Monday, May 3, 2021

Cisco Broke my Mail Server

The Rant 

I don't usually write about networking, but I'm having to do a bit more of it lately. Today we found that a new Cisco Firepower ASA broke our e-mail servers.

The Problem

SMTP mail queues are backing up. Mail is not transferring. Now this isn't the internal, within-the-domain mail. This is going to another domain in the org. Still managed, sort of, by us, but separate. Complaints about non-delivery receipts start coming in.

You go to the Exchange Management Console, go to tools, click Queue Viewer and yup. A bunch of e-mail in the queue. This isn't dial-up days, mail shouldn't be in there unless they have bypassed your great e-mail attachment rule that limits sending Windows ISO images via e-mail. (thank you Jim!!) So you start to look around to see what is causing it.

Normal Problem

Usually this is caused by McAfee AV 8.8 and the Block Mass Mailing Worm rule. Enabled by default and applied by lazy busy admins to Exchange Servers. This is the main cause of intra-domain e-mail backups. In McAfee Endpoint Manager there is a rule that you CAN enable, but is not enabled by default.

The Other Problem

OK, so to figure out if this is your problem, telnet to both Exchange servers. (OK, I was stupid, so I'll put this in here. If you run putty, make sure to change the radio button to telnet because SSH will NOT work.) When you telnet in, you will get one of two things:

220 ************************************************************


220 SVR-LAB-EXC-01, Microsoft <blah blah blah>

The ***s are wrong. That is coming from the firewall. You need to remove the SMTP block on there. A Google search will turn up a "fixup protocol smtp 25" command. That's what broke it and seems to be in there by default, but doing a "no fixup protocol smtp 25" just doesn't work like other Cisco commands should. This should work to remove the ESMTP inspection:

# policy-map global_policy

# class inspection_default

# no inspect esmtp
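
The telnet check above can be scripted so both Exchange servers are tested the same way, before and after the firewall change. This PowerShell is an added example, not part of the original post; the function names and the second host name are assumptions made for illustration.

```powershell
# Added example: classify the SMTP greeting each server returns on port 25.
function Get-SmtpBannerState {
    param([string]$Banner)
    # Only '*' after the 220 code is the masked greeting shown above.
    if ($Banner -match '^220[ -]\*+\s*$') { return 'Masked' }
    if ($Banner -match '^220[ -]\S')      { return 'Clear' }
    return 'Unexpected'
}

function Test-SmtpBanner {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Port = 25,
        [int]$TimeoutMs = 5000
    )
    foreach ($server in $ComputerName) {
        $client = New-Object System.Net.Sockets.TcpClient
        $banner = $null
        try {
            # Bounded connect so an unreachable host does not hang the loop.
            if (-not $client.ConnectAsync($server, $Port).Wait($TimeoutMs)) {
                throw "connect timed out after $TimeoutMs ms"
            }
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
            $banner = $reader.ReadLine()      # first line of the 220 greeting
            $state  = Get-SmtpBannerState -Banner $banner
        } catch {
            $state = "Error: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Server = $server; State = $state; Banner = $banner }
    }
}

# Constructed sample banners, modelled on the two responses shown above.
'220 ************************************************************',
'220 SVR-LAB-EXC-01, Microsoft ESMTP (constructed sample)' |
    ForEach-Object { '{0,-8} {1}' -f (Get-SmtpBannerState -Banner $_), $_ }

# Live check (the second host name is a placeholder):
# Test-SmtpBanner -ComputerName 'SVR-LAB-EXC-01', 'SVR-LAB-EXC-02'
```

A server that reports `Masked` still has the firewall rewriting its greeting; once the inspection is removed, it should report `Clear`.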

Be happy today!!

VMWare PowerShell Module Problems


Can't update the PowerShell Modules for VMware. You did it a year or more ago because you use VMware PowerShell Modules offline on an airgapped system. You remember doing it, but can't recall the sequence of events. Typical.


Now you recall, you try to use the:
Install-Module -Name VMware.PowerCLI
But you get an error. And the Error dialog says, Do you want to load the new version of NuGet, and of course you say yes, cause, "do it for me" is easiest. But it doesn't work.
WARNING: Unable to download from URI '' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. 
The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\\PSModule.psm1:7405 char:21
+ ...     $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageP 
   rovider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. 
Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\\PSModule.psm1:7411 char:21
+ ...     $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
You try an administrator shell if you didn't have that already, but still NO.
OK, now here is what the problem is. The last time you ran this, TLS 1.0 and SSL 3.0 were great!! But now they suck and you are still using them. Want to prove it? Type:
and you get tls, ssl3 and Pppptthhrrrr. You lose.

OK, so let's add the new TLS 1.1 and 1.2

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
and then
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
You get tls, tls11, tls12 - You'll be happy now. Go back and try your module update, import module, etc. and NuGet will load. 
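
To confirm that both registry values are in place and see what the current session will negotiate, this added example (not from the original post) reads the two keys and the .NET `ServicePointManager` setting. The function names are illustrative; the registry values are picked up when a process starts, so run it in a new PowerShell window after making the change.

```powershell
# Added example: report the .NET strong-crypto flag in both registry views
# and the protocols this PowerShell session will offer.
function Get-StrongCryptoState {
    $paths = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
    foreach ($path in $paths) {
        $item = $null
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
        }
        $value = $item.SchUseStrongCrypto     # $null when the value is absent
        [pscustomobject]@{
            Path               = $path
            SchUseStrongCrypto = if ($null -eq $value) { 'not set' } else { $value }
        }
    }
}

function Get-SessionTlsState {
    $current = [int][Net.ServicePointManager]::SecurityProtocol
    $tls12   = [int][Net.SecurityProtocolType]::Tls12
    if ($current -eq 0)                 { return 'SystemDefault' }  # OS policy decides
    if (($current -band $tls12) -ne 0)  { return 'Tls12Enabled' }
    return 'LegacyOnly'
}

Get-StrongCryptoState | Format-Table -AutoSize
"Session protocols: $([Net.ServicePointManager]::SecurityProtocol) ($(Get-SessionTlsState))"

if ((Get-SessionTlsState) -eq 'LegacyOnly') {
    # Session-only opt-in for this window; it does not touch the registry.
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    "After opt-in: $([Net.ServicePointManager]::SecurityProtocol)"
}
```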

Wednesday, November 27, 2019

Failure to Mount ISO on Windows Server 2016 and 2019


You have an ISO on a share in your network. You have mapped a drive to the share because, well, that's the right way to do it. And the users are happy about it, the service operations people can get to their stuff easily and the Admins have a share with all of the daily use tools.
Now, that library just happens to have a bunch of ISO files. You want to use one of them to install software, modify boot/install disks, etc. The easy button since Win 8 is the right click and Mount command. Easy peasy lemon squeezy. You get what looks like a CD Drive and you can browse the files.


Now, try that on a server with at least minimal security. Not happening.
  1. The right click Mount option is there, so the default application is Windows Explorer or File Explorer depending on your version.
  2. If you directly address the file as in \\file-01\share\mygreat.iso it will work
  3. If you map a drive "net use z: \\file-01\share" and try z:\mygreat.iso it will NOT work. It will tell you there is a problem.
  4. Yes, if you move it to a C Drive folder, or some other direct location it will work, but when you have a LIBRARY of iso files, that's not an option.


This has to do with Administrative rights and UAC. Somehow the mapped drives (EVEN THOUGH THEY ARE MAPPED IN GROUP POLICY FOR ALL USERS) do not get mapped when you go to mount the ISO.
Before you suggest it. I'm already logged in as a domain admin.
This is a large issue. Many people are having this problem. And for those of you that are NOT having the problem. Good for you. Now lock your computers down so you don't get hacked, OK?

Monday, October 7, 2019

NetApp OnCommand Performance Manager


Installing OCPM is an easy OVF file install, but sometimes you get a MonitorLoop error. What I found was that the OVF file had reservations for CPU and memory. Reduce those to Zero (0) and you should start up fine.
The next problem will be installing the VMware tools. On my instance of 6.5U3, the OVF file came in with an OS Type of Other/Other and the VMware tools install can't find a disk for Other. Shut it down, go into Edit Settings and the VM Options tab. Expand General and you'll find the OS Choices. I was able to successfully install using "Centos 4/5 or higher x64". Set the VM Options to that, save, and power it back up.
You should now be able to open the console, select VMRC, Manage, Install VMware tools. You will see the console update automatically that it is installing the tools. Eventually, it will bring you to the start of the setup questions. Location.
It's Whack-A-Mole from here.

Monday, August 12, 2019

CDBurnerXP command line problems ERROR 800402A0

An error (800402A0) occurred while executing the command

This is generally caused by an error in one of your paths. Try different options and see what the results are.

Simplify the folder option from this:
"C:\Program Files\CDBurnerXP\cdbxpcmd.exe" --burn-data -folder[\backup]:"D:\DiskBackup" -iso:"d:\datadisk.iso"

To this.
"C:\Program Files\CDBurnerXP\cdbxpcmd.exe" --burn-data -folder:"D:\DiskBackup\" -iso:"d:\datadisk.iso"

Use quotes around your paths.

Wednesday, April 24, 2019

vCenter VCSA Certificate Locations via SSH

HTTPS Strict Transport Security error

If you get the dreaded HTTPS Strict Transport Security error when going to vCenter, you CAN NOT get the certificate in order to install it, because if you get the error, you don't get the screen that lets you download it. Catch-22.

Where it lives

Here is where it lives:

Just putty or Secure CRT (MY ABSOLUTE FAVORITE) into the vCenter appliance, cd to the directory and cat the files. Then copy them, paste them into a Notepad++ file and save them with a .crt extension.

Import into Certificate Manager

Click start, and type certificate manager, run it.
Import the ca.crt file and store it under Local Computer in the Trusted Root Certification Authorities folder. For the Machine-ssl.crt file, just choose Local Machine and let it figure out the store.
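
Because the CA file reaches the workstation by copy and paste, it is worth confirming that the saved copy is the same certificate before trusting it machine-wide. This PowerShell is an added example, not part of the original post: the function name, file path and thumbprint are placeholders, and it assumes you read the SHA-1 fingerprint on the appliance (for instance with `openssl x509 -noout -fingerprint -sha1 -in <file>`, if openssl is available in that shell).

```powershell
# Added example: check a copied CA certificate before adding it to the machine trust store.
function Import-VerifiedRootCert {
    param(
        [Parameter(Mandatory)][string]$Path,                # the saved ca.crt
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # SHA-1 fingerprint read on the appliance
    )
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Normalise 'AA:BB:..' or 'aa bb ..' to the form .NET reports.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }

    $problems = @()
    if ($cert.Thumbprint -ne $expected)                 { $problems += 'thumbprint does not match the appliance copy' }
    if (-not ($basic -and $basic.CertificateAuthority)) { $problems += 'not marked as a CA certificate' }
    if ($cert.NotAfter -lt (Get-Date))                  { $problems += "expired on $($cert.NotAfter)" }

    if ($problems.Count -gt 0) {
        throw "Refusing to import ${file}: $($problems -join '; ')"
    }
    # Needs an elevated shell; this is the Trusted Root Certification Authorities
    # store for the local computer, the same one the steps above target.
    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage (path and thumbprint are placeholders):
# Import-VerifiedRootCert -Path 'C:\Temp\ca.crt' -ExpectedThumbprint '<SHA-1 fingerprint from the appliance>'
```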


No more red banner, no more HSTS error.

Now I'm leaving. That took about 3 hours to figure out.

Thursday, March 7, 2019

Dell R640 Servers

Using these as ESXi Hosts

There are a number of things that you want to do if this is a true enterprise environment. You want to manage them as a group. That can be difficult, especially in an offline environment.

Dell has lots of services for internet connected servers, but who really wants their credit card processing server touching the internet?

iDrac 9 info