ACE server initiating traffic issue

Similar Messages

• RSA SecureID ACE/Server 6.1.2 integration issue with IDM2005Q4M3

  I tried the SecureID adapter with the following steps:
  1.setup the idm gateway on SecureID Server
  2.copy SecureID's apidemon.exe to gateway.exe folder
  3.add the administrator on secureid server and use it on idm resource adapter
  4.run gateway.exe -d -fsso.log -l6
  5.configure the SecureID adapter resource and test configuration is ok
  6.add a rsa_test user on IDM, then assign the SecureID resource to the user
  before step 6 every thing is fine, but the step 6 cause the IDM hangup, nothing response from gateway.
  while I assign the user with SecureID resource in IDM, the gateway trace log print the trace log below and then hanged up:
  01/09/2008 17.44.55.234000 [2464] (../../../../src/wps/agent/securid/SecurIdExtension.cpp,1439): Enter: login
  01/09/2008 17.44.55.234000 [2464] (../../../../src/wps/agent/connect/RAEncryptor.cpp,69): RAEncryptor::Decrypt3DES: input length (8) moded to 1
  my environment:
  idm 2005Q4M3 on linux
  gateway: Sun Java System Identity Manager 6.0 SP1 HF82 on windows 2003 sp1
  RSA SecureID ACE/Server: 6.1.2 on windows 2003 sp1
  Any help on RSA SecureID ACE/Server 6.1.2 integration with IDM2005Q4M3 is greatly appreciated.
  Or anybody can send me some more docs on the integration process and the check point?
  My email: [email protected]
  Please help!
  Edited by: Brave on Jan 9, 2008 4:36 AM

  Found the solution. Problem was the acecInt.dll in the System32 folder was mismatching with the one in the RSA install folder. I copied the dll from the RSA install folder to the System32 and it started to work fine.
  The error i was getting was "Get file operation with no or unknown handle aborted".

• Not able to run a reconciliation from IDM on a the securID/ACE server UNIX

  I have configured a securID/ACE adapter in IDM 7.1 so that it can provision updates of user accounts. RSA 6.1.2 server is running on Linux RHEL 2.6.9. I am able to connect to RSA form IDM, but when I run a reconciliation I get the following error,
  Error iterating accounts for resource RES-User-RSA-Projects:
  com.waveset.util.WavesetException: Trouble constructing User 'null'
  Below is the stack trace that I extracted from IDM (debug): The stack below tells me that IDM is not able to establish a connection to the RSA server. I have made sure that the login account that I am using in the RSA adapter parameters belongs to the same group that owns /opt/ace/utils/tcl/bin/tcl-sd.
  Is there anything else I need to do? Has anybody out there faced a similar issue and found a resolution?
  SecurIdUnixResourceAdapter#getFeatures() Entryno args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void
  SecurIdUnixResourceAdapter#getLoginScript() Entry no args
  SecurIdUnixResourceAdapter#getTclshPath() Entry no args
  SecurIdUnixResourceAdapter#getTclshPath() Exit returned= /opt/ace/utils/tcl/bin/tcl-sd
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 24
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 2
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
  SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 6
  SecurIdUnixResourceAdapter#getUserExtensionMapNames() Entry no args
  SecurIdUnixResourceAdapter#getUserExtensionMapNames() Exit void
  SecurIdUnixResourceAdapter#getLoginScript() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorscript() Entry no args
  SecurIdUnixResourceAdapter#procSetup() Entry no args
  SecurIdUnixResourceAdapter#procSetup() Exit void
  SecurIdUnixResourceAdapter#procTearDown() Entry no args
  SecurIdUnixResourceAdapter#procTearDown() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorscript() Exit void
  SecurIdUnixResourceAdapter#getAccountIteratorResult() Entry no args
  SecurIdUnixResourceAdapter#getAccountIteratorResult() Exit void
  SecurIdUnixResourceAdapter#constructUser() Entry no args
  SecurIdUnixResourceAdapter#constructUser() Info Database connection is not established!
  SecurIdUnixResourceAdapter#getFeatures() Entry no args
  SecurIdUnixResourceAdapter#getFeatures() Exit void

  Anybody out there who has configured SUN IDM to provision into RSA SecureID Ace/Server UNIX? Any help on this is greatly appreciated!

