CWA/ISE/WLC - client timeout when redirected to portal.

Similar Messages

• CWA over wireless, timeout when redirecting to ISE guestporal

  I configurated CWA following this guide https://supportforums.cisco.com/docs/DOC-26442
  And I apply a redirect-acl to allow traffic between endpoint and ise with dns allowed too.
  I use a static vlan on interface. And there is no vlan change after auth.
  Now endpoint can be redirected to ise node url, but visit timed out.
  Clients > Detail shows redirect-acl and redirect-url.
  Anyone here have some ideas?

  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
  Kindly find the steps on the page no. 821

• Error when redirecting the portal logoff page

  Hello,
  we have a problem in redirecting the portal logoff page.
  Our production system is a cluster environment -windows 2003.
  we have developed customizing page for portal logoff.
  when the cluster is in Node A the functionality of the logoff page is working fine and it is redirecting to the customized page.
  But when we shift it to Node B and logoff the portal it is not showing the customized page.
  We have referred the following note also:696294.
  We have added the portal logoff page is IIS services also.
  But when we shift the server from NodeA-NodeB the functionality of the redirecting is not happening and it gives a message
  you are not authorized.
  I appreciate any one response.
  Regards,
  Krishna.

  Hi sridhar,
  Thanks for your reply.
  What my error is "iam getting the logoff page redirected when the cluster resources are in Node1 but iam not getting the same logoff page when the cluster is nodeB"
  Ie we have developed a customising logoff page and set the page.When the services are in Node A the fucntionality is working fine.But when the resources move to NodeB iam not getting the customized logoff page".It says no authentication.
  Aprreciate your further help.
  Regards,

• [WLC - CWA] [ISE] Wlan Portal with Local Switiching

  Description: Guest Portal ISE (WLAN) in a Flexconnect local switching enviorment.
  Problem: The communication stops everytime we turn on the feature Radius NAC on the WLC.
  We are trying to use Central WebAuth in a Flexconnect environment and with so the procedure that we are using it´s the one that´s available in the cisco DOCS ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ) but there´s something occuring in my setup. I´ve configured step by step the WLC and ISE in accordance with previous DOC but I can´t establish communication everytime I turn on the feature RADIUS NAC in the WLC.
  All the ACL´s were configured, I can see the ISE policy beeing sent to the client but when the PC tries to establish the connection to him nothing leaves the PC ( a simple ping was done ). I´ve tried a bunch of setups to see if it was a misconfiguration or something else but at the end , everytime I trun on the NAC feature the final client looses all the comms to anywere.
  You can see in the following attachment the setup of WLC, and AP with flexconnect groups (I´ve also tried without a group but the final result was the same)
  We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can foun is a simple note stating,
  "Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
  In the Flexconnect Feature Matrix the RADIUS NAC is supported in a local switching enviorment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html) but what  we´ve found out so far it´s  the other way around.
  Another thing that we´ve found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) cisco says that the "FlexConnect local switching is not supported."
  So, after seeing several docs my question is: Does Cisco support Radius NAC in a local switching environment ?

  Viten,
  tnx for the quick reply but,
  a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html) ?
  b) When I say comms stop is that I´m simple using ping as a test to see what happens in the client.Whenever I activate the radius feature the final client (laptop) ceases all comms in a local switching environment.
  BR,
  DS

• Https redirection issue for Wireless Guest CWA - ISE 1.3

  Our Setup is
  ISE 1.3 (Patch level 2) running on ACS 1121
  2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
  Configured SSID Guest for Centralized web authentication with ISE.
  We have issues in web redirection with chrome . It is not redirecting to the ISE page but rather showing " Page cannot be displayed".
  By default chrome is pointing to https. For example if we type https://google.com it is not redirecting to ISE page. But when I specify the same as http://google.com it works.
  There is no issue with IE, Firefox as it is redirecting to ISE page with default https and i can see it is hitting our rule.
  Please advice.

  Hi Neno
  They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
  So basically none of the https page is not loading. If we manually browse some https site from Firefox, IE the result is same showing " page cannot be displayed".
  Redirection to https is the problem which i have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

• Hi, I am using HP11 and iPlanet web server. When trying to upload files over HTTP using FORM ENCTYPE="multipart/form-data" that are bigger than a few Kilobytes i get a 408 error. (client timeout).

