The world seen from an IT consultant's perspective

How to create a certificate request with a SAN extension

2017-09-19T10:17:00.002+02:00

Here is how to create a SSL certificate with subject alternate names (SAN). This extension is required by newer browsers.

First you need to create a private key to use with your certificate.

openssl genrsa 2048 > priv.key

We now need to create a configuration file with the needed details. An example for www.helge.net is provided. Save this file as openssl.cnf.

[ req ]
default_bits = 2048
default_keyfile = priv.key
distinguished_name = my_DN
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ my_DN ]
C = NO
L = Oslo
O = Helge Olav Helgesen
CN = www.helgenet

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: www.helge.net, DNS: helge.net, IP:1.1.1.1

[ req_distinguished_name ]
0.organizationName = Helge Olav Helgesen
organizationalUnitName = IT
commonName = www.helge.net

When this is done you have to create the request.

openssl req -new -key priv.key -out cert.csr -config openssl.cnf -days 1000 -sha256

You can now send your CSR to an online certificate authority. They will know what to do with it. In return they will send back a certificate you can use with your web server.
More detailed information can be found here.

Disable device tracking on 4500X

2015-09-29T13:51:00.001+02:00

Today I came across an issue that does not appear to have a good solution. Cisco’s device tracking feature is known to cause IP conflicts on Windows based clients. So you won’t turn it on unless you really need it.

Cisco has lots of ways to try solve this issue but none worked for me. The 4500X is running 03.07.01.

After upgrading some Cisco 3750X switches to 4500X on a network with MACSec encryption enabled between switches it appears that ipdt is automatically on port that you encrypt causing lots of IP address conflicts. If you look at the output you’ll see that the port has registered two features:

switch#show ip device tracking int t1/32

--------------------------------------------

Interface TenGigabitEthernet1/32 is: STAND ALONE

IP Device Tracking = Enabled

IP Device Tracking Probe Count = 3

IP Device Tracking Probe Interval = 30

IPv6 Device Tracking Client Registered Handle: 2

IP Device Tracking Enabled Features:

HOST_TRACK_CLIENT_CTS

HOST_TRACK_CLIENT_SM

The port configuration is as follows:

interface TenGigabitEthernet1/32

switchport mode trunk

cts manual

no propagate sgt

sap pmk my-key mode-list gcm-encrypt

end

The only way I have found to solve this issue is to apply the command below.

interface TenGigabitEthernet1/32

ip device tracking maximum 0

After this change device tracking was disabled on the port.

switch#show ip device tracking int t1/32

--------------------------------------------

Interface TenGigabitEthernet1/32 is: STAND ALONE

IP Device Tracking = Disabled

IP Device Tracking Probe Count = 3

IP Device Tracking Probe Interval = 30

IPv6 Device Tracking Client Registered Handle: 2

IP Device Tracking Enabled Features:

HOST_TRACK_CLIENT_TRACK_HOST_UPTO_MAX

HOST_TRACK_CLIENT_CTS

HOST_TRACK_CLIENT_SM

Some additional reading:

How to list certification authorities in a domain

2014-11-18T17:55:00.001+01:00

Often when you go to a customer you need to see if they have a certification authority. The easiest way to do so is to run this command:

certutil -config - -ping

And you will get a list of CA in the domain.

NPS events not showing up in event viewer

2014-11-11T10:07:00.001+01:00

Issue: Windows 2008 event viewer, can’t find any event logs for successful or rejected authentications even if the NPS is configured to log to the event viewer.

Solution is to run this command:

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Source: Microsoft KB 951005

iperf performance on Raspberry PI model B

2014-10-04T00:21:00.001+02:00

iperf is a great tool to measure the performance on your network. It works by measuring how much data can be sent between two hosts.

When using iperf many variables come into play; like latency, bandwidth between the hosts, OS performance, the switches and the hardware on your computers. Because of this it is good have an idea of what the Raspberry can perform and what you can expect from it.

In my test there was a big difference between inbound and outbound traffic as seen from the Raspberry.

Traffic from Pi: 93Mb/sec
Traffic to Pi: 70Mb/sec

During the test the Pi CPU load was about 95 %, indicating that without overclocking you can’t expect more from this box.

Test configuration

This is the configuration I ran for test. The test was done by sending traffic in one direction successively.

