Thursday, May 7, 2015

How to install Flow-tools and Flow-viewer on Centos 6.5

This document is specifically made for installing the Flow-tools on Centos 6.5 and Below version of Flow-tools and Flow-viewers are used in it.

    Flow Tools:   flow-tools-0.68.5.1
    Flow Viewer:  FlowViewer_4.6

Flow-tools Installation:

Download the flowtools and install it...
        wget https://flow-tools.googlecode.com/files/flow-tools-0.68.5.1.tar.bz2
        tar -xvjf flow-tools-0.68.5.1.tar.bz2
        cd flow-tools-0.68.5.1
        yum install make tcp_wrappers zlib gcc
        ./configure
        gmake
        gmake install


Install FlowViewer Dependencies:
           yum install gd libgd gd-devel rrdtool
    Download  and install GD for cpan:      
           wget http://search.cpan.org/CPAN/authors/id/L/LD/LDS/GD-2.56.tar.gz
           tar -zxvf GD-2.56.tar.gz
           cd GD-2.56
           perl ./Build.PL
           ./Build
           sudo ./Build install       
           yum install perl-ExtUtils-MakeMaker*
    Download and install ExtUtils-makeMaker
           wget http://search.cpan.org/CPAN/authors/id/M/MS/MSTROUT/ExtUtils-MakeMaker-6.58_01.tar.gz
           tar -zxvf ExtUtils-MakeMaker-6.58_01.tar.gz
           cd ExtUtils-MakeMaker-6.58_01
           perl Makefile.PL
           make
           sudo make install
FlowViewer installation and configuration:
           wget http://downloads.sourceforge.net/project/flowviewer/FlowViewer_4.6.tar
          tar -xvf FlowViewer_4.6.tar
          yum install httpd
          mv FlowViewer_4.6 /var/www/cgi-bin/flowviewer

FlowViewer Configuration:

Edit the FlowViewer_Configuration.pm file and update the path.. make sure the Paths are Valid if the Floders are not exist.. Please create it manually.
Copy the config file to the correct directory.
          cp /var/www/cgi-bin/flowviewer/tools/flow-capture-table.conf /etc/flow-capture-table.conf

Edit the flow-capture-table.conf file and update the router and port number details.
Copy the flowcapture init script to the init.d directory.
           cp /var/www/cgi-bin/flowviewer/tools/flowcapture_restart /etc/init.d/flowcapture

Start the flowcapture..
            /etc/init.d/flowcapture start

Point your browser to http://<YOUR -SERVER_IP>/cgi-bin/flowviewer/FV.cgi

P.S: flowgrapher Setup is not updated in the installtion. I will add it in future..

P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online
Posted by at 2 comments:
Labels: , , , , , ,

Thursday, December 11, 2014

SIP Normalization Script for removing the Diversion Header

When we forward a call from one  phone to another or from one hunt group to a phone, the Diversion header gets added to the SIP messages.
Some of the SIP gateways or Voice mail systems doesnt have the ability pick the required Diversion header.  For example look at the below message, we are calling the operator(1408) and the operator forwards the calls to Vishnu on 1100  so the Diversion headers are added to it.
When the call is forwarded to the Voice mail system. The server looks at the latest Diversion that is 1408 and provides the voice mail of Operator, instead of Vishnu.
If there is no Voice Mail box exist for 1408 then the System will say "The person you have tried does not have a valid Voice mail box configured on this system"  error message.

INVITE sip:9997@172.17.8.6:5060 SIP/2.0
Via: SIP/2.0/TCP 172.16.8.4:5060;branch=
From: <sip:1112@172.16.8.4>;tag=470449ec-8a27-f7e4c9c946e7-30683727
To: <sip:9997@172.17.8.6>
Date: Thu, 11 Dec 2014 13:41:36 GMT
Call-ID: 6bcc2d80-48919f10-704b6-40810ac@172.16.8.4
Supported: timer,resource-priority,replaces
Min-SE:  1800
User-Agent: Cisco-CUCM10.5
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence, kpml
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Call-Info: <sip:172.16.8.4:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Call-Info: <urn:x-cisco-remotecc:callinfo>;x-cisco-video-traffic-class=VIDEO_UNSPECIFIED
Cisco-Guid: 1808543104-0000065536-0000008029-0067637420
Session-Expires:  1800
Diversion: "Vishnu" <sip:1100@172.16.8.4>;reason=no-answer;privacy=off;screen=yes
Diversion: "Operator" <sip:1408@172.16.8.4>;reason=no-answer;privacy=off;screen=yes

So We need to need to configure the Voice mail server to pick the other Diversion .I.e 1100 instead of 1408
Cisco Unity connection or Microsoft Unified messaging has the option of selecting the Diversion header. But Microsoft Office 365 or any other voice mail servers doesnt have this option.

