Welcome to Musing Sysadmin

When is a WISM Module not Hot Swappable?

We had a couple of old WISM modules sitting in our server 6500 switches in our Primary Data centre and our Secondary Data centre left over from a migration to new WISM2s, and our Network admin thought it was time to do some house cleaning of the switches.  So, following procedures for removing the module (discussion and links can be found at https://supportforums.cisco.com/discussion/11558476/how-remove-wism2-catalyst-6500-series-switch), he proceeded with removing the modules from both our server switches.

And…..  all network traffic to our servers comes to a standstill.

A reload of the 6500s later and we're back in business, but it leaves us with many questions.  Nowhere did it say that the WISM is not hot swappable, so what's the deal?  So a ticket was opened with Cisco and logs were transferred and hoops were jumped through.  They came back to us with the opinion that the modules were removed too slowly.  The WISM backplane has 3 different length pins; when only the longest pins are touching, it pauses switching on the switch.  Apparently removing the module too slowly will cause the pause not to be just momentary; in our case a reload of the switches was required.

So, just a heads up if you happen to be in the spring cleaning mood.

9 years ago

AutoIt GUI script for Generating RSA Soft Token QR

While we were deploying some new RSA Soft Tokens, I encountered an issue getting the SDTID token file imported onto some users' phones that were running older versions of Android.  I found the lovely post at http://www.techtips.co.za/generate-qr-code-from-rsa-sdtid-file/ that contains a link and instructions for a Java utility to convert the SDTID file to a QR code that can be scanned into the RSA application on the phones.  Works great, though a little command line heavy for our Helpdesk.

So I spent a little time to throw together a little quick and dirty GUI with AutoIT to generate the RSA Soft Token QR code.  Well, a little bit longer than quick as it took me a little bit to figure out that the Java file doesn't like the full path to the input file.  Hence the first three lines borrowed from this thread, which returns just the filename.

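$sFile = FileOpenDialog("Please select a file", "", "Token File (*.sdtid)")
If @error Then Exit
$fName = StringRegExpReplace($sFile, "^.*\\", "")

#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <GUIListBox.au3>
#include <WindowsConstants.au3>
; Small form: phone type list, user name input and a Submit button
$Form1_1 = GUICreate("Token Cvt", 174, 208, 192, 114)
$Input1 = GUICtrlCreateInput("User", 24, 136, 121, 21)
$Button1 = GUICtrlCreateButton("Submit", 48, 168, 75, 25)
$Input2 = GUICtrlCreateList("", 24, 24, 121, 97)
GUICtrlSetData(-1, "android|iphone|winphone")
GUISetState(@SW_SHOW)
While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit

        Case $Button1
            $user = GUICtrlRead($Input1)
            $phone = GUICtrlRead($Input2)
            ; The user name ends up on the java command line and in a file name,
            ; so only accept simple names, and require a phone type to be selected
            If Not StringRegExp($user, '^[\w.\-]+$') Or $phone = "" Then
                MsgBox(16, "Token Cvt", "Enter a user name (letters, digits, . _ -) and select a phone type.")
                ContinueLoop
            EndIf
            ; Quote the file names so a name containing spaces stays a single argument
            $options = ' -jar TokenConverter.jar "' & $fName & '" -' & $phone & ' -d 5 -o "' & $user & '.jpg" -qr'
            ShellExecuteWait('java', $options)
            ; Open the generated QR image in the default JPG viewer
            ShellExecuteWait($user & ".jpg")
            Exit
    EndSwitch
WEnd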

The first three lines are the file selection chunk, followed by the GUI portion that allows you to select the type of phone you're generating the QR for and to input the user's name so that the generated file can be unique.  After the submit button is pressed it takes the input and passes it through to the Java app to do the heavy lifting of generating the QR file, after which the file is displayed using your default application for displaying JPG files.

Hopefully this can be of use to someone.

Added file to my GitHub repository - https://github.com/musingsys/AutoIT

9 years ago

Temperature Monitoring with Zenoss

A while back I added our AVTech Room Alert 3E environment monitors to our Zenoss Core server for monitoring and trending temperature in our network closets and data centres, but recently brought up a new Zenoss Core server running version 4.2.5.  So I thought I'd take the opportunity to write up how to integrate the Room Alert 3E devices with Zenoss Core 4.2.5 while adding them back in.  As a note, the Room Alert devices have a number of different sensors available including Humidity and Air Flow that you'd be able to integrate with Zenoss the same way.

First you want to import the MIB file for the device.  This is accomplished by navigating to 'Advanced', 'MIBs', click on the '+' sign in the bottom right corner and select 'Add MIB from Desktop'.  Select your MIB file for your device and go ahead with the import.  Your new MIB entry will show up after you reload the MIB page.  The screen shot below shows the MIB that I want to monitor for the internal temperature sensor in degrees Celsius.

I created a device class 'Environmental' and added my Room Alert 3E device into it.

So, now we want to add a monitoring template for the device.  Navigate to 'Advanced', 'Monitoring Templates' and click on the plus sign in the bottom left again.  Name your new template 'Environmental' and for the path select the new Environmental class that was created.

With your newly created template selected you want to add a Data Source, which you do by clicking on the plus sign under the Data Sources label.  It prompts for a name and type, type being SNMP in this case.  Enter your name and click submit.

You'll now want to 'View and Edit Details' for your Data Source so that you can add the OID for the MIB entry that you want to monitor.  Zenoss apparently likes you to add a '.0' to the end of the OID, so keep that in mind when you're entering it. You can also test your configuration against your device to make sure that you're getting back from it what you're expecting.

Now you can select 'Add Data Point' and you can give it the same name as your data source. You shouldn't need to change anything on the Data Point configuration unless the OID data that is returned needs to be adjusted (you know, like a decimal point moved around to make it an actual temperature that is returned).

So now that we have data we can do something with it, like add a graph.  So if you scan to the right in Zenoss you'll find the Graph Definitions window.  Click on the plus sign for this window and enter what you'd like this graph to be named.  In my case it's 'Internal Temp' for the internal temperature sensor on the 3E.  Now you can select 'View and Edit Details' for your graph and enter into the units field 'Celsius' (or Fahrenheit, depending on your monitored OID).

After you click submit you can associate your data with the graph.  You do this by highlighting your data point, clicking on the gear symbol above it and selecting 'Add Data Point to Graph', and then selecting your graph from the drop down list that appears.

Now that we have that all taken care of we can bind the template that we've created to our 'Environmental' class.  Click on the Infrastructure tab, then on the Environmental class, then click on the gear at the bottom of the window and select 'Bind Templates'.  On the window that opens select the Environmental template on the left and move it to the selected side on the right and click Save.

If you give things a few minutes to collect data you can now go into Graphs under the device and it should now be happily graphing out your temperature information.  This is all well and good, but we really want to be alerted before our network closets become saunas.

So we head back into our monitoring template, and on the top right we have the Thresholds section.  Click on the plus sign to add a new threshold entry and give it a name, and select MinMaxThreshold as the type.  Click on the Gear to edit the threshold entry and scroll down until you see 'Maximum Value'.  You'll want to set this to the highest the temperature can get before it goes into alarm, so if you set it to 30 it wouldn't go into alarm until the temperature reading reached 31C. You could also change the severity of the alarm from this window, and change the event class the alerts show up under.

With all that in place you can set up your event triggers to alert you that there's an environmental issue, and you've got a lovely trending temperature graph that you can check to see if your temps are slowly rising over time.

So that's all for now, hopefully you'll find this useful for your Temperature Monitoring with Zenoss.

10 years ago

VMware – Disabling Balloon Driver

Experienced this little gem when we upgraded from VMware 4.0 to 5.5.  We had a few servers with some custom memory settings in the 4.0 environment.  When we migrated we suddenly had issues with the memory use on these servers shooting up to 100%, and memory being paged causing performance issues.  Needless to say this was not a good situation.

The issue is caused by the Balloon driver when there is an inconsistency between the VM's allocated memory and the reservation settings, and in our case didn't show up until we upgraded from 4.0 to 5.5.

The solution to clean up this issue is to disable the balloon driver, which can be accomplished via the vSphere client or in the Windows registry of the VM. Both methods to disable the driver are described here.

10 years ago

Surface WPA2 Enterprise 802.1x Computer Authentication

We have a number of laptops that are joined to our domain that are configured to connect to a wireless network via 802.1x and authenticate with their domain computer account.  This allows our users to then log in with their domain account on the devices.

I was given a Microsoft Surface Tablet to configure the same way:

  • Login using the local admin account on the Surface
  • apply any available updates and reboot
  • join the Surface to your domain and reboot
  • open a command prompt and enter "netsh"
  • enter "wlan"
  • enter "show profiles"
  • if there are any WLAN profiles you'll want to delete them using 'delete profile name=<profilename>'
  • Press Winkey+X and select Control Panel
  • Go to 'View network status and tasks'
  • Select 'Set up a new connection or network'
  • Select Manually connect to a wireless network
  • Enter Network name, select Security type & Encryption type which in my case was WPA2 Enterprise and AES
  • Press Next, and then select Change connection settings
  • Select the Security tab
  • Confirm the network authentication is Microsoft: Protected EAP (PEAP) then select Advanced settings
  • Place a check on Specify authentication mode: change drop list to computer authentication
  • Click OK, OK and then Close

Assuming all the stars have aligned then you should be all set.  You'll want to give it a reboot and when it comes back up you can check the network status in the bottom left corner before trying to log in with a domain account.
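
To confirm that the finished profile really is set to computer authentication, you can export it and inspect the XML. The following is an added example, not part of the original post: the function name Test-WlanProfile and the profile name CorpWiFi are hypothetical, and the embedded profile is a constructed sample containing only the elements the check reads.

```powershell
# Constructed sample: the parts of an exported WLAN profile that this check reads.
# On a real device, export one with:  netsh wlan export profile name="<profilename>" folder=<dir>
$sampleProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machine</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

# Hypothetical helper: reports whether a profile matches the settings chosen in the steps above.
function Test-WlanProfile {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $doc = [xml]$ProfileXml
    $sec = $doc.WLANProfile.MSM.security
    $findings = @()

    # 'WPA2' is WPA2 Enterprise; 'WPA2PSK' would be a pre-shared key network
    if ($sec.authEncryption.authentication -ne 'WPA2') {
        $findings += "authentication is '$($sec.authEncryption.authentication)', expected WPA2"
    }
    if ($sec.authEncryption.encryption -ne 'AES') {
        $findings += "encryption is '$($sec.authEncryption.encryption)', expected AES"
    }
    if ($sec.authEncryption.useOneX -ne 'true') {
        $findings += '802.1X (useOneX) is not enabled'
    }
    # An absent authMode element is treated as the Windows default, machineOrUser
    $mode = if ($sec.OneX.authMode) { $sec.OneX.authMode } else { 'machineOrUser' }
    if ($mode -ne 'machine') {
        $findings += "authMode is '$mode', expected machine (computer authentication)"
    }

    [pscustomobject]@{
        Profile   = $doc.WLANProfile.name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-WlanProfile -ProfileXml $sampleProfile
```

For a real profile, pass the exported file's contents with `Get-Content -Raw`. The check covers only the security type, encryption and authentication mode, not the PEAP settings.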

10 years ago

S/MIME Email Encryption and You

I've been reading a little too much Cory Doctorow recently and decided I should look at digitally signing/encrypting my email.  When I first looked at email encryption it was a pretty manual process with PGP (back in like the mid to late '90s), and pretty much no point to doing it as no one else was (Gee, I can send something to myself...  wee).

Step into the current status and most smartphones support the use of S/MIME certificate signing, even iPhone natively now (we won't get into the debate over NSA access to your iPhone).

Justin Rummel has a great primer on S/MIME Encryption and why you should be using it (as well as some posts on using S/MIME Encryption targeted at the Apple crowd).

To get started you need to get yourself a certificate for your email address, and a good place to get a free certificate for S/MIME is StartSSL.

They provide digital certificates for different uses and different security levels, and generally have been very helpful.

If you go to their web-page and click on the icon in the top right hand corner, then click on Sign-up you can start the process...

Fill out the form with your relevant info.

You will be emailed a verification code at the email address you entered into the form; copy and paste it into the prompt for your code on the website.

You will then receive the prompt to install the certificate in your browser.  You may now rejoice, as you have managed to complete the first part of securing your email.

In my next post I'll show you what to do with your shiny new certificate to be able to Sign/Encrypt your email.

And no, I'm not affiliated with StartCom.org who provides the service.  I'm just a happy user of their services since 2010.

10 years ago