DMVPN on Dual Stack Hub Site
Hi,
I have a Dual Stacked DMVPN Hub site, VPN for ether IPv4 oder IPv6 is working properly, but not both at the same time.
If the IPv4 Peers connect first, then the IPv6 Peers are unable to form an IPsec security association and the other way around. Crypto ISAKMP Phase1 is build correctly.
A "show crypto ipsec sa" on the Hub shows only sa's for the kind of Peers that connected first. A "show crypto ipsec sa" on the Spoke that is unable to form an security association with the Hub shows an security association, but with no proposals and raising send error counters:
Spoke (IPv4) SA
interface: Tunnel1
Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 23255, #recv errors 0
local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
I'm running IOS Version 15.3(2)T, is there some kind of known bug and/or a workaround for this?
Interface Configuration
interface GigabitEthernet0
description ** Outside **
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
ipv6 address 2001:1:1:1::1/64
Crypto Configuration
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile My-Profile-v4
description ** IPsec Profile fuer IPv4 Peers **
set transform-set My-Set
set pfs group2
crypto ipsec profile My-Profile-v6
description ** IPsec Profile fuer IPv6 Peers **
set transform-set My-Set
set pfs group2
Tunnel Configuration
interface Tunnel1
description ** DMVPN Intranet IPv4 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
shutdown
keepalive 10 3
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
interface Tunnel2
description ** DMVPN Intranet IPv6 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.12.1 255.255.255.0
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
Regards,
Thomas
Hello Marcin,
it is working now :-)
First I was running a dual stacked spoke as well, but now I am using one IPv4 and one IPv6 only spoke. The ipsec profiles are "shared", because besides the two shown tunnels I have one more IPv4 and IPv6 Tunnel for Extranetuse. The Spoke sites use "shared" as well, because they build a backup VPN Tunnel to a second Hub router.
I have removed the "keepalive 10 3" from my Tunnel interfaces and rebooted the routers and everything is working now.
Here are my final configurations:
Crypto
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp key cisco address ipv6 ::/0 no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile My-Profile-v4
description ** IPsec Profile fuer IPv4 Peers **
set transform-set My-Set
set pfs group2
crypto ipsec profile My-Profile-v6
description ** IPsec Profile fuer IPv6 Peers **
set transform-set My-Set
set pfs group2
Tunnel Hub Dual Stacked
interface Tunnel1
description ** DMVPN Intranet IPv4 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.10.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
interface Tunnel2
description ** DMVPN Intranet IPv6 **
bandwidth 1000
ip vrf forwarding VPN
ip address 10.0.12.1 255.255.255.0
ip mtu 1416
no ip next-hop-self eigrp 65351
no ip split-horizon eigrp 65351
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
end
Tunnel Spoke IPv4
interface Tunnel1
description ** DMVPN Intranet IPv4 **
ip vrf forwarding VPN
ip address 10.0.10.2 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-mode
ip nhrp map 10.0.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 1
ip nhrp holdtime 360
ip nhrp nhs 10.0.10.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile My-Profile-v4 shared
end
Tunnel Spoke IPv6
interface Tunnel1
description ** DMVPN Intranet IPv6 **
ip vrf forwarding VPN
ip address 10.0.12.2 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-mode
ip nhrp map 10.0.12.1 2001:1:1:1::1
ip nhrp map multicast 2001:1:1:1::1
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp nhs 10.0.12.1
ip nhrp shortcut
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint ipv6
tunnel key 2
tunnel protection ipsec profile My-Profile-v6 shared
end
Thanks again
Thomas
Similar Messages
-
Mapping error in PI 7.4 dual stack
Dear Experts,
Recently we upgraded our system from PI 7.1 to PI 7.4 dual stack.
Scenerio is ECC->PI->SOAP(Webservice) synchronous
Issue in detail:
We are creating a invoice in ECC system through PI its updating in third party site using SOAP webservice and will get a reference number from that site and then updating in ECC as in synchronous way.
Invoice data's are reached PI sucessfully from ECC but it not updating in the site and getting below mapping error after upgarded to PI 7.4.
