Cisco Firepower Threat Defense with a PPPoE Connection, no default route?

I have been working recently with Cisco Firepower Threat Defense and came across a difficult issue with using a PPPoE connection, where if the interface was using a dynamic IP address, the default route was not pushed from the ISP to the device, so there was no internet connectivity.

A helpful user on the Cisco community forum shared his settings, and there is a misleading tick box “Enable Route Settings” under “Devices > Device Management > Interfaces” in the Firepower Management Center which needs to be ticked for this to work. This example is for a BT Infinity (VDSL) connection using the Openreach NTE, but will likely work for other ISPs:


Cisco’s description of this tick box in their own documentation is not entirely accurate (source – page 18):

“Enable Route Settings—To manually configure the PPPoE IP address, check this box and then enter the IP Address.”

Whilst this is true if the IP address box is populated, they fail to mention that it’s also required for a dynamically assigned connection to receive a default route!

Hope this helps someone!


SRA “SyncOnce” Error with SRM6 + HP StoreVirtual SRA

Just a quick one: I’ve had a bit of free time recently and I have built a lab to learn about VMware Site Recovery Manager 6.

In order to achieve this I needed a cheap/free virtual SAN solution which supported replication – HP StoreVirtual appliance to the rescue! You can store up to 1TB of data completely free (

I installed the lab and got it up and running, however when trying to run my recovery plan I receive the following error from the “synchronise storage” command:

SRA command 'syncOnce' failed


SRA command 'syncOnce' didn't return a response

After much troubleshooting of the many moving parts of the solution, it turns out that my version of the Storage Replication Adapter, the latest from the VMware site ( was for version 12.5 of the LeftHand OS, but my StoreVirtual instance, the latest from the HP site, was running LeftHand OS 12.6!

I quickly downloaded the latest file from the HP site ( and the problem went away. For reference, the file you’re looking for is as follows:

HPE StoreVirtual SRA for VMware SRM 5.0 (AX696-10591.exe)

It’s labelled for SRM 5.0, but it works fine for me with SRM 6.0.

Hope this saves someone some time!

Silent install of Advanced Group Policy Management (AGPM) console

A quick post regarding silent installation of the Advanced Group Policy Management Console that comes with Microsoft MDOP (Microsoft Desktop Optimisation Pack). This tool gives you access to a change controlled group policy console, very useful if you have lots of admins working in an environment with tight SLAs!

At the time of writing the following command installs the latest client (4.0.2) silently; choose x86 or amd64 as fits your environment and change the server address next to the ARCHIVELOCATION switch! I couldn’t find a straight answer to this question online so I’m posting it here to save you the same hassle.


Copy group memberships from one active directory group to another using Powershell

A quick way to copy group memberships from one AD group to another.

A loop is required because Add-ADPrincipalGroupMembership will fail and error out if one of the users of the first group is already a member of the second group. The loop ignores these errors and allows the command to continue.

Import-Module ActiveDirectory   # provides Get-ADGroupMember / Add-ADPrincipalGroupMembership
# Suppress the "already a member" errors so the pipeline keeps going, then restore the default
$ErrorActionPreference = "SilentlyContinue"
Get-ADGroupMember -Identity "Group1" | % { $_ | Add-ADPrincipalGroupMembership -MemberOf "Group2" }
$ErrorActionPreference = "Continue"

Diving in to App-V 5.0

I’ve been spending a lot of time with App-V 5.0 recently and just thought I’d write a quick post on some strange problems I came across …

1. I was referring to some online blogs that showed screenshots of the client GUI … however I couldn’t for the life of me find it when installing from the latest version on the MDOP 2014 DVD. What’s also annoying is that if you upgrade from 5.0 to 5.0 SP2, it actually REMOVES the GUI during the installation process! I was convinced my installation was broken, or I’d done something wrong. After much reading online, it turned out that the client GUI was removed from the 5.0 SP2 client installation package and you have to download it separately from … easy when you know how, right?

2. If you’re using roaming profiles, folder redirection and Windows 8.1 (this limitation might extend to other OS versions; I only tested 8.1), make sure you have App-V 5.0 SP2. When I initially deployed I was using App-V 5.0 with no updates, and applications failed to launch with the error code 0x00001525-00000057. After upgrading the client to SP2 all is well!

Once you know the ins and outs though, and what it can and can’t do, it’s a fantastic product. The way you can have an application executing locally but available almost instantaneously to the user blows me away!

SCCM 2012 R2 – where are my Windows 8.1, Server 2012 R2, Office 2013 updates?

A quick post on some weird behaviour I came across in SCCM 2012 R2.

When configuring the Software Update Point in a brand new SCCM 2012 R2 installation, I needed to select to synchronise the updates for Windows Server 2012 R2, Windows 8.1 and Office 2013 that would be used in this environment. However, this is what the product selection screen looked like (under Administration > Site Configuration > Sites > Right click on site > Configure Site Components > Software Update Point, Products tab):

Notice the problem? Neither Windows 8.1 nor Server 2012 R2 is visible (nor Office 2013, not shown). I went ahead and selected 2012 and Windows 8 anyway.

I looked in WSUS itself and this actually shows the correct options:

Weird … however, I resisted the temptation to select them here as I know from experience that you shouldn’t mess with WSUS directly, as SCCM likes to control it. I went ahead and clicked the “Synchronize Software Updates” button in SCCM but received the following strange messages in the WCM.log file:

However, after letting the sync finish, as if by magic the products THEN became available:

The moral of the story is, let SCCM 2012 do a synchronisation BEFORE you try to select the products you wish to update!

Snags with sticky MACs

I recently inherited a network which uses port-security with sticky MACs. I’d not used this configuration in a long time, and one limitation I was not aware of, which caused me some trouble, is that a MAC address can only be sticky on a single port in the running config. So if a device is moved from one port to another and it’s not working, you will need to check that the MAC of the device isn’t still sticky on another port.

“sh log” on the switch shows the error:

[Figure: Switch port-security tshoot 1]

Normally in this situation one would clear the gi2/0/45 sticky MAC, but in this case that will not work, as the MAC is already assigned to another port.

“sh port-security address” can be used to identify which port the MAC exists on.

[Figure: Switch port-security tshoot 2]
This shows that the offending device has been moved from port gi2/0/44 (as it exists in the port-security config) to gi2/0/45.
We can then go ahead and clear the stored MAC for both gi2/0/44 and gi2/0/45 to allow these ports to be used once more. Don’t forget to shut and un-shut the ports after this!

[Figure: Switch port-security tshoot 3]
[Figure: Switch port-security tshoot 4]
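The check described above, automated as an added example that is not part of the original post: it parses constructed “show port-security address” and “show logging” samples (in the usual IOS layout, not the screenshots from the post), finds violations where the offending MAC is still sticky on a different port, and emits the clear/shut/no shut commands for both ports.

```python
import re

# Constructed sample output in the layout of "show port-security address".
SHOW_PORT_SECURITY_ADDRESS = """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    0011.2233.4455    SecureSticky                  Gi2/0/44        -
  10    00aa.bbcc.ddee    SecureSticky                  Gi2/0/45        -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
"""

# Constructed "show logging" line in the standard PSECURE_VIOLATION format.
SHOW_LOGGING = """\
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet2/0/45.
"""

SECURE_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I)
VIOLATION = re.compile(r"caused by MAC address ([0-9a-f.]+) on port (\S+?)\.?$", re.I)

def parse_secure_addresses(text):
    """Map each secure MAC (lower-case) to the VLAN, type and port it is bound to."""
    table = {}
    for line in text.splitlines():
        m = SECURE_ROW.match(line)
        if m:
            vlan, mac, sec_type, port = m.groups()
            table[mac.lower()] = {"vlan": int(vlan), "type": sec_type, "port": port}
    return table

def short_ifname(name):
    """Log lines use the long name (GigabitEthernet2/0/45); the table uses Gi2/0/45."""
    return re.sub(r"^GigabitEthernet", "Gi", name)

def find_violations(log_text, table):
    """Return (mac, port_in_log, port_where_sticky) for each violation whose MAC is sticky on another port."""
    found = []
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if not m:
            continue
        mac, port = m.group(1).lower(), short_ifname(m.group(2))
        entry = table.get(mac)
        if entry and entry["port"].lower() != port.lower():
            found.append((mac, port, entry["port"]))
    return found

def remediation_commands(mac, new_port, old_port):
    """IOS commands from the post: clear the sticky entry on both ports, then bounce them."""
    cmds = [f"clear port-security sticky interface {old_port}",
            f"clear port-security sticky interface {new_port}"]
    for p in (old_port, new_port):
        cmds += [f"interface {p}", " shutdown", " no shutdown"]
    return cmds
```

Run the three functions in order against real `show` output captured from the switch; only the regexes assume the stock IOS column layout.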