Jul 9 15

IPsec VPN Tunnel to AWS VPC using PFsense – Packet loss and connectivity issues.

by Patrick Durante

Like most people trying to accomplish this, I started from the post here.

I was seeing packet loss when testing with ICMP packets over the IPsec tunnel. The hardware was a Dell R610 with the on-board four-port Broadcom interface cards. I configured both tunnels, and both would come online if you clicked the button to bring them up. What the guide doesn’t tell you is that this causes routing issues: you can’t have both tunnels up at the same time. You will make the same mistake if you click the PLAY button next to both tunnels on the IPsec status page.


*** If you force the secondary tunnel up on the IPsec status page you may get packet loss. Both tunnels can be enabled, but make sure that you shut the second one down if it does come up. ** It seems to be an asymmetric routing issue, so Amazon shuts this tunnel down. ***

There are a few key settings needed to get the VPC tunnel working properly with a fast transfer rate. With this configuration there was little to no packet loss from the multiple networks that used the VPC.

1) Critical – make sure only one IPsec tunnel is started first. Use the tunnel Amazon lists as the 1st one. When the second tunnel was enabled AND in the up state I got packet loss and slow performance. You can leave it enabled, just don’t click the button to force it up. If you are seeing packet loss, try stopping the 2nd tunnel.

2) MSS clamping on the IPsec tunnel. This is under the advanced settings of the IPsec config. Make sure it is set to 1387. Set the TCP MSS to the maximum size specified in the config you downloaded from Amazon, and set this on the WAN interface.

3) Make sure that you summarize your networks as much as possible, i.e. 192.168.0.0/16 and 10.128.0.0/16 rather than a list of /24s.
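The MSS and MTU numbers in steps 2 and 3 are only right if they match what the tunnel path actually carries, and the fastest way to find that out is a Don’t-Fragment ping sweep from a host behind the firewall. The script below is an added example, not part of the original post: it binary-searches the largest ICMP payload that crosses the tunnel unfragmented, then derives the path MTU and the largest TCP MSS that fits, so you can compare them with the 1436 / 1387 values above. It assumes a Linux host on the local side (`ping -M do`); on pfSense itself, FreeBSD’s `ping -D` sets the DF bit instead. The `PROBE` variable only exists so the search can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added example, not from the original post: measure the path MTU across the
# IPsec tunnel with DF-bit pings and derive the MSS that fits inside it.
# Assumes a Linux host inside the VPC-connected network; on pfSense/FreeBSD
# replace "ping -M do" with "ping -D". Target host is a placeholder.

# One ping with Don't Fragment set; exit 0 means this payload fits the path.
probe_df() {  # host payload_bytes
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# Binary search for the largest payload that still gets through.
# The probe function name comes from $PROBE so a fake can stand in for ping.
find_max_payload() {  # host [lo] [hi]
    host="$1"; lo="${2:-0}"; hi="${3:-1472}"
    probe="${PROBE:-probe_df}"
    best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# ICMP payload + 8 byte ICMP header + 20 byte IPv4 header = path MTU.
payload_to_mtu() { echo $(( $1 + 28 )); }

# TCP MSS = MTU - 20 (IPv4 header) - 20 (TCP header).
mtu_to_mss() { echo $(( $1 - 40 )); }

main() {
    target="${1:?usage: $0 <host-in-vpc>}"
    payload=$(find_max_payload "$target")
    if [ "$payload" -lt 0 ]; then
        echo "no DF ping got through at all; ICMP may be filtered on the far side" >&2
        return 1
    fi
    mtu=$(payload_to_mtu "$payload")
    echo "path MTU across tunnel: $mtu"
    echo "largest TCP MSS that fits: $(mtu_to_mss "$mtu") (clamp must not exceed this)"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh mtuprobe.sh 10.128.128.100` against a VPC instance that answers ping. If the MSS clamp configured on the tunnel is larger than the number it prints, TCP segments will be fragmented or dropped at the tunnel boundary, which is exactly the packet loss this post is about.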

Other things that need to be configured:
- If this is a one-armed router, make sure the firewall/NAT setting that allows traffic in and out on the same interface is enabled.
- Make sure the IPsec rules allow the correct traffic.
- Apply the settings the pfSense wiki recommends for bce interfaces (linked here). I did this because I was using the on-board Broadcom network card in a Dell server. In /boot/loader.conf.local add the following (or create the file if it does not exist):
kern.ipc.nmbclusters="131072"
hw.bce.tso_enable=0
hw.pci.enable_msix=0

That increases the number of network memory buffers, disables TSO on the bce driver, and disables MSI-X.

CLUSTERING
If this is going to be part of a failover cluster, configure your CARP settings according to this post:
https://www.howtoforge.com/how-to-configure-a-pfsense-2.0-cluster-using-carp

If you have issues with the tunnel coming up when you fail over to the secondary unit, you have to disconnect/reconnect the IPsec service (located here). I sometimes had to stop/start it 3 or 4 times before traffic would flow over the tunnel after a failover. This only happened when I failed back and forth during testing; with just a single failover it worked properly and only dropped a packet or two.
You should then run iperf on a VPC instance and a local machine to test performance.
Start the server with
iperf -s

On a client within your network run:
iperf -c 10.128.128.100 -fM -m -i5 -t25

Other options I configured that were non-standard:
- Disabled lockout
- Enabled secure shell
- Firewall Optimization Options: Normal
- Bypass firewall rules for traffic on the same interface
- Enable MSS clamping on VPN traffic: 1387
- WAN interface MTU: 1436

Jun 26 15

How to add a second drive to a ProxMox server using LVM

by Patrick Durante

Creating, formatting, and mounting a file system that uses LVM in Proxmox or Linux.

* If you have any trouble with the terms used in this post, see the link below. *
http://www.howtogeek.com/howto/40702/how-to-manage-and-use-lvm-logical-volume-management-in-ubuntu/

Step 1:
On the CLI, find the new disk with fdisk -l

Step 2:
Create physical volume
pvcreate /dev/sdb1
Physical volume "/dev/sdb1" successfully created

Step 3:
Create the Volume Group
vgcreate Backup-Drive /dev/sdb1
Volume group "Backup-Drive" successfully created

Step 4:
Create the logical volume to use the max space.
lvcreate -l 100%FREE -n Backup Backup-Drive

Step 5:
Make the filesystem
mkfs -t ext4 /dev/Backup-Drive/Backup

Step 6:
Make a directory to mount it on.
mkdir /mnt/Backup
mount -t ext4 /dev/Backup-Drive/Backup /mnt/Backup

Create the folder you will point Proxmox at, called Backups or whatever you are using it for.

Step 7:
Add it to fstab so it comes back when you reboot.
/dev/Backup-Drive/Backup /mnt/Backup ext4 defaults 0 1

Then add the directory where the file system is mounted as storage in Proxmox, together with the functions it will have. Tick the different options in the drop-down depending on what you want to use it for.
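The seven steps above as one script, added here as an example (it is not the post’s own commands): the same pvcreate / vgcreate / lvcreate / mkfs / mount / fstab sequence, plus the two checks that matter when you run this on a production hypervisor: it refuses to initialise a partition that already carries a filesystem or LVM signature, and it only appends the fstab line if the mount point is not there yet. Names follow the post (Backup-Drive, Backup, /mnt/Backup); /dev/sdb1 is a placeholder that must match what fdisk -l showed in step 1. The final `pvesm add dir` call is an assumed CLI equivalent of the GUI step, with `backup-drive` as a placeholder storage id.

```shell
#!/bin/sh
# Added example, not the post's own commands: steps 2-7 above as one script,
# with the checks a disk should get before LVM takes it over. Run as root.
# "plan" prints what would be done; "apply" does it.
set -eu

DEVICE="${DEVICE:-/dev/sdb1}"        # placeholder: must match fdisk -l output
VG="${VG:-Backup-Drive}"
LV="${LV:-Backup}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/Backup}"
DRY_RUN=0

# Execute a command, or print it when planning.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# The fstab line from step 7, built in one place so it is easy to check.
fstab_line() {  # vg lv mountpoint
    echo "/dev/$1/$2 $3 ext4 defaults 0 1"
}

# Refuse to wipe a partition that already carries a filesystem or LVM
# signature; blkid prints nothing and exits non-zero for a blank one.
assert_blank_device() {
    if blkid "$1" >/dev/null 2>&1; then
        echo "refusing: $1 already has a signature ($(blkid -o value -s TYPE "$1"))" >&2
        return 1
    fi
}

main() {
    [ "$DRY_RUN" = 1 ] || assert_blank_device "$DEVICE"
    run pvcreate "$DEVICE"                        # step 2
    run vgcreate "$VG" "$DEVICE"                  # step 3
    run lvcreate -l 100%FREE -n "$LV" "$VG"       # step 4
    run mkfs -t ext4 "/dev/$VG/$LV"               # step 5
    run mkdir -p "$MOUNTPOINT"                    # step 6
    run mount -t ext4 "/dev/$VG/$LV" "$MOUNTPOINT"
    line=$(fstab_line "$VG" "$LV" "$MOUNTPOINT")  # step 7, added only once
    if [ -r /etc/fstab ] && grep -qF " $MOUNTPOINT " /etc/fstab; then
        echo "fstab already mounts $MOUNTPOINT; leaving it alone" >&2
    elif [ "$DRY_RUN" = 1 ]; then
        echo "+ echo '$line' >> /etc/fstab"
    else
        echo "$line" >> /etc/fstab
    fi
    # Register the directory with Proxmox as backup storage. Assumed CLI
    # equivalent of the GUI step; "backup-drive" is a placeholder storage id.
    run pvesm add dir backup-drive --path "$MOUNTPOINT" --content backup
}

case "${1:-}" in
    plan)  DRY_RUN=1; main ;;
    apply) main ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

Run `sh add-lvm-disk.sh plan` first and read the printed commands against the fdisk -l output; only then run `apply`. Matching on " /mnt/Backup " with surrounding spaces keeps the fstab check from being fooled by a longer path such as /mnt/Backup2.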


Apr 3 15

Check the last backup in Veeam for VMware – Powershell Script

by Patrick Durante

I found the following script here, which checks whether a VM has had a backup run within a set amount of time. I modified it to send an email report. Very useful for making sure that newly created VMs are getting backed up.


#Verify if Virtual Machines have been backed up. Put this file in a folder called c:\Scripts

# Load the VMware PowerCLI and Veeam snap-ins (asnp is an alias for Add-PSSnapin)
asnp "VMware.VimAutomation.Core" -ErrorAction SilentlyContinue
asnp "VeeamPSSnapIn" -ErrorAction SilentlyContinue

#-------------------------------------------------------
# Configuration

#For the vCenter server make sure you use the SAME EXACT NAME that Veeam uses in the managed servers vSphere tab.
$vcenter = "X.X.X.X"
$excludevms = @("xxxx","xxxx")
$DaysToCheck = 7

#Email Configuration
$toemail = "xxx@xxx.com"
$fromemail = "xx@xx.com"
$smtpserver = "x.x.x.x"
$subject = "Unprotected VM Report: No backup detected in $DaysToCheck days or no policy exists."

#-------------------------------------------------------
# Connect to vCenter
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false | Out-Null
Connect-VIServer $vcenter | Out-Null

# Build hash table with excluded VMs
$excludedvms = @{}
foreach ($vm in $excludevms) {
    $excludedvms.Add($vm, "Excluded")
}

# Get a list of all powered-on VMs from vCenter and add to hash table, assume Unprotected
$vms = @{}
foreach ($vm in (Get-VM | Where-Object {$_.PowerState -eq "PoweredOn"} | ForEach-Object {$_ | Select-Object @{Name="VMname";Expression={$_.Name}}})) {
    if (!$excludedvms.ContainsKey($vm.VMname)) {
        $vms.Add($vm.VMname, "Unprotected")
    }
}

# Find all backup or replica job sessions that have ended in the last $DaysToCheck days.
# The parentheses matter: -and binds tighter than -or, so without them every
# Backup session, however old, would be included.
$vbrsessions = Get-VBRBackupSession | Where-Object {($_.JobType -eq "Backup" -or $_.JobType -eq "Replica") -and $_.EndTime -ge (Get-Date).AddDays(-$DaysToCheck)}

# Find all successfully backed up VMs in selected sessions (i.e. VMs not ending in failure) and update status to "Protected"
foreach ($session in $vbrsessions) {
    foreach ($vm in ($session.GetTaskSessions() | Where-Object {$_.Status -ne "Failed"} | ForEach-Object { $_ | Select-Object @{Name="VMname";Expression={$_.Name}}})) {
        if ($vms.ContainsKey($vm.VMname)) {
            $vms[$vm.VMname] = "Protected"
        }
    }
}

#Remove my output files first from the last time it was run (no error if they do not exist yet).
Remove-Item C:\scripts\bad.txt -ErrorAction SilentlyContinue
Remove-Item C:\scripts\good.txt -ErrorAction SilentlyContinue

# Write each VM to good.txt or bad.txt based on status.
foreach ($vm in $vms.Keys) {
    if ($vms[$vm] -eq "Protected") {
        "$vm" | Add-Content C:\scripts\good.txt
    } else {
        "$vm" | Add-Content C:\scripts\bad.txt
    }
}

#Read the file and send the output, use the `n for new line.
#Say so explicitly when every VM is protected instead of sending an empty body.
$body = (Get-Content C:\scripts\bad.txt -ErrorAction SilentlyContinue) -join "`n"
if (-not $body) { $body = "All powered-on VMs have a successful backup in the last $DaysToCheck days." }

$email = @{
    From = $fromemail
    To = $toemail
    Subject = $subject
    SMTPServer = $smtpserver
    Body = $body
}
Send-MailMessage @email

Jan 6 15

Getting the most performance out of your SSD drive.

by Patrick Durante

I converted my machine from a magnetic platter drive to an SSD a year ago. I noticed the performance wasn’t as fast as it should be for certain operations.

My SSD was connected via IDE mode and I hadn’t enabled AHCI on the controller. I had changed it before, but Windows 7 wouldn’t boot by default. If you originally installed the OS on an IDE-mode drive you need to enable the AHCI driver first via the registry.

  1. Click Start, type regedit in the Start Search box, and then press ENTER.
  2. If you receive the User Account Control dialog box, click Continue.
  3. Locate and then click one of the following registry subkeys:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msahci
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IastorV
  4. In the pane on the right side, right-click Start in the Name column, and then click Modify.
  5. In the Value data box, type 0, and then click OK.
  6. On the File menu, click Exit to close Registry Editor.

Once that is complete go into your BIOS and change the SATA operation mode to AHCI.  You will notice a pretty substantial performance increase from using the new driver.


I don’t have a SATA III (6 Gbit/s) compatible SATA controller, so this is as fast as the performance will get on SATA II (3 Gbit/s).

Nov 18 14

How to reclaim space from thin provisioned VM

by Patrick Durante

Download sdelete from Sysinternals for Windows. Inside the guest, run the following command for your drive letter to zero the free space.

sdelete.exe -z [DRIVE:]

Enable SSH on your VM host and locate the .vmdk file of the VM.

To see the actual size run:

du -h [DISKNAME].vmdk

Punch all the zeroed blocks out of the vmdk.

vmkfstools --punchzero [DISKNAME].vmdk

That’s it. You’ll notice the size of the VM has decreased.
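The host-side half of this procedure, added here as an example rather than the post’s own commands, wrapped so that it refuses to run while the VM is powered on and reports how much space the punch actually gave back. It assumes the ESXi busybox shell, `vim-cmd vmsvc/power.getstate` for the power state (its output is a header line followed by the state), and that the data of a thin disk lives in the `-flat.vmdk` file next to the descriptor; the VM id and disk path are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands: punch zeros out of a thin disk
# on the ESXi host with a power-state guard and a before/after report.
# Assumes ESXi's busybox sh; vmid and disk path are placeholders.

# vim-cmd vmsvc/power.getstate prints "Retrieved runtime info" and then the
# state ("Powered off" / "Powered on"); keep only the state line.
power_state() {  # reads vim-cmd output on stdin
    sed -n '2p'
}

vm_is_powered_off() {  # vmid
    state=$(vim-cmd vmsvc/power.getstate "$1" | power_state)
    [ "$state" = "Powered off" ]
}

# KiB actually allocated to the disk, read from the -flat file that holds
# the data (the descriptor .vmdk is only a few hundred bytes).
allocated_kib() {  # path/to/disk.vmdk
    du -k "${1%.vmdk}-flat.vmdk" | cut -f1
}

# Percentage of space given back, from before/after KiB figures.
reclaimed_percent() {  # before_kib after_kib
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( ($1 - $2) * 100 / $1 ))
}

punch_zero() {  # vmid path/to/disk.vmdk
    vmid="$1"; disk="$2"
    if ! vm_is_powered_off "$vmid"; then
        echo "VM $vmid must be powered off before punching zeros" >&2
        return 1
    fi
    before=$(allocated_kib "$disk")
    vmkfstools --punchzero "$disk"
    after=$(allocated_kib "$disk")
    echo "$disk: ${before} KiB -> ${after} KiB ($(reclaimed_percent "$before" "$after")% reclaimed)"
}

if [ "$#" -eq 2 ]; then punch_zero "$1" "$2"; fi
```

Run it as `sh punch.sh <vmid> /vmfs/volumes/<datastore>/<vm>/<disk>.vmdk` after the sdelete pass in the guest; `vim-cmd vmsvc/getallvms` lists the vmids.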

Oct 2 14

How to quickly configure the resource pools in VMware

by Patrick Durante

If you want a quick and easy way to design resource pools in VMware you could do the following.

You could create 3 by the name of:

Gold > Silver > Bronze

The shares are determined by the number of VMs in the resource pool. Shares are an arbitrary value; in this case they are used to weight the pools against each other.

I gave Gold 100, Silver 50, and Bronze 25. This means that gold is the most important, silver is half as important as gold, and bronze is half as important as silver.

Resource pools only take effect in times of contention for resources, so in our case gold will get the most resources if that happens.

To calculate the shares to give a pool, take the number of VMs in it and multiply by the share number above.

So to calculate how many total shares the gold pool should have, take 100 X (number of VMs in the gold pool)

Take 50 X (number of vms in the silver pool)

Take 25 X (number of VMs in the bronze pool)

Here are two scripts you can schedule to take care of this in your cluster.

http://www.yellow-bricks.com/2010/02/24/custom-shares-on-a-resource-pools-scripted/

http://wahlnetwork.com/2012/02/01/understanding-resource-pools-in-vmware-vsphere/

Oct 2 14

How to add a powershell script to run as a scheduled task.

by Patrick Durante

Make sure you have the latest version of the PowerCLI before you begin.  You can grab a copy from the VMware site.

Launch secpol.msc and grant the account you are going to use the right to log on as a batch job: Local Security Policy –> User Rights Assignment –> Log on as a batch job.

In the run command add the following:

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe

In the argument box add the following.

-PSConsoleFile "C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI\vim.psc1" "& 'C:\Scripts\adjustshares.ps1'"

Make sure the script contains credentials and that the account has rights to log into vCenter.

Jul 22 14

Finally found a disk check plugin that works!

by Patrick Durante

I’ve been looking for a good disk check plugin for Nagios that gave perf data and didn’t require a lot of random perl modules.  This guy wrote an excellent plugin.

http://sysengineers.wordpress.com/2010/05/27/check_iostat-pl-version-0-9-7/

Jul 8 14

Cisco ASDM: Java couldn’t trust Server

by Patrick Durante

Yes, yes, I know you should only use the CLI. But if you are running the latest version of Java and can’t log in to the ASDM, you can do the following to fix it.

Browse to the site in a web browser and download the certificate file.

Open the Java control panel: Start > Configure Java.

Add the internal site to the exception list.

Click manage certs.

Install it to the following.

Secure Site, Signer CA, and Trusted Root.

Now you should stop getting the error message and be able to connect via the ASDM.

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn’t trust Server

Jul 4 14

Acer Aspire V7 482PG duplicate keys and freezing keyboard fix

by Patrick Durante

I had an issue with my laptop (Acer Aspire V7-482PG-6629) where the keyboard would freeze. This seemed to happen more after I had just upgraded the laptop to Windows 8.1. It would register duplicate key input, and I would have to type very slowly or hit a key multiple times for it to register. I knew there was nothing wrong with the keyboard itself, since I booted a live CD with a different OS and the laptop didn’t have the issue. I had installed every updated Windows 8.1 driver from Acer’s site but it still didn’t fix the issue. I updated the BIOS, Wi-Fi, Bluetooth, and every device I could find. If you have the issue, go to the Mouse item in Control Panel; it may show two ELAN pointing device tabs. To fix the duplicate input you need to first load:

TouchPad_Synaptics_17.0.6.13_W81x64. Under Device Manager the touchpad will then show up as a Synaptics device. THIS IS BAD!!! This is not the correct driver, but you need to load it first for the multi-touch gestures to work.

Reboot the laptop and now load this driver from their site.

TouchPad_ELANTECH_11.6.27.201_W81x64

The touchpad will now show as an ELAN device under Device Manager.

Reboot one more time and all your touchpad issues will be fixed. If you ever have the issue again, just make sure the pointing device shows as ELAN, not Synaptics.