iTunes -9808

I came across an interesting problem today while trying to subscribe to a podcast through iTunes where iTunes threw up an error (-9808) saying an unknown error had occurred.

I’ve used iTunes on this machine (Vista SP1) a fair bit and have had no issues with downloading podcasts before; however, I was logged in as a test user and wasn’t using my normal user account. Some quick checking found that it wasn’t our Internet Content Filter causing the problem, but I did find this message in our ISA firewall log:

Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Destination: External (17.250.237.19:443)
Request: buy.itunes.apple.com:443
Filter information: Req ID: 1b5d88f0; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel

Searching for status 995 and ISA in Google didn’t bring up any useful results, but a search for iTunes and 9808 brought up a heap of results. Turns out this is a reasonably common problem; I found the solution at soccerislife8 and disabled Check for server certificate revocation in Internet Explorer.

After some more research it seems that updating to the latest version of iTunes won’t fix the problem?!

Checking Apple’s SSL Certificate in IE shows that it’s valid, so it’s still a mystery. I’m not impressed that I’ve had to disable security features in my browser for the sake of iTunes.

ProCurve – Front-Panel Security & Authentication

I was looking for some ProCurve documentation on AAA security and stumbled across the Hardening ProCurve Switches White Paper and found a few nice things to add to our ProCurve config.

Password Clear Protection – Front-Panel Security
ProCurve devices utilize the Reset and Clear buttons on the front panel to help users reset the switch configuration to factory default or to reset the console password. This capability creates a security risk anywhere it’s impossible to prevent physical access to the switch. ProCurve makes it possible to disable this functionality to protect from malicious use of these features.

There are two components to front-panel security: “password clear” and “factory reset.” Both must be disabled to fully secure the device.

In the switch’s default mode, a malicious user can utilize the front-panel clear button to reset a console password stored locally on the switch. To disable this feature, issue the command:

ProCurve Switch(config)# no front-panel-security password-clear

The other capability built into ProCurve switches is the ability to reset the switch configuration to the factory default mode:

ProCurve Switch(config)# [no] front-panel-security factory-reset

Executing the no form of this command prevents reset of the switch configuration by use of the front-panel Reset and Clear buttons.

It’s critical to understand that disabling these features severely restricts administrator options if the password is lost or forgotten. Before making these changes, users are strongly encouraged to review all considerations outlined in the Access and Security Guide for your model.
Authentication – Server-Supplied Privilege Level
Login privilege level instructs the switch to accept the authenticating user’s command level (manager or operator) that is supplied by the server. This allows manager-level users to skip the login context and proceed immediately to enable context, thus eliminating the need for a manager-level user to log in twice.

To allow the switch to accept the privilege level provided by the server, use the following configuration command:

ProCurve Switch(config)# aaa authentication login privilege-mode

To supply a privilege level via RADIUS, specify the “Service-Type” attribute in the user’s credentials.
• Service-Type = 6 allows manager-level access
• Service-Type = 7 allows operator-level access
• A user with Service-Type not equal to 6 or 7 is denied access
• A user with no Service-Type attribute supplied is denied access when privilege mode is enabled

– The RADIUS authentication for switch access sounds interesting. If our staff, or contractors that are working on the network, are using their network credentials to access the switch config, we can easily enable/disable their access to the switches without hassle and without letting everyone know the Manager/Operator passwords.

HP 2710p Battery issues resolved

Just over 12 months ago we purchased 55 HP 2710p Tablets with Vista Business for our Teaching Staff. The machines have generally been pretty good but we had some unsolvable battery issues that we couldn’t solve ourselves and eventually opened a support case with HP to try and rectify. We had various problems with batteries not holding much, or any charge and some machines that wouldn’t recognise their battery at all and would only work with the AC adapter connected to the power. If we swapped batteries around between machines they would start to work normally again and the battery would charge and be usable, however, it wouldn’t be long before the machine would have battery issues again.

HP Support got us to run the Battery Check and Health Check on some affected machines as well as machines that hadn’t had any battery issues and send them the .XML files that were generated for their engineers to check. We also sent them the .nfo System Info files from MSINFO32.exe for these machines.

HP Battery Check: C:\Program Files (x86)\Hewlett-Packard\HP Battery Check\hpbc.exe

HP Health Check: C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc.exe

Running these two applications generates two log files that are stored under HP Active Support:
C:\Program Files (x86)\Hewlett-Packard\HP Active Support\Logs

Battery Check Results: HealthCheckBC.xml

<?xml version="1.0"?>
<HC_BCheck Generated="17/10/2008 11:25:39 AM">
  <Battery>
    <HealthStatus SerialNumber="2CE7412ZL5">Test Passed</HealthStatus>
    <TestResult>0</TestResult>
    <DesignCapacity>4000</DesignCapacity>
    <FullChargeCapacity>3791</FullChargeCapacity>
    <RemainingCapacity>1163</RemainingCapacity>
    <StorageCapacity>98.9473684210526</StorageCapacity>
    <MaxError>0</MaxError>
    <CycleCount>1</CycleCount>
    <Temperature>23</Temperature>
    <TerminalVoltage>11077</TerminalVoltage>
    <Current>0</Current>
    <DesignVoltage>11100</DesignVoltage>
    <BatteryManufactureName>HP                </BatteryManufactureName>
    <Status>128</Status>
    <CellVoltage1>0</CellVoltage1>
    <CellVoltage2>3688</CellVoltage2>
    <CellVoltage3>3700</CellVoltage3>
    <CellVoltage4>3700</CellVoltage4>
    <BatteryACPower>1</BatteryACPower>
    <BatterySupportedCount>2</BatterySupportedCount>
    <SerialNumber>00577 2008/04/10</SerialNumber>
    <satId>00577</satId>
    <ManufactureDate>04/10/2008</ManufactureDate>
    <Source>1</Source>
    <Table>0</Table>
    <SubTable>0</SubTable>
    <InWarranty>False</InWarranty>
    <WarrantyID>12ZL5-18100-18287-2CE74-00000-01</WarrantyID>
  </Battery>
</HC_BCheck>

HP Health Check Results: HealthCheckAC.xml

<?xml version="1.0"?>
<HC_ACheck AC_Server="h20397.www2.hp.com" Generated="25/08/2008 12:13:32 PM" HealthStatus="Poor">
  <ISSUE GUID="10007315-0281-0514-8344-020194660001">
    <STATUS>Detected</STATUS>
    <QA>True</QA>
    <URLRESULT>
    </URLRESULT>
    <FREEINFO>
      <CATEGORY>Maintenance</CATEGORY>
      <PERSISTANT value="always" timestamp="" />
      <ALERT>Please update HP Health Check by clicking on REPAIR and following the instructions.</ALERT>
      <SYMPTOM>HP Health Check update available.</SYMPTOM>
      <SEVERITY>Alert</SEVERITY>
    </FREEINFO>
  </ISSUE>
  <ISSUE GUID="10007315-0281-0514-8344-020194660047">
    <STATUS>Detected</STATUS>
    <QA>True</QA>
    <URLRESULT>
    </URLRESULT>
    <FREEINFO>
      <CATEGORY>Security</CATEGORY>
      <PERSISTANT value="always" timestamp="" />
      <ALERT>There is a critical security update available for HP Quick Launch Button software. This update removes a security vulnerability by disabling HP Info Center.  Click the GREEN button to apply the security update.</ALERT>
      <SYMPTOM>HP Quick Launch Buttons security update available.</SYMPTOM>
      <SEVERITY>Alert</SEVERITY>
    </FREEINFO>
  </ISSUE>
</HC_ACheck>

The Health Check managed to find that the machines were missing an update for the HP Quick Launch buttons, but didn’t find that there was an updated BIOS available for the 2710p. The HP Health Check seems to be pretty good at finding updates for HP software and drivers, but not so good at finding and recommending firmware updates. The issue has been resolved by updating to the latest BIOS, which for us was F.13 (F.14 is now available). All machines that had experienced battery problems have now received the BIOS update, and have not had any problems with batteries holding their charge or not being detected since then.

Mic Check // Oh Wait a minute now…

Over the last 12 months since we’ve installed our J9051A ZL Wireless Edge Services Module (WESM), we’ve had some intermittent issues with some of our wireless notebooks causing the WESM to freak out and run at 100% CPU and boot all of our wireless stations off the wireless network. These notebooks work fine on the WLAN 99% of the time but every now and then they freak out and cause problems with the TKIP integrity check.

The notebooks that we’ve had trouble with have had either an Intel or Broadcom wireless NIC:

  • Acer 3230 with WLAN: integrated Intel® PRO/Wireless 2200ABG
  • HP 1100 Tablet with WLAN: Intel PRO/Wireless LAN 2100 3B Mini PCI
  • Motion Computing Tablet with WLAN: Broadcom Wireless

We have many other 3230s on the WLAN and one other Motion tablet that are identical to the machines that we’ve had issues with, but no other machines have caused the TKIP failure. We’ve updated drivers for the wireless NICs and installed all Windows updates and still haven’t been able to correct the problem.

When the TKIP failure occurs, the CPU on the WESM hits 100% while it tries to perform the TKIP countermeasures. TechDuke has a great explanation of the TKIP Message Integrity Check (MIC), and explains that when a wireless station fails the MIC, or Michael, hash check twice within 60 seconds then all wireless stations are booted off the wireless network for a minute and forced to reconnect/re-authenticate. Zack de la Rocha was way ahead of his time when he wrote Mic Check; he explains the MIC failure perfectly…

Rage Against The Machine – Mic Check (The Battle of Los Angeles (1999))
Mic Check
Oh Wait a minute now
Ha ha ha
Come on
Wait a Minute Now
Check

The Diagnostic page on the WESM showed that the CPU had been running at 100%. As soon as we disabled Dial-in access in Active Directory for the offending notebook, we broke the RADIUS authentication and the WESM went back to running as normal.

Wireless Edge Service Log

   1: Feb 06 11:27:46 2009: %CC-4-TKIPCNTRMEASSTART: TKIP countermeasures started on wlan 1
   2: Feb 06 11:28:15 2009: %MGMT-4-OTHERREQQUED: request queued in delegated requests
   3: Feb 06 11:28:46 2009: %CC-4-TKIPCNTRMEASEND: TKIP countermeasures ended on wlan 1
   4: Feb 06 11:28:47 2009: %CC-4-TKIPMICCHECKFAIL: TKIP message integrity check failed in frame on wlan 1
   5: Feb 06 11:28:47 2009: %KERN-3-ERR: mic check failure <00-13-CE-04-FB-4A>. (pkt_len 360 prio: 0) rx: <2B-2B-02-DC-00-FF> calc: <A7-CE-2B-B8-45-C6>.
   6: Feb 06 11:28:51 2009: %CC-4-TKIPMICCHECKFAIL: TKIP message integrity check failed in frame on wlan 1

Checking the message log on the WESM, we could identify which machine was failing the MIC and which WLAN they were connected to. Line 5 shows the MIC check failure and the MAC address of the offending machine.
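The log triage described above, as an added Python example (not part of the original post and not an HP tool): it parses the WESM excerpt, lists the stations named in MIC failures, flags two failures within 60 seconds on a WLAN, and measures how long countermeasures lasted. The regexes are inferred from the six lines shown, the function names are hypothetical, and because the %CC lines carry no MAC address the 60-second window is tracked per WLAN.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log excerpt from the post above, with the "N:" line-number prefixes removed.
SAMPLE_LOG = """\
Feb 06 11:27:46 2009: %CC-4-TKIPCNTRMEASSTART: TKIP countermeasures started on wlan 1
Feb 06 11:28:15 2009: %MGMT-4-OTHERREQQUED: request queued in delegated requests
Feb 06 11:28:46 2009: %CC-4-TKIPCNTRMEASEND: TKIP countermeasures ended on wlan 1
Feb 06 11:28:47 2009: %CC-4-TKIPMICCHECKFAIL: TKIP message integrity check failed in frame on wlan 1
Feb 06 11:28:47 2009: %KERN-3-ERR: mic check failure <00-13-CE-04-FB-4A>. (pkt_len 360 prio: 0) rx: <2B-2B-02-DC-00-FF> calc: <A7-CE-2B-B8-45-C6>.
Feb 06 11:28:51 2009: %CC-4-TKIPMICCHECKFAIL: TKIP message integrity check failed in frame on wlan 1
"""

LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}): %([A-Z]+)-(\d)-([A-Z]+): (.*)$")
MAC_RE = re.compile(r"mic check failure <((?:[0-9A-F]{2}-){5}[0-9A-F]{2})>", re.I)
WLAN_RE = re.compile(r"on wlan (\d+)")

def parse(log_text):
    """Yield (timestamp, mnemonic, message) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            yield ts, m.group(4), m.group(5)

def analyse(log_text, window=timedelta(seconds=60)):
    """Return (stations, triggers, outages) found in the log."""
    stations = defaultdict(list)   # MAC -> timestamps of failed MIC checks
    fails = defaultdict(list)      # wlan -> timestamps of MIC failures
    triggers, outages, started = [], [], {}
    for ts, mnemonic, msg in parse(log_text):
        mac, wlan = MAC_RE.search(msg), WLAN_RE.search(msg)
        if mnemonic == "ERR" and mac:
            stations[mac.group(1).upper()].append(ts)
        elif mnemonic == "TKIPMICCHECKFAIL" and wlan:
            prev = fails[wlan.group(1)]
            # Two failures inside the window is the countermeasure condition.
            if prev and ts - prev[-1] <= window:
                triggers.append((wlan.group(1), prev[-1], ts))
            prev.append(ts)
        elif mnemonic == "TKIPCNTRMEASSTART" and wlan:
            started[wlan.group(1)] = ts
        elif mnemonic == "TKIPCNTRMEASEND" and wlan and wlan.group(1) in started:
            outages.append((wlan.group(1), ts - started.pop(wlan.group(1))))
    return dict(stations), triggers, outages

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run against a full log export, the `stations` result gives the MAC addresses to look up in DHCP, and repeated entries in `triggers` show how often a WLAN was pushed into countermeasures.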

We traced the offending MAC address back to its owner via the DHCP console and disabled Dial-in access for the computer and on the user account of its owner. This causes WLAN RADIUS authentication to fail the EAP-TLS auth because a valid certificate and dial-in access are required for access to that particular WLAN.

Currently we’re still running the original firmware wt.01.03 that came with the ZL module, but will update to wt.01.15 shortly and test these machines on the WLAN to see if the updated firmware can handle integrity check failure with a little more grace than the original firmware.