Tuesday, December 30, 2014

Secure Connection Failed With HP BL460c Blades in a C7000

I recently picked up some used blade servers on ebay. The problem was though the onboard administrator on the C7000 recognized them, neither Firefox nor IE could manage the web component of the blade as the certificate was long expired and from an untrusted CA (HP's self signed CA.)

The error message was:

*my ilo site* uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)

Adding an exception for the certificate failed. I found this link:

Mozilla's support site

Basically, you close firefox, delete cert8.db and start firefox again. After that, add the exception.

Saturday, November 29, 2014

RedHat Enterprise/CentOS Kickstart with Bonding

In order to set up the bonded interfaces (in 802.3ad mode) when first booting, you'll need to supply the following arguments to kickstart:

ks=http://name_of_apache_server/myconfig.cfg ip=your.ip.address netmask=yournetmask gateway=yourgateway dns=nameserver1,nameserver2 hostname=yourfqdn bond=bond0:eth0,eth1:mode=802.3ad:miimon:100

Friday, October 31, 2014

OTRS ITSM - Simple template for CAB-Free Change

OTRS ITSM - Simple template for CAB-Free Change

ITSM with OTRS is a rather manual process. You can create conditions and move the state around, but the controls are limited; you cannot readily create a template that locks workorder state changes until the change is approved.

What you can do is create a template that simplifies some of the changes. The following flow adds an approval workorder, and requires that work order to be set to "closed" before the ticket changes to "approved."

1. Create a new change request with a name such as "my template"

2. Create a worked called "approval" with the type "approval" and with the text "APPROVAL TEMPLATE TEXT. PLEASE REPLACE"

3. Create a condition called "before approval" using the "AND" operator

add the following expressions:

object: workorder
selector:  1-approval
attribute: workorder
state operator: is
value: Accepted


object: change
selector: (pick the only change listed, the change you are on)
attribute: change state
operator: is
value: requested

It'll look something like this:

Then, add the following action:

object: change selector: (same change number as above) attribute: change state operator: set  value: pending approval

4. Save that condition and create a new condition "approved"

add this expression:

object: workorder
selector: 1-approval
attribute: workorder state
operator: is
value: closed

and this action:

object: change
  selector: (same change number as above)
attribute: change state
operator: set
value: approved

and save it.

It'll look like this:

5. Save this and click "template" on the menu. Choose a name.

6. When you create a new change, select "New (from template)"

Tuesday, September 30, 2014

Cisco VPN 3005 - Import XML Config

The Cisco 3005 VPN concentrator is most definitely a device past its prime. However, I still see them in the field (even though they should not be used.)

One problem that I've seen is that the GUI does not provide for a way to import the XML file that it so readily exports.

The answer is to use the CLI. First, upload the XML file to the file system in the GUI under file management and remember the name you used. Then connect to the device via serial or some other manner:

               Welcome to
               Cisco Systems
       VPN 3000 Concentrator Series
          Command Line Interface
Copyright (C) 1998-2005 Cisco Systems, Inc.

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

From there, select 2, and you'll see:

1) Administer Sessions
2) Software Update
3) System Reboot
4) Reboot Status
5) Ping
6) Traceroute
7) Access Rights
8) File Management
9) Certificate Management
10) Back

Select 8

Which File to import XML from

Put in the name of the file you copied to the system using the GUI and you'll see:

Import successful.
Back out: 10 followed by 10 again, and save config. Reboot the system. You may need to re-import the XML as sometimes things like default gateways don't get set correctly on the first import.


Saturday, August 30, 2014

Kickstart Command Line Options/Arguments

Here are a bunch of handy arguments taken from this page:

Redhat Documentation

So, typically I interrupt a Redhat boot and choose the following:

(appended to the normal boot line)

ksdevice=eth0 ip= netmask= gateway= dns=, ks=http://url/to/my/kickstart.cfg

Wednesday, July 16, 2014

Converting a Cisco 1141N Lightweight Access Point to Autonomous Mode

The biggest challenge in performing this operation is that the config terminal mode is not readily available.

