Cisco loopback traffic?

Hi,
I have this config on a Catalyst 2900:
interface FastEthernet0/1
switchport access vlan 600
switchport trunk native vlan 600
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
switchport port-security mac-address sticky
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
On that port I have a Linux box that gets this ARP traffic:
# tethereal
Capturing on eth0
0.000000 Cisco_53:78:83 -> Cisco_53:78:83 LOOP Reply
9.998184 Cisco_53:78:83 -> Cisco_53:78:83 LOOP Reply
# tcpdump -i eth0 -n
tcpdump: listening on eth0
00:58:15.592672 0:14:1c:53:78:83 0:14:1c:53:78:83 loopback 60:
0000 0100 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
Is this something I should worry about? In case the answer is yes, how should I block this kind of traffic?
Thanks in advance

Hello Luis,
I think what you are looking at are Ethertype 0x9000 frames, which basically are loopback frames sent to the MAC address of the FastEthernet0/1 interface, and which are used to test if the link is OK (those frames are also called 'Enet Config Test'). I am not sure how to turn them off, can you try:
interface FastEthernet0/1
-->no keepalive
Regards,
GP
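
To check a capture like the one above against this explanation, the following added example (not part of the original posts) decodes an Ethertype 0x9000 frame and flags the self-addressed "Reply" pattern the switch port emits. The sample frames are constructed from the tcpdump output in the question; `parse_loop_frame` and `classify` are hypothetical helper names.

```python
import struct

ETHERTYPE_LOOP = 0x9000          # shown as "LOOP" by tethereal, "loopback" by tcpdump
CTP_FUNCTIONS = {1: "Reply", 2: "Forward Data"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_loop_frame(frame: bytes) -> dict:
    """Decode an Ethernet II header and, for Ethertype 0x9000, the loopback fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {
        "dst": fmt_mac(frame[0:6]),
        "src": fmt_mac(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    info["is_loop"] = info["ethertype"] == ETHERTYPE_LOOP
    if not info["is_loop"]:
        return info
    payload = frame[14:]
    if len(payload) < 2:
        raise ValueError("truncated loopback payload")
    # Loopback-protocol integers are little-endian. skipCount is the byte
    # offset, counted from the end of the skipCount field, of the function
    # that the receiver has to process.
    skip = struct.unpack("<H", payload[0:2])[0]
    body = payload[2 + skip:]
    if len(body) < 4:
        raise ValueError("skipCount points past the end of the frame")
    code = struct.unpack("<H", body[0:2])[0]
    info["skip_count"] = skip
    info["function"] = CTP_FUNCTIONS.get(code, f"unknown({code})")
    if code == 1:
        # A Reply carries a 16-bit receipt number.
        info["receipt"] = struct.unpack("<H", body[2:4])[0]
    elif code == 2:
        # Forward Data carries the MAC address to forward to.
        if len(body) < 8:
            raise ValueError("truncated Forward Data function")
        info["forward_to"] = fmt_mac(body[2:8])
    return info


def classify(info: dict) -> str:
    """Label a parsed frame: 'keepalive', 'review' or 'not-loop'."""
    if not info["is_loop"]:
        return "not-loop"
    # The pattern in the question: the port sends a Reply addressed to its own MAC.
    if info["src"] == info["dst"] and info["function"] == "Reply":
        return "keepalive"
    # Any other 0x9000 frame was not generated by the port talking to itself.
    return "review"


# Constructed sample: the 60-byte frame from the tcpdump output in the question.
KEEPALIVE = bytes.fromhex("00141c537883" "00141c537883" "9000" "0000" "0100") + bytes(42)

# Constructed sample: same payload, but sent by a different (made-up) station.
FOREIGN = bytes.fromhex("00141c537883" "020000000001" "9000" "0000" "0100") + bytes(42)

# Constructed sample: an unrelated broadcast frame with the ARP Ethertype.
OTHER = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(46)

if __name__ == "__main__":
    for name, frame in (("keepalive", KEEPALIVE), ("foreign", FOREIGN), ("other", OTHER)):
        parsed = parse_loop_frame(frame)
        print(name, classify(parsed), parsed)
```
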

Similar Messages

  • Cisco asa traffic flow

    Hi,
    Can somebody give the packet/traffic flow paths from a higher security interface to lower & viceversa..
    For eg: session > acl > xlate > etc...
    Are these checking different in both of the above scenarios ?

    Hi Felipe,
    But i do see find difference while reading the below URL.
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml
    I would like to know how is the traffic flow from outside to inside and inside to outside.
    Hope you got it...
    regards
    rajesh

  • Cisco RV082 traffic monitoring

    Hi,
    I want to know is there any option/ tool etc to monitor specific website traffic from Cisco RV082 router?
    If yes please guide me as its required in our office or help me to find a tool to monitor it.

    Would you like to view the traffic that is being passed through different ports on the RV082? The RV082 does not support port mirroring, so you cannot use an application such as wireshark to view the traffic. If you would use a switch, then you could set up port mirroring and view all traffic. Does that help?
    Zach

  • Cisco RV120W traffic redirect

    I have a RV 120W VPN where I wish to route HTTP traffic from local host to remote proxy server. How can i do it.


  • Cisco asa traffic flow with destination nat

    Hi Folks,
    Can anybody comment on the below.
    1.  in source natting (inside users accessing internet), first the NAT will happen then the routing will happen. I agree with this..
    2. in destination natting (outside users accessing inside server on public ip), what will happen first, NATTING or Routing. I am looking forward to hear an explanation.
    regards
    Rajesh

    The ASA will always apply NAT based on the order of the NAT table (which is directly derived from the running configuration), which can be viewed with 'show nat detail'. It takes the packet and walks down the table in order of the entries programmed into the table, looking for the first rule that has a matching interface(s) and matching IP subnets/ports that apply to the packet in question; at that point the NAT translation is applied and further processing stops.
    The NAT phase that you show highlighted reflects the stage where the packet's IP headers in an existing connection are re-written by NAT; it is not the exact phase where the egress interface selection is overridden by the translation table.
    That order of operations slide is really quite simplified, and intentionally missing some steps because I just don't have time to go over the nuances of NAT during the general troubleshooting presentation that the picture was pulled from.  On the next slide titled "Egress Interface", I do explain that NAT can override the global routing table for egress interface selection. This order of operations is somewhat "rough", and there are corner cases that can make the order of operations confusing.
    The confusion here probably stems from the doubt about which comes first when selecting egress interfaces, routing or NAT. Hopefully with my explanation below, you'll have the missing pieces needed to fully explain why you see the seemingly inconsistent behavior. Please let me know what is unclear or contradictory about my explanation and I'll try and clear it up. I would also appreciate your suggestions on how to simply and clearly show these steps on a slide, so that I can improve how we deliver this information to our customers. Anyway, on to the explanation...
    The short answer:
    The NAT divert check (which is what overrides the routing table) is checking to see if there is any NAT rule that specifies destination address translation for an inbound packet arriving on an interface. 
         If there is no rule that explicitly specifies how to translate that packet's destination IP address, then the global routing table is consulted to determine the egress interface.
         If there is a rule that explicitly specifies how to translate the packet's destination IP address, then the NAT rule "pulls" the packet to the other interface in the translation and the global routing table is effectively bypassed.
    The longer answer:
    For the moment, ignore the diagram above. For the first packet in the flow arriving inbound on an ASA's interface (TCP SYN packet for example):
    Step 1: un-translate the packet for the Security check: Check the packet's headers for matching NAT rules in the NAT table. If the rules apply to the packet, virtually un-NAT the packet so we can check it against the access policies of the ASA (ACL check).
         Step 1.A: ACL Check: Check the un-translated packet against the interface ACL, if permitted proceed to step 2
    Step 2: Check NAT-divert table for global routing table override: In this step the ASA checks the packet and determines if either of the following statements are true:
         Step 2 check A: Did the packet arrive inbound on an interface that is specified as the global (aka mapped) interface in a NAT translation (this is most common when a packet arrives inbound on the outside interface and matches a mapped ip address or range, and is forwarded to an inside interface)?
       -or-
         Step 2 check B:  Did the packet arrive inbound on an interface that is specified as the local (real) interface in a NAT translation that also has destination IP translation explicitly specified (this is seen in your first example, the case with your NAT exempt configuration for traffic from LAN to WAN bypassing translation)?
         If either of these checks returns true, then the packet is virtually forwarded to the other interface specified in the matching NAT translation line, bypassing the global routing table egress interface lookup; Then, a subsequent interface-specific route lookup is done to determine the next-hop address to forward the packet to.
    Put another way, Step 2 check B checks to see if the packet matches an entry in the NAT divert-table. If it does, then the global routing table is bypassed, and the packet is virtually forwarded to the other (local) interface specified in the NAT translation. You can actually see the NAT divert-table contents with the command 'show nat divert-table', but don't bother too much with it as it isn't very consumable and might be misleading.
    Now let's refer to the specific example you outlined in your post; you said:
    route ISP-1 0.0.0.0 0.0.0.0 1.1.1.1 1
    route ISP-2 0.0.0.0 0.0.0.0 2.2.2.1 254
    nat (LAN,ISP-1) after-auto source dynamic any interface
    nat (LAN,ISP-2) after-auto source dynamic any interface
    Now let's say that there is a connection coming from behind LAN interface with the source IP address 10.10.10.10 destined for 8.8.8.8 on destination port TCP/80. The flow chart would seem to indicate (with the above information/configuration in mind) that a NAT would be done before L3 Route Lookup?
    The packet you describe will not match any nat-divert entries, and the egress interface selection will be performed based on the L3 routing table, which you have tested and confirmed. This is because the packet does not match Step 2 checks A or B.
    It doesn't match Step 2 Check A because the packet did not arrive inbound on the mapped (aka global) interfaces ISP-1 or ISP-2 from the NAT config lines. It arrived inbound on the local (aka real) interface LAN.
    It doesn't match Step 2 Check B because these NAT rules don't have destination IP address translation explicitly configured (unlike your LAN to WAN example)...therefore the ASA won't match a divert-table entry for the packet (actually you'll see a rule in the divert table, but it will have ignore=yes, so it is skipped).
    Message was edited by: Jay Johnston
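
The Step 2 checks described in the answer above, as an added example that is not part of the original post and is not ASA code: a simplified model of egress-interface selection. `NatRule`, `Route` and `select_egress` are hypothetical names; the first rule set mirrors the `route` and `nat` lines quoted in the answer, while the DMZ and 192.0.2.0/24 rules are constructed to exercise checks A and B.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    real_if: str                      # local (real) interface
    mapped_if: str                    # global (mapped) interface
    mapped_net: Optional[str] = None  # mapped address/range; matched by check A
    dst_net: Optional[str] = None     # set only when destination translation
                                      # is explicitly configured; matched by check B


@dataclass
class Route:
    ifname: str
    prefix: str
    distance: int


def select_egress(in_if: str, dst: str, nat_rules: List[NatRule],
                  routes: List[Route]) -> Tuple[Optional[str], str]:
    """Return (egress interface, reason) for the first packet of a flow."""
    addr = ip_address(dst)
    # The NAT table is walked in order; the first matching rule wins.
    for rule in nat_rules:
        # Check A: arrived on the mapped interface, destined to a mapped address.
        if (in_if == rule.mapped_if and rule.mapped_net
                and addr in ip_network(rule.mapped_net)):
            return rule.real_if, "nat-divert (check A)"
        # Check B: arrived on the real interface of a rule that explicitly
        # translates the destination address.
        if (in_if == rule.real_if and rule.dst_net
                and addr in ip_network(rule.dst_net)):
            return rule.mapped_if, "nat-divert (check B)"
    # No divert entry matched: fall back to the global routing table
    # (longest prefix first, then lowest distance).
    candidates = [r for r in routes if addr in ip_network(r.prefix)]
    if not candidates:
        return None, "no route"
    best = max(candidates,
               key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance))
    return best.ifname, "global routing table"


# From the answer: two default routes and two dynamic PAT rules that
# do not specify any destination translation.
PAGE_ROUTES = [Route("ISP-1", "0.0.0.0/0", 1), Route("ISP-2", "0.0.0.0/0", 254)]
PAGE_NAT = [NatRule("LAN", "ISP-1"), NatRule("LAN", "ISP-2")]

# Constructed rules (documentation address ranges) to exercise both checks.
STATIC_INBOUND = NatRule("DMZ", "ISP-2", mapped_net="203.0.113.10/32")
EXPLICIT_DST = NatRule("LAN", "ISP-2", dst_net="192.0.2.0/24")
CONSTRUCTED_NAT = [STATIC_INBOUND, EXPLICIT_DST] + PAGE_NAT

if __name__ == "__main__":
    print(select_egress("LAN", "8.8.8.8", PAGE_NAT, PAGE_ROUTES))
    print(select_egress("ISP-2", "203.0.113.10", CONSTRUCTED_NAT, PAGE_ROUTES))
    print(select_egress("LAN", "192.0.2.25", CONSTRUCTED_NAT, PAGE_ROUTES))
```
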

  • QoS in Cisco ASA Transparent

    Guys,
    Can you help me,
    I am confused about why Cisco ASA Transparent can't support QoS. Do transparent ASAs not traverse traffic with QoS tagging, or do they (transparent ASAs) traverse traffic with QoS but not support QoS modification/implementation in Cisco like traffic shaping and queue management?
    Best Regards,
    Rizal Ferdiyan

    Hi Rizal,
    Packets take a different code path internally when the ASA is in transparent mode versus routed mode and this path does not include QoS support. Your best bet would be to implement this on the switch connected to the ASA, or another device upstream.
    I would also suggest contacting your Cisco account team and asking that a product enhancement request be filed if this is a requirement for you.
    -Mike

  • Line Loop by Remote status on T1

    Recently, my AS5400XM started getting this status on some of my T1s (I have DS3). I've worked with our vendor and they indicated it is a Cisco bug. We never had this issue before until they migrated our system to a different switch. The problem can be resolved if my provider restarts their T1. But we are seeing the issue again from time to time. Needless to say, I just wanted to find ways to pinpoint the issue. I believe it is on their end, but I need to get data or anything at all to prevent this from happening again.
    Can anyone help me out? I need some starting point.
    Below is the output of "show controllers T1 | section is up":
    T1 7/0:9 is up. (Line Loop by Remote)
       Applique type is Channelized T1
       Receiver has no alarms.
       alarm-trigger is not set
       Soaking time: 3, Clearance time: 10
       AIS State:Clear  LOS State:Clear  LOF State:Clear
       Version info of slot 7:  HW: 1536, PLD Rev: 7
       Framer Version: 0x58
    T1 7/0:10 is up. (Line Loop by Remote)
       Applique type is Channelized T1
       Receiver has no alarms.
       alarm-trigger is not set
       Soaking time: 3, Clearance time: 10
       AIS State:Clear  LOS State:Clear  LOF State:Clear
       Version info of slot 7:  HW: 1536, PLD Rev: 7
       Framer Version: 0x58
    And this is output of my log:
    2013-05-29 09:20:34    Local7.Notice    192.168.1.6    7207: *Jun 28  04:10:42.775: %CONTROLLER-5-LOOPSTATUS: Controller T1 7/0:3, LINE  loopback request from external network
    2013-05-29 09:20:34    Local7.Notice    192.168.1.6    7208: *Jun 28  04:10:42.775: %CONTROLLER-5-LOOPSTATUS: Controller T1 7/0:4, LINE  loopback request from external network
    2013-05-29 09:20:34     Local7.Notice    192.168.1.6    7209: *Jun 28 04:10:42.775:  %CONTROLLER-5-LOOPSTATUS: Controller T1 7/0:5, LINE loopback request  from external network
    2013-05-29 09:20:34    Local7.Notice    192.168.1.6    7210: *Jun 28  04:10:42.775: %CONTROLLER-5-LOOPSTATUS: Controller T1 7/0:6, LINE  loopback request from external network
    2013-05-29 09:20:34     Local7.Notice    192.168.1.6    7211: *Jun 28 04:10:42.775:  %CONTROLLER-5-LOOPSTATUS: Controller T1 7/0:7, LINE loopback request  from external network
    2013-05-29 09:20:34    Local7.Notice    192.168.1.6    7212: *Jun 28  04:10:42.775: %CONTROLLER-5-LOOPSTATUS: Controller T1 7/0:8, LINE  loopback request from external network
    2013-05-29 09:20:35     Local7.Notice    192.168.1.6    7213: *Jun 28 04:10:42.775:  %CONTROLLER-5-LOOPSTATUS: Controller T1 7/0:9, LINE loopback request  from external network
    2013-05-29 09:20:35    Local7.Notice    192.168.1.6    7214: *Jun 28  04:10:42.775: %CONTROLLER-5-LOOPSTATUS: Controller T1 7/0:10, LINE  loopback request from external network
    2013-05-29 11:17:37     Local7.Notice    192.168.1.6    7215: *Jun 28 06:07:46.027:  %CONTROLLER-5-UPDOWN: Controller T1 7/0:1, changed state to down
    2013-05-29 11:17:37    Local7.Notice    192.168.1.6    7216: *Jun 28  06:07:46.027: %CSM-5-PRI: delete PRI at slot 7, unit 1, channel 23 with  index 12
    2013-05-29 11:17:37    Local7.Notice    192.168.1.6    7217:  *Jun 28 06:07:46.027: %CONTROLLER-5-UPDOWN: Controller T1 7/0:2,  changed state to down
    2013-05-29 11:17:37    Local7.Notice    192.168.1.6    7218: *Jun 28  06:07:46.035: %CSM-5-PRI: delete PRI at slot 7, unit 2, channel 23 with  index 13
    2013-05-29 11:17:37    Local7.Notice    192.168.1.6    7219:  *Jun 28 06:07:46.039: %CONTROLLER-5-UPDOWN: Controller T1 7/0:12,  changed state to down
    2013-05-29 11:17:37    Local7.Notice    192.168.1.6    7220: *Jun 28  06:07:46.047: %CSM-5-PRI: delete PRI at slot 7, unit 12, channel 23 with  index 11
    2013-05-29 11:17:37    Local7.Notice    192.168.1.6     7221: *Jun 28 06:07:46.047: %CONTROLLER-5-UPDOWN: Controller T1 7/0:13,  changed state to down
    2013-05-29 11:17:37    Local7.Notice    192.168.1.6    7222: *Jun 28  06:07:46.055: %CSM-5-PRI: delete PRI at slot 7, unit 13, channel 23 with  index 4
    2013-05-29 11:17:37    Local7.Notice    192.168.1.6    7223:  *Jun 28 06:07:46.055: %CONTROLLER-5-UPDOWN: Controller T1 7/0:14,  changed state to down

    cboulanger wrote:
        I suggest you use the following controller command:
            loopback network ignore
        The description mentions "Ignore the remote line loopback reqs from NI". This should prevent your AS5400XM from automatically activating line loopback.
    Correct, but chances are that when some remote device is erroneously trying to command remote loopback, traffic will not pass anyway.

  • QOS Policy gets Policy hits but doesn't seem to do anything when put to the test

    I have been trying to implement a policy that prioritizes certain types of traffic over others, namely Lync Voice Traffic, Cisco CAPWAP traffic from controllers to APs, and Citrix ICA Traffic.
    I do receive policy hits but when I load the connection up with, say, copying a file, the policy seems to not work. This is on a 1921 router.
    I will include the config as I may be doing something wrong.
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa session-id common
    ip cef
    ip domain name pmp.local
    no ipv6 cef
    multilink bundle-name authenticated
    username XXXXXXXXXXXXXXXXXXXX
    ip ssh time-out 60
    ip ssh version 2
    class-map match-any CAPWAP
     match access-group 104
    class-map match-any LYNC
     match access-group 103
    class-map match-any CITRIX
     match protocol citrix
     match access-group 110
    policy-map OUTBOUND
     class LYNC
      priority percent 25
     class CITRIX
      priority percent 50
     class CAPWAP
      priority percent 20
     class class-default
      shape average 20000000
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     no ip address
     duplex auto
     speed auto
    interface GigabitEthernet0/0.1
     description LAN Facing
     encapsulation dot1Q 1 native
     ip address 172.16.27.254 255.255.255.0
     ip helper-address 10.128.4.48
     ip helper-address 10.128.4.20
     ip helper-address 172.16.27.79
     no ip redirects
     ip flow ingress
    interface GigabitEthernet0/0.5
     encapsulation dot1Q 5
     ip address 172.16.127.254 255.255.255.0
     ip helper-address 10.128.4.48
     no ip redirects
     ip flow ingress
    interface GigabitEthernet0/0.50
     description ITTestVlan Interface
     encapsulation dot1Q 50
    interface GigabitEthernet0/1
     description PointToPoint
     bandwidth 20480
     ip address 10.0.27.254 255.255.255.0
     no ip redirects
     ip flow ingress
     duplex full
     speed 100
     service-policy output OUTBOUND
    router eigrp 10
     network 10.0.27.0 0.0.0.255
     network 172.16.27.0 0.0.0.255
     network 172.16.127.0 0.0.0.255
    ip forward-protocol nd
    ip forward-protocol udp 4011
    ip forward-protocol udp bootps
    no ip http server
    ip http access-class 23
    ip http authentication aaa login-authentication default
    ip http authentication aaa exec-authorization default
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 1000
    ip route 0.0.0.0 0.0.0.0 172.16.27.253 200
    access-list 23 permit 10.0.27.0 0.0.0.255
    access-list 23 permit 172.16.0.0 0.0.0.255
    access-list 23 permit 172.16.27.0 0.0.0.255
    access-list 23 permit 172.16.127.0 0.0.0.255
    access-list 103 remark LYNC-Priorisation
    access-list 103 permit tcp any any eq 3389
    access-list 104 remark CAPWAP-Priority
    access-list 104 permit udp any eq 5246 any
    access-list 104 permit udp any any eq 5246
    access-list 104 permit udp any eq 5247 any
    access-list 104 permit udp any any eq 5247
    access-list 110 remark Citrix-Priorisation
    access-list 110 permit tcp any eq 2598 any
    access-list 110 permit tcp any any eq 2598
    access-list 110 permit tcp any eq 1494 any
    access-list 110 permit tcp any any eq 1494
    snmp-server enable traps entity-sensor threshold
    radius-server host 10.128.4.20 key XXXXXXXXXXXXXXXXXXXXXXXXXX
    control-plane

    So what do you have, a 100 Mbps Ethernet hand-off with a 20 Mbps bandwidth cap?
    If so, you want to shape for your logical bandwidth cap and then prioritize, as desired, in a child policy.
    BTW, you normally don't use LLQ for other than very time critical traffic, e.g. VoIP bearer, and Cisco recommends you don't allocate more than a third of your bandwidth to LLQ.
    I would suggest you just shape for your 20 Mbps and try FQ for all traffic.
    e.g.
    policy-map Sample
     class class-default
      shape average 20000000
      fair-queue
    NB: I'm unsure whether FQ will apply to the shaped traffic, if not:
    policy-map SampleParent
     class class-default
      shape average 20000000
      service-policy SampleChild
    policy-map SampleChild
     class class-default
      fair-queue
    NB: SampleChild is where/how you would provide a custom policy for your shaped traffic.
    PS:
    BTW, you apply the policy with the shaper to the interface.

  • [solved] lxdm, slim: startup delay

    I'm trying to switch from lightdm to lxdm in order to work around the awesome keymap bug.
    When I start lxdm using systemctl start lxdm.service I get a black screen and nothing happens for about 70 seconds. Then the lxdm greeter finally shows up, everything works fine and there are no errors or hints in the logs.
    Any idea what could cause the delay? I tried lxdm-git from AUR, but no difference.
    Thanks in advance,
    lynix
    Last edited by lynix (2013-01-28 21:40:59)

    Okay, solved my own problem (another episode of strace-to-the-rescue)
    The login managers in question seem to open a connection to '::1' (the IPv6 loopback) on startup. My ip6tables lacked a rule for accepting all loopback traffic, and as my default target for INPUT is DROP, the connection attempt was dropped and startup therefore delayed until the timeout for connection establishment is reached.
    Damn this was weird...

  • Streams Kernel Module

    Hi,
    I have a STREAMS module to be inserted between TCP & IP. My requirement is to capture all traffic to & fro this box & apply custom TCP based filtering (including the local loopback traffic).
    My problem is with Solaris 2.6. After pushing in the module between TCP & IP all incoming socket connections are reset. I get the following Strace errors :
    000083f9 1 ... 5105 15 tcp_accept: did not find queue 0xf61b21d8
    000083f9 1 ... 5105 15 tcp_xmit_ctl: 'tcp_eager_blowoff, can't wait', seq 0x289e704, ack 0x0, ctl 0x4
    I already have a module running for Solaris 8,9.
    I was advised that the TCP & IP interface is a private one and I may be facing such a problem in 2.6 due to this fact.
    Any pointers to what else could be going wrong? Note that the module works fine with outgoing connections.
    I desperately need to get this resolved...
    Would be grateful for any help,
    Krishna

    Hello,
    Also, if you are on Solaris 8, you can use lockstat. Please check
    the man page of lockstat(1M) for more information.
    Hope this helps.
    -- Gopinath
    Sun - DTS

  • Puzzler... Cant access RRAS with VPN connected client

    I have a series of 4 VMs running server 2012 r2;
    dc- my domain and wsus server
    rds- my remote desktop server for remoteapps, RRAS for connecting to VPN
    sql- sql server for database needed for one of the apps published
    av- hosts kaspersky and manages backups
    So, I have a VPN set up through RRAS and am connecting with it and all is well.  I can ping every computer on the network EXCEPT the rds server.  I can ping from the rds server to the vpn client.
    I am trying to use a remote app over the vpn but the remote app is unable to reach the rds server. 
    Does something have to be setup manually to loopback traffic to the rds server when it is coming in on the same server through RRAS?
    Any insight would be appreciated!
    Matt

    Hi,
    According to your description, my understanding is that rds installed RRAS and configured it as VPN server, VPN client successfully ping internal clients, but failed to ping the VPN server.
    Are there 2 NICs on the VPN server? One connects to internal and another connects to external?
    In general, a ping packet is sent by the client from its own IP address to the external IP address of the VPN server; it will be unpacked once the VPN server receives it, and the VPN server will dispatch this packet according to the internal IP address. So, if this packet is sent to the VPN server, when it unpacks the packet and finds it is sent to itself, the VPN server should reply to this packet.
    You may try to turn off firewall/anti-virus software temporarily, and then check to see if it can successfully ping. Besides, use a monitoring tool (Network Monitor, Wireshark) to capture packets on both client and VPN server, and check to see if the packets are sent/answered to the correct destination.
    Best Regards,
    Eve Wang

  • VSS Switchport Issue

    Hello Guys,
    I am having an issue with VSS ports that I was hoping you could assist with. I have a pair of 4500x switches, and VSS is completely configured and working properly; however, when I uplink both switches using the same port on both to another switch, I cannot pass traffic between them. I have a trunk port set up on both ends, and VLANs on both sides; however, traffic doesn't cross the trunks. I have tested these same ports as layer 3 routed ports and they work fine. I uplink directly into my laptop with them using a copper GBIC, but when I connect to another Cisco switch, traffic does not pass. Could there be a setting I'm missing to be configured on the 4500x switches?

    Hey Jon,
    Thanks for the prompt response, I've attached the requested config output below. If you need anything else, just let me know. I am trying to communicate over VLAN 19.
    Cisco Layer 2 Switch
    interface FastEthernet0/1
    switchport mode trunk
    interface FastEthernet0/2
    switchport mode trunk
    Switch# show int trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/1       on               802.1q         trunking      1
    Fa0/2       on               802.1q         trunking      1
    Port        Vlans allowed on trunk
    Fa0/1       1-4094
    Fa0/2       1-4094
    Port        Vlans allowed and active in management domain
    Fa0/1       1,19-20,200
    Fa0/2       1,19-20,200
    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       1,19-20,200
    Fa0/2       1,19-20,200
    Cisco 4500x Switch Primary
    interface TenGigabitEthernet1/1/3
    description UPLINK_TO_SWITCH
    switchport mode trunk
    interface TenGigabitEthernet2/1/3
    description UPLINK_TO_SWITCH
    switchport mode trunk
    4500x#show int trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Te1/1/3     on               802.1q         trunking      1
    Te2/1/3     on               802.1q         trunking      1
    Po10        on               802.1q         trunking      1
    Po20        on               802.1q         trunking      1
    Port        Vlans allowed on trunk
    Te1/1/3     1-4094
    Te2/1/3     1-4094
    Po10        1-4094
    Po20        1-4094
    Port        Vlans allowed and active in management domain
    Te1/1/3     1,19-20,200
    Te2/1/3     1,19-20,200
    Po10        1,19-20,200
    Po20        1,19-20,200
    Port        Vlans in spanning tree forwarding state and not pruned
    Te1/1/3     1,19-20,200
    Te2/1/3     1,19-20,200
    Po10        none
    Po20        none

  • Localhost linux java.sql.SQLException: Io exception: The Network Adapter co

    I recently upgraded from Redhat 9 to Fedora Core 4, and am running an Oracle 9i on this machine.
    Since this upgrade, I'm unable to connect from the machine itself to the db, using the JDBC thin driver. This worked on Redhat 9.
    I'm also able to connect from any other machine to this db with the JDBC driver.
    Also, any ping, tnsping, sqlplus work from localhost and other machines.
    Only the JDBC connection from the localhost itself fails, with following exception:
    java.sql.SQLException: Io exception: The Network Adapter could not establish the connection
    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:134)
    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:179)
    at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:333)
    at oracle.jdbc.driver.OracleConnection.<init>(OracleConnection.java:404)
    at oracle.jdbc.driver.OracleDriver.getConnectionInstance(OracleDriver.java:468)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:314)
    at java.sql.DriverManager.getConnection(DriverManager.java:512)
    at java.sql.DriverManager.getConnection(DriverManager.java:171)
    at Jdbctest.main(Jdbctest.java:97)
    *** SQLException caught ***
    SQLState: null
    Message: Io exception: The Network Adapter could not establish the connection
    Error Code: 17002
    In following URL - jdbc:oracle:thin:@myserver:1521:mydb - I tried 'localhost', '127.0.0.1', 'dns name', 'ip address', but all fail.
    Any ideas would be highly appreciated (I'm searching for days now...)
    Thanks in advance,
    Tim

    Ethereal
    Take this with a grain of salt; I know a lot of the theory but don't have much hands-on experience...
    Not a bad idea, but you need to understand more if it's going to work (it might not). Ethereal and most other sniffers work by capturing traffic at the network interface (NIC) level; this allows the NIC to be switched into "promiscuous" mode and capture all the network traffic "on the wire" in that network segment, even traffic destined for other machines.
    You can think of "networking" as an onion, or a stack of layers (see "OSI 7 layer model", Google or http://www.webopedia.com/quick_ref/OSI_Layers.asp for one theoretical approach), and Ethereal works at a pretty "outside" or "low" level; the "internal" traffic that you're interested in seeing either never gets to the level that Ethereal is monitoring, or is doing so in an area that is parallel to the one you're monitoring.
    It's possible that you might be able to configure Ethereal to see the "loopback" traffic. I suspect that somewhere, you can specify which network interface is to be monitored, and you can change it to monitor the "local" network interface. If your Linux setup is typical, Ethereal is probably monitoring interface "eth0" and you probably want to monitor "lo" to see local traffic.
    You can find out what interfaces you have with the command:
    ifconfig -a
    On the Red Hat Enterprise that I have, that command is not in the default PATH, but is in /sbin; on other flavors of Unix I know it is found in /usr/sbin
    If you can get Ethereal monitoring the local interface, you should be able to see the traffic generated by "ping 127.0.0.1"
    BTW, that command will also give you raw counts of the number of packets on all interfaces; if you have the machine to yourself, you might try a connection attempt and see which (if any) interfaces have packet numbers increase; if none do, then the connection attempt is failing before it gets to the packet level and Ethereal won't tell you anything.

  • Keep 443 open for profile updates, but limit profile manager login

    I notice that port 443 is used by clients to communicate with the server when profiles are pushed (I assume as an encrypted connection for transmitting the profile file). Therefore it seems that for profiles to be pushed to devices outside the LAN 443 needs to be available when clients come calling to the FQDN to get a new profile (when Apple's push notification service says 'hey something is waiting for you').
    However, from a security standpoint I'm not thrilled about exposing the profile manager login to the page to the whole world. Is there a way to limit access to this page to say just our LAN (e.g., using .htaccess) and still allow clients to come calling to the server from anywhere on 443 to fetch profiles? How have others handled this scenario?
    Thanks!

    ...minor updates (see below) after some additional testing. Added /auth as this is another mechanism for authenticating against the admin panel. Also added an additional allow for loopback traffic since logs showed some items being blocked on ::1
    # Apache comments must sit on their own line, not after a directive.
    <Location /profilemanager>
        AllowOverride None
        Options MultiViews FollowSymlinks
        Order deny,allow
        Deny from all
        # OUR LAN
        Allow from 10.0.0.0/8
        # SERVER'S PUBLIC IP
        Allow from XXX.XXX.XXX.XXX
        # FOR INTERNAL LOOPBACK TRAFFIC
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Header Set Cache-Control no-cache
    </Location>
    <Location /mydevices>
        AllowOverride None
        Options MultiViews FollowSymlinks
        Order deny,allow
        Deny from all
        # OUR LAN
        Allow from 10.0.0.0/8
        # SERVER'S PUBLIC IP
        Allow from XXX.XXX.XXX.XXX
        # FOR INTERNAL LOOPBACK TRAFFIC
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Header Set Cache-Control no-cache
    </Location>
    <Location /auth>
        AllowOverride None
        Options MultiViews FollowSymlinks
        Order deny,allow
        Deny from all
        # OUR LAN
        Allow from 10.0.0.0/8
        # SERVER'S PUBLIC IP
        Allow from XXX.XXX.XXX.XXX
        # FOR INTERNAL LOOPBACK TRAFFIC
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        Header Set Cache-Control no-cache
    </Location>
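To check which clients the three blocks above admit before relying on them, the following added example (not part of the original post) models how `Order deny,allow` with `Deny from all` evaluates a request path and client address. The address 203.0.113.10 stands in for the XXX.XXX.XXX.XXX placeholder, and the client addresses and the `/checkin-placeholder` path are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the post's three <Location> blocks reduced to their
# access rules; 203.0.113.10 stands in for the XXX.XXX.XXX.XXX placeholder.
BLOCK = """<Location {path}>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Allow from 203.0.113.10
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Location>
"""
CONFIG = "".join(BLOCK.format(path=p)
                 for p in ("/profilemanager", "/mydevices", "/auth"))


def parse_locations(text):
    """Return {location: [allowed networks]} from <Location> blocks."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.match(r"<Location\s+(\S+)>", line)
        if opened:
            current = opened.group(1)
            rules[current] = []
        elif line == "</Location>":
            current = None
        elif current and line.lower().startswith("allow from "):
            for spec in line.split()[2:]:
                rules[current].append(ipaddress.ip_network(spec, strict=False))
    return rules


def is_allowed(rules, url_path, client_ip):
    """Model 'Order deny,allow' + 'Deny from all': only an Allow match admits."""
    ip = ipaddress.ip_address(client_ip)
    for loc, nets in rules.items():
        # <Location /x> covers /x itself and anything under /x/, not /xyz.
        if url_path == loc or url_path.startswith(loc.rstrip("/") + "/"):
            return any(ip in net for net in nets)
    # Assumption: paths outside the listed blocks carry no other restriction.
    return True


if __name__ == "__main__":
    rules = parse_locations(CONFIG)
    # Constructed clients: a LAN host, an outside host, IPv6 loopback.
    for path, ip in [("/profilemanager/", "10.1.2.3"), ("/auth", "198.51.100.7"),
                     ("/mydevices", "::1"), ("/checkin-placeholder", "198.51.100.7")]:
        print(f"{ip:>14} -> {path:<22} {'allow' if is_allowed(rules, path, ip) else 'deny'}")
```

The model takes the first matching block and does not merge overlapping `<Location>` sections, which is sufficient here because the three paths do not overlap.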

  • Unable to allow traffic from remote office - Cisco RV220W

    Hi there,
    I have just bought the RV220W Cisco router firewall because my DLINK-1600 got broken and now I am unable to allow access to the machines located behind this router from the machines located at a remote office. Any help would be much appreciated!!
    This is the situation:
    1. Two remote offices A and B connected by a VPN tunnel (this connection is managed by an external provider and it is properly functioning)
    2. IP range A office: 192.168.236.0/24
    3. IP range B office: 192.168.237.0/24
    4. Office A: CISCO RV220W router/firewall (the one that I've just bought as the old dlink has broken). This RV220W is connected to a cisco router (managed by provider) that is the one with the VPN tunnel to the other office. The CISCO router does not do NAT. On the other end (Office B) there is another CISCO router managed by the provider.
    5. Everything was working smoothly until our old router/firewall got broken and that is when I bought the rv220w. I have set up the CISCO RV220W at office A and the machines can ping the machines located at office B and can browse the internet, i.e., the traffic going out is OK and in that sense everything works smoothly.
    6. The problem is that the machines located at office B cannot access the machines located behind the CISCO RV220W and I know it is a problem of the firewall as if I capture traffic coming from office B, I can see that it is dropped by the CISCO RV220W.
    7. I have tried to enable an access rule in the firewall to allow traffic from office B (see picture below) but it does not seem to work. In the field, Send to Local Server (DNAT IP) I have entered the WAN IP of my router (you cannot leave it blank) … this rule does not work at all. I think that is not properly configured but I don't know how to do it.
    8. As you see, the problem is that I don't know how to set up a rule to allow specific traffic coming from the WAN (traffic from remote office – 192.168.237.0/24) to the LAN at office A - 192.168.236.0/24.
    In the old router/firewall I just had to create a rule specifying the source interface (WAN) and network (Office B) and the destination interface (LANOfficeA) and network (Office A). It does not seem that here I can do the same. I mean, you always have to point to a server ip inside the LAN??
    I know it has to be a very easy thing to do but at this moment I am completely stuck. If anyone can give me some advice would be great.
    Thanks a lot for your help in advance!
    Eva

    Hi Eva, the default inbound policy cannot be changed. It will block all inbound traffic. To my knowledge there is not a way around this. Access rules are the only way to 'poke' a hole through the firewall but as you note, it is for a specific host. Values such as .0 and .255 do not work.
    -Tom
    Please mark answered for helpful posts