My Pi was installed with Raspbian GNU/Linux 7 3.12.28 and iperf installed from apt-get. My Mac was running iperf installed via Brew. The Pi was a fresh install and only with other default daemons running.

The Raspberry Pi is equipped with a 100Mb interface.

Watch out for your SHA-1 signed certificates

2014-09-26T15:04:00.001+02:00

Microsoft and Google are with their browsers two major consumers of SSL certificates. They have both announced that they no longer will support certificates signed with SHA1.

But they both hanlde this differently. Google Chrome will on their side give a certificate warning for all SSL certificates signed with SHA1 beginning in January 2015 for certificates that expire after 2017. Microsoft will (from current statements) only give a warning after 2017 for SHA-1 signed certificates.

To ensure a smooth migration you need to make sure that both your servers and clients support the new SHA-2 (SHA-256) signing scheme. Expect older servers not to support this and plan for an upgrade.

Sources:

Microsoft SHA1 deprecation policy
SHA-256 compatibility list, from GlobalSign.
Google Chrome policy.

The exact route limit on the Cisco 3850

2014-09-18T00:07:00.001+02:00

In a previous post I wrote about the route limit on the Cisco 3850 platform. After the issue earlier this year with the Cisco routers hitting the limit of 512k routes in hardware I think I have to clarify how many routes the Cisco 3850 platform supports. Cisco only releases these numbers for their big routers. The specification states 27000 routes.

To see the exact number of routes you can query the router directly.

my-switch#sho platform tcam utilization asic all

CAM Utilization for ASIC# 0

Table Max Values Used Values

--------------------------------------------------------------------------------

Directly or indirectly connected routes 32768/7680 119/4538

As you can see the router support 32768 directly connected routes and 7680 indirectly connected routes. A directly connected route is a host connected via L2 to the switch (like a host on a directly connected subnet) whereas indirectly connected routes are routes that are routed via another IP address.

How to properly downgrade your MirkoTik

2014-09-17T23:53:00.001+02:00

It is not easy to downgrade your MikroTik router. In the documentation you’ll find that you can use the “/system package downgrade” to downgrade your router. But this often leaves you with a router that only partially works after the downgrade. IPSec related stuff is known to stop working after the downgrade.

So how to downgrade? I do it this way:

Get a backup of your configuration using “/export compact”. If you already downgraded your firewall this will not work. You then have to extract just parts of the configuration like “/ip addr ex com” and “/ip route ex com” to get the basic stuff.
Downgrade your router to the version you are aiming for.
Create a script file basic.rsc and upload it to the router. This file should contain as little as possible. Just what you need to log on to the router again.
Do a factory reset using “/system reset-configuration keep-users=yes run-after-reset=basic.rsc”.

You have to use the extension .rsc or the script won’t run. If there are any configuration errors in this file nothing is executed. That is why you should keep it as small as possible. Just add the lines needed to log into the router. You usually need some IP addresses, routes and perhaps VLAN configuration.

There is a bug on many versions of the RouterOS that is important to notice. If the script file is less than about 512 bytes the router can’t read it either. If your file is small you will have to add some lines like “# dummy text to make this a big file” to the end of the file.

RouterOS ICMP fragmentation needed bug

2014-09-17T23:40:00.001+02:00

On several MikroTik routers, at least one tile and ppc platforms the router won’t send back “ICMP fragmentation needed” packets to the sender if the packet is to big to be sent out on another interface. This bug makes PMTU not work and many applications is broken because of this.

This issue is found on at RouterOS 6.19. By downgrading to 6.6 this issue disapperars.

Configure WLC to block client-client traffic

2014-09-16T18:52:00.001+02:00

When you configure a guest network where the network is unencrypted you often want to block client-to-client traffic so end users cannot communicate directly.

This is easy to implement in a setting with only one wireless controller as shown in the diagram.

To configure you need to find the WLAN ID. This is easy to see by typing the command “show wlan summary” on the CLI. When you have found the ID from display you enable it by typing the command "config wlan peer-blocking drop #”.

IPv6 fail on Fortigate

2014-08-14T17:16:00.001+02:00

Issue: Clients does to receive IPv6 addresses using stateless autoconfiguration. Clients with static IP works as normal. In the system log we see lots of message like “sendmsg: no buffer space available”.

