We lit up a new site earlier this year with Charter fiber and needed to connect it back to HQ. Then another site in our area needed to be connected back to HQ, presenting a firewall decision. Should we look to next generation Cisco ASA gear to replace our aging (and soon out of life) 5505s and 5510, look at a different type of product for a firewall, or look at UTMs as a viable option? Our network has been a hub and spoke for a while now with a 5510 at HQ and 5-6 other ASA 5505s out in the wild.

After much research and deliberation, we landed on Meraki MX gear. We got a MX84 for HQ and MX64s for the remote sites. This post is a little bit about the implementation and some hurdles we needed to jump to get the different gear working for site-to-site VPN capabilities to work as expected.

The plan was to take care of the spoke sites first, get all of the ASA 5505s replaced with MX64s, and connect them back to HQ's 5510 using IPSec. Then we'd replace the ASA 5510 with the MX84 and connect all sites again. I started reading up on this before we got the Meraki gear to prepare for what was coming. When deploying ASAs in the past, we had hired a consultant to do the configuration for us since none of us are Cisco proficient. I know enough to be dangerous within ASDM, but I cannot say the same from the command line. After several years in IT, I had never once tried to setup an IPSec tunnel on my own. This was the time. I'd save the company consultant fees for every device by tackling it myself.

Here's the KB from Meraki on creating a tunnel between Cisco ASAs and Meraki MX: https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Cisco_ASA_Site-to-site_VPN_with_MX_Series. That article is written for ASA version 8.3 and higher. We just happened to be on version 8.4(4)1 across the board, so things looked a little different. In any case, the directions were pretty easy to follow. Here's a click by click using ASDM in the version we had. The steps were similar to this and performed on our ASA 5510

• Go to Wizards -> VPN Wizard -> Site-to-Site VPN Wizard, and click Next to continue.
  

• Leave the VPN interface as outside, and enter the peer ip (which, in my case, was the WAN ip of one of the MX64 devices).
  

• Turn off IKEv2 since Meraki only supports v1.
  

• Identify local and remote networks. We liked using network objects in the ASA.
  

• Enter the pre-shared key for your tunnel. No device certificate is needed here.
  

• There is no need to change anything here. As the Meraki KB states, the MX security appliance can accept any of the following Encryption algorithms: DES, 3DES, AES-128, AES-192 and AES-256. Additionally the MX can accept either SHA1 or MD5 as the authentication hashing algorithm.
  

• Be sure to check the option to exempt ASA side host/network from address translation, and leave it set to inside interface.
  

• Now you see the summary of the changes, so go ahead and click finish to setup the connection profile on the ASA side.
  

As seen in the connection Profiles list...

• As we all know, sometimes using a wizard enables some options you don't want. At this point, I like to go to Configuration -> Site-to-Site VPN in ASDM and edit the connection profile. Once the edit profile window opens, expand Advanced from the left-hand tree, and go to Cryptomap Entry. Uncheck the option for NAT-T (since we have no other NAT device between the ASA and the MX). Click ok, and apply the changes. Be sure to save those to the startup configuration of the ASA as well.
  

• That's all that should be needed on the ASA side in terms of changes, so the rest we do on the Meraki MX side. This involves jumping into the Dashboard and setting up a Non-Meraki Peer (under Security Appliance -> Site-to-Site VPN on the Meraki network in question). We'll assume the public ip of the ASA is 2.2.2.2. Use the same pre-shared key for the tunnel as you entered on the ASA side. Save your changes, and wait a couple of minutes.
  

• If you start testing after making these changes to the MX, you will find that the tunnel connects, and you can send traffic between networks. It may even work for the better part of a day, but the tunnel will eventually drop unexpectedly. The root cause here is that the phase 1 and phase 2 negotiations for IKE / IPSec start to fail according to what you see in the Meraki event logs. But I followed the article. Everything should be fine, right? Wrong.

