Wednesday, 3 December 2014

Cisco IOS CA and DMVPN Certificate Terminal Enrollment

I struggled to solve a DMVPN certificate issue where the certificate was no longer valid after we relocated the office and re-IPed the DMVPN WAN interface. The following are the errors I faced:

  • CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH
  • %PKI-3-POLLROUTERCERT: Polling Router certificate for DMVPN ..... (Unable to reach the remote IOS CA) 
  • Running show crypto isakmp sa lists nothing (this is a separate issue: the router certificate is missing, which requires running crypto key generate rsa to regenerate it)
In this scenario we need to do an offline enrollment for the spoke DMVPN router using terminal mode:
  • At the DMVPN spoke router, in config mode:
    • crypto pki trustpoint DMVPN (trustpoint name)
    • Change the enrollment mode to terminal: enrollment terminal
  • At the IOS CA router, in config mode:
    • crypto pki export DMVPN pem terminal
    • Copy the hex key without the header
  • At the DMVPN spoke router, in config mode:
    • Run crypto pki authenticate DMVPN (trustpoint name), paste the hex from the CA router, then press Enter and type quit
    • Enter crypto pki enroll DMVPN, then copy the PKCS#10 request hex without the header
  • At the IOS CA router, in global (exec) mode:
    • Enter crypto pki server DMVPN request pkcs10 terminal, paste the spoke router hex, then press Enter and type quit
    • *Copy the generated certificate hex
  • At the DMVPN spoke router, in config mode:
    • Run crypto pki import DMVPN certificate and paste the hex from the IOS CA router
    • To verify connectivity, in global mode run show crypto isakmp sa and check the certificate info:
      • show crypto pki certificates verbose (shows the signed certificate)
      • show crypto pki trustpoint DMVPN status (shows the trustpoint certificate information; make sure the certificate is not pending)
*Wait a minute... it shows the certificate is pending authorization. You may change it to grant automatically with the following commands:
  • At the IOS CA router, in config mode:
    • crypto pki server server_name
    • grant auto (if you encounter any error you might need to issue the shutdown command first, then grant auto and no shutdown)
Please note that you have to ensure the security license is enabled, else you might have issues with the VPN connection.
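The whole terminal enrollment exchange above, spoke and CA side by side, as an added example rather than the post's own CLI output. The trustpoint and CA server name DMVPN come from the post; the key label, FQDN and subject name are assumed placeholders.

```cisco
! ---- Spoke router (config mode): point the trustpoint at terminal (cut-and-paste) enrollment.
! Assumed names: trustpoint DMVPN, key label DMVPN-KEY, spoke FQDN spoke1.example.com.
configure terminal
! Only needed when "show crypto key mypubkey rsa" is empty (the missing-key case above).
crypto key generate rsa label DMVPN-KEY modulus 2048
crypto pki trustpoint DMVPN
 enrollment terminal
 rsakeypair DMVPN-KEY
 fqdn spoke1.example.com
 subject-name CN=spoke1.example.com,OU=DMVPN
 ! Keep the WAN address out of the certificate so a later re-IP does not invalidate it.
 ip-address none
 revocation-check none
exit
!
! ---- IOS CA router (config mode): print the CA certificate in PEM so the spoke can trust it.
configure terminal
crypto pki export DMVPN pem terminal
! Copy the "-----BEGIN CERTIFICATE-----" block printed for the CA certificate.
end
!
! ---- Spoke router (config mode): install the CA certificate, then build the PKCS#10 request.
configure terminal
crypto pki authenticate DMVPN
! Paste the CA certificate, press Enter, type quit, then accept the fingerprint only if it
! matches the one shown on the CA router.
crypto pki enroll DMVPN
! Answer the prompts; copy the base64 request text that is printed.
end
!
! ---- IOS CA router (exec mode): sign the request.
crypto pki server DMVPN request pkcs10 terminal
! Paste the request, press Enter, type quit; copy the "Granted certificate" text.
! If the CA prints a pending reqId instead, "grant auto" is not set (see the note above).
!
! ---- Spoke router (config mode): import the signed certificate and verify.
configure terminal
crypto pki import DMVPN certificate
! Paste the granted certificate, press Enter, type quit.
end
show crypto pki certificates verbose
show crypto pki trustpoints DMVPN status
show crypto isakmp sa
```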

Thursday, 1 May 2014

Injustice Gods Among Us - Android Cheat

There are 2 simple game cheats that work without rooting your Android device, though they can be tedious:

Energy: Adjust the date or time to the next day to refill depleted energy. The following are the detailed steps:

  1. Go to Settings, then System, Date & Time on your Android device
  2. Uncheck Automatic date & time (if checked)
  3. Touch Set date and change the date to the next day
  4. Run Injustice, then go to the collection or battle mode to ensure all characters' energy is refilled
  5. Exit and repeat steps 1 to 3 to change the date back

Simple Challenge mode: You can repeat the Challenge in standard mode by changing the date as well, with additional steps (not suitable for impatient gamers... too tedious):

  • After completing the challenge, open Settings without closing the Injustice game (press the multi-screen button), then make sure you are offline (Airplane mode) and go to System Date & Time
  • Uncheck Automatic date & time (if checked)
  • Touch Set date and change the date to the challenge expiry date (usually 14 days later)
  • Run or select the Injustice application from the multi-screen button
  • Click on the Challenge and you get the Challenge expired message
  • Go to Shop and buy any Booster package
  • Repeat steps 1 to 3 and change the date back to the present
  • Click on Shop and you should see a new standard Challenge available
  • Click on Challenge and you should receive 25 credits
The following steps might help you get an additional 25 credits (sometimes works):
  • After obtaining the 25 credits above, exit (close) the game
  • Turn on wireless or 3G/LTE and open Injustice
  • Click on Challenge and you might get an additional 25 credits

Wednesday, 16 April 2014

Juniper Pulse - Host Checker not running/working properly

Recently I encountered an issue where Pulse client version 3 or 4 always failed at the Host Checker stage before connecting to the SSL VPN (Pulse 5 works fine). The following are the 2 symptoms of the error:

  • If you configured the Pulse client to connect to the VPN gateway using an IP address, you will get the Non-Compliance error for the antivirus
  • If you configured the Pulse client to connect to the VPN gateway using a URL, you will get the Non-Compliance error for the antivirus and firewall
After comparing all the parameters, I found that the issue was caused by the SSL certificate not being assigned to the interface. To rectify the issue, go to Configuration > Certificates > Device Certificates, choose the certificate and assign the interface (Internal or External, depending on the network design).

Tuesday, 18 February 2014

Beijing Forbidden City Trip - Tips and tricks


Traveling to the Beijing Forbidden City, what tips and tricks do we need? It is near the city area, so what can go wrong on the journey?

The Forbidden City/Palace Museum

Here you go:

The travel distance from the city area (SanHuan/SiHuan) is about 15 - 25 mins and costs about RMB 30.00 to RMB 50.00. Beware that the taxi driver might drop you at the exit of the Forbidden City, from which you are not allowed to enter. How to identify the exit? If you can see the hill opposite the Forbidden City, then I am sorry: you have to either take public transport (RMB 1.00 from the Forbidden City), walk 40 mins, or take a RMB 100.00 taxi (or even a tri-motorcycle) to the front entrance.

By subway, you may take line 1 to TianAnMen East or West station and walk around 300 m (walk east if exiting from West station) to 400 m (walk west if exiting from East station) to the Palace Museum.

Subway Map for TianAnMen East/West marking

The JingShan (Prospect Hill) Park - Opposite the Forbidden City Exit

The Forbidden City main entrance

The exit of the Forbidden City

The admission ticket costs about RMB 40.00 (low season, Nov - end of Mar) to RMB 60.00. While you walk towards the main entrance, there will be a lot of salespeople trying to promote their packages, which include express access, privileged transport and a low admission price... I heard that they will either bring you to a secluded alley or part of the place and ask for more. Also, for their Great Wall package, I heard that they bring tourists to the least crowded entrance instead of BaDaLing, so beware before you take the deal.

You may rent the mobile audio guide, which costs about RMB 10.00 for Mandarin and RMB 40.00 for English (both require a RMB 100.00 deposit, which you may collect at the exit). The audio guide only provides history and building information and excludes the exhibition hall details.

Monday, 17 February 2014

Beijing Great Wall Trip - Tips and tricks

When traveling in Beijing, beware of "unlicensed" or "unofficial" transportation or tour guides, else you will spend double, triple or more than the normal price.

China Great Wall - BaDaLing Entrance

For the China Great Wall BaDaLing entrance (one of the most famous), you may go by taxi, which costs about RMB 800.00, or by public transport (air-conditioned), which costs about RMB 24.00 for a round trip. I strongly recommend going there on weekdays instead of weekends, which double the travel time (3 - 4 hours) and are overcrowded (unless you depart at 6AM).

By public transport, you may go to the DeShengMen bus terminal to take bus 919, which costs about RMB 12.00 one way and is located at the back of the gate; otherwise you may end up taking the "fake" 919 bus or buying an expensive ticket from the "unlicensed" bus conductor at the front. You may take the subway to JiShuiTan station and walk 1 km east from exit A, or take a taxi, which will cost about RMB 30.00 - RMB 50.00 from the town area (SanHuan, SiHuan).

Front gate of DeShengMen

Back of the DeShengMen

* While you are waiting for bus 919, you must stand firm: the "unethical" bus conductor will persuade you to take bus 877, which is an express bus with a shorter travel time and costs only RMB 80.00 (they will tell you the 919 costs RMB 60.00). Bus 877 is infrequent compared to the 919, so you might need to wait 20 - 30 mins.

For bus 919 there are 2 types (some say 3 or 4): one is express whereas the other is not. Make sure you see BaDaLing in the bus route. If you take the non-express, there are a few Great Wall entrances, so make sure you alight at BaDaLing or ask the bus conductor to inform you when you reach it (or follow the crowd - by luck).

The route to TIYUCHANG XIAOQU is the non-express one

When you reach BaDaLing you need to take the free shuttle bus to the entrance, which is a 5 - 10 min ride, and then walk about 3 - 5 mins to the ticketing counter. The entry pass costs about RMB 80.00, which includes the Great Wall admission and a bamboo certificate.

*You may get your certificate before you start the Great Wall trekking, else you might need to wait with others after your journey.

For the Great Wall hiking, some paths are as steep as 45 degrees or more, so it is advisable to bring along a support stick for the elderly or whoever is not used to hiking. What if you want to go to the rest room half way along the track? There are rest rooms in a few Arrow Towers (the fourth arrow tower on the right track), no worries!

Tuesday, 11 February 2014

Cisco 4500X and Cisco Nexus 5548UP with Cisco 2200 Fabric Extender - The design and setup

This is the documentation of the core and distribution switch setup, which I might need to refer back to for the next setup.

This design includes 2 x Cisco 4500X (core switches) and 1 x Cisco Nexus 5548UP with 1 x Cisco Nexus 2200 Fabric Extender (distribution). The design only covers the HA (High Availability) setup for the core switches... why not Cisco Nexus? The Cisco Nexus is too expensive!!

Cisco 4500X Firmware Upgrade:
Firstly, I upgraded the firmware for the Cisco 4500X to 3.5.1E (minimum 3.4 is required for VSS - Virtual Switching System); previously I had an issue with 3.5.0 that would freeze one of the core switches randomly every few weeks.

*Do note that if you upgrade the switch remotely after you set up the VSS, you might find that only 1 switch reboots after you issue the reload command. One trick to solve the problem is to issue "reload in 1" to reboot the core switch in 1 minute, then issue "redundancy reload peer" to reboot the other unit first; this prevents the reload command from rebooting only one switch during the IOS upgrade and losing connectivity.

The thumb drive I have that can be read by Cisco switches is a SanDisk Cruzer. I tried a Sony Microvault and a Kingston DataTraveler without joy.

VSS Setup:
Next, configure the switch virtual domain ID and switch ID, then configure the MEC (Multichassis EtherChannel). For this design I am using the physical ports T1/29-32 in order to have 40GB VSS throughput. Also note that the Cisco 4500X default port mode is Layer 3, so we need to issue switchport to make it L2 before it will accept the switchport commands.

Here is switch 2 (the switch ID and the port channel are different):

To verify the VSS after the switches reload (of course you need to connect ports 29-32 of both switches to each other), just issue the show switch virtual command:
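The VSS conversion for both chassis as one added example, not the post's own screenshots; the domain ID, priorities and the VSL port-channel numbers (1 and 2) are assumed, the T1/29-32 ports come from the post.

```cisco
! ---- Switch 1 (standalone, before conversion; ports are still numbered T1/29-32)
! Assumed values: virtual domain 100, VSL port-channel 1 on switch 1 and 2 on switch 2.
configure terminal
switch virtual domain 100
 switch 1
 switch 1 priority 110
exit
interface Port-channel1
 switchport                          ! 4500X ports default to L3: switchport must come first
 switch virtual link 1
 no shutdown
exit
interface range TenGigabitEthernet1/29-32
 switchport
 switchport mode trunk
 channel-group 1 mode on             ! VSL members must be mode on (no LACP/PAgP)
 no shutdown
end
switch convert mode virtual          ! saves the config and reloads; answer yes
!
! ---- Switch 2: identical apart from the switch ID and the VSL port-channel number
configure terminal
switch virtual domain 100
 switch 2
 switch 2 priority 100
exit
interface Port-channel2
 switchport
 switch virtual link 2
 no shutdown
exit
interface range TenGigabitEthernet1/29-32
 switchport
 switchport mode trunk
 channel-group 2 mode on
 no shutdown
end
switch convert mode virtual
!
! ---- After both chassis reload with the VSL cabled, check from the active switch
show switch virtual
show switch virtual link
show switch virtual role
```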

Cisco Nexus 5548UP and Cisco Nexus 2200 FEX (Fabric Extender) Setup:
In this design, the Cisco Nexus 2200 FEX connects to the Cisco Nexus 5548UP expansion module (N55-M8P8FP) ports 2/5-8. First, we need to enable the FEX feature on the Cisco Nexus 5548, then configure the FEX ID. Configure ports 2/5-8 to associate with the FEX ID created above and also set the switchport mode to fex-fabric.

To verify the FEX connection, run the show inventory command to list all items; you will see the FEX module listed there:

Now you can issue the show interface brief command to show all interfaces, and you should see Ether100/1/1 listed below:
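The FEX attachment described above as an added NX-OS example (not the post's own output); ports 2/5-8 come from the post, while the FEX ID 100 (which yields the Ether100/1/1 naming) and the fabric port-channel number are assumptions.

```cisco
! Nexus 5548UP: attach the 2200 FEX on the N55-M8P8FP module ports 2/5-8.
! Assumed: FEX ID 100 and fabric port-channel 100 (the FEX ID becomes the "100" in Ether100/1/1).
configure terminal
feature fex
fex 100
  pinning max-links 1               ! all fabric links bundled in one port-channel
  description FEX-100
exit
interface port-channel100
  switchport mode fex-fabric
  fex associate 100
exit
interface ethernet 2/5-8
  switchport mode fex-fabric        ! fabric-facing role, not a normal access/trunk port
  fex associate 100
  channel-group 100
  no shutdown
end
! The FEX takes a few minutes to download its image and come online.
show fex 100 detail
show inventory
show interface brief | include Eth100
```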

Upgrade the Cisco Nexus Firmware:
The Cisco Nexus firmware upgrade is quite different from the IOS switch. After copying the firmware, we need to issue install all kickstart bootflash:kickstart-firmware-ver system bootflash:system-firmware-ver to install the firmware:

*Before upgrading the firmware, you need to verify the MD5 hash of the firmware to ensure it is intact and matches the published version. Run show file bootflash:firmware-ver md5sum to show the MD5 checksum, instead of using the IOS verify command.

Connect Cisco Nexus 5548 to Cisco 4500X:
For the Cisco Nexus 5548 and Cisco 4500X core switch connection, we used 4 physical connections with LACP aggregation. On the Cisco 4500X core switch, configure port channel 10 and configure T1/1/1-2 for LACP:

Here you go for the Nexus 5548, which uses port channel 20:
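Both ends of the LACP bundle as one added example, not the post's own configuration; port-channel 10 and T1/1/1-2 on the 4500X and port-channel 20 on the Nexus come from the post, while the second chassis ports (T2/1/1-2, to make up the 4 links) and the Nexus uplink ports Ethernet1/1-4 are assumptions.

```cisco
! ---- Cisco 4500X VSS side: port-channel 10 with two members from each chassis
! Assumed: T2/1/1-2 on the second chassis completes the 4 physical links.
configure terminal
interface Port-channel10
 switchport                          ! L2 first, as on every 4500X port
 switchport mode trunk
exit
interface range TenGigabitEthernet1/1/1-2 , TenGigabitEthernet2/1/1-2
 switchport
 switchport mode trunk
 channel-group 10 mode active        ! LACP active on both ends
 no shutdown
end
!
! ---- Cisco Nexus 5548UP side: port-channel 20
! Assumed: uplinks on Ethernet1/1-4.
configure terminal
feature lacp
interface port-channel20
  switchport mode trunk
exit
interface ethernet 1/1-4
  switchport mode trunk
  channel-group 20 mode active
  no shutdown
end
!
! ---- Verification: every member should show as bundled (P) on both platforms
show port-channel summary            ! NX-OS
show etherchannel 10 summary         ! IOS-XE on the 4500X
```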