ASA5520 access-list configuration?
I have two asa5520s, version 7.2(2).
I have use access-list for the firewall as:
access-list outside extended permit ip object-group mydomain any
access-list outside extended permit icmp object-group mydomain any
access-group outside in interface outside.
I believe that all the ip traffic should be allowed from machine AA in private network behind inside interface to a machine BB in public network (outside of outside interface of asa5520)
(private) AA->asa5520->BB (public)
However, it seems works for most of case, but, it do not work for certain port.
telnet AA 80 -> it seems working fine
telnet AA 3816 -> it is not work.
when I do the packet trace on asa5520, it said access-list not allowed.
Could anyone advice me what does my configuratin miss? How to corrrect this problem? and also, how can I see all the implicy rules which set by default?
any comments will be appreciated
Thanks in advance
please upload/copy your config so we can see
Similar Messages
-
Access-List configuration on ASR9k
hello All,
I have on my network an ASR 9000 and want to configure an access-list. But is there any command to refer an ACL via object network as ASA do.
and which is the command that refer to it?
So is it possible to create objects and then to refer at the acl
Regards,
meryHi Mery,
here is an example.
RP/0/RSP0/CPU0:ASR9K-PE2-R1#show configuration commit changes last 1
Mon Feb 24 00:06:10.681 UTC
Building configuration...
!! IOS XR Configuration 5.1.0
object-group network ipv4 real
host 100.1.1.1
ipv4 access-list real
10 permit icmp any any
20 permit tcp any net-group real eq www
30 permit tcp any net-group real eq www log
40 permit tcp any net-group real eq ftp
50 permit tcp any net-group real eq telnet
60 permit tcp any net-group real eq pop3
70 permit tcp any net-group real eq smtp
80 permit tcp any net-group real eq domain
90 permit tcp any net-group real eq ftp-data
100 permit tcp any net-group real established
110 permit tcp any net-group real eq 389
111 permit udp any net-group real eq 389
120 permit tcp any net-group real eq 636
121 permit udp any net-group real eq 636
200 permit ipv4 any any
end
RP/0/RSP0/CPU0:ASR9K-PE2-R1# -
hi
i have the following configuration:
interface FastEthernet0/1
description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***
no ip address
duplex full
speed 100
interface FastEthernet0/1.2007
description ***** Connect To MASTER_SHUKEI_ON *****
encapsulation dot1Q 2007
ip address 172.21.2.46 255.255.255.248
interface FastEthernet0/1.2008
description ***** Connect To TRAST *****
encapsulation dot1Q 2008
ip address 172.21.2.54 255.255.255.248
interface FastEthernet0/1.2009
description ***** Connect To TRAST *****
encapsulation dot1Q 2009
ip address 172.21.2.62 255.255.255.248
interface FastEthernet0/1.2010
description ***** Connect To TRAST *****
encapsulation dot1Q 2010
ip address 172.21.2.707 255.255.255.248
and i want to config a access deny between the vlans, that the user can't come in to anather vlans that don't belong to them
thanksHI
Configure access-list
access-list 10 deny u r vlan2007 range
access-list 10 permit any
int f0/0.2007
access-group 10 in
same for vlan 2008
Thanks
Mahmood -
Please assist me for access-list configuration
Dear Team,
Please help me to configure the access-list.
Requirement:
I have three different subnets(10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24). PC1, PC3 are within 10.1.1.0 subnets and PC2 and PC4 are within 30.1.1.0 subnets.
I want 10.1.1.0 subnet should not access 30.1.1.0 subnets but 30.1.1.0 subnets should access 10.1.1.0 subnets. Please find below configuration.
At R2:
ip access-list exstandard 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
But this configuration is not working, it's blocking the 30.1.1.0 subnet to access 10.1.1.0 also. Please help me!!!!!
Regards,
SanjibHello
I assume the rtrs are performing the routing for these subnets and no the switches, anyway your acl doesn't look correct, try this:
R2
ip access-list extended 101
deny ip 30.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
or
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 out
reverse the acl for R3 if applicable
res
Paul -
Simple SSH Access-List Question
I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50. I forgot the exact access-list configuration to accomplish this. The subnet is /24 and I don't want the whole subnet - just .1 - .50.
Thank you,
Thomas ReilingHi there,
If using ssh make sure you have a domain name, host name and a generated rsa key. Assuing you've done that, the the following ACL and line vty command will do the trick. Note that the 1-50 host list is not on a subnet barrier.
