Thursday, 5 March 2026

MTU issue on EIR home connections, VPN not working

MTU on Palo Alto GlobalProtect is set to 1300.

The MTU was changed on the GlobalProtect side, but nothing worked for EIR connections.

This was the fix after working with Palo Support. 

On the user's laptop, we need to adjust the MTU on the interface they are using, either WiFi or Ethernet.


This command will list your interfaces and the index of them

netsh interface ipv4 show interfaces


This command will change the MTU on the interface we want, where 19 is the index of that interface

netsh interface ipv4 set interface 19 mtu=1300


So, run netsh interface ipv4 show interfaces to list the interfaces.

Identify the WiFi or LAN interface you are using by its index number (the Idx column), then run netsh interface ipv4 set interface 19 mtu=1300 with that index in place of 19.


Test the connection to see if it works.


If it works, you can run netsh interface ipv4 set interface 19 mtu=1300 store=persistent. This will save the setting even after a reboot.

Thursday, 26 February 2026

fixing some DHCP scopes

Came across some misconfigured DHCP scopes and needed to resolve them. They were working independently, with duplicate leases and reservations not matching. This was causing issues with WiFi APs.


Backup

mkdir C:\tools\dhcpbackup

cd C:\tools\dhcpbackup

Export-DhcpServer -Leases -File "C:\tools\dhcpbackup\WC-DC03-leases.xml" -Force

Get-DhcpServerv4Reservation -ComputerName WC-DC03 -ScopeId 10.66.33.0 | Export-Csv "C:\tools\dhcpbackup\WC-DC03-reservations.csv" -NoTypeInformation


In a maintenance window:

Moved all reservations to DC03

Deleted scope on DC04

Set up scope on DC03 as a failover scope and selected DC04 as partner

This will take care of leases

Need to sync reservations manually (can set up a scheduled task to run a script)

$LogFile = "C:\tools\dhcpbackup\dhcp-sync-log.txt"

Invoke-DhcpServerv4FailoverReplication -ComputerName WD-DC03 -ScopeId 10.65.33.0 -Force -ErrorAction Stop
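
One way to flesh out the scheduled reservation sync described above, added here as an example and not the author's own script: it replicates the scope to the failover partner, then compares the reservations on both servers and logs the result. The file name, parameter names, log wording and exit codes are assumptions; the log path is the one from the post.

```powershell
# Added example, not the author's script. Hypothetical file name: Sync-DhcpReservations.ps1
# Run from a scheduled task on a host with the DhcpServer module, e.g.
#   .\Sync-DhcpReservations.ps1 -Primary <server> -Partner <partner> -ScopeId <scope>
param(
    [Parameter(Mandatory)][string]$Primary,   # server holding the authoritative reservations
    [Parameter(Mandatory)][string]$Partner,   # its failover partner
    [Parameter(Mandatory)][string]$ScopeId,
    [string]$LogFile = "C:\tools\dhcpbackup\dhcp-sync-log.txt"   # path from the post
)

function Write-SyncLog([string]$Message) {
    # One timestamped line per run so a failed or drifting sync is visible afterwards.
    Add-Content -Path $LogFile -Value ("{0}  {1}" -f (Get-Date -Format s), $Message)
}

function Get-ReservationKeys([string]$Server) {
    # Reduce each reservation to "mac=ip" so the two servers compare as plain strings.
    Get-DhcpServerv4Reservation -ComputerName $Server -ScopeId $ScopeId -ErrorAction Stop |
        ForEach-Object { "{0}={1}" -f $_.ClientId.ToLower(), $_.IPAddress }
}

try {
    # Push the scope configuration, reservations included, from $Primary to its partner.
    Invoke-DhcpServerv4FailoverReplication -ComputerName $Primary -ScopeId $ScopeId -Force -ErrorAction Stop

    # Verify rather than assume: both servers should now report the same reservations.
    # @() keeps an empty result as an empty array instead of $null.
    $onPrimary = @(Get-ReservationKeys $Primary)
    $onPartner = @(Get-ReservationKeys $Partner)
    $missing = @($onPrimary | Where-Object { $_ -notin $onPartner })   # absent on partner
    $extra   = @($onPartner | Where-Object { $_ -notin $onPrimary })   # only on partner

    if ($missing.Count -or $extra.Count) {
        Write-SyncLog "DRIFT scope $ScopeId missing-on-partner=[$($missing -join ', ')] only-on-partner=[$($extra -join ', ')]"
        exit 2
    }
    Write-SyncLog "OK scope $ScopeId, $($onPrimary.Count) reservations match on $Primary and $Partner"
}
catch {
    Write-SyncLog "FAILED scope ${ScopeId}: $($_.Exception.Message)"
    exit 1
}
```

The non-zero exit codes let the scheduled task's last-run result show a failed or drifting sync without opening the log.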


Tuesday, 27 January 2026

PowerShell command to check if a MAC address has a lease and/or reservation

Check if a MAC address has a lease and/or reservation.

You can add more MACs to the list as needed.

I needed this to compare two independent DHCP scopes


# MAC addresses to look up (placeholders; add more as needed)
$macs = @("xx-xx-xx-xx-yy-yy", "zz-zz-zz-zz-zz-zz")

$macs | ForEach-Object {
    # A MAC with no lease or reservation returns nothing; errors are suppressed so the loop continues
    $lease = Get-DhcpServerv4Lease -ScopeId 192.168.1.0 -ClientId $_ -ErrorAction SilentlyContinue
    $reservation = Get-DhcpServerv4Reservation -ScopeId 192.168.1.0 -ClientId $_ -ErrorAction SilentlyContinue
    "MAC: $_, Lease: $($lease.IPAddress -join ', '), Reservation: $($reservation.IPAddress -join ', ')"
}


Monday, 26 January 2026

Make an LED flash on the right switch in a Cisco stacked switch

Handy for helping remote hands identify the right switch in the stack (looking for switch 3). A blue LED was coming on and off on the 9300.

hw-module beacon switch 3 on

hw-module beacon switch 3 off


You can also search mac address table for the device plugged in:

sh mac address-table | i xxxx.xxxx.xxxx

Fix Duo SSO

Duo Auth Proxy 6.6.0 uses the new OpenSSL standards, and the Auth Proxy does not recognize root CAs with 1024-bit RSA keys.

Needed to change the RSA key size from 1024 bits (a very old one) to 4096.

Changed the configuration on the Root CA >> Uploaded the new Root CA into the Duo SSO config in the Duo portal >> Upgraded Duo Auth Proxy again

Friday, 23 January 2026

Export config from NCM in ManageEngine OpManager

It's inside an encrypted DB, but can be viewed in the OpManager web interface.

Can also export to a raw file on the OpManager server.

Go to Settings -> NCM -> Export Configuration


Monday, 19 January 2026

Match Palo Alto firewall settings that are not synced by HA

Some settings are not synced by HA. Run these on both units and compare the output:


show clock

show system info | match timezone

show system ntp-servers

show system setting service-route

show interface management

show high-availability state


Check your software and GP versions match too.

Typical problems when settings that are not synced differ:

  • Timezone mismatch (exactly what you hit)
  • Service routes not identical
  • DNS works on active, fails on passive
  • Management gateway missing on one unit
  • Local admin password mismatch
  • Cert generated on one box only
  • Log discrepancies causing confusion