I just love coming back from a week long vacation, containing 5 business days, to over 1000 emails. I feel so, so, overwhelmed.
Category: life
-
Graduation
Congratulations to all the people graduating from the Midwestern Physical Therapy program today! In particular, way to go Bree and Erin! I’m so proud of you guys 😉
-
ISA Site-to-Site IPSec VPN
I wasn’t necessarily going to post this, but since ISA seems to be the most linked to thing on this site because of only 2 articles, I figure it can’t hurt to talk about it. Especially since it was a very strange problem I had with it and I’m sure I won’t be the only one with it.
Anyways, at work I am utilizing ISA 2006 Std edition in a front and back wall scenario. Site-to-Site VPN terminate on the external firewall, and all of our local VLANs (55 of them) are routed off of the internal firewall. So far, nothing that complex. It’s just a simple DMZ between the external and internal network setup.
Anyways, I had a site-to-site VPN (IP pre-shared key) between a customer and us. Basically, we just need to hit a single machine, so the remote network contained two IP addresses, one for the client’s gateway (this is added by default in ISA 2006, DO NOT delete it, also be sure that the remote site has added your gateway in as a remote network too!) and another for the machine we needed to hit on their local network. Anyways, it was working fine. Well, actually, nobody was using it quite yet, but testing had been completed, and I was able to access everything that the developers would need. Anyways, the customer decides that they need to add another IP address that we’ll need to access. Again, no big deal. I’ll just add the IP to the network list for this client. Just to make sure everything’s working, I test it. Nothing works to the new IP. However, the old IP still works fine. What the hell?!
For those of you unfamiliar with ISA, it’s not like I created a new VPN for this new IP addition, or anything like that. I simply added the new IP to the existing network. All the routing and firewall rules remained the same. Adding the new IP to the list of remote networks should have allowed it to work.
Working with the IT person at the customer, I learn that when I try to hit the new IP address, the Quick Mode authentication was failing because the ISA server was sending the wrong local network that the request was coming from. The local network that was defined in the rule (by putting a subnet destination in the network rule) was 10.254.95.192/27. However, on the client’s side, he was seeing the request coming from 10.254.64.0/19. In order to create the IPsec tunnel, both the local and remote networks on each end of the tunnel must be identical, but switched (i.e. my local is his remote, and his local is my remote). Needless to say, this 10.254.64.0/27 was screwing everything up. However, when I connected to the original IP that worked, it was sending the correct network of 10.254.95.192/27.
Of course, no where in ISA 2006’s logging can you see it making the IKE requests. All I could see is that requests were being routed correctly from the internal ISA to the external ISA, and then from the external out to the correct network for the customer VPN. In essence, traffic was going in to a black hole. I could also see that the VPN connection (Main Mode) was up and running. I was completely reliant on the customer to let me know what was coming down the pipe to him. That right there is not really something I’m comfortable with, but he seemed to be OK with it. I’m sure it’s because he knew it wasn’t on his end, but on mine.
After deleting the VPN multiple times and recreating it to no avail, restarting the machine, etc, I knew that I would have to get some help from someplace else. Thankfully we have an awesome community of people at work that I could bounce ideas off of. Unfortunately, I never received a response. Also, ISAServer.org is a great place to get information. They have forums there that people keep an eye on. Unfortunately, ISA 2006 is still quite new and not as many people deal with it. I also did not receive a response from there. Needless to say, I was on my own for this one. Not a place I really wanted to be, since I thought I was at the end of my ability.
Actually, the IP isn’t really done in ISA server at all. Much like everything else that ISA server does, it’s just an application that sits on top of the OS and utilizes things that are already built into the OS (in my case Windows 2003 R2). This means that all IP policies, rules, etc are done by Windows and this can be monitored using the IP Security Monitor MMC Snap-in.
Since the VPN tunnel was being created successfully, I knew that Main Mode IKE Policies were correct, it was the Quick Mode policies that were causing me grief. Since we have multiple VPN connections terminating on this firewall, there are a lot of Quick Mode IP policies in place. Especially since all of them use pre-shared keys, which require that two IP policies are created, one for inbound and outbound (otherwise you can have one policy that does both inbound and outbound).
Scanning through the policies I was able to find the inbound and outbound policies for the original customer IP address to the 10.254.95.192/27 network, but I wasn’t able to find it for the new customer IP address. Alas, the problem! The next best policy for the new IP address was for the 10.254.64.0/19, since this policy encompasses the 10.254.95.192/27 subnet. Finally, I felt like I was making progress. Unfortunately, ISA should have been creating these policies when I edit the customer VPN networks. Actually, I still have no idea why ISA isn’t creating these policies. This is why I think there’s a bug which I’m going to submit to Microsoft (via this post actually).