Your points will be highly appreciable.
Kindly help to sort out this issue.
Best Regards,
MonikandanHi Monikandan,
It seems you are trying the sign the payload in your java mapping. So, looking at the attached error, there could be 2 possibilities:
1) Either there is no certificate with alias: *_PRD
2) This certificate is stored in some "System" type keystore view which is not accessible from you mapping code. Try to move your certificate to some "User" keystore view.
Thanks & regards,
Piyush -
How-To: Comparing DMVPN Single & Dual Tier Architectures - IPSec VPN & mGRE Termination
Greetings to everyone,
I'd like to share a recent article we published that covers the differences between Single and Dual Tier DMVPN deployments. The article aims to help engineers understand the differences at the IPSec VPN level and its termination on the HUB router.
Those interested can following the link below to read up on this hot topic:
Firewall.cx - Comparing DMVPN Single & Dual Tier Architectures - IPSec VPN & mGRE Termination
Topics Covered (Diagram included for every scenario):
- Single Tier Headend, How IPSec Tunnel mode terminate on Hub
- Single Tier Headend, How mGRE Tunnels terminate on Hub
- Dual Tier Headend, How IPSec Tunnel mode terminate on Frontend Router
- Dual Tier Headend, How mGRE Tunnels terminate on Hub
- Links to similar articles that will surely interest
Feedback is always welcome.
Thanks,
Chris.You might be running a bug, try to check the Cisco Bug Toolkit for a bug (Or Cisco TAC).
Also try to capture the debug as the why the VPN is failing. Since EIGRP packets flow continuously the tunnel should not go down.
Regards
Farrukh -
Dual stack on tunnel interface
Is it possible to run dual stack IP schemes over an ipsec-protected tunnel interface on IOS? I am able to assign the IPv6 addresses like a normal interface on both ends however when i try to ping across the tunnel with IPv6 there is no response. Here is an example of my config:
R1
interface Tunnel0
description Tunnel to R2
ip address 172.30.1.237 255.255.255.252
ip mtu 1400
ip nat inside
ip virtual-reassembly
load-interval 30
ipv6 address FE80::172:30:1:1 link-local
ipv6 address 2001:1::172:30:1:1/126
keepalive 5 4
tunnel source GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel destination 1.2.3.4
tunnel protection ipsec profile protect-gre
R2
interface Tunnel0
description Tunnel to R1
ip address 172.30.1.238 255.255.255.252
ip mtu 1400
ip nat inside
ip virtual-reassembly
load-interval 30
ipv6 address 2001:1::172:30:1:2/126
ipv6 address FE80::172:30:1:2 link-local
keepalive 5 4
tunnel source FastEthernet0/1
tunnel destination 1.2.3.5
tunnel mode ipsec ipv4
tunnel protection ipsec profile protect-gre
The only solution i can clearly see is running a separate tunnel, which i would like to avoid. Any assistance is greatly appreciated!Hello,
In my System preferences the IPv6 settings are set to "automatic", my DSL router (Cisco 787) supports IPv6. When visiting sites like www.sixxs.net and www.apnic.org (which are reachable by both IPv6 and IPv4), some pages are reached by IPv6 and some by IP4. Even the same page may load in IPv6 first, but a second time via IPv4. This behaviour has changed since my upgrade to Leopard, under Tiger the behaviour was much more stable.
Gerard -
Problem running apache dual stack IPv4 and IPv6
Hello!
I am running a single Lion-Server with one public IPv4 address. Because my Provider is able to support IPv6 now, I ordered a public IPv6 address for my server. (To learn IPv6)
I setup IPv6 address and setup the firewall with ip6fw - everything works fine, I can connect to ssh and afp via IPv4 or IPv6 but when I try to connect to my wiki over IPv6 I get the certificate question (unknown certificate ... blah) click continue and the certificate is loeded againe - I end up in an infinte loop of certificate questions.
