Tuesday, 5 May 2015

Netapp OnCommand System Manager 3.1 TLS warning 'not configured'

Accessing to a Netapp filer using OnCommand System Manager 3.1 (the version I’m running is 3.1.2RC1), a warning message is displayed, complaining about TLS 'not configured':

Network Configuration checker also fails, because of the same reason:


This issue is resolved with a simple change in configuration, enabling TLS. It has to be done in BOTH controllers:

The warning message goes away.

Thursday, 9 April 2015

Solved: Autson Slideshow Clickjack Issue in Joomla

A client notified me that their Avast AntiVirus was blocking their own site because of clickjack attempts, more specifically JS:Clickjack-A [Trj] with a big shiny red TROJAN HORSE BLOCKEDalert.
Avast blocking clickjack trojan
It came down that the cause was a legitimate module, called Autson Slideshow. this nice slideshow module that has unfortunately now been discontinued and the develope's site is non-functional as well. 
I didn't want to remove the module, because the website had it on the front page, and I also didn't want to install and configure a different module with the same functionality. I needed a solution, and I found it on the net.
Here's how I recovered the usability of Autson Slideshow:
1. Open \modules\mod_AutsonSlideShow\tmpl\default.php
2. Around line 564 locate and delete this script that looks something like this:
< script language="JavaScript" >
function dnnViewState()
var a=0,m,v,t,z,x=new Array('xxxxxx'),l=x.length;while(++a<=l){m=x[l-a];
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
< /script >

3. At the very end of the file, around line 788, locate and delete this code:

<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>

After removing these two chunks of code from Autson Slideshow Avast did not report a clickjack attempt on page load. I ran several online scanners and none of them reported anything suspicious so having made these changes, Autson Slideshow can be used with no warnings.

PS: I used sucuri and webinspector to run an online scan of the website for malware.
Solution found at http://joomlaboy.com/tutorials/joomla/88-solved-autson-slideshow-clickjack-issue

Tuesday, 7 April 2015

How ‘netmask ordering’ feature in Windows AD DNS affects the resultant queries

The netmask ordering feature is used to return addresses for type A DNS queries to prioritize local resources to the client. For example, if the following conditions are true, the results of a query for a name are returned to the client based on Internet protocol (IP) address proximity:
  • You have eight type A records for the same DNS name.
  • Each of your eight type A records has a separate address.
In the initial release of Microsoft Windows 2000 Server, this proximity is calculated based on the native class of address that is assigned to the client. If the client is assigned a native class A address, the responses that are sent to the client are prioritized by entries that match the client class A network membership. This is also true of native class B and native class C addresses. 

The round robin feature is used to randomize the results of a similar type of query to provide basic load-balancing functionality. In the earlier example, eight type A records with the same name and different IP addresses cause a different answer to be prioritized to the top with each query. Because a new IP address is prioritized to the top with each query, clients are not repeatedly routed to the same server.

This can be helpful if your subnets are perfectly configured in a multi site environment, but unfortunately it is not like that most of the times. It could make that a user located in London is using a domain controller in Hong Kong to authenticate or to resolve names. DNS resolution definitely affects your AD implementation! I've seen  enterprises where users are affected by this Windows 'feature', when they are connected to their corporate network or by VPN.
A "fix" is explained in the following article, very well explained, however, it is not applicable to all the cases, especially when diverse subnets exist in the same location, and that don't match with the subnet assigned to the DNS servers / Domain Controllers. It will work, again, if you design (or reorganize) your company's subnets. A workaround is to create additional A records and Cnames to allow DNS resolution of your clients to closest DNS / AD nodes... Every case is be different, but it can be done!

All clients are in the Chicago site. If the user did a DNS look up from Client01 ( on the domain name Contoso.com the following DCs were returned in order

If they would run the same query a second time from the same machine the list would tend to look like this.
If they would run it a third time, it would be identical to the first time. The 4th time would be identical to the 2nd time. The DCs in their AD site would always be returned as number 1 and 2 in the list. This is what the desired and expected behavior was. However, if Client02 ( or Client03 ( did a DNS look up the list would frequently look like those above, but sometimes it would look something like this
The customer first suspected it to be a DHCP vs Static IP issue as that appeared on the surface to be the only real difference between them. The clients were getting different records returned in a round robin fashion but ONLY in their site when using a static address but when it was DHCP it would round robin through all the different records. The devil they say is in the details.
There is a setting on the DNS server on the advanced tab called Netmask Ordering. The purpose of netmask ordering is to try and prioritize local resources for clients. For example if an A record exists in 2 places, 1 on the same subnet as the client and 1 on a different subnet, return the A record on the same subnet client. It assumes since the subnets match, the resource must be closer to the client so return that address.

So what is the problem here? Netmask ordering was enabled on both DC01 and DC02. Why are the DHCP clients behaving differently? Turns out Netmask ordering by DEFAULT matches to Class C addresses ( I’ve highlighted in red to show the Class C octet for the environment.

Since Cilent01 Class C octet matched DC01 and DC02 Class C octet those were always being returned in a round robin fashion. However Client02 and Client03 did not match any Class C octet for any DC so all results were returned in a round robin fashion since none were considered to be close for that client.
For this environment we wanted to actually match on the Class B octet, 172.10.x.x. In order to do this we ran the following DNS command, Dnscmd /Config /LocalNetPriorityNetMask 0x0000FFFF.

Now all DHCP clients in the Chicago site behaved like the statically defined client since the Class B octet ( matched the octet for the DCs. DC01 and DC02 are being returned in a round robin fashion as expected.
For more info around this read http://support.microsoft.com/kb/842197
Ref: http://blogs.technet.com/b/askpfeplat/archive/2013/02/18/how-netmask-ordering-feature-in-dns-affects-the-resultant-queries.aspx

Monday, 6 April 2015

Password Recovery Procedure for the MDS 9000 Series Multilayer Directors and Fabric Switches


This document describes the procedure to recover a lost administrator password from the console port of a Cisco MDS 9000 Series Switch.



