Advantage/disavantage of disabling "no inspect sqlnet"
What is the advantage of enabling sqlnet inspection and what is the down side of disabling sqlnet inspection "no inspection sqlnet"?
I know very well the pro and con of enabling ftp inspection and disabling of ftp inspection but for the past five years, I have not seen anyone has been to explain the pro and con of enabling/disabling sqlnet inspection
I asked this question five years ago and someone replied but I dont' think he knows what it is. He just copied from cisco documentation: https://supportforums.cisco.com/discussion/10838696/what-advantage-enabling-sqlnet-inspection-asa-appliance
From my production experience, enabling/disabling sqlnet inspection makes no differences and my previous life was an Oracle DBA.
I've seen my security vulnerabilities and when Oracle does not work across the ASA firewalls, Cisco TAC response is always "disable sqlnet inspection".
If that is the case, why have it enable by default in the first place?
Hi,
The advantage of having the any protocol inspection enabled on the ASA device is to make ASA device aware of these two things mainly:-
1) Any Embedded IP address at the application layer for the specific protocol
2) To allow secondary Channel by opening Pin Holes through the ASA device without explicitly allowing it using the ACL rules.
Some other inspections are also used to implement/enforce the RFC for the protocols as well (For Ex:- SMTP , DNS etc.)
Just picking the example from Inspect sqlnet:-
NoteDisable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP port 1521. The ASA acts as a proxy when SQL*Net inspection is enabled and reduces the client window size from 65000 to about 16000 causing data transfer issues. Disable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP port 1521. The ASA acts as a proxy when SQL*Net inspection is enabled and reduces the client window size from 65000 to about 16000 causing data transfer issues.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i2.html#pgfId-1762719
These inspections are enabled by default but can be modified or disabled depending on the application that you are using through the ASA device.
Hope that clarifies your query. Let me know if you have any other questions.
Thanks and Regards,
Vibhor Amrodia
Similar Messages
-
Can I disable "inspect sqlnet?"
In a recent Cisco Security Advisory (Advisory ID: cisco-sa-20131009-asa) there is a "SQL*Net Inspection Engine Denial of Service Vulnerability" identified. I plan to follow the upgrade process to resolve this, however, I will not be able to perform the upgrade for a couple of weeks.
The temporary work around suggested is to disable SQL*Net inspection:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect sqlnet
This seems simple enough, but I am banging my head on the desk trying to figure out how this will affect any database traffic that may be going through these interfaces. If the default sqlnet inspection is disabled does that mean I need to add explicit ACL entries per interface to allow that traffic? I've reviewwed the information from this thread: https://supportforums.cisco.com/thread/2005571
I know there are SQL and Oracle databases on this particular segment, but what confuses me is that there are no rules configured to NAT anything right now. Is there some sort of way to see if any traffic even matches that default inspection so I know whether it's doing anything right now?
I seem to be overthinking this because I keep going in circles with my own reasoning. I'm not sure what config information to include with my question. I can tell you that there are many interfaces in use. There is no NAT. There are mulitple security levels.
Thank you in advance.Patrick,
Thank you! This was exactly what I was asking for. In my post I asked the question "Is there some sort of way to see if any traffic even matches that default inspection."
That is all I needed. I don't know why I couldn't find how to show this information. -
Disable esmtp Inspection for Specific Host
Hello. Is it possible to disable esmtp inspection for a specific INSIDE host with use of a policy-map? If so, could you provide an example configuration.
Yes it is possible. You could do something like the following:
access-list ESMTP deny ip host 1.1.1.10 any
access-list ESMTP permit ip 1.1.1.0 255.255.255.0 any
class-map CMAP
match access-list ESMTP
policy-map PMAP
class CMAP
inspect esmtp
service-policy PMAP interface inside
Please remember to select a correct answer and rate helpful posts -
Disable http inspection in global_policy FWSM
I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
Looking into the config on the FWSM i see that under the global_policy we are inspecting http
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?
Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?
I don't really understand what the inspection engine does?Well,
I removed the http inspection and it broke all inbound and outbound web services!
Then I discover this
url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
This web-sense server is down and no longer used.
But am I correct to assume that the prescense of this config caused a problem as all http was trying to go via the Websense but with the http inspection enabled it is able to go out direct?
I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
Thanks
Roger -
Should I disable ESMTP inspect engine on the ASA??
Hello all,
I read a lot of blog that recomend disable the ESMTP inspect engine because in the mostly time affects email comunication servers between networks.
It is a good pratice ??
Thank you !!!!!Hi Konsu,
You will find your answer here:
https://supportforums.cisco.com/message/3110997#3110997
Hope that helps.