Now that I knew the source of the problem, I had to fix it. Some days diagnosing the problems take longer than fixing them, and some days it’s the other way around. Since it had already taken me about a day to find the problem, I hoped that it wouldn’t take that long to actually fix it.
Needless to say, you can’t add IP policies from the IP Security Monitor MMC Snap-in, because, well, it’s a Monitor not an editor. The IP Policy Manager MMC Snap-in was no use either, as it defines computer level policies. Doh. Well, I can finally say that one of my certifications actually came in handy. That “+ Security” portion of my MCSE gave me the knowledge that there is a way to edit IP policies from the command line. Going on this, a quick Google search gave me exactly what I was searching for. Now which command to actually use?
At first I tried to just create a filter. However, I didn’t know of any filterlist, and none of the current filters were a member of a filterlist. Thankfully you can just make up a name and it creates on. Unfortunately this didn’t solve anything. Nothing showed up in the Quick Mode filters. Lets try again, yeah?
Turns out it’s not a static setting, but a dynamic setting, which makes more sense. Anyways, you can add Quick Mode rules pretty much the same. In that I mean, the command is just as long and gross. Just be aware, that since I wanted to add a Quick Mode rule and not a Main Mode rule, I had to put in the Quick Mode Policy variable.
Another thing that made this so confusing was that in IP Monitor, they are called Quick Mode Filters and at the command line they’re called Rules. Ugh. At least it’s taken care of. And now I think I know more than I ever wanted to about ISA and IP.
-
New Glasses
Well, I’ve finally gotten around to going to the optomitrist. It’s probably been two years or so since the last time. I just find it hard to justify going when I know I can see just fine. However, I wanted a new pair of glasses. The $300 alotment was burning a hole in my pocket. Plus, I’ve had my current ones for over two years. It was time to freshen up the style.
I wanted a pair that was more dressy than the current ones I have. I ended up with a pair of frameless ones. They even came with clip on sunglasses too, which made the deal even sweeter.
I’ve actually had the new glasses for awhile. However, when I originally got them, the end of one of the stems was cut off and they weren’t fitting quite right, so I returned them. However, when I dropped them off, I didn’t bring the sunglasses clip that I received.
Two days ago I received the call that my glasses were back in and fixed. Low and behold I got another pair of sunglasses with these! Now I can keep one pair in the car and carry the other. Awesome!
Pictures may follow later today if I can find some decent lighting at home.
Merry Christmas to me!
-
Congratulations!!
Congratulations Bree and Eric!! It’s about time 😉
-
Eye Exam
How can places only charge $44 for an eye exam? I guess it just goes to show how much they overcharge on glasses and contact lenses.
-
NetApp Certified
Well, I have another acronym to stick at the end of my name, NACA.
-
Services Companies
I find it funny how a services based company, that is based on consumer satisfaction, can be so unhelpful to the consumer. Let’s take Comcast for example. It’s a $22.23 billion revenue ($14.2 billion profit [how can I create a company like that?!]) company. Why is it so hard to make customer service decent. Don’t get me wrong, I rarely use it as it is, and normally when I do it is quickly resolved, but today was different.
On Friday we started having problems with the HD stations we get. Everything keeps going pixelated every few seconds or so, and the sound cuts in and out. Basically, the channels are useless. However, the SD channels are fine. Another little annoyance is if you happen to be on an HD channel, the remote seems to stop functioning at all. In all actuality it works, but there is so much latency that it takes a minute or more before your button presses on the remote show up. Hell, even using the buttons on the front of the cable box didn’t do anything.
Needless to say, I finally got around to calling them about this. The first lady I spoke to said she would “send a signal” to the box and everything should be ok. For what ever reason I believed her, hung up and tested it out. Only to my surprise did it not work. So, I called back. This time I was given a guy that seemed very new, or just crazy slow (I’m not sure which yet). He had me do a few things, which completely locked the cable box up, and then said he’d have to schedule a technician to come out.
“The first available time is 10-12 tomorrow. Are you available?” he inquires.
“Do you have anything after 5?” I respond.
“No, we don’t offer appointments after 5, but we do have slots available on the weekends.”
What the hell?! So, I basically have to either take time out of my, already incredibly, busy schedule at work, or waste my free time on the weekend?! I think not. I let him know this seems pretty sleazy as this is a problem on Comcast’s side, but he tells me there’s not much he can do. I ask to speak to his manager, even though I too know there’s nothing this person can do either.