To enable it:

debug capwap console cli

After that, let the ethernet interface (gi0) obtain an address over dhcp

1. archive tar /xtract tftp://myserver/myiosimage.tar flash:

2. After that finishes, wipe the config:

erase startup-config

3. conf t

4. boot system flash:/nameOfYourIOSIMAGE/imagefile

(i.e., boot system flash:/c1140-k9w7-tar.152-4.JB5.tar/c1140-k9w7-tar.152-4.JB5)

5. reload

6. After a successful boot, you can delete the old IOS image with something like:

delete /recursive /force flash:/name_of_old_ios_image

Monday, June 30, 2014

FreePBX Distro's Commercial Endpoint Manager and Polycom VVX Phones

A few pointers:

  • To enable onetouch voicemail (i.e., press the voice mail button and have it connect automatically) - go to the endpoint manager, go to advanced, basefile edit and select the template you created for the given model of phone (i.e., vvx410.) Click "SIP-interop.cfg." Look for a line stating:
oneTouchVoiceMail      0

And set it to 0.

Now, go back to "Extension Mapping" - select your extension and select "rebuild config." After this, reboot your phone.

Tuesday, May 27, 2014

Acme SBC & ASC - Two Legged Call Issues

I recently ran into a strange problem using Oracle's (formerly Acme Packet) SBC. In this situation, the SBC gets authorization from calls by querying the ASC (Application Session Controller) - which, in turn, queries an application server. If the person calling is acceptable or the person being called is acceptable (in the case of inbound.)

This is useful in a couple of scenarios:

  • You're presenting a virtual number. For instance, you want customers to be able to call a sales rep, but you don't want to give out the direct DID/number for the salesperson. In this case, the SBC accepts the inbound call, matches on the destination DID in the LRT (provided you are using an LRT) and sends the call to the ASC. The ASC either rejects the call (if the number is not authorized) or accepts the call. If it's the latter, it will open a second call (using the SBC) to the "real" number (which the ASC obtains from the application server) and then bridges the two calls together. Thus, a two-legged call. In this case, the ASC leaves the from field the same and changes the to field and the number on the invite to be the "real" number."
  • You want to do some sort of processing/reporting on the call from a call manager. In this scenario, the call is routed to the SBC from another SBC or PBX. The SBC accepts the call based on the "FROM" key in the LRT. The SBC sends the call over to the ASC. If the ASC is okay with the call, it creates the second leg and bridges the call. It's possible to even send the call back to the originating call manager or SBC.
I ran into a strange problem  in the second scenario. I had restricted the codecs on the SBC for a given session-agent. The first leg was established with no issue. The call was forwarded over to the ASC. However, the second leg was the problem. The ASC opened the second leg, but the TO and FROM fields were reversed, breaking the call.

After investigating the issue (the logs from the ASC were not helpful,) I realized that the ASC was missing the appropriate codec (in this case, G729) and, I believe, was trying to send back an error message from the sender.

The fix, of course, was to enable the codec on the ASC.

Friday, April 25, 2014

Sangoma A101 Shows Up as Wrong Device On FreePBX Distro

After installing a Sangoma TDM card (the A101DE, a 1 port pci-e PRI card) on a FreePBX Distro system, I noticed that the system was detecting the wrong card... 

lspci showed something like:

02:04.0 Network controller: Sangoma Technologies Corp. A200/Remora FXO/FXS Analog AFT card

After looking around for quite a while, I decided that I wanted to run this card through DAHDI and not through the standalone system that I've used for years with Asterisk. The goal was to make this card managed as much as possible using the GUI.

Here are the steps I had to take:

1. Update the drivers in the OS:

sudo yum update dahdi*
sudo yum update kmod-dahdi-linux
sudo yum install wanpipe
2. Configure the card:
sudo depmod -a
3. which requires a reboot 

sudo shutdown -r now
 4. Now, get wanrouter to load the right kernel module

sudo wanrouter hwprobe
5. configure the card:
sudo wancfg_dahdi      
Your configuration here will vary. Make sure it lists the card you have. This script really just ends up calling the setup-sangoma script. You'll have to choose what's appropriate for your system. Note: I selected the option at the end to simply save the config files and not restart the modules, as I found that the option to restart the modules failed.

You'll want to make wanrouter/wanpipe start on boot (yet another script question.)

6. reboot, again
sudo shutdown -r now 

7. Go into the GUI to settings -> dahdi config -> sangoma and enable DAHDI management of Sangoma

8. reboot the system

sudo shutdown -r now

Now, you should see the right card in the DADHI section of the GUI.

Wednesday, April 23, 2014

Problems Joining OS X Mavericks to an Active Directory Domain

When joining a mac to an Active Directory domain, you might see this error:

Unable to add server. Node name wasn't found. (2000)
 One of the things that confuses people is that it asks for a clientid. This should be the computer name you want to use on the domain for the mac. Don't try to use your username or "domain admins" or anything like that.

