%CRYPTO-4-RECVD_PKT_MAC_ERR Error

Dear All,
I have received a few of this errors in my router logs, when i did a serach in cisco docs, I did see, its because of the packet verify failure and its Normal upto a particular limit.
when i did "sh crypto ipsec sa det" comand, i can see this total packet verification failed is 541 in number.
May i know is this an allowed limit ??
Could this packet failure result in BGP down or Tunnel down ???
I See a BGP failure in one of the logs after this logs, So i just confused is this has any relation to BGP, since crypto is just over the IPsec Tunnels??
Appreciate your valuable advice on this.
Thanks
Riyas Rasheed

It's a known issue but is only cosmetic. You can ignore or if you recently upgraded the IOS, downgrade.

Similar Messages

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt mac verify failed

Hello,
I know this question has been asked many times on the forum, I am constantly getting the below error message on my 2811 Router:
*Aug 9 07:07:01.507: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3004 local=3.3.3.1 remote=3.3.3.2 spi=CDE6EACF seqno=00005214
N.R-HQ#
*Aug 9 07:08:33.231: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3004 local=3.3.3.1 remote=3.3.3.2 spi=CDE6EACF seqno=000056E4
I did some research and found the IOS is in the KAV list of bug#CSCsv43145. I upgraded the IOS to 12.4(25e) which doesn't appear in the list but still same error occurs.
-is the error just cosmetic
-is there anyway to go around it?
I have attached the config.
10x,
E.B:.

Hi,
12.4(25e) should not be affected by CSCsv43145, which is cosmetic. The issue you are seeing is likely not cosmetic, and is actually resulting in dropped packets due to mac authentication failures. To troubleshoot this type of issue, you really need to get sniffer traces on the WAN (encrypted) side from both tunnel end points and compare the packet in question (based on the spi/seq number reported in the log) and see if the packet is corrupted somehow. There is no easy way to get around this other than turning off authentication check in your ipsec transform, in which case no mac authentication will be performed on the packet, and you do need to consider the security implications when doing that.
Hope this helps,
Thanks,
Wen

Import javax.crypto not found error

Hi,
I have just installed the JDK1.7 on a windows machine.
Whenever I try to compile my module, I get an error on the import javax.crypto line. It tells me that it can't the javax\Crypto\Cipher.class.
I have the jdk installed on d:\glassfish3 and am pointing the classpath to d:\glassfish3\jdk7 (also tried d:\glassfish3\jdk7\jre as well) with no luck.
Any help would be greatly appreciated.
Thanks,
Drew Nathanson
Technical Synergy, Inc.

Thanks. Maybe I should explain a little better.
I am using JBuilder 2006 to my IDE. This environment requires that you put in the path to the JRE/JDK.
I have uninstalled and downloaded the jdk again and this time i'm getting a strange error:
"test.java": cannot access javax.crypto.Cipher; bad class file: D:\Program Files\Java\jre7\lib\jce.jar\javax\crypto\Cipher.class, class file has wrong version 51.0, should be 49.0, Please remove or make sure it appears in the correct subdirectory of the classpath. at line 19, column 21
Now this is strange because i'm using the right library.
Is there something that I'm missing here?
Again, thanks for your help.
Drew Nathanson

DMVPN error message

Hi,
i'm setting up the DMVPN with 1 HUB and 2 spoke topology, after completed there was error message prompt out as below may i know what is this about?
*Apr 7 21:06:38.818: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=257 local=100.100.100.2 remote=200.200.200.2 spi=753D30A6 seqno=00000018
Thanks your help
Thor

I have been searching for the same error as you are having, based on my search I came up with conclusion that it could be because a mismatch key, fast switching or just an IOS bug. If you said that the key is correct, then try to disable fast switching with no ip route-cache command on interface level. The last thing to try is by disabling the vpn accelarator on those routers, just keep in mind that then the encryption will be done on software. How often do you get the error?

Could not validate SPNEGO token.java.lang.Exception: Checksum error.

Hello consultant:
We are trying configurated SSO usind SPNEGO module
We have a portal 7.0 ehp1 and Active Directory Microsoft versión 2003 native
we have followed the steps described in note Sap 1457499"Note 1457499 - SPNego add-on"
When we have logged with user Active Directory and we try access to portal we obtain following error:
Authorization check user error
We have Deploy the Web diagtool from SAP Note 1045019 on the J2EE server, run it and perform the
following steps:
1. Select "Component" = "security" and "Activity" = "all"
2. Click the "Go" button, followed by the "Add All" button
3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"
4. Click the "Go" button, followed by the "Add All" button
5. Start the tool
Then we have reproduce the problem and stop the tool. The generated zip file will contain following error:
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~p.security.spnego.krb5.crypto.DesCrypto Checksum error! checksum: 0xc46bfed8d0dbc54221ee75405c8cd5ac; calculated checksum: 0x6ead7e801608b729a6957597327f2ba5
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~m.sap.security.spnego.SPNEGOLoginModule Could not validate SPNEGO token.
java.lang.Exception: Checksum error.
at com.sap.security.spnego.krb5.crypto.DesCrypto.decrypt(DesCrypto.java:43)
at com.sap.security.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:81)
at com.sap.security.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:67)
at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:234)
at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:181)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:541)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:430)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Could you help us?
Many thanks for your collaboration

