Windows Remote VPN no DNS

VPN no DNS KB ID 0001402

Problem

I’ve been setting up a VPN solution on the test bench, as I’m looking at Always On VPN, when I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine, but I could not resolve any FQDNs for my domain?

VPN no DNS Solution

By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that (unless your RAS server is the default gateway for your network) you usually don’t have internet access when connected to the VPN.

Now, I connected fine and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name; in fact, Windows was trying to resolve my domain name to a public IP?

Google this problem and you’re simply told to ‘Disable IPv6 on your network card’, and this works (if you want to keep your remote users Force-Tunnelled). But disabling IPv6 is hardly a fix, is it?

Also, if you want internet access for your remote clients (commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled, the problem comes back!

Why is this happening? Well, even with Force Tunnel enabled, you can still use your local LAN (connect to your VPN and ping your home gateway, printer or wireless access point if you don’t believe me!). This connection takes precedence over your remote VPN connection; to prove it, run a netstat -rn command.

In the netstat output you can see my Ethernet adaptor has a metric of 6, and my VPN connector (in this case called Connection Template) has a metric of 23. AND THE LOWEST ONE WINS, so your DNS queries are going out of your local internet connection, NOT down the VPN tunnel!

How Do I Fix this VPN no DNS?

Well, until Microsoft fixes this in Windows 10 (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so:

VPN no DNS On Your Physical Adapter;

Start > ncpa.cpl {enter} > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK > OK.

On Your VPN Connector;

Start > ncpa.cpl {enter} > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK > OK.

Now your DNS look-ups should behave!
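The same metric change can be made from an elevated PowerShell prompt; this is an added example, not from the original article. It assumes the VPN connector is called ‘Connection Template’ and the NIC ‘Ethernet’ (change both to suit), and that the VPN is connected, because the VPN interface only appears in Get-NetIPInterface while it is up.

```powershell
# Added example: set the IPv4 interface metrics with PowerShell instead of ncpa.cpl.
# Assumed adapter names; change them to match yours (Get-NetAdapter lists them).
$VpnAlias = 'Connection Template'
$NicAlias = 'Ethernet'

# Before: connected IPv4 interfaces, lowest metric first (the lowest wins,
# which is why DNS queries currently leave via the local NIC).
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric, AutomaticMetric -AutoSize

# Physical adapter: turn off 'Automatic Metric' and pin it to 20.
Set-NetIPInterface -InterfaceAlias $NicAlias -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric 20

# VPN connector: turn off 'Automatic Metric' and pin it to 10, so it wins.
Set-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric 10

# After: the VPN connector should now sit at the top of the list ...
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, InterfaceMetric -AutoSize

# ... and an internal name should resolve via the DNS server handed out over the VPN.
$CorpDns = (Get-DnsClientServerAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4).ServerAddresses
"VPN DNS server(s): $($CorpDns -join ', ')"
Resolve-DnsName -Name 'server.corp.example' -Type A   # placeholder FQDN; use one of yours
```

The ncpa.cpl steps above store the value in the connection’s properties, so check that the metric applied to the VPN connector with PowerShell survives a disconnect and reconnect; if it does not, set it through the adapter properties as described.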

Related Articles, References, Credits, or External Links

NA

Upload Files to VMware Datastore Fails

KB ID 0001777

Problem

Whilst attempting to upload an ISO into a VMware datastore this morning, I got this error;

The operation failed for an undetermined reason. Typically this problem occurs due to certificates that the browser does not trust. If you are using self-signed or custom certificates, open the URL below in a new browser tab and accept the certificate, then retry the operation.

Solution

I’ve encountered this exact problem once before here: VMware: ISO Upload or Deploy OVA Fails ‘Undetermined Reason’. It happens because you do not trust the CA that signed the certificate that vSphere is using. Go back to the initial logon page and click ‘Download Trusted Root CA Certificates‘. Note: if you have a stupid browser that tries to open the file (I’m looking at you, Microsoft Edge!), then choose ‘Save target as’ and save the zip file containing the root CA certificates.

Open the zip file, choose the Windows or Mac version and locate the file that has the CRT extension (the other file is a certificate revocation list, and you don’t need this). Double click the certificate and choose ‘Install Certificate‘.

Select ‘Local Machine‘.

Select the option to choose which store to use and put it in ‘Trusted Root Certification Authorities‘ > Then complete the import wizard (and ensure it says import successful). Then restart your browser, log back into vSphere and try again.

Related Articles, References, Credits, or External Links

NA

Cisco ASA: Received a DELETE PFKey message from IKE

KB ID 0001720

Problem

I was debugging a VPN tunnel today (from a Fortigate to a Cisco ASAv). I was messing around with the encryption and hashing when the tunnel fell over. Phase 1 was establishing fine but not Phase 2 (IPsec).

I’ve got better skills on the ASA, so that’s where I was debugging:

[box]

IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
IPSEC: New embryonic SA created @ 0x00007fc98613ea60,
    SCB: 0x85567700,
    Direction: inbound
    SPI      : 0x3B5A332E
    Session ID: 0x00004000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Received a PFKey message from IKE
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x3B5A332E)
IPSEC DEBUG: Inbound SA (SPI 0x3B5A332E) destroy started, state embryonic
IPSEC: Destroy current inbound SPI: 0x3B5A332E
IPSEC DEBUG: Inbound SA (SPI 0x3B5A332E) free started, state embryonic
IPSEC DEBUG: Inbound SA (SPI 0x3B5A332E) state change from embryonic to dead
IPSEC DEBUG: Inbound SA (SPI 0x3B5A332E) free completed
IPSEC DEBUG: Inbound SA (SPI 0x3B5A332E) destroy completed

[/box]

Solution

Google that error and you get some posts about NAT that were not applicable to me. I took a look on the Fortigate and the only clue there was:

[box]

Forti-FW # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Tunnel-To-SiteB ver=2 serial=1 192.168.100.100:0->192.168.100.111:0 dst_mtu=1500
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=0 overlay_id=0

proxyid_num=1 child_num=0 refcnt=14 ilast=1 olast=782 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=Tunnel-To-SiteB proto=0 sa=0 ref=1 serial=2
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:172.16.1.0/255.255.255.0:0
run_tally=1

[/box]

There’s not much I can discern from that either:

sa=0 There is a mismatch between selectors (or no traffic is being initiated).
sa=1 IPsec SA is matching and there is traffic between the selectors.
sa=2 Only seen during IPsec SA rekey

So I went back to basics and checked the Phase 2 on BOTH, firstly the Fortigate:

For the uninitiated: GCM ciphers are authenticated encryption, so they DON’T require a separate hashing algorithm (that’s why you can’t see SHA or MD5 on there); those options disappear when a GCM protocol is selected.

Then on the Cisco ASA:

[box]

Cisco-ASA(config-ipsec-proposal)# show run crypto ipsec
crypto ipsec ikev2 ipsec-proposal FORTIGATE
 protocol esp encryption aes-gmac-256
 protocol esp integrity null <--Note: This can say anything it gets ignored!

[/box]

Or if you prefer the ASDM:

THE ANSWER IS STARING YOU/ME IN THE FACE. I just didn’t realise it yet. I changed the phase 2 protocols to DES/MD5 and the tunnel came up, then I walked up through the protocols and options and discovered what I’d done wrong.

Root Cause: The ASA is set to use AES-GMAC-256, and that’s a DIFFERENT PROTOCOL to the AES256GCM configured on the Fortigate! (AES-GMAC is the authentication-only variant: it integrity-protects the ESP payload but does not encrypt it, whereas AES-GCM both encrypts and authenticates.) The ASA should be set to AES-GCM-256! (So the Phase 2 proposals didn’t match.)

[box]

Cisco-ASA(config)# crypto ipsec ikev2 ipsec-proposal FORTIGATE
Cisco-ASA(config-ipsec-proposal)# protocol esp encryption aes-gcm-256
WARNING: GCM\GMAC are authenticated encryption algorithms.esp integrity config is ignored

[/box]

Or, via ASDM (from the same location as above):

Problem solved!

Related Articles, References, Credits, or External Links

NA

OVA / OVF Deployment Gets Stuck ‘Validating’

KB ID 0001664

Problem

I had this problem (on vSphere 6.7) the other day when trying to deploy some OVA files on my test network.

Solution

Well, as stated elsewhere, I tried reconnecting to my vCenter using its FQDN; this didn’t solve the problem, and using Flash or HTML5 didn’t cure the problem either. What did cure the problem was using a different browser! I switched from IE to Chrome and it worked fine.

Update: I also cured this problem by using Microsoft Edge (the new Chromium based one).

Related Articles, References, Credits, or External Links

VMware vSphere – How to Import and Export OVF and OVA Files

VMware: Export a VM to OVA With PowerCLI

VMware: ISO Upload or Deploy OVA Fails ‘Undetermined Reason’

Gpupdate: Windows Could Not Locate the Directory Object

KB ID 0001625

Problem

Saw this on a Windows client on my test network:

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not locate the directory object OU=Top-Level,OU=computers,DC=PeteNetLive,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Note: You may also see Event ID 1101

Event ID 1101

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1101
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: PNL-PROD-WIN10.pnl.com
Description:
The processing of Group Policy failed. Windows could not locate the directory object OU=PNL,DC=pnl,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

Solution

Strangely, the OU that this computer was in needed to have the ‘Read‘ right granted to the ‘Authenticated Users’ group; not sure how that got removed! Note: Remember to start at the OU that’s directly on the root of the domain, if you have nested OUs.

After that everything was peachy!
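To check every OU on the path of the DN quoted in the error (root-most OU first, as the note above says) and put the Read right back where it is missing, here is an added PowerShell example that is not from the original article. It assumes the ActiveDirectory module (RSAT) is installed, and the DN is the one from the first error message above; substitute your own.

```powershell
# Added example: audit (and optionally restore) 'Authenticated Users: Read' on
# every OU in the DN from the error, root-most OU first. Needs the ActiveDirectory
# module (RSAT), which provides the AD: drive. Assumed DN below; substitute yours.
Import-Module ActiveDirectory

$FailedDn = 'OU=Top-Level,OU=computers,DC=PeteNetLive,DC=com'
$Fix      = $false     # $true to add the missing right (this object only)
$AuthSid  = 'S-1-5-11' # well-known SID of 'Authenticated Users'
$ReadMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Split the DN into RDNs (no escaped commas expected), then rebuild one DN per
# OU level so that 'OU=computers,DC=...' is checked before 'OU=Top-Level,...'.
$parts   = $FailedDn -split ','
$domain  = ($parts | Where-Object { $_ -like 'DC=*' }) -join ','
$ouParts = @($parts | Where-Object { $_ -like 'OU=*' })
[array]::Reverse($ouParts)
$chain = for ($i = 0; $i -lt $ouParts.Count; $i++) {
    (@($ouParts[$i..0]) -join ',') + ',' + $domain
}

foreach ($dn in $chain) {
    $acl = Get-Acl -Path "AD:\$dn"
    # An 'Allow' ACE for S-1-5-11 that carries the whole GenericRead mask.
    $hasRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $AuthSid -and
        ($_.ActiveDirectoryRights -band $ReadMask) -eq $ReadMask
    }
    if ($hasRead) { "OK       $dn"; continue }
    "MISSING  $dn"
    if ($Fix) {
        $identity = New-Object System.Security.Principal.SecurityIdentifier $AuthSid
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $identity, $ReadMask,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
        "FIXED    $dn"
    }
}
```

Run it once with $Fix left at $false to see which level lost the right, then again with $Fix = $true; the client should process policy on its next gpupdate.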

Related Articles, References, Credits, or External Links

NA

HP iLO Upgrade Stops at 99%

KB ID 0001553

Problem

While trying to update an iLO on a blade server yesterday (from 2.07 to 2.33), I uploaded the file, it got to 99%, then after a while it recycled and repeated the process all over again, and kept going.

Solution

Well, I was on a 2016 Server using IE 11, and the iLO2 is VERY OLD, so I’m guessing it’s a browser problem. I reconnected to the iLO using Firefox, and it worked perfectly. (Note: If using a Blade Center, connect to that using Firefox, then open the iLO page from there; you may need to restart the browser before it ‘autofills‘ the username and password for you.)

Related Articles, References, Credits, or External Links

NA

VMware – Datastore Browser shows “Searching Datastore….”

KB ID 0000401 

Problem

I did a VMware VI3 to vSphere (4.1 U1) upgrade today. While bringing all the guest machines across, suddenly I could no longer browse the datastore, I only had one more guest to “Add to the inventory”, and all the mission critical machines were already migrated. I tried rebooting the virtual center, I tried restarting the ESXi host machines, still it sat saying “Searching Datastore……”.

Solution

1. I found the solution by accident. I was adding virtual machines to the new vSphere inventory, so I went in search of a method of doing it from the console; I was just about to run the following:

Command to add a VMware guest to the inventory

[box]vmware-cmd -s register {full path to virtual machine}MACHINE_NAME.vmx[/box]

But, while looking in the folder with the guest files, I saw thousands of log files; I guess the VI client is struggling to parse them all and display them. A quick internet search and I found out I can safely delete the log files.

2. Log into the ESX/ESXi server’s console; for ESXi servers (version 4.0 and below) see here, for newer versions you can simply enable SSH access from Troubleshooting Mode Options > Enable Remote Tech Support (SSH).

3. Log on as root and issue the following command to find the symlink path to your shared storage:

[box]ls -l /vmfs/volumes/[/box]

4. Now you know your symlink, you can change to the folder that contains the affected guest OS.

[box]cd /vmfs/volumes/{your symlink}/{your vm folder}[/box]

5. To get rid of all the log files, simply issue the following command.

[box]rm -f vmware-*.log[/box]

6. Now retry and you should see the folder contents when you “Browse Datastore”.

Related Articles, References, Credits, or External Links

NA

Windows Server – DHCP Service Starts then Stops again

KB ID 0000617 

Problem

Saw this last week on an SBS 2011 Server. When attempting to get the DHCP service running, it spun up then stopped straight away.

Solution

A quick look in Event Viewer showed me what the problem was:

Event ID 1054

The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons

Fair enough, let’s see the previous error on the same server:

Event ID 1053

The DHCP/BINL service has encountered another server on this network with IP Address, (IPv4 or IPv6 address), belonging to the domain

In this example the offending IP (192.168.87.254) was a Cisco PIX 501 firewall that was running a DHCP server. Thankfully my main job that day was to replace the firewall, so when I put in a new ASA I didn’t have the DHCPD service running.

If you see this elsewhere you will need to locate the offending IP and disable DHCP on it.


Related Articles, References, Credits, or External Links

NA

Deploy ODBC Settings via Group Policy

KB ID 0000805 

Problem

I’ve briefly mentioned this before when I wrote about Group Policy Preferences, so when I had to do this on-site this week, I jumped straight into the Group Policy Management Console and found that, because my ODBC connection was using SQL authentication (with the SQL sa account), this would NOT WORK (it only works with Windows authentication, and even then it needs a tweak). If you are using SQL authentication, jump down to the bottom of the article.

Solution

NOTE: Below I’m dealing with user DSN ODBC connections, so I’m looking at User Policies, if you want to send out Machine DSN ODBC connections then you need to be looking at Computer Policies.

Deploy ODBC Settings via Group Policy Preferences (Windows Authentication)

The GPP is pretty easy to locate; you will find it in:

[box]

User Configuration > Preferences > Control Panel Settings > Data Sources

OR

Computer Configuration > Preferences > Control Panel Settings > Data Sources

[/box]

However, you will find there is a bug in the system which means it does not deploy.

ODBC Settings fail to Deploy via GPO

1. Locate the ODBC connection that you are trying to deploy > right click > Copy.

2. Right click your desktop and ‘paste’ > You will get an XML file > Open it with notepad > Delete the username and the cpassword information > Save the file.

3. Then delete the original ODBC file from your group policy.

4. Drag the XML file into the policy, in its place > Select ‘Yes’ to import it.

WARNING: Do not open its settings/properties from this point forward, or it will break again.
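Step 2 can be scripted, which also makes sure neither the account name nor the cpassword value goes back into a policy file that sits in SYSVOL, where every domain member can read it. This is an added PowerShell example, not from the original article; it assumes the pasted file lives at $XmlPath, and the sample it writes there is a constructed stand-in with placeholder GUID and password values, not a real export.

```powershell
# Added example: strip the username and cpassword attributes from a GPP
# DataSources XML before re-importing it (step 2 above), and report what went.
$XmlPath = Join-Path $env:TEMP 'DataSources.xml'   # assumed location of the pasted file

# Constructed sample standing in for the real pasted file (placeholder values).
@'
<?xml version="1.0" encoding="utf-8"?>
<DataSources clsid="{PLACEHOLDER-CLSID}">
  <DataSource clsid="{PLACEHOLDER-CLSID}" name="SalesDB" status="SalesDB" image="2" uid="{PLACEHOLDER-UID}">
    <Properties action="U" userDSN="1" dsn="SalesDB" driver="SQL Server" description=""
                username="CORP\svc-odbc" cpassword="PLACEHOLDER-CPASSWORD">
      <Attributes>
        <Attribute name="Server" value="sql01.corp.example"/>
        <Attribute name="Database" value="Sales"/>
      </Attributes>
    </Properties>
  </DataSource>
</DataSources>
'@ | Set-Content -Path $XmlPath -Encoding UTF8

# Load the file as XML, drop the two credential attributes from every data
# source's Properties element, and write it back in place.
[xml]$doc = Get-Content -Path $XmlPath -Raw
$removed = @()
foreach ($props in $doc.SelectNodes('//DataSource/Properties')) {
    $dsn = $props.GetAttribute('dsn')
    foreach ($name in 'username', 'cpassword') {
        if ($props.HasAttribute($name)) {
            $props.RemoveAttribute($name)
            $removed += "$dsn/$name"
        }
    }
}
$doc.Save($XmlPath)
"Removed: $($removed -join ', ')"
"Now drag $XmlPath into the Data Sources policy and choose 'Yes' to import it."
```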

Getting ODBC Settings from a Clients Registry

1. You may wish to locate and extract the ODBC settings from a working client: you can locate the settings in a working client machine’s registry and simply export them, so you can import them on a target machine, or deploy them via GPP or logon script.

[box]

User DSN's
Computer>HKEY_CURRENT_USER>Software>ODBC>ODBC.INI
Machine DSN's 
Computer>HKEY_LOCAL_MACHINE>Software>ODBC>ODBC.INI

[/box]

2. Simply right click the key that corresponds to the ‘name’ of the ODBC connector that you wish to export > Export > Save.

Deploy ODBC Settings via Group Policy Preferences (SQL Authentication)

In this example I’ve merged the ODBC connection details into the registry, you could just as easily set them up manually, as long as they exist, either on the machine you are creating the policy on, or another machine you have ‘remote registry’ rights to.

1. Create or edit a group policy and navigate to:

[box]User Configuration > Preferences > Windows Settings > Registry > Collection[/box]

Select New > Registry Wizard.

2. Select where you want to collect the registry information from > Next.

3. Navigate to:

[box]

User DSN's
Computer>HKEY_CURRENT_USER>Software>ODBC>ODBC.INI
Machine DSN's 
Computer>HKEY_LOCAL_MACHINE>Software>ODBC>ODBC.INI

[/box]

Select the ODBC name that corresponds to the one you want to collect, then select all the settings within that key > Finish.

4. The finished GPP should look like this > Close the policy editor.


Related Articles, References, Credits, or External Links

NA