  Hi, I am using HP11 and iPlanet web server. When trying to upload files over HTTP using FORM ENCTYPE="multipart/form-data" that are bigger than a few Kilobytes i get a 408 error. (client timeout). It is as if the server has decided that the client has timed out during the file upload. The default setting is 30 seconds for AcceptTimeout in the magnus.conf file. This should be ample to get the file across, even increasing this to 2 minutes just produces the same error after 2 minutes. Any help appreciated. Apologies if this is not the correct forum for this, I couldn't see one for iPlanet and Web, many thanks, Kieran.

  Hi,
  You didnt mention which version of IWS. follow these steps.
  (1)Goto Web Server Administration Server, select the server you want to manage.
  (2)Select Preference >> Perfomance Tuning.
  (3)set HTTP Persistent Connection Timeout to your choice (eg 180 sec for three minutes)
  (4) Apply changes and restart the server.
  *Setting the timeout to a lower value, however, may    prevent the transfer of large files as timeout does not refer to the time that the connection has been idle. For example, if you are using a 2400 baud modem, and the request timeout is set to 180 seconds, then the maximum file size that can be transferred before   the connection is closed is 432000 bits (2400 multiplied by 180)
  Regards
  T.Raghulan
  [email protected]

• ISE, WLC: web auth, blocking user account

  Hello!
  We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
  On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
  Credentials are created at the ISE sponsor portal.
  We create user account in ISE sponsor portal with one hour lease.
  In 10 minutes we delete (or block)  user credentials.
  In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
  This happens because WLC thinks, that client is still associated.
  There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
  From my point of you, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible .
  In practice, ISE doesn't tell wlc or user, that client sesssion is blocked.
  How the user account blocking process can be automated without manually deleting the client session from WLC client database?

  It seems that there is some bug about CoA when deleting Guest accounts
  CSCuc82135
  Guests need to be removed from the network on Suspend/Delete/Expiration
  When a guest user is deleted from the system, the RADIUS sessions   associated with that guest user still exists.
  Workaround   Reissue the Change of Authorization using the   session information from Monitoring reports for the sessions associated with   that guest user.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
  from BUG Toolkit there is Release-Pending in "Fixed-in" option.

• ISE, WLC Device Profiling

  Hi, I hope someone can provide some advice/assistance. I am currently trialling ISE 1.1.1 on VM with a Cisco 5500 WLC 7.2.110.0. I have configured this setup so clients authenticate to the WLC via 802.1x and use the ISE as a AAA Server. I have setup this configuration so VLAN ID's can be pushed to clients based on their login credentials(from AD), this all works fine. I'd like to take this on a step further and differentiate users and their devices based on their device type, iPhone, iPad etc. I have enabled DHCP profiling on the WLC. I only seem to be able to identify a device based on their DHCP hostname, should it contain iPhone etc, is there another way I can get more information from the clients or their initial 802.1x communication? I want to use 802.1x as given the nature of the users connecting the VLAN push based on credentials is key to my possible deployment.
  My second query is relating to VLAN pushing on a Flex Auth AP. I've got a remote site with some AP's, it is over a L3 connection. I have my WAP at this site registered to the WLC. Over my sites I have standard VLAN numbers and IP address ranges, site 1 is x.1.a.x, x.1.b.x etc, site 2 is x.2.a.x, x.2.b.x etc. What I would ideally like to do is push VLAN's to the Flex Auth WAP's so that users in site 2 get a site 2 IP address and can use local switching for printing and other local activities. Is this supported? I know it wasn't in H-REAP when I trialled ISE/WLC 4400 last year. I tried to configure this and it looks like users always get IP addresses from site 1.
  Thanks for any advice/assistance.
  Kenny.

  Kenny,
  For the first part of your question there is no more information you can get outside of the dhcp hostname (which will get you the info you are looking for) and the mac address (which only gets you to the Apple Device policy). If you do not want to perform any redirection, then your best bet is to use a span to span all the traffic over to the ISE node in order to span the http traffic in order to profile the devices using the http user agent string.
  As far as your 2nd question- the flex auth aps do not support COA and arent a "supported network access device" from Cisco's webpage.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038
  However the APs do support dynamic vlan assignment. So once an endpoint connects to these APs you can set them on the vlan once, however if you are performing posturing and need coa to place them in another rule once a decision has been made then this is where the deployment will break.
  http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
  thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE & WLC

  Quick question:
  If I deploy ISE+WLC and wlc is in HREAP / Flexconnect mode, the Access-Lists do not work, how am I supposed to posture clients at remote locations?
  [cuz I was gonna put an ACL to block everything but dns/etc untill they get pastured)
  Can I change VLAN as per user/device once they hit the AP? I am always talking about remote locations?

