More fun with UnetLab today!
I am back to running it on the ESXi server, so I have plenty of memory and CPU cores. It should be nice and fast!
vIOS on UnetLab
Following the documentation through (or so I thought), I then created a lab, added a network, and tried to add a vIOS node.
But the list was empty.
So, I read through the doc again, and some of the comments. Andrea tells us what the image name should be, so I created a folder to match the version, and moved the HDA file into there:
Topology
So let’s try configuring the routers!
Router(config)#ho vIOS-1
vIOS-1(config)#int gi 0/0
vIOS-1(config-if)#ip add 10.1.1.1 255.255.255.0
vIOS-1(config-if)#no shut
vIOS-1(config-if)#cdp enable
vIOS-1(config-if)#exit
vIOS-1(config)#cdp run
vIOS-1(config)#exit
vIOS-1#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
vIOS-1#

Router(config)#ho vIOS-2
vIOS-2(config)#int gi 0/0
vIOS-2(config-if)#ip add 10.1.1.2 255.255.255.0
vIOS-2(config-if)#no shut
vIOS-2(config-if)#cdp en
vIOS-2(config-if)#exit
vIOS-2(config)#cdp run
vIOS-2(config)#exit
vIOS-2#s
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.1.2        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
vIOS-2#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
vIOS-1           Gig 0/0           150              R B   IOSv      Gig 0/0

Total cdp entries displayed : 1
vIOS-2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/5/12 ms
vIOS-2#
Easy.
I took the first screenshot at 13:22, it’s now 13:58, and I have written this whilst setting it all up. 30 minutes or less!
ASA on UNetLab
Not sure how this will go. There isn’t a guide for it, so it’s going to be a lot of guesswork!
I start by copying the two VMDK files I have to the /tmp directory:
root@iou:/# ls /tmp
ASA-8.42-1.vmdk  ASA-8.42.vmdk
root@iou:/#
Then I convert them:
root@iou:/tmp# qemu-img convert -f vmdk -O qcow2 ASA-8.42.vmdk hda.qcow2
root@iou:/tmp# qemu-img convert -f vmdk -O qcow2 ASA-8.42-1.vmdk hdb.qcow2
root@iou:/tmp#
I then move to the right directory, and move the files there:
root@iou:/opt/unetlab/addons/qemu# mkdir ASA-8.42
root@iou:/opt/unetlab/addons/qemu# mv /tmp/hda.qcow2 ASA-8.42/
root@iou:/opt/unetlab/addons/qemu# mv /tmp/hdb.qcow2 ASA-8.42/
root@iou:/opt/unetlab/addons/qemu# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
root@iou:/opt/unetlab/addons/qemu#
Surprisingly… There is nothing there when I try and add a node:
At this point I started reading some of the other documents. I went through all of them until I got to the F5 BIG-IP document. Here we have another example of a 2 part system. I was happy that I had named the files hda and hdb, but then I thought – let’s just try making the folder name lower case. So I edited it in FileZilla:
root@iou:~# ls /opt/unetlab/addons/qemu/
asa-8.42  vios-adventerprisek9-m15.4-1.2.0-173  xrv-k9-5.2.2
root@iou:~#
All of a sudden, I have the option for ASAs!
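The naming lesson from the steps above, as an added example (not part of the original post and not UNetLab's own tooling): a shell function that scans an image directory and flags folders that would not be offered in the node list. It assumes only the rules visible in this post: lowercase folder names, a prefix from the listing above (asa, vios, xrv) and a first disk called hda.qcow2. The names check_image_dir and demo are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit a UNetLab QEMU image directory for folders that
# will not show up when adding a node.
# Assumptions (from this post only): names are lowercase, start with a known
# template prefix, and contain a first disk named hda.qcow2.

# Prefixes seen in the directory listing in this post; extend as needed.
KNOWN_PREFIXES="asa vios xrv"

# check_image_dir DIR
# Prints one "STATUS<TAB>folder<TAB>reason" line per sub-folder of DIR.
check_image_dir() {
    local root="$1" dir name lower prefix ok
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name="$(basename "$dir")"
        lower="$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')"
        if [ "$name" != "$lower" ]; then
            # The failure hit in the post: ASA-8.42 instead of asa-8.42.
            printf 'FAIL\t%s\trename to %s\n' "$name" "$lower"
            continue
        fi
        ok=""
        for prefix in $KNOWN_PREFIXES; do
            case "$name" in "$prefix"-*) ok=1 ;; esac
        done
        if [ -z "$ok" ]; then
            printf 'FAIL\t%s\tunknown template prefix\n' "$name"
        elif [ ! -f "$dir/hda.qcow2" ]; then
            printf 'FAIL\t%s\tmissing hda.qcow2\n' "$name"
        else
            printf 'OK\t%s\t-\n' "$name"
        fi
    done
}

# Constructed demo tree (empty placeholder files, not real images).
demo() {
    local tmp; tmp="$(mktemp -d)"
    mkdir "$tmp/ASA-8.42" "$tmp/xrv-k9-5.2.2" \
          "$tmp/vios-adventerprisek9-m15.4-1.2.0-173"
    touch "$tmp/ASA-8.42/hda.qcow2" "$tmp/ASA-8.42/hdb.qcow2" \
          "$tmp/xrv-k9-5.2.2/hda.qcow2"
    check_image_dir "$tmp"
    rm -rf "$tmp"
}
demo
```

On a real host, point it at /opt/unetlab/addons/qemu and run the fixpermissions wrapper after renaming anything it flags.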
ciscoasa(config)# hostname ASA1
ASA1(config)# int gi 0
ASA1(config-if)# ip add 10.1.1.1 255.255.255.0
ASA1(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA1(config-if)#
ASA1(config-if)# no shut
ASA1(config-if)#

ciscoasa(config)# hostname ASA2
ASA2(config)# int gi 0
ASA2(config-if)# ip add 10.1.1.2 255.255.255.0
ASA2(config-if)# no shut
ASA2(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
ASA2(config-if)#

ASA1# ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1#

ASA2# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2#
Wow!
So, in two days, with a total of about three hours, I now have one environment that will run IOL routers, XRv routers, vIOS routers and ASAs.
Now that is impressive!
I might even try and add Titanium to UNetLab as well! But not today.
Hello Stuart,
I followed your post about the ASAs, but when the ASA boots, it shows me some errors about the NICs. I had the ASA running with VMware Workstation, and I use the vmdk files from there. Can you tell us what settings you have in Workstation to boot the ASA?
Thanks a lot.
Hi, I am not using Workstation, I am using ESXi; I have never tried running the ASA on Workstation. Because you have used the version that was already running on VMware, that's probably where the problem with the NICs is coming from. I would suggest starting from the original media you used to create the ASA. Try starting from scratch and it'll probably work 🙂
Hi, Stuart
I tried for VIos-L3 and got it working, but L2 is not even showing in the image option. What can be the exact folder name for Vios-L2?
thanks
Check this post: https://www.802101.com/unetlab-image-folder-naming-convention/
Have you tested switching with UNetLab?
How much switching can you do using an Arista switch for CCIE Security?
Hi
I have not tested switching yet, I will do soon.
I have no idea about the Aristas for CCIE Security, I haven't looked at that exam at all yet.
Hello Thanks for the post.
I followed your steps but my node does not have firewall and CiscoASA. Which UNL version did you use?
Thanks,
Hi, have you ever had the log message: %PLATFORM-2-SIGNATURE_FAILED: Image 'flash0:/vios_l2-adventerprisek9-m' failed code signing checks, error 'Invalid key storage handle'. Ethernet switching has been disabled to protect against attack.
know what it can be about?
Thanks
Dear.
I follow your step.
When I drag and drop the node …nothing..
What did you do to let asa show up in node
Did you run the fixpermissions script?
Hello, does it run on Xenserver? has anyone tried?
Nice post, especially the ASA part. The only mystery for me is how to create those .vmdk files, because I've got only a .bin image of ASA. Anyway, finally I found ASA for ESXi.
You can google ASA image:
asa 8.4.2 ESXi rutracker.org
Hi Stuart,
All my vIOS and ASAv started successfully on UnetLab web interface and I could telnet to these devices. However, the telnet window was blank. Hitting return key didn't make any difference.
how long did you wait? It can take some time for them to start showing on the console. You could always check the UNL logs to see if there are any problems, but I'd probably just wait longer…
Hi,
I followed the steps on VMware, but I am getting:
Connected to 192.168.213.130.
Escape character is '^]'.
Any solution. Thanks
How long are you waiting? It can take some time to see anything on the console. Have you checked the logs of UNetLab? If you SSH into UNetLab and type in "top", can you see the processes working?
Stuart i keep getting this message, any idea?
"Undefined message, check if the UNetLab VM is powered on. If it is, see logs."
Hi Stuart,
Thank you for the post. I would like to ask whether you encounter the following too:
When starting the ASA (8.4.2), it took ages and there is the following message at the beginning:
main-loop: WARNING: I/O thread spun for 1000 iterations
Then it finally boots. What i noticed also is that sometimes it boots with all interfaces configured for that node in Unetlab, sometimes just with few of them 🙁
Also, I would like to ask if you know how to setup the ASA in ESXi or Workstation. I made ASA ISO, but when booting for the first time it just get stuck with Booting the kernel. I tried it with Linux 2.6.
Thank you.
Thanks for the post. I am using a qemu image for 8.4(2) and while it works, it completely pegs my Unetlab cpu usage to 100%. I am running it on an ESXi host with an allocated 4 sockets, 1 core each. Do I need to allocate more? I have a lot of other things running and was wondering if you could chime in on this.
Thanks
Hi Stuart, I followed step by step to simulate vIOS. It works very well, but once I reboot the VM, I lose HTTP access to the VM. I am not able to access the VM via HTTP on its IP address. It was working nicely before I simulated vIOS. If you came across this issue, please advise any solution.
Many Thanks.
Abdul.
does the VM have an IP address? Should show it on the console, or login and do ifconfig…
Hi, I followed your awesome post and now I have ASA 8.4 and IPS 7 running. Thanks a lot. Please could you also kindly guide us on how to load ASA 8.02 in UNetLab? I need it for my CCIE Security studies. Thanks again.
Hey Zed,
Check this link, its got a lot of useful stuff: https://nbctcp.wordpress.com/2015/07/02/unetlab-installation-on-esxi/
Good luck with the studies, let me know how it goes as I am doing the same 🙂
Hello Stuart,
This is probably coming in late, but it helped me with the ASA 8.02 issue:
http://certcollection.org/forum/topic/286661-unl-networking-issue/
Thanks a million for the above site. Has been extremely useful
Cheers
It looks like a bug. Sometimes I lost HTTP access to the VM, and after doing some research I noted that port 80 is not open, the apache2 server is not working… even when I restart the service it won't work.
Why don't you do all of us a favor and give the step by step procedure for this saves a lot of time. Thanks
And how would you learn anything for yourself? The key is reading, learning and doing.
Why don't you do yourself a favour and be a little more polite?
dear guys,
I have an issue while running ASAv in UNetLab. The "ASAv started" message is shown in the notification, but it goes offline. I am using asa 941-200. Please help me.
please send the instruction by email [email protected]
with regards
suneer ku
Suneer
Anything in the logs? If you need help then you might want to post in the forum, then you can include screenshots, etc
Hi Stuart
Thanks for all the posts on UnetLAB, it seems that you have been working with it for a while now and the information is very informative.
Any chance that you might have loaded newer versions of ASA like 9.4.1 or 9.5 perhaps.
Reason I ask is that I am fairly new to UNL and have tried everything I could find so far. Followed the guide on UNL Docs for ASAv but my ASAv does not even start then tried your guide as well where I convert the VMDK files to hda.cqow2 and hdb.cqow2.
But with ver 9.4.2 one gets a boot.vmdk and disk0.vmdk.
I first tried boot.vmdk as hda0.qcow2 and disk0.vmdk as hdb.qcow2, got some errors when opening the terminal with wrong emulation and something about ee100.
I then thought perhaps I have it the wrong way around on the disks and changed boot to hdb0 and disk0 to hda0. The ASA starts and uses 100CPU but I never get the telnet session to show anything.
Also the 8.4.2 image you use seems to be dated and is no longer available when I check under ASAv on Cisco.
Any advice or guidance would be much appreciated here.
Got my ASAv up and running, was a bit of a mission but I am on course now.
I have set up EVE-ng on Ubuntu bare metal and am able to access the EVE-ng web GUI from another PC in the same LAN. I have uploaded an F5 image and an ASA image downloaded from official websites, but I am not able to add a node object in the EVE-ng web GUI. All I see is a blue link for virtual PC in node objects; for the rest of the devices I am not able to select the objects. Any help will be appreciated.
Did you name the images correctly?
Working as expected 🙂
ciscoasa# sho version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is “Unknown, monitor mode tftp booted image”
Config file at boot was “startup-config”
ciscoasa up 11 secs
Hardware: ASA 5520, 512 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: Ethernet0 : address is 5000.0002.0000, irq 10
1: Ext: Ethernet1 : address is 5000.0002.0001, irq 11
2: Ext: Ethernet2 : address is 5000.0002.0002, irq 11
3: Ext: Ethernet3 : address is 5000.0002.0003, irq 10
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 20 perpetual
GTP/GPRS : Enabled perpetual
AnyConnect Premium Peers : 10000 perpetual
AnyConnect Essentials : 0 perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Enabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 5000 perpetual
Total UC Proxy Sessions : 10000 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x9933e843 0x88a03a01 0xdd60b0f8 0xd2886c64 0x0f28fd93
Configuration register is 0x0
Configuration has not been modified since last system restart.
ciscoasa#
ciscoasa# sho flash:
--#--  --length--  -----date/time------  path
3 4096 Mar 01 2013 10:49:58 log
13 4096 Mar 01 2013 10:50:00 coredumpinfo
14 59 Mar 01 2013 10:50:00 coredumpinfo/coredump.cfg
42 0 Jun 09 2017 11:46:42 nat_ident_migrate
50 16280544 Feb 05 2013 06:15:00 asdm-645.bin
51 260 Jun 09 2017 11:46:42 upgrade_startup_errors_201706091147.log
268054528 bytes total (226414592 bytes free)
ciscoasa#