• RSA ACE server SYSLOG collector, Parsing help!

  Hi Board.
  I am in a very big hurry for developing a RSA ACE collector script. The
  already released RSA ACE Collector script is file based and the RSA ACE
  server can dump a CSV log report with an interval of a hour as the
  fastest possible interval. This is not at all satisfying for the
  customer which - due to the latest issue with hacking attacks on EMC's
  network both announced in the press and by letter from EMC and to their
  customers - is not at all acceptable. They need to have logic for
  pattern searches and correlation rules that can respond as close to real
  time as possible.
  We have with success and without any troubles or big efforts installed
  the SNARE agent on the RSA ACE Appliance box. We are receiving the
  events from the RSA server correctly (or we are receiving the events as
  unsupported events because the events is not parsed correctly, but all
  the needed information is there) and I have started development of a new
  Collector script based on the Generic Event Collector (Just
  doubleclicked on New Collector script in the Ant menu).
  So far I have tryed some different approaches. I know that I can totaly
  manipulate with the events received from the Source because I can
  pre-set values via the protoEvt.map file. Even further have I been able
  to set some other values in the Parse function by using the rec2Evt.map
  and then hardcode a value to the desired field by using
  rec.-input_record_field-.
  Therefor I am pretty convinced that I am on the right track.
  Now here is my question:
  Based on this copy-pasted s_RXBufferString value (IP addresses and
  host+domain values changed for protecting the customer):
  Code:
  Mar 26 05:48:12 192.168.1.100 hostname[tab]MSWinEventLog[tab]4[tab]Application[tab]14765[tab]Sat Mar 26 10:48:12 2011[tab]1011[tab]ACESERVER6.1[tab]Unknown User[tab]N/A[tab]Information[tab]hostname[tab]Devices[tab][tab][tab]Passcode accepted (Login:'jodo'; User Name:'Doe, John'; Token:'000123456789'; Group:''; Site:''; Agent Host:'remotehost.domain.com'; Server:'serverhost').[tab]14617
  *NB!* Swap out [tab] with tablulator delimiter!
  I have tryed this approach (this is the entire Parse Functiomn):
  Code:
  var ValueArray = this.s_RXBufferString.split("\\t");
  rec.msg = this.s_RXBufferString;
  var SourceInfo = ValueArray[0];
  rec.sun = ValueArray[1];
  //e.InitServiceName = ValueArray[1];
  //rec.Service = ValueArray[1];
  //e.EventTime = ValueArray[5];
  //rec.EvtTime = ValueArray[5];
  //e.VendorEventCode = ValueArray[6];
  rec.evtCode = ValueArray[6];
  e.DeviceName = ValueArray[7];
  rec.sun = ValueArray[8];
