Time Domain Reflectometer (TDR) for Network Professionals

As a network engineer/administrator, you will encounter cabling problems between patch panel and host, patch panel and switch, or switch and switch.

In these scenarios, you can determine whether the issue lies in the switch or in the physical layer (Layer 1) before contacting the cabling contractor.

To do so, you can use the commands below.

show interface
show interface counters
show interface counters errors

Moreover, you can also find cabling issues with another testing method: the Time Domain Reflectometer.

To test this on a Cisco switch, use the commands below.

test cable tdr interface port number

show cable-diagnostics tdr interface port number

The sample pictures below show how to use it.





If you are testing FastEthernet, the Pair A and Pair B results must be Normal.
If you are testing GigabitEthernet, all pairs must be Normal.

For any other result, you need to find the distance at which the cable becomes faulty.

The approximate cable fault distance is shown in the result.

Yes, I believe you know the basics of TDR now.

This feature is included not only on Cisco switches; you can also find it on switches from other brands such as Juniper, HP and Dell.

If you want to know more about this in detail, please read the link below.
https://supportforums.cisco.com/document/74231/how-use-time-domain-reflectometer-tdr 

Have a good time.
(Be knowledgeable, pass it on then)

Deploying Legal Notice Logon Banner in Domain Computers

For audit purposes or as standard organization policy, we need to deploy a legal notice logon banner (a usage warning shown at logon) on domain computers.

To do it automatically, we can use a logon script or Group Policy.

Since Group Policy is easy to manage, I'd like to show you how to do it that way.

Open the Group Policy Management Console, go to Group Policy Objects, right-click it and select New to create a new GPO as below. (You can create and link the GPO directly on the OU where you wish to deploy it, but I created it separately to show the steps clearly.)


Right-click the newly created GPO and select Edit to make changes.


Go to Computer Configuration>Windows Settings>Security Settings>Security Options> and find Interactive logon: Message text for users ... . Enable it and define the message that you wish to show as the logon message.



Find Interactive logon: Message title for users attempting... and define the message title for your logon message.


After that, link the newly created GPO to the OU where you wish to display the logon banner.



If you want your GPO to apply immediately, force a Group Policy update from the command line; otherwise wait for the policy to refresh automatically on the default timer.
Below is the sample logon banner message.
I used Windows Server 2008 R2 Standard for this demonstration.


Have a good time.
(Be knowledgeable, pass it on then)

Upgrading the Cisco Switch IOS

Depending on business needs, as a Network Administrator/Engineer you will need to upgrade the OS of the network devices in your infrastructure.

I’d like to share my experience of upgrading Cisco IOS with beginners and with those who haven’t done this yet.

Before starting the task, you should know and prepare the following.

- You must have the correct IOS license for your devices.
- You must have a backup of the current running configuration and IOS.
- You must have a local/remote TFTP/FTP/SFTP server to keep the backup files and the new IOS.
- You should prepare a pre-configured device of the same model if you have one, so you can swap it in if something goes wrong with your task.
- The upgrade should be done in a maintenance window. You shouldn’t do it outside one, however much hands-on experience you have.
- You should read Cisco's tech notes about bugs in your new IOS before upgrading. Then you will know what needs to be done if an unexpected issue occurs.
- Be sure of the role and function of your device.

Let’s start the task once you have prepared the items above.

In this example, I’ll upgrade the IOS of a Cisco Catalyst 3560 PoE switch because SSH needs to be enabled on it and the current IOS does not support SSH, as it is not a crypto image. A crypto image includes crypto and K9 in the file name.

Let’s begin.

- Check the IOS version of the switch. Take a look at the photo and note the DRAM and flash capacity in the red highlighted area.

   "show version"

- Now, let’s check the flash memory space. You would need to delete the old IOS if there is not enough free space to copy the new IOS. Note the red highlighted area. In this example, the free space is enough.

 "show flash"


- Log in with your Cisco ID and password at the Cisco Software Download webpage.

  Find the correct IOS for your switch model. As shown in the picture, download the IOS that matches your needs. (Make sure it matches your subscribed license feature and your DRAM/flash specification.) Note the IOS file size and MD5 hash value too, to re-check once it is loaded on the switch.



- Copy the downloaded IOS to the TFTP/FTP/SFTP server. In my example, I used a TFTP server.
- Console in to the switch and copy the IOS from the TFTP server to the flash memory of the switch.

   "copy tftp flash"



- Once the copy has finished, check the MD5 hash value as below to ensure your IOS file wasn’t corrupted in the process.

  "verify /md5 flash: put new ios image file name with file extension here"



- If the MD5 hash value is correct, change the boot path of the switch from the old IOS to the new IOS as below.

  "boot system flash: put new ios image file name with file extension here"


- After that, copy the running configuration to the startup configuration as below.

  "copy running-config startup-config" or "write memory" or "write"

- Then reload the switch. Your switch should work as expected without any issue if the upgrade completed successfully.

- In this post, I didn’t go into detail about IOS licensing, clearing flash memory space, checking the boot path from the zip file in flash, or setting up the TFTP server. I’ll write about those if I’ve got time.
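
The size and MD5 checks from the steps above can be scripted on the machine that stages the image and run again against the switch's console output. This is an added example, not part of the original post; the file name and image contents are constructed, and the layout of the "verify /md5" result line is an assumption.

```python
import hashlib
import os
import re
import tempfile


def file_md5(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so a large image is not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path, expected_size, expected_md5):
    """Compare the staged image with the size and MD5 noted from the download page."""
    problems = []
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        problems.append(f"size {actual_size} != expected {expected_size}")
    actual_md5 = file_md5(path)
    if actual_md5 != expected_md5.strip().lower():
        problems.append(f"md5 {actual_md5} != expected {expected_md5}")
    return problems


# Assumed result line: "verify /md5 (flash:<file>) = <32 hex digits>"
VERIFY_LINE = re.compile(r"verify /md5 \((?P<file>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})")


def check_switch_output(console_text, image_name, expected_md5):
    """True only if the switch reported the noted hash for image_name."""
    for match in VERIFY_LINE.finditer(console_text):
        if match.group("file").endswith(image_name):
            return match.group("md5").lower() == expected_md5.strip().lower()
    return False  # no result line for this image: treat as not verified


def demo():
    # Constructed stand-in for an IOS image and the values noted at download time.
    payload = b"constructed stand-in for an IOS image\n" * 1000
    noted_md5 = hashlib.md5(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-image.bin")
        with open(path, "wb") as fh:
            fh.write(payload)
        good = check_download(path, len(payload), noted_md5)
        with open(path, "wb") as fh:
            fh.write(payload[:-10])  # simulate a truncated transfer
        bad = check_download(path, len(payload), noted_md5)
    console = f"....Done!\nverify /md5 (flash:example-image.bin) = {noted_md5}\n"
    on_switch = check_switch_output(console, "example-image.bin", noted_md5)
    return good, bad, on_switch


if __name__ == "__main__":
    print(demo())
```
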

If you want to know how to choose the correct IOS, please read about it here. http://www.ictformyanmar.com/2014/03/what-is-different-ip-base-and-ip.html

Although this post demonstrates the task on a switch, you can use it as a reference for router and firewall IOS upgrades too.
But depending on the role of the device, the steps can be a bit different and more complex because you will need some requirements and pre-arrangement.

I’ll write in more detail about routers and firewalls if I get a chance.

Have a good time.

(Be knowledgeable, pass it on then)



Solving "WSUS administration console was unable to connect to the WSUS Server via the remote API" error

Today, I got the error below when I tried to connect to my WSUS Server via the WSUS Console.



The logs below are displayed in the Event Log too.

The WSUS administration console was unable to connect to the WSUS Server via the remote API. 

Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.
The WSUS administration console was unable to connect to the WSUS Server via the remote API.
Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.
System.Net.Sockets.SocketException -- No connection could be made because the target machine actively refused it 172.16.99.98:80
Source
System
Stack Trace:
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
** this exception was nested inside of the following exception **

System.Net.WebException -- Unable to connect to the remote server
Source
Microsoft.UpdateServices.Administration
Stack Trace:
   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
   at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
   at Microsoft.UpdateServices.UI.AdminApiAccess.AdminApiTools.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.GetUpdateServer(PersistedServerSettings settings)
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServer()
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ConnectToServerAndPopulateNode(Boolean connectingServerToConsole)
   at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.OnExpandFromLoad(SyncStatus status)

Time to investigate why.

As mentioned in the log, I restarted the Update Services service, IIS and the SQL service. Then I tried to connect again and the same error still popped up.

Second, I tested from another server whether port 80 of the WSUS Server was open by using Telnet WSUS Server Name/IP 80.
Port 80 was not open. So I was pretty sure the Default Web Site of WSUS had been stopped for some reason.

Just go to IIS Manager and start the Default Web Site. After that, I tried connecting the WSUS Console again and it worked.




Actually, the error came about because of me. The day before, I had tested the WhatsUp Gold network monitoring application by installing it, and it uses IIS and SQL. I uninstalled it after testing and didn't check WSUS at that time.

The root cause is uninstalling WhatsUp Gold without checking properly.

So if you get this kind of error, do not forget to check the steps above that I used to bring WSUS up again. :P

My Server is Windows Server 2008 R2 SP2 and WSUS is 3.0 SP2.

May you all be happy.
(Be knowledgeable, pass it on then)

Putty Command Line Error - unknown option "-wt" in GNS3

You will receive the "Putty Command Line Error" shown below if you are using GNS3 and later version.



To overcome this error, download the Putty.exe provided at the link below.

After that, overwrite your pre-installed Putty.exe with it.

Download Putty for GNS3

Once you have downloaded and overwritten Putty.exe, you can try to console into a Router/Switch/Firewall in GNS3.

If you want to know more about this, read the details at http://forum.gns3.net/topic5016.html

May you all be happy.
(Be knowledgeable, pass it on then)

Finding Server Model and Serial Number in Linux remotely

Sometimes you might need the server model name and serial number for documentation, audit or warranty lookup purposes.

It's easy to extract on a Windows server.

But for Linux, I believe it will be a bit of work if you are not familiar with Linux.

I just want to share how to do it for those who are not familiar with Linux.

Log in to the Linux server whose model and serial number you need to extract.

Key in the command below as "root".

"dmidecode -t 1"

You might need to install the dmidecode package if it is not pre-installed on your Linux or the version is older.

To install it, key in the command below first.

"sudo yum install dmidecode"

The sample results below were taken on Red Hat and Debian for your reference on command usage and output.
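
For documentation or audit use, the "dmidecode -t 1" output can be turned into an inventory record; the parser below is an added example, not part of the original post. The sample output and its values are constructed, and the list of placeholder strings (values some vendors and virtual machines report instead of a real serial number) is an assumption you should extend for your own hardware.

```python
# Constructed sample of "dmidecode -t 1" output; every value is made up.
SAMPLE = """\
# dmidecode 2.12
SMBIOS 2.7 present.

Handle 0x0100, DMI type 1, 27 bytes
System Information
\tManufacturer: Example Corp.
\tProduct Name: ExampleServer X100
\tVersion: Not Specified
\tSerial Number: EXAMPLE1234
\tUUID: 00000000-0000-0000-0000-000000000000
\tWake-up Type: Power Switch
\tSKU Number: Not Specified
\tFamily: Not Specified
"""

# Assumed list of values that mean "the firmware holds no real data here".
PLACEHOLDERS = {"", "none", "not specified", "default string", "to be filled by o.e.m."}


def parse_system_information(text):
    """Return the key/value pairs of the 'System Information' section."""
    fields = {}
    in_section = False
    for line in text.splitlines():
        if line.strip() == "System Information":
            in_section = True
            continue
        if in_section:
            if not line.startswith(("\t", " ")):
                break  # the indented block has ended
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields


def inventory_record(hostname, text):
    """Build one inventory row and flag hosts whose model or serial is a placeholder."""
    info = parse_system_information(text)

    def clean(name):
        value = info.get(name, "")
        return None if value.lower() in PLACEHOLDERS else value

    record = {
        "host": hostname,
        "manufacturer": clean("Manufacturer"),
        "model": clean("Product Name"),
        "serial": clean("Serial Number"),
    }
    record["needs_manual_check"] = record["model"] is None or record["serial"] is None
    return record


if __name__ == "__main__":
    print(inventory_record("srv01", SAMPLE))
```
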




May you all be happy.
(Be knowledgeable, pass it on then)

7z Cracker, useful tool

I like the 7zip application very much among the many zip applications because it is easy to use, supports many zip file formats and is handy.

Sometimes I need to zip some important files and protect them with a password using 7zip.

One day, I forgot the password to unlock one of my important files.

Then I looked for an application to unlock it and found 7z Cracker to be the best.

It's really useful for cracking your password-protected files within a few seconds, even if you set a complex password.

If you would like to try it, or urgently need to unlock your password-protected files, you can download it from the link below.

http://sourceforge.net/projects/sevenzcracker/

But you also need to download the 7za application for 7z Cracker to work. Your pre-installed 7z application will not work for this, so download it from the link below.

http://sourceforge.net/projects/sevenzip/?source=typ_redirect

For "How to use", refer to the Read Me file included inside the 7z Cracker application you downloaded.


But please note this is for educational and personal use only.

Using this for illegal purposes is at your own risk.


May you all be happy.
(Be knowledgeable, pass it on then)

How to check the vpn user list and session in Cisco ASA 5520?

You've deployed a Cisco ASA firewall and set up the local AAA server to create user accounts for IPsec VPN usage.
As a network administrator, you are responsible for checking and monitoring the list of VPN users and active sessions for security and audit purposes.

You can use the ASDM GUI to do such a task but it's handy to do.
So, it is better to use the CLI for that.
Below are some useful commands to check the user list and active VPN user sessions.

To check the user list, use the commands below.

- show run | grep username
- show aaa local user



To check the active VPN user list and sessions, use the commands below.

- show vpn-sessiondb remote | grep Username (The result of this command shows how many users are active.)
- show vpn-sessiondb remote filter name username (This filter command shows the session details of a VPN user when you put the active VPN username in place of "username".)




Yes. That's all.

Here I showed this with a Cisco ASA 5520 running software version 8.2 (5).
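
One way to turn the output of the commands above into an audit check (added example, not part of the original post): it lists sessions whose username is not in the local user list, users connected from more than one public IP, and local accounts with no session. The sample output is constructed and its layout is assumed, so adjust the patterns to what your ASA version prints.

```python
import re
from collections import defaultdict

# Constructed sample of "show run | grep username"; the hashes are placeholders.
LOCAL_USERS = """\
username alice password PLACEHOLDER1 encrypted privilege 0
username bob password PLACEHOLDER2 encrypted privilege 0
username netadmin password PLACEHOLDER3 encrypted privilege 15
"""

# Constructed sample of "show vpn-sessiondb remote"; the layout is assumed.
SESSIONS = """\
Session Type: IPsec

Username     : alice                  Index        : 11
Assigned IP  : 192.168.50.10          Public IP    : 198.51.100.23
Login Time   : 09:12:44 UTC Mon Nov 3 2014

Username     : alice                  Index        : 14
Assigned IP  : 192.168.50.11          Public IP    : 203.0.113.80
Login Time   : 09:40:02 UTC Mon Nov 3 2014

Username     : tempuser               Index        : 15
Assigned IP  : 192.168.50.12          Public IP    : 198.51.100.77
Login Time   : 09:51:30 UTC Mon Nov 3 2014
"""

FIELDS = {
    "username": r"^Username\s*:\s*(\S+)",
    "assigned_ip": r"Assigned IP\s*:\s*(\S+)",
    "public_ip": r"Public IP\s*:\s*(\S+)",
    "login_time": r"^Login Time\s*:\s*(.+?)\s*$",
}


def parse_local_users(text):
    """Usernames defined in the local AAA database."""
    return set(re.findall(r"^username\s+(\S+)", text, re.MULTILINE))


def parse_sessions(text):
    """One dict per session; a session block starts at a 'Username' line."""
    sessions = []
    for block in re.split(r"(?m)^(?=Username\s*:)", text):
        if not block.startswith("Username"):
            continue  # header such as 'Session Type: IPsec'
        record = {}
        for key, pattern in FIELDS.items():
            found = re.search(pattern, block, re.MULTILINE)
            record[key] = found.group(1) if found else None
        sessions.append(record)
    return sessions


def audit(local_users, sessions):
    """Compare active sessions with the local user list."""
    ips_by_user = defaultdict(set)
    for session in sessions:
        ips_by_user[session["username"]].add(session["public_ip"])
    return {
        "unknown": sorted(u for u in ips_by_user if u not in local_users),
        "multi_ip": {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > 1},
        "no_session": sorted(local_users - set(ips_by_user)),
    }


if __name__ == "__main__":
    print(audit(parse_local_users(LOCAL_USERS), parse_sessions(SESSIONS)))
```
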


May you all be happy.
(Be knowledgeable, pass it on then)


Solving "The name of the security certificate is invalid" error

We purchase an SSL certificate to secure Outlook Web Access with Exchange Server.

We use the external domain URL for OWA when we purchase the SSL certificate.

But an issue can arise when the Internal URL and External URL of your Exchange Server are different.

The issue is that the user gets a security alert pop-up every time he/she opens the Outlook client.



To get rid of this issue, we need to change the Internal URL of OWA on the server.

Let's start.

First, run the Exchange Management Powershell as Administrator.

Use the "Get-ClientAccessServer | FL" command to collect the existing configuration so you can revert if something goes wrong.



Next, use the "Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.ictformyanmar.com/autodiscover/autodiscover.xml" command and change the URL accordingly.

Only the highlighted text needs to be changed to your own values.

After that, go to Exchange IIS Manager and select Application Pools. Then right-click MSExchangeAutodiscoverAppPool and click Recycle.



Fine. We are done!

You can re-check with the Get-ClientAccessServer | FL command to confirm the changed URL.

If everything is fine, just close and reopen the Outlook client on the user's PC and you won't see any security pop-up regarding the certificate.

I use only the ClientAccess service on my server. If you use WebServicesVirtualDirectory, OABVirtualDirectory and UMVirtualDirectory, you also need to change the URL for these too.

My server is Microsoft Exchange Server 2007. The Powershell commands differ depending on the server version, so do not forget to refer to the Microsoft Powershell Technet website.


May you all be happy.
(Be knowledgeable, pass it on then)

Singapore ISP broadband service will get 2Gbps in early 2015

Singapore Local Internet Service Provider, ViewQwest, announces its new 2Gbps fiber broadband service to be made commercially available in early-2015, offering the fastest residential internet connection in Singapore.

In a statement released Wednesday, the local internet service provider (ISP) said the 2Gbps service will be tested among a group of selected customers until year-end, before it is made commercially available in early-2015.

This new service will also be on demo at the Sitex exhibition show to be held from November 27 to 30, the company said.

For further details about this service from ViewQwest, please read at ZDNET.

Source : http://www.zdnet.com/sg/singapore-isp-unveils-2gbps-fiber-broadband-service-7000035717/?s_cid=e539&ttag=e539&ftag=TRE17cfd61


May you all be happy.
(Be knowledgeable, pass it on then)

Link Aggregating with Synology NAS and Cisco Switch

I’d like to share how to set up link aggregation between a Synology NAS and a Cisco switch.

I’ve got one Synology NAS with 4 network ports and I’m going to use 2 of them.
Both network ports are to act as one logical link with fault tolerance and load balancing.

To do that, I need to configure link aggregation on the Synology NAS and EtherChannel with LACP on the Cisco switch.

Below are the brief steps to meet my requirements.


- Connect the Synology NAS and the Cisco switch as shown in the picture.
- Bond two network ports of the Synology NAS and assign an IP address.
- Configure EtherChannel with LACP on the Cisco switch and add two physical ports as members.



OK. Let’s begin from Synology NAS.
- Log in to the Synology and go to Control Panel>Network>Create>Create Bond



- Select IEEE 802.3ad to get the fault tolerance and load balancing feature (if your switch does not support 802.3ad, you can select only the fault-tolerance-only feature). After that click “Next”.


- Choose the network ports for bonding and click Next.
- Assign the IP address. Click Apply and wait for the setting to be applied.



Let’s configure the Cisco switch now.
- I will use GigabitEthernet 3 and 4 for link aggregation as members of the group.
- Take a look at the picture below for the commands to configure EtherChannel with LACP. (The hostname and port numbers may be a bit different when you configure your switch, but all the commands are the same.)


- You can re-check whether your EtherChannel is correct and working as shown in the photo below.



You can see the network port bonding status on the Synology NAS, as in the picture below, after you configure EtherChannel on your switch.



If you want to make sure your configuration is working, just shut down either port on the Cisco switch or unplug one of the network cables on either the Synology NAS or the Cisco switch port.
If everything is correct, the link between the Synology NAS and the Cisco switch should not disconnect even when one link is down. The connection between the Synology and the Cisco switch will fail only if both network connections fail.

Well… I believe you now have an idea of how to aggregate links between a Synology NAS and a Cisco switch.

I use Synology Model RS2414rp+ with Firmware DSM 5.0-4493 and
Cisco WS-C2960G with IOS version 15.0 for this demonstration.

May you all be happy.
(Be knowledgeable, pass it on then)


Enabling Service for New Internal Transport Certificate for Exchange Hub Transport


After you restore your Exchange Hub Transport Server operating system from a failure, or revert your Exchange Hub Transport Server virtual machine to a previous snapshot, you will see the error below in your server event log.

We can solve this error in the way below.




- Generate a new certificate, assign it the services that were previously assigned to the old certificate, and enable it for use.

Kindly take a look at how to generate a new certificate at this link (http://en.ictformyanmar.com/2014/10/replacing-expired-internal-transport.html).

Once you have generated the new certificate, use the Powershell command shown below and enable the service that you need.

Enable-ExchangeCertificate -Services "SMTP" -Thumbprint "New Certificate Thumbprint Here"

You will be asked to overwrite the existing default SMTP setting; just answer "Yes".


Well...we are done.


May you all be happy.
(Be knowledgeable, pass it on then)

Replacing expired internal transport certificate in Microsoft Exchange Hub Transport Server with new certificate

As a busy system administrator, you could overlook event logs like the ones below.

You need to renew the expired internal transport certificate when you see these event logs.


It's easy.

First you need to check the certificate details with the Powershell command below.

Get-ExchangeCertificate | fl

Then you know which certificate is expired and what its services and thumbprint are.




Once you know all the details, note/copy its thumbprint and replace it with a new certificate by using the Powershell command below.

Get-ExchangeCertificate -Thumbprint "Invalid Certificate Thumbprint Here" | New-ExchangeCertificate

Powershell will prompt you to overwrite the existing certificate. Just type "Y" or "Yes" or hit "Enter".



Now you have replaced the out-of-date internal transport certificate.

The next step is to remove the invalid/out-of-date certificate.

Use the Powershell command below to remove it.

Remove-ExchangeCertificate -ThumbPrint "old-thumbprint-here"



Yes. You have replaced the old certificate with a new certificate and removed the invalid certificates from your server.

May you all be happy.
(Be knowledgeable, pass it on then)