<< Do not post the same question across a number of forums >>

CAP file generating ERROR

Hi everybody ,
I'm trying to build a javacard project by using ANT tool . The problem is when i use the JCOP tool converter (tric.jar) with JRE 1.4 or 1.5 i got the following error :
Error: class java.lang.RuntimeException, resolving constant-pool of clazz Lhun/eid/javacard/EIDApplet; failed: no such method getClass, ()Ljava/lang/Class; in Ljava/lang/Object;
and JCOP tool converter with JRE 1.6 , igot another error : invalid magic cafebabe
After that , i replaced the JCOP tool's converter by using the java_card_kit-2_2_2's converter , and i got another error :
[java] converting hun.eid.javacard.EIDApplet
[java] parsing C:\Users\mannykitty\workspace NEW\HUNEID\lib\api_export_files\javacard\framework\javacard\framework.exp
[java] parsing C:\Users\mannykitty\workspace NEW\HUNEID\lib\api_export_files\javacardx\crypto\javacard\crypto.exp
[java] error: line 2094: hun.eid.javacard.EIDApplet: method getClass() of class java.lang.Object not found in export file lang.exp or the method signature has changed.
[java] error: line 2094: hun.eid.javacard.EIDApplet: class java.lang.Class not found in export file lang.exp.
[java] error: line 2094: hun.eid.javacard.EIDApplet: class java.lang.Class in return type of method java.lang.Object.getClass() not found.
[java] error: line 2094: hun.eid.javacard.EIDApplet: method getClass() of class java.lang.Object not found in export file lang.exp or the method signature has changed.
[java] error: line 2094: hun.eid.javacard.EIDApplet: class java.lang.Class not found in export file lang.exp.
[java] error: line 2094: hun.eid.javacard.EIDApplet: class java.lang.Class in return type of method java.lang.Object.getClass() not found.
[java] conversion completed with 6 errors and 0 warnings.
[java] Java Result: 1
Can someone tell me how to fix this ? Any help will be appreciated !

I've added the api.jar to class path for compiling but it's seemed not to be changed . Here is my ANT build.xml config :
<property name="lib" value="lib"/>
     <property name="JCKlibHome" value="c:\Java\java_card_kit-2_2_2\lib"/>
<property name="JCOPlib" value="${lib}/slbJIop.jar;${lib}/jc_api_212.jar;${lib}/jce1_2_2.jar;${lib}/sunjce_provider.jar"/>
<property name="JCOPtools" value="${JCKlibHome}/converter.jar;${JCKlibHome}/offcardverifier.jar"/>
<property name="src" value="src"/>
     <property name="build" value="build"/>
<property name="classes" value="${build}/classes"/>
<property name="cardout" value="${build}/card"/>
<property name="tmp" value="${build}/tmp"/>
<property name="buildcp" value="${JCOPlib};${JCKlibHome}/api.jar"/>
Compile :
<target name="compile" depends="init" description="Compile the javacard source into class files">

<javac debug="yes" classpath="${buildcp}" srcdir="${src}" destdir="${classes}"/>
</target>
CAP generation:
<target name="createCAP" depends="compile,capuptodatecheck" unless="capfile.uptodate" description="Create the CAP file from the class files">
<java classname="com.sun.javacard.converter.Converter" classpath="${JCOPtools}" fork="yes">
     <arg line="-classdir ${classes}" />
     <arg line="-exportpath ${JCOPlib};C:\Java\java_card_kit-2_2_2\api_export_files"/>
     <arg line="-d ${cardout}" />
     <arg line="-v" />
     <arg line="-out CAP EXP JCA" />
     <arg line="-applet 0x41:0x70:0x70:0x68:0x75:0x6e:0x65:0x69:0x64 hun.eid.javacard.EIDApplet hun.eid.javacard 0x41:0x70:0x70:0x68:0x75:0x6e:0x65:0x69:0x64:0x01" />
     <arg line="1.0" />
ERROR :
[java] error: line 2094: hun.eid.javacard.EIDApplet: method getClass() of class java.lang.Object not found in export file lang.exp or the method signature has changed.
[java] error: line 2094: hun.eid.javacard.EIDApplet: class java.lang.Class not found in export file lang.exp.
[java] error: line 2094: hun.eid.javacard.EIDApplet: class java.lang.Class in return type of method java.lang.Object.getClass() not found.
[java] error: line 2094: hun.eid.javacard.EIDApplet: method getClass() of class java.lang.Object not found in export file lang.exp or the method signature has changed.
[java] error: line 2094: hun.eid.javacard.EIDApplet: class java.lang.Class not found in export file lang.exp.
[java] error: line 2094: hun.eid.javacard.EIDApplet: class java.lang.Class in return type of method java.lang.Object.getClass() not found.
[java] conversion completed with 6 errors and 0 warnings.
[java] Java Result: 1
:(

Is QOS causing IPSEC replay errors?

