Latest posts

Cisco Aironet Won’t Connect to Wireless LAN Controller

I ran into an issue where some older Cisco Aironet APs (Access Points) stopped connecting to a Cisco WLC (Wireless LAN Controller). No config changes had been made and some of the Cisco Aironet APs would connect and some wouldn’t. All of them were the same model, the Cisco Aironet APs were able to ping the Cisco WLC and vice versa.

What happened is the Cisco MIC (Manufacture Installed Certificate) expired and the default setup of a Cisco WLC is to reject any Cisco Aironet AP with an expired MIC.

It looks like this could impacts every Cisco WLC when used with older Cisco Aironet APs that have an expired Cisco MIC. Cisco has a Field Notice about this issue, you can read it here FN63942.

Any Cisco Aironet AP that was manufactured from July 18, 2005 until 2017 will have a Cisco MIC that expires 10 years after the manufacture date. There seems to be no way to replace or renew that Cisco MIC, this will keep being an issue that could randomly show up until 2027 when all of them should be broken.

The reason some of my Cisco Aironet APs worked and some didn’t is because they were manufactured at different times even though they have the same model number.

The fix is super quick we just need to tell the Cisco WLC to ignore expired Cisco MICs.

Cisco UCS Upgrade with Firmware Auto Install

Recently I needed to upgrade a Cisco Unified Computing System (UCS) system and while Cisco does have documentation about it. The process can be scary and could use more screenshots. Here is my step by step guide on how to upgrade a Cisco UCS via the Firmware Auto Install with the Cisco UCS Manager.

Fully planning your Cisco UCS upgrade is very important. There are a lot of things that need to be checked to make sure the upgrade is a success and that everything is compatible. In the past I’ve needed to upgrade my ESXi to as high as they can go based on the VMware and Cisco Compatibility Matrix and then upgrade the Cisco UCS. Then go back and upgrade ESXi again and then upgrade Cisco UCS again.

Quick Cheat Sheet

Fixing Teams needs an update

Recently I’ve ran into an issue with Microsoft Teams where the user sees a blocking message that says “Teams needs an update”. The user needs to action it before they can use Microsoft Teams again. Typically the user can just click on Update Teams which will take them to a download page for Microsoft Teams, they also need to pick the correct version of Microsoft Teams because now there are two of them.

Let’s have some faith in the user and say they do download the correct version, now they need to run the downloaded file and then it will update Microsoft Teams for them and finally they can use Microsoft Teams again.

That whole process isn’t a good user experience and that’s way too many steps. It’s worse if the user is in a rush because let’s say the system with the outdated version of Microsoft Teams is a meeting room computer and they are trying to load Microsoft Teams for their meeting.

There has to be a way to prevent this and a way to reliably solve the Teams needs an update problem. Here’s what I found in this rabbit hole along with the solutions I found.

Cloudflare Tunnel with Docker

There’s been a few times where I needed to setup access to an internal web application but I couldn’t put it on 443 or 80 because something else was using those ports and a reverse proxy would break one of the applications. A solution to this is Cloudflare Tunnel.

Cloudflare Tunnel used to be called Warp when it was in beta and was eventually renamed to Argo Tunnel. When Cloudflare made Argo Tunnel free they renamed it to Cloudflare Tunnel. The magic of Cloudflare Tunnel is handled by a small but powerful client that is known as cloudflared.

What makes a Cloudflare Tunnel awesome is the fact that you can use it to host an application externally without opening any ports on your firewall. It does this by creating an outbound only tunnel directly to Cloudflare.

For my situation I needed to setup access to an internal web application but I didn’t want to do another port forward to make it work. My solution was Cloudflare Tunnel with Docker.

The way I set it up is slight different than what Cloudflare’s documentation says as I wanted to use the Zero Trust dashboard and Docker but also have it in a Docker Compose file, as cloudflared seems to get updated at least once a month and I wanted it to be easy enough to recreate. Here’s how I did it and how everything works.