  //e.EffectiveUserID = ValueArray[8];
  //var OSInitUser = ValueArray[8];
  //e.InitHostName = ValueArray[11];
  rec.shd = ValueArray[11];
  //ValueArray[12] = ValueArray[12].ltrim();
  var AppSpecificMessage = '';
  for(var t = 12; t<count(ValueArray); t+1)
  AppSpecificMessage += ValueArray[t];
  //e.InitIP = SourceInfo.match("[0-9]+.[0-9]+.[0-9].[0-9]");
  rec.sip = this.s_RXBufferString.match("\d+\.\d+\.\d+\.\d+");
  var A = AppSpecificMessage.search('\(.+\)');
  //e.EventName = 'Debugging RSA';
  //e.EventName = AppSpecificMessage.substring(0,A-1).ltrim();
  rec.evt = AppSpecificMessage.substring(0,A-1).ltrim();
  AppSpecificMessage = AppSpecificMessage.match('\(.+\)');
  // var B = AppSpecificMessage.search(')');
  //var B = AppSpecificMessage.search(')');
  // var BaseInfo = AppSpecificMessage.substring(A+1,B-1);
  // var BaseTmpArray = BaseInfo.split(';');
  // var BaseArray = new Array();
  /*for(var i = 0; i<count(BaseTmpArray); i+1)
  var str = BaseTmpArray[i].ltrim();
  var TempAr = str.split(':');
  BaseArray.push(TempAr[1].substring(1,-1));
  /*var AgentArr = BaseArray[6].split(".");
  AgentArr.reverse();
  AgentArr.pop();
  AgentArr.reverse();
  e.InitHostDomain = AgentArr.join(".");
  //rec.InitDomain = AgentArr.join(".");
  e.InitHostDomain = "corp.ad.local";
  if (ValueArray[10] == "Information")
  rec.sev = "0";
  //e.Severity = "0";
  else if (ValueArray[10] == "Warning")
  rec.sev = "3";
  //e.Severity = "3";
  else if (ValueArray[10] == "Error")
  rec.sev = "4"
  //e.Severity = "4";
  else
  rec.sev = "1";
  //e.Severity = "1";
  //e.InitUserID = BaseArray[0];
  rec.LoginName = BaseArray[0];
  //e.InitUserName = BaseArray[1];
  rec.UserName = BaseArray[1];
  //e.customerVar35 = BaseArray[2];
  //rec.Token = BaseArray[2];
  //e.customerVar36 = BaseArray[5];
  //rec.Agent = BaseArray[5];
  instance.SEND_EVENT = true;
  // parsing logic goes here
  /*if (1==1) { // set SEND_EVENT to true if your parsing logic worked correctly
  instance.SEND_EVENT = true;
  // If you can't parse...
  //rec.sendUnsupported();
  return true;
  But it just laughs at me and wont work. It states that there is a
  parsing error: match function something with input.
  Can you please help me build a logic that will work as intended? It
  should be clear what information or which piece of the text that I try
  map to which Event fields (look at the outcommented bits right above or
  below the ones that point to a rec.something because there I have tryed
  just map the information directly).
  kkrasmussen
  kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
  View this thread: http://forums.novell.com/showthread.php?t=435715

