Setting up multiple IPSEC VPN peers on Cisco IOS & IOS XE

When working with Cisco router-based IPSEC VPN tunnels, we might need to enable an HA feature for continuous connectivity with the remote peer. By default, we use just a single peer IP address, but if the remote peer is dead for some reason, the IPSEC tunnel fails. To mitigate that risk, we can use the feature called “default peer”. It enables us to define multiple redundant peers instead of a single peer.

Preference is always given to the “default” peer. If the default peer IP address is unreachable for any reason, the next available peer is elected as the tunnel peer. Peer status is detected by the Dead Peer Detection (DPD) feature. So, let's jump into the config:

(NOTE: always verify that these commands are supported by your router's IOS release)

Configuring a Default Peer

enable
configure terminal
crypto map map-name seq-num ipsec-isakmp profile profile-name
set peer ip-address default
exit


How to Unlock ESXi hosts – you can not login at all

The root account of an ESXi host can be locked after many failed login attempts. In this instance, you will not be able to connect to the host via the web GUI or SSH. This can be due to many reasons, such as expired credentials, brute-force attacks, or monitoring systems. Most of the time, I ended up with monitoring-system-related issues.

So, today we will look at the resolution steps.

There is a prerequisite to check before following the steps below:

You need physical console access or DCUI access (for example via the iLO/iDRAC console).

The steps are as below:

1. Log in to the DCUI console with the root credentials (do not worry, you can still log in there)

2. Enable SSH and the ESXi shell under “Troubleshooting Options”

3. Go to View System Logs, select the syslog, and find the IP address causing the failed logins

4. Then return to the DCUI main menu and press Alt+F1 to get the shell console

5. Run pam_tally2 --user root to check how many failures have been recorded and to identify the source IP address (in my case, the IP address of the monitoring system)

6. If you are confident about the source IP, unlock the root account by running pam_tally2 --user root --reset

7. Monitor for 15 minutes; if you notice recurring failed attempts, you will have to change the IP or power off the source (which we identified in steps 3 and 5)

8. If you don’t notice any issues, you are good to go.
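As an added example (not from the original post), here is a small POSIX shell helper for steps 5 and 6: it parses the table that pam_tally2 --user root prints, pulls out the failure count and the source host, and only answers "reset" when that source matches the host you already expect, so the lockout is never cleared blindly. The pam_tally2 output below is constructed for offline use, and the IP addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumes the usual pam_tally2
# table layout: "Login  Failures  Latest failure  From".

# Constructed sample of what `pam_tally2 --user root` prints on a locked host.
SAMPLE_TALLY='Login           Failures Latest failure     From
root               27    03/14/24 09:12:31  192.0.2.50'

# tally_failures OUTPUT -> number of failures recorded for root
tally_failures() {
    printf '%s\n' "$1" | awk '$1 == "root" { print $2 }'
}

# tally_source OUTPUT -> host the latest failure came from (last column)
tally_source() {
    printf '%s\n' "$1" | awk '$1 == "root" { print $NF }'
}

# reset_decision OUTPUT EXPECTED_IP -> "reset" only when the failures come
# from the host you expect (step 6: reset only if confident about the
# source); otherwise "investigate", because an unknown source may be an
# attacker rather than a misconfigured monitoring system.
reset_decision() {
    src=$(tally_source "$1")
    if [ "$src" = "$2" ]; then
        echo "reset"
    else
        echo "investigate"
    fi
}

# On a real host (commented out so the example runs offline):
# OUT=$(pam_tally2 --user root)
# [ "$(reset_decision "$OUT" 10.0.0.5)" = reset ] && pam_tally2 --user root --reset
echo "failures: $(tally_failures "$SAMPLE_TALLY") from $(tally_source "$SAMPLE_TALLY")"
```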