Setup IPsec in Solaris 10
Hi Everybody
Is there a doc or white paper that explains step by step how to configure IPsec under Solaris 10?
Thanks
http://docs.sun.com
Similar Messages
-
Problem with IPSec on solaris 9
Hi all
I'm facing a problem with IPSec on solaris 9 that I didn't have with Solaris 8 (With the Security package installed).
I've an application that creates SA's by using the pf-key interface.
What it does is first doing a GETSPI to a specific SPI and a specific Destination IP Address.
This will create an SA and put it in a LARVAL state. After about a minute my application will do an UPDATE to this SPI and that command should change the state of the SA from LARVAL to MATURE but instead I get an error saying that this SPI & IP address already exist (errno = 17).
Well, of course it already exists; that's the whole point. It should just change the state of an existing SA.
This exact scenario was working fine on Solaris 8.
Am I doing something wrong (maybe there is a package on Solaris 9 that I need to install?)
or is this a bug in Solaris 9?
If anyone has any idea on how to do that (without using a one step ADD for a new SA) I will be very thankful.
Sorry for using reply for querying.
I got a problem in creating a Security Association using the PF_KEY Socket (first used SADB_GETSPI and got SPI,with SPI tried to update SADB_UPDATE).
Getting this problem on Sun Solaris 8.
It returns errno 122 . operation not supported.
Here is my mailId [email protected]
I got few more queries regarding PF_KEY socket.
Not much directions are available also for pf_key socket in internet.
Monitor produces the following error.
# ipseckey monitor
"Base message (version 2) type UPDATE, SA type AH.
Error Operation not supported on transport endpoint from PF_KEY.
Message length 16 bytes, seq=4294967294, pid=450."
Here is my mailId [email protected]
Thanks in Advance.
ssundar. -
Configuring IPSec in Solaris 9
Hello Friends,
I want to configure IPSec in solaris 9 so that a win2k/XP machine can communicate with that solaris m/c using IPSec. Could anybody help me regarding this. I have a basic idea of IPSec. I just want a step by step instructions for how to configure it. I have searched through google and found many docs which instructs how to configure IPSec between solaris only and also between windows only and I have succeeded to do so. But failed to configure it within solaris and windows.
Thanks and Regards
Dipta P Banerjee
Yes, you can use oracle thin driver.
Your connection pool configuration is actually using datasource of oracle thin driver.
1) download oracle thin driver from oracle
2) .jar need to be kept in AS_INSTALL/domains/<domain-name>/lib/ext
3) restart AS
4) set all the necessary properties for Oracle thin driver - conn. pool (refer App Server Administration Guide > JDBC Resources > Config. for specific JDBC Drivers > Oracle thin type 4 driver
5) Ping conn. pool
If you are still getting the failure message, please post
1) exception got during ping, from domains/<domain-name>/logs/server.log
2) connection pool configuration
Thanks,
-Jagadish -
Certificate Authority Support for IPSEC in Solaris
I'm wondering when Solaris SPARC or X86 will support an IKE daemon that supports Certificates.
The whole manual IPSEC is not desirable nor is it the best method of security.
You may want to pose your question over on the Solaris Suggestion Board as well:
http://www.sun.com/bigadmin/discussions/ -
Using IPsec in solaris 10 with zones - in the zones.
I manage to set up the IPsec feature in the global zone , However, i need to use it in one of the zones,
How can I do it?
Hi Peter - thanks for your reply.
I had already tried including the full path to srcore in AccessKeyMouseEvents (apologies for not mentioning this before) and still no luck.
I've just now re-verified that I made the correct changes as outlined in the JDS3 accessibility guide. My AccessKeyMouseEvents line is:
<Control>s 1 1000 1000 /usr/sfw/bin/srcore login disable-magnifier enable-speech enable-braille
(it is all on one line)
Any other suggestions?
Is there a way I can determine (via a non graphical method) whether the proper modules are being loaded by gdm?
Thanks,
Ivan Fetch. -
IPsec tunnel to a windows 2008 R2 server
I have an application that uses FTP to a win2k8r2 server. I'd like to setup an IPSEC tunnel to the windows server to encapsulate this traffic.
I've configured IPSEC in Solaris before, but not in LINUX. The implementation eludes me. I've searched online and not found anything that appears to work.
Anyone got any ideas or secret documents that line out how to do this?
Yes, but not very helpful educationally. What I am trying to do is establish a permanent tunnel to a win2k8r2 server. I've got it to the point where it will establish a tunnel if the windows box initiates the transaction but my attempts fail. Additionally, the connection is not permanent. It drops every so often.
I keep getting the following errors over and over again until the windows box tries to send something.
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #29: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #27 {using isakmp#14 msgid:41efece2 proposal=defaults pfsgroup=no-pfs}
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received Delete SA payload: replace IPSEC State #16 in 10 seconds
Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:36 LINUXHOST pluto[12025]: "WINHOST_Conn" #30: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #16 {using isakmp#14 msgid:219d57e8 proposal=defaults pfsgroup=no-pfs}
problem is the windows server is the recipient in these transactions. -
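An added example, not part of the original post: a Python triage of the pluto lines quoted above, pairing each Quick Mode attempt with the notifications the peer sends back on the parent ISAKMP SA. The function names, the 30-second correlation window, and treating `INVALID_ID_INFORMATION` or `NO_PROPOSAL_CHOSEN` on that SA as the peer's answer to the attempt are assumptions of this sketch; the year in the timestamps is a placeholder because syslog omits it.

```python
import re
from collections import Counter
from datetime import datetime

# Subset of the log lines copied from the post above (names as posted).
SAMPLE_LOG = '''\
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #29: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #27 {using isakmp#14 msgid:41efece2 proposal=defaults pfsgroup=no-pfs}
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received Delete SA payload: replace IPSEC State #16 in 10 seconds
Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Apr 16 13:47:36 LINUXHOST pluto[12025]: "WINHOST_Conn" #30: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #16 {using isakmp#14 msgid:219d57e8 proposal=defaults pfsgroup=no-pfs}
'''

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\spluto\[\d+\]:\s'
    r'"(?P<conn>[^"]+)"\s#(?P<state>\d+):\s(?P<msg>.*)$')
QUICK_RE = re.compile(r'initiating Quick Mode .*\{using isakmp#(\d+) msgid:([0-9a-f]+)')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (\w+)')
DELETE_RE = re.compile(r'received Delete SA payload: replace IPSEC State #(\d+)')
# Text pluto logs when a Quick Mode exchange completes (does not occur in the post).
ESTABLISHED = "IPsec SA established"
# Notify types read here as "peer refused the phase 2 request" (assumption of this sketch).
REJECT_TYPES = {"INVALID_ID_INFORMATION", "NO_PROPOSAL_CHOSEN"}


def parse_ts(text):
    # Placeholder year so that two syslog timestamps can be subtracted.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")


def summarise(conn):
    def by_outcome(outcome):
        return [a["msgid"] for a in conn["attempts"] if a["outcome"] == outcome]
    return {
        "attempts": len(conn["attempts"]),
        "rejected": by_outcome("rejected"),
        "established": by_outcome("established"),
        "unresolved": by_outcome("unresolved"),
        "notifications": conn["notifications"],
        "peer_deletes": conn["peer_deletes"],
    }


def analyse(log_text, window_seconds=30):
    """Return, per connection name, the outcome of every Quick Mode attempt."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-connection pluto line
        ts, state, msg = parse_ts(m["ts"]), m["state"], m["msg"]
        conn = report.setdefault(m["conn"], {
            "attempts": [], "notifications": Counter(), "peer_deletes": []})
        quick = QUICK_RE.search(msg)
        notify = NOTIFY_RE.search(msg)
        delete = DELETE_RE.search(msg)
        if quick:
            conn["attempts"].append({"state": state, "isakmp": quick[1],
                                     "msgid": quick[2], "ts": ts,
                                     "outcome": "unresolved"})
        elif notify:
            conn["notifications"][notify[1]] += 1
            if notify[1] in REJECT_TYPES:
                # Charge the rejection to open attempts riding on this ISAKMP SA.
                for a in conn["attempts"]:
                    age = (ts - a["ts"]).total_seconds()
                    if (a["outcome"] == "unresolved" and a["isakmp"] == state
                            and 0 <= age <= window_seconds):
                        a["outcome"] = "rejected"
        elif delete:
            conn["peer_deletes"].append(delete[1])
        elif ESTABLISHED in msg:
            for a in conn["attempts"]:
                if a["state"] == state and a["outcome"] == "unresolved":
                    a["outcome"] = "established"
    return {name: summarise(c) for name, c in report.items()}


if __name__ == "__main__":
    for name, summary in analyse(SAMPLE_LOG).items():
        print(name, summary)
```

A rejected attempt with no matching "established" line means the Linux side's phase 2 request is being refused; with `INVALID_ID_INFORMATION` the first things to compare are the phase 2 identities (the protected subnets or hosts) configured on each end.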
I am trying to use(& install) IPsec in Solaris 8, SunOS 5.8, ULTRA 10.
when I try to use "ipseckey", problem occurred...
log message is followed..
#ipsecconf -a /etc/inet/ipsecinit.conf
#ipseckey
ipseckey>add ah spi 0x90125 src free.domain.com dst ultra.domain.com \
authalg md5 authkey 1234567890abcdef1234567890abcdef
ipseckey>Reply message from PF_KEY timed out.
tell me solution for this problem...
thanks
Hi
I have seen this problem before, it is normally a result of a missing
package that goes with the ipsec feature, I can't remember which one
out of the top of my head.
If you have not yet fixed the problem, let me know and I will be happy
to figure out which is the missing package at your end.
-manish -
I am currently attempting to activate IPSecurity on Solaris and I am having a host of issues. I am hoping someone on the forums has done this before.
Here are the steps that I have figured out:
1) Create Certificates and add them into the database: I am fairly certain that this has been done correctly since when the in.iked daemon comes up it reads in my CA certificate and my server certificate that I have created.
2) Edit the /etc/inet/ike/config file. I have edited this file but there is an odd thing here. Looking at the man page it says that I should be able to use AES for the phase 1 SA. However when I use the key word for the aes it tells me it is an error. <Question> Is the AES support only on 10? Is there a way I can tell the version of the in.iked daemon I am working with?
3) Activate the in.iked server with the config file. I have done this and used the -p2 -d options so I can see the log file that goes with it.
4) Update the /etc/inet/ipsec.init file: I have done this but here is another instance that things do not make sense. I create a phase 2 proposal devoid of all encryption algorithms and the default one came up. It only had AES and Blowfish. There was no Triple DES option available even though in the man page it is there. <question> How do I get the version number of the ipsecconf command?
5)I then use the ipsecconf command to suck in the ipsec.init profile. I have done this successfully with AES and can do a list display.
Usage<<<< I attempt to run a traffic from my solaris to my partner machine that matches the phase 2 traffic descriptors however when the traffic arrives it is not encrypted and the solaris did not attempt to negotiate a tunnel.
When I attempt to initiate a VPN from the other side all I get is parameter mismatch on the Solaris side however the parameters that I have configured all seem to match.
<Questions>
1) Is there some better messages available above -p2 -d
2) Is there a way to initiate a phase 1 negotiation on the SA. ikeadm command does not seem to have that.
3) Is there a service that I have to activate to start the IPSecurity pieces?
http://www.sun.com/servers/coolthreads/t2000/specs.xml
no.
Darren -
Solaris 11 responds to IPSEC VPN traffic ONLY one direction
I have established an IPSEC VPN tunnel between my remote Solaris 11 and office Sonicwall router using Site to Site. Everything works fine if the traffic initiates from the Solaris side. However, when I try to ping or use any network services like nfs, ssh, samba, etc. on the remote Solaris box from our office, the server does NOT respond to the incoming packets, but packets are going through the tunnel and appear on the remote end when I do snoop -d tun0 and snoop -I vnic0. What I do notice is that snoop -d vnic0 shows no packets and it doesn't seem to get any traffic at all (see netstat -rn). Could it be my routing table? IP zones? Any ideas? I followed the Oracle documents very carefully and with extra help from other external Solaris 11 admin sites. I know people would suggest using OpenSwan or OpenVPN but this setup should work.
Here is the network info on my IPSEC VPN setup. Tunnel is configured in Transport Mode and IPSEC/IKE is working fine.
Solaris 11 vnic0/10.4.0.1/24, external Internet Nic is nge0/209.xxx.xxx.194/25
# dladm show-link
LINK CLASS MTU STATE OVER
nge0 phys 1500 up --
tun0 iptun 1402 up --
vnic0 vnic 1500 up nge0
# dladm show-iptun
LINK TYPE FLAGS LOCAL REMOTE
tun0 ipv4 s- 209.xxx.xxx.194 64.xxx.xxx.34
# ipadm show-if
IFNAME CLASS STATE ACTIVE OVER
lo0 loopback ok yes --
nge0 ip ok yes --
vnic0 ip ok yes --
tun0 ip ok yes --
# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
nge0/v4 static ok 209.xxx.xxx.194/25
vnic0/inside static ok 10.4.0.1/24
tun0/v4 static ok 10.4.0.1->172.20.0.1
lo0/v6 static ok ::1/128
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 209.xxx.xxx.129 UG 6 16874898 nge0
10.4.0.0 10.4.0.1 U 2 0 vnic0
10.181.0.0 172.20.0.1 UGS 3 16862235 tun0
127.0.0.1 127.0.0.1 UH 2 1786 lo0
172.20.0.1 10.4.0.1 UH 3 16862235 tun0
Routing Table: IPv6
Destination/Mask Gateway Flags Ref Use If
::1 ::1 UH 2 42 lo0
# routeadm
Configuration Current Current
Option Configuration System State
IPv4 routing disabled disabled
IPv6 routing disabled disabled
IPv4 forwarding disabled disabled
IPv6 forwarding disabled disabled
Routing services "route:default ripng:default"
Routing daemons:
STATE FMRI
disabled svc:/network/routing/ripng:default
disabled svc:/network/routing/rdisc:default
disabled svc:/network/routing/route:default
disabled svc:/network/routing/legacy-routing:ipv4
disabled svc:/network/routing/legacy-routing:ipv6
online svc:/network/routing/ndp:default
Solaris># ping 10.181.1.218
10.181.1.218 is alive
C:\>ping 10.4.0.1
Pinging 10.4.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
# snoop -d tun0 10.181.1.218
Using device tun0 (promiscuous mode)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 33) (1 encap)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 34) (1 encap)
# snoop -I vnic0 10.181.1.218
Using device ipnet/vnic0 (promiscuous mode)
10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 36)
10.181.1.218-> 10.4.0.1 -i ICMP Echo request (ID: 1 Sequence number: 37)
# ipadm show-prop
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4 forwarding rw off off off on,off
ipv4 ttl rw 255 -- 255 1-255
ipv6 forwarding rw off -- off on,off
ipv6 hoplimit rw 255 -- 255 1-255
ipv6 hostmodel rw weak -- weak strong,
src-priority,
weak
ipv4 hostmodel rw strong strong weak strong,
src-priority,
weak
icmp max_buf rw 262144 -- 262144 65536-1073741824
icmp recv_buf rw 8192 -- 8192 4096-262144
icmp send_buf rw 8192 -- 8192 4096-262144
tcp cong_default rw newreno -- newreno newreno,cubic,
highspeed,vegas
tcp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
highspeed, highspeed, highspeed,vegas
vegas vegas
tcp ecn rw passive -- passive never,passive,
active
tcp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
tcp largest_anon_port rw 65535 -- 65535 32768-65535
tcp max_buf rw 1048576 -- 1048576 128000-1073741824
tcp recv_buf rw 128000 -- 128000 2048-1048576
tcp sack rw active -- active never,passive,
active
tcp send_buf rw 49152 -- 49152 4096-1048576
tcp smallest_anon_port rw 32768 -- 32768 1024-65535
tcp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
udp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
udp largest_anon_port rw 65535 -- 65535 32768-65535
udp max_buf rw 2097152 -- 2097152 65536-1073741824
udp recv_buf rw 57344 -- 57344 128-2097152
udp send_buf rw 57344 -- 57344 1024-2097152
udp smallest_anon_port rw 32768 -- 32768 1024-65535
udp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
sctp cong_default rw newreno -- newreno newreno,cubic,
highspeed,vegas
sctp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
highspeed, highspeed, highspeed,vegas
vegas vegas
sctp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
sctp largest_anon_port rw 65535 -- 65535 32768-65535
sctp max_buf rw 1048576 -- 1048576 102400-1073741824
sctp recv_buf rw 102400 -- 102400 8192-1048576
sctp send_buf rw 102400 -- 102400 8192-1048576
sctp smallest_anon_port rw 32768 -- 32768 1024-65535
sctp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
# ipadm show-addrprop
ADDROBJ PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
lo0/v4 broadcast r- -- -- -- --
lo0/v4 deprecated rw off -- off on,off
lo0/v4 prefixlen rw 8 8 8 1-30,32
lo0/v4 private rw off -- off on,off
lo0/v4 reqhost r- -- -- -- --
lo0/v4 transmit rw on -- on on,off
lo0/v4 zone rw global -- global --
nge0/v4 broadcast r- 209.xxx.xxx.255 -- 209.xxx.xxx.255 --
nge0/v4 deprecated rw off -- off on,off
nge0/v4 prefixlen rw 25 25 24 1-30,32
nge0/v4 private rw on on off on,off
nge0/v4 reqhost r- -- -- -- --
nge0/v4 transmit rw on -- on on,off
nge0/v4 zone rw global -- global --
vnic0/inside broadcast r- 10.4.0.255 -- 10.255.255.255 --
vnic0/inside deprecated rw off -- off on,off
vnic0/inside prefixlen rw 24 24 8 1-30,32
vnic0/inside private rw off -- off on,off
vnic0/inside reqhost r- -- -- -- --
vnic0/inside transmit rw on -- on on,off
vnic0/inside zone rw global -- global --
tun0/v4 broadcast r- -- -- -- --
tun0/v4 deprecated rw off -- off on,off
tun0/v4 prefixlen rw -- -- -- --
tun0/v4 private rw off -- off on,off
tun0/v4 reqhost r- -- -- -- --
tun0/v4 transmit rw on -- on on,off
tun0/v4 zone rw global -- global --
# ipadm show-ifprop
IFNAME PROPERTY PROTO PERM CURRENT PERSISTENT DEFAULT POSSIBLE
nge0 arp ipv4 rw on -- on on,off
nge0 forwarding ipv4 rw off off off on,off
nge0 metric ipv4 rw 0 -- 0 --
nge0 mtu ipv4 rw 1500 -- 1500 68-1500
nge0 exchange_routes ipv4 rw on -- on on,off
nge0 usesrc ipv4 rw none -- none --
nge0 forwarding ipv6 rw off -- off on,off
nge0 metric ipv6 rw 0 -- 0 --
nge0 mtu ipv6 rw 1500 -- 1500 1280-1500
nge0 nud ipv6 rw on -- on on,off
nge0 exchange_routes ipv6 rw on -- on on,off
nge0 usesrc ipv6 rw none -- none --
nge0 group ip rw -- -- -- --
nge0 standby ip rw off -- off on,off
vnic0 arp ipv4 rw on -- on on,off
vnic0 forwarding ipv4 rw on on off on,off
vnic0 metric ipv4 rw 0 -- 0 --
vnic0 mtu ipv4 rw 1500 -- 1500 68-1500
vnic0 exchange_routes ipv4 rw on -- on on,off
vnic0 usesrc ipv4 rw none -- none --
vnic0 group ip rw -- -- -- --
vnic0 standby ip rw off -- off on,off
tun0 arp ipv4 rw off -- on on,off
tun0 forwarding ipv4 rw on on off on,off
tun0 metric ipv4 rw 0 -- 0 --
tun0 mtu ipv4 rw 1402 -- 1402 68-65515
tun0 exchange_routes ipv4 rw on -- on on,off
tun0 usesrc ipv4 rw none -- none --
tun0 group ip rw -- -- -- --
tun0 standby ip rw off -- off on,off
Edited by: user1233039 on Jun 20, 2012 9:18 AM -
We're using Solaris 8, 9 & 10. (Mainly version 9)
We need to connect to our DMZ servers via an IPSEC tunnel, but the solution seems to be unstable and does not work properly from a UNIX Solaris workstation.
Is there an IPSEC client that will allow secure stable access to manage Web servers? We need to be able to use X-base GUI over this tunnel.
Are you using a real IP-in-IP tunnel protected with IPsec? Or do you just want the IPsec protection? (Many vendors think all IPsec protection is a "tunnel", which is wrong.)
A few more details would be helpful here. And I'm sorry for not seeing this sooner.
Dan - Solaris IPsec developer -
Zfs core dumps in Solaris Zones after patchcluster installation
Hi
I've installed the recommended patch cluster for Solaris 10 (SPARC) on my T2000 Server.
Now after the reboot all the Solaris Zones (got about 10 of them) instantly do zfs core dumps when they're booted.
Some Output:
Dec 15 15:34:43 XXXXX genunix: NOTICE: core_log: zfs[1711] core dumped: /var/core/core_XXXXXX_zfs_0_0_1292423682_1711
bash-3.00# svcs
STATE STIME FMRI
online 13:58:50 svc:/system/svc/restarter:default
online 13:58:51 svc:/system/filesystem/root:default
online 13:58:51 svc:/network/loopback:default
online 13:58:53 svc:/network/pfil:default
online 13:58:54 svc:/system/installupdates:default
online 13:58:55 svc:/system/boot-archive:default
online 13:58:56 svc:/network/physical:default
online 13:58:57 svc:/system/filesystem/usr:default
online 13:58:57 svc:/system/identity:node
online 13:58:58 svc:/system/device/local:default
online 13:58:58 svc:/system/keymap:default
online 13:58:58 svc:/milestone/devices:default
online 13:58:58 svc:/system/filesystem/minimal:default
online 13:58:58 svc:/system/rmtmpfiles:default
online 13:58:58 svc:/system/cryptosvc:default
online 13:58:59 svc:/system/identity:domain
online 13:58:59 svc:/system/name-service-cache:default
online 13:58:59 svc:/system/coreadm:default
online 13:58:59 svc:/network/ipsec/ipsecalgs:default
online 13:58:59 svc:/application/print/ppd-cache-update:default
online 13:58:59 svc:/network/ipsec/policy:default
online 13:59:00 svc:/milestone/network:default
online 13:59:00 svc:/network/initial:default
online 13:59:00 svc:/system/manifest-import:default
online 13:59:00 svc:/network/service:default
online 13:59:00 svc:/milestone/single-user:default
online 13:59:00 svc:/network/dns/client:default
online 13:59:00 svc:/network/routing-setup:default
online 13:59:00 svc:/milestone/name-services:default
online 13:59:03 svc:/milestone/sysconfig:default
online 13:59:03 svc:/system/utmp:default
online 13:59:03 svc:/system/console-login:default
offline 13:58:51 svc:/system/sysidtool:net
offline 13:58:51 svc:/network/rpc/bind:default
offline 13:58:51 svc:/system/sysidtool:system
offline 13:58:52 svc:/network/nfs/status:default
offline 13:58:52 svc:/network/nfs/nlockmgr:default
offline 13:58:52 svc:/network/nfs/cbd:default
offline 13:58:52 svc:/network/nfs/mapid:default
offline 13:58:52 svc:/network/inetd:default
offline 13:58:52 svc:/network/nfs/client:default
offline 13:58:52 svc:/system/filesystem/autofs:default
offline 13:58:53 svc:/system/system-log:default
offline 13:58:53 svc:/network/smtp:sendmail
offline 13:58:53 svc:/system/cron:default
offline 13:58:53 svc:/milestone/multi-user:default
offline 13:58:54 svc:/application/management/snmpdx:default
offline 13:58:54 svc:/application/management/dmi:default
offline 13:58:54 svc:/application/management/seaport:default
offline 13:58:54 svc:/network/ssh:default
offline 13:58:54 svc:/milestone/multi-user-server:default
offline 13:58:54 svc:/application/font/fc-cache:default
offline 13:58:55 svc:/application/management/sma:default
offline 13:58:58 svc:/system/sac:default
offline 13:59:00 svc:/network/shares/group:default
offline 13:59:00 svc:/system/boot-archive-update:default
maintenance 15:34:43 svc:/system/filesystem/local:default
uninitialized 13:58:52 svc:/network/rpc/gss:default
uninitialized 13:58:54 svc:/application/font/stfsloader:default
uninitialized 13:58:55 svc:/network/rpc/rstat:default
uninitialized 13:58:55 svc:/application/print/rfc1179:default
uninitialized 13:58:55 svc:/application/x11/xfs:default
uninitialized 13:58:55 svc:/network/finger:default
uninitialized 13:58:55 svc:/network/ftp:default
uninitialized 13:58:56 svc:/network/login:rlogin
uninitialized 13:58:56 svc:/network/nfs/rquota:default
uninitialized 13:58:56 svc:/network/rpc/rusers:default
uninitialized 13:58:56 svc:/network/rpc/smserver:default
uninitialized 13:58:57 svc:/network/security/ktkt_warn:default
uninitialized 13:58:57 svc:/network/shell:default
uninitialized 13:58:57 svc:/network/telnet:default
uninitialized 13:58:58 svc:/network/rpc-100235_1/rpc_ticotsord:default
uninitialized 13:58:58 svc:/network/rpc/cde-calendar-manager:default
uninitialized 13:58:59 svc:/network/rpc/cde-ttdbserver:tcp
bash-3.00# svcs -x
svc:/system/filesystem/local:default (local file system mounts)
State: maintenance since Wed Dec 15 15:34:43 2010
Reason: Start method exited with $SMF_EXIT_ERR_FATAL.
See: http://sun.com/msg/SMF-8000-KS
See: /var/svc/log/system-filesystem-local:default.log
Impact: 24 dependent services are not running. (Use -v for list.)
svc:/network/rpc/gss:default (Generic Security Service)
State: uninitialized since Wed Dec 15 13:58:52 2010
Reason: Restarter svc:/network/inetd:default is not running.
See: http://sun.com/msg/SMF-8000-5H
See: gssd(1M)
Impact: 11 dependent services are not running. (Use -v for list.)
svc:/network/rpc/rstat:default (kernel statistics server)
State: uninitialized since Wed Dec 15 13:58:55 2010
Reason: Restarter svc:/network/inetd:default is not running.
See: http://sun.com/msg/SMF-8000-5H
See: rpc.rstatd(1M)
See: rstatd(1M)
Impact: 1 dependent service is not running. (Use -v for list.)
bash-3.00# cat /var/svc/log/system-filesystem-local:default.log
[ Jul 10 03:41:35 Enabled. ]
[ Jul 10 03:43:45 Rereading configuration. ]
[ Jul 10 03:44:17 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 10 03:44:18 Method "start" exited with status 0 ]
[ Jul 10 12:44:36 Enabled. ]
[ Jul 10 12:44:45 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 10 12:44:45 Method "start" exited with status 0 ]
[ Jul 10 12:45:03 Enabled. ]
[ Jul 10 12:45:09 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 10 12:45:09 Method "start" exited with status 0 ]
[ Jul 10 13:54:39 Enabled. ]
[ Jul 10 13:54:46 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 10 13:54:46 Method "start" exited with status 0 ]
[ Jul 18 12:34:19 Enabled. ]
[ Jul 18 12:34:27 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 18 12:34:27 Method "start" exited with status 0 ]
[ Jul 18 17:29:08 Enabled. ]
[ Jul 18 17:29:15 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 18 17:29:15 Method "start" exited with status 0 ]
[ Jul 19 11:13:34 Enabled. ]
[ Jul 19 11:13:42 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 19 11:13:42 Method "start" exited with status 0 ]
[ Jul 19 11:32:23 Enabled. ]
[ Jul 19 11:32:30 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 19 11:32:31 Method "start" exited with status 0 ]
[ Jul 19 11:57:06 Enabled. ]
[ Jul 19 11:57:13 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 19 11:57:13 Method "start" exited with status 0 ]
[ Jul 19 12:40:05 Enabled. ]
[ Jul 19 12:40:12 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 19 12:40:12 Method "start" exited with status 0 ]
[ Jul 20 15:51:46 Enabled. ]
[ Jul 20 15:51:54 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 20 15:51:54 Method "start" exited with status 0 ]
[ Jul 24 11:42:17 Enabled. ]
[ Jul 24 11:42:25 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 24 11:42:25 Method "start" exited with status 0 ]
[ Jul 27 12:05:06 Stopping because service disabled. ]
[ Jul 27 12:05:07 Executing stop method (null) ]
[ Jul 27 12:13:10 Enabled. ]
[ Jul 27 12:13:17 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 27 12:13:17 Method "start" exited with status 0 ]
[ Jul 27 13:10:26 Stopping because service disabled. ]
[ Jul 27 13:10:26 Executing stop method (null) ]
[ Jul 27 13:18:19 Enabled. ]
[ Jul 27 13:18:26 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 27 13:18:26 Method "start" exited with status 0 ]
[ Jul 31 10:12:31 Enabled. ]
[ Jul 31 10:12:38 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jul 31 10:12:39 Method "start" exited with status 0 ]
[ Aug 7 10:08:52 Stopping because service disabled. ]
[ Aug 7 10:08:52 Executing stop method (null) ]
[ Aug 7 10:34:50 Enabled. ]
[ Aug 7 10:34:57 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 7 10:34:58 Method "start" exited with status 0 ]
[ Aug 9 09:14:50 Stopping because service disabled. ]
[ Aug 9 09:14:50 Executing stop method (null) ]
[ Aug 9 09:55:03 Enabled. ]
[ Aug 9 09:55:10 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 9 09:55:11 Method "start" exited with status 0 ]
[ Aug 16 10:46:43 Enabled. ]
[ Aug 16 10:46:50 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 16 10:46:50 Method "start" exited with status 0 ]
[ Aug 16 12:06:56 Enabled. ]
[ Aug 16 12:07:02 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 16 12:07:02 Method "start" exited with status 0 ]
[ Aug 16 13:45:10 Enabled. ]
[ Aug 16 13:45:16 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 16 13:45:16 Method "start" exited with status 0 ]
[ Aug 16 14:36:59 Enabled. ]
[ Aug 16 14:37:07 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 16 14:37:07 Method "start" exited with status 0 ]
[ Aug 16 15:00:40 Enabled. ]
[ Aug 16 15:00:47 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 16 15:00:47 Method "start" exited with status 0 ]
[ Aug 22 16:00:13 Enabled. ]
[ Aug 22 16:00:21 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 22 16:00:21 Method "start" exited with status 0 ]
[ Aug 23 09:49:04 Enabled. ]
[ Aug 23 09:49:10 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 23 09:49:11 Method "start" exited with status 0 ]
[ Aug 23 09:49:23 Stopping because service disabled. ]
[ Aug 23 09:49:23 Executing stop method (null) ]
[ Aug 23 10:04:13 Enabled. ]
[ Aug 23 10:04:20 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 23 10:04:20 Method "start" exited with status 0 ]
[ Aug 23 10:06:57 Enabled. ]
[ Aug 23 10:07:04 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 23 10:07:05 Method "start" exited with status 0 ]
[ Oct 23 08:43:05 Enabled. ]
[ Oct 23 08:43:14 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Oct 23 08:43:14 Method "start" exited with status 0 ]
[ Nov 21 14:51:50 Enabled. ]
[ Nov 21 14:51:58 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Nov 21 14:51:59 Method "start" exited with status 0 ]
[ Nov 29 15:33:19 Enabled. ]
[ Nov 29 15:33:26 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Nov 29 15:33:27 Method "start" exited with status 0 ]
[ Dec 18 13:37:35 Enabled. ]
[ Dec 18 13:37:42 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Dec 18 13:37:42 Method "start" exited with status 0 ]
[ Dec 19 08:48:07 Enabled. ]
[ Dec 19 08:48:14 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Dec 19 08:48:14 Method "start" exited with status 0 ]
[ Dec 19 08:56:07 Enabled. ]
[ Dec 19 08:56:14 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Dec 19 08:56:14 Method "start" exited with status 0 ]
[ Dec 19 08:57:41 Enabled. ]
[ Dec 19 08:57:48 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Dec 19 08:57:48 Method "start" exited with status 0 ]
[ Feb 1 10:39:48 Enabled. ]
[ Feb 1 10:39:55 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Feb 1 10:39:56 Method "start" exited with status 0 ]
[ Feb 8 11:12:50 Enabled. ]
[ Feb 8 11:12:57 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Feb 8 11:12:57 Method "start" exited with status 0 ]
[ Jun 6 10:08:34 Enabled. ]
[ Jun 6 10:08:44 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Jun 6 10:08:46 Method "start" exited with status 0 ]
[ Aug 8 09:45:48 Enabled. ]
[ Aug 8 09:46:35 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 8 09:46:36 Method "start" exited with status 0 ]
[ Aug 14 17:53:59 Enabled. ]
[ Aug 14 17:54:06 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 14 17:54:06 Method "start" exited with status 0 ]
[ Aug 14 17:55:20 Enabled. ]
[ Aug 14 17:55:27 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 14 17:55:27 Method "start" exited with status 0 ]
[ Aug 18 15:19:17 Enabled. ]
[ Aug 18 15:19:24 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 18 15:19:24 Method "start" exited with status 0 ]
[ Aug 29 12:56:48 Enabled. ]
[ Aug 29 12:56:55 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 29 12:56:55 Method "start" exited with status 0 ]
[ Oct 13 11:59:43 Enabled. ]
[ Oct 13 11:59:50 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Oct 13 11:59:51 Method "start" exited with status 0 ]
[ Feb 26 16:47:00 Enabled. ]
[ Feb 26 16:47:07 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Feb 26 16:47:07 Method "start" exited with status 0 ]
[ Apr 14 15:54:17 Enabled. ]
[ Apr 14 15:54:24 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Apr 14 15:54:25 Method "start" exited with status 0 ]
[ Aug 28 08:49:58 Stopping because service disabled. ]
[ Aug 28 08:49:58 Executing stop method (null) ]
[ Aug 28 08:52:54 Enabled. ]
[ Aug 28 08:53:01 Executing start method ("/lib/svc/method/fs-local") ]
bootadm: this operation is not supported on sparc
[ Aug 28 08:53:01 Method "start" exited with status 0 ]
[ Aug 28 09:08:20 Stopping because service disabled. ]
[ Aug 28 09:08:20 Executing stop method (null) ]
[ Sep 1 16:05:36 Enabled. ]
[ Sep 1 16:06:05 Executing start method ("/lib/svc/method/fs-local") ]
[ Sep 1 16:06:05 Method "start" exited with status 0 ]
[ Sep 1 19:29:19 Enabled. ]
[ Sep 1 19:29:27 Executing start method ("/lib/svc/method/fs-local") ]
[ Sep 1 19:29:27 Method "start" exited with status 0 ]
[ Sep 1 23:04:00 Enabled. ]
[ Sep 1 23:04:08 Executing start method ("/lib/svc/method/fs-local") ]
[ Sep 1 23:04:08 Method "start" exited with status 0 ]
[ Sep 2 00:23:41 Stopping because service disabled. ]
[ Sep 2 00:23:42 Executing stop method (null) ]
[ Sep 2 00:46:46 Enabled. ]
[ Sep 2 00:46:53 Executing start method ("/lib/svc/method/fs-local") ]
[ Sep 2 00:46:54 Method "start" exited with status 0 ]
[ Sep 26 12:04:34 Enabled. ]
[ Sep 26 12:04:41 Executing start method ("/lib/svc/method/fs-local") ]
[ Sep 26 12:04:42 Method "start" exited with status 0 ]
[ Oct 20 13:05:09 Stopping because service disabled. ]
[ Oct 20 13:05:10 Executing stop method (null) ]
[ Oct 20 13:24:01 Enabled. ]
[ Oct 20 13:24:08 Executing start method ("/lib/svc/method/fs-local") ]
[ Oct 20 13:24:09 Method "start" exited with status 0 ]
[ Oct 21 16:30:59 Enabled. ]
[ Oct 21 16:31:09 Executing start method ("/lib/svc/method/fs-local") ]
[ Oct 21 16:31:09 Method "start" exited with status 0 ]
[ Oct 21 16:32:42 Stopping because service disabled. ]
[ Oct 21 16:32:42 Executing stop method (null) ]
[ Oct 21 16:42:05 Enabled. ]
[ Oct 21 16:42:15 Executing start method ("/lib/svc/method/fs-local") ]
[ Oct 21 16:42:15 Method "start" exited with status 0 ]
[ Oct 21 17:27:37 Enabled. ]
[ Oct 21 17:27:47 Executing start method ("/lib/svc/method/fs-local") ]
[ Oct 21 17:27:47 Method "start" exited with status 0 ]
[ Oct 22 11:08:34 Enabled. ]
[ Oct 22 11:08:43 Executing start method ("/lib/svc/method/fs-local") ]
[ Oct 22 11:08:43 Method "start" exited with status 0 ]
[ Dec 9 09:17:33 Stopping because service disabled. ]
[ Dec 9 09:17:33 Executing stop method (null) ]
[ Dec 10 11:47:14 Enabled. ]
[ Dec 10 11:47:24 Executing start method ("/lib/svc/method/fs-local") ]
[ Dec 10 11:47:25 Method "start" exited with status 0 ]
[ Dec 15 10:52:25 Stopping because service disabled. ]
[ Dec 15 10:52:25 Executing stop method (null) ]
[ Dec 15 12:42:16 Enabled. ]
[ Dec 15 12:42:26 Executing start method ("/lib/svc/method/fs-local") ]
Abort - core dumped
WARNING: /usr/sbin/zfs mount -a failed: exit status 134
[ Dec 15 12:42:28 Method "start" exited with status 95 ]
[ Dec 15 13:13:19 Enabled. ]
[ Dec 15 13:13:28 Executing start method ("/lib/svc/method/fs-local") ]
Abort - core dumped
WARNING: /usr/sbin/zfs mount -a failed: exit status 134
[ Dec 15 13:13:30 Method "start" exited with status 95 ]
[ Dec 15 13:58:51 Enabled. ]
[ Dec 15 13:59:00 Executing start method ("/lib/svc/method/fs-local") ]
Abort - core dumped
WARNING: /usr/sbin/zfs mount -a failed: exit status 134
[ Dec 15 13:59:03 Method "start" exited with status 95 ]
[ Dec 15 15:34:41 Leaving maintenance because clear requested. ]
[ Dec 15 15:34:41 Enabled. ]
[ Dec 15 15:34:41 Executing start method ("/lib/svc/method/fs-local") ]
Abort - core dumped
WARNING: /usr/sbin/zfs mount -a failed: exit status 134
[ Dec 15 15:34:43 Method "start" exited with status 95 ]
bash-3.00# /usr/sbin/zfs mount -a
internal error: Unknown error
Abort (core dumped)
Before that I installed the patch cluster with halted Solaris zones, which produced the following output:
Application of patches finished : 2010.12.15 12:08:43
Following patches were applied :
119254-77 119812-10 125719-31 140159-03 142911-01
141588-04 119900-11 125731-05 142292-01 142933-02
142251-02 119906-16 126206-05 141444-09 142909-17
118666-28 120460-17 126363-08 141500-07 143140-04
118667-28 121012-03 126365-16 141502-02 143502-01
118777-16 121308-20 126868-04 141506-09 143506-01
140860-02 122212-40 127724-02 141514-02 143615-02
119059-56 122261-03 136998-09 141518-12 143731-01
119213-23 122675-05 137000-07 141552-03 143733-01
124628-10 123003-04 137080-05 141558-01 143977-01
119252-29 123590-12 137147-06 141586-01 144053-04
119280-23 123893-22 138195-04 141590-02 144106-01
124188-03 124393-11 138822-07 141874-09 144254-01
120199-15 124457-02 138826-07 141876-07 144488-04
119534-19 124630-42 138880-02 142084-04 144492-01
120272-28 125215-03 139099-04 142397-01 145124-01
119757-18 125388-03 139620-01 142529-01 145796-01
119783-15 125555-07
Following patches were skipped :
Patches already applied
120900-04 119063-01 119810-05 123005-07 137093-01
121133-02 119081-25 119986-03 124444-01 138866-03
119317-01 119130-33 120061-02 124939-03 137137-09
121296-01 123611-04 120201-05 124943-01 137871-02
138215-01 140899-01 120292-02 124997-01 138181-01
127884-01 122640-05 120329-02 125279-05 138361-01
118712-23 126897-02 121975-01 125539-06 138373-02
118918-24 127755-01 120719-02 125891-01 138647-01
138217-01 125503-02 120830-06 126440-01 141016-01
119578-30 125547-02 121095-02 126540-02 139555-08
121453-02 140796-01 121606-04 127127-11 139967-01
121453-02 120011-14 124171-07 136882-02 140455-01
121118-16 139520-02 123630-03 137032-01 140563-01
118833-36 119764-06
Patches obsoleted by one or more patches already applied
118731-01 124204-04 122660-10
Patches not applicable to packages on the system
121181-03 120410-33 121211-02 125533-15 143317-03
119115-35 120412-11 122259-03 125541-06 143510-01
119117-52 120414-27 122470-03 125952-20 143725-01
119315-19 120543-21 122911-24 137004-08 143727-01
119548-14 120739-06 122958-06 138387-01 143739-01
119903-02 120811-09 123938-02 138824-07 144325-01
120094-30 120849-04 125136-24 138876-01 145006-02
120185-21 121104-11 125137-24 139986-01 145080-01
119368-04 121136-02 125332-14 142244-02 145200-01
120286-03
Installation of patch set complete. PLEASE REBOOT THE SYSTEM.
When I tried to reboot the system by init 6 the service iscsi hung and produced syslog errors about an unknown iocall -> killed the process. System rebooted w/o errors.
Does anyone have an idea how to find out which patch or whatever produces these errors?
Hi,
I'm having the same issue of diskmon core dumps after upgrading grid and database from 11.2.0.1 to 11.2.0.2 on Solaris 10 x86-64. Following this thread, I'm trying to deinstall the Oracle 11.2.0.1 grid home.
I answered the following questions asked by the grid deinstall tool:
1. ASM configuration was not detected in this Oracle home. Was ASM configured in this Oracle home (y|n): y
2. Specify the ASM Diagnostic Destination: /db01/app/oracle/diag/asm/+ASM
3. Specify the diskgroups that are managed by this ASM instance: DATA FRA
4. De-configuring ASM will drop all the diskgroups at cleanup time. Do you want deconfig tool to drop the diskgroups:
If I answer no to question 1, the tool exits with error.
How do I answer question #4? (confused about this question of dropping diskgroups, it's already been upgraded)
Deinstall of Oracle db Home 11.2.0.1 was successful.
The +ASM instance has been upgraded and is running fine under 11.2.0.2 except for the excessive diskmon core dumps.
Thanks,
Lisa
-
Solaris 10 05/09 Update 7 - Zone shutdown issue
I have just clean installed several servers with Solaris 10 update 7 (both sparc and x64, no other software installed) and I am getting the following svc error messages whenever I shut down a zone.
Aug 19 18:26:22 svc.startd[25328]: svc:/network/ipsec/policy:default: Method "/usr/sbin/ipsecconf -F" failed with exit status 1.
Aug 19 18:26:22 svc.startd[25328]: svc:/network/ipsec/policy:default: Method "/usr/sbin/ipsecconf -F" failed with exit status 1.
Aug 19 18:26:22 svc.startd[25328]: svc:/network/ipsec/policy:default: Method "/usr/sbin/ipsecconf -F" failed with exit status 1.
Aug 19 18:26:23 svc.startd[25328]: network/ipsec/policy:default failed: transitioned to maintenance (see 'svcs -xv' for details)
The log file for svc:/network/ipsec/policy:default shows the following error.
[ Aug 19 18:26:22 Stopping because service disabled. ]
[ Aug 19 18:26:22 Executing stop method ("/usr/sbin/ipsecconf -F") ]
ipsecconf: (loading pf_policy) socket:: Permission denied
ipsecconf: unable to open policy socket: Permission denied
[ Aug 19 18:26:22 Method "stop" exited with status 1 ]
The errors occur in both sparse and whole root zones with a shared ip-type (does not occur in exclusive ip-type). The zonecfg is shown below.
set zonepath=/export/zones/rdo23wok
set autoboot=false
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=xxx.xxx.xxx.xxx/xx
set physical=bge0
end
Looking at the release notes for 05/09 update 7 it mentions that "IP security (IPsec) is now managed by the following Solaris Management Facility (SMF) services" which seems to fit with the error I am getting.
Although I can prevent the error messages by disabling the service in each zone with svcadm, it is a bit annoying and I would like to have a better solution. Does anyone know how I can prevent this service from being enabled when I create a new zone?
Thanks
Jools
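The two service logs quoted in the posts above (the fs-local start failures with status 95 and the ipsec/policy stop failure with status 1) share one format, so a single filter can pull only the failed method runs out of a long log. This is an added example, not part of the original posts: the function names `smf_failed_methods` and `sample_log` are made up here, and the sample log is assembled from lines quoted in the thread.

```shell
#!/bin/sh
# Added example: list only the failed method runs in an SMF service log.
# Output, one line per failure:
#   timestamp|method|exit status|label|command|captured method output

smf_failed_methods() {
    awk '
    # Lines in "[ ... ]" are written by svc.startd. Some forum pastes wrap
    # them in "+" markers, so an optional "+" is tolerated on both ends.
    /^[+]?\[ .* \][+]?$/ {
        line = $0
        sub(/^[+]?\[ /, "", line)
        sub(/ \][+]?$/, "", line)
        n = split(line, w, " ")      # w[1..3] = month, day, time

        if (w[4] == "Executing") {
            # Start of a method run: remember the command, reset the buffer.
            cmd = ""; out = ""; running = 1
            if (match(line, /\(.*\)$/)) {
                cmd = substr(line, RSTART + 1, RLENGTH - 2)
                gsub(/"/, "", cmd)
            }
        } else if (w[4] == "Method" && w[n - 1] == "status") {
            # End of a method run: report it when the exit status is non-zero.
            if (!running) { cmd = ""; out = "" }
            name = w[5]; gsub(/"/, "", name)
            status = w[n] + 0
            label = "other"
            if (status == 95) label = "SMF_EXIT_ERR_FATAL"
            if (status == 96) label = "SMF_EXIT_ERR_CONFIG"
            if (status != 0)
                printf "%s %s %s|%s|%d|%s|%s|%s\n", \
                    w[1], w[2], w[3], name, status, label, cmd, out
            running = 0
        } else {
            # Enabled, Stopping, Rereading configuration, and so on.
            running = 0
        }
        next
    }
    # Anything else between "Executing" and "exited" is the method output.
    running && NF { out = (out == "" ? $0 : out "; " $0) }
    '
}

# Sample input assembled for this example from lines quoted in the thread.
sample_log() {
    cat <<'EOF'
[ Dec  9 09:17:33 Stopping because service disabled. ]
[ Dec  9 09:17:33 Executing stop method (null) ]
[ Dec 10 11:47:14 Enabled. ]
[ Dec 10 11:47:24 Executing start method ("/lib/svc/method/fs-local") ]
[ Dec 10 11:47:25 Method "start" exited with status 0 ]
[ Dec 15 12:42:16 Enabled. ]
[ Dec 15 12:42:26 Executing start method ("/lib/svc/method/fs-local") ]
Abort - core dumped
WARNING: /usr/sbin/zfs mount -a failed: exit status 134
[ Dec 15 12:42:28 Method "start" exited with status 95 ]
+[ Aug 19 18:26:22 Stopping because service disabled. ]+
+[ Aug 19 18:26:22 Executing stop method ("/usr/sbin/ipsecconf -F") ]+
ipsecconf: unable to open policy socket: Permission denied
+[ Aug 19 18:26:22 Method "stop" exited with status 1 ]+
EOF
}

sample_log | smf_failed_methods
```

On a real host the input would be a file such as `/var/svc/log/system-filesystem-local:default.log`. On Solaris 10 itself, substitute `nawk` or `/usr/xpg4/bin/awk` for `awk`, since the legacy `/usr/bin/awk` lacks `sub()` and `match()`.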
-
Solaris 10 x86 and Nortel VPN?
Is it possible to connect to Nortel VPN (using IPSEC implementation provided in Solaris 10) ?
Nortel doesn't provide client software for Unix/Linux
but is it possible to connect from Solaris 10, using its IPSEC facilities?
Nortel VPN authentication parameters include: group id, group password, user id and auth.code (password)
Did you ever have any luck with this?
-
Solaris 10 VPN server/gateway setup
Hi all,
I have a V20z running Solaris 10 at home, and I would like to set it up as a VPN server. The Solaris 10 is behind a router with a reserved private IP assigned by DHCP and port forwarding set up for only SSH at the moment. The router has a static external IP.
I'm not exactly sure what the terms are for what I'm trying to do, but this is basically it:
When I am out of town or overseas, I want to be able to connect from my laptop running OS X or Linux to my Solaris 10 server at home, and have the S10 server act as a proxy(?) (gateway?) for all the traffic from my laptop; for example, if I was in a place where nytimes.com was blocked and wanted to be able to browse from my laptop by having the Solaris 10 server proxy (transparently) my requests and forward the responses back to me. I hope I'm explaining this ok...
I have searched a lot online for how to do this, and I have found a lot of info, but nothing that really ties it all together. I'm pretty comfortable working in the shell and doing config stuff, but it would be a huge help if anyone could explain all the pieces I need to snap together to get this working.
These are my questions:
1. What is what I have described called? Just "VPN" or "VPN router," or "VPN gateway"?
2. What software do I need on my Solaris 10 server to do this?
A lot of what I read pointed me to OpenVPN, but I am not clear if OpenVPN alone would enable me to use the public web via the VPN.
If not, then what would I need to have on the server to enable incoming requests over the VPN connection to be rerouted to the public internet?
3. I'm sure I can figure this out if I can just get the server VPN working, but if anyone happens to know, I'd appreciate it:
Built into OS X Networking Prefs I have the ability to add a VPN interface of either of these 2 types:
"PPTP"
"L2TP over IPsec"
From what I have read so far, it seems like IPsec is likely the only reasonable choice, but the option of "L2TP over IPsec" confuses me since I haven't read that they are required to be used together.
Will this option work for connecting to my Solaris VPN server or will I need a 3rd-party app?
Any guidance would be a tremendous help.
Thanks guys!
Jamie
Mobile IP???
Assuming that you had the right security in place you could have the "Home" box export its display back to the "Roving" box and then just run a web browser over X. Something like SSH with X forwarding.
alan -
Getting SunScreen work in Solaris 9
Hi all,
I installed Sunscreen in Solaris 9 from the CD, path
/cdrom/sol_9_1202_sparc_2/Solaris_9/ExtraValue/CoBundled/SunScreen_3.2/sparc
Now I am trying:
root# ssadm edit policyname
could not acquire read lock.
From sun docs:
"""""" could not acquire read lock
Return code: 242
Indicates that the configuration editor could not acquire a read lock.
Likely the lock file is corrupt or some process is hanging.
ss_lock -c policy is likely to be needed. """"""
Then I try root# ss_lock -c
ss_lock: Command not found.
root# locate ss_lock
Nothing comes.
Does anyone have an idea how I can configure it?
Thanks in advance ...
Below are the interesting outputs from the command locate sunscreen:
/dev/screen
/dev/screen_ipsec
/dev/screen_skip
/devices/pseudo/clone@0:screen
/devices/pseudo/clone@0:screen_ipsec
/devices/pseudo/clone@0:screen_skip
/etc/init.d/plumbsunscreen
/etc/init.d/plumbsunscreen2
/etc/init.d/sunscreen
/etc/init.d/sunscreenft
/etc/init.d/sunscreentr.sh
/etc/rc?.d/ (startup scripts here)
/etc/sunscreen
/etc/sunscreen/configs
/etc/sunscreen/configs/template.policy
/etc/sunscreen/configs/template.registry
/etc/sunscreen/httpd (and subfiles)
/etc/sunscreen/ike/crls
/etc/sunscreen/ike/publickeys
/etc/sunscreen/ipsec.algorithms
/etc/sunscreen/location
/etc/sunscreen/name
/etc/sunscreen/proxies
/etc/sunscreen/secret
/etc/sunscreen/secret/ike.privatekeys
/etc/sunscreen/tmpcerts
/etc/sunscreen/version.txt
/usr/lib/sunscreen (and subdirs)
/usr/lib/sunscreen/etc
/usr/lib/sunscreen/lib
/usr/lib/sunscreen/ssadm
/usr/lib/sunscreen/ssadm/activate
/usr/lib/sunscreen/ssadm/active
/usr/lib/sunscreen/ssadm/algorithm
/usr/lib/sunscreen/ssadm/backup
/usr/lib/sunscreen/ssadm/certdb
/usr/lib/sunscreen/ssadm/certlocal
/usr/lib/sunscreen/ssadm/certrldb
/usr/lib/sunscreen/ssadm/cmg
/usr/lib/sunscreen/ssadm/configure
/usr/lib/sunscreen/ssadm/configure_ts
/usr/lib/sunscreen/ssadm/debug_level
/usr/lib/sunscreen/ssadm/domain
/usr/lib/sunscreen/ssadm/edit
/usr/lib/sunscreen/ssadm/filter
/usr/lib/sunscreen/ssadm/ha
/usr/lib/sunscreen/ssadm/lock
/usr/lib/sunscreen/ssadm/log
/usr/lib/sunscreen/ssadm/logdump
/usr/lib/sunscreen/ssadm/logmacro
/usr/lib/sunscreen/ssadm/logstats
/usr/lib/sunscreen/ssadm/patch
/usr/lib/sunscreen/ssadm/policy
/usr/lib/sunscreen/ssadm/product
/usr/lib/sunscreen/ssadm/restore
/usr/lib/sunscreen/ssadm/skip
/usr/lib/sunscreen/ssadm/spf2efs
/usr/lib/sunscreen/ssadm/sys_info
/usr/lib/sunscreen/ssadm/traffic_stats
/usr/lib/sunscreen/ssadm/welfmt
/usr/lib/sunscreen/support/ (and subdirs)