  Tarik,
  First thanks for your prompt reply, I haven't deployed it yet but here is what I my plans are:
  Software Version                 7.0.220.0, ISE 1.1.1, AP 3500, with local switching (it's called flexconnect now, HREAP legacy whatever)
  No DACL, Redirect ACLs defined in the controller and in ISE I plan to use AIRSPACE ACL attribute (I've labbed this - but not in flexconnect) ---> This is all for pasturing.
  If there is any other way of doing this (having clients denied any access and redirected to posture url) would be great.
  Here is a cisco HREAP/FlexConnect Limitation.
  Other H REAP Limitations
  If you have configured a locally switched WLAN, then Access Control  Lists (ACLs) do not work and are not supported. On a centrally switched  WLAN, ACLs are supported.
  Now, CoA is also a concern - if I have an AP<====TRUNK====>SWITCH----vlan/2/3/4, I want to be able to swap clients to different VLAN based on their user/device they are connecting, I am not sure if this will work on HREAP/Flexconnect mode and there is a slight change on the wording in the authorization policiy attribute in ISE 1.1.x, before it used to be just the vlan u want to set the clients to, now it has TAG ID which i am not sure what it is.
  Thanks for your help, I hope my question is clear.

• Timeout when calling long running Oracle Apps Adapter API calls

  When making a Oracle Apps Based adapter from ESB, Transactions are getting timedout for running calls (~ > 5 mins)
  1) Created a Oracle Apps Adapter to execute a API call that returns, in our case, customer data.
  2) Created a BPEL Which invokes this API based Adapter via. a partner link.
  3) Following errors for calls which take ~ >5, transaction is timeout, when invoked from BPEL/ESB/SOAP UI Client.
  From domain.log
  ==========
  <2009-04-21 18:54:25,718> <DEBUG> <yeruvp.collaxa.cube.ws> <WSIFInvocationHandler::invoke> invoke failed
  org.collaxa.thirdparty.apache.wsif.WSIFException: exception during SOAP invoke: Timed out; nested exception is:
       javax.xml.rpc.soap.SOAPFaultException: Timed out
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.populateFaultMessage(WSIFOperation_JaxRpc.java:3086)
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeOperation(WSIFOperation_JaxRpc.java:1728)
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeRequestResponseOperation(WSIFOperation_JaxRpc.java:1473)
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.executeRequestResponseOperation(WSIFOperation_JaxRpc.java:1196)
       at com.collaxa.cube.ws.WSIFInvocationHandler.invoke(WSIFInvocationHandler.java:476)
       at com.collaxa.cube.ws.WSInvocationManager.invoke2(WSInvocationManager.java:436)
       at com.collaxa.cube.ws.WSInvocationManager.invoke(WSInvocationManager.java:251)
       at com.collaxa.cube.engine.ext.wmp.BPELInvokeWMP.__invoke(BPELInvokeWMP.java:790)
       at com.collaxa.cube.engine.ext.wmp.BPELInvokeWMP.__executeStatements(BPELInvokeWMP.java:395)
       at com.collaxa.cube.engine.ext.wmp.BPELActivityWMP.perform(BPELActivityWMP.java:195)
       at com.collaxa.cube.engine.CubeEngine.performActivity(CubeEngine.java:3715)
       at com.collaxa.cube.engine.CubeEngine.handleWorkItem(CubeEngine.java:1655)
       at com.collaxa.cube.engine.dispatch.message.instance.PerformMessageHandler.handleLocal(PerformMessageHandler.java:75)
       at com.collaxa.cube.engine.dispatch.DispatchHelper.handleLocalMessage(DispatchHelper.java:220)
       at com.collaxa.cube.engine.dispatch.DispatchHelper.sendMemory(DispatchHelper.java:317)
       at com.collaxa.cube.engine.CubeEngine.endRequest(CubeEngine.java:5710)
       at com.collaxa.cube.engine.CubeEngine.createAndInvoke(CubeEngine.java:1085)
       at com.collaxa.cube.engine.ejb.impl.CubeEngineBean.createAndInvoke(CubeEngineBean.java:132)
       at com.collaxa.cube.engine.ejb.impl.CubeEngineBean.syncCreateAndInvoke(CubeEngineBean.java:161)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.JAASInterceptor$1.run(JAASInterceptor.java:31)
       at com.evermind.server.ThreadState.runAs(ThreadState.java:646)
       at com.evermind.server.ejb.interceptor.system.JAASInterceptor.invoke(JAASInterceptor.java:34)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.TxRequiresNewInterceptor.invoke(TxRequiresNewInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
