wasabi2k.com tech articles and general randomness

CA ArcServe r15 SP1 Upgrade – The path is invalid:

I had great fun today trying to upgrade an ArcServe r15 server to SP1.

I could quite happily click my way through setup, right up the screen where you select which components to upgrade. The already installed components all selected themselves and marked for upgrade.

However, when I click Next I got a very helpful error message:

The path is invalid:

Followed by a blank line, then a suggestion to check the path had no special characters and retype it. Problem being I couldn't change any of the paths, they were all greyed out! A quick check showed all the items selected had the correct paths anyway.

I tried many things:

• Setup Logs - stored in %TEMP%
• Process Monitor - checking for Data returning blank strings from registry
• Reinstall components from original r15 media - same error
• CA SupportConnect and Forums - useless

Now this server had originally been setup as a member, then promoted, then demoted again. As such it had the SQL Agent installed at some point in the past, however this didn't show up in the upgrade components screen.

After much digging, I came across c:\program files (x86)\CA\SharedComponents\setup\r15. In that folder is a utility called uninstall. You have to run it as follows:

uninstall.exe /p {Product ID}

Luckily, the file Uninstall.ini has a list of all the components and their appropriate Product IDs. I found that SQLX64 maps to {CAABD412-EFC0-45AD-AE7F-6A09675E94A7}. So:

uninstall.exe /p {CAABD412-EFC0-45AD-AE7F-6A09675E94A7}

Which then brought up a menu asking which components to remove. Low and behold the SQL Agent was present. I selected it and ran through the uninstall.

Back to SP1 Setup and everything worked just fine, I'm watching progress bars (and charging appropriately) right now.

Good Job CA on your useless error messages.

Orcon vs Telecom – a West Auckland Story

My wife recently changed jobs, which unfortunately meant that our free internet connection through Telecom was no longer free. With iSky coming along I thought we'd give Orcon a go, as they offer unmetered usage of both iSky and TVNZonDemand as well as working out a bit cheaper.

Sign up was a breeze, all online and swapped over within two days. Everything was hunky dory, speeds in the 12Mb range and a static IP without even asking. All was well.

Until a week later, when speeds went south. I mean really south. Speedtest.net reporting 2Mbps at best and this eventually slowed to sub 1Mbps. The whole time my ADSL router was trained at 16Mbps!

I emailed the helpdesk twice but got no response. They replied on twitter but I still didn't get anything meaningful. Forum posts got responses from people that had the same issue on and off for YEARS. My wife noticed the internet was slow just browsing. I couldn't stream anything, let alone download.

Then in a moment of impeccable timing, I saw a Telecom ad. Total Home - 60GB caps, free national calling and for $20 LESS a month than Orcon.

Rang them the next morning. 2 day wait and a $60 fee for connecting the phone back to Telecom. Choice of slowdown or overuse charges ($2 a gig now, used to be 2c a MB) and my choice of interleaving on or off (off for awesome pings).

Did a final set of speedtests before I went. Orcon - 1.3Mbps down, 0.8Mbps up. One hour later through Telecom - 13.2Mbps down, 0.9Mbps up.

Sorry Orcon, I really wanted to like you, but something is definitely not right there. I'll stick with big bad Telecom thanks.

On a side note, iSky is terrible. Bizarre system makes it hard to find content, very little available if you aren't a multi-room subscriber and the quality is TERRIBLE! TVNZonDemand is far superior.

Telecom - www.telecom.co.nz
Orcon - www.orcon.net.nz
iSky - www.isky.co.nz

Telecom BigTime: Unleash the Internets! (or not)

You may have noticed the ads for Telecom Big Time on TV recently. Flat rate! No Caps! Traffic Managed! uh oh.

First off, flat rate never ever works for long. Second, Traffic Management is never a good thing. It is normally sold as keeping it fair for everyone and only affecting those dastardly pirates. In reality in usually means making everyone suffer.

I had a colleague at work switch to Big Time. He had nothing but positive things to say. Slow to 200k from 5PM-12AM, but then full rate, perfectly usable during the day etc. He had pulled down something like 100 gig in a week or so. He also said that his SSL usenet downloads were unaffected. As I had recently hit my 40 Gig cap on my Telecom Pro plan, I thought I would give it a go.

One point: no static IPs on Big Time!

