Unable to allocate processing resources. Error: No backup proxy is able to process this VM due to proxy processing mode restrictions.
There could be scenarios not listed in the KB, like the following quite specific one.
Imaging you have the following:
Imagine you then add the ESXi Host to vCenter and your backups start failing. It doesn’t matter if you disconnect/remove the host from vCenter – backups keep failing. (you don’t change anything in the Veeam configuration and still have your ESXi host directly added, not as a vCenter server)
When digging into the problem C:\ProgramData\Veeam\Backup\<jobname>\Job.<jobname>.Backup.log says:
Error Failed to connect to agent’s endpoint ‘<Backup Proxy IP>:2500’. Host: ‘<Backup Proxy IP>’.
Error No connection could be made because the target machine actively refused it <Backup Proxy IP>:2500 (System.Net.Sockets.SocketException)
Then looking at Backup Proxy logs at /var/log/VeeamBackup/<jobname>/Agent.LinuxFileCommander.log it reports quite a generic error:
ERR |Server session thread has failed.
The problem is that Veeam cannot identity it’s Backup Proxy VM on the ESXi host, since the VM is moved somewhere else within the “Hosts & Clusters tree” in Vmware. Reason of this is the addition of the ESXi Host to vCenter which creates a “tree” hierarchy for the <datacenter> <cluster> <VMs> and this configuration remains on the ESXi host even when disconnected from vCenter. However this hierarchy is not visible in the Veeam B&R VMware inventory! Other Backups solutions, like the Synology’s Active Backup for Business however correctly displays the tree structure of the ESXi host (Note the ha-datacenter and the cluster below. Real names are masked obviously.)
So, how to fix the issue? Probably during your troubleshooting attempts you’ve went through the properties of the Backup Proxy to verify your current configuration and you’ve seen this screen.
Most people would conclude that the selected VM is correct. However it isn’t – since it’s located at a different place with VMware’s “Host&Clusters” tree structure.
To fix this you have to browse and select the very same VM, saving the configuration. This makes Veeam update it’s config to point correctly to the Backup Proxy VM.
]]>Consider the following scenario:
We want an Upgrade to DSM 6.2.2 which involves several steps (not going into details here – you can google them):
TLDR – VMware sometimes mix the SATA Controllers order!
The expected behavior is SATA Controller 0 to be first (and our boot drive goes there) and SATA Controller 1 to be second. VMware replaced the order however! Why – haven’t dig into the details of the VMware order, but I wanted to understand why it messes up DSM.
First of all, how to recognize easily that ordering is messed up:
Then what’s the impact of this controller order – well it seems its in the specifics of the synology boot loader, which expects:
set sata_args=’sata_uid=1 sata_pcislot=5 synoboot_satadom=1 DiskIdxMap=0C SataPortMap=1 SasIdxMap=0′
Take a look at https://gugucomputing.wordpress.com/2018/11/11/experiment-on-sata_args-in-grub-cfg/ for a good explanation of sata_args
The solution – well – simply re-attach the disks to the other controller. For example the boot disk SATA (0:0) becomes SATA (1:0), DATA disks SATA (1:X) becomes SATA(0:X)
Here’s how they look like in BIOS after controller swap (Note the boot disk is at 2:0.0:0):
Few side notes:
Initiator Instance Does Not Exist.
Resolution was to uninstall the Microsoft iSCSI Initiator storage controller from device manage and install it again.
Steps:
Recently I was looking at why GCP TCP Load Balancer healthchecks were failing, despite I have configured strictly my local OS firewall to allow the documented health check IP ranges :
(https://cloud.google.com/compute/docs/load-balancing/network/ – Section Firewall rules and Network load balancing – 209.85.152.0/22
, 209.85.204.0/22
, and 35.191.0.0/16
at the time of writing).
Network Services–>Load Balancing–>Load Balancers tab was stating my instances were unhealthy:
Instance <instance name> is unhealthy for <LBIP>
It turned out Google is sending healthcheck from their metadata IP address instead – metadata.google.internal (169.254.169.254)
Allowing this in the OS firewall made the HCs succeed!
]]>Since it’s running on ESXi, the VMware disk extend was easy. However surprisingly or not the Synology part wasn’t. The GUI does not allow you to increase the size of the RAID Group (in my case Basic without protection – single disk RAID1, Storage Manager–>RAID Group–>Manage the “Expand” option is grayed out)
So it was obvious manual resize through SSH is necessary.
