Configuring management interface in transparent firewall

Similar Messages

• Transparent Firewall Configuration

  I m trying to configure ASA 5540 in transparent firewall mode. The server farm is connected to the inside zone and users are connected to the outside zone on Multiple VLANS routed via Inter-VLAN routing using core switch.
  As per Cisco Configuration guidelines for transparent firewall,INSIDE and OUTSIDE ZONE are configured to be in two different VLANS while the gateway ip address of the server farm is configured on the core switch.
  The transparent firewall works fine if connected to TWO different switches with ACL permit any any on the outside interface. But if TWO DIFFERENT VLANS ( ex. 111 & 222 ) are configured on the same Catalyst 4500 switch and the inside zone and outside zone ( 222 ) is connected to the respective ASA 5540 interfaces in TRANSPARENT MODE - inside interface to port 3/0/1 in VLAN 111 & Outside Interface to port 3/0/2 in VLAN 222, traffic is not flowing thru.
  VLAN 222 USED FOR SERVER FARM CONNECTED TO INSIDE ZONE HAS THE DEFAULT GATEWAY ADDRESS CONFIGURED in the CORE SWITCH under INT VLAN 111 which is connected to OUTSIDE interface of ASA.
  Core Switch int gig1/0/1...>vlan 111...>ASA OUTSIDE...>Vlan 222...> server farm in vlan 222
  No ARP entries are seen on the inside interface.Ethertype ACL to allow BPDU's on both INSIDE AND OUTSIDE interface of ASA has also been configured.
  Can you please provide me guidelines and a step by step procedure to configure ASA 5540 in transparent Firewall mode with INSIDE & OUTSIDE Interface connecting to TWO different VLANS on the same Catalyst SWITCH.
  Thanking you in advance,
  with best regards
  Meenaakshi Sundaram
  Network Consultant

  Hi Kirk,
  Yes, you can.
  You just have to make sure that you configure only 1 SVI on the switch.
  Example:
  L3 subnet: 10.1.1.0/24
  VLAN 100 -- Inside (ASA) Outside -- VLAN 200
  Hosts will all be connected to VLAN 100 on the switch.
  ASA inside interface will be connected to VLAN 100 on the switch
  ASA outside interface will be connected to VLAN 200 on the switch
  Switch should only have 1 SVI - interface vlan 200 (10.1.1.254 for example). Switch should never be configured with SVI on vlan 100 (should not have interface vlan 100).
  All hosts would be in the 10.1.1.0/24 subnets with default gateway set to 10.1.1.254.
  ASA should only have 2 interfaces (inside - security level 100, and outside - security level 0). They can't be on the same security level.
  Hope that helps.

• Transparent firewall

  Have a Cisco ASA 5510 Appliance Anti-X Edition Bundle and I've configured it as a transparent firewall.
  Traffic from the inside to outside works fine, but from the outside to inside it isn't working. IP access list applied on the outside interface.
  Anybody has a similar working configuration to mine?

  What software version are you using in the asa box ?

• Configuration Required for Transparent Firewall ASA8.2

  Dear All,
  I have one firewall need to be configured in transparent mode. I have inside and outside router. Can anyone just give me the configuration of transparent firewall ASA8.2 pelase. I didnt find the configuration on Cisco site.
  Regards,
  Ali.....

