blog.sarlok.com - Coffee!

System time:  Mon/12/17 : 09:11:21

Iconic

So, happy new year and stuff.
Should probably post something worthwhile sometime soon.
With any luck I'll have something useful to show for my suffering by the end of next month - enthusiasm permitting. Because yeah, I needed yet more random, unfinished junk.

Очень Очень

Happy non-denominational winter holiday
Happy Chalica
Merry Christmas
Happy Kwanza
Merry X-mas

And all that jazz, and stuff, and like, whatever.

You Never Can Tell

Of all the weekends to get almost no sleep. This week is going to suck. Immensely.

Once again, the worlds screwed up digital media distribution channels have left me aghast.
I wanted to buy this. Hell, I'd even buy a complete CD or single filled with useless junk for the one song (Ahhhh... those were the days). But alas, neither of the many available distribution channels had it available for legal acquisition. Granted, the greek store has it listed, but that just drives my point home. It's right there! I probably wouldn't mind so much if the afore-mentioned channels hadn't all but killed retail chains that deal with physical media. At least then I could order the item as an 'import', pay an obscene fee, and expect to have ownership some three and a half weeks later.
Seriously, I'm not the only one.

I received an e-mail from the good folks at Evernote, telling me that adobe.com's list of accounts was compromised.
"Huh. Good for them." I thought. I read on.
"We compared this list to our user email addresses and found that the email address you used to register for an Evernote account is on the list of exposed Adobe accounts."
This has left me wondering what cockamamy 3rd party created an account at adobe.com on my behalf, given I don't own any Adobe products past or present. Best guess is maybe they created an account for me after acquisition of some other product or company, but nothing in their current or unsupported products is relevant to me. My money's on a third party doing it on my behalf though… I recognize some of the bogus information I've given at least one enterprise.
Curious to find out how difficult it is to close the account by phone.
Oh, also - thanks Evernote folks, for doing Adobe's job for them. Either Adobe's too hammered by the recoil of this, or hasn't bothered to inform anyone at all.

Crimson Poenix

Well, I'm completely unenthused, and otherwise bored on the whole. Fair warning this post may have no point what-so-ever as a result of the aforementioned mental-state.

A mysterious grey bar I don't recall seeing appeared at the top of my blog recently. If the file timestamps are to believed, this would have been about the time I was mucking around with some backups. Can't believe I never noticed it before now.
In any event, It was buried deep within the festering pit that is nested style sheets and their irregular hierarchies.
<plug>Not sure if I've mentioned it before or not, but Coda is epic. Fired it up for the first time since the 2.x release for the afore-mentioned irritant, and was able find and squelch it within a couple of clicks. The built-in MySQL editor is also looking pretty handy.</plug>

Random new project, because I don't already have enough half-started things. No idea what will become of it, but have a few ideas.

Also, damn it. I don't even know why I googled it. Oh, that's right... bored.

I have nothing to say about this one, just listen to it. Or don't. Whatever.

Million Voices

Co-worker: How often do you clean your balls?
Me: out of context, that might seem like a peculiar question.
Once every couple months usually, otherwise whenver I notice they start to feel 'sticky'. ie; if there's any resistance starting from no motion.
Co-worker: That answer is better than the question, out of context :)
And now, I give you the context.

That out of the way, it's been one of those nights.
Suffered a colossal brain malfunction trying to redistribute static /32's into my stub area (derp).
Moved on from that and took a stab at trying to improve the efficiency of my VRRP setup, as well as work on ideas to only distribute subnets into OSPF based on VRRP status. While undertaking this task, I ran into a fun problem with scarecrone.
Trying to setup VRRP to use an address applied to a VLAN interface, doesn't appear to be supported. I've not found any documentation that explicitly states this fact either.
Disclaimer: Poorly obfuscated to prevent future confusion when I inevitably reference this.

