Cisco FWSM 'deny inbound' error in ASDM

Hello
We have an explicit rule allowing inbound traffic, however it recently stopped working. The rule is still in place but we get a Deny message in the logs and the traffic does not pass. Would NAT have an affect on this? Someone changed the NAT from Static to Dynamic recently and I'm wondering if that might have broken something. Please let me know what further info you need.
Thanks
Amy

NAT could very well be the issue here if it has been changed.
You could check by running a packet tracer on the ASA from any public IP (4.2.2.2 for example) to the public IP of the server you are trying to reach.  Make sure that the source port is a random hight port (I normally use 12345) and make sure you specify the server port which is being used to access the server (for example, port 80 for webservers).
packet-tracer input outside tcp 4.2.2.2 12345 <public IP of server> <port> detail
Please remember to select a correct answer and rate helpful posts

Similar Messages

  • Deny inbound (no xlate)

    I have a problem with a fwsm on a 6509. I am on vlan1 and I want to ping a pc on vlan2. I find this error :
    Deny inbound (No xlate) icmp src Vlan2:x.x.x.x dst Vlan2:y.y.y.y (type 8, code 0)
    If I ping another pc on the vlan2 I don't have any problem. I know this error occurs because fwsm doesn't permit traffic when src and dst are on the same vlan. My question is: why does firewall see my pc on vlan2 even if my pc is on vlan1?
    There is a NAT exemption rule from vlan1 to vlan2.
    Thanks!

    I think type 8 code 0 are caused by the nachi worm.
    Better try this ACL in your device.
    access-list acl-in deny tcp any any eq 4444
    access-list acl-in deny tcp any any eq 135
    access-list acl-in deny udp any any eq 135
    access-list acl-in deny udp any any eq 69
    access-list acl-in deny icmp any any
    access-list acl-in permit ip any any
    access-group acl-in in interface inside

  • Traceroute "Deny inbound icmp"

    Hi,
    I'm having difficulties with getting traceroute to work from inside to outside. Regular pings work fine, but not traceroute. I thought the icmp inspection would allow alll icmp traffic, I have icmp inspection on globally as well as inside interface.
    Commands:
    policy-map global_policy-map
    class global_class-map
      inspect icmp
      inspect icmp error
    policy-map inside_policy-map
    class inside_class-map
      inspect icmp
      inspect icmp error
    service-policy global_policy-map global
    service-policy inside_policy-map interface inside
    icmp permit any outside
    Here is the output:
    On the Real-Time Log Viewer:
    3
    Deny inbound icmp src outside:4.69.150.77 dst inside:10.0.1.68 (type 11, code 0)
    Thanks for your help
    Delmiro

    Hello Delmiro,
    Amazing to hear that I could help someone else
    Let me explain you this:
    ICMP inspection : This command will convert the ICMP protocol into a stateful protocol but it will work with the basic icmp echo and echo reply , it will check the ICMP ID and place it into it's stateful table waiting for a reply...
    In our scenario we are sending from a windows machine ICMP echo paquets with a TTL of 1 and keeps growing as it keeps moving BUT the reply will be an ICMP unreachable which the ASA will not be expecting then dropping it..
    Hope that you could understand, if you do not have any other question please mark it as answered
    If not let me know an I will do it one more time
    Remember to rate all of the helpful posts ( by marking the stars at the left 5 being amazing 1 being the worst answer ever )
    Regards,