       at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
       at CubeEngineBean_LocalProxy_4bin6i8.syncCreateAndInvoke(Unknown Source)
       at com.collaxa.cube.engine.delivery.DeliveryHandler.initialRequestAnyType(DeliveryHandler.java:515)
       at com.collaxa.cube.engine.delivery.DeliveryHandler.initialRequest(DeliveryHandler.java:457)
       at com.collaxa.cube.engine.delivery.DeliveryHandler.request(DeliveryHandler.java:131)
       at com.collaxa.cube.ejb.impl.DeliveryBean.request(DeliveryBean.java:95)
       at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.JAASInterceptor$1.run(JAASInterceptor.java:31)
       at com.evermind.server.ThreadState.runAs(ThreadState.java:646)
       at com.evermind.server.ejb.interceptor.system.JAASInterceptor.invoke(JAASInterceptor.java:34)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.TxRequiredInterceptor.invoke(TxRequiredInterceptor.java:50)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
       at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
       at DeliveryBean_RemoteProxy_4bin6i8.request(Unknown Source)
       at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processNormalOperation(SOAPRequestProvider.java:451)
       at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processBPELMessage(SOAPRequestProvider.java:274)
       at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processMessage(SOAPRequestProvider.java:120)
       at oracle.j2ee.ws.server.provider.ProviderProcessor.doEndpointProcessing(ProviderProcessor.java:956)
       at oracle.j2ee.ws.server.WebServiceProcessor.invokeEndpointImplementation(WebServiceProcessor.java:349)
       at oracle.j2ee.ws.server.provider.ProviderProcessor.doRequestProcessing(ProviderProcessor.java:466)
       at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:114)
       at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:96)
       at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:177)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
       at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
       at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
       at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
       at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:623)
       at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
       at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
       at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
       at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
       at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
       at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.xml.rpc.soap.SOAPFaultException: Timed out
       at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
       at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
       at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
       at oracle.j2ee.ws.client.dii.CallInvokerImpl.directInvoke(CallInvokerImpl.java:726)
       at oracle.j2ee.ws.client.dii.BasicCall.directInvoke(BasicCall.java:743)
       at oracle.j2ee.ws.client.dii.BasicCall.invoke(BasicCall.java:649)
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeOperation(WSIFOperation_JaxRpc.java:1714)
       ... 83 more
  <2009-04-21 18:54:25,721> <ERROR> <yeruvp.collaxa.cube.ws> <WSIFInvocationHandler::invoke> Fault happened: exception during SOAP invoke: Timed out; nested exception is:
       javax.xml.rpc.soap.SOAPFaultException: Timed out
  <2009-04-21 18:54:25,752> <DEBUG> <yeruvp.collaxa.cube.engine> AJPRequestHandler-RMICallHandler-61, a4 <invoke> partner OrgCustAdapter_pl, wikey:7990001-BpInv0-BpSeq0.3-3, bpel code line:84, Connection info:oracle_jdbc_driver_T4CConnection_Proxy@17f3851, connection hashCode:25114705, autocommit:false, Transaction info:[Transaction : orabpel : Xid( Global Id 1b.16.00.7d.00.00.00.00.2f.d3.6d.ca.20.01.00.00.17.41.03.00.00.00.00.00, Format Id 1330790740)], jtaTxState:1, CubeInstance:7990001, Process name:testCustomer_BPEL
  Now looking to troubleshoot this Timed out issue.
  i, Does this need to increase any configuration file timeout parameter on EBS Adapter or other component ?
  Any suggessions to fix/towards resolution is appricated.
  Thanks,
  sgaraga