To get it exactly
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 host 192.168.200.50
access-list 1 deny any log
It would be a good idea to put it on a boundary though, so the following would be much more simpler and easier to read.
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
Apply the access-class on the vty lines and depending on authentication, i'd put something there too.
line vty 0 4
access-class 1 in
transport input ssh
password blahblah
That ought to do it.
good luck!
Brad -
Here is an access list I want to know if I can "clean up" :
access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
access-list outside_access_in extended permit object RDP any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in_1 extended permit object RDP any object FileServer
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
access-list outside_access_in_1 extended permit icmp any object DattoDevice
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical? I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......Hi,
To my understanding the numbering in the format "_1" (and similiar) are generated by device when you configure it through the ASDM.
The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
I would imagine that only one of them it attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
show run access-group
You could add the same lines from the old ACL to the new ACL with the "_1" at the end but you probably wont need all the statements (if any). The first line of the ACL you seem to have in the new one already.
The second ACL line might be in the new ACL. I am not sure as it contains "object" configurations which hold the IP addresses that I cant see.
Same goes for the third line of the ACL. It contains an "object" configuration though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts but with this information I can not say whats the case.
The last (fourth) line of the ACL seems to be a RDP rule that previously allowed RDP connections towards a host that used the PIX firewalls "outside" interface as its public IP address. This wont be needed anymore as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT conigured.
The ACL named "RemoveVPN_SplitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seems to be ACLs configured for L2L VPN connections. Considering the destinatin subnet in both of these is identical I imagine that also only one of these is in actual use at the moment.
You can check what is in use with the command
show run crypto map
Hope this helps :)
- Jouni -
Configuring Extended Access List with Any statement
I have several questions where I'm fuzzy on a configuration already on my network. Whoever setup my network before me just put the same access-lists on all the interfaces at three different locations --
1. Are extended access-lists always source then destination? Like in the following statement:
permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
2. Further down though there is:
permit tcp any host 172.16.4.11 eq 443.
In that case is the source any host and the destination 172.16.4.11 ?
This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement if valid.
3. Also, when you do a:
sho ip access-list -
Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
Thanks!Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiples Por -
I have the following configuration in the msfc of a catalyst 6509:
interface Vlan5
description Vlan Medidores Electricos
ip address 172.23.60.1 255.255.255.0
no ip unreachables
no ip directed-broadcast
interface Vlan1
description Vlan Usuarios Pz-Jose
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
In the subnet 172.23.8.0/22 I have the server 172.23.11.3 and in the subnet 172.23.60.0/24 I have meters of electricity.
I have the following request: The hosts active of the subnet 172.23.60.0/24 alone should have access to server 172.23.11.3, and alone the server 172.23.11.3 should have access to the hosts active of the network 172.23.60.0/24.
I think to carry out the following configuration:
interface Vlan5
description Vlan Medidores Electricos
ip address 172.23.60.1 255.255.255.0
ip access-group 103 in
no ip unreachables
no ip directed-broadcast
interface Vlan1
description Vlan Usuarios Pz-Jose
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
access-list 103 permit ip host 172.23.60.2 host 172.23.11.3
access-list 103 permit ip host 172.23.60.3 host 172.23.11.3
access-list 103 permit ip host 172.23.60.4 host 172.23.11.3
access-list 103 permit ip host 172.23.60.5 host 172.23.11.3
access-list 103 permit ip host 172.23.60.6 host 172.23.11.3
access-list 103 permit ip host 172.23.60.7 host 172.23.11.3
access-list 103 permit ip host 172.23.60.8 host 172.23.11.3
access-list 103 permit ip host 172.23.60.9 host 172.23.11.3
access-list 103 permit ip host 172.23.60.10 host 172.23.11.3
access-list 103 permit ip host 172.23.60.11 host 172.23.11.3
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
access-list 103 deny any any
Is correct?
Some recomendation?I don't believe your source/destination address logic matches your access-group 3 in statement. Your configuration states inbound traffic on interface VLAN 5 sourced as 172.23.60.x destined for 172.23.11.3 is allowed. Using Leo's recommendations I suggest you reverse source and destination address.
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.15
Interface Vlan5
ip access-group 3 in
HTH,
Ryan -
Static NAT using access-lists?
Hi,
i have an ASA5520 and im having an issue with static nat configuration.
I have an inside host, say 1.1.1.1, that i want to be accessible from the outside as address 2.2.2.2.
This is working fine. The issue is that i have other clients who i would like to access the host using its real physical address of 1.1.1.1.