  • Access denied. Error in File C:\WINDOWS\TEMP\

    I have searched on Google and all over this forum and none of the solutions have fixed my problem.
    Crystal Version: Crsytal.Net for Visual Studio.Net 2005
    Server: Windows Server 2003
    Error:
    Access denied. Error in File C:\WINDOWS\TEMP\JuryDutyReport {D6296178-3E72-483E-B876-2DFC03D00841}.rpt: Access to report file denied. Another program may be using it.
    When I run my app locally through the Web Server that comes with ASP.Net, everything is fine, it is only when I deploy the application to the Windows 2003 Server that I get the error.
    I'm using impersonation in my ASP.Net application.  I have given that domain user full access to 'C:\Windows\Temp'', the export folder and even the folder where the Crystal Report resides on the Server.  When I run the application on the Web Server, I actually see the ".rpt" get created in the "C:\Windows\Temp" folder but yet it still says there is a permissions error.
    What is bizarre is that the code below that just sends the file to the printer automatically works:
      private void PrintJuryDutyReport(DataSet ds)
            //create report document
            ReportDocument crDoc = new ReportDocument();
            //load, set datasource and print options
            crDoc.Load(Server.MapPath("~/Reports/JuryDutyReport.rpt"));
            crDoc.SetDataSource(ds); //set datasource
            crDoc.PrintOptions.PrinterName = ddlPrinters.SelectedValue.ToString(); //set printername
            crDoc.PrintOptions.PaperOrientation = PaperOrientation.Portrait; //set paper orientation
            crDoc.SetParameterValue("ParamUsername", User.Identity.Name); //set parameter
            crDoc.PrintToPrinter(1, false, 0, 0); //send to printer
    I have to change the code to export to a PDF and this code doesn't work:
        private void PrintJuryDutyReport(DataSet ds)
            //report document
            ReportDocument crDoc = new ReportDocument();
            string myfile = @"G:\COPFS\COPFSPROD\ReportsTemp\MyPDF.pdf";
            //load, set datasource and print options
            crDoc.Load(Server.MapPath("~/Reports/JuryDutyReport.rpt"));
            crDoc.SetDataSource(ds); //set datasource
            crDoc.SetParameterValue("ParamUsername", User.Identity.Name); //set parameter
            //export through http
            crDoc.ExportToDisk(ExportFormatType.PortableDocFormat, myfile);
            crDoc.Close();
            crDoc.Dispose();
            Response.ClearContent();
            Response.ClearHeaders();
            Response.ContentType = "Application/pdf";
            Response.AppendHeader("content-disposition", "attachment; filename=" + myfile);
            Response.WriteFile(myfile);
            Response.Flush();
            Response.Close();
    Any help is greatly appreciated as I have to present this to end users tomorrow.

    Don, thanks for the response.
    As a last ditch effort, I granted "modify" to the Network Service Account on C:\Windows\Temp and that fixed the error.
    There are two things that are troubling about this:
    1) I'm impersonating a domain user in my ASP.Net application and when the PDF is created, the owner is that domain user, so I know impersonation is working.  So I wonder if ASP.Net picks and chooses what account it runs under at different times?
    2) It is a little scary for the Network Service Account to have this access but that people seem to be fine with it.
    http://aspadvice.com/blogs/rjdudley/archive/2005/03/14/2566.aspx

  • Regedit Permissions -"Access Denied" or "Error while deleting key" EVEN AS ADMIN!

    Anyone tried deleting a registry key in Windows 7?  Got "access denied" or "Error while deleting key"?
    The usual response is, "You need to run regedit as an administrator".  but I *AM* logged in as Administrator, and running regedit as administrator, trying to assign administrator full permissions on that registry key in order to delete it!!  
    Am I mistaken, or isn't Administrator supposed to be able to administer and control all the settings on the computer, in order to set it up for the "Average Joe" user?
    So, under the permissions menu of that key, go to advanced, change the owner from System to Administrator, and try again.  It's no longer saying "access denied", but "Cannot delete xxxxxx. Error while deleting key".
    The scenario: Basically, the wireless has stopped working on a laptop. The device does not show up in Device Manager, but is in the registry, so the normal procedure is to delete the registry entry for the device in HKLM/System/CurrentControlSet (and /ControlSet001) /Enum/PCI    ,then attach the device or restart the computer, it finds the "new" hardware and reinstalls it. Easy!...
    Not with permission restrictions on the administrator account it's not!  So I need to give myself permission, to give myself permission, to do a simple task like delete a single registry key!  Why, Microsoft, why???!!!  Please just make the Administrator account a hidden "God mode" account that can do anything, and make the lives of us techies much easier in the process!  
    /RANT
    Now, where did I put that XP disc?!....