  Dear jcarvaja
  Reference made to our previous communication regarding transparent firewall. Following are my full config with your required capture. I can still ping to the managment of ASA from inside and outside. But traffic is not transiting.
  Inside Capture
  sh capture INSIDE
  24 packets captured
     1: 00:11:45.244326 802.3 encap packet
     2: 00:11:47.289245 802.3 encap packet
     3: 00:11:49.233325 802.3 encap packet
     4: 00:11:51.264039 802.3 encap packet
     5: 00:11:53.258607 802.3 encap packet
     6: 00:11:55.293060 802.3 encap packet
     7: 00:11:57.339719 802.3 encap packet
     8: 00:11:59.331113 802.3 encap packet
     9: 00:12:01.343549 802.3 encap packet
    10: 00:12:03.335218 802.3 encap packet
    11: 00:12:05.349347 802.3 encap packet
    12: 00:12:07.393152 802.3 encap packet
    13: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
    14: 00:12:09.341931 802.3 encap packet
    15: 00:12:11.103693 arp who-has 7.7.7.3 tell 7.7.7.2
    16: 00:12:11.409341 802.3 encap packet
    17: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
    18: 00:12:13.412393 802.3 encap packet
    19: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
    20: 00:12:15.393244 802.3 encap packet
    21: 00:12:16.206959 802.3 encap packet
    22: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
    23: 00:12:17.448661 802.3 encap packet
    24: 00:12:19.410760 802.3 encap packet
  Outside Capture
     1: 00:11:56.916105 802.3 encap packet
     2: 00:11:58.879074 802.3 encap packet
     3: 00:12:00.938367 802.3 encap packet
     4: 00:12:02.893935 802.3 encap packet
     5: 00:12:04.935437 802.3 encap packet
     6: 00:12:06.927488 802.3 encap packet
     7: 00:12:08.875702 802.3 encap packet
     8: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
     9: 00:12:10.931104 802.3 encap packet
    10: 00:12:11.113244 arp who-has 7.7.7.3 tell 7.7.7.2
    11: 00:12:12.944088 802.3 encap packet
    12: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
    13: 00:12:14.933331 802.3 encap packet
    14: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
    15: 00:12:15.642453 802.3 encap packet
    16: 00:12:16.948101 802.3 encap packet
    17: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
    18: 00:12:18.968348 802.3 encap packet
    19: 00:12:20.969066 802.3 encap packet
    20: 00:12:22.976695 802.3 encap packet
    21: 00:12:25.012572 802.3 encap packet
  ASA
  : Saved
  ASA Version 8.0(2)
  firewall transparent
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  names
  interface Ethernet0/0
  nameif outside
  security-level 0
  interface Ethernet0/1
  shutdown
  no nameif
  no security-level
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  interface Ethernet0/3
  nameif inside
  security-level 100
  interface Ethernet0/4
  shutdown
  no nameif
  no security-level
  interface Ethernet0/5
  shutdown
  no nameif
  no security-level
  passwd 2KFQnbNIdI.2KYOU encrypted
  ftp mode passive
  access-list OUT extended permit icmp any any
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address 7.7.7.10 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  access-group OUT in interface outside
  access-group OUT in interface inside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  no crypto isakmp nat-traversal
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:00000000000000000000000000000000

• Cisco Ironport management interface IP configuration?

  Hi,
  For configuring the management interface IP for Cisco Ironport device, should it be on the public IP address or private IP address? Could you please confirm the IP address desing for the ironport management interface? thanks
  arman

  Greetings Aman,
  The answer to this question depends on several factors, what you intend to do with the appliance, how you intend on allowing access to the appliance and where it sits in your network. Typically customers will utilize the management interface on their internal network thus giving it a private IP. This way the web interface, ssh and ftp access are allowed internally but not to the public.  Those services can be enabled on other interfaces as well, but the most common practice is to set up the management interface for internal access only on your private network.
  Christopher C Smith
  CSE
  Cisco IronPort Customer Support 

