I recently picked up some used blade servers on ebay. The problem was though the onboard administrator on the C7000 recognized them, neither Firefox nor IE could manage the web component of the blade as the certificate was long expired and from an untrusted CA (HP's self signed CA.)
The error message was:
*my ilo site* uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)
Adding an exception for the certificate failed. I found this link:
Mozilla's support site
Basically, you close Firefox, delete cert8.db from the profile directory and start Firefox again. After that, add the exception. Note that cert8.db is the profile's certificate store, so deleting it also discards every exception you added earlier and any certificates you imported.
Tuesday, December 30, 2014
Saturday, November 29, 2014
RedHat Enterprise/CentOS Kickstart with Bonding
In order to set up the bonded interfaces (in 802.3ad mode) when first booting, you'll need to supply the following arguments to kickstart:
ks=http://name_of_apache_server/myconfig.cfg ip=your.ip.address netmask=yournetmask gateway=yourgateway dns=nameserver1,nameserver2 hostname=yourfqdn bond=bond0:eth0,eth1:mode=802.3ad:miimon:100
Friday, October 31, 2014
OTRS ITSM - Simple template for CAB-Free Change
ITSM with OTRS is a rather manual process. You can create conditions and move the state around, but the controls are limited; you cannot readily create a template that locks workorder state changes until the change is approved.
What you can do is create a template that simplifies some of the changes. The following flow adds an approval workorder, and requires that work order to be set to "closed" before the ticket changes to "approved."
1. Create a new change request with a name such as "my template"
2. Create a workorder called "approval" with the type "approval" and with the text "APPROVAL TEMPLATE TEXT. PLEASE REPLACE"
3. Create a condition called "before approval" using the "AND" operator
add the following expressions:
object: workorder
selector: 1-approval
attribute: workorder state
operator: is
value: Accepted
and
object: change
selector: (pick the only change listed, the change you are on)
attribute: change state
operator: is
value: requested
It'll look something like this:
Then, add the following action:
object: change
selector: (same change number as above)
attribute: change state
operator: set
value: pending approval
4. Save that condition and create a new condition "approved"
add this expression:
object: workorder
selector: 1-approval
attribute: workorder state
operator: is
value: closed
and this action:
object: change
selector: (same change number as above)
attribute: change state
operator: set
value: approved
and save it.
It'll look like this:
5. Save this and click "template" on the menu. Choose a name.
6. When you create a new change, select "New (from template)"
Tuesday, September 30, 2014
Cisco VPN 3005 - Import XML Config
The Cisco 3005 VPN concentrator is most definitely a device past its prime. However, I still see them in the field (even though they should not be used.)
One problem that I've seen is that the GUI does not provide for a way to import the XML file that it so readily exports.
The answer is to use the CLI. First, upload the XML file to the file system in the GUI under file management and remember the name you used. Then connect to the device via serial or some other manner:
Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2005 Cisco Systems, Inc.

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
From there, select 2, and you'll see:
1) Administer Sessions
2) Software Update
3) System Reboot
4) Reboot Status
5) Ping
6) Traceroute
7) Access Rights
8) File Management
9) Certificate Management
10) Back
Select 8, and you'll be prompted:
Which File to import XML from
Put in the name of the file you copied to the system using the GUI and you'll see:
Import successful.
Back out: 10 followed by 10 again, and save the config. Reboot the system. You may need to re-import the XML, as sometimes things like default gateways don't get set correctly on the first import.
Saturday, August 30, 2014
Kickstart Command Line Options/Arguments
Here are a bunch of handy arguments taken from this page:
Redhat Documentation
So, typically I interrupt a Redhat boot and choose the following:
(appended to the normal boot line)
ksdevice=eth0 ip=10.2.3.4 netmask=255.255.254.0 gateway=10.2.3.1 dns=10.10.10.2,10.10.10.4 ks=http://url/to/my/kickstart.cfg
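Before typing a line like the one above at the boot prompt, it is worth checking that the addressing is consistent (gateway inside the netmask, resolvers well-formed) and noting that a `ks=http://` URL fetches the kickstart, including any `%post` commands, without authentication or integrity protection. The following validator is an added example, not code from the post or from Red Hat; it takes the post's boot line as a constructed sample and reports the plain-http fetch as a finding, and it generalizes to any `key=value` boot line:

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: the boot line from the post, as one string.
SAMPLE_BOOT_LINE = (
    "ksdevice=eth0 ip=10.2.3.4 netmask=255.255.254.0 gateway=10.2.3.1 "
    "dns=10.10.10.2,10.10.10.4 ks=http://url/to/my/kickstart.cfg"
)


def parse_boot_args(line):
    """Split the appended boot line into a dict; bare flags map to None."""
    args = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        args[key] = value if sep else None
    return args


def check_boot_args(args):
    """Return a list of problems; an empty list means the line is consistent.

    Checks: ip/netmask form a valid IPv4 interface, the gateway lies inside
    that subnet, every dns entry is an IPv4 address, and the ks= URL uses a
    scheme the installer can fetch. A plain-http ks= URL is reported because
    the kickstart (and any %post commands in it) arrives unauthenticated.
    """
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{args['ip']}/{args['netmask']}")
    except (KeyError, ValueError) as exc:
        return [f"ip/netmask: {exc}"]

    gateway = args.get("gateway")
    if gateway is None:
        problems.append("gateway= is missing")
    else:
        try:
            if ipaddress.IPv4Address(gateway) not in iface.network:
                problems.append(f"gateway {gateway} is outside {iface.network}")
        except ValueError:
            problems.append(f"gateway {gateway!r} is not an IPv4 address")

    for server in filter(None, (args.get("dns") or "").split(",")):
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"dns entry {server!r} is not an IPv4 address")

    url = urlparse(args.get("ks") or "")
    if url.scheme not in ("http", "https", "ftp", "nfs"):
        problems.append(f"ks= scheme {url.scheme!r} is not one the installer fetches")
    elif url.scheme == "http":
        problems.append("ks= uses plain http: the kickstart is fetched without "
                        "authentication or integrity protection; prefer https")
    return problems


def problems_for(line):
    """Convenience wrapper: parse and check one boot line."""
    return check_boot_args(parse_boot_args(line))


if __name__ == "__main__":
    for problem in problems_for(SAMPLE_BOOT_LINE):
        print("finding:", problem)
```

Run against the post's own line, the only finding is the plain-http fetch; change the gateway to an address outside 10.2.2.0/23 and that is reported instead.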
Wednesday, July 16, 2014
Converting a Cisco 1141N Lightweight Access Point to Autonomous Mode
The biggest challenge in performing this operation is that the config terminal mode is not readily available.
To enable it:
debug capwap console cli
After that, let the ethernet interface (gi0) obtain an address over dhcp
1. archive tar /xtract tftp://myserver/myiosimage.tar flash:
2. After that finishes, wipe the config:
erase startup-config
3. conf t
4. boot system flash:/nameOfYourIOSIMAGE/imagefile
(i.e., boot system flash:/c1140-k9w7-tar.152-4.JB5.tar/c1140-k9w7-tar.152-4.JB5)
5. reload
6. After a successful boot, you can delete the old IOS image with something like:
delete /recursive /force flash:/name_of_old_ios_image
Monday, June 30, 2014
FreePBX Distro's Commercial Endpoint Manager and Polycom VVX Phones
A few pointers:
- To enable onetouch voicemail (i.e., press the voice mail button and have it connect automatically) - go to the endpoint manager, go to advanced, basefile edit and select the template you created for the given model of phone (i.e., vvx410.) Click "SIP-interop.cfg." Look for a line stating:
oneTouchVoiceMail 0
And set it to 0.
Now, go back to "Extension Mapping" - select your extension and select "rebuild config." After this, reboot your phone.
Tuesday, May 27, 2014
Acme SBC & ASC - Two Legged Call Issues
I recently ran into a strange problem using Oracle's (formerly Acme Packet) SBC. In this setup, the SBC gets authorization for calls by querying the ASC (Application Session Controller), which in turn queries an application server to decide whether the calling party is acceptable or, in the case of inbound calls, whether the called party is acceptable.
This is useful in a couple of scenarios:
- You're presenting a virtual number. For instance, you want customers to be able to call a sales rep, but you don't want to give out the direct DID/number for the salesperson. In this case, the SBC accepts the inbound call, matches on the destination DID in the LRT (provided you are using an LRT) and sends the call to the ASC. The ASC either rejects the call (if the number is not authorized) or accepts the call. If it's the latter, it will open a second call (using the SBC) to the "real" number (which the ASC obtains from the application server) and then bridges the two calls together. Thus, a two-legged call. In this case, the ASC leaves the from field the same and changes the to field and the number on the invite to be the "real" number.
- You want to do some sort of processing/reporting on the call from a call manager. In this scenario, the call is routed to the SBC from another SBC or PBX. The SBC accepts the call based on the "FROM" key in the LRT. The SBC sends the call over to the ASC. If the ASC is okay with the call, it creates the second leg and bridges the call. It's possible to even send the call back to the originating call manager or SBC.
After investigating the issue (the logs from the ASC were not helpful,) I realized that the ASC was missing the appropriate codec (in this case, G729) and, I believe, was trying to send back an error message from the sender.
The fix, of course, was to enable the codec on the ASC.
Friday, April 25, 2014
Sangoma A101 Shows Up as Wrong Device On FreePBX Distro
After installing a Sangoma TDM card (the A101DE, a 1 port pci-e PRI card) on a FreePBX Distro system, I noticed that the system was detecting the wrong card...
lspci showed something like:
02:04.0 Network controller: Sangoma Technologies Corp. A200/Remora FXO/FXS Analog AFT card
After looking around for quite a while, I decided that I wanted to run this card through DAHDI and not through the standalone system that I've used for years with Asterisk. The goal was to make this card managed as much as possible using the GUI.
Here are the steps I had to take:
1. Update the drivers in the OS:
sudo yum update dahdi*
sudo yum update kmod-dahdi-linux
sudo yum install wanpipe
2. Configure the card:
sudo depmod -a
3. which requires a reboot
sudo shutdown -r now
4. Now, get wanrouter to load the right kernel module
sudo wanrouter hwprobe
5. configure the card:
sudo wancfg_dahdi
Your configuration here will vary. Make sure it lists the card you have. This script really just ends up calling the setup-sangoma script. You'll have to choose what's appropriate for your system. Note: I selected the option at the end to simply save the config files and not restart the modules, as I found that the option to restart the modules failed.
You'll want to make wanrouter/wanpipe start on boot (yet another script question.)
6. reboot, again
sudo shutdown -r now
7. Go into the GUI to settings -> dahdi config -> sangoma and enable DAHDI management of Sangoma
8. reboot the system
sudo shutdown -r now
Now, you should see the right card in the DAHDI section of the GUI.
Wednesday, April 23, 2014
Problems Joining OS X Mavericks to an Active Directory Domain
When joining a mac to an Active Directory domain, you might see this error:
Unable to add server. Node name wasn't found. (2000)
One of the things that confuses people is that it asks for a clientid. This should be the computer name you want to use on the domain for the mac. Don't try to use your username or "domain admins" or anything like that.
The other is the "server" field. If you were using LDAP for directory service, you would put in one of the LDAP servers. If you're using Active Directory, put in the fully qualified domain name of your AD domain.
In this case, the time was too far out of sync on the Mac. Because AD uses Kerberos, the client machine's time must be within a few minutes of the same time as the domain controllers. By default in AD, this is five minutes. The time requirement is necessary as kerberos uses it as an anti-replay control.
Labels: aaa, active directory, apple, authentication, domain, os x
Monday, April 7, 2014
Lenovo Thinkpad Laptops Failing to Connect to Wifi
I ran into a recent problem where a Windows 7 Thinkpad would not connect to wifi access points properly. It would connect to the Thinkvantage wifi profile, but networking was unavailable. Wired access worked fine, as did everything else. The problem ended up being the Thinkvantage tools. The advanced wifi settings of the network profile showed a power savings setting of maximum savings. Switching that to medium savings enabled networking. I suspect the laptop would have worked if the WAP was only a few feet away, but this user was over 30 feet away.
Tuesday, March 18, 2014
Moving from Ntop to Ntopng
I used to start ntop this way:
screen -d -m ntopng -u ntop -m my.subnets,myothersubnets -i eth2,eth3 -W 4443 -w 40000 -M &
But this failed as the redis cache was not running (but was installed as part of the dependencies):
18/Mar/2014 16:50:33 [Redis.cpp:43] ERROR: ntopng requires redis server to be up and running
18/Mar/2014 16:50:33 [Redis.cpp:44] ERROR: Please start it and try again or use -r
18/Mar/2014 16:50:33 [Redis.cpp:45] ERROR: to specify a redis server other than the default
I now need redis to be running. I modified /etc/redis.conf to point to /opt/redisdb for its "dir" variable and changed the owner of the dir to redis as well as chmoding the directory to 700.
So, in redis.conf,
#dir /var/lib/redis/
dir /opt/redisdb/
You'll probably want to copy the SELinux context info, if you're using SELinux. As you can see:
ls -laZ /var/run/redis/
drwxr-xr-x. redis root system_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
-rw-r--r--. redis redis unconfined_u:object_r:initrc_var_run_t:s0 redis.pid
chcon --reference /var/run/redis /opt/redisdb
I started redis, which was listening to 6379 on localhost only (sudo service redis start)
Ntopng also likes to have a data directory, so I created /opt/ntopng:
sudo mkdir /opt/ntopng
sudo chown ntop /opt/ntopng
sudo chmod 700 /opt/ntopng
sudo screen -d -m ntopng -u ntop -r localhost:6379 -m my.subnets,myothersubnets -i eth2,eth3 -W 4443 -w 40000 -M &
But now, it was listening on eth0 as it didn't like the ordering of arguments. I saw this error:
18/Mar/2014 16:45:58 [NetworkInterface.cpp:79] WARNING: No capture interface specified
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1438] Available interfaces (-i):
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 1. eth0 (eth0)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 2. eth1 (eth1)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 3. usbmon1 (USB bus number 1)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 4. eth2 (eth2)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 5. usbmon2 (USB bus number 2)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 6. usbmon3 (USB bus number 3)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 7. usbmon4 (USB bus number 4)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 8. any (Pseudo-device that captures on all interfaces)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 9. lo (lo)
18/Mar/2014 16:49:52 [PcapInterface.cpp:68] Reading packets from interface eth0...
18/Mar/2014 16:49:52 [Ntop.cpp:573] Registered interface eth0 [id: 0]
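A sensor that silently captures on the wrong interface is worse than one that fails to start, so the thing to check after each restart is which interfaces ntopng actually registered versus the ones you asked for. The following check is an added example, not ntopng's code or the post's; it runs over a constructed copy of the startup lines above and compares them with an expected interface list. Run with the post's original request of eth2 and eth3 it reports the warning, the unexpected eth0, and that eth3 never appeared in the "Available interfaces" list at all, which the post's final command also avoids by using eth1 and eth2:

```python
import re

# Constructed sample: the startup lines quoted above, trimmed to the relevant ones.
SAMPLE_LOG = """\
18/Mar/2014 16:45:58 [NetworkInterface.cpp:79] WARNING: No capture interface specified
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1438] Available interfaces (-i):
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 1. eth0 (eth0)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 2. eth1 (eth1)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 4. eth2 (eth2)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 8. any (Pseudo-device that captures on all interfaces)
18/Mar/2014 16:49:52 [PcapInterface.cpp:68] Reading packets from interface eth0...
18/Mar/2014 16:49:52 [Ntop.cpp:573] Registered interface eth0 [id: 0]
"""

# "<date> <time> [<file>:<line>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
REGISTERED_RE = re.compile(r"^Registered interface (?P<name>\S+) \[id: (?P<id>\d+)\]$")
AVAILABLE_RE = re.compile(r"^\d+\. (?P<name>\S+) \(")


def parse_log(text):
    """Yield (source, message) for every line in ntopng's log format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("msg")


def check_capture(text, expected):
    """Compare the interfaces ntopng registered with the ones the operator intended.

    Returns a dict: ok is True only when exactly the expected interfaces were
    registered and no "No capture interface" warning was logged.
    """
    expected = set(expected)
    registered, available, warned = set(), set(), False
    for _, msg in parse_log(text):
        if msg.startswith("WARNING: No capture interface specified"):
            warned = True
            continue
        m = AVAILABLE_RE.match(msg)
        if m:
            available.add(m.group("name"))
            continue
        m = REGISTERED_RE.match(msg)
        if m:
            registered.add(m.group("name"))
    return {
        "ok": registered == expected and not warned,
        "warned": warned,
        "registered": sorted(registered),
        "missing": sorted(expected - registered),
        "unexpected": sorted(registered - expected),
        "not_available": sorted(expected - available),
    }


if __name__ == "__main__":
    print(check_capture(SAMPLE_LOG, ["eth2", "eth3"]))
```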
Not desirable, so the command becomes the following (I removed -M, as I'm not sure what replaces "don't merge interfaces", changed -u to -U, and added -n 1 to resolve only the IP addresses listed in -m (local)):
sudo screen -d -m ntopng -i eth1 -i eth2 -d /opt/ntopng -n 0 -W 4443 -w 40000 -m mysubnets -r localhost:6379 -U ntop &
One last thing, you now need to set the password for admin, either via a file, by the gui (after logging in as admin/admin) or by the redis-cli client. I chose the latter.
redis-cli SET user.admin.password `echo -n "mylousypassword" | md5sum | cut -f 1 -d " "`
You can see the users in the gui or here:
redis-cli KEYS user*
You can add a new user either through the gui or like so:
redis-cli SET user.mynewuser.password `echo -n "mylousypassword" | md5sum | cut -f 1 -d " "`
Wednesday, March 12, 2014
Splunk: Importing Oneshot Files with a Source Rename
I had to import some old gzipped log files - so I simply did a:
splunk add oneshot /var/log/mylogfile.1.gz
The problem was that the source type was /var/log/mylogfile.1.gz and not /var/log/mylogfile - breaking some of the field extractions I use. I found that I could not use wildcards in the source to capture the field extraction, and I couldn't use sourcetype as there were multiples.
1. I figured out the ranges of the data and deleted it using a search
2. I readded the data using a oneshot with a rename-source
splunk add oneshot /var/log/mylogfile.1.gz -rename-source /var/log/mylogfile
(repeat multiple times for each compressed logfile of the same name)
Problem solved - though this will go against your quota as the data is being re-indexed.
Friday, February 28, 2014
Uninstalling Symantec Antivirus Client 10.2 from Windows 7 64bit Without the Uninstall Password
If you attempt to uninstall Symantec Antivirus Win64 from Win 7 without the uninstall password, you'll probably find that people suggest that you change a registry key value:
HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security\UseVPUninstallPassword from 1 to 0.
That doesn't really work for the 64 bit variant as the key locations are different. I looked around a bit and found that the key was here, instead:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security\UseVPUninstallPassword
After changing that 1 to 0, you should be able to uninstall without a password.
Wednesday, February 19, 2014
Blocking Outbound File Attachments In MailScanner
MailScanner is a popular anti-virus/anti-spam open source package that supports several operating systems, including Linux and FreeBSD. It can be helpful for minor compliance work.
For example, Company X wants to block outbound Microsoft Word Docs (both .doc and .docx) but allow people from outside to send them in. To set this up, you'll need to create a couple of files and modify the main config, Mailsca
In order to block only, say, word docs in Mailscanner, you need to do a few things.
Steps
1. add a rule to split the filename processing. On CentOS, we'll call this /etc/MailScanner/rules/filenameconf.rules
The contents are:
From: *@mydomain.com /etc/MailScanner/filename.mydomain.rules.conf
From: default /etc/MailScanner/filename.rules.conf
2. copy /etc/MailScanner/filename.rules.conf to /etc/MailScanner/filename.mydomain.rules.conf
3. edit /etc/MailScanner/filename.mydomain.rules.conf and set the rules you want. To block doc/docs:
deny	\.docx?$	Windows Word Doc	Word documents may contain sensitive information or viruses
(note, the fields are tab delimited, not space delimited!)
4. modify the main config file, /etc/MailScanner/MailScanner.conf and comment out this line:
Filename Rules = %etc-dir%/filename.rules.conf
and replace it with this:
Filename Rules = %rules-dir%/filenameconf.rules
5. restart mailscanner (sudo service MailScanner restart)
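Before restarting, it helps to be sure the two files say what you think they say, in particular that the rule line is tab-separated and that the sender glob in the ruleset actually selects the stricter file. The following is an added example, not MailScanner's code: a small model of the lookup, ruleset glob then first-matching filename rule, run over in-memory copies of the files above (the stock filename.rules.conf is assumed, for the purpose of the example, to contain no rule matching the test names). It generalizes beyond the post's single rule to any number of allow/deny lines, and a space-separated rule is rejected rather than silently mis-parsed:

```python
import fnmatch
import re

# Constructed in-memory copies of the two files from the post (tabs between fields).
RULESET = (
    "From:\t*@mydomain.com\t/etc/MailScanner/filename.mydomain.rules.conf\n"
    "From:\tdefault\t/etc/MailScanner/filename.rules.conf\n"
)
RULE_FILES = {
    "/etc/MailScanner/filename.mydomain.rules.conf":
        "# action\tregex\tlog text\tuser text\n"
        "deny\t\\.docx?$\tWindows Word Doc\t"
        "Word documents may contain sensitive information or viruses\n",
    # Assumption for this example: the stock file has no rule matching our test names.
    "/etc/MailScanner/filename.rules.conf": "",
}


def parse_ruleset(text):
    """Return [(direction, pattern, path)] for the non-comment lines of a ruleset."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, path = line.split(None, 2)
        entries.append((direction.rstrip(":").lower(), pattern, path))
    return entries


def select_rules_file(entries, sender):
    """First 'From:' glob that matches the sender wins; 'default' is the fallback."""
    fallback = None
    for direction, pattern, path in entries:
        if direction != "from":
            continue
        if pattern == "default":
            fallback = fallback or path
        elif fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            return path
    return fallback


def parse_filename_rules(text):
    """Parse filename rules: action, regex, log text, user text, TAB separated."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}: {line!r}")
        action, regex, log_text, user_text = fields[:4]
        rules.append((action.strip().lower(), re.compile(regex, re.IGNORECASE),
                      log_text, user_text))
    return rules


def decide(sender, filename):
    """Return (action, log_text): first matching rule wins; no match means allow."""
    path = select_rules_file(parse_ruleset(RULESET), sender)
    for action, regex, log_text, _ in parse_filename_rules(RULE_FILES[path]):
        if regex.search(filename):
            return action, log_text
    return "allow", None


if __name__ == "__main__":
    print(decide("bob@mydomain.com", "Q1-report.DOCX"))   # inbound-to-outbound: denied
    print(decide("alice@example.org", "contract.doc"))    # external sender: stock rules
```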
Labels: antivirus, centos, compliance, linux, mailscanner, mta, postfix
Friday, January 31, 2014
Apache mod_jk to Tomcat/Jboss Connection Errors Related to Palo Alto Firewalls
I recently ran across a problem when sending mod_jk/AJP connections back to a Jboss app server running behind a Palo Alto firewall (PA500.) The error was a little mysterious as Jboss didn't really report anything interesting. I could see that traffic was passing (via tcpdump) but Apache generated 500 errors.
The only clue was the following error message in the mod_jk log:
[Wed Jan 29 17:23:44 2014][9283:16992576] [info] ajp_handle_cping_cpong::jk_ajp_common.c (876): awaited reply cpong, not received
[Wed Jan 29 17:23:44 2014][9283:16992576] [error] ajp_connect_to_endpoint::jk_ajp_common.c (957): (WSERVICES) cping/cpong after connecting to the backend server failed (errno=104)
[Wed Jan 29 17:23:44 2014][9283:16992576] [error] ajp_send_request::jk_ajp_common.c (1507): (WSERVICES) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=104)
[Wed Jan 29 17:23:44 2014][9283:16992576] [info] ajp_service::jk_ajp_common.c (2447): (WSERVICES) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)
The cping/cpong message is talking about a failed keep alive.
I figured it was something related to the way the PA firewall manipulates the data via a proxy. I then created a rule defining 8009 as a service (as opposed to an application), turned off AV inspection of the traffic, and the problem went away.
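The tell in those log lines is the combination: the TCP connect succeeded (otherwise mod_jk would not be doing a cping), yet the cping/cpong keepalive comes back with errno 104, which on Linux is ECONNRESET, so something in the path closed the connection after it was established. The following triage script is an added example, not the post's or mod_jk's code; it parses a constructed copy of the four lines above, extracts worker name and errno, and reports that pattern so the mod_jk message blaming Tomcat is not taken at face value:

```python
import re

# Constructed sample: the four mod_jk log lines quoted in the post.
SAMPLE_LOG = """\
[Wed Jan 29 17:23:44 2014][9283:16992576] [info] ajp_handle_cping_cpong::jk_ajp_common.c (876): awaited reply cpong, not received
[Wed Jan 29 17:23:44 2014][9283:16992576] [error] ajp_connect_to_endpoint::jk_ajp_common.c (957): (WSERVICES) cping/cpong after connecting to the backend server failed (errno=104)
[Wed Jan 29 17:23:44 2014][9283:16992576] [error] ajp_send_request::jk_ajp_common.c (1507): (WSERVICES) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=104)
[Wed Jan 29 17:23:44 2014][9283:16992576] [info] ajp_service::jk_ajp_common.c (2447): (WSERVICES) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)
"""

# errno values in the log belong to the logging host (Linux); name the ones we care about.
LINUX_ERRNO_NAMES = {104: "ECONNRESET", 111: "ECONNREFUSED", 110: "ETIMEDOUT"}
ECONNRESET = 104

# "[<timestamp>][<pid>:<tid>] [<level>] <func>::<file> (<line>): <message>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
    r"(?P<func>\w+)::(?P<file>[\w.]+) \((?P<line>\d+)\): (?P<msg>.*)$"
)
WORKER_RE = re.compile(r"^\((?P<worker>[^)]+)\) ")
ERRNO_RE = re.compile(r"\(errno=(?P<num>\d+)\)")


def parse_line(line):
    """Return a dict of fields for one mod_jk log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    w = WORKER_RE.match(rec["msg"])
    rec["worker"] = w.group("worker") if w else None
    e = ERRNO_RE.search(rec["msg"])
    rec["errno"] = int(e.group("num")) if e else None
    rec["errno_name"] = LINUX_ERRNO_NAMES.get(rec["errno"]) if e else None
    return rec


def triage(text):
    """Summarise cping failures and connection resets per worker and give a verdict."""
    recs = [r for r in (parse_line(line) for line in text.splitlines()) if r]
    cping = [r for r in recs if "cpong" in r["msg"]]
    resets = [r for r in recs if r["errno"] == ECONNRESET]
    workers = sorted({r["worker"] for r in recs if r["worker"]})
    if cping and resets:
        assessment = ("TCP connect to the backend succeeds but the AJP cping is reset: "
                      "check what sits between Apache and the backend before blaming Tomcat")
    elif resets:
        assessment = "connection reset by peer without a cping failure"
    else:
        assessment = "no reset/cping pattern found"
    return {
        "records": len(recs),
        "cping_failures": len(cping),
        "resets": len(resets),
        "workers": workers,
        "assessment": assessment,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```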