Cisco WLC AP 1240 series – cert issue

Thanks to cjcott01 and his article “Cisco WLC AP cert issue: %DTLS-3-HANDSHAKE_FAILURE”, we could quickly solve an issue where Cisco EoL AP 1240 series access points disassociated from the wireless controller because of an expired certificate on the AP.

Logs which can be seen on the WLC:

*spamApTask2: Aug 08 09:40:27.824: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer xx.xx.xx.xx
*spamApTask4: Aug 08 09:40:21.927: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer xx.xx.xx.xx
*spamApTask4: Aug 08 09:40:05.573: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer xx.xx.xx.xx

Solution on the WLC CLI (tells the controller to ignore the expiry date of the APs’ manufacturer-installed certificates, MIC):
config ap cert-expiry-ignore mic enable

Important: this command is only available after an upgrade; we upgraded to the release that is recommended at the moment. A few more details can be found in cj’s article.
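An added example, not from the original post or from cj’s article: a small Python parser for WLC msglog lines in the format shown above that counts DTLS handshake failures per AP peer address and flags peers that keep failing, which is what an expired MIC looks like from the controller side. The function names are mine, the sample lines are constructed, and the addresses are placeholders.

```python
import re
from collections import Counter

# WLC msglog format: *<task>: <Mon DD HH:MM:SS.mmm>: #<FACILITY-SEVERITY-MNEMONIC>: <text>
LOG_RE = re.compile(
    r"^\*(?P<task>\S+?): (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"#(?P<msg>[A-Z]+-\d-[A-Z_]+): (?P<text>.*)$"
)
PEER_RE = re.compile(r"Failed to complete DTLS handshake with peer (?P<peer>\S+)")

# Constructed sample log; 10.0.0.21 / 10.0.0.22 are placeholder AP addresses.
SAMPLE_LOG = """\
*spamApTask2: Aug 08 09:40:27.824: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer 10.0.0.21
*spamApTask4: Aug 08 09:40:21.927: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer 10.0.0.21
*spamApTask1: Aug 08 09:40:10.100: #TEST-6-CONSTRUCTED: unrelated message, must be ignored
*spamApTask4: Aug 08 09:40:05.573: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:823 Failed to complete DTLS handshake with peer 10.0.0.22
this line is not in msglog format at all
"""


def parse_line(line):
    """Split one msglog line into task, timestamp, mnemonic and text; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def dtls_failures_by_peer(log_text):
    """Map each peer address to its number of DTLS-3-HANDSHAKE_FAILURE messages."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msg"] != "DTLS-3-HANDSHAKE_FAILURE":
            continue
        peer = PEER_RE.search(rec["text"])
        if peer:
            counts[peer.group("peer")] += 1
    return dict(counts)


def repeat_offenders(log_text, threshold=2):
    """Peers that failed at least `threshold` times: the APs to check for an expired MIC."""
    return sorted(p for p, n in dtls_failures_by_peer(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for peer, n in sorted(dtls_failures_by_peer(SAMPLE_LOG).items()):
        print(f"{peer}: {n} handshake failure(s)")
    print("check certificate on:", ", ".join(repeat_offenders(SAMPLE_LOG)))
```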

Windows 10 (1709) – Activate SMBv1

Microsoft has deactivated SMBv1 with the Fall Creators Update (Version 1709).
To activate SMBv1 again, open Windows PowerShell (as Administrator) and type:

Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

After executing this command in PowerShell you will be asked to reboot the computer.
SMBv1 is now enabled again.

Configure IMM/iDRAC/iLO from CLI

The following article describes different ways to configure a server management interface from the command line. The following interfaces/manufacturers are covered:

– IBM Lenovo – Integrated Management Module (IMM)
– DELL – integrated Dell Remote Access Controller (iDRAC)
– HP – integrated Lights Out (iLO)

IBM Lenovo – Integrated Management Module (IMM)


You need the tool “asu64” in order to configure the IMM.

In case you get the following error, you have the wrong version of the tool:
asu64 Read of data store failed with completion code 10

cd /opt/ibm/toolscenter/asu

# show the current IMM network settings
./asu64 show | grep 'IMM.HostIPAddress1\|IMM.GatewayIPAddress1\|IMM.HostIPSubnet1'

# switch to a static address (the values in angle brackets are placeholders)
./asu64 set IMM.DHCP1 Disabled
./asu64 set IMM.HostIPAddress1 <ip-address>
./asu64 set IMM.HostIPSubnet1 <subnet-mask>
./asu64 set IMM.GatewayIPAddress1 <gateway>
./asu64 rebootimm

# switch back to DHCP
./asu64 set imm.dhcp1 enabled

# IMM ASU MGM IBM: disable the SSL server
./asu64 set IMM.SSL_Server_Enable Disabled


# Windows: list all IMM settings
asu64 show imm

asu64.exe set IMM.Password.1 PASSW0RD

# the values in angle brackets are placeholders
asu64.exe set imm.hostipaddress1 <ip-address>
asu64.exe set imm.hostipsubnet1 <subnet-mask>
asu64.exe set imm.gatewayipaddress1 <gateway>
asu64.exe set imm.dhcp1 disabled
asu64.exe rebootimm

DELL – integrated Dell Remote Access Controller (iDRAC)


Download and extract “Dell DRAC Tools” + RACADM:
Install “Remote Access Core Component”

# show config
racadm getniccfg

# show MAC
racadm ifconfig

# change network settings
racadm setniccfg -s $IP $MASK $GW
set config


# Windows with “OpenManage Server Administrator Managed Node” installed (the values in angle brackets are placeholders)
C:\Users\Administrator> racadm setniccfg -s <ip> <mask> <gw>

HP – integrated Lights Out (iLO)


hponcfg -w ilo.xml    # write the current iLO configuration to ilo.xml
vi ilo.xml            # edit the file
hponcfg -f ilo.xml    # apply the edited file

Add user (the RIBCL root element, the ADD_USER element and the closing tags are needed for hponcfg to accept the file; “user”/“UsingAutologin” and the values in square brackets are placeholders):
<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="user" PASSWORD="UsingAutologin">
    <USER_INFO MODE="write">
      <ADD_USER USER_NAME="[Full Name]" USER_LOGIN="[login]" PASSWORD="[password]">
        <ADMIN_PRIV value="Yes"/>
        <REMOTE_CONS_PRIV value="Yes"/>
        <RESET_SERVER_PRIV value="Yes"/>
        <VIRTUAL_MEDIA_PRIV value="Yes"/>
        <CONFIG_ILO_PRIV value="Yes"/>
      </ADD_USER>
    </USER_INFO>
  </LOGIN>
</RIBCL>

Change default password:
<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="user" PASSWORD="UsingAutologin">
    <USER_INFO MODE="write">
      <MOD_USER USER_LOGIN="Administrator">
        <PASSWORD value="Password"/>
      </MOD_USER>
    </USER_INFO>
  </LOGIN>
</RIBCL>

Clear log:
<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="user" PASSWORD="UsingAutologin">
    <RIB_INFO MODE="write">
      <!-- clears the iLO event log; CLEAR_IML clears the server's Integrated Management Log instead -->
      <CLEAR_EVENTLOG/>
    </RIB_INFO>
  </LOGIN>
</RIBCL>

Change network:
<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="user" PASSWORD="password">
    <RIB_INFO MODE="write">
      <MOD_NETWORK_SETTINGS>
        <IP_ADDRESS value="x.x.x.x"/>
        <SUBNET_MASK value="x.x.x.x"/>
        <PRIM_DNS_SERVER value="x.x.x.x"/>
      </MOD_NETWORK_SETTINGS>
    </RIB_INFO>
  </LOGIN>
</RIBCL>


# Windows Server: download hponcfg and run the .exe

Cisco Prime Infrastructure – low diskspace problem

Thanks to MystaJoneS’s article

I did not need to open a TAC case for the low disk space problem on our Prime Infrastructure, as the disk cleanup feature is useless. Growing the disk outside the VM and later adding it as a new PV in the ADE-OS works fine.

If you have the same issue, just follow his guide.

Cisco SPAN

If you plan to use SPAN to mirror network ports, take care how you use it.

If you only use “monitor session # source interface xY” and “monitor session # destination interface xY”, you can get unwanted results. Without adding “ingress vlan #” to the “monitor session # destination interface xY” command, you can also get frames from other uplink ports.

To preserve VLAN tags you need to add “encapsulation dot1q” to the “destination interface” command. You also need to make sure that the monitoring device connected to the destination port understands dot1q tags; otherwise the monitoring device strips the tag. There are some registry hacks for monitoring devices with Windows and Intel network cards, but I can’t promise that those will work.

Also mind the duplicate packet issue with SPAN. Please see this link for details; Mike Schiffman explains it really well.

Summed up: SPAN works best for me with the following commands:

  1. “monitor session # source interface xY rx/tx/both”
  2. “monitor session # destination interface xY encapsulation dot1q ingress vlan #”
  3. # stands for any number

Newer devices like the Cisco 3850 with IOS XE already include Wireshark, but this is bound to the ipbase or ipservices license. Please see this link for details. Hopefully they’ll also add it to lanbase later on.


One general hint: for debugging, start from the first interface you know and work forward through each interface you can, until you find the problem.


Cisco ISE VM performance problems

It turned out that updating a Cisco ISE VM from 1.1 to 1.2.1 can have a huge performance impact. The original 1.1 version ran without problems; after the update of the VM to 1.2 the whole system got really slow. The web interface was nearly unusable. A reboot of the VM solved the problem only for a short time. Problem indicators are:

  • Non-matching performance statistics between VMware and Cisco ISE
  • Wrong alert messages from Cisco ISE concerning I/O write performance
  • High authentication latency
  • Authenticators reporting a dead RADIUS server

The problem was solved through a fresh installation of the Cisco ISE VM with the 1.2 image and then updating to 1.2.1. The restore of the configuration backups works really well and even includes voucher codes if the ISE guest portal is used.

Please note that a restore requires rejoining the ISE VM to the domain and rehosting the installed license from the defective to the restored machine. Also, after restoring the backup, the VM gets the original IP address from the backup. So it has to be ensured that the old machine is offline, or that the restored one has no network connectivity while the old one is running.


Kron Bug Cisco 3850 and IOS XE 03.03.03SE

The Kron feature of Cisco IOS and Cisco IOS XE has multiple known bugs. Recently it turned out that a Cisco 3850 running IOS XE 03.03.03SE with a Kron job configured for automatic backups lost parts of its running configuration.

After the Kron job was executed, parts of the Kron configuration itself and also parts of the interface configuration were missing. Mainly the execution time configuration of the Kron job got lost, but also special port configurations of uplink ports, which made the bug critical.

We now use EEM scripts as an alternative to the Kron feature. See for more information.

Access Point (Cisco AP 2602) can’t join Controller, “error opening flash”, “event 10 & state 5”

The access point can’t join the controller, and the debug output of the access point shows messages like:

“%CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.”

“%Error opening flash:/ap3g2-rcvk9w8-mx/info (No such file or directory)cisco AIR-CAP2602I-E-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.”

This is caused by a faulty AP image and can be resolved through a console session on the AP with the following commands:

  • debug capwap console cli
  • en
  • conf t
  • test mesh mode local

This forces the AP to fetch a fresh image from the wireless controller, and it will join the controller after getting the image.


XenServer / LUKS encryption

This guide describes one possible way to install a XenServer. It also covers setting up the software RAID and encryption using LUKS. Finally, it describes how to make the ISO files for installing the guest systems available in XenServer.

– Minimal operating system (e.g. CentOS)
– A second server with a web server (e.g. Apache)
– XenServer 5.5 Update 2 installation ISO
