ASA - What is allowing return HTTP traffic?
Hi,
I'm just playing around with a few ASAs and wondering what allows return HTTP traffic into the firewall? Also, what other traffic is allowed by default, like HTTP?
Traffic is originating from a higher security interface (inside, 100) to a lower security interface (outside, 0). There are no ACLs applied on any interface.
I'm asking because ICMP doesn't work unless inspection is turned on (service-policy global_policy global).
Thanks for any help.
Firewalls like the ASA are stateful, so for TCP and UDP (although with UDP, state is handled a little differently), if traffic is allowed one way it is automatically allowed back.
So when a connection is initiated, if it is allowed through the firewall, an entry is made in the state table, and when the return packet arrives at the firewall, if there is a matching entry the traffic is allowed and there is no ACL check.
The entry is keyed on source and destination IP addresses and port numbers, and for TCP it also uses the connection flags.
ICMP doesn't use ports, so originally it could not be treated statefully and you had to allow it back in with an ACL (if traffic was from a lower to a higher security level).
But then stateful inspection was added for ICMP as well; you still need to enable it, unlike for TCP and UDP.
Jon
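To make the state-table behaviour Jon describes concrete, here is a small Python model of it, added as an example here (it is not Cisco code and not part of the original thread). It assumes two interfaces, inside at security level 100 and outside at 0, with no ACLs unless one is passed in, and it models only the pieces the thread talks about: TCP/UDP flows keyed on addresses and ports, a bare TCP SYN treated as a new connection attempt, and ICMP echo request/reply keyed on the identifier field, which only gets a state entry when ICMP inspection is enabled. The traffic in `demo()` is constructed.

```python
from dataclasses import dataclass, field

# Assumed interface security levels (inside 100, outside 0), as in the question.
SECURITY_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0             # for icmp this carries the echo identifier
    dport: int = 0
    in_iface: str = "inside"
    out_iface: str = "outside"
    syn: bool = False          # tcp flags (only the two the model needs)
    ack: bool = False
    icmp_type: int = 8         # 8 = echo request, 0 = echo reply


@dataclass
class StatefulFirewall:
    inspect_icmp: bool = False
    # Optional ACLs: ingress interface -> list of (proto, dst_ip or "any", dport or 0 for any)
    acl: dict = field(default_factory=dict)
    conns: set = field(default_factory=set)   # the state (connection) table

    @staticmethod
    def _key(p: Packet):
        if p.proto == "icmp":
            return ("icmp", p.src, p.dst, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        if p.proto == "icmp":
            return ("icmp", p.dst, p.src, p.sport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        new_tcp_attempt = p.proto == "tcp" and p.syn and not p.ack
        # 1. Return (or continuing) traffic of a tracked connection is permitted
        #    from the connection table; no ACL lookup happens.
        if not new_tcp_attempt and (
            self._reverse_key(p) in self.conns or self._key(p) in self.conns
        ):
            return "permit (connection table)"
        # 2. New connection: an ACL on the ingress interface decides if present,
        #    otherwise higher->lower security is allowed and lower->higher is not.
        rules = self.acl.get(p.in_iface)
        if rules is not None:
            allowed = any(
                proto == p.proto and dst in (p.dst, "any") and dport in (p.dport, 0)
                for proto, dst, dport in rules
            )
        else:
            allowed = SECURITY_LEVEL[p.in_iface] > SECURITY_LEVEL[p.out_iface]
        if not allowed:
            return "deny (implicit)"
        # 3. Record the flow so the reply can come back. ICMP only gets an entry
        #    when ICMP inspection is on; otherwise the echo reply is on its own.
        if p.proto != "icmp" or self.inspect_icmp:
            self.conns.add(self._key(p))
        return "permit (new connection)"


def demo(inspect_icmp: bool = False) -> list:
    """Constructed traffic: an outbound HTTP connection and its reply, an
    unsolicited inbound SYN, and an outbound ping with its echo reply."""
    fw = StatefulFirewall(inspect_icmp=inspect_icmp)
    flows = [
        Packet("tcp", "192.168.1.10", "203.0.113.5", 51000, 80, syn=True),
        Packet("tcp", "203.0.113.5", "192.168.1.10", 80, 51000, "outside", "inside",
               syn=True, ack=True),
        Packet("tcp", "198.51.100.7", "192.168.1.10", 40000, 80, "outside", "inside", syn=True),
        Packet("icmp", "192.168.1.10", "203.0.113.5", sport=0x1234, icmp_type=8),
        Packet("icmp", "203.0.113.5", "192.168.1.10", sport=0x1234,
               in_iface="outside", out_iface="inside", icmp_type=0),
    ]
    return [fw.process(p) for p in flows]


if __name__ == "__main__":
    for state, label in ((False, "no icmp inspection"), (True, "icmp inspection on")):
        print(label, demo(state))
```

With `inspect_icmp=False` the echo reply is the only packet of the five that is denied, which is the symptom in the question; turning inspection on gives the echo request a state entry and the reply then matches it exactly as the HTTP SYN-ACK does.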
Similar Messages
-
ASA 5510 not allowing some https traffic
I have two ASA 5510s in a failover bundle. I have a weird issue right now, where a site (https) is apparently getting blocked behind the firewall. If I browse to the site, it just spins, then says the page could not be displayed. I can ping the IP address, and I can browse to the http version of the page, but I cannot browse to the https site. If I plug into the DMZ on the outside of the firewall, I can see the page no problem. There is something in the ASA that is blocking it. We certainly allow 443 out, and use https heavily, all the time. It's just this one site, which is weird, because I know ASAs don't do deep packet inspection. Can anyone think of what would be causing this?
Well, we figured this out. It actually wasn't the firewall. It was DNS resolution. This particular site's DNS was all messed up. When I was on the DMZ, I changed to another DNS server, which hadn't updated yet. External DNS tests were all returning either no records or just the generic Network Solutions IP, which would give you a landing page. We used the hosts file to get around it until they fixed their DNS pointers.
-
MPF ASA for Web Filtering. Https traffic
SOURCE: https://supportforums.cisco.com/docs/DOC-1268#Allow_specific_urls
Hi all,
I have the following configuration in my ASA, based on guidelines from the above source, to allow only certain sites in my home and block all requests to http and https sites. However, requests to HTTP sites are being blocked but not to HTTPS. Only one host in the network can access all sites.
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq www
access-list WEBFILTER extended deny tcp host 192.168.254.115 any eq https
access-list WEBFILTER extended permit tcp any any eq www
access-list WEBFILTER extended permit tcp any any eq https
regex allowex1 "website1\.com"
regex allowex2 "website2\.com"
class-map type inspect http match-all allow-url-class
match not request header host regex allowex1
match not request header host regex allowex2
class-map allow-user-class
match access-list WEBFILTER
policy-map type inspect http allow-url-policy
parameters
class allow-url-class
drop-connection
policy-map allow-user-url-policy
class allow-user-class
inspect http allow-url-policy
service-policy allow-user-url-policy interface inside
HOW can the HTTPS traffic be also blocked in the above configuration? What am I missing?
Thanks in advance for your help
Juan
Is it even possible for MPF ASA to inspect and filter HTTPS traffic? I do not even see it in the options:
(config)# class-map type inspect ?
configure mode commands/options:
dns Configure a class-map of type DNS
ftp Configure a class-map of type FTP
h323 Configure a class-map of type H323
http Configure a class-map of type HTTP
im Configure a class-map of type IM
sip Configure a class-map of type SIP
-
Allow only http traffic on iphone
Creating a mobileconfig file to allow our company iPhones to access our APN, but we only want HTTP-only traffic to use this. Anyone know the payload to use in the XML?
Do you know of any ways of manually editing the mobileconfig file to configure HTTP-only proxies?
-
Hi, I'm a student studying MPF atm, and I was just wondering about the parameters (request args regex, request body length, etc.) that http provides. I looked up and went through some resources and information on the Cisco website, but it was difficult to understand all of these parameters.
How does the ASA match up with HTTP traffic? Are these parameters located in the HTML (body, Java, ActiveX)? Where are they located?
Thanks in advance!!!
Hello Terry,
The first thing to understand when we are talking about inspection at layers 5 to 7 (in this case HTTP) is that, in order for it to work, the client has to be on one ASA interface and the server needs to be on another one; this allows the ASA to investigate the HTTP session.
Now you are asking about how the ASA is going to match that traffic. Well, with the policy-map type inspect we decide what to match (the HTTP request, response, etc.). We can use different things to do it; just as an example, we can create a regular expression that matches www.cisco.com (\.cisco\.com) and then let the ASA know that it matches the header of the HTTP packet using that particular rule, and then we will be able to block cisco.com, as an example.
You can also match the URI, etc., and then apply the right HTTP inspection parameter.
Please rate helpful posts.
Regards,
Julio
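As an added example for the two MPF threads above (Juan's web-filter configuration and Julio's description of regex matching on the HTTP request header), here is a Python sketch, not Cisco code and not from either post, of the decision an HTTP inspection class like `allow-url-class` makes on the first bytes a client sends. It assumes the class-map semantics shown in Juan's configuration (`match-all` over two `match not ... regex` lines, so a Host header matching neither allow regex is dropped) and uses constructed request bytes. It also shows what happens when the same bytes are a TLS record: the HTTP request, and with it the Host header, sits inside the encrypted session, so a plaintext-header regex never gets anything to match.

```python
import re

# Allow regexes as in Juan's configuration (regex allowex1 / allowex2).
ALLOW_REGEXES = [re.compile(r"website1\.com"), re.compile(r"website2\.com")]

# Constructed client payloads (not captured traffic).
HTTP_TO_ALLOWED_SITE = b"GET / HTTP/1.1\r\nHost: www.website1.com\r\nUser-Agent: demo\r\n\r\n"
HTTP_TO_OTHER_SITE = b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
# First bytes of a TLS handshake: content type 0x16, version 0x0301, then the record body.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"


def parse_http_request(payload: bytes):
    """Return (method, target, headers) for a plaintext HTTP/1.x request, else None."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                      # no complete header block present
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers


def is_tls_record(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake) followed by major version 3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def inspect_http_decision(payload: bytes, allow_regexes=ALLOW_REGEXES) -> str:
    """Mimic 'class-map type inspect http match-all' with 'match not request
    header host regex' lines and a drop-connection action."""
    req = parse_http_request(payload)
    if req is None:
        kind = "tls-handshake" if is_tls_record(payload) else "not-http"
        return f"no match ({kind}: request header not visible to inspect http)"
    host = req[2].get("host", "")
    # match-all: every "match not regex" must hold, i.e. the host matches none
    # of the allow regexes; only then does the drop-connection action fire.
    if not any(r.search(host) for r in allow_regexes):
        return "drop-connection"
    return "allow"


if __name__ == "__main__":
    for name, payload in (("allowed site", HTTP_TO_ALLOWED_SITE),
                          ("other site", HTTP_TO_OTHER_SITE),
                          ("https client hello", TLS_CLIENT_HELLO)):
        print(f"{name:>18}: {inspect_http_decision(payload)}")
```

The third case is the one Juan's configuration runs into: an HTTPS connection carries no plaintext request line or Host header for `inspect http` to evaluate, so the class never matches and the connection is left to the plain ACL decision, which here permits port 443.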
Cisco ASA CSC HTTPS Traffic Filtering
Hello,
I am interested in how HTTPS filtering works on the ASA CSC module. When HTTPS filtering is enabled, should I import any certificate into the CSC which is trusted by users? And what procedures should I complete to enable HTTPS filtering?
Hello,
Here is the configuration guide for https filtering. I hope it helps:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc4.html#wp1098125
Regards,
Felipe.
-
WSA blocking HTTPS traffic -allowing HTTP
We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers. The local network design is as follows:
WLC5508 (Foreign) >> WLC5508 (Anchor) >> ACE20 Context >> WSA 170 >> FWSM >> Internet
Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
HTTP traffic works fine, HTTPS traffic fails. The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiate to use TLSv1, then the error below is shown.
Fails
57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
I have seen this error posted before but no resolution. I'm sure this is a config problem, but cannot figure why or where!
Any ideas, thoughts or help would be great...
Cheers
Hi axa,
This is an access policy blocking the SSL traffic, based on the TCP_DENIED_SSL / 403. Also, I would suspect that you do not have HTTPS proxy enabled, which would be required since you're not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
Message was edited by: Erik Kaiser
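As an added example (not Cisco or WSA code, and not from the thread), here is a Python parser for the access-log layout the post shows, picking out the fields Erik's reply is reading: the result code and HTTP status (`TCP_DENIED_SSL/403`) and the decision tag (`BLOCK_ADMIN-HTTPS-NonLocalDestination-...`). The sample lines are constructed to follow the posted format, two abbreviated from the post's own lines and one made-up allowed HTTP request for contrast; the positional field names are assumed from the posted lines, and the angle-bracket scanning field is carried through unparsed.

```python
from collections import Counter

# Constructed sample modelled on the access log lines in the post above: the
# first two abbreviate the posted CONNECT and denied GET, the third is a made-up
# allowed HTTP request so the filter has something to skip.
SAMPLE_LOG = """\
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 cs-version= 0 c-port= 54931 cs-bytes= 0
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 cs-version= 1 c-port= 54931 cs-bytes= 598 cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
1357666020.101 15 192.168.244.2 TCP_MISS/200 1843 GET http://www.example.com/ - DIRECT/www.example.com text/html DEFAULT_CASE_11-DefaultGroup-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 80 cs-version= 1 c-port= 54940 cs-bytes= 412
"""

# Positional fields assumed from the posted lines. Only the leading fields are
# split positionally, because the quoted user-agent later in the line contains
# spaces.
FIELDS = ("timestamp", "elapsed_ms", "client_ip", "result", "bytes", "method",
          "url", "username", "hierarchy", "content_type", "decision_tag")


def parse_access_log_line(line: str):
    """Split one access log line into a dict; returns None for short or blank lines."""
    parts = line.split(None, len(FIELDS))
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    result, _, status = rec["result"].partition("/")
    rec["result"] = result                      # e.g. TCP_DENIED_SSL
    rec["status"] = int(status) if status.isdigit() else None
    rec["timestamp"] = float(rec["timestamp"])
    # The leading component of the decision tag is the ACL decision (BLOCK_ADMIN, ...)
    rec["acl_decision"] = rec["decision_tag"].split("-", 1)[0]
    return rec


def find_ssl_denials(log_text: str) -> list:
    """Return records where the proxy denied a request with TCP_DENIED*/403."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_log_line(line)
        if rec and rec["result"].startswith("TCP_DENIED") and rec["status"] == 403:
            hits.append(rec)
    return hits


def denial_summary(log_text: str) -> dict:
    """Count denials per ACL decision: the quickest way to see which policy fires."""
    return dict(Counter(r["acl_decision"] for r in find_ssl_denials(log_text)))


if __name__ == "__main__":
    for r in find_ssl_denials(SAMPLE_LOG):
        print(r["client_ip"], r["result"], r["status"], r["url"], r["decision_tag"])
    print(denial_summary(SAMPLE_LOG))
```

Run against a real accesslog export, the summary shows at a glance whether the denials come from an admin access policy (a `BLOCK_ADMIN...` tag, as in the post) or from something else, which is the distinction Erik's reply draws before pointing at the HTTPS proxy setting.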
ASA 5505 NAT rules blocking inside traffic
Previous attempts to set up these NAT rules have been met with minimal success. We have been able to get the NAT rules created, and are able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to the servers is being allowed though. In an effort to start over again, the Cisco ASA has been factory defaulted via the CLI, and has had its inside network and outside IP address set back up. A DHCP pool has been set up for a minimal number of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
Embarq : Network xxx.xxx.180.104
Gateway: xxx.xxx.180.105
Subnet Mask: 255.255.255.248
Our Static IP's: xxx.xxx.180.106 to xxx.xxx.180.110
Cisco Pix for VPN tunnels : xxx.xxx.180.107 outside IP
used for DataBase Servers : 100.1.0.2 Inside IP/ Gateway 2
Cisco ASA 5505: xxx.xxx.180.106 outside IP
all other traffic : 100.1.0.1 Inside IP/ Gateway 1
Inside Network: 100.1.0.0/24
Application Server: 100.1.0.115 uses Gateway 1
BackUp AppSrvr: 100.1.0.116 uses Gateway 1
DataBase Server: 100.1.0.113 uses Gateway 2
BackUp DBSrvr: 100.1.0.114 uses Gateway 2
Cobox/Receiver: 100.1.0.140
BackUp Cobox: 100.1.0.150
Workstation 1: 100.1.0.112
Workstation 2: 100.1.0.111
Network Speaker1,2,3,4: 100.1.0.125 to 100.1.0.128
Future Workstations: 100.1.0.0/24
1. Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
2. All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
3. All Workstations/Network Speakers need to be able to communicate with all four servers, and the Cobox/Receiver.
4. The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login securely and edit their account info.
5. The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule created NAT'ing them to xxx.xxx.180.109.
A. The xxx.xxx.180.109 NAT rule needs to allow ALL UDP traffic TO and FROM ANY outside IP address.
B. The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
6. The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
A. The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
B. The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
7. Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
8.
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 100.1.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.180.106 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object icmp
protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object icmp
protocol-object udp
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
static (inside,outside) xxx.xxx.180.109 access-list inside_nat_static_1
static (outside,inside) 100.1.0.115 access-list outside_nat_static_1
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 100.1.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 100.1.0.5-100.1.0.15 inside
dhcpd dns 71.0.1.211 67.235.59.242 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
call-home reporting anonymous
Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
: end
no asdm history enable
OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
In the meantime I will Close and Rate this post for now so others can get this info also.
If we have any further issues after the upgrade, then I will open a new post.
Thanks again. We knew it was something simple. Not sure how we overlooked that, but hey, we're getting somewhere now.
-
How to return "HTTP/1.0 401 Authorization Required" from OSB's Message Flow
How can I return "HTTP/1.0 401 Authorization Required" header from OSB's Message Flow?
Using "HTTP Transport -> Authentication" is not possible, because I need a flow condition. The Transport Headers activity from the design palette doesn't allow sending such headers.
Practical usage: request for a Kerberos ticket by sending two headers: 401 and WWW-Authenticate: Negotiate...
Can you briefly expand the use case for better understanding?
HTTP Client ---> handshakes or whatever ----> HTTP Proxy (OSB) ---> Pipeline ----
The philosophy behind the pipeline is that it is designed to work on the request. Correct me if I'm wrong.
What you are asking for is the ability to control the handshake either in the Pipeline or in some way during proxy configuration. Unfortunately there is no configuration exposed for HTTP proxies in OSB to control that behavior.
Manoj
-
Kerberos encryption for HTTP traffic
Hello
I am writing a client for the WinRM service (Windows Vista). This service uses the SOAP protocol for communication.
And I cannot make a subscription for Windows events using the Push method.
The issue is that when I try to make an event subscription, Vista tries to test the connection with my server, but I don't know what I should send back in response to the Vista WinRM test connection request... :(
I didn't find it in MSDN.
Subscription request is:
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ew="http://www.example.com/warnings'" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://www.w3.org/2001/XMLSchema">
<env:Header>
<a:To s:mustUnderstand="true">HTTP://winrmcient:80/wsman/</a:To>
<w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</w:ResourceURI>
<a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/eventing/Subscribe</a:Action>
<a:MessageID s:mustUnderstand="true">uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:MessageID>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<w:MaxEnvelopeSize>262144</w:MaxEnvelopeSize>
<w:Locale xml:lang="en-US"/>
<w:OperationTimeout>PT5M0.000S</w:OperationTimeout>
<w:OptionSet>
<w:Option Name="ReadExistingEvents" mustComply="false"/>
<w:Option Name="ContentFormat">RenderedText</w:Option>
</w:OptionSet>
</env:Header>
<env:Body>
<e:Subscribe>
<e:Delivery e:Mode="http://schemas.xmlsoap.org/ws/2004/08/eventing/DeliveryModes/Push">
<e:NotifyTo>
<a:Address>http://Antares:443</a:Address>
</e:NotifyTo>
</e:Delivery>
<e:Expires>PT12H0M0.000S</e:Expires>
<w:Filter>
<QueryList>
<Query Path="Security">
<Select>*</Select>
</Query>
<Query Path="System">
<Select>*</Select>
</Query>
<Query Path="Application">
<Select>*</Select>
</Query>
</QueryList>
</w:Filter>
<w:SendBookmarks/>
</e:Subscribe>
</env:Body>
</env:Envelope>
WinRM connection test request is request with empty content length and with header:
Host=[Antares:443], Content-type=[application/soap+xml;charset=UTF-16], Content-length=[0], Connection=[Keep-Alive], Authorization=[Kerberos ...], User-agent=[Microsoft WinRM Client]
I tried to send empty response(with the same test request header) for test request but it doesn't take any effect.
WinRM subscription response is:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xml:lang="en-US">
<s:Header>
<a:Action>http://schemas.xmlsoap.org/ws/2004/08/eventing/fault</a:Action>
<a:MessageID>uuid:B83898C7-9F93-4E7A-8C8C-B72C7D189908</a:MessageID>
<a:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:To>
<a:RelatesTo>uuid:a4b86ede-32d0-4a28-91f5-bc8f36bfca22</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<env:Code xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value>e:EventSourceUnableToProcess</s:Value>
</s:Subcode>
</env:Code>
<env:Reason xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<s:Text xml:lang="en-US">The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </s:Text>
</env:Reason>
<s:Detail>
<w:FaultDetail>http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/UnusableAddress</w:FaultDetail>
<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858901" Machine="">
<f:Message>The connectivity test from the push subscription source to the client failed. This can happen if the client machine initiating the push subscription is unreachable from the server machine where the event source is located. Possible reasons include firewall or some other network boundary. Modify subscription to use Pull based subscription. </f:Message>
</f:WSManFault>
</s:Detail>
</s:Fault>
</s:Body>
</s:Envelope>
In WinRM documentation I see:
Note: HTTP traffic by default only allows messages encrypted with the Negotiate or Kerberos SSP.
But I use a simple Java HttpConnection and there are no references to Kerberos in the JavaDoc for this class... :(
One more thing: I use BASIC authentication.
Does anybody know what I should send back for the connection test request?
Sorry, I forgot to set the "java.security.krb5.conf" and "java.security.auth.login.config" properties.
But after I set these properties I've got another exception:
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(SpNegoMechFactory.java:109)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
at com.symantec.cas.ucf.sensors.ws_management.WSServer.start(WSServer.java:132)
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
... 28 more
But it seems to me that I've set login module correctly:
// JAAS entry as posted, with the missing closing "};" added. Note that the acceptor
// (server) side, per the Krb5AcceptCredential stack trace above, looks up the entry
// named com.sun.security.jgss.krb5.accept rather than ...initiate.
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=false useTicketCache=false;
};
May be I missed something...
What do you think about it?
-
Transparent wsa and https traffic
folks
I'm deploying an S300V in transparent mode and using WCCP.
I have a single policy allowing HTTP and HTTPS.
HTTP works fine but HTTPS doesn't.
I can see both sets of requests go out through my outer firewalls, but the HTTPS handshake doesn't get past the client hello.
The VM is being used on a guest wifi network, so clients won't be authenticated, won't have a common root certificate, and I don't want to decrypt traffic.
TAC are telling me I need to enable the HTTPS proxy, but I can't, as clients won't have the root certificate required.
Do I need to use the HTTPS proxy?
Thanks to anyone taking the time to reply
Ken,
If I don't want to decrypt HTTPS but still want the traffic to be inspected for URL and web reputation, do I need to upload a root certificate still? I would have assumed not, as I do not want to decrypt HTTPS, but the GUI doesn't allow me to enable HTTPS Proxy without uploading a certificate; basically I cannot "Enable HTTPS Proxy" and submit without a cert.
Basically what I just want to do is just pass through the HTTPS traffic to be check against the Access policies that the HTTP is being checked against.
Is this viable? If so can you let me know how I can achieve the above?
Thanks
-
Hi,
We are facing the following error while trying to access the given Windows Azure Pack Public tenant API to query the virtual machines list along with network adapter details -
java.io.IOException: Server returned HTTP response code: 500 for URL: https://<hostname>:30006/<subscription-id>/services/systemcenter/vmm/VirtualMachines?$expand=VirtualNetworkAdapters&$top=10000&$skip=0
The response is proper when we access the following URL -
https://<hostname>:30006/<subscription-id>/services/systemcenter/vmm/VirtualMachines
Only on adding the $expand=VirtualNetworkAdapters, url parameter we are getting the above error.
Where can we check for the error logs on the Azure Pack server ? We checked for the logs using Windows Event Viewer but did not find any for the public tenant API.
What should be the cause for such an error and how can we fix this to get the proper data?
Thanks in advance.
Yes, we tried this, $top=10&$skip=0 works for the following url
https://<hostname>:30006/<subscription-id>/services/systemcenter/vmm/VirtualMachines?$top=10&$skip=0
It is only when we add $expand=VirtualNetworkAdapters,
the server returns the mentioned error response -
URL for which the server returns the 500 error -
https://<hostname>:30006/<subscription-id>/services/systemcenter/vmm/VirtualMachines?$expand=VirtualNetworkAdapters&$top=10&$skip=0
Can you point to the error logs for Windows Azure Pack and SPF?
-
I have this code for a long time and it always works:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;

URL url = new URL("http://www.infoamistades.net/load.do");
URLConnection urlConnection = url.openConnection();
// request headers as originally set
urlConnection.setRequestProperty("Content-Type", "text/html; charset=utf-8");
urlConnection.setRequestProperty("Accept-Charset", "utf-8");
// getInputStream() is the call that throws the IOException when the server answers 500
BufferedReader bin = new BufferedReader(new InputStreamReader(urlConnection.getInputStream(), "utf-8"));
but....suddenly I always have the java.io.IOException: Server returned HTTP response code: 500 (?!?!?)
using this URL works properly
URL url = new URL("http://www.infoamistades.net/");
but now it doesn't work with URL url = new URL("http://www.infoamistades.net/load.do");
and putting this address into the browser it works, of course..
no changes at the server, no firewalls.. (?!?!)
thanks,
Hi,
Actually I am also having exactly same problem that you mentioned, I am new to the world of servlets. I could not get what you mean by "put variable in the request" Please tell me exactly what to do to solve this problem.
Someone please help.........
-
Segmentation Error : Server returned HTTP response code: 500 for URL
Hi,
when we do customer segmentation in Applet Java Builder, we create a target group using 2 or more criterion, then it prompts us an error "Communication Error" - Server returned HTTP response code: 500 for URL: http//xxxxxxxxxxx/bc/bsp/sap/CRM_MKTTG_SEGAP/communication.do
we're in CRM 7.0 SP 6.
What we have done
- activated the service CRM_MKTTG_SEGAP
- implement sap note 1481289, 1359890, 1161753
any info is really appreciated.
Thanks
JD
HI,
The communication error occurs because two active versions of the segment builder jar files are present; deleting the older version resolves this issue.
Go to SE80, select the BSP Application CRM_MKTTG_SEGAP, check segmentbuilder.jar (Segment Builder Applet) under the MIME folder, check the size and delete the older version.
Regards,
Satish Bondu
-
Server returned HTTP response code: 500.. i need help
I have this applet that communicates with a servlet.. When the applet connects to the servlet, I get the Server returned HTTP response code: 500 error.. When I am testing on my own PC, everything is fine.. When I tried deploying it on a server, the error occurs.. I do not have any idea what is wrong.. please help
Sir, what do you mean by trace?
Here is what I got from the Java console..
java.io.IOException: Server returned HTTP response code: 500 for URL: http://mental_boi.s46.eatj.com/myServlet/loadMap?action=load&fileName=http://mental_boi.s46.eatj.com/CityNavigator/mapSpain.svg
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at edu.citynavigator.map.editor.MapEditor.loadMap(MapEditor.java:685)
at edu.citynavigator.map.editor.MapEditor.init(MapEditor.java:130)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.lang.NullPointerException
at java.io.StringReader.<init>(Unknown Source)
at edu.citynavigator.map.editor.MapEditor.stringToSVG(MapEditor.java:703)
at edu.citynavigator.map.editor.MapEditor.init(MapEditor.java:131)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
and does the applet have to be signed?
Message was edited by:
hardcoder