Archive for September 2007

McAfee versus Network Associates

Branding sucks.

McAfee formerly used the name “Network Associates”, so many of its files were placed in %ProgramFiles%\Network Associates and %AllUsersProfile%\Network Associates.

At some point, McAfee started to rebrand its program path. Program upgrades do not change the path, but new installations do. This means that you’ll have a nice mix-up of paths if you have machines installed from different sources. The new pathnames use McAfee instead of Network Associates.

IBM has the same problem: they currently sell a suite of programs called “iSeries Access”, which gets installed to %ProgramFiles%\IBM\Client Access (the former name of the suite). By now the program should really be called “System i Access” (or “i5/OS Access”), and the next rebranding is probably coming up.

OpenVPN on Windows works surprisingly well

I’ve been using OpenVPN for a few years on Linux to establish site-to-site VPNs. It has never let me down, and I was always able to get the configuration working the way I wanted it, without much effort and fiddling. Another nice ability of OpenVPN is that it can work its way through almost any firewall, which is especially handy when working with restricted internet access.

A few days ago, I got into a situation where I needed to get a site-to-site VPN up as quickly as possible, behind a restrictive firewall. I started with the obvious route, and found a few resources referring to OpenVPN on the net.

One of them is the OpenVPN GUI, which is mostly aimed at road-warrior scenarios. The Windows installation notes and the Windows section in the howto are quite sparse. As such, my expectations weren’t high.

Installing OpenVPN results in the creation of a virtual ethernet adapter that is backed by the TAP driver (which is not signed). The install went fine, and configuration was the same as on Linux.

The Windows installer automatically installs a service that defaults to a disabled state; when started, it launches OpenVPN for all *.ovpn files in %ProgramFiles%\OpenVPN\config. Simple, but efficient. Logs get written to %ProgramFiles%\OpenVPN\log.

After creating an appropriate configuration, I put it into the config dir, started the service, and everything just worked. Right out of the box. Without tinkering. Without error messages. It just worked.

As such, the application clearly shows its Linux/Unix origin, but it works nicely. Windows administrators who have never worked with a Unix-like operating system might be put off by the application. I would still suggest everyone take a look at OpenVPN for some low-cost VPN improvisations.

IBM System x3200

System x3200 Tower Front
We’ve just received a new System x3200, to serve as an infrastructure hub for our POS software at a small business customer. Unlike all other machines I’ve talked about before (HP DL320 G5, System x3650 vs. HP DL380 G5, System x3250, System x3650), this machine is a tower model. With IT moving more and more towards professional services, tower machines are getting less and less common, but many small businesses do not see the return on investment a rack-mounted server will give them. As such, IBM still produces a few decent System x servers in the tower form factor.

The x3200’s brother is the rack-mounted System x3250. Both of them are IBM’s low-end entry systems. The x3200 we sold to our customer was one of the better-endowed models, featuring redundant power supplies and hot-plug SAS disks.

The disks come in a standard 3.5″ form factor; there are no 2.5″ models available (which makes sense, as towers are not really space constrained, which is clearly visible when looking at the x3200’s bulky frame).

The exact configuration ordered:

  • System x3250 Xeon 2.13Ghz DC, with 2×512MB Base Memory, 3.5″ HP SAS, redundant PSU
  • 2x 72GB 10kRPM SAS

Unpacking and opening

System x3200 Backside
The machine was shipped in a box where you’d have thought it contained a 5-year-old desktop PC, meaning it was a bit bigger than the Lenovo ThinkCentre tower shipping boxes. As always, removing the machine from these boxes is not as much fun when you’re alone, because the polystyrene sticks to the machine.

Another thing to note is that the machine shipped without any power cables, which is normally not the case. But this might’ve been a mix-up at our distributor.

The machine itself is big and bulky (exactly as it looks on the photos), but the case is very well done, much better than the xSeries 226’s. Everything is tool-less, and the opening mechanisms for the front and side cover work nicely and fit like a glove when putting them back on.

Interiors

System x3200 insides
Even though this is a budget machine, the interior is done rather well. The cables are packed together nicely, and the system has room for expansion: 4x 3.5″ HP SAS disk trays, 3 PCI slots, 2 PCI-E slots (1x, 4x). The LSI Logic SAS RAID controller is mounted directly on the mainboard, saving expansion slots. Again, this machine only accepts 4 DIMMs, which aren’t that accessible. But this isn’t a huge problem, as maintenance on tower models has always been awkward and finicky - that’s what rack servers are for.

The machine isn’t quiet, but it isn’t loud either. I wouldn’t mind having it in my office; the noise is not the high-pitched scream you usually get from a 1U rack server. There is no inline documentation like IBM usually provides with their rack-mount servers, and there’s no LightPath diagnostics either. That’s perfectly normal for this price.

What isn’t usual for this price class is the fact that this machine has redundant power supplies. While this is the norm for more expensive servers, it isn’t for entry-level servers. The redundant power supplies do not cost a lot more than the normal model, and it’s always nice to have redundant power (as UPSes account for a large number of power failures, at least here in Switzerland).

Installing options

System x3200 disk cover
We only got a few disks with the machine, and installing them was a breeze. They are hidden behind an easily openable lid, and come in a standard IBM hot-plug mounting tray.

The machine we received had horribly outdated firmware, so the first step was to get everything up to speed. This worked fine with a USB floppy drive, as IBM’s Update CDs weren’t current (again). I still think there should be some method that does this whole box-update thing via the internet. Not sure how this could be implemented without astronomic cost, but I still want it.

System x3200 with mounted SAS HP Disks
The onboard LSI Logic RAID controller supports mirroring and striping, and brings its own horrible management software - it’s not an IBM ServeRAID family controller. I didn’t even find a way to automatically send mails in case of a disk failure.

Booting the server

We’ve installed Windows Server 2003 R2 SP2 on this machine, not using the ServerGuide procedure. Again, the install went through without any problems after supplying the LSI Logic driver on a USB floppy. I’m still waiting for Windows Server 2008, which will make this a lot easier with its Windows PE 2.0 based installer.

As far as my first impressions go, the disk performance is very good. The difference between 10kRPM SAS disks and 7.2kRPM SATA disks is quite noticeable.

Summary

Even though it’s a budget machine, the build quality and the features of the System x3200 are quite impressive (I really, really liked two PSUs in such a small machine). I still don’t like tower machines, but the System x3200 is worth its money if you don’t have a rack at a given location. The system is very well designed, and could even serve as a small business server for a very small business.

Also, the obligatory plug for DATALINE AG, which sells this server and other IBM System x or System i servers.

McAfee ProtectionPilot and VirusScan Hotfixes

McAfee ProtectionPilot can deploy hotfixes for VirusScan. The error handling for this is rather buggy, though.

If the installation of a hotfix fails, you will not notice it from the management console or from the agent logs. The agent logs will still say that the current hotfix is installed:

Product(s) running latest hotfix 15.

Pay attention to the information that can be accessed by right-clicking the tray icon - it shows the real version of VirusScan and its current hotfix level. I’ve found no way to retrieve the hotfix level using the McAfee ProtectionPilot console, but this information might be contained within the ePO database used by PRP.

Installing hotfixes manually is trivial, but it can fail if the original .msi file is missing (I’ve seen this happen on a few machines, and never found out why). The VSE800.msi should be in %PROGRAMFILES%\Network Associates\VirusScan\RepairCache. If it isn’t, retrieve it from another machine at the same path, or from within the self-extracting setup.exe that can be downloaded from mcafee.com with your grant number or is found in your PRP repository.

Resources for 5733-QU2 aka DB2 Web Query for System i

I still haven’t received my 5733-QU2 disk set, and I’m anxiously waiting for this product to be delivered.

I’ve found a few good resources on IBM’s website, which I’ve been reading in order to get started as fast as possible.

When reading the quick install guide, you’ll notice that internationalization has taken a big step backwards. And when reading the iSociety chat log, you’ll notice that the hardware requirements for Web Query are extreme - it probably won’t run on a baseline Model 520, but should on a baseline Model 515. But I’m still waiting for the final product to make up my mind.

Newest CUME for V5R4 adds a nice way to view model 5xx firmware levels

System i5 Firmware Status DSPPTF
The newest CUME for V5R4 adds a nice command key in the DSPPTF screen (F20) which shows the current firmware levels in a model 5xx system.

This information has always been available, but through a rather complicated set of keystrokes in SST/DST. Those of course still work, and you still need them if you want to change several advanced configuration options without having an HMC.

If you do not have an HMC, you usually do not need to pay as much attention to your firmware levels as someone with an HMC: without an HMC, the firmware level is managed by i5/OS. As you can only have a single i5/OS LPAR without an HMC, it’s quite clear which LPAR that is. But it still makes sense to keep your firmware level current.

Upgrading the firmware requires a “server IPL”. This means that all LPARs need to restart at the same time. It’s not possible to do the update concurrently (or “hot patching” in modern terms). IBM’s documentation for OS-managed firmware isn’t that current - the page refers to LIC V5R3M0 and V5R3M5. The currently newest firmware image for V5R4 is MH01001 - I didn’t find many references to this image on IBM’s website, maybe someone else knows more.

System i5 Firmware Status SST

The keystrokes to reach the same information in SST:

  • 1. Start a service tool
  • 4. Display/Alter/Dump
  • 1. Display/Alter storage
  • 2. Licensed Internal Code (LIC) data
  • 14. Advanced analysis
  • 1 FLASHLEVELS
  • Just press “Enter”

Strange problems with ZyXELs ZyWALL 5 and Exchange 2003

Today I’ve encountered a very interesting problem that’s very hard to track down exactly.

A small business customer was running an Exchange 2003 server behind a ZyXEL ZyWALL 5 with Anti-Spam installed and enabled. The ZyWALL forwarded port 25 to the Exchange server. This worked, for the most part, flawlessly. But a few hosts (I’ve found no distinct differences between the source hosts - ADSL, leased lines, colocated, Europe, USA) failed to get an SMTP greeting (220 customer.example.com Microsoft ESMTP MAIL Service, Version: 6.0.xx ready at Thu, xx Sep 2007 xx:xx:xx +0200).

When I disabled the Anti-Spam and pressed enter (in a telnet session to port 25), the SMTP greeting appeared. If Anti-Spam was enabled, it never appeared. But that didn’t help - Postfix still couldn’t send mails:

postfix/smtp[25010]: C65AA88075: conversation with customer.example.com[256.256.256.256] timed out while receiving the initial server greeting

I’ve looked at every setting on both the ZyWALL and the Exchange server, but didn’t find any unusual DNS or similar setting. I even disabled all the DNS lookups done by the Exchange server, but to no avail.

But after upgrading the ZyXEL ZyWALL 5’s firmware to the latest version (V4.02(XD.2)), the problem disappeared. While this wasn’t exactly the explanation I was hoping for, at least the problem was now solved.
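A small diagnostic for the symptom above, added here as an example and not part of the original post: it waits for the SMTP 220 greeting the way a sending MTA does, and a local stand-in server (constructed for the example) reproduces both a working port 25 and the silent one the failing hosts saw. The banner is the post's redacted greeting; host, port and the fake server are assumptions for the demonstration.

```python
import re
import socket
import threading
import time

# Greeting as quoted in the post (its redacted values kept as-is)
SAMPLE_BANNER = (b"220 customer.example.com Microsoft ESMTP MAIL Service, "
                 b"Version: 6.0.xx ready at Thu, xx Sep 2007 xx:xx:xx +0200\r\n")
GREETING_RE = re.compile(r"^220[ -](?P<host>\S+)\s*(?P<text>.*)$")


def probe_greeting(host, port, timeout=5.0):
    """Connect and wait for the 220 greeting the way a sending MTA does.
    Returns {"host", "text"} on success, or None when the TCP connection
    opens but no greeting arrives in time (Postfix: "timed out while
    receiving the initial server greeting"). A connect that succeeds with a
    silent peer points at something in the path, like the ZyWALL Anti-Spam
    proxy in the post, rather than at Exchange itself."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while not data.endswith(b"\r\n"):
                chunk = s.recv(512)
                if not chunk:       # peer closed without a greeting
                    return None
                data += chunk
    except OSError:                 # refused, reset or timed out
        return None
    m = GREETING_RE.match(data.decode("ascii", "replace").rstrip("\r\n"))
    return m.groupdict() if m else None


def fake_smtp_server(banner, delay=0.0):
    """Local stand-in for the customer's port 25: sends `banner` after `delay`
    seconds, or (banner=None) holds the connection open silently for `delay`
    seconds, which is what the failing sending hosts saw. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            time.sleep(delay)
            if banner is not None:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_greeting("127.0.0.1", fake_smtp_server(SAMPLE_BANNER)))
    print(probe_greeting("127.0.0.1", fake_smtp_server(None, 3.0), timeout=1.0))
```

Against a real server, run probe_greeting from several source networks: a greeting that arrives from some and never from others, while the connection itself opens, is the pattern this post describes.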

Lenovo’s new screen

Lenovo’s new screen
Lenovo is selling a new screen that can be rotated, and it finally solves the cabling problem that comes with the rotating capability.

Are your ethernet lines configured correctly?

The System i has come a long way, and so have most of its administrators. Back when I started working with networks, 10mbit Ethernet using 10BASE2 was the norm, but just a few months later I switched to 10BASE-T.

But the System i has dealt with a lot more LAN standards than I ever did: from Twinax (which still sees some use for connecting legacy printers or consoles), through Token Ring and of course some more obscure variants. IBM has moved on as far as the hardware is concerned, and all current 5xx models ship with two Gigabit ports as standard.

The problem is that many System i admins never moved away from their 10BASE-T Ethernet knowledge, and stuck with that. This leads to many ethernet lines which are not configured correctly, or not for optimal performance.

Today, Ethernet auto negotiation works perfectly. But many setups use fixed values on the System i side (like 10mbit full duplex) and leave the switch/network side on auto negotiation - this is prone to the trouble usually called a “duplex mismatch”. A duplex mismatch will not cause your ethernet line to cease functioning, but it will work at extremely degraded speeds (usually just a few kilobytes per second). If you’re just using 5250 to connect to your i5/OS instance, you won’t notice this. But as soon as you start transferring data to your System i (e.g. image catalogs), you will notice the extremely degraded performance.

Now, there are two ways to fix this problem:

Configure your System i correctly

Use DSPLIND to have a look at your Ethernet line. It should look like this:

Übertragungsgeschwindigkeit  . . . :   *AUTO
Aktuelle Übertragungsgeschw. . . . :   100M
Duplex . . . . . . . . . . . . . . :   *AUTO
Aktueller Duplexwert . . . . . . . :   *FULL

This means that you’re using autonegotiation, and the system has currently negotiated 100mbit full duplex (of course, it might’ve negotiated different values on your network, depending on the capability of your equipment).

If it looks like this, your system is not configured correctly:

Übertragungsgeschwindigkeit  . . . :   10M
Aktuelle Übertragungsgeschw. . . . :   10M
Duplex . . . . . . . . . . . . . . :   *FULL
Aktueller Duplexwert . . . . . . . :   *FULL

This means that your System i is configured to use 10mbit, full duplex no matter what the other end thinks. This can lead to the aforementioned duplex mismatches.

Fixing this is easy, but requires the Ethernet line to be varied off. So you’ll need to do this after hours, from a console:

CHGLINETH LIND(ETHLINEX)
          LINESPEED(*AUTO)
          DUPLEX(*AUTO)

After varying on the Ethernet line, you should have full network performance. Please note that not all cards support autonegotiation. The 2838 cards used in the models 170, 800 and 270 work perfectly, but if my memory serves correctly the cards that usually shipped with the model 150 did not. It might also depend on the OS level, and I don’t have a V4Rx machine around for testing. The integrated 5706 in the 5xx models also works perfectly (and also supports Gigabit speeds, if your switch supports them).

Configure the switch to use fixed values

If your DSPLIND looks like this:

Übertragungsgeschwindigkeit  . . . :   10M
Aktuelle Übertragungsgeschw. . . . :   10M
Duplex . . . . . . . . . . . . . . :   *FULL
Aktueller Duplexwert . . . . . . . :   *FULL

and you can’t or don’t want to change your line description, you will need to reconfigure the switch (or hub) to use fixed values. This is only possible if you have a managed switch or hub with a telnet/ssh/web/serial interface, and the procedure differs from manufacturer to manufacturer. It’s important that you configure the switch to exactly the same values as your System i - this makes sure that you don’t have a duplex mismatch or, much worse, a speed mismatch. I don’t recommend this approach, but it will work just as well.
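A checker for both fixes above, added as an example rather than anything from the original post: it parses the DSPLIND output shown here (the two German samples are constructed from the post), reports a configured speed or duplex value that is not *AUTO, and builds the CHGLINETH command. The English field labels and the line description name ETHLINEX are assumptions.

```python
import re

# Constructed DSPLIND output with the German labels from the post: a correctly
# configured line and one fixed to 10 Mbit full duplex.
DSPLIND_OK = """\
Übertragungsgeschwindigkeit  . . . :   *AUTO
Aktuelle Übertragungsgeschw. . . . :   100M
Duplex . . . . . . . . . . . . . . :   *AUTO
Aktueller Duplexwert . . . . . . . :   *FULL
"""
DSPLIND_FIXED = """\
Übertragungsgeschwindigkeit  . . . :   10M
Aktuelle Übertragungsgeschw. . . . :   10M
Duplex . . . . . . . . . . . . . . :   *FULL
Aktueller Duplexwert . . . . . . . :   *FULL
"""

# Labels to recognise. The German ones are from the post; the English ones
# are assumed equivalents for an English-language i5/OS.
LABELS = {
    "speed": ("Übertragungsgeschwindigkeit", "Line speed"),
    "cur_speed": ("Aktuelle Übertragungsgeschw", "Current line speed"),
    "duplex": ("Duplex", "Duplex"),
    "cur_duplex": ("Aktueller Duplexwert", "Current duplex"),
}

# "<label> . . . :   <value>", with a dot leader of any length
FIELD_RE = re.compile(r"^\s*(?P<label>.+?)\s*(?:\.\s*)*:\s*(?P<value>\S+)\s*$")


def parse_dsplind(text):
    """Return {field: value} for the speed/duplex fields found in DSPLIND output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            for key, names in LABELS.items():
                if m.group("label") in names:
                    fields[key] = m.group("value")
    return fields


def check_ethernet_line(text, lind="ETHLINEX"):
    """Flag a configured (not negotiated) speed or duplex value, which invites a
    mismatch against a switch port left on auto negotiation, and build the
    CHGLINETH command from the post that puts the line back on *AUTO."""
    f = parse_dsplind(text)
    findings = []
    if f.get("speed") != "*AUTO":
        findings.append(f"line speed fixed to {f.get('speed')}")
    if f.get("duplex") != "*AUTO":
        findings.append(f"duplex fixed to {f.get('duplex')}")
    fix = f"CHGLINETH LIND({lind}) LINESPEED(*AUTO) DUPLEX(*AUTO)" if findings else None
    return {"ok": not findings, "findings": findings, "fix": fix,
            "negotiated": (f.get("cur_speed"), f.get("cur_duplex"))}
```

If you take the second route and fix the switch port instead, the "negotiated" pair is what the switch side must be set to, exactly.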

My control panel displays HMC = 0, and I don’t have an HMC

After IBM shipped us a new 515, the control panel displayed “HMC = 0”. The machine wasn’t ordered with an HMC; the customer wanted to use it with his already existing Twinax console.

Resetting the machine to a non-HMC state without an HMC is not clearly documented, but still easily doable, as long as you can access the ASMI.

Accessing the ASMI is a simple process; all you need is a laptop and a piece of CAT5 cable. From there, you can reset the ASMI, which will remove the HMC affinity from the control panel display.

Problems might arise if someone screwed up and you no longer know the IP addresses of the two FSP ports on the back (labeled HMC 1 and HMC 2). In this case, you need to remove the FSP assembly and switch the DIP switch or jumper located on it to the other position (you can leave it there after doing so). This is a bit more invasive, but easily doable.