New Job, Updated blog

After eight years working at Wavex I have taken the decision to move on for a new career challenge and I am now a Senior Infrastructure Engineer at IT Lab. The past eight years have been a very good learning experience and I have developed from a young and inexperienced Service Desk Engineer into a more confident and technical IT Professional with the ability to communicate on a technical and commercial level to explain the problem and solution in a given situation.

As part of this change I have decided to try and remove some of the more juvenile aspects of my website and tidy up some of the blog posts that were written before I started my professional career as I realised that many of these were inappropriate content for a modern audience. All the blog content has moved from the subfolder “blog” to the root of my website and I am hoping that as my new role develops that there will be new content added over the coming months to read.

Thank you to all those at Wavex for their time in the past and here’s to the future.

Matt

Using OSPF to maintain site-site VPN across multiple WAN links

Having a Single Point of Failure (SPoF) on your network is never a desirable situation and recently I implemented a multi-site set-up where each site had two internet connections and there was a requirement to enable the satellite office to connect to the head office at all times. Each site has a Juniper SSG5-SB firewall as well as a 10Mbit leased line primary Internet circuit and an ADSL backup.

With the Juniper SSG firewalls it is possible to use Policy Based VPNs to maintain multiple tunnels and have the firewalls switch between these as required however you end up with four policies on each firewall and you cannot tell from looking at a routing table where the traffic is flowing. In this instance I decided to make use of OSPF to dynamically route the traffic depending on the availability of the VPNs at each site.

The first thing we need to do in order to implement this is to put each Internet connection into its own Virtual Router so they can run independently of each other.I have covered this in a recent blog post which you can read here.

Once you have the two firewalls setup with each Internet connection in its own virtual router we need to setup the VPNs. This is done with a new Zone in the trust-vr and we will need four numbered tunnel interfaces on each firewall.

set zone name VPNZone
set zone VPNZone vrouter trust-vr
set interface "tunnel.1" zone "VPNZone"
set interface "tunnel.2" zone "VPNZone"
set interface "tunnel.3" zone "VPNZone"
set interface "tunnel.4" zone "VPNZone"
set interface tunnel.1 ip 172.16.1.1/30
set interface tunnel.2 ip 172.16.1.5/30
set interface tunnel.3 ip 172.16.1.9/30
set interface tunnel.4 ip 172.16.1.13/30

On the second site firewall you will need to repeat the commands but using the other IP address in the /30 in each case.

Now we need to setup the VPN tunnels. You may want to change these based upon your requirements however I have used these settings regularly and they work well. NB you will need to apply similar settings on the Site-B firewall with the various endpoint addresses for SiteA

set ike gateway "Site-A_PRI-Site-B_PRI" address 192.0.2.18 Main outgoing-interface "ethernet0/0" preshare EnterYourPSKHere proposal "pre-g2-aes128-sha"
set ike gateway "Site-A_PRI-Site-B_SEC" address 192.0.2.34 Main outgoing-interface "ethernet0/0" preshare EnterYourPSKHere proposal "pre-g2-aes128-sha"
set ike gateway "Site-A_SEC-Site-B_PRI" address 192.0.2.18 Main outgoing-interface "ethernet0/1" preshare EnterYourPSKHere proposal "pre-g2-aes128-sha"
set ike gateway "Site-A_SEC-Site-B_SEC" address 192.0.2.34 Main outgoing-interface "ethernet0/1" preshare EnterYourPSKHere proposal "pre-g2-aes128-sha"
set vpn "Site-A_PRI-Site-B_PRI IKE" gateway "Site-A_PRI-Site-B_PRI" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Site-A_PRI-Site-B_PRI IKE" monitor optimized rekey
set vpn "Site-A_PRI-Site-B_PRI IKE" id 0x6 bind interface tunnel.1
set vpn "Site-A_SEC-Site-B_PRI IKE" gateway "Site-A_SEC-Site-B_PRI" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Site-A_SEC-Site-B_PRI IKE" monitor optimized rekey
set vpn "Site-A_SEC-Site-B_PRI IKE" id 0x3 bind interface tunnel.2
set vpn "Site-A_SEC-Site-B_PRI IKE" dscp-mark 0
set vpn "Site-A_PRI-Site-B_SEC IKE" gateway "Site-A_PRI-Site-B_SEC" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Site-A_PRI-Site-B_SEC IKE" monitor optimized rekey
set vpn "Site-A_PRI-Site-B_SEC IKE" id 0x4 bind interface tunnel.3
set vpn "Site-A_SEC-Site-B_SEC IKE" gateway "Site-A_SEC-Site-B_SEC" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Site-A_SEC-Site-B_SEC IKE" monitor optimized rekey
set vpn "Site-A_SEC-Site-B_SEC IKE" id 0x5 bind interface tunnel.4

From the GUI you should be able to check that these have come up by going to VPN -> Monitor Status.

