ASA 5505 Logging Issue - Warning: Configured logging host interface conflicts with route table entry
I am getting this warning on my ASA 5505 when I try to set up logging from my off site FW to the central FW, which is a 5510. What I am trying to do is send the FW logs through the VPN Tunnel into the central 5510 to our logging server at 192.168.22.99, but allow all other traffic out the outside interface so customers can hit our web servers down there. Here is an example of my config with fake IP's. I get this error when trying to do "logging inside host 192.168.22.99". If I try to put in "logging Tunnel host 192.168.22.99" I get the "Warning:Security Level is 1" message
5505
ethe0/0
desc To LA ISP (217.34.122.1)
switchport access vlan2
ethe0/1
desc To Redwood City HQ via VPN Tunnel
switchport access vlan1
ethe0/2
desc To Internal Web Server
switchport access vlan3
VLAN1
desc Tunnel to HQ
ifinterface Tunnel
security level 1
217.34.122.3 255.255.255.248
VLAN3
desc Internal Web Server
ifinterface inside
security level 100
192.168.0.1 255.255.255.0
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0
(No access-group is performed, as I match from the crypto map instead since I have multiple sites going out of HQ - see HQ configs)
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ set peer ip 65.29.211.198
5510 at HQ
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
(again no access-group, since I have a couple other off sites)
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.34.122.3
Hi Jouni,
I have the following configs in place with fake IPs
5505
1 outside interface with security level 0 (vlan1 direct connect to isp 217.33.122.2/30) - goes to ISP
1 Tunnel interface with security level 1 (vlan 2 direct connect to isp 217.33.122.6/30) - goes to Tunnel to our 5510
1 inside interface with security level 100 (servers connected to hub, with vlan3 ip of 192.168.0.1)
access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0 - acl to 5510 inside network
route outside 0.0.0.0 0.0.0.0 217.33.122.1 - route for all traffic (except for 192.168.22.0/24) to take the outside connection
route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198 - route for 192.168.22.0 destined traffic to take the Tunnel connection
crypto map TO-HQ 10 match address LosAngeles
crypto map TO-HQ 10 set peer ip 65.29.211.198
tunnel-group 65.29.211.198 type ipsec-l2l
5510
1 outside interface with security level 0 (vlan1 direct connect to isp 65.29.211.198) - goes to isp
1 inside interface with security level 100 (vlan2 connection to corporate servers and SIP 192.168.22.0/24)
access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list OUTBOUND extended permit icmp host 217.33.122.6 host 192.168.22.99 (allows Nagios monitor to ping the DE interface
access-group OUTBOUND in interface outside
nat (inside,outside) static 192.168.22.99 interface destination static 217.33.122.6
route outside 192.168.0.0 255.255.255.0 217.33.122.6
crypto map TO-LA 20 match address LA
crypto map TO-LA 20 set peer ip 217.33.122.6
tunnel-group 217.33.122.6 type ipsec-l2l
I am mistaken on the 5510 interfaces. They do not have vlans, and the IP address is directly applied to the interfaces for outside and inside.
Similar Messages
-
Cisco ASA 5505 Failover issue..
Hi,
I am having two firewalls (cisco ASA 5505) which is configured as active/standby Mode.It was running smoothly for more than an year,but last week the secondary firewall got failed and It made my whole network down.then I just removed the connectivity of the secondary firewall and run only the primary one.when I login by console i found out that the failover has been disabled .So again I connected to the Network and enabled the firewall.After a couple of days same issue happen.This time I take down the Secondary firewall erased the Flash.Reloaded the IOS image.Configured the failover and connected to the primary for the replication of configs.It found out the Active Mate.Replicated the configs and got synced...But after sync the same thing happened,The whole network gone down .I juz done the same thing removed the secondary firewall.Network came up.I feel there is some thing with failover thing ,but couldnt fin out :( .And the firewalls are in Router Mode.Please find the logs...
Secondary Firewall While Sync..
cisco-asa(config)# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 06:01:10 GMT Apr 29 2015
This host: Secondary - Sync Config
Active time: 55 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): No Link (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 177303 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
=======================================================================================
Secondary Firewall Just after Sync ,Active (primary Firewall got rebootted)
cisco-asa# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:06:12 GMT Apr 29 2015
This host: Secondary - Active
Active time: 44 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): No Link (Waiting)
Interface mgmt (10.11.200.21): No Link (Waiting)
slot 1: empty
Other host: Primary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
==========================================================================================
After Active firewall got rebootted failover off,whole network gone down.