I filled out the online form (hooray for not having to call!) and the next day I was on Big Time. I did a speed test at 8:00AM that morning and I got ok speeds (8Mb down, 0.6 up) which were below my previously plan speeds (12Mb down, 1.4 up). I left for work excited at the prospect of massive downloads. Getting home that evening I fired up a few downloads using Free Download Manager, a multi part download tool. My speeds hit around 900k down using HTTP and HTTPS. Fantastic!

Youtube videos also loaded really quickly. Apparently due to some fancy caching going on at Telecom's end.

However, about half an hour later bad things started to happen.

• My downloads slowed to 100k, then 60k.
• I started having problems with my download accelerator. Somehow the HTTP/S traffic was being mangled to the point that my app was reporting that the server didn't support resuming downloads, which meant no multi part downloads.
• Single stream downloads would range from about 150k to an awesome 3k/sec. This is regardless of protocol (HTTP or HTTPS) or source (US, NZ)
• The same single stream downloads would periodically stop completely. Couple with the HTTP mangling meant no resuming.

In short, my internet connection was an inconsistent, unpredictable pile of shit. Some examples:

• My stepson jumped on to play Battlefield Heroes. A new version was released so we left it to download. It took over 5 hours.
• I went to Windows Update my laptop, 186MB of updates (Office 2007 SP2) took over 2 hours.
• My wife's VPN connection dropped every 10 minutes.

Long story short, I changed plan on the 21st of October. I changed back on the 26th. I would rather pay the extra 2c a MB than sit with this pathetic excuse for an internet connection.

To be fair, I did download 30GB of stuff over the 4 or 5 days I was on this plan. Also Telecom were very prompt with changing me back and forth. It is great to be able to do this all online without having to call them.

In conclusion, Big Time delivers exactly what you expect from a traffic shaped flat rate service. terrible, terrible performance.

Detective Work with RADIUS, VPN and Wireshark

Introduction

The best projects are those that teach you something new. I've recently been tasked with decomissioning a RADIUS Server. Not a major task when you first think about it, but the plot thickens.

1. This RADIUS server is running Netware 6.
2. RADIUS is provided by BorderManager.
3. It is used to authenticate ADSL Routers, CDMA Devices and dial up connections all over the country.
4. It authenticates against E-Directory.
5. That particular E-Directory tree is not replicated anywhere.
6. Noone knows the usernames and passwords for the ADSL Routers around the country, so we can't change user credentials on them.
7. Noone knows the shared secret for the RADIUS Clients.
8. Once connected users connect a PPTP VPN to a Windows Server which authenticates against AD.
9. Some connections have multiple users behind them.

Investigation
Oh man this is going to be fun. I've got no Netware or Borderware experience and the people who setup this system are long gone. There is no record of anything and we have no idea as to the number of connections in use, what they are used for and who uses them.

The first step is to figure out our current state. To do this we have to do some pretty heavy log analysis. Our data sources are:

1. RADIUS Debug logs: Shows all Access-Request, Accounting and other RADIUS Requests for a 6 month period.
2. VPN logs: Shows all PPTP VPN connections for a 6 month period.
3. Export of E-Directory accounts.
4. Export of Active Directory accounts.

The initial stats from these were a great start. We were able to export a list of unique connections over the past 6 months, with an idea of frequency of use. We were then left with a list of RADIUS connections (ADSL, CMDA and Dial-Up) and a list of VPN Connections, both with a fair amount of contact info such as name or telephone number. The next hurdle was mapping WHICH VPN users used which RADIUS connection.

We first matched the obvious ones, those connections with E-Directory and AD accounts with the same names. We were still left with a large number of unmatched accounts. Had the RADIUS connections had static IPs matching these would have been trivial. Unfortunately they were all dynamic, meaning that one address could be mapped to any number of RADIUS connections over the time period. After much hacking at the data I ended up importing it into Access so I could try and perform some SQL magic. Much googling later I ended up with the following query:

SELECT RADIUSLogs.Date AS RADIUSLogs_Date, RADIUSLogs.Time AS RADIUSLogs_Time, RADIUSLogs.[User-Name], RADIUSLogs.[Framed-IP-Address], VPNLogs.Date AS VPNLogs_Date, VPNLogs.Time AS VPNLogs_Time, VPNLogs.Username, VPNLogs.RemoteIP

FROM RADIUSLogs INNER JOIN VPNLogs ON (RADIUSLogs.Date=VPNLogs.Date) AND (RADIUSLogs.[Framed-IP-Address]=VPNLogs.RemoteIP)

WHERE VPNLogs.Time>=dateadd("n",-15,RadiusLogs.Time) And VPNLogs.Time<=dateadd("n",+15,RadiusLogs.Time) And VPNLogs.Time>RadiusLogs.Time