After some time spend on googling good articles for doing this, the best one i found was http://blog.azib.net/2013/12/how-i-upgraded-my-synology-nas-to.html. It explains quite well the overall process of manually extend the volume (extend the vmware disk partition, the MD device, the physical, virtual and logical LVM volumes) , however I found Step 1 from the guide as dangerous (the partition recreation with a larger one) so I decided to try the parted partition resize option instead.
Below are the commands used, but first PLEASE BACKUP YOUR DATA without attempting anything:
Number Start End Size File system Name Flags
34s 2047s 2014s Free Space
1 2048s 4982527s 4980480s ext4 raid
2 4982528s 9176831s 4194304s linux-swap(v1) raid
9176832s 9437183s 260352s Free Space
3 9437184s 5153755935s 5144318752s raid
5153755936s 6012954180s 859198245s Free Space <–the free space is after the last (3rd) partition in the disk
And REMEMBER”
ALWAYS BACKUP YOUR DATA FIRST!
Enjoy!
]]>Most of the articles over Internet says to disable ACPI, despite in XenServer 6.X the native safe mode has already that option turned on as well as others compatibility settings like noirqbalance, noapic, etc.
]]>Where to start from:
1. Deploy IIS 8.5 using Server Manager and add the SMTP server feature(or use an external SMTP server). It will be required later to send order emails from Magento
Install URL-rewrite IIS add on from http://www.iis.net/downloads/microsoft/url-rewrite
2. Install a MySQL server (or have a remote one)
3. Install php (5.5.x, 5.6.x or 7.0.2) http://devdocs.magento.com/guides/v2.0/install-gde/system-requirements.html and enable the required PHP modules as per the official magento documentation.
4. Download Magento https://www.magentocommerce.com/download , extract it in C:\inetpub\wwwroot (or a custom one ex. C:\Websites\Magento – something I recommend in general )
5. Configure php settings required by magento (in this example php 5.6.x was used)
The magento requirement says you have to configure these as a minimum http://devdocs.magento.com/guides/v2.0/install-gde/prereq/php-ubuntu.html#instgde-prereq-timezone
They are safe to be configured in you global php.ini file”
memory_limit = 768M
always_populate_raw_post_data = -1
asp_tags = Off
date.timezone = Europe/Sofia http://php.net/manual/en/timezones.php
Magento however customize some php settings using the .htaccess file. Since we’ll be using IIS these have to be converted in IIS aware setup (web.config). A good article how to configure php settings per IIS website can be found here http://www.iis.net/learn/application-frameworks/install-and-configure-php-on-iis/enable-per-site-php-configuration-on-iis-60-and-iis-7-and-above
Then you can find the cutomized PHP settings in the .htaccess file in the root magento directory
Edit your global php.ini file and add
user_ini.filename = “.user.ini”
Then create an .user.ini file in the root magento directory and copy the .htaccess php settings content for your PHP version. In our case the content for php 5.6 is:
memory_limit = 768M
max_execution_time = 18000
session.auto_start = Off
zlib.output_compression = On
suhosin.session.cryptua = Off
Create another .user.ini file inside pub directory and take the settings from pub\.htaccess:
memory_limit = 256M
max_execution_time = 18000
session.auto_start = Off
zlib.output_compression = Off
suhosin.session.cryptua = Off
6.Converting Magento Apache based .htaccess into IIS web.config
6.1 URL Rewrite Rules
You can use the URL-rewrite IIS settings to import .htaccess URL rewrite rules (URL Rewrite–>Import Rules–>Browse the file and select Import–>remove the non-convertable settings and click apply.