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
===========================================================================================
Primary Firewall after rebootting
cisco-asa# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: e0/7 Vlan3 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
Version: Ours 8.2(5), Mate Unknown
Last Failover at: 06:17:29 GMT Apr 29 2015
This host: Primary - Active
Active time: 24707 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.2(5)) status (Up Sys)
Interface outside (27.251.167.246): Normal (Waiting)
Interface inside (10.11.0.20): Normal (Waiting)
Interface mgmt (10.11.200.21): Normal (Waiting)
slot 1: empty
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: empty
Interface outside (27.251.167.247): Unknown (Waiting)
Interface inside (10.11.0.21): Unknown (Waiting)
Interface mgmt (10.11.200.22): Unknown (Waiting)
slot 1: empty
cisco-asa# sh failover history
==========================================================================
From State To State Reason
==========================================================================
06:16:43 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:29 GMT Apr 29 2015
Negotiation Just Active No Active unit found
06:17:29 GMT Apr 29 2015
Just Active Active Drain No Active unit found
06:17:29 GMT Apr 29 2015
Active Drain Active Applying Config No Active unit found
06:17:29 GMT Apr 29 2015
Active Applying Config Active Config Applied No Active unit found
06:17:29 GMT Apr 29 2015
Active Config Applied Active No Active unit found
==========================================================================
cisco-asa#
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Active None
Other host - Secondary
Failed Comm Failure 06:17:43 GMT Apr 29 2015
====Configuration State===
====Communication State===
==================================================================================
Secondary Firewall
cisc-asa# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover
Failover Off
Failover unit Secondary
Failover LAN Interface: e0/7 Vlan3 (down)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 23 maximum
ecs-pune-fw-01# sh failover h
==========================================================================
From State To State Reason
==========================================================================
06:16:32 GMT Apr 29 2015
Not Detected Negotiation No Error
06:17:05 GMT Apr 29 2015
Negotiation Disabled Set by the config command
==========================================================================
cisco-asa# sh failover state
State Last Failure Reason Date/Time
This host - Secondary
Disabled None
Other host - Primary
Not Detected None
====Configuration State===
====Communication State===
Thanks... -
ASA 5505 VPN can't access inside host
I have setup remote VPN access on a ASA 5505 but cannot access the host or ASA when I login using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct Ip address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can login but not go anywhere I feel certian I missed something.
part of config below
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
service-policy global_policy global
group-policy xxxxxxx internal
group-policy xxxxxxx attributes
banner value xxxxx Disaster Recovery Site
wins-server none
dns-server value 24.xxx.xxx.xx
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
default-domain none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value xxxxxx
smartcard-removal-disconnect enable
client-firewall none
webvpn
functions url-entry
vpn-nac-exempt none
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
address-pool xxxx
default-group-policy xxxx
tunnel-group blountdr ipsec-attributes
pre-shared-key *I get the banner and IP adress info...
This is what the client log provides...
1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 172.20.255.255
Netmask 255.255.255.255
Gateway 10.1.2.1
Interface 10.1.2.5
2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201. -
We have a Cisco 515 as a headend firewall with ~30 VPN connections to remote sites. The existing remote sites are using Cisco 506 firewalls and work fine. I am trying to setup an ASA 5505 as a rmote firewall as a future replacement for the PIX 506's. I am able to get the site to site tunnels up just fine. The issue is that once the tunnels are up I am not able to ping the inside interface of the remote ASA from the headend LAN. I am able to telnet to the ASA and run the ASDM but no ping. I am also not able to ping from the ASA to the headend LAN but I can ping from a device on the remote ASA LAN to the headend LAN. I have rebuilt the configs manually and with the ASDM with the same results. The remote Ipsec rules prtect the outside interface to headend LAN just like I do on the 506's. It is almost like the ASA will not build a tunnel from the outside interface to the remote LAN. Can anyone tell me what I am missing or what is different about the ASA over the PIX? Any help appreciated.
Thanks for your reply. This is already set allong with the following.
icmp permit any inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
When looking at the logs it looks like it builds an inbound connection and tears it down. On the PIX's it builds the inbound and outbound connection and then tears them down.
When I do an inspect on the ping packets from the remote LAN I get an interesting result.
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected -
Cisco ASA 5505 performance issues on downloads - data into the ASA from the Internet
I have having serious issues with performance on my ASA 5505s that I am testing with 9.2.3 code.
