Check if reboot required after installing updates.

September 9, 2014 at 11:19 am (linux, TechTips)

After you apply updates to your Fedora system using the shell, you can quickly and easily query your system to determine if it needs a reboot or not for the updates to fully take effect.

First, make sure that you have the RPM package yum-utils installed.

This package includes the Python script:

/usr/bin/needs-restarting

You must run this script either as root or using sudo.  The output of the script will be a list of all the running applications that were updated after they were started.  This output will help you decide if a reboot is desired now or later.  If you are running this on your personal computer and there is any output, simply reboot now to make sure the updates have been applied.
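One way to turn that output into a decision, as an added example that is not part of yum-utils or the original post: it assumes the script's `PID : command line` output format, and the rule that a stale PID 1 can only be fixed by a reboot is this example's own assumption. The function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: classify needs-restarting output ("PID : command line" per line).
# SAMPLE_OUTPUT is constructed for illustration, not captured from a real host.
SAMPLE_OUTPUT='1 : /usr/lib/systemd/systemd --switched-root --system
812 : /usr/sbin/sshd -D
1430 : /usr/sbin/sshd -D
977 : /usr/sbin/crond -n'

stale_programs() {
    # stdin: needs-restarting output. stdout: unique executables still running old code.
    awk -F' : ' 'NF >= 2 && $1 ~ /^[0-9]+$/ { split($2, a, " "); print a[1] }' | sort -u
}

reboot_advice() {
    # stdin: needs-restarting output. stdout: none | restart-services | reboot
    awk -F' : ' '
        NF >= 2 && $1 ~ /^[0-9]+$/ {
            stale++
            # Assumption: PID 1 cannot be replaced without a reboot.
            if ($1 == 1) init_stale = 1
        }
        END {
            if (init_stale)     print "reboot"
            else if (stale > 0) print "restart-services"
            else                print "none"
        }'
}

# On a live system: sudo /usr/bin/needs-restarting | reboot_advice
printf '%s\n' "$SAMPLE_OUTPUT" | reboot_advice
```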


Can’t mount a Windows 2008 share?

September 27, 2011 at 10:34 am (linux, TechTips, windows)

If you are trying to mount a Windows 2008 (or potentially other versions of Windows) share using mount.cifs and you keep getting an input/output error like the one below, then read on.

[jason@superfreak ~]$ sudo mount //powerhouse-smb.mydomain.com/LogFiles /mnt/ecomm/ -tcifs -orw,username=doctor
Password:
mount error 5 = Input/output error
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

The error reporting that is provided by mount.cifs is really not that good.  That input/output error could really mean anything.  Let’s use smbclient to attempt a connection to the share.  smbclient is sort of like an FTP client, but used to connect to an SMB share.  However, the real reason why we are using it is because it gives much more detailed error reporting by default.  Also, you could increase the debug level to some truly insane detail.

[jason@superfreak ~]$ smbclient //powerhouse-smb.mydomain.com/LogFiles -U doctor
Enter doctor’s password:
Domain=[POWERHOUSE] OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
tree connect failed: NT_STATUS_DUPLICATE_NAME

Finally, some more detail.  The error message ‘NT_STATUS_DUPLICATE_NAME’ indicates that the connection was denied by the Windows server because the destination host name that I provided was different than the computer name set on the actual destination server.  This is a security feature in Windows Server 2008 (and likely other versions of Windows).  In my case this is because I access the server through a load balancer.  There is a special virtual service on the load balancer to allow the SMB connection into the server.  However, for you the mismatch might be caused by an alias in your hosts file, a bad DNS entry or simply a mistype.

Now try the mount operation using the IP address instead of the hostname.  Using just the IP address will not cause that security check to trip.  Now it should work with no issues.

Happy Hacking.


Ping inside interface of ASA across a VPN tunnel.

October 14, 2010 at 12:15 pm (TechTips)

Do you need to ping the inside interface of an ASA across a VPN tunnel?
Maybe you need to do this for monitoring purposes, or whatever.

Allow ICMP access to the inside interface:
icmp permit host 192.168.1.10 inside

Monitoring station —> 192.168.1.10
Inside interface —> inside


Notes on ASA 8.3 NAT

October 13, 2010 at 11:19 am (TechTips)

Cisco ASA 8.3 has introduced major changes in how NAT is configured and operates.

This video is an excellent resource for a basic introduction to NAT on ASA 8.3 software:

https://supportforums.cisco.com/docs/DOC-12324

Here are some quick notes that I have gathered for my reference.  Feel free to post any additional comments and notes you may have to share:

COMMANDS

show run object

(Displays network and service objects that are in the running config)

show run object id

(Displays a specific object)

show run nat

(Displays running config NAT configurations)

show nat

(Displays NAT policies and counters)

Use packet-tracer for testing NAT (and other things)

packet-tracer input inside tcp 10.0.0.40 4444 198.133.219.25 80

Configure Auto-NAT:

object network inside
   subnet 192.168.1.0 255.255.255.0
   nat (inside,outside) dynamic interface

Note: This will configure PAT onto the outside interface for the inside subnet, while at the same time configuring the network object for the inside subnet.

Configure Twice (manual) NAT:

nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com

Note: You must first define the network objects for the source and destination before configuring manual NAT. In this example, the source IP address of the inside host is translated to “translated-ip” only when that host is sending a packet that is destined to “cisco-dot-com”. cisco-dot-com is entered twice because we are not translating the destination. If we wanted to translate the destination, we would do it here.

Exempt subnets from NAT because of VPN tunnel:

nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets

This statement will catch traffic on the inside trying to go to the outside. Traffic that matches the source and destination is operated on but no change is made.

General Notes:

ASA 8.3 has two types of NAT: Auto-NAT and Twice (manual) NAT. You can use Auto-NAT for most NAT/PAT operations, except for ones that need to make a decision based upon the destination address of a packet.

With ASA 8.3, a new change called “Real IP” was introduced. Real IP means that NAT translation happens BEFORE an ACL is checked. Therefore ACLs must contain the real IP address of the host that the inbound packet is headed towards. In other words, do not write the ACL to match on the “mapped” IP address. The real IP address is normally a non-routable IP address.


Getting err-disable when trying to bring up EtherChannel.

June 21, 2010 at 11:51 am (Technology, TechTips, Uncategorized)

Recently I was trying to bring up an EtherChannel connection between a Catalyst 3750 and a Catalyst 4507.

I was going to join 4 ports together.  One from each of the first 4 blades on the 4507.  It is good to use several blades to protect against a blade failure.

However, when I went to bring up the bundle using LACP, within seconds all bundled ports were shut down and this logging message popped up:

%PM-4-ERR_DISABLE: channel-misconfig (STP) error detect on GigabitEthernet1/0/45.

I was really stumped as to what was causing this.  Google searching did not really return any clear answers.

The message was stating that the error was somehow related to Spanning Tree Protocol.  I turned on all Spanning Tree debugs and re-enabled just the first port again, but the debugs didn’t show anything unusual happening.  What was interesting is that this error was only occurring on the 3750; no errors were showing up on the 4507.  I double checked the STP root bridge priorities, etc.

I started to comb the running-config with a fine-toothed comb on the 3750.  It was then that I noticed this config towards the top:

spanning-tree etherchannel guard misconfig

This config intrigued me.  I had not noticed it before and I was unclear as to what it might do.  I no’d out the command and again tried to bring up just the first interface in the bundle.  No cigar, same epic fail.  At this point, I saved the config (write me) and reloaded the switch.  Once the switch was back up, I again tried to bring up the bundle members, but in reverse order, starting with gi1/0/48 and moving towards gi1/0/45.  One by one, they were each able to join the bundle.  Finally, I went to bring up the last interface, gi1/0/45.  It came up, however the command show etherchannel 2 summary showed that it was in the waiting state.  This is indicated by state w.  It seemed to stay in waiting for about a minute until it changed to I.  The status I indicates that the port is individual and not part of the bundle.

I thought that it was strange for gi1/0/45 to go to individual mode.  I then traced the cabling from gi1/0/45 on the 3750 to fa3/3 on the 4507.  “Now just you wait a sec!”  I found that I had accidentally cabled to port fa3/5 instead.  This was the wrong port and was not configured to be part of the etherchannel.

Wow, so

spanning-tree etherchannel guard misconfig

Was trying to tell me that I had a mis-cabled port!  That’s pretty sweet.  I did a quick Google search on the command and found that essentially it allows EtherChannel to use STP to attempt to find misconfigurations (including messed up cabling).

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/stp_enha.html#wp1029499

This story has two morals:

1) Definitely configure STP etherchannel guard misconfig.  That command is just another of those that will watch your back.  You just gotta love those commands.

2) If your ports are going err-disable and you’re getting that odd STP misconfig error, remember to go check your cabling and which ports are config’d.

Happy Routing!


IRC channel for RHEV chat and un-official support

May 28, 2010 at 11:35 am (linux, TechTips, Uncategorized)

Do you work with Red Hat Enterprise Virtualization, or are you interested in it?

Why not head on over to the unofficial IRC channel for all things RHEV?

There’s a great group of people hanging out there that can try to offer assistance and great insights.

We can be found at: chat.freenode.net  #rhev

Hope to see you there!

NOTE: This IRC channel is in no way officially related to Red Hat, Inc.


Helpful iSCSI initiator commands for Linux.

May 27, 2010 at 1:53 pm (linux, TechTips, Uncategorized)

I’ve been doing a lot of work lately with Red Hat Enterprise Virtualization.  The hosts that I am using are currently connecting to the SAN using iSCSI.  However, in the future they will be connecting with Fibre Channel instead.

I find myself having to remember how to use the iSCSI initiator a lot.  Here are some quick notes on how to do the most common tasks.

Discover available targets from a discovery portal

iscsiadm -m discovery -t sendtargets -p ipaddress

Log into a specific target

iscsiadm -m node -T targetname -p ipaddress -l

Log out of a specific target

iscsiadm -m node -T targetname -p ipaddress -u

Display information about a target

iscsiadm -m node -T targetname -p ipaddress

Display statistics about a target

iscsiadm -m node -s -T targetname -p ipaddress

Remove the portal address to receive information or statistics about all targets.

Display list of all current sessions logged in

iscsiadm -m session

View iSCSI database regarding discovery

iscsiadm -m discovery -o show

View iSCSI database regarding targets to log into

iscsiadm -m node -o show

View iSCSI database regarding sessions logged into

iscsiadm -m session -o show

View if the targets are multipathed (MPIO)

multipath -ll

If it is multipathed, you will see output like below (this is an example of two LUNs, both multipathed).  Note that this shows that the MPIO mode is round-robin:

36000d77100000b117de986015d5d5746 dm-7 FALCON,IPSTOR DISK
[size=20G][features=0][hwhandler=0][rw]
\_ round-robin 0 [prio=0][active]
 \_ 12:0:0:0 sdb 8:16  [active][ready]
 \_ 13:0:0:0 sdd 8:48  [active][ready]
36000d771000002767de9860330139e10 dm-8 FALCON,IPSTOR DISK
[size=200G][features=0][hwhandler=0][rw]
\_ round-robin 0 [prio=0][active]
 \_ 12:0:0:1 sdc 8:32  [active][ready]
 \_ 13:0:0:1 sde 8:64  [active][ready]

Here is a very helpful article that covers similar commands, etc.
http://kbase.redhat.com/faq/docs/DOC-6388
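As an added example (not from the original post or from multipath-tools), this turns the `multipath -ll` output shown above into a per-LUN count of ready paths and flags any LUN that has lost redundancy. It assumes the legacy output layout used in this post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise "multipath -ll" output (legacy layout, as shown above).
# SAMPLE_MPIO is the two-LUN output from this post, embedded so the script runs offline.
SAMPLE_MPIO='36000d77100000b117de986015d5d5746 dm-7 FALCON,IPSTOR DISK
[size=20G][features=0][hwhandler=0][rw]
\_ round-robin 0 [prio=0][active]
 \_ 12:0:0:0 sdb 8:16  [active][ready]
 \_ 13:0:0:0 sdd 8:48  [active][ready]
36000d771000002767de9860330139e10 dm-8 FALCON,IPSTOR DISK
[size=200G][features=0][hwhandler=0][rw]
\_ round-robin 0 [prio=0][active]
 \_ 12:0:0:1 sdc 8:32  [active][ready]
 \_ 13:0:0:1 sde 8:64  [active][ready]'

path_report() {
    # stdin: multipath -ll output. stdout: "WWID dm-device policy ready_paths" per LUN.
    awk '
        function emit() { if (wwid != "") print wwid, dev, policy, ready }
        # Map header line: "<WWID> dm-N <vendor>,<product>"
        $2 ~ /^dm-[0-9]+$/ { emit(); wwid = $1; dev = $2; policy = "unknown"; ready = 0; next }
        # Path line: "\_ H:C:T:L sdX maj:min [state][state]"
        $1 == "\\_" && $2 ~ /^[0-9]+:[0-9]+:[0-9]+:[0-9]+$/ {
            if ($0 ~ /\[active\]\[ready\]/) ready++
            next
        }
        # Path-group line: "\_ <policy> <arg> [prio=..][state]"
        $1 == "\\_" { policy = $2 }
        END { emit() }'
}

degraded_luns() {
    # Prints LUNs with fewer than $1 ready paths (default 2); returns 1 if any exist.
    path_report | awk -v min="${1:-2}" '$4 < min { print; bad = 1 } END { exit bad + 0 }'
}

# On a live host: multipath -ll | degraded_luns
printf '%s\n' "$SAMPLE_MPIO" | path_report
```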


Can’t SSH into ASA?

May 19, 2010 at 11:04 am (Technology, TechTips)

Something strange happened today when I went to SSH into my ASA cluster.

Upon running ssh I got this error message:

ssh_exchange_identification: Connection closed by remote host

I started Google searching for information on this error message and found some people writing that the error could be resolved by making some changes on the client.  If you view the log on the ASA, you will see an error message that states:

Fail to establish SSH session because RSA host key retrieval failed.

This indicates that the problem is not with the client at all.  Rather, the problem is with the server end, in this case, the ASA.  The issue is that the ASA does not have an RSA host key.

Resolve this issue by running these commands below in the CLI.  Remember that you can still run CLI commands from the ASDM.  Launch the ASDM.  Click on Tools.  Click on Command Line Interface.  Click on Multiple Line.

Commands to run:

conf t
crypto key generate rsa modulus 2048
wr mem

Now you should be able to log in just fine.

See this link for more information on SSH configuration on the ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml


Great WMI CLI article.

March 10, 2010 at 10:49 am (TechTips, windows)

I used this great article as a reference when trying to find how to kill a process on a remote Windows machine using WMI CLI.

http://isc.sans.org/diary.html?storyid=2376


iQstor report commands

March 8, 2010 at 4:22 pm (Technology, TechTips)

Are you like me and need to generate system reports from your iQstor SAN units for debugging purposes?

Well then you’re in luck!  Below you will find the commands that will run the report command on both controllers.  It will also run the syslogd command on both controllers.  Simply specify the start and end dates for the syslogd command.

This will send the output to the terminal that you are on.  So, if you are going to telnet into the controllers, I suggest that you use the script tool to start your telnet session with.  Then when you are done, you just ctrl-d out of script and you’ll have the output files ready to send back into iQstor for them to look at.

And without further delay, here are the commands:

report
rrcii -C report
syslogd -q -a 3/4/10 -b 3/8/10
rrcii -C {syslogd -q -a 3/4/10 -b 3/8/10}
