Cisco ACE Modules with Windows Sharepoint 2010

I recently ran into issues with a Windows Sharepoint 2010 environment that is load-balanced by Cisco ACE modules.

I’m no Sharepoint expert so if I get the WSS terminology slightly wrong – you’ll know why!

Basically the issues presented themselves in the following ways:

1. A Sharepoint site had some sort of webpart that enabled “live” view of Excel spreadsheets within the browser.

When you first visited the page, everything was fine and the spreadsheet loaded successfully, however upon navigating away to a different page, any subsequent requests were either met with a browser dialog box stating that an error occurred finding the file, or an HTTP 503 Gateway error.

2. Miscellaneous authentication issues (HTTP 401 Unauthorised)

From a networking perspective, this was occurring across a number of resilient pairs of ACEs. All were set for session persistence using a named cookie inserted by the ACE.

Nothing unusual so far!

Where it got interesting was when doing some packet captures, and Fiddler HTTP traces.

In these I could see that the cookie the ACE was inserting was present within the browser session, along with an additional cookie set by WSS for keeping the session authenticated. I also noticed that there were two other entries in the Cookie header that, to me, looked like random characters, but I concluded that these were inserted by the WSS server.

After some investigation, I determined that the HTTP header was larger than 4096 bytes – the extra entries that WSS added were around 3400 bytes each (there were two!).

It transpires that by default the ACE parses only the first 4096 bytes of an HTTP header when looking for the cookie (the header-maxparse-length setting; the request URL counts too, since the request line sits at the start of the header). If the header exceeds that value, the default action is to drop the packet and send a RST to the client.
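To check whether a captured request is anywhere near that limit before touching the load balancer, here is an added example (mine, not code from the original post) that measures the header block of a raw HTTP request and sizes every cookie in it. The request, cookie names and values are constructed to resemble the situation above; the script counts the whole header block from the request line to the terminating blank line, which is the simplest approximation of what the ACE's header parse length is measured against.

```python
# Default number of HTTP header bytes the Cisco ACE parses when looking for
# the persistence cookie (the "set header-maxparse-length" setting).
ACE_DEFAULT_MAXPARSE = 4096

# Constructed sample request: an ACE-inserted persistence cookie plus two large
# server-set cookies of 3400 bytes each. Names and values are made up for the example.
SAMPLE_REQUEST = b"".join([
    b"GET /sites/finance/_layouts/xlviewer.aspx?id=budget.xlsx HTTP/1.1\r\n",
    b"Host: intranet.example.local\r\n",
    b"User-Agent: Mozilla/5.0\r\n",
    b"Accept: text/html\r\n",
    b"Cookie: ACE_PERSIST=rserver1; WSS_AUTH=" + b"A" * 300
    + b"; BLOB1=" + b"B" * 3400 + b"; BLOB2=" + b"C" * 3400 + b"\r\n",
    b"\r\n",
])


def header_block_size(raw_request: bytes) -> int:
    """Bytes from the start of the request line through the blank line that
    ends the header block; a header parse limit is measured from byte zero."""
    end = raw_request.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("request has no complete header block")
    return end + 4


def parse_cookies(raw_request: bytes) -> dict:
    """Return {cookie_name: value_length} for every name=value pair in Cookie headers."""
    head = raw_request[:header_block_size(raw_request)].decode("latin-1")
    sizes = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name_part, sep, value_part = line.partition(":")
        if sep and name_part.strip().lower() == "cookie":
            for pair in value_part.split(";"):
                name, _, value = pair.strip().partition("=")
                if name:
                    sizes[name] = sizes.get(name, 0) + len(value)
    return sizes


def check_against_limit(raw_request: bytes, limit: int = ACE_DEFAULT_MAXPARSE) -> dict:
    """Report the header size against a parse limit and the cookies most to blame."""
    total = header_block_size(raw_request)
    cookies = parse_cookies(raw_request)
    return {
        "header_bytes": total,
        "limit": limit,
        "exceeds": total > limit,
        "largest_cookies": sorted(cookies.items(), key=lambda kv: kv[1], reverse=True)[:3],
    }


if __name__ == "__main__":
    for limit in (ACE_DEFAULT_MAXPARSE, 16384):
        print(check_against_limit(SAMPLE_REQUEST, limit))
```

Feed it a request saved from Fiddler's raw view or reassembled from a packet capture. The first request to a site usually carries no cookies and passes; once the server has set its large cookies, the same check flips to exceeding the default, which is the pattern of working-then-failing that the symptoms above describe.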

The solution for our environment was to increase this value to overcome the large HTTP header size containing the WSS inserted data.

Changes needed on the ACE:

parameter-map type http HTTP_MAP_HEADER_LENGTH
set header-maxparse-length 16384

This raises the parse limit to 16384 bytes (the setting accepts 1 to 65535). Alternatively, length-exceed continue in the same parameter-map tells the ACE to pass oversize headers through rather than dropping them.

Then you need to apply that parameter-map to a policy.

policy-map multi-match my-policy-name
class my-class-name
appl-parameter http advanced-options HTTP_MAP_HEADER_LENGTH

Hope this helps someone out. Any questions or feedback is welcome via the comments link below.


Cisco VPN authentication using NPS on Windows SBS 2008

Wow – what a title!!

Hopefully this post will make things a bit clearer.

I have a Cisco 1721 router configured to be a VPN server for a few IPsec client PCs. Currently the user authentication part is just being done with local users set up within the router config.

However we have Windows SBS 2008 internally providing Active Directory services, amongst other things.

So, my aim in this piece of work was to get the Cisco VPN using the AD accounts for client VPN user authentication.

There were two main parts to getting this working – the config on the Cisco router, and the configuration of NPS (Network Policy Server, formerly IAS) on Windows. In this post I will cover the Cisco side, and will try to put up some notes on the Windows side when I get home, where I am able to grab some screenshots.

Config required for Cisco router

This is the trimmed down version of the statements I had to add/change. If you need to see full config for understanding, drop me a note.

aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 7 "removed"
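As an added example (not code from the original post), here is what the router and NPS actually exchange once the login method list points at group radius: an Access-Request carrying the user name and a PAP-hidden password, and an Access-Accept whose Response Authenticator the router must check before trusting it. It is a minimal RFC 2865 encoder and decoder in Python; the shared secret, user, password and NAS address are constructed placeholders, and neither the router nor the server in the post is involved.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (the protocol the router
# speaks to NPS once "group radius" is in the login method list).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte includes itself and the type."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, nas_ip, secret, authenticator=None):
    """Build the Access-Request the NAS (here, the router) sends for a PAP login."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator before trusting Accept/Reject."""
    code, ident, response_auth, _ = parse_packet(response)
    _, request_ident, request_auth, _ = parse_packet(request)
    if ident != request_ident:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def demo():
    """Round trip: router builds the request, server unhides the password and answers."""
    # Constructed values: the secret, user and address are placeholders, not the post's.
    secret = b"example-shared-secret"
    request = build_access_request(7, "vpnuser", "Pa55word!", "192.0.2.1", secret)
    _, _, auth, attrs = parse_packet(request)
    recovered = unhide_password(dict(attrs)[USER_PASSWORD], secret, auth)
    accept = build_response(ACCESS_ACCEPT, request, secret, attribute(REPLY_MESSAGE, b"welcome"))
    return recovered, response_is_authentic(accept, request, secret)


if __name__ == "__main__":
    print(demo())
```

Two things worth keeping in mind when reading the config above against this exchange. The password hiding is only an MD5 keystream derived from the shared secret, so the router-to-NPS path should stay on a trusted segment, and the type 7 encoding on the radius-server key line is reversible obfuscation rather than encryption, so a copy of the running config is a copy of the secret. Also, in IOS method lists such as group radius local, the local database is consulted only when the RADIUS server does not answer; an Access-Reject is final and does not fall back to local.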

Potential stumbling block

One snag I ran into was related to the VPN group authentication. During my config changes I applied the following line (remotely – DOH!!!) which killed the VPN completely.

aaa authorization network sdm_vpn_group_ml_1 radius local

The symptom this presented was that the VPN client would try to connect but fail almost immediately.

What I didn’t realise to start with was that this config statement was offloading the VPN group authentication part of the connection over to the Radius server, where I didn’t have any groups set up, as I was only looking to use Radius for the user authentication.

So by removing the radius option from that statement, the group authentication check is still done against the name/key within the crypto isakmp client configuration group section.

Hopefully this can be of use to someone else – feel free to add any comments/questions below.


Saphir 40 Build Log

Here is a build log for my Dave Smith Models Saphir 40.

I first started building this plane about 18 years ago (when I was very young and inexperienced). I didn’t learn to fly until October last year, and since properly getting the ‘bug’ have been trying to complete it.

It’s nearly done, and I will post a photo or two shortly.

It’s kitted out with a Tuned by West Magnum 70 FS. This is a standard Magnum 70 FS but with a modified head and a different carb. It’s reported to give approx 20% more power, and snappier throttle response.

http://westonuk.co.uk/westonuk2_018.htm

I’m using Futaba S3003 servos for all functions.

Originally I was going to install fixed undercarriage, but following the 18 year break new retract technology has appeared, so I have opted to install some Servoless Retracts (http://www.hobbyking.com/hobbyking/store/uh_viewItem.asp?idProduct=14838).

They are quite inexpensive, and only time will tell how durable they are.

I have a Spektrum DX8, and so have installed an AR6200 receiver with the satellite receiver.

Hopefully I will get to give it a maiden fairly soon.


Saphir 40

Well, with the sun shining, and a bit of breeze blowing it was time for the maiden yesterday, of my Dave Smith Models Saphir 40.

The Magnum 70 (Tuned by West) produced loads of power and with controls checked it was time to take to the sky.
After a bit of trimming out, Paul put the Saphir through its paces – it looked fantastic in the air, and flew brilliantly.
Once that flight was over, (and a quick cuppa) it was my turn.

With my buddy box connected (I’m still a learner really), I took the controls – wow, what can I say – it’s brilliant. Very easy to fly – I can tell I’m going to have a lot of fun with this model.


Wot 4

Well, here is a page about my little Chris Foss Designs Wot 4 (Ripmax version).

I bought it on eBay in April 2012.

Engine: Thunder Tiger F-54S Four Stroke

Prop: Master Airscrew

Servos:

Throttle: Futaba S3003

Elevator: Futaba S3003

Rudder: Futaba S3003

Ailerons: 2 x Spektrum DS821

Receiver: Spektrum AR6200

Battery: 4.8v NiMh

 

The Thunder Tiger F-54S engine is brilliant. It literally sips fuel. I ran it at the field the other day when it was too windy to fly – on 3/4 of a tank, at a variety of throttle settings, it ran for 22 minutes!

Update: 05/07/2012

First solo flights!! I went to our field in Egerton and I was the only one there.

So, in a fly-or-crash kinda moment I nervously took to the sky.

Due to the nerves on the first flight I forgot to start my timer – so I only flew circuits for 5-6 minutes and then made my approach. The first approach was a little off, so I went round for another go. This time was much better and I brought the Wot 4 in for quite a reasonable landing (on the strip!).

My nerves needed a good 20 mins of recovery before I went for it again, this time with the timer running. Another successful flight.

Finished the evening off with a 3rd flight – this time the landing was good, with touchdown about 10 feet past me.

All in all a good session.


Stream Spotify to Airport Express Using Airfoil

A friend recently introduced me to Spotify (http://www.spotify.com) and it’s superb!!! For those that don’t know, Spotify is a streaming music service. It has a huge database of songs: just search away, hit play and let your ears be filled! There are different account schemes available, starting with a Free service that is advertisement-supported. I have to say that it is a great way to listen to music, as the adverts are so few and far between that they don’t distract from the music at all.

Now, the really great bit is that I have found an app that will run on Windows, Mac or Linux that allows you to stream the output of Spotify (in fact any audio from your system) to any or all of the Airport Express devices in your home. It’s called Airfoil

Check out http://rogueamoeba.com/airfoil/ – it’s about £18 but to me that seems good value for money and it works very well.

All in all, a brilliant couple of apps that keep my music ears very happy.