I have got this working using nat0 as an exemption, but as there will be more clients accessing the physical address than the nat address i would like to flip this logic if possible.
Can i create a nat rule that only matches an access list i.e. 'for clients from network x.x.x.x, use the nat from 2.2.2.2 -> 1.1.1.1' and for everyone else, dont nat?
My Pix cli skills arent the best, but the ASDM suggests that this is possible - on the nat rules page there is a section for the untranslated source to ANY, and if i could change ANY i would but dont see how to...
Thanks,
DesDes,
You need to create an access-list to be used with the nat 0 statement.
access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
- this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
then use NAT 0 statement:
nat (inside) 0 access-list inside_nonat
to permit outside users to see inside addresses without NAT, flip this logic.
access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
nat (outside) 0 access-list outside_nonat
you'll also have to permit this traffic through the ACL of the outside interface.
access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
- Brandon -
I thought I would run this by the forum in case there is someone out there who experienced the same issue. I have users behind an ASA5520 firewall running 8.x code who are unable to access a particular ftp site through a web browser or an ftp client such as FileZilla. Keep in mind that other ftp sites are accessible. I was notified of this as it worked in the morning of a particular day and then stopped working in the afternoon on the same day. Accessing the site from our guest network(different firewall) is possible. The SysAdmin insists it is a firewall issue. I have run the packet tracer on the firewall and the traffic is allowed. FTP inspection is configured. I get the same results when I try to access with IE or Firefox. Anyways, I thought I would post the questions to see if anyone has seen something like this before. If anyone is interested, the site is ftp://authordev.healthstream.com. TIA for any help or advice.
Hi,
You could always take a packet capture on the firewall and/or on the actual host to see where the communication stops.
You could for example configure the ASA to capture the traffic between the client and the server.
Example configuration could be
access-list FTP-CAP permit ip host host
access-list FTP-CAP permit ip host host
capture FTP-CAP type raw-data access-list FTP-CAP interface buffer 10000000
You could naturally also capture the traffic on the internal side of the firewall if you want to compare the 2 captures on both sides of the firewall
access-list FTP-CAP-INTERNAL permit ip host host
access-list FTP-CAP-INTERNAL permit ip host host
capture FTP-CAP-INTERNAL type raw-data access-list FTP-CAP-INTERNAL interface buffer 10000000
You can then use the following command to confirm if traffic is captured
show capture
You can use the following command to show the capture on the CLI
show capture FTP-CAP
show capture FTP-CAP-INTERNAL
I would suggest copying the actual captures to your computer with following commands and then viewing the contents with Wireshark
copy /pcap capture:FTP-CAP tftp://x.x.x.x/FTP-CAP.pcap
copy /pcap capture:FTP-CAP-INTERNAL tftp://x.x.x.x/FTP-CAP-INTERNAL.pcap
You can remove the captures from the ASA with
no capture FTP-CAP
no capture FTP-CAP-INTERNAL
The ACLs will have to be removed separately.
These captures should give you a picture what happens to the FTP connection.
- Jouni -
Hellp Everyone,
I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
I want to allow the whole Intranet but few intranet websites also needs access to the internet.
Can we create such Access-List with the above requirement.
I tried to create the ACL on the switch but it blocks the whole internet access.
i want to do it for a subnet not for a specific IP.
Can someone help me in creating such access list.
Thanks in AdvanceThe exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit any object-group intranet any
permit object-group allowed_servers object-group allowed_sites any
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
IOS XR deny ace not supported in access list
Hi everybody,
We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
if you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
eventhough the permit and deny may be overlapping in terms of match.
only the first class is matched here, DENY-ME.
cheers!
xander -
Static nat with port redirection 8.3 access-list using un-nat port?
I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
object network obj-10.1.1.5-06
nat (inside,outside) static interface service tcp 3389 3398
object network obj-10.1.1.5-06
host 10.1.1.5
access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
Thanks in advance..Hello,
I would be more than glad to explain you what is going on!
The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
Regards,
Julio
Rate helpful posts -
We are getting the below error when we see in Crawl logs
"The crawler could not communicate with the server. Check that the server is available and that the firewall access is configured correctly. If the repository was temporarily unavailable, an incremental crawl will fix this error."
This is happening in FAST search.
Here I can see soke of the logs related to this search crawl.
Could anyone please help on this?
web application 'http://xvy/' doesn't use search application 'FAST Query SSA', skipping it.