• Can I have multiple different vlans in one Single Mode Transparent Firewall

  Hi,
  I am about configuring Data Center FW (ver 9.2) to protect multi tier Servers Farm; Web, Applications & Data Base. There is a requirement to set the FW in Transparent Mode, while the license is the base 2-contexts, only.
  I wonder if One Single Transparent Context, with different bridge-groups, one for each vlan is a workable solution. I have pasted the configuration of the FW, it may help in understanding the setup.
  ======
  firewall transparent
  names
  interface TenGigabitEthernet0/8
   description To Nx7K-1 Port-8
   channel-group 9 mode passive
   no shutdown
   no nameif
   no security-level
  interface TenGigabitEthernet0/9
   description Nx7K-1 Port-9
   channel-group 9 mode passive
   no shutdown
   no nameif
   no security-level
  interface TenGigabitEthernet1/8
   description Nx7K-2 Port-8
   channel-group 9 mode passive
   no shutdown
   no nameif
   no security-level
  interface TenGigabitEthernet1/9
   description Nx7K-2 Port-9
   channel-group 9 mode passive
   no shutdown
   no nameif
   no security-level
  interface BVI1
   desc Services Zone
   ip address x.x.41.250 255.255.255.0
  interface BVI2
   description WEB-APPS Zone
   ip address x.x.42.250 255.255.255.0
  interface BVI3
   desc Oracle management
  ip address x.x.43.250 255.255.255.0
  interface BVI4
   descr Oracle DB
   ip address x.x.44.250 255.255.255.0
  interface Port-channel9
   description ECLB Trunk to NX7Ks
   duplex full
   port-channel load-balance src-dst-ip-port
   no nameif
   no security-level
  switchport mode trunk
  switchport trunk allowed vlan 41-44,141-144
  interface Port-channel9.41
   vlan 41
   nameif Services-Outside
   bridge-group 1
   security-level 0
  interface Port-channel9.141
   description Services-Inside
   vlan 141
   nameif Services-Inside
   bridge-group 1
   security-level 100
  interface Port-channel9.42
  description WEB_APPS-Outside
   vlan 42
  nameif WEB_APPS-Outside
   bridge-group 2
   security-level 0
  interface Port-channel9.142
   description WEB_APPS-Inside
   vlan 142
   nameif WEB_APPS-Inside
   bridge-group 2
   security-level 100
  interface Port-channel9.43
  desc Oracle management
   vlan 43
   nameif Oracle_Mgmt-Outside
   bridge-group 3
   security-level 0
  interface Port-channel9.143
   description Oracle management Inside
   vlan 143
   nameif Oracle_Mgmt_Inside
   bridge-group 3
   security-level 100
  interface Port-channel9.44
  desc Oracle DB
   vlan 44
   nameif Oracle_DB_Outside
   bridge-group 3
   security-level 0
  interface Port-channel9.144
   description Oracle DB Inside
   vlan 144
   nameif Oracle_DB_Inside
   bridge-group 4
   security-level 100

  it is possible but it is not scaleable.  If I remember correctly you can only have a maximum of 8 BVI interfaces...so this means you can only have 8 subnets going across the ASA.  You would also need seperate VLANs for the inside interface and the outside interface since you can not configure two interfaces to be in the same VLAN, and then assign these interfaces to the appropriate BVI group.
  Please remember to select a correct answer and rate helpful posts

• Transparent Firewall with BVI

  Hi! I have a question regarding transparent firewalls using BVIs.
  Based from the diagram above, ASA1 is in Transparent mode.
  Port Gi0 is assigned BVI-1 and port Gi1 is assigned BVI-2.
  Is it possible for network 1 to communicate with network 2 ?
  The traffic will be passing through Firewall towards the router, The router will do the routing and then forward it back to the firewall then towards network 2?
  I am thinking of making port Gi2 of the firewall a trunk and use subinterfaces in order to forward BVI headers to the router.

  Hi Franzis,
  In transparent mode you can use only two interfaces which have to be on the same subnet:
  - The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
  In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
  - Each directly connected network must be on the same subnet.
  Source link:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
  Regards
  Mariusz

• Configuration Management Software

  Hi all,
  I'm putting it out there early. In two weeks (Dec 14th) I am going to release rConfig. This free and open source software has been over a year in the making and is specifically designed by a highly expereinced network engineer (Me!) for network engineers. And the best part IT'S FREE (oh yes, I mentioned that already).
  What is it? A Free, and Open Source, Network Configuration Management tool. Web based, fast, and customizable. Installs on Linux CentOS and written completely in PHP/MySQL.
  You can download the running-configs, cdp neighbor table, OSPF Neighbor table, BGP prefix table, routing table for routers, as well as show route for firewalls and show spanning-tree for switches easily... actually... whatever show command you care to choose for a given category of network devices.
  Why? Well, for me, a 'show run' and 'show start' from my network device configuration management tool wasn't enough. I needed more. I needed to see what my routers routing table looked like last week. I needed to know how many hits were on a particular ACL entry on my edge firewall two months ago and compare it to today. I wanted to know, which interface was the root bridge path (spanning-tree) on my one of my core switches yesterday. That's why!
  I am hoping to expand features as the community around this tool grows. It will be community led - I hope you can join early.
  Go check it out at www.rconfig.com, and if your interested, sign up for a beta release. I am still releasing content on the public site, so a video is due soon, and perhaps an online demo too. Any questions, just fire them back to me.
  Please forward to anyone you may think be interested
  Regards
  Stephen
  ==========================
  http://www.rConfig.com
  A free, open source network device configuration management tool, customizable to your needs!