I stripped the config and removed as much stuff as I could - no VPN etc. and I am ONLY getting about 30-40Mbps downloads from sites but 95Mbps uploads???? Anyone else seeing these problems? If I remove the firewall my PC can hit 300/300Mbps to the same sites using the same switch and cable.
I installed 1Gb of mem on the ASA 5505 but it made no difference. The ASA has a UL IP Security license but I am only using and inside and outside address for these tests, no other ports configured.
Is anyone else seeing this performance problem with the 9.2.3 code? I went to this from 8.2.5 to try to resolve QOS failure bugs that I found in the 8.2.5 code. I did not expect to have a performance hit though and it is only on downloads TO the ASA from the Internet from all speed test sites that I try. Uploading speeds seem fine. No access-lists on my interfaces either...barebones config.
My FIOS and switch interfaces are fine...no errors on any interfaces and the same switch interface hits 300/300Mbps when my laptop is directly attached.
Anyone have a barebones config on their ASA 5505 that flies...I will try it on mine and see if some command somewhere (hidden) is causing the issue. I even cleared the config and started with a clean slate just in case I was missing some command from the older configs that may have impacted performance.After changing the switch with a high end switch my performance increased but I am still not happy with the throughput out of my ASA. I have about 50+ ASAs 5505s and a dozen 5510s. Most remote sites have 5505s. All my sites right now have 8.2.5-51 and I wanted to put 9.2.3 out there to solve issues I have uncovered on the 8.2.5 code with regards to QOS issues.
I get much better results using the Cisco 3750X attached to the FIOS (right around 300/300 with my laptop directly attached to the 3750x bypassing the ASA - my FIOS circuit rating is also 300/300). Going through the ASA to the same test site I get download speeds of 35 to 75. Changes randomly which really bothers me. My uploads speeds are ALWAYS faster then my download speeds. Example - best download I would ever get is 75Mb and my upload would usually hit 95Mb during the same test period.
I may have to live with it but the inconsistency is what really bothers me.
Here is the config I am currently using. Nothing going on during testing since only a single PC is attached. VPN tunnel to the main site can be up or down...doesn't seem to make any difference. PC does to site directly from outside interface of ASA...split tunneling. Even when I removed tunnels and tested with just the ASA as a firewall to the Internet I was still seeing the same inconsistencies.
Anything obviously missing - new command or anything? Xlates causing issues? -
I have a cisco asa 5505 that I am setting up VPN access too. I have multiple subnets all routed through a layer 3 switch conected to my asa. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANS (10.141.152.0/23 etc.)
Post the config of your ASA and someone will be able to assist.
-
[logging] Problems to configure logging rotation.
Hi,
I have an application .ear deployed in weblogic v10.3.1.0
This application use java.util.logging to write a log file.
fh = new FileHandler(logFileName,0,1,true);
fh.setFormatter(new XMLFormatter());
logger.addHandler(fh);
FileHandler(String pattern, int limit, int count, boolean append)
pattern - the pattern for naming the output file
limit - the maximum number of bytes to write to any one file. If this is zero, then there is no limit. (Defaults to no limit).
count - the number of files to use
append - specifies append mode
http://www.javadocexamples.com/java/util/logging/java.util.logging.FileHandler.html
logFileName is dynamic with date formated like this yyyMMdd + ApplicationName + ".log"
This file is created but I have also yyyyMMddSEC.log.1, yyyyMMddSEC.log.2, yyyyMMddSEC.log.3,...
I DON'T WANT THESE FILES_, that's why I put limit to 0, count to 1 and append to true.
This code works without jdev/weblogic but has not effect in weblogic.
Q1. Why?
So I go to Weblogic console: Domain Structure-> DefaultDomain->Logging
Log file name: logs/DefaultDomain.log
Rotation type: None
NONE
Messages accumulate in a single file.
You must erase the contents of the file when the size is too large.
Note that WebLogic Server sets a threshold size limit of 500 MB before it forces a hard rotation to prevent excessive log file growth.
But it doesn't work, Weblogic continue to create log files like this *<filename>.log.<n>*
Q2. Why?
I have also created weblogic.xml in ViewControler/WEB-INF
thanks to this documentation:
http://download.oracle.com/docs/cd/E13222_01/wls/docs103/webapp/weblogic_xml.html#wp1063199
but it doesn't work...again.
Q3. Why?
Q4. If I want applications manage themselves their log, how to deactivate the logging handler in weblogic (LogFileMBean?)