All I can say is, this lady was pro. She’s either been there awhile or has taken a whole lot of classes. I dropped the “moving to satellite” line and she didn’t even flinch. She did mention that she could have someone come out between 4-6 on Friday. I said I’d be here at 5. She said it didn’t have to be me that was in my house. I was tempting to ask her if she would leave anyone in her house just waiting for the cable guy, but I refrained. Finally she conceded and the best she could do was between 4 and 6. I said that was fine, but I wouldn’t be there until 5.
Now, actually, I could’ve been here from 10-12 tomorrow. I guess that’s not the point though, is it? Both support technicians reassured me that this was a problem on their end and that a technician needed to come out (they also dropped the “you won’t be charged for this visit” line, damn straight I won’t!). So why am I forced to bend my schedule or give up my free time just so that they can fix something wrong on their end? Why do the 21.4 million subscribers to Comcast think that it’s ok to play with their schedule for a service they, themselves, pay for? It just doesn’t seem right to me. What makes it even more absurd is that the technicians that come out (at least in Chicago) aren’t even Comcast employees. They’re hired out contractors. You can not tell me that these people refuse to work after 5. Give me a break.
Oh, and don’t let this lead you down the path that it’s just Comcast either. This isn’t an excuse to move to satellite or whatever, all large services based companies are like this. I guess that’s why so many people my age are enjoying “internet-based” businesses so much. They feel more like mom and pop stores because of the people that run them, but have the global appeal and size potential because of the internet.
I don’t even really watch TV that much anyways! Personally, I can’t wait till the technician shows up sometime between 4 and 5, while I’m not there, and then I get billed for not being there, even though I staunchly said I wasn’t going to be. Yet another battle because I’m difficult. *Sigh* All just to live and be hip in this, the 21st Century.
-
Busy
You can definitely tell when I’m busy and when I’m not based on how often I update this site. As you can image, from how infrequently I’ve been doing updates, that I’ve become incredibly busy. I received a promotion, and now I’ve taken on about 10x more responsibility than I had before. It’s definitely different than what I was used to, but it’s a good different (at least it still is right now). Instead of just being a worker bee assigned to a project, I now, in so few words, manage all infrastructure aspects of projects that come into the department.
This has resulted in a lot more work on my plate. And not just more work, but more work that I’ve never done before (at least not at this scale). Things like quotes and estimations. Plus, I’ve been traveling some and trying to get some training done through NetApp. Oh, did I mention all this responsibility was done by a person that was twice my level before my promotion? Well, I can’t say that exactly because everything that he did didn’t just jump onto my plate, there’s a project manager that’s actually doing some of the work. However, regardless, everything needs to cross my plate because of my technical abilities and my knowledge of what my team is doing.
We’re also getting a NetApp FAS3050C cabinet in on Tuesday. This is why I’ve been doing some training on it, since I’ll be point-man on getting that all setup. We’ll primarily be using that as an iSCSI target for virtual machine hosts and SQL machines. I’m personally really stoked about that. ~30 TB of raw data to play with. I’m glad that I’ll be doing that though, as it helps to balance out the ever increasing management responsibilities. Toys are good.
In non-work related news, I’ve been taking another photography class: Portrait & Lighting I. It was actually one that I wasn’t really going to take, but I’ve definitely learned a lot. I was skeptical of taking it at first because I had heard that the teacher didn’t go into much of the technical aspects. However, that’s what I really like. I enjoy learning all the technical stuff and then be able to play with that knowledge for my own images. Well, the normal teacher is actually taking a break, so the same guy who taught our Photo II class is teaching this one. This is probably one of the reasons I decided to take the class, because I like the way he teaches. Unfortunately, there’s not a lot of “good shots” from this class as we’re basically just learning how to correctly use lights and many of the pictures are of different types of lighting or of a dummy head. It’s possible that something from this next shoot will show up on aaron spruit (.com) though. We’ll just have to see.
In other photography news, I’m looking at getting a new 105mm macro lens and flash. I’ve also been contemplating getting a light meter, and I’ve actually bid on a few on eBay, but I just don’t think I’d use it all that much.
I think that’s about it, and be sure to check out aaron spruit (.com), since it gets updated every weekday. Oh, and there should be some pictures taken in the last month showing up now, as I finally got out last weekend to take some pics. Out of 100ish pictures, I’m probably going to throw up 29 or so. It was nice last weekend; I just put some newish music on my iPod, threw on the headphones and took the camera out with me. It was actually quite relaxing, but still amazing how many strange looks people gave me.
-
Motivation
It’s funny how easily motivation can be swayed one way or the other.