Advantage of NAT IP Pool for PAT

Hi support community,
Would there be any benefit from using a small pool of public IPs (outside global addresses) to perform PAT instead of using the single IP address that is normally associated with the outside interface? We have enough public IPs that I could use 3 or 5 for a PAT outside pool, and I was wondering if it would be beneficial or a waste.
Thank you for any information that you can provide on this.
Delmiro

Hi,
Do you mean using a PAT Pool of a few addresses instead of PAT using the "outside" interface of the ASA?
I would imagine if you were to use a PAT Pool you would considerably increase the amount of hosts/connections that the ASA could support going from LAN to WAN.
I would suggest first monitoring the current usage of the interface PAT to determine if there is any need to configure a PAT Pool.
If you are talking about a PAT Pool then you must be using newer software.
You can probably use the "show nat pool" command to determine the usage of the current interface PAT ports.
Usually the single PAT address is just fine but if you have a large network with a lot of users you might benefit from the change. As I said, you should first see if your current PAT port usage is high.
If you had reached the PAT port limit then you would be seeing log messages of failed translations.
- Jouni

Similar Messages

  • I'm doing a design for a presale where I will need a router that supports PAT for 500 or a little more users; it does not need any more features, only static routing and a DHCP pool for 500 users. Can you help me decide which router to recommend?

    What is your WAN speed currently and projected WAN speed in the next 3 years?

  • Asymmetric NAT rules matched for forward and reverse flows - NAT Issue

    Having a problem with a VPN site trying to communicate with a subnet off my ASA 5505. The network is simple: the VPN IPsec remote site is 192.168.6.0/24, and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) and 192.168.9.0/24 (called Inside).
    The Error:
    5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
    I understand this is a NAT issue, but I am not seeing the error and could use a second set of eyes. Here's my current running configuration.
    : Saved
    ASA Version 8.3(2)
    hostname fw1
    domain-name xxxxxxxx.xxx
    enable password <removed>
    passwd <removed>
    names
    interface Vlan1
    description Town Internal Network
    nameif inside
    security-level 100
    ip address 192.168.9.1 255.255.255.0
    interface Vlan2
    description Public Internet
    nameif outside
    security-level 0
    ip address 173.xxx.xxx.xxx 255.255.255.248
    interface Vlan3
    description DMZ (CaTV)
    nameif dmz
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Vlan10
    description Infrastructure Network
    nameif InfraNet
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan13
    description Guest Wireless
    nameif Wireless-Guest
    security-level 25
    ip address 192.168.1.1 255.255.255.0
    interface Vlan23
    nameif StateNet
    security-level 75
    ip address 10.63.198.2 255.255.255.0
    interface Vlan33
    description Police Subnet
    shutdown
    nameif PDNet
    security-level 90
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,5,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    speed 100
    duplex full
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    switchport trunk allowed vlan 1,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/5
    switchport access vlan 23
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    switchport trunk allowed vlan 1
    switchport trunk native vlan 1
    switchport mode trunk
    shutdown
    banner exec                     Access Restricted to Personnel Only
    banner login                     Access Restricted to Personnel Only
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name xxxxxxx.xxx
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object service IMAPoverSSL
    service tcp destination eq 993
    description IMAP over SSL     
    object service POPoverSSL
    service tcp destination eq 995
    description POP3 over SSL     
    object service SMTPwTLS
    service tcp destination eq 465
    description SMTP with TLS     
    object network obj-192.168.9.20
    host 192.168.9.20
    object network obj-claggett-https
    host 192.168.9.20
    object network obj-claggett-imap4
    host 192.168.9.20
    object network obj-claggett-pop3
    host 192.168.9.20
    object network obj-claggett-smtp
    host 192.168.9.20
    object network obj-claggett-imapoverssl
    host 192.168.9.20
    object network obj-claggett-popoverssl
    host 192.168.9.20
    object network obj-claggett-smtpwTLS
    host 192.168.9.20
    object network obj-192.168.9.120
    host 192.168.9.120
    object network obj-192.168.9.119
    host 192.168.9.119
    object network obj-192.168.9.121
    host 192.168.9.121
    object network obj-wirelessnet
    subnet 192.168.1.0 255.255.255.0
    object network WirelessClients
    subnet 192.168.1.0 255.255.255.0
    object network obj-dmznetwork
    subnet 192.168.2.0 255.255.255.0
    object network FD_Firewall
    host 74.94.142.229
    object network FD_Net
    subnet 192.168.6.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network obj-TownHallNet
    subnet 192.168.9.0 255.255.255.0
    object network obj_InfraNet
    subnet 192.168.10.0 255.255.255.0
    object-group service EmailServices
    description Normal Email/Exchange Services
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq imap4
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_1
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq pop3
    service-object tcp destination eq https
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_2
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group network obj_clerkpc
    description Clerk's PCs
    network-object object obj-192.168.9.119
    network-object object obj-192.168.9.120
    network-object object obj-192.168.9.121
    object-group network TownHall_Nets
    network-object 192.168.10.0 255.255.255.0
    network-object object obj-TownHallNet
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.9.0 255.255.255.0
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
    access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
    access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
    pager lines 24
    logging enable
    logging asdm debugging
    logging mail errors
    logging from-address hostmaster@xxxxxxxxx
    logging recipient-address john@xxxxxxxxx level errors
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu Wireless-Guest 1500
    mtu StateNet 1500
    mtu InfraNet 1500
    mtu PDNet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    object network obj_any
    nat (inside,outside) static interface
    object network obj-claggett-https
    nat (inside,outside) static interface service tcp https https
    object network obj-claggett-imap4
    nat (inside,outside) static interface service tcp imap4 imap4
    object network obj-claggett-pop3
    nat (inside,outside) static interface service tcp pop3 pop3
    object network obj-claggett-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    object network obj-claggett-imapoverssl
    nat (inside,outside) static interface service tcp 993 993
    object network obj-claggett-popoverssl
    nat (inside,outside) static interface service tcp 995 995
    object network obj-claggett-smtpwTLS
    nat (inside,outside) static interface service tcp 465 465
    object network obj-192.168.9.120
    nat (inside,StateNet) static 10.63.198.12
    object network obj-192.168.9.119
    nat (any,StateNet) static 10.63.198.10
    object network obj-192.168.9.121
    nat (any,StateNet) static 10.63.198.11
    object network obj-wirelessnet
    nat (Wireless-Guest,outside) static interface
    object network obj-dmznetwork
    nat (any,outside) static interface
    object network obj_InfraNet
    nat (InfraNet,outside) static interface
    access-group outside_access_in in interface outside
    access-group StateNet_access_in in interface StateNet
    route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
    route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 5443
    http 192.168.9.0 255.255.255.0 inside
    http 74.xxx.xxx.xxx 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 173.xxx.xxx.xxx
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.9.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 10800
    dhcpd auto_config outside
    dhcpd address 192.168.2.100-192.168.2.254 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd enable dmz
    dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
    dhcpd enable Wireless-Guest
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 2
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 63.240.161.99 source outside prefer
    ntp server 207.171.30.106 source outside prefer
    ntp server 70.86.250.6 source outside prefer
    webvpn
    group-policy FDIPSECTunnel internal
    group-policy FDIPSECTunnel attributes
    vpn-idle-timeout none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    username support password <removed> privilege 15
    tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 173.xxx.xxx.xxx general-attributes
    default-group-policy FDIPSECTunnel
    tunnel-group 173.xxx.xxx.xxx ipsec-attributes
    pre-shared-key *****
    smtp-server 192.168.9.20
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
    : end
    Any ideas would be appreciated.
    John

    I don't see any inspection-commands in your config. Is there a reason for not using any of them?
    If your problem is only with ICMP, then you should enable at least ICMP inspection. You can do that easily with the legacy command "fixup protocol icmp".

  • %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure

    Hi,
    I have an ASA5510 running version 8.2(5). I have set up a new network on interface Ethernet0/1.777 of the fwl. The firewall works perfectly with remote access VPNs but has now given me the error with the new network that has been set up:
    %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure
    The difference between the other networks and the new one that I have set up is that this is the first one using a private addressing scheme. I understand that NAT is not allowing something along the way, but I can't figure out what needs to change in order to get it to work. My config is as follows:
    interface Ethernet0/1.777
    description TRU 777
    vlan 777
    nameif tru777
    security-level 50
    ip address 10.1.34.17 255.255.255.240 standby 10.1.34.18
    access-list acl_tru777 remark * ALLOW ALL OUTBOUND *
    access-list acl_tru777 extended permit ip any any
    access-list RA-VPN extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
    access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 10.0.0.0 255.0.0.0
    access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 172.16.0.0 255.240.0.0
    access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list acl_ra-lock-tru777 extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
    access-list acl_ra-lock-tru777 extended permit ip 10.159.159.0 255.255.255.0 10.1.34.16 255.255.255.240
    ip local pool ra-pool 10.159.159.0-10.159.159.254 mask 255.255.255.0
    nat (tru777) 4 access-list acl_no-nat
    nat (tru777) 2 10.1.34.16 255.255.255.240
    global (outside) 2 x.x.x.x
    crypto isakmp nat-traversal 20
    I think that is everything you should need, if not please just ask.
    Thank you very much in advance,
    Chris

    Hi Julio,
    Here you go:
    FWL01# sh nameif
    Interface            Name          Security
    Ethernet0/0          outside       0
    Ethernet0/1          CLIENTS       50
    Ethernet0/1.314      tru01         50
    Ethernet0/1.313      dmz01         50
    Ethernet0/1.316      tru02         50
    Ethernet0/1.776      dmz776        50
    Ethernet0/1.777      tru777        50
    Management0/0        management    100
    FWL01# sh run nat
    nat (tru02) 1 192.168.3.0 255.255.255.240
    nat (tru777) 4 access-list acl_no-nat
    nat (tru777) 2 10.1.34.16 255.255.255.240
    FWL01# sh run glob
    global (outside) 1 interface
    global (outside) 2 x.x.x.x
    Thanks,
    Chris

  • Asymmetric NAT rules matched for forward and reverse flows

    Hi! I don't know why this comes up in the logs when I have configured my vpn like so:
    crypto dynamic-map L2L_MAP 50 set reverse-route
    crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
    crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
    crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
    crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
    crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 20 match address IDP_VPN
    crypto map L2L_MAP 20 set peer x.x.x.x
    crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 40 match address cp_l2l_map_40
    crypto map L2L_MAP 40 set peer x.x.x.x
    crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 60 match address bwi_l2l
    crypto map L2L_MAP 60 set peer x.x.x.x
    crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 80 match address outside_80_cryptomap
    crypto map L2L_MAP 80 set peer x.x.x.x
    crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
    crypto map L2L_MAP interface outside
    crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
    crypto map INSIDE_map interface inside
    I am able to connect successfully via VPN client. It's just that I can't reach the internal servers... Any ideas?
    I get this error:
    Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.10.13.221/137 dst inside:10.10.13.255/137 denied

    I put in the important configs:
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.0 standby x.x.x.x
    ospf cost 10
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.10.13.5 255.255.255.0 standby 10.10.13.6
    ospf cost 10
    interface GigabitEthernet0/2
    nameif dmz
    security-level 50
    no ip address
    ospf cost 10
    interface GigabitEthernet0/2.720
    vlan 720
    nameif dmz-vsp
    security-level 50
    ip address 172.24.0.1 255.255.255.0 standby 172.24.0.2
    ospf cost 10
    interface GigabitEthernet0/2.724
    vlan 724
    nameif dmz-dbz
    security-level 75
    ip address 172.24.4.1 255.255.255.0 standby 172.24.4.2
    ospf cost 10
    interface GigabitEthernet0/2.725
    vlan 725
    nameif dmz-smtp
    security-level 50
    ip address 172.24.5.1 255.255.255.0 standby 172.24.5.2
    ospf cost 10
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.10.10.50
    domain-name xxxx.local
    access-list nonatacl extended permit ip 10.10.0.0 255.255.0.0 10.40.4.0 255.255.255.0
    access-list nonatacl extended permit ip 172.16.0.0 255.255.0.0 10.40.4.0 255.255.255.0
    access-list nonatacl extended permit ip 192.168.2.0 255.255.255.0 10.40.4.0 255.255.255.0
    access-list nonatacl extended permit ip 192.168.3.0 255.255.255.0 10.40.4.0 255.255.255.0
    access-list nonatacl extended permit ip 10.10.0.0 255.255.0.0 10.40.14.0 255.255.255.0
    access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list nonatacl extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
    access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 10.10.13.0 255.255.255.0
    ip local pool inshse-vpn-pool2 192.168.6.220-192.168.6.230 mask 255.255.255.0
    global (outside) 201 192.168.16.1-192.168.16.250
    global (outside) 202 10.201.5.145-10.201.5.158
    global (outside) 4 10.10.13.180-10.10.13.189 netmask 255.0.0.0
    global (outside) 101 interface
    global (outside) 1 x.x.x.x netmask 255.0.0.0
    global (inside) 204 10.10.13.70-10.10.13.79 netmask 255.0.0.0
    nat (inside) 0 access-list nonatacl
    nat (inside) 201 access-list NAT_TO_IDP
    nat (inside) 202 access-list inside2-vsp_nat_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    nat (dmz-vsp) 202 access-list dmz-vsp_nat_outbound
    nat (dmz-vsp) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 10.0.0.0 255.240.0.0 10.10.13.1 1
    route inside 10.40.1.0 255.255.255.0 10.10.13.1 1
    route inside 10.40.2.0 255.255.255.0 10.10.13.1 1
    route inside 10.40.3.0 255.255.255.0 10.10.13.1 1
    route inside 10.40.4.0 255.255.255.0 10.10.13.1 1
    route inside 10.40.13.0 255.255.255.0 10.10.13.1 1
    route inside 10.40.254.0 255.255.255.0 10.10.13.1 1
    route inside 172.16.0.0 255.255.0.0 10.10.13.1 1
    route inside 192.168.2.0 255.255.255.0 10.10.13.1 1
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server VPN_Auth protocol radius
    aaa-server VPN_Auth (inside) host 10.10.2.20
    timeout 5
    key *****
    no mschapv2-capable
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map L2L_MAP 50 set reverse-route
    crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
    crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
    crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
    crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
    crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
    crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 20 match address IDP_VPN
    crypto map L2L_MAP 20 set peer x.x.x.x
    crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 40 match address cp_l2l_map_40
    crypto map L2L_MAP 40 set peer x.x.x.x
    crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 60 match address nonatacl
    crypto map L2L_MAP 60 set peer x.x.x.x
    crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 80 match address outside_80_cryptomap
    crypto map L2L_MAP 80 set peer x.x.x.x
    crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
    crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
    crypto map L2L_MAP interface outside
    crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
    crypto map INSIDE_map interface inside
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp enable dmz
    crypto isakmp enable dmz-vsp
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    group-policy ihasavpn2_gp internal
    group-policy ihasavpn2_gp attributes
    dns-server value 10.10.10.52
    vpn-tunnel-protocol IPSec
    default-domain value xxxx.local
    tunnel-group ihasavpn2 type remote-access
    tunnel-group ihasavpn2 general-attributes
    address-pool inshse-vpn-pool2
    authentication-server-group VPN_Auth
    authentication-server-group (inside) VPN_Auth
    default-group-policy ihasavpn2_gp
    tunnel-group ihasavpn2 ipsec-attributes
    pre-shared-key *****
    tunnel-group ihasavpn2 ppp-attributes
    authentication ms-chap-v2
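The two log messages these threads turn on, as an added example that is not from any of the posts: a small Python parser for the %ASA-5-305013 "Asymmetric NAT rules matched" lines quoted above (in their icmp, tcp and udp forms) and for the "failed translation" messages Jouni mentions in the first thread as the sign that interface PAT has run out of ports. The message ID of the latter, %ASA-3-305006, and its wording are taken from Cisco's ASA syslog catalogue rather than from this page, and the sample lines are constructed; the summary groups 305013 hits by interface pair (which nat statements to review) and PAT failures by inside host (the input for deciding whether a PAT pool is worth it).

```python
"""Classify Cisco ASA NAT syslog messages and summarise them for troubleshooting."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# One flow endpoint: "<interface>:<ipv4>[/<port>]"; group names get a per-side prefix.
_ENDPOINT = (
    r"(?P<{p}_if>[\w.-]+):(?P<{p}_ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}})"
    r"(?:/(?P<{p}_port>\d+))?"
)

# %ASA-5-305013 (asymmetric NAT, quoted in the threads) and %ASA-3-305006 (translation
# creation failed; ID and wording assumed from Cisco's syslog catalogue, not from this page).
_NAT_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>305013|305006):\s*(?P<text>.*?)\b"
    r"(?P<proto>tcp|udp|icmp)\s+src\s+" + _ENDPOINT.format(p="src") +
    r"\s+dst\s+" + _ENDPOINT.format(p="dst") +
    r"(?:\s+\(type\s+(?P<icmp_type>\d+),\s+code\s+(?P<icmp_code>\d+)\))?"
)


@dataclass(frozen=True)
class NatEvent:
    msgid: str
    kind: str                  # asymmetric-nat | pat-exhaustion | translation-failed
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]    # None for icmp
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _int_or_none(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_nat_event(line: str) -> Optional[NatEvent]:
    """Return a NatEvent for a 305013/305006 line, None for any other message."""
    m = _NAT_RE.search(line)
    if m is None:
        return None
    if m.group("msgid") == "305013":
        kind = "asymmetric-nat"       # forward and reverse flows hit different NAT rules
    elif "portmap" in m.group("text"):
        kind = "pat-exhaustion"       # no free PAT port left on the mapped address
    else:
        kind = "translation-failed"   # static/identity/regular xlate could not be built
    return NatEvent(
        msgid=m.group("msgid"), kind=kind, proto=m.group("proto"),
        src_if=m.group("src_if"), src_ip=m.group("src_ip"),
        src_port=_int_or_none(m.group("src_port")),
        dst_if=m.group("dst_if"), dst_ip=m.group("dst_ip"),
        dst_port=_int_or_none(m.group("dst_port")),
        icmp_type=_int_or_none(m.group("icmp_type")),
        icmp_code=_int_or_none(m.group("icmp_code")),
    )


def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """by_kind: count per failure class; by_if_pair: "src_if->dst_if" for 305013
    (which interface pair's nat rules to review); pat_by_src: inside hosts hitting
    PAT exhaustion (the sizing input for an interface PAT vs. PAT pool decision)."""
    out = {"by_kind": Counter(), "by_if_pair": Counter(), "pat_by_src": Counter()}
    for line in lines:
        ev = parse_nat_event(line)
        if ev is None:
            continue
        out["by_kind"][ev.kind] += 1
        if ev.kind == "asymmetric-nat":
            out["by_if_pair"][f"{ev.src_if}->{ev.dst_if}"] += 1
        elif ev.kind == "pat-exhaustion":
            out["pat_by_src"][ev.src_ip] += 1
    return out


# Constructed sample: the three 305013 forms quoted in the threads, one assumed 305006
# line (192.168.9.55 -> documentation address 198.51.100.10) and one unrelated 302013
# line that must be ignored.
SAMPLE_LOG = [
    "Nov 12 2012 13:52:50: %ASA-5-305013: Asymmetric NAT rules matched for forward and "
    "reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 "
    "(type 8, code 0) denied due to NAT reverse path failure",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection "
    "for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT "
    "reverse path failure",
    "Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward and "
    "reverse flows; Connection for udp src outside:10.10.13.221/137 dst inside:10.10.13.255/137 denied",
    "%ASA-3-305006: portmap translation creation failed for tcp src inside:192.168.9.55/51342 "
    "dst outside:198.51.100.10/443",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.10/443 "
    "(198.51.100.10/443) to inside:192.168.9.55/51344 (203.0.113.5/20001)",
]

if __name__ == "__main__":
    for key, counter in summarize(SAMPLE_LOG).items():
        print(key, dict(counter))
```

A steady count under pat-exhaustion for the inside-to-outside pair is the evidence Jouni asks for before moving from interface PAT to a PAT pool; 305013 hits point at the interface pair whose NAT rules disagree between the forward and reverse direction.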

  • Can i use same address pool for different remote access VPN tunnel groups and policy

    Hi all,
    I want to create a different remote access VPN profile in ASA. I have one RA VPN already configured for some purpose.
    Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for a new pool)? It's a temporary requirement.
    thanks in advance
    Shnail

    Thanks Karsten.
    But I can still have filtering, right? I am planning to create a new group policy and tunnel-group and use the existing pool for the new RA, and I have to do some filtering also. For the new RA I have to restrict access to a particular server; my existing RA has full access.
    So I am planning to create new local usernames for the new RA and a new group policy with a vpn-filter access-list to apply to that user, as below. This will achieve what I need, right?
    access-list 15 extended permit tcp any host 192.168.205.134 eq 80
    username test password password test
    username test attributes
    vpn-group-policy TEST
    vpn-filter value 15
    group-policy TEST internal
    group-policy TEST attributes
    dns-server value 192.168.200.16
    vpn-filter value 15
    vpn-tunnel-protocol IPSec
    address-pools value existing-pool
    tunnel-group RAVPN type ipsec-ra
    tunnel-group RAVPN general-attributes
    address-pool existing-pool
    default-group-policy TEST
    tunnel-group Payroll ipsec-attributes
    pre-shared-key xxx

  • Hyper-V Resource Pools for Memory and CPU

    Hi all,
    I'm trying to understand the concepts and details of resource pools in Hyper-V in Windows Server 2012. It seems as if there is almost no documentation on all that. Perhaps somebody can support me here, maybe I've not seen some docs yet.
    So far, I learned that resource pools in their current implementation serve mainly for metering purposes. You can create pools per tenant and then group VM resources into those pools to facilitate resource metering per tenant. That is, you enable metering once per pool and get all the data necessary to bill that one customer for all their resources (without metering individual VMs). Is that correct?
    Furthermore, it seems to me that an ethernet pool goes one step further by providing an abstraction level for virtual switches. As far as I've understood you can add multiple vSwitches to a pool and then connect a VM to the pool. Hyper-V then decides which actual switch to use. This may be handy in a multi-host environment if vSwitches on different hosts use different names although they connect to the same network. Is that correct?
    So - talking about actually managing that stuff I've learned how to create a pool and how to add VHD locations and virtual switches to a pool. Enabling resource metering for a pool then collects usage data from all the resources inside that pool.
    But now: I can create a pool for memory and a pool for CPU. But I cannot add resources to those. Neither can I add a complete VM to a pool. Now I'm launching a VM that belongs to a customer whose resources I'm metering. How will Hyper-V know that it's supposed to collect data on CPU and memory usage for that VM?
    Am I missing something here? Or is pool-based metering only good for ethernet and VHD resources, and CPU and memory still need to be metered per VM?
    Thanks for clarification,
    Nils
    Nils Kaczenski
    MVP Directory Services
    Hannover, Germany

    Thank you for the links. I already knew those, and unfortunately they are not matching my question. Two of them are about Windows Server 2008/R2, and one only lists a WMI interface. What I'm after is a new feature in Windows Server 2012, and I need conceptional information.
    Thanks for the research anyway. I appreciate that a lot!
    In the meantime I've gotten quite far in my own research. See my entry above of January 7th. Some additions:
    In Windows Server 2012, Hyper-V resource pools are mainly for metering purposes. You cannot compare them to resource pools in VMware.
    A resource pool in Hyper-V (2012) facilitates resource metering and billing for VM usage especially in hosting scenarios. You can either measure resource usage for single VMs, or you can group existing resources (such as CPU power, RAM, virtual hard disk storage, Ethernet traffic) into pools. Those pools will mostly be assigned to one customer each. That way you can bill the customer for their resource usage in a given time period by just querying the customer's pool.
    Metering only collects aggregated data with one value per resource (i.e. overall CPU usage, maximum VHD storage, summed Ethernet traffic and so on). You can control the time period by explicitly resetting the counter at any given time (a day, a week, a month or what you like).
    There is no detailed data. The aggregate values serve as a basis for billing, not as monitoring data. If you need detailed monitoring data use Performance Monitor.
    There is currently only one type of resource pool that adds an abstraction layer to a virtualization farm, and that is the Ethernet type. You can use that type for metering, but you can also use it to group a number of virtual switches (that connect to the same network segment) and then a VM connected to that pool will automatically use an appropriate virtual switch from the pool. You need no longer worry about virtual switch names across multiple hosts as long as all equivalent virtual switches are added to the pool.
    While you can manage two types of pool resources in the GUI (VHD pools and Ethernet pools) you should only manage resource pools via PowerShell. Only there will you be able to control what happens. And only PowerShell provides a means to start, stop, and reset metering and query metering data.
    The process to use resource pools in Hyper-V (2012) in short:
    First create a new pool via PowerShell (New-VMResourcePool). (In case of a VHD pool you must specify the VHD storage paths to add to the pool in the moment you create the pool.)
    In case of an Ethernet pool add existing virtual switches to the pool (Add-VMSwitch).
    Reconfigure existing VMs that you want to measure so that they use resources from the pool. The PowerShell Set-VM* commands accept a parameter -ResourcePoolName to do that. Example:
    Set-VMMemory -VMName APP-02 -ResourcePoolName MyPool1
    Start measuring with Enable-VMResourceMetering.
    Query collected data as often as you need with Measure-VMResourcePool.
    Note that you should specify the pool resource type in the command to get reliable data (see my post above, Jan 7th).
    When a metering period (such as a week or a month) has passed, reset the counter to zero with Reset-VMResourceMetering.
    Hope that helps. I consider this the answer to my own question. ;)
    Here's some links I collected:
    http://itproctology.blogspot.ca/2012/12/hyper-v-resource-pool-introduction.html
    http://www.ms4u.info/2012/12/configure-ethernet-resource-pool-in.html
    http://blogs.technet.com/b/virtualization/archive/2012/08/16/introduction-to-resource-metering.aspx
    http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/1ce4e2b2-8fdd-4f16-8ab6-e1e1da6d07e3
    Best wishes, Nils
    Nils Kaczenski
    MVP Directory Services
    Hannover, Germany

  • How to resolve "getPooledConn: No more connections in the pool for Host"

    I am using the WL 9.1 proxy in a SunONE Web Server 6.1 (Solaris), and I regularly get this error:
    getPooledConn: No more connections in the pool for Host
    I found several postings with this error, but no reactions on how to solve this.
    In the proxy log, I see this info:
    ================New Request: [wls-app/page.do] =================
    Tue Nov 13 13:05:30 2007 <18781194955530286> CookieName is deprecated and replaced by WLCookieName
    Tue Nov 13 13:05:30 2007 <18781194955530286> Uri as read from rq (request) data structure /wls-app/page.do
    Tue Nov 13 13:05:30 2007 <18781194955530286> Uri after pathTrim /wls-app/page.do
    Tue Nov 13 13:05:30 2007 <18781194955530286> Uri resolved to /wls-app/page.do?page=messages
    Tue Nov 13 13:05:30 2007 <18781194955530286> resolveRequest return code is [0]
    Tue Nov 13 13:05:30 2007 <18781194955530286> URI=[wls-app/page.do?page=messages]
    Tue Nov 13 13:05:30 2007 <18781194955530286> INFO: SSL is not configured
    Tue Nov 13 13:05:30 2007 <18781194955530286> Found cookie from cookie header: wlsappCookie=H5TccKpNWGqfnvv2wG1znjmJkqNhMyhct0h93HDgfGnc7phpkdxW!-1488879380!864729474
    Tue Nov 13 13:05:30 2007 <18781194955530286> Parsing cookie wlsappCookie=H5TccKpNWGqfnvv2wG1znjmJkqNhMyhct0h93HDgfGnc7phpkdxW!-1488879380!864729474
    Tue Nov 13 13:05:30 2007 <18781194955530286> getpreferredServersFromCookie: [-1488879380!864729474]
    Tue Nov 13 13:05:30 2007 <18781194955530286> primaryJVMID: [-1488879380]
    secondaryJVMID: [864729474]
    Tue Nov 13 13:05:30 2007 <18781194955530286> No of JVMIDs found in cookie: 2
    Tue Nov 13 13:05:30 2007 <18781194955530286> Trying to locate Primary or Secondary using SrvrInfo with JVMID: -1488879380
    Tue Nov 13 13:05:30 2007 <18781194955530286> getPreferredFromCookie: Found Primary 10.0.0.102:8514:0
    Tue Nov 13 13:05:30 2007 <18781194955530286> Trying to locate Primary or Secondary using SrvrInfo with JVMID: 864729474
    Tue Nov 13 13:05:30 2007 <18781194955530286> getPreferredFromCookie: Found Secondary 10.0.0.101:8514:0
    Tue Nov 13 13:05:30 2007 <18781194955530286> getPreferredFromCookie: Found 2 servers
    Tue Nov 13 13:05:30 2007 <18781194955530286> attempt #0 out of a max of 5
    Tue Nov 13 13:05:30 2007 <18781194955530286> trying connect to PRIMARY '10.0.0.102'/8514/0
    Tue Nov 13 13:05:30 2007 <18781194955530286> getPooledConn: No more connections in the pool for Host[10.0.0.102] Port[8514] SecurePort[0]
    Tue Nov 13 13:05:30 2007 <18781194955530286> INFO: New NON-SSL URL
    Tue Nov 13 13:05:30 2007 <18781194955530286> Connect returns -1, and error no set to 150, msg 'Operation now in progress'
    Tue Nov 13 13:05:30 2007 <18781194955530286> EINPROGRESS in connect() - selecting
    Tue Nov 13 13:05:30 2007 <18781194955530286> Local Port of the socket is 64242
    Tue Nov 13 13:05:30 2007 <18781194955530286> Remote Host 10.0.0.102 Remote Port 8514
    Tue Nov 13 13:05:30 2007 <18781194955530286> created a new connection to preferred server '10.0.0.102/8514' for '/wls-app/page.do?page=messages', Local port: 64242
    Tue Nov 13 13:05:30 2007 <18781194955530286> WLS info : 10.0.0.102:8514 recycled? 0
    Tue Nov 13 13:05:30 2007 <18781194955530286> Adding header for WLS 'WL-Proxy-Client-Cert: ###
    ---removed client cert info---
    Tue Nov 13 13:10:30 2007 <18781194955530286> *******Exception type [READ_TIMEOUT] (no read after 300 seconds) raised at line 205 of Reader.cpp
    Tue Nov 13 13:10:30 2007 <18781194955530286> caught exception in readStatus: READ_TIMEOUT [os error=0,  line 205 of Reader.cpp]: no read after 300 seconds at line 822
    Tue Nov 13 13:10:30 2007 <18781194955530286> PROTOCOL_ERROR: Backend Server not responding - isRecycled:0
    Tue Nov 13 13:10:30 2007 <18781194955530286> *******Exception type [PROTOCOL_ERROR] (Backend Server not responding) raised at line 842 of URL.cpp
    Tue Nov 13 13:10:30 2007 <18781194955530286> got PROTOCOL_ERROR exception in sendRequest phase at line 1364; Msg: PROTOCOL_ERROR [line 842 of URL.cpp]: Backend Server not responding
    Tue Nov 13 13:10:30 2007 <18781194955530286> request [wls-app/page.do?page=messages] did NOT process successfully..................
    Does anyone know how to resolve this issue?
    Thanks,
    Cappaert Luc
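    As an added example (not code from the post or from WebLogic), the script below rebuilds the per-request timeline from proxy plug-in debug lines shaped like those quoted above and flags requests where pool exhaustion was followed by the backend never answering, the sequence the post shows. The sample log, request ids, hosts and URIs are constructed; the continuation-line handling covers lines like the post's unprefixed "secondaryJVMID" line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the proxy debug log quoted in the post (ids, hosts and URIs are sample values).
SAMPLE_LOG = """\
Tue Nov 13 13:05:30 2007 <18781194955530286> primaryJVMID: [-1488879380]
secondaryJVMID: [864729474]
Tue Nov 13 13:05:30 2007 <18781194955530286> getPooledConn: No more connections in the pool for Host[10.0.0.102] Port[8514] SecurePort[0]
Tue Nov 13 13:05:30 2007 <18781194955530286> created a new connection to preferred server '10.0.0.102/8514' for '/wls-app/page.do?page=messages', Local port: 64242
Tue Nov 13 13:10:30 2007 <18781194955530286> *******Exception type [READ_TIMEOUT] (no read after 300 seconds) raised at line 205 of Reader.cpp
Tue Nov 13 13:10:30 2007 <18781194955530286> PROTOCOL_ERROR: Backend Server not responding - isRecycled:0
Tue Nov 13 13:10:30 2007 <18781194955530286> request [wls-app/page.do?page=messages] did NOT process successfully..................
Tue Nov 13 13:05:31 2007 <18781194955530287> getPooledConn: No more connections in the pool for Host[10.0.0.101] Port[8514] SecurePort[0]
Tue Nov 13 13:05:31 2007 <18781194955530287> created a new connection to preferred server '10.0.0.101/8514' for '/wls-app/page.do?page=inbox', Local port: 64243
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) <(?P<rid>\d+)> (?P<msg>.*)$")
POOL_RE = re.compile(r"No more connections in the pool for Host\[([^\]]+)\] Port\[(\d+)\]")
TIMEOUT_RE = re.compile(r"\[READ_TIMEOUT\] \(no read after (\d+) seconds\)")
URI_RE = re.compile(r"created a new connection to preferred server '[^']+' for '([^']+)'")
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_proxy_log(text):
    """Group (timestamp, message) by request id; unprefixed lines continue the previous message."""
    requests, last = defaultdict(list), None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            last = m.group("rid")
            requests[last].append((datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")))
        elif last is not None:  # continuation line without the 'date <id>' prefix
            ts, msg = requests[last][-1]
            requests[last][-1] = (ts, msg + " " + raw.strip())
    return dict(requests)

def analyse_request(events):
    """Summarise one request: where the pool ran dry, the URI it carried, and whether the backend went silent."""
    f = {"uri": None, "pool_exhausted_on": None, "read_timeout_s": None, "backend_not_responding": False,
         "duration_s": (events[-1][0] - events[0][0]).total_seconds()}
    for _, msg in events:
        if (m := POOL_RE.search(msg)):
            f["pool_exhausted_on"] = f"{m.group(1)}:{m.group(2)}"
        elif (m := URI_RE.search(msg)):
            f["uri"] = m.group(1)
        elif (m := TIMEOUT_RE.search(msg)):
            f["read_timeout_s"] = int(m.group(1))
        f["backend_not_responding"] |= "Backend Server not responding" in msg
    return f

def analyse(text):
    """Return per-request findings and the ids where pool exhaustion was followed by an unresponsive backend."""
    findings = {rid: analyse_request(ev) for rid, ev in parse_proxy_log(text).items()}
    suspects = sorted(r for r, f in findings.items()
                      if f["pool_exhausted_on"] and f["backend_not_responding"])
    return findings, suspects
```

Requests that only exhausted the pool but got a working fallback connection (the second id in the sample) are not flagged, so the suspect list separates a backend outage from ordinary pool pressure.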

    We are seeing a similar connection pool error captured in the WL proxy log doing load testing. Is there an answer to this question of how to increase this pool size?
    Fri Jan 16 14:59:02 2009 <535212321359422334> Trying a pooled connection for '191.228.175.226/7003/0'
    Fri Jan 16 14:59:02 2009 <535212321359422334> getPooledConn: No more connections in the pool for Host[191.228.175.226] Port[7003] SecurePort[0]
    Fri Jan 16 14:59:02 2009 <535212321359422334> general list: trying connect to '191.228.175.226'/7003/0 at line 1319 for '/SIT-cccpol/PTGadget/SetCookies.jsp'
    Fri Jan 16 14:59:02 2009 <535212321359422334> INFO: New NON-SSL URL
    Fri Jan 16 14:59:02 2009 <535212321359422334> Connect returns -1, and error no set to 10035, msg 'Unknown error'
    Fri Jan 16 14:59:02 2009 <535212321359422334> EINPROGRESS in connect() - selecting
    Fri Jan 16 14:59:02 2009 <535212321359422334> Local Port of the socket is 2097
    Fri Jan 16 14:59:02 2009 <535212321359422334> Remote Host 191.228.175.226 Remote Port 7003

  • GetPooledConn: No more connections in the pool for Host

    We are receiving these types of errors in our NSAPI plugin debug logs:
    Mon Dec 15 09:29:29 2008 <267131229354969494> trying connect to PRIMARY '172.16.81.45'/7141/7142
    Mon Dec 15 09:29:29 2008 <267131229354969494> getPooledConn: No more connections in the pool for Host[172.16.81.45] Port[7141] SecurePort[7142]
    Mon Dec 15 09:29:29 2008 <267131229354969494> Connect returns -1, and error no set to 150, msg 'Operation now in progress'
    Mon Dec 15 09:29:29 2008 <267131229354969494> EINPROGRESS in connect() - selecting
    How can we increase the number of connections in the pool so that these don't happen?

  • Advantages of using laser printers for SAP SCRIPTS

    Dear Friends,
    Here the client is saying to use scripts for a dot-matrix printer, for all graphics. Can I know:
    What are the advantages of using laser printers for SAP Scripts and what are the disadvantages of using a dot-matrix printer?
    Thanks & Regards
    Hussain

  • Advantages of using laser printers for SAP SCRIPTS compare to Dot matrix

    Dear Friends
    What are the advantages of using laser printers for SAP Scripts and what are the disadvantages of using a dot-matrix printer?
    Thanks & Regards
    Hussain

  • Different connection pool for a report

    Hi experts,
    For one of my reports that uses CLOBs as explained here (http://oraclebizint.wordpress.com/2007/11/12/oracle-bi-ee-101332-working-with-clob-fields/), I need to disable parallel processing because it's not supported.
    NO_PARALLEL and NO_INDEX_PARALLEL hints at the query level couldn't disable the parallelism; the optimizer still uses it.
    I thought about having a new connection pool that contains 'before query' and 'after query' statements that will disable the parallelism. This would take me a lot of time, as I would have to rebuild the whole Presentation and Business layers to point to new physical tables.
    Does anyone have an idea about how I can use another connection pool for a specific report?
    Regards

    I have the problem. My issue is that I need to have a webservice use the 2 database connection pools I have created. Originally the pools were Non-XA. When I change them to XA I cannot get the JMS JDBC Store to work.
    java.lang.Exception: WebLogic Pool Driver doesn't support XA driver, Please change your config to use a Non-XA driver
    However, part of what you wrote below I don't understand. You said you configured a brand new JMS JDBC Store and were able to use an XA Connection Pool? I tried to delete my existing one and create it anew, but was not able to use an XA pool.
    Is there any solution around this? I need to have an XA Pool for a webservice but non-XA for my JMS Store.
    "After much digging I found documentation that you cannot configure an XA JDBC Connection Pool for use with a JMS JDBC Store: http://edocs.bea.com/wls/docs81/ConsoleHelp/jms_config.html#1128929
    The only thing is that if I configure a brand new JMS JDBC Store and make it use the XA JDBC Connection Pool (instead of just selecting the new MySQLXAConnPool from the list that includes the non XA pool) it works without an error."

  • Custom thread pool for Java 8 parallel stream

    It seems that it is not possible to specify a thread pool for a Java 8 parallel stream. If that's so, the whole functionality is useless in most situations. The only situation in which I can safely use it is a small single-threaded application written by one person.
    In all other cases, if I cannot specify the thread pool, I have to share the default pool with other parts of the application. If someone submits a task that takes a lot of time, my tasks will get stuck. Is that correct or am I overlooking something?
    Imagine that someone submits a slow networking operation to the fork-join pool. It's not a good idea, but it's so tempting that it will be happening. In such a case, all CPU-intensive tasks executed on parallel streams will wait for the networking task to finish. There is nothing you can do to defend your part of the application against such situations. Is that so?

    You are absolutely correct. That isn't the only problem with using the F/J framework as the parallel engine for bulk operations. Have a look at http://coopsoft.com/ar/Calamity2Article.html

  • Help in creating the connection pool  for Oracle 8i using Jdriver

    Hi
    I am pretty new to WebLogic and would be grateful if someone could help me out in finding the parameters to be specified in the WebLogic console for creating a connection pool for an Oracle 8i database running on Solaris. I have installed the necessary client libraries on the WebLogic machine.
    The details for my database are as follows
    database name : mydb
    database server : 173.24.24.1
    database port : 1521
    username : myuser
    I would appreciate it if you could provide me the following details to be entered in the WebLogic console for creating the connection pool:
    URL
    DRIVER CLASS NAME
    PROPERTIES
    ACL NAME
    PASSWORD
    Thanks,
    S Hari

    Hari
    JDBC Connection Pool Configuration
    URL=jdbc:weblogic:oracle
    DRIVER CLASS NAME=weblogic.jdbc.oci.Driver
    PROPERTIES
    user=myuser
    password=<password in mydb>
    server=mydb
    After configuring the Connection Pool, select the Targets tab. Select Server from Available to Chosen.
    Deepak

  • Unable to create connection pool for Oracle Apps Adapter

    Hi All,
    We are trying to create a connection pool for the Oracle Apps adapter in the 11g SOA Suite.
    However, during the process we get the following error:
    An error occurred during activation of changes, please see the log for details.
    A <jndi-name> is specified for the resource adapter bean in weblogic-ra.xml, however no <resourceadapter-class> element is specified in ra.xml
    Can anyone help us with this?
    Thanks
    Parker.

    Please refer to the section "Configuring Connection Information" at the link below:
    http://download.oracle.com/docs/cd/E17904_01/integration.1111/e10537/T430238T430340.htm#T464886
    Regards,
    Anuj
