Cricalix.Net

Going sane since 1978

Browsing Posts published in November, 2006

As I grow older, I find myself less and less interested both in celebrating my birthday, and receiving material gifts for Christmas. With a friend of mine afflicted by a rare form of cancer (multiple myeloma – essentially a terminal cancer), I’m finding that my feelings on the matter are even stronger this year than in years gone by. I’m quite content for family and friends, contemplating material gifts, to put the money to another use – be it a charity donation or otherwise. All I want for Christmas is time – time to spend with my friend. Of course, with her being several thousand miles away, it won’t be the easiest thing to do. If it will make her Christmas better though, I’ll find a way to do it.

There are certainly material things that I’d like to have, but they’re not essential, and I can eventually acquire them the old-fashioned way – by earning money, saving that money for a period of time and then buying the item. Modern society seems hooked on instant gratification, even if it means large debts. I’m certainly not immune to this, but I do try very hard to avoid it. Alternately, winning a few hundred thousand £ on the bonds would also work.

Leave them a note saying ‘So long and thanks for all the fish’, when they’ve never read HHGTTG by Douglas Adams.

Cisco’s WCCP protocol is a nifty thing – it transparently redirects all port 80 traffic coming from a local subnet over to a WCCP-enabled web cache (that’s ostensibly running on the external subnet of the router). Multiple caches are supported, and a router implementing WCCP uses a hashing algorithm to pick which cache gets which request. $dayjob had it working at one point in our product, but a recent OS upgrade has broken things, and we have to find where and why.

Step 1:
Can the ‘private’ routed subnet talk to the web cache on port 80 without WCCP loaded? Yes.

Step 2:
Turn on WCCP on the internal interface. Does port 80 to anywhere in the world work? No.

Bugger.

Step 3:
Actually enable the global wccp flags. Does port 80 to anywhere in the world work? No.

It looks like the packets come over the GRE tunnel, and instead of hitting the iptables redirection from 80 to the proxy port, just fall into dead space, as if they walked off the end of the chain. Changing the final rule of the firewall to REJECT instead of ACCEPT or DROP shows the packets get rejected. Bummer. Back to the research board!

I can now add to my list of skills ‘Able to dismantle, change components in, and reassemble a Dell Inspiron 8200’.

The new fan assembly has been installed, and it’s so much quieter than the one I took out. I managed to lose a few screws along the way (and I don’t know how, as I placed each screw on my desk as I took it out [and they're not on the floor]), but the machine still works! Even managed to clean the guts a bit, removing stray hairs, what looked like cereal bits and a fair bit of dust.

The fans I took out – when they fired up at low speed, I could hear the laptop in the next room. Not good. The laptop was remarkably easy to disassemble, once I read the instructions on how one particular bit of plastic was meant to be removed. The display is 2 screws, the display cable is 1 screw. The casing is 10+ screws. A screw here and there holding components together, and that’s about it.

Microsoft is fairly infamous for the absolute lack of detail in the error messages that their applications generate. This morning was a classic example for me – got to work, and had no internet connectivity. Our LAN runs through an ISA 2004 firewall/proxy at the moment, and when I left yesterday, everything was working fine. This morning, the ISA console said that the firewall couldn’t start.

The only clue in the ISA console was that the web filter could not init, and that it encountered error 0x80092004. A Google search for things like ‘isa 2004 web filter 0x80092004’ turned up nothing useful. Searching for the 0x error code showed error logs all over the place for everything from Windows Genuine Advantage to service pack installations to SSL certificate errors. That last one is critical, even though there was no mention of ISA in any of the pages (that I read).

The real key showed up in the event log. Event ID 14177. Microsoft’s own knowledgebase only acknowledges that ISA 2000 can have trouble with SSL certificates, and recommends running mmc to look in the Certificates store for the computer. Tried that, no dice. In the end, I started walking through the entire firewall policy, looking for uses of the HTTP filter module, and in particular, rules that dealt with SSL.

Turns out a new rule got added last night, to publish OWA to one of our public IP addresses. When I tried to click on one of the property tabs, the system kindly informed me that it couldn’t load the certificate. At that point, rather than try and find the certificate it was looking for, I just disabled the rule. Presto, internet access.