Should there be a "service-policy" command on the outbound interface when using the "qos pre-classify" under the crypto map?
I have several point-to-point links that use both the qos pre-classify and the service-policy on the interface, and all those links generate %CRYPTO-4-PKT_REPLAY_ERR errors under load.
Other links that only encrypt are not getting the %CRYPTO-4-PKT_REPLAY_ERR errors under load.
The documentation for QOS and VPN: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ac4.html
Only states to use the "qos pre-classify" ???
I believe the packets are going through the QOS process twice. Once before encryption, and then again afterward resulting in the resequencing.

Hi,
IPSec replay error can also be caused due to a smaller replay window size. You might wanna try in creasing the replay window size.
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html
HTH,
-Kanishka

Crypto Map on Loopback interface or Physical Interface

Dear All,
When we try to apply the crypto map on any physical interface or the loopback interface on WS-6506-E, it is showing the error. But the same i could apply on VLAN interface. Can anyone explain me what is the issue..?
6506(config)#interface loopback 3
6506(config-if)#crypto map XXXX
ERROR: Crypto Map configuration is not supported on the given interface
Any hardware limitation?

This was proven to break CEF in the past and is a bad design choice by default.
Newer release do not allow you to configure this.
If you're curious if it will work for you check releases prior to 15.x.
M.

Javacardx.crypto.* and Converting and compiling

Hi,
i want to convert my class into a cap file.
During the compilation i am getting the following error:
package javacardx.crypto does not exist
import javacadx.crypto.*;
^
1 error
I tried it on Javacard 2.1.1.
I kow that javacardx.crypto is not implemented. But the converting should work or not??
Or do i need the special development kid from the vendor, in order to make it run??
Thx for your help.

Hi,
Since it is failing during the compilation stage, you will need to build against a version of the JC runtime that has that package and any classes you are compiling against. In this respect it is the same as compiling standard Java code. The only difference is at runtime, these packages are provided by the card or simulator.
To compile and convert, you will either have to use a newer JCDK or get the jar files from your vendor.
Cheers,
Shane

Problem : tcl script for filter IPSec cosmetic log

Hi all, I would like some advice from anyone who ever see this case. I applied tcl script for filter ipsec error log that log is cosmetic. But my site want to don't see this log from router log. I already create tcl script for filter it out. Ok script can work fine but it more work. It filter other message not just ipsec log out. I check cisco device that support script. How can I fix this problem.
See my detail of script and ios version of router :
script :
# VPN_Error.tcl This script deletes all log messages about VPN error messages
# The script will filter by combination between facility-serverity and mnemonic
# Created on 05-Oct-2012.
set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
foreach msg $msgs {
    if { $msg == $fac_sev_mnem } {
    return ""
return $::orig_msg
ios router version :
: c2800nm-adventerprisek9-mz.124-25f.bin
: c2800nm-adventerprisek9-mz.124-7b.bin
log information and configuration
When I applied command:
logging filter flash:VPN_Filter2.tcl
logging buffered filtered 4096 debugging
show log file:
router#sh logg
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering enabled)
    Console logging: level debugging, 18145 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 428 messages logged, xml disabled,
                     filtering disabled
        Logging to: vty322(2)
    Buffer logging: level debugging, 0 messages logged, xml disabled,
                    filtering enabled (0 messages logged)
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
Filter modules:
    flash:VPN_Filter2.tcl
    Trap logging: level informational, 47011 message lines logged
        Logging to 10.145.0.25 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
               filtering disabled
        Logging to 10.247.17.41 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
               filtering disabled
        Logging to 10.247.17.45 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
               filtering disabled
--More--
Log Buffer (4096 bytes):
router#
If you have some more information. Please tell me.
Thank you for your advice

It looks like your script has an error. You have an extra '}'. It should be:
# VPN_Error.tcl This script deletes all log messages about VPN error messages# The script will filter by combination between facility-serverity and mnemonic       # Created on 05-Oct-2012.#set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"foreach msg $msgs {    if { $msg == $fac_sev_mnem } {        return ""    } } return $::orig_msg

DMVPN GRE over IPSEC Packet loss

I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
interface Tunnel111
description **DPN VPN**
bandwidth 1000
ip address 172.31.111.107 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1300
ip pim sparse-dense-mode
ip nhrp authentication XXXX
ip nhrp map multicast dynamic
ip nhrp map multicast X.X.X.X
ip nhrp map X.X.X.X X.X.X.X
ip nhrp network-id 100002
ip nhrp holdtime 360
ip nhrp nhs 172.31.111.254
ip route-cache flow
ip tcp adjust-mss 1260
ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XXXX
tunnel protection ipsec profile X.X.X.X
interface GigabitEthernet0/0
description **TO DPNVPN**
ip address 10.X.X.X 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip pim sparse-dense-mode
ip virtual-reassembly
duplex full
speed 100
no snmp trap link-status
no mop enabled
Is there anything that you can think of that may becausing this, do you think this can be a layer one or two issue? Thanks
Brenden

Have you try to turn off the hardware encryption (no crypto engine accelerator) just to see if it's better. But be careful, cause your CPU% will run much higher, but you only have 10 spokes sites, so it wont be at 100%.
It's better to start troubleshooting by layer 1 then layer 2 when it's possible. Have you ask the site's ISP for packet lost on their side ?

