ASA5520 access-list configuration?

I have two ASA5520s, version 7.2(2).
I have used an access-list for the firewall as:
access-list outside extended permit ip object-group mydomain any
access-list outside extended permit icmp object-group mydomain any
access-group outside in interface outside
I believe that all the IP traffic should be allowed from machine AA in the private network behind the inside interface to a machine BB in the public network (outside of the outside interface of the ASA5520):
(private) AA->asa5520->BB (public)
However, it seems to work for most cases, but it does not work for a certain port:
telnet AA 80 -> it seems to work fine
telnet AA 3816 -> it does not work.
When I do the packet trace on the ASA5520, it says access-list not allowed.
Could anyone advise me what my configuration is missing? How do I correct this problem? And also, how can I see all the implicit rules which are set by default?
Any comments will be appreciated.
Thanks in advance

please upload/copy your config so we can see

Similar Messages

  • Access-List configuration on ASR9k

    hello All,
    I have an ASR 9000 on my network and want to configure an access-list. But is there any command to refer to an ACL via a network object, as the ASA does,
    and which is the command that refers to it?
    So is it possible to create objects and then refer to them in the ACL?
    Regards,
    mery

    Hi Mery,
    here is an example.
    RP/0/RSP0/CPU0:ASR9K-PE2-R1#show configuration commit changes last 1
    Mon Feb 24 00:06:10.681 UTC
    Building configuration...
    !! IOS XR Configuration 5.1.0
    object-group network ipv4 real
    host 100.1.1.1
    ipv4 access-list real
    10 permit icmp any any
    20 permit tcp any net-group real eq www
    30 permit tcp any net-group real eq www log
    40 permit tcp any net-group real eq ftp
    50 permit tcp any net-group real eq telnet
    60 permit tcp any net-group real eq pop3
    70 permit tcp any net-group real eq smtp
    80 permit tcp any net-group real eq domain
    90 permit tcp any net-group real eq ftp-data
    100 permit tcp any net-group real established
    110 permit tcp any net-group real eq 389
    111 permit udp any net-group real eq 389
    120 permit tcp any net-group real eq 636
    121 permit udp any net-group real eq 636
    200 permit ipv4 any any
    end
    RP/0/RSP0/CPU0:ASR9K-PE2-R1#

  • Access-list configuration

    Hi,
    I have the following configuration:
    interface FastEthernet0/1
    description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***
    no ip address
    duplex full
    speed 100
    interface FastEthernet0/1.2007
    description ***** Connect To MASTER_SHUKEI_ON *****
    encapsulation dot1Q 2007
    ip address 172.21.2.46 255.255.255.248
    interface FastEthernet0/1.2008
    description ***** Connect To TRAST *****
    encapsulation dot1Q 2008
    ip address 172.21.2.54 255.255.255.248
    interface FastEthernet0/1.2009
    description ***** Connect To TRAST *****
    encapsulation dot1Q 2009
    ip address 172.21.2.62 255.255.255.248
    interface FastEthernet0/1.2010
    description ***** Connect To TRAST *****
    encapsulation dot1Q 2010
    ip address 172.21.2.707 255.255.255.248
    and I want to configure an access deny between the VLANs, so that users can't come into other VLANs that don't belong to them.
    thanks

    Hi,
    Configure an access-list:
    access-list 10 deny <your VLAN 2007 range>
    access-list 10 permit any
    int f0/0.2007
    access-group 10 in
    Same for VLAN 2008.
    Thanks
    Mahmood

  • Please assist me for access-list configuration

    Dear Team,
    Please help me configure the access-list.
    Requirement:
    I have three different subnets (10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24). PC1 and PC3 are within the 10.1.1.0 subnet and PC2 and PC4 are within the 30.1.1.0 subnet.
    I want the 10.1.1.0 subnet to not be able to access the 30.1.1.0 subnet, but the 30.1.1.0 subnet should be able to access the 10.1.1.0 subnet. Please find the configuration below.
    At R2:
    ip access-list extended 101
    deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
    permit ip any any
    int f0/0
    ip access-group 101 in
    But this configuration is not working; it's blocking the 30.1.1.0 subnet from accessing 10.1.1.0 as well. Please help me!!!!!
    Regards,
    Sanjib

    Hello
    I assume the routers are performing the routing for these subnets and not the switches. Anyway, your ACL doesn't look correct; try this:
    R2
    ip access-list extended 101
    deny ip 30.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    permit ip any any
    int f0/0
    ip access-group 101 in
    or
    ip access-list extended 101
    deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
    permit ip any any
    int f0/0
    ip access-group 101 out
    reverse the acl for R3 if applicable
    res
    Paul

  • Simple SSH Access-List Question

    I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50.  I forgot the exact access-list configuration to accomplish this.  The subnet is /24 and I don't want the whole subnet - just .1 - .50.
    Thank you,
    Thomas Reiling

    Hi there,
    If using SSH make sure you have a domain name, host name and a generated RSA key. Assuming you've done that, the following ACL and line vty commands will do the trick. Note that the 1-50 host list is not on a subnet barrier.
    To get it exactly:
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.31
    access-list 1 permit 192.168.200.32 0.0.0.15
    access-list 1 permit 192.168.200.48 0.0.0.1
    access-list 1 permit host 192.168.200.50
    access-list 1 deny any log
    It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.63
    access-list 1 deny any log
    Apply the access-class on the vty lines and, depending on authentication, I'd put something there too.
    line vty 0 4
    access-class 1 in
    transport input ssh
    password blahblah
    That ought to do it.
    good luck!
    Brad
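To make the two ACLs in this reply checkable, here is an added Python model (not from the thread or from any Cisco tool) of IOS standard-ACL semantics: wildcard masks, top-down first match, and the implicit deny at the end. It parses both ACLs above, lists which addresses of the /24 each one actually permits, and goes a step further than the post by computing the minimal wildcard-block cover for any contiguous range. The ACL number and the 192.168.200.0/24 subnet are from the post; everything else is constructed.

```python
"""IOS standard ACL model: wildcard masks, first match wins, implicit deny.

Added example for the 192.168.200.1-.50 management question; the two ACLs
below are the ones from the reply, everything else is constructed.
"""
import ipaddress
from typing import List, Tuple

Ace = Tuple[str, int, int]  # (action, network as int, wildcard as int)

EXACT_ACL = [
    "access-list 1 remark ALLOW MANAGEMENT",
    "access-list 1 permit 192.168.200.0 0.0.0.31",
    "access-list 1 permit 192.168.200.32 0.0.0.15",
    "access-list 1 permit 192.168.200.48 0.0.0.1",
    "access-list 1 permit host 192.168.200.50",
    "access-list 1 deny any log",
]
SIMPLE_ACL = [
    "access-list 1 remark ALLOW MANAGEMENT",
    "access-list 1 permit 192.168.200.0 0.0.0.63",
    "access-list 1 deny any log",
]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_standard_acl(lines: List[str]) -> List[Ace]:
    """Accepts 'access-list N permit|deny any|host A|A [W] [log]'; remarks skipped."""
    aces: List[Ace] = []
    for line in lines:
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        action, addr = toks[2], toks[3:]
        if addr[0] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif addr[0] == "host":
            net, wc = _ip(addr[1]), 0
        else:  # 'A W' pair, or a bare address which IOS treats as a single host
            net = _ip(addr[0])
            wc = _ip(addr[1]) if len(addr) > 1 and addr[1] != "log" else 0
        aces.append((action, net, wc))
    return aces


def evaluate(aces: List[Ace], ip: str) -> str:
    """Top-down: the first ACE whose fixed bits (wildcard 0) match decides."""
    ipn = _ip(ip)
    for action, net, wc in aces:
        care = ~wc & 0xFFFFFFFF  # 1 bits of the wildcard are "don't care"
        if ipn & care == net & care:
            return action
    return "deny"  # the implicit 'deny any' at the end of every ACL


def permitted_hosts(aces: List[Ace], cidr: str) -> List[str]:
    """Every address of cidr (network/broadcast included) the ACL permits."""
    return [str(h) for h in ipaddress.IPv4Network(cidr)
            if evaluate(aces, str(h)) == "permit"]


def wildcard_blocks(first: str, last: str) -> List[Tuple[str, str]]:
    """Minimal (network, wildcard) cover of first..last inclusive.

    Greedy: from the current address take the largest power-of-two block that
    is aligned to its own size and does not run past 'last'."""
    cur, end = _ip(first), _ip(last)
    blocks = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        blocks.append((str(ipaddress.IPv4Address(cur)),
                       str(ipaddress.IPv4Address(size - 1))))
        cur += size
    return blocks


def acl_for_range(number: int, first: str, last: str) -> List[str]:
    """Render the cover as IOS lines, closing with an explicit logged deny."""
    lines = [f"access-list {number} permit {n} {w}" for n, w in wildcard_blocks(first, last)]
    return lines + [f"access-list {number} deny any log"]


if __name__ == "__main__":
    for name, acl in (("exact", EXACT_ACL), ("simple", SIMPLE_ACL)):
        hosts = permitted_hosts(parse_standard_acl(acl), "192.168.200.0/24")
        print(f"{name}: permits {len(hosts)} addresses, {hosts[0]} .. {hosts[-1]}")
    print("\n".join(acl_for_range(1, "192.168.200.1", "192.168.200.50")))
```

Running it shows the "exact" ACL admits .0 through .50 and the /26-style shortcut admits .0 through .63, so the simpler version quietly extends management access to thirteen addresses the requirement did not include.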

  • Cleaning up Access Lists

    Here is an access list I want to know if I can "clean up" :
    access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
    access-list outside_access_in extended permit object RDP any any
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in_1 extended permit object RDP any object FileServer
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
    access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
    access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
    access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
    access-list outside_access_in_1 extended permit icmp any object DattoDevice
    access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
    access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
    What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical?  I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......

    Hi,
    To my understanding the numbering in the format "_1" (and similar) is generated by the device when you configure it through the ASDM.
    The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
    I would imagine that only one of them is attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
    show run access-group
    You could add the same lines from the old ACL to the new ACL with the "_1" at the end, but you probably won't need all the statements (if any). The first line of the ACL you seem to have in the new one already.
    The second ACL line might be in the new ACL. I am not sure as it contains "object" configurations which hold the IP addresses that I can't see.
    Same goes for the third line of the ACL. It contains an "object" configuration, though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts, but with this information I can not say what's the case.
    The last (fourth) line of the ACL seems to be an RDP rule that previously allowed RDP connections towards a host that used the PIX firewall's "outside" interface as its public IP address. This won't be needed anymore as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT configured.
    The ACL named "RemoteVPN_splitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
    At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seem to be ACLs configured for L2L VPN connections. Considering the destination subnet in both of these is identical, I imagine that also only one of these is in actual use at the moment.
    You can check what is in use with the command
    show run crypto map
    Hope this helps :)
    - Jouni

  • Configuring Extended Access List with Any statement

    I have several questions where I'm fuzzy on a configuration already on my network.  Whoever setup my network before me just put the same access-lists on all the interfaces at three different locations --
    1.  Are extended access-lists always source then destination?  Like in the following statement:
    permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
    2.  Further down though there is:
    permit tcp any host 172.16.4.11 eq 443.
    In that case is the source any host and the destination 172.16.4.11 ?
    This had been placed on an inbound access-list but 4.11 is not internal to that network, so I don't think that statement is valid.
    3.  Also, when you do a:
    sho ip access-list -
    Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
    Thanks!

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • Configuring Access List

    I have the following configuration in the msfc of a catalyst 6509:
    interface Vlan5
    description Vlan Medidores Electricos
    ip address 172.23.60.1 255.255.255.0
    no ip unreachables
    no ip directed-broadcast
    interface Vlan1
    description Vlan Usuarios Pz-Jose
    ip address 172.23.8.1 255.255.252.0
    no ip unreachables
    no ip directed-broadcast
    In the subnet 172.23.8.0/22 I have the server 172.23.11.3 and in the subnet 172.23.60.0/24 I have electricity meters.
    I have the following request: the active hosts of the subnet 172.23.60.0/24 should only have access to server 172.23.11.3, and only the server 172.23.11.3 should have access to the active hosts of the network 172.23.60.0/24.
    I am thinking of applying the following configuration:
    interface Vlan5
    description Vlan Medidores Electricos
    ip address 172.23.60.1 255.255.255.0
    ip access-group 103 in
    no ip unreachables
    no ip directed-broadcast
    interface Vlan1
    description Vlan Usuarios Pz-Jose
    ip address 172.23.8.1 255.255.252.0
    no ip unreachables
    no ip directed-broadcast
    access-list 103 permit ip host 172.23.60.2 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.3 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.4 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.5 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.6 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.7 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.8 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.9 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.10 host 172.23.11.3
    access-list 103 permit ip host 172.23.60.11 host 172.23.11.3
    access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
    access-list 103 deny ip any any
    Is this correct?
    Any recommendation?

    I don't believe your source/destination address logic matches your access-group 3 in statement. Your configuration states inbound traffic on interface VLAN 5 sourced as 172.23.60.x destined for 172.23.11.3 is allowed. Using Leo's recommendations I suggest you reverse source and destination address.
    access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.15
    Interface Vlan5
    ip access-group 3 in
    HTH,
    Ryan

  • Static NAT using access-lists?

    Hi,
    I have an ASA5520 and I'm having an issue with static NAT configuration.
    I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.
    This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.
    I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address I would like to flip this logic if possible.
    Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1' and for everyone else, don't NAT?
    My PIX CLI skills aren't the best, but the ASDM suggests that this is possible - on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would, but I don't see how to...
    Thanks,
    Des

    Des,
    You need to create an access-list to be used with the nat 0 statement.
    access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
    - this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
    then use NAT 0 statement:
    nat (inside) 0 access-list inside_nonat
    to permit outside users to see inside addresses without NAT, flip this logic.
    access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    nat (outside) 0 access-list outside_nonat
    you'll also have to permit this traffic through the ACL of the outside interface.
    access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    - Brandon

  • ASA5520-Access to FTP site

    I thought I would run this by the forum in case there is someone out there who experienced the same issue.  I have users behind an ASA5520 firewall running 8.x code who are unable to access a particular ftp site through a web browser or an ftp client such as FileZilla.  Keep in mind that other ftp sites are accessible.  I was notified of this as it worked in the morning of a particular day and then stopped working in the afternoon on the same day.  Accessing the site from our guest network(different firewall) is possible.  The SysAdmin insists it is a firewall issue.  I have run the packet tracer on the firewall and the traffic is allowed.  FTP inspection is configured.  I get the same results when I try to access with IE or Firefox.  Anyways, I thought I would post the questions to see if anyone has seen something like this before.  If anyone is interested, the site is ftp://authordev.healthstream.com.  TIA for any help or advice.

    Hi,
    You could always take a packet capture on the firewall and/or on the actual host to see where the communication stops.
    You could for example configure the ASA to capture the traffic between the client and the server.
    Example configuration could be
    access-list FTP-CAP permit ip host host
    access-list FTP-CAP permit ip host host
    capture FTP-CAP type raw-data access-list FTP-CAP interface buffer 10000000
    You could naturally also capture the traffic on the internal side of the firewall if you want to compare the 2 captures on both sides of the firewall.
    access-list FTP-CAP-INTERNAL permit ip host host
    access-list FTP-CAP-INTERNAL permit ip host host
    capture FTP-CAP-INTERNAL type raw-data access-list FTP-CAP-INTERNAL interface buffer 10000000
    You can then use the following command to confirm if traffic is captured
    show capture
    You can use the following command to show the capture on the CLI
    show capture FTP-CAP
    show capture FTP-CAP-INTERNAL
    I would suggest copying the actual captures to your computer with the following commands and then viewing the contents with Wireshark.
    copy /pcap capture:FTP-CAP tftp://x.x.x.x/FTP-CAP.pcap
    copy /pcap capture:FTP-CAP-INTERNAL tftp://x.x.x.x/FTP-CAP-INTERNAL.pcap
    You can remove the captures from the ASA with
    no capture FTP-CAP
    no capture FTP-CAP-INTERNAL
    The ACLs will have to be removed separately.
    These captures should give you a picture what happens to the FTP connection.
    - Jouni

  • How to create an Access list on a core switch to block all Internet Traffic & allow some specific Internet Traffic

    Hello Everyone,
    I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
    I want to allow the whole Intranet, but a few intranet websites also need access to the internet.
    Can we create such an Access-List with the above requirement?
    I tried to create the ACL on the switch but it blocks the whole internet access.
    I want to do it for a subnet, not for a specific IP.
    Can someone help me in creating such an access list?
    Thanks in Advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit ip object-group intranet any
    permit ip object-group allowed_servers object-group allowed_sites
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

  • IOS XR deny ace not supported in access list

    Hi everybody,
    We've a 10G interface; this is an MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is, through a policy-map TK-MPLS_TG, shape the output of the interface to 2G:
    interface TenGigE0/3/0/0
     cdp
     mtu 1568
     service-policy output TK-MPLS_TG
     ipv4 address 172.16.19.134 255.255.255.252
     mpls
      mtu 1568
    policy-map TK-MPLS_TG
    class class-default
      service-policy TK-MPLS_EDGE-WAN
      shape average 2000000000 bps
      bandwidth 2000000 kbps
    and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside; this new policy helps us to assign a bandwidth percent to 5 class-maps, which in turn match the experimental values classified when they got into the router:
    class-map match-any W_RTP
     match mpls experimental topmost 5
     match dscp ef
     end-class-map
    class-map match-any W_EMAIL
     match mpls experimental topmost 1
     match dscp cs1
     end-class-map
    class-map match-any W_VIDEO
     match mpls experimental topmost 4 3
     match dscp cs3 cs4
     end-class-map
    class-map match-any W_DATOS-CR
     match mpls experimental topmost 2
     match dscp cs2
     end-class-map
    class-map match-any W_AVAIL
     match mpls experimental topmost 0
     match dscp default
     end-class-map
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      bandwidth percent 2
    class class-default
    end-policy-map
    What we want to do is to assign a specific bandwidth to the proxy on the output using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
    ipv4 access-list PROXY-GIT-MEX
    10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
    20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
    30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
    40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
    50 permit tcp host 150.2.1.100 any
    60 permit tcp host 10.15.221.100 any
    policy-map EDGE-MEX3-PXY
     class C_PXY-GIT-MEX3
      police rate 300 mbps
     class class-default
     end-policy-map
    class-map match-any C_PXY-GIT-MEX3
     match access-group ipv4 PROXY-GIT-MEX
     end-class-map
    We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN:
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      service-policy EDGE-MEX3-PXY
    class class-default
    end-policy-map
    and we get this:
    Wed Sep 17 18:35:36.537 UTC
    % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
    RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
    Wed Sep 17 18:35:49.662 UTC
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
    end
    Any  kind of help is very appreciated.

    That is correct; due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class-matching based on an ACL.
    Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
    if you have some traffic that you want to exclude you could do something like this:
    access-list PERMIT-ME
    1 permit
    2 permit
    3 permit
    access-list DENY-me
    !the exclude list
    1 permit
    2 permit
    3 permit
    policy-map X
    class DENY-ME
    <don't do anything> or set something rogue (like qos-group)
    class PERMIT-ME
    do here what you wanted to do as earlier.
    Even though the permit and deny may be overlapping in terms of match,
    only the first class is matched here, DENY-ME.
    cheers!
    xander

  • Static nat with port redirection 8.3 access-list using un-nat port?

    I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
    object network obj-10.1.1.5-06
    nat (inside,outside) static interface service tcp 3389 3398
    object network obj-10.1.1.5-06
    host 10.1.1.5
    access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
    access-group outside_access_in in interface outside
    So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
    Thanks in advance..

    Hello,
    I would be more than glad to explain to you what is going on!
    The thing is, since 8.3 NAT is reviewed before the ACL, so the ASA receives the packet on the outside interface, checks for an existing connection, and if there is none it will un-NAT the packet and then check the ACL.
    After the packet is un-NATted what we have is the private IP addresses and the real ports, so that is why on these versions you have to point the ACL to the private IP addresses and ports.
    Regards,
    Julio
    Rate helpful posts
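The order of operations Julio describes, as an added Python model (not from the thread or from Cisco): the static PAT entry and the two ACL variants are the ones quoted in the question; the ASA outside interface address and the client address are constructed. Flipping the post_83 flag shows why the "open the mapped port" reasoning held before 8.3 and stopped holding afterwards.

```python
"""Post-8.3 ASA order of operations for an inbound packet: un-NAT first, then
the interface ACL.  Added example, not from the thread or Cisco; the static
PAT entry and both ACL variants are the ones in the question.  The outside
interface IP and the client address are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

OUTSIDE_IF_IP = "203.0.113.1"  # assumed: the ASA's outside interface address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# nat (inside,outside) static interface service tcp 3389 3398
# => mapped (outside IP, tcp/3398) is translated to real (10.1.1.5, tcp/3389)
STATIC_PAT: Dict[Tuple[str, str, int], Tuple[str, int]] = {
    ("tcp", OUTSIDE_IF_IP, 3398): ("10.1.1.5", 3389),
}

# (action, proto, src, dst, destination port or None for any port)
Ace = Tuple[str, str, str, str, Optional[int]]
ACL_REAL_PORT: List[Ace] = [("permit", "tcp", "any", "any", 3389)]    # works on 8.3+
ACL_MAPPED_PORT: List[Ace] = [("permit", "tcp", "any", "any", 3398)]  # what the poster tried


def un_nat(pkt: Packet) -> Packet:
    """Rewrite the mapped destination to the real one; no entry, no change."""
    real = STATIC_PAT.get((pkt.proto, pkt.dst, pkt.dport))
    return pkt if real is None else replace(pkt, dst=real[0], dport=real[1])


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """Top-down first match; an ACL with no matching ACE denies implicitly."""
    for action, proto, src, dst, port in acl:
        if proto != pkt.proto or src not in ("any", pkt.src) or dst not in ("any", pkt.dst):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False


def inbound_allowed(acl: List[Ace], pkt: Packet, post_83: bool = True) -> bool:
    """8.3+: the ACL is checked against the un-NATted (real) packet.
    Before 8.3 the ACL saw the packet as received, i.e. the mapped address/port."""
    seen = un_nat(pkt) if post_83 else pkt
    return acl_permits(acl, seen)


RDP_FROM_OUTSIDE = Packet("tcp", "198.51.100.7", OUTSIDE_IF_IP, 3398)  # constructed client

if __name__ == "__main__":
    print("8.3, ACL on real port 3389:  ", inbound_allowed(ACL_REAL_PORT, RDP_FROM_OUTSIDE))
    print("8.3, ACL on mapped port 3398:", inbound_allowed(ACL_MAPPED_PORT, RDP_FROM_OUTSIDE))
    print("pre-8.3, ACL on mapped port: ", inbound_allowed(ACL_MAPPED_PORT, RDP_FROM_OUTSIDE, post_83=False))
```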

  • The crawler could not communicate with the server. Check that the server is available and that the firewall access is configured correctly. If the repository was temporarily unavailable, an incremental crawl will fix this error

    We are getting the below error in the crawl logs:
    "The crawler could not communicate with the server. Check that the server is available and that the firewall access is configured correctly. If the repository was temporarily unavailable, an incremental crawl will fix this error."
    This is happening in FAST search.
    Here I can see some of the logs related to this search crawl.
    Could anyone please help on this?
    d:\office\source\search\native\gather\protocols\sts3\sts3handler.cxx 
    07/30/2014 01:32:26.06  mssdmn.exe (0x15CC)                      0x16FC SharePoint Server Search       HTTP Protocol
    Handler          du2z Verbose  CHttpProbeHelper::ProbeServer: Probing server with url 'http://pnvpr/_vti_bin/sitedata.asmx'.  [stscommon.cxx:476]  d:\office\source\search\native\gather\protocols\common\stscommon.cxx 
    07/30/2014 01:32:26.08  mssdmn.exe (0x15CC)                      0x193C SharePoint Server Search       PHSts                        
     dvb2 High     CSTS3Handler::CreateAccessorExD: Return error to caller, hr=80041200            [sts3handler.cxx:330]  d:\office\source\search\native\gather\protocols\sts3\sts3handler.cxx 
    07/30/2014 01:32:26.08  mssdmn.exe (0x15CC)                      0x16FC SharePoint Server Search       HTTP Protocol
    Handler          du4i Verbose  CHttpAccessorHelper::InitRequestInternal - opening request for '/_vti_bin/sitedata.asmx'.  [httpacchelper.cxx:353]  d:\office\source\search\native\gather\protocols\http\httpacchelper.cxx 
    earch application 'FAST Query SSA': Adding start address 'http://mnvfgext' for web application '64d562a1-535e-4917-8979-88840e2a67fe' to list of valid start addresses. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
    07/30/2014 01:32:46.53  OWSTIMER.EXE (0x28DC)                    0x1444 SharePoint Server Search       Administration               
     dmb6 Verbose  Ensure full read access to the indexing account 'ABC\sp_search' on web application 'http://nvpr/'. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
    07/30/2014 01:32:46.53  OWSTIMER.EXE (0x28DC)                    0x1444 SharePoint Server Search       Administration               
     dl2m Verbose  Search application 'FAST Query SSA': Skipping web application 'cea7b67b-fd5f-4c9a-a300-64a7d7ca3093' because its outbound url 'http://pnvpr' was automatically added once. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
    07/30/2014 01:32:46.53  OWSTIMER.EXE (0x28DC)                    0x1444 SharePoint Server Search       Administration               
     dl2n Verbose  Search application 'FAST Query SSA': Adding start address 'http://pnvpr' for web application 'cea7b67b-fd5f-4c9a-a300-64a7d7ca3093' to list of valid start addresses. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
    07/30/2014 01:32:46.53  OWSTIMER.EXE (0x28DC)                    0x1444 SharePoint Server Search       Administration               
     dl2k Verbose  web application 'http://abcrsp/' doesn't use search application 'FAST Query SSA', skipping it. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
    07/30/2014 01:32:46.53  OWSTIMER.EXE (0x28DC)                    0x1444 SharePoint Server Search       Administration               
     dl2k Verbose  web application 'http://excb/' doesn't use search application 'FAST Query SSA', ski
    Anil Loka

    Hi,
    According to your post, my understanding is that you got an error when communicating with the server.
    This happens when the crawler is not able to connect to the server. Make sure the server name is correct. A couple of steps to troubleshoot it:
    1. You should be able to ping the server from the server having the crawl component. Make sure there is an entry for the server in the hosts file under the c:\Windows\System32\drivers\etc folder.
       Ping <servername>
    2. You should be able to connect to the server using the telnet command.
       Telnet <servername> <port number>
    More information:
    Troubleshooting of FAST Search Configuration
    If the issue still exists, you can delete the old search application and recreate from the beginning.
    You can also reset the index and do a full crawl after.
    Here is a similar thread for your reference:
    http://social.technet.microsoft.com/Forums/en-US/f3c61b53-304a-4c2a-a370-d0e573219d1d/an-unrecognized-http-response-was-received-when-attempting-to-crawl-this-item?forum=sharepointadminprevious
    Best Regards,
    Linda Li
    TechNet Community Support

  • Acl-name in access-list requirements

    Hi,
    I would like to ask about the acl-name in access-list.
    Does it act as a link between the ACL and an interface?
    Or could it be written as anything, without any constraints?
    Such as
    access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
    Is it OK?
    Or should test_ACL be defined somewhere prior to using it in the ACL?

    Just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs. Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map. Another common use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site-to-site VPN.
    But for this specific ACL that you mention, the question you need to answer is: does the ACL define IPs that are assigned within your network, and do you have any applications that require the tcp timeout to be adjusted? If the answer is no to either of these, then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
    Whether the ACL itself can be removed, I would assume it is safe to remove as it is called test_ACL, but then again, I have seen people set up test configurations and then leave them as is without changing the name. So I would suggest investigating further to see if the name test_ACL is referenced in any other places in your configuration.
    Please remember to select a correct answer and rate helpful posts
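The answer above recommends checking every place an ACL name is referenced before deciding it is unused. The script below is an added example, not code from the thread: it scans ASA config text (a constructed sample is embedded inline, using the pre-8.3 `nat (if) 0 access-list` syntax that matches the 7.2 release in the original question) for each access-list definition and for the contexts that consume it, namely access-group, class-map match, crypto map match address and nat exemption, then lists ACLs that are defined but never consumed and names that are consumed but never defined.

```python
import re
from collections import defaultdict

# Constructed sample ASA config (not from the thread): test_ACL is consumed by a
# class-map rather than an access-group, old_test is unused, nonat is undefined.
SAMPLE_CONFIG = """\
access-list outside extended permit ip object-group mydomain any
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
access-list vpn_traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list old_test extended permit ip any any
access-group outside in interface outside
nat (inside) 0 access-list nonat
class-map test_ACL
 match access-list test_ACL
policy-map global_policy
 class test_ACL
  set connection timeout idle 2:00:00
crypto map outside_map 10 match address vpn_traffic
"""

# Group 1 of every pattern is the ACL name; the dict key names the consuming context.
DEFINITION = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard|webtype|ethertype|remark)\b")
REFERENCE_PATTERNS = {
    "access-group": re.compile(r"^access-group\s+(\S+)\s+"),
    "class-map match": re.compile(r"^\s+match\s+access-list\s+(\S+)"),
    "crypto map match address": re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)"),
    "nat exemption": re.compile(r"^nat\s+\([^)]+\)\s+\d+\s+access-list\s+(\S+)"),
}

def acl_references(config):
    """Return {acl_name: {"defined": [lines], "<context>": [lines]}} for the config text."""
    refs = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = DEFINITION.match(line)
        if m:
            refs[m.group(1)]["defined"].append(line.strip())
            continue
        for context, pattern in REFERENCE_PATTERNS.items():
            m = pattern.match(line)
            if m:
                refs[m.group(1)][context].append(line.strip())
    return {name: dict(ctx) for name, ctx in refs.items()}

def unreferenced_acls(config):
    """ACLs that are defined but consumed nowhere we recognise: cleanup candidates."""
    return sorted(n for n, ctx in acl_references(config).items() if set(ctx) == {"defined"})

def dangling_references(config):
    """ACL names consumed somewhere but never defined: a typo or a removed ACL."""
    return sorted(n for n, ctx in acl_references(config).items() if "defined" not in ctx)
```

Run it against the output of `show running-config` rather than the sample to audit a real box; any context not in REFERENCE_PATTERNS (for example vpn-filter in a group-policy) still needs a manual check.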
