App Version Mismatch on Palo Alto Firewall High Availability

Situation: The client has a Palo Alto 850 Firewall. Dashboard > High Availability shows App Version, Threat Version and Antivirus Version mismatches between the two units.

Troubleshooting:

  1. When we try to log in to the spare unit's management IP, the connection times out.
  2. Connecting to the console port with a console cable, we see this message: EDAC MC0: 1 CE DIMM 0 rank 1 bank 10 row 97824 col 1016 on any memory page: 0x0 0ffset: 0x0 grain: 0 syndrom

Resolution:

  1. Hard reboot the unit.
  2. Access the management interface and install the Dynamic Updates manually.

Cloud does not save the settings for RD Licensing. Error: Unable to set the license settings: “Invalid operation”

Situation:  When configuring the deployment on a RD server, you may receive an error: Cloud does not save the settings for RD Licensing. Error: Unable to set the license settings: “Invalid operation”.

Troubleshooting: If you configure the deployment on an RDS server that includes only the RD Session Host role and the RD Licensing role, you will receive this error. For such a server, run gpedit.msc on the RD server to configure licensing instead (see the Troubleshooting 1 steps under "Fixing 'Remote desktop licensing mode is not configured'" below).

Configure the Deployment is for configuring RD licensing on an RD server that includes the RD Connection Broker role.

Fixing “Remote desktop licensing mode is not configured”

Situation: When troubleshooting RD license issue by using RD Licensing Diagnoser, you may receive this error: “Remote desktop licensing mode is not configured”

or this error may pop up as a System notification.

Troubleshooting 1: Configure licensing for an RDS deployment that includes only the RD Session Host role and the RD Licensing role

  1. Run gpedit.msc on the RD server.

  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.

  3. Double-click Use the specified Remote Desktop license servers, check Enabled and enter the RD license server in License servers to use.

  4. Double-click Set the Remote Desktop licensing mode, check Enabled and select Per Device or Per User, as appropriate for your deployment.
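As an added example (not part of the original post), the same two policy settings audited and set from PowerShell, which is useful when you want to script or verify them on several RD Session Hosts. It assumes the policy registry path and the LicenseServers / LicensingMode value names that these two Group Policy settings write (LicensingMode 2 = Per Device, 4 = Per User), and uses a placeholder license server name:

```powershell
# Added example, not from the original post. Assumption: the two gpedit.msc policies above
# are stored under this policy key as LicenseServers (string) and LicensingMode (DWORD,
# 2 = Per Device, 4 = Per User). Run in an elevated session on the RD Session Host.

$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$licenseServer = 'rdlic01.example.local'   # placeholder: your RD Licensing server
$licensingMode = 4                          # 2 = Per Device, 4 = Per User

function Get-RdsLicensingPolicy {
    # Returns the current values; a $null property means that policy is "Not Configured",
    # which is exactly the state the RD Licensing Diagnoser complains about.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LicenseServers = $props.LicenseServers
        LicensingMode  = $props.LicensingMode
    }
}

function Set-RdsLicensingPolicy {
    param([string]$Server, [int]$Mode)
    if ($Mode -notin @(2, 4)) { throw 'LicensingMode must be 2 (Per Device) or 4 (Per User)' }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'LicenseServers' -Value $Server -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'LicensingMode'  -Value $Mode   -PropertyType DWord  -Force | Out-Null
}

$before = Get-RdsLicensingPolicy
if (-not $before.LicenseServers -or -not $before.LicensingMode) {
    Write-Warning 'RDS licensing policy is not configured on this host; setting it.'
    Set-RdsLicensingPolicy -Server $licenseServer -Mode $licensingMode
    # Refresh computer policy so the Session Host picks the values up without a reboot.
    gpupdate /target:computer /force | Out-Null
}
Get-RdsLicensingPolicy | Format-List
```

If a domain GPO already targets the server, set the values there instead; a local change under the Policies key is overwritten at the next policy refresh, which is a common reason the Diagnoser reports the mode as unconfigured again later.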

Troubleshooting 2: Configure licensing for an RDS deployment that includes the RD Connection Broker role

  1. On the RD Connection Broker server, open Server Manager and go to Remote Desktop Services > Overview.

  2. Click Tasks and select Edit Deployment Properties.

  3. Click RD Licensing and configure the RD licensing mode and license server.

Note: This is for configuring licensing for an RDS deployment that includes the RD Connection Broker role. If you use this method on an RDS deployment that includes only the RD Session Host role and the RD Licensing role, you may receive the error: Cloud does not save the settings for RD Licensing. Error: Unable to set the license settings: “Invalid operation”.


Fixing “No Remote Desktop License Servers”

Situation: When attempting to access Remote Desktop server, you may receive this message: “No Remote Desktop License Servers”

Troubleshooting 1: Check the RD Licensing Manager Status

In Server Manager, click Tools > Remote Desktop Services > Remote Desktop Licensing Manager.

The license server should show a green check mark.

If it shows a yellow exclamation mark, right-click the RD license server and run Review Configuration, and make sure licenses are installed. You can also go to Advanced > Reactivate Server.

Troubleshooting 2: Run Remote Desktop Licensing Diagnoser to check any errors.

In Server Manager, click Tools > Remote Desktop Services > Remote Desktop Licensing Diagnoser.

If you receive the message “License server is not available”, go back to Troubleshooting 1 to re-install the RD licenses or reactivate the license server.

If you receive the message “Remote desktop licensing mode is not configured”, apply the fix described under “Fixing ‘Remote desktop licensing mode is not configured’” above.

New PA Firewall can’t ping the default gateway IP address

Situation: The client configured their new Palo Alto Firewall 440 but can’t access the Internet or ping the default gateway IP address. Pinging from the firewall LAN/gateway IP 192.168.100.1 works; pinging from the management IP 192.168.100.254 doesn’t.

Troubleshooting 1: We find they didn’t configure the static route.

Troubleshooting 2: No NAT configured.

Troubleshooting 3: Ping is unchecked in the Interface Management Profile.

Troubleshooting 4: In our case, the client configures it at home with two networks, 192.168.12.0/24 and 192.168.100.0/24.

In the incorrect connection (first diagram), the management IP 192.168.100.254 sits behind the firewall’s own LAN and can’t pass through the Internet router.

In the correct connection (second diagram), the management IP is in the same subnet as the first network, 192.168.12.0/24; 192.168.12.100 in our example.

If you don’t have two networks and the PA firewall is the default router, the LAN/ethernet IP and the management IP can be in the same subnet.

Outlook: Changes to the public group membership cannot be saved

Situation: A user has been assigned as a Distribution group manager to manage the email group. However, he gets this message when he tries to add a member: Changes to the public group membership cannot be saved. You do not have sufficient permissions to perform this operation on this object.

Troubleshooting:

When we check the owner status of the group, it shows the user is the owner.

Finally, we find the problem is that the user doesn’t have permission to add members.

Giving Full control fixes the problem.

However, as the Microsoft article “Owners of an on-premises distribution group synced to O365 can’t manage the distribution group in Exchange Online” mentions: When an on-premises distribution group is synced to a Microsoft 365 organization through Active Directory synchronization, migrated users who are owners of the distribution group can’t manage it in Microsoft Exchange Online.

Also quoted from Office 365 – Allowing Users to Edit Exchange Groups They Manage – Perficient Blogs

Exchange Hybrid and Directory Synchronization provide for the most full-featured integration experience with your on-premises messaging environment. Users, for the most part, are unaware of whether their mailbox is in the cloud or on-premises.

There are, however, a few limitations with Exchange Hybrid and Directory Synchronization.

One of these limitations is around distribution groups that have had managers assigned for administrative purposes. If you have users that manage their own distribution groups via Outlook, you’ll find that this functionality does not work once the group manager has been moved to Exchange Online. This limitation should hopefully not come as a surprise; it’s a topic I discuss with my clients during every Exchange Online engagement. It is also an issue where unfortunately there are not a lot of great options for resolution.

Can’t access remote office over Paloalto firewall site to site VPN

Situation: The client has a site-to-site VPN connecting the head office and a remote office. Computers whose IP addresses have already been added to the firewall work fine. However, when they add more IP addresses to the inbound policy on the remote office firewall, the new IPs don’t work.

Troubleshooting: We do see those IP addresses in the remote office PA firewall (go to Policies > Security and check the IPSec inbound policy).

In the head office PA firewall, we check Monitor and find that traffic from those IP addresses to remote office port 3389 was denied.

Checking the head office PA firewall IPSec outbound policy, we don’t see those IP addresses in it.

Adding those IP addresses into Head Office PA firewall IPSec outbound policy fixes the problem.


Can’t login with this message: Failed to connect to the Veeam Backup & Replication server

Situation: When attempting to log in to Veeam Backup & Replication, you may receive this error: Failed to connect to the Veeam Backup & Replication server:
No connection could be made because the target machine actively refused it <IP>:9392

Troubleshooting: The Veeam Backup Service has not started yet, so nothing is listening on port 9392. Starting the service fixes the problem.

Veeam Error: The RPC server is unavailable. RPC function call failed

Situation: The client receives this Error: The RPC server is unavailable. RPC function call failed. Function name: [InvokerTestConnection] from their Veeam Backup. Target machine: Host05.

Troubleshooting 1: Veeam Backup & Replication may not be able to reach the Veeam Installer Service on the remote machine.

To fix this issue, follow these steps:

  1. Make sure the Veeam Installer Service is running on the machine specified in the error, Host05 in our case.
  2. If the Veeam Installer Service cannot be started, check whether another application is using the default port (6160) used by the Veeam Installer Service. Use the following command to list the process using port 6160:

     Get-Process -Id (Get-NetTCPConnection -LocalPort 6160).OwningProcess

     Alternatively, check the Listening Ports section of the Network tab in Resource Monitor.
  3. If the Veeam Installer Service is running on the remote machine, run the following PowerShell command on the Veeam Backup & Replication server to isolate the connection issue. Replace <remote_machine> with the hostname, FQDN, or IP shown in the error:

     Test-NetConnection -ComputerName "<remote_machine>" -Port 6160

  4. If neither PowerShell nor Veeam Backup & Replication can reach the port and the Veeam Installer Service is running on the remote machine, investigate whether a firewall is blocking connectivity between the two machines.

Other possible resolutions:

  • The Netlogon service is not running and is disabled.
  • Antivirus on the remote machine is preventing VeeamDeploymentSvc.exe from running. Process location: C:\Windows\Veeam\Backup
  • The Veeam Installer Service is not installed. In that case, edit the machine’s entry under Backup Infrastructure > Managed Servers and click Next through the pages of the Edit Windows Server wizard to force the package to be redeployed.
  • The Veeam Installer Service package was partially updated. In that case, uninstall the Veeam Installer Service from the remote machine, then edit the machine’s entry under Backup Infrastructure > Managed Servers and click Next through the pages of the Edit Windows Server wizard to force the package to be redeployed.
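The checks from the two Veeam posts above (the “actively refused it <IP>:9392” login error and the “RPC server is unavailable” error against a managed host) combined into one script, as an added example that is not part of the original posts or Veeam’s own tooling. It assumes the service name VeeamBackupSvc for the Veeam Backup Service on port 9392, the service name VeeamDeploySvc for the Veeam Installer Service on port 6160, that WinRM is enabled on the remote host for the Invoke-Command step, and uses the page’s Host05 as the remote host name:

```powershell
# Added example, not from the original posts. Assumptions: service names VeeamBackupSvc
# (port 9392, on the B&R server) and VeeamDeploySvc (port 6160, on the managed host);
# WinRM reachable on the managed host. Run on the Veeam Backup & Replication server.

$remoteHost = 'Host05'   # the target machine named in the RPC error on the page

function Test-VeeamService {
    param([string]$ServiceName, [int]$Port)
    # Local check: service state plus which process (if any) owns the listening port.
    # A non-Veeam owner on the port explains why the Veeam service cannot start.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
                Select-Object -First 1
    $owner = if ($listener) { (Get-Process -Id $listener.OwningProcess).ProcessName } else { $null }
    [pscustomobject]@{
        Service       = $ServiceName
        State         = if ($svc) { $svc.Status } else { 'NotInstalled' }
        Port          = $Port
        ListeningProc = $owner
    }
}

function Test-VeeamRemotePort {
    param([string]$ComputerName, [int]$Port)
    # Same probe the page suggests; -InformationLevel Quiet returns $true/$false only.
    Test-NetConnection -ComputerName $ComputerName -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}

# 1. Login error "actively refused it <IP>:9392": the Backup Service itself is not listening.
$backup = Test-VeeamService -ServiceName 'VeeamBackupSvc' -Port 9392
if ($backup.State -ne 'Running') {
    Write-Warning "Veeam Backup Service is $($backup.State); starting it."
    Start-Service -Name 'VeeamBackupSvc'
}
if ($backup.ListeningProc -and $backup.ListeningProc -notlike 'Veeam*') {
    Write-Warning "Port 9392 is held by $($backup.ListeningProc), not Veeam; free it before restarting."
}

# 2. RPC error against the managed host: is the Installer Service reachable on 6160?
if (Test-VeeamRemotePort -ComputerName $remoteHost -Port 6160) {
    "Port 6160 on $remoteHost is reachable; connectivity is fine, look at Netlogon, antivirus or a partial package."
} else {
    Write-Warning "Cannot reach ${remoteHost}:6160 from this server; checking the service on the host itself."
    # Run the same local check on the remote host; a Running service that is unreachable
    # from here points at a firewall between the two machines (step 4 above).
    Invoke-Command -ComputerName $remoteHost -ScriptBlock ${function:Test-VeeamService} `
        -ArgumentList 'VeeamDeploySvc', 6160
}
```

Reading the output: a Running state on the remote host together with a failed Test-NetConnection isolates the problem to the network path, while a NotInstalled or Stopped state sends you to the service-side resolutions in the bullet list above.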