The part of the firewall config looks like this:
20515 allow tcp from any to any 443
20516 allow tcp from any to any 8443
20517 allow tcp from any to any 1640
I looked into apache config:
/etc/apache2/sites/virtual_host_global.conf has this entries:
Listen *:443
NameVirtualHost *:443
Listen *:80
NameVirtualHost *:80
I have only one domain and only one single virtual host as defined in /etc/apache2/sites/0000_any_443_.conf:
## Default Virtual Host Configuration
<VirtualHost *:443>
ServerAdmin [email protected]
DocumentRoot "/Library/Server/Web/Data/Sites/Default"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog "/var/log/apache2/access_log" combinedvhost
ErrorLog "/var/log/apache2/error_log"
<IfModule mod_ssl.c>
SSLEngine On
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProxyEngine On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCertificateFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.cert.p em"
SSLCertificateKeyFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.key.pe m"
SSLCertificateChainFile "/etc/certificates/www.ABCDE.de.1A00F8DFC2738F25D26E3248A4C8F687D7EA7F32.chain. pem"
SSLProxyProtocol -ALL +SSLv3 +TLSv1
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/Default">
Options All +MultiViews -ExecCGI -Indexes
AllowOverride None
<IfModule mod_dav.c>
DAV Off
</IfModule>
</Directory>
</VirtualHost>
I have not modified the apache config by hand until now - but this was an upgrade from Snow Leopard Server. At the moment I am a littel scared to upgrade to Mountain Lion server because this server runs mail and calender services for my company.
I tried to setup "Listen" entry with dedicated IP-addresses, one for IPv4 and one for IPv6 but this only leads to the same problem - IPv4 works, IPv6 ends in an infinte loop.
I found somewhere that I had to duplicate virtual hosts setup for IPv4 and IPv6 but afaik "Server.app" will overwrite it, right?
Every hint is welcome, bye
Christoph
P.S. Sorry just saw that I posted to ML-Server discussions not Lion-Server, but maybe someone can tell me that I can upgrade without scare.
Message was edited by: Christoph Ewering1Hello!
Did some more testing and found that FireFox works with the loopback-address.
https://[::1]/
So, the address above works with FireFox after accepting the certificate - Safari loops in the dialog accepting the certificate.
Then I tried the link-local-address but it looks like apache does not listen to that address at all
Then I tried the global-address and got to:
Safari looping in the certificate dialog
FireFox brings an alert „sec_err_bad_database"
BTW this tests were made on the server that runs the apache. So no firewall between the browser and the server.
No one using Mac OS X server in a dual stack enviroment?
Bye,
eweri -
Error in phase import Homogeneous system copy from a BI 7.3 dual stack ABAPJAVA
Hi
I'm doing a Homogeneous system copy from a BI 7.3 dual stack ABAP+JAVA system with an Oracle DB (11g version, 11.2.0.3.0 patch level) with AIX ibm OS.
Before starting export I've executed in the source system the report SMIGR_CREATE_DDL, as described in sap note 888210, and I generated *.SQL files.
