Simple VPN Configuration Between ASA and PAN Device

Basic CLI configuration settings to bring up a site-to-site VPN tunnel between a Cisco ASA and a Palo Alto Networks (PAN) device. Each phase lists the ASA side first and the matching PAN configuration second.

Phase 1 Proposal

ASA:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

PAN:
<ike-crypto-profiles>
<entry name="default">
<encryption>
<member>aes192</member>
<member>aes256</member>
<member>aes128</member>
<member>3des</member>
</encryption>
<hash>
<member>sha1</member>
<member>md5</member>
</hash>
<dh-group>
<member>group2</member>
<member>group1</member>
</dh-group>
<lifetime>
<hours>24</hours>
</lifetime>
</entry>
</ike-crypto-profiles>

P2 Proposal

ASA:
crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set palo-alto

PAN:
<ipsec-crypto-profiles>
<entry name="default">
<esp>
<encryption>
<member>aes256</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</esp>
<dh-group></dh-group>
<lifetime>
<hours>24</hours>
</lifetime>
</entry>
</ipsec-crypto-profiles>

Gateway:

ASA:
crypto map outside 20 set peer 70.98.39.8
tunnel-group 70.98.39.8 type ipsec-l2l
tunnel-group 70.98.39.8 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold infinite
prompt hostname context
Cryptochecksum:2e764f8b78fffa0bef7a212795ec0ebe

PAN:
<gateway>
<entry name="Loyalty.ASA">
<peer-address>
<ip>67.88.212.253</ip>
</peer-address>
<local-address>
<ip>70.98.39.8/24</ip>
<interface>ethernet1/1</interface>
</local-address>
<authentication>
<pre-shared-key>
<key>k2VXNMN7gOjEFUe6y8ALut8vWzxw5TY0</key>
</pre-shared-key>
</authentication>
<protocol>
<ikev1>
<exchange-mode>auto</exchange-mode>
<ike-crypto-profile>default</ike-crypto-profile>
<dpd>
<enable>yes</enable>
<interval>10</interval>
<retry>3</retry>
</dpd>
</ikev1>
</protocol>
</entry>
</gateway>

P2 – proxy ID/tunnel

ASA:
access-list PDX2CLUBFED extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address PDX2CLUBFED

PAN:
<tunnel>
<ipsec>
<entry name="LoyTunnel">
<anti-replay>no</anti-replay>
<copy-tos>no</copy-tos>
<tunnel-monitor>
<enable>no</enable>
</tunnel-monitor>
<tunnel-interface>tunnel.1</tunnel-interface>
<auto-key>
<ike-gateway>
<entry name="Loyalty.ASA"/>
</ike-gateway>
<ipsec-crypto-profile>default</ipsec-crypto-profile>
<proxy-id>
<local>10.61.0.0/16</local>
<remote>10.211.168.0/22</remote>
</proxy-id>
</auto-key>
</entry>
</ipsec>
</tunnel>
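As an added example (not part of the original post, and not code from Cisco or Palo Alto Networks), the following Python script parses an ASA phase-1 policy and transform set alongside the PAN crypto-profile XML, checks that what the ASA proposes is among what the PAN profiles accept (a mismatch is the usual reason a tunnel like this never comes up), and lists which of the configured algorithms are commonly flagged as weak (DES, 3DES, MD5, DH groups 1 and 2). The sample inputs are constructed to mirror the snippets above; the `ASA_TO_PAN` keyword mapping and the `WEAK` set are my own assumptions about how the two vendors name the same algorithms and which ones to flag.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the ASA lines in the post (phase-1 policy and
# phase-2 transform set). Not captured from a real device.
ASA_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
"""

# Constructed sample mirroring the PAN crypto profiles in the post, wrapped in
# <crypto-profiles> so it parses as one document.
PAN_CONFIG = """<crypto-profiles>
 <ike-crypto-profiles>
  <entry name="default">
   <encryption><member>aes192</member><member>aes256</member><member>aes128</member><member>3des</member></encryption>
   <hash><member>sha1</member><member>md5</member></hash>
   <dh-group><member>group2</member><member>group1</member></dh-group>
   <lifetime><hours>24</hours></lifetime>
  </entry>
 </ike-crypto-profiles>
 <ipsec-crypto-profiles>
  <entry name="default">
   <esp>
    <encryption><member>aes256</member></encryption>
    <authentication><member>sha1</member></authentication>
   </esp>
   <dh-group></dh-group>
   <lifetime><hours>24</hours></lifetime>
  </entry>
 </ipsec-crypto-profiles>
</crypto-profiles>
"""

# Assumed mapping of ASA keywords onto PAN member names so both sides compare directly.
ASA_TO_PAN = {
    "des": "des", "3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256",
    "md5": "md5", "sha": "sha1",
    "esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128", "esp-aes-192": "aes192",
    "esp-aes-256": "aes256", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
}

# Algorithms and DH groups commonly flagged as weak or deprecated (assumed policy).
WEAK = {"des", "3des", "md5", "group1", "group2"}


def parse_asa(text):
    """Return (phase1, phase2) dicts from an ASA snippet; values use PAN member names."""
    p1, p2 = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(encryption|hash|group|lifetime)\s+(\S+)$", line)
        if m:
            key, val = m.groups()
            if key == "group":
                p1["dh"] = "group" + val
            elif key == "lifetime":
                p1["lifetime_s"] = int(val)
            elif key == "encryption":
                p1["enc"] = ASA_TO_PAN.get(val, val)
            else:
                p1["hash"] = ASA_TO_PAN.get(val, val)
            continue
        m = re.match(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$", line)
        if m:
            name, enc, auth = m.groups()
            p2 = {"name": name, "enc": ASA_TO_PAN.get(enc, enc), "auth": ASA_TO_PAN.get(auth, auth)}
    return p1, p2


def parse_pan(xml_text, ike_profile="default", ipsec_profile="default"):
    """Return (phase1, phase2) dicts listing every member the named PAN profiles offer."""
    root = ET.fromstring(xml_text)
    ike = root.find(f"ike-crypto-profiles/entry[@name='{ike_profile}']")
    ipsec = root.find(f"ipsec-crypto-profiles/entry[@name='{ipsec_profile}']")

    def members(el, path):
        return [m.text for m in el.findall(path + "/member")]

    p1 = {
        "enc": members(ike, "encryption"),
        "hash": members(ike, "hash"),
        "dh": members(ike, "dh-group"),
        "lifetime_s": int(ike.findtext("lifetime/hours")) * 3600,
    }
    p2 = {"enc": members(ipsec, "esp/encryption"), "auth": members(ipsec, "esp/authentication")}
    return p1, p2


def check(asa_text, pan_text):
    """Report proposal mismatches and weak algorithms between an ASA and a PAN peer."""
    asa_p1, asa_p2 = parse_asa(asa_text)
    pan_p1, pan_p2 = parse_pan(pan_text)
    mismatches = []
    # Phase 1: the single ASA policy must be among what the PAN IKE profile offers.
    for key in ("enc", "hash", "dh"):
        if asa_p1[key] not in pan_p1[key]:
            mismatches.append(f"phase1 {key}: ASA {asa_p1[key]} not offered by PAN {pan_p1[key]}")
    if asa_p1["lifetime_s"] != pan_p1["lifetime_s"]:
        mismatches.append(f"phase1 lifetime: ASA {asa_p1['lifetime_s']}s vs PAN {pan_p1['lifetime_s']}s")
    # Phase 2: the transform set must be among what the PAN IPsec profile offers.
    for key in ("enc", "auth"):
        if asa_p2[key] not in pan_p2[key]:
            mismatches.append(f"phase2 {key}: ASA {asa_p2[key]} not offered by PAN {pan_p2[key]}")
    # What this tunnel will actually use (the ASA side is a single choice) versus
    # everything the PAN profiles would still accept from another peer.
    used = {asa_p1["enc"], asa_p1["hash"], asa_p1["dh"], asa_p2["enc"], asa_p2["auth"]}
    offered = set(pan_p1["enc"] + pan_p1["hash"] + pan_p1["dh"] + pan_p2["enc"] + pan_p2["auth"])
    return {
        "mismatches": mismatches,
        "weak_in_use": sorted(used & WEAK),
        "weak_offered_by_pan": sorted(offered & WEAK),
    }


if __name__ == "__main__":
    for key, val in check(ASA_CONFIG, PAN_CONFIG).items():
        print(f"{key}: {val}")
```

Run as-is, it reports no mismatches for the post's configuration, 3des and group2 as what the tunnel will actually use, and that the PAN profiles would additionally accept group1 and md5 from any peer that proposes them. Trimming the PAN member lists down to what the ASA actually proposes, and moving both sides off 3DES and DH group 2, is the usual clean-up once the tunnel is confirmed working.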

Microsoft: DPM2010, troubleshooting errors

System Center Data Protection Manager (DPM) 2010 is a server-based application that enables disk-based and tape-based data protection and recovery for computers in and across Active Directory domains. DPM performs replication, synchronization, and recovery point creation to provide reliable protection and rapid recovery of data both by system administrators and by end-users. DPM uses replication, the Volume Shadow Copy Service (VSS) infrastructure, and a policy-driven engine to provide businesses of all sizes with nearly continuous protection and rapid, reliable data recovery.

Troubleshooting:

There are three types of errors that I have run into; they are the following:

  • Replica is inconsistent
  • Recovery point creation failed
  • Unable to configure protection

All of these errors generate a critical alarm in the Monitoring tab. They are in fact very critical, since they could mean no backup at all for the affected server/client. But do not panic: they are in fact easy to get working again. All you have to do is follow the steps in this troubleshooting guide. This is an example of how it could look:

Replica is inconsistent

This alert is generated when the replica of the specified volume on the DPM server is inconsistent with the data source. All protection activities for the data source will fail until the replica is made consistent with the data source by performing synchronization with consistency check.

Possible causes for an inconsistent replica include:

  • The consistency check that DPM automatically performs on a newly created replica during replica creation has not yet been performed.
  • The synchronization log on the file server ran out of space before all data changes to the data source were logged.
  • DPM determined that the file server shut down unexpectedly.

If a daily consistency check is scheduled, DPM will automatically perform the consistency check at the next scheduled time.

Recovery point creation failed

This alert is generated when DPM fails to create a recovery point for a data source. Data Protection Manager (DPM) creates recovery points for each data source from which you can recover data.

The error conditions and recommended actions associated with each “Recovery point creation failed” alert are provided in the alert details for the DPM alert. Follow the recommended action in the alert, and retry the job. You can access the recovery points on the DPM server to recover previous versions of data. You can manually create a recovery point in the protection task area.

Unable to configure protection

DPM periodically contacts the DPM agents to check connectivity status. This alert is generated when the DPM server has not been able to contact the specified file server since the specified time. If the connection is not established, subsequent data protection jobs will fail. The error conditions and recommended action associated with each connection failure are provided with the alert. Some common causes include:

  • File server is not available: the file server has been shut down or has been disconnected from the network and cannot be contacted.
  • The DPM File Agent is not compatible with the DPM software: a more recent version of Data Protection Manager has been installed on the DPM server, but the DPM File Agent on the file server has not been updated.
  • File server is behind a firewall: firewall settings on the DPM server or the file server are preventing the DPM server from communicating with the file server.

1. Make sure the client's agent is reachable and working correctly: navigate to Management > Agents > Refresh.

2. On the client server, start CMD in administrator mode. Navigate to C:\Program Files\Microsoft Data Protection Manager\DPM\BIN and enter the following:

SetDpmServer.exe -DPMServerName DPMSERVER.yourdomain.com

3. If it is a server that is not on the same domain as the DPM server, use this instead:

SetDpmServer.exe -DPMServerName adm-sto-vsh-10.admin -isNonDomainServer -userName "LocalWindowsaccount" -productionserverdnssuffix "Domain".yourdomain.com

It will prompt you for the password; enter the password and the configuration will complete successfully.

4. Restart the server.

5. Perform the consistency check manually again. And we should be done.

6. If this did not help, uninstall the client agent and install it again, then repeat steps 2 and 3.

//Karl

Microsoft: Reduce SharePoint Database Log File (WSS_Content_log.LDF)

SharePoint config database logs are one thing to keep an eye on, since they have a tendency to grow. If you don't perform full farm backups, the log usually doesn't get emptied and just keeps bloating.

If you're running SQL Server Express with the default installation, you can find the files in C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data

As we see in the example above, even though the database is only 9 GB, the log file grew to 34 GB. Let's reduce that:

1. If you don't have it yet, download and install SQL Server Management Studio Express from here.

2. Run Management Studio and connect to your SQL Server.

3. Expand "Databases" and select your config database, "SharePoint_Config".

4. Right-click it and select Tasks –> Shrink –> Files.

5. In the new window select "Release unused space" and click OK.

SAN v7000: How to fix broken HTTP web-GUI

I thought I would never write about storage on this blog, but it turns out strange things happen to SANs as well. I do not normally work with SANs that much; the ones I am familiar with are the IBM DS3400 and Storwize V7000. Today the V7000 stopped answering on HTTPS, so we could not manage it with the web GUI.

Luckily one of the nodes still had its HTTP service up. So here is what I did:

  1. Connect to the node.
  2. Choose the node you would like to restart Tomcat (the web server) on.
  3. Go to "Restart Service".
  4. Choose to restart the web server (Tomcat).

If you do not have the same amount of luck as I had, you will have to restart the web server using the CLI. You can only run satask commands if you connected to the CLI using the SSH private key associated with the user called superuser. No other SSH key will allow you to run satask commands:

sainfo lsservicenodes

panel_name cluster_id       cluster_name  node_id node_name relation node_status error_data
01-1       000002006540697C ldcluster-22b 1       node1     local    Active
01-2       000002006540697C ldcluster-22b 3       node2     partner  Active

To find out which node is the configuration node, run the following command:

sainfo lsservicestatus <panel name>

The following line tells you which node is the config node:

...
node_id 1
node_name node1
node_status Active
config_node Yes
hardware 100
service_IP_address 9.71.49.17
service_gateway 9.71.48.1
...

Use the following command to restart the web service on the configuration node:

satask restartservice -service tomcat <panel name>

Wait at least 5 minutes for the service to restart before assuming that this has failed.

If this does not solve your problem, you should restart the canister that the configuration node is on. Remember to connect to the node that is not the configuration node and restart the "partner". If you are unable to get it reset, reset the canister physically; that is, pull it out a few inches from the chassis and then insert it again after 30 seconds.

Microsoft: User State Virtualization

Problem: Working with roaming profiles and getting corrupted profiles saying "User Profile Service service failed to logon"? The company's users are getting upset and angry because they can't get in and work? Users say it takes ages to log on while their profiles load?

We have experienced that, and today we are changing our User State Virtualization tactics. We will no longer offer central profiles to our users, and we will no longer have to reset their corrupted profiles, because we are leaving them behind!

Today’s scenario :

A user with a home folder + a central profile with a 30 MB area. What is in the profile? Well, Outlook signatures, desktop items, IE favorites, and other Windows settings (AppData).

Tomorrows scenario :

Users with a home folder + NO CENTRAL PROFILE; instead we are going to use Folder Redirection. This means all of the users' content gets moved to wherever we choose in our Group Policy with Folder Redirection; in this case we are going to use their home folder. This gives us faster logon, since no central profile is loaded; it gives the users the possibility to save very large files on their desktop, since the desktop is no longer bound to their profile; and it gives the IT department fewer headaches administering corrupted central profiles.

Configuration: 

  1. Create a GPO within the domain, with Folder Redirection
  2. Select a group of users which the GPO will be applied to
  3. Create a PowerShell script for removing profiles
  4. Schedule the script
  5. And wait!

1. The first thing we will do is to create the GPO with Folder Redirection and Attachment Manager security, so create the GPO in your domain:

Edit its settings, navigate to User Configuration > Windows Settings > Folder Redirection, and edit as follows:

This will create a new folder in the user's home folder when they log in, move the user's central AppData into it, and redirect AppData there. By using %HOMESHARE%, Windows understands that it should put it in the user's home folder specified on the user object in AD. Do this for all of the folders you would like to get redirected (Desktop, Favorites, etc.).

The next step is optional, but you will probably want to configure it, since it is a pain for end users: redirection makes items located in the taskbar (pinned items) warn the user that they are opening items from an unsafe location. There are two ways of doing this: either configure IE settings with a GPO, or configure the Attachment Manager security policies. I will show you how to configure Attachment Manager. Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Attachment Manager, edit "Inclusion list for low file types", and set it as follows:

This will make exclusions for the taskbar shortcuts. Set it to .exe;.lnk and save it.

2. Create a group within your domain; this group is linked to the GPO.

OK so, as soon as the users log on to their computers, the Group Policy will create and move files to the users' home folders. In this example I am applying it to 100 user accounts. I know for certain that they will not all sign in within the next 10 days, so I set a limit of 30 days. After 30 days I will remove the users' profiles. By then I know at least 95% of my users will have logged on at least once. Those who haven't will still get Folder Redirection, but it won't move their old files, so I will have to do that manually.

3. Create the PowerShell script to remove the users' profile paths:

function ProfileWipe([string]$adgroup)
{
    # Ask for the group name if it was not passed as a parameter
    if (!$adgroup) { $adgroup = Read-Host "AD group name" }
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity $adgroup | Select-Object SamAccountName | ForEach-Object {
        # select the user from AD with default properties + ProfilePath and LastLogon
        $user = Get-ADUser $_.SamAccountName -Properties ProfilePath, LastLogon
        # back up the old profile path together with the user name, so it can be put back if needed
        Add-Content "C:\profilepaths.txt" "$($user.SamAccountName)`t$($user.ProfilePath)"
        # clear the profile path so the user no longer loads a central profile
        Set-ADUser $_.SamAccountName -ProfilePath $null
    }
}

This will get the members of the AD group passed to it (in our case "No Profile Users"). It will remove the profile path of every user, replacing it with $null. It will also export a text file of the user names and their old profile paths, so you can Ctrl + F a user and put the path back if something goes wrong. Please bear in mind that you should not run this script until you know that all of the users in the group have logged on at least once since you activated Folder Redirection.

The last thing we will do is to create a scheduled task and a .bat file. Save the script as ProfileWipe.ps1 (the path below is an example; adjust it to where you saved it), create the .bat and paste:

powershell.exe -Command ". C:\Scripts\ProfileWipe.ps1; ProfileWipe 'No Profile Users'"

Schedule this for any time you would like. And we are done. This may create other problems than the ones we are experiencing with central profiles, but it is worth a try, and I will come back with feedback.

// Karl