  All,
  There has been some uptake and some great feedback on rConfig since I made this announcement two weeks ago. rConfig is offically released as Version1 today. Please login to www.rconfig.com and download a copy.
  You know, it takes less than 1 hour to install rConfig on Linux and more than 2 hours to get some of it's well known commercial counterparts up and running. There is even a complete, easy-to-follow Linux build document designed especially for the rConfig installation on www.rconfig.com. You'll be backing up Cisco configuration and show outputs in no time with rConfig. And even learning a bit of Linux along the way.
  And remember, it's free & open source.
  Regards
  Stephen
  ==========================
  http://www.rConfig.com 
  A free, open source network device configuration management tool, customizable to your needs!

• Cisco ASA won't send Syslog out management interface

  I have been trying to get my ASA to send syslog out of the management interface without any luck. When I do a packet tracer it says that the global implicit deny rule is blocking it, but I tried to add a permit all in front of it and it still blocks it. Everything is configured correctly from what I can tell and the static routes and routing are correct. This has me baffled. Does anyone know what might be causing this or what I should look at in the config to get this working?

  Hi Mark,
        Talking of packet tracer, it would give you correct output for a through the box traffic, not for to the box or from the box traffic.
  So firstly we have two questions:
  1) Is this a through the box traffic, then you need to permit the traffic through ACL(if from lower sec level to higher) and add a NAT statement(depending on the ASA IOS Version you are using anything above 8.2.5 wont require a NAT).
  2) If this is a syslog from the firewall scenario, then you need to make sure to get the following logging configuration on ASA
  -enable logging
  -logging host management X.X.X.X --------(X.X.X.X is the ip of the syslog server)
  -logging trap debugging ----------(debugging is the level, you could use any other too, but to check would sugest this one)
  -Further if you have already sorted out till here, get us the following outputs:
  -show run
  -show logging
  -show logging queue
  Hope it helps
  Cheers,
  Naveen
  Please Rate Helpful posts.

• ECMP through Transparent Firewall

  I have an interesting question.  We are going to try and run equal-cost multi-pathing through a transparent firewall.  There will be two routers on one side and two on the other running eigrp between them.  The question is, if a packet leaves one port but the response comes back on a different port, would this cause issues?
  I can explain more if needed.

  Hi,
  When you run Equal cost multi path in ASA, you will not get a return packet on a different port. It will not do round robin fashion. Below mentioned excerpt from cisco document will clarify your doubt.
  This document provides information on how to configure the Adaptive Security Appliance (ASA) with up to three equal cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to determine which route it will use to determine the next hop for the packet (the ASA does not employ a round-robin algorithm to choose the next hop). As opposed to round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as per the computed hash.
  Regards
  Karthik

• Cisco Transparent firewall and cisco switch issues.

  Dears,
  I have a very plain scenario
   LAN cisco switch <2 vlans>  ----------> cisco transparent firwall with bvi interface ------------>  crypto box ---------> cisco router ------ <remote/other site>
  i have vlan 61 configured on bvi interface of firewall, crypto box and also on the switch port and vlan of 61 is up up .
  The issue is i can connect remotely to cisco transparent firewall but cannot ping or connect to cisco switch. ???????????
  Need to know some trobuleshooting tips and basic settings that i need to verify. I simply want lan switch with 2 vlans to pass through the cisco transparent firewall and go to other site/remote site.

  Well,
  i have put the inspection icmp turned on for the sessions , and the version i am using is 9.1 
  moreover, i have put u p the ACLs for inbound and outboudn traffic, and while i ping across the firewall from the inside interface towards outside interface PC, i can see packet counts increasing on the acl , during the show access-llist command.
  i have requested the client to verify his part. do let me know further tips if you have any.
  [ moreover we cannot try to use packet-tracer from cli in transparent mode ]

• IGMP settings on transparent firewall.

