always remember

Nothing is foolproof to a sufficiently talented fool... Make something
idiot proof, and the world will simply make a bigger idiot.

How To: Fix “Packet to client reached max retries, removing the client” – Cisco Aironet AP 1142

During a recent deployment of Cisco Aironet LAP1142’s I came across a rather annoying handling of low signal client devices by the default config of Maximum Data Packet Retries when configured via the WebGUI.

The Problem:
Clients in low signal areas or at great distances from the AP would experience constant disconnects and WPA2 rekeys, when they should have been able to persist on the wireless network, just with greater latency and packet loss at low signal strength. This is evidenced in the Cisco AP log with the following lines (that will often repeat many many times)

May 19 13:31:01.885: %DOT11-4-MAXRETRIES: Packet to client aabb.ccdd.eeff reached max retries, removing the client
May 19 13:31:01.886: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station aabb.ccdd.eeff Reason: Previous authentication no longer valid
May 19 13:31:05.213: %DOT11-6-ASSOC: Interface Dot11Radio0, Station aabb.ccdd.eeff Associated KEY_MGMT[WPAv2 PSK]

Why This Happens:
It turns out, that although you can control the Max Data Packet Retries variable in the WebGUI, you do not get given any contextual information, or the ability to set the additional parameter of “drop-packet”

Without settng “drop-packet”, the AP resorts to it default behaviour of dealing with a MAXRETRIES event by outright disconnecting the client and forcing a rekey.

The Fix:
Via CLI (either SSH/Telnet or serial console), modify the interface config for the Radio in question (or all of them), set the packet retries setting to 128 and enable drop-packet:

en
conf t
int Dot11Radio0
packet retries 128 drop-packet
int Dot11Radio1
packet retries 128 drop-packet
do write mem

This resolved my issue, low signal clients and clients at great distances from the AP now have low signal, lower speed and increased latency, but they DO stay connected to the network. In my opinion, this is far more typical behaviour for a WiFi network, and in most cases, general public users excuse the speed and latency when they notice they have poor WiFi signal. They DO NOT excuse being constantly booted from the network over and over again.

To be clear, the correct fix for this would be to ensure good signal coverage in all service areas, and avoid Radio band interference. However, this is not possible in this scenario, and the fix above works.

This is a working fix on an AIR1142, but will work on all 1140 series, 1200 series, 2800 series and 3800 series (And probably more IOS based access points of the same era)

dave / May 19, 2020 / Cisco

F5 BigIP LTM – iRule Accept Only UserAgent to Hostname

The following code snippet assumes you have a wildcard virtual host within the F5 LTM device, and that you wish to only allow traffic into that virtual host if a specific user agent string is matched and that the hostname is matched.

when HTTP_REQUEST {
    if {{ [class match [HTTP::header "User-Agent"] = "Browser 2.1.0"] } and { ([string tolower [HTTP::host]] starts_with "subdomain.domain.com") }} {
        return
    } else {
        drop
    }
}

It should be modified to suit your specific requirements.

dave / April 14, 2020 / Code, F5 BigIP

F5 BigIP LTM – iRule Unblock Violation Name

In the event you need to unblock a triggered ASM block event within F5’s BigIP LTM/ASM appliances, the following iRule may be of use. The one shown below specifically unblocks illegal redirection attempts that match a URI partial string.

when ASM_REQUEST_DONE {
    if {{[ASM::violation names] contains "VIOL_REDIRECT"} and 
    {[string tolower [HTTP::uri]] contains "/string1/" || 
    [string tolower [HTTP::uri]] contains "/xyz-location/" ||
    [string tolower [HTTP::uri]] contains "/abc/"}}
    {
        ASM::unblock
        log local0. "ASM unblocking [HTTP::uri] - (XYZ Manual iRule Unblock)"
    }
}

Additional Violation Names can be found under: Security -> Options -> Application Security -> Advanced Configuration -> Violations List -> Built-In Violations. You must use the internal ASM Violation Name in the iRule, not the friendly name shown in the event logs or the rest of the GUI.

The above is tested/working within F5 BipIP LTM VE v15.0.1

dave / March 18, 2020 / Code, F5 BigIP

Using LogDump & RBA’s to Reposition a REPLICAT Process

When a REPLICAT process ABEND’s it can be dificult to pinpoint why, and trying to get over the error and allow the REPLICAT to continue can be tricky.

In this example, my source is an Oracle Linux 12c machine running EXTRACT, my target is a Windows Server 2016 machine running MSSQL/REPLICAT.

The Error:

In this example, we are presented with the following errors in the REPLCIAT report after it has ABENDED

2019-08-15 18:21:20  WARNING OGG-03014  Source column COLUMN_NAME has more characters than target column COLUMN_NAME can hold. Some source characters will not be mapped during conversion from source character set UTF-8 to target character set UTF-16.

2019-08-16 09:28:56  ERROR   OGG-01163  Bad column length (357) specified for column COLUMN_NAME in table TABLE.X, maximum allowable length is 255.

From the same report, we need to garner what RBA the fault occured at, you can see this here:

Last log location read:
     FILE:      C:GoldenGatedirdat/1p000003921
     SEQNO:     3921
     RBA:       4982061
     TIMESTAMP: 2019-08-16 09:28:53.053432
     EOF:       NO
     READERR:   0

With this information, open LogDump, prepare the application, and move to your RBA:

Logdump 1 > open C:GoldenGatedirdat/1p000003921 (use your filename here)
Logdump 2 > ghdr on
logdump 3 > detail on
logdump 4 > detail data
logdump 5 > ggstoken on
logdump 6 > ggstoken detail
logdump 7 > pos 4982061 (use your RBA here)

Read On… ->

dave / September 3, 2019 / Code, Oracle

How To: Configure multiple VLAN interfaces in SolusVM

There may be times when you wish to give VM’s on one of your SolusVM nodes access to IP resrouces that are segmented into discrete VLAN’s at network level. If this is the case, you need to create network bridge interfaces on the node, and suply them with your VLAN interfaces. This is explained below.

  1. Configure the base interface, in this example, we ahve trunked eno2 with vlan’s 220 and 221, as we have group of VM’s that require to bind IP’s within this VLAN.
  2. [root@solus-node01]# cat ifcfg-eno2
    DEVICE=eno2
    BOOTPROTO=none
    UUID=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    ONBOOT=yes
    TYPE=Ethernet
    NM_CONTROLLED=no
  3. Configure your VLAN sub interfaces, note that we designate each interface to its own new bridge interface, this is required.
  4. Read On… ->

dave / October 24, 2018 / Code, Guide

OGG-00730 – No minimum Supplemental Logging is enabled

This issue was encountered whilst shipping an Oracle 12c schema to an MSSQL Server 2014 instance using OGG 12.3.

During the Change Data Capture configuration and EXTRACT setup and start processes, you may find your EXTRACT abends with:

OGG-00730  No minimum supplemental logging is enabled.

There are 2 reasons this may occur, the first is that you actually don’t have any supplemental logging enabled… The second is a documented Oracle bug, in which the GoldenGate process detects the presence of LOG DATA, but reports back on it incorrectly. Both scenarios are explained below.

CHECK TO SEE IF DATABASE LEVEL SUPPLEMENTAL LOGGING IS ENABLED OR NOT:

SQL> SELECT force_logging, supplemental_log_data_min FROM v$database;

FORCE_LOGGING             SUPPLEME
------------------------- --------
NO                        NO

SQL>

In this case, there is no logging, so OGG is correct. We can enable it with:

SQL> ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;
Database altered.

Read On… ->

dave / July 27, 2018 / Code, Oracle