Ubuntu cannot connect to Cisco Router

Please follow these steps if you cannot connect to a router. For example:

ssh [email protected]

Output

Unable to negotiate with blog.wapnet.nl port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Use the -o parameter to add the key exchange method the router offers:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 [email protected]

Output:

Unable to negotiate with blog.wapnet.nl port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Then add the -c parameter for a cipher the router offers:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc [email protected]

and you are connected 🙂

The authenticity of host 'blog.wapnet.nl' can't be established.
RSA key fingerprint is SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Are you sure you want to continue connecting (yes/no/[fingerprint])?
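Added example, not part of the original post: a small Python helper that parses the "Unable to negotiate" lines shown above, picks the strongest algorithm the router actually offers, and emits a per-host ~/.ssh/config stanza, so the deprecated algorithms are enabled for that one device only instead of being typed with -o on every command line (or, worse, enabled globally). The preference ranking of the legacy algorithms is an assumption of this example.

```python
import re

# Legacy algorithms an old Cisco image may offer, strongest first. group14
# uses a 2048-bit DH group, group1 a 1024-bit one; group-exchange is ranked
# below group14 because old IOS may propose a group smaller than modern
# OpenSSH accepts (this ranking is an assumption, not from the post).
PREFERENCE = {"kex": ["diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group1-sha1"],
              "cipher": ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"]}
OPTION = {"kex": "KexAlgorithms", "cipher": "Ciphers"}

OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port \d+: "
    r"no matching (?P<kind>key exchange method|cipher) found\. "
    r"Their offer: (?P<offer>[\w@.,+-]+)")

def parse_offer(line):
    """Parse one 'Unable to negotiate' line into (host, kind, offered) or None."""
    m = OFFER_RE.search(line)
    if not m:
        return None
    kind = "kex" if m.group("kind").startswith("key") else "cipher"
    return m.group("host"), kind, m.group("offer").split(",")

def pick(kind, offered):
    """Strongest algorithm from our preference list that the peer offers."""
    return next((alg for alg in PREFERENCE[kind] if alg in offered), None)

def ssh_config_stanza(error_lines):
    """Build a ~/.ssh/config Host stanza from the client's error output.
    A Host stanza enables the deprecated algorithms for this device only,
    whereas the same options in a global section would weaken every session."""
    host, opts = None, []
    for parsed in filter(None, map(parse_offer, error_lines)):
        host, kind, offered = parsed
        alg = pick(kind, offered)
        if alg:
            opts.append(f"    {OPTION[kind]} +{alg}")
    return "\n".join([f"Host {host}"] + opts) + "\n" if host and opts else ""

# Constructed sample input: the two error lines quoted in the post above.
SAMPLE = [
    "Unable to negotiate with blog.wapnet.nl port 22: no matching key exchange"
    " method found. Their offer: diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "Unable to negotiate with blog.wapnet.nl port 22: no matching cipher found."
    " Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
]
```

Running ssh_config_stanza(SAMPLE) yields a stanza with "KexAlgorithms +diffie-hellman-group14-sha1" and "Ciphers +aes256-cbc" under "Host blog.wapnet.nl"; the "+" form appends to the client's default list rather than replacing it.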

Windows 2012 R2 unstable internet connection

I had 2x HP DL 380 G6 servers with Windows 2012 R2 with the same problem. When I start a download (I tried a lot of different sites) the download drops and fluctuates. When I connect my laptop or another server to the same cable the download is stable. So my conclusion was the onboard NIC.

What I tried:

  • Update latest HP SSP (2014_2)
  • Update firmware NIC
  • Update driver NIC
  • Update Windows (patches)
  • Change all the default NIC settings, for example disable TCP offload
  • Try another switch

Bandwidth during download:

[chart: hp ethernet]

I thought the problem must be the NIC, so I added an Intel Pro NIC to my server, with the same result 🙁

Then I found the command netsh interface tcp show global

Output:

C:\Windows\system32>netsh interface tcp show global
Querying active state...

TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : enabled
Chimney Offload State               : disabled
NetDMA State                        : disabled
Direct Cache Access (DCA)           : disabled
Receive Window Auto-Tuning Level    : enabled
Add-On Congestion Control Provider  : none
ECN Capability                      : enabled
RFC 1323 Timestamps                 : disabled
Initial RTO                         : 3000
Receive Segment Coalescing State    : enabled
Non Sack Rtt Resiliency             : disabled
Max SYN Retransmissions             : 2

I dived into these settings and found “Receive Window Auto-Tuning Level : enabled”. So I disabled the setting with:

netsh int tcp set global autotuninglevel=disabled

After that change the network connection to the internet was stable 🙂

[chart: fixed]

I found an article on the net stating that Cisco PIX IOS 8.0 doesn’t support “TCP Window Scaling”. Source: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/71613-iosfw-tcp-scaling-ts.html

So I used the workaround of disabling automatic window scaling in Windows, because I can’t update our old PIX.

Problem solved 😀


Cisco router change access list (ACL)

  • First check the access list with show run
  • Then check the dialer:

!
interface Dialer1
 description Internet
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect list1 out
 ip virtual-reassembly

  • Copy the access group line (ip access-group 111 in) to notepad
  • Now do a show run and copy the specific access list (111 in my case) to notepad:

access-list 111 permit tcp any any established
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 deny   ip any any log

  • Now add the new line (permit tcp any any eq 443 in this case) to the ACL, still in notepad:

access-list 111 permit tcp any any established
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
access-list 111 deny   ip any any log

  • Now type conf t
  • Type interface dialer1
  • Temporarily disable the access list with: no ip access-group 111 in (until it is re-applied, the interface passes traffic unfiltered, so keep this window short)
  • Type exit to leave the Dialer1 interface
  • Type no access-list 111 to clear the current ACL
  • Paste the modified ACL from notepad into your router
  • Type interface dialer1
  • Type ip access-group 111 in to enable the new access list
  • Type exit
  • Test the new rule
  • Type wr mem to write the config from RAM to ROM