Console Gaming - NAT Issues - Workaround and Solut...

I've already used the BT Broadband Contact Us, to raise this issue. They said it was beyond them and that they'd forward me an address for a technical forum. They've not managed to do so yet, so I'm trying here.
Problem:
NAT hole punching regularly fails between peers/players, manifests as "Cannot chat to player due to NAT Issues" on many different broadband routers.
TL/DR:
The BT Home Hub iptables INPUT chain should have a default action of DROP and not REJECT.
Long Version:
I'm a network engineer and programmer analyst and have been for approaching two decades. I'm also a gamer. I'm regularly frustrated by NAT Issue errors while trying to play online games with my friends.
Frustrated for so long, we decided to start analysing the problem. Using packet captures and simulations, we have reproduced the problem and identified dubious logic in the netfilter conntrack module in the Linux kernel.
When it works:
When using a Playstation 4 to play Destiny, using either in-game or PS Party chat, each console uses a NAT discovery service to find its external IP address and make an educated guess as to whether there is port translation.
At the end of this process, each Player Console receives IP/Port pairs for the other players, they then emit UDP from their desired port to the IP/Port pair of each of the other Players. These UDP packets pass through their NATing routers and establish conntrack entries for the source ip/port, destination ip/port and protocol (here on referred to as five-tuple) with NAT associations with the console's LAN ip address and port; this is the hole-punching.
All being well, each player's console has created an association for each of the other players' packets to come back through and then they are able to send each other data on these ports.
When it doesn't work:
However, here's the race condition: if player B's packet reaches player A's router before player A has sent theirs, there is no NAT association, no conntrack entry for the 5-tuple. The incoming packet is instead considered as intended for the router.
The iptables configuration on the router says that the packet is not allowed and REJECTs it, sending an ICMP destination unreachable packet in response. This reply is then inspected by conntrack, which decapsulates it and erroneously creates a conntrack entry for the 5-tuple.
Now when Player A's console does manage to send its own hole punching UDP packet, the 5-tuple for the desired hole is associated with the router's ICMP destination-unreachable. So Player A's packet can't have the desired port number and is renumbered to the first available port (e.g. 1025). Player B's subsequent packets to A follow the conntrack entry started by the ICMP destination-unreachable and are sent to the router which continues to reject them.
How to fix this mess
Linux conntrack
Arguably the decapsulation of the ICMP payload and the usage of it to create a conntrack entry is erroneous. The ICMP unreach should not stop the port from being used by a NAT client.
This will take a long time to fix and when fixed may never be back-ported to home routers which may never see new firmware again anyway.
Modify the router's configuration
If the router dropped instead of rejecting the traffic (relatively simple administrative task given appropriate access), the ICMP destination-unreachable wouldn't be generated, conntrack wouldn't create the erroneous entry and then even if Player B's packets arrived before Player A had sent theirs, it would still work.
Disable the "firewall" and put your console in the "DMZ"
These are terms borrowed from the Home Hub 3 admin interface. If you set your console as the "DMZ", it will receive any internet traffic that isn't associated with an already established flow. Actually at this point I'm not certain whether or not you *have* to set the "firewall" to disabled. It depends on how the "firewall" is implemented.
On my console disabling the firewall and setting the console to be the DMZ works around the problem. However, you can only have one default NAT target. So any other device suffering from this problem would be out of luck without you reconfiguring your router each time. Also I'm not thrilled by my console receiving unfiltered internet traffic.
In closing
Race-conditions depend on timings. This one is exacerbated by low latency between players. In this case the difference between server<->PlayerA and server<->PlayerB latencies has to be lower than the PlayerA<->PlayerB latency. If PlayerA and PlayerB have low latency between each other they are more likely to suffer from this problem.
Please, please, please bring this to the attention of someone who is responsible for the configuration of your routers. A simple configuration change on the HomeHub would prevent this problem from happening and remove the need for customers to add special configuration to their router and lower their security.
Thanks for reading.
Matt
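The race described in the post above, as a small Python model comparing a REJECT and a DROP default on the router's INPUT chain (an added example, not part of the original post and not kernel or router code). The addresses, port 9308 and the names `NatRouter` and `punch` are constructed for illustration; the way the ICMP reply pins the 5-tuple to the router is modelled as the post reports it.

```python
from dataclasses import dataclass, field

ROUTER = "router-local"        # owner marker: flow is terminated on the router itself

# Constructed sample values (documentation address ranges, arbitrary game port).
A_LAN = "192.168.1.64"         # Player A's console on the LAN
B_PUBLIC = "203.0.113.20"      # Player B as seen from the internet
GAME_PORT = 9308


@dataclass
class NatRouter:
    """Toy model of Player A's NAT router with a single WAN address."""
    input_policy: str                                # "REJECT" or "DROP"
    # WAN-side view of conntrack: (proto, public_port, remote_ip, remote_port) -> owner
    conntrack: dict = field(default_factory=dict)
    icmp_sent: int = 0

    def inbound_udp(self, remote_ip, remote_port, public_port):
        key = ("udp", public_port, remote_ip, remote_port)
        owner = self.conntrack.get(key)
        if owner is not None and owner != ROUTER:
            return ("forwarded", owner)              # hole exists, deliver to console
        # No LAN mapping: the packet is treated as addressed to the router (INPUT).
        if self.input_policy == "REJECT":
            self.icmp_sent += 1
            # Behaviour reported in the post: the ICMP destination-unreachable is
            # inspected by conntrack and the embedded 5-tuple gets an entry that
            # belongs to the router, not to any LAN client.
            self.conntrack[key] = ROUTER
            return ("rejected", None)
        return ("dropped", None)                     # DROP: silent, no state created

    def outbound_udp(self, lan_ip, lan_port, remote_ip, remote_port):
        wanted = ("udp", lan_port, remote_ip, remote_port)
        owner = self.conntrack.get(wanted)
        if owner in (None, (lan_ip, lan_port)):
            self.conntrack[wanted] = (lan_ip, lan_port)
            return lan_port                          # source port preserved
        # Desired tuple is already taken: renumber to the first free port.
        port = 1025
        while ("udp", port, remote_ip, remote_port) in self.conntrack:
            port += 1
        self.conntrack[("udp", port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return port


def punch(policy, b_arrives_first):
    """Run one hole-punch attempt and report what Player B ends up seeing."""
    router = NatRouter(policy)
    if b_arrives_first:                              # the race: B's packet wins
        router.inbound_udp(B_PUBLIC, GAME_PORT, GAME_PORT)
    mapped = router.outbound_udp(A_LAN, GAME_PORT, B_PUBLIC, GAME_PORT)
    # B keeps sending to the port it was told about by the NAT discovery service.
    verdict, _ = router.inbound_udp(B_PUBLIC, GAME_PORT, GAME_PORT)
    return {"mapped_port": mapped, "b_to_a": verdict, "icmp_sent": router.icmp_sent}


if __name__ == "__main__":
    for policy in ("REJECT", "DROP"):
        for b_first in (False, True):
            print(f"{policy:6} b_first={b_first!s:5} -> {punch(policy, b_first)}")
```
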

Welcome to this forum.
This is a customer to customer forum only,
This is where customers help each other get the most out of BT products & services.
Anything you post here does not go to BT. Although the forum is moderated by BT, not all posts are read.
This is a public forum which can be viewed worldwide, so please do not post any personal information, especially phone numbers, account numbers, fault numbers, address information or email addresses, as this could be used to impersonate you.
I would suggest that maybe you try using a different router?
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

Similar Messages

  • NAT issues with 5 XBOX consoles on network

    I have my other XBOXs connected to a 24 port switch but the one connected to the ea6500 directly gives me this moderate NAT issue. I thought this new router would be an upgrade to my old dlink but so far I get a new problem every day.
    I have reserved dhcp addresses for all the boxes and set up port triggering for the ports listed in several guides. But what else do I need to do? Is it likely I got a bad router?

    If your xbox is directly connected to the modem, do you have an open nat for your xbox? Have you tried forwarding the ports? If it did not work using port triggering, try forwarding the ports then. One thing that you have to make sure if you do port forwarding is that you should be getting a public IP address on your router page. If you're not getting a public IP, there might be a need for your modem to be set to bridge mode. You may refer to this link for more info: http://www6.nohold.net/Cisco2/ukp.aspx?pid=80&vw=1&articleid=22385 (Resolving NAT type issues with gaming consoles through a Linksys router).
    Btw, are you using the cloud firmware or classic?

  • Compilation of Lenovo X120e issues and solutions

    Just thought a compilation of issues may be beneficial for folks who own an X120e.
    Screen adjusts brightness automatically without user input depending on content on screen:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/X100e-screen-brightness-increasing-by-itself/td...
    This is caused by Vari-Bright being enabled in the Catalyst Control Center.  With this option enabled, the screen will automatically adjust its brightness depending on what is shown on the screen.  The display brightness is increased when the screen is predominantly white while the display brightness is decreased when the screen is predominantly dark.  An easiest way to see this effect happening is to have two tabs opened in a web browser window.  Set one tab to display a website that is mainly filled with white pixels (such as this Lenovo Forum) and another tab to display a website that is mainly filled with dark pixels (such as http://www.krijtenberg.nl/ ).  Switch between the two, pausing a few seconds in each tab.
    Solution:
    Open the Catalyst Control Center and select the PowerPlay option in the Power section.  Uncheck the Vari-Bright option (or adjust the slider) and click Apply.  Verify that the automatic adjustment is no longer occurring by doing the two tab experiment described above.
    Function keys for brightness control not working after waking from sleep / hibernation in some instances:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/x120e-Funtion-keys-for-brightness-not-working/t...
    For my X120e, whenever I have it sleeping or hibernating and change the power source (such as initiating sleep when on power and then waking it up while on battery, or vice versa), the function keys for brightness controls do not work.
    Solution:
    Restarting the machine will bring back functionality of the brightness control keys...
    A way to prevent this from happening in the first place is to wake the X120e in the same power state that the X120e was put to sleep in (wake up from power adapter if slept while connected to power adapter, or wake up from battery if slept while on battery).   
    All we can do now is wait for Lenovo to come up with a fix on their side of things.
    AMD SATA Controller and TRIM for SSD:
    The AMD SATA Controller provided by Lenovo does not support passing of TRIM command according to http://www.hardwarecanucks.com/forum/450343-post35.html for SSDs.  The Lenovo provided AMD SATA Controller is 1.2.1.197, before the official TRIM support in 1.2.1.263.  If you're using a HDD, this is of no concern.
    Solution:
    In order to have support for passing of TRIM command, one has to update the AMD SATA Controller to any version above 1.2.1.263 ( http://sites.amd.com/us/game/downloads/Pages/integrated_win7-64.aspx#3 for Windows 7 64-bit, for example) or uninstall the AMD SATA Controller to revert back to Microsoft's Standard AHCI 1.0 Serial ATA Controller. 
    Disclaimer:  Since the AMD SATA Controller driver linked is not from Lenovo themselves, I'm sure they won't provide any support if something is to occur so try at your own risk.
    As HP79 mentions below, at least according to the update notes, TRIM implementation is implemented for Hudson chipsets as of 1.2.001.263.
    Audio Stutter / Slurring occurring during playback of video/audio:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/x120e-Stuttering-Audio/td-p/389023
    This issue can be reproduced (at least on my X120e) by waking the X120e after putting it to sleep.  The symptom is the audio repeating a sound over a span of a second or two during playback and is quite noticeable.
    Solution:
    uEFI Bios version 1.11 seems to deal with the audio stuttering issue.  So far, results lead to positive outcomes.
    Old Solution:
    PWMTR64V.DLL that is loaded at Startup seems to be causing this issue.  Disabling it from launching when starting up seems to cure the Audio Stutter (even after waking up from sleep which was seen to be a pretty reliable way to get the issue to repro).  Start Menu > Launch MSCONFIG from the Search Bar > Select Startup Tab from the System Configuration window > Uncheck Thinkpad Power Manager > Restart. 
    This does not seem to turn off the power manager application itself so settings in Power Manager can be saved and it seems to still be in effect.  However, opening up Power Manager from the notification / taskbar can cause audio stuttering and mouse movement slowdown while it is launching and/or when applying settings.  This is only temporary and is gone when Power Manager is closed. (Thanks kns7977 for the find)
    Pending to see if those who uninstalled Power Manager are able to turn off the offending startup .dll.
    Mouse seems to stutter or stay in place for a moment when moving:
    This seems to be caused by the same issue causing the Audio Stutter / Slurring.  At least at this time, the cause of the issue and solution seems to be the same.
    Emulating Middle Mouse Button with Trackpoint:
    One can set up the middle button between the left and right click button for the TrackPoint to act like pressing a middle mouse button on a standard mouse by changing the scrolling type to Smooth instead of the default Standard. 
    Control Panel > Hardware & Sound > Mouse > UltraNav Tab > Setting for TrackPoint > Setting for Choose Scrolling or Magnifying Glass Function > Smooth.
    Trackpad's two finger gesture being hit or miss:
    The trackpad's two finger scrolling is very hit and miss.
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/X120e-Touchpad-issues/td-p/393751
    Solution: Turning off Gesture Filtering may alleviate the problem.  As mentioned in http://forum.notebookreview.com/lenovo-ibm/561751-x120e-owners-thread-24.html#post7323293, it seems that the Gesture Filtering is counteracting any sort of two finger input.
    Get to Mouse Properties by Fn + F8, select Manage Settings.  At Mouse Properties, select the UltraNav tab > Settings for TouchPad.  Expand the Smart Check Settings, highlight Gesture Filtering, and uncheck the Enable Gesture Filtering box and Apply. 
    Screen flickers lines:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/x120e-Flickering/td-p/389523
    Had this issue occur on me once, but never seen it happen again.  Unsure what caused or cured it.
    Solution:
    If the flickering is occurring, a restart is all that is needed to alleviate the problem.  Haven't tested if hibernation fixes it, but neither sleep nor turning off the screen with the Power Manager dealt with the flickering.
    3-Cell Battery mentioned as a 40Wh in the Order Page of Lenovo X120e when it is actually rated as 32Wh according to Power Manager:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/X120e-3-cell-40Wh-battery-reported-as-32Wh-by-P...
    Yeah...
    Solution:
    Accept that it's a 32Wh you will get when selecting 3-Cell or go for the 6-Cell if you want more than 32Wh.
    2x2 ABGN Driver from Lenovo triggering Error Code 10:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/X120e-ABGN-Driver-issue-in-Windows-7-Pro-x64/td...
    The Wireless driver from Lenovo's site seems to not work with the 2x2 ABGN wireless when installed on a fresh copy of Windows 7 x64.
    Solution: 
    Not really quite a solution, but one can bypass this by either installing the 32-bit Windows 7 and installing the 32-bit driver, or using the factory recovery disc to install 64 bit windows 7 to have it install drivers that work for x64 windows 7.
     X120e bluescreens after installing LAN Realtek 7.26.902.2010 drivers from Lenovo's Driver download site.
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/x120e-bluescreen-when-installing-lan-drivers/td...
    The drivers don't seem to work and it causes a bluescreen on fresh installed Windows 7 x64.
    Solution:
    As Clicq suggests, Realtek's own drivers from http://www.realtek.com.tw/downloads/downloadsView.aspx?Langid=1&PNid=13&PFid=5&Level=5&Conn=4&DownTy... seems to deal with the issue. 
    Screen quality on the X120e:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/x120e-poor-LCD-quality-viewing-angles/td-p/3945...
    The quality of the screen on an X120e is below expectations.
    This is common with low-quality TN panels not helped by glossy displays.  My personal X120e screen likes to bleed certain colors of red.
    Solution (not really): 
    One can use the Windows 7 built-in color calibration tool to adjust the colors to make it more tolerable.  Adjusting your own viewing angle in relation to the screen might deal with some color issues (hard to figure out what's the correct viewing angle because of TN panel's small range of optimal viewing angles).  Also, changing the refresh rate to 60Hz may deal with some headaches due to the screen (as it did for me).
    HDMI Overscan to HDTV issue:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/HDMI-overscan-to-HDTV-issue-on-x120e/m-p/395335
    There is a black border when outputting to HDTV through HDMI.
    Solution:
    AMD's CCC by default sets a specific value for overscan / underscan.  One can http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/Output-to-TV-via-HDMI-port-black-border-on-the-... while the device is connected via HDMI (the option is hidden if the HDMI port is not used) and adjust the slider to an acceptable value.
    Skype asserts after 10-20 seconds of video chat:
    http://forum.lenovo.com/t5/X-Series-ThinkPad-Laptops/x120e-Skype-quits-after-10-20-seconds-of-video/...
    When doing a video chat, the video feed will freeze and then skype will crash to desktop.
    Solution:
    Version 5.3 of Skype seems to be the culprit.  Until Skype itself is fixed, one can use Skype 5.2.60.113 from http://www.filehippo.com/download_skype/changelog/9465/ to bypass this issue.  Just reject any offer to update to 5.3 after installing 5.2, for now.
    If there is anything I missed, please respond and I'll update this post with new information.  These are the ones that I have encountered so far with my Lenovo X120e.  Don't get me wrong, I like my X120e... it's just been a "learning" experience lol
    For a compilation of most X120e issues:
    Compilation of Lenovo X120e issues and solutions

    About the AHCI driver, if you download and open the install file, it'll extract files to where you instructed it to. Look in AMD SB7xx/W764A directory, and there are the AHCI files along with a text file. In that text it shows 
    AMD AHCI controller driver distribution list
    Version 1.2.001.0275, 11/11/2010
    Supported chipsets
    SB700 family
    SB800 family
    Hudson-1/2/3 family
    Revision History
    1.2.001.0275
    -          Memory usage optimization
    -          ZPODD power on incurred 10 sec delay workaround
    -          Potential DMA overrun bug fix
    1.2.001.263
    -          Performance optimization
    -          Boot Optimization
    -          TRIM implementation
    1.2.001.0238
                Renamed
    -     amdsata.inf -> amd_sata.inf
    -     amdsata.cat -> amd_sata.cat
    -     amdsata.sys -> amd_sata.sys
    -     amdxata.sys -> amd_xata.sys
    Added
    -     Zero Power ODD support (if enabled in BIOS; Windows 7 only); the ZPODD is powered off after 60 Sec w/o media inside and tray closed (for tray type ZPODDs)
    -     DAPS support
    -     DIPM Setting Index 3 added to AHCI Link Power Management Settings (in addition to existing Active(0), HIPM(1) and HIPM+DIPM(2) ) and can be chosen to any Power Scheme using the inbox utility powercfg.exe
    1.2.0.197
    -     Robustness improvement during hibernation / de-hibernation

  • Asymmetric NAT rules matched for forward and reverse flows - NAT Issue

    Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505.   The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet).   I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside)
    The Error:
    5          Nov 12 2012          13:52:50                    192.168.9.19                                        Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure
    I understand this is a NAT issue, but I'm not seeing the error and could use a second set of eyes.   Here's my current running configuration.
    : Saved
    ASA Version 8.3(2)
    hostname fw1
    domain-name xxxxxxxx.xxx
    enable password <removed>
    passwd <removed>
    names
    interface Vlan1
    description Town Internal Network
    nameif inside
    security-level 100
    ip address 192.168.9.1 255.255.255.0
    interface Vlan2
    description Public Internet
    nameif outside
    security-level 0
    ip address 173.xxx.xxx.xxx 255.255.255.248
    interface Vlan3
    description DMZ (CaTV)
    nameif dmz
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    interface Vlan10
    description Infrastructure Network
    nameif InfraNet
    security-level 100
    ip address 192.168.10.1 255.255.255.0
    interface Vlan13
    description Guest Wireless
    nameif Wireless-Guest
    security-level 25
    ip address 192.168.1.1 255.255.255.0
    interface Vlan23
    nameif StateNet
    security-level 75
    ip address 10.63.198.2 255.255.255.0
    interface Vlan33
    description Police Subnet
    shutdown
    nameif PDNet
    security-level 90
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport trunk allowed vlan 1,5,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    speed 100
    duplex full
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    switchport trunk allowed vlan 1,10,13
    switchport trunk native vlan 1
    switchport mode trunk
    interface Ethernet0/5
    switchport access vlan 23
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    switchport trunk allowed vlan 1
    switchport trunk native vlan 1
    switchport mode trunk
    shutdown
    banner exec                     Access Restricted to Personnel Only
    banner login                     Access Restricted to Personnel Only
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name xxxxxxx.xxx
    same-security-traffic permit inter-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object service IMAPoverSSL
    service tcp destination eq 993
    description IMAP over SSL     
    object service POPoverSSL
    service tcp destination eq 995
    description POP3 over SSL     
    object service SMTPwTLS
    service tcp destination eq 465
    description SMTP with TLS     
    object network obj-192.168.9.20
    host 192.168.9.20
    object network obj-claggett-https
    host 192.168.9.20
    object network obj-claggett-imap4
    host 192.168.9.20
    object network obj-claggett-pop3
    host 192.168.9.20
    object network obj-claggett-smtp
    host 192.168.9.20
    object network obj-claggett-imapoverssl
    host 192.168.9.20
    object network obj-claggett-popoverssl
    host 192.168.9.20
    object network obj-claggett-smtpwTLS
    host 192.168.9.20
    object network obj-192.168.9.120
    host 192.168.9.120
    object network obj-192.168.9.119
    host 192.168.9.119
    object network obj-192.168.9.121
    host 192.168.9.121
    object network obj-wirelessnet
    subnet 192.168.1.0 255.255.255.0
    object network WirelessClients
    subnet 192.168.1.0 255.255.255.0
    object network obj-dmznetwork
    subnet 192.168.2.0 255.255.255.0
    object network FD_Firewall
    host 74.94.142.229
    object network FD_Net
    subnet 192.168.6.0 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_24
    subnet 192.168.10.0 255.255.255.0
    object network obj-TownHallNet
    subnet 192.168.9.0 255.255.255.0
    object network obj_InfraNet
    subnet 192.168.10.0 255.255.255.0
    object-group service EmailServices
    description Normal Email/Exchange Services
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq imap4
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_1
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq pop3
    service-object tcp destination eq https
    service-object tcp destination eq smtp
    object-group service DM_INLINE_SERVICE_2
    service-object object IMAPoverSSL
    service-object object POPoverSSL
    service-object object SMTPwTLS
    service-object tcp destination eq https
    service-object tcp destination eq pop3
    service-object tcp destination eq smtp
    object-group network obj_clerkpc
    description Clerk's PCs
    network-object object obj-192.168.9.119
    network-object object obj-192.168.9.120
    network-object object obj-192.168.9.121
    object-group network TownHall_Nets
    network-object 192.168.10.0 255.255.255.0
    network-object object obj-TownHallNet
    object-group network DM_INLINE_NETWORK_1
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.9.0 255.255.255.0
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
    access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
    access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
    pager lines 24
    logging enable
    logging asdm debugging
    logging mail errors
    logging from-address hostmaster@xxxxxxxxx
    logging recipient-address john@xxxxxxxxx level errors
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu Wireless-Guest 1500
    mtu StateNet 1500
    mtu InfraNet 1500
    mtu PDNet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
    object network obj_any
    nat (inside,outside) static interface
    object network obj-claggett-https
    nat (inside,outside) static interface service tcp https https
    object network obj-claggett-imap4
    nat (inside,outside) static interface service tcp imap4 imap4
    object network obj-claggett-pop3
    nat (inside,outside) static interface service tcp pop3 pop3
    object network obj-claggett-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    object network obj-claggett-imapoverssl
    nat (inside,outside) static interface service tcp 993 993
    object network obj-claggett-popoverssl
    nat (inside,outside) static interface service tcp 995 995
    object network obj-claggett-smtpwTLS
    nat (inside,outside) static interface service tcp 465 465
    object network obj-192.168.9.120
    nat (inside,StateNet) static 10.63.198.12
    object network obj-192.168.9.119
    nat (any,StateNet) static 10.63.198.10
    object network obj-192.168.9.121
    nat (any,StateNet) static 10.63.198.11
    object network obj-wirelessnet
    nat (Wireless-Guest,outside) static interface
    object network obj-dmznetwork
    nat (any,outside) static interface
    object network obj_InfraNet
    nat (InfraNet,outside) static interface
    access-group outside_access_in in interface outside
    access-group StateNet_access_in in interface StateNet
    route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
    route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable 5443
    http 192.168.9.0 255.255.255.0 inside
    http 74.xxx.xxx.xxx 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 173.xxx.xxx.xxx
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.9.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.9.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 208.67.222.222 208.67.220.220
    dhcpd lease 10800
    dhcpd auto_config outside
    dhcpd address 192.168.2.100-192.168.2.254 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd enable dmz
    dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
    dhcpd enable Wireless-Guest
    threat-detection basic-threat
    threat-detection statistics host number-of-rate 2
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 63.240.161.99 source outside prefer
    ntp server 207.171.30.106 source outside prefer
    ntp server 70.86.250.6 source outside prefer
    webvpn
    group-policy FDIPSECTunnel internal
    group-policy FDIPSECTunnel attributes
    vpn-idle-timeout none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    username support password <removed> privilege 15
    tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 173.xxx.xxx.xxx general-attributes
    default-group-policy FDIPSECTunnel
    tunnel-group 173.xxx.xxx.xxx ipsec-attributes
    pre-shared-key *****
    smtp-server 192.168.9.20
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
    : end
    Any ideas would be appreciated.
    John

    I don't see any inspection-commands in your config. Is there a reason for not using any of them?
    If your problem is only with ICMP, then you should enable at least icmp-inspection. You can do that easily with the legacy command "fixup protocol icmp".
    Sent from Cisco Technical Support iPad App

  • Moderate to open back and forth NAT issue

    I'm trying to play on Xbox Live but I've been having to reset my router every day to create an open NAT. I've talked with customer support for Verizon and Actiontec. Verizon sent me a new router, which solved nothing, but aside from this I've not been able to reach someone who could understand port forwarding or why I would want to do it.
    My issue is that I would like to forward the necessary ports once, keep them forwarded, and not have to reset (sometimes to factory specs) every day. To be clear, I've set up the forwarding but it is as if the router does not recognize the parameters until it is reset. Sometimes my nat will change during the middle of gameplay as well. This has been very frustrating so any help you can offer would be great because I'm not getting it from the phone techs.
    Specs:
    Actiontec MI424WR rev. l. firmware:40.19.36
    Xbox 360 wired to router
    Fios 75/35
    Ports Forwarded 3074 both, 53 both, 80 TCP, 88 UDP (yes they are set up correctly)
    Static IP set (yes it is set up correctly)
    Additionally, Xbox Live's website notes a bug in the MI424WR that causes nat switching. The solution is to go into the upnp settings, however, access to upnp is not available in rev. l's firmware.
    http://forums.xbox.com/xbox_forums/xbox_support/networking-hardware/01-modems-gateways/actiontec/f/3...

    From http://forums.verizon.com/t5/FiOS-Internet/mi424wr-gen3g-with-hardware-version-g-doesn-t-have-upnp/t...
    UPNP was hidden in this release software.  Fortunately it's there, but you have to know the direct URL.
    Firmware 4.19.36
    UpNP hidden Menu
    http://192.168.1.1/index.cgi?active%5fpage=900
    IGMP proxy Hidden Menu
    http://192.168.1.1/index.cgi?active_page=6059

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to ASA 5515, since we had configured NAT pool overload on our existing router the users are able to translate their IPs outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful; actually I used Dynamic NAT. When I use the Dynamic PAT (Hide) all users are able to translate to the said public IPs. I know that PAT is Port address translation but when I use static NAT for a specific server, the Static NAT was not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate their response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as Section 2 rule which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way:
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni
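
The section ordering described in the reply above, as an added example that is not part of the original thread: a small Python model of how an ASA using the 8.3+ NAT syntax picks a rule (Section 1 manual NAT, then Section 2 network object NAT, then Section 3 after-auto; first match wins). The addresses are constructed, the rule names are shortened from the reply, and the model matches on source address only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    name: str      # label for the rule (constructed)
    section: int   # 1 = manual NAT, 2 = network object NAT, 3 = manual NAT with after-auto
    kind: str      # "static" or "dynamic"
    real: str      # real (inside) source network in CIDR form
    seq: int = 0   # configuration order; only meaningful in Sections 1 and 3


def evaluation_order(rules):
    """Sort rules the way the ASA walks them: Section 1, then 2, then 3."""
    def key(r):
        if r.section == 2:
            net = ip_network(r.real)
            # Section 2 is ordered automatically: static before dynamic,
            # then fewest real addresses first, then lowest address.
            return (2, 0 if r.kind == "static" else 1,
                    net.num_addresses, int(net.network_address))
        # Sections 1 and 3 keep the order in which the rules were configured.
        return (r.section, r.seq, 0, 0)
    return sorted(rules, key=key)


def matching_rule(rules, src):
    """Return the name of the first rule whose real source contains src."""
    addr = ip_address(src)
    for rule in evaluation_order(rules):
        if addr in ip_network(rule.real):
            return rule.name
    return None


# Constructed addresses: one server with a static NAT, one /24 of users on PAT.
STATIC = NatRule("STATIC", 2, "static", "10.0.0.10/32")

# Suspected setup: the PAT was entered as plain manual NAT, so it sits in Section 1.
pat_section1 = [STATIC, NatRule("DEFAULT-PAT", 1, "dynamic", "10.0.0.0/24", seq=1)]
# Suggested setup: the same PAT with after-auto, which moves it to Section 3.
pat_section3 = [STATIC, NatRule("DEFAULT-PAT", 3, "dynamic", "10.0.0.0/24", seq=1)]

if __name__ == "__main__":
    for label, rules in (("PAT in Section 1", pat_section1),
                         ("PAT in Section 3", pat_section3)):
        print(label)
        for host in ("10.0.0.10", "10.0.0.55"):
            print(f"  {host} -> {matching_rule(rules, host)}")
```

On a real device, `show nat detail` lists the rules by section so the actual order can be compared against this model.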

  • User synchronization issue between Active Directory and Solution manager.

    Requirement:
    Synchronize the users between Active directory and solution manager system.
    What we did:
    1. Created RFC connection (LDAP_RFC) for LDAP connector.
    2. Created new LDAP connector that utilizes the RFC (LDAP_RFC).
    3. Created new logical LDAP Server (CUA). Here we have to maintain the connection details to the physical directory.
    4. We maintained the communication user that is used by the LDAP connector to bind the LDAP Directory Server.
    5. In transaction LDAPMAP specific SAP data fields, we mapped to the desired directory attributes.
    6. Testing from LDAP transaction working fine. We are able to see the attributes and values from Active directory.
    Issue:
    When executed the program RSLDAPSYNC_USER for user synchronization from t-code se38 with below selection.
    LDAP Server = CUA (created earlier)
    LDAP Connector = LDAP_RFC (RFC connection created earlier)
    In the tab: (Objects that exist both in the directory and in the Database:)
    Selected: Compare Time Stamp.
    In the tab: (Objects that only exist in the Directory.)
    Selected: Create in Database.
    In the tab: (Objects that only exist in the Database:)
    Selected: Ignore Object.
    Result from the report shows that connection to LDAP server is fine and ‘0’(zero) objects in Directory.
    The program does not create any new user in the Solution Manager system.
    Any help on this issue greatly appreciated.
    Thanks & Regards,
    Harish

    Where did you see this error? Are there any more details?
    I think the account you are using for Sync does not have Replicate Directory Changes permission in AD. Follow the article below and give Replicate Directory Changes permission.
    http://technet.microsoft.com/en-us/library/hh296982(v=office.15).aspx
    Thanks, Noddy

  • I cannot select radial filter points after I create them in Lightroom.  Anyone experience this issue before and what might be the solution?

    I cannot select radial filter points after I create them in Lightroom.  Anyone experience this issue before and what might be the solution?

    Press H to hide/show control points.

  • I have an iPhone 4s. Suddenly for past two days, the contact names from my address book are disappeared.  Has anyone come across this issue earlier and know the solution please?

    I have an iPhone 4s. Suddenly for past two days, the contact names from my address book are disappeared.  Has anyone come across this issue earlier and know the solution please?

    You had to have some kudos for the effort put into your thread as well as the point you make.

  • Vista "Problem Reports and Solutions" - Compatibility issues?

    The Vista Problem Reports and Solutions control panel is reporting three problems which I cannot seem to be able to find a resolution to.
    (So far I've just installed Vista 32 business ed. on my iMac 20". Installed bootcamp drivers, updated bootcamp to 2.1 and applied Vista updates.)
    The Problem Reports and Solutions control panel reports the following:
    1. Download and install the driver for Apple performance counter
    This problem was caused by Apple performance counter, which was created by Apple Inc..
    2. Compatibility issue between Intel 82801GBM (ICH7-M) LPC Interface Controller - 27B9 and Windows. This problem was caused by a compatibility issue between Intel 82801GBM (ICH7-M) LPC Interface Controller - 27B9 and this version of Windows. Intel 82801GBM (ICH7-M) LPC Interface Controller - 27B9 was created by Intel Corporation and is distributed by Apple Inc..
    3. Problem caused by Apple Desktop Null Driver.
    This problem was caused by a compatibility issue between this version of Windows and Apple Desktop Null Driver. This product is usually distributed by the company that manufactured your device or computer. Note. If you bought Apple Desktop Null Driver from a retailer and installed it yourself, you will need to contact its manufacturer.
    Are these genuine, and if so, is there a solution? No solutions are proposed by Vista itself.
    Mac OS 10.5.5 , bootcamp 2.1

    A performance counter is not something that is usually in use by any application except by the developers of the unit itself. Nothing to be alarmed about (well, except perhaps that it should have been removed).
    A null driver is (as the name indicates) null, there is no functionality assigned with it. MS error message is just brilliant "there is an error in your null driver", like what, there is no functionality in a null driver. So no problems there either.
    I got the 2 above error messages on the very first generation 17" MBP for ages and so far not seen any impacts in it for my work.
    The Intel issue is interesting, it might be a good idea to see if Intel has an updated driver for the problem.

  • Z97 GAMING 9 AC - PCIE and the wi-fi module no longer detecting

    Hi,
    I'm an overclocking enthusiast and recently decided to take to my hometown in Brazil using a platform products from MSI, to make disclosure of benchmark tests in social networks and in gaming blogs.
    So I purchased a new system including the MSI Z97 GAMING 9 AC motherboard and MSI Gaming N770 TF 4GD5/OC GeForce GTX 770 4GB graphics card. After building the system I initially had problems with the graphics card not being detected and the wi-fi module (that hard to fit in the mobo) doesn't even appear in device manager. I already tried to dismount and remount the module on the motherboard with extreme care, no success. After some research I updated the bios to 1.5 and used the onboard graphics card to install windows 8.1, drivers etc. After windows, drivers etc were installed the graphics card and the wi-fi module still would not detect.
    I have tried another graphics card in this system and it does not seem to work either. In bios it just always says that the PCIE slots are 'empty'.
    So I have tried the following:
    1. Cleared CMOS.
    2. Updated BIOS.
    3. Updated Chipset, drivers etc.
    4. Tested the Graphics Card in other computers.
    5. Used a different graphics card in this system.
    6. Tried PCIE 2.0, 3.0 and auto.
    7. Completely reformatted and started from scratch.
    So after many attempts I am disappointed with MSI and need some solution to my problem, since I saw that several customers who have purchased from MSI are the same product with exactly the same problem which possibly conclude that MSI has a duty to resolve these cases.
    Full Specs:
    •   EVGA SuperNOVA 1300G2 ATX12V/EPS12V 1300W 80Plus Gold Power Supply 120-G2-1300-XR
    •   Corsair Cooling Hydro Series H100i Liquid CPU Cooler - Extreme Performance CPU Cooling and Built-In
    •   Intel Core i7 4790 LGA1150 CPU 3.6Ghz
    •   Corsair Vengeance Pro 16GB 2x8GB DDR3
    •   2 x Kingston 120GB SSD 6Gbs
    •   Microsoft Windows 8.1 Pro 64bit OEM
    •   MSI Z97 Gaming 9 AC Motherboard
    •   MSI Gaming N770 TF 4GD5/OC GeForce GTX 770 4GB 256-Bit GDDR5 PCI Express 3.0 HDCP Ready SLI Support Video Card

    I have the exact same problem with my gaming 9 AC only the PCIe slot for gfx card worked initially. MSI support sent me a new WiFi adapter, it also didn't work. When I installed it, the PCIe slot would not identify my graphics card anymore. MSI support then advised me to return the board to the reseller, where it is now - they are checking it for defects before they do anything.
    I'll keep you updated how they proceed from here. If there are any more problems I will just ask my reseller to downgrade me to a gaming 7, I can add a pcie wifi card on my own, and avoid the hassle.

  • My Iphone/ Ipod touch 4th gen WiFi problems and solution

    Just wanted to let people know the problems that I had with my 4th gen Ipod touch and Iphone 4 WiFi connections (and my solution).
    I was having consistent problems with my WiFi connection at home - my devices were connecting fine to the router and apparently the signal was full strength; however, nothing was working properly (internet, itunes, app store). To be specific the devices would work for 5-10 minutes but then the connection would start to falter. My other wireless devices were working fine (HTC Hero, laptops etc.) - just the ipod and iphone seemed to suffer from this signal problem (although the router was always apparently connected).
    Obviously, I read countless forums to try and diagnose the problem. There seemed to be a litany of possible causes and I tried the following to resolve the issue:
    - updated router (Netgear WGR614 v6) firmware
    - rotated wireless encryption (WEP/WAP/nothing)
    - changed router channel
    - reset router power
    - reset network settings on Apple devices
    - changed g and b settings on router
    Nothing seemed to work so I began to question the hardware i.e. the router (which I knew was working from my other devices) and the iphone/ipod.
    I tested my iphone and ipod on other wireless networks (McDonalds in the UK has free WiFi) and found that, in contrast, they worked fine on other networks. I had read a few posts from people saying that my router was perhaps too old. So as a last resort I bought myself a new router (Netgear WNR2000 v2). I was loath to do this earlier in case it didn't work, since reasonable spec routers are £50.
    Anyway it worked ... straight away. I have tested the new connection at home using this SpeedTest app. D/load = 9.01 Mbps, U/load = 0.46 Mbps, Ping 65ms. The router is using the full encryption (WAP2 something ...) and N connection.
    As you can probably tell I'm no WiFi expert - I just wanted to post this in case people are having similar issues with older routers. I wasn't able to find any definitive advice and solutions from other users so I thought I'd contribute here, which I guess is the first port of call for new Apple users, like me.
    I bought the new router 10 days ago and have been enjoying my full speed connection ever since - touch wood. Hope this helps.

    Sounds like an intermittent contact problem somewhere on the logic board. Hard to trace down and fix.

  • My iSight is not working on my Macbook Pro. What are the possible problems and solutions?

    My iSight is not working on my Macbook Pro. What are the possible problems and solutions?

    Hello Douglas,
    Thank you for the details of the issue you are experiencing with the built-in iSight camera on your MacBook Pro.  I recommend the following steps for this issue:
    Important: Follow these instructions in order. Test the camera between steps to see if the issue is resolved.
    Built-in iSight cameras
    These steps are for iSight cameras that are built into a computer, such as the iMac G5 (iSight) or later, the MacBook, or MacBook Pro.
    See if the issue is application-specific.
    Try another application (iSight works with applications like iChat, PhotoBooth, and iMovie HD 6) to see if the iSight camera exhibits the same behavior in all applications. If it only happens in one application, try reinstalling that application.
    See if the issue is user-specific.
    Test your iSight camera in another user account. If the issue only occurs in one user, the issue would be isolated to user settings.
    Find out if the computer recognizes the iSight
    Check System Profiler (in the Utilities folder, inside the Applications folder). Under the USB header, check to see if the iSight camera is detected.
    Reset SMC or PMU
    Reset your computer's SMC or PMU, and then check System Profiler again. (SMC reset instructions for iMac G5 (iSight), Intel-based iMacs; PMU reset instructions for MacBook and MacBook Pro.)
    If your built-in iSight camera is still not behaving correctly after trying all these steps, you may need to contact Apple or an Apple-Authorized Service Provider for service.
    You can find the full article here:
    How to Troubleshoot iSight
    http://support.apple.com/kb/ht2090
    Thank you for using Apple Support Communities.
    Best,
    Sheila M.

  • NAT issue - WRT54G Version 1.1 with Vista Home Premium

    Router = WRT54G Version 1.1
    I am trying to figure out the cause of my problems, this router or Vista?
    I have 2 PC’s (just want to use my Vista 1) connected to the same router that is connected to a cable modem – the Windows XP machine has no problems bar its age and spec. I have a brand new PC with Vista Home Premium installed on it, now it is this new PC that I am having NAT problems with and port blocking.
    I have installed Windows Live Messenger and when setting it up I went into Tools/Options/Connections and I get an error message:- "You are connected to the internet through a UPnP port restricted NAT. The Windows Firewall is enabled. (User)"
    I have no option to run the trouble shooter (greyed out)…….
    If I turn off Windows Vista Firewall I get:- "You are connected to the internet through a UPnP port restricted NAT. (User)"
    Since this I have installed Media server software and have to reset the port it uses every time as it is always stating that it is blocked.
    I have downloaded OpenOffice via a torrent client which also stated that I had NAT problems.
    I have no NAT issues at all on my older XP PC and as a result I believe it is safe to rule out my router and modem……..I have only disabled Windows Firewall and this had made no difference, but I have not tried uninstalling it (no idea if that would make a difference)
    Oh, I do not have UPnP enabled (router setting) – does this matter (I have tried turning it on but made no difference to this issue so I turned it off again)?

    user11241256 wrote:
    Documentation states that Oracle is supported on Vista business and Ultra. Unfortunately I have Home Premium 64 and was curious if anyone had experience installing on this OS. I did attempt to install the 11g and I got one warning below that I could not find in the documentation for errors. You have answered your query yourself.
    You might be able to get the things running on an unsupported combination but there is no guarantee about the stability.

  • Av check disabled in issue order and enabled in delivery

    Hi guys,
    we are looking for a solution to deactivate the order av. check in the issue order and activate the av. check in the delivery at creation:
    -requirement class : 0041 -> av. check  enabled
    -vov6 schedule line disabled
    - delivery item category av check enabled.
    with checking group 02 from material master (av. check active)
    -> the av check happens at order level
    with checking group Z. (no check)  the av. check happens only at time of goods issue
    Does anyone have any idea if this is not working for consignment process?
    Thanks a lot in advance
    Dominique

    1) Check the reservations for the material in MD04. The available quantity might have been confirmed for earlier sale orders and hence reserved for those sale orders.
    There are 11,000 cases in unrestricted stock. No reservations for the material.
    2) Check the inhouse production time in MRP2 view of the material master. It should be filled with production lead time.
    Done
    3) In OVZ9, the checkbox "check w/o RLT" is unchecked.
    This is our current setup
    Net, issue is still there.