We need to remove the Extra Diversion from the SIP messages while sending out of the SIP trunk to the Voice mail server.
This can be acheived by using the SIP Normalization Script in the CUCM.
We need to create a Script in the CUCM server and assign it in the SIP trunk.
Step1: Login to Call manager.
Step2: Click Device --> Device Settings --> SIP Normalization Script
             Click Add New and add the below config and save the script  

Step 3: Then go to the  SIP truck.
              Click Device ---> Trunk and select the SIP trunk which goes to Voice mail server.
              Go to Normalization script section and select the UseLastDiversion script
              Save the Config.
              Reset the trunk.
After applying the script the script will remove the Lastbefore Diversion
So the output of SIP Message will look like below.

INVITE sip:9997@172.17.8.6:5060 SIP/2.0
Via: SIP/2.0/TCP 172.16.8.4:5060;branch=
From: <sip:1112@172.16.8.4>;tag=470449ec-8a27-f7e4c9c946e7-30683727
To: <sip:9997@172.17.8.6>
Date: Thu, 11 Dec 2014 13:41:36 GMT
Call-ID: 6bcc2d80-48919f10-704b6-40810ac@172.16.8.4
Supported: timer,resource-priority,replaces
Min-SE:  1800
User-Agent: Cisco-CUCM10.5
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
CSeq: 101 INVITE
Expires: 180
Allow-Events: presence, kpml
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Call-Info: <sip:172.16.8.4:5060>;method="NOTIFY;Event=telephone-event;Duration=500"
Call-Info: <urn:x-cisco-remotecc:callinfo>;x-cisco-video-traffic-class=VIDEO_UNSPECIFIED
Cisco-Guid: 1808543104-0000065536-0000008029-0067637420
Session-Expires:  1800
Diversion: "Vishnu" <sip:1100@172.16.8.4>;reason=no-answer;privacy=off;screen=yes


P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online





Posted by at No comments:
Labels: , , , , , ,

Saturday, December 6, 2014

How to Install Cacti on Centos



This procedure explains the Cacti installation on Centos Server using Yum.


Step1: Install the dependencies.

[:vishnu:root@sandbox ~]# yum install mysql-server mysql php-mysql php-pear php-common php-gd php-devel php php-mbstring php-cli php-snmp php-pear-Net-SMTP php-mysql httpd

[:vishnu:root@sandbox ~]# yum install net-snmp-utils php-snmp net-snmp-libs


Step2: start mysqld and configure it

[:vishnu:root@sandbox ~]# service mysqld status
mysqld is stopped
[:vishnu:root@sandbox ~]# service mysqld start

Initializing MySQL database: Installing MySQL system tables...
OK
<<Output Suppressed>>
[ OK ]
Starting MySQL: [ OK ]
[:vishnu:root@sandbox ~]#
[:vishnu:root@sandbox ~]# /usr/bin/mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In <Output Omitted>
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!

Step3: Install Cacti

[:vishnu:root@sandbox ~]# yum install net-snmp-utils php-snmp net-snmp-libs
[:vishnu:root@sandbox ~]# yum install cacti
If cacti package is not available. Add the below repo to your machine and run the command again.
#vim /etc/yum.repos.d/dag.repo:
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
gpgkey=http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
enabled=1

Step4: Install Spine

Download the latest file from the cacti.net

tar xvzf cacti-spine-*.tar.gz
cd cacti-spine-*
./configure
make
sudo make install
Spine Path /usr/local/spine/bin/spine ​


Step5: Update the correct database details in /var/www/cacti/include/config.php

$database_type = "mysql";
$database_default = "cacti";
$database_hostname = "localhost";
$database_username = "cacti";
$database_password = "cacti";
$database_port = "3306";
$database_ssl = false;


Step6: Spine config: update the below variables in spine.conf file
###Copy the config file first
cp /usr/local/spine/etc/spine.conf.dist /usr/local/spine/etc/spine.conf

DB_Host localhost
DB_Database cacti
DB_User cacti
DB_Pass cacti
DB_Port 3306
DB_PreG 0

step:6 create a database called cacti in mysql
#mysql -u root -p
#mysqladmin --user=root create cacti
#mysql --user=root mysql
mysql# GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY 'somepassword';
mysql# flush privileges;​

Step:7 Correct the Folder permission:
cd /var/www/cacti/
chown -R cacti rra/ log/

Step:8 Edit the cacti.conf file and add the "allow from all" in it.

