Google DNS Makes Apple Download Tragically Slow

Posted by Joshua Schmidlkofer 16/10/2011 at 10h48

My brief run-in with CDNs and Google DNS.

pfSense and IPsec

Posted by Joshua Schmidlkofer 19/05/2011 at 23h37

Practical Troubleshooting

I love pfSense. So far it's superior to every Linux-based routing appliance. No product is perfect, but the 2.0 release is very promising. I have been troubleshooting tunnels which inexplicably do not work. I have been receiving the following error during phase1 connection:

racoon: ERROR: couldn't find configuration

This usually means a significant mismatch exists in phase1 negotiations. Despite my meticulous efforts the tunnels would not start. I watched the IPsec logs hopelessly, trying many different things. What finally worked was connecting to the console, killing racoon and starting it manually as follows:

racoon -d -v -F -f /var/etc/racoon.conf

By monitoring the output, I discovered during debugging that the packets were coming from the wrong source IP address. One of my sites has multiple WAN links, and racoon was using the wrong source address for IPsec negotiation. The phase1 arrival was clearly logged and rejected - because it didn't match any existing configuration.

Once complete, I was quickly able to determine what to do. However, if you don't have access to a host behind the pfSense firewall then you may have problems creating IPsec tunnels. I used this to force a packet:

My firewall's LAN address, which is part of the IPsec local subnet scope, is 192.168.0.1. The remote network is 10.1.1.0/24. I need to create a single packet from 192.168.0.1 to something in 10.1.1.x.

ping -S 192.168.0.1 -c 1 10.1.1.3

What could be better.

Feedback for improvement would begin with one admonition: Don't trust the log output of Racoon. I should have used tcpdump on both ends, watching for the packets that set up sessions.

[2.0-RC1][root@gateway.site-a.com]/root(1): tcpdump -ni re0 port 500
16:39:07.697695 IP 192.168.81.126.500 > 10.1.101.217.500: isakmp: phase 2/others I inf[E]
16:40:26.980944 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:36.982740 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:46.983927 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:56.985122 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:41:06.986307 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg

Had I done this at both ends, I would have clearly seen that the wrong interface was emitting packets. Both ends. That was my mistake. I trusted logs at Site-A, and I never verified my problem at Site-B. Hours of painstaking troubleshooting for no good reason.
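The check described above, as an added example that is not part of the original post: it parses tcpdump ISAKMP lines in the format shown and flags any phase 1 initiation whose source address is not a configured peer for the WAN it arrived on, which is the situation that produces racoon's "couldn't find configuration". The expected-peer map and the extra sample line from 172.16.5.2 are constructed assumptions.

```python
import re

# Regex for tcpdump ISAKMP lines in the format shown above (assumed:
# "<time> IP <src>.<sport> > <dst>.<dport>: isakmp: phase <n> ...").
ISAKMP_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): isakmp: "
    r"phase (?P<phase>\d)(?:/others)? (?P<rest>.*)$"
)

def parse_isakmp(line):
    """Return a dict for one tcpdump ISAKMP line, or None if it does not match."""
    m = ISAKMP_LINE.match(line.strip())
    return m.groupdict() if m else None

def find_unexpected_peers(lines, expected_peers):
    """Flag phase 1 initiations whose source is not a configured peer.

    expected_peers maps a local WAN address to the set of remote peer
    addresses racoon has a configuration for. A phase 1 packet from any
    other source is what racoon rejects as "couldn't find configuration".
    """
    findings = []
    for line in lines:
        pkt = parse_isakmp(line)
        if pkt is None or pkt["phase"] != "1":
            continue
        allowed = expected_peers.get(pkt["dst"], set())
        if pkt["src"] not in allowed:
            findings.append((pkt["time"], pkt["src"], pkt["dst"]))
    return findings

# Constructed sample: lines from the capture above plus one phase 1 packet
# arriving from a second, unconfigured WAN address (172.16.5.2, assumed).
SAMPLE = """\
16:39:07.697695 IP 192.168.81.126.500 > 10.1.101.217.500: isakmp: phase 2/others I inf[E]
16:40:26.980944 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:36.982740 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:41:16.000000 IP 172.16.5.2.500 > 192.168.81.126.500: isakmp: phase 1 I agg
""".splitlines()

# Assumed tunnel configuration on Site-A's WAN: only 10.1.101.217 is a known peer.
EXPECTED = {"192.168.81.126": {"10.1.101.217"}}

if __name__ == "__main__":
    for when, src, dst in find_unexpected_peers(SAMPLE, EXPECTED):
        print(f"{when}: phase 1 from {src} to {dst} matches no configured peer")
```

Run it against a capture from each end; a flagged source on the remote side is the wrong WAN interface emitting the negotiation.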

Work Around

My current imperfect workaround is to add the following line to each of my remote sites' crontab:

cat crontab | grep newsys

* * * * * root /sbin/ping -S 192.168.0.1 -c 1 10.1.1.1

Obviously I turfed this above, I just thought I would share it with everyone. This has the net effect of a 60 second tunnel keep alive. May not be appropriate for some environments. Good luck.

Jealous of The New Guy

Posted by Joshua Schmidlkofer 28/09/2010 at 19h47

In which Joshua attempts to clarify his thoughts and position on things like the Tea Party and his distrust of Democrats and Republicans.

Zimbra 6.x - Hostname Change

Posted by Joshua Schmidlkofer 22/09/2010 at 11h38

In which Joshua updates and changes Zimbra's hostname, FTW, against odds and all known instructions.

Amazingly 1337 Gmail Searches

Posted by Joshua Schmidlkofer 04/08/2010 at 08h31

In which Joshua makes a post elucidating his findings regarding advanced Gmail Searches, which despite availability of said information, was nonetheless challenging to locate.

Ahsay Patches

Posted by Joshua Schmidlkofer 26/01/2010 at 11h38

In which Joshua discusses instructions from Ahsay regarding patch practices.

F.U.B.A.R.

Posted by Joshua Schmidlkofer 16/11/2009 at 21h23

I thought that the first season of "Legend of the Seeker" was bad. But, the second season is worse. The writers don't know anything about the characters, and they haven't really read the books. Terry Goodkind put some effort and thought into constructing a realistic world. The show is nothing at all. Who are the writers? Did they eat paint chips?

I feel bad for the actors, in this case. Dollhouse gets canceled, but LoTS gets a second season. I hate the show, and I am reporting via second-hand knowledge. I have tried on a few occasions to watch it, yet the resoundingly bad writing is unbearable. Time travel, ridiculous character gaps, and senseless changes to everything. I see this as confirmation of a simple truth: They are writing as they go. There is not a plan, no clever architecture, no vision for a story. Absolute lack of any coherent ideas or reasoned thought. The bad guys are weaksauce, the good guys laughable and the plot was scraped together from shake-n-bake style bad sci-fi orgies.

So, in short, do the world a favor. Ignore Legend of the Seeker. Just... turn away and find something pretty.

How to Upgrade Typo

Posted by Joshua Schmidlkofer 11/03/2009 at 10h55

I use Typo, and I have since the early 4.0 days. Each upgrade brings a slew of new messes to the table. I recently discovered that apparently there are only two people behind Typo development, and with it being a Ruby/Rails project that does offer some explanation as to the sucky edges. With newfound compassion, I will explain my work to the other peoples around.

I use PostgreSQL because it's awesome, MySQL sucks, and SQLite is dippy. In retrospect, I wish that my blog had used SQLite, but I didn't, and I have no idea how hard it would be to migrate to SQLite. So, I use PgSQL because it's rad. SQLite fits the bill, but didn't make the final cut.

When upgrading from 5.0.x to 5.2, here's the rub:

  • Backup your database first: pg_dump -U myuser -f pre-migration.db.sql mydb
  • Save a copy of your typo directory
  • Get the typo tarball, and untar it.
  • Install RAILS locally (untar rails, copy all the stuff from vendor/rails to your typo directory's vendor.)
  • Set up your database.yml
  • Migrate your database by hand: "rake db:migrate"

Watch your postgresql output:

Missing Index

The db:migrate couldn't remove an index, because it didn't exist. So I killed it.

create index "index_contents_on_blog_id" on contents (id, blog_id);

Kill Sidebars

I grabbed my static content from my old blog, prior to upgrade, so when I had sidebar-related crashes, I just murdered them.

delete from sidebars;

note: people complained that 'misspelled Sidebards'. It was a failed joke.

The Aristocrats

It may seem like a lot for dirty talk, but after that things are mostly complete. Next Week: Index Optimization for Typo.

Microsoft DAYLIGHT SAVINGS FAIL Roundup

Posted by Joshua Schmidlkofer 10/03/2009 at 10h22

It's Daylight Savings Time - Again. Time for a new round of FAIL from Microsoft.

Windows Mobile

A client's Verizon Windows Mobile phone has changed all the appointments for the foreseeable future to an hour later than originally scheduled.

Entourage

Microsoft Entourage 2004, on my older PowerBook G4, is rendering dates an /hour/ in the future. I caught it when an email I sent was CC'd to my Gmail account, and the account said, "11:16 AM (-57 minutes ago)". Special.

Windows Mobile

Another client's BRAND NEW Windows Mobile Phone, running Palm, on DST-Day, experienced EPIC FAILURE and had to have the firmware reloaded. (???) If it wasn't THE day when they turned it on, I would not blame DST.... but.... Also, after speaking with them, I am really unclear on whom to blame. I haven't followed the latest Palm stuff, but is this actually a Windows problem?

Windows Mobile: ceTwit

vkoser writes about a problem with date math in ceTwit - and, I am just going to blame Microsoft because of their consistent steaming piles on this one.

Zune

So far, I have heard of no new Zune problems, but the leap-second bug deserves a second mention. Well played Redmond. Nice quality control.

Wrap up

Well, that's about it for today's "Microsoft Sucks" rant. It's been a decade already, and they still have bi-annual issues with dates. Remember DST 2007? That was a FUBAR mess. Turned out that Exchange with OWA didn't put proper TZ info on some calendar entries, and Mac/Entourage users were totally boned. You had to have an Outlook client, on Windows, to properly affect the fix. I know some admins who had to restore after the run. The tests went well, but the production run screwed everyone.

Last DST change I had three clients with messed up appointments. Not all appointments, about 5% of them. A secretary had to audit all of them. We finally back dated a PC, and it did work. We printed out and compared in order to locate the problems. EXCHANGE AND OUTLOOK SUCK!

Cleanliness and Godliness

Posted by Joshua Schmidlkofer 01/12/2008 at 20h39

MacOSX strives to be more righteous than the next bloke:

Dec  1 20:38:22 xXxMac SyncServer[2205]: SyncServer: Truth vacuumed. Next vacuum date 2008-12-15 20:38:21 -0800

Wah-Hoo