PowerShell: Find Computers Last Logon Date

KB ID 0001612

Problem

I had to find the last time a particular server had logged on for a client the other week, so we knew for sure it was dead!

Solution

The two commands you may need are;

Locate Servers’ Last Logon Time

[box]

Get-ADComputer -Filter {OperatingSystem -Like '*Server*'} -Properties LastLogonDate,OperatingSystem | Select-Object Name,LastLogonDate,OperatingSystem

[/box]

Locate Clients’ Last Logon Time

[box]

Get-ADComputer -Filter {OperatingSystem -NotLike '*Server*'} -Properties LastLogonDate,OperatingSystem | Select-Object Name,LastLogonDate,OperatingSystem

[/box]

Short and sweet! Two things to bear in mind before you declare a machine dead on the strength of this: LastLogonDate is derived from the lastLogonTimestamp attribute, which a DC only rewrites when the stored value is more than about 14 days old, so it can be up to two weeks behind; and it records the computer account authenticating to the domain (its secure channel), not a user logging on at the console. The operating system filter needs the wildcard on both sides, because the attribute holds strings like ‘Windows Server 2016 Standard’.
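The following is an added example, not part of the original article, that builds on the two commands above: it reports computer accounts that have not authenticated for a given number of days, includes accounts that have never logged on at all, and can cross-check the per-DC lastLogon attribute, which is exact but never replicated. It assumes the RSAT ActiveDirectory module is installed and that you are running as an account allowed to read the domain; the 90-day threshold is our own audit choice, not a Microsoft default.

```powershell
# Added example (not from the original article): find stale AD computer accounts.
# Assumes the RSAT ActiveDirectory module; DaysInactive=90 is our own threshold.
Import-Module ActiveDirectory

function Get-StaleComputer {
    [CmdletBinding()]
    param(
        [int]$DaysInactive = 90,
        [ValidateSet('All', 'Servers', 'Clients')][string]$Scope = 'All',
        [switch]$Precise   # also ask every DC for its non-replicated lastLogon
    )

    $cutoff = (Get-Date).AddDays(-$DaysInactive)

    # LastLogonDate (what the article selects) is lastLogonTimestamp converted to a
    # DateTime. That attribute replicates, but a DC only rewrites it when the stored
    # value is more than ~14 days old (minus a random 0-5 days), so it can lag by two
    # weeks. Filtering server-side keeps the query cheap; the -notlike '*' clause
    # catches accounts that have never logged on (attribute not set).
    $stale = Get-ADComputer -Filter { (LastLogonTimeStamp -lt $cutoff) -or (LastLogonTimeStamp -notlike '*') } `
                            -Properties LastLogonTimeStamp, OperatingSystem, Enabled, whenCreated

    # the OS attribute holds strings such as 'Windows Server 2016 Standard',
    # hence the wildcard on both sides
    $stale = switch ($Scope) {
        'Servers' { $stale | Where-Object { $_.OperatingSystem -like '*Server*' } }
        'Clients' { $stale | Where-Object { $_.OperatingSystem -notlike '*Server*' } }
        default   { $stale }
    }

    # lastLogon is exact but stored per DC and never replicated, so the only
    # precise answer is the newest value across all DCs.
    $dcs = if ($Precise) { (Get-ADDomainController -Filter *).HostName } else { @() }

    foreach ($c in $stale) {
        $last = if ($c.LastLogonTimeStamp) { [DateTime]::FromFileTime($c.LastLogonTimeStamp) } else { $null }
        foreach ($dc in $dcs) {
            $raw = (Get-ADComputer -Identity $c.DistinguishedName -Server $dc -Properties lastLogon -ErrorAction SilentlyContinue).lastLogon
            if ($raw -and (-not $last -or [DateTime]::FromFileTime($raw) -gt $last)) {
                $last = [DateTime]::FromFileTime($raw)
            }
        }
        if ($last -and $last -ge $cutoff) { continue }   # some DC did see it recently: not stale

        [PSCustomObject]@{
            Name            = $c.Name
            OperatingSystem = $c.OperatingSystem
            Enabled         = $c.Enabled
            LastLogon       = $last          # $null means no DC has ever seen it authenticate
            Created         = $c.whenCreated
        }
    }
}

# Usage: servers that no DC has seen for 90 days, oldest first
Get-StaleComputer -DaysInactive 90 -Scope Servers -Precise | Sort-Object LastLogon | Format-Table -AutoSize
```

Treat the output as a list of accounts to disable first and delete later: a disabled computer account that turns out to be alive costs you a phone call, a deleted one costs a domain rejoin. The -Precise switch makes one LDAP query per account per DC, so run it on the filtered candidates (as above) rather than on the whole domain.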

Related Articles, References, Credits, or External Links

NA

Cisco ASA EZVPN (Revisited)

KB ID 0001261

Problem

EZVPN is a technology that lets you form an ISAKMP/IPSEC VPN tunnel from a site with a dynamically assigned IP (the EZVPN Client) back to a device with a static IP (the EZVPN Server).

I’ve called this EZVPN revisited, because this is a technology I’ve talked about before. So why am I here again? Well back then I used the ASDM. If you do that now, you need to go in and mess about with things to get it to work properly. Last week a client was asking me about buying a 5505 for his home, and putting a VPN into his place of work. Obviously he did not have a static IP at home, which was why I suggested EZVPN.

So it’s time to ‘Man Up’ and get to grips with the CLI. In the example below my corporate LAN is behind a Cisco ASA 5515-X, and my ‘Home Office’ is behind a Cisco ASA 5506-X, (you can use a 5508-X as well, or an old 5505).

 

Solution

So how does EZVPN work? Well, there’s no separate or special technology; it’s a good old fashioned client IPSEC VPN, the kind we used to use the old Cisco IPSEC VPN client for (yes, the one that went end of life in 2011!).

But instead of using a piece of software to supply the username/password and the group/pre-shared-key, you configure a hardware device to supply those details. This enables the hardware device to bring up a software client VPN session. There are two methods of doing this, Client Mode and Network Extension Mode (NEM).

  • Client Mode: Works exactly like the VPN client software, and leases an IP address from a pool of IP addresses supplied by the ASA, (or a DHCP server).
  • Network Extension Mode: This works like a ‘proper’ site to site VPN, insofar as all the IP addresses on the client/remote site can be addressed from the main site. 

I’m going to use Network Extension Mode for this example. I’m also going to enable ‘split tunnelling’ so that only traffic for the corporate LAN goes over the VPN; everything else leaves the remote site directly.

Remote EZVPN Client WARNING

The client that ‘dials in’ cannot be running any other VPN solution. In fact it can’t even have IKE policies defined, (even if they are not in use).

Configure the EZVPN Server

The bulk of the work is on the main site ASA.

[box]

!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 password-storage enable
 nem enable
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-simultaneous-logins 3
!
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 default-group-policy IPSEC-VPN
 authentication-server-group LOCAL
tunnel-group IPSEC-VPN ipsec-attributes
 ikev1 pre-shared-key Cisco123456
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
!
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
!
crypto map CRYPTO-MAP interface outside
!
crypto ikev1 enable outside
!
object network OBJ-EZVPN-SUBNET
 subnet 10.254.254.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-EZVPN-SUBNET OBJ-EZVPN-SUBNET no-proxy-arp route-lookup
!
username EZVPNSite1 password P@ssword123
!

[/box]

Points to Note:

  • I’m using 3DES and SHA1 for Phase 1 (ISAKMP) and Phase 2 (IPSEC), with DH group 2. All three are weak by today’s standards and newer ASA software deprecates or removes them; if the software on both ends supports it, use aes-256 and group 14 in the ikev1 policy and esp-aes-256 esp-sha-hmac in the transform set. (EZVPN is IKEv1 only, so IKEv2 is not an option here.)
  • The Network behind my main site ASA is 192.168.100.0/24.
  • The Network behind my remote site ASA is 10.254.254.0/24.
  • I’ve enabled split tunnelling.
  • ‘password-storage enable’ is what allows the remote ASA to keep the username/password and dial in unattended, which also means those credentials sit in that box’s configuration. Give each site its own account and a strong pre-shared key (change Cisco123456 and P@ssword123 before you copy this), and remove a site’s username if its ASA is lost or stolen.
  • My interfaces are called inside and outside, yours might be different!
  • Crypto Map Warning: If you already have a crypto map applied to the outside interface use the name of the existing one (i.e. NOT CRYPTO-MAP), or your existing VPNs will stop working! Issue a ‘show run crypto map‘ command to check.
  • I have not enabled PFS. (If I had, it would be a ‘set pfs’ line on the dynamic crypto map.)

Configure the EZVPN Client (Remote Site)

The remote site(s) are easy.

[box]

!
vpnclient server 198.100.51.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup IPSEC-VPN password Cisco123456
vpnclient username EZVPNSite1 password P@ssword123
vpnclient enable
!

[/box]

Adding Additional EZVPN Sites

To add another site in Client Mode you would simply add another username and password on the EZVPN server. With Network Extension Mode you would add an object and NAT exemption for the new site’s subnet on the main site (each NEM site needs its own subnet, and it must not overlap any other site or the main LAN), then set up a new username and password for that site like so;

New Site EZVPN Server Config

[box]

!
! Site 2 must use a subnet of its own (10.254.253.0/24 is used here for the example); site 1 already has 10.254.254.0/24
object network OBJ-EZVPN-SUBNET-2
 subnet 10.254.253.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-EZVPN-SUBNET-2 OBJ-EZVPN-SUBNET-2 no-proxy-arp route-lookup
!
username EZVPNSite2 password P@ssword456
!

[/box]

New Site EZVPN Client Config

You just need the new username and password;

[box]

!
vpnclient server 198.100.51.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup IPSEC-VPN password Cisco123456
vpnclient username EZVPNSite2 password P@ssword456
vpnclient enable
!

[/box]

 

Related Articles, References, Credits, or External Links

NA

Cannot Open a Console Session in the VMware VI Client on Windows 8

KB ID 0000677 

Problem

Mostly my conversion to Windows 8 has been pretty painless; the only thing that won’t work is the VMware VI client, which can’t open a console session to the VMs on my ESX server.

Error
The VMRC console has disconnected…attempting to reconnect

This happens because the IE10 that comes with Windows 8 does NOT LIKE the requests the VI client is sending to the Internet Explorer plug-in.

Update 08/03/13 – This problem has now been fixed! Download the latest 5.1 version of the VI client. (see screenshot).

Solution

Work-Around 1 Use VMware workstation (Note: scroll down for a permanent fix)

Until either Microsoft or VMware change something we are stuck! However, there is a work-around if you have VMware Workstation (download the trial; it will keep you ticking over till the problem is fixed!).

1. Launch VMware workstation > File > Connect to Server > Enter your ESX/vCenter server details > Connect.

Note: You may need to accept the certificate warning if you are using self signed certificates; check the thumbprint it shows against the host before you do.

2. Now you can open a console session to your virtual machines.

Work-Around 2 Use VMware Guest Console

Download and run VMware Guest Console > Connect to a host or vCenter, and you can access the guest machines’ consoles from there.

Permanent Fix

Sorry, the only way to fix this (at time of writing) is to upgrade to vSphere 5.1 AND install the 5.1 version of the vSphere client. (You can’t point the 5.1 client at a 5.0 host, it automatically launches the 5.0 version of the VI client).

Note: You will need to update vCenter to 5.1 as well for that to work!

Problem Resolved

Update to the latest VI client, and the problem will cease.

 

Related Articles, References, Credits, or External Links

NA

VMware VI Client – Remove Cached IP addresses and Hostnames

KB ID 0000644 

Problem

If you connect to a lot of ESX, ESXi and vCenter machines, the drop down list in your VI client can get a little cluttered.

Solution

1. Start > Run > Regedit {enter}

2. Navigate to;

[box]HKEY_CURRENT_USER\Software\VMware\VMware Infrastructure Client\Preferences[/box]

Locate the ‘RecentConnections’ string value and edit it: either clear it entirely, or remove just the entries you no longer need.

3. Now things will be a little less cluttered.

Related Articles, References, Credits, or External Links

NA

vSphere – Adding a Serial Port to a VM

KB ID 0001039 

Problem

I wanted to perform command line access to a virtual firewall on my home ESXi server, (a Juniper Firefly vSRX) via a console session. To do that I needed to add a serial port to that VM.

Solution

1. From Within the VI client > Select the ESXi Host > Configuration > Security Profile > Firewall Section > Properties.

2. Locate and enable ‘VM serial port connected over network’ > OK. This opens the port on the ESXi host’s own firewall. A network serial port is plain telnet with no authentication, so use the rule’s ‘Only allow connections from the following networks’ option to restrict it to your management hosts, and disable the rule again when you have finished.

3. From the actual VM‘s properties, (right click > Edit settings) > Add > Serial Port > Next.

4. Connect via Network > Next.

5. Select ‘Server (VM listens for connection)’ > In Port URI enter telnet://{IP-of the ESX-Server}:2001 > Next.

Note: That’s the IP of the ESX server NOT the VM. Here I’m using port 2001, but you can use 23 (standard telnet) or any unused port above 1024. Whichever you pick, remember that this is an unencrypted, unauthenticated session straight onto a firewall’s console, so keep it on a management network.

6. Review the settings > Finish.

7. Now on a machine that has network connectivity to the ESX server > launch a telnet session to the VM (remember to use port 2001 as telnet defaults to 23!).

Here I’m using PuTTY but you can run ‘telnet {ip-address} {port}’ from a Windows client, (providing you have telnet enabled).

8. I’m in and working.

 

Related Articles, References, Credits, or External Links

NA

WDS – PXE Boot Error TFTP Timeout

KB ID 0000485 

Problem

Seen when using WDS on Windows Server 2008 (and 2008 R2). When attempting to PXE boot a client machine, it successfully gets an IP address but times out at the TFTP stage.

This is a common occurrence if the WDS server is also a DNS server, on machines that have had the MS08-037 security update installed. That update makes the DNS server reserve a large pool of UDP ports (socket pool randomisation), and the ports WDS needs are among them.

Solution

1. On the WDS server > Start > in the search/run box type regedit {enter}.

2. Navigate to:

[box]HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDSServer\Parameters[/box]

3. In the right hand window locate the UdpPortPolicy value and change it from 1 to 0 (Zero).

4. Then run services.msc > Locate the “Windows Deployment Services Server” service > Right Click > Restart.
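The same change scripted from an elevated PowerShell prompt on the WDS server, as an added example that is not part of the original article: it records the old value so it can be put back, supports -WhatIf, and restarts the service. The value name (UdpPortPolicy under WDSServer\Parameters) and the service name (WDSServer, whose display name is ‘Windows Deployment Services Server’) are the ones the article uses; nothing else is assumed.

```powershell
# Added example (not from the original article): set UdpPortPolicy and restart WDS.
# Run elevated; writing under HKLM needs administrator rights.

$WdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Parameters'

function Get-WdsUdpPortPolicy {
    # returns $null if the value has never been created
    (Get-ItemProperty -Path $WdsParams -Name UdpPortPolicy -ErrorAction SilentlyContinue).UdpPortPolicy
}

function Set-WdsUdpPortPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Policy = 0)

    $before = Get-WdsUdpPortPolicy
    if ($before -eq $Policy) {
        Write-Verbose "UdpPortPolicy is already $Policy; nothing to do"
        return
    }
    if ($PSCmdlet.ShouldProcess("$WdsParams\UdpPortPolicy", "set to $Policy (was $before)")) {
        # 1 = WDS asks for dynamic UDP ports, which on these builds fall inside the range the
        #     DNS server reserves after MS08-037 (the cause of the TFTP timeout)
        # 0 = WDS uses its static port range instead
        Set-ItemProperty -Path $WdsParams -Name UdpPortPolicy -Value $Policy -Type DWord
        Write-Verbose "previous value was '$before'; set it back with -Policy $before if PXE gets worse"
        Restart-Service -Name WDSServer
        Get-Service -Name WDSServer | Select-Object Name, Status
    }
}

# Preview first, then apply
Set-WdsUdpPortPolicy -Policy 0 -WhatIf
Set-WdsUdpPortPolicy -Policy 0 -Verbose
```

After the restart, PXE boot a client again; if the TFTP stage still times out, the DNS port reservation was not the (only) cause and you should look at the network path between client and server before changing anything else.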

Related Articles, References, Credits, or External Links

NA

Cisco Remote (IPSEC) VPN Clients Timeout / Disconnect

KB ID 0000309 

Problem

By default the ASA sends ISAKMP keepalives (dead peer detection) to remote IPSEC VPN clients with a threshold of 300 seconds; a client that stops answering them is torn down, which users see as a disconnect after a few minutes of inactivity. You can raise the idle timeout on a per user (or per group policy) basis with vpn-idle-timeout, but sometimes that does not stop the drops. To fix the problem you need to disable ISAKMP keepalive monitoring at the “Head End”.

Solution

Enable via Command Line

(see below for ASDM instructions)

1. Connect to the firewall’s command line (SSH or console).

2. Login and go to enable mode.

[box]

User Access Verification

Password:
Type help or ‘?’ for a list of available commands.
PetesASA> en
Password: ********

[/box]

3. We need to change the remote access IPSEC VPN tunnel group, to find out what its called issue a “show running-config tunnel-group” command.

The tunnel group we want will have an “ipsec-attributes” entry AND a “remote-access” entry, so in the example below the tunnel group we want is called “IPSEC-VPN-GROUP” (Yours may not be as well named!).

[box]

PetesASA# show running-config tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's a remote access group
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL
authentication-server-group PNL-KERBEROS LOCAL
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes <<< Its an IPSEC tunnel :)
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's a remote access group
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes <<< this ones an SSL group :(
group-alias PNL enable
PetesASA#

[/box]

4. Enter configuration mode (conf t) > then enter the tunnel group’s IPSEC attributes with “tunnel-group {tunnel group name} ipsec-attributes” > then disable the keepalives with “isakmp keepalive threshold infinite“.

Finally save your hard work with a “write mem” command.

Note: with keepalives off, the head end no longer notices a client that has simply vanished, so its session (and the IP address it leased) hangs around until vpn-idle-timeout or the SA lifetime expires, and it counts towards vpn-simultaneous-logins in the meantime. If the real cause is an idle timeout, raising vpn-idle-timeout in the group-policy is the cleaner fix; use this one when clients behind NAT are being dropped for not answering keepalives.

[box]

PetesASA# conf t
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold infinite
PetesASA(config-tunnel-ipsec)# write mem
Building configuration…
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13
9379 bytes copied in 1.410 secs (9379 bytes/sec)
[OK]
PetesASA(config-tunnel-ipsec)#

 

[/box]

Do the same from ASDM.

1. Connect to the ASDM

2. Click Configuration > Remote Access VPN > IPSEC Connection Profiles > {Your IPSEC Policy} > Edit.

3. Select Advanced > IPSEC > and tick “Headend will never initiate keepalive monitoring” > OK > Apply.

4. Finally click File > “Save Running Configuration to Flash”.

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – Untrusted VPN Server Blocked!

KB ID 0000651 

Problem

The newest versions of the AnyConnect client now show you the following;

If you are seeing this you’re using the (default) self signed certificate, or you connected to an IP address (or a name) that does not match the FQDN in the certificate. Unlike before, you can now ‘lower’ the security so it does not warn you every time. Bear in mind that the block exists for a reason: an untrusted certificate is exactly what a man-in-the-middle proxy presents, and a client set to accept untrusted servers cannot tell the two apart. The proper fix is a certificate issued by a CA your clients trust, containing the FQDN users connect to, and to connect by that FQDN; use the steps below only where that is not possible.

Solution

1. From the warning screen (shown above) select ‘Change Settings…’.

2. Untick the ‘Block connections to untrusted servers’ option. (This is a local client preference, so it has to be changed on every client, and an administrator-pushed AnyConnect profile with strict certificate trust enabled will override it.)

Or if you are on OSX

3. Now when you connect, you get the option of suppressing the warnings for this VPN connection.

Related Articles, References, Credits, or External Links

NA

AnyConnect Error ‘The secure gateway has rejected the connection attempt, No assigned address’

KB ID 0000876 

Problem

I upgraded a client’s ASA5510 firewall(s) yesterday. Post upgrade he got this error;

The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: No assigned address.

Solution

Thankfully the error is pretty descriptive, the remote client can not get an IP address. So I’m missing an ip local pool command, or that pool is missing from the AnyConnect tunnel-group. To Test;

[box]

WHAT IT SHOULD LOOK LIKE

Petes-ASA# show run | incl pool
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
 address-pool SSL-POOL
Petes-ASA#

[/box]

In the example above, I have my address pool, and the second line is that pool being applied to the tunnel-group I’m using for AnyConnect.

If you are missing both (I was post upgrade)

Note: Change the subnet to match your requirements, and don’t use addresses that are already in use inside your LAN. The pool is also what your inside ACLs and NAT exemptions for VPN clients key on, so pick it deliberately and keep it out of any range a DHCP server hands out.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0

[/box]

If you are missing the address-pool command

The IP pool used, is defined in the tunnel group, (in the general-attributes section).

[box]

HERE THE POOL REFERENCE IS MISSING;

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#

TO ADD IT IN (Take note of the tunnel group name SSL-PROFILE (above))

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# tunnel-group SSL-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# address-pool SSL-POOL
Petes-ASA(config-tunnel-general)#

WHAT IT SHOULD LOOK LIKE

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run tunnel-group
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
address-pool SSL-POOL
authentication-server-group Windows-IAS
default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
group-alias PROFILE enable
Petes-ASA#

[/box]

 

Finally, don’t forget to save the changes.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Afterthoughts

This happened because (pre migration) I had the following command in the firewall config;

[box]

ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0

[/box]

 

The firewall was (at that time) running version 8.2; in the past that syntax was fine, but now you would need to specify the mask as 255.255.255.255 (to lease one address). During conversion this command was dropped, so it was never added to the tunnel-group either. The lesson is to diff the running-config before and after an upgrade: anything the migration silently discards tends to surface as an error like this one.
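Since the migration dropped a line without telling anyone, the check I would want is an offline audit of a saved ‘show running-config’. The following is an added example, not from any of the articles on this page, that looks for the remote-access VPN problems covered here: weak IKEv1 crypto (the EZVPN article), remote-access tunnel-groups with no usable address pool (this article) and ISAKMP keepalives switched off (the IPSEC client timeout article). It works on plain text so it runs offline; the sample config at the bottom is constructed for the demonstration, and the ‘weak’ algorithm lists are our own policy, not Cisco’s (‘hash sha’, i.e. SHA-1, is not flagged because IKEv1 policies on the ASA offer nothing stronger for Phase 1).

```powershell
# Added example (not from the original articles): audit a saved ASA running-config
# for the remote-access VPN problems discussed on this page. The sample at the
# bottom is constructed; the weak-algorithm lists are our own choice.

function Test-AsaVpnConfig {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ConfigLines)

    $weakIke = @{ encryption = @('des', '3des'); hash = @('md5'); group = @('1', '2', '5') }
    $weakEsp = @('esp-des', 'esp-3des', 'esp-md5-hmac')

    $findings = [System.Collections.Generic.List[string]]::new()
    $pools    = @{}     # pool name -> $true
    $groups   = @{}     # tunnel-group name -> @{ Type; Pool; Keepalive }
    $policy   = $null   # 'crypto ikev1 policy N' block we are inside, if any
    $tg       = $null   # tunnel-group whose attributes block we are inside, if any

    foreach ($raw in $ConfigLines) {
        # ASA indents sub-commands with a space; an unindented line ends the current block
        if ($raw -notmatch '^\s') { $policy = $null; $tg = $null }
        switch -Regex ($raw.Trim()) {
            '^crypto ikev1 policy (\d+)$' { $policy = $Matches[1]; break }
            '^(encryption|hash|group) (\S+)$' {
                if ($policy -and $Matches[2] -in $weakIke[$Matches[1]]) {
                    $findings.Add("ikev1 policy $policy uses weak $($Matches[1]) $($Matches[2])")
                }
                break
            }
            '^crypto ipsec ikev1 transform-set (\S+) (.+)$' {
                foreach ($alg in ($Matches[2] -split '\s+')) {
                    if ($alg -in $weakEsp) { $findings.Add("transform-set $($Matches[1]) uses weak $alg") }
                }
                break
            }
            # ip local pool NAME first[-last] [mask M]: no range, or a /32 mask, leases one address
            '^ip local pool (\S+) ([^\s-]+)(?:-(\S+))?(?: mask (\S+))?$' {
                $pools[$Matches[1]] = $true
                if (-not $Matches[3] -or $Matches[4] -eq '255.255.255.255') {
                    $findings.Add("pool $($Matches[1]) leases a single address")
                }
                break
            }
            '^tunnel-group (\S+) type (\S+)$' {
                $groups[$Matches[1]] = @{ Type = $Matches[2]; Pool = $null; Keepalive = $null }
                break
            }
            '^tunnel-group (\S+) \S+-attributes$' { $tg = $Matches[1]; break }
            '^address-pool (\S+)$' {
                if ($tg -and $groups.ContainsKey($tg)) { $groups[$tg].Pool = $Matches[1] }
                break
            }
            '^isakmp keepalive threshold (\S+)' {
                if ($tg -and $groups.ContainsKey($tg)) { $groups[$tg].Keepalive = $Matches[1] }
                break
            }
        }
    }

    foreach ($name in $groups.Keys) {
        $g = $groups[$name]
        if ($g.Type -ne 'remote-access') { continue }
        if (-not $g.Pool) {
            # the pool may instead come from the group-policy (address-pools value) or DHCP,
            # and an EZVPN network-extension-mode group needs none, so this is a prompt to check
            $findings.Add("tunnel-group $name has no address-pool; AnyConnect users get 'No assigned address' unless the group-policy supplies one")
        } elseif (-not $pools.ContainsKey($g.Pool)) {
            $findings.Add("tunnel-group $name references pool $($g.Pool), which is not defined")
        }
        if ($g.Keepalive -eq 'infinite') {
            $findings.Add("tunnel-group $name never initiates ISAKMP keepalives; dead peers stay up until the idle timeout or SA lifetime")
        }
    }
    return $findings
}

# Constructed sample: the EZVPN policy from this page, the 8.2-era single-address
# pool, an SSL profile with no pool, and an IPSEC group with keepalives off.
$sample = @'
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
ip local pool SSL-POOL 172.16.33.1 mask 255.255.255.0
tunnel-group SSL-PROFILE type remote-access
tunnel-group SSL-PROFILE general-attributes
 authentication-server-group Windows-IAS
 default-group-policy SSL-POLICY
tunnel-group SSL-PROFILE webvpn-attributes
 group-alias PROFILE enable
tunnel-group IPSEC-VPN-GROUP type remote-access
tunnel-group IPSEC-VPN-GROUP general-attributes
 address-pool IPSEC-VPN-DHCP-POOL
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
 isakmp keepalive threshold infinite
'@

Test-AsaVpnConfig -ConfigLines ($sample -split "`r?`n")
# Against a real device: Test-AsaVpnConfig -ConfigLines (Get-Content .\running-config.txt)
```

On the sample this reports the 3DES and group 2 in the IKEv1 policy, the esp-3des in the transform set, the single-address pool, SSL-PROFILE with no pool, IPSEC-VPN-GROUP pointing at a pool that is not defined, and the keepalives being off. Run it against the config you saved before an upgrade and the one you pull afterwards, and compare the two lists.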

Related Articles, References, Credits, or External Links

NA

AnyConnect – ‘Service Provider is Restricting Access’

KB ID 0000950 

Problem

I only tend to use AnyConnect for VPN. So while I was at a client’s site the other week, I wanted to jump onto my test servers at home and was greeted by this;

“The service provider in your current location is restricting access to the Internet.  You need to log on with the service provider before you can establish a VPN session.  You can try this by visiting any website with your browser.”

Solution

I was slightly confused because I had authenticated to the client’s wireless network and was happily browsing the Internet.

As it turns out, when the AnyConnect service started (when I opened my laptop) I had not yet authenticated to their captive portal (they have a sponsored wireless access procedure), so the client still believed it was sitting behind one.

1. Windows Key+R > services.msc > locate the ‘Cisco AnyConnect Secure Mobility Agent’.

2. Restart the service and try again.

Related Articles, References, Credits, or External Links

NA