Common Cisco ASA Firewall Configuration Commands

July 2nd, 2009

Setting up a Trunk Between a Cisco ASA and a Cisco 3560 Switch

ASA Configuration

To configure the ASA side of the trunk you need to:

  1. Select the physical interface you will be using. interface ethernet0/2
  2. Create a subinterface for each VLAN you intend to use. interface ethernet0/2.2
  3. Configure the IP address on each subinterface. ip address 192.168.64.1 255.255.255.0
  4. Add a description (optional). description DMZ Interface
  5. Configure the interface name. nameif DMZ
  6. Configure the security level. security-level 50
  7. Configure the VLAN ID the subinterface will tag its frames with. vlan 25

The physical interface carries the 802.1Q trunk and gets no nameif, security level or IP address of its own (hence the no commands on it below); each subinterface is bound to one VLAN ID and is the object you name and address.

interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.2
description DMZ Interface
vlan 25
nameif DMZ
security-level 50
ip address 192.168.64.1 255.255.255.0
!

Switch Configuration

To configure the switch side of the trunk you need to:

  1. Select the interface you will be using. interface fastethernet 0/1
  2. Set the trunk encapsulation (the 3560 requires this before the port can be put into trunk mode). switchport trunk encapsulation dot1q
  3. Set the port to trunk mode. switchport mode trunk

Prune the trunk to the VLANs the ASA actually uses and keep the native VLAN off it: untagged native-VLAN frames arrive on the physical interface, which has no nameif, and are dropped rather than matched to a subinterface.

interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk

Setting Up Windows Multicast Network Load Balancing (NLB) with Cisco ASA

ASA Configuration

When using multicast Windows NLB you need to set up a static ARP entry on the ASA, because the cluster answers ARP for its unicast virtual IP with a multicast MAC address, and the ASA will not accept an ARP reply that maps a unicast IP to a multicast MAC. For more information on why this is required please see my previous post Windows Network Load Balancing (NLB). To do this use the global configuration mode command arp:

  • arp DMZ 192.168.64.50 03ii.aaa8.122e alias

Replace the placeholder MAC address (03ii.aaa8.122e is not a valid address) with the NLB cluster MAC address. In multicast mode Windows derives that address from the cluster IP: 03-BF followed by the four octets of the cluster IP in hex, so for 192.168.64.50 it would be 03bf.c0a8.4032. You can confirm it under Cluster Parameters in the NLB Manager on one of the cluster hosts.
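As an added example (not part of the original post), here is how the multicast cluster MAC is derived from the cluster IP and turned into the arp line above. The interface name DMZ and the cluster address 192.168.64.50 are taken from the post; the derivation rule (03-BF plus the four octets of the cluster IP for multicast mode, 02-BF for unicast mode) is Windows NLB's documented behaviour, and the I/G-bit check is what makes the alias entry necessary in the first place.

```python
import ipaddress
import re

# Added example, not from the original post. Windows NLB builds the cluster MAC
# from the cluster IP: multicast mode uses 03-BF-<4 octets of the cluster IP>,
# unicast mode uses 02-BF-<4 octets>. Only the multicast one needs the ASA's
# static 'arp ... alias' entry, because its I/G bit is set.

def nlb_cluster_mac(cluster_ip: str, mode: str = "multicast") -> str:
    """Return the NLB cluster MAC for cluster_ip in Cisco dotted-hex form (xxxx.xxxx.xxxx)."""
    prefix = {"multicast": "03bf", "unicast": "02bf"}[mode]
    octets = ipaddress.IPv4Address(cluster_ip).packed   # the 4 raw address bytes
    raw = prefix + octets.hex()                         # 12 hex digits
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))

def is_multicast_mac(mac: str) -> bool:
    """True when the I/G bit (least significant bit of the first octet) is set."""
    first_octet = int(re.sub(r"[.:-]", "", mac)[:2], 16)
    return bool(first_octet & 0x01)

def asa_static_arp(ifname: str, cluster_ip: str) -> str:
    """Build the static ARP line the ASA needs for a multicast NLB cluster on ifname."""
    mac = nlb_cluster_mac(cluster_ip, "multicast")
    if not is_multicast_mac(mac):
        raise ValueError("unicast cluster MAC does not need an alias entry")
    return f"arp {ifname} {cluster_ip} {mac} alias"

if __name__ == "__main__":
    # Interface and cluster IP are the post's own values.
    print(asa_static_arp("DMZ", "192.168.64.50"))
```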


Setting Up Static NAT For Public Servers, Setting Up PAT for LAN Internet Access

To configure Port Address Translation (PAT) so that your internal LAN can reach the Internet, you need to (this is the pre-8.3 nat/global syntax that the ASA used at the time of writing; ASA 8.3 and later replaced it with object NAT):

  1. Use the nat command to specify the internal addresses you want translated; the number ties this nat statement to a global with the same number. nat (INSIDE) 1 192.168.60.0 255.255.255.0
  2. Set up the corresponding global command with the address you want to translate to. global (OUTSIDE) 1 66.123.45.91

To configure static Network Address Translation for 1-to-1 mappings for hosts like web servers, use the static command.

Syntax for the static NAT command – static (real_interface,mapped_interface) mapped_ip real_ip netmask mask. Note the argument order: the interfaces are listed real first, mapped second, but the addresses are listed mapped (public) first, real (private) second. Getting this backwards is the most common mistake with this command.

  • static (INSIDE,OUTSIDE) 210.193.162.197 192.168.10.2 netmask 255.255.255.255
  • static (DMZ,OUTSIDE) 66.123.45.95 192.168.64.45 netmask 255.255.255.255

Commands to view NAT details:

  • show xlate – displays the active translation slots (the static and PAT mappings currently in use).
  • show local-host – displays the active TCP and UDP flows through the firewall for all hosts or a specific host.

Configure Logging on the ASA

To configure buffered logging and syslog logging:

  • Enable logging. logging enable
  • Timestamp log messages. logging timestamp
  • Enable buffered logging at severity errors (3) and more severe. logging buffered errors (by default the ASA allocates 4096 bytes of memory for the buffer; this can be changed with the command logging buffer-size xxxx)
  • To automatically save the buffered logs to flash memory when the buffer wraps:
    • Enable saving to flash. logging flash-bufferwrap
    • Set the minimum free flash space, in KB, the ASA must keep so that other admin tasks can still be performed. logging flash-minimum-free 4000
    • Set the maximum flash space, in KB, the ASA may use to store buffered logs. logging flash-maximum-allocation 2000
  • Enable logging to a syslog server:
    • Enable logging to a UDP syslog server. logging host inside 192.168.10.3 format emblem (EMBLEM format is only supported over UDP)
    • Enable logging to a TCP syslog server. logging host inside 192.168.10.3 tcp/port (the ASA's default TCP syslog port is 1470)
    • Set the severity level sent to syslog servers. logging trap debugging (debugging is level 7 and sends everything; on a busy firewall informational or notifications is usually enough, and debugging-level output can swamp both the ASA and the collector)
    • For TCP syslog servers the ASA fails closed: if the session to the syslog server cannot be established, new connections through the firewall are dropped. This default behaviour can be changed with the logging permit-hostdown command, at the cost of silently losing messages while the server is down.
  • You can limit the rate at which log messages are generated with logging rate-limit 1 1 level x, where x is the logging level and 1 1 means at most 1 message per 1 second (count, then interval).

To view buffered logs, show logging

To view the logs saved to flash, dir flash:/syslog

Splunk is a handy tool for analysing the Syslog output – http://www.splunk.com
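Once the ASA is sending syslog to a collector, the messages are worth more than a search box. The following added example (not from the original post) parses a handful of constructed ASA messages, shows how many of them each logging level would keep, and flags a source that is being denied on several destination ports by the outside_in access list. The interface and ACL names are the post's; the addresses are documentation ranges and every log line is constructed.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the original post. Constructed ASA syslog lines of the
# kind 'logging host ...' ships to a collector (timestamps as 'logging timestamp'
# writes them). Interface and ACL names come from the post; addresses are from
# documentation ranges.
SAMPLE_LOG = """\
Jul 02 2009 10:15:01: %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.9/51515 dst DMZ:192.168.64.45/22 by access-group "outside_in" [0x0, 0x0]
Jul 02 2009 10:15:02: %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.9/51516 dst DMZ:192.168.64.45/23 by access-group "outside_in" [0x0, 0x0]
Jul 02 2009 10:15:02: %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.9/51517 dst DMZ:192.168.64.45/3389 by access-group "outside_in" [0x0, 0x0]
Jul 02 2009 10:15:05: %ASA-4-106023: Deny tcp src OUTSIDE:198.51.100.7/40001 dst DMZ:192.168.64.45/445 by access-group "outside_in" [0x0, 0x0]
Jul 02 2009 10:15:06: %ASA-6-302013: Built inbound TCP connection 4711 for OUTSIDE:198.51.100.7/40002 (198.51.100.7/40002) to DMZ:192.168.64.45/80 (66.123.45.95/80)
Jul 02 2009 10:16:00: %ASA-5-111008: User 'bob' executed the 'logging trap debugging' command.
"""

# %ASA-<severity>-<message id>: <body>
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# Body of message 106023 (ACL deny)
DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)

def parse_asa_line(line):
    """Split one syslog line into severity, message id and body; None if it is not an ASA message."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "body": m.group("body")}
    if rec["msgid"] == "106023":            # ACL deny: pull out the 5-tuple and the ACL name
        d = DENY.match(rec["body"])
        if d:
            rec.update(d.groupdict())
            rec["dport"] = int(rec["dport"])
    return rec

def parse_log(text):
    return [r for r in (parse_asa_line(l) for l in text.splitlines()) if r]

def count_by_severity(records):
    """Messages per severity level (0 = emergencies ... 7 = debugging)."""
    return Counter(r["severity"] for r in records)

def kept_at_level(records, level):
    """Messages a 'logging buffered/trap <level>' setting would keep: that level and more severe."""
    return [r for r in records if r["severity"] <= level]

def denied_ports_by_source(records):
    """Map each denied source IP to the set of (destination IP, port) it was denied on."""
    ports = defaultdict(set)
    for r in records:
        if r["msgid"] == "106023" and "sip" in r:
            ports[r["sip"]].add((r["dip"], r["dport"]))
    return ports

def flag_scanners(records, min_ports=3):
    """Sources denied on at least min_ports distinct destinations: a crude port-scan detector."""
    return sorted(ip for ip, p in denied_ports_by_source(records).items() if len(p) >= min_ports)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by severity:", dict(count_by_severity(recs)))
    print("kept by 'logging buffered errors':", len(kept_at_level(recs, 3)))
    print("possible scanners:", flag_scanners(recs))
```

Note what the severity counts tell you about the buffered-logging level above: with logging buffered errors the ACL denies (level 4) never reach the buffer at all, which is why the syslog level is usually set lower than the buffer level.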

Disable ICMP on the Outside Interface

The icmp command controls ICMP addressed to the ASA's own interfaces; ICMP passing through the firewall is governed by the access lists, not by this command. To stop the outside interface answering pings and other ICMP, use the global configuration command icmp deny any OUTSIDE. Once any icmp rule exists on an interface, ICMP that matches no permit entry is dropped, so add permit entries for anything you still need (for example echo-reply, if you ping outwards from the ASA itself).

Configuring Routes

To configure a default gateway, route outside 0.0.0.0 0.0.0.0 gatewayIP metric (the metric is optional and defaults to 1).

To configure routes for internal destination networks behind another router, route inside 192.168.10.0 255.255.255.0 gatewayIP metric

Configure Interface Duplex

Configure each interface's duplex with the interface subcommand duplex full, duplex half or duplex auto. A duplex mismatch with the switch port shows up as late collisions and CRC errors in show interface, so set both ends the same way.

Configure Access Lists

Access lists are configured similarly to those on a Cisco router. You create an extended access list with commands similar to the ones below (the text in parentheses is explanation, not part of the command):

  • access-list outside_in remark Allow port 80 to WebServer A (used to create comments in the access list; remark takes no extended keyword)
  • access-list outside_in extended permit tcp any host 192.168.80.4 eq 80 (allows traffic destined for 192.168.80.4 on port 80 through the firewall)
  • access-list outside_in extended permit tcp any object-group WebServerSubnet eq 80 (you can use an object-group to group multiple hosts or networks for which you need to allow the same ports, see below)
  • access-list outside_in extended deny ip any any log (block all other traffic and log it; the ASA already has an implicit deny at the end of every access list, but an explicit entry gives you a hit count in show access-list, and the log keyword produces a 106100 message per flow)

Entries are evaluated top to bottom and the first match wins, so order matters: a broad permit placed above a narrower deny makes the deny dead.

To create an object-group for use in your access lists, from global configuration mode:

  1. object-group network WebServerSubnet
  2. network-object 192.168.76.0 255.255.255.0

Object-group names are case-sensitive, so use exactly the same name in the access list as in the object-group definition.

Access lists are applied to an interface using access-group outside_in in interface outside, where in is the direction of the traffic flow relative to the interface (traffic arriving at the ASA on that interface). Only one access list can be applied per interface per direction.

Commands:

  • show access-list – show the access list, and also the hit count per entry.
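To make the first-match behaviour of the list above concrete, here is an added example (not from the original post) that parses the object-group and access-list lines as written, evaluates sample packets against them the way packet-tracer would, and keeps per-entry hit counts like show access-list. It handles only the subset of syntax the post uses (tcp/ip, any, host, object-group, eq port, remark, log); the sample packets in the test are constructed.

```python
import ipaddress

# Added example, not from the original post. The config text is the post's own
# object-group and access-list (with the remark in its real syntax); the
# evaluator applies the ASA rules: first match wins, implicit deny at the end.
CONFIG = """\
object-group network WebServerSubnet
 network-object 192.168.76.0 255.255.255.0
access-list outside_in remark Allow port 80 to WebServer A
access-list outside_in extended permit tcp any host 192.168.80.4 eq 80
access-list outside_in extended permit tcp any object-group WebServerSubnet eq 80
access-list outside_in extended deny ip any any log
"""

def _address(toks, i, groups):
    """Parse one address spec starting at toks[i]; return (list of networks, next index)."""
    if toks[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if toks[i] == "host":
        return [ipaddress.ip_network(toks[i + 1])], i + 2
    if toks[i] == "object-group":
        return groups[toks[i + 1]], i + 2
    return [ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}")], i + 2   # net mask

def parse_config(text):
    """Return (object_groups, acls): name -> [IPv4Network] and name -> ordered ACE list."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "network":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            if t[1] == "host":
                current.append(ipaddress.ip_network(t[2]))
            else:
                current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list":
            if "remark" in t[2:4]:
                continue                     # comments take no part in evaluation
            toks = t[3:] if t[2] == "extended" else t[2:]
            action, proto = toks[0], toks[1]
            src, i = _address(toks, 2, groups)
            dst, i = _address(toks, i, groups)
            port = None
            if i < len(toks) and toks[i] == "eq":
                port = int(toks[i + 1])
                i += 2
            acls.setdefault(t[1], []).append({
                "action": action, "proto": proto, "src": src, "dst": dst,
                "dport": port, "log": "log" in toks[i:], "hits": 0, "text": line})
    return groups, acls

def _in(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; no match means the implicit deny.
    Returns (action, matching ACE text or None) and bumps that ACE's hit counter."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_in(src, ace["src"]) and _in(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        ace["hits"] += 1
        return ace["action"], ace["text"]
    return "deny", None

def hit_counts(acl):
    """Per-entry hit counts, the way 'show access-list' reports them."""
    return [(ace["text"], ace["hits"]) for ace in acl]

if __name__ == "__main__":
    _, acls = parse_config(CONFIG)
    acl = acls["outside_in"]
    print(evaluate(acl, "tcp", "203.0.113.9", "192.168.80.4", 80))
    print(evaluate(acl, "tcp", "203.0.113.9", "192.168.76.20", 443))
    for text, hits in hit_counts(acl):
        print(f"{hits:>4}  {text}")
```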

Enable Remote Management Using SSH

To enable remote management of the ASA using SSH:

  1. Set the domain name (the RSA key is named after the hostname and domain). domain-name blah.blah
  2. Generate the RSA key pair used as the SSH host key. crypto key generate rsa (specify modulus 2048; the default key length is shorter than you want on a management interface)
  3. Allow SSH from a network on an interface: ssh 192.168.2.0 255.255.255.0 management, or from a specific host: ssh 192.168.19.74 255.255.255.255 inside
  4. Restrict the SSH version. ssh version 2
  5. Point SSH authentication at a user database. Without this the ASA expects the default username pix with the login password; aaa authentication ssh console LOCAL makes it authenticate against the users created under Add Users below.

Add Users

Add users to the ASA using the following command syntax from global configuration mode:

command syntax: username name {nopassword | password password [mschap]} [privilege priv_level]

username bob password cisco1234 privilege 15

Other Commands

  • Use packet-tracer to simulate a flow through the ASA and see how it will process a given packet (which ACL entry, NAT rule and route it matches, and where it gets dropped). Example: packet-tracer input outside tcp 66.55.44.33 1459 201.6.44.3 80 detailed
  • Use packet capture to check whether packets are actually being received and transmitted by the ASA. Example capturing an internal host telnetting to an external server (an access list selects the traffic in both directions, then the capture is bound to it on an interface):
    • access-list telnet-acl extended permit tcp host 192.168.5.3 host 203.55.44.22 eq telnet
    • access-list telnet-acl extended permit tcp host 203.55.44.22 eq telnet host 192.168.5.3
    • capture telnet-cap access-list telnet-acl interface inside
    • View the captured packets with show capture telnet-cap.


Cisco, Firewall, Networking, Security

GFI WebMonitor For Microsoft ISA Server Review

June 28th, 2009

“GFI WebMonitor is a comprehensive monitoring tool that plugs in and compliments the functionality provided by Microsoft ISA Server to enable you to monitor and filter network users’ web traffic (browsing and file downloads) in real time. It enables you to block web connections in progress as well as to scan traffic for viruses, trojans, spyware and phishing material.”

GFI WebMonitor installs on top of Microsoft's Internet Security and Acceleration Server, adding much greater and simpler control of ingress and egress web traffic. Because it installs directly on top of your existing ISA Server installation there are no other prerequisites required in order to run the installation. The installation is a simple and short step-by-step wizard, making deployment easy.

After installation of WebMonitor is complete, management is done via an integrated management console. The management interface is a two frame window, with a tree driven menu system on the left and a display view on the right. All settings can be reached from the left menu.

The main Dashboard gives easy reference to some key statistics: Total Bandwidth Consumed (a key number for businesses with a limited amount of bandwidth), Blocked AV & Anti-Phishing, Downloads & IMs, and Web requests. All of these can be mapped to the User/IP and time at the bottom of the screen.

Some of the Key Features include:

Bandwidth consumption. After selecting Bandwidth Consumption from the menu the administrator has multiple report options which will be beneficial for reporting to management including, Top Sites and Top Users, allowing you to easily identify users breaching company Internet policies and using large amounts of bandwidth.

User History. This section allows the administrator to view reports pertaining to user-specific data, including Top Surfers (which shows how much time a user has spent browsing), Top Hit Count and Top Policy Breakers.

Both Whitelists and Blacklists can be specified for user, IP, or site to block or allow certain types of access irrespective of settings configured in WebMonitor. This allows you to easily block specific domains and subdomains.

Web Filtering Policies can be defined for groups of users to control access to the Internet and a time schedule can be configured on each policy. This could be used to allow users access to social networking sites like Facebook during lunch time only for example.

Download Policies can be defined similarly to Web Filtering policies, allowing an administrator to define what types of files users can and can't download. This is very helpful, as an administrator could block file types such as ZIP for general users but allow ZIP for another group of users who need those file types to perform their daily roles. Additional content types can also be added.

Access to IM can also be controlled using administratively defined policies.

WebMonitor is a welcome add on to ISA server which lacks the much needed functionality it provides.

For more information visit the GFI WebMonitor product page using the following links:

Reviews ,

DPM Agent Install on Domain Controller – Ensure that the Windows Management Information (WMI) service NO_PARAM is started and is accessible from the DPM server

April 28th, 2009

When installing the DPM agent on a domain controller you receive the following error messages:

The following log is created in the Windows DPM Alerts event log:

Event Type: Warning

Event Source: DPM-EM

Event Category: None

Event ID: 1

Date: 4/28/2009

Time: 10:40:37 AM

User: N/A

Computer: DPMSERVER1

Description:

Agent operation failed. (ID: 370)

DPM is unable to retrieve the configuration information from DC02.domain.local. (ID: 346)

DPM ID: 0^|^DPMSERVER1^|^Agent operation failed^|^DPM^|^Administration^|^DPMSERVER1^|^f57f22b2-f55c-4b20-8155-13d24bede4dc

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

With the following snippet of the error message shown in the DPM MMC window:

Ensure that the Windows Management Information (WMI) service NO_PARAM is started and is accessible from the DPM server

To resolve this you need to enable the Global Catalog on the domain controller you're trying to protect and wait for replication to complete (or force replication immediately). Once this is done, re-run the agent installation and it should install successfully.

DPM 2007, Microsoft

A Day In The Trenches With A Windows Server 2003 Domain Environment

April 23rd, 2009

Not an entire day, but long enough. Let me give you a rundown. The other day I was moving the PDC and BDC roles between two servers while I was rebuilding and decommissioning them. The first move was successful and the original PDC was rebuilt. I then moved the FSMO roles back and started the same procedure (see my post here for the steps: http://blog.networkfoo.org/?p=125). As I was doing this I started to run into a multitude of problems and error messages. I'll post a copy of each of these errors and, where available, the steps I took to resolve them. (Some of the errors were compounding on top of other errors, so where I've fixed the root cause there won't be a solution for the additional errors generated.)

Errors Occurring on the old PDC:

These errors were preventing the new PDC from fully becoming a domain controller, and also the (now) BDC server from correctly becoming a domain controller:

Event Type:        Warning

Event Source:    LSASRV

Event Category:                SPNEGO (Negotiator) 

Event ID:              40960

Date:                     22/04/2009

Time:                     11:19:53 AM

User:                     N/A

Computer:          BDC01

Description:

The Security System detected an authentication error for the server LDAP/BDC01.  The failure code from authentication protocol Kerberos was “There are currently no logon servers available to service the logon request.

 (0xc000005e)”.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 5e 00 00 c0               ^..À    

Event Type:        Warning

Event Source:    LSASRV

Event Category:                SPNEGO (Negotiator)

Event ID:              40960

Date:                     22/04/2009

Time:                     11:19:38 AM

User:                     N/A

Computer:          BDC01

Description:

The Security System detected an authentication error for the server cifs/domain.local.  The failure code from authentication protocol Kerberos was “There are currently no logon servers available to service the logon request.

 (0xc000005e)”.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 5e 00 00 c0               ^..À    

Event Type:        Warning

Event Source:    LSASRV

Event Category:                SPNEGO (Negotiator)

Event ID:              40960

Date:                     22/04/2009

Time:                     11:19:38 AM

User:                     N/A

Computer:          BDC01

Description:

The Security System detected an authentication error for the server ldap/BDC01.domain.local.  The failure code from authentication protocol Kerberos was “There are currently no logon servers available to service the logon request.

 (0xc000005e)”.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 5e 00 00 c0               ^..À    

This is one of those errors that I like. Why? Because it tells you exactly how to fix it. Follow the instructions at the bottom of the error to resolve it; if you don't want to wait the five minutes for the polling interval you can run net stop ntfrs && net start ntfrs to cycle the NTFRS service. Don't forget to set the registry key back to 0 after it's fixed.

 

Event Type:        Error

Event Source:    NtFrs

Event Category:                None

Event ID:              13568

Date:                     22/04/2009

Time:                    11:20:19 AM

User:                     N/A

Computer:          BDC01

Description:

The File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” is in JRNL_WRAP_ERROR. 

 

 Replica set name is    : “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” 

 Replica root path is   : “c:\windows\sysvol\domain” 

 Replica root volume is : “\\.\C:” 

 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons. 

 

 [1] Volume “\\.\C:” has been formatted. 

 [2] The NTFS USN journal on volume “\\.\C:” has been deleted. 

 [3] The NTFS USN journal on volume “\\.\C:” has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal. 

 [4] File Replication Service was not running on this computer for a long time. 

 [5] File Replication Service could not keep up with the rate of Disk IO activity on “\\.\C:”. 

 Setting the “Enable Journal Wrap Automatic Restore” registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state. 

 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run “net stop ntfrs” followed by “net start ntfrs” to restart the File Replication Service. 

 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set. 

 

WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again. 

 

To change this registry parameter, run regedit. 

 

Click on Start, Run and type regedit. 

 

Expand HKEY_LOCAL_MACHINE. 

Click down the key path: 

   “System\CurrentControlSet\Services\NtFrs\Parameters” 

Double click on the value name 

   “Enable Journal Wrap Automatic Restore” 

and update the value. 

 

If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Once the above error has been resolved you should see some nicer event log entries.

Event Type:        Warning

Event Source:    NtFrs

Event Category:                None

Event ID:              13560

Date:                     22/04/2009

Time:                     1:18:13 PM

User:                     N/A

Computer:          BDC01

Description:

The File Replication Service is deleting this computer from the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” as an attempt to recover from the error state,

 Error status = FrsErrorSuccess

 At the next poll, which will occur in 5 minutes, this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:        Information

Event Source:    NtFrs

Event Category:                None

Event ID:              13553

Date:                     22/04/2009

Time:                     1:23:13 PM

User:                     N/A

Computer:          BDC01

Description:

The File Replication Service successfully added this computer to the following replica set: 

    ”DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” 

 

Information related to this event is shown below: 

Computer DNS name is “BDC01.domain.local” 

Replica set member name is "BDC01"

Replica set root path is “c:\windows\sysvol\domain” 

Replica staging directory path is “c:\windows\sysvol\staging\domain” 

Replica working directory path is “c:\windows\ntfrs\jet”

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Before the NTFRS error/s were resolved the new PDC could not get successful replication of the SYSVOL files, which was causing some major problems.
Event Type:        Information
Event Source:    NtFrs
Event Category:                None
Event ID:              13554
Date:                     22/04/2009
Time:                     1:23:13 PM
User:                     N/A
Computer:          BDC01
Description:
The File Replication Service successfully added the connections shown below to the replica set: 
    ”DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” 
 
      ”PDC01.domain.local” 
      ”PDC01.domain.local” 
      
 
More information may appear in subsequent event log messages.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:        Information
Event Source:    NtFrs
Event Category:                None
Event ID:              13516
Date:                     22/04/2009
Time:                     1:23:14 PM
User:                     N/A
Computer:          BDC01
Description:
The File Replication Service is no longer preventing the computer BDC01 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL. 
 
Type “net share” to check for the SYSVOL share.
I had some more errors still after fixing the NTFRS problems.
Event Type:        Error
Event Source:    NETLOGON
Event Category:                None
Event ID:              5719
Date:                     22/04/2009
Time:                     2:10:26 PM
User:                     N/A
Computer:          BDC01
Description:
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following: 
There are currently no logon servers available to service the logon request.  
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  
ADDITIONAL INFO 
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 5e 00 00 c0               ^..À    
Using netdiag I was able to get more confirmation of this:
netdiag : corresponding error message
Trust relationship test. . . . . . : Failed
    [FATAL] Secure channel to domain ‘DOMAIN’ is broken. [ERROR_NO_LOGON_SERVERS]
Using the nltest command:
C:\>nltest /SC_QUERY:domain.local
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
I noticed that the Netlogon service had failed to start on the PDC. Once I started it manually the NETLOGON and SYSVOL shares replicated successfully to the PDC, and running the nltest command again produced a much better result:
C:\>nltest /SC_QUERY:domain.local
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\PDC01.domain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
Some of the other errors I encountered mixed in with all the NTFRS errors:
C:\>w32tm /resync /rediscover
Sending resync command to local computer…
The computer did not resync because no time data was available.
Event Type:        Warning
Event Source:    W32Time
Event Category:                None
Event ID:              14
Date:                     22/04/2009
Time:                     12:13:30 PM
User:                     N/A
Computer:          BDC01
Description:
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:        Error
Event Source:    W32Time
Event Category:                None
Event ID:              29
Date:                     22/04/2009
Time:                     12:13:30 PM
User:                     N/A
Computer:          BDC01
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:        Error
Event Source:    Userenv
Event Category:                None
Event ID:              1054
Date:                     22/04/2009
Time:                     1:21:27 PM
User:                     NT AUTHORITY\SYSTEM
Computer:          BDC01
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:        Error
Event Source:    Userenv
Event Category:                None
Event ID:              1054
Date:                     22/04/2009
Time:                     1:21:27 PM
User:                     NT AUTHORITY\SYSTEM
Computer:          BDC01
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:        Error
Event Source:    Userenv
Event Category:                None
Event ID:              1054
Date:                     22/04/2009
Time:                     1:21:27 PM
User:                     NT AUTHORITY\SYSTEM
Computer:          BDC01
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Some other helpful commands (they appear in the links below, but I've copied them here for convenience):
Verify Communication with Other Domain Controllers
Netdiag /test:dsgetdc 
If successful the last line will say DC discovery test..: Passed (with /v the DCs that were found are listed).
To use Nltest.exe to verify global catalog server readiness
  1. At a command prompt, type the following, using the name of the server you have added the global catalog to and the domain of the server: nltest /server:ServerName /dsgetdc:DomainName
  2. In the Flags: line of the output, if GC appears, then the global catalog server has satisfied its replication requirements.
C:\>nltest /server:PDC01 /dsgetdc:domain.local
           DC: \\PDC01.domain.local
      Address: \\192.168.254.2
     Dom Guid: fb3988aa-53e9-490a-bbd3-e79d432d8ac6
     Dom Name: domain.local
  Forest Name: domain.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE
The command completed successfully
To verify replication is functioning
  1. To check if replication is working, at a command prompt type the following command and press ENTER: dcdiag /test:replications (the /v option does not display any significant additional information for this test). Messages indicate that the connectivity and replications tests passed.
  2. To verify that the proper permissions are set for replication, at a command prompt type the following command and press ENTER: dcdiag /test:netlogons. Messages indicate that the connectivity and netlogons tests passed.

Verify Successful Replication to a Domain Controller

Use Repadmin.exe to verify success of replication to a specific domain controller. Run the /showreps command on the domain controller that receives replication (the destination domain controller). In the output under INBOUND NEIGHBORS, Repadmin.exe shows the Lightweight Directory Access Protocol (LDAP) distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether it succeeded or not, as follows:

  • Last attempt @ YYYY-MM-DD HH:MM.SS was successful.
  • Last attempt @ [Never] was successful.

Requirements

  • Credentials: Domain Admins in the domain of the destination domain controller
  • Tools: Repadmin.exe (Support Tools)

To verify successful replication to a domain controller

  1. At a command prompt, type the following command and then press ENTER: repadmin /showreps ServerName /u:DomainName\UserName /pw:* where ServerName is the name of the destination domain controller, DomainName is the single-label name of the domain of the destination domain controller (you do not have to use a fully qualified DNS name), and UserName is the name of an administrative account in that domain.
  2. When prompted, type the password for the user account you provided, and then press ENTER.

The last successful attempt should agree with the replication schedule for intersite replication, or should be within the last hour for intrasite replication. When replication has never occurred, the message indicates that the last success was never.

If Repadmin.exe reports any of the following conditions, contact a superior:
  • The last successful intersite replication was prior to the last scheduled replication.
  • The last intrasite replication was longer than one hour ago.
  • Replication was never successful.
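An added example (not from the original post) that applies those three conditions to the output of repadmin /showreps, which is handy when you have more partitions and partners than you want to eyeball. The repadmin text below is constructed to look like the real INBOUND NEIGHBORS block, using the post's DC and site names plus an assumed branch site; the intersite schedule of three hours is likewise an assumption to replace with your own.

```python
import re
from datetime import datetime, timedelta

# Added example, not from the original post. Constructed 'repadmin /showreps'
# output: BDC01 pulling from PDC01 in its own site (Default-First-Site-Name)
# and from an assumed DC03 in an assumed Branch-Site. Timestamps match the
# post's 22/04/2009 events.
SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\BDC01
DSA Options: IS_GC
Site Options: (none)

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=local
    Default-First-Site-Name\\PDC01 via RPC
        Last attempt @ 2009-04-22 13:23:14 was successful.

CN=Configuration,DC=domain,DC=local
    Default-First-Site-Name\\PDC01 via RPC
        Last attempt @ 2009-04-22 11:19:38 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        12 consecutive failure(s).
        Last success @ 2009-04-21 09:00:00.

CN=Schema,CN=Configuration,DC=domain,DC=local
    Branch-Site\\DC03 via RPC
        Last attempt @ [Never] was successful.
"""

# Accept both HH:MM:SS (real output) and the HH:MM.SS form quoted in the text.
STAMP = r"\[Never\]|\d{4}-\d{2}-\d{2} \d{2}:\d{2}[:.]\d{2}"
ATTEMPT = re.compile(rf"Last attempt @ ({STAMP}) (was successful|failed)")
SUCCESS = re.compile(rf"Last success @ ({STAMP})")
SOURCE = re.compile(r"^ {4}\S+\\\S+ via ")

def _ts(text):
    """'[Never]' -> None, otherwise a datetime."""
    if text == "[Never]":
        return None
    return datetime.strptime(text.replace(".", ":"), "%Y-%m-%d %H:%M:%S")

def parse_showreps(text, local_site):
    """One record per (partition, source DC) with the time of the last successful inbound sync."""
    records, partition, source = [], None, None
    for line in text.splitlines():
        if line.startswith(("DC=", "CN=")):                  # partition DN header
            partition = line.strip()
        elif SOURCE.match(line):                              # '    Site\DC via RPC'
            site, dc = line.strip().split(" via ")[0].split("\\")
            source = {"partition": partition, "site": site, "dc": dc,
                      "intrasite": site == local_site, "last_success": None}
            records.append(source)
        elif source is not None:
            m = ATTEMPT.search(line)
            if m and m.group(2) == "was successful":
                source["last_success"] = _ts(m.group(1))
            m = SUCCESS.search(line)
            if m:                                             # follows a failed attempt
                source["last_success"] = _ts(m.group(1))
    return records

def stale_replication(records, now, intersite_schedule=timedelta(hours=3)):
    """The three conditions from the text; returns [(partition, source DC, reason)]."""
    problems = []
    for r in records:
        age = None if r["last_success"] is None else now - r["last_success"]
        if age is None:
            problems.append((r["partition"], r["dc"], "never replicated"))
        elif r["intrasite"] and age > timedelta(hours=1):
            problems.append((r["partition"], r["dc"], "intrasite older than 1 hour"))
        elif not r["intrasite"] and age > intersite_schedule:
            problems.append((r["partition"], r["dc"], "intersite older than schedule"))
    return problems

if __name__ == "__main__":
    recs = parse_showreps(SAMPLE_SHOWREPS, "Default-First-Site-Name")
    for p in stale_replication(recs, datetime(2009, 4, 22, 13, 30)):
        print(p)
```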

Some Helpful Links I Found When Fixing The Above Problems:

Microsoft, Server 2003

Using Log Parser to Generate Bandwidth Usage Statistics

March 4th, 2009

Using Log Parser you can easily generate simple output from different types of log files. A handy use for this is to quickly output the amount of data received and sent for an IIS website. To get this going there are some things you need to make sure are set:

  • You must ensure you are logging the sc-bytes (Bytes Sent) and cs-bytes (Bytes Received) fields in your IIS site log settings; without them the SUM columns below come out empty. To check this:
    • Open the IIS MMC.
    • Expand the server.
    • Expand Web Sites
    • Right click the site you intend to run the report against, click Properties
    • On the Properties screen, under Enable logging, click Properties (for the purposes of this post my log format is set to W3C Extended)
    • On the Logging Properties screen, click the Advanced tab.
    • Locate Bytes Sent, and Bytes Received, and check them both.
  • Install Log Parser - http://www.microsoft.com/DownLoads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Process:

  • On your server create a new directory where you will run the Log Parser scripts from, and also where the output log will be created.
  • Inside this folder create a new file called lp_bandwidth.sql (or whatever you like just make sure it’s .sql). Paste the following into the lp_bandwidth.sql file:

SELECT QUANTIZE(TO_TIMESTAMP(date, time), 2678400) AS Month,
       COUNT(*) AS Total,
       SUM(cs-bytes) AS TotBytesRecv,
       SUM(sc-bytes) AS TotBytesSent
FROM %myInput%
GROUP BY Month
ORDER BY Month

  • Save and close the file.
  • Create a new file, logrun.bat in the same directory.
  • Edit the file and paste the following in (replace the site name and the log directory to suit your server):

for /f "tokens=2-4 delims=/ " %%g in ('date /t') do (
  set mm=%%g
  set dd=%%h
  set yy=%%i
)
REM The output of 'date /t' depends on the regional settings. In the dd/mm/yyyy
REM locale used here the tokens are day, month, year, so %dd% actually holds the
REM current month, which is what the exYYMM* IIS log file name pattern below
REM needs (the year is hard-coded as 09). Check 'date /t' on your own server
REM before relying on these variables.
@ECHO ------www.WebsiteName.COM.AU------ >> LOG%dd%.TXT
logparser file:lp_bandwidth.sql?myInput=E:\logs\W3SVC1242729846\ex09%dd%*.log >> LOG%dd%.TXT

  • For each additional website, repeat the @ECHO and logparser lines above in logrun.bat, changing the site name and the log directory for each site.
  • Once done, save and close logrun.bat. Now you can simply double-click logrun.bat; it will analyse the log files and generate the output file LOG%dd%.TXT.
  • In the lp_bandwidth.sql file above I'm using a period of a month (SELECT QUANTIZE(TO_TIMESTAMP(date, time), 2678400) AS Month,) to determine the output period. You can modify the 2678400 (31 days in seconds) to a week or a day as you require. Note that QUANTIZE truncates the timestamp to a multiple of that many seconds, so the buckets are fixed 31-day steps rather than calendar months, which is why the sample output's bucket starts on 2009-01-27 rather than on the 1st.
  • The following is the output generated once logrun.bat is run:
------www.WebsiteName.COM.AU------
Month               Total   TotBytesRecv TotBytesSent
------------------- ------- ------------ ------------
2009-01-27 00:00:00 1398815 1041442202   55597781591

Statistics:
-----------
Elements processed: 1398815
Elements output:    1
Execution time:     11.50 seconds
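As an added example (not from the original post), here is the same aggregation done in Python, useful when Log Parser is not installed or you want to validate its numbers. It reads the #Fields header so it fails loudly when Bytes Sent/Received are not being logged, treats the "-" IIS writes for an unknown value as zero, and buckets by calendar month rather than Log Parser's 31-day QUANTIZE steps. The log lines and field list are constructed.

```python
from collections import defaultdict

# Added example, not from the original post. Constructed W3C Extended IIS log
# with the Bytes Sent (sc-bytes) and Bytes Received (cs-bytes) fields enabled.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-01-27 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes cs-bytes
2009-01-27 00:00:01 198.51.100.10 GET /index.html 200 5120 310
2009-01-27 08:12:44 198.51.100.11 GET /files/big.zip 200 104857600 290
2009-02-03 12:00:00 198.51.100.12 POST /upload 201 220 2097152
2009-02-28 23:59:59 198.51.100.10 GET /index.html 304 180 -
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names, in order
        elif line.startswith("#") or not line.strip():
            continue                            # other directives, blank lines
        else:
            if fields is None:
                raise ValueError("data line before any #Fields header")
            yield dict(zip(fields, line.split()))

def _bytes(value):
    """IIS writes '-' when a value is unknown; count it as zero."""
    return 0 if value == "-" else int(value)

def month_bucket(rec):
    """Calendar month, YYYY-MM (Log Parser's QUANTIZE(..., 2678400) uses 31-day steps instead)."""
    return rec["date"][:7]

def bandwidth_by_month(text):
    """{month: {'Total': requests, 'TotBytesRecv': sum cs-bytes, 'TotBytesSent': sum sc-bytes}}"""
    totals = defaultdict(lambda: {"Total": 0, "TotBytesRecv": 0, "TotBytesSent": 0})
    for rec in parse_w3c(text):
        if "sc-bytes" not in rec or "cs-bytes" not in rec:
            raise ValueError("enable Bytes Sent and Bytes Received in the IIS log settings")
        b = totals[month_bucket(rec)]
        b["Total"] += 1
        b["TotBytesRecv"] += _bytes(rec["cs-bytes"])
        b["TotBytesSent"] += _bytes(rec["sc-bytes"])
    return dict(sorted(totals.items()))

if __name__ == "__main__":
    print(f"{'Month':<8}{'Total':>8}{'TotBytesRecv':>14}{'TotBytesSent':>14}")
    for month, b in bandwidth_by_month(SAMPLE_LOG).items():
        print(f"{month:<8}{b['Total']:>8}{b['TotBytesRecv']:>14}{b['TotBytesSent']:>14}")
```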

References

IIS, Microsoft