Varun -
Hello, I am doing a pre-deployment testing for our new ASA. We are using VeEX tester to generate 10G traffic. Unfortunately, this tester does not have layer 4 traffic support for 10G, all of UDP header, etc. belong to DATA and only can fill 16 bytes pattern (repeat one pattern to fill). This causes ASA to reject package with invalid udp length or invalid UDP port etc. Is any CLI cmd that we can use to disable this UDP checking and passing layer 3 traffic directly? We like to get base performance throughput data.
Thanks in advance.Hi Gongyuan Yao,
You maybe should move your question to the community "Security > Firewalling" since you ask for help on ASA configuration.
Best regards
Roger -
Command to disable packet inspection?
cisco 2651XM
IOS: c2600-ipbasek9-mz.124-23.bin
I need to diable RDP packet inspection on this router but I can't find where I do that. I'm having troubele with audio on a sip line and I read here (bottom of page)
http://forums.asterisk.org/viewtopic.php?f=1&t=76056&p=150405&hilit=one+way+audio+forward+ports#p150405
that turning off RDP packet solved the problem. I've looked through the config and searched on google but couldn't find the asnwer. what is the command to turn off RDP packet inspection?Do you have a firewall in the picture because it would be the firewall like ASA performing packet inspection not the 2600 router. Also unless I am missing something I think it is weird that RDP (Port 3389) packet inspection causing issues with your SIP line. Unless asterik uses that port for something. Any ways start from your firewall. Also setup a sniffer and see what is happening to the packets.
-
Potential Impact of Disabling Default HTTP Inspection Policy
I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map. The software for this firewall is recent 8.2(x).
Some questions:
1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration. All such traffic is inspected by the appliance. Am I correct in this understanding?
2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting? Would I see any noticeable impact to HTTP traffic by doing this?
Thank you for your responses in advance.
JeffHi,
These are the response to your queries:-
1) Yes ,HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.
2) Might be yes , As the HTTP connections are the major amount of traffic on the ASA device , too much traffic have to be inspected by the ASA device and re-assembling will also cause the ASA device to do some extra processing.
3) No , I think you would reduce the processing for the ASA after disabling this inspection.
This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.
Also , check this:-
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
Thanks and Regards,
Vibhor Amrodia -
Disable inspection on Advanced returns
Hi Experts
The client that I am working with has an external WM system and the inspection is also going to be performed by the external system.
Is it possible to disable the inspection control within the advanced returns?
Thanks
AshACCHello,
I've got the solution for the problem fron the SAP.
If a content repository A2 (in transaction OAC0) is configured it's possible to store attachments to the material inspection.
A configuration for a specific business object and/or document type is not nessessary. It works just with the content repository A2.
Michael.
Edited by: Michael Benner on Feb 22, 2011 4:54 PM -
ACS DB Replcation Fails Through Cisco Firewalls w/Skinny Policy Inspect
We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replcate the internal databases for redundancy. The problem is that replications fail between the ACS servers and it is because of the default port the ACS servers use to replicate over...TCP 2000.
Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
When the policy-inspect skinny command is enabled on the firewalls, the ACS server replcation breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that defined in IETF as a well know port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.
An no...we should not have to disable the inspect-policy for skinny on the ASA's. :-)
Any help to qwell my frustration on this topic would be appreciated.
Thanks,
-ScottScott,
If disabling the inspection of the skinny protocol is not feasible, the following
configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
#Define what traffic you want inspected:
access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
access-list skinny_acl extended permit tcp any any eq 2000
#Create a class map to match the acl
class-map skinny_map
match access-list skinny_acl
#Under the global policy, take the skinny inspection out of the
#class inspection_default, and add it under our new class
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class skinny_map
inspect skinny
service-policy global_policy global
###Will be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
Global policy:
Service-policy: global_policy
Class-map: skinny_map
Match: access-list skinny_acl
Access rule: permit tcp any any eq 2000
Action:
Input flow: inspect skinny
FWSM(config-pmap-c)#
###Will not be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
Global policy:
Service-policy: global_policy
FWSM(config-pmap-c)#
Regards,
~JG
Please rate if helps ! -
H323 inspect in a single class with match criteria
Hi, I trying to apply this to make sure only inspect h323 traffic in a single host (that's a Video Conference host), but don't works. Only works when I applied the inspect in the inspection_default class.
Here is the config:
access-list 100 extended permit ip host x.x.x.x any
access-list 100 extended permit ip any host x.x.x.x
class-map h223_VC
match access-list 100
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect ip-options
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect icmp
inspect netbios
inspect icmp error
class h223_VC
inspect h323 h225
It´s possible? or is something wrong?