#vim /etc/httpd/conf.d/cacti.conf
Alias /cacti/ /var/www/cacti/
<Directory /var/www/cacti/>
DirectoryIndex index.php
Options -Indexes
AllowOverride all
order deny,allow
deny from all
allow from all
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc on
php_flag track_vars on
</Directory>

Step:9 reload httpd config file.
# service httpd reload


Step 10 point your browser to:
http://your-server/cacti
P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online
Posted by at No comments:
Labels: , , , ,

Shell Script to generate Reverse DNS file for Core links

This is Shell script i created which Collects the IPaddress details from the WAN routers using SNMP and creates the reverse DNS file for the same. Some times the reverse DNS of the links will be very helful for identifying and troubleshooting the link issue, without looking at your database.

 Create a file called device_list in /var/named folder. Enter the device detail hostname or IP address from where you need to retrive the IP address details.

 eg:
core1.pop1
core2.pop1
( or )
10.1.1.1
10.2.1.1

 update the grep commands to include the links which you want reverse_dns 
=================================================
#!/bin/bash
#This is a script to generate reverse DNS file for core links

 DEVICELIST=/var/named/device_list
ALIASFILE=/tmp/ifalias
ADDRESSFILE=/tmp/ipaddress
REVERSEDNS=/tmp/reverse_dns
COREDNSFILE=core-reverse.inc
TMPCOREDNS=/tmp/$COREDNSFILE
BINDBASE=/var/named/inc-reverse
POPFILE=$BINDBASE/reversedns

 ##Empty the files
echo > $ALIASFILE
echo > $ADDRESSFILE
echo > $REVERSEDNS
echo > $TMPCOREDNS

 for  DEVICE in `cut -d " " -f 1 $POPLIST`
                       do echo "$DEVICE"
                snmpwalk -v2c -c a0xCOWTF^@gXhgphcxMX!  $DEVICE ifAlia | egrep 'pl2'| grep -v trunk | sed 's/-/ /g' | sed 's/::ifAlias./ /g' | sed 's/_/ /g' | cut -d ' ' -f 3,6,7,8,9,10 > $ALIASFILE  2>/dev/null
                sed -i 's/[^ ]*/'$DEVICE'/6' $ALIASFILE
                snmpwalk -v2c -c a0xCOWTF^@gXhgphcxMX!  $DEVICE ipAdEntIfIndex | sed 's/-/ /g' | sed 's/::ipAdEntIfIndex./ /g' | sed 's/_/ /g' | cut -d ' ' -f 3,6 > $ADDRESSFILE  2>/dev/null
                awk 'NR==FNR {a[$2]=$1;next} {$1=a[$1];print}' $ADDRESSFILE $ALIASFILE | sed 's/\./_/g' | sed 's/ /_/g' >> $REVERSEDNS
        done
done

 sed -i '/^$/d' $REVERSEDNS
awk -F '_' '{print $4"\."$3"\t""\t""IN""\t""PTR""\t"$5"-"$6"-"$7"-"$8"-"$9"-"$10"\."$11}' $REVERSEDNS > $TMPCOREDNS
#Move the files to bind base
mv $COREDNS $BINDBASE
chown root:named ${POPFILE}
chmod 640 ${POPFILE}
P.S: Use http://ipsubnetcalculator.net/  for calculating IP subnet mask Online
Posted by at No comments:
Labels: , ,

Tuesday, November 4, 2014

How to Migrate/Move Cisco VPN Phones to Different CUCM and ASA

This document explains the procedure to migrate a VPN phone to a different call manager and ASA without taking the phone to office.

 As per the Cisco documents we cannot make  VPN configuration changes to the phone when the phone is outside of corporate network. But sometimes the User might be there in a remote location  and  cannot be connected to corporate network.
This document will help you to solve those problem. This is a tested procedure.

 Considering that there is a New ASA and New call manager is installed with different IP addresses and the phone needs to connected to these new devices.

 Step 1: Export the Certificate from the Old ASA and Import it to the New ASA.
        Use the below command on the old ASA. Once entered, the ASA will output a key. 
                    crypto ca export <trust-point-name> pkcs12 <passphrase>
        Copy the output and save it in a file. Save the file with the extension as .pki
        Please copy the BEGIN PKCS12  and END PKCS12 also to the file.
        If you dont remember the passphrase of the old ASA. Then you can use the below command.
                crypto ca export <trust-point-name> identity-certificate
        The problem with the identity-certificate command is that this will not export the rsa keys. so you have to figure out a way to export the rsa keys also.