ABC\sp_search' on web application 'http://xvy/'. 2d7dba01-3d2e-4903-b59f-9a8601627bcd
07/30/2014 01:30:46.65 OWSTIMER.EXE (0x28DC) 0x1BC0 SharePoint Server Search Administration
dl2m Verbose Search application 'Search Service Application 1': Skipping web application '48ed7882-9f70-424e-bf72-e3c9f5340b97' because its outbound url 'http://ebc:30347' was automatically added once.
Ensure full read access to the indexing account 'ABC\sp_search' on web application 'http://nvcp/'. 85041609-d618-4132-ac8e-195a910d99a0
07/30/2014 01:31:46.53 OWSTIMER.EXE (0x28DC) 0x05F4 SharePoint Server Search Administration
dl2m Verbose Search application 'FAST Query SSA': Skipping web application '57718ea1-8cb5-4adc-abd2-9e55415e5791' because its outbound url 'http://nvcp' was automatically added once. 85041609-d618-4132-ac8e-195a910d99a0
07/30/2014 01:31:46.53 OWSTIMER.EXE (0x28DC) 0x05F4 SharePoint Server Search Administration
dl2n Verbose Search application 'FAST Query SSA': Adding start address 'http://nvcp' for web application '57718ea1-8cb5-4adc-abd2-9e55415e5791' to list of valid start addresses. 85041609-d618-4132-ac8e-195a910d99a0
07/30/2014 01:31:46.53 OWSTIMER.EXE (0x28DC) 0x05F4 SharePoint Server Search Administration
dmb6 Verbose Ensure full read access to the indexing account 'ABc\sp_search' on web application 'http://nvcp'ext/'. 85041609-d618-4132-ac8e-195a910d99a0
07/30/2014 01:31:46.53 OWSTIMER.EXE (0x28DC) 0x05F4 SharePoint Server Search Administration
dl2m Verbose Search application 'FAST Query SSA': Skipping web application '64d562a1-535e-4917-8979-88840e2a67fe' because its outbound url 'http://nvcp'ext' was automatically added once. 85041609-d618-4132-ac8e-195a910d99a0
07/30/2014 01:31:46.53 OWSTIMER.EXE (0x28DC) 0x05F4 SharePoint Server Search Administration
dl2n Verbose Search application 'FAST Query SSA': Adding start address 'http://nvcpext' for web application '64d562a1-535e-4917-8979-88840e2a67fe' to list of valid start addresses. 85041609-d618-4132-ac8e-195a910d99a0
07/30/2014 01:31:46.53 OWSTIMER.EXE (0x28DC) 0x05F4 SharePoint Server Search Administration
dmb6 Verbose Ensure full read access to the indexing account 'ABC\sp_search' on web application 'http://nvcpnew/'. 85041609-d618-4132-ac8e-195a910d99a0
executing SQL query {? = call dbo.proc_MSS_PropagationIndexerGetReadyQueryComponents} [propdatabase.cxx:70] d:\office\source\search\native\ytrip\tripoli\propagation\propdatabase.cxx
07/30/2014 01:32:04.31 mssearch.exe (0x0588) 0x1DE4 SharePoint Server Search Propagation Manager
e3o3 Verbose executing SQL query {? = call dbo.proc_MSS_PropagationIndexerGetReadyQueryComponents} [propdatabase.cxx:70] d:\office\source\search\native\ytrip\tripoli\propagation\propdatabase.cxx
07/30/2014 01:32:04.68 mssdmn.exe (0x15CC) 0x1060 SharePoint Server Search HTTP Protocol
Handler du4i 0x29E4 SharePoint Server Search HTTP
Protocol Handler du4i Verbose CHttpAccessorHelper::InitRequestInternal - opening request for '/robots.txt'. [httpacchelper.cxx:353] d:\office\source\search\native\gather\protocols\http\httpacchelper.cxx
07/30/2014 01:32:04.70 mssdmn.exe (0x15CC) 0x29E4 SharePoint Server Search HTTP Protocol
Handler du54 High CHttpAccessorHelper::InitRequestInternal - unexpected status (503) on request for 'http://ppecpnew/robots.txt' Authentication 0. [httpacchelper.cxx:703]
d:\office\source\search\native\gather\protocols\http\httpacchelper.cxx
07/30/2014 01:32:04.70 mssearch.exe (0x0588) 0x130C SharePoint Server Search Gatherer
cd11 Warning The start address http://nvcp'/sites/quipme cannot be crawled. Context: Application 'FAST_Content_SSA', Catalog 'Portal_Content' Details:
The crawler could not communicate with the server. Check that the server is available and that the firewall access is configured correctly. If the repository was temporarily unavailable, an incremental crawl will fix this error. (0x80041200)
07/30/2014 01:32:04.70 mssdmn.exe (0x15CC) 0x104C SharePoint Server Search HTTP Protocol