Decrypt the encrypted password

Hi there,
I have been scratching my head for some time to fix one issue. We are planning to change the plateform/technology and we need to bring over existing login to new system. In order to have the same password I need to decrypt the password before I send it to new system. When we stored the password, it encrypts them and stores it in database. I am using following code to decrypt it. it's not worlking . This is error I am getting.
Given final block not properly padded
Here is some more information:
Key is :javax.crypto.spec.SecretKeySpec@18f3a
Format is :RAW
getAlgorithm() is :DES
String encrypted = abcdefgh
Provider is: com.sun.crypto.provider.SunJCE()
This is my code to decrypt which throws error " Given final block not properly padded" :
public String decrypt(String encrypted){
          Cipher ci = null;
          byte [] result = null;
          try {
               ci = Cipher.getInstance("DES");
               ci.init(Cipher.DECRYPT_MODE, key);
               System.out.println("CryptoUtil()" +"before hexToByteArray. Byte Data: "+encrypted);
               byte [] encryptedData = hexToByteArray(encrypted, false);
               //Log.out("CryptoUtil()" +"after hexToByteArray. lenth: "+ encryptedData.length);
               result = ci.doFinal(encryptedData);
          catch (Exception e) {
               System.out.println("CryptoUtil()" +"ERROR: "+ e.getMessage());
               return encrypted;
          String strResult = new String(result);
          return strResult;
Please help.
Thank you.

These are the two values I am getting for encrypted password:
97654de7857cd9aab331995cba044fc6
a125a6b2a71e23adc002ac7fbe1a1042
Is this a hex code?
I think the key is: abcdefgh
This is my code to encrypt and decrypt:
      * empty constructor
      * @param keydata
     public CryptoUtil(String keydata){
          if (keydata.trim().equals("")){
               logDebug("CryptoUtil()" +" Constructor didn't get a valid key!");
               usage();
               System.exit(0);
          }else{
               keyBytes = keydata.getBytes();
               key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DES");
          try {
               Provider sp = new com.sun.crypto.provider.SunJCE();
               //logDebug("CryptoUtil() " + sp.getInfo());
                Security.addProvider(sp);
              }catch (Exception ex) {
                     logDebug("CryptoUtil() " +"Problem loading crypto provider \n error:"+ex.getMessage());
               usage();
                System.exit(0);
      * Encrypt
      * @param s
     public String encrypt(String s){
          Cipher ci = null;
              byte [] result = null;
              try {
               ci = Cipher.getInstance("DES");
               ci.init(Cipher.ENCRYPT_MODE, key);
               result = ci.doFinal(s.getBytes());
              }catch (Exception e) {
                    logDebug("CryptoUtil()" +"ERROR: "+ e.getMessage());
          String strResult = byteArrayToHex(result);
              return strResult;
      * decrypt a card number
      * @param encrypted
     public String decrypt(String encrypted){
          Cipher ci = null;
              byte [] result = null;
              try {
               ci = Cipher.getInstance("DES");
               ci.init(Cipher.DECRYPT_MODE, key);
               //Log.out("CryptoUtil()" +"before hexToByteArray. Byte Data: "+encrypted);
               byte [] encryptedData = hexToByteArray(encrypted, false);
               //Log.out("CryptoUtil()" +"after hexToByteArray. lenth: "+ encryptedData.length);
               result = ci.doFinal(encryptedData);
              catch (Exception e) {
               logError("CryptoUtil()" +"ERROR: "+ e.getMessage());
               return encrypted;
          String strResult = new String(result);
          return strResult;
     static final String hexDigitChars = "0123456789abcdef";
      * @param a
     public static final String byteArrayToHex(byte [] a) {
          int hn, ln, cx;
          StringBuffer buf = new StringBuffer(a.length * 2);
          for(cx = 0; cx < a.length; cx++) {
                hn = ((int)(a[cx]) & 0x00ff) / 16;
                ln = ((int)(a[cx]) & 0x000f);
                buf.append(hexDigitChars.charAt(hn));
                buf.append(hexDigitChars.charAt(ln));
                buf.append(' ');
         return buf.toString();
      * @param str
      * @param rev
     public static final byte [] hexToByteArray(String str, boolean rev) {
          StringBuffer acc = new StringBuffer(str.length() + 1);
          int cx, rp, ff, val;
          char [] s = new char[str.length()];
          str.toLowerCase().getChars(0, str.length(), s, 0);
          for(cx = str.length() - 1, ff = 0; cx >= 0; cx--) {
          if (hexDigitChars.indexOf(s[cx]) >= 0) {
               acc.append(s[cx]);
               ff++;
           }else {
               if ((ff % 2) > 0) acc.append('0');
                    ff = 0;
          if ((ff % 2) > 0) acc.append('0');
          byte [] ret = new byte[acc.length() / 2];
          for(cx = 0, rp = ret.length - 1; cx < acc.length(); cx++, rp--) {
                val = hexDigitChars.indexOf(acc.charAt(cx));
                cx++;
                val += 16 * hexDigitChars.indexOf(acc.charAt(cx));
                ret[rp] = (byte)val;
          if (rev) {
                byte tmp;
                int fx, bx;
                for(fx = 0, bx = ret.length - 1; fx < (ret.length / 2); fx++, bx--) {
                    tmp = ret[bx];
                    ret[bx] = ret[fx];
                    ret[fx] = tmp;
          return ret;
Will that give you any more information to help me?

Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make follow changes on host: officeasa
remove this line below highlighted.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make follow changes on host: homeasa
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A:   (Office):
Hostname: asaoffice
Inside: 10.10.5.0/254
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B:   (Home):
Hostname: asahome
Inside: 10.10.6.0/254
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
SIte-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1   (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#

Thanks Rizwan,
Still no luck. I can't even ping the otherside (office).. I am not sure if i'm running the debug rightway.   Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side. I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
                                   ^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)#

Cisco ASA 5505 Reset-I Problem with TCP State Bypass

Hello,
I have a Cisco ASA 5505 that functions as my primary firewall and a Mitel 5000 controller behind it. I have two external phone users that have been connecting through the firewall with no issues for six months until about two weeks ago. I am now seeing the following log entry on the phone trying to connect to the Mitel Controller.
6
May 16 2014
14:52:52
302014
72.135.115.37
6915
192.168.20.2
6801
Teardown TCP connection 1203584 for outside:72.135.115.37/6915 to inside:192.168.20.2/6801 duration 0:00:00 bytes 0 TCP Reset-I
My phones are designed to work with the Mitel 5000 and Mitel 3300 phone controllers. The 5000 will only use port 6800 for call control, while the 3300 will use 6801 (Secured Minet), 6802 (Minet SSH), and if those fail, port 6800 (Minet Unsecured). When the phones initiate a connection, they try 6801 first. If 6801 is unavailable, the phone controller adds the RST flag to the ACK packet. When the phone sees the RST flag, it is supposed to reset and use the next port (6802). The same process happens again for port 6802, then the phone knows to try 6800. The problem is that the ASA sees the RST flag now and terminates the connection at the firewall. Therefore, the phones never see the RST flag, and continue to try the connection with port 6801.
I have tried to use the TCP State Bypass feature to correct the situation, but the log shows that the connection is still being terminated immediately by the firewall. I am a novice when it comes to configuring the ASA. Any help would be greatly appreciated, as the company that I bought the phone system from is out of troubleshooting options. I do not think that I have made any changes to the firewall around this time. I have packet captures and logs from my ASA and I have wireshark data on the inside of my network. I need to figure out how to configure the ASA so that it ignores the RST flag and sends the packet back to the source.
Any help would be greatly appreciated!

Thanks Rizwan,
Still no luck. I can't even ping the otherside (office).. I am not sure if i'm running the debug rightway. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side. I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)#