Alternatively place this in web.config into the magento root directory
<?xml version=”1.0″ encoding=”UTF-8″?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name=”Imported Rule 1″ stopProcessing=”true”>
<match url=”.*” ignoreCase=”false” />
<conditions logicalGrouping=”MatchAll”>
<add input=”{REQUEST_METHOD}” pattern=”^TRAC[EK]” ignoreCase=”false” />
</conditions>
<action type=”Redirect” url=”{R:0}” redirectType=”Temporary” />
</rule>
<rule name=”Imported Rule 2″ stopProcessing=”true”>
<match url=”^(.*)$” ignoreCase=”false” />
<conditions logicalGrouping=”MatchAll”>
<add input=”{URL}” pattern=”^/mobiledirectoryhere/.*$” ignoreCase=”false” negate=”true” />
<add input=”{HTTP_USER_AGENT}” pattern=”"android|blackberry|ipad|iphone|ipod|iemobile|opera” ignoreCase=”false” />
</conditions>
<action type=”Redirect” url=”/mobiledirectoryhere/” redirectType=”Found” />
</rule>
<rule name=”Imported Rule 3″ stopProcessing=”true”>
<match url=”.*” ignoreCase=”false” />
<conditions logicalGrouping=”MatchAll”>
<add input=”{REQUEST_FILENAME}” matchType=”IsFile” ignoreCase=”false” negate=”true” />
<add input=”{REQUEST_FILENAME}” matchType=”IsDirectory” ignoreCase=”false” negate=”true” />
</conditions>
<action type=”Rewrite” url=”index.php” />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Place this inside pub\media\web.config
<?xml version=”1.0″ encoding=”UTF-8″?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name=”Imported Rule 4″ stopProcessing=”true”>
<match url=”.*” ignoreCase=”false” />
<conditions logicalGrouping=”MatchAll”>
<add input=”{REQUEST_FILENAME}” matchType=”IsFile” ignoreCase=”false” negate=”true” />
</conditions>
<action type=”Rewrite” url=”../get.php” />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Place this inside pub\static\web.config
<?xml version=”1.0″ encoding=”UTF-8″?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name=”Imported Rule 5″ stopProcessing=”true”>
<match url=”^version.+?/(.+)$” ignoreCase=”false” />
<action type=”Rewrite” url=”{R:1}” />
</rule>
<rule name=”Imported Rule 6″ stopProcessing=”true”>
<match url=”.*” ignoreCase=”false” />
<conditions logicalGrouping=”MatchAll”>
<add input=”{REQUEST_FILENAME}” matchType=”IsFile” ignoreCase=”false” negate=”true” />
</conditions>
<action type=”Rewrite” url=”../static.php?resource={R:0}” appendQueryString=”false” />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Place this inside pub\web.config
<?xml version=”1.0″ encoding=”UTF-8″?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name=”Imported Rule 7″ stopProcessing=”true”>
<match url=”.*” ignoreCase=”false” />
<conditions logicalGrouping=”MatchAll”>
<add input=”{REQUEST_METHOD}” pattern=”^TRAC[EK]” ignoreCase=”false” />
</conditions>
<action type=”Redirect” url=”{R:0}” redirectType=”Temporary” />
</rule>
<rule name=”Imported Rule 8″ stopProcessing=”true”>
<match url=”.*” ignoreCase=”false” />
<conditions logicalGrouping=”MatchAll”>
<add input=”{REQUEST_FILENAME}” matchType=”IsFile” ignoreCase=”false” negate=”true” />
<add input=”{REQUEST_FILENAME}” matchType=”IsDirectory” ignoreCase=”false” negate=”true” />
</conditions>
<action type=”Rewrite” url=”index.php” />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Make sure the rule name are unique in the deployment ! Otherwise you might get HTTP Error 500.52 – URL Rewrite Module Error
6.2 Convert the Mime Types
[Update Needed]
6.3 Convert all Remaining Settings
[Update Needed]
7. NTFS permissions
“IIS APPPOOL\ApplicationPoolIdentity” (ex. “IIS APPPOOL\MagentoLive”) need to have :
READ&EXECUTE access on the magento directory (C:\Websites\Magento)
MODIFY access on magento \app\etc directory (for security purposes this should be removed after the installation is complete
MODIFY access on magento \var directory
MODIFY access on magento \pub\media directory
MODIFY access on magento \pub\static directory
MODIFY access on the PHP Temp directory (otherwise it throws an errors like “We’re sorry, an error has occurred while generating this email” on the Storefront or “Could not determine temp directory, please specify a cache_dir manually” in the Admin panel
In case PHP Temp directory is not specified in php.ini then PHP takes the folder in the TEMP Environment variable (C:\Windows\Temp by default).
The Default ACL on C:\Windows\Temp on Windows 2012 R2 is (icacls output)
C:\Windows\Temp CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\IIS_IUSRS:(OI)(CI)(S,RD)
In case magento is the single website on your IIS server you can directly grant the IIS_IUSERS MODIFY permissions
Important Security Notice: for all magento directories where you grant write access make sure you remove scripts execution in IIS (go to each folder–>Handled-Mappings–>Edit Feature Permissions–> uncheck Script)
8. Setup PHP OpCache (don’t miss this step! – it’s a great performance boost)
Edit you global php.ini and insert:
inside [php] section
zend_extension=php_opcache.dll (the DLL file must be present in your php extensions directory)
inside [opcache] section
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.use_cwd=1
opcache.revalidate_freq=60
opcache.fast_shutdown=1
9. Setup SSL on you IIS website – a lot of content exist on Internet how to do this. It doesn’t matter if you do this before or after the Magento Installation. It’s important to avoid using self-signed certificate.
