Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning Feature

Cisco Nexus devices support an automatic provisioning or zero-touch deployment feature called PowerOn Auto Provisioning (POAP). This feature assists in automating the initial deployment and configuration of Nexus switches. POAP is enabled by default and activates on devices that have no startup configuration or when Perpetual POAP has been configured using the boot poap enable command.

As with other automatic provisioning technologies, such as Cisco Zero-Touch Provisioning or Cisco Smart Install, some basic assumptions are made about the initial deployment environment. First, that administrators know that the feature exists and is enabled by default. Second, that the Layer 2 (L2) network on which a device initially connects is secure.

By design, the POAP feature leverages several unauthenticated protocols to obtain the initial configuration file for a device. When a device with POAP boots and subsequently fails to locate a startup configuration, such as on the first startup after unboxing or after a restoration of factory defaults, the device enters POAP mode. The device will attempt to locate a DHCP server through a connected management interface [1]. Then the switch will listen for a DHCP response that includes at a minimum the following:

  • An IP address
  • A default gateway
  • Option 66 (TFTP server name) or Option 150 (TFTP server address)
  • Option 67 (boot file name)

If the Nexus device receives multiple DHCP responses that meet these requirements, the first DHCP response received will be accepted, and POAP will move to the next stage of the device configuration. If no DHCP responses that meet these requirements are received prior to the timeout period, the device will exit POAP mode.

If a DHCP response is accepted, the Nexus device will attempt to connect to the provided TFTP server to retrieve the Python or Tool Command Language (Tcl) POAP configuration script specified within the boot file option. The switch will then execute the script to retrieve the specified software and device configuration. The Nexus device software and configuration may be retrieved using Secure Copy Protocol (SCP), FTP, or SFTP. The downloaded Nexus software will be assigned as the active image, with the configuration file scheduled to be applied when the device restarts.
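The acceptance rule above is easy to state but worth checking against real traffic from the staging segment: an offer that carries an address, a router option and either a TFTP option (66 or 150) plus a boot file name (67) is exactly what a freshly unboxed switch will act on. The following Python script is an added example, not Cisco code and not part of the advisory. It parses the option area of a DHCP reply, evaluates the four requirements listed above, and flags a qualifying offer whose server identifier (option 54) is not on an allow-list of known provisioning servers. The packets and the allow-list are constructed inside the script; in practice you would feed it DHCP replies captured on the management segment where new Nexus devices are cabled.

```python
"""Inspect DHCP replies for the fields POAP requires (added example, not Cisco code)."""
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 0, 3, 53, 54
OPT_TFTP_NAME, OPT_BOOTFILE, OPT_TFTP_ADDR, OPT_END = 66, 67, 150, 255
BOOTREPLY = 2


def parse_options(area: bytes) -> dict:
    """Parse the DHCP option area (magic cookie followed by TLVs) into {code: bytes}.
    Handles pad (0), end (255) and truncation; repeated codes are concatenated (RFC 3396)."""
    if not area.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(area):
        code = area[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(area):
            raise ValueError("truncated option header")
        length = area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> dict:
    """Pull op, yiaddr and the options out of a raw BOOTP/DHCP UDP payload."""
    if len(payload) < 240:
        raise ValueError("shorter than BOOTP fixed header plus cookie")
    return {"op": payload[0],
            "yiaddr": IPv4Address(payload[16:20]),
            "options": parse_options(payload[236:])}


def poap_checks(msg: dict) -> dict:
    """Evaluate the advisory's minimum requirements against one parsed DHCP reply."""
    o = msg["options"]
    return {
        "is_reply": msg["op"] == BOOTREPLY,
        "has_ip": msg["yiaddr"] != IPv4Address("0.0.0.0"),
        "has_gateway": OPT_ROUTER in o and len(o[OPT_ROUTER]) >= 4,
        "has_tftp": OPT_TFTP_NAME in o or OPT_TFTP_ADDR in o,
        "has_bootfile": OPT_BOOTFILE in o and len(o[OPT_BOOTFILE]) > 0,
    }


def poap_would_accept(msg: dict) -> bool:
    """True when the reply meets every requirement POAP needs to proceed."""
    return all(poap_checks(msg).values())


def unexpected_provisioner(msg: dict, allowed_servers: set) -> bool:
    """Defender check: a POAP-qualifying offer from a server not on the allow-list.
    Server identity is taken from option 54 (server identifier)."""
    if not poap_would_accept(msg):
        return False
    sid = msg["options"].get(OPT_SERVER_ID)
    return sid is None or str(IPv4Address(sid[:4])) not in allowed_servers


def build_offer(yiaddr: str, router: str, server_id: str,
                tftp_addr: str = None, bootfile: str = None) -> bytes:
    """Construct a minimal DHCPOFFER payload for testing (constructed data, not a capture)."""
    fixed = bytearray(236)
    fixed[0], fixed[1], fixed[2] = BOOTREPLY, 1, 6  # op, htype=Ethernet, hlen
    fixed[16:20] = IPv4Address(yiaddr).packed
    opts = bytearray(MAGIC_COOKIE)
    opts += bytes([OPT_MSG_TYPE, 1, 2])  # message type 2 = DHCPOFFER
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    opts += bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
    if tftp_addr:
        opts += bytes([OPT_TFTP_ADDR, 4]) + IPv4Address(tftp_addr).packed
    if bootfile:
        name = bootfile.encode()
        opts += bytes([OPT_BOOTFILE, len(name)]) + name
    opts += bytes([OPT_END])
    return bytes(fixed) + bytes(opts)


# Constructed sample offers (placeholder addresses): one from the expected provisioning
# server, one without boot options, and one from a host that should not be handing
# out boot files on a staging segment.
GOOD = parse_dhcp(build_offer("10.0.0.50", "10.0.0.1", "10.0.0.10",
                              tftp_addr="10.0.0.10", bootfile="poap.py"))
PLAIN = parse_dhcp(build_offer("10.0.0.51", "10.0.0.1", "10.0.0.10"))
ROGUE = parse_dhcp(build_offer("10.0.0.52", "10.0.0.1", "10.0.0.99",
                               tftp_addr="10.0.0.99", bootfile="poap.py"))

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("PLAIN", PLAIN), ("ROGUE", ROGUE)):
        print(name, poap_checks(m), "unexpected:", unexpected_provisioner(m, {"10.0.0.10"}))
```

The script deliberately accepts either option 66 or option 150 and ignores everything else in the reply, mirroring the "first response that meets these requirements wins" behaviour described above; that is why the allow-list on option 54, rather than the content of the boot file, is what the monitoring check keys on.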

Several steps in the POAP configuration process rely on a secure network segment to obtain critical startup information. While the POAP feature disables itself after a configuration is applied to a device [2], it is critical that customers properly secure the networks in which POAP may be utilized. Some customers may want to disable the POAP feature and use other methods to configure a Nexus device out of the box. To this end, Cisco has added multiple new commands to disable POAP that will persist across a reset to factory defaults and the removal of a configuration. For guidelines on securing a POAP environment, as well as information about disabling the feature, see the Details and Recommendations sections.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-info-poap

[1] On some Nexus chassis-based devices, the DHCP solicitation may also be sent using all front-panel Ethernet interfaces of the installed router processor.

[2] The POAP feature will not be disabled if Perpetual POAP has been configured using the boot poap enable command and will run on each reload of the device.

Security Impact Rating: Informational

Related:

  • No Related Posts

Can't edit App layer, boot error 0xC000000F; but OS and Platform Layers work OK

First, verify that this is not the issue described in https://support.citrix.com/article/CTX238440. The error message is normally different, but that is the most likely cause: language issues.

Second, Add Version to your OS layer, run CMD As Administrator, and do the following. This will trigger a new scan of critical OS system files to update our list of critical system files.

CD Program Files\Unidesk\Uniservice

Uniservice.exe /B

<Reboot>

Then finalize that and test creating a new app layer again.

Otherwise, this is a system driver that has not been properly copied to the boot disk. This does not apply to OS and Platform layers because the boot disk is handled differently. But with App Layers, the boot disk is a thin disk that contains just enough Windows to get minifilter drivers running. 0xC000000F means we missed copying something to the boot disk.

Unfortunately, you can’t tell what we missed. What you need to do is version your OS layer to get a record of a successful boot. Log in, run msinfo32, select Boot, and enable Boot Logging. This will create a boot log file called C:\Windows\ntbtlog.txt that contains, in order, every file loaded during boot. Reboot to generate the log, and copy it to a file share. Leave the packaging machine for the OS layer open; you will need it again in a minute.

On the packaging machine for the App Layer that fails to boot, attach your Windows installer ISO and boot from it. When you get to the first Windows Setup dialog, press Shift-F10, which will bring up a command prompt window. In this machine, X: is the CD-ROM, C: is the mini boot disk, D: is the OS layer, and E: is the package disk. We care about C: and D:. Specifically, we care about what is in D: that is not in C: but should be.

Load ntbtlog.txt in Notepad. In the command prompt window, type “C:” to switch to the C drive, and then “CD \Windows\system32”. All of your important files will be in \Windows\system32 or \Windows\system32\drivers. Read through ntbtlog.txt and check that each file is on your C: drive. For any file that is not, copy it from the D: drive with a command like this:

XCOPY /CHOK D:\Windows\system32\drivers\ntosext.sys C:\Windows\system32\drivers

The parameters to XCOPY ensure that the permissions and attributes are copied as well. Note every missing file. Once you have found and copied in the missing files, reboot from the hard drive, not the CD-ROM. Verify that your app layer now boots. Cancel the App Layer.

Back in the OS layer, edit C:\Program Files\Unidesk\Uniservice\bootfile.txt. Add the correct path for each missing file to the bottom of bootfile.txt. Note that the directory separators are / instead of \. So, for instance, add the following lines:

C:/Windows/system32/drivers/ntosext.sys

C:/Windows/system32/drivers/clipsp.sys

Save the file, finalize, and attempt to create a new app layer with the new OS version. If this works, please open a Support Case and let Citrix know about this file. Normally we would have picked it up with the Uniservice /B scan. We will likely ask for other information from your OS layer, including if you know what updates might have triggered this. However, with the modified bootfile.txt, you should be able to continue your deployment.
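Working through a boot log by hand is error-prone when it lists several hundred files, and the two outputs of the procedure above (XCOPY commands with the backslash paths, bootfile.txt entries with forward slashes) are easy to mistype. The following Python script is an added example, not Citrix or Unidesk code. It parses the "Loaded driver" entries of an ntbtlog.txt, compares them case-insensitively against a listing of the mini boot disk, and emits both the XCOPY lines and the bootfile.txt lines for whatever is missing. The boot log and the boot-disk listing are constructed inline; the assumption is that loaded entries take the form "Loaded driver \SystemRoot\...", which is how Windows writes them, and that \SystemRoot maps to \Windows on the OS layer disk.

```python
"""Compare an ntbtlog.txt boot log against the files present on the mini boot disk and
emit the XCOPY and bootfile.txt lines the procedure above asks for.
Added example; not Citrix App Layering / Unidesk code."""
import re
from pathlib import PureWindowsPath

# ntbtlog.txt records each loaded module as "Loaded driver \SystemRoot\system32\...".
# Header lines (OS version, date) vary by Windows build, so only driver entries are matched.
LOADED = re.compile(r"^Loaded driver\s+(\\.+)$", re.IGNORECASE)


def loaded_drivers(ntbtlog_text: str) -> list:
    """Return the paths recorded as loaded, in boot order, de-duplicated (case-insensitive)."""
    seen, out = set(), []
    for line in ntbtlog_text.splitlines():
        m = LOADED.match(line.strip())
        if not m:
            continue
        path = m.group(1).strip()
        if path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out


def to_os_relative(path: str) -> str:
    """Map \\SystemRoot\\... to a drive-relative path (Windows\\...); assumption: SystemRoot is \\Windows."""
    p = path.lstrip("\\")
    if p.lower().startswith("systemroot\\"):
        p = "Windows\\" + p[len("systemroot\\"):]
    return p


def missing_on_boot_disk(ntbtlog_text: str, boot_disk_files: set) -> list:
    """Files the OS loaded that are absent from the mini boot disk (case-insensitive compare)."""
    present = {f.lower() for f in boot_disk_files}
    return [rel for rel in (to_os_relative(p) for p in loaded_drivers(ntbtlog_text))
            if rel.lower() not in present]


def xcopy_commands(missing: list, src: str = "D:", dst: str = "C:") -> list:
    """One XCOPY /CHOK line per missing file, copying into the matching directory on dst."""
    cmds = []
    for rel in missing:
        p = PureWindowsPath(rel)
        cmds.append(f"XCOPY /CHOK {src}\\{p} {dst}\\{p.parent}")
    return cmds


def bootfile_lines(missing: list, drive: str = "C:") -> list:
    """bootfile.txt entries use forward slashes, as the procedure above notes."""
    return [f"{drive}/" + rel.replace("\\", "/") for rel in missing]


# Constructed sample boot log and boot-disk listing (not a real capture).
SAMPLE_LOG = """\
Microsoft (R) Windows (R) Version 10.0 (Build 17763)
Loaded driver \\SystemRoot\\system32\\ntoskrnl.exe
Loaded driver \\SystemRoot\\system32\\drivers\\fltmgr.sys
Loaded driver \\SystemRoot\\system32\\drivers\\clipsp.sys
Loaded driver \\SystemRoot\\system32\\drivers\\ntosext.sys
Loaded driver \\SystemRoot\\system32\\drivers\\fltmgr.sys
Did not load driver \\SystemRoot\\System32\\drivers\\example.sys
"""
SAMPLE_BOOT_DISK = {
    "Windows\\system32\\ntoskrnl.exe",
    "Windows\\system32\\drivers\\fltmgr.sys",
}

if __name__ == "__main__":
    miss = missing_on_boot_disk(SAMPLE_LOG, SAMPLE_BOOT_DISK)
    print("\n".join(xcopy_commands(miss)))
    print("\n".join(bootfile_lines(miss)))
```

To use it against a real machine, save ntbtlog.txt from the OS layer and produce the boot-disk listing from the WinPE prompt (for example with DIR /S /B on C:\Windows, trimmed to drive-relative paths); the script never touches the disks itself, it only prints the commands and lines for you to review and apply.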

PPG may reject MMSC connections

By default the PPG is configured with the tw_recycle setting enabled:

[root@ppg2 ~]# awk '/# Added by Gemini Mobile/,/recycle/' /etc/sysctl.conf
# Added by Gemini Mobile 'factory' framework:
#
#
net.ipv4.tcp_tw_recycle = 1

This allows the fast reuse of connections in the TIME-WAIT queue. As an extra check it rejects the connection if a SYN packet arrives with a timestamp (TSval) smaller than the last known timestamp from this peer. This check is in addition to the PAWS protection, but it only works if the TSval values of the packets received from the same IP address are monotonically increasing.

This requirement is not met when the MMSC is behind NAT. The man page is also clear that this causes problems with NAT:

 tcp_tw_recycle (Boolean; default: disabled; since Linux 2.4) Enable fast recycling of TIME_WAIT sockets. Enabling this option is not recommended since this causes problems when working with NAT (Network Address Translation).

Because reuse of connections in the TIME-WAIT state may be needed for a high rate of requests, the tw_reuse option should be set:

 tcp_tw_reuse (Boolean; default: disabled; since Linux 2.4.19/2.6) Allow to reuse TIME_WAIT sockets for new connections when it is safe from protocol viewpoint. It should not be changed without advice/request of technical experts.
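Checking for this setting across a fleet is a small config-audit task, so here is an added Python example (not PPG or Gemini Mobile code) that parses sysctl.conf syntax (comments, "key = value", "/" or "." key separators, last assignment wins) and reports the two findings discussed above: tcp_tw_recycle enabled, and tcp_tw_reuse not enabled. The shipped and corrected fragments are constructed inline from the awk output shown earlier. One caveat worth knowing before applying the corrected fragment: tcp_tw_recycle was removed from the kernel in Linux 4.12, so on a newer kernel the sysctl no longer exists and sysctl -p will report an error for that line rather than silently accepting it.

```python
"""Audit sysctl.conf text for the TIME-WAIT settings discussed above.
Added example; not PPG or Gemini Mobile code."""


def parse_sysctl(text: str) -> dict:
    """Parse sysctl.conf syntax into {key: value}.

    Lines starting with '#' or ';' are comments, assignments are 'key = value',
    keys may use '/' or '.' as separator (normalised to '.'), last assignment wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = value
    return settings


def audit_timewait(settings: dict) -> list:
    """Findings for the two TIME-WAIT knobs: recycle must be off, reuse should be on."""
    findings = []
    if settings.get("net.ipv4.tcp_tw_recycle", "0") == "1":
        findings.append("net.ipv4.tcp_tw_recycle=1: SYNs from NATed peers whose TSval is "
                        "not monotonically increasing are dropped; set it to 0")
    if settings.get("net.ipv4.tcp_tw_reuse", "0") != "1":
        findings.append("net.ipv4.tcp_tw_reuse is not enabled; set it to 1 so TIME-WAIT "
                        "sockets can be reused safely at high request rates")
    return findings


# Constructed fragments: the setting as shipped (per the awk output above) and the corrected form.
SHIPPED = """\
# Added by Gemini Mobile 'factory' framework:
#
#
net.ipv4.tcp_tw_recycle = 1
"""
CORRECTED = """\
# Added by Gemini Mobile 'factory' framework:
#
#
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
"""

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("corrected", CORRECTED)):
        print(name, audit_timewait(parse_sysctl(text)) or ["ok"])
```

Feeding it the full /etc/sysctl.conf (and the files under /etc/sysctl.d/) rather than the awk excerpt is what makes the last-wins rule matter: a later drop-in can re-enable recycle after the main file disables it, and the parser reports the effective value.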

Updating 14.0.1 to 14.2 MP1 – how long can I go without a restart

I need a solution

I’d like to start pushing out 14.2 MP1 via the “Admin > Install Packages > Upgrade Clients with Package” command.

I know that doing so will require a reboot of the endpoints, but I won’t be able to reboot some of my servers right away. Will the endpoint still be fully functional if I let it sit without the restart for a couple of weeks? Or do I need to restart within a day or two?

Thanks,

Brett

ghost64.exe license query

I need a solution

Hi,

I am working on creating the Windows 10 reference image. I created a WinPE bootable USB with ghost64.exe included. I will use the WinPE boot to boot into the reference PC and clone the reference image for later deployment of the image to other machines on the network.

My question is: do I need to purchase a license for this scenario, and how many licenses do I need for a hundred laptops?

Thanks

Regards

Chi Chung

SSD Drives and Windows 10

I need a solution

Hello,

When trying to create an image of this device, I am receiving error 11030, Invalid Source Drive.

Methods Tried:

  1. Tried to create an image using GSS console version 3.2 RU7 – when the laptop boots into the automation partition, it tries to initialize the boot drive but is unable to determine the boot disk. It states it’s going to use the X drive. The process fails with error 11030.
  2. Created a USB boot disk using Boot Disk Creator. Booted off the USB drive and started ghost64.exe. Connected to the Multicast session. On the screen to select the local Source Drive, it displays Drive 80 Location Local Model OS Volumes Type Basic….
     
    If we choose it and click on OK, the error is:  Selected drive has no partitions to clone (11093)

We are using a Dell Latitude 5591 with a Toshiba SSD drive on Win 10. Any help would be great!!

App Layering/Unidesk: If user logs in before Office activation script runs, Office licensing will break

When an App Layering image boots (or a Unidesk desktop), there is a system startup script called kmssetup.cmd which performs Windows and Office licensing actions to ensure that the product is properly activated. In Windows 10 (and possibly other Windows versions), system startup scripts are delayed by a few minutes, so it is possible for a user to log in to the VM before the activation script has run. A user who has logged in early may experience licensing anomalies until our script has run. Such an early login will definitely interfere with Office licensing: the licenses do not appear at all, and Office has to perform an installation repair on its own.

Unfortunately, there is no way we can perform licensing functions before our startup script runs, and no way we can force Windows to run our script sooner. The only option is to delay initial user logins until after the script has run.

Note that if you let the Office repairs run, they will eventually succeed and restore Office licensing. That’s usually not an acceptable option, however. Certainly not in App Layering, where the repair has to happen on every boot.

For nonpersistent Unidesk desktops, this delay is automatically part of the desktop creation process. For persistent Unidesk desktops, you should add to your creation process a delay before allowing users to log in, if at all possible. Once the licensing has happened once on the Unidesk desktop, it will be fine going forward.

For App Layering images, however, that licensing is going to happen on every boot, because every boot is the first boot. So on every boot, our script has to run, overwrite the license information with the captured Office licenses, and activate against the KMS server. For App Layering, you need to make sure no user can log in in the middle of that.

There are two approaches we know of. The problem is that your Connection Broker may allow users to log in quite early in the boot process, so delaying the machine’s availability to the broker will also delay user logins. For the first approach, Add Version to the platform layer, identify the broker agent service in the platform layer, and set it to “Automatic (Delayed Start)”. To set the specific delay, create a DWORD named AutoStartDelay under the broker agent service’s registry key and set it to the number of seconds to wait before the service starts:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Service name>]

AutoStartDelay=240

The other approach is XenDesktop-specific, where you can set a “settlement period” for all machines in a delivery group, preventing them from accepting a user login until the delay is complete. See this:

https://citrix.github.io/delivery-controller-sdk/Broker/Set-BrokerDesktopGroup/

set-brokerdesktopgroup -SettlementPeriodBeforeUse

Re: Unable to boot to utility partition on VNX5300, help!

The system is out of warranty and a lab system. It’s working, but I want to reload the image on it because some configuration won’t let me delete it.

I boot it up with the serial cable attached and hit Ctrl-C, and per the “Backrev Array” solution it’s supposed to do a MiniSetup and reboot a few times. It never reboots; it just sits at “int13 – EXTENDED READ (4000)” and never goes further.

I rebooted it manually myself and tried to start the process again, but I just get this… any ideas?

ABCDabcdEFabcd << Stopping after POST >> GabcdefHabcdefIabcdefJabcdeKLabMabNabOabcPQRSTUVWabXYabZAABBCCabDDabcEEabcFFabcGGabcHHabcIIabJJabKKLLMMNNOOPPQQRRSSTTUUVVWWXX
************************************************************
* Extended POST Messages
************************************************************
INFORMATION: POST Start
INFORMATION: MCU Operating mode changed from Linux to Clariion
INFORMATION: PSB not present
************************************************************
EndTime: 10/28/2018 15:29:59
…. Storage System Failure – Contact your Service Representative …
*******
Enclosure: 0x0008000B : Added to Table
Motherboard: 0x00130009 : Added to Table
Memory: 0x00000001
DIMM 0: 0x00000001
DIMM 1: 0x00000001
DIMM 2: 0x00000001
Mezzanine: 0x00100007
I/O Module 0: 0x00000001 : Added to Table
I/O Module 1: 0x00000001 : Added to Table
Power Supply A: 0x000B0014
Power Supply B: 0x00000001
0x00130009: MCU 0540
0x00130009: CMDAPP 0504
0x00130009: CMDTABLE 0096
0x00130009: CMDBOOT 0002
0x00130009: PLX 0305
0x000B0014: PS FW 0027
Checksum valid
Relocating Data Directory Boot Service (DDBS: Rev. 05.03)…
DDBS: K10_REBOOT_DATA: Count = 1
DDBS: K10_REBOOT_DATA: State = 0
DDBS: K10_REBOOT_DATA: ForceDegradedMode = 0
DDBS: **** WARNING: SP rebooted unexpectedly before completing MiniSetup on the Utility Partition.
DDBS: MDDE (Rev 600) on disk 1
DDBS: MDDE (Rev 600) on disk 3
DDBS: MDB read from both disks.
DDBS: Chassis and disk WWN seeds match.
DDBS: First disk is valid for boot.
DDBS: Second disk is valid for boot.
Utility Partition image (0x0040000F) located at sector LBA 0x1453D802
Disk Set: 1 3
Total Sectors: 0x013BA000
Relative Sectors: 0x00000800
Calculated mirror drive geometry:
Sectors: 63
Heads: 255
Cylinders: 1287
Capacity: 20686848 sectors
Total Sectors: 0x013BA000
Relative Sectors: 0x00000800
Calculated mirror drive geometry:
Sectors: 63
Heads: 255
Cylinders: 1287
Capacity: 20686848 sectors
Stopping USB UHCI Controller…
Stopping USB UHCI Controller…
EndTime: 10/28/2018 15:33:37
int13 – RESET (1)
int13 – CHECK EXTENSIONS PRESENT (3)
int13 – CHECK EXTENSIONS PRESENT (5)
int13 – GET DRIVE PARAMETERS (Extended) (6)
int13 – EXTENDED READ (200)
int13 – EXTENDED READ (400)
int13 – EXTENDED READ (600)
int13 – READ PARAMETERS (800)
int13 – READ PARAMETERS (802)
int13 – DRIVE TYPE (803)
int13 – CHECK EXTENSIONS PRESENT (804)
int13 – GET DRIVE PARAMETERS (Extended) (805)
int13 – READ PARAMETERS (806)
int13 – EXTENDED WRITE (846)
int13 – EXTENDED WRITE (847)
int13 – EXTENDED WRITE (848)
int13 – READ PARAMETERS (964)
int13 – DRIVE TYPE (965)
int13 – CHECK EXTENSIONS PRESENT (966)
int13 – GET DRIVE PARAMETERS (Extended) (967)
int13 – READ PARAMETERS (968)
int13 – EXTENDED WRITE (997)
int13 – EXTENDED WRITE (998)
int13 – EXTENDED WRITE (999)
int13 – EXTENDED READ (1000)
int13 – EXTENDED WRITE (1012)
int13 – EXTENDED WRITE (1013)
int13 – EXTENDED WRITE (1014)
int13 – EXTENDED READ (1200)
int13 – EXTENDED READ (1400)
int13 – EXTENDED READ (1600)
int13 – EXTENDED READ (1800)
int13 – EXTENDED READ (2000)
int13 – EXTENDED READ (2200)
int13 – EXTENDED READ (2400)
int13 – EXTENDED READ (2600)
int13 – EXTENDED READ (2800)
int13 – EXTENDED READ (3000)
int13 – EXTENDED READ (3200)
int13 – EXTENDED READ (3400)
int13 – EXTENDED READ (3600)
int13 – EXTENDED READ (3800)
int13 – EXTENDED READ (4000)

It doesn’t seem to ever go past this… so I cannot move on to the next steps in the solution.

Any help or experience with this would be much appreciated!

-M