Apache 2.2.3 recompilation problem with updated openssl

I am trying to recompile an apache 2.2.3 with an updated openssl and stumble on httpd-2.2.3 make. I did compile this setup in the last year successfully, only difference is updated openssl.
First, I installed openssl-0.9.6m from source. Test install:
/usr/local/ssl/bin/openssl version
OpenSSL 0.9.6m 17 Mar 2004
Using following gcc version:
gcc -v
Reading specs from /usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/specs
Configured with: ../configure with-as=/usr/ccs/bin/as with-ld=/usr/ccs/bin/ld enable-shared enable-languages=c,c++,f77
Thread model: posix
gcc version 3.4.6
PATH output:
echo $PATH
/usr/sbin:/usr/bin:/usr/local:/usr/local/bin:/usr/ccs/bin:/usr/openwin/bin:/usr /dt/bin:/usr/platform/SUNW,Sun-Fire-V240/sbin:/opt/sun/bin:/opt/SUNWvts/bin
This is my apache config options:
./configure enable-so enable-ssl enable-rewrite enable-proxy enable-proxy-balancer with-ssl=/usr/local/ssl
make output:
Making all in srclib
Making all in pcre
Making all in os
Making all in unix
Making all in server
Making all in mpm
Making all in prefork
Making all in modules
Making all in aaa
Making all in filters
Making all in loggers
Making all in metadata
Making all in proxy
Making all in ssl
In file included from /usr/local/ssl/include/openssl/ecdh.h:79,
from /usr/local/ssl/include/openssl/engine.h:85,
from ssl_toolkit_compat.h:45,
from ssl_private.h:59,
from mod_ssl.c:27:
/usr/local/ssl/include/openssl/ossl_typ.h:79: error: redefinition of typedef 'ASN1_INTEGER'
/usr/local/ssl/include/openssl/asn1.h:241: error: previous declaration of 'ASN1_INTEGER' was here
/usr/local/ssl/include/openssl/ossl_typ.h:80: error: redefinition of typedef 'ASN1_ENUMERATED'
/usr/local/ssl/include/openssl/asn1.h:242: error: previous declaration of 'ASN1_ENUMERATED' was here
/usr/local/ssl/include/openssl/ossl_typ.h:81: error: redefinition of typedef 'ASN1_BIT_STRING'
/usr/local/ssl/include/openssl/asn1.h:243: error: previous declaration of 'ASN1_BIT_STRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:82: error: redefinition of typedef 'ASN1_OCTET_STRING'
/usr/local/ssl/include/openssl/asn1.h:244: error: previous declaration of 'ASN1_OCTET_STRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:83: error: redefinition of typedef 'ASN1_PRINTABLESTRING'
/usr/local/ssl/include/openssl/asn1.h:245: error: previous declaration of 'ASN1_PRINTABLESTRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:84: error: redefinition of typedef 'ASN1_T61STRING'
/usr/local/ssl/include/openssl/asn1.h:246: error: previous declaration of 'ASN1_T61STRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:85: error: redefinition of typedef 'ASN1_IA5STRING'
/usr/local/ssl/include/openssl/asn1.h:247: error: previous declaration of 'ASN1_IA5STRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:86: error: redefinition of typedef 'ASN1_GENERALSTRING'
/usr/local/ssl/include/openssl/asn1.h:248: error: previous declaration of 'ASN1_GENERALSTRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:87: error: redefinition of typedef 'ASN1_UNIVERSALSTRING'
/usr/local/ssl/include/openssl/asn1.h:249: error: previous declaration of 'ASN1_UNIVERSALSTRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:88: error: redefinition of typedef 'ASN1_BMPSTRING'
/usr/local/ssl/include/openssl/asn1.h:250: error: previous declaration of 'ASN1_BMPSTRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:89: error: redefinition of typedef 'ASN1_UTCTIME'
/usr/local/ssl/include/openssl/asn1.h:251: error: previous declaration of 'ASN1_UTCTIME' was here
/usr/local/ssl/include/openssl/ossl_typ.h:90: error: redefinition of typedef 'ASN1_TIME'
/usr/local/ssl/include/openssl/asn1.h:252: error: previous declaration of 'ASN1_TIME' was here
/usr/local/ssl/include/openssl/ossl_typ.h:91: error: redefinition of typedef 'ASN1_GENERALIZEDTIME'
/usr/local/ssl/include/openssl/asn1.h:253: error: previous declaration of 'ASN1_GENERALIZEDTIME' was here
/usr/local/ssl/include/openssl/ossl_typ.h:92: error: redefinition of typedef 'ASN1_VISIBLESTRING'
/usr/local/ssl/include/openssl/asn1.h:254: error: previous declaration of 'ASN1_VISIBLESTRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:93: error: redefinition of typedef 'ASN1_UTF8STRING'
/usr/local/ssl/include/openssl/asn1.h:255: error: previous declaration of 'ASN1_UTF8STRING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:94: error: redefinition of typedef 'ASN1_BOOLEAN'
/usr/local/ssl/include/openssl/asn1.h:256: error: previous declaration of 'ASN1_BOOLEAN' was here
/usr/local/ssl/include/openssl/ossl_typ.h:95: error: redefinition of typedef 'ASN1_NULL'
/usr/local/ssl/include/openssl/asn1.h:259: error: previous declaration of 'ASN1_NULL' was here
/usr/local/ssl/include/openssl/ossl_typ.h:107: error: redefinition of typedef 'BIGNUM'
/usr/local/ssl/include/openssl/bn.h:241: error: previous declaration of 'BIGNUM' was here
/usr/local/ssl/include/openssl/ossl_typ.h:108: error: redefinition of typedef 'BN_CTX'
/usr/local/ssl/include/openssl/bn.h:254: error: previous declaration of 'BN_CTX' was here
/usr/local/ssl/include/openssl/ossl_typ.h:109: error: redefinition of typedef 'BN_BLINDING'
/usr/local/ssl/include/openssl/bn.h:264: error: previous declaration of 'BN_BLINDING' was here
/usr/local/ssl/include/openssl/ossl_typ.h:110: error: redefinition of typedef 'BN_MONT_CTX'
/usr/local/ssl/include/openssl/bn.h:276: error: previous declaration of 'BN_MONT_CTX' was here
/usr/local/ssl/include/openssl/ossl_typ.h:111: error: redefinition of typedef 'BN_RECP_CTX'