This is seen on FortiOS 5.0.7.

Solution: kill the radvd process on the firewall. This has no side-effects as the process only implements IPv6 routing messages.

In case you can’t find the process ID, try “diag sys top 10 99” and see if you can find it. You kill the process with the command “diag sys kil 9 <pid>”.

Sources:

radvd on Wikipedia.

NPS event 6273 reason code 16

2014-08-11T14:24:00.001+02:00

Issue: can not authenticate users or computers, “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.”

All RADIUS secrets and NPS policies are correct.

Environment: NPS running on Windows 2012 R2 domain controller, client on Windows 7 enterprise. Using either Allied Telesis or Cisco switches.

Cause: Windows 7 validates the server certificate only by using the Subject field on the certificate. When NPS is installed on a domain controller it will use a certificate template for domain controllers. These sertificates does not fill in the subject field of the certificate.

Solution: Grated domain controllers access to the Computer template and issued a new certificate based on this template. Reconfigured NPS to use that one instead.

Source: By reading trough a very long article from Technet about this error this solution appeared to me.

Multicast drop with LACP

2014-06-16T00:59:00.001+02:00

Today I had a strange problem on a network with a stack of Cisco 3750X running IOS 15.0(2)SE4.

All unicast traffic was working but for some reason I noticed that multicast traffic (more specifically OSPF Hello packets) between routers did not pass. One of the routers was configured as a trunk ports with many VLANs and LACP.

What I saw was that the firewall could se one router, one router could see both the firewall and the other router and the second firewall could only see the first router.

This happened after a reload of the entire switch stack, something that I have done many times before. So I can not tell for sure exactly what I did different to cause this problem this time. The switch is configured for src-dst-ip load balancing.

This seems to be a bug within the Cisco switch as the quick fix that worked for me was to take down one of the ports in the port-channel and later bring it back up.

Troubleshooting commands that you can use. I did not so I am not sure what its result would be.

show platform forward gigabitEthernet 1/0/2 vlan 333 1111.2222.3333 3333.2222.1111
test etherchannel load-balance interface po 2 mac c000.1111.1111 2222.2222.2222
test etherchannel load-balance interface po 2 ip 172.30.126.1 224.0.0.5

Cisco IOS 15.0(2)SE6 is buggy

2014-06-16T00:31:00.001+02:00

I just upgraded a few Cisco 3750X stacks to this version and all stacks started to misbehave. What I saw before I had to roll back to 15.0(2)SE4 was that:

99 % CPU load, shared between a 802.1x process and a hrpc hlfm request process.
Slow console, probably because of the CPU load.
The switch did not learn MAC addresses on many ports, both port-channels and standalone ports. (All ports I checked was trunk ports.)
MACSec (using the service module) rekeying timed out and dropped its association to the other party. (Using a pre-shared key.)
Lots of packet loss.

Cisco hpm main process

2014-06-06T17:52:00.001+02:00

This process does not show up often in Cisco documentation but it can still do CPU hogs.

%SYS-3-CPUHOG: Task is running for (2098)msecs, more than (2000)msecs (3/1),process = hpm main process.

The “pm” part of the name is for “Port Manager”, I have still not figured out what the first letter is for. You will find these processes at least on all Cisco 2960, Cisco 3560 and Cisco 3750 series switches.

The hpm processes (there are three of them, at least on the Cisco 3750 series) handles events related to port changes. This includes link up/link down events, configuration changes etc. If you experience CPU related issues to this process you should check for flapping ports (cabling) first and then spanning-tree issues.

Related commands:

show platform pm counters
debug platform pm hpm-events

Error connecting with openssl s_client towards ADFS 3.0

2014-06-06T11:17:00.001+02:00

OpenSSL is your friend for whatever you want to do. But sometimes you get strange error messages like this one:

openssl s_client -connect 172.16.1.1:443

CONNECTED(00000003)

write:errno=104

openssl s_client -connect 172.16.1.1:443

CONNECTED(00000003)

write:errno=54

But what does it mean? The difference in the two outputs above is the version of OpenSSL used to connect to the ADFS server.

