Category Archives: General

Wishes of Cisco Champion

I’ve been thinking about this: a really cool thing would be Cisco providing extended trial licenses for those who live and breathe Cisco (the true DNA of a Cisco Champion). A Cisco VIRL license and/or a voucher for a Cisco Press ebook could also be part of the bundle.

Maybe we can see some of these next year 2018.

Fingers crossed.


ALG breaking a Transfer Zone

This came up when I tried to do a DNS zone transfer through a Cisco SOHO router (877): when the transfer was triggered, I received a RST packet from the router. Initially I thought it came from the server, but looking at the packet capture I observed that the TTL was 254, which meant it came from the router itself. Why? Answer: ALG.

Because the DNS ALG can only handle messages up to a certain size, and a zone transfer answer is far larger than a normal DNS reply, the only way to fix this is to DISABLE the ALG.

INTERNET#sh ver | i Vers
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)

# dig -y @ -t axfr
;; communications error to connection reset

Looking at the NAT debug:

Jan 11 23:15:10.146: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.150: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150:  NAT-L4F: Policy check successful
Jan 11 23:15:10.150:  NAT-L4F: received fd1: 1073742971 and tcp flags = 0x2, payload_len = 0
Jan 11 23:15:10.294:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.294: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.294:  NAT-L4F: received fd2: 1073742972 and tcp flags = 0x12,payload_len = 0
Jan 11 23:15:10.298:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298:  NAT-L4F: Received final ACK from fd1 : 1073742971 and tcp flags = 0x10
Jan 11 23:15:10.298:  NAT-L4F:Transistioning to proxy: rc 0 error 0
Jan 11 23:15:10.298:  NAT-L4F: Successfully proxied this flow
Jan 11 23:15:10.298:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298: NAT-ALG: lookup=0 l7_bytes_recd=125 appl_type=12
Jan 11 23:15:10.298: NAT-ALG: DNS l7_msg_size = 125
Jan 11 23:15:10.298: NAT-ALG: after state machine:
Jan 11 23:15:10.298: NAT-ALG: remaining_hdr_sz=0
Jan 11 23:15:10.298: NAT-ALG: remaining_payl_sz=0
Jan 11 23:15:10.298: NAT-ALG: tcp_alg_state=0
Jan 11 23:15:10.298: NAT-ALG: complete_msg_len=125
Jan 11 23:15:10.298:  l4f_send returns 125 bytes
Jan 11 23:15:10.298:  Complete buffer written to proxy
Jan 11 23:15:10.298:  NAT-L4F:NO DATA to read
Jan 11 23:15:10.446:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.446: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454:  NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.454: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454: NAT-ALG: lookup=1 l7_bytes_recd=1452 appl_type=12
Jan 11 23:15:10.454: NAT-ALG: DNS l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-ALG: Unsupported l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-L4F:CSM isn’t able to accept the pkt
Jan 11 23:15:10.458:  NAT-L4F:read RST, aborting
Jan 11 23:15:10.458:  NAT-L4F:setting ALG_NEEDED flag in subblock


How to disable the DNS ALG?

INTERNET-RTR(config)#no ip nat service alg tcp dns
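To show why the debug above already reports l7_msg_size = 31751 when only 1452 bytes had been received, here is an added Python example (not from the original post or from Cisco) that frames DNS-over-TCP messages the way RFC 1035 prescribes and applies a size check like the one the ALG performs. The message sizes come from the debug output; ASSUMED_ALG_LIMIT, the function names and the message contents are constructed placeholders.

```python
import struct

# Sizes taken from the debug output above; the real ALG limit is not on the
# page, so ASSUMED_ALG_LIMIT is a placeholder chosen only to separate the cases.
QUERY_LEN = 125            # "DNS l7_msg_size = 125"   (accepted)
AXFR_LEN = 31751           # "DNS l7_msg_size = 31751" (unsupported)
FIRST_SEGMENT = 1452       # "l7_bytes_recd=1452" when the ALG gave up
ASSUMED_ALG_LIMIT = 16384  # placeholder, not a documented IOS value

def build_tcp_dns(body_len, txid=0x1234, flags=0x0100):
    """Constructed DNS-over-TCP message: 2-byte big-endian length prefix
    (RFC 1035 4.2.2) + 12-byte DNS header + filler standing in for the
    question/answer sections. Only the framing matters for this example."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    body = header + b"\x00" * (body_len - len(header))
    return struct.pack("!H", len(body)) + body

def inspect_segment(segment):
    """What an inspecting ALG learns from the first TCP segment of a message:
    the length prefix announces the full L7 size before all bytes arrive."""
    if len(segment) < 2:
        return None
    (declared,) = struct.unpack("!H", segment[:2])
    return {"l7_msg_size": declared, "l7_bytes_recd": len(segment)}

def alg_verdict(segment, max_msg_size=ASSUMED_ALG_LIMIT):
    """'unsupported' is the case where the router aborted the flow with a RST."""
    info = inspect_segment(segment)
    if info is None:
        return "need more data"
    return "unsupported" if info["l7_msg_size"] > max_msg_size else "ok"

def tcp_dns_messages(stream):
    """Split a DNS-over-TCP stream into (declared, received) sizes per message;
    received < declared means that message is still incomplete."""
    out, off = [], 0
    while off + 2 <= len(stream):
        (declared,) = struct.unpack("!H", stream[off:off + 2])
        body = stream[off + 2:off + 2 + declared]
        out.append((declared, len(body)))
        off += 2 + declared
    return out

QUERY = build_tcp_dns(QUERY_LEN)            # the 125-byte query that passed
AXFR = build_tcp_dns(AXFR_LEN)              # the 31751-byte zone transfer answer
AXFR_FIRST_SEGMENT = AXFR[:FIRST_SEGMENT]   # only 1452 bytes have arrived

if __name__ == "__main__":
    for name, seg in (("query", QUERY), ("axfr", AXFR_FIRST_SEGMENT)):
        print(name, inspect_segment(seg), alg_verdict(seg))
```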


New Year Resolutions for 2017

This is the right time of the year to think about what we want to do and define our goals for the upcoming year; I consider this an important step to make you focus on your career and step away from the darkness (dead times). Comparing what I achieved this year, it’s embarrassing, but I’m looking for a great 2017. This year I have to renew some of my certs (2 years gone…) like Juniper and Checkpoint. This year I’m expecting to enhance my knowledge about Azure/AWS platforms, Web Application Firewall, cybersecurity, DNS RPZ, DDoS, SSL decryption and maybe others in the long run. Network design and automation are still my priority, but maybe my employer will challenge me next year, so I will add it later to my list :)

I will likely do some exams:

VMware Certified Professional 6 – Network Virtualization (VCP6-NV)

Cisco CCIE Service Provider Written+Lab(?)

Cisco CCDE Written+Lab(?)

Palo Alto Networks Certified Network Security Engineer (PCNSE)

F5 Certified BIG-IP Administrator

F5 Certified Technology Specialists ASM

Beta versions?


There are some books I’m still reading:

Art of Network Architecture, The: Business-Driven Design

MPLS Fundamentals – Cisco Press

CCDE Study Guide – Cisco Press

Let the journey begin!

Cisco DNA Learning Track

On this new track you can learn about the building blocks of the Cisco Digital Network Architecture (DNA), including an introduction to REST APIs, how to code in Python, and how to use programmability in the context of controllers and device-level interfaces. You get 10 modules and 32 learning labs, free, free, free!


Labs Available



DevNet Express for DNA


Renew your Expired Juniper Certification until March 2017

The JNCP is offering a recertification grace period to candidates whose certifications expired in 2016. Expired certifications may be renewed between January 1, 2017 and March 31, 2017 by taking the same or higher level exam or using the Continuing Education option. This means candidates with Specialist through Expert-level certifications that have expired do not have to start at the JNCIA-level.

To renew an expired certification, candidates must pass the appropriate exam or attend an appropriate course by March 31, 2017. See the Recent News section of the Certification Website for instructions on how to take advantage of this offer.


VMware vSphere 6 Masterclass

ITMasters is offering a new course (VMware vSphere 6), developed in partnership with ITPA. This short course is for administrators who are already comfortable setting up individual ESXi hosts and configuring and maintaining the VMs within.

Enroll here

Note: the course is free of charge! We love a bargain!

Starts in October 2016; the scheduled times are below.

  1. Wed, Oct 26, 2016 8:00 PM – 9:00 PM AEDT
  2. Wed, Nov 2, 2016 8:00 PM – 9:00 PM AEDT
  3. Wed, Nov 9, 2016 8:00 PM – 9:00 PM AEDT


Free University Short Courses