Cisco :: 4402 Light Weight APs Drop Out After Land Attack
Sep 12, 2012
We have a WLAN consisting of a WLC 4402 and 11 lightweight APs. For security/compliance reasons we have a Cisco PIX firewall that sits between the WLC (outside) and the APs (inside). The APs are allowed to form LWAPP tunnels through the firewall (inside access list) to the WLC, and the WLAN works as expected. The firewall then limits traffic from the WLAN (outside access list) to certain internal systems. I have noticed that every so often the firewall logs show continuous "Land attack from 0.0.0.0 0.0.0.0" messages, then all APs are disconnected (all lights flash).
We are continuously getting log entries like the ones below on an ASA 5510. I suspect something is going wrong (is the system being compromised?).
Note: I have changed the actual public IP to 126.96.36.199 for security reasons.
Mar 18 21:46:19 188.8.131.52 Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 184.108.40.206 to 220.127.116.11
Mar 18 21:46:19 18.104.22.168 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 22.214.171.124 to 126.96.36.199
Mar 18 21:46:20 188.8.131.52 Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 184.108.40.206 to 220.127.116.11
Mar 18 21:46:21 18.104.22.168 Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 22.214.171.124 to 126.96.36.199
I tried to launch a LAND attack against my ASA 5520 firewall. Everything works fine, but why? I think it should not work. I use a little tool with which I can use a spoofed address, with a cluster shell, and attack the firewall interface with 127.0.0.1 or the IP address of the interface as both the source and the destination. Then I get a CPU load of 89% with only two hosts. With iptables I can use kernel processes to prevent this, but I can't find anything for the ASA.
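Added example, not part of any of the posts above: a small Python script that reads ASA syslog lines like the ones posted, picks out the %ASA-2-106017 land-attack denies, re-checks the LAND condition itself (source address equal to destination address) and reports which source produced a burst of them inside a short window, which is the kind of check you want before treating the messages as an attack or as noise. The sample log lines, the placeholder addresses, the 10-second window, the threshold of 3 and the function names are all my own choices for this example and are not taken from the posts or from Cisco.

```python
"""
Added example (not from the original posts): parse ASA %ASA-2-106017
"Deny IP due to Land Attack" syslog lines, re-check the LAND condition
(source address equal to destination address) and count how many such
denies each source produced inside a short window.  The sample lines
below are constructed for this example; the addresses are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Matches the device timestamp and the message text that ASA emits for ID 106017.
# A syslog-receiver prefix in front of it (as in the posted lines) is ignored by search().
LAND_RE = re.compile(
    r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-2-106017: Deny IP due to Land Attack "
    r"from (?P<src>\S+) to (?P<dst>\S+)"
)

# Constructed sample log: three hits from one source within three seconds,
# one from the unspecified address 0.0.0.0, and one unrelated deny to ignore.
SAMPLE_LOG = """\
Mar 18 2011 21:46:22: %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Mar 18 2011 21:46:23: %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Mar 18 2011 21:46:23: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
Mar 18 2011 21:46:24: %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Mar 18 2011 21:46:40: %ASA-2-106017: Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0
"""


def is_land_packet(src, dst):
    """The LAND condition: a packet whose source and destination addresses are identical."""
    return ip_address(src) == ip_address(dst)


def parse_land_denies(text):
    """Return a list of (timestamp, src, dst) for every 106017 line in the text."""
    events = []
    for line in text.splitlines():
        m = LAND_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            events.append((ts, m.group("src"), m.group("dst")))
    return events


def land_bursts(events, window_seconds=10, threshold=3):
    """Map each source to its largest number of denies inside one sliding window,
    keeping only sources that reached the threshold (window/threshold are assumptions)."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        if is_land_packet(src, dst):
            by_src[src].append(ts)
    result = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best = 0
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[src] = best
    return result


def unspecified_sources(events):
    """Events whose source is the unspecified address 0.0.0.0, as in the first post's
    "Land attack from 0.0.0.0 0.0.0.0"; these deserve a separate look from a real spoofed source."""
    return [e for e in events if ip_address(e[1]).is_unspecified]


if __name__ == "__main__":
    events = parse_land_denies(SAMPLE_LOG)
    print("bursting sources:", land_bursts(events))
    print("unspecified-address events:", len(unspecified_sources(events)))
```

Feed it the raw syslog file instead of SAMPLE_LOG to get the same breakdown for your own firewall; a source that shows up in land_bursts with its own interface address is the case the 5520 poster reproduced, while 0.0.0.0 events are listed separately so they are not lumped in with it.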
At present, we have two WLCs (5508). There are a total of 84 LAPs (1242AG). One controller is configured as the master controller, to which all our APs associate. It's currently running software version 188.8.131.52 and some of our BYODs using Windows 8 are unable to connect to the wireless. The fix for this is to upgrade the software of the WLC so that the LAPs can obtain the update to solve this problem. Simple! However, before rolling this out into the production wireless network, I would like to test it out on our second WLC, which has no LAP associations, a test WLAN configured, and a newer software image loaded (184.108.40.206). I have a spare LAP that was previously associated with the master controller running the same software version (220.127.116.11). What I'm looking to do is associate this LAP to the 2nd WLC instead of the master so that I can ensure that the LAP gets the newest software. Then, I would like to test a Windows 8 device to make sure it connects. So far, I have done the following:
1. Disabled Master Controller Mode on the 1st WLC and rebooted the AP - result was unsuccessful; still associated to the 1st WLC.
2. Reset the LAP configuration, excluding static IP info, and reset the AP - result was unsuccessful; still associated to the 1st WLC.
3. Compared the configs of both WLCs, but since I'm new to these devices, I'm not sure what needs to be configured/changed.
I have been installing lightweight APs, and these make LMS device discovery take much longer because they are found via CDP but do not run SNMP. So you suffer the SNMP retry and wait time for each one, which adds up with several hundred APs. I added the CDP platform description they announce via CDP to system-config.xml, but this didn't do the trick. I have updated system-config.xml successfully in the past to add ATAs and 7936 conference phones, and this stopped discovery from processing those devices. So I was surprised when this didn't work for LW APs. The CDP platform of the APs looks like this (from show cdp n):
So you can see "cisco" is all lower case and there appear to be spaces at the end before the comma. I thought the spaces might be the problem, so I added them in system-config.xml, but this didn't work. When I display system-config.xml with the XML editor in IE it does not show spaces at the end, even though they are there when I look at the file with Notepad. When I enable debug for discovery it shows these being added to the bypass table for CDP discovery, but it still tries to process them. This is LMS 3.2 on Windows Server 2003. I use the CDP module for discovery.
Recently our company's wireless AP 1262 has had more than 40 clients connected, and sometimes the wireless access is too slow. Those clients are only for MES data transfer; the data is no more than 10K for each station. So I'd like to know if one AP can support the network traffic if all the testers transfer data to the database via this wireless AP 1262. Also, the WLC has no client roaming option by which clients can connect to another AP nearby. I have checked the WLC and AP configuration; there is no option for clients to roam to other APs. Do you know how to configure this AP's clients to move to other APs? If we set up new APs in the location, will the clients automatically connect to the new AP?
I have configured a Cisco LAP 1242AG with a static IP. I have connected the LAP to the WLC. I am able to ping the WLC management interface IP address from the LAP's console. The LAP fails to join the WLC with the error "Could not resolve CISCO-CAPWAP-CONTROLLER".
Is the process for converting 1260 APs to lightweight mode any different from converting 1140s or 1250s? I've converted several APs to LWAP mode, but this is my first 1260. Four 1260s need to be converted. I have one in a remote location that seems to be comatose. Here are the steps I took to convert the AP. Did I skip/miss a step?
1. Uploaded the code to the AP: ap3g1-rcvk9w8-tar.152-2.JB.tar
2. Configured the AP for DHCP. It successfully leased a DHCP address. Controller information is provided via DHCP Option 43.
3. Saved the configuration.
4. Verified the code, successful.
5. Disabled the wireless radios.
6. Installed the lightweight code using the command archive download-sw /safe flash:/ap3g1-rcvk9w8-tar.152-2.JB.tar. The installation was successful.
7. Rebooted the AP.
After that, nothing. The AP has not leased another IP address. The switchport is active. The AP's MAC address is registering in the switch's MAC address table. The AP is receiving PoE from the switch. I noticed that this AP is only receiving 6.2W of power, whereas the other three are getting anywhere between 8.8W and 9.3W. I am unable to ping the old static IP of the AP too.
I have a 1042 lightweight AP and I want to convert it to autonomous mode. I don't find any particular image for this conversion. When I try to find an autonomous image for the 1040 it shows "c1140-k9w7-tar.124-25d.JA1.tar". Can I use this image?
One of my customers asked me to configure a WLC 2106 and 2 LAP 1131AG (lightweight) for corporate/guest WiFi. Basically they want to implement a good WiFi connection for internal use and a guest one with different QoS. The two LANs should both have DHCP, but they must be kept segregated so that nobody on the guest WiFi can access corporate resources.
Since I've never configured a WLC from scratch, I naively supposed it would be quite straightforward, like routers and switches from Cisco. Unfortunately I was totally wrong.
I've downloaded the "Cisco Wireless LAN Controller Configuration Guide" (Software Release 6.0, June 2009) and after I read it I made up this workflow for the configuration:
1) Configure Controller: (via serial) - Set Management Interface parameters (IP- SM - Def GW - Dhcp server IP) - Set Ap-Manager Interface parameters - Virtual Interface parameters - Set Admin Credentials - Dhcp Configuration (internal and/or external)
2) Ap registration on the controller - Configure vlan with dhcp request redirection to the dhcp server
3) Configure Wlan following customer's requests. - Configure Wlan Auth for Corporate/Guest Wifi - Configure QoS for both Wlans
Unfortunately I'm experiencing an issue while trying to join the AP to the WLC. It appears that my customer's IT guy tried to configure one of the APs. In that AP's flash I find files referring to a "mesh" configuration like: [code]
I previously asked if I should be concerned that the Internet light on my Linksys E3000 router doesn't light up when I have Internet access. Well, recently I had to do a reset and I noticed that during the reset it does in fact light up, but it doesn't come on when the router is done with the reset!
I am trying to light up every port light on a 3750G. Nothing is plugged into them, and I would like to know (just for fun) whether there is a way to make every port light, 1 - 48, turn on using a command.
I manage a Cisco 4404 WLC with about 46 access points across our WAN. The system works very well, serving trusted users, guests etc. However, over the last month or two we have had an issue where we have had high load on our WAN. We have traced this down to the Cisco 4404: about 3-4 times a day, the controller connects to every access point and transmits about 5-8 MB of data on port 5427. This in itself would not be a problem, but it connects to all 46 at the same time.
I am wondering how to change my internet IP address, as someone is DDoS attacking me on a daily basis. I have tried all the ipconfig stuff, and unplugged my modem for an hour. Not sure what to do at this point. Plugging my PC directly into the modem changes my IP, but then when I plug my PC back into my router, it changes back.
I have multiple questions about the PIX 525, software version 8.0(2), ASDM 6.0(2). I am a Windows network admin who is new to Cisco and routing in general. I have read through the forums and the Cisco documentation, but have not been able to fully understand the topics discussed within.
This option is currently DISABLED for all interfaces. I know what IP address spoofing is, but what is the functionality of these options specifically? How does it work, and should I enable it, and for which interfaces? Second question: Scanning Threat Detection - Auto Shun
I found this option in ASDM under: Configuration --> Firewall --> Threat Detection. Enable Basic Threat Detection and Enable Scanning Threat Detection are both currently ENABLED, but Shun Hosts detected by scanning threat is currently DISABLED. Also, the Networks Excluded from Shun field is empty. I know what the shun command does. I have used it many times when I have been fortunate enough to catch some piece of **** trying to spam my mail server or gain access to it.
What I am asking specifically is: how does the Auto Shun work? Should I enable it, and what are the potential consequences? Also, what exactly is a scanning attack?
I am not familiar enough with the PIX and with the topics discussed in the document to successfully apply the info within. Plus, I'm not sure it covers the kind of basic, all-inclusive bandwidth cap I would like to put in place.
The goal is to cap the maximum internet (outside) bandwidth that inside5 can use to a reasonable percentage while allowing the other interfaces to have the remainder.
1. How would I go about this implementation? 2. Is there a way to allow inside1 - inside4 to use max bandwidth when there is no traffic on inside5?
I am probably, at least, the third owner of this device, and I do not have an account with Cisco, nor can my tiny (perhaps non-existent given the current economic state) IT budget afford any form of support or software licensing with them. My goal is to back up the IOS and ASDM data in the event that I have to replace the device due to a hardware failure.
I found a file transfer function within ASDM which allowed me to copy the files pix802.bin, asdm-602.bin and tfp from flash to my desktop computer. I also have a copy of the activation key info and my current configuration.
1. Have I backed up all the data/info I would need to restore this software and ASDM to another unit?
2. The activation key screen also has a serial number field. Is this the hardware serial number or is it for the software? And is it tied to this device specifically, or can I use it to restore another unit if necessary?
3. Is there anything else I should do or be aware of regarding backup and restore for the PIX?
4. What is the tfp file?
Is there any way to block a DDoS attack? I don't know too much about DDoS attacks and how they work, but I think I understand a little bit of it. Is there no way to configure a firewall to detect rapid, spontaneous, continuous amounts of fragmented, random data coming from an IP address? Wouldn't the data coming in from a DDoS server be somewhat distinct from data that flows normally?
I'm on my 3rd Virgin Media 615 today. The last one arrived yesterday and I opened the box to find a rev D with the old BIOS installed, threw my hands in the air and all that, and then proceeded to upgrade to 4.13, which I have found to be stable and work OK. The other two grew to have the wireless failure issue. I could moan here about VM but hey, there's no point, so I have come here for advice. After I found the last one's wireless going down, with daily trips from the kids down to me to ask why the internet isn't working etc. etc., I started to investigate. I found the 4.13 and genned up a bit, looked at the 3rd party code and came back to D-Link's own code. Anyway, I have seen in the last few days hundreds of similar port scans. [code]
Now, is the router being a little sensitive to harmless software companies' scans to see if products are installed etc., or are they something to worry about? Now that I know what's going on, if it's the latter (and I don't think anyone's got in yet) I would like to ban these IPs, and to be honest I'm not sure of the best way. I also noted a UDP active session that is not part of my subnet, mine being a standard 192.168.0.* and the other being 192.168.4.*.
I have a Cisco ASA 5510. I am attacking my firewall using nmap. I see the attack in the log, but I would like the firewall to send only an alarm about the attack by email. I have activated email warnings and I receive a great many emails.
I observed that the graph shows the attack, but not the IP of the attacker. Is it possible for the Cisco ASA to show the IP too? The log shows the scanning with nmap, but it is not shunning the IP and not sending an alarm. How can I send an alarm? The graph doesn't show the IP; is it possible to show it?
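Added example, not part of the posts above and not Cisco's own threat-detection logic: for the "what exactly is a scanning attack?" question in the PIX post and the nmap-against-the-ASA post just above, this Python script runs a simple scan detector over %ASA-4-106023 "Deny tcp ..." lines. It groups the denies by source, counts how many distinct destination host/port pairs each source touched inside a window, and produces one alert line per scanning source, so the attacker's IP is named once instead of once per denied packet. The sample log, the placeholder addresses, the 60-second window, the threshold of 10 targets and the function names are my own assumptions for the example.

```python
"""
Added example (not from the original posts or from Cisco's threat-detection
implementation): a simple port-scan detector over ASA %ASA-4-106023
"Deny tcp ..." syslog lines that reports the scanning source by IP.
The thresholds and window are assumptions chosen for the example; the
sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Device timestamp plus the 106023 message fields we need (protocol, src, dst, ports).
DENY_RE = re.compile(
    r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def build_sample_log():
    """Constructed sample: one source probing 12 ports on one host within
    eleven seconds (scan-like) plus two unrelated single denies from another
    source five minutes apart (not a scan)."""
    lines = []
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    for i, port in enumerate(ports):
        lines.append(
            f"Mar 18 2011 21:50:{i:02d}: %ASA-4-106023: Deny tcp "
            f"src outside:198.51.100.7/4{port:04d} dst inside:10.0.0.5/{port} "
            f'by access-group "outside_in" [0x0, 0x0]'
        )
    lines.append('Mar 18 2011 21:50:05: %ASA-4-106023: Deny tcp src outside:203.0.113.9/51000 '
                 'dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]')
    lines.append('Mar 18 2011 21:55:05: %ASA-4-106023: Deny tcp src outside:203.0.113.9/51001 '
                 'dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]')
    return "\n".join(lines)


def parse_denies(text):
    """Return (timestamp, src, dst, dport) for every 106023 line in the text."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            events.append((ts, m.group("src"), m.group("dst"), int(m.group("dport"))))
    return events


def detect_scanners(events, window_seconds=60, min_targets=10):
    """Map each source to the largest number of distinct (dst, port) targets it hit
    inside one sliding window; keep sources at or above min_targets (assumed threshold)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, (dst, dport)))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({target for _, target in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            flagged[src] = best
    return flagged


def alert_lines(flagged):
    """One alert per scanning source, which is what you want an e-mail rule to fire on."""
    return [f"possible scan from {src}: {n} distinct targets" for src, n in sorted(flagged.items())]


if __name__ == "__main__":
    for line in alert_lines(detect_scanners(parse_denies(build_sample_log()))):
        print(line)
```

The point of the window/threshold pair is that a scan is many distinct targets from one source in a short time, not a single deny; alerting on the aggregated result is what keeps the mailbox from filling with one message per packet.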
I study at the University of Ostrava and currently I am working on my master's thesis. Its content is the realization of a few attacks on a network. Now I am trying to implement an ICMP redirect attack using the Intercepter program. You can see a diagram of my network in the enclosed picture (Schema.jpg). Through the Intercepter program I generate ICMP redirect packets (ICMP type 5), which are successfully sent from PC Attacker, but these packets do not arrive at PC Victim and Wireshark shows me the message "Destination Unreachable (Host Unreachable)". Why do the ICMP redirect packets only arrive at PC Victim, so that I can continue the attack, when I use a non-Cisco switch (for example Edimax) or a hub instead of the Cisco switch?
SW: The switch is in the default settings. Cisco Catalyst 2960, IOS: c2960-lanbasek9-mz.122-50.SE3.bin. Router: only IP addresses set on the FastEthernet interfaces. Cisco 2801, IOS: 2801-ipbasek9-mz 124.25f.bin
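Added example, not from the post above and not from the Intercepter tool it mentions: the ICMP Redirect message the poster is generating, built byte for byte in Python so the layout is visible (type 5, a code, a checksum, the gateway address the victim is told to use, then the IP header and first 8 bytes of the datagram that supposedly triggered the redirect), wrapped in an IPv4 header that carries the router's address as source. The addresses and function names are placeholders I chose for the example; nothing here says why the Cisco switch in the post drops the packets.

```python
"""
Added example (not from the original post): construct an ICMP Redirect
(type 5) message and its carrying IPv4 header, with correct checksums,
and verify them.  All addresses are placeholders chosen for the example.
"""
import struct
from ipaddress import IPv4Address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def icmp_redirect(gateway: str, original_datagram: bytes, code: int = 1) -> bytes:
    """ICMP type 5 (Redirect); code 1 = redirect datagrams for the host.
    The body carries the IP header plus the first 8 bytes of the datagram
    that triggered the redirect, as the receiver uses it to find the route."""
    body = original_datagram[:28]                    # 20-byte header + 8 bytes
    hdr = struct.pack("!BBH4s", 5, code, 0, IPv4Address(gateway).packed)
    csum = inet_checksum(hdr + body)
    return struct.pack("!BBH4s", 5, code, csum, IPv4Address(gateway).packed) + body


def build_redirect_packet(router: str, victim: str, new_gateway: str, target: str) -> bytes:
    """Whole IP packet: appears to come from `router` and tells `victim` to
    reach `target` via `new_gateway` (the attacker's address in the post's scenario)."""
    # The datagram the victim supposedly sent to `target`: a UDP (proto 17) header
    # stub of 8 zero bytes is enough, since only 8 bytes beyond the IP header are quoted.
    triggering = ipv4_header(victim, target, 17, 8) + b"\x00" * 8
    icmp = icmp_redirect(new_gateway, triggering)
    return ipv4_header(router, victim, 1, len(icmp)) + icmp   # proto 1 = ICMP


def checksum_ok(segment: bytes) -> bool:
    """A header or ICMP message with a correct checksum sums to zero when re-checksummed."""
    return inet_checksum(segment) == 0


if __name__ == "__main__":
    pkt = build_redirect_packet("192.168.1.1", "192.168.1.20", "192.168.1.66", "10.0.0.5")
    print(pkt.hex())
    print("ip header ok:", checksum_ok(pkt[:20]), "icmp ok:", checksum_ok(pkt[20:]))
```

Comparing the hex dump with the Wireshark decode of the packets Intercepter emits is a quick way to confirm the tool is sending a well-formed type 5 message before looking elsewhere for why the victim never sees it.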
Currently in my office we have a TP-Link wireless router (WR1043N) and a D-Link 615 router. Below is my office's network organization. Internet --> TP-Link router (192.168.2.0) --> D-Link router (192.168.0.0). We want to host a demo website, but we are afraid of our network being attacked. So we wish to implement a DMZ network to hide our internal network from outside. My question is: can I set up a DMZ network with the above capabilities using home routers?
Does the Cisco ASA 5510 or 5520 protect against DDoS attacks and SYN floods? I have a problem with this, so how can I protect against it? Sometimes I see in my log things like "sync flood" or "ddos to xxx.xxx.xxx.xxx"; the IP address is random.
As per the Cisco QoS document URL, IOS from 12.2(13)T supports the drop command in a policy map. But our Cisco ASR 1013 running IOS version 15.2(1)S1 doesn't have the drop syntax. How can we drop a specific application using QoS on the ASR 1013 with IOS version 15.2 and higher? Can I allow a few users a particular application (like P2P) and drop other users based on the users' source IP?
I have a basic query about troubleshooting an E1 link. I am facing packet drops on the link, and we are testing by putting a local loop and a remote loop on the CSU/DSU at the local point and at the remote point. I have tried a ping test while the loop is set at the local point and at the remote point, i.e. I have pinged my local serial interface IP address (e.g. 10.0.0.1 local and 10.0.0.2 remote). With the remote loop I could see no errors and drops, and also the traffic on the interface output and input is the same (e.g. input rate 1000 bps and output rate 1000 bps). My query is: when I am pinging the local interface IP, does the ICMP packet travel to the loop point and come back to the same interface (like a boomerang)?
ICMP packet ->->->->->->->->->->->->->->-> R1 Local CSU/DSU | Remote CSU/DSU (remote loop given )
We've had Cisco 1252 APs running on PoE (3750E gives the port 20W of power) for well over 3 years with no problems. These have not been touched, moved or configured since they went in.
All of a sudden we're seeing these APs drop off the network, and investigations reveal that they show as IEEE PD when you do a show power inline.
Some of these are slated to be replaced after the ports were changed, the cables replaced and port reset (also an old spare 1252 was inserted in to one of these ports and it came up fine, indicating an issue with these APs).
If it was one or two then maybe I could believe that the APs are at fault, but with so many (10 so far) I'm struggling to believe it. Could it be the code we are running on the switches? We are running 12.2(50)SE3.
My Cisco AnyConnect VPN clients are able to access all of my internal networks except another site which has an IPsec site-to-site VPN. The Cisco ASA forwards the packets destined for this remote site to a Cisco router which NATs the source addresses (pool 10.17.252.0/24) to a 192.168.46.0 range. The remote network is 155.x.x.x, which I have included in my internal subnets object-group, and I have added a route on the ASA to route it inside.
I have configured NAT so that it does not NAT anything from the AnyConnect client range to the internal subnets. I am using version 8.3(2) and the NAT rule is:
I see that the WiFi on the SRP freezes. If I am connected via LAN, I can still surf the net or connect to another access point on the network and surf. But the wireless devices connected to the SRP lose connectivity, even though it shows that the WiFi connection is connected. I am running the latest firmware. This problem has only started occurring recently.