Set Up the VMware View 5 (and Horizon View) Event Database

KB ID 0000856

Problem

Below I’ll configure SQL 2008 R2, insofar as I will setup a new database for the View Events, create a user for that database, then finally connect the View 5 Horizon View Connection Server to that database.

Solution

1. Firstly, I’m assuming you have a SQL Server setup and ready to create database on, If you do not rather than reinvent the when follow my instructions in the article below.

Deploying VMware View 5 -Part 4 Installing and Configuring SQL 2008 R2

Note: Complete ONLY Steps 1 to 6 then return here.

2. Login to the SQL Management Studio > Databases > New Database.

3. Call it View5Events (Note: You can call it ‘Aunty Mary’s Canary’ if you want to).

4. Options section > change the recovery mode to ‘Simple’ > OK.

5. Expand Security > Logins > New Login.

6. Give the user a name i.e. view5events > Tick ‘SQL Authentication’ > Type and re-type a password > Untick ‘Enforce password policy’.

7. User Mapping tab > Tick the View5Events Database > Tick db_owner > OK > Close the SQL Management Studio.

8. Login to the Connection Server (Flash Required) > View Configuration > Event Configuration > Edit,

Database Server: The name of the Server Running SQL.
Port: 1433 (Standard SQL Port make sure it it NOT blocked by a firewall).
Database Name: View5Events
User name: view5events
Password: {You set above}
Table prefix: _vdi

9. To see if it is working > Monitoring > Events > (It may be empty for a while don’t panic).

 

Related Articles, References, Credits, or External Links

NA

Connecting to and Configuring Cisco Routers with ‘Cisco Configuration Professional’

KB ID 0000512 

Problem

It’s not often I work on Cisco routers, but as I tend to do most of the Cisco ASA Firewalls, I’m the unofficial “Cisco Guy”. Which is fine until someone wants a router or some complex switching, then I need to do some heavy duty frowning.

Last time I put in a Cisco router it was a baby Cisco 800 series (an 877W) so I assumed the 1921 ISR router I had to put in would be the same. Before I used the Cisco SDM console that’s now either depreciated or not used, and a quick look in the flash memory of the router told me there was nothing in there apart from the IOS.

Now for all your web based router needs, you use the “Cisco Configuration Professional” software, it comes in two flavours:

1. Express – this installs on the router itself and is a cut down version.

2. PC Version – the full suite of tools installs on a Windows PC (that has Java installed) Note: is does NOT need anything else installing on the router.

To download the software you will need a valid Cisco CCO login and a valid support contract (or SmartNet) for your router. (download link).

Solution

1. Using the console cable provided with your router connect a PC/Laptop to the router and access using Hyperterminal or PuTTy, (See here for details).

2. Connect an ethernet port to your LAN, we are going to configure it to get an IP from DHCP (assuming you have DHCP of course if not give is a static IP address).

3. While connected via console cable, go to enable mode, set the ether net port you connected to DHCP, then configure Telnet and SSH login, and finally allow HTTP access.

Note: If you get an error message like “IP address may not be configured on L2 Links” then assign the IP address to the VLAN (usually, but not always VLAN 1).This is seen on smaller 800 series routers, to resolve also make sure the Ethernet port is NOT shutdown like this;

[box]

interface FastEthernet0
! <<<<<<<Note: Make sure the Ethernet ports you will use are NOT in a shutdown state!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
ip address 192168.1..1 255.255.255.0 <<<Or use DHCP as appropriate

[/box]

4. So all being well, this is what you should see if you issue a “show run” command.

5. Lets make sure it got an IP address with “show ip interface”.

6. Install CCP on you PC and launch it > Select “Manage Devices” > Enter the IP, username and password you set earlier > OK.

7. If discovery fails make sure you’re cabled correctly and select “Discover”.

8. It connects over https so it’s normal to see this, just click yes.

9. You can now configure the router as required.

10. If you have the Security/Firewall IOS you can also manage that from here.

 

Related Articles, References, Credits, or External Links

Original Article Written 26/09/11

 

Cisco ASA Redundant or Backup ISP Links with VPNs

KB ID 0000544

Problem

This method provides failover to a redundant ISP link should your primary network connection go down. IT IS NOT going to load balance the traffic across both interfaces. In this example I’ve also got a VPN to a remote site and some port forwarding to contend with as well.

Where we are at the start.

Where we want to be

 

Solution

Before you go any further the ASA that will have the backup ISP line, needs a Security Plus Licence or it’s not going to work.