 The other is the "server" field. If you were using LDAP for directory service, you would put in one of the LDAP servers. If you're using Active Directoy, put in the fully qualified domain name of your AD domain.

In this case, the time was too far out of sync on the Mac. Because AD uses Kerberos, the client machine's time must be within a few minutes of the same time as the domain controllers. By default in AD, this is five minutes. The time requirement is necessary as kerberos uses it as an anti-replay control.

Monday, April 7, 2014

Lenovo Thinkpad Laptops Failing to Connect to Wifi

I ran into a recent problem where a Windows 7 Thinkpad would not connect to wifi access points properly. It would connect to the Thinkvantage wifi profile, but networking was unavailable. Wired access worked fine, as did everything else. The problem ended up being the Thinkvantage tools.The advanced wifi settings of the network profile showed a power savings setting of maximum savings. Switching that to medium savings enabled networking. I suspect the laptop would have worked if the WAP was only a few feet away, but this user was over 30 feet away.

Tuesday, March 18, 2014

Moving from Ntop to Ntopng

I used to start ntop this way:
screen -d -m ntopng -u ntop  -m my.subnets,myothersubnets -i eth2,eth3 -W 4443 -w 40000 -M &

But this failed as the redis cache was not running (but was installed as part of the dependencies):

18/Mar/2014 16:50:33 [Redis.cpp:43] ERROR: ntopng requires redis server to be up and running
18/Mar/2014 16:50:33 [Redis.cpp:44] ERROR: Please start it and try again or use -r
18/Mar/2014 16:50:33 [Redis.cpp:45] ERROR: to specify a redis server other than the default

I now need redis to be running. I modified  /etc/redis.conf to point to /opt/redisdb for its "dir" variable and changed the owner of the dir to redis as well as chmoding the directory to 700.
So, in redis.conf,

#dir /var/lib/redis/
dir /opt/redisdb/

You'll probably want to copy the selinux context info, if you're using selinux:

As you can see:
ls -laZ /var/run/redis/
drwxr-xr-x. redis root  system_u:object_r:var_run_t:s0   .
drwxr-xr-x. root  root  system_u:object_r:var_run_t:s0   ..
-rw-r--r--. redis redis unconfined_u:object_r:initrc_var_run_t:s0 redis.pid

chcon --reference /var/run/redis /opt/redisdb

 I started redis, which was listening to 6379 on localhost only (sudo service redis start)

Ntopng also likes to have a data directory, so I created /opt/ntopng:

sudo mkdir /opt/ntopng
sudo chown ntop /opt/ntopng
sudo chmod 700 /opt/ntopng

sudo screen -d -m ntopng -u ntop  -r localhost:6379 -m my.subnets,myothersubnets -i eth2,eth3 -W 4443 -w 40000 -M &

But now, it was listening on eth0 as it didn't like the ordering of arguments. I saw this error:

18/Mar/2014 16:45:58 [NetworkInterface.cpp:79] WARNING: No capture interface specified
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1438] Available interfaces (-i ):
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 1. eth0 (eth0)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 2. eth1 (eth1)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 3. usbmon1 (USB bus number 1)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 4. eth2 (eth2)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 5. usbmon2 (USB bus number 2)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 6. usbmon3 (USB bus number 3)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 7. usbmon4 (USB bus number 4)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 8. any (Pseudo-device that captures on all interfaces)
18/Mar/2014 16:45:58 [NetworkInterface.cpp:1459] 9. lo (lo)
18/Mar/2014 16:49:52 [PcapInterface.cpp:68] Reading packets from interface eth0...
18/Mar/2014 16:49:52 [Ntop.cpp:573] Registered interface eth0 [id: 0]

Not desirable, so that becomes (I removed -M (I'm not sure what replaces "don't merge interfaces") as well as changed -u to -U and added -n 1 to resolve only ip addresses listed in -m (local))

sudo screen -d -m ntopng -i eth1 -i eth2 -d /opt/ntopng -n 0 -W 4443 -w 40000 -m mysubnets -r localhost:6379 -U ntop &

One last thing, you now need to set the password for admin, either via a file, by the gui (after logging in as admin/admin) or by the redis-cli client. I chose the latter.

