Sunday, April 24, 2011

Na to Roop hai, Na toh rang hai (Lyrics)

One of the most beautiful bhajans I have encountered. This bhajan was written by Shri Bindu Goswami. It elucidates that we are full of deficiencies, yet given a chance for salvation.

I have neither beauty nor colour, nor any store of virtues.
How would my Shyam take me into his refuge? My very life is caught in this thought.
I have neither beauty nor colour.

The very vices that he always detests are the ones I am bound in.
At times there is crookedness, there is deceit too, there is intoxication and there is pride.
How would my Shyam take me into his refuge? My very life is caught in this thought.
I have neither beauty nor colour.

In mind, deed, word and thought, my attachment is to this world,
yet not even in a dream, not even by mistake, do I ever give him a thought.
How would my Shyam take me into his refuge? My very life is caught in this thought.
I have neither beauty nor colour.

I search for happiness and peace, yet I have not a single means to them.
I have no yoga, chanting, austerity or deeds, nor righteousness, merit or charity.
How would my Shyam take me into his refuge? My very life is caught in this thought.
I have neither beauty nor colour.

If I have one hope, it is this: why would he not show me grace?
I am a mere drop (Bindu) of lowliness; he is the treasury of compassion.
How would my Shyam take me into his refuge? My very life is caught in this thought.
I have neither beauty nor colour ....

Most beautiful ...

Wednesday, April 20, 2011

Checkpoint R65 and Cisco ASA IPSec VPN Drop

I ran into this issue where the Checkpoint R65 IPSec tunnel kept on dropping with Cisco ASA. I had actually faced an issue like this in the past and I thought it would be a good idea to document the solution.
I had a tough time digging up the solution which I used some time back. Fortunately I had a badly written OneNote document which came to my rescue.
To troubleshoot the issue, and to make sure you need the below solution, here is what you need to do:
  • Kernel Debug
  • IKE Debug
Both of the above need to be done on the Checkpoint end (honestly, debugging Cisco will give no results).
Kernel Debug
The kernel debug is simple to execute. Make sure you execute it when the tunnel is down. Log into the enforcement module (the security gateway) and execute the below command:
fw ctl zdebug

You may also choose to use other commands like
fw ctl debug -buf 12288

Once you execute, it will start spitting out errors like

vpn_ipsec_decrypt Reason: decryption failure: Could not get SAs from packet

This will prove half the story that the issue is indeed what we think it is.

IKE Debug

The IKE Debug must be done in parallel and this might be a tough one to catch. In order to debug, you need to execute the command

vpn debug trunc

You may use “vpn debug ikeon” (just for IKE debugging); this will store the debug logs in $FWDIR/log/ike.elg. Read this file (you can use Checkpoint tools to do this, or read it plain) and see if the ASA has sent an SPI delete packet.

If both the debugs show “green” in our test, then as they say, if it looks like an apple, tastes like an apple and smells like an apple, then it should be an apple.


So now we know that we have to apply the below mentioned fix. But before that, I will need to bore you with the reason of why this happens and blah blah blah … Read on …

The way the SPI negotiations work are different in checkpoint and other vendors … (I know, we don’t need to be told this ). In any event, we know that the IPSec tunnel has 2 phases. The Phase 1 normally secures the phase 2 negotiations and we also know that there are 2 different timers for them (Anyone who has ever configured IPsec with any vendor will have gone through this drill) so, where are we headed with this, you ask ?

Please remember one point: the Phase 2 timer is shorter than the Phase 1 timer, and the Phase 1 timer is a multiple of it, like 8 hrs for Phase 2 and 24 hrs for Phase 1. Notice that 3 times 8 is 24, meaning that the third time around, both Phase 1 and Phase 2 will renegotiate.

This was done for a reason. Normally, when some firewall sends a “Delete the Phase 1 SPI” packet, Checkpoint goes ahead and also deletes the Phase 2 SAs which were made based on that particular Phase 1 SPI. That is good in some ways, but Cisco, on the other hand, treats the two SPIs as independent, so it deletes the Phase 2 SPI only after the timeout on that one expires. Get the picture yet?

To explain the above, I have drawn a diagram. As you can see, after the Phase 1 goes down, the Cisco end keeps the Phase 2 (green box) but the Checkpoint has lost it. Since the Cisco has the Phase 2, it will not try to renegotiate, but the Checkpoint will expect the Cisco to renegotiate it.


Now, in a fraction of second, there is a rat race that begins and the firewalls try and re use SA’s and renegotiate and stuff, which brings down the tunnel for 10 – 15 mins


To fix this issue, we need to edit the registry. I would recommend you take a full backup of everything before you make the change.

The registry file is located in the checkpoint in the following location


To make the change

execute the following

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1

As you can see, this command adds the registry entry that tells Checkpoint not to delete the IPsec SPI on a Phase 1 delete. Then we need to execute “cpstop” and “cpstart”.

We should be done at this point.

To verify, that the change is done properly, you can execute the following command
cat  $CPDIR/registry/ | grep DontDel

You will see an output and a line added in the registry which will confirm the change is done.

In the worst case, if you want to revert the change, please use the following

ckp_regedit -d SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1

As you can see, the only difference is that “-a” has been replaced with “-d” (standing for add and delete respectively). Once you have done this, you can again verify that the line is gone with the above command.
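The mismatch and the effect of the registry setting can be reproduced in a small model. This is an added example, not code from the original post or from either vendor; it uses one constructed SPI per tunnel, the 8 hr / 24 hr lifetimes from the post, and models only the behaviour the post describes (no renegotiation).

```python
"""Simplified model of the Phase 1 delete / Phase 2 SA mismatch (added example)."""
from dataclasses import dataclass, field

HOUR = 3600
P1_LIFETIME = 24 * HOUR  # Phase 1 lifetime used in the post
P2_LIFETIME = 8 * HOUR   # Phase 2 lifetime used in the post
# Drop reason quoted in the post's kernel debug output
DROP_REASON = "decryption failure: Could not get SAs from packet"


@dataclass
class Gateway:
    name: str
    drop_p2_on_p1_delete: bool               # behaviour the post attributes to each vendor
    p1: dict = field(default_factory=dict)   # Phase 1 id -> expiry (seconds)
    p2: dict = field(default_factory=dict)   # SPI -> (parent Phase 1 id, expiry)

    def negotiate(self, p1_id, spi, now):
        self.p1[p1_id] = now + P1_LIFETIME
        self.p2[spi] = (p1_id, now + P2_LIFETIME)

    def phase1_delete(self, p1_id):
        """Handle a 'delete the Phase 1 SPI' notification."""
        self.p1.pop(p1_id, None)
        if self.drop_p2_on_p1_delete:
            self.p2 = {s: v for s, v in self.p2.items() if v[0] != p1_id}

    def expire(self, now):
        """Drop SAs whose own lifetime has run out."""
        self.p1 = {i: t for i, t in self.p1.items() if t > now}
        self.p2 = {s: v for s, v in self.p2.items() if v[1] > now}

    def receive_esp(self, spi):
        """Return None if an SA exists for the SPI, else the drop reason."""
        return None if spi in self.p2 else DROP_REASON


def simulate(dont_del_ipsec_spi_on_p1_del, delete_at=2 * HOUR):
    """Return (SPIs only the ASA still holds, Check Point drop reason,
    seconds the ASA keeps its copy if nothing renegotiates)."""
    cp = Gateway("checkpoint", drop_p2_on_p1_delete=not dont_del_ipsec_spi_on_p1_del)
    asa = Gateway("asa", drop_p2_on_p1_delete=False)
    spi = 0x1001  # constructed SPI
    for gw in (cp, asa):
        gw.negotiate(p1_id=1, spi=spi, now=0)
    for gw in (cp, asa):           # Phase 1 delete arrives two hours in
        gw.expire(delete_at)
        gw.phase1_delete(1)
    orphaned = sorted(set(asa.p2) - set(cp.p2))
    reason = cp.receive_esp(spi)   # the ASA keeps encrypting with the SA it kept
    stale_for = asa.p2[spi][1] - delete_at if orphaned else 0
    return orphaned, reason, stale_for


if __name__ == "__main__":
    for setting in (False, True):
        print("DontDelIpsecSPI_OnP1Del =", int(setting), "->", simulate(setting))
```

With the setting off, the ASA is left holding an SPI that Check Point no longer has, which is the state behind the drop message in the kernel debug; with it on, both ends keep the same Phase 2 SA.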

Hope you like this and this is helpful to you.  I am not very sure, but I think the same applies to R70 as well.

Thursday, April 14, 2011

Design Strategies in F5 LTM–Part 1

A key to an effective, resilient and robust network is a good design. Big IP design is a key to faster and more effective failover, leading to greater availability and shorter convergence time. This blog is written around the considerations that go into a deployment.
A Big IP works like a switch, having VLANs and Spanning Tree Protocol. This enables the Big IP to fit right into your LAN design. You are offered the choice of an Active/Standby (Failover) pair or an Active/Active pair or, as I like to call it, the “load balance your load balancer” pair, in which the units double up on covering for each other. All this is feasible with the concepts of “Floating IP”, “Gratuitous ARP” and “MAC Masquerading”.
When the initial configuration of Big IP is done, these are things you need to consider,
  1. What business purpose will this need to serve?
  2. How many businesses are going to be using it?
  3. Where is the load balancer going to be located physically?
  4. Where are the Servers that need to be load balanced going to be located?
I have assumed that the Big IP is rightly sized based on capacity planning and licensed as per needs. The above questions will lead us to the answer for one of the most critical things in the design, i.e. the number of VLANs that will be on the Big IP.
We have the following options when designing the Big IP deployments
  1. One Arm Mode
  2. Two Arm Mode
  3. Multi Arm Mode
The number of arms is nothing more than the number of VLANs that are created and active on the Big IP. In this blog we will only detail the One Arm Mode:
One Arm Mode is the most common kind of deployment seen nowadays. It is very easy to achieve: it means creating just one VLAN on the load balancer, so that both the physical servers to be load balanced and the clients that are trying to reach the servers use the same VLAN. If the load balancer can reach the clients and servers using that VLAN, we are all set.
This causes the minimum impact on the existing LAN / WAN design. But note that for this to work, we need to enable SNAT (Source NAT) settings on our load balancer.
The below diagram shows the functioning of the One Arm Mode and traffic flow with and without SNAT.
One ARM Mode – Physical Connection
Traffic Flow (Without SNAT)
As you can see, without SNAT the traffic flow will be asymmetric, the F5 will block the next packet, and so the above will not work. (There is a way to make this setup work as well; it is called n-path in F5 terminology and DR mode (Direct Routing Mode) load balancing in general terms. More on that later.)
With SNAT:
As you can see, with SNAT the traffic flow normalizes and the connection starts working again.
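The two flows can be traced in a few lines of code. This is an added example, not from the original post and not F5 code; the addresses are constructed, and the model only tracks source/destination rewriting in a single VLAN.

```python
"""One-arm load balancing with and without SNAT (added example)."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

# Constructed addresses: everything sits in the single VLAN of a one-arm design.
CLIENT, VIP, LB_SELF, SERVER = "10.0.0.10", "10.0.0.100", "10.0.0.5", "10.0.0.20"


class LoadBalancer:
    def __init__(self, snat):
        self.snat = snat
        self.conns = {}  # (server-side src, server-side dst) -> original client packet

    def to_server(self, pkt):
        """Rewrite the destination to the pool member; rewrite the source only with SNAT."""
        out = Packet(LB_SELF if self.snat else pkt.src, SERVER)
        self.conns[(out.src, out.dst)] = pkt
        return out

    def to_client(self, reply):
        """Reverse the translation for a reply that actually reaches the load balancer."""
        orig = self.conns.get((reply.dst, reply.src))
        if orig is None:
            return None
        return Packet(orig.dst, orig.src)  # reply now appears to come from the VIP


def trace(snat):
    """Return (list of hops, True if the client sees a reply from the VIP)."""
    lb = LoadBalancer(snat)
    syn = Packet(CLIENT, VIP)
    hops = [("client->lb", syn)]
    fwd = lb.to_server(syn)
    hops.append(("lb->server", fwd))
    reply = Packet(SERVER, fwd.src)  # the server answers whoever the source was
    if reply.dst == LB_SELF:
        hops.append(("server->lb", reply))
        reply = lb.to_client(reply)
        hops.append(("lb->client", reply))
    else:
        # Same VLAN: the reply goes straight to the client and bypasses the load balancer.
        hops.append(("server->client", reply))
    accepted = reply is not None and reply == Packet(VIP, CLIENT)
    return hops, accepted


if __name__ == "__main__":
    for snat in (False, True):
        hops, ok = trace(snat)
        print("SNAT" if snat else "no SNAT", "->", "works" if ok else "asymmetric, fails")
        for name, pkt in hops:
            print("   ", name, pkt)
```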
Thus this is one of the most commonly deployed scenarios in the Load Balancer world, I will be detailing the other modes in my future blog posts, so till then, take care …

Tuesday, April 12, 2011

Configure MLFR (Multilink Frame Relay) on Juniper SRX Firewalls

I came across one of the Integrated Services type firewalls, and was asked to configure an MLFR bundle on it. The firewall was a Juniper SRX (I admit, I love these boxes). But MLFR on a firewall … who has heard of that? I had prepared for doing MLPPP, but on the turn-up call the service provider wanted us to use MLFR, as that’s what they supported for that particular site.
For the non-techy gurus who are wondering what MLFR is, it’s a simple Multilink Frame Relay bundle, meaning you have more than one T1/E1 link and you bundle them on Frame Relay (yes … some of us still use Frame Relay).
More often you would have done MLPPP bundling, but the exciting part was to do MLFR between Juniper and Cisco, where the Juniper end was a firewall.
Here is a simple diagram

As you can see the connectivity from customer perspective is pretty simple. There are 2 Physical links going on the Service Provider network (T1 Links) and we need to create a bundle logical connectivity (The Solid red line ) between us and the service provider.

Points to Note:

  • Since we are creating the MLFR bundle between Cisco and Juniper, we can only use FRF.16 specification for the MLFR bundle.
Since we will talk in detail about the Juniper end, I will only briefly mention the Cisco end configuration.

Cisco Sample Configuration:

controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64 
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64 
interface MFR1
description MultiLink Bundle 
no ip address
encapsulation frame-relay IETF
frame-relay multilink bid
frame-relay lmi-type ansi
no shutdown
interface MFR1.100 point-to-point
ip unnumbered Fastethernet0/0
frame-relay interface-dlci 100 IETF
interface Serial0/0/0
description MultiLink Circuit 1 
no ip address
encapsulation frame-relay MFR1
no arp frame-relay
interface Serial0/1/0
description MultiLink Circuit 2
no ip address
encapsulation frame-relay MFR1
no arp frame-relay


Juniper Configuration:

Configuring an MLFR bundle is the same on Juniper routers and firewalls, except for a few extra steps on the firewall:
  • Configure the T1 Links
  • Bring up the virtual Interfaces
  • Configure the Virtual Interface
  • Assign the Virtual Interface in a Security Zone (Firewall Only)
As you can see the first 3 steps are similar in the Juniper Routers and SRX firewalls

Configure T1 links:
By far the simplest, most of the values for this will be given by the service provider itself
  • Clocking
  • Encapsulation
  • Line Encoding
  • Framing
These are the configurations needed. We first need to boot the SRX and see whether the T1 cards are recognized. You can do that by issuing “show interfaces terse | match t1”:
root@DEMOSRX> show interfaces terse | match t1
t1-3/0/0                up    up
t1-4/0/0                up    up

As you can see above, the 2 T1 cards are detected in FPC 3 and 4. Now we need to bundle them. Here is the configuration sample for one of them, under “edit interfaces” (please make sure both have identical configuration):
t1-3/0/0 {
    clocking external;
    encapsulation multilink-frame-relay-uni-nni;
    t1-options {
        timeslots 1-24;
        line-encoding b8zs;
        framing esf;
    }
}

So you can see that we have set the T1 options for the first T1 card; we will need to do the same for the second one as well.
Bring up Virtual interface
In JunOS, we need to explicitly bring up the virtual interfaces. The virtual interface is a multipurpose one, and we will not go into detail. But please remember that in version 10.x of JunOS on the SRX, the virtual interfaces are called “lsq” interfaces, while in the old versions and on the routers they are “ls” interfaces.
We need to create the virtual bundles with the following (under “edit”):
chassis {
    fpc 0 {
        pic 0 {
            mlfr-uni-nni-bundles 1;
        }
    }
}

So here we say that we need to create a single MLFR bundle. We can create up to 32 of these bundles, but I don’t think we would practically go that far on an SRX.
Once you commit the above configuration you should have new interfaces created. Just type the command “show interfaces terse | match lsq”:
root@DEMOSRX> show interfaces terse | match lsq
lsq-0/0/0               up    up
lsq-0/0/0:0             up    up
As you can see, the new interface “lsq-0/0/0:0” was created. So we have created the virtual interface.
Configure the Virtual interface:
In configuring the virtual interface there are 2 steps: we need to add the T1 interfaces to the virtual interface, and we need to configure the interface itself.
This is how the interface t1-3/0/0 looks:
root@DEMOSRX> show configuration interfaces t1-3/0/0
clocking external;
encapsulation multilink-frame-relay-uni-nni;
t1-options {
    timeslots 1-24;
    line-encoding b8zs;
    framing esf;
}
unit 0 {
    family mlfr-uni-nni {
        bundle lsq-0/0/0:0;
    }
}
Here you see that we created a unit and then mentioned the name of the lsq interface, which associates the T1 link with that bundle. We need to do the same on t1-4/0/0 as well.
As far as the configuration of the lsq interface itself is concerned, here is how it looks:

root@DEMOSRX> show configuration interfaces lsq-0/0/0:0
description ***MLFR Bundle Logical Interface***;
encapsulation multilink-frame-relay-uni-nni;
mlfr-uni-nni-bundle-options {
cisco-interoperability {
lmi-type ansi;
unit 0 {
dlci 100;

So you can see that here is where we mention the DLCI and the LMI type.
If you are on a router, the link is now going to be up. You can verify that with “show interfaces terse”: the lsq sub-interface will show as up – up.
Associating Security Zone:
If you are doing this on an SRX, the interface also needs to be bound to a security zone and the policies need to be applied.

root@DEMOSRX> show configuration security zones security-zone external-zone
screen untrust-screen;
host-inbound-traffic {
system-services {
interfaces {

So here we created a zone called external-zone and mapped the interface lsq-0/0/0:0.0 to this zone. Once this is done, and you have made a security policy, applied it for this zone and added routes, you should be up and running.
Hope you find this informative and please let me know if you have questions, I will try my best to answer them.

Monday, April 11, 2011

Trip to Portland, OR

I have recently been travelling for work and I got to travel to the West Coast. I was travelling to Portland in Oregon to work for a client and redesign their network. The work was fun !!! (I know what you are thinking … Yeah right)

Well, Honestly, the work was not bad. I actually enjoyed working there, there is one more thing that I really enjoyed….. Natural Beauty !!!

Portland (and Nearby places) was one of the most beautiful destinations I had seen in US from a Natural Beauty standpoint. Over the weekends, I could just pick a direction and drive and I was sure to come across some awe inspiring natural beauty (Which did inspire me to go learn HDR photography). I did visit a lot of places over weekends out of which a few were

  • Crater Lake
  • Mount Rainier
  • Mt. Hood
  • Washington Park – Rose Garden
  • Cannon Beach

So On and so forth…. Every place had its own charm (Though it got boring after a while… it was really beautiful)


My first visit was to Crater Lake. I drove down to Crater Lake from Portland with one of my colleagues. Since we started a little late, We decided to go to Grants pass and then the next day get to Crater Lake.


The whole experience was chilling and thrilling. We had fun snow fighting, but we did really miss skiing as we did not have the skiing gear with us. Though we travelled during Jan 2011, we were lucky not to have rain and it was a clear day.

The other trips were as beautiful as this one. I was so impressed by the complete experience. I am told that the place looks beautiful during the summer, so I am looking forward to another visit during summer and hope it is worth the visit ….

I will upload more pictures as soon as I have them (They are still sitting in my Cameras memory card)

Upgrade currently unlocked 3G[s] iPhone (Using Black Rain) from 3.1.2 to 4.1

Not long ago, there was a time when the iPhone 3G[s] was very famous and people used to buy it, jailbreak it and unlock it for use with other carriers. One of the famous tools for jailbreaking at that point in time was blackrain. Almost everyone I know used blackrain on iPhone version 3.1.2 and used blacksnow for the unlock.
This works great, but there is one issue. Most people on the new boot ROM got a tethered jailbreak, which means they have to use blackrain every time. After that a lot of untethered jailbreaks were released, and they want to move to those.
I had the same experience, so I thought I would document it here.
DISCLAIMER: Please use this guide at your own risk. I am not responsible for anything that happens to your phone due to this. I have used the same procedures and it worked for me. If you have any questions, put those in the comments and I will try to answer them.
All the software is also available from the internet. I claim no ownership of the software. I merely provide the links to the software.
This is what your phone will be now. 
  • OS : 3.1.2
  • Baseband : 5.11.07 (Any baseband that is unlocked / unlockable ) - Currently Unlocked
  • iPhone : 3G[s] (It can be 3G as well, but then you have to do additional reading)
  • SHSH should be saved for 4.1
  • Currently Jailbroken & Unlocked by Black rain,  Black snow respectively
In this guide, we will need the following 
  • Computer (Duh !!) - If you are reading this, you already have one.
  • OS: Windows (For MAC, you will need to use the Pwnage tool, but this guide is not for you, there are a lot of hackintosh articles)
  • Snow Breeze v 2.1
  • Tiny Umbrella
  • iREB
If you are using a work computer, make sure you have access to create files on the desktop. (Believe me a lot of companies block this to enforce a clean desktop policy) 
After the process, you will find a 4.1 version of the iOS and unlocked phone, plus the jail break will be untethered (You can reboot the phone without having to run black rain). 
Backup :
Please backup your phone in iTunes (Right click on the phone and say backup). This will backup contacts, Pictures, songs, etc .
Please note that this will not back up jailbroken applications; in order to back them up, please read the guide here. (I normally don’t have many apps, so I didn’t have to do it. I would install them later anyway.)
Step 1: Download the required software
  • iOS
    • Please download the iOS for your phone from here - (This is the iClarified link) Please select iPhone 3G[s] 4.1 iOS (This is  huge file, you might want to download after step 2)
  • Other Tools :
    • I have zipped other tools (The versions which worked for me in a single file). I will also mention them here
      • Snow Breeze 2.1 (Windows Counterpart of Pwnage tool)
      • iREB RC4
      • Tiny Umbrella 4.30.05
You can search the internet and get them individually or If you want to download as a single pack, please use the link below – To get all the 3 files
  • iTunes:
    • Assuming you have an iPhone, I can safely assume you have iTunes as well. In this I am using the latest version of iTunes
Step 2: Check if the Phone is upgradable:
Start the Tiny Umbrella and Click on Save SHSH
This will save the SHSH that are signed on your phone. Please note that Apple signs SHSH only for some time. So when you installed Cydia and clicked on make my life simple, Cydia would have saved the SHSH on its servers. Please make sure the SHSH for 4.1 is saved. (You can move to any OS for which you have the SHSH saved, but this guide is only for 4.1)
If you have the SHSH saved, you are good to go. The tiny umbrella will also save the SHSH files locally.
Now once this is done and it says that Cydia has your SHSH you can proceed. If the SHSH are not saved, then you are out of luck and the below method may not work for you.
Step 3: Create a Custom iOS
We will need to create a custom iOS, so that the baseband doesn’t get upgraded. If it does, then the phone might not be unlockable. The creation of the custom iOS will also jailbreak the system.
We will use SnowBreeze for that.
Open Snow Breeze (v 2.1) and select the IPSW file that you downloaded (iOS file) . The snow breeze version is iOS specific, so we will have to use a version 2.1 (the latest version 2.5 doesn’t work)
Browse the iPSW file
It will then point whether it is a valid IPSW or not (It will check the checksum, if your browser saved the IPSW as a zip, please rename it to ipsw, else use a different browser like safari (for windows))
Click on Simple Mode and that’s it, let the magic run. It will create a file on your desktop like this
The new IPSW is ready to be restored on your iPhone, but before that you will have to put the phone in DFU mode. Here is a tutorial to that.
Step 4: Recovering your OS
Since your phone is now in DFU mode (and you have iTunes open), Shift + Click on Restore, select the newly created custom firmware and click OK. You should be fine.
But most times you will get an error (16xx) or something. If you do, you will have to use iREB.
To use iREB, put your phone in DFU mode (most likely you are already in DFU mode, so you can just fire up the software) and click on the phone model (in our case 3G[s]).
Once you do, it will use the limera1n exploit and jailbreak your phone. After this, just restore the phone using iTunes (as mentioned above).
Reminder on how to do that :
Connect your iPhone via USB cable and put it in DFU mode. To put it in DFU mode, turn the phone off. Hold power and home together for precisely 10 seconds. Release power but keep holding home until the pc beeps as a USB device is recognized. At no point will the display come on. If this doesn’t work, try to press and hold power only. Keep holding power. As soon as you see any display on the screen of any sort press and hold the home button. Hold power and home together for precisely 10 seconds. Release power but keep holding home until the pc beeps as a USB device is recognized.

Once you are done, you will be running iOS 4.1 on your 3G[s] and you can reboot as many times as you like without blackrain (make sure Cydia is installed).
For some people they might need to re-unlock the phone. Just go to cydia,
Click on Sources
image is the URL . Now search for Ultrasn0w and click install
It will install the ultrasn0w and you will be unlocked for any carrier.
You may have to apply a fix for YouTube videos not working. Please read the guide here. Please restore the phone from the backup and you will have all your data back.
Hope you find this informative. Let me know how it goes in the comments. Thanks !!! and enjoy your untethered phone.