Tech Blog

Network outage?!?! Nevermind, FortiGate IPS is just blocking everything.

This afternoon we received several reports all at once that the internet was down. Interestingly, we were able to reach client locations, all SNMP monitoring looked healthy, and no outages were present. We did, however, notice that bandwidth utilization had dropped to a trickle, so something was amiss!

Eventually we discovered in the IPS logs that most traffic was being blocked due to matching the following IPS signature:


When we disabled IPS, traffic started flowing again. We then went to System -> FortiGuard -> Update AV and IPS Definitions. After the update, we re-enabled IPS and traffic flowed normally again!

Remove Pending patches in bulk – Windows Server

The following post was submitted by Jon Worley in response to a server stuck in a boot loop due to pending updates failing to install:

This is a summary of what I did to avoid manually removing 28 different packages using the long form name of them without access to PowerShell in the Windows RE. This worked better than using DISM to revert pending actions or deleting “pending.xml” but takes a little additional prep work before running the script.

Pro tip: If it’s 2008 R2 and a VM, the mouse may not work so editing the file is easier when using shift + end to highlight text for deletion.

  1. Boot into the Windows RE from an ISO and launch into the command prompt recovery mode.
  2. Determine which drive has the image as it can vary by using “dir c:\, dir d:\, etc” until you find the system drive, in this case it was mounted to e:\
  3. If it doesn’t exist create a temp directory with “mkdir e:\temp”
  4. See if there are staged packages causing the hang up with:

    dism /image:e:\ /get-packages /scratchdir:e:\temp /format:table | more

  5. If there are staged packages output them into a text file for easier manipulation with: read more…

Unable to remove FortiManager from a FortiGate

In order to resolve a failed relationship between a FortiGate and FortiManager, we needed to remove the FortiGate. This worked fine in FortiManager; however, in FortiGate the relationship still persisted (under Security Fabric -> Settings -> Central Management).

If we attempted to disable the Central Management toggle we received the following error:

Failed to save FortiManager settings

read more…

Outlook clients not authenticating, but OWA and ActiveSync work fine

We had an issue where a client's Outlook connectivity stopped working and they were continuously prompted for credentials. Mysteriously, OWA and ActiveSync were fine. In the Security logs on the Exchange server we saw a lot of the following:

Source: Microsoft Windows security auditing.
Event ID: 4625
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0x80090302
Sub Status: 0xC0000418

read more…

CCAPI: Internal Error (Software Error)

We changed a customer from PRI to SIP trunk and after the change, the Exchange UM stopped working for calls coming in from the outside.  We found the following error in the logs:

%VOICE_IEC-3-GW: CCAPI: Internal Error (Software Error): IEC= on callID 78

Some posts mentioned upgrading the firmware (which we did with no effect).  The dial-peer pointed to Exchange had some volume adjustments on it.  Once we removed the adjustments, the error went away and calls went through. read more…