Setup Backup ISP Links at the Main Site

1. Log into the firewall and setup the IP address on your backup interface.

[box]

PetesASA>
PetesASA> en
Password: *******
PetesASA#
PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/3
PetesASA(config-if)# nameif backup
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 234.234.234.234 255.255.255.248
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit
PetesASA(config)#

[/box]

2. In a ‘Failed Over’ state your traffic needs to then be NATTED to the backup interface, then setup a new route for the outside interface, and finally one for the backup interface. Note: The new primary route will be “Tracked” based on an SLA we will configure in a minute.

[box]

Configure NAT for a firewall running an OS NEWER than 8.3

PetesASA(config)# object network obj_any-01
PetesASA(config-network-object)# subnet 0.0.0.0 0.0.0.0 
PetesASA(config-network-object)# nat (inside,backup) dynamic interface
Configure NAT for a firewall running an OS OLDER than 8.3

PetesASA(config)# global (backup) 1 interface
INFO: backup interface address added to PAT pool

Configure the Routes

PetesASA(config)# route outside 0.0.0.0 0.0.0.0 123.123.123.124 1 track 1
PetesASA(config)# route backup 0.0.0.0 0.0.0.0 234.234.234.235 2

[/box]

3. Now we are going to setup a new SLA that maintains connectivity to an IP address (In this case 4.2.2.2 via ICMP, then we are going to tie that SLA to “track 1”, )which you will remember is what keeps the default route on the Primary ISP), if that route fails, it swaps to the backup route.

[box]

PetesASA(config)# sla monitor 100
PetesASA(config-sla-monitor)# type echo protocol ipIcmpEcho 4.2.2.2 interface outside
PetesASA(config-sla-monitor-echo)# num-packets 3
PetesASA(config-sla-monitor-echo)# frequency 10
PetesASA(config-sla-monitor-echo)# sla monitor schedule 100 life forever start-time now
PetesASA(config)# track 1 rtr 100 reachability
PetesASA(config)#

[/box]

4. Any port forwarding getting done on the outside interface needs a mirror entry for the backup interface. and also will need matching ACL’s

[box]

PetesASA(config)# static (inside,backup) tcp interface www 10.0.0.5 www netmask 255.255.255.255
PetesASA(config)# static (inside,backup) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
PetesASA(config)# access-list backup permit tcp any interface backup eq www
PetesASA(config)# access-list backup permit tcp any interface backup eq smtp PetesASA(config)# access-group backup in interface backup

[/box]

5. Lets test it, issue a “show route” command, then disconnect your primary ISP then issue another “show route” command and it should have failed over like so;

[box]

PetesASA(config)# show route
 
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route
 
 Gateway of last resort is 123.123.123.124 to network 0.0.0.0
 
 C 234.234.234.0 255.255.255.248 is directly connected, backup
 C 123.123.123.0 255.255.255.240 is directly connected, outside
 C 10.0.0.0 255.255.255.0 is directly connected, inside
 S* 0.0.0.0 0.0.0.0 [1/0] via 123.123.123.124, outside
 PetesASA(config)#
 
 
Now Disconnect the Primary line
 
 PetesASA(config)# show route
 
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route
 
 Gateway of last resort is 234.234.234.235 to network 0.0.0.0
 
 C 234.234.234.0 255.255.255.248 is directly connected, backup
 C 10.0.0.0 255.255.255.0 is directly connected, inside
 S* 0.0.0.0 0.0.0.0 [254/0] via 234.234.234.235, backup
 PetesASA(config)#

[/box]

6. To enable this firewall to accept the existing VPN on its backup interface, you need to add the backup interface to that cryptomap (issue a show run crypto if your unsure). Then you need to enable ISAKMP on the backup Interface.

[box]

PetesASA(config)# crypto map outside_map interface backup
 PetesASA(config)# crypto isakmp enable backup

[/box]

7. Save the changes with a write mem command.

[box]

PetesASA(config)# wr mem
 Building configuration...
 Cryptochecksum: 91d190ba 2a3eb9c4 244d8c88 0da54e36
 
 10220 bytes copied in 3.740 secs (3406 bytes/sec)
 [OK]
 PetesASA(config)#

[/box]

Change the ASA at the Remote VPN Site

1. Connect to the firewall at the remote site, find the cryptomap that points to the main site (show run crypto). find the one that pointing to the IP at the main site, then add the new IP address as an alternate peer address.

