Zerto Hyper-V to VMware

Zerto Hyper-V to VMware KB ID 0001805

Problem

I’ve known this was possible for a while. I tried to set it up a while ago, but had a nightmare installing SCVMM, so I threw my toys out of the pram and did something else. After a chat with a colleague the other week, we have a client who needs to do this (we are migrating them from Hyper-V into VMware).

So I thought I’d revisit the subject, and this time everything went swimmingly.

Zerto Hyper-V to VMware Pre Requisites 

SCVMM

I work A LOT less with Hyper-V than I do with vSphere, but for Zerto to talk to a Hyper-V environment it needs SCVMM. This can be added to either a standalone Hyper-V host or a Hyper-V cluster. For the VMware techs, try to think of it like vCenter for Hyper-V (only more clunky).

The most annoying part of SCVMM is installing it: it will go to the end of the install, then casually inform you that you are missing something it needs, and this will happen multiple times if you don’t get your ducks in a row. I installed SQL Server (Standard) beforehand. It will also need the SQL Server Command Line Utilities (downloaded separately from SQL Server) and the Windows Assessment and Deployment Kit; from the 2019 ADK onwards they’ve removed the Windows Preinstallation Environment features and made them a separate ‘Add-on’. You may also need some ODBC drivers. (If only Microsoft had put all these requirements on the install media!)

Once that’s done, adding your Hyper-V environment is pretty easy.

Note: You don’t have to change the way you manage your Hyper-V environment just because you have SCVMM (in fact I’m ripping it out after this).

Zerto

I’m assuming you have Zerto set up in both the source and target environments. If you are only temporarily setting it up in the source (Hyper-V) environment and have IP connectivity to the ZVM in the VMware (target) environment, you can use your existing licence from there (or simply paste in your existing licence key).

For the uninitiated: you install Zerto on a ZVM (Zerto Virtual Manager), in my case on a Server 2019 server, then you deploy VRAs (Virtual Replication Appliances) to all your HOSTS. You can then set up sites, and replicate virtual machines between those sites using VPGs (Virtual Protection Groups). That’s saved you a week’s course!

The process is more or less identical for both Hyper-V and VMware, except one you point at SCVMM and the other at vCenter.

Zerto Hyper-V to VMware: VMware Tools Deployment

To make the operation much smoother you should install VMware Tools on the machines while they are still in Hyper-V, so that post-migration/failover they come up cleanly. Unfortunately VMware does not make this simple (as you will see in a minute). You can either go to VMware and download VMware Tools (requires a logon), or simply get them from your existing ESXi hosts.

Use either WinSCP or FileZilla and SFTP into your ESXi host (you may need to enable SSH first; turn it back off when you are done, it is off by default for a reason). You will find the windows.iso image for VMware Tools in /vmimages/tools-isoimages.

Note: there’s also a linux.iso in here, if you have ginger hair and wear AC/DC T-shirts, (despite not knowing any songs.)

Mount the ISO file somewhere and run setup64.exe (unless it’s the thirteen hundreds and you are still running 32-bit servers).

It will complain that;

The VMware Tools should only be installed inside a virtual machine

Well that’s great, are we stuck in a catch-22?

Not really. LEAVE the error message on the screen and navigate to the %TEMP% directory. Here you’ll find a folder with a big long name that looks like a GUID with ‘~setup’ on the end > Open that folder and grab these three files (copy them to your desktop). At this point you can click OK on the error message and dismiss any other VMware prompts.

Now you need to edit the MSI file and remove the environment check so you can install it. To do that, get a copy of Orca (Microsoft’s MSI table editor, it ships with the Windows SDK) and run it > Open > navigate to ‘VMware Tools64.msi’ > Open.

Tables > InstallUISequence > VM_CheckRequirements > Right click > Drop Row > OK > CLICK SAVE! > Exit Orca.

You can use the ‘doctored’ MSI file to install the tools on your Hyper-V guest VMs, or if there are A LOT you can install the MSI across all the machines with a group policy. YOU DON’T NEED TO REBOOT post install, the server will reboot during migration. One caveat: dropping that row invalidates the digital signature on the MSI, so if you use AppLocker or software restriction policies keyed on VMware’s publisher certificate you will need a hash or path rule for the edited file, and it is worth keeping the unmodified original alongside it so the change can be audited later.

What are the other TWO files for? They are just in case your machines do not have the C++ Redistributable on them. You will know if yours are missing because the VMware Tools install will stop and say;

“Service ‘VMware Alias Manager and Ticket Service’ (VGAuthService) failed to start. Verify that you have sufficient privileges to start system services”

If yours does that, that’s what those other two files are for (x86 and x64 versions as applicable).
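For anyone scripting this across many Hyper-V guests, the following is an added example (not from the original article, and not a VMware tool) that does the silent install described above and checks the bits a practitioner cares about: the signature state of the edited MSI, the C++ Redistributable prerequisite, and the two services the tools register. The share path and the redistributable file name are assumptions; the page does not name the two extra files.

```powershell
# Added example (not from the original article): stage and silently install the 'doctored'
# VMware Tools MSI on a Windows guest that is still running in Hyper-V.
# Assumed (hypothetical) paths: the Orca-edited MSI and the C++ redistributable copied from
# the %TEMP% ~setup folder to a file share.
param(
    [string]$ToolsMsi    = '\\fileserver\installs\VMwareTools\VMware Tools64.msi',
    [string]$VcRedistExe = '\\fileserver\installs\VMwareTools\vc_redist.x64.exe',  # file name is an assumption
    [string]$LogDir      = 'C:\Windows\Temp'
)

# 1. Dropping the VM_CheckRequirements row changes the file, so its Authenticode signature no
#    longer validates. Record that fact: anything other than 'Valid' is expected here, and any
#    AppLocker / SRP publisher rule that trusted the original will not match this file.
$sig = Get-AuthenticodeSignature -FilePath $ToolsMsi
Write-Host "Signature status of '$ToolsMsi': $($sig.Status)"

# 2. Install the C++ redistributable first; without it VGAuthService cannot start, which is the
#    'VMware Alias Manager and Ticket Service failed to start' failure described above.
if (Test-Path $VcRedistExe) {
    $p = Start-Process -FilePath $VcRedistExe -ArgumentList '/install', '/quiet', '/norestart' -Wait -PassThru
    Write-Host "vc_redist exit code: $($p.ExitCode)"   # 0 = installed, 3010 = installed, reboot pending
}

# 3. Silent install of the tools, verbose log, no reboot (Zerto reboots the VM during failover).
$log     = Join-Path $LogDir 'vmtools-install.log'
$msiArgs = @('/i', "`"$ToolsMsi`"", '/qn', '/norestart', '/L*v', "`"$log`"")
$p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
Write-Host "msiexec exit code: $($p.ExitCode) (0 or 3010 is success, details in $log)"

# 4. Confirm the services were registered. On a Hyper-V guest they may sit 'Stopped'; they come
#    up once the VM first boots on ESXi.
Get-Service -Name 'VGAuthService', 'VMTools' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Run it under an account that is a local administrator on the guest (or push it as a computer startup script from the same GPO you would use for the MSI); the msiexec log is the first place to look if the exit code is anything other than 0 or 3010.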

Zerto Hyper-V to VMware Site Pairing

It does not really matter which way round you do this (as you will see in a minute). On one of your ZVMs > Sites > Generate Pairing Token > Copy, then take that to the OTHER ZVM.

Sites > Pair > Give the ZVM the IP of the Other ZVM > Paste in the pairing token > Pair.

Time to go and get a coffee, after a while you should see something like this.

Zerto Hyper-V to VMware VPG Setup

I’m doing this at the Hyper-V (source) end > VPG > Add > Give the VPG a name and priority > Next.

Add in the source VM(s) > Next.

I’m sticking with the defaults (thin provisioned target) > Next.

Select the target site > I’m manually adding the host and datastore at the other end (you can select a cluster instead and let VMware decide) > Next.

We are migrating to the production network at the other side. If I wanted to do test failovers I could add a test network, but here there’s no point so I’ve set them the same > Recovery Folder is the folder in VMware (I spent a good sixty seconds staring at that!) > Next.

Here we are actually on the same network, but in real life you may need to re-IP the server when it’s moved/failed over, so to replicate that I’ve added a static IP we can check post migration. Select the NIC > Edit Selected > Change accordingly > Save > Next.

Note: Hey Zerto, I’d have preferred a ‘wildcard octet option‘ i.e. 192.168.X.{number} to 192.168.Y.{number} like Veeam does!

We don’t need to offload backups to long term retention > Next.

Take a quick look at the summary > Done.

Depending on network connectivity and speed, it might take a while, but you are waiting until it says “Meeting SLA”.

Zerto Hyper-V to VMware Move (Failover)

I’m using failover rather than move > Live > Select the VPG > Select the server(s) > Next.

I want my source server to shutdown > Next.

Failover Start.

Here we are moving a VM from A to B; if it were to fail or there was a problem I’ve still got the original VM in Hyper-V that I can power back on, so I’m not too concerned > Start Failover.

Pretty quickly there’s a flurry of activity in VMware and the new VM is powering up, (it will reboot a couple of times).

Notice I’m connecting with the VMware remote console now; let’s check that IP and make sure we’ve got internet connectivity.

 

Related Articles, References, Credits, or External Links

Kudos to Dave Williams for sorting me a Zerto NFR License

Exchange 2000 / 2003 – Exporting Mail to .pst files with ExMerge

KB ID 0000091

Problem

ExMerge has been around for a long time; it’s used (as the name implies) to merge .pst files into existing mailboxes. However it’s also a great tool to export/back up users’ mailboxes if you’re doing a migration, or if you have got your “Disaster Recovery” hat on.

The following is a run through of how to export from a mail store to .pst files. Note: on a live system this can take some time; the example below was done in VMware on a test Exchange box that had 1000 users (as it was a test server the mailboxes were tiny). If you need to do this on a production server, plan in a LOT of time if you’re moving a large amount of data.

Solution

 

Note: I’ve mentioned it in the video, but just to reiterate, your mailboxes need to be smaller than 2GB. If that cannot be achieved, you can either;

1. Use ExMerge and export particular “date ranges” to produce multiple .pst files for the same mailbox (hopefully each less than 2GB).

2. Use Outlook 2007 (or greater) to export the mailbox to .pst files individually.

Related Articles, References, Credits, or External Links

Download ExMerge 

Exchange 2010 Bulk Import .pst Files

Exchange 2007 – Export Mailbox’s to PST files

Migrate From Server 2012 to Server 2019 Domain Controllers

Server 2012 DC to Server 2019 DC KB ID 0001731

Problem

I get asked about this quite a lot. In the past most of the queries were about moving from Server 2008 to Server 2019; if that’s what you are after then simply go here. This article is purely for the introduction of, and migration to, Windows Server 2019 domain controllers, and it assumes your current domain controllers are Windows Server 2012 (or 2012 R2).

Adding a Server 2019 Domain Controller

Once you have a Windows Server 2019 box stood up and fully updated, ensure it is added to the domain as a member server. Then from Server Manager > Manage > Add roles and features.

Next > Next > Next > Next > Select “Active Directory Domain Services” > When prompted select ‘yes‘ to add the required features.

Next > Next > Next > Install > Close.

Click the ‘Warning Triangle‘ > Promote this server to a domain controller.

Next.

Enter the DSRM Password > Next.

That’s fine (if you’re worried see the link below) > Next.

Windows – A Delegation For This DNS Server Cannot Be Created

Next.

I’m accepting the default AD install locations > Next.

Next (forestprep and domainprep are all done for you now).

Next.

Install.

When complete the server will reboot.

View Server 2019 Domain Controller

You should now see the new domain controller listed in Active Directory

At this point I’m moving all the FSMO roles to the new Windows 2019 server.

Windows Server – Locating, Transferring, and Seizing FSMO Roles

Demoting the 2012 Domain Controller(s)

WARNING: Before proceeding, make sure anything on your network that may be using this server for DNS has been pointed at your new domain controllers. Don’t forget to change the DNS servers that are being distributed via DHCP (update your DHCP scope options), and change your new domain controllers to look at themselves for DNS, not the domain controller(s) you are about to demote!

Over on your 2012 domain controller > Server manager > Manage > Remove roles and features.

Next > Untick ‘Active Directory Domain Services’ > Demote this domain controller > Next.

Tick  ‘Proceed with removal‘ > Next.

Untick ‘Remove DNS delegation’ > Next.

Set a new local administrator password for this server to use after it has been demoted (as it will be a member server at that point). You can of course still log into it as the domain admin. > Next > Demote.

When complete, the server will reboot.

You can now (if you wish) raise your domain functional level. Note: check you meet all the prerequisites for doing so; personally I rarely update them until I have a specific need to.

Once you are confident all your domain controllers in the domain have replicated, you can then update the forest functional level if you wish to do so.
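The same migration done from PowerShell, as an added example that is not part of the original article: promote the 2019 box, move the FSMO roles, run the checks the WARNING above calls for, then demote the 2012 DC. The domain and server names are hypothetical, and the DHCP check only works where the DHCP role lives.

```powershell
# Added example (not from the original article): the GUI walkthrough above as PowerShell.
# Hypothetical names: domain petenetlive.com, new DC 'DC2019', old DC 'DC2012'.

### 1. On the new Server 2019 member server: add the role and promote it.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompts for the DSRM (safe mode) password and domain admin credentials, installs DNS and a
# global catalog, then reboots: the same defaults the wizard uses.
Install-ADDSDomainController -DomainName 'petenetlive.com' -InstallDns `
    -Credential (Get-Credential 'PETENETLIVE\Administrator')

### 2. After the reboot, on the new DC: move all five FSMO roles, then fix its DNS client.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2019' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Point the new DC at itself for DNS, not at the DC you are about to demote.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Set-DnsClientServerAddress -ServerAddresses '127.0.0.1'

### 3. Pre-demotion checks: nothing should still depend on DC2012.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster   # all DC2019?
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster               # all DC2019?
repadmin /replsummary                                                       # 0 fails, no stale deltas
# DHCP scope option 006 (DNS servers) must no longer hand out the old DC's IP.
# Run on the DHCP server, or add -ComputerName.
Get-DhcpServerv4Scope | Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue |
    Select-Object ScopeId, Value

### 4. On the old Server 2012 DC: demote it (leaves the DNS delegation in place, as in the wizard
###    steps) and set the local Administrator password it will use as a member server.
Uninstall-ADDSDomainController -Force `
    -Credential (Get-Credential 'PETENETLIVE\Administrator') `
    -LocalAdministratorPassword (Read-Host -AsSecureString -Prompt 'Local admin password after demotion')

### 5. Optional, once replication is clean: raise functional levels. There is no 2019 level;
###    Windows2016 is the highest and is what 2019 DCs run.
# Set-ADDomainMode -Identity petenetlive.com -DomainMode Windows2016Domain
# Set-ADForestMode -Identity petenetlive.com -ForestMode Windows2016Forest
```

The step 3 checks are the ones worth keeping in a runbook: a FSMO role or a DHCP scope still pointing at the old DC is the usual cause of the “everything broke after demotion” call.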

Related Articles, References, Credits, or External Links

NA

Duo: Migrate from LDAP to LDAPS

KB ID 0001647

Problem

With Microsoft’s impending LDAP channel binding and signing hardening (which, once enforced, blocks simple binds over cleartext LDAP to Windows Server), I wanted to make sure my new Duo deployments were already using LDAPS. I got LDAP deployed very quickly and easily, but making the ‘swap’ to LDAPS proved to be massively problematic.

Normally I find Duo a pleasure to deploy, but their technical documentation just confused me for this and I went running up some blind alleys, and eventually ended up logging a call to Duo to try to get it working. So to save you this pain, read on.

Solution

Firstly your domain controller(s) need to be setup to accept LDAPS queries, SORT THAT OUT FIRST. I’ve covered that in the following post;

Get Ready for LDAPS Channel Binding

In the following section I’ll assume you have LDAP already setup on your Duo ADSync, if this is a new deployment, and you are going straight to LDAPS, then you can ignore this next section.

Duo Existing LDAP AD Sync

It goes without saying (but I’ll say it anyway), your ADSync should already be connected if you’re switching from LDAP!

So your domain controller(s) will be using TCP port 389.

Your transport type will be set to ‘Clear’.

Duo Deploy LDAPS for ADSync

The first thing that held me up was reading the Duo documentation, and wondering what I needed to add to my authproxy.cfg file! The truth is;

YOU DON’T NEED TO ADD ANYTHING TO AUTHPROXY.CFG!!

I had a copy of mine up for reference; you ONLY need the sections that ADSync already uses, the additional section on mine was for my Cisco ASA RADIUS client.

Rights and Permissions for Duo Service Account

Note: By default the Duo service on your Duo Auth Proxy server runs under the LOCAL SYSTEM account. I had problems using this account, so I used the service account specified in the authproxy.cfg file, but there are some rights you need to assign to the account first. On the Auth Proxy server, run secpol.msc > Security Settings > Local Policies > User Rights Assignment > Log on as a service > Add User or Group > Add in your Duo service account.

 

All domain users should have the following rights already, but let’s take a ‘belt and braces’ approach! On a domain controller open ‘Active Directory Users and Computers’ > Right click your domain > Properties > Security > Advanced.

Add in the Duo service account, and grant;

  • List contents
  • Read all properties
  • Read properties

Note: They will probably already be selected.

Finally: Add the Duo service account to the LOCAL ADMINISTRATORS group on the Duo Auth Proxy server (Server Manager > Tools > Computer Management). That is more privilege than a service that only reads its config and writes its logs should need, so once it is working it is worth testing whether NTFS Modify rights on the Auth Proxy install folder are enough on your build and dropping the group membership; a compromise of this account should not hand over the whole proxy.

You can now open the services console and change the account the service runs under, to the Duo Service account, (Windows Key + R > services.msc > OK > Locate ‘Duo Authentication Proxy Service’ > Properties > Log On > Change the account to your service account and enter the password.) Then RESTART THE SERVICE.

Change Duo ADSync to LDAPS

To do this you are going to need a copy of your Root CA certificate (in PEM format). If you have Microsoft Certificate Services, make sure you export the Root CA cert in Base-64 format (if you don’t, when you open the certificate with Notepad it will look like gobbledegook!)

Open your cert with a text editor and it should look a bit like this: a Base-64 blob between a ‘-----BEGIN CERTIFICATE-----’ and an ‘-----END CERTIFICATE-----’ line. Copy that, with no additional spaces on the end, to the clipboard; you will need to paste it into the Duo Admin Panel in a minute.

In the Duo Admin Panel > Users > Directory Sync > Active Directory > ADSync > Change the port on your domain controllers to 636 (that’s LDAPS, TCP port 636, so it needs to be open on any firewalls between the Duo Auth Proxy and the domain controllers!)

Go to Transport Type > Change to LDAPS > Paste in your CA Certs PEM information into the ‘SSL CA Certs’ Section > Save Directory.

Why didn’t you tick ‘SSL Verify Hostname’? Simply because it fails when I do that; I’m assuming the common name on the LDAPS cert on my domain controllers is the hostname of the DC and not its FQDN, so I needed to leave this unticked. Be clear about what that trade-off means: with hostname verification off, the proxy will accept any certificate that chains to the CA you pasted in, whichever server presents it, so anything on the path with a certificate from that CA could sit between the proxy and your DCs. The proper fix is a DC certificate whose Subject Alternative Name contains the FQDN you configured as the host, after which the box can be ticked.

All being well it should say connected.

Troubleshooting Duo LDAPS

Duo have a tool that will check your domain controller certificates are OK: it’s called acert.exe. You can also enable debugging, or use the connectivity tool.
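Before reaching for Duo’s tools, the following added example (not from the original article, and not a Duo utility) shows what a DC actually presents on 636 from the Auth Proxy server’s point of view: subject, issuer, Subject Alternative Name, whether the configured name appears in the SAN (the thing that decides whether ‘SSL Verify Hostname’ can succeed) and whether the chain is trusted on that machine. The DC names are hypothetical.

```powershell
# Added example (not from the original article and not a Duo tool): open TLS to a DC on 636
# from the Duo Auth Proxy server and report the certificate it presents.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # use the exact host name configured in Duo
        [int]$Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    try {
        # Always-accept callback: we want to inspect the certificate even when validation would fail.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Hostname verification checks the Subject Alternative Name (OID 2.5.29.17), not the CN.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($true) } else { '' }

        # Does the issuing chain resolve against this machine's trust store?
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            DomainController = $DomainController
            TlsProtocol      = $ssl.SslProtocol
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            SubjectAltName   = $san.Trim()
            NameInSan        = ($san -match [regex]::Escape($DomainController))   # False => 'SSL Verify Hostname' will fail
            ChainTrusted     = $chainOk
            ChainStatus      = (($chain.ChainStatus | ForEach-Object Status) -join ',')
        }
        $ssl.Dispose()
    }
    finally { $tcp.Close() }
}

# Usage: run it for every DC listed under the directory's domain controllers in the Admin Panel.
'dc01.petenetlive.com', 'dc02.petenetlive.com' |
    ForEach-Object { Test-LdapsCertificate -DomainController $_ } | Format-List
```

If NameInSan comes back False while ChainTrusted is True, you have exactly the situation described above: the CA is fine, the certificate just does not name the host you configured, and re-issuing the DC certificate with the FQDN in the SAN is the fix rather than leaving hostname verification off.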

Related Articles, References, Credits, or External Links

NA

Microsoft Edge (macOS) Migrate Bookmarks from Safari

KB ID 0001641

Problem

So now there’s a version of Microsoft Edge for macOS! Normally I would not bother, but I spend a lot of time in SharePoint and Azure, so I thought, rather than my usual approach of playing ‘Browser Roulette’, I’d try Microsoft Edge and see what it was like.

My usual browser of choice is Safari, but the install wizard defaults to wanting to import bookmarks / favourites* from Chrome. (I do also have Chrome, but I don’t use it often!)

*Note: Wow! Microsoft have spelled Favourites correctly for once!

So how to get my Safari Bookmarks?

Solution

Firstly Edge needs Full Disk Access to read the bookmarks > Apple Logo > System Preferences > Security & Privacy > Privacy > Full Disk Access > ‘UNLOCK’ > Tick Microsoft Edge. (Remember that this grants Edge access to everything on the disk, not just Safari’s bookmark file, so you may want to remove it again once the import is done.)

Launch Edge > … (the ellipsis menu) > Settings > Import Browser Data > Select ‘Safari’ > Import.

So now they are there, but they look like a ‘bag of spanners’: all my neat folders have been moved into another folder called ‘Imported from Safari’.

From ‘Manage Favourites’, you can drag everything to where you want it.

Related Articles, References, Credits, or External Links

NA

Certificate Services 0xc8000202 Error

KB ID 0001639

Problem

You will see this error if you are migrating a Certificate Services server from Server 2008 (NOT Server 2008 R2) to Windows Server 2016 (or newer).

Version of log file is not compatible with the Jet version 0xc8000202 (ESE: -514 JET_errBadLogVersion)

You will also see the following events logged;

Event ID 17

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: xx/xx/xxxx xx:xx:xx
Event ID: 17
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: 2019-CA.migrate.com
Description:
Active Directory Certificate Services did not start: Unable to initialize the database connection for MIGRATE-CA. Version of log file is not compatible with Jet version 0xc8000202 (ESE: -514 JET_errBadLogVersion).

Event ID 454

Log Name: Application
Source: ESENT
Date: xx/xx/xxxx xx:xx:xx
Event ID: 454
Task Category: Logging/Recovery
Level: Error
Keywords: Classic
User: N/A
Computer: 2019-CA.migrate.com
Description:
certsrv.exe (1268,P,98) Restore0001: Database recovery/restore failed with unexpected error -514.

Event ID 640

Log Name: Application
Source: ESENT
Date: xx/xx/xxxx xx:xx:xx
Event ID: 640
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: 2019-CA.migrate.com
Description:
certsrv.exe (1268,P,98) Restore0001: Error -1919 validating header page on flush map file “C:\Windows\system32\CertLog\{CA-Name}.jfm”. The flush map file will be invalidated.
Additional information: [SignDbHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignFmHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignDbHdrFromFm:Create time:01/17/2020 22:30:48.514 Rand:248810345 Computer:] [SignFmHdrFromFm:Create time:01/17/2020 22:30:48.529 Rand:4091580707 Computer:]

Solution

OK, if you followed a good CA migration guide like mine here, then you already have a copy of the database, CA certs, private keys, and registry settings. So you are good, don’t panic.

This has happened because the source Jet database that Certificate Services used on the old 2008 server (Note: not 2008 R2) is simply too old to be upgraded straight to the one on Server 2016 or newer.

You need to spin up a 2012 R2 server, migrate Certificate Services onto that, then migrate to Server 2016 (or 2019) from there. Treat the interim server with the same care as the final one: it holds the CA’s private key for the duration, so build it clean and decommission it once the second hop is verified.

Related Articles, References, Credits, or External Links

NA

Migrating RD Web and RD Gateway Roles

KB ID 0001406

Problem

I’ve got a job coming up to deploy some Duo two factor authentication into a client’s RDS farm. To make things a bit easier for them I needed to migrate their RD Connection Broker. They had their Connection Broker, Gateway, and Web roles on one server (which is not unusual, or incorrect). It turned out that moving the Connection Broker was going to be a major task, and it would be a lot easier to move the other two roles.

Solution

Note: Before deploying make sure you have the certificate ready to import (in .PFX format with a known password). If you are confused export the one from the old server. If you’re still confused use the search button above, I’ve written that procedure up before.

Moving the Gateway and Web roles is actually pretty simple to do. The process is: add the server to the RDS farm, add the role, migrate the IIS settings. You can then repoint your firewall rules to the new server and remove the roles from the old one.

Build your new server, update it and join it to the domain.

Add the new server into the RDS deployment, (on one of the RDS farm members).

You can now (from one of the other servers in the RDS farm) deploy the new role; I’m going to deploy RD Web Access first.

Search for, select, then add the new server > Next.

Add

The new role will be deployed, (time for a coffee?).

Select  ‘Configure Certificate’.

Your newly added role will say ‘Error’ > Select it > ‘Select existing certificate’.

Browse to the certificate > Supply the password > Tick ‘Allow the certificate to be added to the Trusted Root……’ option > OK.

When the display changes to ‘Success’ > Apply > OK.

Now you can add the other RDS Server(s) into the Server Manager console on the ‘new’ RDS server.

Now to ‘migrate’ any custom IIS settings, download the Web Deploy tool, either directly from Microsoft,

Or you can deploy from the Web Platform Installer.

Then to migrate all the IIS settings issue the following commands on the source server. Run it as an account that is an administrator on both servers, and run it once with -whatif on the end first so you can see what it intends to copy before it copies it;

[box]CD "C:\Program Files (x86)\IIS\Microsoft Web Deploy V3"

msdeploy.exe -verb:sync -source:webServer,computername={Source-Server-IP} -dest:webServer,computername={Destination-Server-IP}[/box]

Repeat the process for the RD Gateway Role

Related Articles, References, Credits, or External Links

NA

Exchange Bulk Export / Import Mail Contacts

KB ID 0001349 

Problem

I had to do this today and realised it’s been so long since I did it last, I’d forgotten how to do it. Before we go further, please be clear: I’m talking about MAIL CONTACTS. These are Active Directory objects that have an email address, but DO NOT have a mailbox in your Exchange organisation, and DO NOT have an Active Directory user. I point this out because you can have MAIL USERS that have an Active Directory user object and have an external email address (i.e. a Gmail or Hotmail address) associated with the MAIL USER object.

Traditionally mail contacts are used for listing outside mail addresses in your global address list (like mail users do), but they are also used as forwarding targets.

Solution

I was exporting from Exchange 2010; from the Exchange Management Shell run the following command;

[box]Get-MailContact -ResultSize unlimited | Select DisplayName,Name,PrimarySMTPAddress | Export-Csv "c:\Contacts-Exported.csv" -NoTypeInformation[/box]

And there’s my file.

You can see my exported CSV list is in DisplayName, Name, PrimarySmtpAddress format. You will need to do some work with it in Excel to get it into Name, FirstName, LastName, ExternalEmailAddress format.

Once you have your CSV file ready, import it into the target Exchange server with the following command;

[box]Import-Csv "C:\Contacts-Exported.csv" | ForEach {New-MailContact -Name $_.Name -FirstName $_.FirstName -LastName $_.LastName -ExternalEmailAddress $_.ExternalEmailAddress -OrganizationalUnit "OU=IMPORT,DC=PNL,DC=COM"}[/box]

There’s my new contacts 🙂
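The “some work in Excel” step above is where a bulk import usually goes wrong (a blank address or a duplicated Name stops the one-liner part way through). The following is an added example, not the article’s own command, that does that reshaping in PowerShell, skips rows the import would reject, and dry-runs the import with -WhatIf first. File paths and the target OU are assumptions taken from the commands above.

```powershell
# Added example (not from the original article): turn the exported
# DisplayName,Name,PrimarySmtpAddress CSV into the Name,FirstName,LastName,ExternalEmailAddress
# layout the import one-liner expects, dropping rows that would fail.
param(
    [string]$InFile   = 'C:\Contacts-Exported.csv',
    [string]$OutFile  = 'C:\Contacts-Import.csv',
    [string]$TargetOU = 'OU=IMPORT,DC=PNL,DC=COM'   # assumption, matches the article's example
)

$rows = Import-Csv $InFile
$seen = @{}
$out  = foreach ($r in $rows) {
    # Tolerate an 'SMTP:' prefix in case the address came out of an EmailAddresses export.
    $addr = ($r.PrimarySmtpAddress -replace '^(?i)smtp:', '').Trim()
    if ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Write-Warning "Skipping '$($r.Name)': no usable address ('$($r.PrimarySmtpAddress)')"
        continue
    }
    # New-MailContact -Name must be unique in the target OU: skip duplicates rather than die mid-run.
    if ($seen.ContainsKey($r.Name)) { Write-Warning "Skipping duplicate name '$($r.Name)'"; continue }
    $seen[$r.Name] = $true

    # Best-effort split of 'First Last' into the two name fields; single-word names go to LastName.
    $parts = $r.DisplayName -split '\s+', 2
    [pscustomobject]@{
        Name                 = $r.Name
        FirstName            = if ($parts.Count -eq 2) { $parts[0] } else { '' }
        LastName             = $parts[-1]
        ExternalEmailAddress = $addr
    }
}
$out | Export-Csv $OutFile -NoTypeInformation
"$(@($out).Count) of $(@($rows).Count) contacts written to $OutFile"

# Dry run on the target Exchange server first; remove -WhatIf to create the contacts.
Import-Csv $OutFile | ForEach-Object {
    New-MailContact -Name $_.Name -FirstName $_.FirstName -LastName $_.LastName `
        -ExternalEmailAddress $_.ExternalEmailAddress -OrganizationalUnit $TargetOU -WhatIf
}
```

Review the warnings before the real run: a skipped row is a contact that will be missing from the GAL, so fix the source data rather than just accepting the count.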

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Converting IKEv1 VPN Tunnels to IKEv2

KB ID 0001196 

Problem

We’ve had IKEv2 support on Cisco ASA for a while (since version 8.4). I tend to set up site-to-site VPN tunnels at the command line, and on the rare occasions I’m using the ASDM I normally just ignore the IKEv2 settings. Like all techies, I know a way that works, so I will keep doing it that way.

What’s the difference between IKEv1 and IKEv2?

IKE version 2 is more efficient and has a smaller network overhead, because it uses fewer messages to establish secure peers. With IKEv1 you had main mode (six messages) followed by quick mode (three), nine in total, or aggressive mode (three) plus quick mode, six in total; IKEv2 has a single exchange type that brings up both the IKE SA and the first child SA in four messages (IKE_SA_INIT and IKE_AUTH, two each). With IKEv1 both ends of the tunnel needed to use the same method of authentication (usually a pre-shared key (PSK) or an RSA signature, i.e. a digital certificate), but with IKEv2 each end of the tunnel can use a different authentication method. NAT traversal is taken care of automatically, and DoS attacks are mitigated by built-in anti-replay protection and cookie support to defend against flood attacks.

 

Solution

Migrating your tunnels from IKEv1 to IKEv2 is probably the easiest job you’ve been given (it can be done with one command). But doing something and understanding what’s happening are two different things.

I usually use AES-256 and SHA for site to site VPNs so a typical config I would deploy would look like this;

[box]

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside

[/box]

Assuming both sites are OK and the tunnel is up, if we look to see what’s happening with ISAKMP we see something like this.

[box]

Petes-ASA(config)# show crypto isakmp
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 123.123.123.123
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

[/box]

You do the entire conversion with one command, ‘migrate l2l’, or if these are client-to-site VPNs you can use ‘migrate remote-access’.

[box]

Petes-ASA(config)# migrate ?

configure mode commands/options:
  l2l            Migrate IKEv1 lan-to-lan configuration to IKEv2
  overwrite      Overwrite existing IKEv2 configuration
  remote-access  Migrate IKEv1 remote-access configuration to IKEv2/SSL
  
Petes-ASA(config)# migrate l2l
Petes-ASA(config)#

[/box]

Now ensure you do the same at the other end (or ensure the other vendor supports IKEv2). BE AWARE: by default, if you configure both IKEv1 and IKEv2 the ASA will fall back to IKEv1 if it cannot negotiate IKEv2, so while the IKEv1 config is still there the tunnel can quietly come up on the old protocol without you noticing; check ‘show crypto isakmp’ rather than assuming. At this point we already have a tunnel established, so we need to ‘bounce’ the tunnel to get it to re-establish.

[box]

PetesASA(config)# clear crypto isakmp
PetesASA(config)# show cry isa
There are no IKEv1 SAs
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 87787277       123.123.123.123/500      2.2.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/7 sec
Child sa: local selector  10.0.0.0/0 - 10.0.0.255/65535
          remote selector 10.0.3.0/0 - 10.0.3.255/65535
          ESP spi in/out: 0xa5034be1/0x6c5de26e

[/box]

We are now running over IKEv2. To see how that’s changed the config, look at the differences below: the additions are the ‘crypto ikev2 policy’ and ‘crypto ikev2 enable outside’ lines, the two ‘ikev2 … authentication pre-shared-key’ lines in the tunnel-group, the whole set of ‘crypto ipsec ikev2 ipsec-proposal’ entries, and the final ‘set ikev2 ipsec-proposal’ line on the crypto map. Note that migrate generates a full set of proposals, including DES, 3DES and MD5, and leaves the original IKEv1 configuration in place.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-MD5
 protocol esp encryption aes
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-SHA
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-SHA
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-MD5
 protocol esp encryption aes-192
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
 protocol esp encryption des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-SHA
 protocol esp encryption des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-MD5
 protocol esp encryption aes-256
 protocol esp integrity md5
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
!

[/box]
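The migration leaves you with more than you asked for, so here is the clean-up I would apply once BOTH peers show IKEv2 SAs. This is an added example, not part of the article or of the ‘migrate’ output; the object and map names match the config above, and the stronger DH group and hash in step 3 are optional and only if the far end supports them.

```text
! Added example (not from the article): post-migration clean-up on the ASA.
!
! 1. Drop the weak proposals 'migrate l2l' generated (DES, 3DES, MD5). Only VPN-TRANSFORM is
!    referenced by the crypto map, so these can go without touching the live tunnel.
no crypto ipsec ikev2 ipsec-proposal ESP-DES-SHA
no crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
no crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
no crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
no crypto ipsec ikev2 ipsec-proposal ESP-AES-128-MD5
no crypto ipsec ikev2 ipsec-proposal ESP-AES-192-MD5
no crypto ipsec ikev2 ipsec-proposal ESP-AES-256-MD5
!
! 2. Remove the IKEv1 fallback so the tunnel cannot silently come up on IKEv1 again.
!    Order matters: unreference the transform set before deleting it.
no crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
no crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
no crypto ikev1 policy 10
no crypto ikev1 enable outside
!
! 3. (Optional) stronger DH group and integrity than the 'group 2 / sha' the migration kept.
crypto ikev2 policy 10
 integrity sha256
 prf sha256
 group 14
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp integrity sha-256
crypto map CRYPTO-MAP 1 set pfs group14
!
! 4. Verify: IKEv2 SA up, and nothing IKEv1 left in the running config.
! show crypto ikev2 sa
! show run crypto ikev1
```

Do step 2 last and only after the peer has been migrated as well, otherwise you have just taken the tunnel down; the whole point is that with IKEv1 gone, a failed IKEv2 negotiation shows up as a down tunnel you will notice, rather than a quiet fallback you will not.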

 

Related Articles, References, Credits, or External Links

Cisco ASA 5500 Site to Site VPN (From CLI)

VMware ESX Error “cmd addnode failed for primary node: Internal AAM error”

KB ID 0000298 

Problem

Seen in a VirtualCenter HA environment, even after selecting “Reconfigure for HA” on the ESX host.

Errors:
cmd addnode failed for the primary node: Internal AAM error – agent could not start – Unknown HA error.
Cannot complete the configuration of the HA agent on the host – See the task details for additional information. Other HA configuration error.

 

Solution

1. How you proceed depends on your infrastructure. If possible, vMotion/migrate all the guest machines on this host to your other ESX hosts. (Note: if that’s not an option you will need to shut down the guest machines.)

2. Put the offending ESX host into maintenance mode (right click it > Enter Maintenance Mode).

3. Assuming you are connected to VirtualCenter, right click the offending host and select “Remove”.

4. Then add it back to the cluster (right click the cluster and select “Add Host”).

5. HA will be reconfigured on the host as it’s added back in.

 

Related Articles, References, Credits, or External Links

NA