*Here's another article Meraki links to at the bottom of that first article - https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Peers. Inside that article they finally tell you the default settings a MX uses when connecting with a 3rd party vendor's gear:

Cisco Meraki devices have the following requirements for their VPN connections to non-Meraki peers:
Preshared keys (no certificates).
LAN static routes (no routing protocol for the VPN interface).
IKEv1 (IKEv2 not supported) in Main Mode (aggressive mode not supported).
Access through UDP ports 500 and 4500.

• Go back to the ASA for a second, and dig into the connection profile you setup earlier. In the Basic settings, you see the IKE Policy list. Click the Manage button next to that to see a listing of all IKE policies.
  
  If you highlight one of the polcies and choose to edit, you will see the default negotiation settings the ASA is using.
  

At this point there are two options - change negotiation settings on the ASA side to match the Meraki MX, or change the Meraki MX negotiation settings to match the ASA side. I went with the latter option since I had the ASA 5510 connected to several 5505s and did not want to have to touch all of them.

• Back inside the same Site-to-Site VPN area of Meraki Dashboard as before, click the Custom link under IPsec Policies.
  

*Once that opens, you can adjust all of the parameters so that the lifetime matches and the encryption and authentication settings for both settings match everything being used in your IKE Policies from the Cisco ASA. The settings below are what worked for me.

Once these changes were made, the tunnel was solid. I learned this the hard way so hopefully this can benefit someone else. I will also say that every MX device you want to connect back to a 3rd party device must be in Hub mode (can't just be in spoke mode). The Non-Meraki peer you setup will be available to connect to any other MX devices in your Meraki Organization.

Deep inside you lies an impostor. Rather than an opinion, this is a fact for many of us, regardless of profession. The impostor exists in that deep, dark place you hope no one can see, waiting to ruin everything you’ve achieved professionally.

Is this impostor your alter ego like Dr. Jekyll’s Mr. Hyde? Perhaps. Does he / she even resemble the real you? How do you keep the impostor at bay? Is it even possible?

Back up for a second. The impostor is someone you have let yourself become, existing because of fear and doubt. These two feelings shackle your mind and change your own self-perception. Do you ever wonder if others feel the same? I guarantee you they do. I suspect these feelings come easier to folks who have achieved things they didn’t think were previously possible. Let’s take some examples.

An Example from the Realm of Education
When I was teaching high school math several years ago, I made students write a paper at the beginning of the year describing their general attitude toward math and what had shaped it in the past. I asked for brutal honesty, and in most cases, I got it. Many students hated math because they were never good at it, were discouraged because of previous teachers, or didn’t feel the subject was worth their time. My goal was to help these students put aside the previous experiences and to help them keep an open mind to the possibility of being able to succeed. While it certainly did not work in every case, a number of students were able to reach new heights only because they began to believe they could. It was easy to see the pride on their faces as their grades began to soar higher than they had in previous years.

Read the rest of the article here - http://blog.thenetworknerd.com/2018/06/30/fighting-the-impostor-within.

When is the last time you remember having a dream of some sort of achievement? Maybe it was what you wanted to be when you grew up as of Kindergarten graduation, or perhaps it was something else. Are the young the only ones who dream? Are they the only ones who would pursue a dream? With age comes responsibility. Marriage, children, a mortgage, and a job that supports the family are all part of it. And as responsibility comes, we tend do give up on our dreams. We give up our own dreams for those of our children. The dream becomes, as Langston Hughes put it, deferred.

I’d like to share the story of one of my dreams. And in a way, it’s a dream that, rather than me chasing it for many years, found me.

Ten years ago I walked out of my classroom for the last time. After 3.5 years teaching high school math, it was time for a new adventure. I told the principal I was giving up something I loved for something I loved even more, which was the dream of someday being a dad.

I went from math teacher to support analyst. Six months later I took a role that was part analyst and part IT. Over the course of nine years with the company, the role took me into full blown IT systems administration. I made a move one year ago to a different company to help rebuild the server infrastructure. While I enjoyed the work I was doing, something unexpected happened.

You can read the rest here - http://blog.thenetworknerd.com/2017/12/04/a-letter-to-the-dreamer-be-brave-enough.