    Hi,
    I explain you:
    Administrator does not mean "you get all rights to do anything." Administrator happens to be an account (or in your case, most likely the Local Administrators group) which by default is given some sensitive privileges like SeDebugPrivilege and
    similar. However, as far as the security subsystem is concerned, it is just an account. (Very much unlike root in
    Unix-like operating systems) If you aren't the owner of the key in question, and your account does not have WRITE_DAC access
    to the registry key in question, then you won't be able to change the access control list on the key in question.
    Try taking ownership first. By default, the local administrators group has SeTakeOwnershipPrivilege,
    which allows taking ownership of any object even without the WRITE_OWNER permission
    being granted by the object's discretionary access control list. Once you are the owner, you should be implicitly granted READ_CONTROL (which
    allows you to read the security descriptor on the object in question), and WRITE_DAC (which
    allows you to write to the DACL on the key in question). (Assuming the OWNER_RIGHTS SID
    isn't in use; that's extremely unlikely)

  • B2B Inbound Error : Need Clarification

    Hi All,
    I would like to illustrate a particular use case for B2B Inbound Errors and if there is any workaround available to get over the problem. We are using B2B version 10.1.2
    Use Case Details</strong1. Consider the scenario wherein we have a Inbound EDI File which has 100 transactions in it. B2B reads the file and automatically debatches into individual transactions and processes them separately.
    2. Out of the 100 transactions in the input file, if say 5 transactions are error transactions, we have observed that all the 100 transactions error out in B2B.
    3. The 95 correct transactions fail with the error "General Validation Error" and the 5 error transactions have the exact error details in the B2B Message Reports.
    4. Ideally, B2B should error out only the 5 error transactions and process rest of the 95 transactions without allowing them to fail with "General Validation Error".
    I am sure that most of us must have faced this error. Could someone please let me know the folllowing:
    1. Is there any setting in B2B by which we can enable it to error out only the transactions which have valid errors in a single file
    2. Is there any other workaround that we can take to avoid this issue.
    The reason we need to have a solution for this is because in our Production B2B environment we receive inbound files from Trading Partners which have hundreds of transactions in each file.
    If, even a single transaction has error, then the whole file errors out and it is quite cumbersome to browse through the B2B Message Reports to get the exact error transaction because all the correct transactions would failed with error "General Validation Error".
    Please let me know the inputs.
    Thanks,
    Dibya

    Hi Ramesh,
    Thanks for the clarification and information. We have already set the parameter OneErrorAllError = true and my understanding was that if we set this parameter to TRUE, it means that if one transaction in the OUTBOUND batch errors out then the whole batch will error out.
    I was not aware that it also holds true for INBOUND. Is there any other way that we can set this parameter based on direction (INBOUND or OUTBOUND).
    We would like to have this parameter set for OUTBOUND and disabled for INBOUND Transactions.
    Please let me know. Thanks Again.
    Regards,
    Dibya

  • Deny inbound UDP flood

    We are receiving thousands of "Deny inbound UDP from x.x.x.x/53 to x.x.x.x/2713 due to DNS Response" per minute on our ASA 5510. All of the responses are destined to a signal one of our external IP's. This is overloading the our ASA and preventing traffic getting out to the Internet during these attacks. Anyone have any suggestions as to what we can do to mitigate this problem? Thanks

    If this really is an attack then allowing the traffic into your network is not the correct action!
    How is the problem manifesting itself? If the outbound link is being saturated with traffic then talk to your ISP
    If you think the volume of syslog messages on your ASA is causing a performance problem, then you can configure the message ID to appear at a higher syslog level so that it does not appear at your current logging level. Obviously this would be in effect for all messages of this type so you may not be aware of similar attacks taking place.
    Talk to your ISP :)
    cheers,
    Seb.

