ACE Policy is not working

Hi,
I have an ACE 4710 in context mode. I am redirecting Internet browsing (port 80) to two proxy servers (transparent proxy), and I am also using this ACE box to load-balance multiple other servers.
I have multiple policies applied on my LAN interface (VLAN 300), where all the users and servers are connected.
Now I am facing a problem with one application (PLATTS), which is an oil-company-related application. This application works fine when directly connected to the Internet (external Internet connection) or when an explicit proxy is set in the user's browser.
But with the transparent proxy this application does not work, and my company policy only allows the transparent proxy, not an explicit proxy.
Now if I remove the service-policy input PM_MAIN_BCPROXY from my interface vlan 300, my application starts working, but then I can't redirect the port 80 traffic to my proxy servers, which is also my requirement.
interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  no normalization
  mac-address autogenerate
  no icmp-guard
  access-group input acl-in
  nat-pool 5 172.23.16.5 172.23.16.5 netmask 255.255.255.255 pat
  nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
  nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
  nat-pool 1 172.23.16.2 172.23.16.2 netmask 255.255.255.255 pat
  service-policy input PM_BYPASS_PLATTS
  service-policy input PM_ENOC_Servers
  service-policy input PM_RT_FAX
  service-policy input PM_ITSM_Web_Server
  service-policy input PM_ITSM_MAPP_Server
  service-policy input PM_BYPASS_FOR_LAN_HTTP
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
=============================================================================================
This application uses multiple destinations for connectivity, and I have even tried bypassing the destination IP addresses by making a bypass policy, but still no luck.
I want this application to work as well as the redirection of port 80. I even tried re-ordering the policy sequence, but no luck. Can you please help me work out how to get this application working together with the redirection of port 80 for the Internet?
I have attached the full configuration as well.
I will be very thankful if someone can help me with this.

Hi,
This application has no VIP and serverfarm.
My traffic is passing through the ACE, and when the traffic passes through the ACE, the policy for redirection of port 80 is dropping it. If I remove the last service policy on the interface, this application starts working.

Similar Messages

  • Fault policy does not work when throwing remoteFault in bpel

    Hi
    I have a BPEL process in which I throw a remoteFault.
    In the fault-policy there is a condition for this fault
    <faultName xmlns:bpelx="http://schemas.oracle.com/bpel/extension"
    name="bpelx:remoteFault">
    <condition>
    <action ref="ora-java"/>
    </condition>
    </faultName>
    But the fault-policy does not work if I throw this remoteFault in the BPEL. But when I invoke another service (which is shut down), then I get a remoteFault, and for this remoteFault the fault-policy works well.
    Any idea why the fault-policy does not work when I throw the remoteFault?
    Regards

    BPEL fault works only on invocation failures.
    Fault management will work based on the remote fault from the remote service, you cannot throw remote fault from bpel and capture that in fault management and process.
    The following are the actions that we can take on faults.
    1. Human Intervention
    2. Rethrow [rethrowFault]
    3. Termination [abort]
    4. Replay Fault [replayScope]
    5. Custom Java Action [javaAction]
    6. Retry [retry]
    Hope this helps !!!
    Thanks,
    Vijay

  • ACE SSL terminate not working ... please help

    Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK. When I go to https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
    The configuration:
    ace-demo/Admin# sh run
    Generating configuration....
    boot system image:c4710ace-mz.A3_2_4.bin
    boot system image:c4710ace-mz.A3_2_1.bin
    login timeout 0
    hostname ace-demo
    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 1
      no shutdown
    interface port-channel 1
      switchport trunk allowed vlan 400-401,450
      no shutdown
    crypto csr-params testparams
      country PE
      state Lima
      locality Lima
      organization-name TI
      organization-unit TI
      common-name www.yyy.com
      serial-number 1000
    access-list anyone line 8 extended permit ip any any
    access-list anyone line 16 extended permit icmp any any
    parameter-map type ssl sslparams
      cipher RSA_WITH_RC4_128_MD5
      version SSL3
    rserver host rsrv1
      ip address 10.1.40.2
      inservice
    rserver host rsrv2
      ip address 10.1.40.3
      inservice
    serverfarm host farm-demo
      rserver rsrv1
        inservice
      rserver rsrv2
        inservice
    serverfarm host site-A
      rserver rsrv1
        inservice
    serverfarm host site-B
      rserver rsrv2
        inservice
    ssl-proxy service testssl
      key testkey.key
      cert testcert.pem
      ssl advanced-options sslparams
    class-map type management match-any MGMT
      2 match protocol icmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol snmp any
      6 match protocol telnet any
      7 match protocol ssh any
    class-map match-any VIP
      6 match virtual-address 10.1.41.10 any
    class-map type generic match-any WAN-site-A
      2 match source-address 192.168.10.106 255.255.255.255
      3 match source-address 192.168.10.125 255.255.255.255
    class-map type generic match-any WAN-site-B
      2 match source-address 192.168.10.96 255.255.255.255
      3 match source-address 192.168.10.93 255.255.255.255
    class-map type management match-any icmp
      2 match protocol icmp any
    class-map match-any vip-ssl-10.1.41.20
      2 match virtual-address 10.1.41.20 tcp eq https
    policy-map type management first-match ICMP
      class icmp
        permit
    policy-map type management first-match MGMT
      class MGMT
        permit
    policy-map type loadbalance first-match vip-ssl-10.1.41.20
      class class-default
        serverfarm farm-demo
    policy-map type loadbalance generic first-match lb-server
      class WAN-site-A
        serverfarm site-A
      class WAN-site-B
        serverfarm site-B
      class class-default
        serverfarm farm-demo
    policy-map multi-match client-side
      class VIP
        loadbalance vip inservice
        loadbalance policy lb-server
    policy-map multi-match lb-vip
      class vip-ssl-10.1.41.20
        loadbalance vip inservice
        loadbalance policy vip-ssl-10.1.41.20
        loadbalance vip icmp-reply
        ssl-proxy server testssl
    interface vlan 400
      description side-server
      ip address 10.1.40.1 255.255.255.0
      access-group input anyone
      service-policy input ICMP
      no shutdown
    interface vlan 401
      description side-client
      ip address 10.1.41.1 255.255.255.0
      access-group input anyone
      access-group output anyone
      service-policy input ICMP
      service-policy input client-side
      service-policy input lb-vip
      no shutdown
    interface vlan 450
      description mgmt
      ip address 10.1.45.1 255.255.255.0
      access-group input anyone
      service-policy input MGMT
      no shutdown
    ip route 192.168.10.0 255.255.255.0 10.1.45.10
    And the proof:
    ace-demo/Admin# sh serverfarm farm-demo
    serverfarm     : farm-demo, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: rsrv1
           10.1.40.2:0           8      OPERATIONAL  0          25         19
       rserver: rsrv2
           10.1.40.3:0           8      OPERATIONAL  0          23         18
    ace-demo/Admin# sh crypto files
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    admin                                    887   PEM     Yes         KEY
    testcert.pem                             709   PEM     Yes        CERT
    testkey.key                              497   PEM     Yes         KEY
    ace-demo/Admin#
    ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
    Status     : ACTIVE
    Interface: vlan 1 401
      service-policy: lb-vip
        class: vip-ssl-10.1.41.20
          ssl-proxy server: testssl
          loadbalance:
            L7 loadbalance policy: vip-ssl-10.1.41.20
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 38       
            dropped conns    : 18       
            client pkt count : 159       , client byte count: 12576              
            server pkt count : 16        , server byte count: 640                
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                  
            bytes_out : 0                  
            Compression ratio : 0.00%
    At another time:
    ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
    Status     : ACTIVE
    Interface: vlan 1 401
      service-policy: lb-vip
        class: vip-ssl-10.1.41.20
          ssl-proxy server: testssl
          loadbalance:
            L7 loadbalance policy: vip-ssl-10.1.41.20
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 170      
            dropped conns    : 89       
            client pkt count : 703       , client byte count: 60089              
            server pkt count : 85        , server byte count: 3400               
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                  
            bytes_out : 0                  
            Compression ratio : 0.00%
    ace-demo/Admin#
    ace-demo/Admin# sh stats crypto server
    +----------------------------------------------+
    +---- Crypto server termination statistics ----+
    +----------------------------------------------+
    SSLv3 negotiated protocol:                       43
    TLSv1 negotiated protocol:                        0
    SSLv3 full handshakes:                           37
    SSLv3 resumed handshakes:                         0
    SSLv3 rehandshakes:                               0
    TLSv1 full handshakes:                            0
    TLSv1 resumed handshakes:                         0
    TLSv1 rehandshakes:                               0
    SSLv3 handshake failures:                         6
    SSLv3 failures during data phase:                 0
    TLSv1 handshake failures:                         0
    TLSv1 failures during data phase:                 0
    Handshake Timeouts:                               0
    total transactions:                               0
    SSLv3 active connections:                         0
    SSLv3 connections in handshake phase:             0
    SSLv3 conns in renegotiation phase:               0
    SSLv3 connections in data phase:                  0
    TLSv1 active connections:                         0
    TLSv1 connections in handshake phase:             0
    TLSv1 conns in renegotiation phase:               0
    TLSv1 connections in data phase:                  0
    +----------------------------------------------+
    +------- Crypto server alert statistics -------+
    +----------------------------------------------+
    SSL alert CLOSE_NOTIFY rcvd:                      0
    SSL alert UNEXPECTED_MSG rcvd:                    0
    SSL alert BAD_RECORD_MAC rcvd:                    0
    SSL alert DECRYPTION_FAILED rcvd:                 0
    SSL alert RECORD_OVERFLOW rcvd:                   0
    SSL alert DECOMPRESSION_FAILED rcvd:              0
    SSL alert HANDSHAKE_FAILED rcvd:                  0
    SSL alert NO_CERTIFICATE rcvd:                    0
    SSL alert BAD_CERTIFICATE rcvd:                   0
    SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
    SSL alert CERTIFICATE_REVOKED rcvd:               0
    SSL alert CERTIFICATE_EXPIRED rcvd:               0
    SSL alert CERTIFICATE_UNKNOWN rcvd:               6
    SSL alert ILLEGAL_PARAMETER rcvd:                 0
    SSL alert UNKNOWN_CA rcvd:                        0
    SSL alert ACCESS_DENIED rcvd:                     0
    SSL alert DECODE_ERROR rcvd:                      0
    SSL alert DECRYPT_ERROR rcvd:                     0
    SSL alert EXPORT_RESTRICTION rcvd:                0
    SSL alert PROTOCOL_VERSION rcvd:                  0
    SSL alert INSUFFICIENT_SECURITY rcvd:             0
    SSL alert INTERNAL_ERROR rcvd:                    0
    SSL alert USER_CANCELED rcvd:                     0
    SSL alert NO_RENEGOTIATION rcvd:                  0
    SSL alert CLOSE_NOTIFY sent:                      0
    SSL alert UNEXPECTED_MSG sent:                    0
    SSL alert BAD_RECORD_MAC sent:                    0
    SSL alert DECRYPTION_FAILED sent:                 0
    SSL alert RECORD_OVERFLOW sent:                   0
    SSL alert DECOMPRESSION_FAILED sent:              0
    SSL alert HANDSHAKE_FAILED sent:                  0
    SSL alert NO_CERTIFICATE sent:                    0
    SSL alert BAD_CERTIFICATE sent:                   0
    SSL alert UNSUPPORTED_CERTIFICATE sent:           0
    SSL alert CERTIFICATE_REVOKED sent:               0
    SSL alert CERTIFICATE_EXPIRED sent:               0
    SSL alert CERTIFICATE_UNKNOWN sent:               0
    SSL alert ILLEGAL_PARAMETER sent:                 0
    SSL alert UNKNOWN_CA sent:                        0
    SSL alert ACCESS_DENIED sent:                     0
    SSL alert DECODE_ERROR sent:                      0
    SSL alert DECRYPT_ERROR sent:                     0
    SSL alert EXPORT_RESTRICTION sent:                0
    SSL alert PROTOCOL_VERSION sent:                 47
    SSL alert INSUFFICIENT_SECURITY sent:             0
    SSL alert INTERNAL_ERROR sent:                    0
    SSL alert USER_CANCELED sent:                     0
    SSL alert NO_RENEGOTIATION sent:                  0
    +-----------------------------------------------+
    +--- Crypto server authentication statistics ---+
    +-----------------------------------------------+
    Total SSL client authentications:                 0
    Failed SSL client authentications:                0
    SSL client authentication cache hits:             0
    SSL static CRL lookups:                           0
    SSL best effort CRL lookups:                      0
    SSL CRL lookup cache hits:                        0
    SSL revoked certificates:                         0
    Total SSL server authentications:                 0
    Failed SSL server authentications:                0
    +-----------------------------------------------+
    +------- Crypto server cipher statistics -------+
    +-----------------------------------------------+
    Cipher sslv3_rsa_rc4_128_md5:                    43
    Cipher sslv3_rsa_rc4_128_sha:                     0
    Cipher sslv3_rsa_des_cbc_sha:                     0
    Cipher sslv3_rsa_3des_ede_cbc_sha:                0
    Cipher sslv3_rsa_exp_rc4_40_md5:                  0
    Cipher sslv3_rsa_exp_des40_cbc_sha:               0
    Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
    Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
    Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
    Cipher sslv3_rsa_aes_128_cbc_sha:                 0
    Cipher sslv3_rsa_aes_256_cbc_sha:                 0
    Cipher tlsv1_rsa_rc4_128_md5:                     0
    Cipher tlsv1_rsa_rc4_128_sha:                     0
    Cipher tlsv1_rsa_des_cbc_sha:                     0
    Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
    Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
    Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
    Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
    Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
    Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
    Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
    Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
    ace-demo/Admin# crypto verify testkey.key testcert.pem
    Keypair in testkey.key matches certificate in testcert.pem.
    ace-demo/Admin#
    ace-demo/Admin#  sh conn
    total current connections : 0
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+

    Hello Alvaro,
    The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
    Remove the rservers from the SF "farm-demo" and then configure them back like this:
    serverfarm host farm-demo
      rserver rsrv1 80
        inservice
      rserver rsrv2 80
        inservice
    That should do the trick =)
    HTH
    Pablo
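
An added example, not part of either post and not Cisco tooling: a Python script that reads the counters posted in the question and shows that they point at the backend leg rather than the TLS handshake, which is consistent with the missing clear-text port in Pablo's answer. The function names are hypothetical, and the bytes-per-packet reading assumes the ACE counter includes IP and TCP headers.

```python
import re

# Excerpts of the `sh service-policy` and `sh stats crypto server` output
# posted in the question above (first capture), trimmed to the counters used.
SERVICE_POLICY = """\
curr conns       : 0         , hit count        : 38
dropped conns    : 18
client pkt count : 159       , client byte count: 12576
server pkt count : 16        , server byte count: 640
"""

CRYPTO_STATS = """\
SSLv3 negotiated protocol:                       43
TLSv1 negotiated protocol:                        0
SSLv3 full handshakes:                           37
SSLv3 handshake failures:                         6
SSL alert CERTIFICATE_UNKNOWN rcvd:               6
SSL alert PROTOCOL_VERSION sent:                 47
Cipher sslv3_rsa_rc4_128_md5:                    43
Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
"""

# SSLv3 (RFC 7568) and RC4 (RFC 7465) are deprecated; MD5, single DES and
# export-grade suites are likewise treated as weak here.
WEAK = re.compile(r"sslv3|rc4|md5|_des_|des40|exp")


def parse_counters(text):
    """Return {name: int} for every 'name : number' pair (two per line allowed)."""
    counters = {}
    for line in text.splitlines():
        for part in line.split(","):
            name, sep, value = part.rpartition(":")
            if sep and value.strip().isdigit():
                counters[name.strip()] = int(value.strip())
    return counters


def diagnose(policy, crypto):
    """Summarise where connections fail: handshake, client trust, or backend leg."""
    findings = {}
    hits = policy.get("hit count", 0)
    if hits:
        findings["drop_ratio"] = round(policy.get("dropped conns", 0) / hits, 2)
    server_pkts = policy.get("server pkt count", 0)
    if server_pkts:
        # Assumption: the byte counter includes IP and TCP headers, so an
        # average of 40 bytes means the servers sent header-only packets.
        findings["server_bytes_per_pkt"] = (
            policy.get("server byte count", 0) / server_pkts
        )
    findings["handshakes_completed"] = (
        crypto.get("SSLv3 full handshakes", 0)
        + crypto.get("TLSv1 full handshakes", 0)
    )
    # Alert received from the browser: it did not trust the test certificate.
    findings["cert_unknown_from_client"] = crypto.get(
        "SSL alert CERTIFICATE_UNKNOWN rcvd", 0
    )
    findings["protocol_version_alerts_sent"] = crypto.get(
        "SSL alert PROTOCOL_VERSION sent", 0
    )
    findings["weak_ciphers_in_use"] = sorted(
        name[len("Cipher "):]
        for name, count in crypto.items()
        if name.startswith("Cipher ") and count > 0 and WEAK.search(name.lower())
    )
    return findings


if __name__ == "__main__":
    result = diagnose(parse_counters(SERVICE_POLICY), parse_counters(CRYPTO_STATS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Handshakes complete while almost half of the hits are dropped and the servers return header-only packets, so the failure sits after SSL termination; the same run also shows every negotiated session using SSLv3 with RC4-MD5, the only suite the posted `parameter-map type ssl sslparams` allows.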

  • ACE bridge mode not working

    Folks,
    I am trying to configure ACE in transparent mode and it is not working. I can browse to the servers directly, but when I try to hit the VIP, I do not get any web pages. All keepalives are up and everything is inservice.
    hostname abc
    boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
    access-list ANY line 8 extended permit ip any any
    rserver host rs1
    ip address 1.1.1.1
    inservice
    rserver host rs2
    ip address 1.1.1.2
    inservice
    serverfarm host SF1
    rserver rs1
    inservice
    rserver rs2
    inservice
    class-map type management match-any REMOTE_ACCESS
    10 match protocol telnet any
    20 match protocol ssh any
    30 match protocol icmp any
    class-map match-all VIP
    2 match virtual-address 1.1.1.3 any
    class-map type http loadbalance match-any src1
    2 match source-address 0.0.0.0 0.0.0.0
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    policy-map type loadbalance first-match R-Policy
    class class-defaut
    serverfarm SF1
    policy-map multi-match R-LB
    class VIP
    loadbalance vip inservice
    loadbalance policy R-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    interface vlan 3
    bridge-group 1
    access-group input ANY
    access-group output ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
    interface vlan 4
    bridge-group 1
    access-group input ANY
    access-group output ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    service-policy input R-LB
    no shutdown
    interface bvi 1
    ip address 1.1.1.4 255.255.255.0
    no shutdown
    ip route 0.0.0.0 0.0.0.0 1.1.1.5

    I made some progress, but it is still not working.
    When the default gateway of the server behind the ACE module is set to the firewall, I can telnet to the VIP at port 80, but I still do not see the page when I open the browser and point it to the VIP. Here are the outputs.
    hostname RBharti
    boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
    access-list ANY line 8 extended permit ip any any
    rserver host rs1
    ip address 1.1.1.1
    inservice
    rserver host rs2
    ip address 1.1.1.3
    inservice
    serverfarm host SF1
    rserver rs1
    inservice
    rserver rs2
    inservice
    class-map type management match-any REMOTE_ACCESS
    10 match protocol telnet any
    20 match protocol ssh any
    30 match protocol icmp any
    class-map match-all VIP
    2 match virtual-address 1.1.1.5 any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    policy-map type loadbalance first-match R-Policy
    class class-default
    serverfarm SF1
    policy-map multi-match R-LB
    class VIP
    loadbalance vip inservice
    loadbalance policy R-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    interface vlan 3
    bridge-group 1
    access-group input ANY
    access-group output ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    service-policy input R-LB
    no shutdown
    interface vlan 4
    bridge-group 1
    access-group input ANY
    access-group output ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
    interface bvi 1
    ip address 1.1.1.4 255.255.255.0
    no shutdown
    ip route 0.0.0.0 0.0.0.0 202.137.232.193
    Ri/Admin# sh service-policy
    Policy-map : R-LB
    Status : ACTIVE
    Interface: vlan 3
    service-policy: R-LB
    class: VIP
    loadbalance:
    L7 loadbalance policy: Rediff-Policy
    VIP Route Metric : 77
    VIP Route Advertise : DISABLED
    VIP ICMP Reply : ENABLED-WHEN-ACTIVE
    VIP State: INSERVICE
    curr conns : 0 , hit count : 54
    dropped conns : 54
    client pkt count : 81 , client byte count: 3888
    server pkt count : 0 , server byte count: 0

  • VPD context_sensitive policy does not work as expected

    Hi,
    I'm trying to implement CONTEXT_SENSITIVE RLS policies:
    http://docs.oracle.com/database/121/ARPLS/d_rls.htm#ARPLS67721
    Server re-evaluates the policy function at statement execution time if it detects context changes since the last use of the cursor. For session pooling where multiple clients share a database session, the middle tier must reset context during client switches. Note that the server does not cache the value returned by the function for this policy type; it always executes the policy function on statement parsing. Applies to only one object.
    What I have discovered so far:
    1. The policy function is executed each time the query is executed from SQL*Plus, independently of context changes.
    2. The policy function is executed only once when the query is executed from PL/SQL.
    3. When we have a PL/SQL procedure like this:
    begin
    <query>
    <change context>
    <query>
    end;
    and, additionally, the query (cursor) is not present in the PL/SQL cursor cache, then
    the policy function is executed only once, when the first query is executed.
    So wrong results are possible when the application context changes in such a way that the predicate returned by the policy function also changes.
    4. JDBC: the policy function is executed each time the query is executed. The policy function is executed only once when I enable statement caching:
    OracleDataSource ods =  new OracleDataSource();
    // skip
    ods.setConnectionCachingEnabled( true );
    ods.setImplicitCachingEnabled( true );
    Properties cacheProps = new Properties();
    cacheProps.put( "InitialLimit", "1" );
    cacheProps.put( "MinLimit", "1" );
    cacheProps.put( "MaxLimit", "5" );
    cacheProps.put( "MaxStatementsLimit", "50" );
    ods.setConnectionCacheProperties( cacheProps );
    5. Queries with RLS policies are not cached in the session cursor cache. For example, if we execute the same query multiple times in SQL*Plus, the query will not be cached.
    Items 2 and 3 (PL/SQL) relate to the PL/SQL cursor cache.
    As a result, when we disable the PL/SQL cursor cache (setting session_cached_cursors=0), the policy function is executed each time in PL/SQL.
    What I have observed does not agree with the documentation on context_sensitive policies (I provided a link above):
    Server re-evaluates the policy function at statement execution time if it detects context changes since the last use of the cursor.
    Signature of DBMS_RLS.ADD_POLICY procedure was changed in 12c with additional arguments: NAMESPACE, ATTRIBUTE.
    I tried to use them with no luck, results are the same.
    In my opinion the statements below contradict each other:
    1. Server re-evaluates the policy function at statement execution time if it detects context changes since the last use of the cursor.
    2. it always executes the policy function on statement parsing.
    First, documentation says that the policy function evaluates at statement execution time.
    Second, documentation says that the policy function executes on statement parsing.
    I have used Oracle Database 12.1.0.2 for testing.
    I provided a script that I have used in my tests:
    rls_policy.txt - creates test schema and policy
    rls_sqlplus.txt - runs simple select against query with RLS policy
    rls_plsql.txt - more complex example, runs some anonymous blocks with queries against table with RLS policy.
    In my opinion, context_sensitive policies do not work as described in the documentation.
    Is it a bug or am I missing something?
    Please advise.
    Best regards,
    Mikhail.

    Thanks Scott. May I know why I should never use user policies for denying access?
    From my reading of some articles, there is no way to deny users permission in SharePoint after granting domain users read access other than the web application user policy in our case (for certain reasons, we need this group to be granted read access, but we would like to restrict a small number of users from seeing the page).

  • Retry in Fault Policy is not Working..

    Hi,
    - I have created a sync BPEL process and am invoking JDE BSSV in it.
    - I want to retry invoking BSSV in case of remote and binding faults.
    - I am using a Fault Policy to achieve this, but RETRY is not working.
    I am using the Fault Binding / Fault Policy below for this.
    ........................Fault BINDING.........................................
    <?xml version="1.0" encoding="UTF-8" ?>
    <faultPolicyBindings version="3.0"
    xmlns="http://schemas.oracle.com/bpel/faultpolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <composite faultPolicy="BPELFaults"/>
    </faultPolicyBindings>
    .......................Fault Policy...............................................
    <?xml version="1.0" encoding="UTF-8" ?>
    <faultPolicies xmlns="http://schemas.oracle.com/bpel/faultpolicy">
    <faultPolicy version="3.0" id="BPELFaults"
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.oracle.com/bpel/faultpolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Conditions>
    <faultName>
    <condition>
    <action ref="ora-retry"/>
    </condition>
    </faultName>
    </Conditions>
    <Actions>
    <Action id="ora-retry">
    <retry>
    <retryCount>3</retryCount>
    <retryInterval>10</retryInterval>
    <retryFailureAction ref="ora-rethrow-fault"/>
    <exponentialBackoff/>
    </retry>
    </Action>
    <Action id="ora-rethrow-fault">
         <rethrowFault/>
    </Action>
    </Actions>
    </faultPolicy>
    </faultPolicies>
    I tried using "humanIntervention" instead of Retry and it worked,
    but Retry doesn't work.
    I have been stuck on this error for 2 days but am unable to get it working :(
    I would appreciate it if someone could provide a solution for this.
    Thanks in advance :)

    Hi Vijay,
    Thanks for your response.
    Please find below the path for the policy files, the fault policy content and the exception:
    Path for the policy files
    <service name="XXXXXXXImpl"
    ui:wsdlLocation="XXXXXXXXProcess.wsdl">
    <interface.wsdl interface="http://xmlns.oracle.com/XXXXXXXXXToJDEE1App/XXXXXXXXXImpl/XXXXXXXXXProcess#wsdl.interface(CustomerSearchPIPS0238Process)"/>
    <binding.ws port="http://xmlns.oracle.com/XXXXXXXXXXToJDEE1App/XXXXXXXXXXImpl/XXXXXXXXProcess#wsdl.endpoint(XXXXXXXXImpl/XXXXXXXProcess_pt)">
    <property name="weblogic.wsee.wsat.transaction.flowOption"
    type="xs:string" many="false">NEVER</property>
    </binding.ws>
    </service>
    <property name="oracle.composite.faultPolicyFile">fault-policies.xml</property>
    <property name="oracle.composite.faultBindingFile">fault-bindings.xml</property>
    <component name="XXXXXXXXXProcess" version="1.1">
    <implementation.bpel src="XXXXXXXXProcess.bpel"/>
    <property name="bpel.config.transaction" type="xs:string" many="false">required</property>
    </component>
    fault-policy.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <faultPolicies xmlns="http://schemas.oracle.com/bpel/faultpolicy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <faultPolicy version="3.0" id="CustomerSearchPIPPolicy"
    xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.oracle.com/bpel/faultpolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <Conditions>
         <faultName xmlns:bpelx="http://schemas.oracle.com/bpel/extension" name="bpelx:remoteFault">
         <condition>
              <action ref="ora-action-retry"/>
         </condition>
         </faultName>
         </Conditions>
         <Actions>
    <Action id="ora-action-retry">
    <retry>
    <retryCount>3</retryCount>
    <retryInterval>10</retryInterval>
    <retryFailureAction ref="ora-rethrow-fault"/>
    <exponentialBackoff/>
    </retry>
    </Action>
         <Action id="ora-rethrow-fault">
         <rethrowFault/>
         </Action>
    <Action id="ora-human-intervention">
         <humanIntervention/>
         </Action>
         <Action id="ora-terminate">
         <abort/>
         </Action>
         </Actions>
    </faultPolicy>
    </faultPolicies>
    Fault-binding.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <faultPolicyBindings version="3.0"
    xmlns="http://schemas.oracle.com/bpel/faultpolicy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!--composite faultPolicy="CustomerSearchPIPPolicy"/-->
    <component faultPolicy="CustomerSearchPIPPolicy">
    <name>XXXXXXXXXXProcess</name>
    </component>
    </faultPolicyBindings>
    Exception
    Message     javax.xml.rpc.soap.SOAPFaultException: Waiting for response has timed out. The conversation id is null. Please check the process instance for detail.
    Supplemental Detail     at oracle.integration.platform.blocks.soap.WebServiceEntryBindingComponent.generateSoapFaultException(WebServiceEntryBindingComponent.java:1193)
    at oracle.integration.platform.blocks.soap.WebServiceEntryBindingComponent.processIncomingMessage(WebServiceEntryBindingComponent.java:971)
    at oracle.integration.platform.blocks.soap.FabricProvider.processMessage(FabricProvider.java:113)
    at oracle.j2ee.ws.server.provider.ProviderProcessor.doEndpointProcessing(ProviderProcessor.java:1187)
    at oracle.j2ee.ws.server.WebServiceProcessor.invokeEndpointImplementation(WebServiceProcessor.java:1112)
    at oracle.j2ee.ws.server.provider.ProviderProcessor.doRequestProcessing(ProviderProcessor.java:581)
    at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:233)
    at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:194)
    at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:485)
    at oracle.integration.platform.blocks.soap.FabricProviderServlet.doPost(FabricProviderServlet.java:528)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
    at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
    at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
    at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Please suggest what else I can do. This is happening only in the case of retryAction. Apart from this everything is working, but as per the requirement I have to use the retry action.

  • Simple ws-policy demo not working

    Hi Gurus,
    It's been quite a while, and I still could not work it out. I guess your help would be the last chance to stop it from driving me crazy~
    The goal is to implement a simple ws-security enabled webservice demo using only a username/password token as the policy. The username/password are the ones listed in "myrealm" (might have SQL Authentication provider as well), and X509 is not the thing to be considered in this simple test.
    Env:
    WebLogic Server Version: 10.3.0.0
    JVM: Sun one installed with weblogic
    WebLogic Eclipse plugin: 1.0.0.2008.0808135653
    Windows XP sp3
    After reading that much docs, it came to below procedure and code:
    1. Eclipse -> new Dynamic web project "WSTest3"
    2. create file: example.ws.HelloW1.java
    package example.ws;
    import javax.jws.WebService;
    import weblogic.jws.Policy;
    import weblogic.jws.Policies;
    @WebService(serviceName="HelloW1")
    @Policies( { @Policy(uri = "policy:usernametoken.xml") } )
    public class HelloW1 {
         public String sayHi(String hi){
              System.out.println("Already here: " + hi);
              return "Welcome, you said: " + hi;
         }
    }
    3. add "weblogic.jar" to build path
    4. create WEB-INF/policies/usernametoken.xml
    <?xml version="1.0"?>
    <wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512"
    >
    <sp:SupportingTokens>
    <wsp:Policy>
    <sp:UsernameToken
    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
    <sp:WssUsernameToken10/>
    </wsp:Policy>
    </sp:UsernameToken>
    </wsp:Policy>
    </sp:SupportingTokens>
    </wsp:Policy>
    5. Publish the project WSTest3 to weblogic server
    6. Test the webservice within the weblogic admin console, get the below response, which is expected since there is no input for user/pass in the simple test web page:
    ~~~~~~~~~~~~~~~~~~~
    <faultcode>wsse:InvalidSecurity</faultcode>
    <faultstring>Error on verifying message against security policy Error code:1000</faultstring>
    ~~~~~~~~~~~~~~~~~~~
    7. create the WSTest3Client project
    8. new "web service client"
    9. input the WSDL "http://127.0.0.1:7001/WSTest3/HelloW1?WSDL" and have the webservice related stub files created.
    10. create java file: example.ws.client.Main.java
    package example.ws.client;
    import java.rmi.RemoteException;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    import java.security.cert.X509Certificate;
    import javax.xml.rpc.ServiceException;
    import org.apache.axis.client.Stub;
    import example.ws.HelloW1_PortType;
    import example.ws.HelloW1_Service;
    import example.ws.HelloW1_ServiceLocator;
    import weblogic.jws.jaxws.ClientPolicyFeature;
    import weblogic.jws.jaxws.policy.InputStreamPolicySource;
    import weblogic.security.SSL.TrustManager;
    import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
    import weblogic.xml.crypto.wss.WSSecurityContext;
    import weblogic.xml.crypto.wss.provider.CredentialProvider;
    public class Main {
         public static void main(String[] args)
         throws ServiceException, RemoteException{
              String username = "weblogic";
              String password = "weblogic";
              // Credential provider that supplies the username/password token
              CredentialProvider cp = new ClientUNTCredentialProvider(username.getBytes(), password.getBytes());
              List credProviders = new ArrayList();
              credProviders.add(cp);
              HelloW1_Service service = new HelloW1_ServiceLocator();
              HelloW1_PortType port = service.getHelloW1Port();
              Stub stub = (Stub)port;
              stub._setProperty(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
              //Map rc = ((BindingProvider)port).getRequestContext();
              //rc.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
              System.out.println(port.sayHi("nihao"));
         }
    }
    11. add weblogic.jar to build path and let it go.
    The expected output string was not coming, but still the exception there:
    ~~~~~~~~~~~~~~~
    Exception in thread "main" AxisFault
    faultCode: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}InvalidSecurity
    faultSubcode:
    faultString: Error on verifying message against security policy Error code:1000
    faultActor:
    faultNode:
    faultDetail:
         {http://xml.apache.org/axis/}stackTrace:Error on verifying message against security policy Error code:1000
         at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222)
         at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129)
    {WITH MANY OTHER LINES BELOW}
    ~~~~~~~~~~~~~~~~~~
    I tried to use the below code suggested in reference link (2)
    Map rc = ((BindingProvider)port).getRequestContext();
    rc.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
    to replace stub._setProperty, but I was told I cannot make the CAST from stub to BindingProvider; seems it's something in Jdeveloper11, not for my env.
    If I comment "@Policies( { @Policy(uri = "policy:usernametoken.xml") } ) " off and republish the webservice, the test runs fine, but definitely there is no authentication, which is not what I want.
    reference link (1): http://e-docs.bea.com/wls/docs103/webserv_sec/message.html
    reference link (2): http://kingsfleet.blogspot.com/2008/12/simple-custom-policy-example-using-jax.html
    I am grateful to have your input, thanks in advance and wish you a good day!
    Regards,

    Hi, it comes to episode2.
    Now the WS client's very smoothly working in my Jdev10.1.3, the code is very alike, but it uses
    stub._setProperty(Stub.USERNAME_PROPERTY, "weblogic");
    stub._setProperty(Stub.PASSWORD_PROPERTY, "weblogic");
    // This source file is generated by Oracle tools and is subject to change
    // It is a utility client for invoking the operations of the Web service port.
    // For reporting problems, use the following
    // Version = Oracle WebServices (10.1.3.1.1, build 070111.22769)
    package proj2.proxy;
    import oracle.webservices.transport.ClientTransport;
    import oracle.webservices.OracleStub;
    import javax.xml.rpc.ServiceFactory;
    import javax.xml.rpc.Stub;
    public class HelloW1PortClient {
        private proj2.proxy.HelloW1_PortType _port;
        public HelloW1PortClient() throws Exception {
            ServiceFactory factory = ServiceFactory.newInstance();
            _port = ((proj2.proxy.HelloW1_Service)factory.loadService(proj2.proxy.HelloW1_Service.class)).getHelloW1Port();
        }
        /**
         * @param args
         */
        public static void main(String[] args) {
            try {
                proj2.proxy.HelloW1PortClient myPort = new proj2.proxy.HelloW1PortClient();
                System.out.println("calling " + myPort.getEndpoint());
                // Add your own code here
                myPort.setUsername("weblogic");
                myPort.setPassword("weblogic");
                System.out.println( myPort.sayHi("Hello") );
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
        /**
         * delegate all operations to the underlying implementation class.
         */
        public String sayHi(String arg0) throws java.rmi.RemoteException {
            return _port.sayHi(arg0);
        }
        /**
         * used to access the JAX-RPC level APIs
         * returns the interface of the port instance
         */
        public proj2.proxy.HelloW1_PortType getPort() {
            return _port;
        }
        public String getEndpoint() {
            return (String) ((Stub) _port)._getProperty(Stub.ENDPOINT_ADDRESS_PROPERTY);
        }
        public void setEndpoint(String endpoint) {
            ((Stub) _port)._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY, endpoint);
        }
        public String getPassword() {
            return (String) ((Stub) _port)._getProperty(Stub.PASSWORD_PROPERTY);
        }
        public void setPassword(String password) {
            ((Stub) _port)._setProperty(Stub.PASSWORD_PROPERTY, password);
        }
        public String getUsername() {
            return (String) ((Stub) _port)._getProperty(Stub.USERNAME_PROPERTY);
        }
        public void setUsername(String username) {
            ((Stub) _port)._setProperty(Stub.USERNAME_PROPERTY, username);
        }
        public void setMaintainSession(boolean maintainSession) {
            ((Stub) _port)._setProperty(Stub.SESSION_MAINTAIN_PROPERTY, Boolean.valueOf(maintainSession));
        }
        public boolean getMaintainSession() {
            return ((Boolean) ((Stub) _port)._getProperty(Stub.SESSION_MAINTAIN_PROPERTY)).booleanValue();
        }
        /**
         * returns the transport context
         */
        public ClientTransport getClientTransport() {
            return ((OracleStub) _port).getClientTransport();
        }
    }
    The weird thing is when I moved
    stub._setProperty(Stub.USERNAME_PROPERTY, "weblogic");
    stub._setProperty(Stub.PASSWORD_PROPERTY, "weblogic");
    into Eclipse, it still complains with the same error: "Error on verifying message against security policy Error code:1000", meanwhile the server outputs:
    <WSEE:18>Trying to validate identity assertion token http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken<SecurityMessageInspector.inspectIdentity:629>
    Thanks,
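
A diagnostic for the thread above, as an added example that is not part of the original posts: the usernametoken.xml policy from step 4 asks for a WS-Security UsernameToken inside the SOAP header, so this checker reports what a captured request is missing. The function name, the sample envelopes (constructed, with a placeholder password) and the choice to require a Password element are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.1 envelope and the WSS 1.0 "secext" schema named in the fault code.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
}


def username_token_problems(envelope_xml):
    """Return the reasons a request cannot satisfy a UsernameToken policy.

    An empty list means the header carries a usable token; it says nothing
    about whether the server will accept the credentials themselves.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    if header is None:
        return ["no soap:Header element"]
    security = header.find("wsse:Security", NS)
    if security is None:
        return ["soap:Header has no wsse:Security block"]
    token = security.find("wsse:UsernameToken", NS)
    if token is None:
        return ["wsse:Security has no wsse:UsernameToken"]

    problems = []
    if not token.findtext("wsse:Username", default="", namespaces=NS).strip():
        problems.append("wsse:Username is missing or empty")
    # Assumption: the realm authenticates with a password, so require one.
    if token.find("wsse:Password", NS) is None:
        problems.append("wsse:Password is missing")
    return problems


# Constructed sample: a request whose credentials never reached the SOAP header.
NO_SECURITY_HEADER = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><sayHi><arg0>nihao</arg0></sayHi></soap:Body>"
    "</soap:Envelope>"
)

# Constructed sample: the same request with a WSS 1.0 UsernameToken.
WITH_TOKEN = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsse="' + NS["wsse"] + '">'
    "<soap:Header><wsse:Security><wsse:UsernameToken>"
    "<wsse:Username>weblogic</wsse:Username>"
    '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'
    'oasis-200401-wss-username-token-profile-1.0#PasswordText">'
    "EXAMPLE-PASSWORD</wsse:Password>"
    "</wsse:UsernameToken></wsse:Security></soap:Header>"
    "<soap:Body><sayHi><arg0>nihao</arg0></sayHi></soap:Body>"
    "</soap:Envelope>"
)

if __name__ == "__main__":
    for name, xml_text in (("no header", NO_SECURITY_HEADER), ("with token", WITH_TOKEN)):
        print(name, "->", username_token_problems(xml_text) or "token present")
```

Feed it the request body captured from the client (for example from a TCP monitor between client and server) to see whether the token was sent at all before looking at server-side authentication.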

  • Fault policy is not working in BPEL Process

    Hi All,
    I am handling a fault (remoteFault) thrown by a Throw activity in a BPEL process using fault policies. For this I have created two XML files called fault-policies.xml and fault-bindings.xml and kept them in the same directory as the composite.xml file. But the policies are not getting applied. Is any configuration or setting required for this? I have followed the same syntax as given in the SOA developer guide, which is available in JDeveloper Help.
    Thanks & Regards
    Yogendra Rishishwar

    Hi ,
    I am sending the code for both files.
    These files are available in the same directory in which composite.xml is present. I am throwing the fault using a Throw activity. It is also not working in the case of web service invocation. I would like to know whether any configuration or setting is required in any other file in addition to fault-policies.xml and fault-bindings.xml.
    Thanks & Regards
    Yogendra Rishishwar
    <?xml version="1.0" encoding="UTF-8" ?>
    <faultPolicies xmlns="http://schemas.oracle.com/bpel/faultpolicy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <faultPolicy version="0.0.1" id="FusionMidFaults" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.oracle.com/bpel/faultpolicy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Conditions>
          <faultName xmlns:bpelx="http://schemas.oracle.com/bpel/extension" name="bpelx:remoteFault">
            <condition>
              <!-- <test>$fault.code="WSDLReadingError"</test> -->
              <action ref="ora-terminate" />
            </condition>
          </faultName>
          <faultName xmlns:bpelx="http://schemas.oracle.com/bpel/extension" name="bpelx:FaultVar">
            <condition>
              <!-- <test>$fault.code="WSDLReadingError"</test> -->
              <action ref="ora-terminate" />
            </condition>
          </faultName>
        </Conditions>
        <Actions>
          <!-- Generics -->
          <Action id="ora-terminate">
            <humanIntervention />
          </Action>
        </Actions>
      </faultPolicy>
    </faultPolicies>
    2.
    <?xml version="1.0" encoding="UTF-8" ?>
    <faultPolicyBindings version="0.0.1" xmlns="http://schemas.oracle.com/bpel/faultpolicy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <composite faultPolicy="FusionMidFaults" />
    </faultPolicyBindings>

  • ACE 4710 is not working

    Hi. I'm working on the Cisco ACE 4710 to be able to load balance web traffic between several web servers. But despite following the steps mentioned in the Cisco configuration guide (especially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not manage to make it. We tested both the "bridged scenario" and the "routed scenario" but neither of them is working. Specifically, "configuring NAT" in the above link is very confusing and is not clear, because it's not the same as Cisco IOS, which we used to implement it that way.
    Routed Scenario:
    ==========================================
    probe http Http_Probe
      description Server Healty Check
      port 80
      request method head url /index.htm
    probe icmp ICMP_Check
      interval 10
      passdetect interval 5
    rserver host NetCad_Server_1
      ip address 172.16.1.100
      probe ICMP_Check
      inservice
    rserver host NetCad_Server_2
      ip address 172.16.1.101
      probe ICMP_Check
      inservice
    rserver host NetCad_Server_3
      ip address 172.16.1.102
      probe ICMP_Check
      inservice
    serverfarm host NetCad_Servers
      probe Http_Probe
      rserver NetCad_Server_1 80
        inservice
      rserver NetCad_Server_2 80
        inservice
      rserver NetCad_Server_3 80
        inservice
    sticky http-cookie Cookie1 1
      serverfarm NetCad_Servers
    class-map match-all VS_NetCad
      2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
    policy-map type management first-match mgmt-pm
      class class-default
        permit
    policy-map type loadbalance first-match VS_NetCad-l7slb
      class class-default
        serverfarm NetCad_Servers
    policy-map multi-match int40
      class VS_NetCad
        loadbalance vip inservice
        loadbalance policy VS_NetCad-l7slb
        loadbalance vip icmp-reply
    interface vlan 40
      description Client Side
      ip address 192.168.13.161 255.255.252.0
      ip options allow
      no normalization
      no icmp-guard
      access-group input Permit_ALL
      service-policy input mgmt-pm
      service-policy input int40
      no shutdown
    interface vlan 41
      description Server Side
      ip address 172.16.1.1 255.255.255.0
      ip options allow
      no normalization
      no icmp-guard
      access-group input Permit_ALL
      nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
      service-policy input mgmt-pm
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.12.1
    ==========================================

    Hi,
    Let me explain.
    Assume the client IP is 1.1.1.1, the VIP is 2.2.2.2 and the real server is 3.3.3.3.
    Consider the simple situation where the client needs to access an application hosted on 3.3.3.3. The client sends a request, which comes to the VIP:
    src 1.1.1.1 -----> dst 2.2.2.2
    ACE, after matching conditions and taking the LB decision, decides to send it to real server 3.3.3.3. It performs destination NAT and forwards the client request to 3.3.3.3. So the above packet's L3 header will now look like:
    src 1.1.1.1 -----> dst 3.3.3.3
    When the reply comes from the server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forward the request to client 1.1.1.1. SIMPLE LB.
    Now comes a situation where, let's say, you want to hide the client IP from the server, or the server's default GW is not ACE, or the client and server are in the same subnet but need to communicate through the VIP on ACE, etc.
    src 1.1.1.1 -----> dst 2.2.2.2
    After LB, ACE decides to send it to 3.3.3.3, but the policy multi-match also has a NAT rule (nat dynamic 1 vlan x). But the packet would be forwarded from the server VLAN, where you have the NAT pool defined. So let's say the pool IP is 3.3.3.4. ACE will perform both destination and source NAT here before forwarding the packet to the server, and the packet's L3 header will look like:
    src 3.3.3.4 -----> dst 3.3.3.3
    Now when 3.3.3.3 has to send the packet back, ACE will answer ARP for 3.3.3.3 and hence the packet will come back to ACE, which will again change the L3 header IPs and send it out the client VLAN towards the client.
    So NAT is always applied to the server-side VLAN, and that's why the pool is chosen from the server-side subnet.
    Let me know if you have any questions.
    Regards,
    Kanwal
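
The two translations described in the reply above, as an added example that is not part of the original post and is not ACE code: a toy connection table that applies destination NAT alone or destination plus source NAT (PAT), and then checks whether the reply the client receives matches the connection it opened. The addresses are the ones used in the reply; the port numbers, class and function names, and the `server_gateway_is_lb` switch (which goes slightly beyond the post to show the case where the server's default gateway is not the load balancer) are assumptions.

```python
from dataclasses import dataclass
from itertools import count

# Addresses from the reply above; port numbers below are constructed.
CLIENT, VIP, REAL, POOL = "1.1.1.1", "2.2.2.2", "3.3.3.3", "3.3.3.4"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet the receiver sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class LoadBalancer:
    """Toy model of the translations; one table entry per server-side flow."""

    def __init__(self, vip, real, nat_pool=None):
        self.vip, self.real, self.nat_pool = vip, real, nat_pool
        self.conns = {}                 # expected server reply -> original client packet
        self._pat_ports = count(1024)   # PAT: every flow gets its own pool port

    def client_to_server(self, pkt):
        if pkt.dst != self.vip:
            raise ValueError("packet is not addressed to the VIP")
        if self.nat_pool:               # destination NAT + source NAT
            out = Packet(self.nat_pool, next(self._pat_ports), self.real, pkt.dport)
        else:                           # destination NAT only
            out = Packet(pkt.src, pkt.sport, self.real, pkt.dport)
        self.conns[out.reply()] = pkt
        return out

    def server_to_client(self, pkt):
        original = self.conns.get(pkt)
        if original is None:
            return None                 # no connection entry, nothing to translate
        return original.reply()         # source is the VIP again, destination the client

    def owns(self, address):
        return address in (self.vip, self.nat_pool)


def round_trip(lb, client_pkt, server_gateway_is_lb):
    """Return (packet seen by server, packet delivered to client, client accepts it)."""
    to_server = lb.client_to_server(client_pkt)
    reply = to_server.reply()
    # The reply reaches the load balancer if it is addressed to an address the
    # load balancer owns (the NAT pool) or if the server routes through it.
    via_lb = lb.owns(reply.dst) or server_gateway_is_lb
    delivered = lb.server_to_client(reply) if via_lb else reply
    accepted = delivered == client_pkt.reply()
    return to_server, delivered, accepted


if __name__ == "__main__":
    request = Packet(CLIENT, 40000, VIP, 80)
    cases = (
        ("DNAT only, server gateway is the LB", None, True),
        ("DNAT only, server gateway elsewhere", None, False),
        ("DNAT + SNAT, server gateway elsewhere", POOL, False),
    )
    for label, pool, gw in cases:
        seen, back, ok = round_trip(LoadBalancer(VIP, REAL, pool), request, gw)
        print(f"{label}: server sees {seen.src}, client gets src {back.src}, accepted={ok}")
```

The middle case is the failure to look for in a capture: the client receives a reply sourced from the real server instead of the VIP and discards it.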

  • Service policy counters not working..

    I have a service policy on a 6509 interface so I can see what the packets per second of a video stream coming out of a DVR (digital video recorder) is. This DVR has 16 security cameras attached and I'm concerned that when someone views all 16 cameras the video stream is going to be huge.
    So I create a service policy to match an access list for all IP from the DVR. But no counters increment unless I add in some other match statement. I added in a match protocol telnet and the service policy counters started to work. I removed the match on telnet and the counters stopped. Telnet has nothing to do with the DVR. Here is the config of the class map, policy map and show commands: (By the way, video is streaming through this interface continually during this exercise)
    MATCHING ACCESS LIST ONLY:
    class-map match-any DVR
    match access-group 130
    policy-map DVR-test
    class DVR
    ROC-6509-DU-A#sh access-list 130
    Extended IP access list 130
    10 permit ip host 164.72.2.125 any
    ROC-6509-DU-A#sh policy-map int
    GigabitEthernet2/5
    Service-policy output: DVR-test
    Class-map: DVR (match-any)
    0 packets, 0 bytes
    30 second offered rate 0 bps
    Match: access-group 130
    0 packets, 0 bytes
    30 second rate 0 bps
    Class-map: class-default (match-any)
    0 packets, 0 bytes
    30 second offered rate 0 bps, drop rate 0 bps
    Match: any
    ADDING IN TELNET:
    class-map match-any DVR
    match access-group 130
    match protocol telnet
    policy-map DVR-test
    class DVR
    ROC-6509-DU-A#sh policy-map int
    GigabitEthernet2/5
    Service-policy output: DVR-test
    Class-map: DVR (match-any)
    524025 packets, 70724866 bytes
    30 second offered rate 3991000 bps
    Match: access-group 130
    523896 packets, 70689220 bytes
    30 second rate 3991000 bps
    Match: protocol telnet
    129 packets, 35646 bytes
    30 second rate 0 bps
    Class-map: class-default (match-any)
    18696 packets, 11180265 bytes
    30 second offered rate 129000 bps, drop rate 0 bps
    Match: any
    If I remove the 'match protocol telnet' and clear the counters, no longer do the counters for the access-list 130 increment - put back in match telnet and they start to increment.
    This is a Sup720 with IOS 12.2(18)SXE3
    Is this a bug or do I not have my class map or policy map correct?

    The hardware ASICs do not support collecting the individual policer information.
    Try:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550scg/swqos.htm#xtocid1990743

  • New Folder Redirection Group Policy is not working

    Recently installed a new server on an older network:
    Old network server: SBS 2003
    New network server: Server 2012 STD
    The network is working well and all computers are able to communicate with each other. I have already mapped a few network drives to folders that are located on the server. The owner wants to implement the same Folder Redirection of their Documents folder (Mixture of WIN7 PCs and WINXP) that their old server provided. I used the following Document to create the Folder Redirection:
    http://technet.microsoft.com/en-us/library/jj649078.aspx
    I then went to each computer and performed a gpupdate /force on each computer, then logged off the profile. When I logged off, the sync window (folder redirection?) popped up and still showed that it was trying to transfer/sync with the old server that is no longer on the network. I also logged into the server and the shared folder that I selected for Folder Redirection does not have any data in it.
    Is there something else that I am missing? Is there some sort of configuration on the clients themselves that I need to look for, such as some Target Path?
    I can provide more information upon request.

    Hi,
    Based on your description, have we redirected the folders back before we removed the older server?
    Besides, were there some error events in the Event Viewer?
    To configure folder redirection, we need to assign users proper share and NTFS permissions.
    Regarding this point, the following article can be referred to as reference.
    Security Recommendations for Folder Redirection
    http://technet.microsoft.com/library/cc736916.aspx
    Besides, regarding how to configure folder redirection, the following article can also be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    In addition, for folder redirection to work, we need to log off clients twice, or we can enable the following policy.
    Computer Configuration > Policies > Administrative Templates > System/Logon > Always wait for the network at computer startup and logon
    Hope it helps.
    Best regards,
    Frank Shen

  • Deployment of software through Group policy does not work

    Hi all,
    I am trying to deploy a program through Group policy, specifically winrar, any client computer is able to install the program. Please find below the events from the workstation:
    Log Name:      Application
    Source:        Microsoft-Windows-WMI
    Date:          4/27/2014 10:06:01 PM
    Event ID:      10
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      IRCLIENT0001.corp.healthcareinnovation.com
    Description:
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          4/27/2014 10:04:49 PM
    Event ID:      1085
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          SYSTEM
    Computer:      IRCLIENT0001.corp.healthcareinnovation.com
    Description:
    Windows failed to apply the Software Installation settings. Software Installation settings might have its own log file. Please click on the "More information" link.
    Log Name:      System
    Source:        Application Management Group Policy
    Date:          4/27/2014 10:04:49 PM
    Event ID:      108
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      IRCLIENT0001.corp.healthcareinnovation.com
    Description:
    Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %%1612
    Log Name:      System
    Source:        Application Management Group Policy
    Date:          4/27/2014 10:04:48 PM
    Event ID:      102
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      IRCLIENT0001.corp.healthcareinnovation.com
    Description:
    The install of application WinRAR from policy Basic Computers GPO failed.  The error was : %%1612
    I am using windows server 2008 R2 and all my clients are running Windows 7 Enterprise and they are working over a domain, note that I am using VMware.
    Below is a list of the troubleshooting steps that have already been applied:
    *Disable the firewall both on the server and on the clients
    *Grant read access to the folder where the the program is shared for installation, it was added the authenticated users and domain computers.
    *Group policy modifications: 
    -> User Account Control
    Policy Setting Winning GPO 
    - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting Basic Computers GPO 
    - User Account Control: Detect application installations and prompt for elevation Disabled Basic Computers GPO 
    - User Account Control: Only elevate UIAccess applications that are installed in secure locations Disabled Basic Computers GPO 
    - User Account Control: Run all administrators in Admin Approval Mode Disabled Basic Computers GPO 
    --> System/Group Policy
    Policy Setting Winning GPO 
    - Startup policy processing wait time Enabled Basic Computers GPO 
    Amount of time to wait (in seconds): 120 
    --> System/Logon
    Policy Setting Winning GPO 
    - Always wait for the network at computer startup and logon Enabled Basic Computers GPO 
    Thank you very much for your time.

    Hi Marco,
    Based on your description, we can enable diagnostic logging of Group Policy Software Installation processing to troubleshoot the issue.
    Regarding this point, the following article can be referred to for more information.
    How to troubleshoot software installations by using Windows application management debug logging
    http://support.microsoft.com/kb/249621
    Once you get the log, you may upload it to OneDrive and provide us the download link.
    In addition, the following article provides a step-to-step guidance for deploying software via group policy and can be referred to for double check.
    How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
    http://support.microsoft.com/kb/816102
    Best regards,
    Frank Shen

  • Power settings on XP Policy Preferences not working

    I have been trying to change the power settings on XP laptops but have not had any success so far. Has anyone got this working? I have tried creating, updating and replacing the power scheme but the power options I have specified do not get applied to the laptops. I have installed client side extensions on our XP SP 3 laptops and have managed to create a folder on all laptops using the preferences settings. However when it comes to the power options it does nothing and it does not even report any errors in the application logs that might help me diagnose what the problem could be. I have ensured all the settings in the preference settings are enabled (pressing F5 enables all the settings and puts a green underline under each setting).
    Can anyone help with this? Any suggestions would be appreciated, thanks.

    Hi,
    Did you configure the Power Options settings under User Configuration or Computer Configuration? If it’s Computer Configuration, please try to restart the client and test, also try to configure under User Configuration and vice versa.
    Test on more than one client and update device drivers to make sure it’s not caused by a driver.
    If the issue persists, let’s try the steps below for troubleshooting. On DC, create or edit a GPO for XP clients.
    1.    Create or edit a GPO for client machine and enable the following settings. Navigate to
    [Computer Configuration/ Policies / Administrative Templates / System / Group Policy]
    If you configured Drive Map settings in user GPP, double-click [Drive Maps Policy Processing] and set the properties to enable:
    -"Allow processing across a slow network connection"
    -"process even if the Group Policy objects have not changed"
    Change Background priority to Normal.
    2.    Disable Fast Logon.
    Navigate to:  [Computer Configuration/ Policies / Administrative Templates / System /Logon]
    Enable "Always wait for the network at computer startup and logon".
    3.    Open the GPO, navigate to:
    [Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and Tracing]
    a.    Double-click Power options Processing Properties, click Enable, change Tracing to On. Click OK.
    b.    Test on clients, find "%SYSTEMDRIVE%\Documents and Settings\All Users\Application Data\GroupPolicy\Preference\Trace\user.log" and send to [email protected] for research.
    Thanks.
    This posting is provided "AS IS" with no warranties, and confers no rights.

  • Cisco ACE SSL Offloading not working

    Dear All,
    I have configured SSL offloading on ACE. When I tried to test it from the PC I found that:
    1. When I try to test the SSL offloading by (https://192.168.69.110) I can reach the main page on WEB1 but I can't open any virtual directory or any link inside this server (ex: https://192.168.69.110/web).
    Thanks,
    Bader

    Hello Mohammed,
    The behavior which you are getting is totally expected since you are NOT matching the url.
    Why don't you try this?
    (config-cmap-http-lb)# class-map type http loadbalance match-all MATCH-URL
    (config-cmap-http-lb)# match http url /.*
    class-map type http loadbalance match-all MATCH-URL
      2 match http url /.*
    Also you can try this one instead of the one above, since this one will be more specific:
    class-map type http loadbalance match-all MATCH-URL
      2 match http url /web.*
    policy-map type loadbalance first-match WEB-SERVERS-LB
      class MATCH-URL
        sticky-serverfarm Sticky-WEB-SERVERS
      class class-default
        sticky-serverfarm Sticky-WEB-SERVERS
    Please mark it, if it fixes your issue.
    Jorge

  • Outlook 2013 - wrap text group policy applied, not working with or without digital signature

    Hello,
    I'm adding group policies to apply on our new installations of Windows 8.1 with Office 2013. One of the settings being applied is enforcing plain text emails and wrapping text at a certain number of characters. Policies are being added using the Outlook 2013 admx.
    When I check the options inside Outlook 2013 the group policy did apply successfully (File, Options, Mail, scroll down to Message Format) The option to "Automatically wrap text at character:" is set to 132 and not adjustable as it should be.
    In the group policy I have it set to wrap at 132 characters, but when I go to a client machine and send a digitally signed email, it wraps at the default 76 characters. This makes for very annoying short blocky emails and multi-line hyperlinks.
    If I do not digitally sign the email then the text doesn't wrap at all! (until it meets the end of the window). So under no circumstances is it wrapping at 132 where it's supposed to.
    Thanks,
    -Nick 

    Hi,
    What is your account type in Outlook? Exchange or others?
    Please also let me know the email format that you are sending, Plain Text, HTML or Rich Text Format.
    You can try sending the same emails in Outlook Safe Mode:
    Press Win + R and type “outlook.exe /safe” in the blank box, then press Enter.
    If there’s no problem in Safe Mode, disable the suspicious add-ins to verify which add-ins caused this issue.
    Thanks,
    Melon Chen
    Forum Support
