Exchange Bulk Export / Import Mail Contacts

KB ID 0001349 

Problem

I had to do this today and realised, it’s been so long since I did it last, I’d forgotten how to do it. Before we go forward, please be clear, I’m talking about MAIL CONTACTS, these are Active Directory Objects that have an Email address, but DO NOT have a mailbox in your Exchange Organisation, and DO NOT have an Active Directory User. I point this out because you can have MAIL USERS that have an Active Directory User Object and have an External Email address (i.e. a Gmail or Hotmail address) associated with the MAIL USER object.

Traditionally mail contacts are used for listing outside mail addresses in your global address list, (like mail users do) but are also used to forward mail to as well.

Solution

I was exporting from Exchange 2010, from the EMC run the following command;

[box]Get-MailContact -ResultSize unlimited | Select DisplayName,Name,PrimarySMTPAddress | Export-Csv “c:\Contacts-Exported.csv“[/box]

And there’s my file.

You can see my exported CSV list in, DisplayName, Name, PrimarySmtpAddress format. You will need to do some work with it in Excel to get it in > Name, Firstname, Lastname, ExternalEmailAddress format.

Once you have you CSV file ready, import it into the Target Exchange Server with the following command;

[box]Import-Csv “C:\Contacts-Exported.csv” | ForEach {New-MailContact -Name $_.Name -Firstname $_.FirstName -LastName $_.LastName -ExternalEmailAddress $_.ExternalEmailAddress -OrganizationalUnit “OU=IMPORT,DC=PNL,DC=COM”}[/box]

There’s my new contacts 🙂

Related Articles, References, Credits, or External Links

NA

Updating FirePOWER Module (From ASDM)

KB ID 0001348 

Problem

Normally I don’t like upgrading the SFR this way. But then I tend to install new firewalls set them up and walk away, so its easier (and a LOT quicker) to simply image the module to the latest version and then set it up.

Like So; Re-Image and Update the Cisco FirePOWER Services Module

This week I had an existing customer, who has an ASA5508-X but wasn’t using his FirePOWER, I’d installed the controller licence when I set it up originally, (as a safe guard in case the licence got lost, which nearly always happens!) The firewall was pretty much up to date but the SFR was running 5.4.0 (at time of writing we are at 6.2.2). So Instead of imaging it I decided to upgrade it, this takes a LOOOOOOOONG TIME! (4-6 hours per upgrade) and you cannot simply upgrade straight to the latest version.

Thankfully this does not affect the firewall itself, (assuming you set the SFR to Fail Open).

Solution

First task is to find out what the latest version is, at time of writing thats 6.2.2, open the release notes for that version and locate the upgrade path, it looks like this;

Well that’s a lot of upgrades! You may notice that there’s some ‘pre-installation packages’. Sometimes when you go to the downloads section at Cisco these are no-where to be found! This happens when a version gets updated, in the example above one of my steps is 6.0.1 pre installation package, this was no where to be found, so I actually used 6.0.1-29.

The files you need are the ones which end in .sh, i.e. Cisco_Network_Sensor_Patch-6.0.1-29.sh (DON’T Email me asking for updates you need a valid Cisco support agreement tied to your Cisco CCO login.)

Once you have downloaded your update, login to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.

Upload your update, (this can take a while).

When uploaded > Select your update > Install, (if the install needs a reboot accept the warning).

Note: This is a reboot of the FirePOWER module, NOT the Firewall.

You can follow progress (to a point) from the task information popup (Once the SFR module goes down you wont see anything apart from an error, unless your version is 6.1.0 or  newer (which shows a nice progress bar). So;

  1. Don’t panic: it looks like it’s crashed for hours – it’s fine.
  2. There are other things you can look at if you’re nervous.

Monitoring FirePOWER upgrades

What I like to do is SSH into the firewall and issue the following command;

[box]debug module-boot[/box]

Then you can (after a long pause of nothing appearing to happen!) see what is going on.

You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.

If you are currently running 6.1.0 or above you get this which is a little better.

Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.

Back at the firewall, if you issue a ‘show module‘ command during the upgrade it looks like the module is broken! This will be the same of a few hours!

