15 Feb 13

Hyper-V 2008 R2 Virtual Switch Issues

Just came across an issue in Hyper-V:  I was making changes to a network adapter’s binding in Hyper-V manager under the Virtual Network Manager when MMC crashed, closing out Hyper-V manager.  Upon reopening, trying to bind the virtual switch to an External Adapter resulted in the following error:

[Window Title]
Virtual Network Manager

[Main Instruction]
Error Applying New Virtual Network Changes

[Content]
Setup switch failed.

Cannot bind to ‘HP NC373i Multifunction Gigabit Server Adapter #8’ because it is already bound to another virtual network.

[Close]

Searching for the error turned up the following Microsoft KB article, KB2486812:

http://support.microsoft.com/kb/2486812

Essentially: download the NVSPbind tool linked from the article and extract it. Copy the EXE to your server and run it with no switches to list all adapters and their bindings.

The format is:

{6B360F51-C6C4-4EA0-AFEF-E4D1056B498E}
"pci\ven_14e4&dev_1600&subsys_3015103c"
"Friendly NIC Name"
"Local Area Connection":
disabled: ms_netbios       (NetBIOS Interface)
disabled: ms_server        (File and Printer Sharing for…

After finding the offending adapter, run:

nvspbind /u Friendly NIC Name

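Before running nvspbind /u it is worth confirming which adapter still carries the switch binding rather than guessing from the GUI error. The script below is an added example, not from the post and not part of Microsoft's NVSPbind tool: it parses the per-adapter listing that nvspbind prints with no switches (the format shown above) and reports adapters with an enabled binding to a given protocol component. It assumes that on Server 2008 R2 the Hyper-V virtual switch protocol is listed under the component id vms_pp; confirm that name against your own listing. The sample listing is constructed, and the script is written for the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: not from the post and not part of Microsoft's NVSPbind tool.
# Parses the per-adapter listing nvspbind prints with no switches and reports
# adapters that still have an enabled binding to a given protocol component.
# Assumption: on Server 2008 R2 the virtual switch protocol is the component
# id "vms_pp". Written for PowerShell 2.0, hence New-Object PSObject.

function ConvertFrom-NvspbindListing {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    $adapters = @()
    $current  = $null

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }

        # A {GUID} line starts a new adapter record.
        if ($line -match '^\{[0-9A-Fa-f-]{36}\}$') {
            $current = New-Object PSObject -Property @{
                Guid           = $line
                DeviceId       = $null
                FriendlyName   = $null
                ConnectionName = $null
                Bindings       = @()
            }
            $adapters += $current
            continue
        }
        if ($current -eq $null) { continue }

        # "enabled:/disabled: component (description)" lines are the bindings.
        if ($line -match '^(enabled|disabled):\s+(\S+)\s*(?:\((.*?)\)?)?$') {
            $current.Bindings += New-Object PSObject -Property @{
                State       = $Matches[1]
                Component   = $Matches[2]
                Description = $Matches[3]
            }
            continue
        }

        # Quoted header lines arrive in a fixed order: device id, friendly NIC
        # name, then the connection name (which ends with a colon).
        if ($line -match '^"(.*)":?$') {
            $value = $Matches[1]
            if     ($current.DeviceId -eq $null)     { $current.DeviceId = $value }
            elseif ($current.FriendlyName -eq $null) { $current.FriendlyName = $value }
            else                                     { $current.ConnectionName = $value }
        }
    }
    return $adapters
}

function Find-BoundAdapters {
    param(
        [Parameter(Mandatory=$true)][string[]]$Lines,
        [string]$Component = 'vms_pp'   # assumption: 2008 R2 virtual switch protocol id
    )
    ConvertFrom-NvspbindListing -Lines $Lines | Where-Object {
        @($_.Bindings | Where-Object {
            $_.State -eq 'enabled' -and $_.Component -eq $Component }).Count -gt 0
    }
}

# Constructed sample listing (two NICs) standing in for real nvspbind output.
$sample = @'
{6B360F51-C6C4-4EA0-AFEF-E4D1056B498E}
"pci\ven_14e4&dev_1600&subsys_3015103c"
"HP NC373i Multifunction Gigabit Server Adapter #8"
"Local Area Connection":
disabled: ms_netbios       (NetBIOS Interface)
disabled: ms_server        (File and Printer Sharing for Microsoft Networks)
enabled:  vms_pp           (Microsoft Virtual Network Switch Protocol)

{00000000-1111-2222-3333-444444444444}
"pci\ven_14e4&dev_1600&subsys_3015103c"
"HP NC373i Multifunction Gigabit Server Adapter #9"
"Local Area Connection 2":
enabled:  ms_netbios       (NetBIOS Interface)
enabled:  ms_tcpip         (Internet Protocol Version 4 (TCP/IPv4))
'@ -split "`r?`n"

# Against the live tool instead:  Find-BoundAdapters -Lines (& .\nvspbind.exe)
Find-BoundAdapters -Lines $sample | ForEach-Object {
    "Still bound to the virtual switch: {0} ({1})" -f $_.FriendlyName, $_.ConnectionName
    '  nvspbind /u "{0}"' -f $_.FriendlyName   # quote the name: it contains spaces
}
```

With the sample above only adapter #8 is reported, and the printed command is the one to run; the quotes matter because the friendly names contain spaces.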

08 Feb 13

Connecting to Watchguard SSLVPN from Android

I’ve used Android phones since way back in 2008 (version 1.5? Maybe 2.1).  At the moment I’ve got a Galaxy S3 running a 4.2.1 Jellybean ROM.

On the remote side, I have Watchguard firewalls deployed in my HQ and branch offices.  HQ terminates SSL VPN connections and routes traffic appropriately.

Being out and about, the inevitable support call comes up. It’d be nice to fire off a SQL query, RDP to a machine, SSH into a box, etc, without opening these services up to the world. Running to the nearest PC isn’t always ideal — my phone is ALWAYS with me, but VPN support has been lacking. This reddit post on apps for IT professionals finally motivated me to sit down today and get it working.

In the past I’ve looked at Watchguard’s client files in order to get SSL VPN working on Ubuntu.  That showed me they’re using nothing more than an OpenVPN wrapper, which works out wonderfully because OpenVPN is mature and widely supported.

After some trial and error, I found the right Android client and the correct combo of settings to make this work.

First off, download the OpenVPN for Android client from the Play Store or hit the QR code.

QR Code

My setup is detailed below — depending on your config, settings will vary.

  • Watchguard XTM 505’s running 11.6.1
  • Watchguard SSL VPN client configured and working from Windows 7 (OS X has a client, too, but I’m more familiar with the Windows locations of its certs).
  • Default advanced settings (SHA-1 authentication, AES 256 encryption, TCP data channel, port of your choice — I use 450)

Android:

  • S3 running 4.2.1 (Cyanogenmod 10.1)
  • OpenVPN for Android (no root required)

Settings:

  • Start a manual profile with a profile name of your liking.
  • Edit Basic Settings.
    • Server Address: a DNS record or the external IP address of your firewall
    • Server port: the port set under advanced settings on your firewall; the default is 443, mine is 450 to avoid port conflicts
    • TCP
    • No LZO compression

From a machine that you’ve connected with the SSL VPN client before, copy your ca.crt, client.crt and client.pem to your phone. In Windows 7, these are located at %appdata%/Watchguard/Mobile VPN.

Back in the OpenVPN client, change the type to User/PW + Certificates. Now click CA Certificate, browse to your ca.crt file and import it. Click Client certificate, browse to your client.crt and import it. Click Client certificate key, browse to your client.pem file and import it.

Next, input the username and password you use to authenticate from the Watchguard SSL VPN client on Windows – I’m using Active Directory, so it’s my Windows username and password.  Your setup will certainly vary here – check your SSL VPN settings on the firewall for the authentication type (Firebox-DB, AD, RADIUS, LDAP, etc.).

  • Go back. Leave IP settings unchanged.
  • Under routing, clear the check for default route under IPV6.
  • Under authentication, add AES-256-CBC under encryption cipher.
  • Leave advanced settings unchanged.

Go back to the main menu and tap your newly configured profile.  If all goes well, the logs will fly by and you’ll get a notification that the VPN is connected.

Fire up a terminal window and try pinging a resource on the remote side to confirm connectivity.
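The settings walked through above can also be captured as a single .ovpn profile that OpenVPN for Android imports in one step, with the three files inlined so nothing has to be browsed to on the phone. The script below is an added example, not from the post, WatchGuard, or the OpenVPN for Android project. It runs on the Windows 7 PC where the WatchGuard client already works, first checks that the exported client.crt really was issued by ca.crt (a cheap way to catch a stale or mixed-up export before debugging on the phone), then writes the profile. The firewall name vpn.example.com and port 450 are placeholders; the file names and the %appdata%\Watchguard\Mobile VPN location are taken from the post; the remote-cert-tls line assumes the firewall's server certificate carries the serverAuth EKU.

```powershell
# Added example: not from the post, WatchGuard, or the OpenVPN for Android project.
# Run on the Windows 7 PC where the WatchGuard SSL VPN client already works.
# Checks that client.crt chains to ca.crt, then writes one .ovpn profile with
# the post's settings and all three files inlined.
# Placeholders: vpn.example.com and 450. File names/location follow the post.

$vpnDir     = Join-Path $env:APPDATA 'Watchguard\Mobile VPN'
$caPath     = Join-Path $vpnDir 'ca.crt'
$certPath   = Join-Path $vpnDir 'client.crt'
$keyPath    = Join-Path $vpnDir 'client.pem'
$outPath    = Join-Path $env:USERPROFILE 'Desktop\watchguard-android.ovpn'
$remoteHost = 'vpn.example.com'   # placeholder: firewall DNS name or external IP
$remotePort = 450                 # placeholder: SSL VPN port from the firewall's advanced settings

foreach ($p in $caPath, $certPath, $keyPath) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}

# 1. Prove client.crt was issued by ca.crt. The WatchGuard CA is private, so it
#    is not in the Windows root store: allow an unknown root while building the
#    chain, then insist the root actually found is exactly ca.crt.
$x509   = 'System.Security.Cryptography.X509Certificates'
$ca     = New-Object "$x509.X509Certificate2" $caPath
$client = New-Object "$x509.X509Certificate2" $certPath
$chain  = New-Object "$x509.X509Chain"
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$built  = $chain.Build($client)
$rootOk = $false
if ($chain.ChainElements.Count -gt 0) {
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootOk = ($root.Thumbprint -eq $ca.Thumbprint)
}
if (-not ($built -and $rootOk)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "client.crt does not chain to ca.crt: $why"
}
"client.crt OK: subject=$($client.Subject); expires $($client.NotAfter)"

# 2. Make sure client.pem is actually a PEM private key (wrong file, not a
#    key/cert mismatch, is what this catches; a mismatch shows up at connect time).
$keyText = [IO.File]::ReadAllText($keyPath)
if ($keyText -notmatch 'PRIVATE KEY-----') { throw "client.pem is not a PEM private key" }

# 3. Emit the profile. Settings mirror the post: TCP, port 450, AES-256-CBC,
#    SHA-1 HMAC, no LZO (simply no comp-lzo line), username/password on top of
#    the certificate. remote-cert-tls assumes the firewall's server certificate
#    carries the serverAuth EKU; drop it if the handshake fails on that check.
#    The post's "clear default route under IPv6" toggle is set in the app's
#    Routing screen after import.
$inline = {
    param($Tag, $Path)
    "<$Tag>`n" + [IO.File]::ReadAllText($Path).Trim() + "`n</$Tag>"
}
$ovpn = @"
client
dev tun
proto tcp-client
remote $remoteHost $remotePort
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
auth-user-pass
remote-cert-tls server
verb 3
$(& $inline 'ca'   $caPath)
$(& $inline 'cert' $certPath)
$(& $inline 'key'  $keyPath)
"@
[IO.File]::WriteAllText($outPath, $ovpn)   # UTF-8 without BOM, which OpenVPN expects
"Wrote $outPath. Copy it to the phone, import it in OpenVPN for Android, then delete the PC copy."
```

The generated file contains the private key, so treat it like the client.pem it came from: move it to the phone and remove the desktop copy rather than leaving it lying around.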