The root cause of not being able to connect lies within the SSL protocol and how Microsoft chose to implement it on Windows 2012 R2. In the SSL specification you have something called SNI that let the client specify what host it want to connect to. Windows does not return a default certificate when SNI is not present and just tears down the connection. SNI is created to share an IP / port between several SSL certificates.

There are two viable ways to solve this issue, depending how you want to proceed.

You can run openssl with the parameter "-servername xxx.com” to send the name of the virtual host you want to bind to.
You can change the binding on the AD FS server to bind for an IP address instead of a host name. You can read more here.

If you are interested in SNI on Windows you can read more here.

Fortigate SNMP interface counters is broken on most platforms

2014-05-24T12:34:00.001+02:00

SNMP is one of the most important protocols for managing network equipment. All vendors have some kind of support for SNMP.

The only thing worse than not supporting SNMP is actually a broken SNMP support. And here we have the Fortigate firewalls. By reading the technical documentation, FortiOS 5 hardware acceleration handbook you’ll find this:

Except for the NP6, network processors do not count offloaded packets, and offloaded packets are not logged by traffic logging and are not included in traffic statistics and traffic log reports.

NP6 processors support per-session traffic and byte counters, Ethernet MIB matching, and reporting through messages resulting in traffic statistics and traffic log reporting.

Basically this means that the SNMP interface counters are incorrect for all traffic that is offloaded by the hardware (FortiASIC) except for on units with an NP6 processor. As of writing the only models with an NP6 processor are the 1500D and the 3700D. Most other models will, when a session can be hardware offloaded, report incorrect values.

This is most important on VLAN interfaces as you can’t see where the traffic is flowing unless you have other equipment on your network that can report this correctly.

Other limitations with the Fortigate network processors

If you read the hardware accel guide thoroughly you’ll also find lots of other limitations on hardware accelerated traffic. Please note that what features are supported varies with the different network processors.

No IPv6 support (all IPV6 packets are handled in software).
Traffic must enter and exit on the same FortiASIC chip. Older units may have more than one NPU that are separated from each other. Newer units seems to have removed this limitation.
Traffic shaping counters are separate for NPU and CPU leaving you with no good shaping.
QoS is in general not supported on the NPU.

Why do we want hardare acceleration?

If you read the product specification you’ll see that a given model have some performance parameters, including firewall throughput, IPS troughput, antivirus throughput and IPSec throughput. All these numbers are based on maximum performance, that is hardware accelerated performance.

As soon as packets are processed by the CPU the performance drops significantly. If you compare the numbers on the Fortigate 90D (with an NP4) and the Fortigate 100D (with a content processor instead of an NPU) you’ll see how the FortiASIC performs.

On their mid-range and high-end products the performance is only met by using FortiASIC.

Missing session table from FortiOS5

2014-05-22T19:16:00.001+02:00

If you have used Fortigate firewalls for a while you probably have found - and learned to love - the current session table. This tab disappeared with FortiOS5, leaving us only with the policy monitor, showing us only the top policies.

A way to get around this is to either search for the session using the CLI or enter your browser into /system/widget/session_table on the firewall.

Tested on FortiOS 5.0.7. This widget seems to work very slow on firewalls with lots of concurrent sessions.

Upgrading a Fortigate firewall

2014-05-19T13:32:00.001+02:00

Even though Fortigate upgrades often are painless if you read the release notes I have seen that some times configuration objects disappear. As a last step of each upgrade you should log in to the CLI and see if any commands was rejected during the upgrade.

config global
diagnose debug config-error-log read

If you are using VDOMs this command has to be run from the global configuration.

Configuring SNMP on a Meru controller

2014-05-10T14:55:00.001+02:00

Often you want to configure SNMP on a device in order to be able to poll it. On the Meru it is easy to configure SNMP, as it is available in both the GUI and CLI. The hard part is to start the SNMP daemon as it only can be done from the CLI.

To add a new community from CLI go into configure mode ("configure terminal” from the login menu) and type something like “snmp-server community mycommunity 0.0.0.0 ro”. You have to replace mycommunity with your community and if you want to limit who can query the controller replace 0.0.0.0 with the IP address you want to query from.

To start the SNMP daemon log in to the controller and type “snmp start”. This command is persistent on reload.