Thanks for your help.You may want to ask in the WebLogic Server - Diagnostics / WLDF / SNMP forum. They own logging.
-
ASA 5505 initial build - Failed to locate egress interface (Please help :-) )
Hi, I have just purchased a ASA 5505 and have completed the initial setup via the wizard. I am currently unable to access services on the outside of the ASA.
The error: 'Failed to locate egress interface for UDP from inside'.... appears when ever my DNS server attempts a lookup.
I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / Routing config.
If I run the packet tracer I get the error: "(no-route) no route to host", however I do have a default route configured so I suspect it maybe my NAT configuration.
Overview, 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet. I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASAs 192.168.1.0/24 network address but still allow clients to gain internet access.
Full config follows, screen shots attached, any help would be very gratefully received.
Result of the command: "sh run"
: Saved
ASA Version 9.0(1)
hostname firewall
enable password (REMOVED) encrypted
passwd (REMOVED) encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.254 255.255.255.0
interface Vlan5
no nameif
security-level 50
ip address dhcp
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server1
host 192.168.10.10
object network GoogleDNS1
host 8.8.8.8
description Google DNS Server
object network GoogleDNS2
host 8.8.4.4
description Google DNS Server
object network 192.168.10.x
subnet 192.168.10.0 255.255.255.0
object network InternetRouter
host 192.168.1.1
object-group network DM_INLINE_NETWORK_1
network-object object GoogleDNS1
network-object object GoogleDNS2
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in remark External DNS Lookups
access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:(REMOVED)
: endJust to want to be sure, can you post output from show int ip brie and show route? And try to remove your ACL for testing purpose or at least don't applied it anywhere yet.
Once done, try do another packet-tracer to 8.8.8.8 using icmp packet instead of UDP paste the whole the output here. Before doing this, add icmp any any outside command on the ASA.
I know this should have anything to do with your issue, because if ACL is the issue then you will see output being denied by ACL on the packet tracer output. Let us know the results. -
PI 7.0 - SMICM - Host Name - Conflict with other places
Hi Friends,
We have host name conflict in SMICM and in other places.
For example, in SMICM it shows the host name 'A' for HTTP protocol and it is green, where as in other places like in RZ10 (Profiles in ABAP), Exchange Profiles (Connection Parameters, Host name), in SLD and in Visual Admin the host name is mentioned as 'B'.
At present, the messages are failing in SXMB_MONI with the error "CLIENT_RECEIVE_FAILED 402 ICM_HTTP_TIMEOUT ".
When we checked the paramter "icm/host_name_full" in RZ11,it shows the empty value.
This problem comes in our quality PI system, ABAP stack.
Could you kindly clarify in SMICM for the HTTP service from where the host name is taken and displays here?
Kind regards,
Jegathees P.Connect to the operating system. Check this file (replace xxx with your SID and, if applicable, 00 with the correct instance):
C:\usr\sap\xxx\SYS\profile\xxx_DVEBMGS00_ILBNKxxx
Find this line:
icm/host_name_full = hostname.company.corp
Is this maybe empty / incorrect / incomplete?
After changing this the server needs to be restarted.
Sometimes we had strange behaviors after host name changes, which went away after going to sicf -> execute -> right-click on default host -> deactivate -> right-click again -> activate -> in the pop-up click the second activate button, which is for activating the system and all dependent entries. -
ASA 5505 Speed Issue - Help Requested if possible
Hi All,
I am wondering if anybody here can shed some light on any potential configuration issues with the configuration below (Sanitized). Current State:
1. SIte to Site VPN is up and running perfectly.
2. Client to Site VPNs work through L2PT/IPSEC and through mobile devices such as IPhone.
3. The outside interface is at line speed - approximately 5-6MBits per second.
4. When performing a download of a service pack from microsoft - Bit rate on the inside interface is approximately 1/3rd of the outside interface (A lot of loss). Interface shows no CRC errors and no input errors.
5. The outside interface shows CRC errors and INPUT errors but due to the line speed being optimal (as the client experienced via their WAN router direct (with the ASA out of the mix), have not looked in to this further. I suspect the device it is directly attached to does not auto negotiate correctly even though the interface is set to 100Mb Full Duplex.