Thanks a lot for your helpHi,
When you have it in the global policy you only H323 H225 or you also have H323 ras?
What do you see if you run this commands?
packet-tracer input tcp 1025 1720
sho service-policy flow tcp host host eq 1720
How do you test it?
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html -
Inspect http issue - unable to browse secure site.
Hi,
Current version of the asa firewall is 7.1(2) in which when the inspect http is enabled, while opening secure site like axis bank account or any money market site either blank page display or page can not display error message appear. When i disable this command i am able to access all the secure sites properly. It looks like a bug but in the release not i am not finding any bug related to this issue. Please help me resolve this issue.
Amit M.Thanks for the reply. When i disable http inspection and when i try to open login page for some of the site then this page cannot be display appear. Also i try MSS might get exceeded and found in the show asp drop tcp mss is not showing. But still i create a class for mass exceed and apply it in globle configuration but it does not work. Latter i have to disable the http inspection and it started working. Now the question is while clicking on login butten it will go from http to https page during this shifting of http to https why does it affect the connection when enable http inspection.
Following is the show asp drop output.
Please check
PIXFIREWALL# sho asp drop
Frame drop:
Invalid IP header 10
No route to host 13
Reverse-path verify failed 398846
Flow is denied by configured rule 107075
Flow denied due to resource limitation 35
Invalid SPI 2
First TCP packet not SYN 62706
TCP failed 3 way handshake 1211
TCP RST/FIN out of order 39
TCP packet SEQ past window 1
TCP invalid ACK 1
TCP packet buffer full 209
TCP RST/SYN in window 14
TCP DUP and has been ACKed 10411
TCP packet failed PAWS test 10
IPSEC tunnel is down 137
IP option drop 551
Expired flow 26
ICMP Inspect seq num not matched 1057
ICMP Error Inspect different embedded conn 60
DNS Inspect id not matched 4674
IPS Module requested drop 8
FP L2 rule drop 22988
Interface is down 8
Flow drop:
Flow terminated by IPS 16
NAT failed 13066
Tunnel being brought up or torn down 514
Need to start IKE negotiation 2136
Inspection failure 60 -
Sqlnet.ora trace files getting generated even after turning off tracing
Hi,
I have recently added the following parameters to the sqlnet.ora file.
TRACE_LEVEL_SERVER=16
TRACE_FILE_SERVER=SERVER
TRACE_DIRECTORY_SERVER=/ftpland/trace
TRACE_TIMESTAMP_SERVER=on
Even after removing these enteries from the sqlnet.ora I still see the trave files being generated.
#####enable tracing###################
#Trace_level_server=0
#Trace_filelen_server=1000
#Trace_fileno_server=1
#Trace_timestamp_server=on
#Trace_directory_server=/opt/oracle/product/10.2.0/network/trace
#Diag_adr_enabled=off
AUTOMATIC_IPC = ON
TRACE_LEVEL_CLIENT = OFF
SQLNET.EXPIRE_TIME = 10
NAMES.DEFAULT_DOMAIN = bsca.eds.com
NAME.DEFAULT_ZONE = bsca.eds.com
SQLNET.CRYPTO_SEED = "232166927-1713903352"
NAMES.DIRECTORY_PATH = (ONAMES,TNSNAMES)
NAMES.PREFERRED_SERVERS =
(ADDRESS_LIST =
(ADDRESS =
(COMMUNITY = TCP.bsca.eds.com)
(PROTOCOL = TCP)
(Host = oraclenames1.bsca.eds.com)
(Port = 1575)
(ADDRESS =
(COMMUNITY = TCP.bsca.eds.com)
(PROTOCOL = TCP)
(Host = oraclenames2.bsca.eds.com)
(Port = 1575)
NAME.PREFERRED_SERVERS =
(ADDRESS_LIST =
(ADDRESS =
(COMMUNITY = TCP.bsca.eds.com)
(PROTOCOL = TCP)
(Host = oraclenames1.bsca.eds.com)
(Port = 1575)
(ADDRESS =
(COMMUNITY = TCP.bsca.eds.com)
(PROTOCOL = TCP)
(Host = oraclenames2.bsca.eds.com)
(Port = 1575)
BEQUEATH_DETACH=YES
Regards,
VNSID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME =ROSDMP.bsca.eds.com)
(ORACLE_HOME = /opt/oracle/product/10.2.0)
(SID_NAME = ROSDMP)
TRACE_LEVEL_LISTENER=16
I believe, this is the reason, you are seeing trace files even after disabling it in sqlnet.ora -
I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
My regex is: regex HACKBLOCK "*/admin/.*\.jsp*"
My class-maps are:
class-map type regex match-any HACKBLOCK_METHOD
match regex GET
class-map XXXXTWBLOCK
match access-list HACKBLOCK_HOSTS
class-map type regex match-any HACKBLOCK_URL
match regex HACKBLOCK
class-map type inspect http match-all HACKBLOCK_FILTER
match request uri regex class HACKBLOCK_URL
class-map inspection_default
match default-inspection-traffic
My policy-maps are:
policy-map type inspect http HACKBLOCK_HTTP
parameters
class HACKBLOCK_FILTER
log
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns
inspect h323 ras
class XXXXTWBLOCK
inspect http HACKBLOCK_HTTP
policy-map OUTSIDE
class XXXXTWBLOCK
inspect http HACKBLOCK_HTTP
class class-default
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1200
As you can see, I added the inspection rule to a seperate class name ENPROTWBLOCK. This matches traffic based on destination of our class C. I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
#sh service-pol inspec http
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Class-map: XXXXTWBLOCK
Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
protocol violations
packet 34206
class HACKBLOCK_FILTER
log, packet 0
enp-amer-clt-pix525-a#
I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
Any idea whats going on here and why I am not macthing the HTTP uri's ????
