3.2 cluster with zone

Hi all. Need help to take a look. Thanks a lot.
3.2 cluster with zones.
node1: orchard :zone1
node2: somerset:zone2
My data service 4 is unable to create (even adding a basic one), don't know why?
1. #clrg create -n orchard:zone1,somerset:zone2 cluster_RG (ok)
2. #clrslh create -g cluster_RG -h zone1-lh -N sc_ipmp0@orchard,sc_ipmp0@somerset zone1_rs (ok)
3. #clrs create -g cluster_RG -t SUNW.HAStoragePlus -p AffinityOn=TRUE \
-p FilesystemMountPoints=/mount1:/zones/shared/mount1 metaset-21a_rs (ok)
4. There are some errors:
#clrs create -g cluster_RG -t SUNW.gds -p Scalable=false \
-p Start_command="/opt/SUNWscgds/scripts/app/start.sh" \
-p Stop_command="/opt/SUNWscgds/scripts/app/stop.sh" \
-p Probe_command="/global/kannel/bin/probe.sh" \
-p Port_list="2222/tcp" \
-p Network_resources_used=zone1_rs \
-p Stop_signal=9 \
-p Log_level=NONE my-21a_rs
clrs: (C189917) VALIDATE on resource my-21a_rs, resource group cluster_RG, exited with non-zero exit status.
clrs: (C720144) Validation of resource my-21a_rs in resource group cluster_RG on node orchard:zone1 failed.
clrs: (C891200) Failed to create resource "my-21a_rs".

Hi, thank you very much for the advice; actually it throws out the same error msg.
Looks like an error from zoning. If I add resources without a zone, everything comes up fine.
#clrs create -g cluster_RG -t SUNW.gds -p Scalable=false \
-p Start_command="/opt/SUNWscgds/scripts/app/start.sh" \
-p Stop_command="/opt/SUNWscgds/scripts/app/stop.sh" \
-p Probe_command="/global/kannel/bin/probe.sh" \
-p Port_list="2222/tcp" \
-p Network_resources_used=zone1_rs \
-p Resource_dependencies=metaset-21a_rs \
-p Stop_signal=9 \
-p Log_level=NONE my-21a_rs
clrs: (C189917) VALIDATE on resource my-21a_rs, resource group cluster_RG, exited with non-zero exit status.
clrs: (C720144) Validation of resource my-21a_rs in resource group cluster_RG on node orchard:zone1 failed.
clrs: (C891200) Failed to create resource "my-21a_rs".

Similar Messages

  • Deferred patching broken for machines with zones

    For a while I've noticed that I've had trouble patching a couple of machines.
    I've managed to determine the significant characteristic identifying them.
    All the machines with a non-global zone have the problem.
    To confirm, I added a test zone to a machine that was fine, and it immediately developed the problem.
    Anyway, the symptom is that no deferred patches will install.
    So patches delayed by a "smpatch update" till the reboot fail to install.
    The sunucLog displays the following error
    Sep 17 10:30:05 webdb1 123186-03 [notice] Status Install Begin 123186-03
    Sep 17 10:30:05 webdb1 123186-03 [ALERT] Validating patches...
    Sep 17 10:30:05 webdb1 123186-03 [ALERT] Loading patches installed on the system...
    Sep 17 10:30:05 webdb1 123186-03 [ALERT] Loading patches requested to install.
    Sep 17 10:30:05 webdb1 123186-03 [ALERT] Checking patches that you specified for installation.
    Sep 17 10:30:05 webdb1 123186-03 [ALERT] svcadm: Instance "svc:/system/filesystem/local:default" has been disabled by another entity.
    Sep 17 10:30:05 webdb1 123186-03 [ALERT] ERROR: Enabling filesystem/local service failed.
    Sep 17 10:30:05 webdb1 123186-03 [ALERT] Status Install End 123186-03 Install Update installation failed
    Anyone got any workarounds for this problem?
    Is it a known issue?
    Or should I log a support request?

    Any progress on this? It's been 2 months, and Sun has managed to put out an entire new update to Solaris.
    And 119254-59 has been released. But neither includes a fix for this issue as far as I can tell...
    It's now basically impossible to patch machines with zones up to the latest kernel 137137-09 since that has a dependency on 119254-58.
    And machines with zones can't be patched if a version higher than 119254-53 is installed....

  • Cloning Solaris 10 with zones

    What is the best method to use when cloning a Solaris machine with zones, to ensure all software is included and can be easily installed
    on new hardware?
    Thank you!

    If you use UFS, then ufsdump/ufsrestore.
    If you use ZFS, then zfs send/zfs receive.
    But if you are using hardware or software RAID, you can also try to move one disk to another machine.
    You can see from these simple examples that you have several methods, and it depends on how you configured your machine, Solaris and the zones. And finally, it also depends on what the source machine and the target machine are, and how they are configured.

  • Live migration with zones

    Hi all,
    I have been reading into making "SPARC Private Cloud" whitepapers with LDOMs from Oracle. One thing really pops out from the text which really confuses me:
    from pages 8 and 10:
    "VMs may also be securely live migrated or automatically started or restarted across any servers in their respective pools. *Zones are cold migrated*"
    "Secure live migration—Move domains off of servers that are undergoing planned maintenance. *Zones are cold-migrated*."
    Does this really mean that if I have zones inside an LDOM guest, I can live migrate the LDOM guests but not the zones? Hence zones will go down if I do this? If so, what's the reason behind this? It's hard to grasp the idea that the OS itself can be live migrated, but not zones inside it that are using the same kernel, binaries etc. from it....
    Links:
    https://blogs.oracle.com/infrared/entry/building_private_iaas_with_sparc
    http://www.oracle.com/us/groups/public/@otn/documents/webcontent/1659149.pdf
    - Jukka

    Lumi, I'm pretty sure they are comparing LDOMs with zones on a standalone system (i.e. no LDOMs).
    When you migrate a domain, everything the guest kernel is doing should emerge as it was before.
    Migration might take a bit longer than for the GZ alone, since you're using more virtual memory.
    To move an NGZ between standalone GZs, you would indeed have to halt, detach, attach, and boot it.
    But please don't take my word for it... feel free to try both methods for yourself. =-)
    The only limitation for zones in LDOMs that I'm aware of: You cannot currently set elastic power policy.
    Other than that, I don't see why you couldn't keep zones running inside your guest as it moves around.
    Hope that helps... -cheers, CSB

  • Live Upgrade with Zones - still not working ?

    Hi Guys,
    I'm trying to do Live Upgrade from Solaris update 3 to update 4 with a non-global zone installed. It's driving me crazy now.
    I did everything as described in the documentation, installed SUNWlucfg and supposedly updated SUNWluu and SUNWlur (supposedly because they are exactly the same as they were in update 3), both from packages and with the script from the update 4 DVD, installed all patches mentioned in 72099, but the lucreate process still complains about missing patches, and I've checked five times if they're installed. They are. It doesn't even allow me to create a second BE. Once I detached the zone, everything went smoothly, but I had the impression that Live Upgrade with zones would work in Update 4.
    It did create the second BE before SUNWlucfg was installed, but failed at the update stage with exactly the same message: install patches according to 72099. After installation of SUNWlucfg the Live Upgrade process fails instantly; that's real progress, I must admit.
    Is it still "mission impossible" to Live Upgrade with non-global zones installed? Or have I missed something?
    Any ideas or success stories are greatly appreciated. Thanks.

    I upgraded from u3 to u5.
    The upgrade went fine, the zones boot up, but there are problems.
    sshd doesn't work.
    svcs -vx prints out this:
    svc:/network/rpc/gss:default (Generic Security Service)
    State: uninitialized since Fri Apr 18 09:54:33 2008
    Reason: Restarter svc:/network/inetd:default is not running.
    See: http://sun.com/msg/SMF-8000-5H
    See: man -M /usr/share/man -s 1M gssd
    Impact: 8 dependent services are not running:
    svc:/network/nfs/client:default
    svc:/system/filesystem/autofs:default
    svc:/system/system-log:default
    svc:/milestone/multi-user:default
    svc:/system/webconsole:console
    svc:/milestone/multi-user-server:default
    svc:/network/smtp:sendmail
    svc:/network/ssh:default
    svc:/network/inetd:default (inetd)
    State: maintenance since Fri Apr 18 09:54:41 2008
    Reason: Restarting too quickly.
    See: http://sun.com/msg/SMF-8000-L5
    See: man -M /usr/share/man -s 1M inetd
    See: /var/svc/log/network-inetd:default.log
    Impact: This service is not running.
    It seems as though the container is not upgraded.
    more /etc/release in the container shows this:
    Solaris 10 11/06 s10s_u3wos_10 SPARC
    Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 14 November 2006
    How do I get it to fix the inetd service?

  • Is patching Sol 10 machines with zones safe?

    Now that the Sun update has been released, "smpatch update" explicitly checks for the presence of non-global zones and refuses to run.
    Now, it's fairly trivial to reproduce the "smpatch update" functionality from "smpatch download", which still works, and a bit of scripting.
    I've done this on a test machine with zones with no obvious ill effects.
    However, since Sun went to the trouble of disabling "smpatch update", you have to presume there was a good reason.
    So is patching machines with zones safe? Or is there some known problem with doing this?

    The problem was that the underlying tool patchadd was not zones-aware, and then changes (I believe for bug 6200143) changed the exit codes that smpatch relies on.
    Now in Solaris 10 patchadd/patchrm returns only an exit code of 1 or 0 when using zones, which is insufficient both for smpatch and for the Update Manager.
    So there are two options:
    If the system does not have any local zones configured, then you can run "patchadd -t" in transitional mode, which reverts back to the old pre-Solaris 10 rich return codes that smpatch needs.
    If there are zones on the system, using smpatch download + patchadd will work, but you cannot get rich status from patchadd.
    Running "patchadd -t" on a system with local zones gives:
    # patchadd -t
    Transition patching (-t option) is not supported in a zones environment.
    HTH
    ethan

  • Firefox 5 will not start with Zone Alarm Ver 10.0.240.000

    Firefox updated yesterday and now it will no longer start; it looks like the problem may be with Zone Alarm ForceField. Does anyone have any ideas how to get Firefox 5 to run under Zone Alarm Extreme Security? Thanks

    Hi,
    I'm running Win7 x64 with ZoneAlarm Extreme Security 10.0.241.000.
    I had the same problem with Firefox 4. After turning off the ForceField Toolbar, it started working fine.
    Then I updated to Firefox 5 and it wouldn't start; instead it was showing an error message from ZA...
    I searched Mozilla support and followed the instructions here: http://kb.mozillazine.org/Browser_will_not_start_up
    on the topic "Firefox does not start after updating with ZoneAlarm ForceField enabled".
    The correct instructions for this ZA version should be: "Internet -> Web Security -> Settings, and click Clear Virtual Data".
    After that I could open Firefox again! Then I realized it was still version 4...
    I installed the update, and everything went smoothly. Checked again if the ForceField toolbar was inactive (it was) and opened a few pages, closed Firefox and opened it again. After a while it wouldn't open...
    AGAIN the "Clear Virtual Data" did the trick...
    This time I clicked on Settings (next to "Clear Virtual Data") -> Advanced Settings, and turned off "Enable Virtualization".
    Until ZA gets a fix for this, either we turn it off or clear virtual data every few moves...
    Working fine.
    Best regards

  • Upgrading Solaris with Zones

    I have just found the following statement in the Solaris 10 Install Guide, section "Upgrade Limitations":
    "If you have configured Solaris Zones on your system, you are not able to upgrade until you have unconfigured and uninstalled your non-global zones"
    I have a serious problem with this limitation. It seems to be impossible to upgrade a Solaris 10 system with zones configured. I would have to shut down and uninstall my zones and applications to upgrade the OS.
    There's not even a way to move the affected zones to another system to keep the application running if the host with the global zone needs maintenance due to an OS upgrade or HW maintenance, or if it simply has too many zones configured on it and all resources are exhausted.
    With these limitations I don't see much reasonable use for zones. In particular, once a zone and an application are set up on a physical box with a particular OS release, I am stuck with it for all time.
    How are you going to solve these problems? And when? What are zones good for in the current implementation? I am still waiting for convincing arguments to use zones ...

    I guess I'll state for the record, lest anyone should be confused by my last post, that Live Upgrade doesn't allow the upgrade anymore. I guess I got away with it before LU was upgraded to restrict such activity.
    ERROR: Unable to upgrade boot environment <Solaris10-B58>.
    INFORMATION: Boot environment <Solaris10-B58> has one or more non-global
    zones installed. This version of Live Upgrade cannot upgrade a boot
    Guess I'd better figure out how to back up my zones so I can cleanly remove them. A simple tar will probably do the trick for now.
    benr.

  • IP/Interface setup with zones

    Moin!
    I am trying to configure my first server with zones and am new to it, so please forgive me if I ask dumb questions.
    I wanted to use zones to protect my machine setup from possible intrusions from the internet. So I wanted to create a global zone that is only connected to a backend network (10.x.x.x) over, say, hme0, and then a zone that has access to hme1, which is connected to the public internet.
    However, as it is only possible to configure routes from the global zone, I have to give that interface (hme1) an address in the global zone also, as I have to configure different default routes. This, however, exposes the global zone to the internet.
    Is there anything I missed that makes it possible to achieve this (without firing up ipfilter)?
    TIA and so long
    -Ralf Weber

    You should be able to add the default routes with configuring a global zone address on hme1. However, you need to boot the zone before you install the routes. For security, you should also:
    - enable strict destination multihoming:
    # ndd -set /dev/ip ip_strict_dst_multihoming 1
    - add reject routes to block the zone from accessing the global zone (see older posts on this forum)
    Blaise

  • Problem with zone installation on solaris 08/07

    Hello :)
    I need some help.
    I installed Solaris 10 08/07 on my x2100 M2. Everything is ok.
    Then I try to install a non-global zone named web-zone with the following commands:
    # mkdir /export/web-zone
    # chmod 700 /export/web-zone
    # zonecfg -z web-zone
    web-zone: No such zone configured
    Use 'create' to begin configuring a new zone.
    zonecfg:web-zone> create
    zonecfg:web-zone> set autoboot=true
    zonecfg:web-zone> set zonepath=/export/web-zone
    zonecfg:web-zone> add net
    zonecfg:web-zone:net> set address=192.168.0.3
    zonecfg:web-zone:net> set physical=bge1
    zonecfg:web-zone:net> end
    zonecfg:web-zone> info
    zonepath: /export/web-zone
    autoboot: true
    pool:
    inherit-pkg-dir:
    dir: /lib
    inherit-pkg-dir:
    dir: /platform
    inherit-pkg-dir:
    dir: /sbin
    inherit-pkg-dir:
    dir: /usr
    net:
    address: 192.168.0.3
    physical: bge1
    zonecfg:web-zone> verify
    zonecfg:web-zone> commit
    zonecfg:web-zone> exit
    # zoneadm -z web-zone verify
    # zoneadm -z web-zone install
    # zoneadm list -cv
    # zoneadm -z web-zone boot
    When I zlogin into the zone, the configuration stack fails with:
    Fatal internal error: prompt_error called before prompt_open!
    The IP address previously set on the network interface
    is no longer available. The system state is corrupted. System identification
    can no longer continue.
    Press Return to continue
    And that's it :)
    On interface bge1 I have 2 IP addresses, one for the management processor (192.168.0.254) and one for the global zone (192.168.0.2).
    The output from ifconfig -a is:
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    zone web-zone
    inet 127.0.0.1 netmask ff000000
    bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 192.168.0.2 netmask ffffff00 broadcast 192.168.0.255
    ether 0:1b:24:5:4f:6f
    bge1:1: flags=4001000842<BROADCAST,RUNNING,MULTICAST,IPv4,DUPLICATE> mtu 1500 index 2
    zone web-zone
    inet 192.168.0.3 netmask ffffff00 broadcast 192.168.0.255
    Any ideas?? :)
    Thanks
    PS: Sorry for my bad English :)

    Hi
    Thank you for the reply.
    This happened exactly when I zlogin for the first time to complete the installation.
    The installation procedure flowed flawlessly. I set terminal type 13 (dt terminal) and everything is OK, but when I try to set up the hostname I've got this error.
    I tried this with 3 different zones on this machine with the same result.
    I have old x86 machines with Solaris 11/06 zones installed; everything works fine (1 year uptime).
    This is not the first zone in my life :)
    Best Regards
    DJ JAM

  • Problem with zone creation in Solaris 10 6/06

    Hi,
    I have configured and installed a non-global zone following the example given in the guide http://www.sun.com/software/solaris/howtoguides/posgresqlhowto.jsp. My zone has the following configuration:
    # zonecfg -z pg_zone
    zonecfg:pg_zone> info
    zonepath: /export/zones/pg_zone
    autoboot: true
    pool:
    fs:
    dir: /pg_log
    special: /dev/dsk/c1d0s0
    raw: /dev/rdsk/c1d0s0
    type: ufs
    options: []
    net:
    address: 192.168.10.100/24
    physical: bge0
    zonecfg:pg_zone> exit
    The installation completed but I got the following errors:
    # zoneadm -z pg_zone install
    Preparing to install zone <pg_zone>.
    Creating list of files to copy from the global zone.
    Copying <130101> files to the zone.
    Initializing zone product registry.
    Determining zone package initialization order.
    Preparing to initialize <1059> packages on the zone.
    Initialized <1059> packages on zone.
    Zone <pg_zone> is initialized.
    Installation of these packages generated errors: <SUNWgnome-a11y-libs-share>
    Installation of <63> packages was skipped.
    The file </export/zones/pg_zone/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
    When I examined the logs there were several messages like this:
    SUNW_PKG_THISZONE=true in the pkginfo file.
    *** package <SUNWamutl> was not installed:
    The package <SUNWamutl> is registered to be installed in the
    global zone only. The package may have been installed in the global
    zone using the pkgadd '-G' option, or the package may contain a
    request script, or the package may directly set the package attribute
    SUNW_PKG_THISZONE=true in the pkginfo file.
    *** package <SUNWiimdv> was not installed:
    The package <SUNWiimdv> is either not fully installed in the
    global zone, or the package contains a request script. Only packages
    that are fully installed in the global zone and that do not contain a
    request script can be installed when a new zone is created. If this
    package does not contain a request script, you can correct this
    problem by removing and reinstalling the package in the global zone.
    And when I try to boot the zone I get this error:
    # zoneadm -z pg_zone boot
    zoneadm: zone 'pg_zone': "/usr/lib/fs/lofs/mount -o zonedevfs /export/zones/pg_zone/dev /export/zones/pg_zone/root/dev" failed with exit code 33
    zoneadm: zone 'pg_zone': call to zoneadmd failed
    Any suggestion how to solve this problem?
    thanks

    To answer your question wangzh: Yes, I did. I actually followed exactly the procedure in the how-to guides: http://www.sun.com/software/solaris/howtoguides/containersLowRes.jsp.
    I think the problem here might reside in the script supplied in the Solaris distribution for creating zones. For example, in the default configuration script, the package directories /lib, /platform, /var and /usr are by default set to be automatically imported. But when I try to create a zone using these default settings, it ends up with a mounting error that prevents the installation of the zone. Only when I manually remove those directories from the configuration does the installation continue.
    And during the installation process there are a number of packages that are by default imported via the installation script, and these are some of the packages that cause the errors here. I also tried to exclude the offending packages as suggested by henryC, but I couldn't find all of them and the creation still fails at booting.

  • Need Best Practice for creating BE in ZFS boot environment with zones

    Good Afternoon -
    I have a Sparc system with ZFS Root File System and Zones. I need to create a BE for whenever we do patching or upgrades to the O/S. I have run into issues when testing booting off of the newBE where the zones did not show up. I tried to go back to the original BE by running the luactivate on it and received errors. I did a fresh install of the O/S from cdrom on a ZFS filesystem. Next ran the following commands to create the zones, and then create the BE, then activate it and boot off of it. Please tell me if there are any steps left out or if the sequence was incorrect.
    # zfs create -o canmount=noauto rpool/ROOT/S10be/zones
    # zfs mount rpool/ROOT/S10be/zones
    # zfs create -o canmount=noauto rpool/ROOT/s10be/zones/z1
    # zfs create -o canmount=noauto rpool/ROOT/s10be/zones/z2
    # zfs mount rpool/ROOT/s10be/zones/z1
    # zfs mount rpool/ROOT/s10be/zones/z2
    # chmod 700 /zones/z1
    # chmod 700 /zones/z2
    # zonecfg -z z1
    Myzone: No such zone configured
    Use 'create' to begin configuring a new zone
    Zonecfg:myzone> create
    Zonecfg:myzone> set zonepath=/zones/z1
    Zonecfg:myzone> verify
    Zonecfg:myzone> commit
    Zonecfg:myzone> exit
    # zonecfg -z z2
    Myzone: No such zone configured
    Use 'create' to begin configuring a new zone
    Zonecfg:myzone> create
    Zonecfg:myzone> set zonepath=/zones/z2
    Zonecfg:myzone> verify
    Zonecfg:myzone> commit
    Zonecfg:myzone> exit
    # zoneadm -z z1 install
    # zoneadm -z z2 install
    # zlogin -C -e 9. z1
    # zlogin -C -e 9. z2
    Output from zoneadm list -v:
    # zoneadm list -v
    ID NAME STATUS PATH BRAND IP
    0 global running / native shared
    2 z1 running /zones/z1 native shared
    4 z2 running /zones/z2 native shared
    Now for the BE create:
    # lucreate –n newBE
    # zfs list
    rpool/ROOT/newBE 349K 56.7G 5.48G /.alt.tmp.b-vEe.mnt <--showed this same type mount for all f/s
    # zfs inherit -r mountpoint rpool/ROOT/newBE
    # zfs set mountpoint=/ rpool/ROOT/newBE
    # zfs inherit -r mountpoint rpool/ROOT/newBE/var
    # zfs set mountpoint=/var rpool/ROOT/newBE/var
    # zfs inherit -r mountpoint rpool/ROOT/newBE/zones
    # zfs set mountpoint=/zones rpool/ROOT/newBE/zones
    and did it for the zones too.
    When I ran luactivate newBE, it came up with errors, so again I changed the mountpoints. Then rebooted.
    Once it came up I ran luactivate newBE again and it completed successfully. Ran lustatus and got:
    # lustatus
    Boot Environment Is Active Active Can Copy
    Name Complete Now On Reboot Delete Status
    s10s_u8wos_08a yes yes no no -
    newBE yes no yes no -
    Ran init 0
    ok boot -L
    picked item two which was newBE
    then boot.
    It came up, but df showed no zones, zfs list showed no zones, and when I cd into /zones there is nothing there.
    Please help!
    thanks julie

    The issue here is that lucreate adds an entry to the vfstab in newBE for the zfs filesystems of the zones. You need to lumount newBE /mnt, then edit /mnt/etc/vfstab and remove the entries for any zfs filesystems. Then, if you luumount it, you can continue. It's my understanding that this has been reported to Sun, and the fix is in the next release of Solaris.
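    The vfstab clean-up described in that answer, as an added example that is not from the original thread: a small filter that drops the zfs entries from a copy of the alternate BE's /etc/vfstab and reports what it removed, so the result can be reviewed before the BE is activated. The sample vfstab below is constructed; the optional only_under argument (restrict removal to mount points under one path such as /zones) is an extension of the answer's "remove any zfs entries" rule.

```python
# vfstab columns (Solaris):
#   device-to-mount  device-to-fsck  mount-point  FS-type  fsck-pass  mount-at-boot  options
def strip_zfs_entries(vfstab_text, only_under=None):
    """Return (cleaned_text, removed_lines).

    Drops every entry whose FS-type column is 'zfs'. With only_under set
    (e.g. '/zones'), only zfs entries whose mount point is that path or lies
    beneath it are dropped. Comments, blank lines and lines with too few
    columns are kept untouched so a human can review them."""
    kept, removed = [], []
    prefix = None if only_under is None else only_under.rstrip("/") + "/"
    for line in vfstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            kept.append(line)
            continue
        mount_point, fs_type = fields[2], fields[3]
        in_scope = (only_under is None or mount_point == only_under
                    or mount_point.startswith(prefix))
        if fs_type == "zfs" and in_scope:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample resembling what lucreate left behind in the alternate BE's
# /etc/vfstab in the thread above (dataset names follow the thread; the file
# itself is illustrative, not copied from a real system).
SAMPLE_VFSTAB = """\
#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
fd              -               /dev/fd         fd      -       no      -
/proc           -               /proc           proc    -       no      -
/dev/zvol/dsk/rpool/swap -      -               swap    -       no      -
/devices        -               /devices        devfs   -       no      -
sharefs         -               /etc/dfs/sharetab sharefs -     no      -
ctfs            -               /system/contract ctfs   -       no      -
objfs           -               /system/object  objfs   -       no      -
swap            -               /tmp            tmpfs   -       yes     -
rpool/ROOT/newBE/zones -        /zones          zfs     -       yes     -
rpool/ROOT/newBE/zones/z1 -     /zones/z1       zfs     -       yes     -
rpool/ROOT/newBE/zones/z2 -     /zones/z2       zfs     -       yes     -
"""


def main():
    # Dry run on the sample: show what would be removed, then the cleaned file.
    cleaned, removed = strip_zfs_entries(SAMPLE_VFSTAB)
    print("would remove %d zfs entries:" % len(removed))
    for line in removed:
        print("  " + line)
    print(cleaned)


if __name__ == "__main__":
    main()
```

    To apply it to a real BE, read /mnt/etc/vfstab after lumount, write cleaned back only after checking the removed list, then luumount.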

  • Any "Best Practice" regarding use of zfs in LDOM with zones

    I have 3 different networks and I want to create a guest-domain for each of the three networks on the same control domain.
    Inside each guest-domain, I want to create 3 zones.
    To make it easy to handle growth and also make the zones more portable, I want to create a zpool inside each guest domain and then a zfs for each zoneroot.
    By doing this I will be able to handle growth by adding vdisks to the zpool(in the guest domain) and also to migrate individual zones by using zfs send/receive.
    In the "LDoms Community Cookbook", I found a description on how to use zfs clone in the control domain to decrease deploy time of new guest domains:
    " You can use ZFS to very efficiently, easily and quickly, take a copy of a previously prepared "golden" boot disk for one domain and redeploy multiple copies of that image as a pre-installed boot disk for other domains."
    I can see clear advantages in using zfs in both the control domain and the guest domain, but what is the downside?
    I end up with a kind of nested zfs where I create a zpool inside a zpool, the first in the control domain and the second inside a guest domain.
    How is zfs caching handled, will I end up with a solution with performance problems and a lot of I/O overhead?
    Kindest,
    Tor

    I'm not familiar with the Sybase agent code and you are correct, only 15.0.3 seems to be supported. I think we'd need a little more debug information to determine if there was a workaround. May be switching on *.info messages in syslogd.conf might get some more useful hints (no guarantee).
    Unfortunately, I can't comment on if, or when, Sybase 15.5.x might be supported.
    Regards,
    Tim
    ---

  • Problems with Zone based Firewall and mtr (mytraceroute)

    We are using ZFW on an ASR1001 and have experienced a problem: when I try to use mtr (mytraceroute, see
    http://en.wikipedia.org/wiki/MTR_%28software%29), I am getting packet loss on all hops between the source and the destination. e.g.:
    <code>
                                                 Packets               Pings
    Host                                         Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. Stuttgart-I28-1.belwue.de                 100.0     8    0.0   0.0   0.0   0.0   0.0
    2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net     100.0     7    0.0   0.0   0.0   0.0   0.0
    3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net    100.0     7    0.0   0.0   0.0   0.0   0.0
    4. Karlsruhe1-10GE-4-0-0.belwue.net          100.0     7    0.0   0.0   0.0   0.0   0.0
    5. Mannheim1-10GE-3-0-0.belwue.net           100.0     7    0.0   0.0   0.0   0.0   0.0
    6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 100.0     7    0.0   0.0   0.0   0.0   0.0
    7. de-cix20.net.google.com                   100.0     7    0.0   0.0   0.0   0.0   0.0
    8. 72.14.238.230                             100.0     7    0.0   0.0   0.0   0.0   0.0
    9. 72.14.239.62                              100.0     7    0.0   0.0   0.0   0.0   0.0
    10. 209.85.242.187                           100.0     7    0.0   0.0   0.0   0.0   0.0
    11. ???
    12. ???
    13. ???
    14. bk-in-f94.1e100.net                        0.0%     7   20.0  20.6  20.0  21.2   0.4
    </code>
    So it seems that the firewall on my ASR1001 is throwing away all packets with ttl-exceeded coming back from the hops in between, since they have another source address than the destination I probed.
    At the moment I am inspecting all kinds of traffic outgoing from my network:
    ip access-list extended 101
    permit ip any any
    class-map type inspect match-all cmap1
    match access-group name 101
    policy-map type inspect pmap1
    class type inspect cmap1
    inspect
    etc... (zones, zone-pair in-out with policies applied)
    So I tried to let pass all icmp-traffic from the outside to my network:
    class-map type inspect match-all cmap_icmp
    match protocol icmp
    policy-map type inspect pmap2
    class type inspect cmap_icmp
    pass
    etc... (zones, zone-pair out-in with policies applied)
    This has no effect, but I tested and could figure out that when I pass all icmp traffic from my network to the outside, THEN mtr does work.
    BUT then normal ping does not work anymore, because it will not be inspected any more.
    But I want to have a secure firewall that inspects echo-replies and a working mtr anyway.
    Does anyone have the same problem, or can anyone even solve this issue?
    Thanks in advance,
    Stefan

    Hi Andrew, thanks for your answer...
    So I have now:
    class-map type inspect match-any cmap_icmp
    match access-group name icmp_types
    ip access-list extended icmp_types
    permit icmp any any ttl-exceeded
    PMAP IN--> OUT
    (don't be confused, my "vlanxxx_pmap_in" is the pmap FROM my network TO the outside...)
    policy-map type inspect vlan664_pmap_in
    class type inspect vlan664_cmap_in   (this is an extended ACL "permit ip x.x.x.x any")
      inspect
    class type inspect ipsec_cmap_in (this is because I have problems with VPN when inspected, another problem...)
      pass log
    class class-default
      drop log
    PMAP OUT-->IN
    policy-map type inspect vlan664_pmap_out
    class type inspect cmap_icmp (here comes the "ttl-exceeded"-ACL)
      pass log
    class type inspect vlan664_cmap_out (some open ports for some clients)
      inspect
    class type inspect ipsec_cmap_out (same problem with VPN when inspected)
      pass log
    class class-default
      drop log
    But unfortunately, the same problem occurs. Curiously, the first two packets seem to go "through" the firewall, but with the 3rd packet the packet loss comes up:
                                                    Packets               Pings
    Host                                         Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. Stuttgart-I28-1.belwue.de                 50.0%     3    0.3   0.3   0.3   0.3   0.0
    2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net     50.0%     3    0.9   0.9   0.9   0.9   0.0
    3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     0.0%     2    2.7   2.7   2.7   2.7   0.0
    4. Karlsruhe1-10GE-4-0-0.belwue.net           0.0%     2    1.5   1.5   1.5   1.5   0.0
    5. Mannheim1-10GE-3-0-0.belwue.net            0.0%     2    2.5   2.5   2.5   2.5   0.0
    6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net  0.0%     2    4.1   4.1   4.1   4.1   0.0
    7. de-cix20.net.google.com                    0.0%     2    5.0   5.0   5.0   5.0   0.0
    8. 72.14.238.44                               0.0%     2   39.2  39.2  39.2  39.2   0.0
    9. 72.14.236.68                               0.0%     2    5.4   5.4   5.4   5.4   0.0
    10. 209.85.254.118                             0.0%     2    5.4   5.4   5.4   5.4   0.0
    11. ???
    12. google-public-dns-a.google.com             0.0%     2    5.5   5.3   5.2   5.5   0.2
                                                     Packets               Pings
    Host                                          Loss%   Snt   Last   Avg  Best  Wrst StDev
    1. Stuttgart-I28-1.belwue.de                  66.7%     4    0.3   0.3   0.3   0.3   0.0
    2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net      66.7%     4    0.8   0.8   0.8   0.8   0.0
    3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     66.7%     4    2.1   2.1   2.1   2.1   0.0
    4. Karlsruhe1-10GE-4-0-0.belwue.net           66.7%     4    1.5   1.5   1.5   1.5   0.0
    5. Mannheim1-10GE-3-0-0.belwue.net            66.7%     4    2.6   2.6   2.6   2.6   0.0
    6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net  66.7%     4    4.2   4.2   4.2   4.2   0.0
    7. de-cix20.net.google.com                    66.7%     4    5.3   5.3   5.3   5.3   0.0
    8. 72.14.238.44                               66.7%     4   70.3  70.3  70.3  70.3   0.0
    9. 72.14.239.60                               66.7%     4    5.8   5.8   5.8   5.8   0.0
    10. 209.85.254.116                             66.7%     4    5.8   5.8   5.8   5.8   0.0
    11. ???
    12. google-public-dns-a.google.com              0.0%     4    6.3   5.7   5.2   6.3   0.5
    In the sessions on the routers, I see only this entry:
             Session 206F66C (129.143.6.89:8)=>(8.8.8.8:0) icmp SIS_OPEN
    Any other suggestions?
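    The reason a separate "pass" class for ttl-exceeded appears in the out->in policy at all is worth seeing in code. A stateful inspector records an outbound echo request as a session keyed on source, destination and echo identifier (the "(129.143.6.89:8)=>(8.8.8.8:0) icmp" entry above is such a session). An echo reply reverses the addresses and keeps the identifier, so it matches. A Time Exceeded message, however, arrives from the intermediate hop's own address, so its outer header never matches the session; the only link is the original datagram embedded in the ICMP error body (RFC 792: IP header plus the first 8 bytes of the payload, which is where the echo identifier lives). The following is an added Python illustration of both lookups, not code from this thread or from Cisco IOS; the hop address 10.0.0.1, the echo identifier and the packet bytes are constructed. Whether a particular inspector does the embedded-header lookup is product-specific and is not established by the thread.

```python
"""Stateful ICMP matching for traceroute: outer-header lookup vs embedded-header lookup.

Added illustration, not code from the thread or from Cisco IOS. FIRST_HOP and
ECHO_ID are constructed; INSIDE_HOST and TARGET are the addresses shown in the
session entry above.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

INSIDE_HOST = "129.143.6.89"   # source in the session entry shown above
TARGET = "8.8.8.8"
FIRST_HOP = "10.0.0.1"         # constructed: the hop that expires TTL=1
ECHO_ID = 0x1234               # constructed echo identifier


def ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, proto=ICMP, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def icmp_echo(kind: int, ident: int, seq: int) -> bytes:
    """Echo request/reply header: type, code, checksum(0), identifier, sequence."""
    return struct.pack("!BBHHH", kind, 0, 0, ident, seq)


def icmp_time_exceeded(expired: bytes) -> bytes:
    """Type 11 / code 0: 4 unused bytes, then the expired datagram's IP header plus
    the first 8 bytes of its payload (RFC 792), which carry the echo identifier."""
    ihl = (expired[0] & 0x0F) * 4
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + expired[:ihl + 8]


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: Optional[int]        # echo identifier for type 0/8, else None
    inner: Optional["Icmp"]     # embedded original datagram for error messages


def parse(raw: bytes) -> Icmp:
    """Decode IPv4+ICMP; for Time Exceeded also decode the embedded datagram."""
    ihl = (raw[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    icmp = raw[ihl:]
    kind = icmp[0]
    ident = struct.unpack("!H", icmp[4:6])[0] if kind in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST) else None
    inner = parse(icmp[8:]) if kind == ICMP_TIME_EXCEEDED else None
    return Icmp(src, dst, kind, ident, inner)


class Inspector:
    """Toy stateful ICMP inspector. match_embedded=False keys return traffic on the
    outer header only; True also consults the datagram embedded in ICMP errors."""

    def __init__(self, match_embedded: bool) -> None:
        self.match_embedded = match_embedded
        self.sessions: set = set()

    def outbound(self, raw: bytes) -> None:
        p = parse(raw)
        if p.type == ICMP_ECHO_REQUEST:
            self.sessions.add((p.src, p.dst, p.ident))   # (129.143.6.89, 8.8.8.8, id)

    def inbound(self, raw: bytes) -> str:
        """Which class an out->in packet lands in: return traffic, or class-default (drop)."""
        p = parse(raw)
        if p.type == ICMP_ECHO_REPLY and (p.dst, p.src, p.ident) in self.sessions:
            return "return-traffic"
        if p.type == ICMP_TIME_EXCEEDED and self.match_embedded and p.inner is not None:
            if (p.inner.src, p.inner.dst, p.inner.ident) in self.sessions:
                return "return-traffic"
        return "class-default"   # the 'drop log' class in the out->in policy


def traceroute_verdicts(match_embedded: bool) -> dict:
    """One traceroute probe (TTL=1) plus the two replies it can provoke."""
    fw = Inspector(match_embedded)
    probe = ipv4(INSIDE_HOST, TARGET, icmp_echo(ICMP_ECHO_REQUEST, ECHO_ID, 1), ttl=1)
    fw.outbound(probe)
    ttl_exceeded = ipv4(FIRST_HOP, INSIDE_HOST, icmp_time_exceeded(probe))
    reply = ipv4(TARGET, INSIDE_HOST, icmp_echo(ICMP_ECHO_REPLY, ECHO_ID, 1))
    return {"ttl-exceeded": fw.inbound(ttl_exceeded), "echo-reply": fw.inbound(reply)}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"embedded-header lookup={mode}: {traceroute_verdicts(mode)}")
```

    With the outer-header-only lookup the echo reply is return traffic but the Time Exceeded falls to class-default, which is exactly the case an explicit "pass" for ttl-exceeded covers; with the embedded-header lookup both are treated as return traffic and no separate class is needed.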

  • Problem with zone alarm.

    Hi everyone, this is the first time I have a Toshiba laptop, and I had a problem after installing Zone Alarm PRO edition. The module is just not starting; the icon appears but nothing else happens. I already tried an older version and cleaning the system with Tune Up. I was checking in some forums and found some information that Zone Alarm is not compatible with some Toshiba Satellite models (mine is L305-SP6912R).
    Can someone please help me find what the problem is, because I really need to use Zone Alarm on my laptop.
    Thanks, and sorry for my bad English.

    I'd say you're in the wrong forum. Try the Zone Alarm folks.
       ZoneAlarm User Forum
    Good luck!
    (Be sure to come back here with Toshiba problems.)
    -Jerry
