than just the street address. i.e. Floor of the building, Ste 430, etc.

A PRI sends the caller ID info.

Fax pass through
Fax relay
T.37 (store and forward)
T.38 (real time, used most of the time)

Fax machine to fax machine uses G711, pass through, and relay.
PRI to a fax server and the fax server will email you the fax normally uses T.37 or T.38