  After increasing sync-time-out and global transaction time out to 1800. Issue is still reported.
  We are not using the jdbc pool.
  Still not sure what we are missing here and running into this:
  WSIFInvocationHandler::invoke> invoke failed
  org.collaxa.thirdparty.apache.wsif.WSIFException: exception during SOAP invoke: Timed out; nested
  exception is:
  javax.xml.rpc.soap.SOAPFaultException: Timed out
  In addition:
  ========
  Tested calling this PL/SQL API (exactly the same API CALLED in BPEL) in TOAD and this ran for 20 mts in DB.
  With the changes(sync-time-out,global transaction time,hpptd.conf, and transaction-manager.xml ) in SOA configuration then we are getting the exception ..
  So, we need help with SOA configuration to get the BPEL service working when the API called within BPEL service is taking approximately 20 mts.
  Edited by: sgaraga on Apr 22, 2009 4:29 PM

• Timeout when calling Oracle Apps Adapter API calls.

  1) Create a Oracle Apps Adapter to execute a API call that returns, in our case, customer data.
  2) Create a BPEL Which invokes this API based Adapter via. a partner link.
  Observations:
  A) Posts the following errors for calls which take ~ >5, transaction is timeout, when invoked from BPEL/ESB/SOAP UI Client.
  <2009-04-21 18:54:25,718> <DEBUG> <yeruvp.collaxa.cube.ws> <WSIFInvocationHandler::invoke> invoke failed
  org.collaxa.thirdparty.apache.wsif.WSIFException: exception during SOAP invoke: Timed out; nested exception is:
       javax.xml.rpc.soap.SOAPFaultException: Timed out
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.populateFaultMessage(WSIFOperation_JaxRpc.java:3086)
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeOperation(WSIFOperation_JaxRpc.java:1728)
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeRequestResponseOperation(WSIFOperation_JaxRpc.java:1473)
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.executeRequestResponseOperation(WSIFOperation_JaxRpc.java:1196)
       at com.collaxa.cube.ws.WSIFInvocationHandler.invoke(WSIFInvocationHandler.java:476)
       at com.collaxa.cube.ws.WSInvocationManager.invoke2(WSInvocationManager.java:436)
       at com.collaxa.cube.ws.WSInvocationManager.invoke(WSInvocationManager.java:251)
       at com.collaxa.cube.engine.ext.wmp.BPELInvokeWMP.__invoke(BPELInvokeWMP.java:790)
       at com.collaxa.cube.engine.ext.wmp.BPELInvokeWMP.__executeStatements(BPELInvokeWMP.java:395)
       at com.collaxa.cube.engine.ext.wmp.BPELActivityWMP.perform(BPELActivityWMP.java:195)
       at com.collaxa.cube.engine.CubeEngine.performActivity(CubeEngine.java:3715)
       at com.collaxa.cube.engine.CubeEngine.handleWorkItem(CubeEngine.java:1655)
       at com.collaxa.cube.engine.dispatch.message.instance.PerformMessageHandler.handleLocal(PerformMessageHandler.java:75)
       at com.collaxa.cube.engine.dispatch.DispatchHelper.handleLocalMessage(DispatchHelper.java:220)
       at com.collaxa.cube.engine.dispatch.DispatchHelper.sendMemory(DispatchHelper.java:317)
       at com.collaxa.cube.engine.CubeEngine.endRequest(CubeEngine.java:5710)
       at com.collaxa.cube.engine.CubeEngine.createAndInvoke(CubeEngine.java:1085)
       at com.collaxa.cube.engine.ejb.impl.CubeEngineBean.createAndInvoke(CubeEngineBean.java:132)
       at com.collaxa.cube.engine.ejb.impl.CubeEngineBean.syncCreateAndInvoke(CubeEngineBean.java:161)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.JAASInterceptor$1.run(JAASInterceptor.java:31)
       at com.evermind.server.ThreadState.runAs(ThreadState.java:646)
       at com.evermind.server.ejb.interceptor.system.JAASInterceptor.invoke(JAASInterceptor.java:34)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.TxRequiresNewInterceptor.invoke(TxRequiresNewInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
       at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
       at CubeEngineBean_LocalProxy_4bin6i8.syncCreateAndInvoke(Unknown Source)
       at com.collaxa.cube.engine.delivery.DeliveryHandler.initialRequestAnyType(DeliveryHandler.java:515)
       at com.collaxa.cube.engine.delivery.DeliveryHandler.initialRequest(DeliveryHandler.java:457)