  • RADIUS in 10.6 to authenticate Cisco ASA 5505 Strange Error

    I have followed the steps as discussed: http://discussions.apple.com/thread.jspa?threadID=2177670&tstart=0
    It did work for a number of weeks without any problem.
    Did not change anything on the Firewall or server, regarding updates etc.
    But now something really strange is happening:
    If I test the Radius server from the firewall, the test comes back successful and I see a line in the password server log:
    Jan 10 2011 12:58:16 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication succeeded.
    So I think everything is happy..... Not.
    Whenever I try to connect via a vpn client (regardless if using the Mac OS X Cisco client or using Cisco native client), the user is rejected and the following 2 lines appear in the password server log:
    Jan 10 2011 12:58:57 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication succeeded.
    Jan 10 2011 12:58:57 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
    At the same time the process is run twice, and one is always failing....
    Tried sofar:
    Update to latest versions, ASA and Mac Server.
    Removed and added the radius client on the server
    Changed the hashing on the IPSec tunnel from SHA to MD5.
    Added a new AAA server using LDAP to communicate directly with OD without going trough the RADIUS service. Same kind of error, using LDAP directly I see the following log lines:
    Jan 10 2011 13:27:00 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} CRAM-MD5 authentication succeeded.
    Jan 10 2011 13:27:00 AUTH2: {0x4c3c0bfd77981d110000000600000006, <username>} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
    Remarkable is the fact that using radius is a DIGEST-MD5 authentication and using the LDAP is a CRAM-MD5 authentication methods.
    Removed the Radius server from the FW and re-added it.
    Rebooted the server/fw a number of times.
    Does anyone else experience the same issue? Do I need to go deeper into the config of the fw or keep on looking in Mac OS X Server?
    I hope someone can help.
    Cheers,
    Arnold

    I think I may have figured out how to get this to work. Can someone else test this?
    This is still based on the discussion referenced in the first post.
    -Stop RADIUS
    -For this test of 10.6 I did not change the default /etc/raddb/users. I think the thing that I have missed in trying to get this to work is that there is no default to "system" in the current file to change to opendirectory.
    -One change required to /etc/raddb/clients.conf, same as before:
    Add your ASA to the list of accepted clients. Entry should look something like:
    client IPaddressof_yourASA {
    secret = ServerSecretKey
    shortname = Common_Password
    ServerSecretKey is contents of "Server Secret Key" in the ASDM for the ASA
    Common_Password is contents of "Common Password" in the ASDM for the ASA
    -Restart RADIUS
    I just tested this change alone and ran the "Test" from the AAA Servers page in the ASA ASDM and was able to authenticate as a OD user. If someone else can get this to happen, I think we have an answer.
    -Erich

  • HTTP 404 error on ASDM access

    I have a cisco ASA 5510 runing IOS version 7.2(5).
    I am using asdm-647.bin file for accessing asdm.
    But when i do https:\\<ASAIP>     , it takes me to user authentication. on entering the username password it gives me the below error.
    The page cannot be found
    The page you are looking for might  have been removed, had its name changed, or is temporarily  unavailable.
    Please try the following:
    If you typed the page address in the Address bar, make sure that it  is spelled correctly.
    Open the 172.16.5.3 home page, and then look for  links to the information you want.
    Click the Back button to try another link.
    Click Search to look for information on the Internet.
    HTTP 404 - File not  found
    Internet Explorer
    not sure what the issue is.
    I am accessing it from the inside network. I have enabled http server and also gave inside network http access.
    what should i do?
    Thanks,
    Pratik

    Pratik,
    You should chose correct ADSM file .
    The one which you uploaded not compatible with your ASA OS.
    asdm-647.bin
    Release Date: 09/JAN/2012
    Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, and 8.4.
    Here is what you can download and use it.
    asdm-525.bin
    Release Date: 11/MAY/2010
    Cisco Adaptive Security Device Manager for ASA 7.2
    Thanks
    Ajay

  • Cisco 5550 blocking inbound unsolicited echo-replies

                       I would like to block non-stateful unsolicited echo-replies from entering inbound to my Cisco 5550 firewall.  I received the following advice to configure:
    policy-map global_policy
    class inspection_default
       inspect icmp
       inspect icmp error
    My follow on question is, if I add the "inspect icmp", does this still permit stateful icmp echo request/echo replies while blocking non-stateful echo-replies from the outside?  
    Also, what does configuring "inspect icmp error" do?
    Thanks in advance