6. Outside interface MTU is set to 1492, purposely set this way due to PPPOE over head (Please correct me if I am wrong). (Approx 8 bytes)
7. Inside Interface MTU is set to 1500, no drops or loss detected on that interface so have left it as is.
8. All inspection has been disabled on the ASA as I thought that scans on the traffic could have impaired performance.
Current Environment Traffic Flow:
1. All hosts on the network have there DNS pointed to external IP addresses currently as the DNS server is out of the mix. This usually points to DNS servers in the US. If the hosts use this, the DNS queries are performed over the site-to-site VPN but the internet traffic is routed around the VPN as the traffic is a seperate established session. Split tunneling is enabled on the ASA to only trust the internal hosts from accessing the US hosts. Everything else uses the default route.
2. The version of software on this ASA is 8.2(1). I have checked and there does not seem to be any underlying issues that would cause this type of behaviour.
3. Memory is stable at roughly 190Mb out of 512Mb
4. CPU is constant at approximately 12%.
5. WAN and INSIDE switch are Fast Ethernet and the ASA interfaces are all Ethernet - Potential compatibility issue between standards? I'm aware they should be compatible - any body that has experienced any issues regarding this would be greatly apprecaited.
Current Issues:
1. Speed on the inside interface is approximately 1/3rd of the WAN/Outside interface - download speeds are sitting at approximately 250 - 300kb (should be sitting at approximately 700-800kb).
2. Noticed that when the DC is pointed to the USA Root Domain Controller (Across the tunnel) latency is approximately 400ms average. (Performed using host name).
3. I ping the IP address of the exact same server and the latency is still 400ms.
4. Changing the DCs DNS address to 8.8.8.8, I perform the same ping to the same servers. Still 400ms.
5. I ping google.co.nz and I still get 400ms (You would expect it to route out the default gateway but session is still active for that IP on the ASA).
6. I ping 74.x.x.x (The IP from the resolution from step 5) and I get the same result.
7. I flush dns, same issue for 5/6.
8. I clear xlate on the ASA and the same issue persists.
9. I close command line, repen it, and perform the test again - latency is now back to 40 - 50ms as we would expect for non-vpn traffic.
I am currently out of ideas and would like some advice on what I have actually missed.
Things I suspect that I may need to do:
1. Upgrade IOS to latest version (Other than that - I'm out of ideas).
ASA Version 8.2(1)
hostname BLAH
enable password x.x.x.x encrypted
passwd x.x.x.x encrypted
names
name x.x.x.x BLAHPC
name 8.8.8.8 Google-DNS description Google-DNS
name 202.27.184.3 Telecom-Alien-Pri description Telecom-Alien-Pri
name 202.27.184.5 Telecom-Terminator-Sec description Telecom-Terminator-Sec
name 203.96.152.4 TelstraClearPri description TCL-PRI
name 203.96.152.12 TelstraClearSec description TCL-Sec
name x.x.x.x BLAH_Network description BLAH-Internal
name x.x.x.x DC description DC VPN Access
name x.x.x.x Management-Home description Allow RDP Access from home
name x.x.x.x SentDC description BLAHDC
name x.x.x.x Outside-Intf
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address x.x.x.x 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group pppoex
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner exec [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
banner login If you are Unauthorized to use this device, leave now. Prosecution will follow if you are found to access this device without being Authorized.
banner asdm [BLAH MANAGED DEVICE] - IF YOU ARE UNAUTHORIZED TO USE THIS DEVICE, LEAVE NOW!!!
