Thursday, August 14, 2014

IPv6 fail on Fortigate

Issue: Clients do not receive IPv6 addresses using stateless autoconfiguration. Clients with static IP addresses work as normal. In the system log we see lots of messages like “sendmsg: no buffer space available”.

This is seen on FortiOS 5.0.7.

Solution: kill the radvd process on the firewall. This has no side-effects as the process only implements IPv6 router advertisement messages.

In case you can’t find the process ID, try “diag sys top 10 99” and see if you can find it. You kill the process with the command “diag sys kill 9 <pid>”.



Monday, August 11, 2014

NPS event 6273 reason code 16

Issue: cannot authenticate users or computers, “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.”

All RADIUS secrets and NPS policies are correct.

Environment: NPS running on Windows 2012 R2 domain controller, client on Windows 7 enterprise. Using either Allied Telesis or Cisco switches.

Cause: Windows 7 validates the server certificate only by using the Subject field on the certificate. When NPS is installed on a domain controller it will use a certificate template for domain controllers. These certificates do not fill in the Subject field of the certificate.

Solution: Granted domain controllers access to the Computer template and issued a new certificate based on this template. Reconfigured NPS to use that one instead.

Source: By reading through a very long article from Technet about this error, this solution appeared to me.
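As an added check (my own script, not part of the original post), the following PowerShell lists the server-authentication certificates in the NPS host's machine store and flags any with an empty Subject, which is the condition the Windows 7 supplicant rejects; it assumes the certificates were issued by an AD CS template and reads the Microsoft template extensions to show which template each came from.

```powershell
# Added check, not from the original post: find server-auth certificates in the
# local machine store whose Subject is empty (e.g. the domain controller template)
# so the NPS certificate can be pointed at one with a populated Subject instead.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                               # id-kp-serverAuth
$templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'     # template info (v2) / name (v1)

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # 2.5.29.37 is the Extended Key Usage extension
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $template = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            SubjectEmpty = [string]::IsNullOrWhiteSpace($cert.Subject)   # True = Win7 will fail
            Template     = ($template -join '; ')
            NotAfter     = $cert.NotAfter
        }
    }
} | Sort-Object SubjectEmpty -Descending | Format-Table -AutoSize
```

Run it on the NPS server as an administrator; a row with SubjectEmpty set to True is the certificate that must not be selected in the PEAP/EAP settings of the network policy.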


Monday, June 16, 2014

Multicast drop with LACP

Today I had a strange problem on a network with a stack of Cisco 3750X running IOS 15.0(2)SE4.

All unicast traffic was working but for some reason I noticed that multicast traffic (more specifically OSPF Hello packets) between routers did not pass. One of the routers was configured on a trunk port with many VLANs and LACP.

What I saw was that the firewall could see one router, one router could see both the firewall and the other router, and the second firewall could only see the first router.

This happened after a reload of the entire switch stack, something that I have done many times before. So I cannot tell for sure exactly what I did differently to cause this problem this time. The switch is configured for src-dst-ip load balancing.

This seems to be a bug within the Cisco switch as the quick fix that worked for me was to take down one of the ports in the port-channel and later bring it back up.

Troubleshooting commands that you can use. I did not run them, so I am not sure what their output would be.

show platform forward gigabitEthernet 1/0/2 vlan 333 1111.2222.3333 3333.2222.1111
test etherchannel load-balance interface po 2 mac c000.1111.1111 2222.2222.2222
test etherchannel load-balance interface po 2 ip