       at com.collaxa.cube.engine.delivery.DeliveryHandler.request(DeliveryHandler.java:131)
       at com.collaxa.cube.ejb.impl.DeliveryBean.request(DeliveryBean.java:95)
       at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.JAASInterceptor$1.run(JAASInterceptor.java:31)
       at com.evermind.server.ThreadState.runAs(ThreadState.java:646)
       at com.evermind.server.ejb.interceptor.system.JAASInterceptor.invoke(JAASInterceptor.java:34)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.TxRequiredInterceptor.invoke(TxRequiredInterceptor.java:50)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
       at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:119)
       at com.evermind.server.ejb.InvocationContextPool.invoke(InvocationContextPool.java:55)
       at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:87)
       at DeliveryBean_RemoteProxy_4bin6i8.request(Unknown Source)
       at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processNormalOperation(SOAPRequestProvider.java:451)
       at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processBPELMessage(SOAPRequestProvider.java:274)
       at com.collaxa.cube.ws.soap.oc4j.SOAPRequestProvider.processMessage(SOAPRequestProvider.java:120)
       at oracle.j2ee.ws.server.provider.ProviderProcessor.doEndpointProcessing(ProviderProcessor.java:956)
       at oracle.j2ee.ws.server.WebServiceProcessor.invokeEndpointImplementation(WebServiceProcessor.java:349)
       at oracle.j2ee.ws.server.provider.ProviderProcessor.doRequestProcessing(ProviderProcessor.java:466)
       at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:114)
       at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:96)
       at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:177)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
       at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
       at oracle.security.jazn.oc4j.JAZNFilter$1.run(JAZNFilter.java:396)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
       at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:410)
       at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:623)
       at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
       at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
       at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
       at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
       at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
       at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
       at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.xml.rpc.soap.SOAPFaultException: Timed out
       at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:568)
       at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
       at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
       at oracle.j2ee.ws.client.dii.CallInvokerImpl.directInvoke(CallInvokerImpl.java:726)
       at oracle.j2ee.ws.client.dii.BasicCall.directInvoke(BasicCall.java:743)
       at oracle.j2ee.ws.client.dii.BasicCall.invoke(BasicCall.java:649)
       at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeOperation(WSIFOperation_JaxRpc.java:1714)
       ... 83 more
  <2009-04-21 18:54:25,721> <ERROR> <yeruvp.collaxa.cube.ws> <WSIFInvocationHandler::invoke> Fault happened: exception during SOAP invoke: Timed out; nested exception is:
       javax.xml.rpc.soap.SOAPFaultException: Timed out
  <2009-04-21 18:54:25,752> <DEBUG> <yeruvp.collaxa.cube.engine> AJPRequestHandler-RMICallHandler-61, a4 <invoke> partner OrgCustAdapter_pl, wikey:7990001-BpInv0-BpSeq0.3-3, bpel code line:84, Connection info:oracle_jdbc_driver_T4CConnection_Proxy@17f3851, connection hashCode:25114705, autocommit:false, Transaction info:[Transaction : orabpel : Xid( Global Id 1b.16.00.7d.00.00.00.00.2f.d3.6d.ca.20.01.00.00.17.41.03.00.00.00.00.00, Format Id 1330790740)], jtaTxState:1, CubeInstance:7990001, Process name:testCustomer_BPEL
  Now i am looking to troubleshoot this Timed out issue.
  i, Does this need to increase any configuration file timeout parameter on EBS Adapter or other component ?
  Any suggestions to fix/towards resolution is appreciated.
  Thanks,
  sgaraga

