Chrome Destroys URLs in the Location Line

Posted on 2. August 2019 by alex

Problem: current Chrome browsers cut URl parts and hide the correct URL. https://www.derstandard.at/ is shown as derstandard.at. This is simply wrong from the technical point of view. And it might even be dangerous for some URLs form a security standpoint.

Solution: there is an option to disable this bug:
chrome://flags/#omnibox-ui-hide-steady-state-url-trivial-subdomains

APT sources list

Posted on 10. June 2019 by alex

Problem: when debian goes from “testing” to “stable” to “oldstable” the package sources change. eg. jessie-updates are remove, same happened to jessie-backports

The current file /etc/apt/sources.list for jessie (currently oldstable) could look like this

deb http://ftp.debian.org/debian/ jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free

Configure WLAN Statically in Debian/Linux

Posted on 26. April 2019 by alex

If you want to configure WLAN settings on a Linux machine statically you can use the normal /etc/network/interfaces configuration method of Debian. For WPA-PSK you can use this 3 steps:

Install the “wpasupplicant” package

Generate a psk line with “wpa_passphrase” and copy the hex string after “psk=”

root@server:~# wpa_passphrase WLANNAME
# reading passphrase from stdin
thepassword
network={
         ssid="WLANNAME"
         #psk="thepassword"
         psk=fe5409c4831b3daafff41fe2e6ed15ba7ed18c87bab254315e0be5f9180573d3
  }

Add some lines to /etc/network/interfaces using this hex string

allow-hotplug wlan0
iface wlan0 inet dhcp
        metric 4
        wpa-essid WLANNAME
        wpa-scan-ssid 1
        wpa-psk fe5409c4831b3daafff41fe2e6ed15ba7ed18c87bab254315e0be5f9180573d3

The line “wpa-scan-ssid 1” allows to use hidden WLAN that are not broadcasted. With “metric 4” you can make WLAN less preferred if there is a second LAN connection that should be preferred (default is “metric 1”).

Debugging Akamai

Posted on 12. April 2019 by alex

Akamai just works, … most of the time. But sometimes you have to check what’s going on, and Akamai gives you a handy tool for this.

There is an HTTP request header that tells Akamai to respond with some internal information.

Pragma: akamai-x-cache-on, akamai-x-cache-remote-on, akamai-x-check-cacheable, akamai-x-get-cache-key, akamai-x-get-ssl-client-session-id, akamai-x-get-true-cache-key, akamai-x-get-request-id

With this request header Akamai includes this in the response header

X-Cache: TCP_MISS from a84-53-161-127.deploy.akamaitechnologies.com (AkamaiGHost/9.6.2.0.1-25325260) (-)
X-Cache-Key: S/L/16382/612780/0s/www.yourdomain.de/ cid=what_TOKEN=dings_
X-Cache-Key-Extended-Internal-Use-Only: S/L/16382/612780/0s/www.yourdomain.de/ vcd=1948 cid=what_TOKEN=dings_
X-True-Cache-Key: /L/www.yourdomain.de/ vcd=1948 cid=what_TOKEN=dings_
X-Akamai-SSL-Client-Sid: lZWwRTj17XXXXXXXXXU5Cw==
X-Check-Cacheable: NO
X-Akamai-Request-ID: f82516c

Some important parts:

TCP_MISS shows that Akamai didn’t use it’s cache for this request, but the origin
X-Cache-Key shows what Akamai used to reference the cache position. In this case the url was http://www.yourdomain.de/?what and a cookie named TOKEN was included in the cacheID (“cid=…”)

MikroTik Automatic IPSec Failover

Posted on 23. March 2019 by alex

Problem: Mikrotik allows only one ipsec policy per network-to-network pair. If you want to have redundant tunnels between two locations with two upstreams you cannot configure ipsec redundancy on Mikrotik because one ipsec policy is always marked as “invalid” by the OS.

Solution: I made a Mikrotik script that checks the status and reachabilty of the ipsec tunnel and endpoint, and switches between a primary and secondary tunnel policy and peer. You can add this script to the scheduler, for automatic failover. (Source: “/system script run 0” if this script is script “0”)

{
   :local PrimaryPolicy 2
   :local SecondaryPolicy 3
   :local PrimaryPeer 0
   :local SecondaryPeer 1 

   :local PrimaryOK [:ping count=3 src-address=localAip remoteAip];
   :local SecondaryOK [:ping count=3 src-address=localBip remoteBip];
   :local PrimaryActive [/ip ipsec policy get $PrimaryPolicy active];
 
