sircles.net Computer Support The sircles.net IT support & solutions blog | Troubleshooting


Juniper SSG5 to DrayTek Vigor 2860 IPSec VPN


The DrayTek Vigor range are very straightforward routers on which to configure a VPN, and only get really complicated to work on when dealing with multiple firewall rules that may conflict with or override each other. The Junipers are highly configurable in a very ordered manner, but this does mean that there are extra considerations and stages to configuration when programming a VPN.

The Juniper needs to be told to allow traffic through a VPN and also needs a tunnel and an endpoint configured and so let us deal with that first.

We are assuming that you already have access to the Juniper via the web browser and can reach the configuration screens.

Go to the Network menu and select Interfaces and List.

Now with the drop down top right, choose Tunnel IF and then click New.

Set the Zone to be Untrust (trust-vr)

Check the bubble for Unnumbered as this is a route-based VPN.

Choose the interface to be the internet facing interface with the IP address that you will be pointing the DrayTek Vigor VPN at.

Now click the Tunnel link at the right of the links at the top of your configuration panel.

Once again the destination will be left as 0.0.0.0 as this is a route-based VPN and the Gateway we define in a minute will determine the endpoint for the VPN.

Now we have the tunnel configured we move on to configure the VPN:

Click Autokey IKE and then New:

Rather than configure a gateway in advance we will simply create one in this page. Click the bubble to Create a Simple Gateway and enter a name for the remote gateway. Leave IKE as ver.1 and choose Static IP and enter the Vigor WAN IP or hostname.

Now enter the pre-shared key which is a code that you will enter into the Vigor or share with the admin of the remote Vigor by some secure means. The Outgoing Interface will be the Juniper physical interface on which the WAN IP address resides to which you will be pointing the Vigor VPN.

Now click Advanced:

Here we are choosing the Phase 2 encryption proposal which is simply the encryption types - AES 256-bit in this case with DH Group 14 PFS (Perfect Forward Secrecy) and 3600 seconds time-out, but feel free to simply select a standard choice and simply make a note of the one you are choosing. Is it AES or 3DES or DES? What is the time-out, is it in seconds, minutes or hours? What is the PFS DH group? All of these should be noted as the Vigor must be configured to accept them.

Now enter the local and remote IP / Netmask, where the local is the Juniper LAN address and subnet and the remote is the LAN which resides behind the Vigor, which we are going to have remote access to once the VPN is established. In this case both subnets are set at /24, meaning 255.255.255.0 Class-C subnets, but you must obviously enter your own details for each network.

Set service to Any which will allow all traffic to pass between the sites via our VPN.

Tick VPN Monitor, Optimised and Rekey and leave the destination as default whilst choosing the external interface to which you will point the Vigor as the Source Interface.

Now click Return and OK. Now move on to configure the policies. The Gateway settings below are just for reference.

Here are the configurations for the Gateway but these two pages have been configured already when we configured the VPN but they are included as reference if you need to troubleshoot your Gateway settings:

 

Now click Advanced:

Now we must configure the policies to allow traffic between the sites. Go to Policy then Policies and at the top select from Trusted to Untrusted and click New.

Give the policy a name and enter the local subnet in the source and the remote subnet in the destination address boxes.

Choose the service type as Any and click OK. There is no need to configure advanced options in this instance.

Now at the top of the policy screen, select from Untrusted to Trusted and New and configure the settings as above but with the Vigor remote LAN subnet as the source and the local Juniper subnet as the destination with the service set as Any.

This completes the Juniper set-up and we can now configure the DrayTek Vigor 2860.

 Log into the admin web page of the DrayTek and go to the VPN and Remote Access section on the right-hand side. Click on LAN to LAN and then click an empty profile so that you can begin to populate the necessary information:

Name the VPN, indicating where it is connecting your local subnet to.

Tick to enable the profile.

Choose which WAN port/interface the VPN will be established through.

We are allowing NetBIOS naming packets as this will be for a Windows computer network and we may wish to enable inter-site computer browser functioning etc.

Multicast via VPN we will leave disabled.

Set the direction to be Both so that either site can initiate the connection.

Set the VPN type to be IPSec and enter the WAN IP or hostname of the Juniper we are connecting to.

Populate the bubble for Pre-Shared Key and click the IKE Pre-Shared Key button. Here you must enter the same key you entered into the Juniper and click OK.

Below that, choose the bubble for High(ESP) and set the dropdown box to be AES with Authentication. Then click the Advanced button:

Here we are selecting Main mode as we did on the Juniper and our phase 1 proposal as AES256_SHA1_G14

Our phase two proposal is set as AES256_SHA1

Timeouts are once again 28800 seconds and 3600 seconds for phase one and two respectively and the Perfect Forward Secret (PFS) is enabled. Now click OK.

Moving down the VPN LAN to LAN page we come to the Dial-In settings:

Tick IPSec Tunnel as the VPN type and untick the others.

Tick the box to Specify Remote VPN Gateway and enter the Juniper WAN IP once more.

Tick the box for the Pre-Share Key and enter it as before by pressing the appropriate button.

Tick the AES button for the IPSec Security Method.

Leave section 4 blank here as we are not using GRE in this example.

Finally, in section 5, we enter the Vigor WAN IP in My WAN IP and the Juniper WAN IP in Remote Gateway IP.

The Juniper LAN subnet in Remote Network IP such as 192.168.10.0 and the subnet mask below, in this case 255.255.255.0 rather than /24.

The local network IP is the LAN subnet behind the Vigor, such as 192.168.11.0, with the subnet mask for the Vigor LAN below.

The RIP direction is set to both and the traversal method is set to Route.

Now click OK.

Go to VPN and Remote Access and Connection Management and see if the VPN is up:
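The walkthrough asks you to note every proposal setting on the Juniper because the Vigor must be configured to accept them. The following is an added example, not part of the original post: a PowerShell worksheet check that parses the Vigor proposal strings, normalises /24 against 255.255.255.0 and confirms the subnets are mirrored. The hashtable key names are hypothetical, and the Juniper hash values are assumed to mirror the Vigor ones because the text does not state them.

```powershell
# Added example: compare a worksheet of both ends before testing the tunnel.
# Values come from the walkthrough where it states them; assumptions are marked.
# The pre-shared key is deliberately not stored here.

function ConvertTo-PrefixLength {
    param([Parameter(Mandatory)][string]$Mask)      # '255.255.255.0', '24' or '/24'
    if ($Mask -match '^/?(\d{1,2})$') { return [int]$Matches[1] }
    $bits = ''
    foreach ($octet in $Mask.Split('.')) {
        $bits += [Convert]::ToString([int]$octet, 2).PadLeft(8, '0')
    }
    if ($bits.Length -ne 32 -or $bits -notmatch '^1*0*$') { throw "Not a contiguous netmask: $Mask" }
    return ($bits -replace '0', '').Length
}

function ConvertFrom-VigorProposal {
    param([Parameter(Mandatory)][string]$Proposal)  # e.g. AES256_SHA1_G14 or AES256_SHA1
    if ($Proposal -match '^(?<enc>[A-Z0-9]+)_(?<hash>[A-Z0-9]+)(?:_G(?<dh>\d+))?$') {
        $dh = if ($Matches.ContainsKey('dh')) { [int]$Matches['dh'] } else { $null }
        return @{ Encryption = $Matches['enc'].ToUpper(); Hash = $Matches['hash'].ToUpper(); DhGroup = $dh }
    }
    throw "Unrecognised proposal string: $Proposal"
}

function Format-Subnet {
    param([string]$Network, [string]$Mask)
    '{0}/{1}' -f $Network, (ConvertTo-PrefixLength $Mask)
}

function Compare-VpnWorksheet {
    param([Parameter(Mandatory)][hashtable]$Juniper, [Parameter(Mandatory)][hashtable]$Vigor)
    $p1 = ConvertFrom-VigorProposal $Vigor.Phase1Proposal
    $p2 = ConvertFrom-VigorProposal $Vigor.Phase2Proposal
    # Each entry holds the Juniper value first, then the Vigor value.
    $pairs = [ordered]@{
        'IKE mode'                     = $Juniper.Mode, $Vigor.Mode
        'Phase 1 encryption'           = $Juniper.P1Encryption, $p1.Encryption
        'Phase 1 hash'                 = $Juniper.P1Hash, $p1.Hash
        'Phase 1 DH group'             = $Juniper.P1DhGroup, $p1.DhGroup
        'Phase 1 lifetime (s)'         = $Juniper.P1Lifetime, $Vigor.P1Lifetime
        'Phase 2 encryption'           = $Juniper.P2Encryption, $p2.Encryption
        'Phase 2 hash'                 = $Juniper.P2Hash, $p2.Hash
        'Phase 2 lifetime (s)'         = $Juniper.P2Lifetime, $Vigor.P2Lifetime
        'PFS enabled'                  = [bool]$Juniper.PfsGroup, [bool]$Vigor.Pfs
        'Juniper local = Vigor remote' = (Format-Subnet $Juniper.LocalNet $Juniper.LocalMask),
                                         (Format-Subnet $Vigor.RemoteNet $Vigor.RemoteMask)
        'Juniper remote = Vigor local' = (Format-Subnet $Juniper.RemoteNet $Juniper.RemoteMask),
                                         (Format-Subnet $Vigor.LocalNet $Vigor.LocalMask)
    }
    foreach ($name in $pairs.Keys) {
        $j, $v = $pairs[$name]
        [pscustomobject]@{ Setting = $name; Juniper = $j; Vigor = $v; Match = ("$j" -eq "$v") }
    }
}

$juniper = @{
    Mode = 'Main'; P1Encryption = 'AES256'; P1DhGroup = 14; P1Lifetime = 28800
    P1Hash = 'SHA1'; P2Hash = 'SHA1'        # assumed: the text does not state the Juniper hashes
    P2Encryption = 'AES256'; PfsGroup = 14; P2Lifetime = 3600
    LocalNet = '192.168.10.0'; LocalMask = '/24'
    RemoteNet = '192.168.11.0'; RemoteMask = '/24'
}
$vigor = @{
    Mode = 'Main'; Phase1Proposal = 'AES256_SHA1_G14'; Phase2Proposal = 'AES256_SHA1'
    P1Lifetime = 28800; P2Lifetime = 3600; Pfs = $true
    LocalNet = '192.168.11.0'; LocalMask = '255.255.255.0'
    RemoteNet = '192.168.10.0'; RemoteMask = '255.255.255.0'
}

Compare-VpnWorksheet -Juniper $juniper -Vigor $vigor | Format-Table -AutoSize
```

Any row with Match = False is a setting to correct on one side before looking further.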

Event ID: 16393 Publishing Failed for RDSH Collection - RemoteApp name: Collection name: Failure: Could not create a published application instance on the server

On our Windows 2012 R2 Remote Desktop Collection, we were receiving the following error:

Log Name: Microsoft-Rdms-UI/Admin
Source: Microsoft-Windows-Rdms-UI
Date: 
Event ID: 16393
Task Category: Publishing
Level: Error
Keywords:
User: domain\user
Computer: server.domain.suffix

Description: Publishing Failed for RDSH Collection - RemoteApp name: Sage 50 Report Designer Collection name: QuickSessionCollection Failure: Could not create a published application instance on the server server.domain.suffix.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Rdms-UI" Guid="{GUID}" />
<EventID>16393</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>30</Task>
<Opcode>0</Opcode>
<Keywords>0x2000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-19T07:26:59.337215000Z" />
<EventRecordID>7</EventRecordID>
<Correlation ActivityID="{ActivityID}" />
<Execution ProcessID="4996" ThreadID="5604" />
<Channel>Microsoft-Rdms-UI/Admin</Channel>
<Computer>Copland.sircles.net</Computer>
<Security UserID="UserID" />
</System>
<EventData>
<Data Name="arg1">RemoteApp name: Application Name Collection name: Collection Name Failure: Could not create a published application instance on the server server.domain.suffix.</Data>
</EventData>
</Event>

 

Our issue was expired certificates in the RD server set-up which were interfering with the system even though in IIS they were all up-to-date and the server was working fine.

So under server manager we went into the RD settings and then highlighted the deployment and under tasks chose 'edit deployment properties' and went to the certificates page:

Here we chose the new certificate, one-by-one, to replace the expired certificates:

And then applied each certificate replacement before attempting the next.

Once all the certificates were showing as status OK, we re-published the RemoteApp settings:

And the publish now succeeds:
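Because the certificates bound in IIS can be current while those assigned to the RD deployment roles have expired, it helps to check the deployment's own view of them. The following is an added example, not part of the original post: it classifies each role certificate by expiry. It assumes the objects carry Role, Level and ExpiresOn properties, as expected from Get-RDCertificate in the RemoteDesktop module; the function name, the sample rows and the broker hostname are constructed.

```powershell
# Added example: flag RD deployment certificates that are missing, expired or
# close to expiry. Confirm the property names on your server with
# Get-RDCertificate | Get-Member before relying on the output.
function Test-RDCertificateExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Certificate,
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    process {
        $expires = $Certificate.ExpiresOn
        $state = if ($null -eq $expires) { 'NotConfigured' }
                 elseif ($expires -le $Now) { 'Expired' }
                 elseif ($expires -le $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
                 else { 'OK' }
        $daysLeft = if ($null -eq $expires) { $null }
                    else { [int][math]::Floor(($expires - $Now).TotalDays) }
        [pscustomobject]@{
            Role      = $Certificate.Role
            Level     = $Certificate.Level
            ExpiresOn = $expires
            DaysLeft  = $daysLeft
            State     = $state
        }
    }
}

# Constructed sample rows shaped like the assumed Get-RDCertificate output.
$sample = @(
    [pscustomobject]@{ Role = 'RDGateway';    Level = 'Trusted';       ExpiresOn = [datetime]'2017-03-01' }
    [pscustomobject]@{ Role = 'RDWebAccess';  Level = 'Trusted';       ExpiresOn = [datetime]'2017-05-10' }
    [pscustomobject]@{ Role = 'RDRedirector'; Level = 'Trusted';       ExpiresOn = [datetime]'2019-04-01' }
    [pscustomobject]@{ Role = 'RDPublisher';  Level = 'NotConfigured'; ExpiresOn = $null }
)

# Evaluate the samples as of the date of the logged event.
$sample | Test-RDCertificateExpiry -Now ([datetime]'2017-04-19') | Format-Table -AutoSize

# On a live deployment (hostname is a placeholder):
# Get-RDCertificate -ConnectionBroker 'broker.example.test' |
#     Test-RDCertificateExpiry | Where-Object State -ne 'OK'
```

Run on a schedule, the same check gives warning before a role certificate lapses rather than after publishing fails.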

 

CRM 2016 for Outlook - Cannot display the folder Path does not exist Verify the path is correct


If you are seeing the following in CRM 2016 using Outlook 2016:

Then you should check the registry - this commonly occurs when the user has migrated or upgraded office and the system has used the incorrect 32 or 64 bit registry settings.

Start Registry Editor as your normal logon user - i.e. the one that you use for Outlook rather than an Admin user - and under HKEY_CURRENT_USER go to Software > Microsoft > MSCRM and have a look under these keys:

Make sure that the CRM_Client_InstallDir and InstallPath keys point to either program files (x86) or program files as befits your Microsoft Office install.

CRM_Client_InstallPath should be:    C:\Program Files (x86)\Microsoft Dynamics CRM\ or C:\Program Files\Microsoft Dynamics CRM\ for 32 and 64 bit respectively.

InstallPath should be:    C:\Program Files (x86)\Microsoft Dynamics CRM\Client\ or C:\Program Files\Microsoft Dynamics CRM\Client\ for 32 and 64 bit respectively

 

 

HP DL360 G7 Red Screen of Death Illegal OpCode


This is a fairly disturbing occurrence: just after a recommended update, or on the first reboot after an install, your server, instead of booting up, shows a bright red screen explaining that it feels it has done enough and will proceed no further. Not great news if you have a lot of users awaiting emails or database results, and even worse if you've never seen it before.

 

 

Well this error can be related to a few problems related to running various forms of Linux on SD card drives but it can also affect those of us just running plain old Windows Server on the inbuilt 410i RAID controller.

In essence the message means that it is unable to read the boot device and so has thrown an HP level issue instead of a standard Windows or BIOS error.

I have found this problem in connection with the following:

  • Installing using iLO3 with a network accessed ISO file and then rebooting for the first time
  • Installing a recommended update to the NICs that made the whole server BSOD and then reboot into this and so we had to fix the error to find out that the DB was intact
  • Updating BIOS for the motherboard that has somehow disabled the USB boot in the BIOS and so lost the SD card boot device (which I was using on that occasion)
  • Installed the Windows iLO3 drivers which then somehow told Windows, because there was an ISO listed in the ILO3 boot-up system, that Windows was not the boot device

In order to fix these issues you should:

  1. Update the iLO3 firmware as there is a fix in the latest versions (allegedly) but I have found this unreliable
  2. Disable the iLO if this fails at boot-up
  3. Change the boot order in BIOS so that your boot device is first and then:
  4. Boot from a Windows DVD and ensure you can see the boot volume and then use the inbuilt repair (this seems to be the best solution for Windows installs)

If all the above fails you can just try unplugging all the PSUs for ten minutes as this is a recommended solution from HP but only for the G8 servers. 

Good luck with a really distressing and fairly futile error screen.

WBAdmin snap-in failed to initialise


The other day we had an issue with the Windows Backup on a Windows 2012 R2 server that had previously backed up OK.

On start-up of the Windows Backup application we received a message saying that the windows backup wbadmin snap-in failed to start and that we should restart the service and retry the snap-in.

When we tried the command line we received a message saying that the command was not available on portable workstations.

After some looking around we found that a possible cause was that the registry had this entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

PortableOperatingSystem = 1

So we changed to 0 as the server would have been tricky to carry and then wbadmin stated that there were no jobs scheduled.

We then ran the following commands in order:

  1. Get-WBPolicy | Remove-WBPolicy
  2. Remove-WBBackupSet
  3. Remove-WBCatalog
  4. get-Service *wb* | Start-Service
  5. Restart Windows Server Backup

We then found that the backup record was destroyed but that the service could be run in the GUI once more.

Watching for new roothints and adware

OK, so you have your new computer and you are dying to get cracking on the Internet as your ISP has just made live your new broadband connection. Your computer was pre-installed and appears to have everything that you need including your bonus installation of Norton Antivirus or similar and free downloads for a year. You install your modem and are ready to go so let's go...

Antivirus Questions?

But maybe we should hold on a second. Norton Antivirus wins a lot of awards etc but then it would. It is manufactured by Symantec and they are definitely a leader in corporate antivirus technology and a good supplier to deal with on that level, but they will charge you for any support as a home user and charge you to update your signature files after your trial period. A better option is to lose the installed antivirus and get AVG Free Edition from Grisoft, which picks up as many viruses as any other home edition antivirus package. Grisoft's solution is available from http://free.grisoft.com/doc/1 and I would urge you to pay for the full edition if you are a business as the extra functionality is worth it. Avast and Antivir are also perfectly good examples and are also free. Whatever you do, make sure you have a suitable solution before just surfing unknown pages.

You should also equip yourself with a firewall. Surfing the internet without a firewall is leaving yourself open to attacks, so at the very least make sure you have either the Microsoft XPSP2 firewall or one of these free firewalls: Kerio, Sygate, ZoneAlarm.

ALSO: Keep Windows Updated! Many Windows updates are to close holes exploited by malicious programs and simply staying updated will keep a lot of infections off your system.

But what about Spy-ware?

What antispyware system should I use? Well first of all, a lot of decent antivirus solutions get spy-ware as well as ad-ware and viruses as they are all basically the same thing. They are all darn annoying and the primary reason new internet users run into trouble. Most of the anti-spy-ware solutions these days use all of the spy-ware and virus hassles to try and sell themselves - I have people calling me asking how to get spy-axe and spy-ware-killer OFF of their machines. These are not solutions being sold to enrich computer use, they are immature, trip-you-up pieces of software designed for a quick buck and some new users will be caught out. In my experience there is no anti-spy-ware solution - even the ones from Microsoft and the like - that catch most of the ad-ware and irritations that can be removed simply by going into Control Panel in Windows and removing everything you do not use or recognise.

If you are determined to use other means or have tried all of the above you can also run these on-line scans: Panda ActiveScan or Housecall Scan, although they require an ActiveX download which your firewall may object to.

The following examples are all free also, and can happily coexist on the same computer:
Free Anti-Spyware: MS Antispyware, AdAwareSE, SpybotSD, SpywareBlaster

It is important that your computer is run at minimum functionality. Windows is like a pen-knife - it can do almost anything you need it to - but if you are not hosting a website then make sure that the Web-Hosting features are uninstalled. You can do this in Control Panel under add/remove programs and then by clicking add/remove windows components on the left (Windows XP - the others are similar.) Every bit of unnecessary functionality can be used against you so try and run a tight ship. Make sure you have a reason to keep everything you see in this screen. If you don't use network printing then get rid of it. If you don't use Fax services then get rid of them. Every one you can dump frees memory and so decreases the work your computer is doing to swap out the page-file which equals more speed.

Once you have spy-ware/ad-ware or a virus infesting your system it will be taking you to an undesirable website or you will be getting pop-ups of some kind or whatever. Do not go running to the first advert you see. Your friends are the other people who have had the problem. Do a search on the Internet for a description of the symptoms and have a read of some articles that do not get money off of you for your custom. Forums and the like. There will be instructions. If you cannot get to a website other than the one to which you are unwittingly directed, go into control panel and add/remove programs, and get rid of anything with an incomplete name (I mean uninstall it by get rid of) or anything that you do not knowingly use. If you are unsure, then have a look in the documentation for the software name in question. Do not just uninstall everything you do not recognise, check the system again at each uninstall to see if the problem is cured so you know for sure which application was causing the problem.

Many viruses and the like kick-off their processes at boot up. There are many places in the Registry (a set of files that do a lot to tell Windows how it should behave) that these processes can give themselves shortcuts to start-up. If you go to the start button on your task bar and choose run and then type regedit into the box which appears, you will be presented with the registry editor. Beware!!!! The Registry is critical to Windows and if you mess about with it you can stop Windows booting up altogether so do not change anything without verifying the information from at least two sources!!! If you look at HKey_Local_Machine -> Software -> Microsoft -> Windows -> CurrentVersion -> Run and Runonce etc. you will see something like that below:

 

Many of the processes aggravating you or your computer are to be found here or other similar places in the Windows Registry. Note that in a lot of articles it is common to substitute HKLM for HKey_Local_Machine and that there are as many trouble causers as do-gooders so try and find a good source of information and verify it. Once you have found a source to be good more than a few times you can start to trust the information you find there.
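Rather than browsing each key by hand in regedit, the autostart entries can be listed read-only and checked against the files they point to. The following is an added example, not part of the original article: beyond the HKLM Run and RunOnce keys named above it also reads the per-user (HKCU) and 32-bit (Wow6432Node) equivalents. The function names are hypothetical and the review rules are a simple heuristic.

```powershell
# Added example, read-only: lists autostart entries and never edits the registry.
$RunKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($node in 'Software', 'Software\Wow6432Node') {
        foreach ($leaf in 'Run', 'RunOnce') {
            "$hive\$node\Microsoft\Windows\CurrentVersion\$leaf"
        }
    }
}

# Pull the program path out of a Run value such as: "C:\Dir\app.exe" /silent
function Get-CommandExecutable {
    param([string]$Command)
    $text = [Environment]::ExpandEnvironmentVariables("$Command").Trim()
    if ($text -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($text -match '^(.+?\.(?:exe|com|bat|cmd|scr|pif|dll|vbs|js|ps1))(?:\s|$)') { $exe = $Matches[1] }
    else { $exe = ($text -split '\s+')[0] }
    if ($exe -and $exe -notmatch '[\\/]') {
        # Bare names such as rundll32.exe are resolved through PATH.
        $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($found) { $exe = $found.Path }
    }
    return $exe
}

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $exe     = Get-CommandExecutable $command
            $exists  = [bool]$exe -and
                       (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)
            $sig = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $exe).Status }
                   else { 'n/a' }
            $why = @()
            if (-not $exists)         { $why += 'target missing or unresolved' }
            elseif ($sig -ne 'Valid') { $why += "signature $sig" }
            if ($exe -match '\\(Temp|AppData|Users\\Public)\\') {
                $why += 'runs from a user-writable folder'
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $command
                Executable = $exe; Signature = $sig; Review = $why -join '; '
            }
        }
    }
}

# Entries with something to review come first. A flag is a prompt to look the
# entry up, not proof of malware: plenty of legitimate software starts from AppData.
Get-AutorunEntry | Sort-Object { [string]::IsNullOrEmpty($_.Review) }, Key, Name |
    Format-List Key, Name, Command, Signature, Review
```

Saving the output after a clean install gives a baseline to compare against when new entries appear later.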

With issues like SpyAxe where the product repeats that you have a virus, remember a few things. If the product it is asking you to install is not already installed then how can the computer know it has a virus? 

Please feel free to submit any other spy-ware problems at http://forum.sircles.net for us to have a look at. If you wish to try an anti-spy-ware application to help clear up your PC, have a look at the anti-spy-ware review site for a decent opinion of which one works best as we prefer companies to be inspired to make a good product rather than just hard-selling via cheap viruses and ad-ware; if they keep trying to hard-sell you things, tell us, and we will find a better link.

Windows Boot Recovery

10. January 2017 08:49 by sirclesadmin in Microsoft Windows, Troubleshooting
Windows 7 uses the Boot Configuration Data (BCD) which is a firmware-independent registry style collection of files for boot-time configuration data. It replaces the boot.ini that was used by NTLDR, and is used by Microsoft's new Windows Boot Manager which replaces NTLDR itself.

Boot Configuration Data is stored in a data file (formatted in the same way as a Windows registry hive) that is located either on the EFI System Partition (on machines that use Extensible Firmware Interface firmware which is an Operating System aware replacement for BIOS and communicates with the OS for things like MBR and ACPI) or in \Boot\Bcd on the system volume (on machines that use IBM PC style firmware).

Boot Configuration Data may be altered using a command-line tool (bcdedit.exe), by using WMI (Windows Management Instrumentation), or with third-party tools such as EasyBCD, which allows for advanced configuration and support for non-Windows operating systems.

Boot Configuration Data contains the menu presented by the Windows Boot Manager, just as boot.ini contained the menu entries presented by NTLDR.

To troubleshoot startup problems by using Windows RE, first try the Startup Repair option in the System Recovery Options dialogue box. If the Startup Repair option does not resolve the issue, or if you must troubleshoot manually, use the Bootrec.exe tool as described below.

The Bootrec.exe tool is the boot recovery tool in the Windows Recovery Environment (Windows RE) and is useful when trying to troubleshoot and repair the following in Windows Vista:

  • A master boot record (MBR)
  • A boot sector
  • A Boot Configuration Data (BCD) store

When you run the Bootrec.exe tool, you must start Windows RE like so:

  • Put the Windows Vista installation disc in the disc drive, and then reboot the computer.
  • Press a key when you are prompted by the DVD
  • Select the relevant language, time, currency and keyboard
  • Click Next
  • Click Repair your computer.
  • Click the operating system that you want to repair,
  • Click Next.
  • In the System Recovery Options dialog box, click Command Prompt.
  • Type Bootrec.exe, and then press ENTER.

NB: To start the computer from the Windows Vista DVD, you must configure the computer to start from the DVD drive in the BIOS.

Bootrec.exe optional switches:

/FixMbr
The /FixMbr option writes a Windows Vista-compatible Master Boot Record to the system partition. This option does not overwrite the existing partition table. This option is for when you must resolve MBR corruption issues, or when you have to remove non-standard code from the MBR.

/FixBoot
The /FixBoot option writes a new boot sector to the system partition by using a boot sector that is compatible with Windows Vista. Use this option if one of the following conditions is true:

  • The boot sector has been replaced with a non-standard Windows Vista boot sector.
  • The boot sector is damaged.
  • An earlier Windows operating system has been installed after Windows Vista was installed. In this scenario, the computer starts by using Windows NT Loader (NTLDR) instead of Windows Boot Manager (Bootmgr.exe).

/ScanOs
The /ScanOs option scans all disks for installations that are compatible with Windows Vista. Additionally, this option displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista installations that the Boot Manager menu does not list.

/RebuildBcd
The /RebuildBcd option scans all disks for installations that are compatible with Windows Vista. Additionally, this option lets you select the installations that you want to add to the BCD store. Use this option when you must completely rebuild the BCD. If rebuilding does not resolve the issue, you can export and delete and then run this option again. By doing this, you make sure that the BCD is completely rebuilt. To do this, type the following:

bcdedit /export C:\BCD_Backup
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.old
bootrec /RebuildBcd

Windows 2003/XP/2000

Windows versions before Vista and Windows 7 did not use the BCD and the Windows Boot Loader. Instead they relied on NTLDR and boot.ini.

Windows 2008 R2 Restore using Windows Backup error (0x80042408)


Whilst restoring (transferring) a Windows 2008 R2 machine using the built-in Windows Backup software we ran into a few problems:

The original machine was a PC server with some dynamic disks as the system did not have RAID support for all drives.

The system disk was 111 GB

The data disk was 465 GB

The log file disk was 69 GB

We were restoring to a SUN X4150 with:

131GB system disk

514 GB Data disk

131 GB log file disk

The error we were getting was that the disks were too few or too small ????

0x80042408 We have never understood why it thought that there were not enough disks but...

We used the workaround with the wbadmin command line:

wbadmin get versions -backuptarget:<Target:>

This is to interrogate the media for the backup sets that are present on the target drive.

wbadmin get items -version:<versionid> -backuptarget:<Target:>

Then this command shows the volumes and applications contained within the backup set on that drive or device.

wbadmin start recovery -version:<versionid> -backuptarget:<Target:> -itemType:Volume -items:C: -recoverytarget:D:

Where Target: is the target drive letter. This command performs the restore. Here we are only restoring the system drive, as the applications and services relying on the data contained on other disks could be restored simply by robocopying the data back onto those data disks and then correcting the drive letters afterwards whereupon the services could be started.

After completing the above, the system was then still missing some boot files.

We then repaired using a Windows 2008 R2 / 7 x64 automatic repair and the system started to boot but obviously BSOD'd itself from lack of drivers for the new storage devices.

The Windows DVD could not repair any further and so we therefore had to add the storage device drivers manually using:

DISM /image:C:\ /add-driver /driver:G:\ /recurse
(C is my OS partition and G is the DVD drive where the driver DVD is inserted.)

This added the files from the X4150 drivers\storagetek\windows\2008\ and drivers\storagetek\windows\2008\amd64\ 

The system then booted OK but the drive letters had changed. After re-assigning the drive letters the system appeared to be back to normal.

Just for anyone still having difficulty, sometimes we are unable to run the repair from the DVD until we have repaired the bootcfg folder using bootrec /rebuildbcd after which we can run the DVD repair and start Windows successfully which on 7/2008 R2 or later will then install the required drivers to boot from there.

If you still have BSOD difficulties then use the DISM command above to add necessary drivers.