Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information.

The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information.

Cisco has released firmware updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info

Security Impact Rating: High

CVE: CVE-2019-1653

Related:

  • No Related Posts

Re: Adding static route in Avamar

Hello All,

I don’t know whether this is the right question to ask, but as a newbie to the Avamar product, I want someone to answer my question regarding adding static routes to Avamar (single node grid). Is it even possible?

We have two networks (network 1, network 2) which are isolated, but recently we decided to back up all the clients from network 2 to network 1. Since both the networks are segregated, the networking team created a routing interface for devices in network 1 to talk to devices in network 2 and vice versa. So my question is: is it possible to add a static route in (Avamar) IDPA for all the devices in network 1 to talk to devices in network 2?

Note: the networking team did a ping test from all the routers (16) in network 2 to Avamar and to the routing interface; everything is reachable. Even the Avamar in network 1 can reach the routing interface that’s created but cannot reach any router (16) in network 2. There are no firewalls on the routers in network 2. So what changes need to be made on Avamar/DD? Is it even possible?

I hope this makes sense. Let me know if you have any questions. I can provide more details if needed.

Thanks in Advance

PK

Placement of ProxySG in Network

I need a solution

Hello All,

This is regarding installing 2x ProxySG appliances in the network.

I’m new to ProxySG appliances and was wondering where it would be best to place them in the existing network architecture: should they be installed between the Edge/Internet Router and the Perimeter Firewall, or behind the Perimeter Firewall? The current purpose of the appliance is to perform content filtering for the users.

BGP route advertisement packets are getting dropped on NetScaler.


The newnslogs show that the LA/1 interface is flapping. Since LA/1 is bound to VLAN 128, when LA/1 goes down, VLAN 128 also goes down.

This triggers the automatic router ID selection process, which results in the BGP session being reset. The reason for the LA channel flap is given below.

The VPX which had the issue is 10.236.25.73_13. When checked in xenstore_info.out [/var/shell in collector], the LA channel configuration is not found. If the LA channel is configured from SVM, it will be seen in the xenstore_info output. This value is fetched from XenServer at the time the collector was captured. If the LA channel is added from the VPX, it is not observed in xenstore_info. Hence it is assumed that the LA channel was added/created at the VPX level.

On the VPX which was working, 10.236.25.45, the LA channel configuration can be seen in xenstore_info.out.

Logs:

[jobinb@sjanalysis-1 /upload/ftp/70327476/collector_S_10.236.25.73_13Jul2015_10_31/shell]$ more xenstore_info.out

vmname_mac_table = “{‘cdl128-bda01ma-wius’:[‘3a:20:0b:66:4b:0b’,’ca:9b:0d:5d…”

interface = “”

mtu = “[10/1:1500,10/2:1500]”

L2mode = “0”

dedicated = “0”

gateway = “10.236.25.1”

ip = “10.236.25.73”

netmask = “255.255.255.0”

nsvlan_id = “0”

nsvlan_intflist = “”

nsvlan_tagged = “0”

physical_intflist = “”

priv = “b84ac6745ffa4cd4819c19a3a0b9f022”

priv2 = “ce8299aad9866985ac44c430119d528854a60381941eafaabf57e2e4e437ca36eb6…”

pw = “1cb5e4e3103eee2d53c282ef0ef677de3841a6f25610d5247”

vlan_id = “0”

Priv2 = ce8299aad9866985ac44c430119d528854a60381941eafaabf57e2e4e437ca36eb69890905d912e0c57134fb4e40844c2366c56c25daff722646e505c220ebb7

Mac_interface_list = 8e_85_a3_63_f0_15-0/1,ee_82_8a_8a_ed_f5-0/2,3a_20_0b_66_4b_0b-10/1,ca_9b_0d_5d_29_1e-10/2


[jobinb@sjanalysis-1 /upload/ftp/70327476/collector_S_10.236.25.45_11Aug2015_01_44/shell]$ more xenstore_info.out | more

vmname_mac_table = “{‘cdl100-bda01ma-wius’:[’42:f7:5c:c3:ca:80′,’9a:2e:09:9a…”

interface = “”

mtu = “[10/1:1500,10/2:1500,LA/1:1500]”

L2mode = “0”

dedicated = “0”

gateway = “10.236.25.1”

ip = “10.236.25.45”

netmask = “255.255.255.0”

nsvlan_id = “0”

nsvlan_intflist = “”

nsvlan_tagged = “0”

physical_intflist = “”

priv = “7831c14f1eba5d6550ccaee1e7ff2659”

priv2 = “a6b0193917bc48f68f165c69408db2a611780aa76f1005de5ae5bbd571fdb319b44…”

pw = “157bec273b3ceb5cad5a442d070864fd2306c616af58bc09c”

vlan_id = “0”

LA = “”

1 = “”

interface_list = “10/1,10/2”

mac = “00_e0_ed_44_9e_69”

type = “LACP”

Priv2 = a6b0193917bc48f68f165c69408db2a611780aa76f1005de5ae5bbd571fdb319b448e37d1d570dc49f8f2ab17336632d507727fdcc5673a504d569fa32f9aa77

Mac_interface_list = 72_01_22_66_6b_ae-0/1,ea_80_88_b2_65_73-0/2,42_f7_5c_c3_ca_80-10/1,9a_2e_09_9a_ac_94-10/2
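
The comparison made above between the two collectors can be scripted. The following is an added example, not part of the original article or any Citrix tooling: it parses a xenstore_info.out dump and reports whether an LA channel is recorded on the hypervisor side. The helper names are hypothetical, and the two samples are constructed by trimming the dumps shown above.

```python
import re

# Constructed samples: a trimmed copy of each dump above, keeping only the
# fields that matter for the LA channel check (key material left out).
FAILING = '''\
mtu = "[10/1:1500,10/2:1500]"
ip = "10.236.25.73"
vlan_id = "0"
'''

WORKING = '''\
mtu = "[10/1:1500,10/2:1500,LA/1:1500]"
ip = "10.236.25.45"
vlan_id = "0"
LA = ""
1 = ""
interface_list = "10/1,10/2"
mac = "00_e0_ed_44_9e_69"
type = "LACP"
'''

LINE = re.compile(r'^\s*(\S+)\s*=\s*(.*?)\s*$')
QUOTES = '"\u201c\u201d'  # straight quotes, plus the curly ones seen in pasted dumps


def parse(text):
    """Return the key = "value" pairs of a xenstore_info.out dump as a dict."""
    pairs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pairs[m.group(1)] = m.group(2).strip(QUOTES)
    return pairs


def la_summary(text):
    """Summarise the LA channel state recorded in the dump (hypothetical helper)."""
    kv = parse(text)
    entries = [e for e in kv.get("mtu", "").strip("[]").split(",") if e]
    channels = [e.split(":")[0] for e in entries if e.startswith("LA/")]
    return {
        "ip": kv.get("ip"),
        "la_channels": channels,
        # interface_list and type only describe a channel when one is recorded
        "members": kv.get("interface_list", "").split(",") if channels else [],
        "type": kv.get("type") if channels else None,
    }


if __name__ == "__main__":
    for name, dump in (("failing", FAILING), ("working", WORKING)):
        print(name, la_summary(dump))
```

An empty la_channels list on a VPX that does have an LA channel configured matches the situation described above, where the channel was created at the VPX level rather than from SVM.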

SD-WAN: Routes Learned by One Site using BGP Are Not Getting Installed on Another Site Over Virtual Path

Consider 3 sites : A (MCN), B (Branch) and C (Branch).

Issue: Site A is running BGP locally with a router, learning local site routes, and then advertising them to Site B and Site C over the Virtual Path. Site B is learning those routes, but Site C is not.

Symptoms: The route logs from Site A show that it is correctly forwarding the routes to the Virtual WAN plane:

2018-08-08 00:36:21 <INFO> <Got route notify>prefix: 10.1.1.1/32, Table: T0 new:00000000006989d8 old:00000000006f8828

2018-08-08 00:36:21 <INFO> <ADD_ROUTE_TO_Virtual WAN> prefix: 10.1.1.1/32, protocol: BGP, Router IP : 10.10.10.2, Table: T0

However, these prefixes are being ignored by the Site C device, as can be seen in the logs:

12994:234:661:860 ERR handle_rcvd_dynamic_routes_from_neighbor@control/route_db.c:5682 Ignore received 90 Dynamic Local Routes to SYNC from site 2 with routing domain ID 0 via Virtual_Path SiteA-SiteC, received route version:215 current:1172

The issue is not restricted to MCN and Branch and can be seen between two branches as well.

Citrix SD-WAN WANOP: Troubleshooting

CloudBridge Troubleshooting Guide: HA Pair Going Out of Synchronization and HA Pair Unable to Synchronize Settings for Non-CloudBridge4000/5000

CloudBridge Troubleshooting Guide: HA Failures Because of Certificate/Key Issues on Non-CloudBridge4000/5000

CloudBridge Troubleshooting Guide: Unable to Establish High Availability on CloudBridge

CloudBridge Troubleshooting Guide: Cisco Router and CloudBridge Negotiate WCCP but CloudBridge Does Not Receive Traffic for CloudBridge4000/5000

CloudBridge Troubleshooting Guide: WCCP Connections Show Under Unaccelerated Connections Table with a UR3/UR4

CloudBridge Troubleshooting Guide: Cisco Router does Not Respond to WCCP Messages in CloudBridge Single Cache

CloudBridge Troubleshooting Guide: Cisco Router and CloudBridge Negotiate WCCP but CloudBridge Does Not Receive Traffic for Non-CB4000/5000

CloudBridge Troubleshooting Guide: Unable to Establish High Availability on

CloudBridge Troubleshooting Guide: WCCP Clustering CloudBridge

CloudBridge Troubleshooting Guide: Unable to Successfully Configure Secure Peering with CloudBridge for Non-CloudBridge4000/5000

CloudBridge Troubleshooting Guide: Unable to Configure Secure Peering with CloudBridge for CloudBridge4000/5000

CloudBridge Troubleshooting Guide: Cisco Router and CloudBridge Negotiate WCCP but CloudBridge Does Not Receive Traffic for Non-CloudBridge4000/5000

CloudBridge Troubleshooting Guide: WCCP Cluster

Cisco Router and CloudBridge Negotiate WCCP but CloudBridge Does Not Receive Traffic for CB4000/5000

CloudBridge Troubleshooting Guide: Unable to Successfully Join a Domain for Non-CloudBridge4000/5000

CloudBridge Troubleshooting Guide: Unable to Successfully Join a Domain for CloudBridge4000/5000

CloudBridge Troubleshooting Guide: Unable to Successfully Add Delegate User for Non-CloudBridge4000/5000

CloudBridge Troubleshooting Guide: Unable to Successfully Add Delegate User for CloudBridge4000/5000

Re: Questions regarding Brocade FC-FC Routing

Hi,

Those are indeed several questions.

1. Can I implement FC-FC Routing between two NO Virtual Fabrics-capable switches ?

A: yes

Or between one Virtual Fabrics-capable switch and one NO Virtual Fabrics-capable switch?

A: also yes.

Since the NO Virtual Fabrics-capable edge switches don’t have a Fabric ID, how can I set the edge fabric ID on the FC router?

A: That can be done with the “portcfgexport -f” option.

Fabric ID Rules:

If there are multiple EX or VEX ports connected to the same fabric then they must have the same FID.

If EX or VEX ports are connected to different edge fabrics, then they must use unique FIDs for each edge fabric.

If two different backbone fabrics are connected to the same edge fabric then the two backbone fabrics must have unique FIDs.

2. How can I connect two fabrics with the same FID via FC-FC routing?

A: See page 541 of the Fabric OS Administrator Guide 7.4.1, chapter “Using FC-FC Routing to Connect Fabrics”.

For example, two virtual fabrics with the same default FID 128, should I change the FID in one fabric?

A: No, it should be possible, because the EX port on the router will get the FID you set on the EX port.

3. How to change the FID ?

A. I assume you meant in a Virtual fabric -> that can be done with the lscfg command. See the Fabric OS Command Reference Guide.

Is it disruptive or non-disruptive ?

A. Setting up a new LS with a new FID will be disruptive.

Will the zone configuration still be valid after the FID change ?

A. No, all zoning is gone and needs to be re-applied.

4. Can I implement FC-FC Routing via a FC router or router-capable switch instead of the virtual fabric base switch inside the Virtual Fabrics-capable switch ? See the topology below

A. Yes, that should be possible.

I recommend that you contact our local DELL EMC team to get a real implementation specialist, who should be able to design and assist you with Fibre Channel Routing tailored to all your needs.

Best Regards,

Ed

Questions regarding Brocade FC-FC Routing

Hi experts,

Can I ask several questions regarding Brocade FC-FC Routing?

1. Can I implement FC-FC Routing between two NO Virtual Fabrics-capable switches? Or between one Virtual Fabrics-capable switch and one NO Virtual Fabrics-capable switch?

Since the NO Virtual Fabrics-capable edge switches don’t have a Fabric ID, how can I set the edge fabric ID on the FC router?

2. How can I connect two fabrics with the same FID via FC-FC routing? For example, two virtual fabrics with the same default FID 128, should I change the FID in one fabric?

3. How to change the FID? Is it disruptive or non-disruptive? Will the zone configuration still be valid after the FID change?

4. Can I implement FC-FC Routing via a FC router or router-capable switch instead of the virtual fabric base switch inside the Virtual Fabrics-capable switch? See the topology below.


top.jpg

Thanks.

NetScaler SD-WAN Troubleshooting Guide: WCCP Clustering on NetScaler SD-WAN

Note: This article applies to Citrix SD-WAN WANOP.

Symptoms

The following are some of the symptoms:

  • Caches are not load balanced properly (traffic gets redirected only to one or more but not all caches).

    Access the GUI of each Web Cache Communication Protocol (WCCP) cluster member and verify if all connections are getting accelerated by only one WCCP Cluster member:

    Monitoring > Optimization > Connections > Accelerated Connections

    CloudBridge Appliance #1 Cache

    CloudBridge Appliance #2 Cache

  • Latency

  • Disconnects

  • Crashes

  • Frequent migration of connections between caches causing unaccelerated connections.

Troubleshooting Steps

The following troubleshooting steps will not apply if the issue seen is uneven load balancing of traffic within CloudBridge4000/5000.

Note: In a WCCP cluster, the router load balances between CloudBridge4000/5000.

  1. Verify that all appliances within a cluster are the same model and run the same software release. CloudBridge700 and VPX do not support WCCP clustering. For more information, see Citrix eDocs – Limitations.

  2. Verify if all appliances and instances (caches) are UP.

  3. Access one WCCP cluster member from Monitoring > Appliance Performance > WCCP and verify the following tabs:

    1. Cache Status:

      • Verify if all caches have an assignment; the status should be displayed as “Has Assignment”.

    2. Routers:

      1. Verify if there is only one designated cache. For more information, see Citrix eDocs – Testing and Troubleshooting.

      2. Verify if all cache members of the cluster are correctly listed.

      3. Verify if all router members of the cluster are correctly listed. If there are multiple routers, ensure that all CloudBridge appliances have all the router’s IPs configured in the cluster Service Groups (SG).

      4. If all router members are not listed, then add them under Configuration > Appliance Settings > WCCP > Configure Service Group.

      5. The following are some troubleshooting commands for router configuration reference (it is strongly recommended to engage Cisco TAC to validate the router(s) configuration).

        • show ip wccp

        • show ip wccp <service group>

        • show ip wccp <service group> detail

        • show ip wccp capabilities

  4. If all caches have assignment but load is not equally distributed, then verify the following:

    1. LAN/WAN SG definition is defined equally on CloudBridge and the router:

      • WAN SG should be the SG that sees the largest pool of IP addresses.
      • LAN SG should be the SG that sees the smallest pool of IP addresses.
    2. Verify the value of the current mask used and confirm if this is the appropriate mask according to the cluster needs. For more information, see Citrix eDocs – Load-Balancing in the WCCP Cluster.

Suggested Sanity Check: Count the number of caches and verify the range of mask elements that are assigned for the cluster. For example:

  • You have five caches.

  • Mask used is 0x1 (1 bit set). The number of mask elements of this mask is 2 (2 or fewer caches):

    • 2^N = mask elements (N is the number of bits set).
    • 2^1 = 2 mask elements = 2 or fewer caches. Because there are five caches, this mask 0x1 is too small.
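
The sanity check above, generalised to any mask and cache count, as an added example that is not part of the original article. The function names are hypothetical, and the round-robin split is an assumption used only to show how many caches can receive an element; the actual assignment is made by the designated cache.

```python
def mask_values(mask):
    """List every value the masked bits can take: one per mask element."""
    values, v = [], 0
    while True:
        values.append(v)
        v = (v - mask) & mask  # step to the next combination of the mask's set bits
        if v == 0:
            return values


def check_mask(mask, caches):
    """Compare the mask elements produced by `mask` with the number of caches."""
    if caches < 1:
        raise ValueError("a cluster needs at least one cache")
    values = mask_values(mask)
    # Assumption for illustration: elements are dealt out round-robin. The real
    # assignment is made by the designated cache; the upper bound is the same.
    per_cache = [0] * caches
    for i, _ in enumerate(values):
        per_cache[i % caches] += 1
    return {
        "bits_set": bin(mask).count("1"),
        "elements": len(values),                    # 2^N for N bits set
        "sufficient": len(values) >= caches,
        "idle_caches": per_cache.count(0),          # caches left without an element
        "min_bits_needed": (caches - 1).bit_length(),
        "per_cache": per_cache,
    }


if __name__ == "__main__":
    # The article's case: five caches with mask 0x1, then a 3-bit mask.
    for mask in (0x1, 0x7):
        print(hex(mask), check_mask(mask, 5))
```
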
  5. If the issue still remains, collect the following data:
    1. Screen shots.

      1. Monitoring page of WCCP:

        Monitoring > Appliance Performance > WCCP > Cache Status.

        Monitoring > Appliance Performance > WCCP > Routers.

      2. Configuration page of SG:

        Configuration > Appliance Settings > WCCP (select the SG and click Modify).

    2. Technical support file. For more information, see CTX133765 – How to Collect Diagnostic Data by using the Command Line Interface on a Branch Repeater Appliance or Branch Repeater VPX Instance and CTX135546 – How to Collect Diagnostic Data by using the Graphical User Interface on a Branch Repeater Appliance or Branch Repeater VPX Instance.

    3. Router(s) configuration.

    4. Detailed network topology from all sites. Clearly depict the (switches, routers, firewalls, IPs, servers) connectivity points between the devices.

    5. IP range/subnets that you are trying to optimize.
