EVE-NG: Create Windows Server 2019 VM

KB ID Article 

Problem

I’ve had a Windows 2012R2 server image that I’ve been using in EVE-NG forever. This week it bit the dust, so I thought: can I deploy a shiny new 2019 server?

EVE-NG Windows Virtual Machines

Yes! In fact the deployment procedure is the same for 2019 as it was for earlier versions of Windows server. First log onto your EVE-NG host and create the folder;

[box]

mkdir /opt/unetlab/addons/qemu/winserver-2019/

[/box]

Then ‘upload’ a copy of the Windows Server 2019 installation ISO into that folder with WinSCP or FileZilla.

Now rename the ISO image file to cdrom.iso, then create a new (empty) hard drive file that we will install Windows onto. (Note: below I’m setting it to 60GB in size).

[box]

mv en_windows_server_2019_updated_nov_2020_x64_dvd_860005f.iso cdrom.iso
/opt/qemu/bin/qemu-img create -f qcow2 virtioa.qcow2 60G

[/box]

In EVE-NG create a new Lab and add in your Windows 2019 Server, then power it on.

It won’t find the hard drive, because it does not have the controller driver; click ‘Load Driver‘.

Navigate to B:\Storage\2003R2\amd64 > OK > Next. It will detect and load the ‘Red Hat Virtio‘ driver; then install Windows. Once done, shut the Windows server down.

WARNING: If you intend to deploy ‘multiple’ Server OS’s into a single EVE-NG Lab, then run ‘Sysprep‘ on the server image, select ‘Generalize’ and ‘Shutdown’, THEN commit the image once it has shut down.

Now you need to ‘commit’ that image (so all new VMs will be created from that image). I’ve written about this before, see the following link;

EVE-NG: Committing / Saving Qemu Virtual Machine Settings

But essentially get the ‘Pod Number’ from user management, and the Lab ID from Lab details.

Get the Node ID from the virtual machine, and execute the following command;

[box]

cd /opt/unetlab/tmp/POD-Number/Lab-ID/Node-Number/
e.g.
cd /opt/unetlab/tmp/1/b56699c-31b5-4399-af2e-697eab12981d/2/

[/box]

Lastly, don’t forget to tidy up and delete the ISO image now that you no longer need it.

[box]

cd /opt/unetlab/addons/qemu/winserver-2019
rm -f cdrom.iso

[/box]
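The whole procedure above (create the folder, stage the ISO and the empty disk, commit the node’s disk, tidy up) as one POSIX shell script, with a final check that the image folder is in the state the article ends with. This is an added example, not the article’s own commands or any EVE-NG tooling: the paths and the virtioa.qcow2 / cdrom.iso names are the ones used above, while the winserver- folder-name prefix rule, the qemu-img commit step and the check_image_folder function are my assumptions about how EVE-NG expects a Windows Server image to be laid out.

```shell
#!/bin/sh
# Added example, not from the original article: the image-prep steps as
# functions plus a post-build check. Paths are those used in the article;
# the "winserver-" name prefix rule and the qemu-img commit step are my
# assumptions about EVE-NG, not something the article states.
set -eu

QEMU_IMG=/opt/qemu/bin/qemu-img        # qemu-img binary used in the article
ADDONS=/opt/unetlab/addons/qemu        # image folders live under here

# Per-node working directory holding the node's delta disk.
# Arguments: pod number, lab ID, node ID (all read from the EVE-NG UI).
node_tmp_dir() {
    printf '/opt/unetlab/tmp/%s/%s/%s\n' "$1" "$2" "$3"
}

# Stage a new image folder: create it, move the ISO in as cdrom.iso and
# create the empty virtio disk. Arguments: folder name, ISO path, disk size.
stage_image() {
    name=$1; iso=$2; size=${3:-60G}
    case "$name" in
        winserver-*) ;;
        *) echo "refusing: folder name must start with winserver-" >&2; return 1 ;;
    esac
    mkdir -p "$ADDONS/$name"
    mv "$iso" "$ADDONS/$name/cdrom.iso"
    "$QEMU_IMG" create -f qcow2 "$ADDONS/$name/virtioa.qcow2" "$size"
}

# Merge the node's delta disk back into the base image after the install
# (and after sysprep, if you ran it). Arguments: pod, lab ID, node ID.
commit_node_disk() {
    cd "$(node_tmp_dir "$1" "$2" "$3")"
    "$QEMU_IMG" commit virtioa.qcow2   # assumption: standard qemu-img commit
}

# Verify the folder is in the state the article ends with: correct prefix,
# a non-empty virtioa.qcow2 and no leftover cdrom.iso. Prints each problem,
# returns 0 when clean and 1 otherwise.
check_image_folder() {
    dir=$1; ok=0
    case "$(basename "$dir")" in
        winserver-*) ;;
        *) echo "$dir: name does not start with winserver-"; ok=1 ;;
    esac
    [ -s "$dir/virtioa.qcow2" ] || { echo "$dir: virtioa.qcow2 missing or empty"; ok=1; }
    [ ! -e "$dir/cdrom.iso" ]   || { echo "$dir: cdrom.iso still present, delete it"; ok=1; }
    return $ok
}

# Usage (placeholder values):
#   image.sh stage  winserver-2019 /root/SERVER-2019.iso 60G
#   image.sh commit 1 LAB-ID 2
#   image.sh check  /opt/unetlab/addons/qemu/winserver-2019
case "${1:-}" in
    stage)  stage_image "$2" "$3" "${4:-60G}" ;;
    commit) commit_node_disk "$2" "$3" "$4" ;;
    check)  check_image_folder "$2" ;;
esac
```

Run the check after the tidy-up step: a folder that still contains cdrom.iso, or whose disk file is empty because the install never ran, is reported before you build labs from it.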

Related Articles, References, Credits, or External Links

NA

Veeam Backup Error – ‘Unable to release guest. Error: Unfreeze error:’

KB ID 0000763 

Problem

Yesterday morning, I walked into the office, the boss told me a client’s Exchange was running slowly and they had had a Veeam backup fail. I know this client well enough to know if it was something simple he would have fixed it himself, so while my laptop booted I armed myself with a coffee.

By the time I got on remotely, Ben on the help desk had also got online and was giving me the heads up on what the NAble proactive system had flagged up during the night: one drive was practically full, and it had filled up quickly.

I rang the client who told me the drive in question was the transaction log volume for Exchange, (which with failing backups would make sense). Also he had added 1500 iPad clients to the network in the last few weeks, and the transaction logs were going up by about 20GB a day. Without a good backup to flush the logs things had steadily got worse.

I connected to the Veeam backup server and this was the error.

Unable to release guest. Error: Unfreeze error: [Backup job failed. Cannot create a shadow copy of the volumes containing writer’s data. A VSS critical writer has failed. Writer name: [Microsoft Exchange Writer]. Class ID: [{76fe1ac4-15f7-4bcd-987e-8e1acb462fb7}]. Instance ID: [{65ec880f-7b6a-402f-baf1-14d4de7f6fb9}]. Writer’s state: [VSS_WS_FAILED_AT_FREEZE]. Error code: [0x800423f2].]

Solution

1. OK that’s a huge error, but essentially it’s complaining about the VSS writer on the Exchange server. Log onto the Exchange server, drop to the command line and issue the following command;

[box]

vssadmin list writers

[/box]

Chances are you will see the following;

If you look in the Event Log you will probably also see Event ID 2007.

Information Store (2544) Shadow copy instance 1 aborted.

2. To fix that you need to restart the Microsoft Exchange Information Store service.

3. Check again to make sure you are back up.

4. Note: We are backing up using Veeam, so make sure there is no instance of the Symantec Backup Exec Remote Agent for Exchange; if it’s there, remove it.

5. Finally, I’ve got over 120GB of transaction logs to contend with, so for the problem mail store I’m going to enable circular logging to free up some room. (Note: You can disable this again once you have a decent backup if you wish).

6. At this point I rebooted both the Exchange server and the Veeam Backup server; it then performed a backup of the Exchange server without error.

Update 170114

We had an issue with this again this week and the above resolution did not work. In the end we had to do the following;

1. Exchange shouldn’t take more than 20 seconds. Please inspect the following article closely: http://www.veeam.com/kb1680

2. Please make sure that Exchange server isn’t running on a snapshot.

3. Troubleshoot the VSS service, i.e.

[box]

To check for unnecessary providers

vssadmin list providers

Check that there are no shadow copies running

vssadmin list shadows

Check the writers’ state. There will probably be a Failed/Timed out writer.

vssadmin list writers

[/box]

4. To get a failed writer back to a normal state, restart the following services: “COM+ Event System”, “Microsoft Software Shadow Copy Provider”, “Volume Shadow Copy”.

5. Next, manually create a shadow copy of an Exchange database volume. (Note: This assumes Exchange is on C:).

[box]vssadmin create shadow /for=c:[/box]

6. Manual creation should report that it completed successfully.

7. Delete the shadow copy that you have just created.

[box]vssadmin delete shadows /for=c: /all [/box]

8. Finally, make sure all shadows have been removed with the following command;

[box]vssadmin list shadows[/box]

9. Attempt to re-run the backups.
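To spot the unhealthy writer from steps 3 and 4 above without reading through the whole listing, here is an added example (mine, not the article’s, and not a Veeam or Microsoft tool): a POSIX shell/awk filter over pasted vssadmin list writers output that lists every writer whose state is not [1] Stable or whose last error is not No error, and a yes/no check for the Microsoft Exchange Writer named in the Veeam error. The sample output is constructed; the Exchange writer and instance IDs are the ones quoted in the error above, the other IDs are made up.

```shell
#!/bin/sh
# Added example, not from the original article: parse "vssadmin list writers"
# output (pasted from the Exchange server; CRLF line endings are tolerated)
# and list every writer that is not "[1] Stable" with "No error".
set -eu

# Constructed sample output. The Exchange writer IDs are the ones quoted in
# the Veeam error in the article; the other writers' IDs are made up.
SAMPLE_WRITERS=$(cat <<'EOF'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-0000000000aa}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000ab}
   State: [1] Stable
   Last error: No error

Writer name: 'Microsoft Exchange Writer'
   Writer Id: {76fe1ac4-15f7-4bcd-987e-8e1acb462fb7}
   Writer Instance Id: {65ec880f-7b6a-402f-baf1-14d4de7f6fb9}
   State: [9] Failed
   Last error: Timed out

Writer name: 'SqlServerWriter'
   Writer Id: {00000000-0000-0000-0000-0000000000ac}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000ad}
   State: [5] Waiting for completion
   Last error: No error
EOF
)

# Reads vssadmin output on stdin; prints "name<TAB>state<TAB>last error" for
# each writer that is not stable or reports an error. A writer stuck in
# "Waiting for completion" is flagged too, since the next backup hangs on it.
unhealthy_vss_writers() {
    tr -d '\r' | awk -v q="'" '
        /^Writer name:/      { name = $0; sub(/^Writer name: */, "", name); gsub(q, "", name) }
        /^[ \t]*State:/      { state = $0; sub(/^[ \t]*State: */, "", state) }
        /^[ \t]*Last error:/ {
            err = $0; sub(/^[ \t]*Last error: */, "", err)
            if (state != "[1] Stable" || err != "No error")
                printf "%s\t%s\t%s\n", name, state, err
        }'
}

# Check for the writer named in the Veeam error: returns 0 when the
# Microsoft Exchange Writer is healthy, 1 when it is listed as unhealthy.
exchange_writer_ok() {
    ! unhealthy_vss_writers | grep -q '^Microsoft Exchange Writer'
}

# Stand-alone run: show the unhealthy writers in the constructed sample.
printf '%s\n' "$SAMPLE_WRITERS" | unhealthy_vss_writers
```

Save the output of vssadmin list writers to a file on the Exchange server, copy it to a Linux box and pipe it through unhealthy_vss_writers; an empty result after step 4 (restarting the three services) is the signal that it is worth moving on to the manual shadow copy in step 5.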

Related Articles, References, Credits, or External Links

Thanks to Steve Morrison and Dimitri from Veeam

Veeam Backup and Recovery Download

Veeam Availability Suite Download

 

Juniper SRX – Commit Errors

KB ID 0000999 

Problem

WARNING: This article does not cover every problem that will stop you committing the firewall config. It just serves to document problems I’ve encountered, and how I overcame them.

Solution

I came across the following two problems whilst attempting to set up a ‘chassis cluster‘. Both were related to configuration existing on interfaces that I wanted to use as Reth interfaces; essentially I didn’t delete ALL the settings for these interfaces before I started configuring clustering.

Problem 1

[box]root# commit
[edit security zones security-zone untrust]
‘interfaces ge-0/0/0.0’
Interface ge-0/0/0.0 must be configured under interfaces
error: configuration check-out failed
[/box]

This was because ge-0/0/0 was automatically converted to fxp0 (the management interface). The error is telling me that that physical interface is still referenced in the ‘untrust’ zone, so I need to remove that reference.

[box]{hold:node0}[edit]
root# delete security zones security-zone untrust interfaces ge-0/0/0.0[/box]

Now it let me commit the configuration.

[box] {hold:node0}[edit]
root# commit
node0:
commit complete

{hold:node0}[edit]
root#[/box]

Problem 2

[box]root@FWA# commit
[edit interfaces ge-0/0/4 gigether-options]
‘redundant-parent’
Logical unit is not allowed on redundant-ethernet member
error: commit failed: (statements constraint check failed)
[/box]

This was because ge-0/0/4, which was part of Reth0 (my outside-facing redundant interface), had some configuration on it that shouldn’t be there; to find out what, I needed to search the configuration.

[box]{primary:node0}[edit]
root@FWA# show | display set | match ge-0/0/4
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust[/box]

The first setting tells me it’s part of Reth0, which is good, but the second one should not be there. I could just delete that one, but I’ll simply delete all configuration for that interface, then add the correct line back like so;

[box] {primary:node0}[edit]
root@FWA# delete interfaces ge-0/0/4

{primary:node0}[edit]
root@FWA# set interfaces ge-0/0/4 gigether-options redundant-parent reth0 [/box]

Now it let me commit the configuration.

[box] {hold:node0}[edit]
root# commit
node0:
commit complete

{hold:node0}[edit]
root#

[/box]
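Both commit errors can be caught before committing by searching the set-format configuration, as the author does with show | display set | match. The following is an added example, not from the article or from Juniper: two POSIX shell/awk checks that flag a reth member still carrying a logical unit (Problem 2) and a zone referencing an interface that is not configured under [edit interfaces] (Problem 1). Run them over saved show | display set output; the sample configuration is constructed, and only the two ge-0/0/4 lines come from the article.

```shell
#!/bin/sh
# Added example, not from the original article: two checks run over
# "show | display set" output (pasted or saved to a file) that catch the
# two commit errors described in the article before you try to commit.
set -eu

# Constructed sample: the two ge-0/0/4 lines are the ones shown in the
# article; ge-0/0/5, reth0 and the zone lines are made up for the example.
SAMPLE_CONFIG=$(cat <<'EOF'
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 gigether-options redundant-parent reth0
set interfaces reth0 unit 0 family inet address 203.0.113.2/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping
EOF
)

# Problem 2: a physical interface that is a reth member must not carry a
# logical unit. Prints one line per offending unit, nothing when clean.
reth_members_with_units() {
    awk '
        $1=="set" && $2=="interfaces" && $4=="gigether-options" && $5=="redundant-parent" { member[$3]=$6 }
        $1=="set" && $2=="interfaces" && $4=="unit" { unit[$3 "." $5]=1 }
        END {
            for (u in unit) {
                phys = u; sub(/\.[0-9]+$/, "", phys)
                if (phys in member)
                    print "unit on reth member: " u " (member of " member[phys] ")"
            }
        }' | sort
}

# Problem 1: a zone may only reference logical interfaces that exist under
# [edit interfaces]. Prints one line per dangling reference, nothing when clean.
zone_refs_without_interface() {
    awk '
        $1=="set" && $2=="interfaces" && $4=="unit" { defined[$3 "." $5]=1 }
        $1=="set" && $2=="security" && $3=="zones" && $4=="security-zone" && $6=="interfaces" { zone[$7]=$5 }
        END {
            for (i in zone)
                if (!(i in defined))
                    print "zone " zone[i] " references undefined interface " i
        }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | reth_members_with_units
printf '%s\n' "$SAMPLE_CONFIG" | zone_refs_without_interface
```

Each reported line names exactly the interface you need a delete statement for, which is the same information the two commit errors give you, but for every interface at once rather than one failed commit at a time.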

 

Related Articles, References, Credits, or External Links

NA

 

Factory Reset Juniper SRX Firewall

KB ID 0001003 

Problem

If you manage to stuff up your firewall, or you have just done some testing and want to revert back to ‘as new’, here is how to do it.

Solution

1. Connect to the firewall either by console cable or via SSH, go to CLI mode then configuration mode.

[box] login: PeteL
Password: ************

— JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC

PeteL@Petes-SRX> cli

PeteL@Petes-SRX> configure
Entering configuration mode

[edit]
PeteL@Petes-SRX#

[/box]

2. Load the factory defaults. At this point you cannot commit/save the configuration unless you set a root password, so do that next.

[box]

[edit]
PeteL@Petes-SRX# load factory-default

[edit]
PeteL@Petes-SRX# set system root-authentication plain-text-password
New password: Password123
Retype new password: Password123

[edit]
PeteL@Petes-SRX#

[/box]

3. Save the changes then reboot.

[box] [edit]
PeteL@Petes-SRX# commit and-quit

commit complete
Exiting configuration mode

PeteL@Petes-SRX> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 1904]

PeteL@Petes-SRX>

*** FINAL System shutdown message from root@FW-01 ***

System going down IMMEDIATELY

[/box]

Reset To Factory Settings if the SRX is part of a Chassis Cluster (is in Failover mode)

1. If the firewall is part of a Chassis Cluster then you need to do the following before you can carry out the procedure above.

[box]

PeteL@Petes-SRX> set chassis cluster disable reboot

For cluster-ids greater than 15 and when deploying more than one
cluster in a single Layer 2 BROADCAST domain, it is mandatory that
fabric and control links are either connected back-to-back or
are connected on separate private VLANS.

{primary:node0}
PeteL@Petes-SRX>

*** FINAL System shutdown message from root@FWA ***

System going down IMMEDIATELY

[/box]

Completely Wipe the Juniper SRX

Alternatively you can also do the following.

[box]

root> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

root>

[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Juniper SRX – Setting the Default Static Route

KB ID 0001008 

Problem

It takes me seconds to do this on an ASA, on every occasion I’ve had to do the same on a Juniper firewall I’ve had to research how to do it again.

Here I’m setting up the ‘default’ route to the Internet, but the syntax is the same for setting up any static route.

Solution

1. Connect to the firewall either by console cable or via SSH, go to CLI mode then configuration mode.

[box]login: PeteL
Password: ************

— JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC

PeteL@Petes-SRX> cli

PeteL@Petes-SRX> configure
Entering configuration mode

[edit]
PeteL@Petes-SRX#

[/box]

2. Here is the syntax for adding a route (0.0.0.0/0 denotes the default route, or gateway of last resort, GOLR).

[box][edit]
PeteL@Petes-SRX# set routing-options static route 0.0.0.0/0 next-hop 123.123.123.123[/box]

3. Save the changes.

[box][edit]
PeteL@Petes-SRX# commit
commit complete[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA to Juniper SRX Site to Site VPN

KB ID 0000710

Problem

You want to establish a site to site VPN from a site with a Cisco ASA firewall, to another site running a Juniper SRX firewall. I had to do this this week, and struggled to find any good information to help.

In the example below I’m configuring the whole thing from a laptop (172.16.254.206) that’s on the Juniper’s site. Use the diagram below, and substitute your own IP addresses and subnet addresses, to get a workable solution for your site.

When the process is complete, I will test it by pinging the host behind the Cisco ASA on the remote site (10.254.254.5).

Solution

Before you begin, I will assume both firewalls are functioning properly and the clients behind them can access internet services (where allowed) through them already.

Step 1 – Configure the ASA

Model used Cisco ASA 5505 v8.4 (ASDM 6.4)

1. Connect to the ASDM > Wizards > VPN Wizards > Site-to-site VPN Wizard.

2. Next.

3. Enter the public IP address of the Juniper Firewall > Next. (Note: I’m assuming the VPN is terminated on the outside interface; if not, change it).

4. IKE version 1 > Next.

5. Enter the Local (behind the ASA) network > Then the Remote (behind the Juniper) network > Next.

Note: You can type them in, but if you use the pick-list button you can select ‘inside-network’ for the local, and define a network object for the remote network.

6. Enter a pre-shared key (remember this, you need to enter it on the Juniper).

7. Accept the default of 3DES and SHA1 > Next.

8. Enable PFS > Tick the box to exempt traffic from NAT > Next.

9. Review the settings > Finish

11. Save the changes > File > Save running Configuration to Flash.

Step 2 – Configure the Juniper SRX (Route Based VPN)

Model used SRX100B version 11.2R4.3

The SRX supports two types of VPN:

  1. Route based VPN – VPN selection is done based on the route. In this you define a route pointing to the tunnel interface (st0 interface) bound to the VPN.
  2. Policy based VPN – VPN is selected based on the policy.

12. Log onto the Juniper Web Device Manager.

13. Tasks > Configure VPN > Launch VPN Wizard.

14. Accept the default of Site-to-site > Start.

15. Give the tunnel a name > Set the local zone to trust > Add in the local subnet (behind the Juniper) > Name the Secure Tunnel Interface (just put in a zero) > Set the secure tunnel zone to Untrust > Enter the physical interface the VPN will be terminating on (usually the fe-0/0/0.0 interface, but it does not have to be) > Next.

Note: On the Juniper, when specifying a subnet use the short subnet notation, i.e. 192.168.1.0 255.255.255.0 would be 192.168.1.0/24 (if you get stuck use my subnet calculator).

16. Supply the public IP address of the ASA > and add in the subnet at the far end of the tunnel (behind the ASA) > Next.

17. Set the IKE (phase 1) settings to Compatible, Main Mode, and enter the same pre-shared key you set up in Step 1 (number 6) > Set the IPsec (phase 2) settings to Compatible, IPsec Perfect Forward Secrecy (PFS) to group 2 > Next.

18. Accept the defaults > Next.

19. Review the settings > Commit.

Step 3 – Additional Steps required (for Cisco ASA)

20. Navigate to IPsec VPN > Auto Tunnel > Phase II > Select your tunnel > Edit > IPsec VPN Options > Tick ‘use proxy identity’ > Enter the local and remote subnets > OK.

21. Navigate to Security > Zones/Screen > Select the untrust zone > Edit > Host Inbound traffic – Interface > Select the physical address that the VPN is terminating on (usually fe-0/0/0.0) > Add IKE as an Interface service > OK.

22. To save the changes > Action > Commit.

23. Test the VPN by attempting to ping a host on the other end.

Juniper SRX Command Line

On the Cisco firewalls I prefer to work at the command line. The Juniper Firewall also supports a CLI; you can check the VPN config with the following commands.

To get the equivalent “set” commands, execute the following on the CLI;

[box]

show security ike | display set
show security ipsec | display set
show | display set | match <external interface configured in ike>
show | display set | match <st.x>

[/box]

Related Articles, References, Credits, or External Links

Special thanks to Kalanidhi Tripathi at JTAC for his assistance.

Juniper KB Articles

 

SRX Getting Started – Configure VPN tunnel for site-to-site connectivity

How to configure IPSec VPN on a J Series or SRX Series device