  > - I'm not sure I understand why you replace the tabs with '|' just to do
  > the split; why can't you just split on tab? You can also investigate our
  > 'safesplit()' method, which understands quoted delimited strings:
  > Novell Login
  > (not sure that's necessary in this case)
  I replaced the tabs with '|' foir easier regex searchess for both
  numbers, alphanummeric and spaces in same match cases - but with the
  opportunity to index better for those searches because I did not need to
  worry about the tabs being recognised as whitespaces anymore.
  The safesplit works fine with '|' but not for this one:
  Code:
  var AppSpecificArray = AppSpecificMessage.safesplit(";");
  It reports that: "Cannot find function safesplit".
  If I change that to:
  Code:
  var AppSpecificArray = AppSpecificMessage.split(/\;/);
  It reports that: "Cannot find function split".
  > - The 'substring()' method is defined as taking two arguments:
  > from Required. The index where to start the extraction. First character
  > is at index 0
  > to Optional. The index where to stop the extraction. If omitted, it
  > extracts the rest of the string
  > Neither of those two arguments will *ever* be negative - they always
  > count from the beginning of the string. What you're really trying to do
  > is to extract the substring from the beginning +1 character, to the end
  > -2 characters, which is not how substring() works. But you *can* do
  > something like:
  > this.evt = Msg.substring(1,Msg.length - 2);
  >
  Aha I see. Thanks for the info. However, I tried the suggested this.evt
  = Msg.substring(1,Msg.length - 2); but it reports: Cannot call method
  "substring" of null. Remember that I have already testet and verified
  that I do have a value in the Msg variable.
  Here is the newest code. Please notice that I have outcommented the
  desired "result" and is just trying to get something from at least the
  part of the string that I want to parse.
  Code:
  this.msg = this.s_raw_message2;
  var TempTxt = this.s_raw_message2.replace(/\t/g,"|");
  var ValueArray = TempTxt.safesplit("|");
  var SourceInfo = ValueArray[0];
  this.evtCode = ValueArray[6];
  this.sip = TempTxt.match(/\d+\.\d+\.\d+\.\d+/);
  e.DeviceName = ValueArray[7];
  //AppSpecificMessage = TempTxt.match(/(?:\().+(?:\))/);
  var Msg = ValueArray[14].match(/(?:\|)[^\|]+(?:\()/);
  this.evt = Msg.substring(1,Msg.length - 2);
  //this.evt = Msg;
  AppSpecificMessage = ValueArray[14].match(/(?:\().+(?:\))/);
  if (ValueArray[10] == "Information")
  this.sev = "0";
  else if (ValueArray[10] == "Warning")
  this.sev = "3";
  else if (ValueArray[10] == "Error")
  this.sev = "4"
  else
  this.sev = "1";
  if(TempTxt.match(/(?:Login:\')\S+(?:')/) != false)
  //var apptemp = AppSpecificMessage.substring(1,AppSpecificMessage. length - 1);
  //var AppSpecificArray = apptemp.safesplit(";");
  var AppSpecificArray = AppSpecificMessage.safesplit(";");
  for(var c = 0; c<count(AppSpecificArray); c + 1)
  var key = AppSpecificArray[c].split(/:/);
  if (key[0] == "(Login")
  if (key[1] == "''")
  this.iuid = ValueArray[8];
  else
  this.iuid = key[1];
  //this.iuid = key[1].substring(1,key[1].length - 1);
  if (key[0] == " User Name")
  if (key[1] == "''")
  this.sun = "System";
  else
  this.sun = key[1];
  //this.sun = key[1].substring(1,key[1].length - 1);
  if (key[0] == " Agent Host")
  if (key[1] == "'')")
  this.shd = "Unknown Host Domain";
  else
  //var TempArr = key[1].substring(1,key[1].length - 1).safesplit(".");
  var TempArr = key[1].plit(/\./);
  TempArr.reverse();
  TempArr.pop();
  TempArr.reverse();
  this.shd = TempArr.join(".");
  if (key[0] == " Token")
  if (key[1] != "''")
  e.CustomerVar35 = key[1];
  //e.CustomerVar35 = key[1].substring(1,key[1].length - 1);
  else
  this.shd = "Unknown Host Domain";
  this.iuid = ValueArray[8];
  this.sun = "System";
  instance.SEND_EVENT = true;
  return true;
  kkrasmussen
  kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
  View this thread: http://forums.novell.com/showthread.php?t=435715

