When you check the status of a certificate in Exchange, it is displayed as ‘Invalid’ and the details show that the revocation check has failed.
Solution
This can happen if your certificate CA has its CRL or OCSP information set up incorrectly, or the Exchange server simply cannot access it to verify the validity of the certificate. If you are using your own CA, the correct way to fix the problem is to set up a CRL or an OCSP responder properly.
However, there may be some circumstances where you want the certificate to work but don’t have the time/inclination to fix the CRL/OCSP. I found myself in this situation on my test network. I wanted to use this certificate, but it was quicker to ‘hack’ Exchange than to fix the CRL and reissue certificates.
This is more a workaround than a fix: you can get Exchange to not bother enforcing the revocation check. It will still show as having a revocation error, but it won’t be flagged as ‘invalid’.
I was setting up a print server yesterday, and when I tried to add the print server role it failed with this error:
Unable to obtain feature list error 0x800f0902
Solution
Internet searching was pointing to a problem with the ‘Task Scheduler Service’ and suggested stopping it, which I was unable to do. It turned out my server had just finished installing Windows updates and needed a reboot (it was a new deployment). After the reboot it was fine.
I was working on some Server 2012 R2 servers this morning, and every time I tried to launch IE, instead of the normal IE 11 it stubbornly kept opening the IE app.
Solution
Hit the Windows key > type ‘internet options’ > make the following changes:
Programs tab > Opening Internet Explorer > select ‘Always in Internet Explorer on the desktop’ > Apply > OK.
Usually when I’m asked to set up Active/Active I cringe, not because it’s difficult, but simply because people assume Active/Active is better than Active/Standby. I hear comments like ‘we have paid for both firewalls, let’s use them’, or ‘I want to sweat both assets’.
The only real practical use cases I can think of for Active/Active are:
You have a multi-tenancy environment and want to offer your tenants failover firewall capability.
You have multiple LAN subnets and want to split them through different firewalls.
What Active/Active Won’t Give You
Load balancing: It’s a firewall! If you want load balancing, buy a load balancer! People assume that because both firewalls are passing traffic they must be load balancing; they don’t. In fact, they don’t even pass traffic from the same subnet.
VPNs: Yes, there are no VPNs with Active/Active. (This is 100% the case up to and including version 9.0; after version 9.0 they have stopped saying it’s not supported, but don’t say it’s supported either.)
Deploy Cisco ASA in Active/Active Failover
Here’s what I’m going to set up:
For a more ‘logical’ view, here’s what is actually being set up:
1. Make sure the licences on the firewalls allow multiple contexts and Active/Active. For the 5510, 5512-X and 5508-X that means Security Plus; for all other models a ‘base’ licence is required. (Note: This CANNOT be done on an ASA 5505 or 5506-X.)
[box]
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
——OUTPUT REMOVED FOR THE SAKE OF BREVITY—
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
——OUTPUT REMOVED FOR THE SAKE OF BREVITY—
Configuration last modified by enable_15 at 08:04:40.249 UTC Wed Oct 14 2015
ciscoasa(config)#
[/box]
2. Put the firewalls in Multiple context mode.
[box]
ciscoasa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration - this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
[/box]
3. Let it reboot.
4. Make sure the firewall is in routed mode and multiple context mode; repeat on the other firewall.
[box]
ciscoasa> enable
Password: *********
ciscoasa# show mode
Security context mode: multiple
ciscoasa# show firewall
Firewall mode: Router
ciscoasa#
[/box]
5. Once ASA1 is back up, give it a sensible hostname, ensure all the physical interfaces (and any sub-interfaces) are NOT shut down (they are shut down by default), and add them to the relevant VLANs.
6. The failover link NEEDS to be configured and used by the SYSTEM context, so it’s configured here. (Note: I’m using the same physical interface for LAN and stateful failover information.)
[box]
PHYSICAL-ASA(config)# failover lan unit primary
PHYSICAL-ASA(config)# failover lan interface FAILOVER GigabitEthernet2
INFO: Non-failover interface config is cleared on GigabitEthernet2 and its sub-interfaces
PHYSICAL-ASA(config)# failover link FAILOVER GigabitEthernet2
PHYSICAL-ASA(config)# failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
PHYSICAL-ASA(config)#
[/box]
7. You can only have TWO failover groups (you can have many contexts, depending on the licence on your firewall).
[box]
PHYSICAL-ASA(config)# changeto context vASA1
PHYSICAL-ASA/vASA1(config)# interface outside_vASA1
PHYSICAL-ASA/vASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
PHYSICAL-ASA/vASA1(config-if)# ip address 123.123.123.123 255.255.255.0 standby 123.123.123.124
PHYSICAL-ASA/vASA1(config-if)# no shut
PHYSICAL-ASA/vASA1(config-if)# interface inside_vASA1
PHYSICAL-ASA/vASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
PHYSICAL-ASA/vASA1(config-if)# ip address 10.5.100.1 255.255.255.0 standby 10.5.200.2
PHYSICAL-ASA/vASA1(config-if)# no shut
PHYSICAL-ASA/vASA1(config-if)# exit
PHYSICAL-ASA/vASA1(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.1
PHYSICAL-ASA/vASA1(config)# monitor-interface inside
PHYSICAL-ASA/vASA1(config)# monitor-interface outside
PHYSICAL-ASA/vASA1(config)# object network obj_any
PHYSICAL-ASA/vASA1(config-network-object)# subnet 0.0.0.0 0.0.0.0
PHYSICAL-ASA/vASA1(config-network-object)# nat (inside,outside) dynamic interface
PHYSICAL-ASA/vASA1(config-network-object)# exit
PHYSICAL-ASA/vASA1(config)# exit
PHYSICAL-ASA/vASA1#
[/box]
11. Now configure vASA2.
[box]
PHYSICAL-ASA/vASA1(config)# changeto context vASA2
PHYSICAL-ASA/vASA2(config)# interface inside_vASA2
PHYSICAL-ASA/vASA2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
PHYSICAL-ASA/vASA2(config-if)# ip address 10.6.200.1 255.255.255.0 standby 10.6.200.2
PHYSICAL-ASA/vASA2(config-if)# no shut
PHYSICAL-ASA/vASA2(config-if)# interface outside_vASA2
PHYSICAL-ASA/vASA2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
PHYSICAL-ASA/vASA2(config-if)# ip address 120.120.120.120 255.255.255.0 standby 120.120.120.122
PHYSICAL-ASA/vASA2(config-if)# exit
PHYSICAL-ASA/vASA2(config)# route outside 0.0.0.0 0.0.0.0 120.120.120.1
PHYSICAL-ASA/vASA2(config)# object network obj_any
PHYSICAL-ASA/vASA2(config-network-object)# subnet 0.0.0.0 0.0.0.0
PHYSICAL-ASA/vASA2(config-network-object)# nat (inside,outside) dynamic interface
PHYSICAL-ASA/vASA2(config-network-object)# exit
PHYSICAL-ASA/vASA2(config)#
[/box]
12. Go back to the System context and save ALL the changes.
[box]
PHYSICAL-ASA/vASA2(config)# changeto system
PHYSICAL-ASA(config)# wr mem all
Building configuration...
Saving context : system : (000/003 Contexts saved)
Cryptochecksum: e63d00e3 18224da1 be9d77c6 27c6e54d
2109 bytes copied in 0.300 secs
Saving context : admin : (001/003 Contexts saved)
Cryptochecksum: f2f07827 f2784851 89925ac1 86c1e96f
974 bytes copied in 0.330 secs
Saving context : vASA1 : (002/003 Contexts saved)
Cryptochecksum: 037e3a39 fe10e4d0 ff72d306 36fcf1ed
1930 bytes copied in 0.330 secs
Saving context : vASA2 : (003/003 Contexts saved)
Cryptochecksum: e9024f22 53ad6316 70f7ccad 4394c81c
1879 bytes copied in 0.230 secs
[OK]
PHYSICAL-ASA(config)#
[/box]
Note: Configuration on the main (physical) firewall is complete; the ‘failover’ configuration now needs to be set up on the second physical ASA.
13. On the ‘Secondary’ physical ASA:
[box]
ciscoasa# configure terminal
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# interface gigabitEthernet 0.1
ciscoasa(config-subif)# no shut
ciscoasa(config-subif)# vlan 800
ciscoasa(config-subif)# interface gigabitEthernet 0.2
ciscoasa(config-subif)# no shut
ciscoasa(config-subif)# vlan 900
ciscoasa(config-subif)# interface gigabitEthernet 1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# interface gigabitEthernet 1.1
ciscoasa(config-subif)# no shut
ciscoasa(config-subif)# vlan 100
ciscoasa(config-subif)# interface gigabitEthernet 1.2
ciscoasa(config-subif)# no shut
ciscoasa(config-subif)# vlan 200
ciscoasa(config-subif)# exit
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)# failover lan interface FAILOVER GigabitEthernet2
INFO: Non-failover interface config is cleared on GigabitEthernet2 and its sub-interfaces
ciscoasa(config)# failover link FAILOVER GigabitEthernet2
ciscoasa(config)# failover interface ip FAILOVER 172.16.1.1 255.255.255.0 standby 172.16.1.2
ciscoasa(config)#
[/box]
14. Remember failover is off by default, and we have not switched it on; this needs to be done on both of the physical ASAs (primary and secondary). Note: Make sure the ‘failover’ interface is NOT in a shut down state first!
[box]
Secondary
ciscoasa(config)# interface GigabitEthernet2
ciscoasa(config)# no shut
ciscoasa(config)# failover
ciscoasa(config)#
Primary
PHYSICAL-ASA(config)# int gigabitEthernet 2
PHYSICAL-ASA(config-if)# no shut
PHYSICAL-ASA(config)# failover
PHYSICAL-ASA(config)#
[/box]
Note: If building in GNS3, sometimes you need to put a switch in the middle of the ‘backup link’ or the firewalls don’t detect each other!
17. Top Tip: Remember that you need to make the changes on the active firewall context in the correct failover group. Change the firewall prompt to show you all this information.
[box]
PHYSICAL-ASA# conf t
PHYSICAL-ASA(config)# prompt hostname context priority state
PHYSICAL-ASA/pri/act(config)#
[/box]
Note: The moral of the story is that you need to be aware of which physical firewall you are on (primary or secondary), what state you are in (active or standby) and what context you are in (vASA1 or vASA2). So in this example, to make a change to vASA2 you would need to go to Secondary/Standby/vASA2 to edit the active firewall (confusing, eh! That’s why I change the firewall prompt).
Now you will want to test things, probably by pinging. Don’t forget ICMP inspection is not enabled by default, and you will need to enable it (in each context).
[box]
vASA1 (as specified above), make sure it says ‘act’ on the end of the prompt.
PHYSICAL-ASA/pri/act(config)# changeto context vASA1
PHYSICAL-ASA/vASA1/pri/act(config)# policy-map global_policy
PHYSICAL-ASA/vASA1/pri/act(config-pmap)# class inspection_default
PHYSICAL-ASA/vASA1/pri/act(config-pmap-c)# inspect icmp
PHYSICAL-ASA/vASA1/pri/act(config-pmap-c)# exit
PHYSICAL-ASA/vASA1/pri/act(config-pmap)# exit
PHYSICAL-ASA/vASA1/pri/act(config)# exit
PHYSICAL-ASA/vASA1/pri/act#
vASA2 (as specified above), make sure it says ‘act’ on the end of the prompt.
PHYSICAL-ASA/sec/stby# changeto context vASA2
PHYSICAL-ASA/vASA2/sec/act# conf t
PHYSICAL-ASA/vASA2/sec/act(config)# policy-map global_policy
PHYSICAL-ASA/vASA2/sec/act(config-pmap)# class inspection_default
PHYSICAL-ASA/vASA2/sec/act(config-pmap-c)# inspect icmp
PHYSICAL-ASA/vASA2/sec/act(config-pmap-c)# exit
PHYSICAL-ASA/vASA2/sec/act(config-pmap)# exit
PHYSICAL-ASA/vASA2/sec/act(config)# exit
[/box]
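The step numbering above jumps from 7 to 11, and the system-context configuration that step 7 refers to (the two failover groups, the contexts and their interface allocations) is not shown on this page. The following is an added example, not output from the page, of what that configuration typically looks like on the primary unit; it assumes the sub-interfaces from step 13 are split as Gi0.1/Gi1.1 to vASA1 and Gi0.2/Gi1.2 to vASA2, that vASA1 sits in failover group 1 (active on the primary) and vASA2 in group 2 (active on the secondary, as the prompts in step 17 imply), and that context configs are stored on disk0:.

```text
! Added example, not output from the page: the system-context configuration that
! step 7 refers to. Assumes Gi0.1/Gi1.1 go to vASA1 and Gi0.2/Gi1.2 to vASA2, and
! that the context configs are stored on disk0: (both are assumptions).
PHYSICAL-ASA(config)# failover group 1
PHYSICAL-ASA(config-fover-group)# primary
PHYSICAL-ASA(config-fover-group)# preempt
PHYSICAL-ASA(config-fover-group)# exit
! Group 2 is active on the secondary unit, which is why step 17 edits vASA2 there.
PHYSICAL-ASA(config)# failover group 2
PHYSICAL-ASA(config-fover-group)# secondary
PHYSICAL-ASA(config-fover-group)# preempt
PHYSICAL-ASA(config-fover-group)# exit
! Each context gets its own sub-interfaces under the mapped names used in steps 7 and 11;
! unassigned contexts (including admin) sit in group 1 by default.
PHYSICAL-ASA(config)# context vASA1
PHYSICAL-ASA(config-ctx)# allocate-interface GigabitEthernet0.1 outside_vASA1
PHYSICAL-ASA(config-ctx)# allocate-interface GigabitEthernet1.1 inside_vASA1
PHYSICAL-ASA(config-ctx)# config-url disk0:/vASA1.cfg
PHYSICAL-ASA(config-ctx)# join-failover-group 1
PHYSICAL-ASA(config-ctx)# exit
PHYSICAL-ASA(config)# context vASA2
PHYSICAL-ASA(config-ctx)# allocate-interface GigabitEthernet0.2 outside_vASA2
PHYSICAL-ASA(config-ctx)# allocate-interface GigabitEthernet1.2 inside_vASA2
PHYSICAL-ASA(config-ctx)# config-url disk0:/vASA2.cfg
PHYSICAL-ASA(config-ctx)# join-failover-group 2
PHYSICAL-ASA(config-ctx)# exit
! Once failover is enabled on both units (step 14), confirm which unit is active for
! each group before editing a context, so the change lands on the active unit and is
! replicated to the standby rather than being overwritten.
PHYSICAL-ASA(config)# show failover
```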
I usually only have to do this on very small sites, or occasionally on the test bench; most of the time we will have a server doing DHCP. The procedure below was carried out on a router, but the procedure is the same for a Catalyst switch.
By default DHCP is disabled; you have to turn it on, then create a ‘DHCP pool’.
[box]
Petes-Router(config)#service dhcp
Petes-Router(config)#ip dhcp pool DATA-VLAN-10
[/box]
Then set the range of addresses and scope options.
There’s nothing to stop you running multiple scopes either; below I add another scope for my voice VLAN, and exclude the router IP on that VLAN, and my PBX.
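The pool definitions and the voice-VLAN scope mentioned above are not shown on this page. The following is an added example, not the author’s own configuration, of the two scopes on an IOS router; every address, VLAN 20, the PBX at 10.1.20.5 and the DNS server at 10.1.10.5 are constructed values.

```text
! Added example, not the page's own configuration. All addresses, VLAN 20, the PBX
! at 10.1.20.5 and the DNS server at 10.1.10.5 are constructed values.
Petes-Router(config)#service dhcp
! Exclusions keep the router's own SVI address and the PBX out of the lease range;
! they must cover every statically addressed host on the scope's subnet, or the
! router will eventually lease one of those addresses to a client.
Petes-Router(config)#ip dhcp excluded-address 10.1.10.1
Petes-Router(config)#ip dhcp excluded-address 10.1.20.1 10.1.20.10
Petes-Router(config)#ip dhcp pool DATA-VLAN-10
Petes-Router(dhcp-config)#network 10.1.10.0 255.255.255.0
Petes-Router(dhcp-config)#default-router 10.1.10.1
Petes-Router(dhcp-config)#dns-server 10.1.10.5
Petes-Router(dhcp-config)#lease 0 8
Petes-Router(dhcp-config)#exit
! Second scope for the voice VLAN; option 150 hands Cisco phones the TFTP/PBX address.
Petes-Router(config)#ip dhcp pool VOICE-VLAN-20
Petes-Router(dhcp-config)#network 10.1.20.0 255.255.255.0
Petes-Router(dhcp-config)#default-router 10.1.20.1
Petes-Router(dhcp-config)#option 150 ip 10.1.20.5
Petes-Router(dhcp-config)#exit
Petes-Router(config)#end
! Check leases and per-pool statistics once clients start requesting addresses.
Petes-Router#show ip dhcp binding
Petes-Router#show ip dhcp pool
```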
After not touching one for a couple of years, I was back on HP switches recently, and I had to map out a client’s switches. Now I could have used some software, but they didn’t have SNMP enabled, so I had to ‘re-acquaint’ myself with LLDP.
For a more detailed LLDP view of attached devices:
Note: This command will NOT show up in the help menu!
[box]
HP-Switch-1# show lldp info remote all
LLDP Remote Device Information Detail
Local Port : 10
ChassisType : local
ChassisId : Cisco1.petenetlive.com
PortType : local
PortId : GigabitEthernet0/15
SysName :
System Descr : Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Ver...
PortDescr :
System Capabilities Supported : bridge
System Capabilities Enabled : bridge
Remote Management Address
Type : ipv4
Address : 111.222.111.222
------------------------------------------------------------------------------
Local Port : 10
ChassisType : mac-address
ChassisId : 00 1c f6 c8 55 8f
PortType : inte...
PortId : || PeteNet || 10Mb ||...
SysName : Cisco1.petenetlive.com
System Descr : Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Ver...
PortDescr : GigabitEthernet0/15
System Capabilities Supported : bridge, router
System Capabilities Enabled :
Remote Management Address
Type : ipv4
Address : 111.222.111.222
------------------------------------------------------------------------------
Local Port : 13
ChassisType : local
ChassisId : Cisco1.petenetlive.com
PortType : local
PortId : GigabitEthernet0/18
SysName :
System Descr : Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Ver...
PortDescr :
System Capabilities Supported : bridge
System Capabilities Enabled : bridge
Remote Management Address
Type : ipv4
Address : 111.222.111.222
------------------------------------------------------------------------------
Local Port : 13
ChassisType : mac-address
ChassisId : 00 1c f6 c8 55 92
PortType : inte...
PortId : || PeteNet || Previou...
SysName : Cisco1.petenetlive.com
System Descr : Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Ver...
PortDescr : GigabitEthernet0/18
System Capabilities Supported : bridge, router
System Capabilities Enabled :
Remote Management Address
Type : ipv4
Address : 111.222.111.222
------------------------------------------------------------------------------
Local Port : 23
ChassisType : mac-address
ChassisId : c0 91 34 dd 3b c0
PortType : local
PortId : 23
SysName : HP-Switch-2
System Descr : HP J9145A 2910al-24G Switch, revision W.15.13.0014, ROM W...
PortDescr : 23
System Capabilities Supported : bridge, router
System Capabilities Enabled : bridge, router
Remote Management Address
Type : ipv4
Address : 192.168.1.221
Poe Plus Information Detail
Poe Device Type : Type2 PSE
Power Source : Unknown
Power Priority : Unknown
Requested Power Value : 0 Watts
Actual Power Value : 0 Watts
------------------------------------------------------------------------------
Local Port : 24
ChassisType : mac-address
ChassisId : c0 91 34 dd 3b c0
PortType : local
PortId : 24
SysName : HP-Switch-2
System Descr : HP J9145A 2910al-24G Switch, revision W.15.13.0014, ROM W...
PortDescr : 24
System Capabilities Supported : bridge, router
System Capabilities Enabled : bridge, router
Remote Management Address
Type : ipv4
Address : 192.168.1.221
Poe Plus Information Detail
Poe Device Type : Type2 PSE
Power Source : Unknown
Power Priority : Unknown
Requested Power Value : 0 Watts
Actual Power Value : 0 Watts
[/box]
To find what port an IP address is on
First ping the IP address, to make sure that the switch has the MAC address you are looking for in its ARP cache.
[box]
HP-Switch-1# ping 192.168.251.2
192.168.251.2 is alive, time = 3 ms
[/box]
Then look for it in the ARP cache:
[box]
HP-Switch-1# show arp
IP ARP table
IP Address MAC Address Type Port
--------------- ----------------- ------- ----
192.168.251.1 e8b748-c757b0 dynamic 13
192.168.251.2 005056-a61c1c dynamic 5 << It’s on port 5
192.168.251.5 005056-a606d9 dynamic 7
[/box]
Or if you already know its MAC address:
[box]
HP-Switch-1# show mac-address 005056-a61c1c
Status and Counters - Address Table - 005056-a61c1c
Port
-------
5
[/box]