Wednesday, 22 May 2013

Ubuntu 12.04.2 LTS Interface bonding (802.3ad / LACP) with vlan tagging (802.1q)

Ubuntu 12.04.2 LTS Interface bonding (802.3ad) with vlan tagging (802.1q)

I just had a little wrestle to get this working on 12.04.2 so thought I would write it down quick!

Not sure why but the interface configuration changed between earlier versions of Ubuntu and 12.04.2 LTS.

I followed this guide to get bonding working. My switches support 802.1q / LACP make .  I must admit to already having vlan tagged interface and I cannot remember all of the steps, but my interface config works.

Before you start think about how you are connecting to this server. Are you changing an Interface that you are using to connect to the server? Do you have a backup plan to control it if your config does not work first time?

Install the bonding package. (I am using aptitude, if you use apt-get use that instead ;-)

sudo aptitude install ifenslave

Install the vlan package.

sudo aptitude install vlan

Add the modules bonding and 8021q so they are loaded by the kernel.

nano /etc/modules

# /etc/modules: kernel modules to load at boot time.
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.


Edit the interface config.

sudo nano -w /etc/network/interfaces

Example config.

# Create a bond0 interface that binds eth1 and eth3 together.
auto eth1
        iface eth1 inet manual
bond-master bond0

auto eth3
        iface eth3 inet manual
bond-master bond0

# Next configure bond0 interface, I had to set an IP, I would prefer to use null..

UPDATE: if you don't want to set an IP address then instead of "iface bond0 inet static" make it "iface bon0 inet manual". Thanks to Sean for the tip.
# NB the bond-mode, try bond-mode 0 if LACP fails.

auto bond0
        iface bond0 inet static
        bond-slaves none
        bond-miimon 100
bond-mode 802.3ad

If you need more bonding modes have a look at this it might help.

# Next create as many vlan tagged Interfaces as you need!

auto bond0.140
        iface bond0.140 inet static
        dns-search w00t.local
vlan-raw-device bond0

auto bond0.10
        iface bond0.10 inet static
vlan-raw-device bond0

auto bond0.180
        iface bond0.180 inet static
vlan-raw-device bond0

Save the changes and reboot your server. You can restart the networking service if you prefer.
Now when you issue the ifconfig command you will see bond0 and bond0.vlanx interface.

Additional useful commands.

Check your bonded interfaces are working as expected, this will also show the LACP actor and partner keys.

cat /proc/net/bonding/bond0

Hope this helps someone.

Friday, 19 April 2013

Checkpoint VE R71 Failed to Load Security Policy: No such file or directory

I use Checkpoint VE R71 clusters on ESXi to host bespoke cloud solutions for a number of customers. 

This week I had an irritating problem where after a reboot of the passive firewall it was unable to fetch a policy from the management server.
No amount of cpstop/cpstarts, manual fetches and reboots helped.

The error message was as follows.

fw fetch
Fetching Security Policy From:
Installing Security Policy vfw1 on all.all@ vfw1
 Failed to Load Security Policy: No such file or directory
 Failed to Load Security Policy: No such file or directory
 Fetching Security Policy Failed

The firewall was able to ping its ESX host, the virtual centre server and the firewall management station..

The solution in the end was to run sysconfg and take the “Configure vSphere connection settings” option. Then run through the establishing the connection to the Virtual Centre server again. 

Once this was done, fetching a policy worked.

I am assuming somehow the firewall was unable to authenticate itself to the virtual centre server by losing the cached copy of the certificate?

No one I have spoken to is sure why when operating in “network mode” not “hypervisor mode” the firewall needs to talk to the virtual centre server at all. If I had to guess I would say it need this for licensing..

Anyway, hope this helps someone.


Friday, 25 January 2013


 I spent a lot of time getting this working, SNMPTRAPS are hard work.

There are plenty of guides on installing and configuring SNMPTRAPS, however I seem to have run into several pit falls so thought I would put them here in case it helps someone. 

It’s more of a list of things to check..
I installed Ubuntu snmpd version: 5.4.3~dfsg-2.5ubuntu1

Commands that help to test things are working.

To display the path being searched for MIBS, this is created via the export option.
Sudo net-snmp-config --default-mibdirs

Test OID translation is working? If it is you will get sysUptime.0 as output.

Sudo snmptranslate .

Does the reverse translation work? 

Sudo snmptranslate –On SNMPv2-MIB::sysUpTime.0

Do you have any MIBS?

MIBS do not come with the install! There is another package that will fetch the MIBs for you. This is because of copyright issues apparently.

Search for anything with MIB in its name.

sudo find * / |grep MIB

Else install snmp-mibs-downloader (I installed version 1.1)

sudo aptitude install snmp-mibs-downloader
Then download the MIBS

I found I still had missing MIBs so had to Google for them and download them. Ensure if you do this that the file name does not have an extension .txt or whatever, else it will be ignored. Also check the first line of the MIB to confirm it is indeed a MIB..

sudo head nameofmib

It should have something like DEFINITIONS ::= BEGIN as its first line.

Now because I spent a lot of time and made many config changes install / reinstall to get it working I gave up trying to get multiple mibdirs working. I decided instead to move all mibs to the first search location /root/.snmp/mibs.

Config files and starting and stopping the service.

Snmptrapd is started and stopped by snmpd,
Service snmpd start / Service snmpd stop

There are two config files you will also need to visit, this is the contents of mine.

cat /etc/snmp/snmptrapd.conf

# Run trap.
# Disable authorisation, it’s on by default, though if you have time you should use this!
disableAuthorization yes
# the IP address you want the trap to run on ( will use port udp 162)
# Output to the following file.
logOption f /var/log/snmptrap.log
# You will not need the following line unless you are using JFFNMS (Just For Fun Network Monitoring System)
traphandle default /usr/share/jffnms/engine/

cat /etc/default/snmpd
# Make sure this works, some guides say to use export MIBS, some export MIBDIRS, if you have
 # more than one location, you can add a second location using a : as a separator.

# export MIBS=/root/.snmp/mibs <- did not work for me!
export MIBDIRS=/root/.snmp/mibs

# SNMP Bit.
# snmpd control (yes means start daemon).
SNMPDOPTS='-LS6d -Lf /dev/null -u snmp -I -smux -p /var/run/ -c /etc/snmp/snmpd.conf'

# snmpd control (yes means start daemon).
TRAPDOPTS='-Lsd -m ALL -p /var/run/ -c /etc/snmp/snmptrapd.conf'
# Note the –m ALL load all MIBS, if your location export works.
# See MAN page for a full list of options:   
# create symlink on Debian legacy location to official RFC path

When things don't work. 

I used nmap to confirm the trap ports were open (or not) you could of course send a trap from another device which is the point of this exercise.
nmap -sU -p 161,162
To confirm you are being sent a trap, you can use tcpdump to look for the incoming packets. 
tcpdump -i eth2 dst port 162
Or watch the log live

tail -f /var/log/snmptrap.log
You can search for the process, this is useful because you can also see the commands its running.
ps -aux |grep snmp
You can also stop the process using kill -9 (process id)

To run the trap from the cli and output to /var/log/snmptrap.log

snmptrapd -m +ALL -Lf /var/log/snmptrap.log --disableAuthorization=yes

I had a problem in that running the command from the cli meant that the OID was translated, but running it as a process meant the OID was not translated. This was fixed by changing the "export" option in /etc/default/snmpd but took me sometime to work out that was the problem. 

Happy trapping.