I had to do this today and realised it's been so long since I last did it that I'd forgotten how. Before we go forward, please be clear: I'm talking about MAIL CONTACTS. These are Active Directory objects that have an email address but DO NOT have a mailbox in your Exchange organisation and DO NOT have an Active Directory user. I point this out because you can also have MAIL USERS, which have an Active Directory user object and an external email address (i.e. a Gmail or Hotmail address) associated with the MAIL USER object.
Traditionally mail contacts are used for listing outside mail addresses in your global address list (as mail users do), but they are also used as targets to forward mail to.
Solution
I was exporting from Exchange 2010; from the EMC run the following command;
You can see my exported CSV list in DisplayName, Name, PrimarySmtpAddress format. You will need to do some work with it in Excel to get it into Name, Firstname, Lastname, ExternalEmailAddress format.
Once you have your CSV file ready, import it into the target Exchange server with the following command;
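The Excel step can be scripted. This is an added example, not a command from the original post: it reads the exported DisplayName, Name, PrimarySmtpAddress CSV and writes the Name, Firstname, Lastname, ExternalEmailAddress CSV for the import, splitting the display name into first and last names and dropping rows (no address, duplicate address) that would stop the import part-way. The sample export and its addresses are constructed.

```python
import csv
import io

IMPORT_FIELDS = ["Name", "FirstName", "LastName", "ExternalEmailAddress"]  # layout the post imports


def split_display_name(display_name):
    """Split 'Pete Long' or 'Long, Pete' into (first, last); a lone word is the last name."""
    if "," in display_name:
        last, _, first = display_name.partition(",")
        return first.strip(), last.strip()
    parts = display_name.split()
    return (" ".join(parts[:-1]), parts[-1]) if len(parts) > 1 else ("", parts[0] if parts else "")


def convert_contacts(export_csv_text):
    """Turn the DisplayName,Name,PrimarySmtpAddress export into import-layout rows."""
    lines = export_csv_text.splitlines()
    if lines and lines[0].startswith("#TYPE"):  # added by Export-Csv without -NoTypeInformation
        lines = lines[1:]
    seen, rows = set(), []
    for rec in csv.DictReader(lines):
        address = (rec.get("PrimarySmtpAddress") or "").strip()
        # An empty or repeated address (compared case-insensitively) would make
        # New-MailContact fail part-way through the import, so skip it here.
        if not address or address.lower() in seen:
            continue
        seen.add(address.lower())
        display = rec.get("DisplayName") or rec.get("Name") or ""
        first, last = split_display_name(display)
        rows.append({"Name": (rec.get("Name") or display).strip(), "FirstName": first,
                     "LastName": last, "ExternalEmailAddress": address})
    return rows


def to_import_csv(rows):
    """Serialise rows with the import header, ready to save and feed to Import-Csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=IMPORT_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample export (not real data): a #TYPE line, a 'Last, First' display
# name, a duplicate address and a contact with no address.
SAMPLE_EXPORT = """#TYPE Selected.Microsoft.Exchange.Data.Directory.Management.MailContact
"DisplayName","Name","PrimarySmtpAddress"
"Pete Long","Pete Long","pete.long@example.com"
"Smith, Jane","Jane Smith","jane.smith@example.org"
"Pete Long","Pete Long","PETE.LONG@example.com"
"Helpdesk","Helpdesk",""
"""
```

Save the output of `to_import_csv(convert_contacts(...))` to a file and feed it to the import command on the target server.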
Normally I don't like upgrading the SFR this way, but I tend to install new firewalls, set them up and walk away, so it's easier (and a LOT quicker) to simply image the module to the latest version and then set it up.
This week I had an existing customer who has an ASA5508-X but wasn't using his FirePOWER. I'd installed the controller licence when I set it up originally (as a safeguard in case the licence got lost, which nearly always happens!). The firewall was pretty much up to date, but the SFR was running 5.4.0 (at the time of writing we are at 6.2.2). So instead of imaging it I decided to upgrade it. This takes a LOOOOOOOONG TIME (4-6 hours per upgrade), and you cannot simply upgrade straight to the latest version.
Thankfully this does not affect the firewall itself (assuming you set the SFR to fail open).
Solution
The first task is to find out what the latest version is; at the time of writing that's 6.2.2. Open the release notes for that version and locate the upgrade path; it looks like this;
Well, that's a lot of upgrades! You may notice that there are some 'pre-installation packages'. Sometimes when you go to the downloads section at Cisco these are nowhere to be found! This happens when a version gets updated; in the example above one of my steps is the 6.0.1 pre-installation package, which was nowhere to be found, so I actually used 6.0.1-29.
The files you need are the ones that end in .sh, e.g. Cisco_Network_Sensor_Patch-6.0.1-29.sh. (DON'T email me asking for updates; you need a valid Cisco support agreement tied to your Cisco CCO login.)
Once you have downloaded your update, login to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.
Upload your update, (this can take a while).
When uploaded > Select your update > Install (if the install needs a reboot, accept the warning).
Note: This is a reboot of the FirePOWER module, NOT the firewall.
You can follow progress (to a point) from the task information popup. Once the SFR module goes down you won't see anything apart from an error, unless your version is 6.1.0 or newer (which shows a nice progress bar). So;
Don’t panic: it looks like it’s crashed for hours – it’s fine.
There are other things you can look at if you’re nervous.
Monitoring FirePOWER upgrades
What I like to do is SSH into the firewall and issue the following command;
[box]debug module-boot[/box]
Then you can (after a long pause in which nothing appears to happen!) see what is going on.
You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.
If you are currently running 6.1.0 or above you get this, which is a little better.
Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.
Back at the firewall, if you issue a 'show module' command during the upgrade it looks like the module is broken! It will stay like this for a few hours!
[box]
PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

MANY HOURS LATER

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b79  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70  N/A          N/A          6.0.1-29

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.1-29

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up
[/box]
Related Articles, References, Credits, or External Links
This is another question I see getting asked a lot in forums!
You see something like the following;
[box]
000032: *Sep 28 09:35:32.507 UTC: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi3/0/50 is not supported (PNL-3750-Stack)
000033: *Sep 28 09:35:32.507 UTC: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi3/0/50, putting Gi3/0/50 in err-disable state (PNL-3750-Stack)
[/box]
The usual response is 'enable unsupported SFPs', and while that is sometimes the answer, it's not always the answer!
Solution
1. Firstly, check the modules and the switches. Are you trying to plug a 10GB SFP+ into a slot that only supports SFP? (That includes plugging a twinax cable into an old switch!) In your 'show run' you should see TenGigabitEthernet interfaces if you're using SFP+ modules. Some switches with network modules list the same interface twice (once as 10GB interfaces and once as 1GB interfaces); I've blogged about that before, see THIS ARTICLE. To confuse things even further, on the four-interface versions the interfaces are grouped as two pairs, with each pair consisting of one SFP slot and one SFP+ slot.
2. Make sure your cable is NOT a CAB-SFP-50CM (unless you are connecting a 3560 to ANOTHER 3560).
3. Are you using a 2960-S? If so you may need to update the IOS to use SFP+ (assuming your model supports SFP+; not all 2960-S models do).
4. Are you plugging into a Nexus switch with a 1GB connection? If so, check the other end for the following error;
Description: Gi1/1/15: This port has been disabled because Non Compliant Gigabit Interface Converter (GBIC) connector detected.
If so, you may need to manually set the speed on the 5K to 1000 (it won't auto-sense).
5. Is it a non-Cisco branded SFP? If so it may still work (but you will get no joy if you log a TAC call) with the following commands;
[box]
Petes-SW(config)#service internal
Petes-SW(config)#no errdisable detect cause gbic-invalid
Petes-SW(config)#service unsupported-transceiver
[/box]
Before you create your logon banner it’s important to understand;
Where you want it to appear.
What the underlying file is actually called (on ESXi).
For access to the vSphere Web Client (including the Flash client), the setting you want is 'Login Banner' (Note: vCenter 6.0 Update 2 or higher is required);
Using this you CAN FORCE (but you don't have to) a user to tick "I Agree..." to your banner before they can log in.
This does not mean that vCenter does not have a 'Message of the Day'; it does, it just behaves a little differently, i.e.
With the ESXi hosts there are essentially TWO files we are concerned with, the /etc/issue file and the /etc/motd* file, and they display in two subtly different places.
*Note: MOTD stands for message of the day.
The 'issue' file
The 'motd' file
You can use either one, (or both) to suit your requirements.
Solution
Logon Banner Text Example
What you actually put in the banners is up to you; here are a couple of examples I've used in the past, feel free to copy and adapt them to suit your own requirements.
Example 1
[box]
/-------------------------------------------------------------\
|                         ! WARNING !                         |
| Notice to All Users (Both Authorised or Unauthorised)       |
|                                                             |
| You have accessed a private computer network.               |
| Unauthorised access or use of this system is prohibited.    |
|                                                             |
| If you are not authorised to use this system                |
| please terminate access immediately.                        |
|                                                             |
| Any or all uses of this system and all data on this         |
| system may be intercepted, monitored, recorded, copied,     |
| audited, inspected, and disclosed to authorised sites       |
| and law enforcement personnel, as well as authorised        |
| officials of other agencies. By using this system, the      |
| user consents to such disclosure at the discretion of       |
| authorised site personnel. Unauthorised or improper use     |
| of this system may result in administrative disciplinary    |
| action, civil and criminal penalties. By continuing to      |
| use this system you indicate your awareness of and          |
| consent to these terms and conditions of use. STOP          |
| IMMEDIATELY!!! if you do not agree to the conditions        |
| stated in this warning.                                     |
\-------------------------------------------------------------/
[/box]
Example 2
[box]
**********************************************
***  You are responsible for all activity  ***
***        Performed on this device        ***
***     All config changes are logged      ***
***                                        ***
***        For further Information         ***
***         Please Contact either          ***
***               IT Manager               ***
***                   or                   ***
***               Pete Long                ***
**********************************************
[/box]
Adding the vSphere Web Client Banner/Terms and Conditions
To get access to these settings you need to log into your PSC (Platform Services Controller).
https://{FQDN of vCenter or PSC}/psc
Configuration > Login Banner > Edit > Tick 'Enabled' > Tick 'Checkbox Consent' (to force them to tick "I Agree...") > Enter a title and the message/banner text to display > OK.
Adding the vSphere Web Client MOTD
Log into vSphere > Select the vCenter > Configuration > Message of the Day > Edit > Type in the text.
Note: Remember this displays as a popup for users already logged into vCenter, but as a 'nag message' for anyone logging in in future.
Changing the ESX ‘Issue’ Banner
Log onto the ESX server > issue the following command 'vi /etc/issue' > Paste in your text > Save and exit the file > Restart the SSH daemon with the following command '/etc/init.d/SSH restart'.
Changing the ESX ‘MOTD’ Banner
Log onto the ESX server > issue the following command 'vi /etc/motd' > Paste in your text > Save and exit the file > Restart the SSH daemon with the following command '/etc/init.d/SSH restart'.
Changing Issue and MOTD banners from the vSphere Client
Yes, you can do this in the vSphere client; the problem is you can only paste in a block of text, so the fancy formatting I put in above will be lost. If that's not a problem for you, then open the vSphere Client > Hosts and Clusters > Select the Host > Configure > Advanced System Settings > Edit > Search for 'Config.etc' > Change the Config.etc.issue and/or Config.etc.motd values as required.
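For the /etc/issue and /etc/motd route, where line breaks survive, it is handy to generate the boxed layout of Example 1 from plain sentences instead of hand-padding every line. This is an added example, not from the original post; the box width of 61 characters between the bars is an assumption matching Example 1, and the wording is adapted from it.

```python
import textwrap


def banner_box(paragraphs, width=61):
    """Render a title and paragraphs in the /---\\ | ... | \\---/ layout of Example 1.

    width is the number of characters between the two bars. The first entry is
    centred as a title; each following paragraph is preceded by a blank line and
    word-wrapped so nothing spills past the bar. Every line is width + 2 wide.
    """
    inner = width - 2  # one space of padding inside each bar
    title, *body = paragraphs
    if len(title) > width:
        raise ValueError("title is wider than the box")
    lines = ["/" + "-" * width + "\\", "|" + title.center(width) + "|"]
    for para in body:
        lines.append("|" + " " * width + "|")
        for chunk in textwrap.wrap(" ".join(para.split()), inner):
            lines.append("| " + chunk.ljust(inner) + " |")
    lines.append("\\" + "-" * width + "/")
    return "\n".join(lines)


# Wording adapted from Example 1, written as plain sentences; the function
# does the wrapping, so later edits to the text cannot break the box.
NOTICE = [
    "! WARNING !",
    "Notice to All Users (Both Authorised or Unauthorised)",
    "You have accessed a private computer network. "
    "Unauthorised access or use of this system is prohibited.",
    "If you are not authorised to use this system please terminate access immediately.",
    "Any or all uses of this system and all data on this system may be intercepted, "
    "monitored, recorded, copied, audited, inspected, and disclosed to authorised sites "
    "and law enforcement personnel, as well as authorised officials of other agencies. "
    "By using this system, the user consents to such disclosure at the discretion of "
    "authorised site personnel. Unauthorised or improper use of this system may result "
    "in administrative disciplinary action, civil and criminal penalties. By continuing "
    "to use this system you indicate your awareness of and consent to these terms and "
    "conditions of use. STOP IMMEDIATELY!!! if you do not agree to the conditions stated "
    "in this warning.",
]

if __name__ == "__main__":
    print(banner_box(NOTICE))  # redirect into /etc/issue or /etc/motd, then restart SSH
```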
While replacing a FirePOWER Management console, I got this error;
Interface Status
Interface ‘DataPlaneInterface0’ is not receiving any packets
Solution
A look at the health monitor showed me the same thing;
Firstly, common sense: is this a live firewall, and is traffic actually flowing through it? In my case the traffic simply needed to be 'sent through' the module. Execute the following (or check for the presence of matching configuration);
[box]
access-list ACL-FirePOWER extended permit ip any any
class-map CM-SFR
 match access-list ACL-FirePOWER
 exit
policy-map global_policy
 class CM-SFR
  sfr fail-open
  exit
 exit
write mem
[/box]
Note: Here I'm assuming you want to 'fail-open', i.e. pass traffic uninspected rather than block it if the FirePOWER module fails, and that you are inspecting 'inline' (not passively).
Then apply the cup of coffee rule, and ensure some traffic is sent via the firewall.
Failover (Active / Standby) Firewalls and FirePOWER
As pointed out below (thanks Marvin), if you have an active/standby failover firewall pair you will also see this error from the SFR module in the standby firewall, which makes sense because that firewall is not passing any traffic!
I still think P2V conversions are cool, and I've been doing them since version 3! It seems, though, that every time I try to do one with the standalone converter I get this error;
VMware vCenter Converter Standalone
Unable to complete installation/uninstallation of converter agent on ‘{target}’
Solution
I always spend five minutes messing with firewalls, checking remote registry services and credentials, and the fix is nearly always the same;
Locate VMware-Converter-Agent.exe in C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone, copy it to the target machine, and install it manually. Then try the conversion again.
If it gets this far, your problem is solved.