• Indesign Server CC Trial issues

  The installation instructions states
  You need to download Adobe Provisioning Toolkit Enterprise Edition (APTEE) for using the InDesign Server trial
  The download link only refers to CS6, CS5.5 & CS5 not CC
  Since there is no Adobe Provisioning Toolkit Enterprise Edition for CC I decided just to install and run the trial.
  However I got the Adobe InDesign Server is not properly licensed and will now quit message.
  According to the CC Release notes it says:
  InDesign CC Server needs to be activated before it can be used. If the computer is online, activation is done automatically when you install. You need to provide your Adobe ID, and serial number when prompted by the installer. Unless the software is activated, you'll see an error, "Adobe InDesign Server’ is not properly licensed and will now quit."
  My computer was online yet the it seems it didn't perfom the automatic activation as it suggests. When I entered my AdobeID credentials I did not get any errors saying it could not connect online.
  So I had to do something and decided to use the Adobe Provisioning Toolkit Enterprise Edition for CS6.
  This allowed me to get pass the licensing issue.
  The next problem was I was getting DDE Server Window:InDesignServer.exe System Error popup. Telling me The program can't start because svml_dispmd.dll is missing from your computer.
  C:\Program Files\Adobe\Adobe InDesign CC Server x64>indesignserver
  ================================================================================
  .  InDesign CC Server Version 9.0 x64 Evaluation
  .  Copyright 1999-2013 Adobe Systems Incorporated and its licensors.
  .  All rights reserved. See the other legal notices in the ReadMe.
  ================================================================================
  11/28/13 08:08:49 INFO  [server] Initializing
  11/28/13 08:08:49 INFO  [server] Loading the application
  11/28/13 08:08:49 INFO  [server] Scanning for plug-ins
  11/28/13 08:08:49 INFO  [server] Registering 113 plug-ins
  11/28/13 08:08:53 INFO  [server] Completing Object Model
  11/28/13 08:08:53 INFO  [server] Saving Object Model
  11/28/13 08:08:53 INFO  [server] Initializing plug-ins
  11/28/13 08:08:53 INFO  [server] Calling Early Initializers
  11/28/13 08:08:53 INFO  [server] Starting up Service Registry
  11/28/13 08:09:02 INFO  [server] Executing startup services
  11/28/13 08:09:02 INFO  [server] Using configuration configuration_noport
  11/28/13 08:09:02 INFO  [server] Initializing Application
  11/28/13 08:09:02 INFO  [server] Completing Initialization
  11/28/13 08:09:02 INFO  [server] Calling Late Initializers
  11/28/13 08:09:08 INFO  [server] Image previews are off
  11/28/13 08:09:08 INFO  [server] Server Running
  11/28/13 08:09:08 INFO  [javascript] Executing File: C:\Program Files\Adobe\Adobe InDesign CC Server x64\Scripts\startup scripts\ConnectInstancesToESTK.js
  11/28/13 08:09:08 INFO  [javascript] Executing File: C:\Program Files\Adobe\Adobe InDesign CC Server x64\Scripts\converturltohyperlink\startup scripts\ConvertURLToHyperlinkMenuItemLoader.jsx
  11/28/13 08:09:08 INFO  [javascript] Executing File: C:\Program Files\Adobe\Adobe InDesign CC Server x64\Scripts\converturltohyperlink\ConvertURLToHyperlinkMenuItem.jsxbin
  So after browsing the net to see where I can get this missing svml_dispmd.dll I found this post http://software.intel.com/en-us/forums/topic/285859
  and decided to install what it suggested.
  I still got the missing dll error so I copied it from C:\Program Files (x86)\Common Files\Intel\Shared Libraries\redist\intel64\compiler into C:\Program Files\Adobe\Adobe InDesign CC Server x64
  Now it just sits there and hangs at the same spot
  11/28/13 08:09:08 INFO  [javascript] Executing File: C:\Program Files\Adobe\Adobe InDesign CC Server x64\Scripts\converturltohyperlink\ConvertURLToHyperlinkMenuItem.jsxbin
  What the heck is going on here?
  I have installed Indesign Server CC on another machine and although I did not get the missing dll problem it still however hangs at the same spot mentioned above.
  Could someone from Adobe please help. The already I'm losing days with this trial and I will have little days left to test this product.

