I decided to split up the links on this site to Tech Links and Other. Tech Links will be filled with sites that I used on a regular basis, or sites that I recommend to others. For example, I use Wireshark on many an occasion to troubleshoot client-server software and analyze IP traffic patterns. I use Cisco devices on an almost daily basis. And Gizmodo is just a cool site for new tech info and devices.
I had a fairly strange issue recently involving an ASA5510, an IPSEC tunnel, and a client-server application. The setup is this: ASA5510 firewall configured with an IPSEC tunnel to a far-end Cisco VPN Concentrator. Behind the firewall at the far end sits a web server. Behind the firewall at the near end is a Windows server running a software program.
The software opens a socket on the Windows server and initiates a TCP connection to the far-side web server on port 80. Then it sends a GET xxxxx command, reads the returned data, and terminates the connection.
What was happening was that at times the software would fail and kick out a bunch of Winsock errors. I couldn’t troubleshoot the far-end web server, as it belongs to a different company. Even though I had the source code for the Windows application, I didn’t have permission to make changes to do any debugging. So I did the only thing I could and started sniffing packets. I used the “capture” command on the ASA to monitor the TCP traffic entering and exiting the tunnel. I used a laptop, Wireshark, and a “monitor” port on a Cisco Catalyst outside the ASA to monitor the IPSEC traffic across the tunnel. I also wrote a quick test program in C to open a socket, connect to the web server, and wait for a while to see the unexpected disconnect.
Upon inspection of the traffic, I saw that the Windows server and the web server were connecting, but then after a few seconds the web server would send a FIN packet to the Windows server. The Windows application would then send its GET command, but the web server had already dropped the connection and a TCP RST packet would be generated back to the Windows server.
What I found out was that when my test program initiated the connection, I was able to see the 3-way handshake (SYN, SYN-ACK, ACK) on the ASA, but I never saw the traffic outside the ASA on the tunnel. Yet something was answering and establishing a connection. The ASA somehow was hijacking the session and connecting to the Windows server and not passing the packets on to the web server like I expected it to.
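A C probe in the spirit of the test program mentioned above, written for this page as an added example and not the author's code: it connects, stays idle without sending anything, and reports whether the far end sent a FIN (recv() returns 0) or a RST (ECONNRESET) before the client ever sends its GET. A loopback listener constructed in the same process stands in for the far-end web server, so the FIN-before-GET case can be reproduced offline.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the far end did while our side sat idle before sending its GET. */
typedef enum { PEER_ALIVE = 0, PEER_FIN = 1, PEER_RST = 2, PROBE_ERROR = -1 } probe_result;
/* Watch a connected socket for up to timeout_ms without sending anything.
 * recv() == 0 means the far end sent FIN; ECONNRESET means a RST arrived. */
probe_result watch_idle_connection(int sock, int timeout_ms)
{
    struct pollfd pfd = { .fd = sock, .events = POLLIN };
    char buf[1];
    int ready = poll(&pfd, 1, timeout_ms);
    if (ready < 0) return PROBE_ERROR;
    if (ready == 0) return PEER_ALIVE;           /* quiet: connection still up */
    ssize_t n = recv(sock, buf, sizeof buf, MSG_PEEK);
    if (n == 0) return PEER_FIN;
    if (n < 0) return errno == ECONNRESET ? PEER_RST : PROBE_ERROR;
    return PEER_ALIVE;   /* data arrived, so the connection is still open */
}

/* Loopback stand-in for the far-end web server (constructed for this example):
 * accept one connection and, if drop_client is set, close it at once (FIN before GET). */
probe_result probe_loopback_server(int drop_client, int timeout_ms)
{
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t len = sizeof addr;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *)&addr, len) < 0 || listen(srv, 1) < 0)
        return PROBE_ERROR;
    getsockname(srv, (struct sockaddr *)&addr, &len);      /* learn the ephemeral port */
    int cli = socket(AF_INET, SOCK_STREAM, 0);
    if (cli < 0 || connect(cli, (struct sockaddr *)&addr, len) < 0) return PROBE_ERROR;
    int acc = accept(srv, NULL, NULL);
    if (drop_client) close(acc);   /* server hangs up: FIN goes to the client */
    probe_result r = watch_idle_connection(cli, timeout_ms);
    if (!drop_client) close(acc); close(cli); close(srv);
    return r;
}

int main(void)
{
    printf("healthy server: %d (0 = alive)\n", probe_loopback_server(0, 200));
    printf("server that hangs up: %d (1 = FIN seen)\n", probe_loopback_server(1, 2000));
}
```

Against a real far end you would replace the loopback listener with the web server's address and call watch_idle_connection() on the connected socket; a PEER_FIN result before any request is sent is exactly the symptom the capture showed.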
After a lot of research and testing, I ended up isolating the problem to a CSC module installed in the ASA. The module had been installed since the original turn-up of the ASA. We’d had some issues in the past with it and hadn’t renewed the TrendMicro licensing, so I’d logged into it a long time ago and disabled all the scanning. However, I’d never adjusted the service policies to stop sending traffic through the CSC.
Anyway, I changed the policy on the outside interface to remove the directive to send the traffic to the CSC, and the issue was immediately resolved.
What I found out was that when I ran the test program with the CSC directive removed, I was able to see the connection outside the ASA at the same time as I saw it on the inside. The connection established and held for several minutes without dropping. I turned the CSC back on, and the connections started getting terminated again.
I’ve yet to figure out why the CSC was behaving this way. The whole setup had worked fine for a couple months, and nothing had changed on the ASA or CSC config. Yet that’s definitely where the problem was coming from.
If you happen to read this and have any info on what could cause this, please let me know.
I’ve got a Dell Latitude D630 with built-in Intel wireless. Recently I installed Cygwin/X, as I wanted an X server to use. I ended up not using it, as it wasn’t working like I expected, but hadn’t gotten around to uninstalling it.
About the same time, I started having problems with my wireless adapter. It would drop connection and not see any available access points. Turning it off and on with the switch on the laptop didn’t make a difference. However, disabling and enabling under Network Connections would fix it for a while.
Anyway, I didn’t connect the two things in my head at first, mainly because it didn’t seem likely that one would have any effect on the other. I assumed I had a hardware problem, so I asked the IT guys at work to re-seat my wireless card. When that didn’t make a difference, I started checking my drivers and such to make sure everything was up to date. I ran all my Windows updates and installed a few new Dell releases. Still no change.
When I thought about it some more, I realized the problem had started about the time Cygwin was installed. I had been wanting to remove it anyway, so I figured it was worth a shot. I was a little surprised to find that Cygwin doesn’t have an uninstall program. Instead I had to manually remove the program folder. Kinda cheesy if you ask me.
Amazingly enough, since then I’ve had no problems. In fact, I’ve been on the wireless for at least 4 hours straight this evening without a hitch. At this point I’m assuming Cygwin was the culprit. I’ll post a status update in a few days to confirm.
Dave Lalande at 2 Peas Consulting recently made CNBC news with this article about their new DWDNS product. Give it a quick read, then come back to my comments.
I’ve been in the business a long time. By business, I mean the Internet, and a long time – well, when I started working for the first ISP in my area, we were on Supra 9600 modems and everything was still character-based. WAIS, Gopher, Archie, Telnet, FTP, IRC… no WWW, no pictures, no GUI. Because I’ve been around this stuff a long time, I’ve gotten to see it evolve. Back then to register a domain you filled out a text form and emailed it to Internic. If you were smart/lucky enough to not screw up the form, they’d eventually respond in days or weeks, depending on the load, to let you know your domain was accepted. It might be another couple days for it to hit the root servers and actually work. But, on the plus side, it was free.
At some point, and I don’t remember years very well, they started charging for domains. I think the first charge was 100 for 2 years, 50 per year after that. It was worth it, because the influx of money greatly improved response times and such. Remember, before that it was a free service by a government agency.
Now I can buy a domain from lots of different places and have it up and running within hours, if not minutes. Prices are low, lots of tools are provided – life is good. Or at least it was. Now the issue is that so many domains are registered and either in-use or being held by squatters that all the nice, simple, memorable ones are used up. People are having to resort to longer and longer domain names to find something unique and unused.
Dave has a suggestion, and that’s his DWDNS project. He wants to offer you a new domain name with any 3-letter domain as the TLD (right-most part), except for TLDs already in use, such as .net, .org, .com, .biz, etc… Including numbers, this is somewhere upwards of 46000 new TLDs. Here are the “benefits”:
1) Trademarked names are protected. Supposedly trademarked names are pre-determined and allocated ahead of time to their respective trademark owners so that no one else can register them and “hold them ransom”, so to speak. Yes, that does happen at times – a squatter picks up a cool domain and holds it, hoping someone will want it someday and be willing to pay for it. If you had thought about myspace.com before anyone else did, you could register it and hold onto it. Eventually when they created Myspace, they would have had to buy that domain to get it from you. However, if they trademarked Myspace first, and then you squatted on a domain using their trademark, they’d just sue to get it released.
Along with this is the problem of when a new TLD is released. I might have ford.com and ford.net, but when .biz is released I need to snatch it before someone else. Then .org, snatch it as well. Then .name, .info, etc… But nothing about DWDNS will fix that. 2peasconsult.ing is going to still want to register all the 2peasconsulting.net, .com, .biz, etc… to protect their trademark.
2) does not operate under a set number of top level domains (TLDs) – Sure it does. There are just 46000+ of them. You’re counting on the name of the company to make enough sense and be memorable enough that there is no doubt as to the last 3 characters of the domain name. Is it 2peasconsult.ing, 2peasconsulta.nts, 2peasconsulting.llc? Better register all the possibilities to make sure you get all the requests.
3) Infinitely more possibilities – not truly infinite, but yeah, lots more. Lots.
However, this idea isn’t unique. I found UnifiedRoot, a company which does essentially the same thing as DWDNS, except they allow ANY TLD, not just 3-digit ones. Also, ICANN, the Internet Corporation for Assigned Names and Numbers, who actually regulates the real top-level TLDs, has been discussing since mid-2008 opening up to ANY TLD.
The DWDNS and the UnifiedRoot system are ideas that are kinda neat, but both rely on browser plugins to work, as they aren’t REALLY part of the ICANN TLD and root server system. I can register virtad.ept and load up the browser plugin, and it will work. But no one else will be able to access www.virtad.ept unless they load the plugin as well. The only way for them to really catch on is if everyone uses them, and ICANN will implement their unrestricted TLDs way before that happens.
I did want to throw out something I noticed about Pidgin that I haven’t had a whole lot of time to look into.
In my company, we have, I think, an Openfire server that we use for internal IM communications. We also have an Asterisk phone system with VoIP phones that sit inline on the network drops that our PCs plug into. The majority of the company uses an IM client called Spark. Their Spark client somehow knows when they have an incoming call on the VoIP phone and pops up the caller ID on their screen.
My Pidgin client, although it somehow can tell me if someone is on the phone, doesn’t seem to know how to sense that incoming call and display the caller id.
If someone can explain why this doesn’t work, let me know.
Had a small glitch today in a Cisco router config that I had to figure out. The main router had a couple static translations of public IP’s to privates for incoming connections to go directly to internal servers, as well as for outgoing connections from those servers to be translated as well. Problem was, outgoing [...]
Finally, I took the time to put this together. This is a quick-and-dirty guide to replicating a project that I did for someone. It’s not going to tell you every detail of what to type, but it should get you going in the right direction if you’re needing some guidance.
Found out a surprising limitation today on the Cisco ASA5505. Apparently you cannot have more than 1 subnet assigned to a VLAN. For instance, if a company is using 192.168.0.0/24 for their servers and 192.168.1.0/24 for their PCs, and they haven’t graduated to the point of managed VLAN-aware switches, there is no way to put [...]
Sometimes things go right for a change. I finally got my dual-ISP single-hub DMVPN with mGRE, ipsec and EIGRP working. I may have to do some tuning of the failover to smooth things out, but it’s working, and that’s what’s important. I can kill the primary ISP connection and after a short delay of 20 [...]
I said before that I thought I had discovered a Cisco bug. Turns out that’s probably not the case, although I have discovered a problem and don’t have a solution – yet.