Showing posts with label Riverbed. Show all posts
Showing posts with label Riverbed. Show all posts

Tuesday, December 17, 2013

ICMP Fragmentation and Firewall

Following an installation of new firewalls, I was facing an issue of communication between a CMC (Central Management Console) and a Riverbed Steelhead.
In a normal way, the CMC open a SSH session to push rules to the Riverbed. But after the installation, it was not working anymore. I have investigated and found the root cause of this issue.

Packets between the CMC and the Riverbed are fragmented. Without firewalls, CMC and Riverbed use PMTU in order to discover the MTU small enough to traverse the entire path without fragmentation.
In a first step, Path MTU uses the option Don't Fragment (DF). When a packet is sent with this option, it cannot been fragmented. If a router with a smaller MTU receives this packet, it will drop it and send to the sender an ICMP Fragmentation Needed. This step is repeated until the source has reached the destination without fragmentation.

As you can see below, our problem come from this ICMP Fragmentation Needed packet.
When the steelhead sends a packet (with option Don't fragment) to the CMC, a router on the path sends a ICMP fragmentation Needed. However, the new firewall filters this packet and now the handshake failed.






Workaround:

  • Allow ICMP option on the firewall.
  • Reduce MTU on primary interface of the Riverbed.

Monday, November 18, 2013

TACACs Attributes

You will find below a compilation of attributes used for authenticate several components with an ACS server. The ACS returns this attribute to the server in order to be authenticated with the good shell privilege.

Nexus:
  • Attribute: cisco-avp-pair
  • Requirement: Mandatory
  • Value: shell:roles*"network-admin vdc-admin"

Riverbed (Steelhead):
  • Attribute: local-user-name
  • Requirement: Mandatory
  • Value: admin
WLC (Cisco Wireless Controller):
  • Attribute: role1
  • Requirement: Mandatory
  • Value: ALL

These equipment have been tested with an ACS 5.4. Don't hesitate to add your remarks.