  What are the requirements for allowing IGMP traffic to pass through a transparent ASA 5550?
  I have inherited a configuration that is currently configured to alloww IGMP from any to any and would like to restrict this protocol.  On the trusted side I ave a single host configured for multicast and on the untrusted side there is a switch and then router.  I do not control the router or switch configuration on the untrusted side.
  My questions are:
  -  Is IGMP allowed through by default?
  -  Are the ACL entrys   "access-list outside-in extended permit igmp any any" and "access-list inside-out extended permit igmp any any"
     required to allow IGMP join, query, leave etc...?
  - If this is required how do I limit the source and destination ip range?
  Thanks

  It is really very simple topolgy.    single host inside ---  my ASA --- other company ASA Outside --  Other company switch  then router Inside.
  My server acts as both multicast Server and client.
  Additional question...
  can anyone clarify this statement? 
  These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
  IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
  I assume this follows the same rule as anything else and that it only allows these from a higher number interface to a lower number interface...

• SCCM 2012 R2 Configuration Manager Client Package - stuck "In Progress"

  Hi Team; I’m having 2 issues with SCCM 2012 R2:
  Issue 1: I'm having a strange issue with the default XXX00002 package - "Configuration Manager Client Package",
  it will not deploy to the Secondary Site DP. The console is saying "In Progress" - below is the output from the
  distmgr.log file.
  ~Package BDC00002 does not have a preferred sender. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.443+240><thread=6032 (0x1790)>
  ~CDistributionSrcSQL::UpdateAvailableVersion PackageID=BDC00002, Version=1, Status=2301 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.444+240><thread=6032 (0x1790)>
  ~StoredPkgVersion (1) of package BDC00002. StoredPkgVersion in database is 1. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.462+240><thread=6032 (0x1790)>
  ~SourceVersion (1) of package BDC00002. SourceVersion in database is 1. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.462+240><thread=6032 (0x1790)>
  ~Package BDC00003 does not have a preferred sender. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.443+240><thread=6092 (0x17CC)>
  ~CDistributionSrcSQL::UpdateAvailableVersion PackageID=BDC00003, Version=1, Status=2301 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.464+240><thread=6092 (0x17CC)>
  STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=BBK-SCCM-PRI.bbk2310.com SITE=PRI PID=2768 TID=6032 GMTDATE=Mon Mar 17 20:00:23.476 2014
  ISTR0="Configuration Manager Client Package" ISTR1="BDC00002" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="BDC00002" 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.477+240><thread=6032 (0x1790)>
  StateTable::CState::Handle - (2301:1 2014-03-17 20:00:23.476+00:00) >> (0:0 2014-02-28 16:33:45.383+00:00) 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.484+240><thread=6032 (0x1790)>
  CStateMsgReporter::DeliverMessages - Queued message: TT=1401 TIDT=0 TID='8ACCAE01-5079-4FCD-A988-C1CD3004B698' SID=2301 MUF=0 PCNT=2, P1='PRI' P2='2014-03-17 20:00:23.476+00:00' P3='' P4=''
  P5=''  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.495+240><thread=6032 (0x1790)>
  ~StoredPkgVersion (1) of package BDC00003. StoredPkgVersion in database is 1. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.496+240><thread=6092 (0x17CC)>
  ~SourceVersion (1) of package BDC00003. SourceVersion in database is 1. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.497+240><thread=6092 (0x17CC)>
  STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=BBK-SCCM-PRI.bbk2310.com SITE=PRI PID=2768 TID=6092 GMTDATE=Mon Mar 17 20:00:23.510 2014