ftp mode passive
clock timezone WFT 12
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server Google-DNS
name-server Telecom-Alien-Pri
name-server Telecom-Terminator-Sec
name-server TelstraClearPri
name-server TelstraClearSec
object-group service RDP tcp
description RDP
port-object eq 3389
object-group network BLAH-US
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network x.x.x.x
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group service Management_Access_Secure
description Management Access - SECURE
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq 4434
object-group service FileTransfer tcp
description Allow File Transfer
port-object eq ftp
port-object eq ssh
object-group service WebAccess tcp
description Allow Web Access
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service AD_Access udp
description Allow Active Directory AD ports - UDP Only
port-object eq 389
port-object eq 445
port-object eq netbios-ns
port-object eq 636
port-object eq netbios-dgm
port-object eq domain
port-object eq kerberos
object-group network DM_INLINE_NETWORK_2
group-object x.x.x.x
group-object x.x.x.x
object-group network DM_INLINE_NETWORK_3
group-object x.x.x.x
group-object x.x.x.x
object-group network BLAH_DNS
description External DNS Servers
network-object host Telecom-Alien-Pri
network-object host Telecom-Terminator-Sec
network-object host TelstraClearSec
network-object host TelstraClearPri
network-object host Google-DNS
object-group service AD_Access_TCP tcp
description Active Directory TCP protocols
port-object eq 445
port-object eq ldap
port-object eq ldaps
port-object eq netbios-ssn
port-object eq domain
port-object eq kerberos
port-object eq 88
object-group network DM_INLINE_NETWORK_4
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object x.x.x.x 255.255.255.0
network-object x.x.x.x 255.255.255.0
object-group network DM_INLINE_NETWORK_6
group-object x.x.x.x
group-object x.x.x.x
object-group network DM_INLINE_NETWORK_1
group-object x.x.x.x
group-object x.x.x.x
access-list inside_access_in remark Allow Internal ICMP from BLAH
access-list inside_access_in extended permit icmp Sentinel_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list inside_access_in remark Allow Internal ICMP to BLAH
access-list inside_access_in extended permit icmp object-group DM_INLINE_NETWORK_3 BLAH 255.255.255.0
access-list inside_access_in remark External DNS
access-list inside_access_in extended permit object-group TCPUDP BLAH 255.255.255.0 object-group BLAH_DNS eq domain
access-list inside_access_in remark Allows Web Access
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group WebAccess
access-list inside_access_in remark Allow Remote Desktop Connections to the Internet
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group RDP
access-list inside_access_in remark Allow File Transfer Internet
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 any object-group FileTransfer
access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
access-list inside_access_in extended permit udp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_4 object-group AD_Access
access-list inside_access_in remark ldap, 445, 137, 636, dns, kerberos
access-list inside_access_in extended permit tcp BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_5 object-group AD_Access_TCP
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap_65535.1 extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_6
access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-US
access-list nonat extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
access-list nonat extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-US
access-list tekvpn extended permit ip BLAH 255.255.255.0 object-group BLAH-USA
access-list tekvpn extended permit ip BLAH 255.255.255.0 x.x.x.x 255.255.255.0
access-list inbound extended permit icmp any any
access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 10.1.118.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip BLAH 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging monitor informational
logging buffered notifications
logging trap informational
logging asdm informational
logging class auth monitor informational trap informational asdm informational
mtu inside 1500
mtu outside 1492
ip local pool ipsec_pool x.x.x.x-x.x.x.x mask 255.255.255.0
ip local pool Remote-Access-DHCP x.x.x.x-x.x.x.x mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 BLAH 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable RANDOM PORT
http 0.0.0.0 0.0.0.0 outside
http x.x.x.x x.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1428
sysopt connection tcpmss minimum 48
auth-prompt prompt You are now authenticated. All actions are monitored! if you are Unauthorized, Leave now!!!
auth-prompt accept Accepted
auth-prompt reject Denied
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname **************
vpdn group pppoex ppp authentication pap
vpdn username ************** password PPPOE PASSPHRASE HERE
dhcpd auto_config outside
dhcpd address x.x.x.x/x inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server x.x.x.x source outside prefer
tftp-server outside x.x.x.x /HOSTNAME
webvpn
group-policy DfltGrpPolicy attributes
banner value Testing ONE TWO THREE
vpn-idle-timeout 300
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside_cryptomap_65535.1
user-authentication enable
nem enable
address-pools value Remote-Access-DHCP
webvpn
svc keepalive none
svc dpd-interval client none
USER CREDENTIALS HERE
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key SITETOSITE PSK
peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key CLIENTTOSITE PSK
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
authentication eap-proxy
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspect_default
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:894474af5fe446eeff5bd9e7f629fc4f
: endHi all, this post can be officially closed. The issue had nothing to do with the ASA but required a firmware upgrade on the WAN router which boosted the throughput on the external interface on the ASA to 10Mbps and the inside throughput naturally corrected itself to what was expected.
Thanks to everybody who looked at this issue.
Andrew -
ASA 5505 VPN can't access inside hosts
I have configured VPN on the 5505 using ASDM and I'm able to connect to the 5505 and the client is also getting an IP-address from the configured pool.
The Cisco VPN client shows an error in the log: AddRoute failed to add a route: code 87
CiscoNo I can't ping anything.
And here is the route -print after connection
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 48 d4 50 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1
85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10
192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10
192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1
192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10
192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10
224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10
224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10
255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1
255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1
Default Gateway: 192.168.222.101
===========================================================================
Persistent Routes:
None -
Issues while configuring java application using JDO with MS JDBC Driver 1.0
We are in the process of configuring our java application with the production version of SQL Server 2005 Java Database Connectivity (JDBC) Driver 1.0. We are facing issues getting it to work with Sun App Server using JDO concept.