After, during the import in the target system I get the following error message:
vi /expdb2/tmpDB0/sapinst_instdir/NW730/ORA/ORA/COPY/ORA/SYSTEM/STD/AS/import_monitor.log
INFO: 2014-03-08 00:21:57 com.sap.inst.migmon.LoadTask run_report
Monitor jobs: running 0, waiting 1, completed 60, failed 5, total 66 finish processing of package SAP0000
You can see below the detail of the 5 packages in error:
SAPAPPL0_1_5
DbSlExecute: rc = 99
(SQL error 2216)
error message returned by DbSl:
ORA-02216: tablespace name expected
(DB) INFO: disconnected from DB
/usr/sap/DB2/SYS/exe/uc/rs6000_64/R3load: job finished with 1 error(s)
/usr/sap/DB2/SYS/exe/uc/rs6000_64/R3load: END OF LOG: 20140307141347
SAPZPSA
DbSlExecute: rc = 99
(SQL error 2216)
error message returned by DbSl:
ORA-02216: tablespace name expected
(DB) INFO: disconnected from DB
SAPDODS
DbSlExecute: rc = 99
(SQL error 922)
error message returned by DbSl:
ORA-00922: missing or invalid option
(DB) INFO: disconnected from DB
SAPDFACT
DbSl Trace: Error 1741 in exec_immediate() from oci_execute_stmt(), orpc=0
DbSl Trace: ORA-01741 occurred when executing SQL stmt (parse error offset=8126464)
(DB) ERROR: DDL statement failed
( ALTER TABLE "/BI0/F0TCT_C01" ADD PARTITION "/BI0/F0TCT_C010000001131" VALUES LESS THAN ( 0000001131 ) TABLESPACE "" )
DbSlExecute: rc = 99
(SQL error 1741)
error message returned by DbSl:
ORA-01741: illegal zero-length identifier
(DB) INFO: disconnected from DB
SAPZOSO
DbSl Trace: Error 922 in exec_immediate() from oci_execute_stmt(), orpc=0
DbSl Trace: ORA-00922 occurred when executing SQL stmt (parse error offset=242024448)
(DB) ERROR: DDL statement failed
(CREATE TABLE "/BIC/B0000989000" ("REQUEST" VARCHAR2 (000090) DEFAULT ' ' NOT NULL, "DATAPAKID" VARCHAR2 (000018) DEFAULT '000000' NOT NULL, "PART
NO" NUMBER (000010) DEFAULT 0 NOT NULL, "RECORD" NUMBER (000010) DEFAULT 0 NOT NULL, "PLANT" VARCHAR2 (000012) DEFAULT ' ' NOT NULL, "MATERIA
L" VARCHAR2 (000054) DEFAULT ' ' NOT NULL, "RPA_CURUOM" VARCHAR2 (000015) DEFAULT ' ' NOT NULL, "RPA_MVF" NUMBER (000017, 000002) DEFAULT 0 NOT N
ULL, "PRICE_UNIT" NUMBER (000017, 000003) DEFAULT 0 NOT NULL, "RPA_QTYUOM" VARCHAR2 (000009) DEFAULT ' ' NOT NULL, "RT_SSMFGR" VARCHAR2 (000024)
DEFAULT '00000000' NOT NULL, "BASE_UOM" VARCHAR2 (000009) DEFAULT ' ' NOT NULL, "FRE_PLNPUR" VARCHAR2 (000036) DEFAULT ' ' NOT NULL, "FRE_MINS
TK" NUMBER (000017, 000003) DEFAULT 0 NOT NULL, "FRE_SERLEV" NUMBER (000017, 000003) DEFAULT 0 NOT NULL, "FRE_SELCLS" VARCHAR2 (000003) DEFAULT '
0' NOT NULL, "FRE_REPLST" VARCHAR2 (000006) DEFAULT ' ' NOT NULL, "ABCKEY" VARCHAR2 (000003) DEFAULT ' ' NOT NULL, "RECORDMODE" VARCHAR2 (000003)
DEFAULT ' ' NOT NULL, "RT_SERVLEV" VARCHAR2 (000003) DEFAULT ' ' NOT NULL, "RT_SUPS" VARCHAR2 (000003) DEFAULT ' ' NOT NULL, "VAL_TYPE" VARCH
