KodeTitan's questions

I have a network with a Windows 2008 R2 server with Routing and Remote Access installed on a cloud platform with a PUBLIC and PRIVATE IP address. I have successfully configured the Fortigate FW and the 2008 server to negotiate Phase 1 and Phase 2 of the connection. Everything looks fine up to that point.

When I try to ping from the LOCAL side of the Fortigate to the PRIVATE side of the 2008 R2 device I then run into problems. The tunnel comes up with phase 1 and phase 2 negotiating just fine, but the Windows Event Viewer shows the packets are getting blocked by the packet filter system under Windows.

Event viewer shows two error codes

Log Name: Security
Source: Microsoft Windows security
EventID: 5152
Task Category: Filtering Platform Packet Drop
  The Windows Filtering Platform has blocked a packet.

  Application Information:
Process ID:     0
Application Name:   -

  Network Information:
Direction:      Inbound
Source Address:     192.168.219.183
Source Port:        0
Destination Address:    10.182.193.3
Destination Port:       8
Protocol:       1

 Filter Information:  
Filter Run-Time ID: 74898
Layer Name:     Transport
Layer Run-Time ID:  12

The other event log entry is

Log Name: Security
Source: Microsoft Windows security
EventID: 4963
Task Category: IPsec Driver
  IPsec dropped an inbound clear text packet that should have been secured. 
  If the remote computer is configured with a Request Outbound IPsec policy, 
  this might be benign and expected.  This can also be caused by the remote 
  computer changing its IPsec policy without informing this computer. This 
  could also be a spoofing attack attempt.

  Remote Network Address:   192.168.219.183
  Inbound SA SPI:       0

I have gone as far as to turn off all filtering for each Windows FW domain for incoming connections with no luck. I continue to see these error messages repeated when I try to PING. I have also tested TELNET to the Windows Telnet server I had installed on the system as well with not luck either.

Has anyone dealt with the 2008 R2 Firewall for an IPSEC tunnel like this and had success? I find very spotty references elsewhere and none quite as deep in as this.

I have a BIND server running on Ubuntu that is failing to lookup www.microsoft.com or any records at Microsoft. All other domains like google.com and yahoo.com seem to be working just fine. I am looking for some suggestions on how to improve logging to figure out why BIND is having problems with this domain.

I already am capturing the query channel into the default_syslog and see the queries coming to the server, but I don't see the result of the efforts of the BIND server in trying to find the IP address of these names.

Symptoms

> ping www.microsoft.com fails on lookup, indicates host is not found

> dig @A.B.C.D www.microsoft.com also times out, where A.B.C.D is the IP address of this internal DNS server.

other queries seem to work fine

At this time, I am using db.root for the root servers and have no forwarders setup in this configuration. I would expect this server to be determining the root servers of microsoft.com and then being able to find the records from there. Thank you for any suggestions on how to improve logging detail in BIND and where to look for the log messages.

With ESX and ESXi, we recently had two systems where that the boot partition became degraded due to a failed disk. The only alert we managed to capture was the visual alert on the Dell servers. We failed to received any electronic alerts regarding the failed or degraded array.

Does anyone have any experience with monitoring for these types of failures? In both cases, the servers were running in a RAID 5 SCSI configuration (5 disks on one system, 3 disks on another) which if we were running a Windows Server OS, we would have had an alert created in the Eventviewer. Where would I begin to look for this solution. Can it be configured in VCenter or vFoglight?

I have a Postfix server that is having issues receiving a distribution email from a customer mail server that has over 100+ recipients. I have increased debug information using debug_peer_level and debug_peer_list.

What I have found is that after the Postfix server receives 99-102 "RCPT TO:" SMTP commands, it closes the connection.

The logs don't really indicate exactly what Postfix is doing at that point and I have increased my debug_peer_level to 99 to make sure I'm not missing any additional information.

We currently run a mail server using Postfix and Amavisd.

A client has asked us to see if we can archive all of their internet email and we had started with using the Postfix always_bcc option.

However, we have come to realize that when emails include BCC's, all of theat information is not proeproly preserved. The always_bcc message only has the TO: and CC: fields.

In our instance, the client mail server uses Postfix for smarthosting and at this point, I'm sure that the BCC information is intact when sent to the Postfix server. The logs will show the email going to the TO:, CC:, and BCC: field all using the same Postfix ID so I'm pretty sure the information is there.

I have recenly been looking at qpsmtpd as another option for capturing this information and trying to see what other otpions I may have for preserving tand archiving the email with the info.

Our company is looking to implement a policy of monitoring USB additions and removals to our corporate PC's running the Windows operating system. We know that we can just block USB usage for users with policies under certain condition, but our prefered option is to report these changes into the EventViewer so that they could be collected and reviewed on a daily, weekly, hourly basis.

Does anyone know of any tools or options which could be implemented across the Windows platform. I don't really need help with centralized collection of the information, only reliable reporting at the PC level.

We have a Postfix hub and I'm trying to better understand the information in the mail.log file. I use tools like qshape, pflogsumm.pl and amavis-logwatch to summarize the log files, but I have still have questions about some of the elements of the raw log file.

My first question is in regard to the delay entry that appears from Postfix when an email is finally delivered. I am guessing that these values are in seconds, but what does this information exactly mean.

delay=2.4, delays=0.18/0.01/1.4/0.81

Did the email take a total of 2.4 seconds to process?

What is the breakdown of timings in the delays section?