After creating the data store, adding the JDBC driver to the application server classpath through console and also copying the driver into the lib directory, we are still getting the below error.
Following is the stack trace encountered while running the application
[#|2006-02-15T10:21:25.493+0530|WARNING|sun-appserver-pe8.1_02|javax.enterprise.system.container.ejb.entity.finder|_ThreadID=30;|JDO74010: Bean 'InventoryEJB' method ejbFindAllInventoryItems: problems running JDOQL query.
com.sun.jdo.api.persistence.support.JDOFatalInternalException: JDO76519: Failed to identify vendor type for the data store.
NestedException: java.sql.SQLException: Error in allocating a connection. Cause: javax.transaction.SystemException
at com.sun.jdo.spi.persistence.support.sqlstore.impl.SQLPersistenceManagerFactory.initializeSQLStoreManager(SQLPersistenceManagerFactory.java:870)
at com.sun.jdo.spi.persistence.support.sqlstore.impl.SQLPersistenceManagerFactory.getFromPool(SQLPersistenceManagerFactory.java:786)
at com.sun.jdo.spi.persistence.support.sqlstore.impl.SQLPersistenceManagerFactory.getPersistenceManager(SQLPersistenceManagerFactory.java:673)
at com.sun.jdo.spi.persistence.support.sqlstore.impl.PersistenceManagerFactoryImpl.getPersistenceManager(PersistenceManagerFactoryImpl.java:849)
at com.sun.jdo.spi.persistence.support.sqlstore.impl.PersistenceManagerFactoryImpl.getPersistenceManager(PersistenceManagerFactoryImpl.java:681)
at com.sun.j2ee.blueprints.supplier.inventory.ejb.InventoryEJB1142755294_ConcreteImpl.jdoGetPersistenceManager(InventoryEJB1142755294_ConcreteImpl.java:530)
at com.sun.j2ee.blueprints.supplier.inventory.ejb.InventoryEJB1142755294_ConcreteImpl.ejbFindAllInventoryItems(InventoryEJB1142755294_ConcreteImpl.java:146)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.sun.enterprise.security.SecurityUtil.invoke(SecurityUtil.java:147)
at com.sun.ejb.containers.EJBLocalHomeInvocationHandler.invoke(EJBLocalHomeInvocationHandler.java:185)
at $Proxy164.findAllInventoryItems(Unknown Source)
at com.sun.j2ee.blueprints.supplier.inventory.web.DisplayInventoryBean.getInventory(Unknown Source)
at org.apache.jsp.displayinventory_jsp._jspService(displayinventory_jsp.java:119)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:105)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:336)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:251)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:723)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:482)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:417)
at org.apache.catalina.core.ApplicationDispatcher.access$000(ApplicationDispatcher.java:80)
at org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:95)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:313)
at com.sun.j2ee.blueprints.supplier.inventory.web.RcvrRequestProcessor.doPost(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:767)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:132)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:185)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:653)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.process(ProcessorTask.java:534)
at com.sun.enterprise.web.connector.grizzly.ProcessorTask.doTask(ProcessorTask.java:403)
at com.sun.enterprise.web.connector.grizzly.WorkerThread.run(WorkerThread.java:55)
Can anyone help me on this issue?
Regards,
BinduI have already tried this before and this not work too, but strange that even if I use JDBC:ODBC bridge driver, the return value for output parameters are not correct, that is, only return the value that I input but not the value after executed in the procedure....
The code that I used with JDBC:ODBC bridge is as follow:
public static void main(String[] args) {
String url = "jdbc:odbc:;DRIVER=SQL Server;Persist Security Info=False;database=db;Server=sql;uid=sa;pwd=pwd";
Connection con;
ResultSet rs = null;
CallableStatement callS = null;
try {
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
} catch(java.lang.ClassNotFoundException e) {
System.err.print("ClassNotFoundException: ");
System.err.println(e.getMessage());
try {
con=DriverManager.getConnection(url);
callS = con.prepareCall("{ call dbo.CpJavaTest (?)}");
callS.registerOutParameter(1, Types.INTEGER);
callS.execute();
rs=callS.getResultSet();
int ret = callS.getInt(1);
System.out.println("return value : " + ret);
while (rs.next()) {
String f1 = rs.getString(4);
String f2 = rs.getString(5);
System.out.println(f1 + " " + f2);
} catch(SQLException ex) {
System.out.println("SQLException: " + ex.getMessage());
The value of the output parameter is same as what I inputed! Hope any one can teach me how to correct it...