-----e@scarecrone# run show configuration interfaces vlan.255
description "Public allocation from Initech"
family inet {
    address 1.2.3.2/29 {
        vrrp-group 255 {
            virtual-address 1.2.3.2;
            priority 255;
        }
        vrrp-group 254 {
            virtual-address 1.2.3.1;
            priority 128;
        }
    }
}

[edit interfaces vlan unit 255]
-----e@scarecrone# commit confirmed 1
[edit interfaces vlan unit 255 family inet address 1.2.3.2/29]
  'vrrp-group 255'
    IP address owner priority (255) not supported on this interface
error: configuration check-out failed

[edit interfaces vlan unit 255]
-----e@scarecrone#

This is the closest match to an explanation I've found so far today:

  • You cannot configure a virtual IP address to be the same as the interface’s address for an aggregated Ethernet interface. This configuration is not supported.

ref: http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-high-availability/configuring-basic-vrrp-support.html
Subject to finding a better explanation somewhere, I'm forced to assume that this includes those of the ethernet-switching flavour.
I also find it odd that the JunOS doesn't default to a priority of 255, regardless of what's configured on respective VRRP groups since the parser suggests they are RFC 3768 compliant.

That aside, further testing revealed that this sort of lunacy is at least allowed on subinterfaces performing VLAN encapsulation.

-----e@scarecrone> show configuration interfaces fe-0/0/1   
vlan-tagging;
unit 0 {
    vlan-id 0;
    family inet;
}
unit 255 {
    vlan-id 255;
    family inet {
        address 1.2.3.2/29 {
            vrrp-group 255 {
                virtual-address 1.2.3.2;
                priority 255;
            }
        }
    }
}

So, I guess that means the next step is to try building some bridge-groups off the sub-interface assuming such a thing is possible. Assuming it is, I expect this will raise all kinds of hell with the SRX' Zone Based Firewalling.

Amusingly enough, my 1811 had no problems at all using a VLAN interface parent IP address as a VRRP address.
Game point to Cisco.

Wee!

Skip To The Good Bit

Installed scarecone, re-jigged my esx hosts to use both nic's.

Things I learned;

  • Juniper's reference-bandwidth is skewed. A reference-bandwidth of 1000M in Juniper does not produce the same metrics as 1000M on my 1811 or 2811. Had to crank the Juniper up to 10000M to advertise equivalent metrics.
  • Having an outstanding issue logging into the SRX from Cisco IOS doodads, even though the SRX appears to be using a 1024 bit cipher.

Not sure where the fault lies with the ssh thing yet... could be the Cisco client I suppose. Time will tell.

*Oct 26 22:18:24.404 PDT: SSH2 CLIENT 0:
Invalid modulus length
*Oct 26 22:18:24.404 PDT: SSH CLIENT0: key exchange failure (code = 0)
*Oct 26 22:18:24.404 PDT: SSH CLIENT0: Session disconnected - error 0x00

My next challenges;
Find a way to advertise prefixes based on VRRP status
Get NAT working on the SRX
Piggyback minecraft off an existing VM rather than run on its own
Hook-up touchstone
Get an SSL certificate
Move most of the VM's to myr
Re-build fluctuator with larger drives
And work out how to fit a UPS in the co-lo rack.

This is totally not a music video.
Warning: Tastefully garnished with gratuitous placement of the F word.
Warning Supplimentary: May not actually be funny, but made me smile in my current mental-state.

Mr. Night

Beaker as David Tennant? Awesome.

Ran into this bug the other day, trying to point some FTP ports at a PBX on a client-site (because VPN's are 'teh complicated' and in cahoots with the devil according to some people it would seem).
https://tools.cisco.com/bugsearch/bug/CSCuc55719
The config works perfectly, right up until you specify a port-range in your service-group. Once you have a range, the source-port range is ignored, and only passes if source and destination ports are in the specified destination range.
Explicitly setting your source range of 1-65535 (or 0-65535 for UDP respectively) instead of riding on the default ranges of any wouldn't do the trick either. The implicit deny would always get in the way.

Observe!

ciscoasa# packet-tracer input outside tcp 4.4.4.4 12345 8.8.8.8 21

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   8.8.8.8 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


But, put source and destination ports both within the specified range, and...

ciscoasa# sh run | beg obj-pbx-tcp
object service obj-pbx-tcp
  service tcp destination range ftp-data ftp
!
<trimmed>

ciscoasa# packet-tracer input outside tcp 4.4.4.4 21 8.8.8.8 21

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,voice) source static any any destination static interface host-strata-cix service obj-pbx-tcp obj-pbx-tcp unidirectional
Additional Information:
NAT divert to egress interface voice
Untranslate 8.8.8.8/21 to 192.168.2.253/21

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object-group tcp-source-any any object-group DM_INLINE_TCP_2 log
object-group service tcp-source-any tcp
  port-object range 1 65535
object-group service DM_INLINE_TCP_2 tcp
  port-object eq ftp
  port-object eq ftp-data
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,voice) source static any any destination static interface host-strata-cix service obj-pbx-tcp obj-pbx-tcp unidirectional
Additional Information:
Static translate 4.4.4.4/21 to 4.4.4.4/21