For about 25 years now, my family has been carving pumpkins at Halloween as a tradition started by my aunt when she brought home a Pumpkin Masters kit on that fateful day. Ever since, we have been hooked. Each year we seem to carve more pumpkins, often times with better or more difficult patterns. It's literally our favorite holiday.

I remember my aunt from Texas would come to Tennessee where we lived (until I finished college) to carve pumpkins at Halloween. She would stay for the week, often using all of her vacation time. We became "those people with all the pumpkins." Then, when we moved to Texas in 2003, we became The Pumpkin People. I got married in 2005, and my wife got involved. My sister got married a few years ago, and her husband joined in the crew. It's still a family thing.

Even though Aunt Tonie (the one who started it all) passed away back in 2006 after losing her battle with cancer, the tradition carries on each year. Now it's sort of become our way of honoring her memory because it's something she loved to do, and we all loved to do with her. And we love it when people come by the house to get some candy on Halloween to see the display.

So if you want to check out some of our designs this year, have a look:
https://www.facebook.com/pumpkinpeople
http://brandibug.blogspot.com/2014/10/halloween-2014-lets-get-started.html

My employer is a PEO and encourages employees to write blog posts for their website. I thought it was time they had one in there from someone in IT. This one recommends some ways you can prevent Shadow IT in your organization. Let me know what you think.

https://www.staffone.com/avoid-threat-shadow-it-tech-policies/

A few months ago I agreed to participate in a beta test program for Artic Wolf. They are a Spiceworks partner and have a really interesting product. They send you an appliance that just analyzes traffic on your network, nothing more than a passthrough device. But they have a security concierge service that actively watches and manages customer devices for threats. They've detected some threats that we did not even know existed (some that even VIPRE did not catch).

Today we got an alert from VIPRE about active protection and it blocking an attempt to run FileExtractorSetup.exe on someone's machine. That was good. We started scrubbing that machine pretty soon afterward. Then, only a few minutes later, we get the following message from Artic Wolf:

Nick,
A file was recently seen being downloaded to a workstation within your network that may have undesired results if installed. The file is called "FileExtractorSetupG.exe", and was downloaded to the following workstation: ipdaddress\WorkstationName.
I ran an analysis on the file and it came back with the following results:
SHA256: 6f8f317a612e1f20a5810210554ef24fb099a0b2263bef429c58cfd1f3723eac
File name: FileExtractorSetupG.exe
AV Detection ratio: 3 / 50
Analysis date: 2014-03-07 15:41:44 UTC ( 0 minutes ago )

AV Agent Virus Signature AV Date
DrWeb Adware.Downware.1838 20140307
Norman FakeNSIS.A 20140307
VIPRE InstallCore (fs) 20140307
If you have any questions please let me know.

---

I must say I have been very impressed with their product, especially the security concierge service. They analyze traffic to see trends, if devices on your network might be attempting to access systems in other countries, etc. They do all of the analysis and log review that you wish you did. Definitely check them out if you get the chance.

Now I just need to try and convince management to keep their service for the next year (which will be a paid endeavor).

I was asked a couple of times about sending the slide deck to people and wanted to post it here. Here's a list of what I have prepared for those who asked:

• PowerPoint slides

• Link to video of the presentation

• Transcription of best comments from audience in the presentation

• Answers to questions people sent out via Twitter during the presentation

You can find it all here:

http://blog.thenetworknerd.com/2017/10/21/spiceworld-2017-session-the-it-managers-guide-to-shadow-it...

Thanks so much to everyone who came and made this such a great discussion. I think my favorite question was the one @JaredBusch asked about keeping yourself from Shadow IT. And I want to give a special shout out to Paul Mai for recording the session for me.

Also, thanks to the Mango community for vetting the original blog post I wrote months ago that gave me the idea for a presentation. @MattSpeller

I know in the not so distant past there was a large following who dropped LogMeIn because of pricing and the communication thereof. This thread is not really about that particular instance, nor is it meant to bash LogMeIn. I just want to share a conversation I had with someone there yesterday afternoon.

We still use LogMeIn and really like it. We have about 180 servers / pcs with LMI installed that we manage (and even some on which it is not installed yet).

