ACE session persistence "sticky" TCP port
Hey guys,
I'm trying to work up some configurations on the ACE for performing session persistence "sticky" on the ACE based on source TCP port. All flows are SSL based; therefore, I thought the only option was SSL-ID, but I've been running into quirky behavior due to clients using IE7. Evidently there are several cases where IE7 causes the SSL-ID to be regenerated, causing this weird behavior.
Anybody have example configs of the layer4-payload offset, length, etc. to perform sticky based on TCP source port?
Thanks in advance.
Paul
Since source port is not part of the layer 4 payload you cannot use it for sticky. IE changing ssl id is a known problem (does it every 2 minutes).
So you are left with:
terminating SSL on the ace and using cookie sticky (you can always re-encrypt on back end if security demands it)
or
source IP sticky (practical only if clients are not behind a proxy device)
Similar Messages
-
Xfce 4.6 session binds to tcp port (ICE layer)
As topic.
However, to be more specific: since the new Xfce4, xfce4-session automatically listens on a (random?) port. This is a TCP binding to the ICE layer.
See xfce4-session man page:
--disable-tcp
Disable binding to TCP ports in the ICE layer. This is not possible on every platform. If you
use this option on a platform that does not support it, xfce4-session will print a warning message and ignore the setting.
Thus, by default it's enabled.
netstat -apn
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:45505 0.0.0.0:* LISTEN 5318/xfce4-session
tcp 0 0 :::42892 :::* LISTEN 5318/xfce4-session
Since I'm paranoid this seems to me like a security risk. It is possibly fixable by appending --disable-tcp to the xfce4-session entry in /etc/xdg/xfce4/xinitrc. Or is there a better place?
Is this worth putting in the bug-tracker, is it intended, should Arch by default disable xfce4-session listening to a tcp-port? Or is there a similar entry somewhere already?
In my opinion, it should be disabled by default, since if it is not specifically required, it's just another hole in the system.
-
ACE VIP OK HTTP, NOK other TCP port
Hi,
we are having issues in configuring load balancing for a TCP port. For HTTP it's working without issues and we have the ACE also balancing for other TCP ports.
Here goes the relevant config:
probe http PROBE-HTTP
interval 5
passdetect interval 2
passdetect count 1
request method get url /idc/
expect status 200 200
probe tcp PROBE-TCP
port 4444
interval 5
passdetect interval 10
rserver host PRD1
ip address 10.10.10.1
inservice
rserver host PRD2
ip address 10.10.10.2
inservice
serverfarm host SF-HTTP
probe PROBE-HTTP
rserver PRD1 80
inservice
rserver PRD2 80
inservice
serverfarm host SF-TCP
probe PROBE-TCP
rserver PRD1 4444
inservice
rserver PRD2 4444
inservice
sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
timeout 10
serverfarm SF-HTTP
class-map match-all NAT-VIP-HTTP
2 match virtual-address 10.10.35.1 any
class-map match-all NAT-VIP-TCP
2 match virtual-address 10.10.35.1 tcp eq 4444
policy-map type loadbalance first-match LB-VIP-HTTP
class class-default
sticky-serverfarm SC-IP-PRD-HTTP
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match LB-NAT-VIP-TCP
class class-default
serverfarm SF-TCP
policy-map multi-match POLICY-RSERVER-VIP
class NAT-VIP-TCP
loadbalance vip inservice
loadbalance policy LB-NAT-VIP-TCP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
class NAT-VIP-HTTP
loadbalance vip inservice
loadbalance policy LB-VIP-HTTP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
interface vlan 200
description SERVER-SIDE
ip address 10.10.14.2 255.255.255.0
alias 10.10.14.1 255.255.255.0
peer ip address 10.10.14.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
service-policy input AllowICMP
service-policy input POLICY-RSERVER-VIP
no shutdown
The probes are OK, but nothing seems to get to the VIP:
ACE/CTX# show probe PROBE-TCP
probe : PROBE-TCP
type : TCP
state : ACTIVE
port : 4444 address : 0.0.0.0 addr type : -
interval : 5 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : SF-TCP
real : PRD1[4444]
10.10.10.1 8853 1 8852 SUCCESS
real : PRD2[4444]
10.10.10.2 8853 1 8852 SUCCESS
ACE/CTX# show serverfarm SF-TCP detail
serverfarm : SF-TCP, type: HOST
total rservers : 2
active rservers: 2
description : -
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
PROBE-TCP, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: PRD1
10.10.10.1:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: PRD2
10.10.10.2:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
ACE/CTX# show service-policy POLICY-RSERVER-VIP
Status : ACTIVE
Interface: vlan 1 200
service-policy: POLICY-RSERVER-VIP
class: NAT-VIP-TCP
nat:
nat dynamic 1 vlan 200
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: LB-NAT-VIP-TCP
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
I see a lot of these messages in the logging of the ACE:
show logging | i 4444
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
The client request is going through an ASA; on the ASA side I see that the TCP connection is half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
Thank you.
Best regards
Hi Norberto,
The log messages you are getting are most probably the probe connections and not a failure; looking at them you will see your ACE is establishing a TCP connection on 4444 and then tearing it down with a FIN, which is expected since you are using TCP keepalives.
I would recommend going back and defining the problem exactly: what are you experiencing when you try to telnet on port 4444 toward the VIP from the client?
Running sniffing software on the client and the server and enabling capture on the ACE and ASA will give you an exact idea of what you are experiencing.
Note: The ASA and the ACE have great capture features which will show you exactly the packet flows.
Note: Since you are applying NAT on the client requests, you should see the NATed IP address on the server capture.
Note: With L4 load balancing the ACE is not spoofing the clients' request; it just forwards the SYN, SYN+ACK and ACK between the server and the client.
Let me know if you have any other questions.
Best regards,
Ahmad -
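To make Ahmad's point checkable, here is an added Python example (not from the thread or from Cisco) that parses the 302022/302023 lines above and separates probe connections, which the ACE sources from its own server-side interface address 10.10.14.2 (taken from the posted config), from client connections; the final log line using the nat-pool address 10.10.4.6 is constructed for contrast.

```python
import re

# Values taken from the posted ACE config: the server-side interface address
# (health probes are sourced from it) and the client NAT pool on vlan 200.
ACE_SERVER_SIDE_IP = "10.10.14.2"
NAT_POOL_IPS = {"10.10.4.6"}

BUILT_RE = re.compile(
    r"%ACE-6-302022: Built TCP connection (?P<cid>0x[0-9a-f]+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) .*? to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%ACE-6-302023: Teardown TCP connection (?P<cid>0x[0-9a-f]+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# Six lines from the thread plus one constructed client connection (last line)
# that reaches the rserver from the nat-pool address, for contrast.
SAMPLE_LOG = """\
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:03:10 : %ACE-6-302022: Built TCP connection 0x2001 for vlan200:10.10.4.6/51234 (10.10.10.1/51234) to vlan200:10.10.10.1/4444 (10.10.4.6/4444)
"""


def classify_source(src_ip):
    """Probe traffic is what the ACE itself sends from its server-side address."""
    if src_ip == ACE_SERVER_SIDE_IP:
        return "probe"
    if src_ip in NAT_POOL_IPS:
        return "client-nat"
    return "other"


def parse_events(log_text):
    events = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line) or TEARDOWN_RE.search(line)
        if not m:
            continue  # not a 302022/302023 line
        ev = m.groupdict()
        ev["kind"] = "built" if "302022" in line else "teardown"
        ev["source"] = classify_source(ev["src_ip"])
        events.append(ev)
    return events


def summarize(log_text):
    """Count events per (source class, built/teardown)."""
    counts = {}
    for ev in parse_events(log_text):
        key = (ev["source"], ev["kind"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def probe_teardown_reasons(log_text):
    """A healthy TCP probe ends with FINs; RSTs or timeouts would point at a real fault."""
    return {ev["reason"] for ev in parse_events(log_text)
            if ev["source"] == "probe" and ev["kind"] == "teardown"}


def client_connections(log_text):
    """Everything that is not probe traffic, i.e. what the VIP actually forwarded."""
    return [ev for ev in parse_events(log_text) if ev["source"] != "probe"]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]:<10} {key[1]:<9} {n}")
    print("probe teardown reasons:", probe_teardown_reasons(SAMPLE_LOG))
    for ev in client_connections(SAMPLE_LOG):
        print("client flow:", ev["src_ip"], "->", ev["dst_ip"], ev["dst_port"])
```

If `client_connections()` stays empty while probes keep succeeding, the VIP is not forwarding anything and the capture on the ASA side is the next thing to look at, as the reply suggests.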
ACE Probe Config for Blue Coat Proxy TCP Port 74 NETRJS-4
We are running 4710's with A5(2.2). We use Blue Coat proxies for our internet connections, specifically TCP port 74. So when we open up a browser connection to www.cisco.com, the HTTP GET is actually encapsulated in TCP port 74 netrjs-4. We want to load-balance these proxies with ACE and I'm trying to set up health probes, but the only ones that work are the tcp probes PROXY_BCC_PROBE and PROXY_PROBE. I'd like to have health probes that hit external websites, but I'm confused whether the "ip address" probe sub command is all I need, and netrjs is a simple encapsulation of the HTTP request (which is what it looks like on a sniffer). Does anyone have Blue Coat proxies/ACE working? If so, how are your probes configured?
Thanks,
probe tcp PROXY_BCC_PROBE
port 8084
interval 3
passdetect interval 3
probe http PROXY_HTTP1_PROBE
ip address 198.133.219.25
port 74
interval 3
passdetect interval 3
request method head url /index.html
expect status 200 299
probe http PROXY_HTTP2_PROBE
ip address 198.133.219.25
port 74
interval 3
request method get url /
expect status 200 299
probe tcp PROXY_PROBE
port 74
interval 3
passdetect interval 3
Hi,
I have seen this working for one of the customers.
probe http HTTPGET
description Tests that www.gmail.com returns 302 redirect
interval 10
request method get url http://www.gmail.com
expect status 302 302
If I modify your probe :
probe http PROXY_HTTP1_PROBE
ip address 198.133.219.25
port 74
interval 3
passdetect interval 3
request method get url http://www.gmail.com
expect status 302 302
Give it a try and see if that helps.
regards,
Ajay Kumar -
Good day everyone,
I have a question in regard to real server operation with different server farms, and VIPs
Can a Real Server be associated (for simplicity) with two different Server Farms that have a VIP associated with each, servicing the same TCP Port (443)?
Example:
SF-A
RSRV-1: 192.168.1.10 /24
RSRV-2: 192.168.1.11 /24
VIP-A: 192.168.1.20 /24
VIP-A: https:web-A
Protocol: HTTPS
SF-B
RSRV-2: 192.168.1.11 /24
RSRV-3: 192.168.1.12 /24
VIP-B: 192.168.1.30 /24
VIP-b: https:web-B
Protocol: HTTPS
Client-A: 172.16.128.10
Client-B: 172.16.128.15
I have attached a sketch depicting the connectivity.
As always any feedback/suggestions will be greatly appreciated.
Cheers,
Raman Azizian
Raman,
This type of config is no problem. What the server is doing is virtual web hosting. The server would have two different web services running for the same IP, but each listening for a unique host header.
From an IP point of view both connections would be destined to the rserver address on port 80, but in the http header they would have two different Host headers.
one for www.example1.com and the second for www.example2.com. If the web server is configured correctly so each host name is tied to one web service it will not have any issues.
The config you attached looks ok. The way you have the sticky group is ok doing source IP. If you use cookies for the sticky group I would suggest you create two sticky groups each with a different cookie name and add the same serverfarm to both groups. The client will only send a cookie for the domain it received it from so using the same cookie in two vips could cause problems if the same client hits both vips.
Hope that helps
Regards
Jim -
Dear Expert,
I study the ACL to filter (stop) the tcp port from below URL
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
In the section of "Allow Only Internal Networks to Initiate a TCP Session", grateful if someone would enlighten me the usage of "established"
interface ethernet0
ip access-group 102 in
access-list 102 permit tcp any any gt 1023 established
What is different if the ACL is changed to following:
access-list 102 permit tcp any any gt 1023
rdgs
Dear Jennifer,
Greatly helpful.
Grateful if you would comment on the following configuration, which I digested from your advice
interface serial 0/0
description 45M DS3 from HK to US
ip access-group 105 in
interface fastethernet 0/0
Description Internat VLAN 100 for xxx department
ip address 102.168.100.0 255.255.255.0
ip access-group 101 in
access-list 101 remark -- only allow Web service from internal to outside --
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any http
access-list 105 remark -- allow return traffic if destination tcp port greater than 1023 --
access-list 105 permit tcp any eq http 192.168.100.0 0.0.0.255 gt 1023 established
! it should embed the partial function of "permit tcp any eq http 192.168.100.0 0.0.0.255 gt 1023" but the
! traffic should be permitted only if it is initiated from 192.168.100.0/24. If the traffic is initiated from outside,
! acl 105 would deny it.
access-list 115 remark -- allow in/return traffic for tcp port greater than 1023 --
access-list 115 permit tcp any eq http 192.168.100.0 0.0.0.255 gt 1023
! the traffic is permitted no matter whether it is initiated from internal or external
access-list 125 remark -- allow return traffic for all tcp ports --
access-list 125 permit tcp any eq 80 192.168.100.0 0.0.0.255 established
! includes the function of ACL 105, also supports tcp port range from 1 to 1023
access-list 135 remark -- allow in/return traffic for all tcp ports --
access-list 135 permit tcp any eq 80 192.168.100.0 0.0.0.255
! includes the function of ACL 115, also supports tcp port range from 1 to 1023
If so, I would like to modify the ACL to support more services, grateful if you would comment on it.
access-list 101 remark -- only allow Internet services from internal to outside --
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any http
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any smtp
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any pop
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any imap
access-list 101 permit tcp host 192.168.100.120 eq imap any established
access-list 101 permit tcp 192.168.100.0 0.0.0.255 any telnet
access-list 145 remark --- return and in traffic ---
access-list 145 permit tcp any 192.168.100.0 0.0.0.255 gt 1023 established
access-list 145 permit tcp any host 192.168.100.120 imap -
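As an added illustration of the `established` question above (example code written here, not from Cisco or the thread), this Python model applies ACL 105 and ACL 115 to constructed packets; the IOS wildcard 192.168.100.0 0.0.0.255 is written as 192.168.100.0/24 and the outside address 203.0.113.10 is a documentation-range placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SYN, ACK, RST, FIN = "SYN", "ACK", "RST", "FIN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Networks are CIDR ('any' allowed); ports are (op, value)."""
    action: str                      # "permit" or "deny"
    src: str
    sport: Optional[tuple]           # ("eq", 80), ("gt", 1023) or None for any port
    dst: str
    dport: Optional[tuple]
    established: bool = False


def _net_match(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _port_match(cond, port):
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def ace_matches(ace, pkt):
    if not (_net_match(ace.src, pkt.src) and _net_match(ace.dst, pkt.dst)):
        return False
    if not (_port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport)):
        return False
    # IOS "established" matches only segments carrying ACK or RST, i.e. replies
    # within a session the other side opened. A bare SYN (a new connection
    # attempt) never matches. It is a flag check, not connection tracking.
    if ace.established and not (ACK in pkt.flags or RST in pkt.flags):
        return False
    return True


def acl_permits(acl, pkt):
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


# The two entries from the question, wildcard 0.0.0.255 rewritten as /24.
ACL_105 = [Ace("permit", "any", ("eq", 80), "192.168.100.0/24", ("gt", 1023), established=True)]
ACL_115 = [Ace("permit", "any", ("eq", 80), "192.168.100.0/24", ("gt", 1023))]


def compare(pkt):
    return {"acl105": acl_permits(ACL_105, pkt), "acl115": acl_permits(ACL_115, pkt)}


# Constructed packets: a web server's reply to an internal client, an
# outside-initiated SYN from source port 80, and a reply to a low client port.
WEB_REPLY = Packet("203.0.113.10", 80, "192.168.100.25", 40000, frozenset({SYN, ACK}))
OUTSIDE_SYN = Packet("203.0.113.10", 80, "192.168.100.25", 40000, frozenset({SYN}))
LOW_PORT_REPLY = Packet("203.0.113.10", 80, "192.168.100.25", 1023, frozenset({SYN, ACK}))

if __name__ == "__main__":
    for name, pkt in [("web reply", WEB_REPLY), ("outside SYN", OUTSIDE_SYN),
                      ("reply to port 1023", LOW_PORT_REPLY)]:
        print(f"{name:<20} {compare(pkt)}")
```

The model shows the difference the question asks about: both ACLs pass the server's reply, but only ACL 115 lets a new inbound connection through, and neither covers client ports at or below 1023.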
How to get the number of bytes at TCP port
Hi all,
How to get the number of bytes to read at the TCP port... as someone had suggested in some forum, we do read the number of bytes first and then pass this...
but we get a problem when we have FF data in this... because then it sends 2 FF data... and because of this we skip the last data... is there any solution for the same?
Hi
In LabVIEW you don't have the same property as on the serial port.
You haven't got a "Byte at TCPIP port".
If you develop a protocol, one solution is to send the size to read.
Application Engineer / LabVIEW Certified Developer (CLD) -
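The reply's suggestion, sending the size to read ahead of each message, is shown here as an added Python example (not LabVIEW code and not from the thread): a fixed 4-byte length prefix makes payloads that contain FF bytes unambiguous, and bounding the advertised length stops a peer from forcing a huge read.

```python
import socket
import struct

HEADER = struct.Struct("!I")   # 4-byte big-endian length prefix
MAX_FRAME = 1 << 20            # upper bound on one message; refuse anything larger


def encode_frame(payload: bytes) -> bytes:
    """Prefix the payload with its length; no in-band delimiter or escape byte needed."""
    if len(payload) > MAX_FRAME:
        raise ValueError("payload too large")
    return HEADER.pack(len(payload)) + payload


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """TCP is a byte stream: loop until exactly n bytes have arrived."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def recv_frame(sock: socket.socket) -> bytes:
    (length,) = HEADER.unpack(recv_exact(sock, HEADER.size))
    if length > MAX_FRAME:
        # Check the header before allocating, so a bogus length cannot
        # make the reader reserve gigabytes on the peer's say-so.
        raise ValueError(f"advertised frame length {length} exceeds limit")
    return recv_exact(sock, length)


def roundtrip_demo():
    """Send three frames back to back over a local socket pair and read them out."""
    a, b = socket.socketpair()
    payloads = [b"\xff\xff\x00A", b"", bytes(range(256))]  # constructed test data
    try:
        a.sendall(b"".join(encode_frame(p) for p in payloads))
        return [recv_frame(b) for _ in payloads]
    finally:
        a.close()
        b.close()


def oversized_header_is_rejected():
    """A header claiming more than MAX_FRAME must be refused before any data is read."""
    a, b = socket.socketpair()
    try:
        a.sendall(HEADER.pack(MAX_FRAME + 1))
        try:
            recv_frame(b)
        except ValueError:
            return True
        return False
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    for p in roundtrip_demo():
        print(len(p), p[:8].hex())
    print("oversized header rejected:", oversized_header_is_rejected())
```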
Bypassing TCP port 25 restriction (i.e. worst ISP EVER; Mail is not allowed)
Hi
The private company that runs my DOES NOT ALLOW Smtp connections on its "hi speed internet connection".
Meaning that Mail cannot function and I have to check via webmail.
I'm serious.
Their FAQ states:
Can I use email clients such as Microsoft Outlook or Outlook Express to send and receive emails?
No, you will only be able to use web browser based email such as Hotmail or Gmail; this is due to limitations (on TCP port 25) which have been implemented to protect you against other computer users sending unsolicited bulk emails (SPAM) via your computer.
Does anyone know a way to get around this as I NEED the functionality of Mail.....
Also,
Are all British ISPs this ridiculous?
Dying to find a solution to this....... Many Many Many Many Thanks
PS. I already paid extra ($250USD) to enable 'super' internet which doesn't throttle VOIP, STREAMING, gaming, P2P etc.
Luke
Beginning January 1, 2006 Port 587 has been standardized as the port to use for authenticated SMTP servers although most will still work with Port 25 as well. More and more ISPs are blocking port 25 as various jurisdictions are holding them responsible for spam and/or viruses originating on their network. With unauthenticated SMTP anyone can send using that server whether they have an account or not. So the ISPs block that port with the sole exception of their own SMTP server so they can scan the messages for spam and viruses. With an authenticated SMTP server where a valid account id and password are required to send messages the provider of the server assumes the responsibility for scanning all traffic through their server thus relieving the ISP of the liability.
Whether you think this is a big brother step or not, with estimates that spam on the internet is running as high as 70% of all email traffic, if it weren't for restrictions like this email would rapidly become an unusable tool. The only annoying thing I have found about this is how few ISP Tech Support people know about this. Too often their solution is "you can only use another email provider through their webmail interface." -
ACS 5.5 SFTP repository non-standard TCP port
is it possible to change the TCP port in a SFTP repository from 22 to something different ?
like this is not working
repository sftp1
url sftp://10.10.0.8:22222/user1
user user1 password hash bc14bc179d2708cc31cbc22ee6a679cd22c095a1
There is not much information inside the defect. We've been seeing different customers experiencing this issue.
Symptom:
SFTP stops working after upgrading to ACS 5.5
Conditions:
once we upgrade to ACS 5.5
Workaround:
NA
Try this one, this should work
https://tools.cisco.com/bugsearch/bug/CSCum93359/?reffering_site=dumpcr
Regards,
Jatin
**Do rate helpful posts** -
Http probe on non-standard tcp port 8021
I've configured http probe on standard port 80 with no issue. I'm now trying http probe on non-standard tcp port 8021, confirmed with packet capture to confirm that the CSM is indeed probing, status code 403 is returned but the reals are showing "probe failed". Am I missing something? Thank you in advance.
CSM v2.3(3)2
probe 8021 http
request method head
interval 2
retries 2
failed 4
port 8021
serverfarm TEST
nat server
no nat client
real 10.1.2.101
inservice
real 10.1.2.102
inservice
probe 8021
vserver TEST
virtual 10.1.2.100 tcp 8021
serverfarm TEST
replicate csrp connection
persistent rebalance
inservice
VIP and real status:
vserver type prot virtual vlan state conns
Q_MAS_8021 SLB TCP 10.1.2.100/32:8021 ALL OUTOFSERVICE 0
real server farm weight state conns/hits
10.1.2.101 TEST 8 PROBE_FAILED 0
10.1.2.102 TEST 8 PROBE_FAILED 0
you need to specify what HTTP response code you expect.
The command is :
gdufour-cat6k-2(config-slb-probe-http)#expect status ?
<0-999> expected status - minimum value in a range
The default is to expect only 200.
This is why your 403 is not accepted.
Gilles. -
Unknown open TCP ports on router
Anyone know how to close these open ports on my Cisco 7606 router?
Anyone know what these TCP ports are used for?
49 - Not sure what this one is other than what IANA reports about TCP port 49
4510
4509
2222
I'm sure I could add an ACL to block communications to my router based on these ports but would rather figure out how to close 'em so this already overloaded router doesn't have additional processing.
Cisco-7606# sh tcp br all
TCB Local Address Foreign Address (state)
12EFC1C0 172.16.8.3.14401 10.8.2.14.49 TIMEWAIT
1CC4F57C 172.16.8.3.26963 10.8.2.14.49 TIMEWAIT
1A419F90 0.0.0.0.4510 *.* LISTEN
1C581740 0.0.0.0.4509 *.* LISTEN
1A417BBC 0.0.0.0.2222 *.* LISTEN
12FB03A8 10.8.10.2.2222 10.8.1.42.4690 CLOSEWAIT
12FB099C 10.8.10.2.2222 10.8.1.42.2233 CLOSEWAIT
12FA7DF0 10.10.0.3.2222 10.8.1.15.4878 CLOSEWAIT
1CD47780 10.10.0.3.2222 10.8.1.15.3917 CLOSEWAIT
1CDDBCE0 10.8.10.2.2222 10.8.1.42.3964 CLOSEWAIT
Cisco-7606# sh ver | i image
System image file is "disk0:c7600rsp72043-advipservicesk9-mz.122-33.SRD3.bin"
Tks
Frank
Frank,
I can offer some suggestion about one of your port numbers. TCP port 49 is used for TACACS. If you are using TACACS for authentication, or authorization, or accounting then we know why port 49 is open and blocking TCP49 will prevent TACACS from working with your router.
I have no insights or suggestions about the other port numbers that you mention.
HTH
Rick -
Smbclient wants to connect to TCP port 139
On my Powerbook, using Little Snitch under certain conditions (undetermined) I get the following message repeatedly, I am not connected to a network (except for Airport) or printer:
The application "smbclient" wants to connect to 192.168.131.65 on TCP port 139 (netbios-ssn)
What is this all about - thanks.
PB G4 Al 17"
Airport is as much of a network as Ethernet is. Port 139 is the normal port for SMB connections. (At the terminal, try "grep 139 /etc/services".) What you want to do is figure out where your Powerbook was connecting to a Windows file or printer server on network 192.168.0.0 or 192.168.131.0. Are either of those the network address for your Airport network? You can see this in your Network settings.
Login Items is the first place to look for an alias that might trigger an automated mount, but another application (other than the Finder) could be looking for a file server, too (as another poster mentioned). You could try to grep for "192.168.131.65" in all the files in your Preferences folder, except if you have 10.4 they might all be binary now and you'd have to convert them to xml text first, using plutil (again in Terminal). -
LMS 4.2 Why is TCP port 514 used and how to close it?
An internal security scan showed that TCP port 514 is open on the Cisco Prime LMS 4.2.4 server. The security team is concerned that this port is commonly used for rsh, which is not encrypted and may use plain text logins or poorly authenticated logins. The port being open is documented in the "Installing and Migrating ..." manual for LMS 4.2 where it says that this TCP port 514 is used for Remote Copy Protocol in the direction from the server to device. The well-known port associated with a service is usually on the target host, not on the host that initiates the connection, so this is a little confusing. I see that there is no rsh service in /etc/inetd.conf, but there is an rsh service in /etc/xinetd.conf. This LMS is not configured to use RCP for anything, as far as I can tell.
Can I close TCP port 514 on this server without disastrous results, and how do I do that?
Or, how do I satisfy the security team that having this port open is not a security concern?
Thanks for any help.
Dave
I have a love/hate relationship with security audits like that. Happy to know the profile of a server but then hating to have to justify everything their "report" "concludes" (95% of which is usually just dressed-up tool output from Nessus or whatever).
Problem is with appliance servers running a packaged application like LMS, mucking with the OS settings (rc files etc.) can break things in unexpected ways. I'm more in favor of putting it on a segmented network and applying access-control lists or firewall rules inbound vs. trying to take apart the system and put it back together using only the parts you think are necessary (a bit of hyperbole there but it's to make a point).
Call it defense in depth and declare victory and then move on with using the tool to actually manage the network instead of defending its configuration to the Stasi. -
Tomcat Servlet - TCP Port Already in Use?
My problem is that tomcat/servlet is not releasing its TCP port after my servlet closes the port. Next time a servlet tries to use the port it gets an error "Port already in use". Using netstat I can see the port is still in use. If I stop tomcat and restart it, the port is released. I have not had this sort of problem writing C programs that use sockets.
My setup is Fedora Core 6 with JDK1.5_14 and Tomcat 5.5.26. I know it's not the latest, but sockets and streams have been around for a long time.
Actual implementation uses a trivial javaserver page to instantiate a class to create/accept connection from a client (JApplet). After connection, it starts a thread to receive data. I am using ServerSocket(), InputStreamReader(), and OutputStreamWriter(). On ServerSocket I set ReuseAddress to true.
I have try/catch on all my I/O and use tomcat context log for error and OK messages. Data transfer is perfect. Detect close by client works. In the context log I see close of streams and ServerSocket occur with no exceptions. Then, I manually close the jsp window. No indication of any problems. If I use different port 2nd time (e.g. 50001) it all works perfect. If I use my default (50000) again, servlet gets an error during bind, "Port already in use".
2.5 years with Java. 5 years with Linux and C.
Please advise or refer
rwengr wrote:
> My problem is that tomcat/servlet is not releasing its TCP port after my servlet closes the port. Next time a servlet tries to use the port it gets an error "Port already in use". Using netstat I can see the port is still in use. If I stop tomcat and restart it, the port is released. I have not had this sort of problem writing C programs that use sockets.
Nice.... Not sure that matters though.
> My setup is Fedora Core 6 with JDK1.5_14 and Tomcat 5.5.26. I know it's not the latest, but sockets and streams have been around for a long time.
> Actual implementation uses a trivial javaserver page to instantiate a class to create/accept connection from a client (JApplet).
Bleah! Don't use a JSP for that. Use a servlet at worst. At best use a Servlet to start some other socket manager class which you can/have tested outside the Servlet Container environment.
> After connection, it starts a thread to receive data. I am using ServerSocket(), InputStreamReader(), and OutputStreamWriter(). On ServerSocket I set ReuseAddress to true.
> I have try/catch on all my I/O and use tomcat context log for error and OK messages. Data transfer is perfect. Detect close by client works. In the context log I see close of streams and ServerSocket occur with no exceptions. Then, I manually close the jsp window.
Closing the browser window has no effect on the server.
> No indication of any problems. If I use different port 2nd time (e.g. 50001) it all works perfect. If I use my default (50000) again, servlet gets an error during bind, "Port already in use".
> 2.5 years with Java. 5 years with Linux and C.
> Please advise or refer
Show some code. If you just want some generic advice it would be to close the port, as soon as you don't need it anymore. But you know that. Without any further code I think that is about all that can be said.
P.S. Make the code as small as possible, compilable, but still demonstrating the problem. Also see: [this tutorial as an example...|http://www.javaworld.com/javaworld/jw-12-1996/jw-12-sockets.html?page=1] -
[SQL QUERY] Select TCP Port Monitors and their related Watcher Node
Hi everybody,
I'm working on a SSRS report and SQL Query, I have no problem to find all my TCP Port Monitor (SCOM 2012 R2) based on the DisplayName, but I can't figure out how to get their related watcher nodes (in my case only 1 computer is a watcher node).
I can't find which table, which field, contains this information..?
Here is the query I started to write (I select * since I'm still searching for the right column):
SELECT *
FROM StateView s
INNER JOIN BaseManagedEntity me on me.BaseManagedEntityId=s.BaseManagedEntityId
INNER JOIN MonitorView mv on mv.Id=s.MonitorId
INNER JOIN ManagedTypeView mtv on mtv.Id=s.TargetManagedEntityType
--where mv.DisplayName like 'Ping Target Status Check%'
where mv.DisplayName like '%tcpmon%'
and mv.LanguageCode = 'ENU'
AND me.IsDeleted = '0'
--and s.HealthState in (@state)
ORDER BY s.Lastmodified DESC
It would be great if someone can help me !
Thanks,
Julien
Hi,
After creating a TCP port monitor, we can find a table for this monitor under operationsmanager database :
SELECT *
FROM [OperationsManager].[dbo].[MT_TCPPortCheck_******WatcherComputersGroup]
You will find the watcher computer group.
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]