redis-cli SET user.admin.password `echo -n "mylousypassword" | md5sum | cut -f 1 -d " "`

You can see the users in the gui or here:

redis-cli KEYS user* 

You can a new user either through the gui like so:

 redis-cli SET user.mynewuser.password `echo -n "mylousypassword" | md5sum | cut -f 1 -d " "`

Wednesday, March 12, 2014

Splunk: Importing Oneshot Files with a Source Rename

I had to import some old gzipped log files - so I simply did a:

splunk add oneshot /var/log/mylogfile.1.gz

The problem was that the source type was /var/log/mylogfile.1.gz and not /var/log/mylogfile - breaking some of the field extractions I use. I found that I could not use wildcards in the source to capture the field extraction, and I couldn't use sourcetype as there were multiples.

1. I figured out the ranges of the data and deleted it using a search

2. I readded the data using a oneshot with a rename-source

splunk add oneshot /var/log/mylogfile.1.gz -rename-source /var/log/mylogfile

(repeat multiple times for each compressed logfile of the same name)

Problem solved - though this will go against your quota as the data is being re-indexed.

Friday, February 28, 2014

Uninstalling Symantec Antivirus Client 10.2 from Windows 7 64bit Without the Uninstall Password

If you attempt to install Symantec Antivirus Win64 from Win 7 without the uninstall password, you'll probably find that people suggest that you change a registry key value:

HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security\UseVPUninstallPassword from 1 to 0.

That doesn't really work for the 64 bit variant as the key locations are different. I looked around a bit and found that the key was here, instead:


After changing that 1 to 0, you should be able to uninstall without a password.

Wednesday, February 19, 2014

Blocking Outbound File Attachments In MailScanner

MailScanner is a popular anti-virus/anti-spam open source package that supports several operating systems, including Linux and FreeBSD. It can be helpful for minor compliance work.

For exmaple, Company X wants to block outbound Microsoft Word Docs (both .doc and .docx) but allow people from outside to send them in. To set this up, you'll need to create a couple of files and modify the main config, Mailsca

In order to block only, say, word docs in Mailscanner, you need to do a few things.


1. add a rule to split the filename processing. On CentOS, we'll call this /etc/MailScanner/rules/filenameconf.rules

The contents are:

From:   *@mydomain.com /etc/MailScanner/filename.mydomain.rules.conf
From:       default /etc/MailScanner/filename.rules.conf

2. copy /etc/MailScanner/filename.rules.conf to /etc/MailScanner/filename.mydomain.rules.conf

3. edit /etc/MailScanner/filename.mydomain.rules.conf and set the rules you want. To block doc/docs:

deny   \.docx?$        Windows Word Doc                                                               Word  documents may contain sensitive information or viruses

(note, the fields are tab delimited, not space delimited!)

4. modify the main config file, /etc/MailScanner/MailScanner.conf and comment out this line:

Filename Rules = %etc-dir%/filename.rules.conf

and replace it with this:

Filename Rules = %rules-dir%/filenameconf.rules

5. restart mailscanner (sudo service MailScanner restart)

Friday, January 31, 2014

Apache mod_jk to Tomcat/Jboss Connection Errors Related to Palo Alto Firewalls

I recently ran across a problem when sending mod_jk/AJP connections back to a Jboss app server running behind a Palo Alto firewall (PA500.) The error was a little mysterious as Jboss didn't really report anything interesting. I could see that traffic was passing (via tcpdump) but Apache generated 500 errors.
The only clue was the following error message in the mod_jk log:

[Wed Jan 29 17:23:44 2014][9283:16992576] [info] ajp_handle_cping_cpong::jk_ajp_common.c (876): awaited reply cpong, not received 
[Wed Jan 29 17:23:44 2014][9283:16992576] [error] ajp_connect_to_endpoint::jk_ajp_common.c (957): (WSERVICES) cping/cpong after connecting to the backend server failed (errno=104) 
[Wed Jan 29 17:23:44 2014][9283:16992576] [error] ajp_send_request::jk_ajp_common.c (1507): (WSERVICES) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=104) 
[Wed Jan 29 17:23:44 2014][9283:16992576] [info] ajp_service::jk_ajp_common.c (2447): (WSERVICES) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)

The cping/cpong message is talking about a failed keep alive.

I figured it was something related to the way the PA firewall manipulates the data via a proxy. I then created a rule defining 8009 as a service (as opposed to an application), turned off AV inspection of the traffic, and the problem went away.