One of my customers is running a five node Nutanix cluster, which is configured for FT2 (2N/2D). This means, that if the storage containers are configured with RF3, two of the five nodes can fail. Now I stumbled over the “Cluster Resiliency / Fault Tolerance Status” widget on the dashboard, which clearly showed that only a single node failure would be tolerated. This was a bit confusing, because the cluster is configured for FT2, which should allow two node failures (in case of RF3 for the storage containers).

This really annoying issue was hunting me for several weeks until I discovered the root cause. One of my customers is running VMware ESXi on top of HPE ProLiant DX hardware, the customized Hardware from HPE for Nutanix. It’s simply a ProLiant DL with a specific set of available components, firmware, drivers and branding. Instead of running AHV, this customer chose to run VMware ESXi as hypervisor. Everything was running fine until the customer reported reocurring fails of a specific Nutanix Cluster Check, in this case the ‘host_disk_usage_check’. While investiagting the issue, I noticed that the root filesystem on all nodes of the clsuter was full.

I’m a loyal Apple iPhone and T-Mobile customer for many years. Recently, it came to my attention, that there is a voicemail service active on my personal mobile number. This is pretty annoying, as I never use voicemail on my private mobile number. Okay, maybe due to an update or something. I quickly found the standard mobile code to disable any forwardings: ##002# is a standard mobile code that cancels all call forwarding on your phone, including when the line is busy, unreachable, or when there is no answer. Surprisingly, this didn’t worked… There was still am active forwarding to a voicemail service, even if I didn’t got any notiofication when someone left me a message on the voicebox. I continued my research and stumbled upon a forum post that mentioned the iOS live voicemail feature. After disabling this feature, there was no further forwarding to voicemail. You can disable this feature under Settings -> Apps -> Phone -> Live-Voicemail -> Disable.

The HPE iLO Amplifier Integration into the vSphere Lifecycle Manager is an easy way to update your ESXi hosts not only with updates, but also with the latest firmware. Despite the fact that HPE has discontinued HPE ILO Amplifier, the product is widly used. The final version is 2.22, the final version for the HPE iLO Amplifier HSM Provider for VMware vSphere is version 1.5.0.

A recurring problem is an error message during the compliance scan:

Sometimes you need to decomission services, and move them to new servers. Sometimes this requires the change of the IP address. This is no big deal as long as accessing clients use DNS, or until you can change the IP address to connect to the services using a central mechanism. DNS and LDAP are two of these services. They come often as part of Microsoft Active Directory Domain Controllers. Sometimes customers use the IP address of a DC and put this IP address hard coded into other IT systems or config files. This makes it nearly impossible to track what clients and sub systems access these services.

We all know the e-mail disclamer and “EXTERNAL” tags in subject lines that should make clear, that a specific e-mail is coming from external sender. Mostly this is done to make sure nobody clicks on links in external e-mails that might look like an external e-mail.

This can easily be done by creating a transport rule in Exchange or Exchange Online that matches senders outside the organization. This rule adds something to the beginning of the subject line, and usually a preamble is added to the mail body.

After a routine update of a 6-node Nutanix cluster, a Nutanix Cluster Check (NCC) warning popped up indicating a problem with the SAS cabling. Running the check on the CLI offered some more details.

Running : health_checks hardware_checks disk_checks hpe_hba_cabling_check
[==================================================] 100%
/health_checks/hardware_checks/disk_checks/hpe_hba_cabling_check                                                                                   [ WARN ]
-----------------------------------------------------------------------------------------------------------------------------------------------------------+

Detailed information for hpe_hba_cabling_check:
Node 10.99.1.205:
WARN: Disk cabling for disk(s) S6GLNG0T610113 are detected at incorrect location(s) 3:251:8 respectively where each value in the location corresponds to box:bay
Node 10.99.1.202:
WARN: Disk cabling for disk(s) S6GLNG0T610203 are detected at incorrect location(s) 3:251:8 respectively where each value in the location corresponds to box:bay
Node 10.99.1.206:
WARN: Disk cabling for disk(s) S6GLNG0T610104 are detected at incorrect location(s) 3:251:8 respectively where each value in the location corresponds to box:bay
Node 10.99.1.201:
WARN: Disk cabling for disk(s) S6GLNG0T610248, S6GLNG0T610219, S6GLNG0T610220, S6GLNG0T610081, S6GLNG0T603894, S6GLNG0T603909, S6GLNG0T610222 are detected at incorrect location(s) 3:252:1, 3:252:7, 3:252:6, 3:252:2, 3:252:3, 3:252:4, 3:252:5 respectively where each value in the location corresponds to box:bay
Node 10.99.1.203:
WARN: Disk cabling for disk(s) S6GLNG0T610247 are detected at incorrect location(s) 3:251:8 respectively where each value in the location corresponds to box:bay
Node 10.99.1.204:
WARN: Disk cabling for disk(s) S6GLNG0T610213 are detected at incorrect location(s) 3:251:8 respectively where each value in the location corresponds to box:bay
Refer to KB 11310 (http://portal.nutanix.com/kb/11310) for details on hpe_hba_cabling_check or Recheck with: ncc health_checks hardware_checks disk_checks hpe_hba_cabling_check --cvm_list=10.99.1.205,10.99.1.202,10.99.1.206,10.99.1.201,10.99.1.203,10.99.1.204
+-----------------------+
| State         | Count |
+-----------------------+
| Warning       | 1     |
| Total Plugins | 1     |
+-----------------------+
Plugin output written to /home/nutanix/data/logs/ncc-output-latest.log

All six nodes were affected. The cluster is running for quite some time without any issues, and this issue never came up before. It appeared right after installing the latest patches.

The Certificate Enrollment Policy Web Service (CEP) and the Certificate Enrollment Web Service (CES) were introduced with Windows Server 2008 R2 in order to simplify the request for certificates, especially for devices that were not member of a Active Directory domain.

The “classic” way of requesting a certificate from a Active Directory Enterprise CA involves LDAP and RPC/ DCOM, which was okay in the early days of Active Directory, but today, with a CA as a tier 0 asset, this is some kind of a problem. Today you want to avoid clients being able to talk directly to your CA using DCOM/ RPC.

By default, credentials such as RADIUS or TACACS authentication keys, are stored separately from the switch configuration, and are not shown when saved or running configurations are displayed or copied using TFTP or SSH. You can change this behavior using the include-credentials command. This clearly seems to be a security issue, because the displays credentials are unencrypted. You can check the current status using show include-credentials.

HP Switch(config)# show include-credentials
Stored in Configuration         : Yes
Enabled in Active Configuration : Yes
Include ClearPass Keys          : No

If you want to encrypt these credentials, you can use the encrypt-credentials command. This command will encrypt the credentials using either a hardcoded 256 bit key, or you can add a pre-shared key to the command. In each case the switch uses AES256-CBC to encrypt the credeitals, regardless of the provided key.

Some weeks ago I decided to move my notes from Microsoft OneNote to Joplin. Microsoft OneNote is a great tool for taking notes collaborative, but sometimes it drives me insane and I wanted a more portable form at for my notes.

Markdown is a perfect portable format, and it is widly adopted. I really like the idea behind Markdown, and I even supported a Microsoft User Voice to add native Markdown support into OneNote. So my new note taking tool had to support Markdown. Long story short: Joplin was my tool of choice. It’s running on Windows and there is also an iOS app. Joplin offers a wide range of options to sync the notes, but none of them seemed to fit my use case - Except for the Joplin Server. I’m not afaraid in running my own infrastructure. I have some Azure credits available each months, so running a small VM for a Joplin Server is a good way to use them.