Handler du4i Verbose CHttpAccessorHelper::InitRequestInternal - opening request for '/robots.txt'. [httpacchelper.cxx:353] d:\office\source\search\native\gather\protocols\http\httpacchelper.cxx
07/30/2014 01:32:04.70 mssdmn.exe (0x15CC) 0x104C SharePoint Server Search HTTP Protocol
Handler du54 High
07/30/2014 01:32:04.70 mssearch.exe (0x0588) 0x2948 SharePoint Server Search Gatherer
cd11 Warning The start address
http://nvcp'/sites/MDPPubng cannot be crawled. Context: Application 'FAST_Content_SSA', Catalog 'Portal_Content' Details: The crawler could not communicate with the server. Check that the server is
available and that the firewall access is configured correctly. If the repository was temporarily unavailable, an incremental crawl will fix this error. (0x80041200)
CHttpProbeHelper::ProbeServer: InitRequest failed for 'http://ppecpnew/_vti_bin/sitedata.asmx'. Return error to caller, hr=80041200 [stscommon.cxx:490] d:\office\source\search\native\gather\protocols\common\stscommon.cxx
07/30/2014 01:32:26.06 mssdmn.exe (0x15CC) 0x193C SharePoint Server Search PHSts
dvg0 High STS3::COWSServer::InitializeClaimsCookie: Probing url 'http://pncvr' failed. Return error to caller, hr=80041200 [sts3util.cxx:1332] d:\office\source\search\native\gather\protocols\sts3\sts3util.cxx
07/30/2014 01:32:26.06 mssdmn.exe (0x15CC) 0x193C SharePoint Server Search PHSts
en0e High CSTS3Accessor::InitURLType: Return error to caller, hr=80041200 [sts3acc.cxx:2214] d:\office\source\search\native\gather\protocols\sts3\sts3acc.cxx
07/30/2014 01:32:26.06 mssdmn.exe (0x15CC) 0x193C SharePoint Server Search PHSts
dv3p High CSTS3Accessor::GetServer fails, Url sts4://pnvpr/siteurl=sites/product/siteid={7ebfb072-08a8-4df7-8f74-e06730325d9a}/weburl=/webid={bd7ae724-1256-4b26-9633-416447d6bc5c}, hr=80041200 [sts3acc.cxx:185]
d:\office\source\search\native\gather\protocols\sts3\sts3acc.cxx
07/30/2014 01:32:26.06 mssdmn.exe (0x15CC) 0x193C SharePoint Server Search PHSts
dvb1 High CSTS3Accessor::Init fails, Url sts4:/mngbv/siteurl=sites/product/siteid={7ebfb072-08a8-4df7-8f74-e06730325d9a}/weburl=/webid={bd7ae724-1256-4b26-9633-416447d6bc5c}, hr=80041200 [sts3handler.cxx:312]
d:\office\source\search\native\gather\protocols\sts3\sts3handler.cxx
07/30/2014 01:32:26.06 mssdmn.exe (0x15CC) 0x16FC SharePoint Server Search HTTP Protocol
Handler du2z Verbose CHttpProbeHelper::ProbeServer: Probing server with url 'http://pnvpr/_vti_bin/sitedata.asmx'. [stscommon.cxx:476] d:\office\source\search\native\gather\protocols\common\stscommon.cxx
07/30/2014 01:32:26.08 mssdmn.exe (0x15CC) 0x193C SharePoint Server Search PHSts
dvb2 High CSTS3Handler::CreateAccessorExD: Return error to caller, hr=80041200 [sts3handler.cxx:330] d:\office\source\search\native\gather\protocols\sts3\sts3handler.cxx
07/30/2014 01:32:26.08 mssdmn.exe (0x15CC) 0x16FC SharePoint Server Search HTTP Protocol
Handler du4i Verbose CHttpAccessorHelper::InitRequestInternal - opening request for '/_vti_bin/sitedata.asmx'. [httpacchelper.cxx:353] d:\office\source\search\native\gather\protocols\http\httpacchelper.cxx
earch application 'FAST Query SSA': Adding start address 'http://mnvfgext' for web application '64d562a1-535e-4917-8979-88840e2a67fe' to list of valid start addresses. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
07/30/2014 01:32:46.53 OWSTIMER.EXE (0x28DC) 0x1444 SharePoint Server Search Administration
dmb6 Verbose Ensure full read access to the indexing account 'ABC\sp_search' on web application 'http://nvpr/'. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
07/30/2014 01:32:46.53 OWSTIMER.EXE (0x28DC) 0x1444 SharePoint Server Search Administration
dl2m Verbose Search application 'FAST Query SSA': Skipping web application 'cea7b67b-fd5f-4c9a-a300-64a7d7ca3093' because its outbound url 'http://pnvpr' was automatically added once. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
07/30/2014 01:32:46.53 OWSTIMER.EXE (0x28DC) 0x1444 SharePoint Server Search Administration
dl2n Verbose Search application 'FAST Query SSA': Adding start address 'http://pnvpr' for web application 'cea7b67b-fd5f-4c9a-a300-64a7d7ca3093' to list of valid start addresses. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