<trimmed>

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group voice_access_out out interface voice
access-list voice_access_out extended permit ip any 192.168.2.0 255.255.255.0
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,voice) source static any any destination static interface host-strata-cix service obj-pbx-tcp obj-pbx-tcp unidirectional
Additional Information:

<trimmed>

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 36559, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: voice
output-status: up
output-line-status: up
Action: allow

Ah, the joys of not paying for SmartNET.
Fortunately, as the bug tracker reports, it was fixed. Tests fine with 9.1.3.

She doesn't look anything like she sounds. Perhaps my mind just expects all asian-looking types to sound Japanese. My mind is pretty screwed up though, so who the hell knows.

время

Moooooonday.
My new toy.
Wrapped my head around the SRX100 for the most part. I do not enjoy having to type 'interfaces fe..' instead of 'interface fa..'. All the other cool stuff you can do with JunOS however will hopefully make up for that over time.

Hmm. Had more on my mind when I started this, can't seem to get it out of my thick skull.

Never in a million years, would I have thought to put Robbie Williams, and Dizzee Rascal together.
But there you go.

До свидания.

Good Is Bad

I ran into this problem some time back, trying to perform NAT/PAT from inside hosts, to an interface secondary address on an ASR1000.
While looking for something else this evening, I randomly happened across this solution, and immediately felt stupid.

  • Firstly, because it's so simple a fix
  • Secondly, because TAC told me to take a hike, as it was an unsupported config. This was after five weeks of back and forth and debugs.
  • Thirdly, because I've done this before... kindof.

It should have occurred to me that it was this same config when I had a /29 sitting on an ASR's loopback, being advertised upstream from within an NSSA. In that case, my NAT was exactly that - to pools with no secondary addresses. However, strictly speaking, there was no primary address either in that scenario. Situations required that config change, which moved the /29 from the loopback, to the outside interface as a primary, and secondary addresses.

Pseudo-config of what was for those still playing along.

router ospf 1
  router-id 1.2.3.1
  area 99 nssa
  network 1.2.3.0 0.0.0.7 area 99
  passive-interface default
  no passive-interface gi0/0/0
!
interface gigabitEthernet0/0/0
  ip address 10.10.99.1 255.255.255.248
  ip ospf 1 area 99
  ip nat outside
!
interface gigabitEthernet0/0/1
  ip address 192.168.0.1 255.255.255.0
  ip nat inside
!
interface loopback 255
  description Public allocation from Initech
  ip address 1.2.3.1 255.255.255.248
  ip ospf 1 area 99
!
ip access-list extended 100
  remark deny host for nat to second pool
  deny ip host 192.168.0.5 any
  remark permit everything else
  permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended 101
  permit ip host 192.168.0.5 any
!
ip nat pool POOL-1-2-3-5 1.2.3.5 1.2.3.5 prefix 29
ip nat pool POOL-1-2-3-6 1.2.3.6 1.2.3.6 prefix 29
!
ip nat inside source list 101 pool POOL-1-2-3-5 overload
ip nat inside source list 100 pool POOL-1-2-3-6 overload
!

Any active translations built using either pool, could even be pinged from outside the network, and the ICMP replies were even sourced from the respective address.
That sh!t worked fine, as far back as 3.1.0, 15.0(1)S - which is pretty close to the first production release of IOS-XE as far as I can tell.

Oh-well.

I wanted to buy this, but iTunes only has it in the UK. Ministry of sound doesn't list it (probably because I'm coming from a IP address outside of Europe). Amazon and Beatport don't list it.
Honestly, what's wrong with this world and it's digital media distribution? Seriously, shut up and take my money!
/sigh. Wiretap to the rescue, once more.

Anyway

My new toys.

My experiences attempting to acquire a SIP trunk with a single DID were doubly disappointing. It seems the world is big on selling trunks to businesses, so picking something up for less than $expensive/month is out of the question. I'm sure I'm bound by some NDA which prevents me from going into details over the second disappointment, beyond saying I can very much relate to some of our (their?) customers.
That out of the way, it's significantly cheaper in the short and long term to buy an analogue line, and turn it into a trunk myself.
New problem: Good ATA's aren't inexpensive.
Not if you want something that won't generate scary echo, or scads of problems with Asterisk.
So, picked up an entire Cisco voice bundle and VWIC-2FXO for the same cost of two decent ATA's, so I'll probably just use that for the entire PBX setup.