10. Magento Installation
There are two ways to do this:
A) using the http://yoursite.com/setup web based wizard
or
B) using command line
cd magentorootdirectory
php magento setup:install –admin-firstname John –admin-lastname Doe –admin-email [email protected] –admin-user admin –admin-password yourpassword –base-url http://yoursite.com –db-host=localhost –db-name DB –db-user DBuser –db-password yourDBpassword –use-rewrites 1 –use-secure-admin 1 –session-save db
List of support command line parameters can be found here http://devdocs.magento.com/guides/v2.0/install-gde/install/cli/install-cli-install.html
When you install from the website the Magento installation may hang on (freeze on) Installing schema.. or Upgrading schema.. usually around 4% or 5%.
This happens due to IIS FastCGI “Activity timeout” settings (by default 30 seconds)
Adjust the settings to a higher enough value to allow the setup to finish. ex. 3600 (1h)
Then retry the installation by :
– deleting magentorootdirectory\app\etc\config.php and magentorootdirectory\app\etc\env.php
– dropping the MySQL DB tables
– re-running the setup from http://yoursite.com/setup
Until you retry the installation Magento website will return HTTP error 500 Internal Server Error
The installation might fail to deploy the static content making Storefront and the Admin page looking badly formatted(missing pictures, CSS styles, js, etc). To resolve this run:
“php bin\magento setup:static-content:deploy en_US”
http://devdocs.magento.com/guides/v2.0/install-gde/trouble/tshoot_no-styles.html
https://github.com/magento/magento2/issues/1312
When using non en-US Locale (Admin–>Stores–>Configuration–>General–>Locale Options) even after deploying static content, the StoreFront will still be badly formatted (Admin will be now OK). Two ways to solve this:
A) Set en-US locale in the Admin panel
B) Deploy static content for your locale
“php bin\magento setup:static-content:deploy bg_BG”
http://devdocs.magento.com/guides/v2.0/config-guide/cli/config-cli-subcommands-static-view.html
11. Magento Store Configuration
]]>[More updates will follow]
It’s one of the worse implemented features ever seen on a managed switch. The idea for additional L2 security layer is good, however the realization is definitely poor. With the basic enabled/disabled states and zero customization available, the features set goes into the recycle bin. In particular it blocks all NetBIOS traffic over the LAN due to the “nice” feature called “Prevent UDP Blat Attack”.
It seems HP engineers are not aware NetBIOS use the same UDP Port 138 or maybe they believe it’s rarely used protocol nowadays.
However what happens when you replace some legacy switches on your network with a new HP V1810 series 48 port 1Gbps switches? What I’ve seen in particular is inability to join PCs in an Active Directory domain using the domain NetBIOS names with the following symptoms:
– Error 0x54b(1355 in decimal) present in %windir%\debug\NetSetup.log during PC join attempts.
– nltest /dsgetdc returns ERROR_NO_SUCH_DOMAIN (the same 1355/0x54b)
– no NetBIOS broadcast resolution
– no NetBIOS traffic reaching destination server with local LMHosts file entries enabled
– and much more.
Clearly reading the full vendor documentation before deploying any new equipment is a must. Otherwise you can spend hours in troubleshooting to understand how a single check box affects your Active Directory environment.
Reference: Auto Dos features description.
Auto DoS
Enable – Select to prevent receiving packets from the all attacks mentioned below (Default: Disabled).
Prevent Land Attack – Prevents receiving packets with matching Source and Destination IP addresses.
Prevent TCP Blat Attack – TCP Source and Destination Port match
Prevent UDP Blat Attack – UDP Source and Destination Port match
Prevent Ping Of Death Attack – Prevents receiving ping packets with a size larger than 512 bytes through the use of fragments, which can target vulnerable systems.
Prevent Invalid TCP Flags Attack – Prevents receiving packets with invalid TCP flags. TCP Flag SYN set and Source Port less than 1024 or TCP Control Flags = 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
Prevent TCP Fragment Attack – Drop IP Packets that have a TCP header less than 20 bytes.
Check First Fragment Only – Enable checking DOS attacks on IP first fragments
Prevent Smurf Attack – ICMP Echo packets (ping) to a broadcast IP address are dropped.
Prevent Ping Flood Attack – Prevents Ping Flood by limiting the number of ICMP Ping packets. The rate is 1000 ICMP packets per second.
Prevent Syn Flood Attack – A SYN flood attack sends TCP connections requests faster than a machine can process them. Setting this filter limits the rate of TCP connection requests.
After troubleshooting through drivers compatibility and processor performance counters the root cause was found in the enabled Intel C-State Tech feature in BIOS. Disabling this power saving feature returned back the expected performance of Hyper-V.
]]>