    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735986
    https://supportforums.cisco.com/thread/2069501
    Michael
    Please rate all helpful posts

  • Cisco Network Assistant access error

    Dear all,
    I've just installed Cisco Network Assistant (CNA) on my Windows 7 laptop but whenever I try to start it I get an error message as shown below:
    Read/write access problems:
    Access is denied
    =======================================
    Note: Read/write access is required for user home directory and installation directory:
    C:\Users\...........
    C:\Program Files (x86)\Cisco Systems\Cisco Network Assistant
    =======================================
    My Windows is 64-bit.
    Any ideas on how to sort out this will be appreciated.
    Regards,
    Davis M Onsakia

    i had the same problem and i wasn't willing to open the whole of the programs directory to what username cisco used when installing or when run, so i opt'ed to install in a root directory, make c:\cisco and install there, that way if there's a permissions error I can add what I wanted, but thats how i got mine to work. Install in a different directory, one that you can add read/write permissions to.
    BR Aylu

  • Server 2012 R2 - "Access is denied." error

    so this has been happening ever since i've installed Windows updates on our accounting server(windows server 2012 r2), and upgraded the RAM on the VM server(all these Server 2012 R2's are hosted on a VMware 5.5, client & server) . Sometimes, when trying
    to log in as an Active Directory user via RDP, i'll get an "Access is denied" error. This occurs for 3 different users, all of whom are domain admins. When this done happen, I'm only able to log in as the local machine administrator. Our AD server
    is also a 2012 R2.
    Some things to note:
    1) I can ping to the AD server, and ping from AD to the accounting server in question- all traffic is allowed over a VPN connection, and no traffic is being blocked by the firewall. Windows Firewall is turned off completely for both servers. Tracert finds
    both servers in 3 hops, but times out on the 2nd hop. also, the preferred DNS server for the accounting is the IP address for the primary domain controller.
    2) The time is the same on both the AD and accounting servers(at least when logged in as a local admin on the accounting server). Most of the most recent Windows updates are installed on both.
    3) I've tried removing the accounting server from the domain, and adding it back to the domain, and removing the accounting computer object in AD- the computer object was never added back after rejoining the domain, automatically or manually.
    3) I can't run a gpupdate on this accounting server. It returns this error:
    Computer policy could not be updated successfully. The following errors were encountered:
    Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator's requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected.
    If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem. User Policy could not be updated successfully. The following errors were encountered:
    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windowswill automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful. To diagnose thefailure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.so this has been happening ever since i've installed Windows
    updates on our accounting server(windows server 2012 r2), and upgraded
    the RAM on the VM server(all these Server 2012 R2's are hosted on a
    VMware 5.5, client & server) . Sometimes, when trying to log in as
    an Active Directory user via RDP, i'll get an "Access is denied" error.
    This occurs for 3 different users, all of whom are domain admins. When
    this done happen, I'm only able to log in as the local machine
    administrator. Our AD server is also a 2012 R2.
    Some things to note:
    1) I can ping to the AD server, and ping from AD to the accounting
    server in question- all traffic is allowed over a VPN connection, and no
    traffic is being blocked by the firewall. Windows Firewall is turned
    off completely for both servers. Tracert finds both servers in 3 hops,
    but times out on the 2nd hop. also, the preferred DNS server for the
    accounting is the IP address for the primary domain controller.
    2) The time is the same on both the AD and accounting servers(at