/usr/local/ssl/include/openssl/bn.h:288: error: previous declaration of 'BN_RECP_CTX' was here
/usr/local/ssl/include/openssl/ossl_typ.h:114: error: redefinition of typedef 'BUF_MEM'
/usr/local/ssl/include/openssl/buffer.h:71: error: previous declaration of 'BUF_MEM' was here
/usr/local/ssl/include/openssl/ossl_typ.h:116: error: redefinition of typedef 'EVP_CIPHER'
/usr/local/ssl/include/openssl/evp.h:330: error: previous declaration of 'EVP_CIPHER' was here
/usr/local/ssl/include/openssl/ossl_typ.h:117: error: redefinition of typedef 'EVP_CIPHER_CTX'
/usr/local/ssl/include/openssl/evp.h:331: error: previous declaration of 'EVP_CIPHER_CTX' was here
/usr/local/ssl/include/openssl/ossl_typ.h:118: error: redefinition of typedef 'EVP_MD'
/usr/local/ssl/include/openssl/evp.h:276: error: previous declaration of 'EVP_MD' was here
/usr/local/ssl/include/openssl/ossl_typ.h:119: error: redefinition of typedef 'EVP_MD_CTX'
/usr/local/ssl/include/openssl/evp.h:328: error: previous declaration of 'EVP_MD_CTX' was here
/usr/local/ssl/include/openssl/ossl_typ.h:120: error: redefinition of typedef 'EVP_PKEY'
/usr/local/ssl/include/openssl/evp.h:186: error: previous declaration of 'EVP_PKEY' was here
/usr/local/ssl/include/openssl/ossl_typ.h:122: error: redefinition of typedef 'DH'
/usr/local/ssl/include/openssl/dh.h:78: error: previous declaration of 'DH' was here
/usr/local/ssl/include/openssl/ossl_typ.h:123: error: redefinition of typedef 'DH_METHOD'
/usr/local/ssl/include/openssl/dh.h:93: error: previous declaration of 'DH_METHOD' was here
/usr/local/ssl/include/openssl/ossl_typ.h:125: error: redefinition of typedef 'DSA'
/usr/local/ssl/include/openssl/dsa.h:87: error: previous declaration of 'DSA' was here
/usr/local/ssl/include/openssl/ossl_typ.h:126: error: redefinition of typedef 'DSA_METHOD'
/usr/local/ssl/include/openssl/dsa.h:112: error: previous declaration of 'DSA_METHOD' was here
/usr/local/ssl/include/openssl/ossl_typ.h:128: error: redefinition of typedef 'RSA'
/usr/local/ssl/include/openssl/rsa.h:76: error: previous declaration of 'RSA' was here
/usr/local/ssl/include/openssl/ossl_typ.h:129: error: redefinition of typedef 'RSA_METHOD'
/usr/local/ssl/include/openssl/rsa.h:114: error: previous declaration of 'RSA_METHOD' was here
/usr/local/ssl/include/openssl/ossl_typ.h:131: error: redefinition of typedef 'RAND_METHOD'
/usr/local/ssl/include/openssl/rand.h:76: error: previous declaration of 'RAND_METHOD' was here
/usr/local/ssl/include/openssl/ossl_typ.h:136: error: redefinition of typedef 'X509'
/usr/local/ssl/include/openssl/x509.h:280: error: previous declaration of 'X509' was here
/usr/local/ssl/include/openssl/ossl_typ.h:137: error: redefinition of typedef 'X509_ALGOR'
/usr/local/ssl/include/openssl/x509.h:130: error: previous declaration of 'X509_ALGOR' was here
/usr/local/ssl/include/openssl/ossl_typ.h:138: error: redefinition of typedef 'X509_CRL'
/usr/local/ssl/include/openssl/x509.h:407: error: previous declaration of 'X509_CRL' was here
/usr/local/ssl/include/openssl/ossl_typ.h:139: error: redefinition of typedef 'X509_NAME'
/usr/local/ssl/include/openssl/x509.h:176: error: previous declaration of 'X509_NAME' was here
/usr/local/ssl/include/openssl/ossl_typ.h:140: error: redefinition of typedef 'X509_STORE'
/usr/local/ssl/include/openssl/x509_vfy.h:176: error: previous declaration of 'X509_STORE' was here
/usr/local/ssl/include/openssl/ossl_typ.h:141: error: redefinition of typedef 'X509_STORE_CTX'
/usr/local/ssl/include/openssl/x509_vfy.h:157: error: previous declaration of 'X509_STORE_CTX' was here
/usr/local/ssl/include/openssl/ossl_typ.h:143: error: redefinition of typedef 'X509V3_CTX'
/usr/local/ssl/include/openssl/x509v3.h:132: error: previous declaration of 'X509V3_CTX' was here
/usr/local/ssl/include/openssl/ossl_typ.h:144: error: redefinition of typedef 'CONF'
/usr/local/ssl/include/openssl/conf.h:81: error: previous declaration of 'CONF' was here
/usr/local/ssl/include/openssl/ossl_typ.h:165: error: redefinition of typedef 'CRYPTO_EX_DATA'
/usr/local/ssl/include/openssl/crypto.h:194: error: previous declaration of 'CRYPTO_EX_DATA' was here
/usr/local/ssl/include/openssl/ossl_typ.h:168: error: redefinition of typedef 'CRYPTO_EX_new'
/usr/local/ssl/include/openssl/crypto.h:198: error: previous declaration of 'CRYPTO_EX_new' was here
/usr/local/ssl/include/openssl/ossl_typ.h:170: error: redefinition of typedef 'CRYPTO_EX_free'
/usr/local/ssl/include/openssl/crypto.h:201: error: previous declaration of 'CRYPTO_EX_free' was here
/usr/local/ssl/include/openssl/ossl_typ.h:172: error: redefinition of typedef 'CRYPTO_EX_dup'
/usr/local/ssl/include/openssl/crypto.h:204: error: previous declaration of 'CRYPTO_EX_dup' was here
In file included from /usr/local/ssl/include/openssl/engine.h:91,
from ssl_toolkit_compat.h:45,
from ssl_private.h:59,
from mod_ssl.c:27:
/usr/local/ssl/include/openssl/store.h:230: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:232: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:234: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:237: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:239: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:241: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:246: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:248: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:251: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:252: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:255: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:257: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:259: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:264: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:266: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:268: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:271: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:273: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:275: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:280: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:282: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:284: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:286: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:289: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:291: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:296: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:298: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:301: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:303: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:305: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:307: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:310: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:312: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:323: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:324: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:325: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:328: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:329: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:330: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:331: error: syntax error before "OPENSSL_ITEM"
/usr/local/ssl/include/openssl/store.h:377: error: syntax error before '*' token
In file included from ssl_toolkit_compat.h:45,
from ssl_private.h:59,
from mod_ssl.c:27:
/usr/local/ssl/include/openssl/engine.h:624: warning: no semicolon at end of struct or union
/usr/local/ssl/include/openssl/engine.h:624: error: syntax error before '*' token
/usr/local/ssl/include/openssl/engine.h:627: error: syntax error before '}' token
/usr/local/ssl/include/openssl/engine.h:627: warning: data definition has no type or storage class
/usr/local/ssl/include/openssl/engine.h:660: error: syntax error before '*' token
*** Error code 1
The following command caused the error:
/usr/local/apache2/build/libtool silent mode=compile gcc -g -O2 -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE64_SOU
RCE -I/tmp/httpd-2.2.3/srclib/pcre -I. -I/tmp/httpd-2.2.3/os/unix -I/tmp/httpd-2.2.3/server/mpm/prefork -I/tmp/httpd-2.2.3/modules/http -I/t
mp/httpd-2.2.3/modules/filters -I/tmp/httpd-2.2.3/modules/proxy -I/tmp/httpd-2.2.3/include -I/tmp/httpd-2.2.3/modules/generators -I/tmp/httpd-2
.2.3/modules/mappers -I/tmp/httpd-2.2.3/modules/database -I/usr/local/apache2/include -I/tmp/httpd-2.2.3/modules/proxy/../generators -I/usr/loc
al/ssl/include -I/usr/sfw/include -I/tmp/httpd-2.2.3/modules/ssl -I/tmp/httpd-2.2.3/modules/dav/main -prefer-non-pic -static -c mod_ssl.c && to
uch mod_ssl.lo
make: Fatal error: Command failed for target `mod_ssl.lo'
Current working directory /tmp/httpd-2.2.3/modules/ssl
*** Error code 1
The following command caused the error:
otarget=`echo all-recursive|sed s/-recursive//`; \
list=' '; \
for i in $list; do \
if test -d "$i"; then \
target="$otarget"; \
echo "Making $target in $i"; \
if test "$i" = "."; then \
made_local=yes; \
target="local-$target"; \
fi; \
(cd $i && make $target) || exit 1; \
fi; \
done; \
if test "$otarget" = "all" && test -z 'libmod_ssl.la'; then \
made_local=yes; \
fi; \
if test "$made_local" != "yes"; then \
make "local-$otarget" || exit 1; \
fi
make: Fatal error: Command failed for target `all-recursive'
Current working directory /tmp/httpd-2.2.3/modules/ssl
*** Error code 1
The following command caused the error:
otarget=`echo all-recursive|sed s/-recursive//`; \
list=' aaa filters loggers metadata proxy ssl http generators mappers'; \
for i in $list; do \
if test -d "$i"; then \
target="$otarget"; \
echo "Making $target in $i"; \
if test "$i" = "."; then \
made_local=yes; \
target="local-$target"; \
fi; \
(cd $i && make $target) || exit 1; \
fi; \
done; \
if test "$otarget" = "all" && test -z ''; then \
made_local=yes; \
fi; \
if test "$made_local" != "yes"; then \
make "local-$otarget" || exit 1; \
fi
make: Fatal error: Command failed for target `all-recursive'
Current working directory /tmp/httpd-2.2.3/modules
*** Error code 1
The following command caused the error:
otarget=`echo all-recursive|sed s/-recursive//`; \
list=' srclib os server modules support'; \
for i in $list; do \
if test -d "$i"; then \
target="$otarget"; \
echo "Making $target in $i"; \
if test "$i" = "."; then \
made_local=yes; \
target="local-$target"; \
fi; \
(cd $i && make $target) || exit 1; \
fi; \
done; \
if test "$otarget" = "all" && test -z 'httpd '; then \
made_local=yes; \
fi; \
if test "$made_local" != "yes"; then \
make "local-$otarget" || exit 1; \
fi
make: Fatal error: Command failed for target `all-recursive'
Any help appreciated

I'm experiencing the same problem with the current DirecTV remote not being able to learn more than the first button prompted to enter (arrow-down). The error message "appletv has already learned this button" appears when attempting to enter the second button prompted (arrow-up). Furthermore, I have attempted configuration on two separate DirecTV HR21 remotes in both AV1 and AV2 modes.
Come on Apple -- don't tease us! Testing wasn't done to make sure AppleTV can learn to respond to a current DirecTV remote? Yikes. I wonder what 3rd-party remotes were tested and confirmed to work.

%CRYPTO-4-RECVD_PKT_MAC_ERR Error

Similar Messages

Maybe you are looking for