ORDER BY RADIUSLogs.[User-Name], VPNLogs.Username;

which joins the RADIUS and VPN logs by Date and IP Address and shows results where the VPN connection was connected within 15 minutes of the RADIUS connection connecting, bearing in mind that connected RADIUS connections sent accounting requests every ten minutes. This query can then be used to populate a Pivot Table mapping RADIUS connections to VPN connections, giving me a list of VPN users per RADIUS connection. This is by no means full proof. I can think of several situations in which the results returned will be invalid, but it is a first step. The output of this was run by a business user who helped identify those entries that didn't make much sense and they were removed. We now had a list of RADIUS connections and the VPN users behind them.

RADIUS Migration
At this stage we decided to migrate the RADIUS functionality to a Windows IAS Server. This would mean that authentication would be performed against Active Directory rather than E-Directory. By a stroke of luck a decent number of the E Directory accounts used were already synchronised with AD using Identity Manager. Unfortunately a large number were not, which left us in a difficult situation. As stated we are unable to change the usernames and passwords used on the ADSL routers as we don't have passwords for them and now we have accounts that we don't have passwords for.

I did a bit of Googling. It is possible to capture RADIUS traffic, but the password is encrypted with a shared secret. Then I found the Wireshark Wiki page on RADIUS (http://wiki.wireshark.org/Radius). Wireshark can quite happily decrypt RADIUS if you configure the RADIUS shared secret within the app. To do this:

1. Open Wireshark. Go to Edit, Preferences
2. Expand Protocols, then go to RADIUS.
3. Populate the Shared Secret field.

So now all I needed was the RADIUS shared secret. This is stored in BorderManager and cannot be exported. I tried various asterisk reveal apps with no luck. Luckily the company who maintains the RADIUS proxy servers which forward the authentication requests (Telecom) were able to give this to me.

Next problem, how do I capture network traffic on a Novell server? I can't install Wireshark locally (it may be possible but god knows how!). Network Team to the rescue here. I got a colleague to mirror the port that the RADIUS server was on to an unused NIC on an old server. This means that all traffic to and from the RADIUS server also shows up on this unused NIC. I installed Wireshark, unbound TCP/IP from the spare adapter (just in case it caused issues) and started capturing.

It is impossible to try and watch unfiltered traffic so I started with the following display filter: radius

This shows all RADIUS traffic. Simple and effective. However it soon became apparent that I was only interested in the

Access-Request packets, not the accounting ones. So after a bit of playing I had the following: radius.code==1. RADIUS code 1 is Access-Request, which is the packet that contains the username and password.

Now I could catch every authentication request sent to the Novell RADIUS server and hopefully see the username and password used. I crossed my fingers and waited.

It worked. As you can see from the  packet below we can now see the username and decrypted password!

We left Wireshark Capturing for a week and managed to capture all but 5 of the passwords we needed. Phone calls to the remaining sites asking them to reboot their routers got the rest.

All that is left to do is configure IAS on the Windows Server and perform the change. I'll write about those in another post soon. In the meantime I'm going to be sitting here feeling happy with myself for learning something new.

How to change VMWare Virtual Centre and ESX Host IP Addresses

I'm in the middle of a Network Segmentation project at the moment, which involves splitting a previously flat network into various subnets/vlans for security and management reasons. End of the day it involves changing IP addresses on servers.

I recently completed the segmentation of the VMWare environment, which includes around 50 hosts and a VirtualCentre server. I ran into some issues which took a bloody long time to fix, so I thought I'd share my experiences.

First off you will need the following:

1. Out of band management (such as iLO or Console Access) to your ESX hosts. SSH is NOT out of band management. You WILL lose IP connectivity to your host during these changes.
2. root logins for your esx hosts.
3. Knowledge of your network, specifically what VLAN your new ESX host Service Console is going to be on and what IPs/Gateways to use. For this guide I am assuming that the Service Console will be on a tagged VLAN presented to the ESX host. If you don't know what that means then ask your network person.
4. An outage window for the VirtualCentre move. You will have to disconnect and reconnect ALL your ESX hosts after this change, which will mean they won't be able to be managed for a while.
5. If you do not have licenses for VMotion this is going to be a lot harder and more disruptive. For the purposes of this guide I will assume you DO have VMotion available.

Before we start, a word about name resolution. VMWare is very reliant of DNS for operation of its various services. It is necessary for you to know how your name resolution works. In my case, each host used a HOSTS file (/etc/hosts) to resolve names. You may use this method, or a DNS server. Find this out now.