    least when logged in as a local admin on the accounting server). Most of
    the most recent Windows updates are installed on both.
    3) I've tried removing the accounting server from the domain, and
    adding it back to the domain, and removing the accounting computer
    object in AD- the computer object was never added back after rejoining
    the domain, automatically or manually.
    3) I can't run a gpupdate on this accounting server. It returns this error:
    Computer policy could not be updated successfully. The following errors were encountered:
    Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator's requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected.
    If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem. User Policy could not be updated successfully. The following errors were encountered:
    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windowswill automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful. To diagnose thefailure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
    so GPResults.html shows this(domain and AD user hidden just in case):
    DOMAIN\ADuser on ACCOUNTING2
    Data collected on: 12/16/2014 1:02:44 PM show all
    Summaryhide
      During last computer policy refresh on 12/16/2014 12:56:05 PM
       A fast link was detected More information...
      During last user policy refresh on 12/16/2014 12:56:05 PM
       A fast link was detected More information...
    Computer Detailshide
    Generalhide
    Computer name ACCOUNTING2
    Domain Local
    Site (None)
    Security Group Membership hide
    Mandatory Label\System Mandatory Level
    Everyone
    BUILTIN\Users
    NT AUTHORITY\SERVICE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    NT SERVICE\BITS
    NT SERVICE\CertPropSvc
    NT SERVICE\DsmSvc
    NT SERVICE\Eaphost
    NT SERVICE\hkmsvc
    NT SERVICE\IKEEXT
    NT SERVICE\iphlpsvc
    NT SERVICE\LanmanServer
    NT SERVICE\MMCSS
    NT SERVICE\MSiSCSI
    NT SERVICE\NcaSvc
    NT SERVICE\RasAuto
    NT SERVICE\RasMan
    NT SERVICE\RemoteAccess
    NT SERVICE\Schedule
    NT SERVICE\SCPolicySvc
    NT SERVICE\SENS
    NT SERVICE\SessionEnv
    NT SERVICE\SharedAccess
    NT SERVICE\ShellHWDetection
    NT SERVICE\wercplsupport
    NT SERVICE\Winmgmt
    NT SERVICE\wuauserv
    LOCAL
    BUILTIN\Administrators
    Component Statushide
    Component Name Status Time Taken Last Process Time Event Log
    Group Policy Infrastructure Success   12/16/2014 12:56:05 PM   
    Registry Success   12/12/2014 8:05:55 AM   
    Security Success   12/12/2014 8:06:01 AM   
    Settingshide
    No settings defined.
    Group Policy Objectshide
    Applied GPOshide
    Denied GPOshide
    Local Group Policy [LocalGPO]show
    Link Location Local
    Extensions Configured   
    Enforced No
    Disabled None
    Security Filters   
    Revision AD (0), SYSVOL (0)
    WMI Filter   
    Reason Denied Empty
    WMI Filtershide
    Name Value Reference GPO(s)
    None
    User Detailshide
    Generalhide
    User name DOMAIN\ADuser
    Domain domainname.local
    Security Group Membership show
    DOMAINNAME\Domain Users
    Everyone
    BUILTIN\Users
    BUILTIN\Administrators
    NT AUTHORITY\REMOTE INTERACTIVE LOGON
    NT AUTHORITY\INTERACTIVE
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    LOCAL
    DOMAINNAME\Backup Admins
    DOMAINNAME\Scans FTP Users
    DOMAINNAME\Scans FTP Admin
    DOMAINNAME\Domain Admins
    Authentication authority asserted identity
    DOMAINNAME\Denied RODC Password Replication Group
    Mandatory Label\High Mandatory Level
    Component Statushide
    Component Name Status Time Taken Last Process Time Event Log
    Group Policy Infrastructure Success   12/16/2014 12:56:05 PM   
    Settingshide
    No settings defined.
    Group Policy Objectshide
    Applied GPOshide
    Denied GPOshide
    Local Group Policy [LocalGPO]hide
    Link Location Local
    Extensions Configured   
    Enforced No
    Disabled None
    Security Filters   
    Revision AD (0), SYSVOL (0)
    WMI Filter   
    Reason Denied Empty
    WMI Filtershide
    Name Value Reference GPO(s)
    None
    Also, in the accounting server, i get multiple Microsoft-Windows-Security-Kerberos (codes 4 & 5)
    and
    Microsoft-Windows-GroupPolicy (codes 1030 & 1126) in the All
    Servers > Events page. Where can i find the "Details" tab for the
    error code and description?
    any help would be greatly appreciated. thanks!