AR2 (000030) DEFAULT ' ' NOT NULL, "PUR_GROUP" VARCHAR2 (000009) DEFAULT ' ' NOT NULL, "RT_VPNEU" NUMBER (000017, 000002) DEFAULT 0 NOT NULL,
"CURRENCY" VARCHAR2 (000015) DEFAULT ' ' NOT NULL, "RT_VRKPE" NUMBER (000017, 000003) DEFAULT 0 NOT NULL, "DISMM" VARCHAR2 (000006) DEFAULT ' '
NOT NULL, "SALES_UNIT" VARCHAR2 (000009) DEFAULT ' ' NOT NULL, "RT_VP_BT" NUMBER (000017, 000002) DEFAULT 0 NOT NULL, "RT_VPE_BT" NUMBER (000017,
000003) DEFAULT 0 NOT NULL, "RT_VP_NT" NUMBER (000017, 000002) DEFAULT 0 NOT NULL, "RT_VPE_NT" NUMBER (000017, 000003) DEFAULT 0 NOT NULL, "R
T_VWAERBT" VARCHAR2 (000015) DEFAULT ' ' NOT NULL, "RT_VWAERNT" VARCHAR2 (000015) DEFAULT ' ' NOT NULL, "RT_VPMEIBT" VARCHAR2 (000009) DEFAULT '
' NOT NULL, "RT_VPMEINT" VARCHAR2 (000009) DEFAULT ' ' NOT NULL, "LOC_CURRCY" VARCHAR2 (000015) DEFAULT ' ' NOT NULL, "UNIT" VARCHAR2 (000009)
DEFAULT ' ' NOT NULL, "CM_MCATDIV" VARCHAR2 (000054) DEFAULT ' ' NOT NULL, "CM_CDT1" VARCHAR2 (000054) DEFAULT ' ' NOT NULL, "CM_CDT2" VARCHAR2
(000054) DEFAULT ' ' NOT NULL, "CM_CDT3" VARCHAR2 (000054) DEFAULT ' ' NOT NULL, "CM_CDT4" VARCHAR2 (000054) DEFAULT ' ' NOT NULL, "CM_HIEID"
VARCHAR2 (000006) DEFAULT ' ' NOT NULL, "CPSTLC" NUMBER (000017, 000002) DEFAULT 0 NOT NULL, "CPSVLC" NUMBER (000017, 000002) DEFAULT 0 NOT NULL
, "STOCK_VAL" NUMBER (000017, 000002) DEFAULT 0 NOT NULL, "STOCK_QTY" NUMBER (000017, 000003) DEFAULT 0 NOT NULL, "RT_SEASON" VARCHAR2 (000012)
DEFAULT ' ' NOT NULL, "RT_SEASYR" VARCHAR2 (000012) DEFAULT '0000' NOT NULL, "CALDAY" VARCHAR2 (000024) DEFAULT '00000000' NOT NULL, "CALWEEK"
VARCHAR2 (000018) DEFAULT '000000' NOT NULL, "RF_BNDID" VARCHAR2 (000012) DEFAULT ' ' NOT NULL, "/BIC/ZCATTR3" VARCHAR2 (000006) DEFAULT ' ' NOT
NULL, "/BIC/ZCSTYLE" VARCHAR2 (000006) DEFAULT ' ' NOT NULL, "/BIC/ZCIMAGE" VARCHAR2 (000006) DEFAULT ' ' NOT NULL, "/BIC/ZCBRNDTYP" VARCHAR2 (000
003) DEFAULT ' ' NOT NULL, "/BIC/ZCGROUPE" VARCHAR2 (000054) DEFAULT ' ' NOT NULL) PCTFREE 10 PCTUSED 00 INITRANS 001 TABLESPACE STORAGE (
INITIAL 0000000016 K NEXT 0000001024 K MINEXTENTS 0000000001 MAXEXTENTS 2147483645 PCTINCREASE 0000
FREELISTS 001 FREELIST GROUPS 01) PARTITION BY RANGE ("PARTNO") ( PARTITION "/BIC/B00009890000000000002" VALUES LESS THAN (00000
00002) NOCOMPRESS ) )
DbSlExecute: rc = 99
(SQL error 922)
error message returned by DbSl:
ORA-00922: missing or invalid option
(DB) INFO: disconnected from DBhello,
Before anything update DB shared lib, R3load, R3ldctl and R3szchk in the target system. Also Check in source system if you have any tables o index missing in db02 transaction, If this system wa upgraded from a previous release please check TAORA and IAORA tables in source system and check all the tablespaces named in those tables are created in the target system.
let me know how it goes.