PHP based CRUD generators

2014-04-28T19:10:00.003+02:00

I found an interesting article about different CRUD rapid application development platforms. So I started to dig some more into this. After reading a bit about them I ended up with two applications that I decided to try out. It is AppGeni and ScriptCase. I also looked into a developer framework; Sencha Ext JS with their Architect that I will compare with.

AppGeni

AppGeni is a Windows based application. You run it from your PC and model your database offline. When you are ready you can deploy it onto your existing web server. When you the first time run the code on the web server it will ask for how to connect to the database and then create / modify the tables that are needed. AppGeni also creates its own tables for users, groups and permissions. It will also extend existing tables with fields needed by the application.

For its price AppGeni is a good CRUD generator for small datasets. I will not use it as an interface to existing databases because it also will extend / modify the database. There are no charting options in AppGeni, this can be a drawback depending on what you want to accomplish.

The generated web page adapts to different screen sizes (phone, tablet, PC) and can be customized with the right knowledge.

ScriptCase

My first impression of this product was “poor support” and “bugs not fixed for several years", something I found by reading the forums and looking for other reviews. This scared me a little and I started to look into other tools. But I soon realized that ScriptCase has some unique features and seem to have lots of features. The biggest win for them is that they have a web based approach. All editing is done by using a web browser.

In ScriptCase terms a project is a group of applications. An application is what you design and create. One application can be a grid view, something to enter data or a report. You design and tailor this application to your specific needs. Within a project (and sometimes even in an application) you can connect to several databases to collect data.

Unibox MAC mail client review

2014-04-28T19:10:00.001+02:00

Unibox is an email application for Mac OS X. As am really missing a good mail client to use I downloaded a trial to check it out.

How it differs from “traditional” mail clients are that it focuses on the other party, not on the thread, subject or date. So my inbox(es) are sorted by date on the parties that I have sent or received emails from. With an unread count for that party.

When I have selected a user I see all mails to/from that user sorted by date, as found in all my folders I have selected to be visible. From there I can select a thread that I want to review, and see all e-mails sent/received in that thread for all recipients.

Here is a list of my thoughts from using the eval:

It is not easy to move emails, for me they seem to stay in the inbox when I have read them. The way Unibox organizes emails make this work well.
When I send an mail that recipient moves to the top of the list with the recipients unread-count. Over time I have lots of emails I have not responded to, making it hard to see when I have new emails that I should attend to now.
Sent and deleted emails are shown for each user, it can take some time to scroll down to the unread emails.
When working with multiple accounts Unibox does not try to use the best outgoing account. (Even when working on just one account it want to send new mails using the default account.)
No calendar support built into Unibox.
No address book support in Unibox, it uses only the Mac configured address books.

This is tested on build 189.

Problems with memory card on Garmin GPSes

2014-04-13T21:51:00.003+02:00

I recently had a problem with a Garmin GPS (GPSMAP 60CSx) that crashed each time I updated the memory card with maps on my MAC. The root cause of the problem lies with the Mac writing some hidden folders into the memory card. It's some MAC metadata (._DS_Store, _.AppDouble, .Folders.)

The best solution I have found (except using a Windows based computer) is a small tool called BlueHarvest that removes these folders for you.

How to install Duplicity on CentOS

2014-02-26T15:54:00.000+01:00

Duplicity is a command line tool to back up your critical data. I don’t intend to explain how to use this tool here but just how to install it in three simple steps on CentOS 6.

First you’ll have to conncet to EPEL:

yum -y install http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Then you have to install some dependencies.

yum install gcc librsync-devel python-devel python-lockfile wget

When this is done you can download the source file from the homepage, extract it and install it.

wget source.tar.gz tar xzf source.tar.gz cd to-new-dir ./setup.py install

And you are done.

OIDs for FortiOS 5

2014-02-26T11:01:00.000+01:00

A few years ago I wrote a note about OIDs on FortiOS 3. Fortinet have changed their MIBs so here are the values that can be used to do SNMP monitoring on FortiOS 5.

Here are the updated values:

CPU load	.1.3.6.1.4.1.12356.101.4.1.3.0
Memory usage	.1.3.6.1.4.1.12356.101.4.1.4.0
Number of current sessions	.1.3.6.1.4.1.12356.101.4.1.8.0

Technorati Tags: Fortigate,FortiOS5