Welcome …

Posted on

Captive Portal Fails to Load Properly or Returns 404

Captive Portal Fails to Load Properly or Returns 404

This article describes how to fix the issue whereby captive portal fails to load, is returned only partially without the user / pass fields or returns a 404 error. This also mitigates issues with:slow access to a Mobile Access gateway on wireless or lossy networks.

The mechanism responsible for the problems is “SACK” – an acronym for Selective ACKknowledgment. The “SACK-permitted” option and “SACK” option alter the acknowledgment behavior of TCP:

SACK-permitted

The SACK-permitted option is offered to the remote end during TCP setup as an option to an opening SYN packet. The SACK option permits selective acknowledgment of permitted data. The default TCP acknowledgment behavior is to acknowledge the highest sequence number of in-order bytes. This default behavior is prone to cause unnecessary retransmission of data, which can exacerbate a congestion condition that may have been the cause of the original packet loss.

A packet capture on the client or gateway will typically show many retransmitted packets and ends with the client eventually sending RST packets to the gateway.

SACK

The SACK option allows the receiver to modify the acknowledgment field to describe noncontinuous blocks of received data, so that the sender can retransmit only what is missing at the receiver’s end.

Solution

Disable Selective-ACK by setting the value of cpas_tcp_do_sack kernel parameter to “0” (zero).

Procedure:

To Disable Selective-ACK on-the-fly, run:

[Expert@gateway]# fw ctl set int cpas_tcp_do_sack 0

Check that the value was accepted:

[Expert@gateway]# fw ctl get int cpas_tcp_do_sack

To disable the parameter permanently:

Edit the $FWDIR/boot/modules/fwkern.conf file using Vi editor to add a line with the format “parameter_name=value", in this case:

cpas_tcp_do_sack=0

Reboot the gateway after any changes to the $FWDIR/boot/modules/fwkern.conf file.

Notes:

  • Disabling Selective-ACK can impact networking throughput when client/server are using large TCP Windows and there is packet loss between these hosts.
  • In Cluster, perform the procedure on all cluster members.

Related posts:

Posted on

CLI: Create a Self IP to Allow BigIP Management

Create a Self IP to Allow BigIP Management via the CLI

This article details how to create a self ip  to allow bigip management on the command line. The need arose when a primary firewall failed and the only entry to the network was an ssh session to the DR BigIP via a jump box.

For the purpose of this article we are using the following IP representations:

x.x.x.100 – eXternal IP

i.i.i.100 – Internal IP

1. Enter the traffic management shell tmsh:

[admin@bigip:Active:Standalone] tmsh
admin@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)#

2. If there is already a self IP on the external vlan you can modify the port lockdown settings to allow https to the machine but only if you have no virtual servers already using the https port.

admin@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify net self x.x.x.100 allow-service default

This will allow all the default ports, shown by “list net self-allow”:

admin@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net self-allow
net self-allow {
defaults {
ospf:any
tcp:domain
tcp:f5-iquery
tcp:https
tcp:snmp
tcp:ssh
udp:520
udp:cap
udp:domain
udp:f5-iquery
udp:snmp
}
}

3. In this case the self IP was already used by a virtual server with a pool of https machines behind it so a new self ip was necessary. Choose another ip on the same external subnet:

admin@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net self x.x.x.101/32 vlan external allow-service default

4. We can now list our self ips and the level of access associated with them:

admin@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net self
net self x.x.x.101/32 {
address 90.152.115.244/32
allow-service {
default
}
traffic-group traffic-group-local-only
vlan external
}
net self x.x.x.101 {
address 90.152.115.243/29
allow-service {
none
}
traffic-group traffic-group-local-only
vlan external
}
net self i.i.i.100 {
address i.i.i.100/24
allow-service {
default
}
traffic-group traffic-group-local-only
vlan internal
}

5. We can now access our BigIP on https://x.x.x.101 !

No related posts.

Posted on

How to Set a Static IP and DNS in Ubuntu 14.04 or Later

How To Set A Static IP And DNS In Ubuntu 14.04 or Later

This article details how to set a static IP and DNS in Ubuntu: version 14.04 and later no longer allow direct editing of /etc/resolv.conf directly.

Using something like “echo nameserver 8.8.8.8 >> resolv.conf” will work temporarily but will be overwritten as soon as the  machine is rebooted or the networking service restarted.

You must now modify /etc/resolvconf/resolv.conf.d/head or /etc/resolvconf/resolv.conf.d/tail.

/etc/resolv.conf is written from:

  1. /etc/resolvconf/resolv.conf.d/head
  2. DNS set on interfaces
  3. /etc/resolvconf/resolv.conf.d/base
  4. /etc/resolvconf/resolv.conf.d/tail

While any and all of these work, it is much simpler to set this in the interface config aong with a static IP:

Edit /etc/network/interfaces and change the following:

Notes:

  • Your network card may be referred to as eth0, eth1, ens32 etc.
  • Change your dns-nameservers to whatever you want them to be – the above ones are google’s own.
  • The IP addressing must also be tailored to whatever your home router is configured with.
  • Leaving the dns-nameservers directive out will result in the DNS servers from your ISP or home router being used instead.
auto eth0
iface eth0 inet dhcp

to:

auto eth0 
  iface eth0 inet static
  address 192.168.0.50
  netmask 255.255.255.0
  gateway 192.168.0.1
  network 192.168.0.0
  broadcast 192.168.0.255
  dns-nameservers 8.8.8.8 8.8.4.4

Finally, restart your ethernet:

$ sudo service networking restart
$ sudo ifdown eth0
$ sudo ifup eth0

No related posts.