DAP rule for IPSec clients

I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannot connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.

Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days)), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with the IPSec client, we have to use endpoint assessment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.
Thanks
Brian

Similar Messages

  • WRT110: I want to create an access rule for one client for one application during one time period

    I have a problem with one of the clients on my LAN which is running uTorrent to detriment of everyone else. It saturates the pipe. I have been unable to prod this user into bothering to tweak their settings to throttle bandwidth back and so have resorted to an access rule on the router which kicks that MAC address off during a particular time period during the day. But as irritated as I am about this slacker sense of outrageous entitlement, kicking them off entirely seems a tad heavy handed even for me.
    So, in the router I can create a rule per MAC address and specify a time. But is it possible to limit this to denying uTorrent ONLY? And if so, what port or port ranges would I use?
    Alternatively I already use a QoS setting for one of my VoIP TA's. Would I gain anything by degrading the application indirectly by creating a QoS = LOW for that port range? Again, I don't really care about any other application, just uTorrent and just that client. How much degradation is there really in setting QoS to LOW?

    Well, it won't make much difference when you enable the QoS service on your router. Yes, it is possible to deny the uTorrent application from your router. When you are under the "Application and Gaming" tab, under "Blocked Application" you will find "Application Name", "Port Range" and "Protocol", so you need to input under Application Name "uTorrent" and under port range you need to input the port number which the uTorrent application uses, then under protocol select "Both" and click on ADD. Then again in Application you will find uTorrent; select it and click on the (>>) right arrow so it will block that application on your router. By doing this it will block uTorrent from your router.

  • Firewall rule for Novell Client

    My company recently purchased McAfee Desktop Firewall and I'm trying to
    configure the rules prior to deployment but I'm having trouble getting
    the Novell Client to cooperate. I've tried having the firewall "learn"
    the client, addresses, ports, protocols, etc. but have had no luck.
    My company is running a mix of Win2k/XP computers as well as Win95/98
    computers so any assistance in creating a firewall rule to allow the
    clients to log in is greatly appreciated.
    Thanks!
    Ash

    Excellent, thanks!!
    > For NetWare connectivity over IP, you need ports TCP,UDP 524 and 427
    > which are NCP over IP and SLP.
    >
    >
    > --
    > Edison Ortiz
    > Novell Product Support Forum SysOp
    > (No Email Support, Thanks !)

  • DAP default policy only for AnyConnect clients

    Hello
    Is it possible to apply DAP DfltAccessPolicy only for AnyConnect clients ?

    Did you ever get an answer to this question?
    It seems you should be able to set up two different client profiles. Under Authentication, ssl-client would specify "Both" and the sslclientless would specify AAA. You would likely have to duplicate much of the other work but the requirement would be satisfied.

  • Awesome window manager client rule for "GtkFileChooserDialog"

    Hi,
    I've set up my current awesome wm so that the web browser (chromium) always opens on tag 2 of screen 1.
    When I have an external screen however, I sometimes like to move the web browser to the external screen.
    The problem with my setup is that when I want to e.g. download something, the file chooser dialog opens (of course)
    on tag 2 of screen 1, instead of the current tag and screen of the main window of my web browser.
    Is there a way to set a rule for clients that are dialog windows to appear floating on the same tag and screen
    as the window that started the dialog?
    When I wanted to make a rule for this, the first problem I encountered is that the class and name of the dialog are the same as the main window.
    So I wondered if I can use other properties of windows besides name, class or instance.
    The second problem is that I do not know how to get the screen and tag of the window that opened the dialog?
    xprop of main window:
    _NET_WM_DESKTOP(CARDINAL) = 0
    _NET_WM_USER_TIME(CARDINAL) = 1953613
    WM_STATE(WM_STATE):
    window state: Normal
    icon window: 0x0
    WM_HINTS(WM_HINTS):
    Client accepts input or input focus: True
    Initial state is Normal State.
    bitmap id # to use for icon: 0x100004d
    bitmap id # of mask for icon: 0x100004e
    window id # of group leader: 0x1000001
    _GTK_HIDE_TITLEBAR_WHEN_MAXIMIZED(CARDINAL) = 1
    XdndAware(ATOM) = BITMAP
    _MOTIF_DRAG_RECEIVER_INFO(_MOTIF_DRAG_RECEIVER_INFO) = 0x6c, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0
    _NET_WM_ICON(CARDINAL) = Icon (64 x 64):
    ... (deleted icons) ...
    WM_WINDOW_ROLE(STRING) = "browser"
    _NET_WM_SYNC_REQUEST_COUNTER(CARDINAL) = 16777288
    _NET_WM_WINDOW_TYPE(ATOM) = _NET_WM_WINDOW_TYPE_NORMAL
    _NET_WM_USER_TIME_WINDOW(WINDOW): window id # 0x1000047
    WM_CLIENT_LEADER(WINDOW): window id # 0x1000001
    _NET_WM_PID(CARDINAL) = 1164
    WM_LOCALE_NAME(STRING) = "en_US.UTF-8"
    WM_CLIENT_MACHINE(STRING) = "arch"
    WM_NORMAL_HINTS(WM_SIZE_HINTS):
    program specified minimum size: 266 by 63
    window gravity: NorthWest
    WM_PROTOCOLS(ATOM): protocols WM_DELETE_WINDOW, WM_TAKE_FOCUS, _NET_WM_PING, _NET_WM_SYNC_REQUEST
    WM_CLASS(STRING) = "chromium", "Chromium"
    WM_ICON_NAME(STRING) = "Post new topic / Arch Linux Forums - Chromium"
    _NET_WM_ICON_NAME(UTF8_STRING) = "Post new topic / Arch Linux Forums - Chromium"
    WM_NAME(STRING) = "Post new topic / Arch Linux Forums - Chromium"
    _NET_WM_NAME(UTF8_STRING) = "Post new topic / Arch Linux Forums - Chromium"
    xprop of dialog:
    WM_STATE(WM_STATE):
    window state: Normal
    icon window: 0x0
    _NET_WM_STATE(ATOM) = _NET_WM_STATE_MODAL
    WM_HINTS(WM_HINTS):
    Client accepts input or input focus: True
    Initial state is Normal State.
    bitmap id # to use for icon: 0x100004d
    bitmap id # of mask for icon: 0x100004e
    window id # of group leader: 0x1000001
    XdndAware(ATOM) = BITMAP
    _MOTIF_DRAG_RECEIVER_INFO(_MOTIF_DRAG_RECEIVER_INFO) = 0x6c, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0
    _NET_WM_ICON(CARDINAL) = Icon (64 x 64):
    ... (deleted icons) ...
    WM_WINDOW_ROLE(STRING) = "GtkFileChooserDialog"
    WM_TRANSIENT_FOR(WINDOW): window id # 0x1000046
    _NET_WM_SYNC_REQUEST_COUNTER(CARDINAL) = 16796216
    _NET_WM_WINDOW_TYPE(ATOM) = _NET_WM_WINDOW_TYPE_DIALOG
    _NET_WM_USER_TIME(CARDINAL) = 1703990
    _NET_WM_USER_TIME_WINDOW(WINDOW): window id # 0x1004a37
    WM_CLIENT_LEADER(WINDOW): window id # 0x1000001
    _NET_WM_PID(CARDINAL) = 1164
    WM_LOCALE_NAME(STRING) = "en_US.UTF-8"
    WM_CLIENT_MACHINE(STRING) = "arch"
    WM_NORMAL_HINTS(WM_SIZE_HINTS):
    program specified location: 0, 0
    program specified minimum size: 545 by 294
    window gravity: NorthWest
    WM_PROTOCOLS(ATOM): protocols WM_DELETE_WINDOW, WM_TAKE_FOCUS, _NET_WM_PING, _NET_WM_SYNC_REQUEST
    WM_CLASS(STRING) = "chromium", "Chromium"
    WM_ICON_NAME(STRING) = "Save File"
    _NET_WM_ICON_NAME(UTF8_STRING) = "Save File"
    WM_NAME(STRING) = "Save File"
    _NET_WM_NAME(UTF8_STRING) = "Save File"
    So, something like:
    { rule = {window_role = "GtkFileChooserDialog"}, properties = {tag = mainwindow.tag, screen = mainwindow.screen} }
    (apologies for the limited pseudo lua-code)
    Any kind of help would be much appreciated
    grtz

    { rule = { role = "GtkFileChooserDialog" },
      properties = { floating = true, ontop = true },
      callback = function (c)
          -- center the dialog, then move it to the selected tag on the screen under the mouse
          awful.placement.centered(c, nil)
          awful.client.movetotag(tags[mouse.screen][awful.tag.getidx()], c)
      end },
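An added example, not from the thread: a fuller version of this rule that uses the client's transient_for property (what awesome exposes from the WM_TRANSIENT_FOR hint visible in the dialog's xprop output above) to put the file chooser on the screen and tags of the browser window that opened it, and only falls back to the tag under the mouse when no parent is known. It assumes the awesome 3.5 rc.lua API (awful.rules, awful.placement, awful.util.table.join) and the stock rc.lua globals tags and mouse.

```lua
-- Added example (not from the thread): keep a GTK file chooser on the same
-- screen and tag(s) as the window that opened it.  Assumes awesome 3.5 rc.lua.
local awful = require("awful")

-- Client that a dialog is transient for (from WM_TRANSIENT_FOR), or nil when
-- the window carries no such hint.
local function dialog_parent(c)
    return c.transient_for
end

awful.rules.rules = awful.util.table.join(awful.rules.rules, {
    { rule = { role = "GtkFileChooserDialog" },
      properties = { floating = true, ontop = true },
      callback = function (c)
          local parent = dialog_parent(c)
          if parent then
              -- follow the parent: set the screen first, since tags belong
              -- to a screen, then copy the parent's tag set
              c.screen = parent.screen
              c:tags(parent:tags())
          else
              -- no parent hint: fall back to the thread's original behaviour,
              -- the selected tag on the screen under the mouse
              awful.client.movetotag(tags[mouse.screen][awful.tag.getidx()], c)
          end
          -- center over the parent when there is one, else on the screen
          awful.placement.centered(c, parent)
      end },
})
```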

  • Static addressing for Cisco IPSEC client

    Hey Guys,
    Is there a way for Cisco client based users to use static addresses instead of receiving a DHCP address? This will be set up on a Cisco 2801 router. We usually just do DHCP but this customer is requesting a static address for each user.
    Thanks
    Jimmy

    A scalable solution would be to configure a RADIUS server and provide the client their IP address via the Framed-IP-Address attribute. A hack could be to have a group defined on the EasyVPN server which is associated with an IP pool that has only one address available.

  • AnyConnect error " User not authorized for AnyConnect Client access, contact your administrator"

    Hi everyone,
    it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem. The setup of the ASA is straightforward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
    Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.
    : Saved
    ASA Version 9.1(1)
    hostname ASA
    domain-name ingo.local
    enable password ... encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ... encrypted
    names
    name 10.0.1.0 LAN-10-0-1-x
    dns-guard
    ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif Internal
    security-level 100
    ip address 10.0.1.254 255.255.255.0
    interface Vlan2
    nameif External
    security-level 0
    ip address dhcp setroute
    regex BlockFacebook "facebook.com"
    banner login This is a monitored system. Unauthorized access is prohibited.
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup Internal
    dns domain-lookup External
    dns server-group DefaultDNS
    name-server 10.0.1.11
    name-server 75.153.176.1
    name-server 75.153.176.9
    domain-name ingo.local
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network LAN-10-0-1-x
    subnet 10.0.1.0 255.255.255.0
    object network Company-IP1
    host xxx.xxx.xxx.xxx
    object network Company-IP2
    host xxx.xxx.xxx.xxx
    object network HYPER-V-DUAL-IP
    range 10.0.1.1 10.0.1.2
    object network LAN-10-0-1-X
    access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive
    access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389
    access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389 
    tcp-map Normalizer
      check-retransmission
      checksum-verification
    no pager
    logging enable
    logging timestamp
    logging list Threats message 106023
    logging list Threats message 106100
    logging list Threats message 106015
    logging list Threats message 106021
    logging list Threats message 401004
    logging buffered errors
    logging trap Threats
    logging asdm debugging
    logging device-id hostname
    logging host Internal 10.0.1.11 format emblem
    logging ftp-bufferwrap
    logging ftp-server 10.0.1.11 / asa *****
    logging permit-hostdown
    mtu Internal 1500
    mtu External 1500
    ip verify reverse-path interface Internal
    ip verify reverse-path interface External
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any echo External
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (Internal,External) dynamic interface
    object network LAN-10-0-1-x
    nat (Internal,External) dynamic interface
    object network HYPER-V-DUAL-IP
    nat (Internal,External) static interface service tcp 3389 3389
    access-group 100 in interface External
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server radius protocol radius
    aaa-server radius (Internal) host 10.0.1.11
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console radius LOCAL
    http server enable
    http LAN-10-0-1-x 255.255.255.0 Internal
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map External_map interface External
    crypto ca trustpoint srv01_trustpoint
    enrollment terminal
    crl configure
    crypto ca trustpoint asa_cert_trustpoint
    keypair asa_cert_trustpoint
    crl configure
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    crl configure
    crypto ca trustpool policy
    crypto ca server
    cdp-url http://.../+CSCOCA+/asa_ca.crl:44435
    issuer-name CN=...
    database path disk0:/LOCAL_CA_SERVER/
    smtp from-address ...
    publish-crl External 44436
    crypto ca certificate chain srv01_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain asa_cert_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate <output omitted>
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable External client-services port 44455
    crypto ikev2 remote-access trustpoint asa_cert_trustpoint
    telnet timeout 5
    ssh LAN-10-0-1-x 255.255.255.0 Internal
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh timeout 5
    ssh version 2
    console timeout 0
    no vpn-addr-assign aaa
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd dns 75.153.176.9 75.153.176.1
    dhcpd domain ingo.local
    dhcpd option 3 ip 10.0.1.254
    dhcpd address 10.0.1.50-10.0.1.81 Internal
    dhcpd enable Internal
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter use-database
    dynamic-filter enable interface Internal
    dynamic-filter enable interface External
    dynamic-filter drop blacklist interface Internal
    dynamic-filter drop blacklist interface External
    ntp server 128.233.3.101 source External
    ntp server 128.233.3.100 source External prefer
    ntp server 204.152.184.72 source External
    ntp server 192.6.38.127 source External
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    ssl trust-point asa_cert_trustpoint External
    webvpn
    port 44433
    enable External
    dtls port 44433
    anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
    anyconnect profiles profile1 disk0:/profile1.xml
    anyconnect enable
    smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows
    smart-tunnel list SmartTunnelList1 putty putty.exe platform windows
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    webvpn
      anyconnect profiles value profile1 type user
    username write.ingo password ... encrypted
    username ingo password ... encrypted privilege 15
    username tom.tucker password ... encrypted
    class-map TCP
    match port tcp range 1 65535
    class-map type regex match-any BlockFacebook
    match regex BlockFacebook
    class-map type inspect http match-all BlockDomains
    match request header host regex class BlockFacebook
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 1500
      id-randomization
    policy-map TCP
    class TCP
      set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250
      set connection timeout dcd
      set connection advanced-options Normalizer
      set connection decrement-ttl
    policy-map type inspect http HTTP
    parameters
      protocol-violation action drop-connection log
    class BlockDomains
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect dns preset_dns_map dynamic-filter-snoop
      inspect http HTTP
    service-policy global_policy global
    service-policy TCP interface External
    smtp-server 199.185.220.249
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command vpn-sessiondb
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command service-policy
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:41a021a28f73c647a2f550ba932bed1a
    : end
    Many thanks,
    Ingo

    Hi Jose,
    here is what I got now:
    ASA(config)# sh run | begin tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool VPNPool
    authorization-required
    and DAP debugging still the same:
    ASA(config)# DAP_TRACE: DAP_open: CDC45080
    DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =
    DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
    DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]
    DAP_TRACE: Username: tom.tucker, DAP_add_AC:
    endpoint.anyconnect.clientversion="3.1.02026";
    endpoint.anyconnect.platform="win";
    DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1
    DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy
    DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080
    Unfortunately, it still doesn't work. Hmmm.. maybe a wipe of the config and starting from scratch can help?
    Thanks,
    Ingo

  • Copy transfer structure transfer rules from one client to other client

    Hi
    Our R3 client 100 is mapped to BW client 100.
    R3 client 100 is source system in BW.
    As the master data is created by users in R3 client 200 we want to get the data from client 200 to BW. We don't want to replicate each datasource and do all the stuff from scratch for client 200.
    Now the question is, as we need to create transfer rules and transfer structures for all master data objects for client 200 in BW:
    1. Going to create the R3 200 client in BW. -- this is possible.
    2. Like creating a transport connection in BW for client 200 for all master data infoobjects, transfer rules, transfer structures, process chains, infopackages, etc.
    3. Do the source system mapping for the new client 200.
    4. And then execute the process chain.
    What are the best ways to achieve this?
    Creating all transfer structures and transfer rules only for those we are loading daily, rather than all active ones. How can I get the list of the master data that is loading daily, and how easily can I create transfer structures and other dependent objects in one go rather than manually?
    Any help or thoughts are appreciated..
    can anyone throw some light please....

    Hi,
    BW is not client dependent!!! When you sign on to BW, you have the client required. However, this field does not appear in any table (master data, ODS, cubes, whatever).
    This means that the same BW server with a single client can have multiple R/3 connections (for multiple R/3 clients).
    The database does not care about the client in BW. The data will be consolidated.
    So, you do not need any new client in BW, just two R/3 connections for your two clients.
    Regards,

  • Config for Production client

    Dear all,
    I'm new to Basis and now I'm working on a big ERP project. I have a question about the config for the Production client.
    In SCC4 we must set the client role to Production and "No changes allowed" for objects. But in production we sometimes need to do Open and Close Period, or make changes following business requirements, ... This is not allowed in the Production client.
    How do we configure the Production client to cover these requirements?
    Do we need a config client to maintain the Production client? Example: the Production client is 500, the config client is 100. When we need to Open or Close a Period or change anything, we do it in 100 and transport the request to 500.
    Thank you very much.
    Regards,
    Thanh.
    Do not use text message language, the next time your thread will be deleted.
    Read the "Rules of Engagement"
    Edited by: Juan Reyes on Dec 1, 2010 11:06 AM

    You can customize transactions to be executable although the setting in SCC4 is "productive"; this is accomplished by using transaction SOBJ:
    Note 1497640 - Open and close periods in productive client
    You can theoretically put every customizing view there and make it "executable" in a production system.
    Markus

  • Capital Project Settlement Rule for lower WBS

    Hello,
    At my present client, for Investment projects the client wants to settle the top level WBS to AUC and capitalise it. So ideally the cost from lower level WBS should flow to the top WBS. I am using substitution to remove the investment profile from lower WBS. My concern is how do I auto populate the settlement rule for lower WBS to top WBS. I am aware about settlement strategy and OSS note 211324 (however I don't want to implement this note).
    The approach I am looking for is using the "WBS_SETTLEMENT_RULE" BAdI. However this BAdI calls for a strategy and I could not maintain the required strategy (settlement to top WBS). Is there some BAdI/Function module available which can be called for updating the settlement rules on lower WBS while saving or releasing? Can I make use of exits in Substitution?
    Please let me know your opinions.
    Thanks
    Sarang

    Thanks Virendra. I agree the only approach is development. But I need to give inputs to my developer.
    We tried with BAdI "WBS_SETTLEMENT_RULE" but it didn't work as it calls the strategy in configuration.
    So I am checking for some other options, e.g. "WORKBREAKDOWN_UPDATE" which is called during save, or function modules K_SETTLEMENT_RULE_FILL or K_SETTLEMENT_RULE_SAVE which I can use. This is a client requirement to create AUC only at top level and all cost to be rolled up to the superior WBS and then settled to AUC.
    The other option I was thinking of is using exits through substitution.
    What will be the best approach?
    Thanks
    Sarang

  • How to restrict executing tcodes in transaction tab for master clients

    This question applies SOLMAN project implementation tools: SOLAR01, SOLAR02 and so on.
    Our ERP2005 development U50 system has two clients:
    One is master client 101 where all customizing should take place but no transactions are allowed.
    The second client 102 works as a sandbox client where new customizing can be tested and master data and transactions are allowed.
    Only U50/101 is defined in Solution Manager SMSY in system role 'development system'. Currently U50/102 is not defined in Solution Manager in any system role at all.
    As configuration should take place via Solution Manager, the consultants use SOLAR01 and SOLAR02 in system role 'development system', meaning that they are connected to U50/101 if they want to execute transactions in transaction tabs or IMG nodes in Configuration nodes.
    But U50/101 is our MASTER client and no transactions nor most master data are allowed in there. We want to keep it clean. How can I avoid tcodes being executed in system role 'development'? I want to allow consultants to use tcodes if they change to system role 'quality system'. But they might forget to change the system role before executing the transaction.
    Is there an option in the Solution Manager project implementation tools that does not allow tcode launch from transaction tabs when the system role is 'development system'?
    Of course I can restrict tcode execution with authorizations in the satellite systems, but then I would need to disable authorizations for each tcode possibly being used. So I don't like that option.
    br: Kimmo

    Okay, I'll continue the dialog with myself. I found a solution for how to assign other clients on one system to other system roles, which are so-called 'customer roles'.
    See solution manager help:
    http://help.sap.com/saphelp_sm40/helpdata/en/3b/8be61c54d22945837fd69861d21a08/content.htm
    I did not know until now that system roles are actually customizable. The roles with letters P, D, C, T, E, etc. are reserved for SAP, but you can create your own system roles in table SMSY_ROLES. You would not do it with SM30, but from tcode SMSY following the menu Utilities->System Settings->tab: System Roles. Switch to change mode. Roles 0-9 are available for "customer roles". Choose the role type and write your own description (like: Sandbox client in development system).
    Now the new role is available in SMSY. But You cannot see it yet in SOLAR_PROJECT_ADMIN/System Landscape tab. In there you must press button 'System role assignment' and in the opening window add your own 0-9 role defined earlier and save. Now you see your new role in 'system landscape' tab and you can assign systems to it like you had done with SAP standard roles.
    Now users using implementation tools can change their current system role to your new 'customer role'.
    But when it comes to my original problem (see title), that still remains. I have debugged the tcode execution from transaction tabs and don't see any possible way to avoid tcodes being executed for an unwanted system role. An Enhancement Spot (= new BADI) can of course be used for making a custom rule for my requirement.
    I'll make this thread answered. Hope you joined my self-dialog.
    Keywords: DEFINE EDIT SYSTEM CUSTOMER ROLES SMSY_ROLES
    br: Kimmo

  • Automatic Generation of Settlement Rules for PM order

    Hi All,
    I am doing a maintenance orders settlement and I have the following issue:
    My client has 2 types of equipment, namely vehicles and industrial equipment. Both have particular rules.
    For vehicles, we need to control all costs by an internal order.
    Industrial equipment costs will be controlled by cost center.
    So, cost center is maintained for industrial equipment, and Settlement Order for vehicle equipment.
    I have a unique order type for which in the Settlement profile I have entered Order and Cost Center as 'Settlement Optional' and default object type as CTR.
    When I create a PM order for a vehicle, the system cannot generate the settlement rule automatically, because in the order type I have entered default object type as CTR and in the equipment I just have the Settlement Order.
    But if I create a PM order for industrial equipment, the system creates the settlement rule automatically, because cost center is maintained for industrial equipment and the order type has default object type as CTR.
    In the allocation structure I have a receiver category for CTR and ORD.
    So, could you help me generate the settlement rule automatically for both cases without 2 order types?
    Thanks & regards,
    Hélder Nunes

    hi
    I think it is not possible to generate a settlement rule based on equipment; if you have specified the default settlement category in IMG, it will be generated.
    Check with your technical team whether user exit IWO10027 can be mapped.
    regards
    thyagarajan

  • Automatic Business Area Derivation Rule for Vendor Line Item in MIRO

    Hello Experts,
    We are trying to use the Business Area concept for our client.
    I have completed all configuration settings for the business area derivation like
    1. Creation of Business Area
    2. Assign Business area to Plant / Division (OMJ7)
    3. Business area determination from sales area (TVTA)
    4. Business Area by Sales Area
    5. Checked Field Status Group for Customer and Vendor Reconciliation Account
    It is working for the complete sales process, and in the procurement cycle it is picking the business area for the MIGO transaction for both line items.
    But
    In MIRO (Purchase invoice posting) it is automatically taking the Business area for the GR/IR line item and it is not taking the Business area for the vendor line item (automatically).
    I came to know that there is a business area derivation rule for this to happen automatically.
    Can you please propose the solution for the automatic derivation of business area in MIRO for the vendor line item.
    Regards,
    Chalapathi

    Hi,
    I do not think there is a BA derivation rule for MIRO.
    The best you can do is:
    1.  Use a user exit or enhancement point for deriving the BA from the GR/IR line and populate that in the vendor line
    or
    2.  You make BA a mandatory field in the field status group for the vendor reconciliation account.  This will then force the user to update the BA.  We use this option.  This is so because at times, the vendor item may need a different business area than the GR/IR line.
    Cheers.

  • EasyVPN :crypto ipsec client ezvpn xauth

    Hi
    Every time I reboot an EasyVPN client it prompts for a username and password with the following command: "crypto ipsec client ezvpn xauth".
    How do I make the connection persistent, so that it won't ask for a username and password during the next reboot?
    I am using a Cisco 877 router as EasyVPN server and a Cisco 877 router as EasyVPN client.
    My Easy VPN server configuration is as follows (Cisco 877):
    sh run
    Building configuration...
    Current configuration : 2306 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    dot11 syslog
    ip cef
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall rtsp
    multilink bundle-name authenticated
    username cisco password 5 121A0C0411045D5679
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group vpngrp
    key cisco123
    save-password
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive
    log config
      hidekeys
    interface Loopback10
    ip address 192.168.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    shutdown
    interface Dialer0
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password
    crypto map clientmap
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    ip dns server
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    scheduler max-task-time 5000
    ntp clock-period 17182092
    ntp server 202.83.64.3
    end
    My cisco877 router client configuration...
    sh run
    Building configuration...
    Current configuration : 1919 bytes
    ! No configuration change since last restart
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Goldcoast
    boot-start-marker
    boot-end-marker
    no aaa new-model
    dot11 syslog
    ip cef
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall rtsp
    multilink bundle-name authenticated
    crypto ipsec client ezvpn ez
    connect auto
    group vpngrp key cisco123
    mode network-extension
    peer 165.228.130.43
    xauth userid mode interactive
    archive
    log config
      hidekeys
    interface Loopback0
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    crypto ipsec client ezvpn ez inside
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    shutdown
    interface Dialer0
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password
    crypto ipsec client ezvpn ez
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    scheduler max-task-time 5000
    ntp clock-period 17182119
    ntp server 202.83.64.3
    end
    I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.
    Siva.
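    The two running-configs above carry the IKE/IPsec parameters that a reviewer would check first: a 3DES ISAKMP policy with DH group 2, an ESP 3DES transform set, and the EasyVPN group pre-shared key (`key cisco123`) sitting in clear text in both configs even though `service password-encryption` is enabled. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses the indentation-based section structure of an IOS config and reports those weak or sensitive settings. The sample config embedded in it is constructed for this example (indentation restored, placeholder key value), modelled on the server config posted above; the `WEAK_*` sets are the auditor's own policy choices.

```python
"""Audit an IOS-style running-config for weak IKE/IPsec settings.

Added example (not from the forum thread): parses the indentation-based
block structure of a Cisco IOS config and reports weak ISAKMP policy
parameters, weak ESP transform sets and pre-shared group keys stored in the
configuration.
"""
from typing import Dict, List, Tuple

# Constructed sample modelled on the posted EasyVPN server config; the key
# value is a placeholder and sub-command indentation is restored so that the
# parser can see section bodies.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
aaa new-model
aaa authentication login userauthen local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpngrp
 key EXAMPLE-PSK-PLACEHOLDER
 save-password
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
interface Dialer0
 ip address negotiated
 crypto map clientmap
end
"""

# Policy thresholds chosen for this example (auditor's decision, not Cisco's).
WEAK_IKE_ENCR = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # modp groups of 1536 bits or less
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (section_header, [sub_commands]) pairs.

    IOS prints sub-commands with a leading space; an unindented line either
    opens a new section or is a global command with no children (kept as a
    section with an empty body). Comment lines starting with '!' are skipped.
    """
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per weak or sensitive setting found in the config."""
    findings: List[Dict[str, str]] = []

    def add(section: str, issue: str) -> None:
        findings.append({"section": section, "issue": issue})

    for header, body in parse_sections(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for cmd in body:
                parts = cmd.split()
                if parts[0] == "encr" and parts[1] in WEAK_IKE_ENCR:
                    add(header, f"weak IKE encryption '{parts[1]}'")
                elif parts[0] == "hash" and parts[1] in WEAK_IKE_HASH:
                    add(header, f"weak IKE hash '{parts[1]}'")
                elif parts[0] == "group" and parts[1] in WEAK_DH_GROUPS:
                    add(header, f"weak DH group {parts[1]}")
        elif header.startswith("crypto isakmp client configuration group"):
            for cmd in body:
                parts = cmd.split()
                if parts[0] == "key":
                    add(header, "group pre-shared key stored in the configuration")
                elif parts[0] == "save-password":
                    add(header, "clients may cache Xauth credentials (save-password)")
        elif header.startswith("crypto ipsec transform-set"):
            # words: crypto ipsec transform-set <name> <transform>...
            for transform in words[4:]:
                if transform in WEAK_ESP:
                    add(header, f"weak ESP transform '{transform}'")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['section']}: {f['issue']}")
```

    Run against the constructed sample, the audit reports the 3DES/group 2 ISAKMP policy, the stored group key, the `save-password` attribute and the ESP 3DES transform; feeding it a real `show running-config` capture (with its original indentation) works the same way.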

    Sorry for the late reply.
    I am getting following error after removing xauth. Here is the error.
    May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
    May 14 12:43:47.020: EZVPN(ez): Current State: READY
    May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
    May 14 12:43:49.272: EZVPN(ez): Current State: READY
    May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
    May 14 12:43:51.620: EZVPN(ez): Current State: READY
    May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
    May 14 12:43:53.701: EZVPN(ez): Current State: READY
    May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr= Server_public_addr=
    May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
    May 14 12:43:55.989: EZVPN(ez): Current State: READY
    May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    Goldcoast(config-crypto-ezvpn)#
    May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
    May 14 12:43:58.009: EZVPN(ez): Current State: READY
    May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    Thanks,
    siva.
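    The debug output above shows the client tearing down and rebuilding the tunnel every two seconds or so, each time with the same reason from the server and an empty `User=` field in the `%CRYPTO-6-EZVPN_CONNECTION_DOWN` syslog message. That syslog line, unlike the `EZVPN(ez):` debug lines, is what a log collector normally receives, so a reconnect loop like this can be spotted centrally. The following is an added example, not code from the thread or from Cisco: a Python parser that joins the wrapped continuation lines to their timestamped message, counts the connection-down events, extracts the server's stated reason and the group, and flags a flap loop when a configurable number of drops fall inside a short window. The sample lines are a constructed excerpt modelled on the posted output; the window and threshold values are this example's own choices.

```python
"""Summarise Cisco EasyVPN client debug output into a reconnect-loop report.

Added example (not part of the forum thread). The sample below is a constructed
excerpt modelled on the debug lines posted above.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample excerpt (timestamps and text modelled on the posted output).
SAMPLE_DEBUG = """\
May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
"""

# "May 14 12:43:47.020: <message>" -- IOS timestamp without a year.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): (?P<msg>.*)$")
DOWN_MARKER = "%CRYPTO-6-EZVPN_CONNECTION_DOWN"
# "EZVPN(ez) Server does not allow save password option, enter ..." -> the
# text before the first comma is the reason the server gave.
REASON_RE = re.compile(r"EZVPN\(\w+\) (?P<reason>[^,]+),")
GROUP_RE = re.compile(r"Group=(\S*)")
USER_RE = re.compile(r"User=(\S*)")


def parse_events(text: str) -> List[Dict[str, object]]:
    """Return timestamped events, folding wrapped continuation lines into
    the message they belong to."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
            events.append({"ts": ts, "msg": m.group("msg")})
        elif events and line.strip():
            events[-1]["msg"] = f"{events[-1]['msg']} {line.strip()}"
    return events


def summarize(events: List[Dict[str, object]],
              window_seconds: float = 30.0,
              max_downs: int = 3) -> Dict[str, object]:
    """Report connection-down count, flap status, mean time between drops,
    the groups involved, the server's stated reasons and whether the Xauth
    user field was empty on every drop."""
    downs = [e for e in events if DOWN_MARKER in str(e["msg"])]
    reasons: Counter = Counter()
    for e in events:
        m = REASON_RE.match(str(e["msg"]))
        if m:
            reasons[m.group("reason").strip()] += 1

    # Flapping: max_downs drops inside any window_seconds-long span.
    flapping = False
    for i in range(len(downs) - max_downs + 1):
        span = downs[i + max_downs - 1]["ts"] - downs[i]["ts"]
        if span.total_seconds() <= window_seconds:
            flapping = True
            break

    mean_interval: Optional[float] = None
    if len(downs) >= 2:
        total = (downs[-1]["ts"] - downs[0]["ts"]).total_seconds()
        mean_interval = total / (len(downs) - 1)

    groups = sorted({GROUP_RE.search(str(e["msg"])).group(1)
                     for e in downs if GROUP_RE.search(str(e["msg"]))})
    user_missing = bool(downs) and all(
        (USER_RE.search(str(e["msg"])) or re.match("", "")).group(0) in ("", "User=")
        for e in downs)
    return {
        "down_events": len(downs),
        "flapping": flapping,
        "mean_interval_s": mean_interval,
        "groups": groups,
        "reasons": dict(reasons),
        "xauth_user_missing": user_missing,
    }


if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_DEBUG)))
```

    On the constructed excerpt the report shows three drops about 2.3 seconds apart, all for group `vpngrp`, all with the same server reason and no Xauth user, which is the signature of a client retrying a mode-config exchange that the server keeps rejecting. A collector that only sees the `%CRYPTO-6-...` lines still gets the count, the interval and the group.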

  • Transfer Rules for two Source System in Production

    Hi All,
    I have a question.
    I have source system ECDCLNT230 (ECC Development) which is connected to BIDCLNT200 (BID Development). I have two production source systems, ECPCLNT410 (ECP Pre Production Client) & ECPCLNT400 (ECP Production Client), which I want to connect with BIPCLNT400. When I transport my content from ECDCLNT230 to ECPCLNT410 and ECPCLNT400, it works fine. I created 2 source systems in BIPCLNT400 and replicated the data sources into BIPCLNT400, so all data sources have been replicated.
    Now when I transport the request from BIDCLNT200 to BIPCLNT400, I need two transfer rules and two transformations, one for each source system. What kind of settings are required for that?
    Thanks in advance.
    Regards,
    Komik Shah

    Hi,
    If I understand correctly, in your BW Production system, you want to connect / load data from your ECC Pre Production and Production system.
    In this case, to automate the transport needed for changes of transfer rules for both source systems, you will need to have two transfer rules in your BW Dev. You can either create two source systems in Dev pointing to the same ECC Dev system, or one to ECC Dev and the second to ECC QA. Use different names for these two source systems.
    In BW Production, you then maintain the source system conversion of both source systems.
    Thanks.