  I'm having same trial activation difficulties. How have you activated it with APTEE? What leid did you use?
  Thank you.
  UPDATE: Never mind. I found it and activated server by executing:
  "adobe_prtk.exe  --tool=StartTrial --leid=InDesignServer-CS7-Win-GM"

• CSM in Bridge mode and Server initiated connections

  I know one can use Source NAT for server initiated connections back to VIP using CSM in routed mode. How do I achieve the same for bridge mode?
  Thanks in advance,
  Shahid

  Shahid,
  that's a well-known problem for all loadbalancer in the world.
  With a sniffer trace, or just thinking about TCP/IP rules you can figure out why client nat is required.
  If you go from a server to a vip, the CSM will forward the traffic to a random server.
  The CSM forwards the traffic with the source ip unchanged by default.
  The server receiving the traffic will forward the response back to the source that initiated the request.
  If the source is also a server in the same subnet, the response does not need to be sent through a gateway. Since both source and destination are in the same subnet, the traffic is sent based on mac address and it bypasses the CSM which can't perform the nating.
  The source receiving the response from the server directly will just ignore it.
  Using client nat forces the response to go back to the CSM which can perform the nating before sending it to the client.
  This has been discussed tons of times in this forum.
  It's a classic question :-)
  Gilles.

• ACE ; server vlan

  Hi,
  do we always have to layer-3 interface of the server vlan on the ACE so as to setup a load balancing?
  i.e. support i have server 1 (10.10.1.1) and server 10.10.1.2).
  do I always have to define server vlan for these servers (that's default gateway of the server vlan) on the ACE? or I can default it any where on our network (i.e. define it on the switch)?
  if I can define it on any switch than how would ACE send client traffic to these server?
  Thanks in advance...

  Hello Gavin,
  Here you have some links and details of each type of design, you can take a look of that and find out which one matches with your design.
  Routed Mode:
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
  Bridge Mode
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
  One Arm Mode
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
  Hope this helps
  Jorge

• CSM: server-initiated connections

  Hello
  I hope you can help me to figure out this question, I have a CSM module with more than 10 serverfarms, all of them working fine, and all of them are on different vlans. We are using route mode for all of them.
  For example:
  ServerFarm01-> Vlan10
  Client_Side01-> Vlan11
  ServerFarm02-> Vlan20
  Client_Side02-> Vlan21
  ServerFarm03-> Vlan30
  Client_Side03-> Vlan31
  and so on...
  I noticed something, When I generate outbound traffic from a real server, it does not matter it belong to SeverFarm01, 02 or 03; the packet leaves the CSM using alway the vlan31.
  Can you please help to determine what’s going on?
  Actually, we want realservers from ServerFarm01 to sent traffic to internet through the CSM, and those traffic should be seen on vlan11.
  Thankds and Regards
  Edgar

  Hi Edgar,
  Few things to check.
  Check if the servers has two interface. It may be sending traffic through other interface.
  Please go through below configuration guidelines that will help you to associate Particular serverfarm with their respective VLAN.
  Configuring Server-Initiated Connections
  The NAT for the server allows you to support connections initiated by real servers and to provide a default configuration used for servers initiating connections that do not have matching entries in the server NAT configuration. By default, the CSM allows server-originated connections without NAT.
  To configure NAT for the server, perform this task:
  Command
  Purpose
  Step 1
  Router(config)# static [drop | nat
  [ip-address | virtual]]
  Configures the server-originated connections. Options include dropping the connections, configuring them with NAT with a given IP address, or with the virtual IP address that they are associated with1 , 2 .
  Step 2
  Router(config-slb-static)# real ip-address
  [subnet-mask]
  Configures the static NAT submode where the servers will have this NAT option. You cannot use the same real server with multiple NAT configuration options.
  1 Enter the exit command to leave a mode or submode. Enter the end command to return to the menu's top level.
  2 The no form of this command restores the defaults.
  For Example :
    static nat 199.200.9.140  ( IP can be virtual IP as well)
     real 192.168.24.0 255.255.252.0
     real 192.168.20.0 255.255.252.0

• Droid Razr (not maxx) stuck in boot flash droid screen after a server initiated OTA ICS upgrade. How do I recover?.