Thank you very much! -
New Asa 5505... Anyway to set up behind home router with no internal DNS?
Since the home router is the DNS server, the Asa has no internal DNS which is probably the cause of no internet. Is there any way around this?
Can you not simply use the ASA as the DHCP server and include the DNS server in your DHCP configuration ?
Jon -
Cisco ASA 5505 VPN Routing/Networking Question
I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs. I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses. I would like to install a second Cisco ASA 5505 in a remote branch office as its peer.
Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center? I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible. It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices as the Data Center, allowing it to decide where the traffic should go.
What am I missing? Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?You can do it in several different ways.
One way is to tell the server that if it has traffic to network x then it needs to go to the ASA all other traffic is to head for the default gateway.
In windows this is done via the route command
do not forget to make it "persistent" otherwise the route will disapear when your reboot the server.
in unix/linux
It is also the route command
Or you can tell your "default gateway" to route that network to the ASA
Good luck
HTH -
Cisco ASA 5505 Configurations. Help... Beyond Frustrated
Hello All,
I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
hostname AMDASA
domain-name asa.(mydomain).com
enable password (encrypted)
passwd (encrypted)
interface Ethernet0/0
description TWCoutside
switchport access vlan 2
no shutdown
write mem
exit
interface Ethernet0/1
description Port1inside
switchport access vlan 1
no shutdown
write mem
exit
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.250 255.255.255.0
write mem
exit
interface Vlan2
nameif outside
security-level 0
ip address 24.39.245.36 255.255.255.240
write mem
exit
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
write mem
exit
ftp mode passive
write mem
clock timezone EST -5
clock summer-time EDT recurring
write mem
exit
dns server-group DefaultDNS
domain-name asa.adcmotors.com
write mem
exit
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-group acl_outside in interface outside
access-list acl_inside extended permit icmp any any object-group DefaultICMP
access-group acl_inside in interface inside
write mem
exit
write mem
That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!Hi our desperate friend .
First I would suggest to use the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler and for the SSL VPN you would need to install the client on the ASA and purchase additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you dont have it or dont have access to download it from cisco.com go to the person from which you purchased your ASA and ask him how to get it.
That said, I also think that your ASA lacks of some basic configuration as of now. If you are planning to use this in replacement for your current PIX. You would need to configure a default route and some basic NAT:
route outside 0.0.0.0 0.0.0.0 24.39.245.33
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
Now regarding the VPN Client configuration you would need to something like this:
Create an isakmp policy:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Create a couple of ACLs that we will use later:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split_tun standard permit 192.168.0.0 255.255.255.0
Create a Pool for the VPN Clients to use:
ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
Create a Group Policy:
group-policy TEST internal
group-policy TEST attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tun
Create a group:
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
address-pool TestPool
authentication-server-group ABTVPN
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key cisco123
Create crypto map and do a NAT 0:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
nat (inside) 0 access-l nonat
Finally create a user that you will use to connect:
username test password test123
Then you would need to configure your VPN Client to connect with the ASA.
Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
I hope this helps. Feel free to ask if you have any questions. Also it would very usefull if you could upload the current config (show run) of the ASA in case you need to ask something else.
Have fun.
Raga
Maybe you are looking for
-
APPCRASH on Windows Vista 32-Bit
This has been happening for awhile now and is really getting under my skin. My computer is free of viruses and spyware (I'm a computer pro) and yet I still cannot figure this out or find a solution. Every time I plug in my iPod to sync it on my Windo
-
Interactive reporting power user create wizard
Hi, i have configured interactive reporting in CRM 7.0. I have SAP_CRM_OR_ADMIN and SAP_CRM_OR_ACTIVATE and SAP_CRM_OR_USER roles assigned to power user. i am able to assign work centers Report_sch to CRM_MASTER_PROFILE_ALL and in generic OP mapping
-
R: (forte-users) How can I write numbers with 7 digit in aListView?
-
I have a 2011 Macbook Pro. I'm trying to burn an iMovie trailer onto a DVD that will play on a TV. When I follow the directions and go to share, my computer can't find iDVD. Help?
-
Updating thumbnails and the disappearing iPhoto library
i was greeted with a message asking if I wanted to updated my thumbnails in iPhoto 08 earlier today. When I selected "yes", every photo I had vanished. I can still find them on my hard drive, but, I recently spent a good amount of time creating event