You will see this error if you are pasting configuration into a Cisco firewall. This week I was manually converting an old version 8.2 firewall's configuration to run on a modern (version 9) firewall when I saw this;
[box]
Petes-ASA(config)# username fred.bloggs attributes
Petes-ASA(config-username)# group-lock value SOME-VALUE
WARNING: tunnel-group SOME-VALUE does not exist
[/box]
Solution
The reason you are seeing this error is that you are working your way through the config (from top to bottom), and you have just told the firewall to use a tunnel-group that is defined further down in the config, so you have not created it yet on the target firewall!
For the uninitiated: A group-lock is used to define different tunnel-groups for different users.
So on the source configuration, locate the appropriate tunnel-group and put that in first, then retry;
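To find these forward references before pasting, here is a small checker I have added for this article (it is not from the original post). It scans a config in order, reports every group-lock that names a tunnel-group not yet defined, and extracts that tunnel-group's lines so they can be pasted first; the config and names in it are a constructed sample.

```python
"""Find 'group-lock value X' lines that reference a tunnel-group defined
further down (or not at all) in an ASA config, the cause of the
'WARNING: tunnel-group X does not exist' message when pasting top to bottom.
The config below is a constructed sample; its names are made up."""
import re

SAMPLE_CONFIG = """\
username fred.bloggs attributes
 group-lock value SALES-VPN
username jo.smith attributes
 group-lock value SUPPORT-VPN
tunnel-group SALES-VPN type remote-access
tunnel-group SALES-VPN general-attributes
 address-pool SALES-POOL
tunnel-group SALES-VPN ipsec-attributes
 ikev1 pre-shared-key *****
"""
GROUP_LOCK_RE = re.compile(r"^\s+group-lock value (\S+)\s*$")
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) ")


def forward_references(config):
    """Return [(line_no, group)] for each group-lock whose tunnel-group has
    not been defined yet at that point in the file."""
    defined, problems = set(), []
    for n, line in enumerate(config.splitlines(), 1):
        if m := TUNNEL_GROUP_RE.match(line):
            defined.add(m.group(1))
        elif (m := GROUP_LOCK_RE.match(line)) and m.group(1) not in defined:
            problems.append((n, m.group(1)))
    return problems


def tunnel_group_block(config, name):
    """Return the lines defining tunnel-group `name` (its tunnel-group commands
    plus their indented sub-mode lines), in order, so they can be pasted
    before the username attributes that lock to it. Empty if undefined."""
    block, inside = [], False
    for line in config.splitlines():
        if m := TUNNEL_GROUP_RE.match(line):
            inside = m.group(1) == name
        elif not line.startswith(" "):
            inside = False  # any other top-level command ends the block
        if inside:
            block.append(line)
    return block
```

An empty result from tunnel_group_block means the tunnel-group is missing from the source config altogether, which is a different problem from ordering.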
I don’t validate and check the sites RSS feed as often as I should, but post server migration I got this error;
This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
Your feed appears to be encoded as “UTF8”, but your server is reporting “US-ASCII”
Solution
As you can see from the section I’ve highlighted above, UTF-8 is already being set in the feed itself. I just need my server (CentOS with Apache) to serve it as UTF-8.
1. Edit (or create) a .htaccess file in the same directory as the RSS XML file and add the following lines to the end.
[box]
# Add the UTF-8 Character Set
AddCharset UTF-8 .xml
[/box]
2. Then restart Apache.
[box]
service httpd restart
[/box]
Related Articles, References, Credits, or External Links
1. It’s a simple one to solve: the server was built with the HP ESXi build, and the management agents are complaining because the iLO is not connected to the network.
2. When you connect the iLO socket to the network the alarm should change as shown below.
3. Once you have connected or disabled it you can reset the alarm.
4. Take the opportunity to log in and configure the iLO. Access via an internet browser (it will get a DHCP address by default, you can set a static IP address by entering the iLO setup at boot (see disabling iLO section below)).
5. The user name is Administrator (capital A) and the password will be either on a pull-out tab on the front of the server, or a brown cardboard label tied to the front of the server (you did keep that, didn’t you!), or on a brown sticker on top of the server chassis. On certain models HP also stick this information under the server lid.
6. Then you can log in and configure.
Disable the iLO
1. If you do not want to use the iLO then you can disable it (I can’t think why you would want to, because it’s a handy piece of kit, but here’s how to do it).
2. Reboot the server, and when prompted press F8 to enter the iLO setup.
3. Settings > Configure.
4. These are the default settings, use the cursor keys to select and the space bar to enable/disable the options.
5. All disabled.
Seen on Server 2003 running IIS 6, about once a week the website would fail, and the client had to reboot the server to bring things back up again. I took a look at the server and noticed that when the failure happened, we had five Event ID 1014 errors;
Source W3SVC
The World Wide Web Publishing Service encountered an internal error in its process management of worker process ‘<value>’ serving application pool ‘DefaultAppPool’. The data field contains the error number.
And finally we had an Event ID 1002;
Source W3SVC
Application pool ‘DefaultAppPool’ is being automatically disabled due to a series of failures in the process(es) serving that application pool
Solution
1. Before you proceed make sure this is not the problem.
2. Open the Internet Information Services (IIS) Manager > {Servername} > Application Pools > DefaultAppPool (unless your error is for another app pool) > Properties > Health.
3. Rapid-Fail Protection: You may wish to troubleshoot by simply increasing the thresholds (the frequency of your 1002 events should give you a pointer). Though from what I’ve read this system tends to cause more problems than it cures; in the end I disabled it completely.
Warning: Disabling a system that is designed to protect you inherently has dangers.
If you suddenly get an unstable server, or memory leak problems you might want to reinstate this, and start checking the code in your website!
The call came in this morning, a client had replaced a failed drive in his SAN, (an MSA P2000 2324sa). He was asking if there was anything he needed to do. I said “Just mark it as a global spare and that should be it”. He rang back some time later to say he was still having problems.
When I dialled in I could see his ‘new’ drive was marked as LEFTOVR and was flagged with the following warning;
The disk may contain stale metadata. Recommended action: Clear the metadata to rescue the disk.
Solution
You see this error because this is a ‘recycled’ disk, and it still has data on it that refers to the array and/or vdisk that it was in originally. This is the ‘metadata’ that it is referring to.
Note: You can see, (from the image above) the disk I’m dealing with is disk 8 (make a mental note of that).
1. With the MSA Selected > Tools > Clear Disk Metadata.
2. Remember our disk is in slot 8, so tick it and click ‘clear metadata’.
3. You can now treat this disk as if it were a new disk and add it as a global spare, (your failed vdisk will then claim the disk and the RAID should rebuild it without further intervention).
Before upgrading/updating the ASA to version 8.3 (or higher), check that you have the correct amount of RAM in the firewall (the “show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.
Be aware that if you are upgrading to an OS of 8.4(2) or newer you can no longer access the device via SSH using the default username of “pix”; you need to enable AAA authentication for SSH. Do this before you reboot/reload the firewall or you may lock yourself out.
8. You may find that there is not enough room in flash memory, if so you will see this error. (if it does not error skip to step 11).
9. If you are stuck for room you can delete some items from your flash memory > Tools > File Management.
10. Here you can see I’m deleting an old version of the ASDM. Note you could delete the live version of the ASDM and operating system if you had no choice (THOUGH DON’T REBOOT THE FIREWALL until the new ones have uploaded, or you will be loading the files in ROMMON mode!)
11. Once all the files have been downloaded to your location, they will be uploaded to the firewalls flash memory.
12. Next.
13. Finish.
Note: What happens now is that the following commands are issued in the background automatically (the version numbers may be different in your case).
[box]
asdm image disk0:/asdm-649.bin
no boot system disk0:/asa843-k8.bin
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa843-k8.bin
[/box]
14. After the firewall reboots, it should come back up with the new OS and ASDM version.
I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future.
What is an Access-Group command?
You use an access-group command to apply an access-list to an interface, in a particular direction (in or out). I always apply access-groups in the ‘in’ direction on an interface to avoid confusion.
Example
[box]
Create an access list first:
access-list outbound permit tcp host 192.168.1.1 any eq www
Then nothing will happen unless you apply that ACL to an interface with an access-group command:
access-group outbound in interface inside
[/box]
Solution
So Why The Access-Group Warning?
Reason 1
When I post articles and direct you to allow traffic through a firewall, I make the assumption that you do not have any ACLs already applied with access-group commands. If you did, and followed my tutorials blindly, then you would overwrite your access-groups, and any existing ACLs would stop working! (The ACLs would still be there, you would need to reapply them though).
Reason 2
By default traffic will flow through the ASA from interfaces that have a higher (more secure) security level to interfaces with a lower security level. That’s why you can get out through a new firewall without adding any rules. However, every ACL has an implicit deny on the end of it. So if you have a mail server and allow out SMTP, for example, as soon as you apply the ACL with your access-group command you STOP ALL OTHER OUTBOUND COMMUNICATION until that is allowed also.
So How Can You Make Sure I’m Not About to Break Anything?
Easy, your firewall will tell you if you have any access-groups already in use, with a ‘show run access-group’ command. Below you can see there are three, and which interface each is applied to.
[box]
User Access Verification
Password: ********
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# show run access-group
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
PetesASA#
[/box]
I’ve deliberately shown a naming convention I don’t usually use, I typically have an ACL called outbound for outgoing traffic, and inbound for incoming traffic. If your firewall has different named ACLs applied with access-group commands USE YOUR ACL NAME, NOT THE ONES IN MY ARTICLES!
I’ve followed Your Article and It Works But Everything Else Has Stopped Working!
OK remember (Reason 2) above, you need to allow the traffic out again. The simplest way to do that is with a permit ip any any command which is what you had originally*, (I prefer to only allow out what traffic needs to go out, but I’m a firewall nut!)
*Note: To avoid emails from the pedants, you actually had all protocols open, not just IP.
[box]
Assuming the last commands you issued looked something like:
access-list outbound permit tcp host 192.168.1.1 any eq www
access-group outbound in interface inside
Now that works, but everything else does not: you have fallen foul of the ‘implicit deny’, so allow out the traffic you want to allow out, i.e.
access-list outbound permit ip any any
[/box]
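To put the ‘show run access-group’ check and the implicit-deny fix above into something you can run against a saved config before pasting, here is a pre-flight checker I have added for this article (not from the original post). It parses access-list and access-group lines from a constructed sample config, warns when the access-group you are about to issue would replace one already bound to that interface (Reason 1), and warns when the ACL ends in the implicit deny with no trailing permit ip any any (Reason 2).

```python
"""Pre-flight check before pasting an access-group command into an ASA:
flags an ACL already bound to that interface (Reason 1) and an ACL that
ends in the implicit deny (Reason 2). Config below is a constructed sample."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list outbound extended permit tcp host 192.168.1.1 any eq www
access-list inbound extended permit tcp any host 192.168.1.10 eq smtp
access-group outbound in interface inside
access-group inbound in interface outside
"""
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")
BIND_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def parse_config(text):
    """Return (acls, bindings): ACL name -> [(action, proto, rest)] and
    (interface, direction) -> ACL name, as 'show run' lists them."""
    acls, bindings = defaultdict(list), {}
    for line in (l.strip() for l in text.splitlines()):
        if m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            acls[name].append((action, proto, rest))
        elif m := BIND_RE.match(line):
            name, direction, iface = m.groups()
            bindings[(iface, direction)] = name
    return dict(acls), bindings


def check_access_group(text, acl, direction, iface):
    """Return warnings for 'access-group <acl> <direction> interface <iface>'."""
    acls, bindings = parse_config(text)
    warnings = []
    current = bindings.get((iface, direction))
    if current and current != acl:
        warnings.append(f"Reason 1: {iface} {direction} already uses '{current}'; "
                        f"applying '{acl}' replaces it")
    aces = acls.get(acl, [])
    if not aces:
        warnings.append(f"ACL '{acl}' is not defined; only the implicit deny would apply")
        return warnings
    # Only a trailing 'permit ip any any' (the article's fix) defeats the implicit deny.
    action, proto, rest = aces[-1]
    if not (action == "permit" and proto == "ip" and rest.split()[:2] == ["any", "any"]):
        warnings.append(f"Reason 2: '{acl}' ends in the implicit deny; anything not "
                        f"matched by its {len(aces)} ACE(s) is dropped on {iface}")
    return warnings
```

Call check_access_group with the output of ‘show run’ and the exact access-group line you intend to paste; an empty list means neither problem applies.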
I wrote an article yesterday about tethering via bluetooth, and had a few problems, sorry to say the web was not much help at all 🙁
Basically the iPhone was marked with a yellow warning triangle, and when clicking the troubleshooting option you see the following,
Error: Bluetooth Peripheral Device doesn’t have a driver.
2. I read some forum posts and the general advice was to download iTunes, extract the driver msi out of it and use those drivers, but that didn’t work either.
Error: Bluetooth Peripheral Device – No driver found.
Solution
The reason this is happening is that by default your iPhone installs with the “Wireless iAP” service enabled. Click Start > Devices and Printers > Locate your iPhone > Right click > Properties > Services > Untick Wireless iAP > Apply > OK.
Note: You can still use the phone as an internet access point.
iTunes
There are purchased items on the iPhone “{name of phone}” that have not been transferred to your iTunes library. You should transfer these items to your iTunes library before updating this iPhone. Are you sure you want to continue?
Solution
1. Firstly remove the warning by clicking “Cancel”.
2. With iTunes running and your iPhone connected, locate the phone which should be listed on the menu on the left hand side, Right click the phone and select “Transfer Purchases”.
3. Wait for it to complete then re-try the update process.