Check out the Astaro manual for help with Astaro’s features, and try some helpful tricks we’ve uncovered over the years.
We are always adding more troubleshooting information. Please contact us if there is anything you’d like to see here.
The Astaro Knowledge Base is an important reference for administrators, and can be reached here .You will also be able to download the latest manuals from the Knowledge Base.
If you are experiencing difficulty with the software, chances are that someone else has had the same problem. The Astaro Forum is an excellent place to find these people.
Finally, the Up2Date service has its own source of documentation, which can prove very useful when you’re evaluating whether to move to the newest Astaro release just yet.
Tips and Advice
Below you’ll find some technical tips that ish has found very useful in the past. If you’re wondering about something, you might be able to find the answer right here.
This is a good list of time servers to use:
Just set them up as a network definition (with subnet mask 32).
If you are in Australia, define a new network
(type = DNS Host multiple)au.pool.ntp.org. and under system settings select host from use NTP Server. See
for other pools in different countries.
Reset passwords from shell
If you’ve managed to lock yourself out of the WebAdmin because of a lost password and can get into SSH or console, then this will allow you to reset all your passwords:
# joe /etc/wfe/conf/setttings (joe is the text editor in Astaro)
Change the line which reads:
reset_pwd = 0
reset_pwd = 1
then type reboot to restart the firewall. When it restarts, connect to the web interface and you will be able to reset all the passwords.
If webadmin doesn’t come back up properly after an update, it may be necessary to restart webadmin. Do this by typing:
in the shell. There are other scripts to stop and start services in
If you have set up a proxy in your web browser to point to Astaro, you might have to exclude the Astaro IP from your proxy settings. There will usually be a setting whereever you set up proxy configuration in your web browser.
If your Astaro system clock is set incorrectly to a future date/time when you install Astaro, Astaro may think that it is unlicensed and not give you the standard 30 day trial. This will fix itself when the system clock reaches the date/time when Astaro thought it was installed, or when you add a license key.
Resetting License Count
Every time a device (eg a computer, a PDA etc) connects to the internet through your Astaro firewall, its IP address is remembered.
You should also remember that even when a temporary device is connected to your firewall (eg when a colleague from a branch office comes in to work at your office on their laptop for the day), they are also remembered.
There is, however, a way to clear Astaro’s memory of IP addresses. To reset the total count, go to
System->licensing. The click the button at the bottom of the page called ‘reset user (IPs) listing’. Please note that doing this will also restart your firewall.
L2TP not working from Windows client
During our testing at various clients, we found that the most common problem was a disabled native IPSec service. If you have or had installed an IPSec client, your IPSec service had been disabled during the install routine of the IPSec client.
In order to activate it again, right click on ‘My Computer’ and select ‘Manage’.
Now the ‘Computer Management’ window opens. Expand ‘Services and Applications’ in the left pane and select ‘Services’. You will now see all Windows services in the right pane.
Search for ‘IPSEC Services’ and see if it is disabled. If yes, change the startup state to ‘Automatic’ again and start the service. L2TP over IPSec should now work.
HOWTO for IPsec/L2TP with certificates
In the default configuration the Astaro only offers the possibility to authenticate via PSKs when choosing the MS-L2TP-client. However for most people in a roadwarroir setup the use of certificates is a much better approach. So here is how to do it:
The client configuration on W2K/XP is as described for PSKs just deactivate under
-->Security-->IPsec-settings the authentication via PSKs then Windows automatically searches for certificates.
Of course you have to import the certificate that you created with your CA. When you create the certificate on the firewall make sure to select DN (Distinguished Name) as VPN-ID and leave the right field blank (it is filled automatically)!
To import the certificate correctly follow this instructions:
Now configure the ASL-side:
- Create a new IPsec-Connection
- Choose Roadwarrior as type
- Activate L2TP-encapsulation
- As policy choose MS-DEFAULT
If MS-DEFAULT is not predefined, here are the settings:
- Encryption Algorithm: 3DES 168bit
- Authentication Algorithm: SHA1 160 bit
- IKE DH group: DH Group X (MODP2048)
- SA Lifetime: 28800
- IPsec settings:
- Encryption Algorithm: 3DES-CBC 168bit
- Enforce Algorithms: Off
- Authentication Algorithm: MD5 160bit
- SA lifetime: 3600
- PFS: No PFS
- Compression: Off
Now you can select your remote-key-object for the connection.
Finally you have to add Packetfilter-rules to allow traffic between the IPsec-Pool-Network and your internal network. And if you want your remote-clients to have internet-access through the firewalled-office-network you have to add a masquerading rule for the IPsec-Pool-IPs.
OSX default route
OSX 10.3 supports L2TP through the “internet connect” application which comes with the operating system. It is very easy to set up and works well with Astaro. As an added security feature, when you are connected to a VPN tunnel, then all traffic is forwarded through that connection (including any web browsing, etc). This makes it more difficult for your machine to be hijacked and used as a way into the company network.
However, if you really want to allow both sets of traffic at once, do the following:
System Preferences -> SharingTurn on the built in firewall for extra security.
- Create a file called
/etc/ppp/peers/MyVPN(where MyVPN is whatever you called the VPN tunnel you created). Then put inside it just one word followed by a return:
In OSX 10.4, you can set this feature in action by openint Internet Connect and going to
Connect -> Options and un-checking “Send all traffic over VPN connection”.
/var/storage filling up
/var/storage contains the spool for e-mails, and the directory for quarantined e-mails. If there are many quarantined e-mails, /var/storage may run out of space.
If Astaro gives the error “storage application partition mounted at /var/storage is filling up – please check”, you will need to check the following directories, and clear them out if necessary:
/var/storage/chroot-http/tmp/(downloaded files with http proxy)
/var/storage/chroot-smtp/spool/Finput/(smtp fetched emails)
/var/storage/chroort-pop3/var/mrpopper/(pop3 fetched emails)
/var/up2Date filling up
If you /var/up2date partition becomes full, the up2date service will cease to function. Later versions of Astaro have fixed this problem, but if it affects you, you will need to enter the terminal interface and delete the .tar files and expanded directories of the latest updates downloaded to your system. (These files and directories can be found in the
This will free up space for the earlier updates to run. Then you can go back to the WebAdmin interface and download the later updates again.
Click here for the definitive IANA list of port numbers:
And here is the list of port numbers for Apple software (OSX, OSX Server, etc):
For NFS, the source address is below 1024 (I’ve seen 1008 a lot) and the destination is 2049. Also, don’t forget to open the mountd port 2219 as well.