 Step 2 :Import the CA Crtificate to new ASA.
         Enter the below command on the New ASA and this will ask you to enter the certificate. Paste the output from the old ASA to this New ASA (Paste the BEGIN PKCS12 and END PKCS12 line also.
                   crypto ca import <trust-point-name> pkcs12 <passphrase>

 Step 3: Import the CA  Certificate to New CUCM.
        From Cisco Unified Communications Operating System Administration, choose Security > Certificate Management.
        Click Upload Certificate and from the certificate name pull-down-menu, choosr Phone-VPN-trust
        Click browse to choose the file you want to upload .
        The remaining configuration (Phone and Cucm) can be copy pasted from old devices. 
Please refer Cisco for more details

 Step 4: Configure the VPN Phone Username/ Passowd in the New ASA
        Make sure the username and password matches the old ASA config.
                username vishnu password hRoasdasQoPWF/3 encrypted

 Step 5 : Configure the Phones  in the New CUCM
        Configure the VPN Phones in the New CUCM and make sure the ssl vpn profile is assigned to it and it matches the old CUCM

 Step 6: Change the TFTF Server in the VPN Phone Point to New CUCM
        Contact the Remote user and ask him to change the TFTP Server in the VPN Phone pointing to the New CUCM
  • Click on Setting --> Network Configuration --> IPv4 Configuration --> TFTP Server 1 
    • type **# to unblock the access to edit the setting
    • click edit and type <New CUCM IP> and click Validate
  • Click on Setting --> Network Configuration --> IPv4 Configuration --> TFTP Server 2
    • type **# to unblock the access to edit the setting
    • click edit and type <Nwe CUMP IP> and click Validate
         After Changing the Configuration VPN Disconnects and Connects again (No Password Asked). Wait for the Extension Number to Show up.

 Step 7 : Delete the ITL File from the VPN Phone
        Next delete the ITL file.
  • Click on Settings --> Security Configuration --> Trust list --> ITL File
    • type **# to unblock the access to edit the setting
    • click more --> erase
        Phone starts upgrading by taking the config from New CUCM. It takes minimum 2 hours to complete the UPgrade. This Upgrade time is totally detpends on the distance between the CUCM and VPN Phone(latency)
       Once the upgrade is done.You may need to Enable the VPN on the Phone again.
       At this point it will upgrade all over again but takes only 10 Minutes.

Step 8: Connects to the New ASA
       Once upgraded it pops up for the Username/password
       Enter the Username/Password
       Now it connects to the New ASA and updates its Locale and other files and disconnects from the VPN
       Again it pops up for the Username/Password. Enter the username/Password and wait for 10 Min. The phone connects to  US call manager.

 Step 9: Migration Completed.


Posted by at 2 comments:
Labels: , , , , , , ,

Configuring SSL/Anyconnect VPN phone in ASA and CUCM

Below are the Requirements for Configuring a VPN phone with CUCM
  • ASA runs 8.2 or higher IOS version
  • Anyconnect SSL VPN license 
Step1 : Create  Certificate on ASA and Upload it in CUCM

#crypto ca certificate chain localtrust

This will give you an output of the certificate, copy paste the output to an notepad file and save it as *.pem file
Upload this file to CUCM.

Step2 : ASA Configuration

# crypto ca trustpoint localtrust
# enrollment self
# fqdn sslvpn.test.com
# subject-name CN=sslvpn.test.com
# keypair sslvpnkeypair
# crl configure

#ip local pool vpnpool2 172.17.24.10-172.17.24.254 mask 255.255.255.0

#ssl trust-point localtrust outside
#webvpn
 enable outside
 no anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 svc enable
 tunnel-group-list enable

group-policy test-ssl-group internal
group-policy test-ssl-group attributes
 dns-server value 172.17.1.15
 vpn-tunnel-protocol svc
 default-domain value corp.test.com
 address-pools value vpnpool2

#tunnel-group test-ssl-group type remote-access
tunnel-group test-ssl-group general-attributes
 default-group-policy test-ssl-group
tunnel-group test-ssl-group webvpn-attributes
 group-alias SSLVPNClient enable
 group-url https://1.1.1.1/ enable


username vishnu password vishnu
username vishnu attributes
 service-type remote-access

Step3 : CUCM Configuration

Work in progress!!!!


Posted by at No comments:
Labels: , , , ,

CTI Route Point in VOIP

What is CTI route point and CTI port?

         CTI ports are like soft phones with extensions and CTI route points are like an Hunt group.
Normally this is used in IVR system. When the incoming call comes first it gets forwarded to the CTI route point which has an extension configured. That extension provides the IVR option to the user.
Based on the USer input the calls are forwarded to the CTI port which has the actual extension configured.
Posted by at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)