Saturday 7 August 2010

Archive files with Robocopy

I have a few customers who keep all the data from the first server they ever had, so we are looking at data from the 1990s onward! It always strikes me that if you don't need to keep data for legal reasons, then once it hasn't been accessed for 6 months it is ready to be archived off the server to NAS and then to offsite storage.

Robocopy is a tool that can help with this process. It can perform all sorts of file copy operations, and in this case it can move files that have not been accessed since a given date to a new location while keeping the folder structure intact.

robocopy c:\share d:\archive\share /S /SEC /MOV /MINLAD:20081231 /L

This command uses the following switches:

/S - copy all subdirectories that contain files (empty ones are skipped)
/SEC - copy files with their security (NTFS ACLs), so the archived copies keep the same permissions
/MOV - move the files (delete them from the source after copying); /MOVE would also remove the emptied folders
/MINLAD:YYYYMMDD - select only files that have not been accessed since this date (files used on or after it are excluded)
/L - list only: test the operation before you copy for real, very handy!
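A wrapper for the archive step above, added here as an example (it is not part of the original post): it computes the /MINLAD cut-off from "6 months ago", keeps robocopy in /L mode unless -Commit is given, and first checks that NTFS last-access updates are actually enabled, because Windows Server 2008 and later disable them by default and then /MINLAD selects on stale dates. The source and destination paths are assumed.

```powershell
# Added example: dry-run archive of files idle for N months, same switches as the post.
param(
    [string]$Source      = 'C:\share',            # assumed source share
    [string]$Destination = 'D:\archive\share',    # assumed archive location
    [int]$MonthsIdle     = 6,
    [switch]$Commit                               # omit to stay in /L (list-only) mode
)

# /MINLAD needs YYYYMMDD; files last accessed before this date are selected.
$cutoff = (Get-Date).AddMonths(-$MonthsIdle).ToString('yyyyMMdd')

# /MINLAD relies on NTFS last-access timestamps. DisableLastAccess = 1 or 3 means
# Windows is not updating them, so the selection would be meaningless: stop here.
$lastAccess = fsutil behavior query DisableLastAccess
if ($lastAccess -match '=\s*[13]\b') {
    Write-Warning "Last-access updates are disabled: $lastAccess"
    Write-Warning 'Enable them (fsutil behavior set DisableLastAccess 0) and wait before trusting /MINLAD.'
    return
}

$log = Join-Path $env:TEMP ("archive-{0}.log" -f $cutoff)
$roboArgs = @($Source, $Destination, '/S', '/SEC', '/MOV', "/MINLAD:$cutoff", "/LOG:$log", '/NP')
if (-not $Commit) { $roboArgs += '/L' }   # dry run unless -Commit was given

& robocopy @roboArgs | Out-Null
$rc = $LASTEXITCODE

# Robocopy exit codes are a bitmask: values 0-7 are success states,
# 8 and above mean some files or directories could not be copied.
if ($rc -ge 8) {
    Write-Error "robocopy reported failures (exit code $rc); review $log before re-running."
} else {
    Write-Host "robocopy finished with exit code $rc; summary in $log"
    Select-String -Path $log -Pattern '^\s+(Dirs|Files|Bytes)\s*:' | ForEach-Object { $_.Line }
}
```

Run it once without -Commit, read the Dirs/Files/Bytes summary in the log, and only then run it again with -Commit.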

Monday 2 August 2010

Non-admin users cannot log on to Citrix PS4.5 with RDP

I had an issue where some users had to log on to a Citrix Presentation Server 4.5 via RDP because the VPN tunnel from their remote site was down. It was a temporary workaround, but when we connected via RDP this error was displayed:

"Connection Error : The desktop you are trying to open is currently available only to administrators"

This is related to the Terminal Services Configuration and the RDP listener: under the Citrix Settings there is a check box that says "Non published applications for Administrators only". The full desktop counts as a non-published application, and in my case my users needed the full desktop.

I cleared this check box and they could log on as normal with RDP.

Sunday 1 August 2010

SSH to a Cisco 1841 using route-map statements for PAT

I had a problem with a Cisco 1841 router: I could not get access to it from a remote location using SSH to the router's WAN IP.

I had been able to do this on a Cisco 877 but could not make it work on the 1841. After some head scratching and forum posting I was given a clue when I looked at the firewall logs. They showed that the packets were reaching the router fine, but the return packets were coming back from the wrong port, and this caused them to be dropped.

The firewall log entry is shown here:

%FW-6-DROP_PKT: Dropping tcp session 78.xx.xx.xx:3 86.xx.xxxx:45369 on zone-pair ccp-zp-self-out class ccp-icmp-access due to  Invalid Flags with ip ident 0

The log shows that the return packet has a source port of 3, but I know the connection entered on port 22 for SSH, so something has changed the packet's source port before it was sent back.

The answer is that NAT/PAT is involved: the return packets are being PATed as they go back out of the ATM interface. The 1841 routers all use a route map so that I can have two PAT statements and fail over between the two ATM interfaces. So when the connection is made with SSH on port 22, the PAT statements translate the router's own reply traffic on the way back out, which violates the zone-based firewall (ZBF) inspection rules and the packets get dropped.

To resolve this you have to add an ACL to the route map that allows only the traffic you want to be PATed and denies everything else.

The current PAT statement and route map are:

ip nat inside source route-map O2 interface ATM0/0/0.1 overload

route-map O2 permit 10
 match interface ATM0/0/0.1

So this route map needs an ACL added so that only traffic from my internal network is PATed. I created the new ACL below and added it to the route map (the deny entry is implicit at the end of every ACL, but I list it for clarity):

access-list 120 permit ip 192.168.110.0 0.0.0.255 any
access-list 120 deny ip any any

route-map O2 permit 10
 match interface ATM0/0/0.1
 match ip address 120

Now that the ACL is part of the route map, when a connection is made on port 22 the return traffic is checked against the route-map ACL. Its source IP (the router's own WAN address) is not in the 192.168.110.0/24 subnet, so it is not PATed and leaves through the ZBF with the correct source port of 22, which passes ZBF inspection.