I called to ask a question about our renewal price and why it was more than triple what we paid to renew in 2013. They told me about the changes made to LogMeIn Central and how they have now split it into 3 different products - Basic, Pro, and Premium. There's one LMI client, and based on your version of Central, the client software features get unlocked automatically (no separate installer). They told me how they did away with the mix of LMI Pro and LMI Free clients and let Central dictate what features are unlocked for all clients. They put more development into the product for newer features, etc. They analyze your usage and try to help you make a decision on which version of Central to pick, which I found pretty helpful. They had me on the right tier for 101 - 250 computers and didn't really try to upsell me on going from Basic to Pro.

So here's the kicker...I was given a renewal price to stay with Basic or to go up to Pro, and honestly, both were pretty reasonable. The Basic renewal price I got over the phone was more than even my "discounted" renewal price online (so shocker there). I don't really think it is that expensive to renew based on our usage. But to be thorough, I asked the question, "what happens if at some point during the subscription year I exceed the 250 clients and need to move up to the next tier (which is 251 - 500 clients)?"

The person on the other end told me that whether I was on the Basic or on the Pro version of Central, moving up to the next tier requires me to pay FULL LIST PRICE for the next tier. Now, you do have to manually request to move to the next tier, which is good. But it does not matter if I decide to change to the next tier 1 month after my renewal, 7 months into it, or even 4 weeks before the next renewal. I get hit with the FULL LIST PRICE of the next tier. And then, they will credit back to me the portion of my former subscription (the one on the 101 - 250 computer tier) that I was unable to use because I had to change tiers. That does not renew you for another year once you hit the next tier. You just get hit with the full price of the next tier.

What I took from that is there is no incentive to upgrade past the tier where I am currently. I even asked if they prorated the next tier's list price if you change tiers in the middle of a subscription. They said no. That seems really backward to me. Basically, they will get your money one way or another, whether through price hikes on your current subscription (as people have seen) or by getting you when you have to go to a new tier. Has anyone else heard a similar story?

I'm not bitter toward LogMeIn or anything, but this makes no logical sense. I will likely renew with them this year and then look to move away in the coming subscription year if we get closer to our tier ceiling of computers.

The work day is almost over when you’re interrupted with an emergency. A certain time sensitive financial function of one of your information systems isn’t working. As luck would have it, the error is something you’ve never seen. And the business is counting on you to fix it quickly, or this could be a very expensive problem. I found myself in that exact scenario a couple of days ago. But in this case, it was the end user who really saved the day. Keep reading.

The rest of the story can be found here -
http://blog.thenetworknerd.com/2017/10/07/when-the-end-user-saves-the-day/

I think we need a video talking about what HA actually is, what people seem to think it is different levels of HA (hypervisor, application, etc.), and what vSphere HA is / how it works.

We're still a green light for this event. Join us if you can for stories of job change during the pandemic, and bring your questions.

Any possibility of doing it 100% virtual?

Date: 2/22/2021
Start Time: 6:30 PM Central
Format: Zoom

This will be our first virtual meeting of the year (open to all who would like to attend). Maybe you, like many others, want to start to the year by setting a goal to get a new job or change your career in some way. Come join us and get the scoop from people who have been there!

In this meeting, we will focus on the career progression of two technologists who changed jobs during the global pandemic. We'll get the scoop on the why, the interview and onboarding process and how it changed as a result of the pandemic, what it was like on the other side of the job change, how each adapted to new managers in teams, and how they have grown as professionals in the process.

Each of our guests will be sharing their experience and have time to answer your questions.
-Paul Mai (a member of our SpiceCorps) - Systems Administrator at Allied Electronics
-Jeff Eberhard - Oracle Cloud VMware Solutions Leader at Oracle

I'll open the bridge early for anyone who wants to hop on a few minutes before we start. Remember to register here to get the Zoom meeting details. You can also RSVP in the community.

@EddieJennings said in Free / Cheap Unattended Remote Access Utility for Windows PCs:

@NetworkNerd

My MeshCentral VM is in Vultr.

Oh nice - it looks like they have 3 different options at $5 / month or less.