    So I believe that I've fixed the time issue, but it still sometimes kicks off users on this accounting server, and gpupdate doesn't work. I have 2 domain controllers, and it seems that when this server queries the secondary domain controller(which was "screwed
    up", i was told by the previous IT guy who set this environment up), i get the Event ID 1030[GroupPolicy (Microsoft-Windows-GroupPolicy)] error and error # 4(Security-Kerberos) after the gpupdate fails.
    and Vivian, i do have a problem with AD replication. i cannot replicate the secondary DC with the primary DC. i get several event id 4 codes on the secondary DC.
    when i try to force a replication via AD Sites & Services > Sites... Servers > NTDS Settings of primary DC > Right-click > Replicate Now, i get the error:
    "The follow error occured during the attempt to contact the Domain Controller DCPRIMARYNAME(actual domain name hidden for privacy): The target principal name is incorrect."
    which is interesting, because i've seen this "target principal name is incorrect" error in several event viewer error codes in different Servers(all 2012 R2).

  • Cisco SG300 HOSTP_flash_operation: fatal error during read operation!

    I have 2 Cisco SG300-52P switches.   Earlier this week, one of them started dropping connections and POE was not working on a couple of devices...  I came in this morning to restart them when no one else was around. After restarting them, the troublesome one was still not detecting POE devices.  
    I have been waiting for some down time to do a firmware update, so I thought this might straighten things out.  I Downloaded the updated bootloader and firmware from Cisco's site.  Updating the (non-problem) SG300 went exactly as it should.  Upgrading the the bootloader on the problem SG300 went exactly as it should.  Started the firmware update on the problem switch ....... and it didn't come back online.  The power light was flashing, and occasionally the lights on ports would blink like they were trying to reset, but they never made it.   There weren't really any special configurations on this switch so I had nothing to lose by trying a factory reset via the pinhole on the front ...... same result.
    I connected to the serial port via a win7 PC with putty. .. All setting per Cisco. I got a message that the connection was detected, but it would not accept keyboard input.  I power cycled the SG300 and watched the messages go by ... It looked like everything was working.  I even got a message that the "Initialization task was completed"..
    Then this message "HOSTP_flash_operation: fatal error during read operation!"
    We have had a couple of internet and power outages recently, but I am trying to rule out other issues before blaming it on that. 
    any suggestions?
    putty output file attached

    I am not familiar with SG series products, but looking at the error message in the attached file, it appears there is an issue with reading from the flash.  It could be that the flash file is corrupted and the flash needs to be formatted and then reload the software again.
    If you have support contract on the product, I would suggest you open a TAC ticket with Cisco and have them help you.
    HTH

  • EDI inbound error message

    Hi
    While processing the inbound DELINS Idoc, i am getting the error message Vendor number & has not been saved for customer &.
    Could you please guide me to do the necessary configuration to avoid this error.
    Thanks in Advance
    Regards
    Shaju

    you can goto We 19 and reprocess the idoc in debug mode to find the actual problem.
    GO TO WE02
    Get the Partner Number
    GOTO WE20
    Get the inbound Process code
    Get the function module associated with the same
    Make a Break Point on the function module

  • CIF Inbound error in APO

    Hello Guru,
    May am trying to CIF and activate a plant from R/3 to APO via, doing in R/3 rimodgen and rimodac the result in APO is error in SMQ2 (Inbound queue) saying ::023 XXXX Production Plant, or message no. Message no. SR053
    Hope you can help me resolve this APO error.
    Thanks

    Totchiki,
    Pretty self explanatory.  The address that is moved over with the plant contains basic configuration data that does not exist in your SCM system.
    Configuration of Regions in SCM are found at OVK2.  Configuration for Regions in ERP are found in the same transaction.  Ideally, you would like these two to be identical for both systems.  At a bare minimum, though, the regions that are contained in every address transferred across to SCM must exist in the SCM configuration.  Add the regions to SCM that the error messages tell you are undefined.
    Best Regards,
    DB49

Maybe you are looking for