07/30/2014 01:32:46.53 OWSTIMER.EXE (0x28DC) 0x1444 SharePoint Server Search Administration
dl2k Verbose web application 'http://abcrsp/' doesn't use search application 'FAST Query SSA', skipping it. a6b7948a-dc16-419d-b58a-0ee798a0bb9c
07/30/2014 01:32:46.53 OWSTIMER.EXE (0x28DC) 0x1444 SharePoint Server Search Administration
dl2k Verbose web application 'http://excb/' doesn't use search application 'FAST Query SSA', ski
Anil LokaHi,
According to your post, my understanding is that you got error when communicating to the server.
This happens when crawler is not able to connect to the server. Make sure server name is correct. Couple of steps to troubleshoot it
You should be able to ping the server from the server having crawl component. Make sure there is an entry for the server in the host file under c:\Windows\System32\drivers\etc folder.
Ping <servername>
2. You should be able to connect to the server using telnet command
Telnet< servername> <port number>
More information:
Troubleshooting of FAST Search Configuration
If the issue still exists, you can delete the old search application and recreate from the beginning.
You can also reset the index and do a full crawl after.
Here is a similar thread for your reference:
http://social.technet.microsoft.com/Forums/en-US/f3c61b53-304a-4c2a-a370-d0e573219d1d/an-unrecognized-http-response-was-received-when-attempting-to-crawl-this-item?forum=sharepointadminprevious
Best Regards,
Linda Li
Linda Li
TechNet Community Support -
Acl-name in access-list requirements
Hi,
I would ask about the acl-name in access-list,
Does it act as a link between the ACL and an interface?
or it could be written as any-thing, without any constrains?
such as
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
is it OK?
or test_ACL should be defined somewhere prior using it in ACL?just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs. Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map. Another comon use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site to site VPN.
But for this specific ACL that you mention, the question you need to answer is, does the ACL define IPs that are assigned within your network, and do you have any applications that require the tcp timeout to be adjusted? If the answer is no to either of thaese then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
Whether the ACL itself can be removed, I would assume it is safe to remove as it is called test_ACL, but then again, I have see people set up test configurations and then leave them as is without changing the name. So I would suggest investigating further to see if the name test_ACL is referenced any other places in your configuration.
Please remember to select a correct answer and rate helpful posts
Maybe you are looking for
-
Ringtones and email notifications!
I just got the droid razr yesterday (it's also my first smartphone) and I can't figure out how to get ringtones! My husband has a plain phone and sent me ringtones but when I open them they play the music but there is nothing under options saying use
-
Hi, can you tell me a table where i can get vendor master general details and bank details (both in one table)?
-
Syncing 2 iPhones to same Macbook pro
I have a Macbook pro running OSX (10.6.8) and both my wife and I have iPhones (3 and 4). Is there a way to sync both to iTunes and keep the data separate (we both have different contact lists, etc.)?
-
Unable to delete a set of records from PSA
Hello All, I am trying to delete a PSA request (INIT With data transfer) which had about crores of records. But in my PSA, I can still see about 16000 records from the earlier deleted request. Please advice as my next INIT is not brininging in any re
-
Hi Experts, In BW 3.5, in DB24 there's a missing_index warning for a transparent table /BIC/Fxxxx (xxxx is not the name of the infocube) In SE14, it says thaht this primary index /BIC/Fxxxx-0 must not be created on the database. First of all, what ki