I wonder how many hours I've lost trying to get browsers to connect to things when the browser has not been happy? This week I needed to connect to a vCenter (6.5) web console with Firefox and was greeted with this.
Your connection is not secure
The owner of {site} has configured their web site improperly. To protect information being stolen, Firefox has not connected to this website.
Error Code: , SEC_ERROR_UNKNOWN_ISSUER
Normally I use Firefox, because if there’s a problem I can simply add an exception and all is well, but this time there was no way to connect at all.
Solution
Browse to about:config, search for security.enterprise, and set the matching preference to true.
Now it will connect.
Related Articles, References, Credits, or External Links
I’ve seen this a couple of times now, and each time I’ve (wrongly) assumed that the OVA/OVF file I’ve downloaded is either corrupt, or it has some sort of problem.
Failed to deploy OVF package.
Cause:
A general system error occurred:
Transfer failed: The OVF descriptor is not available.
Solution
Redeploy the OVF file, but this time, instead of selecting the cluster, select A SPECIFIC HOST to deploy to. This time it deployed without error.
Note: I’m using vCenter 6.5, ESX 6.5, and Firefox to manage the vCenter. I’ve seen the same problem with vCenter 6.7 and Chrome.
When it comes to transferring files from PC to iPhone and vice versa, the most obvious choice is to use iTunes. However, it has been found that many users don’t like working with this application. Bloated and ponderous, iTunes continues Apple’s ongoing trend of having lost its design mojo.
Luckily, we have other options. One of the easiest ways is to use Wi-Fi Direct Transfer. With this method, you can pair your computer and iPhone/iPad within seconds and transfer anything you desire in a jiffy. Unlike AirDrop, Wi-Fi Direct allows you to work across all the platforms including Windows and Android. So you can also use this method to share files between an Android device and your iPhone/iPad as well.
How to use Wi-Fi Direct transfer
For it to work, your iPhone and your computer must be connected to the same Wi-Fi network. Since they will connect directly within the Wi-Fi network, you don’t even need an access point. In other words, your devices don’t have to connect to the Internet.
If there is no Wi-Fi network available nearby, you can create one on your own by using the Personal Hotspot feature. Just turn on Personal Hotspot on your iPhone, then on the computer, join the newly created hotspot. That way you can establish a connected Wi-Fi network from anywhere.
Now we’re going to install a wireless transfer tool on the computer and its companion app on the iPhone. There are actually plenty of tools offering this function in the market. The best ones? Well, below are the apps that I’ve used and personally recommend.
1. SHAREit
The SHAREit application is pretty popular due to the fact that the app is developed by Lenovo and it comes pre-installed on many Android devices from this brand.
Step 1: Download and install the SHAREit apps on both your computer and iPhone. After they have been installed, launch the apps.
Step 2: Make sure both devices are connected to the same Wi-Fi network. To send files from your iPhone, select “Send” from the main screen. Note that you’re only able to send photos and videos and other files managed by the Files app.
Step 3: Select the files you wish to transfer to the computer, then tap “OK”. Now if your computer is on the same Wi-Fi network, it should display on the screen. Tap on it to start transferring. Once done, the files will appear in the window of the desktop app.
If you’re not able to connect the two devices, make sure the app is on-screen on both your computer and your iPhone. I have used SHAREit as the primary method to transfer photos from my iPhone to the PC (for editing with Lightroom and Photoshop) and it has worked fine.
3. Xender
Xender is quite similar to SHAREit, except that you don’t have to install a program on your computer. It can work by using your web browser.
Step 1: Download and install the Xender app on your iPhone. It’s free.
Step 2: Connect the two devices to the same Wi-Fi network.
Step 3: On your PC, open your web browser of choice and go to http://web.xender.com. The web page will display the QR code used for connecting from the iOS device.
If you are used to running ‘on-prem’ Exchange, you will know that allowing an IP/hostname to relay mail (send mail through without authenticating) is handy for things like older multifunction scanners, or applications that need to send email. You SHOULD be sending mail through Office 365 ‘authenticated’, but that’s not always possible.
Solution
From Office 365, launch the Exchange admin console.
Mail flow > Connections > Add.
From: Your organisation's email server.
To: Office 365
Give the connector a sensible name > Next.
Enter the PUBLIC IP or PUBLIC HOSTNAME > Next.
WARNING: Where possible, ensure this IP is only used by the internal host that needs to relay. If you only have one public IP (and you NAT/PAT all your internal IPs to this public IP), then filter the hosts that can send mail ‘outgoing’ on your firewall. If you don’t, and an internal client gets infected, it will be able to send unauthenticated mail through your Office 365 account!
Save.
After I had a datastore failure I needed to ‘unmount’ a datastore in my VMware 6.5 environment. But when I attempted to do so I got;
The “Remove Datastore” operation failed for the entity with the following error message.
The resource “Datastore-Name” is in use.
Solution
In use by what? Thanks for the assistance! Usually this happens because you have a VM with a VMDK in that datastore, or more likely, a VM has a CD mapped to an ISO that was in this datastore (which was my problem).
In “Datastore View” > Select the offending Datastore > VMs > Eliminate them one by one.
There are many free TFTP applications; my personal favourite is 3CDaemon, as it also has a built-in syslog server and an FTP server. Here's how to install it on your computer.
There are a number of places you can download 3CDaemon, or just CLICK HERE.
Deploy a windows TFTP Server
Download the files and extract them to your PC, then run the setup.exe file > At the Welcome screen > Next.
At the license screen > Yes.
Either accept the default location or choose your own > Next.
5. Leave it on the default > Next.
When it's done > OK.
Launch the application.
9. Ensure the “TFTP Server” section is selected > Click the “Pen knife” icon labelled “Configure TFTP Server”.
10. Change the Upload / Download directory to something you will find easily (I usually create a “TFTP Root” folder on the C: drive).
On a Windows 10 machine (with the latest Java installed), while attempting to launch the ASDM you see;
Windows cannot find ‘javaw.exe’. Make sure you typed the name correctly, and then try again.
Solution
I should have fixed this a lot quicker than I did, because the error message was a lot more descriptive in older versions of Windows and the ASDM! This is the same problem seen on Windows 8.
You still need to install the 32-bit version of Java! Once you do, it will work fine.
Quite a while ago I wrote the “Connecting to and managing Cisco firewalls” article, which is still pretty complete, but I’ve been asked on a few occasions, “How do I actually configure the firewall to allow remote administration via SSH, HTTPS/ASDM, or Telnet?”
If you have no network connection to the firewall, then you will need to connect via console cable (CLICK HERE).
Solution
Cisco ASA Allow SSH – Via Command Line
1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password:*******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#
[/box]
2. Now you can either allow access for one machine, or a whole network. The syntax is “ssh {ip address} {subnet mask} {interface that you will be connecting to}”.
[box]
The following will just allow one external host (123.123.123.123).
PetesASA(config)# ssh 192.168.1.10 255.255.255.255 outside
The following will just allow a whole internal network 192.168.1.1 to 254
PetesASA(config)# ssh 192.168.1.0 255.255.255.0 inside
[/box]
3. You will need to create a username and password for SSH access, then set SSH to use the LOCAL database to check usernames and passwords (unless you are using LDAP, RADIUS, TACACS, or Kerberos for authentication).
4. By default the SSH session times out after 5 mins, I prefer to change this to 45 minutes.
[box]
PetesASA(config)# ssh timeout 45
[/box]
5. To encrypt the SSH access you need to have an RSA keypair on the firewall. (Note: this is generated from the firewall’s host name and its domain name; if you ever change either, the keypair will break, and SSH access will cease until the keypair is re-created.) To create a key, issue a “crypto key generate rsa” command;
[box]
PetesASA(config)# crypto key generate rsa mod 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
PetesASA(config)#
[/box]
Note: I set the key size to 2048; this is considered good practice.
7. Lastly, save the changes with a “write mem” command;
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Cisco ASA Allow SSH – Via ASDM (version shown 6.4(7))
1. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select SSH > Supply the IP and subnet > OK. (Note you can set both the timeout, and the SSH versions you will accept, on this page also). Note you still need to generate the RSA Key (See step 5 above, good luck finding that in the ASDM – see the following article).
Cisco ASA – Enable AAA for SSH (Local Database) ASDM version 6.4(7)
Cisco ASA – Add a User to the Local Database
Cisco ASA – Allow HTTPS/ASDM – Via Command Line
1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password: *******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#
[/box]
2. Now you can either allow access for one machine or a whole network. The syntax is “http {ip address} {subnet mask} {interface that it’s connected to}”.
[box]
The following will just allow one host (192.168.1.10).
PetesASA(config)# http 192.168.1.10 255.255.255.255 inside
The following will just allow a whole network 192.168.1.1 to 254
PetesASA(config)# http 192.168.1.0 255.255.255.0 inside
[/box]
3. Unlike telnet and SSH, HTTPS/ASDM access is via the firewall's enable password (unless you have enabled AAA logon). This password is set with the “enable password {password}” command. (Note: You will already have entered this password in step 1; only do this if you wish to change it.)
[box]
PetesASA(config)# enable password PASSWORD123
[/box]
4. You need to make sure that HTTPS access is enabled with a “http server enable” command.
[box]
PetesASA(config)# http server enable
Note: if you're port forwarding HTTPS on your firewall you will NOT be able to get access externally unless you put it on a different port (e.g. 1234).
PetesASA(config)# http server enable 1234
[/box]
5. Lastly, save the changes with a “write mem” command.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
OK, the title of this might raise an eyebrow, but if you have access to the ASDM and you want to grant access to another IP/network, then you might want to do this. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select ASDM/HTTPS > Supply the IP and subnet > OK. (Note: You can also enable and disable the HTTP server here and change its port number).
Cisco ASA Allow Telnet – Via Command Line
WARNING: Telnet is insecure; if possible don’t use it (usernames and passwords are sent unencrypted).
1. Log on to the firewall > Go to enable mode > Go to configure terminal mode.
[box]
User Access Verification
Password: *******
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)#
[/box]
2. Now you can either allow access for one machine, or a whole network. The syntax is “telnet {ip address} {subnet mask} {interface that it's connected to}”.
[box]
The following will just allow one host (192.168.1.10).
PetesASA(config)# telnet 192.168.1.10 255.255.255.255 inside
The following will just allow a whole network 192.168.1.1 to 254
PetesASA(config)# telnet 192.168.1.0 255.255.255.0 inside
[/box]
3. To set the password you use the “passwd” command (yes that’s spelled correctly).
[box]
PetesASA(config)# passwd PASSWORD123
[/box]
4. By default the telnet session times out after 5 mins, I prefer to change this to 45 minutes.
[box]
PetesASA(config)# telnet timeout 45
[/box]
5. Lastly, save the changes with a “write mem” command.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Allow Telnet – Via ASDM (version shown 6.4(7))
1. Connect via ASDM > Navigate to Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > Add > Select Telnet > Supply the IP and subnet > OK. (Note you can set the timeout on this page also).
I see this get asked in forums A LOT. Typically the poster has another problem they are trying to fix, someone has asked them to debug the problem, and they can't see any debug output.
Solution
Firstly you need to understand what logging is, and how debugging fits within it. (Bear with me, this is good knowledge to have).
The firewall saves logs in syslog format, and there are 8 levels of logs; the one with the MOST information is called ‘debugging’ (or severity 7 in Syslog world):
0=Emergencies
1=Alert
2=Critical
3=Errors
4=Warnings
5=Notifications
6=Informational
7=Debugging
So if you are debugging, then all you are doing is looking at syslog output that's severity 7. The ASA can send these logs to an internal memory buffer, an external Syslog server, or to the screen, either the console (via rollover cable) or the monitor (SSH/Telnet session, or what router types call the virtual terminal lines).
Fine, but I can't see anything, doofus, that’s why I’m here!
OK, now you understand how it all works, you should understand when you see the commands, why it wasn’t working!
Issue a ‘show log’ command;
What does this tell us? Well, most importantly it tells us logging is ON.
[box]Syslog logging: enabled[/box]
If it were disabled then you turn it on with;
[box]logging on[/box]
The next piece of pertinent information is.
[box]Timestamp Logging: Disabled[/box]
While not critical, logs are much easier to interpret when they are stamped with the correct time! I’m in the UK so this is the command I would use (Note: I’m enabling NTP time sync, which can take a while to synchronise);
[box]
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ntp server 130.88.203.12 source outside
!
logging timestamp
[/box]
Sending Debug Output to the Screen
As mentioned above, you can send output to the console or the monitor;
Send Debug to SSH/Telnet Session
[box]logging monitor debugging
terminal monitor[/box]
Note: To disable, the command is ‘terminal no monitor‘ NOT ‘no terminal monitor’ (Thanks Cisco!)
Sending Debug Output to the Console (Serial Connection)
Send Debug to the Console Session
[box]logging console debugging[/box]
Note: To stop it, set it back to ‘warnings’ (the default).
[box]logging console warnings[/box]
Sending Debug Output to the Internal Log (Buffer)
This is easier, as you can filter the results for particular IP addresses/ports/usernames etc., which is handy if there are pages and pages to look through, and they are not scrolling past you faster than you can read them!
When attempting to connect to a Cisco ASA firewall via SSH you see the following error;
The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is below the configured warning threshold.
Do you want to continue with this connection?
Clicking ‘Yes’ will let you connect.
Solution
When connected, execute the following commands;
[box]conf t
ssh key-exchange group dh-group14-sha1
write mem[/box]
Problem solved.
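The management-access commands above (ssh/telnet/http lines, the key-exchange group, and logging timestamp) are easy to audit straight from a saved running-config. The script below is an added example, not part of the original articles; it parses a constructed config and flags the settings this page warns about (telnet enabled, access from any address, dh-group1-sha1, timestamps off).

```python
import ipaddress
import re

# Constructed sample running-config (not from the article) that mixes
# the page's commands with a few deliberately weak lines to be flagged.
SAMPLE_CONFIG = """\
hostname PetesASA
logging on
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 45
ssh key-exchange group dh-group1-sha1
telnet 192.168.1.10 255.255.255.255 inside
http server enable 1234
http 192.168.1.0 255.255.255.0 inside
"""

# Matches "ssh|telnet|http <ip> <mask> <interface>" access lines.
ACCESS_RE = re.compile(
    r"^(ssh|telnet|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def audit_management_access(config: str) -> list[str]:
    """Return one finding string per weak management-access setting found."""
    findings = []
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        proto, ip, mask, iface = m.groups()
        # ASA writes the mask in dotted form; ip_network turns it into a prefix.
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if proto == "telnet":
            findings.append(f"telnet allowed from {net} on {iface} (cleartext logon)")
        if net.prefixlen == 0:
            findings.append(f"{proto} allowed from any address on {iface}")
    if not any(line.startswith("ssh key-exchange group") for line in lines):
        findings.append("no ssh key-exchange line; check the server is not offering dh-group1-sha1")
    elif "ssh key-exchange group dh-group1-sha1" in lines:
        findings.append("ssh key-exchange uses dh-group1-sha1; set dh-group14-sha1")
    if "logging timestamp" not in lines:
        findings.append("logging timestamp not enabled; log entries will lack times")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```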