Regards,
Michael -
Dual Stack NW 7.0 installation with R/3 Backend as UME
I have a quick question guys. I am about to install a dual stack NW system with ADS(SQL server database on windows) and will use a R/3 Enterprise running on unix as the UME datasource. Now this R/3 enterprise backend already acts as bakend for Portal system and uses sap logon tickets and as such already has the user SAPJSF. Now when i actually perform the NW 7.0 installation and enter a master password during the course, would this override the SAPJSF user in R/3 backend system at all.
What are the general problems that are caused with using an existing ABAP only system as the UME for your Java stack(Dual stack actually) systems. Can you advise.
Regards
KalyanHi,
Now when i actually perform the NW 7.0 installation and enter a master password during the course,
would this override the SAPJSF user in R/3 backend system at all.
NO....Not at all..
SAPJSF user is used for the communication between ABAP and JAVA stacks. SAPJSF user is an independent user of each independent ABAP stack.
ABAP data/user-store is the place where the users, roles and authorizations of an ABAP System are stored.
And with the same concept, the UME is the same mechanism for users, roles, permissions of an JAVA system.
After installation of your new NW ABAP+JAVA Stack, you will have to specify the SAPJSF user of ur old R/3 ABAP system which you want to use as User Data Store for ur Newly installed Java System's UME.
In ABAP System section u will have to provide all details of ur SAP R/3 application server, which ur portal is already using as User Data Store.
What are the general problems that are caused with using an existing ABAP only system
as the UME for your Java stack(Dual stack actually) systems. Can you advise.
It depends on the usage of your new application server.
Regards
Bhavik G. Shroff -
Question about the number of ERS instances in a dual-stack MCS environment
Hello to the group.
I have a simple question for those running a NetWeaver 7.0 (i.e. 2004s) dual stack (ABAP/JAVA) setup in an MCS environment. On each individual node, do you have two separate ERS processes running on the node (as seen in Task Manager) that is opposite to the system running the ASCS/SCS instances? If so, do you have a set of profiles for each of these ERS processes (I am guessing that is true)?
Thanks in advance for your help.
J. HaynesHas anyone found a good description of the process that runs after one node fails over to another one? help.sap.com mentions that the ASCS will restart and run the command enstatus.cmd but I cannot find what is supposed to happen after that. Is the ERS service itself stopped?
Thanks
J. Haynes -
hi guys,
we plan to upgrade Enterprise Dual stack(ABAP+JAVA) System to EHP4 system.
In EHP4 upgrade document it says, No dual stack supported for EHP4 installation..was that mean
only for Installation or upgrade too.
Seperate SID is required for EHP4 system after upgrade? Please confirm.
thankshi jaichan,
yes, you are right ..For new installation of SAP ERP to EHP4 level, you cannot install dual stack system..i have read in sap note 855534..please find below the extract from this note:
As of SAP Business Suite 7, you can no longer install Dual Stack Application Systems (ABAP+Java).
If you want to use both SAP Business Suite ABAP and Java Components in your system landscape, you have to proceed as follows:
1. Install a separate ABAP-based SAP Business Suite system.
2. Install the required Java components in a separate Java-based SAP system.
3. Configure the connection of the Java-based SAP system to the ABAP-based SAP Business Suite back-end system.
The SAP Business Suite 7 comprises: EHP4 for SAP ERP 6.0, SAP CRM 7.0, SAP SCM 7.0, SAP PLM 7.0, SAP SRM 7.0
As of now you will find the latest recommendations at a central place in SDN:
https://www.sdn.sap.com/irj/sdn/landscapedesign -> Distribution Models
You will also find information about the deployment of SAP NetWeaver usage types and the SAP Business Suite there.
but you can upgrade your previously installed SAP ERP dual stack system without having seperate SID's thing...
We have upgraded around 50 of our systems without any problem
thanks sunny -
PI 7.1(dual stack) and PI 7.31(Single stack) -
Friends,
I have a proxy to proxy scenario - Proxy --> PI --> Proxy
We have two servers PI 7.1(dual stack) and PI 7.31(Single stack)
i did the development in ESR and my ESR is pointing to PI 7.1, when i execute the scenario i receive one error message "receiver could not be determined", i ensured that all my input is correct, still i get the same error message.
the expectation is my scenario should point to PI 7.31, Can some one help me where and what settings i need to make in-order to make it work.