   # :log info "Status: $PrimaryOK $SecondaryOK $PrimaryActive";
   # Test case: set $PrimaryOK 0;
 
   :if ($PrimaryOK < 1 && $SecondaryOK > 1 && $PrimaryActive) do={
         :log warn "switch to failover";
         /ip ipsec policy disable $PrimaryPolicy;
         /ip ipsec policy enable $SecondaryPolicy;
         /ip ipsec peer disable $PrimaryPeer;
         /ip ipsec peer enable $SecondaryPeer;
   }
   :if ($PrimaryOK = 3 && !$PrimaryActive) do={
         :log warn "switch to primary";
         /ip ipsec policy disable $SecondaryPolicy;
         /ip ipsec policy enable $PrimaryPolicy;
         /ip ipsec peer disable $SecondaryPeer;
         /ip ipsec peer enable $PrimaryPeer;
   }
}

Version: tested with RouterOS 6.44.1

Control a Rotel Amp with a Panasonic Remote

Posted on 13. February 2019 by alex

I released a small open source DIY project that converts Panasonic LCD TV IR remote signals to serial control signals for a Rotel RA-12 amp. If anybody needs that (?), have fun!

https://github.com/alexte/PanasonicRotelRemote

FortiGate HA Synchronization Fail

Posted on 8. February 2019 by alex

Problem: Two FortiGate firewall show “not synchonized” in the HA status.

Discussion: the problem with this is, that FortiGate does not show why it fails. I found no log file with a reasonable error message. So I tried to synchronize the config myself, which is exactly what should NOT be necessary when using HA synchronization.

Solution: When an ipsec-phase1 setting in the master is removed while the slave is not online, the ipsec-phase1 removal fails during synchronization. Why Fortinet, doesn’t your box log this? Removing the phase1-section by hand did not work ether:

FortiGate-Master # execute ha manage 1
FortiGate-Slave $ config vpn ipsec phase1-interface
FortiGate-Slave (phase1-interface) $ delete VPN-PEER
This phase1-interface is currently used
command_cli_delete:5937 delete table entry VPN-PEER unset oper error ret=-23
Command fail. Return code -23

Like with most cheap software I had to reboot the slave, and then I could remove the phase1-interface section, and then the synchronization worked again.

I don’t remember if I ever had to reboot a Cisco or Linux box to fix a bug.

Version: FortiGate 6.0.4

Annoyances While Setting Up FortiGate 100E

Posted on 19. January 2019 by alex

After unboxing and starting two Fortigate 100E firewalls the following things failed. Fortinet should really work on QA I think:

When starting the Webgui for the first time the box asks to register or login to activate the box. I tried to register and the box asks so many questions, doesn’t Fortinet know GDPR ? Don’t force users to enter data that you don’t need to provide your service. We are not talking about a free service that tries do sell ads. This is a paid product , I don’t want to give you information about my company the number of employs and so on.
The registration on the box itself does not work, after filling out the form and clicking “OK” nothing happens, no error message. no response.
After registering on the Fortinet webpage, I entered login/password, the system complained about “username password wrong”. This error message was wrong, because it actually activated the box, despite the error message.
Then I tried to update the software (was 6.02). First the System Firmware page said there is no update. I downloaded a new version. When coming back some minutes later the “firmware” page says, that there is an update. (6.03). I installed it with a mouse click.
Then I tried the update on the second box. Some behavior “there is no update” wait some minutes “there is an update”. But now 15 minutes after the first update it says 6.04!
Start over with the first box. Which says there is not update for 6.03. This time I used the downloaded update from the Fortinet website.
Then I tried to connect them to a cluster. I tried several settings double, tripple checked cluster name, password, percentages. No success no error messages.
While checking back and forth, I was connected to one mgmt port directly and to the WAN side of the other box using the local notebooks WLAN. I recognized that the box connected to WAN often lost the connection. The reason: both boxes seem to have the same MAC and therefor the same IP! Two boxes not connected to a cluster have the same MAC? Fortinet, really ?
The cluster was still not connected. No error message, no hint, until I recognized that HA1 was connected to HA2 of the second box, and the other way round. After swapping cables the cluster nodes saw each other. Why does this matter ? And if the developers think I is ok to let the sysadmins swap the cable for them, why is there no reasonable logfile information. I didn’t find any.
Cluster was still not in sync, I had to enter a CLI execute command to activate synchronization

I work a lot with hardware from different vendors like Cisco, F5, Juniper, HP Flexfabric, Ubiquiti, Mikrotik. This user experience was the worst in the last years.

F5 iRule Class Match Crash

Posted on 3. December 2018 by alex

Problem: F5 iRules with “class match” crash sometimes with this message:

/Common/UA_DETECT – ambiguous option “-“: must be -all, -index, -element, -name, or -value while executing “class match [string tolower [HTTP::header User-Agent]] contains UA_STRINGS”

Discussion: the class match command has optional parameters, when the HTTP header User-Agent starts with a “-” it gets intepreted by the tcl interpreter. This is dangerous, because it’s actually a kind of code injection, with possible terrible impact.

Solution: add “‐‐” as first parameter to the class match command

class match ‐‐ [string tolower [HTTP::header User-Agent]] contains UA_STRINGS

Version: F5 LTM 12.1.2

AlexT Debugs

YAITB: Yet Another IT Blog

Author Archives: alex