  I am stuck in the boot flash droid screen after a server initiated OTA ICS upgrade. I have an email from Verizonwireless confirming that the ICS upgrade is complete. But I am not able to use the phone. Any I help appreciated getting back to my phone working. I am not much care about ICS or GB. I am paying over 100 each month and any down time over 2 days is unacceptable.
  In the forum I see lot of people had a problem and since Vierzonwireless or Motorolla has not publicly accepted this as a issue. Also the server push upgrade  was poorly timed, I was away from my home town on a road trip over the mountains and valley  where the 4G network is spotty and the phone battery was draining often while using the GPS navigation.
  Thanks for the forum and appreciate any help to get back to working..

      Sorry the update came at such an inconvenient time Beachcrafter. I hope you were still able to have a good roadtrip. It sounds like the signal flux in the mountains along with a lower battery may have contributed to the update bringing up the boot flash screen you mentioned. The option ejf74 mentioned about how to go into the recovery screen is a great way to restart the Droid. I would recommend starting with the reboot option though. If needed, the wipe data/factory reset option would be able to bring your phone back to how it came out of the box. The wipe data/factory reset option will erase everything on your device memory. You'll get to keep the ICS upgrade that was completed, but you'll need to log back into Gmail and all your other services and apps to start using your device again.

• DNS Server Having Intermittent Issues with Open Directory

  I work for a school and we're undertaking the large task of moving from Xserves running 10.6.8 to Mac Minis running 10.9. I have a lot of experience with OS X Server (I held ACSA up until they ditched it, and ACTC through the current OS) but I've hit a fairly large snag in configuring our DNS server. We currently run DNS via an AD server that is being retired at the end of the summer, so this is the first time our DNS will be Mac-based. That said, our network is ridiculously simple as we are a very small school. For the most part it's a flat network using the same IP range for our wired and wireless internal clients (we do have a vlan for guests but that's through Aerohive). I configured the DNS by hand, recreating the entries in our AD server (there were only about a dozen) and then adding in things that should have been there in the first place (e.g. printers and some other devices with static IPs that I'd like FQDNs for). Everything seemed to be working fine...until trying to log into Open Directory accounts.
  For some background, the DNS server running 10.9 was the first server we upgraded and it was a completely clean install. We run DHCP on another Mac Server currently running 10.6.8 and it does have the proper OD server listed. All DNS entries for the OD server match our current DNS server. The issue is that it's taking some users 5-6 tries to log in with their network accounts. The errors they receive range from the login window shaking to it stating the user cannot log in at this time. This seems to be worse on client machines running 10.9. but it's appearing on machines running 10.6.8-10.9.3.
  In my troubleshooting, I found that if I log in as a local user to one of those machines and do a dig for the OD server the results vary, this is where it gets weird. For example, if I dig ourodserver.ourdomain.org it will sometimes return host not found or it will sometimes resolve. If I ping the same thing it will sometimes work (even after stating it cannot resolve the host) and it will sometimes fail. If I then try a dig for the .local (e.g. ourodserver.local) it also yields the same varied results. However, on every machine that I've tested if I then open a Finder window and navigate to the server via the "Shared" menu and connect I have no trouble connecting and then magically my digs and pings in terminal work. If I revert DNS back to point to our old Windows server the issue goes away. I have meticulously combed through that server many many times now and am not seeing any missed entries. Any idea what could be causing this?

  You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.
  The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