We now need to enable OSPF on the trust-vr and configure the interfaces to communicate using OSPF. This should be completed on both the primary and secondary site firewalls.

set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set vrouter trust-vr
  set interface tunnel.1 protocol ospf area 0.0.0.0
  set interface tunnel.1 protocol ospf enable
  set interface tunnel.1 protocol ospf priority 10
  set interface tunnel.1 protocol ospf cost 1
  set interface tunnel.1 protocol link-type p2p
  set interface tunnel.2 protocol ospf area 0.0.0.0
  set interface tunnel.2 protocol ospf enable
  set interface tunnel.2 protocol ospf priority 20
  set interface tunnel.2 protocol ospf cost 2
  set interface tunnel.2 protocol link-type p2p
  set interface tunnel.3 protocol ospf area 0.0.0.0
  set interface tunnel.3 protocol ospf enable
  set interface tunnel.3 protocol ospf priority 30
  set interface tunnel.3 protocol ospf cost 3
  set interface tunnel.3 protocol link-type p2p
  set interface tunnel.4 protocol ospf area 0.0.0.0
  set interface tunnel.4 protocol ospf enable
  set interface tunnel.4 protocol ospf priority 40
  set interface tunnel.4 protocol ospf cost 4
  set interface tunnel.4 protocol link-type p2p
  set interface bgroup0 protocol ospf area 0.0.0.0
  set interface bgroup0 ospf passive
  set interface bgroup0 ospf enable

You can check the OSPF status by running the following command

get vr trust-vr protocol ospf neighbor

Finally we need to setup policies to allow traffic to flow across the VPN between the two sites.

set address Trust "Site A LAN (192.168.1.0/24)" 192.168.1.0/24
set address VPNZone "Site B LAN (192.168.1.0/24)" 192.168.1.0/24
set policy from Trust to VPNZone "Site A LAN (192.168.1.0/24)" "Site B LAN (192.168.1.0/24)" any permit
set policy from VPNZone to Trust "Site B LAN (192.168.1.0/24)" "Site A LAN (192.168.1.0/24)" any permit

To test this you need to take down the Internet connections one by one and watch the routing table update on each firewall.
You should now see all four IPSec VPN Tunnels show as active and the route between sites will be via the Layer-3 tunnel interface for the relevant tunnel.

Hello world!

UPDATE 29/12: The content should all be mirrored across from the old blog to the new site. I am working on a URL rewrite for the old hyperlinks from search engines etc to link to the new blog but it looks to be up to date.

Hello, and welcome back to my blog. Over the years this site has been in a state of disarray and lack of updates so I have decided that an overhaul is needed to get this back on track. All the old additional content from my University days has been consigned to the Internet dustbin and the site is just going to be a location for me to blog about technology and things that interest me.

I am working on reimporting all the old content from the old database and making sure that the images are all touched up and reimported so if you are looking for an old article these should be back in the coming weeks.

Thanks,

Matt

JunOS: Logout stale edit sessions

I have been bitten enough times when my ssh session to my JunOS switch or router has been disconnected because it was idle and then when I reconnect get the warning to say that another user is editing the configuration.

adminuser@switch01> edit
Entering configuration mode
Users currently editing the configuration:
adminuser terminal p0 (pid 28439) on since 2013-02-28 14:27:28 GMT, idle 01:41:42
[edit]

The easiest thing to do is to log out the other session once you have reconnected to the device by using the PID of the stale session (in this case 28439) with the following command:

request system logout pid 28439

You should now no longer see that message when you log back into the switch.

Citrix XenApp 6.5 – GPO Templates

I’ve recently been configuring a new Citrix XenApp 6.5 farm for one of my clients and as part of the deployment was looking through some articles on configuring the farm settings when I discovered the following post in Gerrish’s IT Blog about enabling the enhanced user interface features available with XenApp 6.5 (XenApp 6.5 – Enhanced Desktop Experience)

Alongside the implementation of a standardised user interface the post also explains how Citrix can automatically create some GPO templates to lock down the server farm so the users are not able to perform tasks they shouldn’t be able to do. These policies will need to be tweaked to match the requirements of your particular environmetn but provides a strong starting point for configuring and standardising your Citrix farm.