  After increasing sync-time-out and global transaction time out to 1800. Issue is still reported.
  We are not using the jdbc pool.
  Still not sure what we are missing here and running into this:
  WSIFInvocationHandler::invoke> invoke failed
  org.collaxa.thirdparty.apache.wsif.WSIFException: exception during SOAP invoke: Timed out; nested
  exception is:
  javax.xml.rpc.soap.SOAPFaultException: Timed out
  In addition:
  ========
  Tested calling this PL/SQL API (exactly the same API CALLED in BPEL) in TOAD and this ran for 20 mts in DB.
  With the changes(sync-time-out,global transaction time,hpptd.conf, and transaction-manager.xml ) in SOA configuration then we are getting the exception ..
  So, we need help with SOA configuration to get the BPEL service working when the API called within BPEL service is taking approximately 20 mts.
  Edited by: sgaraga on Apr 22, 2009 4:29 PM

• Unable to use HTTPS proxy when redirecting HTTP/HTTPS via NAT

  I'm trying to get the WSA to work when redirecting HTTP and HTTPS traffic along the lines of the following:
  object network WSA-HOST
        host 10.0.210.2
  object network obj-10.0.1.0 subnet 10.0.1.0 255.255.255.0
  object service ORIG-HTTP-PORT
        service tcp destination eq www
  object service WSA-HTTP-DEST-PORT
        service tcp destination eq 8080
  object service ORIG-HTTPS-PORT
        service tcp destination eq https
  object service WSA-HTTPS-DEST-PORT
        service tcp destination eq https  << also tried 8080 etc.
  nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-HOST service ORIG-HTTP-PORT WSA-HTTP-DEST-PORT
  nat (inside,outside) source dynamic obj-10.0.1.0 interface destination static obj_any WSA-PROXY-HOST service ORIG-HTTPS-PORT WSA-HTTPS-DEST-PORT
  This works just fine for HTTP, but with HTTPS I get the following response from the Ironport WSA:
  Based on your corporate access policies, access to this web site ( https://www.rbsdigital.com/ ) has been blocked.
  Notification codes:  (1, POLICY, UNKNOWN, 0x00000082, 1329750248.609, QAAAAAAAAAAAAAAAyf8AAP8AAAD/AAAAAAAAAAAAAAE=,
  https://www.rbsdigital.com/)
  The access log gives me the following:
  1329750248.602 404 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
  1329750248.609 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
  If anyone has any idea why the WSA simply denies the connection instead of proxying it then I'd be grateful.
  The WSA and the decryption policies work fine in explisit mode.
  Thanks in advance!

  The policy doesn't require authentication. Now here are two tests I did, seconds apart, from the same client on 10.0.4.140:
  First one is where I use NAT as shown above:
  1329757052.027 118 10.0.4.140 NONE_SSL/200 0 TCP_CONNECT 10.0.210.2:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
  1329757052.311 0 10.0.4.140 TCP_DENIED_SSL/403 1840 GET https://www.rbsdigital.com:443/ - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,[Local],"-","-"> -
  Second test case is when I reconfigured the browser to explisitely use the WSA as a proxy on port 8080:
  1329757138.274 344 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
  1329757138.566 200 10.0.4.140 TCP_CLIENT_REFRESH_MISS_SSL/200 39 CONNECT tunnel://www.rbsdigital.com:443/ - DIRECT/www.rbsdigital.com - DECRYPT_WBRS_7-DefaultGroup-UK_Office-NONE-NONE-NONE-DefaultGroup -
  Non-categorised stuff should be passed through:
  Global Policy
  Identity: All
  Pass Through: 1
  Monitor: 65
  Disabled
  Pass Through
  Any thoughts ?

• Wireless Anchor SSID for CWA ISE 1.3

  Hello Team,
  Trying to follow this guide: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
  We are trying to enable for a guest access with an anchored WLC.
  However when we create the SSID with mac filtering, the local WLC is putting the mac address of the client in to the excluded clients list, instead of passing on the auth to the foreign DMZ WLC anchor.
  I have created the SSID with correct anchors.
  Any Ideas? Maybe this option doesn't actually work with anchor?

  "However when we create the SSID with mac filtering, the local WLC is putting the mac address of the client in to the excluded clients list, instead of passing on the auth to the foreign DMZ WLC anchor."
  In the anchoring scenario, the AAA authentication comes from the Foreign not the Anchor as it is layer 2 authentication.
  Make sure your Local WLC is able to authenticate the user.
  Steve

• Phonefactor with RRAS(Windows Server 2003) - VPN client timeout after 20 seconds -- too fast!