Thanks,
Matthias CCIE# 28445I get hits on the ACL. The issue is that the HTTP inspection does not seem to function. Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
access-list HACKBLOCK_HOSTS; 1 elements
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
access-list HACKBLOCK_HOSTS; 1 elements
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20 -
DNS Inspection Denial of Service Vulnerability
Advisory ID: cisco-sa-20131009-asa
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
I have a Pix running version 8.0.4 with the following configuration:
inside interface: 192.168.231.254/255.255.255.0
outside interface: 10.100.2.254/255.255.255.0
no nat-control
access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside
I have a window 2008R2 residing on the Internal interface of the firewall. The domain controller resides on the outside interface of the firewall.
I went ahead and implement the change recommended by Cisco
access-list DNS_INSPECT extended permit udp any any
class-map DNS_INSPECT_CP
match access-list DNS_INSPECT
policy-map global_policy
class DNS_INSPECT_CP
inspect dns preset_dns_map
However, after implement the workaround, my windows 2008R2 machine on the inside network can NOT join with AD on the outside network.
on the log of the firewall I see this:
Oct 31 14:34:09 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
Oct 31 14:34:17 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
I even change the DNS maximum length to 8192 but it still does not work.
I remove the recommendation from the configuration, everything works fine after that.
Anyone knows why?
Thanks in advanceJulio Carvajal wrote:U do not have this command right available at the CLI rightmessage-length maximum client auto
I do
CiscoPix# sh run policy-map
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect sqlnet
inspect dns preset_dns_map
class class_sunrpc_tcp
inspect sunrpc
class DNS_INSPECT_CP
inspect dns preset_dns_map
CiscoPix#
Julio Carvajal wrote: Then clear-local host try one more time and provide the logs.Note:access-list test permit ip any any logaccess-group test in interface outsideaccess-group test in interface insideThat ACL means u have no firewall in place
I am very aware of this. At this point, it does not matter, it just want the firewall to function like a routing device.
It still does NOT work. Here is the log:
Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]
Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]
Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
Oct 31 17:57:33 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(50955) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]
Maybe you are looking for
-
Error while creating a delivery from a sales order
Hi Folks, when i try to create delivery of a sales order, i am getting following error: " Item 000030: delivery split due to conflicting header data (FKARV: ZF2C <-> F8) " please help me in correcting this error. thanks in advance.
-
I am out of the country and using an older laptop that has 10.6.8 installed on it. I also have 2 versions of Pages installed on this laptop (2.0.2 and 4.0.5). I was attempting to open some Pages files that I had created on my Mac (10.10), but got th
-
Not in class path - XSLT Mapping using Stylus studio
Hello, I am using Stylus studio for XSLT mapping. I have written a JAVA function and when I tried to execute, I am getting an error " ...... not inclasspath". I have put JAVA file in the classpath as expained in the Stylus studio help documentation.
-
HT204384 maximum size for sdxc?
I like to buy a new macbook pro retina with 256MB SSD. I would expand it with a sdxc card, but what is the maximum size of such a card? For now I think 64GB, but is there really no 128GB or more available? Thanks for your reaction Kurt
-
My 15 month old iBook G4 14 inch's battery is messed up. It keeps going down and now i only charge it for 45 mins and its fully charged and i can use it for only 1 hour or 45 mins Do you have any solutions?? Thanks