ASA5505 blocking return traffic
Our network has slowed to a crawl and upon investigation it looks as if the ASA5505 is blocking returning traffic. The syslog is full of these from legitimate sites:
2013-08-30 16:58:01 local4.critical 192.168.1.254 Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK on interface outside\n
2013-08-30 16:58:03 local4.critical 192.168.1.254 Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK on interface outside\n
I'm not really sure where to go next so any help would be appreciated.
We are also using Websense. I have a 'filter except' exception for the above examples (207.131.246.15) for both http and https. I have also reduced MTU to 1472 on the outside just to test. I also upgraded from 256 to 512 memory thinking maybe it was being stressed.
It seems to work for a while and then out of nowhere shuts everyone down from wherever they are browsing and then about 20 seconds to a minute later it starts up again.
I'm not really sure where to go next.
I have attached (what I hope is) a scrubbed config.
Thank you.
I looked for asymmetric routing. We have one other router attached to the internet but that just does VPN to a datacenter and has a specific route set up on the gateway for it. Nothing else should be getting to it other than the single IP address routed to it.
It seems to be affecting any IP address that needs a persistent connection. As an example, I had to download Chrome to a PC this morning and it kept losing connection about 50% through the download. So from my experiments what I can tell is that it makes the first connection no problem, but quickly dies after that and a new connection has to be made. Also, when this happens the IP address being accessed shows up in the "SYN Attack" list in ASDM. I have attached an image of the issue. The number one item on the list is a website we use all day long.
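A triage sketch for the %ASA-2-106001 lines quoted above, added here as an example and not part of the original post: it separates denials that carry ACK/PSH/FIN flags (packets for a flow the firewall holds no state for) from bare SYNs (new inbound attempts) and summarises them per remote endpoint. The sample log is constructed in the post's format with placeholder destination addresses, and the two-way classification is a heuristic assumed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the lines quoted in the post. Destination
# addresses are documentation-range placeholders; the last two lines are
# invented for contrast (a bare SYN, and an unrelated message ID).
SAMPLE_LOG = r"""
2013-08-30 16:58:01 local4.critical 192.168.1.254 Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to 203.0.113.10/46099 flags PSH ACK on interface outside\n
2013-08-30 16:58:03 local4.critical 192.168.1.254 Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to 203.0.113.10/31820 flags ACK on interface outside\n
2013-08-30 16:58:09 local4.critical 192.168.1.254 Aug 30 2013 16:53:46: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to 203.0.113.10/46099 flags FIN ACK on interface outside\n
2013-08-30 16:58:10 local4.critical 192.168.1.254 Aug 30 2013 16:53:47: %ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/51515 to 203.0.113.10/22 flags SYN on interface outside\n
2013-08-30 16:58:11 local4.info 192.168.1.254 Aug 30 2013 16:53:48: %ASA-6-302014: Teardown TCP connection (constructed, ignored by the parser)\n
"""

# Matches only message 106001; addresses may be scrubbed text such as aaa.bbb.ccc.xxx.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-2-106001: "
    r"Inbound TCP connection denied from (?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\w+)"
)


def classify(flags):
    """Heuristic: a SYN without ACK opens a connection; anything else is mid-stream."""
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"
    return "mid-stream"


def parse_106001(text):
    """Return one dict per 106001 line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = frozenset(m["flags"].split())
        events.append({
            "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": flags, "interface": m["ifc"],
            "kind": classify(flags),
        })
    return events


def summarise(events):
    """Group denials by remote (address, port) with counts, local ports and time span."""
    by_peer = defaultdict(lambda: {"new-connection": 0, "mid-stream": 0,
                                   "local_ports": set(), "first": None, "last": None})
    for e in events:
        s = by_peer[(e["src"], e["sport"])]
        s[e["kind"]] += 1
        s["local_ports"].add(e["dport"])
        s["first"] = e["time"] if s["first"] is None else min(s["first"], e["time"])
        s["last"] = e["time"] if s["last"] is None else max(s["last"], e["time"])
    return dict(by_peer)


def lost_state_peers(summary, min_hits=2):
    """Peers whose denials are all mid-stream: candidates for dropped return traffic."""
    return sorted(peer for peer, s in summary.items()
                  if s["mid-stream"] >= min_hits and s["new-connection"] == 0)


if __name__ == "__main__":
    summary = summarise(parse_106001(SAMPLE_LOG))
    for (addr, port), s in sorted(summary.items()):
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{addr}/{port}: mid-stream={s['mid-stream']} "
              f"new={s['new-connection']} local_ports={sorted(s['local_ports'])} "
              f"span={span:.0f}s")
    print("likely return traffic without state:", lost_state_peers(summary))
```

Peers reported by `lost_state_peers` are the ones to compare against the firewall's connection table and timeouts, since their packets arrived for flows the device no longer tracks.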
Similar Messages
-
ASA5505 - Blocking internal traffic between 2 servers
Hi guys/ladies
I have a Cisco ASA5505; it runs a wide site-to-site VPN network and has 4 servers connected to it:
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
Now yesterday I removed 10.50.15.6 and replaced it with a new terminal server with the same IP address; ever since, the ASA is blocking traffic between it and the domain controller (example):
2  Oct 27 2012  14:51:05  106007  10.50.15.6  55978  DNS  Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
What has me baffled is the only thing different between today and yesterday is the new server is Windows Server 2008 and the old one was Windows Server 2003. The new server has the same LAN IP address as the old one to make the changeover seamless for the users.
Any idea why all of a sudden my ASA has decided to block the traffic between those machines? All the other machines can talk to it fine, just not the domain controller, and seeing that this is a terminal server, naturally you can see the problem I face!
Any help you can give would be great, as this router has worked flawlessly for 2 years now without any config changes and I can't work out why it's blocking traffic between those 2 machines.
Result of the command: "show cap asp | include 10.50.15.6"
15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163
16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138: udp 237
29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138: udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
-
Cisco RV042 Firewall Blocking LAN Traffic
Hello Everyone,
I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces. Connected to the SG-300 are a couple of servers running ESXi. Inter-VLAN routing is working fine on the current setup; however, I am only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped. I have concluded that the firewall seems to be the culprit in blocking my traffic. If I turn the firewall off, everything acts as expected. There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple of extras allowing all traffic for IP ranges, but I still seem to be losing my connections. To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpreting).
Regardless, here's how my rules currently stand below. I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule. I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible. I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running. Thanks in advance.
Priority  Enable  Action  Service          Source Interface  Source                     Destination                Time    Day  Delete
123               Allow   All Traffic [1]  LAN               10.10.21.1 ~ 10.10.21.31   10.10.10.10 ~ 10.10.10.10  Always
123               Allow   All Traffic [1]  LAN               10.10.10.10 ~ 10.10.10.10  10.10.21.1 ~ 10.10.21.31   Always
123               Allow   All Traffic [1]  LAN               Any                        Any                        Always
                  Allow   All Traffic [1]  LAN               Any                        Any                        Always
                  Deny    All Traffic [1]  WAN1              Any                        Any                        Always
                  Deny    All Traffic [1]  WAN2              Any                        Any                        Always
I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042. Maybe there's a more efficient way of doing this?
Below is a scrubbed copy of my switch configuration.
config-file-header
SWITCH01
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode router
vlan database
vlan 2
exit
no bonjour enable
hostname SWITCH01
no logging console
ip ssh server
ip ssh password-auth
clock timezone CEST +1
interface vlan 1
ip address 10.10.10.2 255.255.255.0
no ip address dhcp
interface vlan 2
name VIRTUAL-MANAGEMENT
ip address 10.10.21.1 255.255.255.224
interface gigabitethernet1
description ESXI01:VMNIC0:MGMT
switchport trunk allowed vlan add 2
interface gigabitethernet20
description UPLINK
exit
ip route 0.0.0.0 /0 10.10.10.1 metric 15
The routes I have defined are:
Destination IP  Subnet Mask      Default Gateway  Hop Count  Interface
10.10.21.0      255.255.255.224  10.10.10.2       1          eth0
10.10.10.0      255.255.255.0                     0          eth0
                255.255.252.0                     0          eth1
239.0.0.0       255.0.0.0                         0          eth0
default         0.0.0.0                           40         eth1
Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later. When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection. Maybe I have a misconfiguration somewhere that is causing some issues? I appreciate the help. -
ASA 5505 9.1(2) NAT/return traffic problems
As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NAT'ing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
I've stripped down the ASA config to the basic level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
Network is extremely basic:
DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
^
|----------------------- guest vlan (10.0.1.X)
show running-config:
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2)
hostname border
domain-name mydomain.com
enable password aaa encrypted
passwd bbb encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Guest-VLAN
security-level 10
ip address 10.0.1.1 255.255.255.0
boot system disk0:/asa912-k8.bin
boot system disk0:/asa911-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.104.2.36
domain-name domain
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 255.255.255.0
object network Guest-WLAN
subnet 0.0.0.0 255.255.255.0
description Interent access for guest Wireless
object network xbox-nat-tcp3074
host 192.168.50.54
object network xbox-nat-udp3074
host 192.168.50.54
object network xbox-nat-udp88
host 192.168.50.54
object service xbox-live-88
service udp destination eq 88
object network xbox
host 192.168.50.54
object network obj-inside
subnet 192.168.50.0 255.255.255.0
object network obj-xbox
host 192.168.50.54
object network plex-server
host 192.168.50.5
object network ubuntu-server
host 192.168.50.5
description Ubuntu Linux Server
object network ntp
host 192.168.50.5
object network plex
host 192.168.50.5
object network INTERNET
subnet 0.0.0.0 0.0.0.0
object-group service xbox-live-3074 tcp-udp
port-object eq 3074
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service plex-server-32400 tcp
description Plex Media Server
port-object eq 32400
access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in remark Plex Live access
access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network xbox-nat-tcp3074
nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
nat (inside,outside) static interface service udp 88 88
object network plex
nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=border
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxx
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 60
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
dhcpd lease 86400 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 152.19.240.5 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
username xxx password xxx/ encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxx
: end
Hi,
Configuration seems fine.
With regards to the ICMP, you could also add this
class inspection_default
inspect icmp error
I would probably start by trying out some other software level on the ASA.
Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA, and go through the information with Wireshark.
- Jouni
-
BT is blocking specific traffic - Connection probl...
I started having this problem about two weeks ago, after multiple phonecalls to BT and a couple of emails nothing has been done, so hopefully someone on the forum can help.
The problem is the BT server that my hub connects to runs software to block specific traffic, I assume this is handy for restricted torrents or illegal downloads. But what it's blocking is a game called EVE Online, I used to play this game without a single problem until about two weeks ago. I logged in one day and the lag was unbearable, mainly due to the fact BT is blocking around 90% of packets that are sent to me. As I said, I used to be able to play no problem, but now I can't even go on for 2 minutes before I get kicked.
I've confirmed with the EVE support team that BT is causing the problem. EVE uses UDP and it only requires a packet loss of 5 consecutive packets before the game disconnects you. This may not seem like a lot, but due to the nature of it, any more than 5 packets can cause major problems in the game, so they just disconnect you. A friend of mine also had this problem, but to a lesser extent, but it did span across multiple games; he has since then switched to another broadband provider which I will not name, and hasn't had the issue since. In EVE, recently BT have been known to block traffic; I'm not the first to ask EVE support for assistance on the matter, so they weren't strangers to the problem.
I've run a program called Ping Plotter to the EVE server. For those of you unaware, Ping Plotter is a useful tool to (as the name suggests) plot the latency (ping) of your connection to the server. PP also records packet loss and the exact route the client is using to connect to the server. The results average about 90% packet loss. Below are the results of PP.
500 trace count, 1 second per trace.
Packet loss is highlighted in RED
BT IP's are highlighted in BLUE
EVE IP's are highlighted in GREEN
Target Name: srv200-g.ccp.cc
IP: 87.237.38.200
Date/Time: 21/01/2014 2:41:46 AM to 21/01/2014 2:50:12 AM
Hop Sent Error PL% Min Max Avg Host Name / [IP]
1 500 0 0.0 1 34 2 BThomehub.home [192.168.1.254] PC TO HUB
2 500 423 84.6 9 57 21 esr19.edinburgh8.broadband.bt.net [213.1.130.142] HUB TO BT
3 500 474 94.8 10 149 26 [213.1.130.125]
4 500 480 96.0 18 66 29 [213.1.69.74]
5 500 481 96.2 19 63 31 [31.55.165.77]
6 500 476 95.2 19 71 35 [31.55.165.107]
7 14 11 78.6 18 53 29 acc1-10GigE-4-1-3.mr.21cn-ipp.bt.net [109.159.250.114]
8 133 126 94.7 29 62 47 core2-te0-13-0-14.ilford.ukcore.bt.net [109.159.250.46]
9 262 238 90.8 27 69 47 peer3-te0-1-0-7.telehouse.ukcore.bt.net [109.159.254.251]
10 500 443 88.6 25 74 40 ccpgames.com [195.66.226.23]
11 500 465 93.0 25 69 42 te-d2-e2.ccp.cc [87.237.37.246]
12 500 422 84.4 25 77 38 srv200-g.ccp.cc [87.237.38.200]
As you can see, that is completely unacceptable. The connection between my PC to my HUB is perfect, from the HUB to BT is where things go pearshaped.
Onto another note, the three times I've phoned, I've spoken to someone reading from a card. What I mean by that is they haven't got a clue what they're speaking about. They are denying there is a problem because 'ping google' works fine. the first time I was redirected to the tech support, but then found out I wasn't paying for the service so I couldn't use it. The second time the advisor hung up on me when I requested to speak to her supervisor, and the third I hung up because the advisor claimed BT broadband isn't designed to support online gaming, and he said a 90% packet loss is to be expected when online gaming, alright then.
Any help whatsoever on this issue is greatly appreciated. If I've missed anything out just ask for it and I'll post it.
Thanks.
What home hub model do you have and have you tried rebooting it? Lots of UDP traffic can be difficult for some routers to handle due to the inbuilt firewall; an older router, or possibly a router that's starting to have problems (dust blocking airflow, slowing the processor down), might cause issues like this due to load on the processor of the router (these things normally have very slow processors). Have you tried running extended ping tests? I'd try ping -n 1000 www.google.co.uk and ping -n 1000 www.bbc.co.uk; additionally try using ping -l 750 -n 1000 www.google.co.uk and ping -l 750 -n 1000 www.bbc.co.uk. What package are you on? Are you sure you're not on a package with traffic shaping? If the devices BT use to shape traffic don't understand what EVE is, it might assume it's P2P related and throttle it? A Glasnost test should help there. But the package you are on should be Totally unlimited rather than just unlimited, and was introduced from sometime around Feb last year, I believe. If you are on an older contract you are probably being traffic shaped. Additionally, it's best to concentrate on packet loss to servers rather than to routers. Backbone routers are often set up to deprioritize ICMP traffic directed to their own addresses except from servers used to manage them; concentrating on packet loss to intermediate devices is often a red herring.
There are various utilities out there that can test a TCP or UDP port in a similar sort of way to ping; however, the remote servers, if they are protected by firewalls and IDP systems, might detect that as an anomaly and block it as a possible attack.
-
Pl/sql block returning sql query.
Hello,
I am using oracle 10g apex 3.2 version.
I am using the following return statement inside my report which is pl/sql block returning sql query.
declare
pid varchar2(100);
begin
return 'select patient_id_code from t_files_data_exp where patient_id_code not in pid';
end;
How am I supposed to mention the pid inside the return statement, I mean with any quotes or anything? Because the above return statement gives the error
"1 error has occurred
Query cannot be parsed within the Builder. If you believe your query is syntactically correct, check the ''generic columns'' checkbox below the region source to proceed without parsing. The query can not be parsed, the cursor is not yet open or a function returning a SQL query returned without a value."
Thanks
Hello,
I did it exactly the way you told me:
declare
pid varchar2(100) := '(61092,61093)';
begin
return 'select patient_id_code from t_files_data_exp where patient_id_code not in ' || pid;
end;
patient_id_code is varchar2(100) only in table.
For this i am getting "invalid number error".
Thanks -
Report on QI, Blocked, Returned Stocks at Plant & Storage location level
Hi,
Would like to know any reports which gives QI, Blocked, Returned stocks at Plant & Storage location level.
Regards,
Vengathi,
What exactly do you mean by "Returned stock"?
Also go through by MMBE tcode ...
Regards
Priyanka.P -
Automatic block return Sales Orders / Credit Notes
Hi,
Could someone please explain how I block return sales orders or credit notes?
Also, is there a way of searching which sales order document types have been used for credit notes?
Thanks
Hello Chris,
Well, I too guess it would have given better results if you had posted this question on the Security Forum.
Nevertheless, could you please send the scenario details or a brief description of the same, including at least the transactions you are executing, so that we are able to suggest something better to you.
Regards,
Hersh. -
Block return sales orders or credit notes?
Hi,
Could someone please explain how I block return sales orders or credit notes?
Also, is there a way of searching which sales order document types have been used for credit notes?
Thanks
Hi Friend,
The billing block is coming from the tx. VOV8 -> choose the Order type -> billing
block -> you could set billing block here.
In Shipping column, there is also a field Delivery block where you could set delivery
block for the order type.
Or you could also set delivery block and billing block manually when you create the order.
You could check order type which is used as return or credit memo request by following way:
SE16 -> TVAK -> use selection criteria VBTYP = H and K
H Returns
K Credit memo request
Then execute, and you will get the order type you want.
Best regards,
Alex -
A CSS command that would show return traffic...
We're running a pair of CSSs with a couple of back-end servers behind them. We could determine if the traffic is coming into the CSS by using the sh flows command. However, this command will only show the connections from the CSS to the server, not back to the CSS, so if there's an asymmetry in the flow, this command will not pick it up. Is there a similar command (or commands) that would show a return connection from back-end servers to the CSS?
Thanks.
Good morning,
No, there is not such a command, but you can easily confirm that there is no asymmetric traffic from the fact that connections work.
If the CSS doesn't see the full TCP handshake for a connection (which includes the client and server directions), it will close the connection and log a SYN attack.
On top of that, unless you are defining the servers as transparent, the CSS will apply NAT to the destination IP (from the VIP to the server), so, if there is asymmetric routing, the NAT is not undone for the return traffic, which will cause connections to fail.
I hope this helps
Daniel -
ACLs on Dot11Radio interface blocks ALL traffic
On an AP1220 w/IOS 12.2(11)JA1, all traffic is blocked when an ACL is applied on either the RF interface or the FastE interface, even explicitly permitted traffic. Also, using the "log" command after an ACL line fails to log anything. Below is the ACL I want to apply to the Dot11Radio 0 interface. It blocks ALL traffic:
access-list 100 permit udp any any eq bootpc log
access-list 100 permit tcp any host 10.0.0.1 eq 1723 log
access-list 100 permit gre any host 10.0.0.1 log
access-list 100 deny ip any any log
Here is a test ACL that blocked ALL traffic, as well:
access-list 101 permit udp any any log
access-list 101 permit tcp any any log
access-list 101 permit icmp any any log
access-list 101 permit ip any any log
Both ACLs blocked all traffic and failed to log a single event. If the ACL is removed, everything works. HELP!
It's a known bug CSCec28612 - AP1200 access-list doesnt work on radio int with a log keyword
-
Blocking international traffic to BC site
Does anyone know how to block international traffic to a BC website? We receive a flood of traffic from international countries that drastically distorts our analytic reports. Thanks for any help....
I understand the usability issue. It sucks to not have the information right when you log in. Sorry.
It is normal to get visits from international countries though. Sometimes I get a lot of visits from specific countries like you did from Ukraine. This usually happens in our case when companies or bots are trying to post their links in our blog.
Take advantage of the captcha from BC if you don't use it yet in your forms. I found extremely helpful lowering the number of spam that I was getting in both my blog posts and contact request tickets.
These are some other links it might help you....
To exclude certain IP Addresses in BC
With Google Analytics these links may help you...
DATA FILTERS FOR VIEWS - Filter on geography
https://support.google.com/analytics/answer/1034773?hl=en&ref_topic=1034830
These are all the filters you can apply
https://support.google.com/analytics/answer/1034380?hl=en&ref_topic=1034830
Hope it helps.
PJ -
I am having a problem with the WISM blade blocking UDP traffic on port 6001. This is for a Sentinel Hardware Key. The software sends out a UDP request but it appears that the controller just drops it. I have tried an explicit permit ACL on this network for all UDP traffic. This did not work either. This software works fine on the wire. Anyone else seen this?
All layer two broadcasts (FF:FF:FF:FF:FF:FF) are stopped at the WISM. This is a function of the controller. I found a white paper from Cisco stating this. The hardware key I was trying to use, utilized a layer two broadcast and it was stopped at the controller. There were no ACL's present when I started testing. I even tried it with an allow all ACL just to make sure.
-
How to Block Return to Supplier for Inactive Subinventories
In Purchasing Module while making a Return to Supplier & when we query an Item, all relevant receipt lines are visible including Inactive Subinventories.
User is able to make return to supplier for Inactive Subinventories also.
How do we block Return to Supplier for Inactive Subinventories?
How to block calls has been asked hundreds and hundreds of times at CSC; a simple search would have provided you with all the necessary information. Please search before you ask.
https://supportforums.cisco.com/docs/DOC-19628
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk -
WRT54G blocking INTERNAL traffic ?
Hello everybody!
I own a WRT 54 G v3.1 Firmware Version: v4.30.5.
Everything works fine except Age of Empires 2 LAN games. I tried a direct connection between 2 PCs with a crossover cable and the game worked, but when we want to play via our router, we can't find hosted games. We don't want to play on the Internet, only on LAN. Is there any setting that is blocking internal traffic? What's also strange: I tried DXdiag, as AOE2 uses DirectPlay, and DXdiag could establish a connection even when both PCs were connected via the router. Any ideas? Thanks in advance.
If you have a software firewall installed, connecting a computer to a different router does make a difference. Those software firewalls remember the firewall settings based on where they are connected. A different router is a different location and thus has different firewall settings. Thus, you have to disable the firewall completely, maybe have to uninstall it completely (ZA is a good candidate for that) to verify whether or not it is related to the computer configuration.
Also, how do you connect between those computers for the game? Do they automatically detect each other? Do you have to enter IP addresses? Or how does it work?
Technically the LAN side of the router is a simple switch. It does not do any filtering there. It may be slightly different if a connection is wireless. It can be completely different if a router runs a 3rd party firmware.