Windows Client(s) not ‘appearing’ in WSUS

KB ID 0000591 

Problem

Before you start troubleshooting clients, how long have you waited? I usually set up and configure WSUS at the start of a job, then leave it alone for a few DAYS before I start worrying.

Here are the steps I usually follow to get the machines listed in the WSUS management console.

Solution

Before doing anything further, simply try running the following two PowerShell commands on the problem client, and then wait for a few hours;

[box]

# WUA search criteria (the search is what forces the client to contact the WSUS server)
$criteria = "IsInstalled=0 and Type='Software'"; $updateSession = New-Object -ComObject "Microsoft.Update.Session"; $updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates

wuauclt /reportnow

[/box]

1. Assuming you are deploying your WSUS settings by GPO, make sure the machine in question is actually trying to apply the policy; you can do this by running rsop.msc like so:

Or by running gpresult /R from the command line.

Note: If you cannot see Computer Policy / Computer Settings, i.e. you can only see user settings, then you are probably not running the command window as ‘Administrator’ (Locate cmd.exe > right click > Run as Administrator).

2. If you are enforcing by GPO, or directly via registry edit, your next step is to check that the registry entries exist. Start > In the Search/Run box type regedit {Enter}. Navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate[/box]

3. Start > In the Search/Run box type services.msc {Enter}. Locate the Windows Update service and ensure it is running.

4. Then locate the Background Intelligent Transfer Service and make sure that’s also running.

5. To make sure the client can see the WSUS website, open a browser window, and navigate to http://{name-of-the-wsus-server}/iuident.cab and make sure you can open/download the file.

6. If all the above is OK, you can try forcing a registration with the following command;

[box]wuauclt /detectnow[/box]

7. All update events are being logged; you can find the log at C:\Windows\WindowsUpdate.log. Open the file with Notepad.

8. Scroll all the way to the end, then work upwards looking for errors.

9. Sometimes if you image a machine (or clone a VM) it keeps its unique update ID. If this happens, the first machine with this ID to register gets listed, and all the rest do not. To find out if this is your problem, locate and stop the Windows Update service on an affected client.

10. Open the registry Editor and navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > WindowsUpdate[/box]

Locate and delete the SusClientId entry.

11. Restart the Windows Update service and run the following two commands:

[box]

wuauclt /resetauthorization /detectnow
wuauclt /reportnow

[/box]

Update 16/06/15

Received via Email from Patrick Mauger:

You can add an incorrect binding in IIS to the site WSUS Administration.

You need to add a binding for port 80, because the only ports configured are 8530 and 8531.

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure (2008 R2)

WSUS Install Error – ‘The update could not be found. There may be a network connection issue.

Message ID 6600: sms wsus configuration manager failed to configure upstream server

WSUS Install Error on Windows Server 2008 R2

Cisco – LDAP AAA Error ‘AAA Server has been removed’

KB ID 0001271 

Problem

Seen while attempting to test AAA authentication via LDAP to a Windows domain Controller.

Authentication test to host {IP-Address} failed. Following error occurred – 

ERROR: Authentication Server not responding: AAA Server has been removed

Solution

This is a terribly ambiguous error! What it means is that the ASA cannot bind to active directory, either because;

  • The ASA bind account password is wrong.
  • The ASA bind username, (or path to the user object) is wrong.
  • You have set the LDAP server group to use LDAPS (port 636) and the server specified as an LDAP host is not authenticating via LDAPS.
  • There is no connectivity between the ASA and the LDAP server.

You can narrow it down by running the following debug;

[box]debug ldap 255[/box]

In the following output you can see either the username or the password is wrong;

[box]

Petes-ASA(config)# debug ldap 255
debug ldap  enabled at level 255
[-2147483629] Session Start
[-2147483629] New request Session, context 0x00007fffbcc69c88, reqType = Authentication
[-2147483629] Fiber started
[-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389
[-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful
[-2147483629] supportedLDAPVersion: value = 3
[-2147483629] supportedLDAPVersion: value = 2
[-2147483629] Binding as asa
[-2147483629] Performing Simple authentication for asa to 192.168.110.10
[-2147483629] Simple authentication for asa returned code (49) Invalid credentials
[-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483629] Fiber exit Tx=207 bytes Rx=720 bytes, status=-2
[-2147483629] Session End

[/box]

In the following output you can see the firewall is trying to connect over LDAPS but the server is not configured, (or not answering on TCP 636);

[box]

Petes-ASA(config)# debug ldap 255
debug ldap  enabled at level 255
[-2147483625] Session Start
[-2147483625] New request Session, context 0x00007fffbcc69c88, reqType = Authentication
[-2147483625] Fiber started
[-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636
[-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483625] Session End

[/box]
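To turn that debug output into the diagnosis above without reading it by eye, here is an added Python example (mine, not the article's, and nothing Cisco ships): it groups 'debug ldap 255' lines by session id and maps each session to one of the four causes listed above. The sample transcripts are the two shown above plus a constructed third one for a plain LDAP connection that never connects; the session ids, IP addresses and result strings come from those transcripts, and the diagnosis strings are my own wording.

```python
import re

# Constructed samples: the two sessions quoted above, plus a third (made up here)
# where the ASA tries plain LDAP and gets no answer at all.
SAMPLE_BAD_CREDS = """\
[-2147483629] Session Start
[-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389
[-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful
[-2147483629] Binding as asa
[-2147483629] Performing Simple authentication for asa to 192.168.110.10
[-2147483629] Simple authentication for asa returned code (49) Invalid credentials
[-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483629] Session End
"""
SAMPLE_LDAPS_FAIL = """\
[-2147483625] Session Start
[-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636
[-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Session End
"""
SAMPLE_NO_ROUTE = """\
[-2147483620] Session Start
[-2147483620] Creating LDAP context with uri=ldap://192.168.110.10:389
[-2147483620] Connect to LDAP server: ldap://192.168.110.10:389, status = Failed
[-2147483620] Session End
"""

LINE_RE = re.compile(r"^\[(?P<sid>-?\d+)\]\s+(?P<msg>.*)$")
CONNECT_RE = re.compile(r"Connect to LDAP server: (?P<uri>\S+), status = (?P<status>\w+)")
BIND_RE = re.compile(r"Simple authentication for \S+ returned code \((?P<code>-?\d+)\)")

def parse_sessions(text):
    """Group the '[id] message' lines of a debug transcript by session id."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.setdefault(m.group("sid"), []).append(m.group("msg"))
    return sessions

def diagnose(messages):
    """Map one session's messages to the most likely of the causes listed above."""
    uri = status = None
    for msg in messages:
        c = CONNECT_RE.search(msg)
        if c:
            uri, status = c.group("uri"), c.group("status")
        b = BIND_RE.search(msg)
        if b and b.group("code") == "49":
            # LDAP result 49 = invalidCredentials: the TCP connection was fine, the bind was refused
            return "bind refused (code 49): wrong bind password, or wrong bind username / path to the user object"
        if b and b.group("code") != "0":
            return f"bind failed with LDAP result code {b.group('code')}"
    if status == "Failed" and uri and uri.startswith("ldaps://"):
        return "cannot connect over LDAPS: the server is not answering on TCP 636"
    if status == "Failed":
        return "cannot connect: no connectivity between the ASA and the LDAP server"
    if status == "Successful":
        return "connected and bound: the problem is not the bind"
    return "no connection attempt in this session"

def diagnose_debug(text):
    """Return {session id: diagnosis} for a whole 'debug ldap 255' transcript."""
    return {sid: diagnose(msgs) for sid, msgs in parse_sessions(text).items()}

if __name__ == "__main__":
    for sample in (SAMPLE_BAD_CREDS, SAMPLE_LDAPS_FAIL, SAMPLE_NO_ROUTE):
        print(diagnose_debug(sample))
```

Paste the whole terminal capture into diagnose_debug; several test attempts in one capture come back as separate session ids, so a wrong-password attempt and a later LDAPS attempt are reported independently.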

Related Articles, References, Credits, or External Links

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups

Network Summarisation – Exam Technique and Examples

KB ID 0001138 

Problem

Note: Yes I’m spelling Summarisation with an ’S’ I’m English.

Most examples I’ve seen on this give you a bunch of subnets then ask you to come up with a summary route for all of them, (that’s kind of the point of route summarisation, I’ll grant you). However, in an exam with a laminated board and the dodgy permanent pen they give you to make notes with, are you seriously expected to convert everything to binary to find the ‘last contiguous bit’?

I was studying this today and kept getting it wrong, so I asked a colleague to look and see where I was going wrong. He scribbled on a piece of paper for two minutes and came up with the correct answer. So I’ve stolen his methodology. You can use it for any range of subnets, and if it comes up in an exam, you also have the added bonus that the right answer will be on the screen so even if your maths is off a little, the answer should jump out at you.

Solution

Step 1: You get a range of subnets to summarise;

[box]

192.168.10.0 /24
192.168.11.0 /24
192.168.12.0 /24
192.168.13.0 /24
192.168.14.0 /24
192.168.15.0 /24

[/box]

Points to note:

A) Everything’s happening in the third octet.

B) Ignore everything except the lowest and the highest subnet.

Step 2: Write down the Highest and Lowest Network (in fact just the third octet).

[box]

10
15

[/box]

Step 3: Convert those into Binary (use a full 8 bits).

[box]

10 = 00001010 (if you’ve just gone eh! That's an 8, and a 2).
15 = 00001111 (if you’ve just gone eh! That's an 8, a 4, a 2, and a 1).

[/box]

Step 4: Find the POSITION of the last contiguous bit, (the same in both).

[box]

00001010 
00001111

[/box]

Above, the first 5 numbers are the same; that’s where the LAST bit of the summarised subnet will be. (If you’re confused, everything to the left will be a one, everything to the right will be a zero, i.e. 11111111.11111111.11111000.00000000.)

So the answer will have a /21 mask, (because there’s 21 x 1s).

Well that’s great, but I still don’t know the subnet address?

Yes you do! In step 3 you worked out the LOWEST subnet; you simply forget all the numbers that are NOT contiguous, and the subnet is all the bits that are left. (That sounds more complicated than it is), So;

[box]

00001010 
00001111

[/box]

You ignore the last three, they are not contiguous, (010 and 111 are not the same), that leaves you with;

[box]

00001000 = 8

[/box]

So the network to summarise is 192.168.8.0/21 (or 255.255.248.0 if you prefer).

You might think, THAT WAS LONG WINDED! Well I took pains to explain everything. Once you have the method you can apply it to any list of networks.

A More Complicated Example

[box]

192.168.112.0 /24
192.168.113.0 /24
192.168.114.0 /24
192.168.115.0 /24
192.168.116.0 /24
192.168.117.0 /24
192.168.118.0 /24
192.168.119.0 /24

Lowest and Highest

192.168.112.0
192.168.119.0

Convert the changing Octet to Binary

01110000
01110111

We are the same up to the 5th bit so it’s a /21
Drop the last three bits 01110000 is 112

Answer is 192.168.112.0/21

[/box]
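The same method in code, as an added Python example (mine, not the article's): it generalises the octet trick by comparing all 32 bits of the lowest network address against the highest address actually in the range (the broadcast address of the highest subnet), so it still gives the right mask when the largest subnet is not a /24. The shared leading bits are the mask, and the lowest address with the remaining bits zeroed is the summary network. Only the standard ipaddress module is used, and the function accepts the '192.168.10.0 /24' spacing used above.

```python
import ipaddress

def _bounds(cidrs):
    """Lowest network address and highest broadcast address across the list, as ints."""
    nets = [ipaddress.IPv4Network(c.replace(" ", ""), strict=False) for c in cidrs]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    return low, high

def to_binary(addr_int):
    """Dotted 8-bit groups, the form the method above compares by eye."""
    return ".".join(f"{(addr_int >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def working(cidrs):
    """The two binary strings to line up (Steps 3 and 4 above): lowest, then highest."""
    low, high = _bounds(cidrs)
    return to_binary(low), to_binary(high)

def summarise(cidrs):
    """Tightest single prefix covering every subnet in cidrs (Steps 1 to 4 above)."""
    low, high = _bounds(cidrs)
    prefix = 0
    # count the leading bits shared by the lowest and highest address (Step 4)
    for bit in range(31, -1, -1):
        if ((low >> bit) & 1) != ((high >> bit) & 1):
            break
        prefix += 1
    # zero everything to the right of the shared bits: that is the summary network
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((low & mask, prefix)))

if __name__ == "__main__":
    example = ["192.168.10.0 /24", "192.168.11.0 /24", "192.168.12.0 /24",
               "192.168.13.0 /24", "192.168.14.0 /24", "192.168.15.0 /24"]
    print(working(example))
    print(summarise(example))  # 192.168.8.0/21
```

working() prints the two rows you would write on the laminated board, so you can see the contiguous bits; summarise() does the counting and zeroing for you.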

More Exercises to Try (Answers Below)

[box]

1. 

10.10.1.0/27
10.10.1.32/28
10.10.1.48/28
10.10.1.64/26
10.10.1.128/29
10.10.1.136/29
10.10.1.144/28

2.

10.22.178.0 /23
10.22.180.0 /23
10.22.182.0 /23
10.22.184.0 /23
10.22.186.0 /23
10.22.188.0 /23
10.22.190.0 /23

3. 

172.16.4.0/24
172.16.5.0/24
172.16.6.0/24
172.16.128.0/24

4.

172.16.207.192 /26
172.16.205.64 /26
172.16.206.128 /25
172.16.204.0 /24

5.

172.16.0.0/24
172.16.1.0/24
172.16.2.0/24
172.16.3.0/24

[/box]

ANSWERS

1. 10.10.1.0 /24

2. 10.22.176.0 /20

3. 172.16.0.0 /16

4. 172.16.204.0 /24

5. 172.16.0.0 /22

Related Articles, References, Credits, or External Links

NA

Event ID 3085

KB ID 0000129

Problem

Error – 1601 occurred while generating an outgoing replication message. Type 0x4

Solution

There’s corruption in your public folder store. I see this during Exchange 2003 to 2007 migrations: quite often some folders will replicate fine and others will not, and there is no rhyme or reason as to why. Then you see this error in the event log; essentially a couple of corrupt messages/items are stopping an entire folder from replicating.

There’s going to be some downtime to your public folders (sorry)

1. On the Exchange 2003 Server, launch the Exchange System Manager > Drill down to the public folder store > Right click > Dismount > Yes.
2. Now you need to run the isinteg tool; it is in the exchsrvr directory in the sub folder called “bin” > Start > Run > cmd {Enter} > cd “C:\Program Files\exchsrvr\bin” {Enter}.

Note: The path to your bin folder might be different.

3. Take note of your Exchange server name (in the example below it’s CTC-EX2), and execute the following command,

[box]isinteg -s CTC-EX2 -fix -test alltests[/box]

4. Select the offline database that your public folders are in, (in the example below that’s 2).

5. Press Y {enter} to confirm.

6. This will perform 11 different tests, each one will tell you,

x number of errors
x number of warnings
x number of fix(es)
x number of rows <--- ignore this figure, it’s not important.

7. Continue to execute the SAME command until one of two things happens,

a. You get 0 errors, 0 warnings, and 0 fix(es) for everything.
OR
b. You get the same result on one or more tests THREE TIMES IN A ROW.

8. When done, go back to the Exchange System Manager and re-mount the store, apply the cup of coffee rule and check replication.

Related Articles, References, Credits, or External Links

Credit to Debasis at Microsoft for his help.

VMware Workstation – Deploying Server 2012 and Windows 8 ‘Linked Clones’ from Templates

KB ID 0000953 

Problem

VMware Workstation is a great test tool. If I need to take a look at some new software, or plan how I’m going to do a job, and I don’t have access to the ESX server or a test bench, it’s a great tool to have on my laptop.

If you build machines from scratch every time you need one, it can take a while. To address that you can create a template and deploy machines from it. To make things even more efficient you can make them ‘linked clones’. If you use VDI you will probably be aware of linked clones: they use the hard drive of the machine they were created from, and maintain a ‘delta disk’ that holds the differences. This makes them very efficient at using hard drive space, (which is good if you are running on a laptop!)

Solution

1. I’ve titled this Windows 8 and Server 2012, but this process works for just about any modern version of Windows. Build the machine that will be the template, and install all the latest updates. Locate sysprep.exe, usually in C:\Windows\System32\Sysprep, and run it. Ensure the ‘Generalize’ option is selected, and the shutdown option is set to ‘Shutdown’.

2. Once finished the machine will shut down. In VMware Workstation right click the VM > Snapshot > Take Snapshot > Give the snapshot a sensible name > Take Snapshot.

3. Once complete > Right Click the VM again > Settings > Options Tab > Advanced > Select ‘Enable Template mode (to be used for cloning)’ > OK.

4. Now every time you want a new VM simply right click the template > Manage > Clone > When the wizard starts > Next.

5. Choose the snapshot name you picked in step 2 > Next > Linked Clone (if you choose full clone it creates a complete new machine and will take a LOT of system resources) > Next > Give it a name > Finish.

6. Power on your new machine and it will run the mini Windows setup, and behave like a completely new VM.

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

KB ID 0000688

Problem

Last week I was configuring some 2008 R2 RADIUS authentication, for authenticating remote VPN clients to a Cisco ASA Firewall.

I will say that Kerberos Authentication is a LOT easier to configure, so you might want to check that first.

Solution

Step 1 Configure the ASA for AAA RADIUS Authentication

1. Connect to your ASDM > Configuration > Remote Access VPN > AAA Local Users > AAA Server Groups.

2. In the Server group section > Add.

3. Give the group a name and accept the defaults > OK.

4. Now (with the group selected) > In the bottom (Server) section > Add.

5. Specify the IP address, and a shared secret that the ASA will use with the 2008 R2 Server performing RADIUS > OK.

6. Apply.

Configure AAA RADIUS from command line;

[box]

aaa-server PNL-RADIUS protocol radius
aaa-server PNL-RADIUS (inside) host 172.16.254.223
  key 123456
  radius-common-pw 123456
  exit

[/box]

Step 2 Configure Windows 2008 R2 Server to allow RADIUS

7. On the Windows 2008 Server > Launch Server Manager > Roles > Add Role.

8. If you get a welcome page > Next > Select Network Policy and Access Server > Next > Next.

9. Select ‘Network Policy Server’ > Next > Install.

10. Close, when complete.

11. Whilst still in Server Manager > Network Policy and Access Server > NPS (Local).

12. Register Server in Active Directory > OK > OK.

13. Expand RADIUS Clients and Servers > Right click RADIUS Clients > New.

14. Give the firewall a friendly name, (take note of what this is, you will need it again) > Specify its IP > Enter the shared secret you set up above (step 5) > OK.

15. Expand policies > right click ‘Connection Request Policies’ > New > Give the policy a name > Next.

16. Add a condition > Set the condition to ‘Client Friendly Name’ > Add.

17. Specify the name you set up above (step 14) > OK > Next > Next > Next.

18. Change the attribute to User-Name > Next > Finish.

19. Now right click ‘Network Policies’ > New > Give the policy a name > Next.

20. Add a condition > User Groups > Add.

21. Add in the AD security group you want to allow access to > OK > Next > Next.

22. Select ‘Unencrypted Authentication PAP SPAP’ > Next > No > Next > Next > Finish.

Step 3 Test RADIUS Authentication

23. Back at the ASDM, in the same page you were in previously, select your server and then click ‘Test’.

24. Change the selection to Authentication > Enter your domain credentials > OK.

25. You are looking for a successful outcome.

Note: if it fails, check there is physical connectivity between the two devices and that the shared secrets match. Also ensure UDP ports 1645 and 1646 are not being blocked.

To Test AAA RADIUS Authentication from Command Line

[box]

test aaa-server authentication PNL-RADIUS host 172.16.254.223 username petelong password password123

[/box]

26. Finally, save the firewall changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Windows Server 2003 – Configure RADIUS for Cisco ASA 5500 Authentication

Windows Server 2012 – Configure RADIUS for Cisco ASA 5500 Authentication

Cisco ASA – Using ‘logging’ to see what ports are being blocked

KB ID 0000702 

Problem

If you look after a firewall, sooner or later something will fail, and the blame (rightly or wrongly) will be leveled at the firewall. I came back from holiday this week to find a client had a problem with secure POP email. The problem had been fixed (temporarily) by dropping the affected users into a group and opening all ports. As this had fixed the problem, it’s fair to say that the ASA was the root cause.

So I was asked to take a look and open the correct ports and lock the firewall back down again.

Solution

Step 1 – Setting up logging on the ASA

I’m going to do some real time testing, so the internal buffer on the ASA will hold enough logs for me; if you have an intermittent problem you might want to set up an external syslog server. I’m going to set the log buffer size and the logging level, and finally turn logging on.

[box]User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: *******
PetesASA# conf t
PetesASA(config)# logg buffer-size 4096
PetesASA(config)# logg buffered 7
PetesASA(config)# logg on[/box]

Step 2 – Attempt communication

At this point I got the client to attempt connection to the secure POP server, then had a look at the logs. I could view the whole log with ‘show logg’, but I filtered it down just to include traffic to and from this client (192.168.1.2).

Note: The ports being used are the destination ports after the slash (995 and 25 below), (YES I know that these are the ports required for secure POP, but your application could be using anything!)

[box]PetesASA(config)# show logg | inc 192.168.1.2

%ASA-4-106023: Deny tcp src inside:192.168.1.2/49279 dst outside:123.123.123.1231/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49280 dst outside:123.123.123.1231/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49281 dst outside:123.123.123.1231/25 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49282 dst outside:123.123.123.1231/25 by access-group "outbound" [0x911f757b, 0x0][/box]

Step 3 – Open the Ports required

There are a few ways of doing this. I just created some network objects, then if any other hosts need secure POP, I can simply add them to the object group.

[box]PetesASA(config)# object-group service SPOP-Ports tcp
PetesASA(config-service)# port-object eq 995
PetesASA(config-service)# port-object eq 25
PetesASA(config-service)# object-group network SPOP-Hosts
PetesASA(config-network)# network-object host 192.168.1.2
PetesASA(config-network)# exit
PetesASA(config)# access-list outbound extended permit tcp object-group SPOP-Hosts any object-group SPOP-Ports
PetesASA(config)# access-group outbound in interface inside
[/box]

WARNING: This assumes you DON’T already have an outbound traffic access list. If you DO, replace the word ‘outbound’ with the name of yours. Also remember that as soon as you apply an access list like this, all other traffic not explicitly permitted gets blocked!
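As an added Python example (mine, not the article's): the 'show logg | inc' filtering of Step 2 and the object-group build of Step 3, done from a saved copy of the log. The deny lines are constructed in the ASA-4-106023 format shown above (203.0.113.25 is a documentation address standing in for the client's mail server; one udp deny from another host and one unrelated 302013 line are included to show the filter ignoring them). The group names SPOP-Hosts and SPOP-Ports-<proto> follow the article's naming, with the protocol suffix my own addition so that tcp and udp ports land in separate service groups.

```python
import re
from collections import defaultdict

# Constructed sample in the ASA-4-106023 format shown above. 203.0.113.25 and
# 203.0.113.9 are documentation addresses; the udp line and the 302013 line are
# there so the filter has something to ignore.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49279 dst outside:203.0.113.25/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49280 dst outside:203.0.113.25/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49281 dst outside:203.0.113.25/25 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49282 dst outside:203.0.113.25/25 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.50/51000 dst outside:203.0.113.9/123 by access-group "outbound" [0x911f757b, 0x0]
%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.25/443 (203.0.113.25/443) to inside:192.168.1.2/49283 (11.11.11.6/49283)
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def denied_ports(log_text, client_ip):
    """The 'show logg | inc <client>' step: {proto: sorted destination ports}
    the ACL dropped for one source host. Source ports are ephemeral and ignored."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("src") == client_ip:
            ports[m.group("proto")].add(int(m.group("dport")))
    return {proto: sorted(p) for proto, p in ports.items()}

def acl_config(client_ip, ports_by_proto, acl="outbound", iface="inside", tag="SPOP"):
    """Step 3 as text: one network object-group for the host, one service
    object-group per protocol, and the permit lines that tie them together."""
    lines = [f"object-group network {tag}-Hosts", f" network-object host {client_ip}"]
    for proto, ports in sorted(ports_by_proto.items()):
        group = f"{tag}-Ports-{proto}"
        lines.append(f"object-group service {group} {proto}")
        lines.extend(f" port-object eq {port}" for port in ports)
        lines.append(f"access-list {acl} extended permit {proto} "
                     f"object-group {tag}-Hosts any object-group {group}")
    # Binding the ACL to the interface is what makes the implicit deny bite,
    # so it comes last; see the warning above about existing outbound ACLs.
    lines.append(f"access-group {acl} in interface {iface}")
    return "\n".join(lines)

if __name__ == "__main__":
    found = denied_ports(SAMPLE_LOG, "192.168.1.2")
    print(found)
    print(acl_config("192.168.1.2", found))
```

Feed it the output of 'show logg' saved to a file and the client address; review the printed lines against the warning above before pasting them into the firewall, because a host that was denied on a port is not automatically a host that should be allowed on it.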

Step 4 – Disable Logging

Simply prefix your earlier command with the word ‘no’.

[box]PetesASA(config)# no logg on[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Adding New ‘Different Range’ Public IP Addresses

KB ID 0001006 

Problem

I got an email at work yesterday;

“Hello Pete
I have asked our ISP to give us two additional real IP addresses so that we can progress the following two projects:

  1. Microsoft DirectAccess
  2. Publishing documents to a web server from our internal DMS.

{ISP Name} have come back and said that they don’t have the next available numbers in our current IP address range, but they do have two other numbers we could have from another range.
Would that cause any problems with regard to the firewall configuration etc.”

I’ve been asked similar questions before and my answer was always, “No let’s get a bigger range and re-ip the public side of the network”. But I was sat next to my usual font of all routing knowledge Steve, so I asked him what he thought. “It will just work, just NAT the traffic on the ASA, and as long as the ISP has set the routing up properly, the ASA will just proxy-arp the new public IP. We’ve done that for a few clients”.

I’ve not done this before, so before I put my neck on the block, I decided to build it in GNS3 to prove the concept.

Solution

1. I’ve already got a few basic Labs built for testing, here is the one I will use for this.

Note the ‘Host’ is really a router (this will become apparent later on). The ASA has a ‘public’ range of 11.11.11.1/29; this gives me 8 IP addresses (6 usable). Let’s assume we have exhausted all of those, and my ISP has given me 111.111.111.0/24 (generous eh!). I want to allocate 111.111.111.111 publicly to my host, (because I have OCD and it looks nice).

When I’ve finished I will test that it has worked by opening a TELNET session to my host from its outside IP 111.111.111.111.

2. Let’s make sure that the host can get to the Internet, and then on the ASA observe what public IP address it’s getting.

[box] On the ‘Host’ Router

InsideHost#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/164/568 ms
InsideHost#

Observe the results on the ASA

Petes-ASA(config)# show xlate
1 in use, 1 most used
Flags: D – DNS, i – dynamic, r – portmap, s – static, I – identity, T – twice
ICMP PAT from inside:192.168.1.10/0 to outside:11.11.11.6/41745 flags ri idle 0:00:05 timeout 0:00:30

[/box]

3. Connect to the ASA > Allow telnet traffic to the host > Setup a One-to-One static NAT translation to the new public IP.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any host 192.168.1.10 eq telnet
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)# object network OBJ-TELNET-HOST
Petes-ASA(config-network-object)# host 192.168.1.10
Petes-ASA(config-network-object)# nat (inside,outside) static 111.111.111.111
Petes-ASA(config-network-object)# exit
Petes-ASA(config)#

[/box]

4. Allow Telnet on the ‘host’ router.

5. At this point in a live environment you are reliant on your ISP to route those IP addresses to you. Here I’m going to achieve the same by adding a route on the ISP Router, and then (so I can connect to host), putting a static route on my laptop.

[box]ISP-Router(config)#ip route 111.111.111.0 255.255.255.0 11.11.11.6[/box]

6. Now let’s clear the ‘translations’ on the ASA, and repeat the test we did earlier; hopefully the public IP of our internal host will have changed.

[box] On the ASA

Petes-ASA(config)# clear xlate

On the ‘Host’ Router

InsideHost#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/164/568 ms
InsideHost#

Observe the results on the ASA

Petes-ASA(config)# show xlate
1 in use, 1 most used
Flags: D – DNS, i – dynamic, r – portmap, s – static, I – identity, T – twice
NAT from inside:192.168.1.10 to outside:111.111.111.111
flags s idle 0:00:46 timeout 0:00:00
Petes-ASA(config)#

[/box]

7. Let’s make sure that the correct IP address is being seen; to do that I set up Wireshark to sniff the traffic on the ISP Router’s 11.11.11.1 interface.

8. Then if I ping 4.2.2.2 from the internal host, and view the traffic capture, I should see the traffic coming from 111.111.111.111 (NOT 11.11.11.6).

9. Finally I should now be able to telnet from my laptop to the new public IP.

Related Articles, References, Credits, or External Links

NA