Please Note: All my data is correct and i read some scn forums wherein they asked to refresh the cache , i have refreshed the cache also still the problem persists.
Thanks in advance!Iñaki Vila
Communication component in ID is the same as sender side.
could you share your sender configuration?
Did you mean Tcode - SXMB_ADM and under that Sender/Receiver configuration
Krupa Rao Atluri
In ID steps are correctly defined.
I spoke to my colleague he hinted that at RUN TIME we want to point to PI7.31, he mentioned config change needed in SXMB_ADM
any further inputs from any one could be useful. -
Parameterized mapping in PI 7.31 Dual Stack
Hi All,
I am working on PI 7.31 Dual Stack. I am getting the below exception in parameterized mapping:
com.sap.aii.utilxi.misc.api.BaseRuntimeException; com.sap.aii.mapping.api.UndefinedParameterException: The input-parameter TestVal does not exist.
I could test in MM test tab but facing the issue in runtime. Please suggest me where I am going wrong.
Thanks,
MadhurimaHi Madhurima,
Have you checked if your PI version and patch level is being affected with this note 1933139 - Errors during execution of operation mapping with message mapping parameters names different from the operation mapping parameter names?
Regards. -
Issue while creating Component Based Message Alerting in PI 7.31 Dual Stack
Hi,
We tried to implement Component Based Message Alerting following the steps mentioned in the below blog.
http://scn.sap.com/community/pi-and-soa-middleware/blog/2012/03/25/michals-pi-tips-component-based-message-alerting
Ours is PI 7.31 dual stack. However, after setting up the job with my own user id, I am getting the below error inside the log of Jobs tab:
javax.jms.JMSSecurityException: You do not have permissions: action alertingVP.queue and instance:name alertingVP.queue
action consumer
instance jms/queue/xi/monitoring/alert/ALERT-TO-MAIL
Please let us know what permission is required to set up the job.
Thanks,
RahulHi,
Now I am able to receive alert in my mailbox. But it's coming with improper content.
I have set up the job at an interval of every 2 minutes in NWA, and in case if only 1 message fails in IE, in ideal case, I should receive only 1 message details in alert.
However, in every 2 minutes, I am receiving junk data and the number is increasing for the particular scenario for which the alert has been created. Also the Error Category mentioned is showing improper.
But in table SXMSALERTCONTENT I am able to view only the newly added failed entry.
An erroneous alert email content is pasted below:
63 messages failed for "Test_XXX" on "af.s0i.saps0i"
Root cause: -1
To navigate to the failed messages in the local message monitor use this link
The first 1 messages of that data collection:
"AdapterNamespace": "http://sap.com/xi/XI/System",
"AdapterType": "File",
"Channel": "FileSender_XXX",
"ChannelParty": "",
"ChannelService": "XXXXX",
"Component": "af.s0i.saps0i",
"ErrCat": "",
"ErrCode": "",
"ErrLabel": "-1",
"ErrText": "Configured source directory '\\Outbound\\XXX\\CREMAS' does not exist",
"FromParty": "",
"FromService": "XXX",
"Interface": "Z_CREMAS_SUSMM.CREMAS03",
"Namespace": "urn:sap-com:document:sap:idoc:messages",
"RuleId": "3a64dd6e1b1d3e58aff62ea70c97cb80",
"Timestamp": "2013-02-01T09:43:23Z",
"ToParty": "",
"ToService": ""
The failed message however do not relate to the 'source directory does not exist' issue. Please help.
Thanks,
Rahul -
How to restart Java Engine in ABAP+JAVA dual stack installation ?
Dear Experts
if i use stopsap r3 in this dual stack installation - it stops both ABAP & JAVA Web Application Servers.
I want to restart only JAVA Weba pplication server.
How do it ?
Thaks in Advance !
RgdsBut theoritically they are 2 indpeendent installations like
AS ABAP
AS JAVA
..Do you aggree ?? really am not good on basics!!