Not sure what to make of the SRX yet. After playing with Olive, I was somewhat surprised to be presented with a FreeBSD prompt after logging in as root. Thought that was symptomatic of the Olive hacks.
Time will tell.

<rant>
Google strikes again.
Tried to setup my Apple TV to sign into my youtube account tonight. To coin a phrase, How hard can it be?
After failing to login after 4 attempts at my password, I figured something was up. I wouldn't have minded so much if I got a useful error message, though that one is probably on Apple.
It's also my fault for using two-factor authentication since my gmail account was compromised. So, time for random guessing. I figured out it was the afore-mentioned two-factor thing.
Great, setup an application specific password, punch it in. Spinner goes for a bit longer this time, and...

"This account cannot be used with Apple TV".

Seriously? What. The. блядь.
So, more screwing around, and apparently, one has to create a "Channel" in your account. Why, I'm not sure. The requirement of clicking some obfuscated link to feed you random garbage by default, seems like a bad idea in my mind. But I'm sure it made sense to someone at the time.

Also, second week with one of these. I am not impressed. I'm not sure why anyone would want to root them. I would rather wipe and re-flash it myself.
</rant>

Sigh.
Still working.
Bourbon's still nearly impossible to buy in this town.
Suppose it stands to reason I came across this after two days of solid rain. The instrumental version sounds amazing in the Volvo. Not sure which version I like best yet.

Astalabyebye

Screw The Plan

Falling behind on legitimate posts again... have about 3 cisco related things queued up for posting I should probably finish off.
Hmm. Placed an order for some VM time, also an SRX100, which I expect will take the place of portcullis.sarlok.com (which I just installed...) to force me to get a better feel for JunOS outside of an olive.
Got myr.sarlok.com racked. Backup for fluctuators VM's, as well as some more resources for the pool.

My new toy. Something other than my Volvo that I can ratbag, without being too upset if I wrap it around a telephone pole or something.

RIM seems to be slowly sabotaging apps on my 9900. Granted the Trillian thing is but happening on a per-user basis, but it's one of 6 apps I frequently use (used?) which have stopped working in no particular order. Perhaps my shockingly negative feedback for the Z10 is to blame. Although, it's their own fault for making it such a steaming pile of корма.

Me: you still has a blackberry?
Co-worker: Nope, iPhone 5
Me: msn via trillian still working on that?
Co-worker: Yep
Co-worker: Like this?
Me: weird. my blackberry's msn is half busted.
sez I'm not signed in, I see no contacts, but I receive messages you send me. wee
Me: but that could be because "Blackberry" I suppose
Co-worker: Trillian on blackberry, or the MSN client?
Me: sorry, the MSN account in Trillian.
Co-worker: Yeah... Blackberry would be my guess.
Co-worker: Maybe try upgrading to the HAHAHAHAHA

On a somewhat related note, no-one seems to be able to, or wants to sell me this.


I've wanted something along those lines for close to two years now.
Effectively what I'm looking for is a hosted PBX. John Doe phones my #, it rings to all my subscribed devices, regardless of location or connectivity method (Mobility Carrier, Wifi, Wired), and I answer at whichever device I please - or happen to be closest to.
At a cafe with wifi? iPod Wifi. Finished my coffee, and time to get going? Park the call, and pick it up on my Cellphone. Call goes on for far longer than it should, and I get home? Pick it up on my analog phone through an ATA (not pictured - I don't actually have a "phone" phone) wired into the house.
Google ruined GrandCentral and won't give me a Canadian number. Skype won't give me a Canadian number, their client isn't fully cross-platform, and has become outlandishly bloated of late. The countless third party offerings that exist are flawed, don't do anything like what I just mentioned, and/or are way, way too overpriced.
So, to hell with them all - I've finally started building something myself. Proof-of-concept testing has gone well so far... now if only TELUS wouldn't block SIP across their data network. Maybe, just maybe I can put an M2M SIM card in a phone, and run SIP over that...

If you're feeling bored, I think I'm up another 50 images in the /random folder.

Adios.

Until the Sun Comes

Blocked in my own street by the new parade route's blockades.
Cut-off from both Granville's and Starbucks but the clouds of people and same said route.
Damn it.