I needed to get a list of operating systems ‘in-use’ in my Active Directory this week. Bear in mind this will pull information from all enabled computer accounts in AD, so if you are ‘not good’ at tidying out old machines and servers you might get a lot of garbage in your output!
Seen when attempting to deploy Windows Server 2016 as an ‘Image’ (Parent VM) with VMware Horizon View.
‘VM With Unsupported Guest OS’
I double checked, and Server 2016 (Standard and DataCenter) were supported, as was Server 2019 (Standard and DataCenter). The image also had a new version of the VMware Horizon View agent installed in it.
Solution
In my case this was an embarrassingly easy fix, previously I’d deployed Windows 7, 8, and 10 with Horizon View, this was the first time I’d ever deployed a server OS as a VDI image, (With Windows Server Datacenter, this works out cheaper, licensing wise).
By default, VMware Horizon View does not allow server operating systems (even though they are supported). You just need to enable the feature! Launch Horizon Administrator, then go to View Configuration > Global Settings > Edit > tick ‘Enable Windows Server Desktops’ > OK.
Doh! That cost me two hours, (hope it saved you some time).
Related Articles, References, Credits, or External Links
After recently picking up some second hand ASA5512-X firewalls, I went to run them up, and make sure they were ok, however on boot up they went straight to ROMMON like so;
[box]
Use ? for help.
rommon #0>
[/box]
Now I know what ROMMON is: it’s the base operating system of the device, and its job is a bit like the BIOS on a PC; it locates and loads the operating system. The only times you should ever see a rommon prompt are:
If you ‘force’ a device into rommon mode as it boots.
The device’s config register is incorrectly set.
The operating system is missing/corrupt.
The flash memory of the device is broken (or needs reformatting).
Chances are, the firm who ‘re-sold’ them simply did some password recovery, and forgot to set the config register back again.
Solution
I’ve recovered enough passwords and booted from the network enough times to know that if the OS is present on the device, I can load it manually with the ‘boot’ command.
Once loaded up and logged in, let’s have a look at the config register (it should look like 0x1).
[box]
ciscoasa# show ver | incl register
Configuration register is 0x40 << Aha!!
ciscoasa#
[/box]
The easiest way to rectify this is to delete the config register, and it will then reset to the default.
[box]
ciscoasa# configure terminal
ciscoasa(config)# no config-register
ciscoasa(config)# exit
ciscoasa#
ciscoasa# show ver | incl register
Configuration register is 0x40 (will be 0x1 at next reload)
ciscoasa#
[/box]
Reload/reboot the firewall and if it boots properly, then you know you have rectified the problem, but you can re-check.
[box]
ciscoasa# show ver | incl register
Configuration register is 0x1 << Boom!
ciscoasa#
[/box]
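A fleet-wide check for the condition described above, as an added example that is not part of the original article: it parses captured `show ver | incl register` output and flags any unit whose configuration register is not the default 0x1, or will not be after the next reload. The hostnames and captured lines are constructed for illustration.

```python
import re

# Matches the line printed by "show ver | incl register" on an ASA,
# including the optional pending value shown after "no config-register".
REGISTER_RE = re.compile(
    r"Configuration register is (0x[0-9a-fA-F]+)"
    r"(?:\s*\(will be (0x[0-9a-fA-F]+) at next reload\))?"
)

DEFAULT_REGISTER = 0x1  # the value the article expects on a healthy unit


def check_register(show_output):
    """Classify one capture: ok, pending-reload, non-default or unknown."""
    match = REGISTER_RE.search(show_output)
    if match is None:
        return "unknown"  # no register line in the capture at all
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else None
    if current == DEFAULT_REGISTER and pending in (None, DEFAULT_REGISTER):
        return "ok"
    if pending == DEFAULT_REGISTER:
        return "pending-reload"  # fixed in config, but not yet rebooted
    # Either the running value is wrong, or a wrong value is queued for reload.
    return "non-default"


def audit(captures):
    """Map hostname -> status for a dict of hostname -> captured CLI text."""
    return {host: check_register(text) for host, text in captures.items()}


# Constructed sample captures (hostnames are hypothetical).
SAMPLE = {
    "fw-a": "ciscoasa# show ver | incl register\nConfiguration register is 0x40\n",
    "fw-b": "Configuration register is 0x40 (will be 0x1 at next reload)\n",
    "fw-c": "Configuration register is 0x1\n",
    "fw-d": "ciscoasa# show ver | incl register\nciscoasa#\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```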
Related Articles, References, Credits, or External Links
2. The more observant of you will have noticed that it has already shown you the OS version above, but in case there is any doubt.
[box] root@FW-02# show version
## Last changed: 2014-08-26 21:15:09 GMT
version 12.1X44-D30.4;
[edit]
root@FW-02# exit[/box]
3. I’ve always got 3CDaemon on my laptop so I’ll copy the update file over via FTP to the /var/tmp folder. (Note: We’re not at CLI or configure mode!)
[box]root@FW-02% ftp 10.5.0.2
Connected to 10.5.0.2.
220 3Com 3CDaemon FTP Server Version 2.0
Name (10.5.0.2:root): PeteLong
331 User name ok, need password
Password:********
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /var/tmp
Local directory now /cf/var/tmp
ftp> bin
200 Type set to I.
ftp> get junos-srxsme-12.1X47-D10.4-domestic.tgz
local: junos-srxsme-12.1X47-D10.4-domestic.tgz remote: junos-srxsme-12.1X47-D10.
4-domestic.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 158 MB 00:00 ETA
226 Closing data connection; File transfer successful.
166060642 bytes
received in 64.50 seconds (2.46 MB/s)
ftp> bye
221 Service closing control connection
root@FW-02%[/box]
4. Now perform the upgrade.
[box] root@FW-02% cli
root@FW-02> request system software add no-copy /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz
NOTICE: Validating configuration against junos-srxsme-12.1X47-D10.4-domestic.tgz
.
NOTICE: Use the ‘no-validate’ option to skip this if desired.
Formatting alternate root (/dev/da0s2a)…
/dev/da0s2a: 627.4MB (1284940 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 156.86MB, 10039 blks, 20096 inodes.
super-block backups (for fsck -b #) at:
32, 321280, 642528, 963776
Extracting /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz …
Checking compatibility with configuration
Initializing…
Verified manifest signed by PackageProduction_12_1_0
Verified junos-12.1X44-D30.4-domestic signed by PackageProduction_12_1_0
Using junos-12.1X47-D10.4-domestic from /altroot/cf/packages/install-tmp/junos-1
2.1X47-D10.4-domestic
Copying package …
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Usage: license-check -f “<features>” -m -p -q -M -u -U -V
Validation succeeded
Installing package ‘/altroot/cf/packages/install-tmp/junos-12.1X47-D10.4-domesti
c’ …
Verified junos-boot-srxsme-12.1X47-D10.4.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X47-D10.4-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X47-D10.4 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the ‘request system reboot’ command
WARNING: when software installation is complete
Saving state for rollback …
root@FW-02> [/box]
5. Then reboot the firewall.
[box]
root@FW-02> request system reboot
Reboot the system ? [yes,no] (no) yes
Shutdown NOW!
[pid 2749]
root@FW-02>
*** FINAL System shutdown message from root@FW-02 ***
System going down IMMEDIATELY
[/box]
6. Post reboot, check the version again.
[box]
login: root
Password: ********
--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC
[/box]
With modern Cisco ASA firewalls a show flash (or show disk0) command will give you a descriptive list of what is stored in NVRAM. With an older version 6 firewall the result is a little more confusing.
Solution
If you connect to the PIX and view the contents of the flash, you will see something like this;
[box]
Sent username “pix”
Type help or ‘?’ for a list of available commands.
[/box]
file 0: This is the operating system file, it will have a .bin extension (e.g. 6.3(5) is pix635.bin, which is the version you can see here).
file 1: This is the firewall’s config file, you can view it with a “show config” command. It is the config that gets loaded into memory and becomes the running config when the firewall boots.
Note: If you issue a “write erase” command this file will be removed. WARNING: Doing this will cause the firewall to revert to factory settings when it reloads (reboots).
file 2: This datafile stores the firewall’s IPSec key and certificate information.
file 3: This is the firewall’s PDM image file, it will have a .bin extension (e.g. 3.0(4) is pdm-304.bin, which is the version you can see here).
Note: There is no command to remove JUST this file, but if you TFTP in a new PDM image then pull the plug “mid-transfer”, the PIX will time out and delete its local PDM image from flash.
file 4: Crash-dump file.
file 5: File system record file.
Related Articles, References, Credits, or External Links
With all the command changes that have come in over the past few versions, it seems when I get asked ‘how do you do xyz?’ my first question is ‘What is the OS version on your ASA?’
So next time I get a blank look, I can just point them here.
Upgrading the operating system on the CSC module is pretty straightforward. As long as you have a valid support agreement for your hardware and a CCO account, you can download the updates straight from Cisco (here).
Solution
WARNING: It’s rare that you can update straight to the latest version, by all means try, and the CSC module will simply error if it will not accept the version you are trying to update to.
WARNING 2: This may involve some downtime, especially if your CSC module is configured to fail-closed, you may wish to set it to fail-open during the upgrade to minimise disruption. Unless you have a dual failover firewall solution, in which case scroll down.
You can do this via command line if you wish, but it’s a lot simpler to do via the web console. You will need to download your updated software (with the .pkg extension NOT the .bin extension).
Once downloaded, log into the web portal of the CSC module https://{IP-Address}:8443 > Administration > Product Upgrade > Browse > Locate your update > Upload > Go and have a coffee, it will take a while.
Upgrading CSC Modules in a Failover Pair
If you have firewalls deployed in failover, then you will have two CSC modules to upgrade.
1. Just for ease I’m showing the command line and the web console view. Start by upgrading the CSC module in the Secondary Standby firewall, here I’m upgrading 6.3.1172.0 to 6.3.1172.4.
2. Now I take the same module to 6.6.1125.0.
3. Once I know the system has updated and is back online, I jump onto the Primary Active firewall and force a failover to the Secondary Standby firewall.
Check module status with;
[box]
show module 1 detail
[/box]
To force failover, on the Primary Active firewall;
[box]
configure terminal
no failover active
[/box]
4. Note: At this point the screen looks the same as above, but ‘physically’ the firewalls have swapped over, the Primary is now Standby and can be updated. Below I’m upgrading from 6.2.1599.0 to 6.2.1599.6.
5. Now we can see both modules are running the latest (at time of writing), product version.
6. Now to fail back simply issue the following command on the Secondary Active firewall;
[box]
configure terminal
no failover active
[/box]
7. You can also check the versions match with the following command;
[box]
show failover
[/box]
Related Articles, References, Credits, or External Links
I had to update a Cisco PIX 515E last week. Cisco 500 firewalls are a bit thin on the ground these days, and most of my corporate clients have replaced them with Cisco ASA 5500 firewalls. So as these units are now getting retired, or moved to the test bench, or sold on eBay, I thought I’d document probably the last one I did for posterity, and to help anyone else out.
Note: Cisco 506E and 501 firewalls cannot be updated past version 6.3(5) see here.
Solution
Related Articles, References, Credits, or External Links
Before upgrading/updating the ASA to version 8.3 (or higher), check to see if you have the correct amount of RAM in the firewall (the “show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.
Be aware, if you are upgrading to an OS of 8.4(2) or newer you can no longer access the device via SSH when using the default username of “pix”. You need to enable AAA authentication for SSH. Do this before you reboot/reload the firewall or you may lock yourself out.
8. You may find that there is not enough room in flash memory, if so you will see this error. (if it does not error skip to step 11).
9. If you are stuck for room you can delete some items from your flash memory > Tools > File Management.
10. Here you can see I’m deleting an old version of the ASDM. Note you could delete the live version of the ASDM and operating system if you had no choice (THOUGH DON’T REBOOT THE FIREWALL until the new ones have uploaded, or you will be loading the files in from ROMMON mode!)
11. Once all the files have been downloaded to your location, they will be uploaded to the firewalls flash memory.
12. Next.
13. Finish.
Note: What happens now is the following commands are issued in the background automatically (the version numbers may be different in your case).
[box]
asdm image disk0:/asdm-649.bin
no boot system disk0:/asa843-k8.bin
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa843-k8.bin
[/box]
14. After the firewall reboots, it should come back up with the new OS and ASDM version.
Related Articles, References, Credits, or External Links