Thanks for the recommendations. It looks like the best practice here is to run your own server for either Guacamole or MeshCentral. I imagine no one here would risk running on the public MeshCentral server (don't think I would).

Maybe this is my chance to tinker with ESXi on Arm with some Raspberry Pi 4s. Either that, or I can provision something in AWS / GCP / Azure for pretty cheap.

It's been a while since I have needed something like this, but what's the current recommendation for some free tools for unattended access to non-domain Windows PCs? I can spend a little if needed but would prefer free if there are some options to support friends, family, etc. I was thinking TeamViewer but seem to remember the unattended access option was a paid feature.

After way too much time spent on this, we found the problem is twofold. Hopefully this will help someone else in a similar situation.

• In the Lumens, to get it to recognize a new stream key for Facebook, we had to put in some random text characters in the stream key field, save the changes, paste the new stream key, and save the changes. That would generate the preview and allow streaming to Facebook no problem.

• We found there was a greater issue present. The internet speed at the building where the encoder sits was supposed to be 100 / 7, but they were not getting anything close to that. Once we got Facebook working in addition to YouTube, we found streaming both caused them to be extremely choppy.

• After having an ISP technician out to the building last week, they said the wiring in the box outside the building was awful, we were at the end of the line, and that he was surprised we ever got internet signal to the building. They are working on clearing up the pipe now so the signal is strong and clean, and we're upgrading to 200 / 10 pretty soon. We also changed the video resolution we're sending to YouTube and Facebook so we're using a lot less bandwidth to ensure we don't use the entire upload pipe.

@dbeato We don't have web filtering capabilities at this location. It's just a Linksys gateway router (not sure there are filtering capabilities on it). Access to this device is limited to 1 person, and no configs changed.

I've been trying to help launch a live stream for a church lately. They have a Lumens LC200 appliance and one camera (also a Lumens, cannot remember the model number). They are using this with a Presonus sound board / mixer.

They got the LC200 configured to pull in the camera feed, set all camera presets, etc. with no issues. For streaming specifically, the setup it's that hard. You enter the RTMP / RTMPS server address and stream key from Facebook / YouTube, and you're on your way. At least you would think so, right?

We tested Facebook Live the other day twice successfully (once at noon and once at 5 PM). The first was a private post, and the other was public. The church has a page on Facebook, so as long as you are an admin of the Facebook page you can Go Live on the church page.

The third time we tried to stream to Facebook Live (later on the same day as the two successful tests), the video stream never made it to Facebook to preview (so no way to go live). The lumens showed a stream error inside the Director software that someone uses to activate the stream. We double and triple checked stream keys, tried different ones, rebooted the Lumens, blew away configs and added them back. I thought maybe the church was having an internet issue, but there were no problems getting to the internet from any PC there (could always get to Facebook to attempt to go live but never get a video preview).

Yesterday we went back when no one was there to test again. I thought maybe there was an outside chance it would work. But nope...the same stream error happened. We updated firmware on the LC200 and the camera and tried Facebook again. No dice.

But then we tried streaming to YouTube (basically same config parameters). That worked like a champ every time we tried (video preview comes in as expected in seconds once you start the stream from the Lumens).

I have a ticket open with Lumens on this, but I don't see how this could have worked twice successfully and all the sudden stopped working. This video shows the simplicity of the setup on the Lumens side.

I should also add that anyone can Go Live from a mobile device with no issues like they did before the camera and Lumens device came in to play.

Has anyone seen this? I'd love to hear ideas from folks here on what we might be missing. I would rather have had this never work streaming to Facebook Live than to work twice and then fail after that, especially since YouTube works. I checked permissions on the church page, and the account used to login to Facebook is still an admin of the page. We even tried a different user login who is the admin of the page with no success.

I see an empty conference center where VMworld once sat.

If you’ve never attended VMworld in person, it’s a completely overwhelming experience for the first time attendee. Now that it’s virtual and free to attend, it’s more accessible to us all. But it can still be overwhelming. I wanted to take a few minutes to educate the community on some hidden gems that will allow you to make the most of your experience.

Get the full story here.