[box]

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

MANY HOURS LATER

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b79  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70  N/A          N/A          6.0.1-29

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.1-29

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco Error ‘%PHY-4-SFP_NOT_SUPPORTED’

KB ID 0001347 

Problem

This is another question I see getting asked a lot in forums!

You see something like the following;

[box]

000032: *Sep 28 09:35:32.507 UTC: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi3/0/50 is not supported (PNL-3750-Stack)
000033: *Sep 28 09:35:32.507 UTC: %PM-4-ERR_DISABLE: gbic-invalid error detected  on Gi3/0/50, putting Gi3/0/50 in err-disable state (PNL-3750-Stack)

[/box]

The usual response is ‘Enable unsupported SFP’s’, and while that sometimes is the answer, it’s not always the answer!

 

Solution

1. Firstly Check the Modules and the Switches, Are you tying to plug a 10GB SFP+ into a slot that only supports SFP, (that includes plugging a twinax cable into an old switch!) In your ‘show run’ you should see TenGigabitEthernet (if your using SFP+ modules). Some switches with network modules list the same interface twice (once as 10GB interfaces and once at 1GB modules, I’ve blogged about that before see THIS ARTICLE, and to confuse things even further, the four interface versions, are grouped as two pairs with each pair consisting of one SFP slot and one SFP+ slot.)

2. Make sure your cable is NOT a CAB-SFP-50CM, (unless you are connecting a 3560 to ANOTHER 3560).

3. Are you using a 2960-S? If so you may need to update the IOS to use SFP+ (assuming your model supports SFP+ not all 2960-S models do).

4. Are you plugging into a Nexus switch with a 1GB connection? If so check the other end for the following error;

Description: Gi1/1/15: This port has been disabled because Non Compliant Gigabit Interface Converter (GBIC) connector detected.

If so, you may need to Manually set the speed on the 5K to 1000, (it wont auto-sense).

5. Is it a non-cisco branded SFP? If so it may still work, (but you will get no joy if you log a TAC call) with the following commands;

[box]

Petes-SW(config)#service internal
Petes-SW(config)#no errdisable detect cause gbic-invalid
Petes-SW(config)#service unsupported-transceiver

[/box]

If you are still in doubt check the Compatibility Matrix.

Related Articles, References, Credits, or External Links

NA

FirePOWER – ‘DataPlaneInterface0’ is not receiving and packets

KB ID 0001344 

Problem

While replacing a FirePOWER Management console, I got this error;

Interface Status
Interface ‘DataPlaneInterface0’ is not receiving any packets

 

Solution

A look a the health monitor showed me the same thing;

Firstly, common sense dictates, that this is a live firewall and traffic is actually flowing though it? In my case the traffic simply needed to be ‘sent though’ the module. Execute the following, (or check for the presence of matching configuration);

[box]

access-list ACL-FirePOWER extended permit ip any any
class-map CM-SFR
 match access-list ACL-FirePOWER
 exit
policy-map global_policy 
 class CM-SFR
  sfr fail-open
exit
exit
write mem

[/box]

Note: Here I’m assuming you want to ‘fail-open’ i.e. not block traffic if the FirePOWER module fails, and you are inspecting ‘inline’ (not passively).

Then apply the cup of coffee rule, and ensure some traffic is sent via the firewall.

Failover (Active / Standby) Firewalls and FirePOWER

As pointed out (below, thanks Marvin) If you have an active/standby failover firewall pair, you will also see this error from the SFR module in the standby firewall. Which makes sense because this firewall is not passing any traffic!

Related Articles, References, Credits, or External Links

NA

VMware Converter – Unable to Deploy Agent

KB ID 0001345

Problem

I still think P2V conversions are cool, and I’ve been doing them since version 3! It seems though every time I try and do one with the standalone converter though I get this error;

VMware vCenter Converter Standalone
Unable to complete installation/uninstallation of converter agent on ‘{target}’

Solution

I always spend five minutes messing with firewalls, checking remote registry services, credentials, and the fix is nearly always the same;

Locate VMware-Converter-Agent.exe in  C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone, copy it to the target machine, and install it manually. Then try the conversion again.

If it gets this far, your problem is solved.

Related Articles, References, Credits, or External Links

NA