Upgrade Palo Alto Firewall HA Pair (Active/Passive)

Palo Alto has some great documentation about how to do basically everything. Sometimes it’s a bit buried. This is my short and long cheat sheets for upgrading a Palo Alto Networks firewall in an Active/Passive High Availability Pair.

Quick Cheat Sheet

Long Cheat Sheet

Upgrade path and sanity checks

For my example FW01 is the Primary firewall and currently Active firewall and FW02 is the Secondary firewall and currently Passive firewall and they are both running PAN-OS 10.1 version 10.1.6-h6 which is the current preferred release for that version. We will be upgrading them to PAN-OS 10.2 version 10.2.2-h2 which is the current preferred release for that version.

Azure AD Connect 2.0 Won’t Start

I recently ran into an issue where an install of Azure AD Connect failed to start. It seems like the root cause was due to the SQLLocalDB Model database becoming corrupt, which caused it to fail at upgrading itself. This is a known issue in versions older than 2.1.1.0 of Azure AD Connect.

While looking at the event logs it looks like the chain of events was that it tried to do the auto upgrade as auto upgrade is enabled but then failed to restart the SQLLocalDB due to the corruption which then caused Azure AD Connect to break.

Setting Up Cloudflare Access

I’ve been a fan of Cloudflare for a while now. I love how fast they can propagate DNS changes and I typically like to use them as a DNS resolver. An issue that I’ve ran into many times, is how to protect something with MFA (Multi-Factor Authentication) that doesn’t have any support for MFA.

This problem is common with legacy web applications and very common with SCADA (Supervisory Control And Data Acquisition) web applications. The issue I was trying to solve was how to put MFA in front of a SCADA web application.

I decided to use Cloudflare Access. Cloudflare Access goes by a few names some of them are Cloudflare Zero Trust Network Access (ZTNA), Cloudflare Access, and Cloudflare Zero Trust Access. For simplicity I’m going to refer to it as Cloudflare Access.

Cloudflare Access is really nice because you can put it in front of any web application and it will require the user to authenticate before they can even reach the website.

If you have a lot of applications like this you can even set it up so the users can login to a portal to see all of the applications that are available to them. You can do all of this without the user having to install anything. What’s even better is that it’s free for 50 users.

Here’s how I setup a SCADA web app with Cloudflare Access.

Windows Recovery Partition

When you install Windows it always creates a Recovery Partition, which runs a very lite version of Windows with a few tools. There’s been a few times where I’ve used those tools to fix a system.

I wanted to know what would happen if I deleted the Recovery Partition. This is what I found down that rabbit hole.

Your Windows partitioning will look something like this.

Disk Partitioning with Recovery Partition

geoSCOUT published remote access

I needed to get geoSCOUT working in VMware Horizon but geoLOGIC doesn’t officially support publishing geoSCOUT to systems like Citrix, RD Web, and Horizon. Due to the way that geoSCOUT works you can’t just launch the geoSCOUT exe and have it work.

On the first launch a user would normally run the geoSCOUT Desktop_Build_NonAdmin_v8.exe installer which will create the App Data and the document files for the user. The creation of the App Data part is important because that is when it creates the reference to the geoSCOUT license file. If you try to just run the geoSCOUT Desktop_Build_NonAdmin_v8.exe install file outside of the path of your geoSCOUT license file it won’t install correctly.

Now a way to get around the issue is to have the user RDP into your session host that is publishing the application and have them run the non admin installer but that isn’t very seamless and is very time consuming.

My solution was to write a PowerShell script that launches before the user launches geoSCOUT.

FortiGate Hair-pinning

I have been playing around with Policy mode on the FortiGate and an issue that I’ve ran into a few times is if you have something hosted internally that also needs to be accessed externally it doesn’t work internally when you use the external address, for example a reverse proxy.

In my setup I use a reverse proxy in front of my WordPress Docker containers. Due to this they are running on random ports. When I need to access them I need to use the external address not the LAN address. A half workaround that I was doing, was using CloudFlare proxied mode which did work but I wanted to fix it without needing to do that.