You must perform the password recovery procedure on the Supervisor Engine module that will become the active Supervisor Engine module after completion of the recovery procedure. In order to ensure that the other Supervisor Engine module does not become the active module, perform one of these two options:
  • Physically remove the other Supervisor Engine module from the chassis.
  • Change the console prompt of the other Supervisor Engine module to one of these two prompts until you complete the procedure:
    • loader>
    • switch (boot)#
    Note: Refer to the Cisco MDS 9000 Family of Multilayer Directors and Fabric Switches configuration guide for more information about these prompts.


Refer to Cisco Technical Tips Conventions for more information on document conventions.

Step-by-Step Procedure

Perform these steps in order to recover a lost administrator password from the console port of a MDS 9000 switch:
  1. Perform these steps in order to establish a console session to the MDS 9000 switch:
    1. Connect one of the supplied RJ-45-to-DB-9 adapters to the PC serial (COM) port.
    2. Connect the other end of the supplied RJ-45-to-DB-9 adapter to the RS-232 management port on the MDS 9000 switch.
      Note: The RS-232 management port is labeled CONSOLE.
    3. Launch HyperTerminal on the PC.
      Terminal emulation software enables communication between the storage router and your PC during setup and configuration. The terminal emulation software is frequently a PC application such as HyperTerminal or ProComm Plus.
    4. Choose these settings:
      • Bits per second: 9600
      • Data bits: 8
      • Parity: None
      • Stop bits: 1
      • Flow control: None
      Note: You can set the Bits per second field to 38400 if this configuration connects to an MDS 9500.
  2. Reboot the switch in one of these ways:
    • Issue the reload command if there is a Telnet session with administrator rights.
      The supervisor is going down for reboot NOW!
    • If the command is not available, power reset the switch.
  3. When the switch begins its SAN-OS software boot sequence, hold the Ctrl key and press the ] key to generate the Ctrl-] key sequence.
    This key sequence brings up the switch(boot)# prompt.
    Note: If you use different terminal emulation software, the break key sequence can differ. Refer to Standard Break Key Sequence Combinations During Password Recovery for commonly used break key sequences.
    Note the bin image file name that is displayed on the screen after the "Booting kickstart image" message while the device is booting.
  4. Change to configuration mode.
    switchboot#configure terminal
  5. Issue the admin-password command in order to reset the administrator password.
    In this example, the password is set to “password”.
    switch(boot-config)#admin-password password
  6. Exit to the EXEC mode.
  7. Issue the load command in order to load the SAN-OS software image. This is the image name that was noted as part of step 3.
    In this example, san-ios.img is the name of the software. Most likely, the format looks like m9500-sf1ek9-mz-2.1.2b.bin.
    switch(boot)#load bootflash:san-ios.img
  8. Save the software configuration.
    switch#copy running-config startup-config
    Note: The next time that you try to connect to the console port of the MDS 9000 switch, you must enter either the new administrator password or the monitor password that you created.
  9. Insert the Supervisor Engine that you previously removed, log in, and verify the changed password.

Monday, 18 August 2014

Install Cisco MDS9124 / MDS9148 additional FC port licenses

Install Cisco MDS9124  / MDS9148 additional FC port licenses
Login to Cisco License portal at www.cisco.com/go/license
Use the PAK (Product Authorization Key) number that came with the printed card beside the switch or SFPs.
To obtain the license, you will be required to provide the switch serial number along with the PAK. Use the following procedure to obtain the switch serial number:
Login to the switch command console
Issue the “show license host” command. The serial number is the character string after the “=” sign.
For example:
CISCOSWITCH# show license host
License hostid: VDH=FOX12345ABC
Here, the switch serial number is “FOX12345ABC”
Follow the wizard in Cisco’s web site to obtain the license. It will arrive to your email mailbox, or it can be downloaded directly from this portal.

Login to Cisco device manager app as admin
Go to the menu Admin, Flash Files
Click Copy …
Direction: Server - > Switch
Protocol: tftp
Server Address: Type in the IP address of the tftp server where the “.lic” file is
Server file: locate the file in the tftp server, but remove all the path, except for the filename. This is because it needs to be relative to the tftp server root
Switch File: use “bootflash:/FILENAME.lic”, being FILENAME.lic the same name as the original file.
Most of the parameters here will be auto-populated, but need to be verified.
Click Apply.
Then Close and refresh the previous window. The file should be listed in the bootflash:
Click Close
At this point, there are two ways to install the license in the switch:
Option 1, using the command line
Login to the switch using a ssh session and type the command to activate the license as follows:
CISCO-MDS9124 login: admin
Cisco Storage Area Networking Operating System (SAN-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2007, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software may be covered under the GNU Public
License or the GNU Lesser General Public License. A copy of
each such license is available at
http://www.gnu.org/licenses/gpl.html and
CISCO-MDS9124# install license bootflash:FILENAME.lic
Installing license .......done
CISCO-MDS9124# exit

Option 2, using the device manager:
Go to the Cisco device manager and goto admin, Licenses
Click the Install tab and click the arrow at the end of the “URI” box. It will show a drop down list of the license files present in the switch. Select the one that was recently transferred to the switch.
Both boxes, URI and Target Filename will be automatically populated
Click Install
After a few seconds the Status should say “success”

Verify that the licenses were installed properly:
Go to the Cisco device manager and goto admin, Licenses
The additional licenses should show up in the Features tab, Installed Count column

And on the main window, also the ports should be activated.