I was dealing with an issue where a layer 2 trunk was one way. The fix was to make sure the vlan was allowed on the trunk in both directions
Came across this useful command to trace the L2 path as normal traceroute uses L3 routes.
x is src mac
y is dst mac (i used the mac on the vlan interface for vlan 33, got with show arp)
traceroute mac xxxx.xxxx.xxxx yyyy.yyyy.yyyy vlan 33
MTU on palo alto global protect is set to 1300
The MTU was changed on the Global Protect side but nothing worked for EIR connections
This was the fix after working with Palo Support.
On user Laptop depending if they are using the the WiFi or Ethernet Connection we need to adjust the MTU on the interface
This command will list your interfaces and the index of them
netsh interface ipv4 show interfaces
This command will change the MTU on the index we want to change where 19 is the index of the interface
netsh interface ipv4 set interface 19 mtu=1300
So what you need to do is run the command netsh interface ipv4 show interfaces to list the interfaces.
If you are using wifi or lan identify it by the index number and then run the command netsh interface ipv4 set interface 19 mtu=1300 to change it
test the connection to see if it works
if it works you can run the command netsh interface ipv4 set interface 19 mtu=1300 store=persistent - this will save the setting even after a reboot
Came across some mis-configured DHCP scopes and needed to resolve. They were working independently duplicate leases and reservations not matching. This was causing issues with WIFI AP's
Backup
mkdir C:\tools\dhcpbackup
cd C:\tools\dhcpbackup
Export-DhcpServer -Leases -File "C:\tools\dhcpbackup\WC-DC03-leases.xml" -Force
Get-DhcpServerv4Reservation -ComputerName WC-DC03 -ScopeId 10.66.33.0 | Export-Csv "C:\tools\dhcpbackup\WC-DC03-reservations.csv" -NoTypeInformation
In a maint window.
Moved all reservations to DC03
Deleted scope on DC04
Setup scope on DC03 as a failover scope and selected DC04 as partner
This will take care of leases
Need to sync reservations manually (can setup a scheduled task to run a script)
$LogFile = "C:\tools\dhcpbackup\dhcp-sync-log.txt"
Invoke-DhcpServerv4FailoverReplication -ComputerName WD-DC03 -ScopeId 10.65.33.0 -Force -ErrorAction Stop
check if mac address has a lease and/or reservation
You can add more mac's to the list as needed.
I needed this to compare two independent DHCP scopes
$macs = @("xx-xx-xx-xx-yy-yy","zz-zz-zz-zz-zz-zz");
$macs | ForEach-Object {
$lease = Get-DhcpServerv4Lease -ScopeId 192.168.1.0 -ClientId $_ -ErrorAction SilentlyContinue;
$reservation = Get-DhcpServerv4Reservation -ScopeId 192.168.1.0 -ClientId $_ -ErrorAction SilentlyContinue;
"MAC: $_, Lease: $($lease.IPAddress -join ', '), Reservation: $($reservation.IPAddress -join ', ')"
}
Handy for helping remote hands identify the right switch in the stack (looking for switch 3). A blue LED was coming on and off for 9300
hw-module beacon switch 3 on
hw-module beacon switch 3 off
You can also search mac address table for the device plugged in:
sh mac address-table | i xxxx.xxxx.xxxx
Duo Auth Proxy 6.6.0 uses the new OpenSSL standards and the Auth Proxy does not recognize root CAs with RSA 1024bits
Needed to change the RSA bits from 1024 (very old one) to 4096
Change the configuration on the Root CA >> Uploaded the new Root CA into DUO SSO config in the DUO portal >> Upgrade DUO Auth Proxy again
It’s inside an encrypted DB, can be viewed in opmanger web interface
Can also export to raw file on the opman server
Go to Settings -> NCM -> Export Configuration