Also before we start, disable HA on your clusters if you can, this will stop any migrations while you are trying to disconnect/reconnect hosts. You can do this by right clicking your cluster and clicking Edit Settings, then removing the checkbox from VMWare HA.

Section 1: Change VirtualCentre IP

1. Log on to Server hosting VirtualCentre. Stop VirtualCentre service.
2. Change IP Address/Gateway
3. Change port VLAN assignment if required
4. Reconnect to Server.
5. Run ipconfig /flushdns, ipconfig /registerdns and nbtstat -RR
6. Start VirtualCentre Service.
7. Test connectivity from your VirtualCentre server to your hosts (ping).
8. Connect to VirtualCentre using Virtual Infrastructure client.
9. Confirm it loads cluster information successfully (lists Clusters/Hosts etc, disregard their status for now, if they show as offline that's OK. Don't worry your VMs are still running).

At this point you will need to update either your /etc/hosts file on each server or make sure that your dns server returns the correct address when you lookup the name of your VirtualCentre server. If not, update the A record.

Your hosts will probably all be showing up as offline at this stage. Don't worry. We'll soon fix that.

1. In the Virtual Infrastructure client, right click the first host in your cluster and select disconnect. Wait for this to complete, then right click again and select connect. Once this is complete the host will show up online and be able to be managed again.
2. Repeat for each host in the Cluster. Again, this will NOT pause or stop any VMs running on the affected host.

Once you've disconnected and reconnected all your hosts your VI Client should look all happy campers again, with all your hosts online. If you are not going to change the ESX Host IPs you're done. Re-enable HA and test VMotion, Cloning etc.

Section 2: Change ESX Host IP

1. Open your VI Client and connect to your VirtualCentre Server.
2. Right click on your first host and select "Enter Maintenance Mode". At this point all the running VMs should be VMotioned off to another server automatically. If this doesn't occur you will need to manually migrate them by clicking each VM and selecting Migrate, then selecting a destination. Don't move them all to one host or you will probably hit major performance issues.
3. Once the host is in Maintenance Mode, right click it and select Remove. Once this is complete the ESX host should no longer be in the console.
4. Connect to the Host using iLO or a Keyboard and Mouse.
5. Push Alt-F1 to get a console, you should be presented with a username prompt.
6. Login as root.
7. Run the following command, where XX is the VLAN that your new Service Console IP address is on: 'esxcfg-vswitch -p "Service Console" -v XX vSwitch0'. This will change the VLAN that your Service Console listens on.
8. Run the following command, where X.X.X.X is the new IP address of your Service Console: 'esxcfg-vswif -i X.X.X.X vswif0'. This will change the IP address of the Service Console.
9. Add a new default route using the following command, where X.X.X.X is the default gateway for your new service console: 'route add default gw X.X.X.X'.
10. Test connectivity to the VirtualCentre server using ping.
11. You can now log out of the console using Ctrl-D and close your iLO.
12. At this stage you need to update any DNS/Hosts files to make sure the Host's name resolves correctly to the new IP address (especially on the VirtualCentre server).
13. Go back to your VI client, right-click your Cluster and select "Add Host".
14. Put in the hostname, username and password for the host you just changed the IP address on.
15. The host should be discovered and added to the cluster, and should still be in maintenance mode.
16. Click on the host, and in the right pane select Configuration then Networking. Click Properties on vSwitch0.
17. Select your Service Console and click Edit. When prompted select "Continue modifying this connection"
18. VLAN ID, IP address and Subnet mask should all be populated, but Default Gateway will be blank, Click Edit.
19. Fill out the Default Gateway field under Service Console, then click OK and exit the configuration.
20. Right click your host and select "Exit Maintenance Mode". Once this is complete your host is ready to go.
21. Repeat this process for all your other hosts, making sure to update either your DNS server or hosts file each time you change an IP.
22. Once all your hosts are done, you will need to test that your Cluster is still functioning.

If you do not remove and re-add the host, the VI client will still show it and it will appear healthy. However some automated operations, such as Cloning or VMotion will fail with cryptic, unhelpful messages. Removing and re-adding the hosts is the ONLY way to successfully resolve this.

So there it is. In my case I didn't discover the need to remove and re-add hosts until after I had made all my changes (only disconnecting and reconnecting rather than removing). This meant that I had to do all my changes 2 or 3 times.

Save yourself some time and follow the process.