  ISTR0="Configuration Manager Client Upgrade Package" ISTR1="BDC00003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400
  AVAL0="BDC00003"  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.510+240><thread=6092 (0x17CC)>
  StateTable::CState::Handle - (2301:1 2014-03-17 20:00:23.510+00:00) >> (0:0 2014-02-28 16:33:45.383+00:00)
   $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.515+240><thread=6092 (0x17CC)>
  CStateMsgReporter::DeliverMessages - Queued message: TT=1401 TIDT=0 TID='8ACCAE01-5079-4FCD-A988-C1CD3004B698' SID=2301 MUF=0 PCNT=2, P1='PRI' P2='2014-03-17 20:00:23.510+00:00' P3='' P4=''
  P5=''  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.526+240><thread=6092 (0x17CC)>
  CStateMsgReporter::DeliverMessages - Created state message file: D:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\1sfb1dbj.SMX  
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.571+240><thread=6032 (0x1790)>
  Successfully send state change notification 8ACCAE01-5079-4FCD-A988-C1CD3004B698 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.572+240><thread=6032 (0x1790)>
  ~Exiting package processing thread. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.574+240><thread=6032 (0x1790)>
  CStateMsgReporter::DeliverMessages - Created state message file: D:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\abaibh8y.SMX  
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.637+240><thread=6092 (0x17CC)>
  Successfully send state change notification 8ACCAE01-5079-4FCD-A988-C1CD3004B698 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.683+240><thread=6092 (0x17CC)>
  ~Exiting package processing thread. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:23.685+240><thread=6092 (0x17CC)>
  Sleep 30 minutes... 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:26.886+240><thread=2936 (0xB78)>
  ~Used 0 out of 3 allowed processing threads. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:27.948+240><thread=4900 (0x1324)>
  ~Sleep 3600 seconds... 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:27.950+240><thread=4900 (0x1324)>
  Sleep 30 minutes... 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:31.934+240><thread=2936 (0xB78)>
  ~Used 0 out of 3 allowed processing threads. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:33.021+240><thread=4900 (0x1324)>
  ~Sleep 3600 seconds... 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:33.023+240><thread=4900 (0x1324)>
  ~Used 0 out of 3 allowed processing threads. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:38.108+240><thread=4900 (0x1324)>
  ~Sleep 3600 seconds... 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:00:38.111+240><thread=4900 (0x1324)>
  Sleeping for 60 minutes before content cleanup task starts.~ 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:06:28.094+240><thread=4968 (0x1368)>
  Sleep 30 minutes... 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 16:30:52.271+240><thread=2936 (0xB78)>
  Sleep 30 minutes... 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 17:01:10.002+240><thread=2936 (0xB78)>
  ~Used 0 out of 3 allowed processing threads. 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 17:01:10.977+240><thread=4900 (0x1324)>
  ~Sleep 3600 seconds... 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 17:01:10.979+240><thread=4900 (0x1324)>
  Sleeping for 60 minutes before content cleanup task starts.~ 
  $$<SMS_DISTRIBUTION_MANAGER><03-17-2014 17:06:55.337+240><thread=4968 (0x1368)>
  Issue 2: I'm trying to deploy a couple of Packages/Applications using SCCM 2012 R2 running on Win2K8 R2 with no luck, knowing that I could install the packages
  on a test VM “in the DataCenter site”, but when trying to deploy the packages to production PC “in the Office Site”,
   the status is packages deployment compliance stuck at 0%
  Infrastructure:
