I’ve had a Windows 2012R2 server image that I’ve been using in EVE-NG forever. This week it bit the dust, so I thought: can I deploy a shiny new 2019 server?
EVE-NG Windows Virtual Machines
Yes! In fact the deployment procedure is the same for 2019 as it was for earlier versions of Windows server. First log onto your EVE-NG host and create the folder;
[box]
mkdir /opt/unetlab/addons/qemu/winserver-2019/
[/box]
Then ‘upload’ a copy of the Windows Server 2019 installation iso into that folder with WinSCP or FileZilla.
Now rename the ISO image file to cdrom.iso, then create a new (empty) hard drive file that we will install Windows onto. (Note: below I’m setting it to 60GB in size.)
In EVE-NG create a new Lab and add in your Windows 2019 Server, then power it on.
It won’t find the hard drive, because it does not have the controller driver: click ‘Load Driver‘.
Navigate to B:\Storage\2003R2\amd64 > OK > Next. It will detect and load the ‘Red Hat Virtio‘ driver and install Windows. Once done, shut the Windows server down.
WARNING: If you intend to deploy ‘multiple’ copies of this server OS into a single EVE-NG lab, then run ‘Sysprep‘ on the server image, select ‘Generalize’ and ‘Shutdown’, THEN commit the image once it’s shut down.
Now you need to ‘commit’ that image (so all new VMs will be created from that image). I’ve written about this before, see the following link;
Yesterday morning, I walked into the office, the boss told me a client’s Exchange was running slowly and they had had a Veeam backup fail. I know this client well enough to know if it was something simple he would have fixed it himself, so while my laptop booted I armed myself with a coffee.
By the time I got on remotely, Ben on the help desk had also got online and was giving me the heads up on what the NAble proactive system had flagged up during the night, one drive was practically full, and it had filled up quickly.
I rang the client who told me the drive in question was the transaction log volume for Exchange, (which with failing backups would make sense). Also he had added 1500 iPad clients to the network in the last few weeks, and the transaction logs were going up by about 20GB a day. Without a good backup to flush the logs things had steadily got worse.
I connected to the Veeam backup server and this was the error.
Unable to release guest. Error: Unfreeze error: [Backup job failed. Cannot create a shadow copy of the volumes containing writer’s data. A VSS critical writer has failed. Writer name: [Microsoft Exchange Writer]. Class ID: [{76fe1ac4-15f7-4bcd-987e-8e1acb462fb7}]. Instance ID: [{65ec880f-7b6a-402f-baf1-14d4de7f6fb9}]. Writer’s state: [VSS_WS_FAILED_AT_FREEZE]. Error code: [0x800423f2].]
Solution
1. OK, that’s a huge error, but essentially it’s complaining about the VSS writer on the Exchange server. Log onto the Exchange server, drop to the command line and issue the following command;
[box]
vssadmin list writers
[/box]
Chances are you will see the following;
If you look in the Event Log you will probably also see Event ID 2007.
Information Store (2544) Shadow copy instance 1 aborted.
2. To fix that you need to restart the Microsoft Exchange Information Store service.
3. Check again to make sure you are back up.
4. Note: We are backing up using Veeam, so make sure there is no instance of the Symantec Backup Exec Remote Agent for Exchange; if it’s there, remove it.
5. Finally, I’ve got over 120GB of transaction logs to contend with for the problem mail store, so I’m going to enable circular logging to free up some room. (Note: You can disable this again once you have a decent backup, if you wish.)
6. At this point I rebooted both the Exchange server and the Veeam backup server; it then performed a backup of the Exchange server without error.
Update 170114
We had an issue with this again this week and the above resolution did not work. In the end we had to do the following;
1. Exchange shouldn’t be more than 20 sec.
So please kindly inspect closely the following article: http://www.veeam.com/kb1680
2. Please make sure that Exchange server isn’t running on a snapshot.
3. Troubleshoot the VSS service, i.e.
[box]
To check for unnecessary providers
vssadmin list providers
Check that there are no shadow copies running
vssadmin list shadows
Check the writers’ state. Probably there will be a Failed/Timed out writer.
vssadmin list writers
[/box]
4. To get a failed writer to a normal state restart following services: “COM+ Event System”, “Microsoft Software Shadow Copy Provider”, “Volume Shadow Copy”.
5. Next you can manually create a shadow copy of an Exchange DB volume. (Note: This assumes Exchange is on C:.)
[box]vssadmin create shadow /for=c:[/box]
6. Manual creation should report that it completed successfully.
7. Delete the shadow copy that you have just created.
[box]vssadmin delete shadows /for=c: /all [/box]
8. Finally make sure all shadows have been removed with the following command
[box]vssadmin list shadows[/box]
9. Attempt to re-run the backups
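As an added illustration (not part of the original article), here is a small Python parser that reads ‘vssadmin list writers’ output, picks out any writer that is not Stable or reports a last error, and maps it to the service restart used in the steps above. The sample output is constructed (it reuses the Exchange writer IDs quoted in the Veeam error, with placeholder IDs for the System Writer), and the remediation mapping is an assumption drawn from this article’s steps.

```python
import re

# Constructed sample of `vssadmin list writers` output (not a capture from a real host).
# Exchange writer IDs are the ones quoted in the Veeam error; System Writer IDs are placeholders.
SAMPLE_OUTPUT = """\
Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-000000000002}
   State: [1] Stable
   Last error: No error

Writer name: 'Microsoft Exchange Writer'
   Writer Id: {76fe1ac4-15f7-4bcd-987e-8e1acb462fb7}
   Writer Instance Id: {65ec880f-7b6a-402f-baf1-14d4de7f6fb9}
   State: [9] Failed
   Last error: Timed out
"""

FIELD = re.compile(r"^\s*(Writer name|Writer Id|Writer Instance Id|State|Last error):\s*(.+?)\s*$")

def parse_writers(text):
    """Turn vssadmin's block-per-writer text into a list of dicts."""
    writers, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Writer name":
            cur = {"name": val.strip("'")}
            writers.append(cur)
        elif key == "State":
            code, _, label = val.partition("] ")  # "[9] Failed" -> 9, "Failed"
            cur["state_code"], cur["state"] = int(code.lstrip("[")), label
        else:
            cur[key.lower().replace(" ", "_")] = val  # writer_id, writer_instance_id, last_error
    return writers

def unhealthy(writers):
    """Anything that is not '[1] Stable' with 'No error' will make a VSS-based backup fail."""
    return [w for w in writers if w.get("state_code") != 1 or w.get("last_error") != "No error"]

def remediation(writer):
    """Restart the article applies to a failed writer (assumed mapping, not a Veeam/MS rule)."""
    if writer["name"] == "Microsoft Exchange Writer":
        return "restart the Microsoft Exchange Information Store service, then re-check"
    return "restart COM+ Event System, Microsoft Software Shadow Copy Provider and Volume Shadow Copy, then re-check"
```

Feed it the real command output (for example, vssadmin list writers > writers.txt) and the failed writer from the Veeam error shows up as the only unhealthy entry.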
Related Articles, References, Credits, or External Links
WARNING: This article is not intended to cover every problem that will stop you committing the firewall config. It just serves to document problems I’ve encountered, and how I overcame them.
Solution
I came across the following two problems whilst attempting to set up a ‘chassis cluster‘. Both were related to configuration existing on interfaces that I wanted to use as Reth interfaces; essentially I didn’t delete ALL the settings for these interfaces before I started configuring clustering.
Problem 1
[box]root# commit
[edit security zones security-zone untrust]
‘interfaces ge-0/0/0.0’ Interface ge-0/0/0.0 must be configured under interfaces
error: configuration check-out failed[/box]
This was because ge-0/0/0 was automatically converted to fxp0 (which is the management interface). The error is telling me that physical interface is still part of the ‘untrust’ zone, so I need to remove that.
[box]{hold:node0}[edit]
root# delete security zones security-zone untrust interfaces ge-0/0/0.0[/box]
Problem 2
[box]root@FWA# commit
[edit interfaces ge-0/0/4 gigether-options] ‘redundant-parent’
Logical unit is not allowed on redundant-ethernet member
error: commit failed: (statements constraint check failed)[/box]
This was because ge-0/0/4, which was part of Reth0 (my outside-facing redundant interface), had some configuration on it that shouldn’t be there. To find out what, I needed to search the configuration.
[box]{primary:node0}[edit]
root@FWA# show | display set | match ge-0/0/4
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust[/box]
The first setting tells me it’s part of Reth0, which is good, but the second one should not be there. I could just delete that one, but I’ll simply delete all configuration for that interface, then add the correct line back like so;
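As an added example (not the article’s own commands), this Python snippet applies the same check to ‘show | display set’ output: any interface bound to a reth via redundant-parent that still carries a logical unit is flagged, and the fix described above (delete the interface’s configuration, re-add only the redundant-parent line) is emitted as Junos set/delete commands. The sample lines are constructed from the two quoted above plus two clean interfaces; the remediation commands are my reading of the article’s approach, not its literal text.

```python
import re

# Constructed sample in `show | display set` form (not a capture from a real SRX):
# the two ge-0/0/4 lines are the ones quoted above, the others are clean examples.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 gigether-options redundant-parent reth1
set interfaces ge-0/0/6 unit 0 family inet address 192.0.2.1/24
"""

SET_LINE = re.compile(r"^set interfaces (\S+) (.*)$")
PARENT = re.compile(r"^gigether-options redundant-parent (\S+)$")

def reth_conflicts(config_text):
    """Return {member: (reth, [offending lines])} for every interface that is a
    redundant-ethernet member but still carries logical-unit configuration,
    which is what 'Logical unit is not allowed on redundant-ethernet member'
    complains about at commit time."""
    parent, units = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SET_LINE.match(line)
        if not m:
            continue
        ifname, rest = m.groups()
        pm = PARENT.match(rest)
        if pm:
            parent[ifname] = pm.group(1)
        elif rest.startswith("unit "):
            units.setdefault(ifname, []).append(line)
    return {i: (r, units[i]) for i, r in parent.items() if i in units}

def remediation(conflicts):
    """Commands matching the article's approach (assumed): wipe the member
    interface's configuration, then re-add only the redundant-parent binding."""
    cmds = []
    for ifname, (reth, _) in sorted(conflicts.items()):
        cmds.append(f"delete interfaces {ifname}")
        cmds.append(f"set interfaces {ifname} gigether-options redundant-parent {reth}")
    return cmds
```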
2. Load factory defaults. At this point you cannot commit/save the configuration unless you set a password, so do that next.
[box]
[edit]
PeteL@Petes-SRX# set system root-authentication plain-text-password
New password: Password123
Retype new password: Password123
[edit]
PeteL@Petes-SRX#
[/box]
3. Save the changes then reboot.
[box]
[edit]
PeteL@Petes-SRX# commit and-quit
commit complete
Exiting configuration mode
PeteL@Petes-SRX> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 1904]
PeteL@Petes-SRX>
*** FINAL System shutdown message from root@FW-01 ***
System going down IMMEDIATELY
[/box]
Reset To Factory Settings if the SRX is part of a Chassis Cluster (is in Failover mode)
1. If the firewall is part of a chassis cluster then you need to do the following before you can carry out the procedure above.
[box]
PeteL@Petes-SRX> set chassis cluster disable reboot
For cluster-ids greater than 15 and when deploying more than one
cluster in a single Layer 2 BROADCAST domain, it is mandatory that
fabric and control links are either connected back-to-back or
are connected on separate private VLANS.
{primary:node0}
PeteL@Petes-SRX>
*** FINAL System shutdown message from root@FWA ***
System going down IMMEDIATELY
[/box]
Completely Wipe the Juniper SRX
Alternatively you can also do the following.
[box]
root> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes
warning: zeroizing re0
root>
[/box]
Related Articles, References, Credits, or External Links
You want to establish a site to site VPN from a site with a Cisco ASA firewall, to another site running a Juniper SRX firewall. I had to do this this week, and struggled to find any good information to help.
In the example below I’m configuring the whole thing from a laptop (172.16.254.206) that’s on the Juniper’s site. Use the diagram below, and substitute your own IP addresses and subnet addresses, to get a workable solution for your site.
When the process is complete, I will test it by pinging the host behind the Cisco ASA on the remote site (10.254.254.5).
Solution
Before you begin, I will assume both firewalls are functioning properly and the clients behind them can access internet services (where allowed) through them already.
5. Enter the Local (behind the ASA) network > Then the Remote (behind the Juniper) network > Next.
Note: You can type them in, but if you use the pick-list button you can select ‘inside-network’ for the local, and define a network object for the remote network.
6. Enter a pre-shared key (remember this, you need to enter it on the Juniper).
8. Enable PFS > Tick the box to exempt traffic from NAT > Next.
9. Review the settings > Finish
11. Save the changes > File > Save running Configuration to Flash.
Step 2 – Configure the Juniper SRX (Route Based VPN)
Model used SRX100B version 11.2R4.3
The SRX supports two types of VPN:
Route based VPN – VPN selection is done based on the route. In this you define a route pointing to the tunnel interface (st0 interface) bound to the VPN.
Policy based VPN – VPN is selected based on the policy.
15. Give the tunnel a name > Set the local zone to trust > Add in the local subnet (behind the Juniper) > Name the Secure Tunnel Interface (just put in a zero) > Set the secure tunnel zone to Untrust > Enter the physical interface the VPN will be terminating on (usually the fe-0/0/0.0 interface, but it does not have to be) > Next.
Note: On the Juniper, when specifying a subnet use the short subnet notation, i.e. 192.168.1.0 255.255.255.0 would be 192.168.1.0/24 (if you get stuck use my subnet calculator).
16. Supply the public IP address of the ASA > and add in the subnet at the far end of the tunnel (behind the ASA) > Next.
17. Set the IKE (phase 1) settings to Compatible, Main Mode, enter the same pre-shared key you set up in Step 1 (number 6) > Set the IPsec (phase 2) settings to Compatible, IPsec Perfect Forward Secrecy (PFS) to group 2 > Next.
20. Navigate to IPsecVPN > Auto Tunnel > Phase II > Select your tunnel > Edit > IPsecVPN Options > Tick ‘use proxy identity’ > Enter the local and remote subnets > OK.
21. Navigate to Security > Zones/Screen > Select the untrust zone > Edit > Host Inbound traffic – Interface > Select the physical address that the VPN is terminating on (usually fe-0/0/0.0) > Add IKE as an Interface service > OK.
22. To save the changes > Action > Commit.
23. Test the VPN by attempting to ping a host on the other end.
Juniper SRX Command Line
On the Cisco firewalls I prefer to work at the command line. The Juniper firewall also supports the CLI; you can check the VPN config with the following commands, which give you the configuration as “set” commands;
[box]
show security ike | display set
show security ipsec | display set
show | display set | match <external interface configured in ike>
show | display set | match <st.x>
[/box]
Related Articles, References, Credits, or External Links
Special thanks to Kalanidhi Tripathi at JTAC for his assistance.