• Cisco Server VCS C220 M3 Server BIOS password issue

  We have a Cisco Server VCS C220 M3 Server BIOS password issue.
  We needed to turn on Bit locker in the Cisco Server VCS C220. To do this we needed to create an administrator password for the BIOS to turn on trusted Platform Module (TPM). After we set up the administrator password and turn on Security for TPM. We were prompted for the administrator password. It would not let us log in with the administrator password that we created for the BIOS. In the next few days we received a BIOS is corrupted screen (BIOS Flash Image Corrupted *****).We follow procedures to recover the BIOS with the USB stick with recovery .cap file in the root folder. We tried reseating the jumper pg. 35 of the Cisco Server VCS C220 M3 Server of the Installation and Service Guide.
  http://www.cisco.com/en/US/docs/unified_computing/ucs/c/hw/C220/install/C220.pdf
  We were able to bring up the server, but we are still not able to get pass the Admin password issue. We tried to clear the CMOS header with Header J37 page 2-18 but we had no success with clearing out the password prompt. Figure 2-6 Service Header Locations shows the J41 BIOS RCVR boot and J37 Clear CMOS.
  Can anyone provide us documentation of where the pins are located on the motherboard to clear the BIOS password? We are looking for more of a detail picture of the pins please. The documentation is only showing a basic diagram of the header locations.

  You need to look at the CUCM logs for further info on what might have happened, and to make sure your servers are fit for the amount of users, devices, etc. you have in your environment.

• How ACE classifies the traffic and send it to appropriate Context

  Hi ,
  Could some one please explain packet clasification in ACE modulue  ,example : let us assume thee are three contexts ( context1 , context 2, context3) in ACE module , how the ACE  classifies the traffic and send to appropriate CONTEXT  if any customer comes and hit the ACE .
  Regards
  Raj

  Hello Raj,
  In addition to what Ajay mentioned, yes each virtual address ( VIP) in combination with the port which you configured( if any) will act as unique identifier for the ACE to handle a specific traffic and finally take the load balance decision it needs or any other action which would be required
  Another thing which you can take into consideration from the routing perspective is that you configure on the Admin Context the specific vlans allocated to each contexts based on your requirements so for example: you may allocate this vlan10 for context 1 then vlan 20 for context 2 or all of the vlans for context 3
  Going back to your original, yes the ACE works this:
  Request ----->VIP--->ACE checks which contexts has the VIP in question---->send request to context--->traffic is load balanced between the servers
  Jorge

• RSA Secure ID ACE/Server and gateway  IDM

  Hi all,
  we are trying to integrate and RSA server with IDM 6.0SP2.
  I do not understand this phrase on resource references doc.
  If SecurID is installed on Windows, the Identity Manager gateway must be running on
  the same system where the RSA ACE/Server is installed.it means that the gateway from RSA server must run on the same server where is running RSA ?
  Someone has integrated the appliance RSA installing on it the gateway ?
  Thanks,
  mazant

  The port should be 9278. Enable the gateway trace and see if it is logging anything to the trace file.

• Dot1x/ACS3.0/RSA ACE server 5.0

  Hi,
  I tried to configure dot1x (cat6500) with ACS 3.0 and RSA ACE server. In the first step when I configured static password in ACS everything was OK, but when I changed to the external user database I got an error: "Auth type not supported by External DB"
  Does anyone know why?
  Thanks,

  The dot1x supplicant on the PC will use Extensible Authentication Protocol (EAP) authentication to send the username/password. This authentication method cannot be used with an external RSA database, RSA has to use PAP authentication which sends the password in the clear (which is OK because it's a one-time password).
  See http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/o.htm#625794 for details on the external DB's and password protocols. Notice how all the one-time password databases can only use PAP.

• Wireless WPA2 + AD + RSA ACE Server possible

  I have a client that wants to use WPA2 authenticated to the Windows Active Directory and also has an RSA ACE Server. The goal os to provide 802.1x security with these 3 devices. I am NOT looking to USE the RSA tokens for this, only the underlying RSA RADIUS service to authenticate clients. Is this possible or do I also need a ACS server?
  The alternative is to use Wireless WPA2 + AD + Windows IAS RADIUS.
  Thanks for any comments,
  Chris Serafin
  Security Engineer
  [email protected]

  Hi Chris,
  I don't think you can use the RSA's radius server without using tokens. If you are looking to authenticate to Active Directory then either use Wireless + IAS + AD or use Wireless + ACS + AD
  There will be no need to bring the RSA into the solution.