Monday, December 23, 2013

Easy transfer of files to/from Cisco Router

As a consultant, I'm constantly working remotely with people but still need an easy way of transferring files to and from a router (captures, OS files, etc.).  This tip is 101 stuff, but since I needed to help someone with it today I thought I would pass it along.

My little scenario here is an example using IOS routers but I've also tested it on XE.

When I need to upload or download files to/from a router, I like to use SCP to transfer the files.  I like this better than trying to stand up an FTP or TFTP server.  This is especially handy when working with devices outside the firewall.  SCP uses Secure Shell (SSH) to securely copy files.  With SCP you connect directly to the device and transfer files back and forth.  This is useful for transferring captures or OS files.

On the router, you'll need to enable SSH, AAA, and SCP.  The hostname and domain name have to be set before the RSA key is generated, and SCP needs both AAA authentication and exec authorization because the transfer runs under the user's exec privilege (15 here):

ip domain-name company.com
hostname routername
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
username someuser privilege 15 secret somepassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local

Enable SCP on the router:

ip scp server enable

Starting in 6.0(2)N1(1), NX-OS also supports SCP.  Enable it with:

feature scp-server

On Mac or Linux, to push or pull the files, you can use the built-in scp command.

You don't have to, but I suggest going to the directory on your computer where the file you want to upload is or where you want to download the file to.  Open Terminal on your Mac or Linux to run the commands below.

Download file:
In this example I'm downloading the file callfail to the current local directory.  In case you don't catch it, the dot at the end means the current local directory.
scp username@5.5.5.5:flash:callfail .

In this example I'm downloading the file callfail to my Documents folder.
scp username@5.5.5.5:flash:callfail Documents/


Upload file:
In this example I'm uploading the IOS from the local directory to the router.
scp c2900-universalk9-mz.SPA.151-4.M7.bin username@5.5.5.5:flash:c2900-universalk9-mz.SPA.151-4.M7.bin
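As an added example that is not part of the original post, here is a small POSIX shell wrapper around the scp commands above that keeps strict host-key checking on and, after an image upload, asks the router to MD5-check the copy in flash before you boot from it.  It assumes the router's host key is already in known_hosts, that the router executes a single exec command passed on the ssh command line, and that the output of "verify /md5" contains the word Verified on a match (the wording is an assumption).

```shell
#!/bin/sh
# Added example, not from the original post: wrap the scp push/pull from
# the post with strict host-key checking and an integrity check of an
# uploaded image. Assumes a known_hosts entry for the router already
# exists, that the router executes a single exec command passed on the
# ssh command line, and that IOS "verify /md5 flash:<file> <hash>"
# prints "Verified" on a match (output wording is an assumption).

SCP_USER="${SCP_USER:-someuser}"     # username from the router config above
SCP_ROUTER="${SCP_ROUTER:-5.5.5.5}"  # router address used in the post
SSH_OPTS="-o StrictHostKeyChecking=yes"

# Remote path spec in the form the post uses: user@router:flash:file
remote_spec() {
  printf '%s@%s:flash:%s\n' "$SCP_USER" "$SCP_ROUTER" "$1"
}

# MD5 of a local file, portable across Linux (md5sum) and macOS (md5 -q).
local_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# True when the router's verify output reports a match (assumed wording).
verify_output_ok() {
  case "$1" in
    *Verified*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull a file from flash: into a local directory (default: current directory).
pull_file() {
  scp $SSH_OPTS "$(remote_spec "$1")" "${2:-.}"
}

# Push a local file to flash: and have the router hash it; fail loudly on
# mismatch so a truncated or corrupted image is not booted.
push_and_verify() {
  file="$1"
  name=$(basename "$file")
  sum=$(local_md5 "$file") || return 1
  scp $SSH_OPTS "$file" "$(remote_spec "$name")" || return 1
  out=$(ssh $SSH_OPTS "$SCP_USER@$SCP_ROUTER" "verify /md5 flash:$name $sum" 2>&1)
  if verify_output_ok "$out"; then
    echo "verified $name on $SCP_ROUTER ($sum)"
  else
    echo "MD5 mismatch or verify failed for $name: $out" >&2
    return 1
  fi
}
```

Source the file and call push_and_verify c2900-universalk9-mz.SPA.151-4.M7.bin or pull_file callfail Documents/.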

If you happen to be on Windows, WinSCP and PSCP (from the makers of PuTTY) are pretty popular.  WinSCP is a GUI-based option; PSCP is CLI like the commands above.

Cisco Reference Doc:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_copy_ps6922_TSD_Products_Configuration_Guide_Chapter.html

I recommend disabling the SCP server when not needed.

Update: I received a response on Twitter from John Spade (@DaSpadeR) that he once had an IOS router that would reboot when accessed this way.

So, as with everything in our field your mileage may vary.

Monday, December 09, 2013

Cisco Jabber on iPhone through ASA VPN bug

When you are the 'network person', you need to troubleshoot the network to prove the network is not the problem.  I'm writing about this bug because I couldn't find anything online about it and Cisco TAC says it has not been published yet.

Problem

Cisco Jabber 9.5 on the iPhone works on the network internally but not through the ASA VPN.

Confirm it actually does work internally: check
Everything else works through VPN, on the phone: check
Simple ping to CUPS server on the phone: check
Can bring up web page of CUPS server via DNS through the phone: check
No over-engineered filters or acl's in place hindering traffic: check

I'm not much of a voice tech so I had one of the voice engineers check the configs on CallManager.  Says everything is good to go.

I ran a capture on the ASA and see traffic going back and forth to the client as expected.  Not sure if it's the correct ports, but whatever, I see bidirectional traffic.

Sadly, I opened a TAC case.  Worked with both the application team and ASA team.  Ran captures on the ASA again, iPhone Anyconnect Client and also on the CUPS server.

The Apps person found this error:

OnLoginError: LERR_JABBER_UNREACHABLE:

TAC suggested the phone client could not resolve the name of the CUPS server through the VPN.  This didn't make sense to me since I could resolve the name (hostname and FQDN).

Resolution:

Luckily, they had a fix on the CUPS server that would actually resolve the issue:
Change the xmpp server name to the IP address.

Step 1. Log in to the CUP server as admin. Click menu "System" - "Cluster Topology". Check the picture below.

Step 2. After Step 1, you will see the CUP servers listed in the Subcluster. The CUP nodes are shown as xmpp server names, in this example as "cups1" and "cups2." Click the node. You can change the name to the IP address. In the picture below the node name was cups1, and I changed it to "10.201.216.201".

After you change the node name to the IP address, you can now test over VPN.  This change was not service impacting, but it may be best to perform this change after business hours.  You never know.

The bug id is not yet public: CSCul54468
According to Cisco, this should be fixed in Q4 2013, but I'm posting here in case anyone runs into this problem during troubleshooting.

Side note: If you are curious on the ping client I used on the iPhone, it was iSys.