During the installation also - if select AS ABAP & AS JAVA - it will become dual installation
and it does not show
any dependency while installing that AS JAVA requires AS ABAP.[Installation Component Selection and Dependency Screen shot|http://i303.photobucket.com/albums/nn153/S0002919350/SAP%20Issues/Oracle_Patches.jpg]
Installation Component Selection and Dependency Screen shot
Is it because if AS ABAP is down - AS JAVA UME is 001 client - and Java authentication fails ?
Can we de attatch from ABAP UME for my requirement like - running JAVA WAS alone w/o ABAP.
Regards
PR
Regards
Edited by: P.R. SRINIVAS on Jun 16, 2008 4:15 PM -
PI 7.31 Dual Stack SSL configuration
HI Gurus,
I have a quick query, I am configuring SSL on my PI 7.31 systems.
I have checked all the standard guides and forums but I have one doubt.
Q1 - Is it necessary to configure SSL both in ABAP and JAVA side ?
Q2 - If I just configure SSL in STRUSTSSO2 in ABAP , will it be more than enough ?
Q3 - In what cases do we need to configure SSL in JAVA side ? And does configuring SSL in JAVA mandatory require sapcryptolib files ?
Please share your views.
Cheers, SGI want to understand is it necessary to configure SSL in both ABAP and JAVA in case of dual stack PI ?
>>> Please refer to Huseyin's comments in the below thread..
PI 7.3 Dual Stack SSL configuration
In what cases do we use JAVA SSL in Dual stack system ?
>>> AFAIK - when you use http_aae adapter/soap with https then you should configure the SSL on java stack. -
PI 7.31 Dual Stack Using BPM/BRM and ccBPM
Hello,
My client has decided to use SAP PI 7.31, because we have many ccBPM solutions, being used a long time, the idea is install the Dual Stack solution and keep using the ccBPM, at least for while.
But for the new integration solutions, we would like to use the AEX(Local AEX-Based) and connect to BPM and BRM, and maybe migrate the old solutions when possible.
Is it possible, use the both solutions( AEX/BPM/BRM and ccBPM) ? In this case, we will have all the benefits and great perfomance
when using the AEX/BPM/BRM(Local AEX-Based) solution, that we have in the single stack ?
Best regards,
Dylon.Hi, vishal jain.
Thank you! Checking your link, we will probably choose the third case:
If PI is installed as dual-stack, then PO, PI and BPM/BRM, will have to be installed with different SIDs. PI on one SID and BPM/BRM on a different SID.
But the question remains... in this case is possible to use ccBPM and BPM/BRM, ok ?
And when using the BPM/BRPM, how is the performance and benefits ?
Are the same when using single stack solution ?
Best regards!
Maybe you are looking for
-
The best way to connect wireless and wired for a WRT160N.
It took me about 4 hours to find out how to connect wireless and wired to a network using model WRT160N. Here is what I have done. First install the CD when it says there is not connection connect your PC, Modem and router Andy any wireless are wir
-
Attachments not viewable in conversation view in Outlook 2010
We have an installation of Outlook 2010 on XP Pro SP3, and when the inbox is set to view by conversation and there are messages that contain attachments within a conversation, I will open the message that contains the attachment, but there will be no
-
Outlook 2013 won't sync thru iCloud -- workaround
On a Windows 8 PC, Outlook 2013 will not sync calendar and contacts with i devices thru iCloud. Until Apple and/or Microsoft address the compatibility issue, there is a reasonable workaround. Use Outlook 2013 only for mail. For calendar and conta
-
I cannot get to the menu button on my samsung galaxy 2 10.1 tablet. There is not a menu on the botton of the screen as many keep referring to either. Am I correct that customizing the app is just going to not be possible? Am about ready to give up an
-
Haven't lost song files, but have lost playlists and want to restore!
I store my songs (2300 in total) on a NAS drive. Two days ago, it was necessary for me to detach the NAS drive from my system. When it was re-attached, for some reason it came to life with a name that was a modified version of its prior name. Consequ