  3 SCCM servers: CAS, PRI & SEC. Both CAS and PRI are in the DataCenter site, and SEC is in the Office site. The office site has several IP subnets.
  Boundaries are configured through Forest Discovery “IP Ranges and AD Sites” since that the AD site should contain all the IP subnets that the AD site contains, Boundaries groups are also configured and a site reference
  server is configured for each group respectively.
  A OU based Collection has been configured that contains 13 PC "the collection contains the PCs that the packages should be installed.
  Packages/Applications are configured correctly since that I could successfully deploy the packages to the test VM which is on the same subnet as the CAS and the PRI servers "the DataCenter subnet". The issue
  is that I can't deploy the packages to production PCs in the Office subnet!
  Firewall rules are configured and applied via GP, and I even turned Windows Firewall off, and still nothing! I tried to manually initiate Computer Policy download via the SCCM GUI and via a script, still no luck!
  I tried configuring IP Subnet Boundaries, still no luck!!
  Here are the last 2 lines in the LocationServices.log of a client PC at the Office Site:
  <![LOG[MPLIST requests are throttled for 00:00:44]LOG]!><time="14:47:00.766+240" date="03-17-2014" component="LocationServices" context="" type="2" thread="5776"
  file="lssecurity.cpp:4528"> <![LOG[Current AD site of machine is Default-First-Site-Name]LOG]!><time="14:47:00.777+240" date="03-17-2014" component="LocationServices" context="" type="1"
  thread="4884" file="lsad.cpp:770">
  And here are the last 4 lines in the ClientLocation.log
  <![LOG[Rotating assigned management point, new management point [1] is: BBK-SCCM-PRI.bbk2310.com (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState"
  Value="0"/></Capabilities>]LOG]!><time="14:49:04.880+240" date="03-17-2014" component="ClientLocation" context="" type="1" thread="3600" file="lsad.cpp:6311">
  <![LOG[Assigned MP changed from <BBK-SCCM-PRI.bbk2310.com> to <BBK-SCCM-PRI.bbk2310.com>.]LOG]!><time="14:49:04.891+240" date="03-17-2014" component="ClientLocation" context="" type="1"
  thread="3600" file="lsad.cpp:1532"> <![LOG[Rotating proxy management point, new management point [1] is: BBK-SCCM-SEC.bbk2310.com (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState"
  Value="0"/></Capabilities>]LOG]!><time="14:49:05.345+240" date="03-17-2014" component="ClientLocation" context="" type="1" thread="3600" file="lsad.cpp:6374">
  <![LOG[Rotating local management point, new management point [1] is: BBK-SCCM-SEC.bbk2310.com (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>]LOG]!><time="14:49:05.786+240"
  date="03-17-2014" component="ClientLocation" context="" type="1" thread="3600" file="lsad.cpp:6436">
  It looks like clients in the Office Site can’t connect to the DP/MP of the Secondary Site server which is also a DP.
  While on the PC that the application was installed on I see the folowing in the LocationService.log:
  <![LOG[Distribution Point='http://BBK-SCCM-PRI.bbk2310.com/SMS_DP_SMSPKG$/Content_69547d2a-339f-4ac4-9523-238c79ff8a52.1', Locality='LOCAL', DPType='SERVER', Version='7958', Capabilities='<Capabilities SchemaVersion="1.0"><Property
  Name="SSLState" Value="0"/></Capabilities>', Signature='http://BBK-SCCM-PRI.bbk2310.com/SMS_DP_SMSSIG$/Content_69547d2a-339f-4ac4-9523-238c79ff8a52.1.tar', ForestTrust='TRUE',]LOG]!><time="14:42:59.506+240"
  date="03-17-2014" component="LocationServices" context="" type="1" thread="224" file="lsutils.cpp:415"> <![LOG[Calling back with locations for location request {144620BC-4BF0-4878-9554-F67D305ECCF8}]LOG]!><time="14:42:59.522+240"
  date="03-17-2014" component="LocationServices" context="" type="1" thread="224" file="replylocationsendpoint.cpp:220">
  Is there something wrong with the Distribution point on the Secondary Site server?
  Please help…
  Thanks..