  [Note that I have previously posted this question on Experts Exchange... but have not found a solution yet].
  We are a small business and would like to switch to two-factor authentication for VPN connections. We spent nearly a year helping Barracuda debug their small business VPN appliance and finally they took their boxes back and gave us back our money - they
  just couldn't get file sharing to work consistently with some new firmware they had to install due to a patent case.
  So... now we are trying Phonefactor.
  Our VPN setup is RRAS on a Windows Server 2003 domain controller.
  We have installed Phonefactor, enabled it as a Radius server, and configured RRAS to point to Phonefactor for Radius authentication. We configured phonefactor to send text messages for authentication, as we figured that would be less disruptive than a phone
  call.
  It all works except... the timeout for VPN clients is only 20 seconds! By the time we receive the text message on a cell phone, sometimes there is only 5 or 6 seconds to get the six digit code typed into a reply on the cell phone... and unless we are really
  nimble, that is frequently not enough time!
  When the VPN client times out, it gives an Error 718 "The connection was terminated because the remote computer did not respond in a timely manner."
  How can we increase the timeout on the VPN clients, so we can more reliably enter the authentication code in a reply back to phonefactor?
  Things we have tried:
  1) Connecting (PPTP) from different Windows clients to see if we get different timeout limits. So far we have tried several Windows 7 boxes and a Windows Server 2003 as the client, but in all cases the timeout is 20 seconds.
  2) On the windows clients: Searching through the PPTP client settings to see if there is one labeled "connection timeout". So far we have found nothing.
  3) On the windows 2003 server: Modifying the RRAS Radius Server time-out to be 30 seconds, 60 seconds, 300 seconds. We've tried restarting RRAS after these changes, but the client connection timeout is still 20 seconds.
  4) In the phonefactor configuration: Searching through the radius server settings to see if there is one labeled "connection timeout". So far we have found nothing.
  5) Using NTRadPing to connect directly to the phonefactor radius server. With NTRadPing we were able to wait more than 60 seconds without a timeout from phonefactor. So we don't *think* at this point that the issue is within phonefactor.
  6) We have asked phonefactor support, but their response is "hmmm... good question, we don't know, that sounds like a problem with your vpn client". And they could well be correct.
  7) Search the web for how to increase either the stock windows VPN client timeout, or the RRAS radius authentication timeout. No luck so far.
  8) Try this registry hack:
  http://windowsitpro.com/networking/solving-ras-718-error. Didn't help.
  Any ideas?
  thanks!

  Hi fdc2005,
  Thanks for the post.
  However, generally, we first type User Name, Password, then click connect to establish the VPN connection. Such as:
  Therefore, I have a little confusion about the timeout you mentioned. Would you please provide us more details.
  Regarding error 718, please check if the following could help:
  If you have a third-party VPN server which does not support MS-CHAPv2 as an authentication method and supports only MS-CHAPv1, you will need to use either CHAP or PAP to connect from the Windows Vista VPN client until the server you use starts supporting MS-CHAPv2.
  Steps to follow for resolution:
  (1) Check if the Routing and Remote Access Server (RRAS) is configured to allow connections with MS-CHAPv2
  (2) Check if the RADIUS server policy supports MSCHAPv2 (This step is needed if you control access to clients using Remote Access Policies on the IAS/NPS server)
  Quote from:
  Troubleshooting Vista VPN problems.
  Hope this helps.
  Jeremy Wu
  TechNet Community Support

• Servlet/JSP client timeout handling

  Hi,
  Is it possible to detect a client timeout in a servlet / jsp ?
  Example,
  I go to a page that is displayed by a servlet. I put Thread.sleep in the servlet to simulate the request processing time.
  Assuming now I close the browser (or any other client) and the servlet tries to write the response, will it throw any exceptions ?
  What can I do to check the client status before trying to write the response back ?
  Thanks
  Mandar

  Hi,
  The servlet did not throw any exception when I tried to write the response back after sleep.
  Code is as shown below
  try{
  Thread.sleep(60000);
  catch (InterruptedException ie){
  logger.error("Someone interrupted my sleep",ie);
  logger.info("End sleep for 1 minute");
  try{
  response.getOutputStream().write(2);
  response.flushBuffer();
  catch (IOException ioe){
  logger.error("IOException occured",ioe);
  throw ioe;
  }