Blog

  • Pending Microsoft Price Hikes May be Your Office 365 Catalyst

    September 17th, 2018

    Looming price increases from Microsoft are designed to make cloud skeptics and organizations with large on-premises footprints take another look at moving to the cloud.

    In a recently published article, Microsoft made clear that it will be raising the price of Office 2019 by ten percent beginning October 1. According to a Microsoft spokesperson, this price jump "represent(s) the significant value added to the product over time and ... better reflect costs and customer demand and align with cloud pricing."

    Price isn't the only thing changing. According to this announcement, beginning with Office 2019 the normal support lifecycle of five years mainstream plus five years extended support is being trimmed down to just two years of extended support. In addition, Microsoft will only support Office 2019 on Windows 10, not Windows 7.

    If these changes to Office are not cause enough to reassess your cloud strategy and timelines, get ready to see an increase in your on-premises server licensing costs as well. Come October 1, Windows Server 2019 operating system licenses; "Productivity" server licenses such as Exchange, SharePoint and Project Server; Client Access Licenses (CALs), which enable personal computers to connect and access information on Microsoft servers; and Enterprise CAL and Core CAL suites will all see a ten percent price jump.


    Never a Better Time to Migrate

    For organizations that continue to hold on to their on-premises infrastructure, the handwriting is on the wall: at least some workloads should be transitioned to the cloud. This price hike from Microsoft presents an opportunity to create a migration strategy designed to modernize your business, increase scalability and flexibility, and save money in the long run.

    Partner for Success

    A properly designed and implemented migration to Office 365 and Azure is key to your organization's success, and you should not go it alone. Working with an experienced Microsoft partner will allow you to plan the proper migration strategy, prepare your end users and ensure a smooth cloud transformation while controlling the potential runaway costs usually found in the "DIY" model.

    High Availability is a Microsoft Gold Partner with experienced Office 365 and Azure migration specialists who will work together with your IT team to ensure a well-crafted migration that minimizes user impact, reduces downtime (and costs), and gets all your data to the cloud successfully. Contact us today to find out how to begin your cloud transformation.

  • High Availability, Inc. Named Best Place to Work in Pennsylvania

    September 12th, 2018

    Audubon, PA, September 12th, 2018 - High Availability, Inc. has been named one of the Best Places to Work in PA for 2018. The awards program, created in 2000, is one of the first statewide programs of its kind in the country. The program is a public/private partnership between Team Pennsylvania Foundation, the Pennsylvania Department of Community and Economic Development, the Pennsylvania State Council of the Society for Human Resource Management, and the Central Penn Business Journal. 

    This survey and awards program was designed to identify, recognize and honor the best places of employment in Pennsylvania that are benefiting the state's economy and its workforce. Employers are categorized based upon the total number of employees they have in the United States: 15 to 99 employees, 100 to 250 employees, or more than 250 employees.

    To be considered for participation, companies had to fulfill the following eligibility requirements:

    • Be a for-profit or not-for-profit business
    • Be a publicly or privately held business
    • Have a facility in Pennsylvania
    • Have at least 15 employees working in Pennsylvania
    • Be in business a minimum of one year

    Companies from across the state entered the two-part process to determine the 100 Best Places to Work in PA. The first part of this process was evaluating each nominated company's workplace policies, practices, philosophies, systems and demographics. This part of the process was worth approximately 25% of the total evaluation. The second part consisted of an employee survey to measure the employee experience. This part of the process was worth approximately 75% of the total evaluation. The combined scores determined the top companies and the final ranking. Best Companies Group managed the overall registration and survey process.

    High Availability, Inc. will be recognized at the Best Places to Work in PA awards banquet on Thursday, November 29, 2018, at the Lancaster County Convention Center in Lancaster, PA. Rankings will be revealed at the ceremony. Tickets may be purchased online at www.CPBJ.com/events.

    In addition to the public/private partnership, the program is supported by the following organizations: Presenting Sponsor – Highmark; Lead Sponsor – Team Pennsylvania Foundation; Major Sponsors – Bybel Rutledge, Robertson Insurance & Risk Management, Spooky Nook Meeting & Events and S&T Bank; Founding Partners – Team Pennsylvania Foundation, the Pennsylvania State Council of the Society for Human Resource Management, and the Central Penn Business Journal; Program Partners – The Department of Community and Economic Development and PA SHRM.

    For more information on the Best Places to Work in PA, visit www.bestplacestoworkinpa.com or contact Emily Winslow, event coordinator at the Central Penn Business Journal, at 717-323-5268 or ewinslow@cpbj.com.

    High Availability, Inc. is a premier solution provider and integrator of data center products and cloud services. High Availability, Inc. solves complex business challenges by architecting and implementing forward-thinking technical solutions, while forming trusting, collaborative relationships. By taking a hands-on, consultative approach, the High Availability, Inc. team creates custom tailored systems and solutions to fit both current requirements and future IT and business needs.

    ###

    Media Contact:

    For more information about High Availability, Inc., please contact Liz Thompson, Marketing Manager, at (610) 254-5090 ext. 256 or lthompson@hainc.com

  • Nutanix Flow with Microsegmentation

    August 22nd, 2018

    Nutanix Flow is like your left hand and Microsegmentation is your right. You can use one without the other, but it sure will make your life more difficult. Using Flow for the first time totally opened my eyes. I could finally see, in complete detail, which computers and ports are talking to an application stack. No more "Let's lock down that Windows firewall port and see what happens." Now you can finally see in real time what's coming in and going out from a server. Once you have that wonderful knowledge, simply switch from monitoring mode to applied. That's when Microsegmentation (the VM firewall) applies all the rules that were already discovered.

    Let's not shortchange Microsegmentation. Not only can it apply VM firewall rules to a cluster, it treats multiple clusters as a single firewall entity. It doesn't even matter if they are across geographic sites: no Nutanix configuration changes are needed when moving a VM from site A to site B. Normally, providing east/west firewall rules would be a daunting task. Luckily, that's no longer the case with Nutanix Flow and Microsegmentation. In fact, having Microsegmentation could potentially have saved several of my customers from CryptoLocker ransomware this year. Attacks usually spread easily once inside the network. This is another way to keep the bad guys from talking to servers they shouldn't have access to. Now let's get to some examples.

    Note: To minimize the length of this blog, I won't be showing all the steps required to set up Nutanix Flow with Microsegmentation.

    Scenario

    • Client VMs have no protocol/ port restrictions to web servers
    • Use Nutanix Flow to view network traffic to and from web servers
    • Use Nutanix Microsegmentation to only allow the following:
      • Port 80 traffic inbound to web servers
      • Block all communication between Web servers
      • Only allow ICMP outbound from web servers to client VMs

    Requirements

    • Prism central with at least 32 GB memory
    • AOS 5.5 or later
    • AHV 20170830.58 or later. Not supported with VMware or Hyper-V.

    VM Environment

    • AppA_Client1    IP Address 10.21.193.210
    • AppA_Client2    IP Address 10.21.193.230
    • AppA_Web1       IP Address 10.21.193.75
    • AppA_Web2       IP Address 10.21.193.60

    Step 1. Create some categories. Categories are a way to logically group a set of VMs.

    • AppType: AppA_Client
    • AppType: AppA_Client_Tier
    • AppType: AppA_Web
    • AppType: AppA_Web_Tier

    Step 2. Apply categories to VMs

    The following categories have been applied to VMs:

    • AppA_Client1 and AppA_Client2
      • APPTier:AppA_Client
      • APPTier:AppA_Client_Tier
    • AppA_Web1 and AppA_Web2
      • APPTier:AppA_Web
      • APPTier:AppA_Web_Tier

    Step 4. Create security policies

    "Security policies are applied to categories (a logical grouping of VMs), and not to the VMs themselves. Therefore, it does not matter how many VMs are started up in a given category. Traffic associated with the VMs in a category is secured without administrative intervention, at any scale."


    Port 80 is allowed to all VMs that are in the AppA_Web_Tier category.

    Summary of security policy:

    • All VMs in AppA_Client_Tier will have access to AppA_Web_Tier on port 80
    • VMs in AppA_Web_Tier cannot talk to each other.
    • VMs in AppA_Web_Tier have no outbound access
    • The policy is in monitoring mode only, so no restrictions are enforced yet

    Pinging from AppA_Client1 to the two web servers. It's successful because nothing is being blocked.

    This is where Nutanix Flow shines:

    • Dotted blue lines to AppA_Web_Tier show web port 80 traffic. This is allowed.
    • Dotted inbound yellow lines to AppA_Web_Tier show pings from VMs in AppA_Client_Tier. Only web traffic on port 80 should be allowed, but the policy is still in monitoring mode, so all inbound traffic is allowed.
    • Dotted outbound yellow lines from AppA_Web_Tier are pings to VMs in AppA_Client_Tier. This has not been approved: AppA_Web_Tier should have no outbound access. The policy is still in monitoring mode, so all outbound traffic is allowed.
    • All the other outbound dotted yellow traffic is connections to DNS, DHCP, and pings to the internet. In a production environment we would evaluate which dependencies are needed; this demonstrates how Nutanix Flow will find other dependencies.
    • Hovering over dotted lines gives additional detail on source IP/port.

    Step 5. Apply security policy.

    • AppA_Client_Tier VMs will only have port 80 access to AppA_Web_Tier VMs
    • Allowed all outbound traffic to 10.21.193.255/32 subnet

    Security Policy Results:

    Client VMs can no longer ping VMs in AppA_Web_Tier. Notice that web traffic to AppA_Web_Tier still works.

    VMs in AppA_Web_Tier cannot ping each other or google.com, per policy. They can only ping VMs in AppA_Client_Tier. Everything is working as expected now that the security policy has been applied.
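    The scenario walked through above (client tier to web tier on port 80 only, no web-to-web traffic, web tier allowed only ICMP back to the client tier, and a monitoring mode that reports but never blocks) can be checked against a table of expected flows before a policy is switched from monitoring to applied. The following Python model is an added example, not Nutanix code and not a call to the Prism API; the VM inventory, the category names and the policy rules are taken from this post, and 203.0.113.10 (a documentation address) is a constructed stand-in for google.com.

```python
"""Category-based microsegmentation policy model (added example, not Nutanix code).

Reproduces the policy logic described in the post so the expected results of
a policy can be checked before switching it from monitoring to applied."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed inventory mirroring the post's VM environment: IP -> categories.
VM_CATEGORIES = {
    "10.21.193.210": {"AppA_Client_Tier"},  # AppA_Client1
    "10.21.193.230": {"AppA_Client_Tier"},  # AppA_Client2
    "10.21.193.75": {"AppA_Web_Tier"},      # AppA_Web1
    "10.21.193.60": {"AppA_Web_Tier"},      # AppA_Web2
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # ignored for icmp


@dataclass(frozen=True)
class Rule:
    category: str     # peer category: source for inbound rules, destination for outbound
    proto: str
    dport: int = 0


@dataclass
class SecurityPolicy:
    secured: str                                   # category the policy protects
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    allow_intra: bool = False                      # may secured VMs talk to each other?
    mode: str = "monitor"                          # "monitor" = visualise only; "apply" = enforce


def categories_of(ip: str) -> Set[str]:
    return VM_CATEGORIES.get(ip, set())


def _matches(rule: Rule, peer: Set[str], proto: str, dport: int) -> bool:
    return (rule.category in peer and rule.proto == proto
            and (proto == "icmp" or rule.dport == dport))


def would_permit(flow: Flow, policy: SecurityPolicy) -> Tuple[bool, str]:
    """Decide what the policy says about one flow, ignoring the mode."""
    src, dst = categories_of(flow.src), categories_of(flow.dst)
    src_in, dst_in = policy.secured in src, policy.secured in dst
    if not (src_in or dst_in):
        return True, "not governed by this policy"
    if src_in and dst_in:                         # web-to-web traffic in the post
        return policy.allow_intra, "intra-tier traffic"
    if dst_in:                                    # inbound to the secured tier
        ok = any(_matches(r, src, flow.proto, flow.dport) for r in policy.inbound)
        return ok, "inbound rule match" if ok else "no inbound rule"
    ok = any(_matches(r, dst, flow.proto, flow.dport) for r in policy.outbound)
    return ok, "outbound rule match" if ok else "no outbound rule"


def evaluate(flow: Flow, policy: SecurityPolicy) -> Tuple[str, str]:
    """Return (action, detail). Monitoring mode never blocks; it reports what
    enforcement would do, which is the Flow visualisation step in the post."""
    permitted, why = would_permit(flow, policy)
    if permitted:
        return "ALLOW", why
    if policy.mode == "monitor":
        return "ALLOW", "monitoring: would DROP (" + why + ")"
    return "DROP", why


# Policy from the post: clients reach the web tier on tcp/80 only, web VMs may
# not talk to each other, and the web tier may only send ICMP to the client tier.
WEB_POLICY = SecurityPolicy(
    secured="AppA_Web_Tier",
    inbound=[Rule("AppA_Client_Tier", "tcp", 80)],
    outbound=[Rule("AppA_Client_Tier", "icmp")],
)


def run_checks(policy: SecurityPolicy, mode: str) -> Dict[str, str]:
    """Evaluate the flows the post tests under the given mode."""
    p = SecurityPolicy(policy.secured, policy.inbound, policy.outbound, policy.allow_intra, mode)
    flows = {
        "client1->web1 tcp/80": Flow("10.21.193.210", "10.21.193.75", "tcp", 80),
        "client1->web1 icmp": Flow("10.21.193.210", "10.21.193.75", "icmp"),
        "web1->web2 tcp/80": Flow("10.21.193.75", "10.21.193.60", "tcp", 80),
        "web1->client1 icmp": Flow("10.21.193.75", "10.21.193.210", "icmp"),
        "web1->internet icmp": Flow("10.21.193.75", "203.0.113.10", "icmp"),  # constructed stand-in for google.com
    }
    return {name: evaluate(f, p)[0] for name, f in flows.items()}


if __name__ == "__main__":
    for mode in ("monitor", "apply"):
        print(mode, run_checks(WEB_POLICY, mode))
```

    Running it prints every flow as ALLOW in monitoring mode and, once applied, only the two flows the post observed still working: client-to-web on port 80 and web-to-client ICMP. The point of keeping the "would DROP" detail in monitoring mode is the same one Flow makes visually: the dependencies you did not know about (DNS, DHCP, internet pings) show up before enforcement, not after.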

  • For the 3rd Time, High Availability, Inc. Appears on the Inc. 5000

    August 16th, 2018

    For the 3rd Time, High Availability, Inc. Appears on the Inc. 5000, Ranking No. 3898 With Three-Year Revenue Growth of 91 Percent

    Audubon, PA, August 16th, 2018 - Inc. magazine revealed that High Availability, Inc. is No. 3898 on its 37th annual Inc. 5000, the most prestigious ranking of the nation’s fastest-growing private companies. The list represents a unique look at the most successful companies within the American economy’s most dynamic segment—its independent small businesses. Microsoft, Dell, Domino’s Pizza, Pandora, Timberland, LinkedIn, Yelp, Zillow, and many other well-known names gained their first national exposure as honorees on the Inc. 5000.

    Not only have the companies on the 2018 Inc. 5000 (which are listed online at Inc.com, with the top 500 companies featured in the September issue of Inc., available on newsstands August 15) been very competitive within their markets, but the list as a whole shows staggering growth compared with prior lists. The 2018 Inc. 5000 achieved an astounding three-year average growth of 538.2 percent, and a median rate of 171.8 percent. The Inc. 5000’s aggregate revenue was $206.1 billion in 2017, accounting for 664,095 jobs over the past three years.

    Complete results of the Inc. 5000, including company profiles and an interactive database that can be sorted by industry, region, and other criteria, can be found at www.inc.com/inc5000.

    “If your company is on the Inc. 5000, it’s unparalleled recognition of your years of hard work and sacrifice,” says Inc. editor in chief James Ledbetter. “The lines of business may come and go, or come and stay. What doesn’t change is the way entrepreneurs create and accelerate the forces that shape our lives.”

    High Availability, Inc. is a premier solution provider and integrator of data center products and cloud services. High Availability, Inc. solves complex business challenges by architecting and implementing forward-thinking technical solutions, while forming trusting, collaborative relationships. By taking a hands-on, consultative approach, the High Availability, Inc. team creates custom tailored systems and solutions to fit both current requirements and future IT and business needs.

    ###

    Media Contact:

    For more information about High Availability, Inc., please contact Liz Thompson, Marketing Manager, at (610) 254-5090 ext. 256 or lthompson@hainc.com

  • High Availability, Inc. Named to 2018 CRN Fast Growth 150 List

    August 9th, 2018

    Recognizing Thriving Solution Providers in the IT Channel

    Audubon, PA, August 9th, 2018 - High Availability, Inc. announced today that CRN®, a brand of The Channel Company, has named High Availability, Inc. to its 2018 Fast Growth 150 list. The list is CRN’s annual ranking of North America-based technology integrators, solution providers and IT consultants with gross sales of at least $1 million that have experienced significant economic growth over the past two years. The 2018 list is based on an increase of gross revenue between 2015 and 2017. The companies recognized this year represent a remarkable combined total revenue of more than $50 billion.

    "It is a tremendous achievement to be named to CRN's Fast Growth 150 for the 4th year in a row," said Steve Eisenhart, Chief Executive Officer of High Availability, Inc. "Our investment in existing/new employees, our strategic partners, new/emerging technologies and our Cloud and Managed Services Division have led to incredible year-over-year growth. We are fortunate to have such amazing clients who continue to excel and thrive in their own sectors. We are excited about where we are as an organization and look forward to figuring out a way to make this list again next year," Eisenhart concluded.

    “CRN’s 2018 Fast Growth 150 list features companies that are growing in an ever-changing, challenging market,” said Bob Skelley, CEO of The Channel Company. “As traditional solution providers are moving towards a services-focused business model, this extraordinary group have been able to successfully adapt; outperforming competitors and proving themselves as channel leaders. We are pleased to recognize these organizations and look forward to their continued success.”

    The complete 2018 Fast Growth 150 list is featured in the August issue of CRN and can be viewed online at www.crn.com/fastgrowth150.

    High Availability, Inc. is a premier solution provider and integrator of data center products and cloud services. High Availability, Inc. solves complex business challenges by architecting and implementing forward-thinking technical solutions, while forming trusting, collaborative relationships. By taking a hands-on, consultative approach, the High Availability, Inc. team creates custom tailored systems and solutions to fit both current requirements and future IT and business needs.

  • What’s New in Azure Storage?

    August 8th, 2018

    Azure is now a fully mature, platform-neutral public cloud provider that gives every business, from the small manufacturer to the global enterprise, the ability to move its entire IT workload to the cloud: from web hosting to e-commerce to internal services such as databases, collaboration and messaging, and on and on. But at the end of the day, all these services, both internal and customer/partner-facing, rely on the lifeblood of modern business: information. That information exists in the form of data.

    Data must be housed somewhere, and with the latest general release for storage, Azure has something for everyone. Azure Files. Azure Blobs. Azure Disks. So which one is right for your data needs? Well, of course that depends on the format and type of data, how you want to access and present it, and how often it needs to be accessed. Let's take a look.

    Azure Disks

    The most direct cognate of what we think of in traditional terrestrial computers and servers, disks are exactly what they sound like: Azure-hosted disk drives of various sizes and capacities, either HDD or SSD, from 32 GB to 4 TB, all with 500 IOPS per disk and throughput of 60 MB/sec. Azure Disks are lift-and-shift certified for a range of Microsoft enterprise applications such as Azure SQL Database, Dynamics AX and CRM, Exchange Server and more. Choose Azure Disks for applications that require native file system APIs, with persistent storage for read and write operations. Azure Disks are the answer when you need to store data that doesn't need to be accessed outside of the virtual machine the disk is attached to.

    An integral feature is built-in, automatic redundancy. All Azure disks are automatically copied to three locations. This is basic Locally Redundant Storage (LRS): all copies reside in the same data center, but in different racks. You also have the option to increase resiliency by choosing one of the following upgrades. Zone Redundant Storage (ZRS) places one of the hosted copies on a disk in a second, fully isolated Availability Zone. Geo Redundant Storage (GRS) replicates your data to a second data center in a different Azure region for read access in the case of a Microsoft-declared disaster.

    All redundancy models are designed to provide at least 99.999999999% (11 9s) availability of your data (LRS). ZRS provides 12 9s and GRS provides 16 9s. Unless you are a global enterprise the size of, well, Microsoft, your data center is quite unlikely to provide that kind of data availability.

    Azure Files

    Azure Files provides the ability to set up structured file shares that can be mapped the same way network drives are, via the Server Message Block (SMB) protocol. This allows multiple Azure VMs to reference the same files simultaneously. Your on-premises servers can map drive shares the same way if you've extended your Active Directory into Azure. Azure Files also allows you to share these file stores with outside users, if needed, with full security provided through shared access tokens that can be managed centrally, including by setting expiration dates. Think of shared file exchange locations with business partners, without having to provide them with user names and passwords or access to your network, whether cloud or on premises.
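    The shared access tokens mentioned above are signed strings that name a resource, a permission set and an expiry, so a partner can be given a link instead of an account and the grant dies on its own. The following Python is an added example of that mechanism in simplified form; it is not the Azure SDK and does not reproduce Azure's exact signature format (for a real share, use the SDK's SAS helpers against your account key). The account key, share path and timestamps are constructed for the example.

```python
"""Simplified expiring shared-access token (added example, not the Azure SDK).

Shows the three properties a share token needs: it is bound to one resource,
it carries an explicit permission set, and it stops working at its expiry.
Any change to those fields breaks the HMAC, so a token cannot be edited to
widen its scope."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed account key for the example; a real key comes from the storage account.
ACCOUNT_KEY = base64.b64encode(b"example-account-key-do-not-use-in-prod").decode()


def _string_to_sign(resource: str, permissions: str, start: int, expiry: int) -> bytes:
    # Newline-separated canonical fields: the signature covers all of them.
    return "\n".join([resource, permissions, str(start), str(expiry)]).encode()


def make_token(resource: str, permissions: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a query-string token granting `permissions` (e.g. "r" or "rw")
    on one share path for ttl_seconds from `now` (epoch seconds)."""
    start = int(time.time()) if now is None else now
    expiry = start + ttl_seconds
    key = base64.b64decode(ACCOUNT_KEY)
    sig = hmac.new(key, _string_to_sign(resource, permissions, start, expiry), hashlib.sha256).digest()
    return urlencode({"sr": resource, "sp": permissions, "st": start, "se": expiry,
                      "sig": base64.b64encode(sig).decode()})


def check_token(token: str, resource: str, needed: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a presented token against the resource and permissions a request needs.
    The signature is checked first so tampered fields are never trusted for the later checks."""
    try:
        q = {k: v[0] for k, v in parse_qs(token, strict_parsing=True).items()}
        start, expiry = int(q["st"]), int(q["se"])
        presented = base64.b64decode(q["sig"])
    except (KeyError, ValueError):
        return False, "malformed token"
    key = base64.b64decode(ACCOUNT_KEY)
    expected = hmac.new(key, _string_to_sign(q["sr"], q["sp"], start, expiry), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return False, "bad signature"
    t = int(time.time()) if now is None else now
    if not (start <= t < expiry):
        return False, "expired or not yet valid"
    if q["sr"] != resource:
        return False, "token is for a different resource"
    if any(p not in q["sp"] for p in needed):
        return False, "insufficient permission"
    return True, "ok"


if __name__ == "__main__":
    # Constructed partner hand-off: read-only access to one file for an hour.
    tok = make_token("partners/contract.pdf", "r", 3600)
    print(tok)
    print(check_token(tok, "partners/contract.pdf", "r"))
    print(check_token(tok, "partners/contract.pdf", "w"))
```

    The order of the checks is the part worth copying: verify the signature before reading any field, then expiry, then resource, then permission. Centralised management in the post's sense means the issuing side keeps the key and the record of what it issued; revoking early is done by rotating the key, which invalidates every outstanding token at once.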

     

    Azure Blob Storage

    If you run an art house, music service, or any number of businesses that depend on storing a large number of unstructured files that need to be individually accessed without traditional paths, Azure Blob Storage is your Huckleberry. Think of Blob Storage when you need to serve files or images directly to a browser through your spiffy new web site, or when you need to serve files through distributed access from a location off network. But Doug, I need to serve streaming video or audio? Glad you asked: Azure Blob. I need a place to throw my daily backups and keep them for 99 years! Azure Blob has you covered. Generate a ton of log and diagnostic files that need to be available for analysis by on-premises or Azure-hosted services? Azure Blob.

    The best part?  These files are available from anywhere in the world that has an internet connection via HTTP or HTTPS, using the Azure REST API, Azure PowerShell, Azure CLI or Azure Storage client libraries. Oh, did I mention that client libraries are compatible with .NET, Java, Python, PHP and Ruby?  Well you guessed it.  Azure Blob’s got you covered.

    So step away from maintaining all that hardware in your SAN. The biggest, most complicated SAN isn't what makes you cool. Being able to preserve, protect, and securely serve that data to whom you want (and only whom you want) without worrying about keeping a stock of hot-swappable disks (and the capital expenses) in your server room is what makes you cool. Cool as Azure blue.

  • Top Technology Buzz Words

    July 9th, 2018

    When I was given this assignment, it brought me back to my first day in technology 16 years ago (yes, I'm old and social media still scares me a bit). I remember thinking I had no idea what anyone was talking about, and I wished everyone would speak in complete sentences and stop using "Buzz Words" that I didn't know. What I really realized is that I had a lot to learn. So how did I come up with the five Buzz Words below? It's a combination of what I hear every day, talking with peers and doing some research.

    Artificial Intelligence (AI)

    This is an obvious one, and even people who aren't in technology have heard of it. Self-driving cars come to mind first. The formal explanation is that AI refers to the autonomous intelligent behavior of software or machines that have a human-like ability to make decisions and to improve over time by learning from experience. Different approaches include statistical methods, computational intelligence and traditional symbolic AI. There are a large number of tools used in AI, including versions of search and mathematical optimization, logic and methods based on probability and economics. In business intelligence, there has been a movement from static reports on what has already happened to real-time analytics assisting businesses with more accurate reporting. The ability to make changes in real time that could impact revenues is incredibly powerful. Think of tracking customers' movements (not just traffic patterns but eye movements and body language) in stores so you could sell shelf space at a premium daily (think supermarkets). AI enables you to see what is happening at every moment, and send alerts when something isn't following the norm.

    Finally, there is the social impact of AI. Robots have been around for a very long time but performed the same task repetitively. This enabled factories to perform certain tasks at a speed and pace that humans couldn't compete with, causing job loss. Now, robots (software and machines) have the ability to learn in real time, enabling them to take on more human-like tasks and take even more jobs from humans. Think of the success of Uber and how many people the company employs. The real profits come when the cars drive themselves!

    Blockchain

    Blockchain and Bitcoin have been all over the news as well and have been the most talked about Buzz Words since late 2017. Blockchain, and more specifically Bitcoin, have been constantly discussed at the water cooler after Bitcoin went crazy and surpassed the price of gold for the first time. In 2017, its value climbed from less than $1,000 to over $10,000. Although the price has dropped significantly in 2018, the technology is here to stay.

    Everyone has heard of the blockchain, but few understand how it works due to its complexity. The blockchain works with Bitcoin, and depending on the circles you run in, Bitcoin was either:

    • The shadiest thing that has ever happened to the internet
    • The coolest innovation in modern currency, ever
    • A non-factor since you had no idea what it was

    Bitcoin is a system of currency that doesn’t rely on banks, countries, or any outside institutions. This is potentially a very big deal, as there are many people living in developing countries that have to deal with issues like hyperinflation, not being able to exchange their currency for others, and having to exchange currency on the black market. In addition, think of the overhead (cost) the financial system charges us every day to protect, manage and move money. Bitcoin together with the protection of Blockchain has the potential to eliminate this costly layer and crush banking profits.

    Bitcoin has the ability to solve the problems mentioned above, but the technology underlying Bitcoin, called Blockchain, is where the rubber meets the road. Blockchain is what enables Bitcoin users to exchange currency without anyone being ripped off or getting "counterfeit" Bitcoin. Basically, blockchain works by keeping a record of each transaction that happens using Bitcoin as a currency. This record is completely transparent to everyone and is part of the fundamental structure of Bitcoin.

    The Blockchain structure makes it very difficult to forge Bitcoin or do any sort of fraudulent activities involving the currency.  Even though Bitcoin and Blockchain technology is viewed as a threat to the banking system many of the banks have started using it to pay large amounts of money with less time spent on security, thanks to the safety of the Blockchain.

    Serverless Architecture

    Another IT buzzword is the Serverless architecture. It refers to an application that relies on third-party services (or “BaaS”, Backend as a Service), or on custom code run in ephemeral containers (also called “FaaS”, Function as a Service). The name can be confusing but Serverless computing is not running code without servers. It is called Serverless from a developer’s point of view. The person or the business who owns the systems doesn’t need to buy, rent or provision servers or machines to run the backend code. Basically, they don’t have to manage servers.

    It works because it lets developers focus on their central business problem instead of worrying about patching servers another time, or spending too long on building complex systems. Unfortunately, not all applications can be implemented Serverless-style. Legacy systems or public cloud bring limitations. Serverless architecture does bring benefits like reduced operational and development costs, reduced time to market, and an enhanced productivity but there are some downsides. It is not optimal for high-performance computing and its workload because of the resources limits imposed by cloud providers.

    Internet of Things

    Without question, Internet of Things (IoT) is one of the most popular buzzwords in recent memory and will continue to go mainstream as its applications become more physical.

    As society continually becomes more plugged in, the physical world around us is right behind and will become one big information system. The amount of digital data consumed and digested will be endless. Everyday physical objects will be connected to the Internet and to each other, creating a stream of intelligence. The challenge for manufacturers will be creating an end user experience that is seamless across devices. Imagine an endless set of end points where people access applications and information. The use cases are endless: mobile devices, wearables, home electronics, etc. Basically, anything you want to monitor and have access to will be available.

    So, the obvious question is why aren't we monitoring everything now? Sounds easy, right? The answer is us, meaning there is a race to own the market. There are too many competing platforms to have seamless integration at this point in time. Think of the big three (Google, Amazon & Apple): they all have different ecosystems that make cross-platform integration challenging. But, like anything involving money, I am sure it is only a matter of time before they figure it out.

    Digital Detox

    By far, Digital Detox is my favorite technology buzz word, and for one simple reason: I'm a father. I'm not anti-technology, and it's safe to say the digitization of everything has brought endless advancements to our world. The advancements in healthcare alone are stunning. But at the same time, where has the off button gone? My generation (Gen X) struggles as parents because we remember what it was like to be raised without technology but are forced to embrace it because our children are engulfed in it. The anxiety our children (adults as well) feel when not connected is very real. The prioritization of a Digital Detox needs to be as important as sleeping or eating.

    Many people have developed "phantom vibration syndrome," the sensation of feeling or hearing our phone buzz when it isn't. Every day there is a new article discussing the negative impact of social media and smart phones on our brains. FOMO, Fear of Missing Out, is a real issue for many of us. Professionally speaking, being always connected has increased efficiencies and improved customers' access to problem resolution, but at what cost? If we leave our smart phones in the car while we eat, are we bad employees?

    With such an exponential innovation pace in technology, it can be nice to remind ourselves and the world around us that humans and human brains are not machines and not computers, and a digital detox is all we need to reconnect with ourselves.

  • Troubleshooting Tool Enhancements in ASA v9.9 Code – Part 1

    July 9th, 2018

    *** Packet-tracer Enhancements in ASA 9.9 code ***

    The packet-tracer and capture utilities built into Cisco ASAs, and now Firepower appliances as of v6.1, are great "go to" troubleshooting tools for Cisco firewall administrators. The packet-tracer and capture utilities can be used in combination or as separate tools, depending on the situation.

    Packet-tracer allows the simulation of a particular traffic flow to see how it will be handled while being processed by the firewall. The capture utility allows administrators to run packet captures directly on the firewall appliance, which can then be reviewed directly on the ASA or downloaded and reviewed using a protocol analyzer such as Wireshark.

    Some of the useful information that the packet-tracer utility provides once a trace is completed includes: which interface the packet will exit, if the flow matches any particular access-lists and if the traffic is permitted or denied, if and how the traffic will be translated, if the packet will be encrypted, as well as many other useful items.  This tool allows for us engineers to validate configuration changes confirming functionality prior to closing out a change request. 

     

    With ASA v9.9 code, Cisco has included some extremely welcome additions to the already-awesome packet-tracer and capture utilities. Among the enhancements I'm excited about is the ability to actually send the simulated packet to the destination address so that the remote host receives and processes it. Transmitting the simulated packet helps verify that the remote destination host receives the traffic and, when a response is expected, whether the ASA receives it.

     

    Using the sample topology below, I wanted to demonstrate the new packet-tracer transmit feature.

     

     

    In this sample topology, I will use R01 as the client workstation and R02 as the destination web server. Between these two routers sit ASA1, a provider router, and ASA2. The ASAs have an IKEv2 IPsec VPN tunnel established, and the provider router acts as a transit router between the two firewalls.

     

    For these examples, I will be sending a tcp/80 request from R01 (10.0.1.1), acting as the client, to R02 (10.0.2.1), acting as the server.

     

    During this example, I will also run a packet capture on ASA1 that filters traffic specifically between R01 and R02.

     

    ASA1(config)# sho run access-l cap
    access-list cap extended permit ip host 10.0.1.1 host 10.0.2.1
    access-list cap extended permit ip host 10.0.2.1 host 10.0.1.1
    ASA1(config)#
    ASA1(config)# sho cap
    capture cap type raw-data access-list cap interface inside [Capturing - 0 bytes]
    ASA1(config)#

     

    In the first example below, we use packet-tracer without the new “transmit” option. In the packet-tracer output we can see each step, including any ACLs being hit, which exit interface the traffic will use, if and how the traffic will be translated, and so on.

     

    ASA1(config)# packet-tracer input inside tcp 10.0.1.1 32000 10.0.2.1 80
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 198.18.1.1 using egress ifc  outside

    Phase: 4
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static inside inside destination static site2 site2 no-proxy-arp route-lookup
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 10.0.2.1/80 to 10.0.2.1/80

    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside in interface inside
    access-list inside extended permit ip any4 any4
    Additional Information:

    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static inside inside destination static site2 site2 no-proxy-arp route-lookup
    Additional Information:
    Static translate 10.0.1.1/32000 to 10.0.1.1/32000

    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: QOS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 10
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source static inside inside destination static site2 site2 no-proxy-arp route-lookup
    Additional Information:

    Phase: 13
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: QOS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 15
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 16
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 17
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 18
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 37, packet dispatched to next module

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    ASA1(config)#
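    Once a trace like the one above has to be checked as part of a change window, it helps to have a script read it rather than a person. The Python below is an added example, not code from the original post or from Cisco: it parses the packet-tracer phase output into a list of phases plus the final Result block and reduces it to the items the post calls out (the verdict, ingress and egress interface, the first phase that did not ALLOW, matched access-list lines, NAT translations, and whether the VPN encrypt phase ran). SAMPLE is a shortened copy of the trace shown above; the Drop-reason key only appears in the Result block of a trace that ends in a drop, and the function and field names are this example's own.

```python
"""Structured view of Cisco ASA packet-tracer output.

Added example, not code from the original post or from Cisco: it parses the
phase-by-phase text packet-tracer prints so a change-validation script can
assert on the verdict instead of a person reading every phase. SAMPLE is a
shortened copy of the post's own trace (phases 5, 6 and 11 plus the Result block).
"""
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines after "Config:"
    info: list = field(default_factory=list)    # lines after "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, final): the Phase list and the trailing 'Result:' block as a dict."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_final:                        # "input-interface: inside", "Action: allow", ...
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif line == "Result:":             # a bare "Result:" opens the summary block
            in_final = True
        elif line.startswith("Phase:"):
            cur = Phase(number=int(line.split(":", 1)[1]))
            phases.append(cur)
            section = None
        elif cur is None:
            continue                        # anything printed before the first phase
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            setattr(cur, key.lower(), val.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            getattr(cur, section).append(line)
    return phases, final


def summarize(text):
    """What an engineer checks after a trace: verdict, interfaces, ACL hits, NAT, VPN."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result.upper() != "ALLOW"), None)
    return {
        "action": final.get("Action", "").lower(),
        "ingress": final.get("input-interface"),
        "egress": final.get("output-interface"),
        "first_drop": None if drop is None else f"{drop.number}:{drop.type}",
        "drop_reason": final.get("Drop-reason"),  # only present when the trace ends in a drop
        "acl_matches": [c for p in phases if p.type == "ACCESS-LIST"
                        for c in p.config if c.startswith("access-list")],
        "nat": [i for p in phases if p.type in ("NAT", "UN-NAT")
                for i in p.info if "translate" in i.lower()],
        "vpn_encrypt": any(p.type == "VPN" and p.subtype == "encrypt" for p in phases),
    }


SAMPLE = """\
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any4 any4
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside inside destination static site2 site2 no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.1.1/32000 to 10.0.1.1/32000

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:12} {value}")
```

    Feeding it the full trace from the post gives action "allow", egress "outside" and first_drop None; a trace that is denied by an access-list instead reports the phase number and type of the first non-ALLOW phase together with the Drop-reason line the ASA prints in the Result block, which is the pair a change-validation script should compare before and after a rule change.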

     

    With the packet-tracer complete, a look at the capture below shows that the ASA processed the packet and created the flow, but the packet did not leave the ASA.

     

    ASA1(config)# sho cap cap
    1 packet captured
       1: 16:38:36.544115       10.0.1.1.32000 > 10.0.2.1.80: S 1550136167:1550136167(0) win 8192
    1 packet shown
    ASA1(config)#

     

     

    In this next example, we add the "transmit" option to the same packet-tracer. The packet-tracer output is the same, only this time the packet exits the ASA and is sent to the remote destination host. We can verify this in the capture.

     

    ASA1(config)# packet-tracer input inside tcp 10.0.1.1 32000 10.0.2.1 80 transmit
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list

    .....
    omitted for brevity
    .....

    Phase: 18
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 39, packet dispatched to next module

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    ASA1(config)#

     

    Looking at this new capture, we can see that the packet-tracer output appears the same, but this time the packet was sent to the remote destination, which processed the request and sent its response back to the client, R01. Since R01 never sent the actual request, R01 then responded with a reset back to R02.

     

    ASA1(config)# sho cap cap
    3 packets captured
       1: 16:43:19.486852       10.0.1.1.32000 > 10.0.2.1.80: S 115026015:115026015(0) win 8192
       2: 16:43:19.611677       10.0.2.1.80 > 10.0.1.1.32000: S 4195304887:4195304887(0) ack 115026016 win 4128 <mss 536>
       3: 16:43:19.623380       10.0.1.1.32000 > 10.0.2.1.80: R 115026016:115026016(0) win 0
    3 packets shown
    ASA1(config)#

     

    As you can see, being able to simulate and now transmit a packet to a remote destination address lets us test and verify connectivity on behalf of a particular host. This can also help a remote engineer troubleshoot connectivity on the far end without having to engage other groups or departments and take up their time testing the connectivity.
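    To make the capture reading above repeatable, the Python below (an added example, not code from the post or from Cisco) parses the lines "show capture" prints and classifies the simulated handshake: a SYN with no reply, a SYN answered by a SYN-ACK (the client's reset that follows is expected, because R01 never sent the SYN), or a SYN answered by a reset from the server. It also derives the round-trip time between the SYN and the SYN-ACK from the capture timestamps. The two sample captures are the ones shown in the post; the verdict strings and function names are this example's own. Note the caveat it encodes: a capture holding only the SYN looks the same whether the packet never left the ASA (no transmit) or was transmitted and lost en route, which is why the post pairs the capture with the packet-tracer output.

```python
"""Read an ASA 'show capture' listing and judge the simulated TCP handshake.

Added example, not code from the original post or from Cisco. After a
packet-tracer with "transmit", the capture is what proves the far end
answered; this parser turns that packet list into a verdict a validation
script can check. The two sample captures below are copied from the post.
"""
import re
from datetime import datetime

# One packet line, e.g. "   2: 16:43:19.611677   10.0.2.1.80 > 10.0.1.1.32000: S 4195304887:4195304887(0) ack 115026016 win 4128"
PKT = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SRFP.]+)\s(?P<rest>.*)$"
)


def parse_capture(text):
    """Return one dict per packet line; the 'N packets captured/shown' lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["ack"] = re.search(r"\back \d+", p["rest"]) is not None  # SYN-ACK prints as "S ... ack N"
        p["t"] = datetime.strptime(p["ts"], "%H:%M:%S.%f")
        pkts.append(p)
    return pkts


def classify_exchange(text, client, server, port):
    """Verdict on the client -> server:port connection the trace simulated."""
    pkts = parse_capture(text)
    c2s = [p for p in pkts if p["src"] == client and p["dst"] == server and p["dport"] == str(port)]
    s2c = [p for p in pkts if p["src"] == server and p["sport"] == str(port) and p["dst"] == client]
    syn = next((p for p in c2s if "S" in p["flags"] and not p["ack"]), None)
    synack = next((p for p in s2c if "S" in p["flags"] and p["ack"]), None)
    if syn is None:
        verdict = "no_syn_seen"        # capture ACL did not match, or the trace never produced the packet
    elif synack is not None:
        verdict = "server_reachable"   # far end answered; the client's RST afterwards is expected
    elif any("R" in p["flags"] for p in s2c):
        verdict = "refused"            # host answered with a reset: reachable, nothing listening
    else:
        verdict = "no_response"        # same picture whether the packet never left or was lost en route
    rtt = None if syn is None or synack is None else (synack["t"] - syn["t"]).total_seconds()
    return {"packets": len(c2s) + len(s2c), "verdict": verdict,
            "client_rst": any("R" in p["flags"] for p in c2s), "rtt_s": rtt}


CAPTURE_NO_TRANSMIT = """\
1 packet captured
   1: 16:38:36.544115       10.0.1.1.32000 > 10.0.2.1.80: S 1550136167:1550136167(0) win 8192
1 packet shown
"""

CAPTURE_TRANSMIT = """\
3 packets captured
   1: 16:43:19.486852       10.0.1.1.32000 > 10.0.2.1.80: S 115026015:115026015(0) win 8192
   2: 16:43:19.611677       10.0.2.1.80 > 10.0.1.1.32000: S 4195304887:4195304887(0) ack 115026016 win 4128 <mss 536>
   3: 16:43:19.623380       10.0.1.1.32000 > 10.0.2.1.80: R 115026016:115026016(0) win 0
3 packets shown
"""

if __name__ == "__main__":
    for name, cap in (("without transmit", CAPTURE_NO_TRANSMIT), ("with transmit", CAPTURE_TRANSMIT)):
        print(name, classify_exchange(cap, "10.0.1.1", "10.0.2.1", 80))
```

    Run against the two captures from the post, the first returns the verdict "no_response" with a single packet and the second "server_reachable" with three packets, a client reset and a SYN to SYN-ACK round trip of about 125 ms. The regular expression only understands the TCP summary format shown above; a capture of non-TCP traffic or one taken with the "detail" keyword would need its own pattern.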