  Update:
  I fixed the issue with the default XXX00002 package - "Configuration Manager Client Package", it will not deploy to the Secondary Site DP. I did that through "Update Distribution Points" option, and after a while the status was 100%.
  However; the second issue is still unsolved...
  Please help..

• ASA 5515 management interface

  I started to configure a new ASA 5515 to replace an 5510.  When I attempted to remove the "management-only" command from the Management0/0 interface I was greeted with the following error:
  "ERROR: It is not allowed to make changes to this option for management interface on this platform."
  Does this mean we can't use the managment interface anymore on these newer ASAs?  I was planning on using that port when we bought it.  If this is the case, let this be a warning to whoever is counting the managment port as a 7th interface on the 5515!

  Update: I just found out that you can't use the management interface for failover purposes either.     Argggggg.
  "Management interface cannot be configured for failover on this platform."

• Can't create Source Instance in Configuration manager (BI Apps 11.1.1.7.1)

  Hi
  While configuration i created one source instance for EBS R12.1.3 but I logged into to ODI client Studio and By mistake i deleted 'Data Server' from Topology which i created during Source Instance Creation/configuration on Configuration Manager(CM).
  It wasn't intentionally by mistake i deleted. Due to that reason i am not able to edit source instance. once i try to edit when i save it error pop-ups ""Error: ODI-10182: uncategorized exception during repository access. ORA-00001: unique constrain (DEV_BIA_ODIREPO.AK_CONNECT) violated" .
  Its was bug but after ODI 11.1.1.6.0 they fix it
  Metalink Note (
  1- Note 1545938.1: ODI-10182 and ORA-02292 Errors Signalled After Deleting Unnecessary Datastore in ODI 11g Integration Interface
  2- BUG
  https://support.oracle.com/epmos/faces/BugDisplay?_afrLoop=96427980024293&id=13916069&_afrWindowMode=0&_adf.ctrl-state=1536syzwe9_437
  However I tried following Cases:
  1- Tried to Edit Source Instance from Configuration manager (CM) but Gave me Error: "Error: ODI-10182: uncategorized exception during repository access. ORA-00001: unique constrain (DEV_BIA_ODIREPO.AK_CONNECT) violated".
  2- Tried to Create New Data Server by using Same Source Source Instance on Configuration manager (CM). Failed with error message:'Source system invalid '.
  3- Tried to re-create Same Data Server Name in ODI Studio with Same name. Failed due to error: "Alread Data Server exists"
  So no success so far. I am trying to edit source System Instance but no success so far.
  Versions:
  OBI Apps: 11.1.1.7.1
  OBIEE: 11.1.1.7.0
  ODI: 11.1.1.7.0
  Database: Oracle 11.2.0.3
  OS: Windows 2008 R2
  regards
  sher ullah baig

  I rise SR with oracle and they offered below solution,  i hope it will help someone. 
  How to delete a source system?
  The Configuration Manager user interface does not include a way to delete a source system. In the Define Business Intelligence Applications page you can only add or edit a source system.
  By manually removing the source system from Oracle Data Integrator and from the tables in the back-end database you can effectively delete a source system.
  To manually delete the source system:
  1. Connect to the application database through a utility such as SQL*Plus or SQL Developer, logged in as the same user configured in the WebLogic data source.
  2. Find the source system identifier number of the source system you want to delete by executing the following SQL and looking at the value of column DATASOURCE_NUM_ID:
  SELECT DATASOURCE_NAME, DATASOURCE_NUM_ID FROM C_DATA_SOURCE;
  3. Go to ODI Studio and delete the physical schema associated with the source system.
  4. In ODI Studio go to the respective logical schema:
  2.1. Go to flexfield tab
  2.2. Mark the checkbox for Data source num id flexfield to use default value.
  5. In SQL*Plus or SQL Developer execute the following statements where the bind variable, :Bind_DatasourceNumId, is set to the value of the source system identifier. These SQL statements may also be placed in a script, if needed for later use.
  DELETE FROM C_DATA_SERVER WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  DELETE FROM C_DATA_SOURCE_DISABLEDOFFR_REL WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  DELETE FROM C_EXECUTION_PLAN_FACTGROUP_REL WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  DELETE FROM C_LOAD_PLAN_GENERATION_STEP WHERE EXECUTION_PLAN_ID IN (SELECT EXECUTION_PLAN_ID FROM C_EXECUTION_PLAN WHERE EXECUTION_PLAN_ID NOT IN (SELECT EXECUTION_PLAN_ID FROM C_EXECUTION_PLAN_FACTGROUP_REL));
  DELETE FROM C_EXECUTION_PLAN WHERE EXECUTION_PLAN_ID NOT IN (SELECT EXECUTION_PLAN_ID FROM C_EXECUTION_PLAN_FACTGROUP_REL);
  DELETE FROM C_SRC_DOMAIN_MEMBER_TL WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  DELETE FROM C_SRC_DOMAIN_MEMBER WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  DELETE FROM C_DOMAIN_MEMBER_MAP WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  DELETE FROM C_PARAM_DW_VAL WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  DELETE FROM C_PARAM_DW_VAL_AUDIT WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  DELETE FROM C_DATA_SOURCE WHERE DATASOURCE_NUM_ID = :Bind_DatasourceNumId;
  COMMIT;
  =========================================
  Regards
  Sher ullah baig