Monitoring Alarm Status on Juniper EX Switches

I am in the process of installing a number of Juniper EX2200, EX3200 and EX4200 switches for a client and as part of the setup need to be able to monitor the switches for any alarms  (eg Switch Management interface down or Switch booted from Backup Partition) and have them dealt with accordingly.

Having a look at the SNMP OID tree for the EX switches I came across the following useful table

http://www.oidview.com/mibs/2636/JUNIPER-ALARM-MIB.html

Object Name Object Identifier
jnxAlarms jnxAlarms 1.3.6.1.4.1.2636.3.4
jnxCraftAlarms jnxCraftAlarms 1.3.6.1.4.1.2636.3.4.2
jnxAlarmRelayMode jnxAlarmRelayMode 1.3.6.1.4.1.2636.3.4.2.1
jnxYellowAlarms jnxYellowAlarms 1.3.6.1.4.1.2636.3.4.2.2
jnxYellowAlarmState jnxYellowAlarmState 1.3.6.1.4.1.2636.3.4.2.2.1
jnxYellowAlarmCount jnxYellowAlarmCount 1.3.6.1.4.1.2636.3.4.2.2.2
jnxYellowAlarmLastChange jnxYellowAlarmLastChange 1.3.6.1.4.1.2636.3.4.2.2.3
jnxRedAlarms jnxRedAlarms 1.3.6.1.4.1.2636.3.4.2.3
jnxRedAlarmState jnxRedAlarmState 1.3.6.1.4.1.2636.3.4.2.3.1
jnxRedAlarmCount jnxRedAlarmCount 1.3.6.1.4.1.2636.3.4.2.3.2
jnxRedAlarmLastChange jnxRedAlarmLastChange 1.3.6.1.4.1.2636.3.4.2.3.3

I have used the jnxRedAlarmCount and jnxYellowAlarmCount oid values as basic Opsview SNMP Service Checks to give me an initial overview but in the long term will be looking to combine this into a full service check script that can be used to check a number of different things.

The setup of the Service Check in Opsview is fairly simple and below are screenshots of the config that I have for each service check.

All you need to configure on your hosts is the SNMP community string and you can apply these checks individually or via a Host Template.

Once I performed a reload I could see the following in Opsview for one of my switches:

A bit of inspection showed that the Red Alarm was for the Management Interface being down (but wasnt being used on this switch) and the Yellow alarm was due to not setting a rescue configuration. I cleared the alarms by isuing the following commands

edit
set chassis alarms management-interface link-down ignore
commit and-quit
request system configuration rescue save

Now when I refresh the checks in Opsview I get an OK state for both checks

Symantec Endpoint Protection Manager 12.1 configuration

Just stated to deploy my first SEP 12.1 implementation for a new client and came across a bug whereby the disk space on the system drive where SEPM had been installed was decreasing rapidly.  Investigation showed that the Endpoint Protection Manager is not configured by default to backup or truncate the log files for its database.

For more information from Symantec on the configuration of the truncate and index rebuild options please review the following KB article: http://www.symantec.com/business/support/index?page=content&id=TECH166658

One other thing that was pointed out by a colleague was that Backup Exec is unable to backup the Database files and you will need to configure SEPM to backup and export the data if you would like to recover the current SEPM configuration in the event of having to restore the server from backup.

To fix this is straightforward but led me to ask the question why Symantec wouldn’t think this needs to be enabled by default for the product.

 

Backup Exec 2012 – One time Exchange Backup doesnt flush transaction logs

I have spent the last few days trying to understand why a successful one time backup hadn’t flushed the transaction logs on my client’s Exchange 2010 server. We spent a lot of time troubleshooting message queues and looking for a transaction that hadn’t completed as the Backup job had reported successful. Digging a bit deeper into some of the job logs I can see that the one-time backup was doing a COPY – Full database and logs and not a FULL – database and flush committed logs.

Googling this came up with the following technote: http://www.symantec.com/business/support/index?page=content&id=TECH187838 and there is no way that you can change the option to do a full log flush in the one time backup.

I can’t fathom why this wouldn’t be a useful feature of the software to at least have the flush committed logs as a tickbox in the job options for the one-time backup.

Juniper EX view pending changes

When making changes to Juniper EX switches yesterday I wanted to check the changes that I had made to my configuration before committing them. A quick look in the reference manual gave me the following command:

show | compare rollback 0

This will show the edited candidate config and pipe that into the compare function and look at the changes to the specified version (rollback 0). I could look at the changes compared to a previous config by replacing 0 with another number in the rollback sequence.