2821, IOS content filter-BUG? HTTP CORE process eating router alive

The HTTP CORE process in an IOS router is causing a network outage. It's a 2821, zone based firewall with IOS content filter. The IOS content filter was working fine for the last month; all of a sudden today it is malfunctioning. Network is waving on and off with CPU being hogged. Tried reboot and problem returns. Any advice out there?
IOS versions below
CPU utilization for five seconds: 99%/0%; one minute: 99%; five minutes: 99%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
141 2228956 11329 196747 99.20% 99.29% 99.02% 0 HTTP CORE
4 3428 294 11659 0.39% 0.09% 0.10% 0 Check heaps
210 8 14040 0 0.07% 0.00% 0.00% 0 Atheros LED Ctro
c2800nm-advsecurityk9-mz.124-22.T.bin
#sh ip trm sub status
Package Name: Security & Productivity
Status: No subscription information available.
Status Update Time: N/A
Expiration-Date: N/A
Last Req Status: Waiting for response
Last Req Sent Time: 22:02:38 CST Sat Jan 24 2009
sh ip trm ?
config TRM config
subscription Trend Subscription information
#sh ip trm config
Server: trps.trendmicro.com ( Default *)
HTTPS Port: 443
HTTP Port: 80
Status: Active
11111 11111 11111
999999900000999999999999999999990000099999999990000099999999
999999900000999999999999999999990000099999999990000099999999
100 ************************************************************
90 ************************************************************
80 ************************************************************
70 ************************************************************
60 ************************************************************
50 ************************************************************
40 ************************************************************
30 ************************************************************
20 ************************************************************
10 ************************************************************
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per second (last 60 seconds)
11111111111 11 11111111111111 11 11
0000000000090090000000000000099009900 5
0000000000090090000000000000099009900355215223
100 ####################################*
90 #####################################
80 #####################################
70 #####################################
60 #####################################
50 ##################################### *
40 ##################################### *
30 ##################################### *
20 ##################################### *
10 ##################################### ** * #
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%

Try moving to 12.4(20)T2 like me
Some issues have been corrected like object-groups for acls.
I noticed all has not been solved, but it is quite better.
On 12.4(22)T, I had memory fragmentation and overflow when I was issuing a lot of acl and object groups commands

Similar Messages

  • Really Slow web surfing through ZBF with IOS Content filter

    Edited: attached partial output of "sh policy-map type inspect zone-pair urlfilter"   
    Hey, all
    We have a 1921 router with an IOS Content filter subscription and it is also configured as ZBF running latest IOS v15.1. End users keep complaining about slow web surfing. I connected to the network and tested myself and found an intermittent surfing experience.
    For example, access to www.ibm.com or www.cnn.com hangs 7 times of 10 attempts and maybe only loads reasonably quick in 1-2 times of the 3. This also affects the speed of download from websites.
    I have the case opened with Cisco TAC and a CCIE checked my configuration but nothing caught his eye...
    I decided to post the issue here in case we both missed something:
    Current configuration : 18977 bytes
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname abc_1921
    boot-start-marker
    boot system flash:/c1900-universalk9-mz.SPA.151-4.M4.bin
    boot-end-marker
    aaa new-model
    aaa authentication login default local
    aaa authentication login NONE_LOGIN none
    aaa authorization exec default local
    aaa session-id common
    clock timezone AST -4 0
    clock summer-time ADT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
    no ipv6 cef
    ip source-route
    ip auth-proxy max-login-attempts 5
    ip admission max-login-attempts 5
    ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.9
    ip dhcp excluded-address 192.168.1.111 192.168.1.254
    ip dhcp pool DHCPPOOL
    import all
    network 192.168.1.0 255.255.255.0
    domain-name abc.local
    dns-server 192.168.10.200 192.168.10.202
    netbios-name-server 4.2.2.4
    default-router 192.168.1.150
    option 202 ip 192.168.1.218
    lease 8
    ip domain name abc.locol
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip port-map user-port-1 port tcp 5080
    ip port-map user-port-2 port tcp 3389
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect global
    log dropped-packets enable
    parameter-map type urlfpolicy trend cprepdenyregex0
    allow-mode on
    block-page message "The website you have accessed is blocked as per corporate policy"
    parameter-map type urlf-glob cpaddbnwlocparapermit2
    pattern www.alc.ca
    pattern www.espn.com
    pattern www.bestcarriers.com
    pattern www.gulfpacificseafood.com
    pattern www.lafermeblackriver.ca
    pattern 69.156.240.29
    pattern www.tyson.com
    pattern www.citybrewery.com
    pattern www.canadianbusinessdirectory.ca
    pattern www.homedepot.ca
    pattern ai.fmcsa.dot.gov
    pattern www.mtq.gouv.qc.ca
    pattern licenseinfo.oregon.gov
    pattern www.summitfoods.com
    pattern www.marine-atlantic.ca
    pattern www.larway.com
    pattern www.rtlmotor.ca
    pattern *.abc.com
    pattern *.kijiji.ca
    pattern *.linkedin.com
    pattern *.skype.com
    pattern toronto.bluejays.mlb.com
    pattern *.gstatic.com
    parameter-map type urlf-glob cpaddbnwlocparadeny3
    pattern www.facebook.com
    pattern www.radiofreecolorado.net
    pattern facebook.com
    pattern worldofwarcraft.com
    pattern identityunknown.net
    pattern static.break.com
    pattern lyris01.media.com
    pattern www.saltofreight.com
    pattern reality-check.com
    pattern reality-check.ca
    parameter-map type ooo global
    tcp reassembly timeout 5
    tcp reassembly queue length 128
    tcp reassembly memory limit 8192
    parameter-map type trend-global global-param-map
    cache-size maximum-memory 5000
    crypto pki token default removal timeout 0
    crypto pki trustpoint Equifax_Secure_CA
    revocation-check none
    crypto pki trustpoint NetworkSolutions_CA
    revocation-check none
    crypto pki trustpoint trps1_server
    revocation-check none
    crypto pki trustpoint TP-self-signed-3538579429
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3538579429
    revocation-check none
    rsakeypair TP-self-signed-3538579429
    !! CERTIFICATE OMITED !!
    redundancy
    ip ssh version 2
    class-map type inspect match-any INCOMING_VPN_TRAFFIC_MAP
    match access-group name REMOTE_SITE_SUBNET
    class-map type inspect match-all PPTP_GRE_INSPECT_MAP
    match access-group name ALLOW_GRE
    class-map type inspect match-all INSPECT_SKINNY_MAP
    match protocol skinny
    class-map type inspect match-all INVALID_SOURCE_MAP
    match access-group name INVALID_SOURCE
    class-map type inspect match-all ALLOW_PING_MAP
    match protocol icmp
    class-map type urlfilter match-any cpaddbnwlocclasspermit2
    match  server-domain urlf-glob cpaddbnwlocparapermit2
    class-map type urlfilter match-any cpaddbnwlocclassdeny3
    match  server-domain urlf-glob cpaddbnwlocparadeny3
    class-map type urlfilter trend match-any cpcatdenyclass2
    class-map type inspect match-all cpinspectclass1
    match protocol http
    class-map type inspect match-any CUSTOMIZED_PROTOCOL_216
    match protocol citriximaclient
    match protocol ica
    match protocol http
    match protocol https
    class-map type inspect match-any INSPECT_SIP_MAP
    match protocol sip
    class-map type urlfilter trend match-any cptrendclasscatdeny1
    match  url category Abortion
    match  url category Activist-Groups
    match  url category Adult-Mature-Content
    match  url category Chat-Instant-Messaging
    match  url category Cult-Occult
    match  url category Cultural-Institutions
    match  url category Gambling
    match  url category Games
    match  url category Illegal-Drugs
    match  url category Illegal-Questionable
    match  url category Internet-Radio-and-TV
    match  url category Joke-Programs
    match  url category Military
    match  url category Nudity
    match  url category Pay-to-surf
    match  url category Peer-to-Peer
    match  url category Personals-Dating
    match  url category Pornography
    match  url category Proxy-Avoidance
    match  url category Sex-education
    match  url category Social-Networking
    match  url category Spam
    match  url category Tasteless
    match  url category Violence-hate-racism
    class-map type inspect match-any INSPECT_PROTOCOLS_MAP
    match protocol pptp
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    match protocol icmp
    class-map type urlfilter trend match-any cptrendclassrepdeny1
    match  url reputation ADWARE
    match  url reputation DIALER
    match  url reputation DISEASE-VECTOR
    match  url reputation HACKING
    match  url reputation PASSWORD-CRACKING-APPLICATIONS
    match  url reputation PHISHING
    match  url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match  url reputation SPYWARE
    match  url reputation VIRUS-ACCOMPLICE
    class-map type inspect match-all CUSTOMIZED_NAT_MAP_1
    match access-group name CUSTOMIZED_NAT_1
    match protocol user-port-1
    class-map type inspect match-all CUSTOMIZED_NAT_MAP_2
    match access-group name CUSTOMIZED_NAT_2
    match protocol user-port-2
    class-map type inspect match-any INSPECT_H323_MAP
    match protocol h323
    match protocol h323-nxg
    match protocol h323-annexe
    class-map type inspect match-all INSPECT_H225_MAP
    match protocol h225ras
    class-map type inspect match-all CUSTOMIZED_216_MAP
    match class-map CUSTOMIZED_PROTOCOL_216
    match access-group name CUSTOMIZED_NAT_216
    policy-map type inspect OUT-IN-INSPECT-POLICY
    class type inspect INCOMING_VPN_TRAFFIC_MAP
      inspect
    class type inspect PPTP_GRE_INSPECT_MAP
      pass
    class type inspect CUSTOMIZED_NAT_MAP_1
      inspect
    class type inspect CUSTOMIZED_NAT_MAP_2
      inspect
    class type inspect CUSTOMIZED_216_MAP
      inspect
    class class-default
      drop
    policy-map type inspect urlfilter cppolicymap-1
    description Default abc Policy Filter
    parameter type urlfpolicy trend cprepdenyregex0
    class type urlfilter cpaddbnwlocclasspermit2
      allow
    class type urlfilter cpaddbnwlocclassdeny3
      reset
      log
    class type urlfilter trend cptrendclasscatdeny1
      reset
      log
    class type urlfilter trend cptrendclassrepdeny1
      reset
      log
    policy-map type inspect IN-OUT-INSPECT-POLICY
    class type inspect cpinspectclass1
      inspect
      service-policy urlfilter cppolicymap-1
    class type inspect INSPECT_PROTOCOLS_MAP
      inspect
    class type inspect INVALID_SOURCE_MAP
      inspect
    class type inspect INSPECT_SIP_MAP
      inspect
    class type inspect ALLOW_PING_MAP
      inspect
    class type inspect INSPECT_SKINNY_MAP
      inspect
    class type inspect INSPECT_H225_MAP
      inspect
    class type inspect INSPECT_H323_MAP
      inspect
    class class-default
      drop
    zone security inside
    description INTERNAL_NETWORK
    zone security outside
    description PUBLIC_NETWORK
    zone-pair security INSIDE_2_OUTSIDE source inside destination outside
    service-policy type inspect IN-OUT-INSPECT-POLICY
    zone-pair security OUTSIDE_2_INSIDE source outside destination inside
    service-policy type inspect OUT-IN-INSPECT-POLICY
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key password address 11.22.3.1
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set TunnelToCold esp-3des
    crypto map TunnelsToRemoteSites 10 ipsec-isakmp
    set peer 11.22.3.1
    set transform-set TunnelToCold
    match address TUNNEL_TRAFFIC2Cold
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description OUTSIDE_INTERFACE
    ip address 1.1.1.186 255.255.255.248
    ip nat outside
    ip virtual-reassembly in
    zone-member security outside
    duplex full
    speed 1000
    crypto map TunnelsToRemoteSites
    crypto ipsec df-bit clear
    interface GigabitEthernet0/1
    description INSIDE_INTERFACE
    ip address 192.168.1.150 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security inside
    duplex full
    speed 1000
    ip forward-protocol nd
    ip http server
    ip http access-class 10
    ip http authentication local
    ip http secure-server
    ip nat inside source static tcp 192.168.1.217 5080 interface GigabitEthernet0/0 5080
    ip nat inside source route-map NAT_MAP interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.1.216 80 1.1.1.187 80 extendable
    ip nat inside source static tcp 192.168.1.216 443 1.1.1.187 443 extendable
    ip nat inside source static tcp 192.168.1.216 1494 1.1.1.187 1494 extendable
    ip nat inside source static tcp 192.168.1.216 2598 1.1.1.187 2598 extendable
    ip nat inside source static tcp 192.168.1.213 3389 1.1.1.187 3390 extendable
    ip nat inside source static tcp 192.168.1.216 5080 1.1.1.187 5080 extendable
    ip route 0.0.0.0 0.0.0.0 1.1.1.185
    ip access-list standard LINE_ACCESS_CONTROL
    permit 192.168.1.0 0.0.0.255
    ip access-list extended ALLOW_ESP_AH
    permit esp any any
    permit ahp any any
    ip access-list extended ALLOW_GRE
    permit gre any any
    ip access-list extended CUSTOMIZED_NAT_1
    permit ip any host 192.168.1.217
    permit ip any host 192.168.1.216
    ip access-list extended CUSTOMIZED_NAT_2
    permit ip any host 192.168.1.216
    permit ip any host 192.168.1.212
    permit ip any host 192.168.1.213
    ip access-list extended CUSTOMIZED_NAT_216
    permit ip any host 192.168.1.216
    ip access-list extended INVALID_SOURCE
    permit ip host 255.255.255.255 any
    permit ip 127.0.0.0 0.255.255.255 any
    ip access-list extended NAT_RULES
    deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
    deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended REMOTE_SITE_SUBNET
    permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2ABM
    permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2Bridgewater
    permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2ColdbrookDispatch
    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2ColdbrookETL
    permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2ColdbrookTrailershop
    permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2Moncton
    permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2MountPearl
    permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    ip access-list extended TUNNEL_TRAFFIC2Ontoria
    permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    ip access-list extended WEB_TRAFFIC
    permit tcp 192.168.1.0 0.0.0.255 any eq www
    access-list 10 permit 192.168.1.0 0.0.0.255
    route-map NAT_MAP permit 10
    match ip address NAT_RULES
    snmp-server community 1publicl RO
    control-plane
    line con 0
    logging synchronous
    login authentication NONE_LOGIN
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class LINE_ACCESS_CONTROL in
    exec-timeout 30 0
    logging synchronous
    transport input all
    scheduler allocate 20000 1000
    ntp server 0.ca.pool.ntp.org prefer
    ntp server 1.ca.pool.ntp.org
    end

    Hi,
    I know this is for a different platform but have a look at this link:
    https://supportforums.cisco.com/thread/2089462
    Read through it to get some idea of the similarity, but in particular note the last entry almost a year after the original post.
    I too am having trouble with http inspection, if I do layers 3 & 4 inspection there is no issue whatsoever, but as soon as I enable layer 7 inspection then I have intermittent browsing issues.
    The easy solution here is to leave it at layers 3 & 4, which doesn't give you the flexibility to do cool things like blocking websites, IM, regex expression matching etc... but in my opinion I just don't think these routers can handle it.
    It appears to be a hit and miss affair, and going on the last post from the above link, you might be better off in having the unit replaced under warranty.
    The alternative is wasting a lot of time and effort and impacting your users to get something up and running that in the end is so flaky that you have no confidence in the solution and you are then in a situation where ALL future issues users are facing MIGHT be because of this layer 7 inspection bug/hardware issue etc?
    I would recommend you use the router as a frontline firewall with inbound/outbound acl's (no inspection), and then invest a few $ in getting an ASA dedicated firewall (but that's just me)

  • [Trend Micro Ios content filtering] parameter-type command under policy map not available

    Hi, all:
    I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
    On this particular testbed, I have a 2900 running:
    System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
    And the following licensing:
    Technology Package License Information for Module:'c2900'
    Technology    Technology-package           Technology-package
                  Current       Type           Next reboot 
    ipbase        ipbasek9      Permanent      ipbasek9
    security      securityk9    Permanent      securityk9
    uc            uck9          Permanent      uck9
    data          datak9        Permanent      datak9
    Configuration register is 0x2102
    CUBE_GOLD_MEX#show ip trm subscription status
           Package Name:  Security & Productivity (Trial)
                 Status:  Active
    Status Update Time:  18:02:51 CST Mon Jul 23 2012
        Expiration-Date:  Mon Aug 20 02:00:00 2012
        Last Req Status:  Processed response successfully
    Last Req Sent Time:  18:02:51 CST Mon Jul 23 2012
    CUBE_GOLD_MEX#
    Also, I have the following config lines on it:
    ip host trps.trendmicro.com 216.104.8.100
    ip name-server 4.2.2.2
    ip cef
    multilink bundle-name authenticated
    parameter-map type urlfpolicy trend tm-pmap
    allow-mode on
    [snip]
    parameter-map type trend-global trend-glob-map
    class-map type inspect match-all http-imap
    match protocol http
    class-map type urlfilter trend match-any drop-category
    match url category Abortion
    match url category Activist-Groups
    match url category Adult-Mature-Content
    match url reputation ADWARE
    match url reputation DIALER
    match url reputation DISEASE-VECTOR
    match url reputation HACKING
    match url reputation PASSWORD-CRACKING-APPLICATIONS
    match url reputation PHISHING
    match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match url reputation SPYWARE
    match url reputation VIRUS-ACCOMPLICE
    policy-map type inspect urlfilter trend-policy
    class type urlfilter trend drop-category
    I have not been able to get to the good part of configuring the ZBF.
    I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
    XXXXXX(config)#policy-map type inspect urlfilter trend-policy
    XXXXXX(config-pmap)#?
    Policy-map configuration commands:
      class        policy criteria
      description  Policy-Map description
      exit         Exit from policy-map configuration mode
      no           Negate or set default values of a command
    XXXXXX(config-pmap)#
    I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
    Can anyone provide some assistance?
    TIA.
    c.

    Hi Carlos,
    I am having the same problem.  I have seen a few different configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the IOS documentation for 15.2.  Maybe they forgot it :-)
    I guess I will open a TAC case as I do not want to downgrade...
    I will keep you posted if I find the answer.
    Regards,
    Troy

  • What is RFC for "Content-Type: application/HTTP-Kerberos-session-enc"

    Does anybody know how to process HTTP request with content type "Content-Type: application/HTTP-Kerberos-session-enc" ?
    I cannot decode HTTP request:
    -- Encrypted Boundary
         Content-Type: application/HTTP-Kerberos-session-encrypted
         OriginalContent: type=application/soap+xml;charset=UTF-16;Length=1624
    -- Encrypted Boundary
         Content-Type: application/octet-stream
    <octet-stream>-- Encrypted Boundary
    Where <octet-stream> starts with four bytes [47, 0, 0, 0]
    The other bytes from <octet-stream> I am trying to decode with the "context.unwrap()" method ("context" was created on the previous request):
        GSSHeader gssHeader = new GSSHeader(new ByteArrayInputStream(content));
        log.debug("Incoming warped content length: " + content.length);
        log.debug("Incoming GSS header OID: " + gssHeader.getOid());
        log.debug("Incoming GSS header length: " + gssHeader.getLength());
        log.debug("Incoming GSS header MechTokenLength: " + gssHeader.getMechTokenLength());
        byte[] newBytes = context.unwrap(content, 0, content.length, msgProp);
    "content" - byte array which was created from <octet-stream> without first four bytes (without [47, 0, 0, 0]).
    "gssHeader" is created correctly because in debug log I see:
    Incoming warped content length: 1671
    Incoming GSS header OID: 1.2.840.113554.1.2.2
    Incoming GSS header length: 15
    Incoming GSS header MechTokenLength: 1656
    but on "unwrap" operation I've got exception:
    GSSException: Defective token detected (Mechanism level: Invalid padding on Wrap Token)
         at sun.security.jgss.krb5.CipherHelper.arcFourDecrypt(CipherHelper.java:1226)
         at sun.security.jgss.krb5.CipherHelper.decryptData(CipherHelper.java:532)
         at sun.security.jgss.krb5.WrapToken.getDataFromBuffer(WrapToken.java:230)
         at sun.security.jgss.krb5.WrapToken.getData(WrapToken.java:195)
         at sun.security.jgss.krb5.WrapToken.getData(WrapToken.java:168)
         at sun.security.jgss.krb5.Krb5Context.unwrap(Krb5Context.java:941)
         at sun.security.jgss.GSSContextImpl.unwrap(GSSContextImpl.java:384)
         at com.myproject.ws_management.WSServer$MyHandler.handle(WSServer.java:361)
         at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:65)
         at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:65)
         at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:68)
         at sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:552)
         at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:65)
         at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:524)
         at sun.net.httpserver.ServerImpl$DefaultExecutor.execute(ServerImpl.java:119)
         at sun.net.httpserver.ServerImpl$Dispatcher.handle(ServerImpl.java:349)
         at sun.net.httpserver.ServerImpl$Dispatcher.run(ServerImpl.java:321)
         at java.lang.Thread.run(Thread.java:619)
    KeyTab instance already exists

    It looks like [47, 0, 0, 0] (hex [2F, 0, 0, 0]) is a cipher suite, but on http://www.iana.org/assignments/tls-parameters
    I found that it is:
    0x00,0x2F TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268]
    So... what can these bytes mean?
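
Added example (not part of the original post and not the poster's code): a Python parser for the body framing shown above, assuming the four bytes [47, 0, 0, 0] are a little-endian length prefix for the GSS header that precedes the ciphertext. That reading is an assumption of this example, but it fits the numbers in the post: 47 + 1624 (the OriginalContent Length) = 1671, the logged content length. The function names, the boundary spelling and the filler sample bytes are constructed for illustration.

```python
import re
import struct

# Boundary text spelled as it appears in the post (assumption: the wire form may differ).
BOUNDARY = b"-- Encrypted Boundary"
ORIGINAL_RE = re.compile(rb"OriginalContent:[^\r\n]*?Length=(\d+)")
OCTET_RE = re.compile(rb"Content-Type:[ \t]*application/octet-stream\r?\n")


def parse_encrypted_part(body: bytes, boundary: bytes = BOUNDARY) -> dict:
    """Split one encrypted HTTP body into length prefix, GSS header and ciphertext."""
    declared = ORIGINAL_RE.search(body)
    if declared is None:
        raise ValueError("OriginalContent header with Length= not found")
    octet = OCTET_RE.search(body, declared.end())
    if octet is None:
        raise ValueError("application/octet-stream part not found")
    # The payload is binary, so find the closing boundary by searching from the end.
    end = body.rfind(boundary)
    if end < octet.end():
        raise ValueError("closing boundary not found after the octet-stream part")
    blob = body[octet.end():end]
    if len(blob) < 4:
        raise ValueError("octet-stream shorter than the 4-byte length prefix")
    # Assumption: first four bytes are an unsigned little-endian header length.
    (header_len,) = struct.unpack_from("<I", blob, 0)
    if header_len > len(blob) - 4:
        raise ValueError(
            f"length prefix {header_len} exceeds the {len(blob) - 4} bytes that follow"
        )
    header = blob[4:4 + header_len]
    ciphertext = blob[4 + header_len:]
    declared_len = int(declared.group(1))
    return {
        "header_len": header_len,
        "header": header,
        "ciphertext": ciphertext,
        "declared_len": declared_len,
        # Consistency check: ciphertext size against the declared plaintext size.
        "length_matches": len(ciphertext) == declared_len,
    }


def build_body(blob: bytes, declared_len: int) -> bytes:
    """Wrap a binary blob in the multipart framing shown in the post."""
    return b"".join([
        BOUNDARY, b"\r\n",
        b"\tContent-Type: application/HTTP-Kerberos-session-encrypted\r\n",
        b"\tOriginalContent: type=application/soap+xml;charset=UTF-16;Length=",
        str(declared_len).encode("ascii"), b"\r\n",
        BOUNDARY, b"\r\n",
        b"\tContent-Type: application/octet-stream\r\n",
        blob, BOUNDARY, b"\r\n",
    ])


# Constructed sample: filler bytes sized like the post's message, not a real token.
SAMPLE_HEADER = b"\x60" + bytes(46)          # 47 bytes standing in for the GSS header
SAMPLE_CIPHERTEXT = b"\xaa" * 1624           # 1624 bytes standing in for the ciphertext
SAMPLE_BODY = build_body(
    struct.pack("<I", len(SAMPLE_HEADER)) + SAMPLE_HEADER + SAMPLE_CIPHERTEXT, 1624
)

if __name__ == "__main__":
    info = parse_encrypted_part(SAMPLE_BODY)
    print("length prefix      :", info["header_len"])
    print("header bytes       :", len(info["header"]))
    print("ciphertext bytes   :", len(info["ciphertext"]))
    print("declared Length=   :", info["declared_len"])
    print("lengths consistent :", info["length_matches"])
```
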

  • IOS Content Filtering - Is No More ?

    Cisco very quickly End of Lifed the IOS Content Filtering offering last year
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/eol_c51-698205.html
    For something with a minimum of a yearly lic involved, the EOL timing is shocking - you could have ordered product with a 1 year lic and come back now to find the offering is now dead (as in our case) so much for ROI !
    Cisco are pushing Scansafe as their current offering, which has probably led to a falling out with Trend who provided the underlying service for IOS Content Filtering. Scansafe does not economically cover the low end application, for which IOS Content Filtering was ideal i.e SMB space with 8xx or low end ISR routers. The Cisco answer is basically "perhaps you want to go and investigate solutions from other suppliers"
    So we are left with a router platform which is fine and content filtering which was fine but are now unable to re-licence the URL filtering service and will stop working in about 30 days and there is apparently nothing we can do about it
    Does anyone know if Trend still operate the URL filtering subscription service and whether there is a way of getting a subscription renewal direct ?
    (I'm not holding my breath on that - I am guessing the IOS content filtering hooks for the service being certificate based + Cisco license process will make that hard for anyone but Cisco)
    Or of any alternative simple and cost effective solution we can configure the router to use
    (please tell me we're not back to SurfControl/Websense solutions again..)
    thanks
    Sez

    Approached the Cisco AM - frankly there was little or no interest in fixing such a low value problem. The spin was the Trend relationship ending was beyond Cisco control and Cisco hands tied - i.e. it's not our fault (but strangely the problem is the customers)
    Yes we could get some TMP discount - against the original hardware purchase but the hardware for lowend installs is negligible, it is the services time/cost in getting solution (and any replacement) into deployment which is the costly part and TMP makes no allowance for that.
    Also scansafe solution is much more expensive, compared to IOS URL Filtering, so even taking off the minor TMP discount the answer from Cisco is basically - yep spend more money with us and we'll fix the problem we created for you. And why is there so little normal info on Cisco.com for scansafe - i.e. covering SKU/ordering models etc... It always just says 'ask your Cisco AM for details' - that may have worked when Scansafe was a separate company but a Cisco AM is unlikely to even answer the phone to talk about a $3K order
    If Cisco really wanted to protect customer investment, why couldn't it provide through Scansafe a replacement service for IOS URL Filtering service, at similar cost and pricing model to that provided by the Trend integration? i.e. same kit, same config but pointed at scansafe cloud rather than Trend cloud. Then there would be no issue and a clean migration path provided for Cisco's valued customers
    Probably answering my own question but scansafe appears to return to a cost related to the user count, whereas IOS URL Filtering service was a simple one off cost per router. This was ideal for low end application (the ISR800 series size of deployment) and comparable scansafe is way more expensive.
    I have found we are not alone in this, most customers are only finding out about this mess when existing IOS URL Filtering licences expire and go for renewal only to find the 3 month EOL process has stealthily boatanchored their implementation.
    Sez

  • IOS Content Filtering Using TrendMicro: Can I customize the block-page redirect-url?

    I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription.
    Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
    Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page http://global.sitesafety.trendmicro.com/result.php or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
    I know I can use the 'parameter-map type urlfpolicy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect-url') but I wonder if anyone has any ideas on how to do more with either the built in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
    Thanks!
    Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?

    Hmm... no thoughts over the weekend. Anyone?

  • App store icon gone missing/Web Content Filter - Apple Configurator

    I am using Apple Configurator to manage the iPads at my school. I changed the settings on my school's profile, within Apple Configurator, so that the App store was not available. The App store icon disappeared and all was good. I decided to change the settings back, to allow the App store, saved the settings and refreshed a group of iPads. The App store icon is still missing and it doesn't appear that my new settings have been applied. I quit Configurator and tried again, but no success. I am running Configurator 1.5 and the iPads are running iOS 7.1.
    Also, I have unchecked the "Allow use of YouTube" button because I want YouTube disabled, but Configurator still allows the use of YouTube through Safari. Is there any way to disable the use of YouTube without using the ridiculous "Web Content Filter", that when activated, limits adult content (good), which seems to include a lot of valuable educational sites (bad)? To me the only other option available seems to be to tick "Specific Websites Only" and spend the next year typing in all the possible sites that might have educational merit, ergo, my use of the word 'ridiculous'. Is there something I am missing?

    Locate it in the Apps folder and drag it to the dock.

  • iOS 5 location bug?

    iOS 5 location bug... I live in South Africa and I would love to use the Reminders app for the location-based alerts, but as you can see here --> https://p.twimg.com/Abyz8QQCAAAyuPQ.png:large
    when you drop a pin it just gives you the general area, no roads or anything.
    I am wondering if this is a problem with Google Maps or with iOS 5 or both.
    Any ideas?

    I have noticed the exact same issue. Since updating to iOS5 the maps app seems to not list the pin point position thus making the location based reminders very difficult to use.
    I tested this with an iOS5 and an iOS4 device today and the iOS4 mapping gives street names and not just Johannesburg GP like on iOS5? See attached pictures with devices mapping at the same location?
    I went into the Apple store in Sandton City on Thursday but the guy I spoke to simply said that it is a new operating system, and he would try and look into it? My problem is that if this is just a South African mapping iOS5 issue how long will it take to get resolved without being brought to the attention of the right people?

  • Web content filter and shockwave

    Hi! In my organization I am using Squid proxy with DansGuardian as a web content filter. The problem that I'm facing is that when I visit a site that uses Shockwave, I get the message that " the Xtra package failed to initialize.. ". This problem is brought up by using DansGuardian, because when I use Squid everything works fine.
    With the previous version of shockwave i had added as exceptions in url and site lists the following paths and everything worked fine:
    adobe.com
    download.macromedia.com/pub/shockwave/cabs/director/sw.cab#version=8,5,0
    download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    get.adobe.com/shockwave/

    Try Settings > Wifi > your checked network > HTTP Proxy: Off

  • Content filter not fixed, still stripping message body

    The content filter that arbitrarily strips out (part of) the body of my
    email messages is not fixed: http://forums.adobe.com/message/1867251#1867251
    Jochem
    Jochem van Dieten
    http://jochem.vandieten.net/

    I think I found out why the message body of my messages is stripped out. It appears Jive is filtering the content of email messages with the following regular expression:
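    import java.util.regex.Pattern;
    /** Simple bean for storing the contents of an incoming email. */
    public class Message {
        // ripped from EmailParserImpl
        // Starts at a run of 5+ dashes or underscores, or a line ending in "wrote:", and consumes the rest of the text
        private static final Pattern originalMessagePattern = Pattern.compile("(-{5,}|_{5,}|^.*wrote:$)(\\s*.*)*", Pattern.MULTILINE);
    }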
    My first impression is that this implementation is somewhat simplistic. For instance, it doesn't take into account whether you just quoted a single line or all of the message. For a great example of that, look at the House of Fusion email archives, where you can see selective quotes are allowed, but complete quotes of full messages are filtered out. It also doesn't do pattern matching on the standardized string that starts a signature.
    More insight into the behaviour of the email integration can be obtained from the source code of the Jive advancedemail plugin. Although I am not sure it is the same version as Adobe is running, there are some comments and TODOs in the code about behaviour I am not seeing in the email from these forums, but it still helps to understand what is happening.
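    The effect of the pattern quoted in the post above, shown as an added example that is not part of the original post or of Jive's code. The regex is ported unchanged to Python's re module; the cut-at-first-match usage, the sample messages (constructed) and the `strip_trailing_quote` alternative, which assumes the "-- " signature delimiter line, are hypothetical.

```python
import re

# Pattern quoted in the post, ported from Java (the syntax is the same in Python).
ORIGINAL_MESSAGE = re.compile(r"(-{5,}|_{5,}|^.*wrote:$)(\s*.*)*", re.MULTILINE)

def strip_as_posted(body):
    """Drop everything from the first match onward (assumed use of the pattern)."""
    m = ORIGINAL_MESSAGE.search(body)
    return body if m is None else body[:m.start()]

def strip_trailing_quote(body):
    """Hypothetical alternative: cut the signature at the "-- " delimiter line,
    then remove a quote only when it is a trailing block (an attribution line
    followed by nothing but '>' lines), so inline quotes with replies survive."""
    lines = body.split("\n")
    if "-- " in lines:                        # signature delimiter on its own line
        lines = lines[:lines.index("-- ")]
    while lines and not lines[-1].strip():    # trim trailing blank lines
        lines.pop()
    end = len(lines)
    while end > 0 and (lines[end - 1].startswith(">") or not lines[end - 1].strip()):
        end -= 1                              # walk back over the quoted tail
    if 0 < end < len(lines) and lines[end - 1].rstrip().endswith("wrote:"):
        lines = lines[:end - 1]               # drop attribution line and quote
    return "\n".join(lines).rstrip()

# Constructed sample messages.
INLINE_REPLY = ("Hi all,\n\nOn Monday, Alice wrote:\n> Does the filter eat replies?\n\n"
                "Yes, it drops everything after the attribution line.\n\n-- \nBob\n")
FULL_QUOTE = ("Thanks, that fixed it.\n\nOn Monday, Alice wrote:\n"
              "> Try the new build.\n> It has the patch.\n")
DASHES = "Build log:\n----------\nstep 1 ok\nstep 2 failed\n"
SIGNATURE_ONLY = "Hello\n-- \nBob\n"

if __name__ == "__main__":
    for name, msg in [("inline reply", INLINE_REPLY), ("full quote", FULL_QUOTE),
                      ("dash rule", DASHES), ("signature", SIGNATURE_ONLY)]:
        print(name, "| posted pattern:", repr(strip_as_posted(msg)),
              "| alternative:", repr(strip_trailing_quote(msg)))
```

    The posted pattern removes the reply written below an inline quote and any text after a row of dashes, while a "-- " signature passes through untouched because it has only two dashes.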

  • Content filter not working

    I recently got my two teenagers a Droid Maxx and they love it. My question is if anyone knows why the content filter option doesn't work for it. You would think the content filter would work on all phones. Seems to me that prior to releasing any new phone they should have made sure all features of the Verizon account would work. Does anyone know if they are going to resolve this issue and if so when? I do think it is irresponsible for the feature to not work considering the number of kids using cell phones now. How can a parent who wants to control content do so if not available? I think this should be a priority with Verizon. Do they value kids' safety or not?

        Hey there, skyhawk1! Thanks for your purchase of two new Droid Maxx smartphones. I hope your teenagers are loving them! I'm very curious about the crux of your post here. You've expressed interest in Content Filtering, and stated that the service is incompatible with the Droid Maxx. Our records indicate that the model will support filtering. Can you tell me why you feel that it doesn't? Did you attempt to add or request it, only to be denied? Please share the details. Thanks!
    For more info on Content Filtering, please review this link: http://vz.to/17xz67N
    DionM_VZW
    Follow us on Twitter www.twitter.com/vzwsupport

  • Content filter on message body

    I'm trying to set up a content filter for the message body containing the smart identifier "credit card". It works fine if I set the filter for message body and attachments. However, if I set the filter for message body only, the messages containing credit card numbers are not filtered.
    Any suggestions? Is this a bug? This is Model B10, Operating System 6.6.1-016.
    Thanks.

    I'm trying to set up two filters on inbound messages. One would check for a credit card in the body and drop the message (and notify the recipient). The other would check for a credit card in attachments and strip those attachments but let the rest of the message through with a disclaimer added.

  • How to add websites to content filter

    I have the 7+ age content filter set for one of the phones on my plan, but there are still some sites accessible that are inappropriate for this age setting. How do I suggest new sites to be reviewed and hopefully blocked by the parental control filters?

        Hi Revium,
    Filters are an excellent tool to keep the device activities age appropriate! No content filtering tool is 100% effective. The service may not block access to all unwanted or undesirable content. The service isn't a substitute for parental supervision. Parents are ultimately responsible for their children's safety and should talk to their children about safe use of technology http://vz.to/185VfNv . Below is the description of what Child 7 filters:
    Content recommended for ages 7 
    Minimum:
      • Violence
      • Sexual dialogue or situations
    No:
      • Strong language
      • Mature themes
    Includes:
      • TV-G
      • G movies
      • Certain web/wap sites
      • Education, weather and sports
    Is the filter not blocking items located in the filter description?
    Thanks,
    PamelaF_VZW
    Tweet us @vzwsupport

  • How do I turn off the content filter?

    I cannot look at things like lottery results or personal ads. I get a "content filter" that does not allow the page to load.

    This message is not from Firefox. I would guess that there is an app installed on the phone that filters all internet traffic.
    If you are a resident of the UK you may be caught by http://en.wikipedia.org/wiki/Internet_censorship_in_the_United_Kingdom#Default_network-level_blocking_by_Internet_Service_Providers

  • Outgoing mail Policy only able to use one of either Content Filter - Outbreak Filter - DLP

    No matter what config I use I am able to apply sender domains, anti spam and anti virus however I can only apply a single process of content filter which then will not move to the next process of DLP.  Can this be achieved so I can have within the same outgoing mail policy the process of content filter and dlp policies applied.

    Hello Bighead81,
    could you explain what you mean by "single process of content filter" please?  I'd suppose adding more than one content filter to a policy, which should be no problem. Also activation of Content Filter, Outbreak Filters and DLP (for outbound mailflow) for any policies.
    Regards,
    Andreas