[box]

RemoteSite(config)# crypto map outside_map 2 set peer 123.123.123.123 234.234.234.234

[/box]

2. Then create a tunnel group for the new backup address with the same shared secret as tunnel group to the primary IP.

[box]

RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789

[/box]

3. Save the changes with a “write mem” command.

[box]

RemoteSite(config-tunnel-ipsec)#write mem
 Building configuration...
Cryptochecksum: 7a455ca7 3b637757 cd40aa82 7f3a22d8
 
7842 bytes copied in 1.530 secs (7842 bytes/sec)
[OK]
RemoteSite(config-tunnel-ipsec)#

[/box]

To test the VPN fails over, at the remote site issue a “show cry isa” command, then get someone at the primary site to disconnect the primary ISP, wait a few seconds and then re-issue a “show cry isa” command and it should have flipped over.

[box]

Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
 
Now Disconnect the Primary line at the Main site
 
Failover-FWall# show cry isa
 
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1 IKE Peer: 234.234.234.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

[/box]

Related Articles, References, Credits, or External Links

Original article written 12/12/11

Cisco ASA 5500 – Configuring PPPoE

KB ID 0000831 

Problem

Until very recently I’d never had to configure PPPoE. Most of my clients in that sort of connection speed range have ADSL with a router provided by their ISP. A Router that connects via PPPoA usually.

Here in the UK the main ISP’s (BT and Virgin) are busy rolling out FTTC connections that terminate with a ‘modem’ that presents an RJ45 socket.

So without the need for a router, you can get the ASA to perform the authentication (supply the username and password via PPPoE) and either use a static IP address, or obtain its IP via DHCP.

Solution

1. Before you attempt to configure the connection, you will need the following from your ISP;

  • Username
  • Password
  • IP Details (If you have bought static IP’s you will need the range of IP addresses and the IP address to use as the firewalls default route (default gateway). Some ISP’s will expect you to configure DHCP and will make sure you always get the same IP.
  • Authentication method: CHAP, MSCHAP, or PAP (If your ISP acts confused when you ask, it’s probably CHAP).

2. Connect to the ASA > Go to enable mode > Go to configuration mode > Create a ‘vpdn’ group, (here I’ve called it PNL-DIALER-GROUP) > Set the authentication method, (here I’m using CHAP).

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# vpdn group PNL-DIALER-GROUP request dialout pppoe
PetesASA(config)# vpdn group PNL-DIALER-GROUP ppp authentication chap

[/box]

3. Supply your username and password. (The store-local command puts the details in a protected area of flash memory).

[box]

PetesASA(config)# vpdn group PNL-DIALER-GROUP localname username1234-fttc@ispname.net
PetesASA(config)# vpdn username username1234-fttc@ispname.net password Password12345 store-local

[/box]

4. Apply your vpdn group to the interface (or VLAN if your using an ASA5505), then configure the static IP address or DHCP;

[box]

Command for an ASA 5505 (By Default VLAN 2 will be the outside VLAN).

PetesASA(config)# Interface vlan2
PetesASA(config-if)#

Command for an ASA 5510 (or greater) (By Default Ethernet0/0 will be the outside interface).

PetesASA(config)# Ethernet0/0
PetesASA(config-if)#

The rest of the configuration is the same for all models

PetesASA(config-if)# pppoe client vpdn group PNL-DIALER-GROUP

If you have been given a static IP address and default route

PetesASA(config-if)# ip address 123.123.123.123 255.255.255.248 pppoe
PetesASA(config-if)# route outside 0.0.0.0 0.0.0.0 123.123.123.124

If you are getting you IP address via DHCP

PetesASA(config-if)# ip address pppoe setroute

[/box]

5. Save your changes.

[box]

PetesASA(config-if)# exit
PetesASA(config)# exit
PetesASA# write mem
Building configuration…
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#

[/box]

Cisco ASA Debugging PPPoE

You can use the following command/syntax to troubleshoot.

[box]

PetesASA# show ip address outside pppoe
PetesASA# [no] debug pppoe {event | error | packet}
PetesASA# show vpdn session [l2tp | pppoe] [id sess_id | packets | state | window]
PetesASA# show vpdn

[/box]

Configure PPPoE via ASDM

1. Connect to the ASDM > Configuration > Device Setup > Interfaces > Ethernet0/0 > Edit > General Tab > Use PPPoE.

2. Enter VPDN Group name username and password.

3. Set the PPP Authentication method PAP / CHAP or MSCHAP.

4. Tick store username and password in flash > IP Address and Route Settings
Apply > OK.

5. File > Save Running Configuration to flash.

Related Articles, References, Credits, or External Links

NA