DATETIME in Access
I have the following code which helps me to add element to the table after retrieving result set from Access. I don't know how to set the types for DATETIME. Should I use Timestamp or what? I don't have any idea to write the code. Could anyone help?
private Vector getNextRow(ResultSet rs, ResultSetMetaData rsmd) throws SQLException {
    Vector currentRow = new Vector();
    for (int i = 1; i <= rsmd.getColumnCount(); ++i) {
        switch (rsmd.getColumnType(i)) {
            case Types.VARCHAR:
            case Types.LONGVARCHAR:
                currentRow.addElement(rs.getString(i));
                break;
            case Types.INTEGER:
                currentRow.addElement(new Long(rs.getLong(i)));
                break;
            /*case Types.TIMESTAMP:
                currentRow.addElement(new Timestamp(rs.getTimestamp(i)));
                break;*/ // got stuck here!
            default:
                // Report any column type that is not handled above
                System.out.println("Type was: " + rsmd.getColumnTypeName(i));
        }
    }
    return currentRow;
}
Many thanks, Julieta
Hi Julieta,
On my Windows XP machine with J2SE SDK 1.4.2 and Micro$oft Access 2002, database table columns with the "Date/Time" data-type map to the java "java.sql.Timestamp" class.
In any case, you don't need to worry about the column type, you can just use the "getObject()" method in "java.sql.ResultSet", as in:
    currentRow.addElement(rs.getObject(i));
The actual object returned will be the correct type. In other words "getObject()" for a "Date/Time" column will return an instance of "java.sql.Timestamp". Try it for yourself and see!
Good Luck,
Avi.
Similar Messages
-
Hi All,
I am new to powerpivot, I have the below structure on a SQL Server database. This is basically tracking when a desktop was rebooted, rebooted user name, createddate (scheduled to run daily 3 times).
Based on the data below, how to create powerpivot report, there are few questions end user would be interested.
1. Top 10 Desktop rebooted over the time
2. Top 10 Rebooted user over the time
3. Top 10 offline Desktops
5. Pivot chart by selecting a server name - displays the latest uptime, how many times rebooted, who rebooted.
CREATE TABLE [Server].[DesktopActivity](
[Server_Name] [nvarchar](128) NOT NULL,
[Uptime] [varchar](50) NULL,
[RebootedUser] [varchar](50) NULL,
[CreatedDate] [datetime] NULL
) ON [PRIMARY]
ALTER TABLE [Server].[DesktopActivity] ADD CONSTRAINT [DF_DesktopActivity_CreatedDate] DEFAULT (getdate()) FOR [CreatedDate]
and the sample data as follows
CSR-35R5M02,9/24/2014 10:36:58 AM,NULL,2014-09-24 23:01:14.363
CSR-35J4M02,Offline,NULL,2014-09-24 23:01:41.893
CSR-34K5M02,9/24/2014 2:01:49 AM,NULL,2014-09-24 23:02:01.007
CSR-34P3M02,9/24/2014 2:01:49 AM,NULL,2014-09-24 23:02:20.117
CSR-34Q4M02,9/20/2014 11:07:01 AM,NULL,2014-09-24 23:02:39.257
CSR-35H4M02,9/24/2014 10:36:26 AM,NULL,2014-09-24 23:02:58.773
CSR-35R4M02,9/24/2014 5:11:44 PM,NULL,2014-09-24 23:03:16.230
CSR-35Z2M02,9/24/2014 8:17:00 PM,NULL,2014-09-24 23:03:39.420
CSR-3656M02,Offline,NULL,2014-09-24 23:03:59.900
CSR-3662M02,Offline,NULL,2014-09-24 23:04:20.900
CSR-3663M02,9/24/2014 10:33:01 AM,NULL,2014-09-24 23:04:28.060
CSR-36N5M02,9/24/2014 10:32:39 AM,NULL,2014-09-24 23:04:47.657
CSR-3607M02,9/24/2014 3:22:02 AM,NULL,2014-09-24 23:05:06.770
CSR-34Q1M02,Offline,NULL,2014-09-24 23:05:28.403
CSR-3626M02,9/24/2014 4:19:50 AM,NULL,2014-09-24 23:05:47.670
CSR-3642M02,9/24/2014 2:18:10 PM,NULL,2014-09-24 23:05:54.893
CSR-35C4M02,9/24/2014 5:07:41 PM,NULL,2014-09-24 23:06:04.603
CSR-36D2M02,9/24/2014 10:34:03 AM,NULL,2014-09-24 23:20:00.053
CSR-34H3M02,9/24/2014 10:34:23 AM,NULL,2014-09-24 23:20:18.190
CSR-34S6M02,9/21/2014 7:59:33 AM,NULL,2014-09-24 23:20:56.640
CSR-3615M02,9/16/2014 12:19:05 PM,NULL,2014-09-24 23:21:08.527
CSR-35D5M02,Offline,NULL,2014-09-24 23:21:25.443
CSRS-D5HKVY1,Offline,NULL,2014-09-25 07:00:40.623
CSRS-5WKKVY1,Offline,NULL,2014-09-25 07:00:49.123
CSR-34F4M02,9/24/2014 7:24:59 AM,NULL,2014-09-25 07:01:17.377
CSR-3563M02,9/25/2014 2:01:49 AM,NULL,2014-09-25 07:01:40.923
CSR-35P2M02,9/25/2014 2:01:50 AM,NULL,2014-09-25 07:02:00.390
CSR-34Q4M02,9/25/2014 4:48:46 AM,NULL,2014-09-25 07:02:21.007
CSR-35H4M02,9/25/2014 2:01:50 AM,NULL,2014-09-25 07:02:39.280
CSR-35R4M02,9/25/2014 2:01:50 AM,NULL,2014-09-25 07:02:55.990
CSR-35J3M02,9/25/2014 2:01:50 AM,NULL,2014-09-25 07:03:15.500
CSR-34H5M02,9/25/2014 2:01:50 AM,NULL,2014-09-25 07:03:35.613
CSR-36N2M02,9/25/2014 2:01:52 AM,NULL,2014-09-25 07:03:59.180
CSR-3627M02,Offline,NULL,2014-09-25 07:04:31.133
CSR-36H1M02,9/25/2014 2:01:51 AM,NULL,2014-09-25 07:04:55.837
CSR-35G5M02,Offline,NULL,2014-09-25 07:05:19.133
CSR-3626M02,9/25/2014 4:33:55 AM,NULL,2014-09-25 07:05:36.423
CSR-34M4M02,9/25/2014 2:01:49 AM,NULL,2014-09-25 07:06:02.407
CSR-3565M02,9/24/2014 10:34:39 AM,NULL,2014-09-25 07:06:25.737
CSR-3676M02,Offline,NULL,2014-09-25 07:06:50.137
CSR-34S6M02,9/21/2014 7:59:33 AM,NULL,2014-09-25 07:07:07.180
CSR-35B4M02,9/24/2014 6:41:01 PM,NULL,2014-09-25 07:07:34.383
CSR-6K00J02,9/24/2014 4:56:26 PM,NULL,2014-09-25 07:07:58.527
CSR-34H1M02,9/25/2014 2:01:50 AM,NULL,2014-09-25 15:07:07.943
CSR-35S1M02,9/25/2014 2:01:58 AM,NULL,2014-09-25 15:07:12.697
CSR-35D7M02,9/25/2014 2:01:50 AM,NULL,2014-09-25 15:07:34.050
CSR-34Q2M02,Offline,NULL,2014-09-25 15:07:52.250
CSR-3686M02,Offline,NULL,2014-09-25 15:08:17.250
CSR-36C2M02,9/25/2014 10:56:55 AM,NULL,2014-09-25 15:08:39.120
CSR-36L5M02,Offline,NULL,2014-09-25 15:09:04.757
CSR-34J1M02,9/25/2014 7:12:03 AM,NULL,2014-09-25 15:09:24.123
CSR-35Y4M02,9/25/2014 2:35:30 AM,NULL,2014-09-25 15:09:44.747
CSR-3692M02,9/25/2014 2:01:50 AM,NULL,2014-09-25 15:10:03.857
CSR-34M4M02,9/25/2014 2:01:49 AM,NULL,2014-09-25 15:33:38.300
CSR-3542M02,9/25/2014 6:17:04 AM,NULL,2014-09-25 15:33:57.437
CSR-35R6M02,6/10/2014 9:05:08 AM,NULL,2014-09-25 15:34:31.080
CSR-3615M02,9/16/2014 12:19:05 PM,NULL,2014-09-25 15:34:57.917
CSR-35P4M02,9/25/2014 7:55:17 AM,NULL,2014-09-25 15:35:19.560
CSR-34S1M02,9/25/2014 2:01:48 AM,NULL,2014-09-25 23:05:13.580
CSR-3632M02,9/25/2014 4:41:10 AM,NULL,2014-09-25 23:05:34.410
CSR-35C4M02,9/25/2014 2:01:49 AM,NULL,2014-09-25 23:05:56.323
CSR-34Q7M02,Offline,NULL,2014-09-25 23:15:30.360
CSR-3542M02,9/25/2014 6:17:04 AM,NULL,2014-09-25 23:15:39.897
CSR-36H7M02,9/25/2014 9:31:06 AM,NULL,2014-09-25 23:16:06.240
CSR-35N5M02,9/25/2014 4:01:27 PM,NULL,2014-09-25 23:16:16.977
CSR-34N4M02,8/4/2014 8:00:58 AM,NULL,2014-09-25 23:16:38.230
CSR-3503M02,9/4/2014 3:03:16 PM,NULL,2014-09-25 23:16:47.820
CSR-35D5M02,Offline,NULL,2014-09-25 23:16:59.857
CSR-36F2M02,Offline,NULL,2014-09-25 23:17:13.857
CSR-6K10J02,9/25/2014 11:41:49 AM,NULL,2014-09-25 23:17:28.983
CSR-BCFQBZ1,9/26/2014 6:47:54 AM,NULL,2014-09-26 07:00:09.470
CSRS-3HYKVY1,Offline,NULL,2014-09-26 07:00:13.443
CSR-6K0YH02,9/26/2014 2:01:52 AM,NULL,2014-09-26 07:00:40.293
CSR-34R3M02,9/26/2014 2:01:54 AM,NULL,2014-09-26 07:00:50.220
CSR-34J5M02,Offline,NULL,2014-09-26 07:01:09.430
CSR-35J4M02,9/26/2014 2:01:49 AM,NULL,2014-09-26 07:01:19.130
CSR-34W3M02,9/26/2014 2:01:50 AM,NULL,2014-09-26 07:01:33.583
CSR-34K5M02,9/26/2014 2:01:49 AM,NULL,2014-09-26 07:01:38.330
CSR-34P3M02,9/26/2014 2:01:49 AM,NULL,2014-09-26 07:01:58.957
CSR-35C2M02,9/26/2014 2:01:47 AM,NULL,2014-09-26 07:02:13.427
CSR-34K3M02,Offline,NULL,2014-09-26 07:02:19.430
CSR-34H1M02,9/26/2014 2:01:52 AM,NULL,2014-09-26 07:02:39.360
CSR-35R4M02,9/26/2014 2:01:48 AM,NULL,2014-09-26 07:02:53.797
CSR-35P6M02,9/26/2014 2:01:49 AM,NULL,2014-09-26 07:02:56.250
CSR-35S4M02,9/26/2014 2:02:13 AM,NULL,2014-09-26 07:03:09.637
CSR-35Z2M02,9/26/2014 2:01:50 AM,NULL,2014-09-26 07:03:16.773
CSR-35H1M02,9/26/2014 2:01:50 AM,NULL,2014-09-26 07:03:19.150
CSR-35T4M02,9/25/2014 1:33:10 PM,NULL,2014-09-26 07:03:21.520
CSR-35M4M02,9/26/2014 2:01:50 AM,NULL,2014-09-26 07:03:27.900
CSR-34H5M02,9/26/2014 2:01:48 AM,NULL,2014-09-26 07:03:33.883
CSR-35H5M02,9/26/2014 2:01:48 AM,NULL,2014-09-26 07:03:36.360
CSR-3656M02,Offline,NULL,2014-09-26 07:03:39.930
CSR-34R7M02,Offline,NULL,2014-09-26 07:03:43.930
CSR-3653M02,9/25/2014 9:21:02 AM,NULL,2014-09-26 07:03:46.380
CSR-3652M02FORD,Offline,NULL,2014-09-26 07:03:52.587
CSR-36N2M02,9/26/2014 2:01:51 AM,NULL,2014-09-26 07:03:57.433
CSR-3663M02,9/26/2014 2:01:49 AM,NULL,2014-09-26 07:04:09.870
CSR-36C2M02,9/26/2014 2:01:50 AM,NULL,2014-09-26 07:04:14.740
CSR-36H2M02,Offline,NULL,2014-09-26 07:04:18.433
CSR-35W6M02,Offline,NULL,2014-09-26 07:04:22.433
Ganesh
Hi Greg,
I really appreciate your time to discuss it. Here are my answers.
Server name - unique key for servers.
Nope, since I run it 3 times a day it will have 3 entries for each of the server.
Uptime - I'd expect this to be a length of time since last reboot, but this is clearly not the case.
It is datetime which is basically the last reboot time
Is this the time of the last reboot? Yes
Does offline mean it's offline at the time the row was loaded, or has been offline? Yes
How long has it been offline? There is a specific set most of the time it is offline
RebootedUser - these are all null so you cannot have top rebooteduser. Is this an error or am I missing
something? If it is NULL, the computer is offline.
CreatedDate - Is this the insert time into the table? Yes
These are all strictly greater than the dates in Uptime (I had to create a new field and remove the
'Offline' entries and cast to datetime) I don't see this field would have a Offline value.
Why do you have datetimes in a text field (Uptime)?. Because it will have either a datetime, Offline, Access
Denied.
How do I know how many time a server has been rebooted?
From the table data, for a given period of time, if I get the distinct Uptime for each server
is the no. of times it got rebooted.
Since RebootedUser is strictly null, how do I identify top rebooted users?
It is strictly NULL only for offline computer.
Let me give clean data and we will go from there.
Thanks again for your time.
Ganesh
-
Accessing data in a MS Access DATETIME field
Can anybody please tell me how to retrieve and update data in a DATETIME field from a table in MS Access Database? (I have a JDBC connection and can query/update other fields, but not this one)
thx
For retrieving, use rs.getString("FIELD_NAME") or rs.getString(COLUMN_NO) method. For updating and/or inserting, use single quotes ('...') and proper datetime format.
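An added example, not part of the original posts: both JDBC threads above (reading a Date/Time column with getObject(), and retrieving or updating a DATETIME field) can be handled with bound java.sql.Timestamp parameters, so no date string is formatted or quoted into the SQL text; that removes the dependence on a driver-specific date format and the SQL injection risk of concatenated values. The table events, its columns id and created_at, and the JDBC URL passed on the command line are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.List;

// Added example. Table "events" and columns "id" / "created_at" are hypothetical.
public class AccessDateTimeExample {

    private static final String SELECT_SQL =
        "SELECT id, created_at FROM events WHERE created_at >= ? AND created_at < ?";
    private static final String UPDATE_SQL =
        "UPDATE events SET created_at = ? WHERE id = ?";

    // Copies one row using getObject(); the driver picks the Java type per column.
    static List<Object> readRow(ResultSet rs, ResultSetMetaData md) throws SQLException {
        List<Object> row = new ArrayList<>();
        for (int i = 1; i <= md.getColumnCount(); i++) {
            row.add(rs.getObject(i)); // SQL NULL comes back as Java null
        }
        return row;
    }

    // Half-open range [from, to): both bounds are bound parameters, never SQL text.
    static List<List<Object>> findBetween(Connection con, Timestamp from, Timestamp to)
            throws SQLException {
        List<List<Object>> rows = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(SELECT_SQL)) {
            ps.setTimestamp(1, from);
            ps.setTimestamp(2, to);
            try (ResultSet rs = ps.executeQuery()) {
                ResultSetMetaData md = rs.getMetaData();
                while (rs.next()) {
                    rows.add(readRow(rs, md));
                }
            }
        }
        return rows;
    }

    // Updates the DATETIME column; returns the number of rows changed.
    static int updateCreatedAt(Connection con, long id, Timestamp value) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(UPDATE_SQL)) {
            ps.setTimestamp(1, value);
            ps.setLong(2, id);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        if (args.length != 1) {
            System.err.println("usage: java AccessDateTimeExample <jdbc-url>");
            return;
        }
        // Constructed sample values in the format Timestamp.valueOf expects
        // (yyyy-mm-dd hh:mm:ss).
        Timestamp from = Timestamp.valueOf("2014-09-24 00:00:00");
        Timestamp to = Timestamp.valueOf("2014-09-25 00:00:00");
        try (Connection con = DriverManager.getConnection(args[0])) {
            int changed = updateCreatedAt(con, 1L, Timestamp.valueOf("2014-09-24 10:36:58"));
            System.out.println("rows updated: " + changed);
            for (List<Object> row : findBetween(con, from, to)) {
                Object createdAt = row.get(1);
                // Report the runtime type instead of assuming it.
                System.out.println(row.get(0) + " -> " + createdAt
                    + " (" + (createdAt == null ? "null" : createdAt.getClass().getName()) + ")");
            }
        }
    }
}
```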
-
Accessing datetime range data from table...
Hey Everyone,
I have a table called vdet_sa_archive, and in that table there are so many fields, and I want to access the data on a datetime range.
sample data in table
starttime endtime
1 14-02-13 01:30:15.000000000 AM 14-02-13 02:01:57.000000000 AM
2 14-02-13 4:30:01.000000000 AM 14-02-13 5:30:01.000000000 AM
3 14-02-13 01:30:01.000000000 PM 14-02-13 01:45:01.000000000 PM
So I want to access the data between 14-02-13 1:00:00 AM to 14-02-13 5:00:00 AM
So how can I get this data?
I wrote:
select count(*) from vdet_sa_archive where starttime >= TO_DATE('14/FEB/2013 01:00:00 AM', 'dd/mm/yyyy HH:MI:SS AM') and endtime<=TO_DATE('14/FEB/2013 04:00:00 AM', 'dd/mm/yyyy HH:MI:SS AM');
But it's not working.
Thanks and regards,
Gajanan Hiroji
Hi, Gajanan,
Gajananh999 wrote:
Hey Everyone,
I have a table called vdet_sa_archive, and in that table there are so many fields, and I want to access the data on a datetime range.
sample data in table
starttime endtime
1 14-02-13 01:30:15.000000000 AM 14-02-13 02:01:57.000000000 AM
2 14-02-13 4:30:01.000000000 AM 14-02-13 5:30:01.000000000 AM
3 14-02-13 01:30:01.000000000 PM 14-02-13 01:45:01.000000000 PM
Whenever you have a problem, post CREATE TABLE and INSERT statements for your sample data. This problem may hinge on what the data types of starttime and endtime are.
So I want to access the data between 14-02-13 1:00:00 AM to 14-02-13 5:00:00 AM
In the code below, the upper bound is 4:00 AM, not 5:00.
So how can I get this data?
I wrote:
select count(*) from vdet_sa_archive where starttime >= TO_DATE('14/FEB/2013 01:00:00 AM', 'dd/mm/yyyy HH:MI:SS AM') and endtime<=TO_DATE('14/FEB/2013 04:00:00 AM', 'dd/mm/yyyy HH:MI:SS AM');
But it's not working.
What exactly is not working? When you post the CREATE TABLE and INSERT statements for the sample data, also post the results you want from that data.
As mentioned before, if you're using 'MM' format, the month is '02'. If you use 'MON' format, then 'FEB' means February, assuming your NLS_DATE_LANGUAGE is English.
If startdate and enddate are TIMESTAMPs (which is what it looks like) then it would be more efficient to use TO_TIMESTAMP rather than TO_DATE, but you should get the same results either way, unless perhaps if a value was a fraction of a second off from the given range.
-
Getting a null when trying to access DateTime fields (that I've added) from my work item
I'm getting a null when trying to access (custom) DateTime fields from my work item.
I've got a customized work item with 'extra' string and datetime fields.
<FieldDefinition name="Design Version" refname="XXX.DesignVersion" type="String" reportable="dimension" />
<FieldDefinition name="Date Closed" refname="XXX.DateClosed" type="DateTime" reportable="dimension" />
This code fails:
WorkItem workItem = workItemStore.GetWorkItem(workItemId);
var tt1 = workItem["XXX.DesignVersion"];//works
var tt3 = workItem["XXX.DateClosed"]; //tt3 == null, fails also for html fields
Any idea what's up? thanks
Hi TimB,
Thanks for your post.
What’s the version of your TFS?
If you open this work item in VS, there’s no date value in your Date Closed field? Please try below code snippet:
if (wr.Fields["XXX.DateClosed"].Value == null)
    Console.WriteLine(wr.Fields["XXX.DateClosed"].Value);
else
    Console.WriteLine(wr.Fields["XXX.DateClosed"].Value);
-
Dear gurus:
I have problems with the SSO configuration for Portal. I have executed the Diagtool from Note 957666 - Diagtool for Troubleshooting Security Configuration and this is the result:
ume.r3.connection.master.group =
ume.r3.connection.master.gwhost =
ume.r3.connection.master.gwserv =
ume.r3.connection.master.lang = EN
ume.r3.connection.master.msghost =
ume.r3.connection.master.msserv =
ume.r3.connection.master.passwd = ******
ume.r3.connection.master.poolmaxsize = 10
ume.r3.connection.master.poolmaxwait =
ume.r3.connection.master.r3name =
ume.r3.connection.master.receiverid = master
ume.r3.connection.master.receiverid_guest = master
ume.r3.connection.master.snc_lib =
ume.r3.connection.master.snc_mode =
ume.r3.connection.master.snc_myname =
ume.r3.connection.master.snc_partnername =
ume.r3.connection.master.snc_qop =
ume.r3.connection.master.sysnr =
ume.r3.connection.master.trace =
ume.r3.connection.master.user =
ume.r3.connection.tpd.adapterid = value of ume.r3.connection.tpd.systemid
ume.r3.connection.tpd.systemid = SUS
ume.r3.mastersystem = BWICLNT300
ume.r3.mastersystem.uid.mode = 1
ume.r3.orgunit.adapterid =
ume.r3.sync.sender = SAPMUM
ume.r3.use.role = false
ume.replication.adapters.001.companies =
ume.replication.adapters.001.scope =
ume.replication.adapters.002.companies =
ume.replication.adapters.002.scope =
ume.replication.adapters.003.companies =
ume.replication.adapters.003.scope =
ume.replication.adapters.index_1 =
ume.replication.adapters.index_2 =
ume.replication.adapters.index_3 =
ume.replication.adapters.master.companies =
ume.replication.adapters.master.scope =
ume.replication.crm_sup_register_check = BBP_SUS_BUPA_REGID_CHECK
ume.replication.messaging.active = false
ume.replication.sync.display_all_doc = false
ume.roles.pcd_roles_with_actions =
ume.roles.xml_files = *role.xml
ume.secaudit.get_object_name = false
ume.secaudit.log_actor = true
ume.spml.schema_name = schema.xml
ume.superadmin.activated = false
ume.superadmin.password = ******
ume.supergroups.anonymous_group.description = Built-in Group Anonymous Users
ume.supergroups.anonymous_group.displayname = Anonymous Users
ume.supergroups.anonymous_group.uniquename = Anonymous Users
ume.supergroups.authenticated_group.description = Built-in Group Authenticated Users
ume.supergroups.authenticated_group.displayname = Authenticated Users
ume.supergroups.authenticated_group.uniquename = Authenticated Users
ume.supergroups.everyone.description = Built-in Group Everyone
ume.supergroups.everyone.displayname = Everyone
ume.supergroups.everyone.uniquename = Everyone
ume.testum = false
ume.tpd.classloader =
ume.tpd.companies = 0
ume.tpd.imp.class = com.sap.security.core.tpd.SimpleTPD
ume.tpd.prefix = STPD_
ume.trace.external_trace_class = com.sap.security.core.util.imp.UMTrace_630
ume.usermapping.admin.pwdprotection = true
ume.usermapping.key.protection = TRUE
ume.usermapping.refsys.mapping.type = internal
ume.usermapping.unsecure = false
ume.users.displayname_template = ,
ume.users.email_pattern = ?@?.?*
ume.virtual_groups.description_template = Virtual group
ume.virtual_groups.displayname_template =
ume.virtual_groups.group_names_separator = ;
ume.virtual_groups.name_prefix =
ume.virtual_groups.names =
ume.virtual_groups.trim_group_names = true
ume.virtual_groups.user_attribute =
ume.virtual_groups.user_attribute.multivalue = true
ume.virtual_groups.user_attribute.namespace =
[Info] May 20, 2008 9:12:10 PM TXT
com.sap.engine.config.diagtool.tests.authentication.sso2.SSOTicketIssuerConfigTest
This test verifies the Single Sign-On (SSO) configuration on J2EE Engine.
It checks the prerequisites for issuing SSO logon tickets:
validity of the ticket client
the client is a three-digit string, e.g. 071
validity of the ticket signing private key/certificate
the ticket signing PK location, defined in UME properties,
must be a keypair and the acceptable algorithm is DSA.
[Info] May 20, 2008 9:12:10 PM client string OK
[Info] May 20, 2008 9:12:10 PM keystore view name found in UME: [TicketKeystore]
[Info] May 20, 2008 9:12:10 PM keystore alias name found in UME: [SAPLogonTicketKeypair]
[Info] May 20, 2008 9:12:10 PM
~ getName ~
SAPLogonTicketKeypair
~ isCertificate ~
false
~ isKeypair ~
true
~ getCertificate ~
Version: 3
Serial number: 60679227
Signature algorithm: dsaWithSHA (1.2.840.10040.4.3)
Issuer: CN=EPI,OU=I0020275421,O=SAP Trust Community,C=DE
Valid not before: Tue May 20 20:42:00 CEST 2008
not after: Wed May 20 20:42:00 CEST 2009
Subject: CN=EPI,OU=I0020275421,O=SAP Trust Community,C=DE
DSA public key (1024 bits):
Certificate Fingerprint (MD5) : 88:FE:7F:24:F7:64:2A:CC:D7:BE:16:70:74:73:96:27
Certificate Fingerprint (SHA-1): DD:56:49:B1:D3:0B:BD:79:A3:03:CF:66:33:86:4C:A0:16:FD:04:8F
Extensions: 1
~ getChain ~
chain [1]
Subject:CN=EPI,OU=I0020275421,O=SAP Trust Community,C=DE
Algorithm:dsaWithSHA(1.2.840.10040.4.3)
~ getClass ~
class com.sap.engine.config.diagtool.lib.keystore.OfflineKeystoreEntry
[Info] May 20, 2008 9:12:10 PM The keystore entry test successful.
[Info] May 20, 2008 9:12:10 PM The keystore entry is a keypair.
[Info] May 20, 2008 9:12:10 PM The SSO private key signing algorithm is [DSA]
[Info] May 20, 2008 9:12:10 PM The private key format is [PKCS#8]
[Info] May 20, 2008 9:12:10 PM The system can issue SSO logon tickets.
[Info] May 20, 2008 9:12:10 PM The tickets will be issued with client [000], system [EPI]
[Info] May 20, 2008 9:12:10 PM TXT
com.sap.engine.config.diagtool.tests.authentication.sso2.SSOTicketVerifierConfigTest
This test verifies the Single Sign-On (SSO) configuration on J2EE Engine.
It checks all SSO certificates imported in the SSO trusted key store view
defined in UME properties table. The certificates are verified for validity,
algorithm identifier, and public/private key content. The test checks also
the Access Control Lists configured in evaluate authentication modules.
The ACLs must contain Subjects and Issuers that are available
in the SSO trusted key store view
[Info] May 20, 2008 9:12:10 PM keystore view name found in UME: [TicketKeystore]
[Info] May 20, 2008 9:12:10 PM keystore alias name found in UME: [SAPLogonTicketKeypair]
[Info] May 20, 2008 9:12:10 PM *** checking SSO anchors ***
[Info] May 20, 2008 9:12:10 PM found 2 entries
[Info] May 20, 2008 9:12:10 PM ************ entry #1 [SAPLogonTicketKeypair-cert] **************
[Info] May 20, 2008 9:12:10 PM
~ getName ~
SAPLogonTicketKeypair-cert
~ isCertificate ~
true
~ isKeypair ~
false
~ getCertificate ~
Version: 3
Serial number: 60679227
Signature algorithm: dsaWithSHA (1.2.840.10040.4.3)
Issuer: CN=EPI,OU=I0020275421,O=SAP Trust Community,C=DE
Valid not before: Tue May 20 20:42:00 CEST 2008
not after: Wed May 20 20:42:00 CEST 2009
Subject: CN=EPI,OU=I0020275421,O=SAP Trust Community,C=DE
DSA public key (1024 bits):
Certificate Fingerprint (MD5) : 88:FE:7F:24:F7:64:2A:CC:D7:BE:16:70:74:73:96:27
Certificate Fingerprint (SHA-1): DD:56:49:B1:D3:0B:BD:79:A3:03:CF:66:33:86:4C:A0:16:FD:04:8F
Extensions: 1
~ getChain ~
chain [1]
Subject:CN=EPI,OU=I0020275421,O=SAP Trust Community,C=DE
Algorithm:dsaWithSHA(1.2.840.10040.4.3)
~ getClass ~
class com.sap.engine.config.diagtool.lib.keystore.OfflineKeystoreEntry
[Info] May 20, 2008 9:12:10 PM The certificate CN=EPI,OU=I0020275421,O=SAP Trust Community,C=DE algorithm OK.
[Info] May 20, 2008 9:12:10 PM ************ entry #2 [BW_BWI_certificate] **************
[Info] May 20, 2008 9:12:10 PM
~ getName ~
BW_BWI_certificate
~ isCertificate ~
true
~ isKeypair ~
false
~ getCertificate ~
Version: 1
Serial number: 0
Signature algorithm: dsaWithSHA (1.2.840.10040.4.3)
Issuer: CN=BWI,OU=I0020275421,OU=SAP Web AS,O=SAP Trust Community,C=DE
Valid not before: Mon May 19 20:39:21 CEST 2008
not after: Fri Jan 01 01:00:01 CET 2038
Subject: CN=BWI,OU=I0020275421,OU=SAP Web AS,O=SAP Trust Community,C=DE
DSA public key (1024 bits):
Certificate Fingerprint (MD5) : 47:5D:87:50:89:F5:DD:72:A4:A3:B2:BA:FA:6A:B4:09
Certificate Fingerprint (SHA-1): 3B:CC:58:02:86:47:D2:02:E2:E2:DB:73:84:C1:F1:81:DB:D1:72:F3
~ getChain ~
chain [1]
Subject:CN=BWI,OU=I0020275421,OU=SAP Web AS,O=SAP Trust Community,C=DE
Algorithm:dsaWithSHA(1.2.840.10040.4.3)
~ getClass ~
class com.sap.engine.config.diagtool.lib.keystore.OfflineKeystoreEntry
[Info] May 20, 2008 9:12:10 PM The certificate CN=BWI,OU=I0020275421,OU=SAP Web AS,O=SAP Trust Community,C=DE algorithm OK.
[Info] May 20, 2008 9:12:10 PM *** com.sap.security.core.server.jaas.EvaluateTicketLoginModule ***
[Info] May 20, 2008 9:12:10 PM 28 configurations found.
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/com.sap.aii.security.ws*KeystoreHelp_client]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/com.sap.aii.security.ws*KeystoreHelp_client]}(size: 4)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
2. ( com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule
3. ( com.sap.engine.services.security.server.jaas.ClientCertLoginModule ) ( OPTIONAL ) com.sap.engine.services.security.server.jaas.ClientCertLoginModule
4. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
authentication properties:
realm_name=Upload Protected Area
policy_domain=/KeystoreHelp/client
auth_method=client-cert
[Warning] May 20, 2008 9:12:10 PM No options defined
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/com.sap.aii.af.ispeak.app*pip]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/com.sap.aii.af.ispeak.app*pip]}(size: 3)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
#1 ume.configuration.active = true
2. ( com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule ) ( REQUISITE ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
3. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( OPTIONAL ) com.sap.security.core.server.jaas.CreateTicketLoginModule
#1 ume.configuration.active = true
authentication properties:
realm_name=ISPEAK
policy_domain=/RWB
auth_method=basic
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/tcslmslmapp*slmSolManServices_Config1]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/tcslmslmapp*slmSolManServices_Config1]}(size: 4)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
2. ( com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule
3. ( com.sap.engine.services.security.server.jaas.ClientCertLoginModule ) ( OPTIONAL ) com.sap.engine.services.security.server.jaas.ClientCertLoginModule
4. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
authentication properties:
realm_name=Upload Protected Area
policy_domain=/slmSolManServices/Config1
auth_method=client-cert
[Warning] May 20, 2008 9:12:10 PM No options defined
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/cafruntimeear*CAFDataService_Config]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/cafruntimeear*CAFDataService_Config]}(size: 4)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
2. ( com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule
3. ( com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule ) ( OPTIONAL ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
4. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
authentication properties:
realm_name=Upload Protected Area
policy_domain=/CAFDataService/Config
auth_method=basic
[Warning] May 20, 2008 9:12:10 PM No options defined
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/com.sap.aii.af.service.trex.ws*TrexProcessor_basic]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/com.sap.aii.af.service.trex.ws*TrexProcessor_basic]}(size: 4)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
2. ( com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule
3. ( com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule ) ( OPTIONAL ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
4. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
authentication properties:
realm_name=Upload Protected Area
policy_domain=/TrexProcessor/basic
auth_method=basic
[Warning] May 20, 2008 9:12:10 PM No options defined
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/tcsecwssec~app*wssproc_plain]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/tcsecwssec~app*wssproc_plain]}(size: 4)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
2. ( com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule
3. ( com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule ) ( OPTIONAL ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
4. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
authentication properties:
realm_name=Upload Protected Area
policy_domain=/wssproc/plain
auth_method=basic
[Warning] May 20, 2008 9:12:10 PM No options defined
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/tckmcbc.rf.wsrfwsear*RepositoryFrameworkWS_Config1]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/tckmcbc.rf.wsrfwsear*RepositoryFrameworkWS_Config1]}(size: 4)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
2. ( com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule
3. ( com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule ) ( OPTIONAL ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
4. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
authentication properties:
realm_name=Upload Protected Area
policy_domain=/RepositoryFrameworkWS/Config1
auth_method=basic
[Warning] May 20, 2008 9:12:10 PM No options defined
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/com.sap.xi.mdt*AdapterMessageMonitoring_basic]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/com.sap.xi.mdt*AdapterMessageMonitoring_basic]}(size: 4)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
2. ( com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule
3. ( com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule ) ( OPTIONAL ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
4. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
authentication properties:
realm_name=Upload Protected Area
policy_domain=/AdapterMessageMonitoring/basic
auth_method=basic
[Warning] May 20, 2008 9:12:10 PM No options defined
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/com.sap.aii.af.ms.app*MessagingSystem]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/com.sap.aii.af.ms.app*MessagingSystem]}(size: 2)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
#1 ume.configuration.active = true
2. ( com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule ) ( REQUISITE ) com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule
authentication properties:
realm_name=Message Display Tool
policy_domain=/RWB
auth_method=basic
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/tcslmslmapp*slmServices_config]
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM {[sap.com/tcslmslmapp*slmServices_config]}(size: 4)
1. ( com.sap.security.core.server.jaas.EvaluateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateTicketLoginModule
2. ( com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.EvaluateAssertionTicketLoginModule
3. ( com.sap.engine.services.security.server.jaas.ClientCertLoginModule ) ( OPTIONAL ) com.sap.engine.services.security.server.jaas.ClientCertLoginModule
4. ( com.sap.security.core.server.jaas.CreateTicketLoginModule ) ( SUFFICIENT ) com.sap.security.core.server.jaas.CreateTicketLoginModule
authentication properties:
realm_name=Upload Protected Area
policy_domain=/slmServices/config
auth_method=client-cert
[Warning] May 20, 2008 9:12:10 PM No options defined
[Info] May 20, 2008 9:12:10 PM ----
[Info] May 20, 2008 9:12:10 PM | |
[Info] May 20, 2008 9:12:10 PM | Auth stack [sap.com/com.sap.lcr*sld]
[Info] May 20, 2008 9:12:10 PM |
When I execute the RSPOR_SETUP report from SE38 to check the configuration between BW and Portal, the system shows the following message:
http://img58.imageshack.us/img58/1910/j2eegw5.png
http://img53.imageshack.us/img53/4158/step7vf1.png
This is my configuration:
http://img58.imageshack.us/img58/5937/strustry9.png
http://img142.imageshack.us/img142/9721/keystorageyt6.png
http://img53.imageshack.us/img53/6971/ticketbl2.png
http://img53.imageshack.us/img53/2689/evaluatemr0.png
http://img177.imageshack.us/img177/1271/umeyz5.png
http://img53.imageshack.us/img53/9763/slddf1.png
Entry in dev_jrfc.trc
Message : java.lang.RuntimeException: call FM RSWR_RFC_SERVICE_TEST to ProgId SAPIA64BW_PORTAL_EPI on host SAPIA64BW with SSO not authorized: Missing Password
Datasource : 11197950:J:\usr\sap\EPI\JC01\j2ee\cluster\server0\dev_jrfc.trc
Could you please help me??
Thanks in advance
Edited by: Juan de la Cruz Arellano Royo on May 21, 2008 11:17 AM -
Hi guys,
I have a problem with my web application. I cannot access it from my internal network using my static public IP (i.e. 49.123.456.7). However, I can access it from an external network using my static public IP. Is there a way for me to allow access internally as well as externally?
I am using a Cisco 800 series router. Here is my configuration:
Current configuration : 2549 bytes
! Last configuration change at 09:35:38 SGT Thu Oct 18 2012 by xxxxx
! NVRAM config last updated at 16:56:45 SGT Wed Oct 17 2012 by xxxxx
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router01
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 10
clock timezone XXX X
ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.222
ip dhcp pool NetworkPool
import all
network 192.168.1.0 255.255.255.0
dns-server XXX.XXX.XXX.66 XXX.XXX.XXX.66
default-router 192.168.1.1
ip cef
no ip domain lookup
ip domain name nacache1.m1net.com.sg
ip name-server XXX.XXX.XXX.66
ip name-server XXX.XXX.XXX.66
login block-for 30 attempts 5 within 10
login delay 3
login quiet-mode access-class 23
no ipv6 cef
license udi pid CISCOXXX-XXX sn XXXXXXXXXXX
username admin privilege 15 secret X ************************.jgis1
policy-map NGNBN
class class-default
set cos 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
no ip address
duplex auto
speed auto
interface FastEthernet4.1103
description WAN_Link_100MbpsFibreBiz
encapsulation dot1Q 1103
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
service-policy output NGNBN
interface Vlan1
description LocalLAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list NAT_Addresses interface FastEthernet4.1103 overload
ip nat inside source static tcp 192.168.1.198 80 49.123.456.7 80 extendable
ip nat inside source static tcp 192.168.1.198 443 49.123.456.7 443 extendable
ip nat inside source static tcp 192.168.1.198 8090 49.123.456.7 8090 extendable
ip access-list extended NAT_Addresses
permit ip 192.168.1.0 0.0.0.255 any
access-list 23 remark ** Managment_Segment **
access-list 23 permit XXX.XXX.0.0 0.0.0.255
access-list 23 permit XXX.XXX.XXX.0 0.0.0.255
access-list 23 permit XXX.XXX.XXX.0 0.0.0.255
access-list 23 permit XXX.XXX.XXX.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
control-plane
line con 0
privilege level 15
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
scheduler max-task-time 5000
ntp server XX.XXX.XXX.1 prefer
ntp server XXX.XXX.XXX.81
end
Any help and suggestions will be appreciated
Regards,
Adeeb
Hi Francesco,
Thanks for your reply, but your solution cannot solve my problem.
Here is my router show run again:
User Access Verification
Username: xxxxxx
Password:
RP_Router01#show run
Building configuration...
Current configuration : 2520 bytes
! Last configuration change at 12:29:38 SGT Fri Oct 19 2012 by xxxxxx
! NVRAM config last updated at 12:34:16 SGT Fri Oct 19 2012 by xxxxxx
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname RP_Router01
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 10
clock timezone XXX X
ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.222
ip dhcp pool NetworkPool
import all
network 192.168.1.0 255.255.255.0
dns-server XXX.XXX.XXX.66 XXX.XXX.XXX.66
default-router 192.168.1.1
ip cef
no ip domain lookup
ip domain name XXXXX.XXXXX.com.XX
ip name-server XXX.XXX.XXX.66
ip name-server XXX.XXX.XXX.66
login block-for 30 attempts 5 within 10
login delay 3
login quiet-mode access-class 23
no ipv6 cef
license udi pid CISCOXXX-XXX sn XXXXXXXXXXX
username admin privilege 15 secret X ************************.jgis1
policy-map NGNBN
class class-default
set cos 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
no ip address
duplex auto
speed auto
interface FastEthernet4.1103
description WAN_Link_100MbpsFibreBiz
encapsulation dot1Q 1103
ip address dhcp
ip nat enable
ip virtual-reassembly
no cdp enable
service-policy output NGNBN
interface Vlan1
description LocalLAN
ip address 192.168.1.1 255.255.255.0
ip nat enable
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat source list NAT_Addresses interface FastEthernet4.1103 overload
ip nat source static tcp 192.168.1.198 80 49.123.456.7 80 extendable
ip nat source static tcp 192.168.1.198 443 49.123.456.7 443 extendable
ip nat source static tcp 192.168.1.198 8090 49.123.456.7 8090 extendable
ip access-list extended NAT_Addresses
permit ip 192.168.1.0 0.0.0.255 any
access-list 23 remark ** Managment_Segment **
access-list 23 permit XXX.XXX.0.0 0.0.0.255
access-list 23 permit XXX.XXX.XXX.0 0.0.0.255
access-list 23 permit XXX.XXX.XXX.0 0.0.0.255
access-list 23 permit XXX.XXX.XXX.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
control-plane
line con 0
privilege level 15
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
scheduler max-task-time 5000
ntp server XXX.XXX.XXX.1 prefer
ntp server XXX.XXX.XXX.81
end
I followed your commands exactly, but I have no idea why I still cannot access my public static IP 49.123.456.7 from the local network.
Regards,
Adeeb -
Access is Denied -- Site Upgrade from Foundation 2010 to Foundation 2013
I'm trying to do a Site Upgrade from Foundation 2010 to 2013 and I keep getting Access Denied during the site upgrade process.
This is the error I keep seeing:
Inner Exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Here is the log file.
"02/28/2014 10:23:02.36 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebWssSequence ajyxw DEBUG [Navision] NeedsUpgrade = true, SchemaVersion = 4.0.25.0, TargetSchemaVersion = 15.0.30.0. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.36 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxmv DEBUG NeedsUpgrade [Navision] true because of upgrader [Microsoft.SharePoint.Upgrade.SPWebWssSequence] 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.36 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxmx DEBUG NeedsUpgrade [Navision] returned: True. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.36 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxn3 DEBUG Disposing Navision. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.36 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxni DEBUG Upgrading [Navision]. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.36 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebWssSequence ajywv DEBUG Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.36 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebWssSequence2 ajy8z DEBUG Begin upgrade of SPWeb scoped features. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1p DEBUG Template upgrade: Skipped upgrade WebTemplate XML for template 'STS#0' at: 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG\Upgrade\WssUpgrade.xml'. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1t DEBUG Template upgrade: Upgrade XML: <WebTemplate ID="1" LocaleId="*" FromProductVersion="4" BeginFromSchemaVersion="0" EndFromSchemaVersion="2" ToSchemaVersion="3" /> 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1q DEBUG Template upgrade: FromProductVersion '4' does not match current database version '3' for template 'STS#0'. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1p DEBUG Template upgrade: Skipped upgrade WebTemplate XML for template 'STS#0' at: 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\CONFIG\Upgrade\WssUpgradeB2B.xml'. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1t DEBUG Template upgrade: Upgrade XML: <WebTemplate ID="1" LocaleId="*" FromProductVersion="4" BeginFromSchemaVersion="0" EndFromSchemaVersion="2" ToSchemaVersion="3" /> 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1q DEBUG Template upgrade: FromProductVersion '4' does not match current database version '3' for template 'STS#0'. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebTemplateSequenceForWeb ajy7f INFO Template STS#0: Web template upgrade for web/site [I deleted URL]6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebTemplateSequenceForWeb ajyw2 DEBUG SPRequest Objects=0 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebTemplateSequenceForWeb ajyw2 DEBUG SQL Query Count=0 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebTemplateSequenceForWeb ajyw2 DEBUG Execution Time=0.438254023905273 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebWssSequence ajyxl INFO [Navision] IsBackwardsCompatible = False, CurrentVersion = 4.0.25.0, BackwardsCompatibleSchemaVersion = 15.0.30.0, TargetSchemaVersion
= 15.0.30.0. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxn1 DEBUG UPGRADE PROGRESS: current object = [Navision], current sequence = [SPWebWssSequence], action 1 out of total 14 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxn2 DEBUG UPGRADE PERCENTAGE: 5.21488095% done, Total Elapsed Time 00:00:08.8762641. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywc DEBUG Begin Initialize() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywd DEBUG End Initialize() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywe INFO Provision new master pages for O15 onto all webs and perform Visual Upgrade. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.37 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywf DEBUG Begin Upgrade() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:02.42 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajyqo INFO Modifying UIVersion field choices on the master page gallery in site: navision Site Url: [I
deleted URL]6052f9bdc7c9
02/28/2014 10:23:03.65 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajyqp INFO Provisioning seattle master page in site: navision Site Url: [I deleted URL]6052f9bdc7c9
02/28/2014 10:23:04.15 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUtility ajy0k INFO Master page 'seattle.master' already exists in the master page gallery, so there is no need to provision it. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:04.15 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajyqq INFO Updating masterpage in site: navision Site Url: [I deleted URL]6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebWssSequence ajywk ERROR Action 15.0.3.0 of Microsoft.SharePoint.Upgrade.SPWebWssSequence failed. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebWssSequence ajywk ERROR Exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebWssSequence ajywk ERROR at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
at Microsoft.SharePoint.Library.SPRequest.OpenWeb(String bstrUrl, String& pbstrServerRelativeUrl, String& pbstrTitle, String& pbstrDescription, String& pbstrTitleResourceId, String& pbstrDescriptionResourceId, Guid& pguidID, DateTime&
pdtTimeCreated, String& pbstrRequestAccessEmail, UInt32& pwebVersion, Guid& pguidScopeId, UInt32& pnAuthorID, UInt32& pnLanguage, UInt32& pnLocale, UInt16& pnTimeZone, Boolean& bTime24, Int16& pnCollation, UInt32& pnCollationLCID,
Int16& pnCalendarType, Int16& pnAdjustHijriDays, Int16& pnAltCalendarType, Boolean& pbShowWeeks, Int16& pnFirstWeekOfYear, UInt32& pnFirstDayOfWeek, Int16& pnWorkDays, Int16& pnWorkDayStartHour, Int16& pnWorkDayEndHour,
Int16& pnMeetingCount, Int32& plFlags, Boolean& bConnectedToPortal, String& pbstrPortalUrl, String& pbstrPortalName, Int32& plWebTemplateId, Int16& pnProvisionConfig, String& pbstrDefaultTheme, String& pbstrDefaultThemeCSSUrl,
String& pbstrThemedCssFolderUrl, String& pbstrAlternateCSSUrl, String& pbstrCustomizedCssFileList, String& pbstrCustomJSUrl, String& pbstrAlternateHeaderUrl, String& pbstrMasterUrl, String& pbstrCustomMasterUrl, String& pbstrSiteLogoUrl,
String& pbstrSiteLogoDescription, Object& pvarUser, Boolean& pvarIsAuditor, UInt64& ppermMask, Boolean& bUserIsSiteAdmin, Boolean& bHasUniquePerm, Guid& pguidUserInfoListID, Guid& pguidUniqueNavParent, Int32& plSiteFlags,
DateTime& pdtLastContentChange, DateTime& pdtLastSecurityChange, String& pbstrWelcomePage, Boolean& pbOverwriteMUICultures, Boolean& pbMUIEnabled, String& pbstrAlternateMUICultures, Int32& plSiteSchemaMajorVersion, Int32& plSiteSchemaMinorVersion,
Int32& plSiteSchemaBuildVersion, Int32& plSiteSchemaRevisionVersion, Int32& puiVersion, Int16& pnClientTag, Boolean& pfIsEvalSite, Guid& pgSourceSiteId, DateTime& pdtExpirationDate, Guid& pgEvalSiteId, Guid& pguidAppProductId,
String& pbstrRemoteAppUrl, String& pbstrOAuthAppId, String& pbstrAppDatabaseName, Guid& pgAppDatabaseServerReferenceId, String& pbstrAppDatabaseTargetApplicationId, String& pbstrAppWebDomainId, Int32& plUpgradeFlags, DateTime&
pdtReminderDate, UInt64& pmaskDeny) at Microsoft.SharePoint.SPWeb.InitWeb() at Microsoft.SharePoint.SPWeb.get_Title() at Microsoft.SharePoint.SPSite.OpenWeb(Guid gWebId, Int32 mondoHint)
at Microsoft.SharePoint.SPWeb.<ClearMasterCssCaches>b__0() at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3() at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated
secureCode) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPWeb.Update() at Microsoft.SharePoint.Upgrade.VisualUpgradeAction15.Upgrade() at Microsoft.SharePoint.Upgrade.SPActionSequence.Upgrade() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywl DEBUG Begin Rollback() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywm DEBUG End Rollback() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywp DEBUG Begin Dispose() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywq DEBUG End Dispose() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywr DEBUG SPRequest Objects=6 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywr DEBUG SQL Query Count=17 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade VisualUpgradeAction15 (15.0.3.0) ajywr DEBUG Execution Time=4867.40689109929 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxnk ERROR Upgrade [Navision] failed. Microsoft.SharePoint.Upgrade.SPWebWssSequence has the ContinueOnFailiure bit set. Moving
on to the next object in sequence. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxnk ERROR Inner Exception: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxnk ERROR at Microsoft.SharePoint.SPGlobal.HandleUnauthorizedAccessException(UnauthorizedAccessException ex)
at Microsoft.SharePoint.Library.SPRequest.OpenWeb(String bstrUrl, String& pbstrServerRelativeUrl, String& pbstrTitle, String& pbstrDescription, String& pbstrTitleResourceId, String& pbstrDescriptionResourceId, Guid& pguidID, DateTime&
pdtTimeCreated, String& pbstrRequestAccessEmail, UInt32& pwebVersion, Guid& pguidScopeId, UInt32& pnAuthorID, UInt32& pnLanguage, UInt32& pnLocale, UInt16& pnTimeZone, Boolean& bTime24, Int16& pnCollation, UInt32& pnCollationLCID,
Int16& pnCalendarType, Int16& pnAdjustHijriDays, Int16& pnAltCalendarType, Boolean& pbShowWeeks, Int16& pnFirstWeekOfYear, UInt32& pnFirstDayOfWeek, Int16& pnWorkDays, Int16& pnWorkDayStartHour, Int16& pnWorkDayEndHour,
Int16& pnMeetingCount, Int32& plFlags, Boolean& bConnectedToPortal, String& pbstrPortalUrl, String& pbstrPortalName, Int32& plWebTemplateId, Int16& pnProvisionConfig, String& pbstrDefaultTheme, String& pbstrDefaultThemeCSSUrl,
String& pbstrThemedCssFolderUrl, String& pbstrAlternateCSSUrl, String& pbstrCustomizedCssFileList, String& pbstrCustomJSUrl, String& pbstrAlternateHeaderUrl, String& pbstrMasterUrl, String& pbstrCustomMasterUrl, String& pbstrSiteLogoUrl,
String& pbstrSiteLogoDescription, Object& pvarUser, Boolean& pvarIsAuditor, UInt64& ppermMask, Boolean& bUserIsSiteAdmin, Boolean& bHasUniquePerm, Guid& pguidUserInfoListID, Guid& pguidUniqueNavParent, Int32& plSiteFlags,
DateTime& pdtLastContentChange, DateTime& pdtLastSecurityChange, String& pbstrWelcomePage, Boolean& pbOverwriteMUICultures, Boolean& pbMUIEnabled, String& pbstrAlternateMUICultures, Int32& plSiteSchemaMajorVersion, Int32& plSiteSchemaMinorVersion,
Int32& plSiteSchemaBuildVersion, Int32& plSiteSchemaRevisionVersion, Int32& puiVersion, Int16& pnClientTag, Boolean& pfIsEvalSite, Guid& pgSourceSiteId, DateTime& pdtExpirationDate, Guid& pgEvalSiteId, Guid& pguidAppProductId,
String& pbstrRemoteAppUrl, String& pbstrOAuthAppId, String& pbstrAppDatabaseName, Guid& pgAppDatabaseServerReferenceId, String& pbstrAppDatabaseTargetApplicationId, String& pbstrAppWebDomainId, Int32& plUpgradeFlags, DateTime&
pdtReminderDate, UInt64& pmaskDeny) at Microsoft.SharePoint.SPWeb.InitWeb() at Microsoft.SharePoint.SPWeb.get_Title() at Microsoft.SharePoint.SPSite.OpenWeb(Guid gWebId, Int32 mondoHint)
at Microsoft.SharePoint.SPWeb.<ClearMasterCssCaches>b__0() at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3() at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated
secureCode) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param) at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPWeb.Update() at Microsoft.SharePoint.Upgrade.VisualUpgradeAction15.Upgrade() at Microsoft.SharePoint.Upgrade.SPActionSequence.Upgrade() 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxnk ERROR Exception: Action 15.0.3.0 of Microsoft.SharePoint.Upgrade.SPWebWssSequence failed. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxnk ERROR at Microsoft.SharePoint.Upgrade.SPActionSequence.Upgrade() at Microsoft.SharePoint.Upgrade.SPUpgradeSession.Upgrade(Object
o, Boolean bRecurse) 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxnn DEBUG Elapsed time upgrading [Navision]: 00:00:04. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxn6 DEBUG Disposing Navision. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxp7 DEBUG Found subweb template STS#0 (lcid: 1033) for ContentDatabase WSS_Content. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxmf DEBUG CanUpgrade [Customer Service Team] returned: True. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxnh DEBUG Customer Service Team IsGrown=False IsRoot=False IsLeaf=True. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPUpgradeSiteSession ajxmf DEBUG CanUpgrade [Customer Service Team] returned: True. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebTemplateSequenceForWeb ajy68 DEBUG Loading onet.xml at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Template\SiteTemplates\STS\xml\onet.xml 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPWebTemplateSequenceForWeb ajy7b DEBUG Template STS#0: Calculated a target template version of '15.0.0.3' with target compatibility level of '15'
for the 'STS#0' template. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1p DEBUG Template upgrade: Skipped upgrade WebTemplate XML for template 'STS#0' at: 'C:\Program Files\Common Files\Microsoft
Shared\Web Server Extensions\15\CONFIG\Upgrade\WssUpgrade.xml'. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1t DEBUG Template upgrade: Upgrade XML: <WebTemplate ID="1" LocaleId="*" FromProductVersion="4"
BeginFromSchemaVersion="0" EndFromSchemaVersion="2" ToSchemaVersion="3" /> 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1q DEBUG Template upgrade: FromProductVersion '4' does not match current database version '3' for template 'STS#0'. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1p DEBUG Template upgrade: Skipped upgrade WebTemplate XML for template 'STS#0' at: 'C:\Program Files\Common Files\Microsoft
Shared\Web Server Extensions\15\CONFIG\Upgrade\WssUpgradeB2B.xml'. 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1t DEBUG Template upgrade: Upgrade XML: <WebTemplate ID="1" LocaleId="*" FromProductVersion="4"
BeginFromSchemaVersion="0" EndFromSchemaVersion="2" ToSchemaVersion="3" /> 42b4789c-6c14-203b-54a5-6052f9bdc7c9
02/28/2014 10:23:07.24 OWSTIMER (0x0678) 0x0A50 SharePoint Foundation Upgrade SPXmlConfiguration ajy1q DEBUG Template upgrade: FromProductVersion '4' does not match current database version '3' for template 'STS#0'. 42b4789c-6c14-203b-54a5-6052f9bdc7c9"
Do you have any no access / locked sites in that database, and also any site which exceeds its quota?
Please remember to mark your question as answered & vote helpful, if this solves/helps your problem.
Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog
-
Access from Inside to Outside ASA 5510 ver 9.1
Hi All,
I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions. 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post 8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
Here is my ASA Config and I will post some of the 2811 Router config as well, though I am not sure that is where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
Thank you for the help!
ASA5510(config)# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.100 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
CISCO 2811:
Current configuration : 2601 bytes
! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RouterDeMitch
boot-start-marker
boot system flash
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
no aaa new-model
dot11 syslog
ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 172.16.20.1 172.16.20.49
ip dhcp pool Mitchs_Network
network 192.168.1.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 192.168.1.1
ip dhcp pool VLAN10
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
ip dhcp pool VLAN20
network 172.16.20.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 172.16.20.1
no ip domain lookup
ip name-server 199.195.168.4
ip name-server 205.171.2.65
ip name-server 205.171.3.65
ip name-server 8.8.8.8
multilink bundle-name authenticated
crypto pki token default removal timeout 0
redundancy
interface FastEthernet0/0
description CONNECTION TO INSIDE INT. OF ASA
ip address 10.10.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
interface FastEthernet0/1.3
description Trunk Interface VLAN 1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
interface Dialer0
no ip address
router rip
version 2
network 172.16.0.0
network 192.168.1.0
network 199.195.168.0
no auto-summary
ip default-gateway 10.10.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
access-list 1 permit any
dialer-list 1 protocol ip permit
control-plane
line con 0
exec-timeout 0 0
password encrypted
login
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
scheduler allocate 20000 1000
end
I made those changes, but still no internet. I did not add this statement: nat (inside,outside) after-auto source dynamic any interface. I went with the more granular.
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd liqhNWIOSfzvir2g encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.123 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
object-group network PAT-SOURCE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.10.1.0 255.255.255.252
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
Message was edited by: Mitchell Tuckness -
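A check that can be run against the two ASA configurations posted in this thread, as an added example that is not part of the original posts: it reads the interface, route, object-group and dynamic PAT lines and reports static routes whose next hop lies outside the egress interface's subnet, and Inside networks that no dynamic PAT rule covers. The two excerpts are trimmed copies of the posted configs; the function names are hypothetical, and the PAT check assumes the router behind the ASA does not translate the addresses itself.

```python
import ipaddress
import re

# Trimmed excerpts of the two posted ASA configs (routing and PAT lines only).
# Indentation is ignored, so the flattened form from the page parses as-is.
FIRST_CONFIG = """\
interface Ethernet0/0
nameif Inside
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
nameif Outside
ip address 199.195.168.100 255.255.255.240
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
"""

SECOND_CONFIG = """\
interface Ethernet0/0
nameif Inside
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
nameif Outside
ip address 199.195.168.123 255.255.255.240
object-group network PAT-SOURCE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.10.1.0 255.255.255.252
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
"""


def parse_asa(text):
    """Collect named interfaces, static routes, network object-groups and dynamic PAT rules."""
    cfg = {"interfaces": {}, "routes": [], "groups": {}, "pat": []}
    nameif = group = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = group = None          # a new interface stanza starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            cfg["interfaces"][nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"object-group network (\S+)", line):
            group = m[1]
            cfg["groups"][group] = []
        elif (m := re.match(r"network-object (\S+) (\S+)", line)) and group:
            cfg["groups"][group].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                                  ipaddress.ip_address(m[4])))
        elif m := re.match(r"nat \(([^,\s]+),([^)\s]+)\) (?:after-auto )?"
                           r"source dynamic (\S+) interface", line):
            cfg["pat"].append((m[1], m[2], m[3]))
    return cfg


def unreachable_gateways(cfg):
    """Static routes whose next hop is not inside the egress interface's connected subnet."""
    bad = []
    for ifname, dest, gw in cfg["routes"]:
        iface = cfg["interfaces"].get(ifname)
        if iface is None or gw not in iface.network:
            bad.append((ifname, str(dest), str(gw)))
    return bad


def untranslated_sources(cfg, inside="Inside", outside="Outside"):
    """Networks reached via `inside` that no dynamic PAT rule towards `outside` covers."""
    sources = [cfg["interfaces"][inside].network]
    sources += [dest for ifname, dest, _ in cfg["routes"] if ifname == inside]
    covered = []
    for src_if, dst_if, group in cfg["pat"]:
        if (src_if, dst_if) != (inside, outside):
            continue
        if group == "any":                 # "source dynamic any interface"
            covered.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            covered += cfg["groups"].get(group, [])
    return [str(n) for n in sources if not any(n.subnet_of(c) for c in covered)]


if __name__ == "__main__":
    for label, text in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        cfg = parse_asa(text)
        print(label, "config")
        print("  next hops off-subnet:", unreachable_gateways(cfg))
        print("  inside networks without PAT:", untranslated_sources(cfg))
```

On the first config the Outside address 199.195.168.100/28 sits in 199.195.168.96/28, so the default gateway 199.195.168.113 is reported as off-subnet; the second config's 199.195.168.123/28 shares 199.195.168.112/28 with that gateway and its PAT-SOURCE group covers every Inside network.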
I can connect my cisco mobile vpn but can't ping & access internal IP
Hi somebody,
I've configured a mobile VPN configuration on a Cisco 7200 with GNS3. I can connect the VPN to my Cisco router with the Cisco VPN client software from outside, but I can't ping internal IPs and can't access internal resources.
My internal IP is 192.168.1.x, and the IP for the mobile VPN client from outside is 172.60.1.x.
Your advice will be appreciated.
Here is my configuration with the Cisco 7200 in GNS3:
OfficeVPN_Router#sh run
Building configuration...
Current configuration : 2186 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip any any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end
OfficeVPN_Router#sh ver
Cisco IOS Software, 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 18:50 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
OfficeVPN_Router uptime is 30 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
3 FastEthernet interfaces
125K bytes of NVRAM.
65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
OfficeVPN_Router#
Dear Javier,
Thanks for your info. I already tested as you say, but I still can't use or ping my internal IP, which is behind the Cisco VPN router. I have posted my config file.
OfficeVPN_Router(config)#ip access-list resequence 111 10 10
OfficeVPN_Router(config)#do sh run
Building configuration...
Current configuration : 2201 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end
-
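An added example (not part of the original post, and not Cisco tooling): a small Python evaluator for the extended ACLs in the configuration above, using IOS first-match semantics with wildcard masks. It checks that traffic from the inside LAN to every address in `vpnpool` is exempted from NAT by ACL 111 and covered by the split-tunnel ACL 101. The function names and the inside host 192.168.1.50 are assumptions made for the illustration.

```python
import ipaddress

# Pool and ACL lines copied from the running configuration posted above.
CONFIG = """\
ip local pool vpnpool 172.60.1.10 172.60.1.100
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
"""


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def take_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') -> (base, wildcard)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(word), to_int(tokens.pop(0))


def parse_config(text):
    """Return (acls, pools): acls[number] = ordered entries, pools[name] = (first, last)."""
    acls, pools = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "local", "pool"]:
            pools[tokens[3]] = (to_int(tokens[4]), to_int(tokens[5]))
        elif (tokens[:1] == ["access-list"] and len(tokens) > 3
              and tokens[2] in ("permit", "deny") and tokens[3] == "ip"):
            rest = tokens[4:]
            src = take_addr(rest)
            dst = take_addr(rest)
            acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls, pools


def matches(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl, src, dst):
    """First matching entry wins; no match is the implicit deny that ends every ACL."""
    s, d = to_int(src), to_int(dst)
    for action, src_spec, dst_spec in acl:
        if matches(s, src_spec) and matches(d, dst_spec):
            return action
    return "deny"


def audit_pool(text, pool, split_acl, nat_acl, inside_host):
    """List pool addresses whose traffic from inside_host would be NATed or left untunnelled."""
    acls, pools = parse_config(text)
    first, last = pools[pool]
    problems = []
    for n in range(first, last + 1):
        client = str(ipaddress.IPv4Address(n))
        # A 'deny' in the list used by 'ip nat inside source list' means "do not translate".
        if evaluate(acls[nat_acl], inside_host, client) != "deny":
            problems.append((client, "translated by NAT before encryption"))
        if evaluate(acls[split_acl], inside_host, client) != "permit":
            problems.append((client, "not covered by split-tunnel ACL"))
    return problems


if __name__ == "__main__":
    # 192.168.1.50 is an assumed host on the FastEthernet1/0 LAN.
    issues = audit_pool(CONFIG, "vpnpool", "101", "111", "192.168.1.50")
    print(issues or "vpnpool: NAT exemption and split tunnel agree for every address")
```

For this configuration the audit returns no findings, so the NAT exemption and split-tunnel ACLs are consistent with the pool.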
SSL VPN message "This (client) machine does not have the web access privilege."
Hello!
I am trying to configure the SSL VPN (WebVPN) and I am almost done, but when clicking on the URLs I configured in the bookmarks, I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such an error and the fix for it. In fact, if I search the net for this error message I get only one match, on the Cisco website, where it says that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as a fix it gives this tip: "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
enable password xxxxxxxx
aaa new-model
aaa authentication login userAuthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa session-id common
crypto pki trustpoint TP-self-signed-1279712955
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1279712955
revocation-check none
rsakeypair TP-self-signed-1279712955
crypto pki certificate chain TP-self-signed-1279712955
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool myPOOL
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 87.216.1.65 87.216.1.66
ip cef
ip name-server 87.216.1.65
ip name-server 87.216.1.66
ip ddns update method mydyndnsupdate
HTTP
add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group pppoe
request-dialin
protocol pppoe
username cisco privilege 15 password 0 xxxxxxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
crypto isakmp client configuration group vpnclient
key cisco123
domain selfip.net
pool ippool
acl 110
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userAuthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Loopback2
description SSL VPN Website IP address
ip address 10.10.10.1 255.255.255.0
interface Loopback1
description SSL DHCP Pool Gateway Address
ip address 192.168.250.1 255.255.255.0
interface FastEthernet0
description $ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface BRI0
no ip address
encapsulation hdlc
shutdown
interface FastEthernet1
interface FastEthernet2
switchport access vlan 2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
bundle-enable
dsl operating-mode auto
interface Vlan1
no ip address
interface Dialer1
ip ddns update hostname myserver.selfip.net
ip ddns update mydyndnsupdate host members.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
ppp chap hostname xxx
ppp chap password 0 xxxx
ppp pap sent-username xxx password 0 xxxx
crypto map clientmap
ip local pool ippool 192.168.50.100 192.168.50.200
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 144 permit ip 192.168.50.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
control-plane
banner motd ^C
================================================================
UNAUTHORISED ACCESS IS PROHIBITED!!!
=================================================================
^C
line con 0
line aux 0
line vty 0 4
password mypassword
transport input telnet ssh
webvpn gateway MyGateway
ip address 10.10.10.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1279712955
inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context SecureMeContext
title "My SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
url-list "MyServers"
heading "My Intranet"
url-text "Cisco" url-value "http://192.168.0.2"
url-text "NetGear" url-value "http://192.168.0.3"
login-message "Welcome to My VPN"
policy group MyDefaultPolicy
url-list "MyServers"
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list userAuthen
gateway MyGateway domain testvpn
max-users 100
csd enable
inservice
end
Thank you!
Hi,
Please check SAP note:
2004579 - You cannot create a FR company from a Package
Thanks & Regards,
Nagarajan
-
VPN Clients cannot access remote site
Hey there,
I am pretty new in configuring Cisco devices and now I need some help.
I have 2 sites here:
site A
Cisco 891
external IP: 195.xxx.yyy.zzz
VPN Gateway for Remote users
local IP: VLAN10 10.133.10.0 /23
site B
Cisco 891
external IP: 62.xxx.yyy.zzz
local IP VLAN10 10.133.34.0 /23
Those two sites are linked together with a Site-to-Site VPN. Accessing files or resources from one site to the other is working fine while connected to the local LAN.
I configured VPN connection with Radius auth. VPN clients can connect to Site A, get an IP address from VPN Pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access resources on site B. I already added the site B network to the ACL and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for other VPN Tunnels to ERP system.
What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.
Here is the config of site A
Building configuration...
Current configuration : 24257 bytes
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Englerstrasse
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
aaa new-model
aaa group server radius Radius-AD
server 10.133.10.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
clock timezone Berlin 1 0
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki trustpoint TP-self-signed-27361994
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-27361994
revocation-check none
rsakeypair TP-self-signed-27361994
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-27361994
certificate self-signed 01
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM smtp
ip cef
no ipv6 cef
appfw policy-name CCP_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
parameter-map type inspect global
log dropped-packets enable
multilink bundle-name authenticated
redundancy
ip tcp synwait-time 10
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any CCP-Management-1
match dscp cs2
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
policy-map sdm-qos-test-123
class class-default
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
policy-map CCP-QoS-Policy-1
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
class CCP-Voice-1
priority percent 33
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key REMOVED address 62.20.xxx.yyy
crypto isakmp key REMOVED address 195.243.xxx.yyy
crypto isakmp key REMOVED address 195.243.xxx.yyy
crypto isakmp key REMOVED address 83.140.xxx.yyy
crypto isakmp client configuration group VPN_local
key REMOVED
dns 10.133.10.5 10.133.10.7
wins 10.133.10.7
domain domain.de
pool SDM_POOL_2
acl 115
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN_local
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA11
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to62.20.xxx.xxx
set peer 62.20.xxx.xxx
set transform-set ESP-3DES-SHA
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to195.243.xxx.xxx
set peer 195.243.xxx.xxx
set transform-set ESP-3DES-SHA4
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to83.140.xxx.xxx
set peer 83.140.xxx.xxx
set transform-set ESP-DES-SHA1
match address 118
interface Loopback2
ip address 192.168.10.1 255.255.254.0
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
spanning-tree portfast
interface FastEthernet4
description Internal LAN
switchport access vlan 10
switchport trunk native vlan 10
no ip address
spanning-tree portfast
interface FastEthernet5
no ip address
spanning-tree portfast
interface FastEthernet6
no ip address
spanning-tree portfast
interface FastEthernet7
no ip address
spanning-tree portfast
interface FastEthernet8
description $FW_OUTSIDE$$ETH-WAN$
ip address 62.153.xxx.xxx 255.255.255.248
ip access-group 113 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CCP_MEDIUM out
no ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output CCP-QoS-Policy-1
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet8
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
no ip address
interface Vlan10
description $FW_INSIDE$
ip address 10.133.10.1 255.255.254.0
ip access-group 112 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200
ip local pool VPN_Pool 192.168.20.2 192.168.20.100
ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip forward-protocol nd
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx
ip access-list extended VPN1
remark VPN_Haberstrasse
remark CCP_ACL Category=4
permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
ip radius source-interface Vlan10
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 195.243.xxx.xxx
access-list 23 permit 10.133.10.0 0.0.1.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.133.10.0 0.0.1.255 any
access-list 101 remark CCP_ACL Category=16
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 deny ip 10.10.10.0 0.0.0.7 any
access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 102 permit icmp any host 62.153.xxx.xxx unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp
access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp
access-list 103 permit esp any host 62.153.xxx.xxx
access-list 103 permit ahp any host 62.153.xxx.xxx
access-list 103 permit udp host 194.25.0.60 eq domain any
access-list 103 permit udp host 194.25.0.68 eq domain any
access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
access-list 103 deny ip 10.10.10.0 0.0.0.7 any
access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 103 permit icmp any host 62.153.xxx.xxx unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark CCP_ACL Category=4
access-list 104 permit ip 10.133.10.0 0.0.1.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
access-list 106 permit ip 10.10.10.0 0.0.0.7 any
access-list 106 permit ip 10.133.10.0 0.0.1.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443
access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd
access-list 108 deny tcp any host 10.133.10.1 eq telnet
access-list 108 deny tcp any host 10.133.10.1 eq 22
access-list 108 deny tcp any host 10.133.10.1 eq www
access-list 108 deny tcp any host 10.133.10.1 eq 443
access-list 108 deny tcp any host 10.133.10.1 eq cmd
access-list 108 deny udp any host 10.133.10.1 eq snmp
access-list 108 permit ip any any
access-list 109 remark CCP_ACL Category=1
access-list 109 permit ip 10.133.10.0 0.0.1.255 any
access-list 109 permit ip 10.10.10.0 0.0.0.7 any
access-list 109 permit ip 192.168.10.0 0.0.1.255 any
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip host 195.243.xxx.xxx any
access-list 110 permit ip host 84.44.xxx.xxx any
access-list 110 permit ip 10.133.10.0 0.0.1.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.7 any
access-list 110 permit ip 192.168.10.0 0.0.1.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.133.10.0 0.0.1.255 any
access-list 112 remark CCP_ACL Category=1
access-list 112 permit udp host 10.133.10.5 eq 1812 any
access-list 112 permit udp host 10.133.10.5 eq 1813 any
access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp
access-list 112 permit udp any host 10.133.10.1 eq isakmp
access-list 112 permit esp any host 10.133.10.1
access-list 112 permit ahp any host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1
access-list 112 remark auto generated by CCP firewall configuration
access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1
access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1
access-list 112 permit udp host 10.133.10.7 eq domain any
access-list 112 permit udp host 10.133.10.5 eq domain any
access-list 112 deny ip 62.153.xxx.xxx 0.0.0.7 any
access-list 112 deny ip 10.10.10.0 0.0.0.7 any
access-list 112 deny ip host 255.255.255.255 any
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 permit ip any any
access-list 113 remark CCP_ACL Category=1
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp
access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp
access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx
access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx
access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx
access-list 113 remark auto generated by CCP firewall configuration
access-list 113 permit udp host 194.25.0.60 eq domain any
access-list 113 permit udp host 194.25.0.68 eq domain any
access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx
access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp
access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp
access-list 113 permit esp any host 62.153.xxx.xxx
access-list 113 permit ahp any host 62.153.xxx.xxx
access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
access-list 113 remark Pop3
access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx
access-list 113 remark Pop3
access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx
access-list 113 remark SMTP
access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx
access-list 113 remark IMAP
access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx
access-list 113 deny ip 10.133.10.0 0.0.1.255 any
access-list 113 deny ip 10.10.10.0 0.0.0.7 any
access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply
access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded
access-list 113 permit icmp any host 62.153.xxx.xxx unreachable
access-list 113 deny ip 10.0.0.0 0.255.255.255 any
access-list 113 deny ip 172.16.0.0 0.15.255.255 any
access-list 113 deny ip 192.168.0.0 0.0.255.255 any
access-list 113 deny ip 127.0.0.0 0.255.255.255 any
access-list 113 deny ip host 255.255.255.255 any
access-list 113 deny ip host 0.0.0.0 any
access-list 113 deny ip any any log
access-list 114 remark auto generated by CCP firewall configuration
access-list 114 remark CCP_ACL Category=1
access-list 114 deny ip 10.133.10.0 0.0.1.255 any
access-list 114 deny ip 10.10.10.0 0.0.0.7 any
access-list 114 permit icmp any any echo-reply
access-list 114 permit icmp any any time-exceeded
access-list 114 permit icmp any any unreachable
access-list 114 deny ip 10.0.0.0 0.255.255.255 any
access-list 114 deny ip 172.16.0.0 0.15.255.255 any
access-list 114 deny ip 192.168.0.0 0.0.255.255 any
access-list 114 deny ip 127.0.0.0 0.255.255.255 any
access-list 114 deny ip host 255.255.255.255 any
access-list 114 deny ip host 0.0.0.0 any
access-list 114 deny ip any any log
access-list 115 remark VPN_Sub
access-list 115 remark CCP_ACL Category=5
access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255
access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255
access-list 115 permit ip 10.133.20.0 0.0.0.255 any
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 117 remark CCP_ACL Category=4
access-list 117 remark IPSec Rule
access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 118 remark CCP_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
control-plane
mgcp profile default
line con 0
transport output telnet
line 1
modem InOut
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
session-timeout 45
access-class 110 in
transport input telnet ssh
line vty 5 15
access-class 109 in
transport input telnet ssh
scheduler interval 500
end
The crypto ACL for the site to site vpn should also include the vpn client pool, otherwise, traffic from the vpn client does not match the interesting traffic for the site to site vpn.
On Site A:
should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"
You should also remove the following line as the pool is incorrect:
access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
On Site B:
should include: "permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"
NAT exemption on site B should also be configured with deny on the above ACL.
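The checks described in the reply above can be automated. This is an added example, not code from the thread: it parses IOS-style extended ACL entries and tests whether the client pool is selected by the crypto ACL, whether each site's entries are mirrored on the peer, and whether NAT exemption hits a `deny` first. The "before" site B entry and the NAT ACL are constructed for illustration; the other entries are the ones quoted in the reply.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard_net(addr, wildcard):
    """Turn 'address wildcard' into a network; IOS wildcards are inverted masks."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a contiguous wildcard is always 2**k - 1
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)

def _endpoint(tokens):
    """Consume one source or destination specifier from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0))
    return wildcard_net(tok, tokens.pop(0))

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for the 'permit|deny ip' entries.

    Accepts numbered ('access-list 107 permit ip ...') and named-ACL
    ('permit ip ...') forms; remarks and non-ip entries are skipped.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        action, rest = tokens[0], tokens[2:]
        src = _endpoint(rest)
        dst = _endpoint(rest)
        entries.append((action, src, dst))
    return entries

def selects(acl, src, dst):
    """Action of the first entry that fully covers src -> dst, else None."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None

def missing_mirrors(local_acl, remote_acl):
    """Permit entries in local_acl with no exact (dst, src) mirror on the peer."""
    remote = {(s, d) for a, s, d in remote_acl if a == "permit"}
    return [(s, d) for a, s, d in local_acl if a == "permit" and (d, s) not in remote]

# Networks named in the reply.
POOL = ipaddress.IPv4Network("172.16.100.0/24")       # VPN client pool
SITE_B_LAN = ipaddress.IPv4Network("10.133.34.0/23")  # remote LAN

# Site A crypto ACL: the line the reply removes, then the line it adds.
SITE_A_BEFORE = "access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255"
SITE_A_AFTER = "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"

# Site B crypto ACL: constructed mirror of the old entry, then the reply's entry.
SITE_B_BEFORE = "permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255"
SITE_B_AFTER = "permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"

# Constructed site B NAT ACL: the deny must come before the general permit.
SITE_B_NAT = """\
deny ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255
permit ip 10.133.34.0 0.0.1.255 any
"""

if __name__ == "__main__":
    for label, a_text, b_text in (("before", SITE_A_BEFORE, SITE_B_BEFORE),
                                  ("after", SITE_A_AFTER, SITE_B_AFTER)):
        a, b = parse_acl(a_text), parse_acl(b_text)
        print(label, "pool -> site B selected on A:", selects(a, POOL, SITE_B_LAN))
        print(label, "A entries without mirror on B:", missing_mirrors(a, b))
    print("site B NAT action for LAN -> pool:",
          selects(parse_acl(SITE_B_NAT), SITE_B_LAN, POOL))
```

`selects` only reports an entry that covers the whole source and destination range, so a partially overlapping entry is treated as no match and is worth reviewing by hand.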
Remote Access VPN with existing site-to-site tunnel
Hi there!
I have successfully configured my Cisco router to create a VPN tunnel to Azure. This is working fine. Now I am trying to add a remote access VPN for clients. I want to use IPsec and not PPTP.
I'm not a networking guy, but from what I've read, you basically need to add a dynamic crypto map for the remote access VPN to the crypto map on the external interface (AzureCryptoMap in this case). I've read that the dynamic crypto map should be applied after the non-dynamic maps.
The problem is that the VPN clients do not successfully negotiate phase 1. It's almost like the router does not try the dynamic map. I have tried specifying it to come ahead of the static crypto map policy, but this doesn't change anything. Here is some output from the debugging ipsec and isakmp:
murasaki#
*Oct 6 08:06:43: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (N) NEW SA
*Oct 6 08:06:43: ISAKMP: Created a peer struct for 1.158.149.255, peer port 500
*Oct 6 08:06:43: ISAKMP: New peer created peer = 0x87B97490 peer_handle = 0x80000082
*Oct 6 08:06:43: ISAKMP: Locking peer struct 0x87B97490, refcount 1 for crypto_isakmp_process_block
*Oct 6 08:06:43: ISAKMP: local port 500, remote port 500
*Oct 6 08:06:43: ISAKMP:(0):insert sa successfully sa = 886954D0
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Oct 6 08:06:43: ISAKMP (0): vendor ID is NAT-T v7
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v3
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is XAUTH
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is Unity
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 6 08:06:43: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 6 08:06:43: ISAKMP:(0): processing vendor id payload
*Oct 6 08:06:43: ISAKMP:(0): vendor ID is DPD
*Oct 6 08:06:43: ISAKMP:(0):No pre-shared key with 1.158.149.255!
*Oct 6 08:06:43: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 6 08:06:43: ISAKMP:(0): Authentication by xauth preshared
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Proposed key length does not match policy
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 256
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption AES-CBC
*Oct 6 08:06:43: ISAKMP: keylength of 128
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption 3DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash SHA
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 6 08:06:43: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 6 08:06:43: ISAKMP: life type in seconds
*Oct 6 08:06:43: ISAKMP: life duration (basic) of 3600
*Oct 6 08:06:43: ISAKMP: encryption DES-CBC
*Oct 6 08:06:43: ISAKMP: auth XAUTHInitPreShared
*Oct 6 08:06:43: ISAKMP: hash MD5
*Oct 6 08:06:43: ISAKMP: default group 2
*Oct 6 08:06:43: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 6 08:06:43: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 6 08:06:43: ISAKMP:(0):no offers accepted!
*Oct 6 08:06:43: ISAKMP:(0): phase 1 SA policy not acceptable! (local x.x.x.x remote 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 6 08:06:43: ISAKMP:(0): Failed to construct AG informational message.
*Oct 6 08:06:43: ISAKMP:(0): sending packet to 1.158.149.255 my_port 500 peer_port 500 (R) MM_NO_STATE
*Oct 6 08:06:43: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 6 08:06:43: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP (0): FSM action returned error: 2
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 6 08:06:43: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 1.158.149.255)
*Oct 6 08:06:43: ISAKMP: Unlocking peer struct 0x87B97490 for isadb_mark_sa_deleted(), count 0
*Oct 6 08:06:43: ISAKMP: Deleting peer node by peer_reap for 1.158.149.255: 87B97490
*Oct 6 08:06:43: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 6 08:06:43: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Oct 6 08:06:43: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 6 08:06:47: ISAKMP (0): received packet from 1.158.149.255 dport 500 sport 500 Global (R) MM_NO_STATE
If I specify my key like a site-to-site VPN key like this:
crypto isakmp key xxx address 0.0.0.0
Then it does complete phase 1 (and then fails to find the client configuration). This suggests to me that the dynamic map is not being tried.
Configuration:
! Last configuration change at 07:55:02 AEDT Mon Oct 6 2014 by timothy
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
hostname murasaki
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login client_vpn_authentication local
aaa authorization network default local
aaa authorization network client_vpn_authorization local
aaa session-id common
wan mode dsl
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
ip inspect name normal_traffic tcp
ip inspect name normal_traffic udp
ip domain name router.xxx
ip name-server xxx
ip name-server xxx
ip cef
ipv6 unicast-routing
ipv6 cef
crypto pki trustpoint TP-self-signed-591984024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-591984024
revocation-check none
rsakeypair TP-self-signed-591984024
crypto pki trustpoint TP-self-signed-4045734018
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4045734018
revocation-check none
rsakeypair TP-self-signed-4045734018
crypto pki certificate chain TP-self-signed-591984024
crypto pki certificate chain TP-self-signed-4045734018
object-group network CLOUD_SUBNETS
description Azure subnet
172.16.0.0 255.252.0.0
object-group network INTERNAL_LAN
description All Internal subnets which should be allowed out to the Internet
192.168.1.0 255.255.255.0
192.168.20.0 255.255.255.0
username timothy privilege 15 secret 5 xxx
controller VDSL 0
ip ssh version 2
no crypto isakmp default policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address xxxx no-xauth
crypto isakmp client configuration group VPN_CLIENTS
key xxx
dns 192.168.1.24 192.168.1.20
domain xxx
pool Client-VPN-Pool
acl CLIENT_VPN
crypto isakmp profile Client-VPN
description Remote Client IPSec VPN
match identity group VPN_CLIENTS
client authentication list client_vpn_authentication
isakmp authorization list client_vpn_authorization
client configuration address respond
crypto ipsec transform-set AzureIPSec esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map ClientVPNCryptoMap 1
set transform-set TRANS_3DES_SHA
set isakmp-profile Client-VPN
reverse-route
qos pre-classify
crypto map AzureCryptoMap 12 ipsec-isakmp
set peer xxxx
set security-association lifetime kilobytes 102400000
set transform-set AzureIPSec
match address AzureEastUS
crypto map AzureCryptoMap 65535 ipsec-isakmp dynamic ClientVPNCryptoMap
bridge irb
interface ATM0
mtu 1492
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
spanning-tree portfast
interface FastEthernet2
switchport mode trunk
no ip address
spanning-tree portfast
interface FastEthernet3
no ip address
interface GigabitEthernet0
switchport mode trunk
no ip address
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
description Main LAN
ip address 192.168.1.97 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer1
mtu 1492
ip address negotiated
ip access-group PORTS_ALLOWED_IN in
ip flow ingress
ip inspect normal_traffic out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ipv6 enable
ppp chap hostname xxx
ppp chap password 7 xxx
ppp ipcp route default
no cdp enable
crypto map AzureCryptoMap
ip local pool Client-VPN-Pool 192.168.20.10 192.168.20.15
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat translation timeout 360
ip nat inside source list SUBNETS_AND_PROTOCOLS_ALLOWED_OUT interface Dialer1 overload
ip nat inside source static tcp 192.168.1.43 55663 interface Dialer1 55663
ip nat inside source static tcp 192.168.1.43 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.43 55663 interface Dialer1 55663
ip access-list extended AzureEastUS
permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
ip access-list extended CLIENT_VPN
permit ip 172.16.0.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended PORTS_ALLOWED_IN
remark List of ports which are allowed IN
permit gre any any
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit tcp any any eq 55663
permit udp any any eq 55663
permit tcp any any eq 22
permit tcp any any eq 5723
permit tcp any any eq 1723
permit tcp any any eq 443
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any port-unreachable
permit icmp any any time-exceeded
deny ip any any
ip access-list extended SUBNETS_AND_PROTOCOLS_ALLOWED_OUT
deny tcp object-group INTERNAL_LAN any eq smtp
deny ip object-group INTERNAL_LAN object-group CLOUD_SUBNETS
permit tcp object-group INTERNAL_LAN any
permit udp object-group INTERNAL_LAN any
permit icmp object-group INTERNAL_LAN any
deny ip any any
mac-address-table aging-time 16
no cdp run
ipv6 route ::/0 Dialer1
route-map NoNAT permit 10
match ip address AzureEastUS CLIENT_VPN
route-map NoNAT permit 15
banner motd Welcome to Murasaki
line con 0
privilege level 15
no modem enable
line aux 0
line vty 0
privilege level 15
no activation-character
transport preferred none
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 60000 1000
ntp update-calendar
ntp server au.pool.ntp.org
end
Any ideas on what I'm doing wrong?
Hi Marius,
I finally managed to try with the official Cisco VPN client on Windows. It still fails at phase 1, but now talks about 'aggressive mode', which didn't seem to be mentioned in the previous logs. Any ideas?
*Oct 9 20:43:16: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (N) NEW SA
*Oct 9 20:43:16: ISAKMP: Created a peer struct for 192.168.1.201, peer port 49727
*Oct 9 20:43:16: ISAKMP: New peer created peer = 0x878329F0 peer_handle = 0x80000087
*Oct 9 20:43:16: ISAKMP: Locking peer struct 0x878329F0, refcount 1 for crypto_isakmp_process_block
*Oct 9 20:43:16: ISAKMP: local port 500, remote port 49727
*Oct 9 20:43:16: ISAKMP:(0):insert sa successfully sa = 886697E0
*Oct 9 20:43:16: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): processing ID payload. message ID = 0
*Oct 9 20:43:16: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : timothy
protocol : 17
port : 500
length : 15
*Oct 9 20:43:16: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is XAUTH
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is DPD
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 9 20:43:16: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 9 20:43:16: ISAKMP:(0): processing vendor id payload
*Oct 9 20:43:16: ISAKMP:(0): vendor ID is Unity
*Oct 9 20:43:16: ISAKMP : Scanning profiles for xauth ... Client-VPN
*Oct 9 20:43:16: ISAKMP:(0): Authentication by xauth preshared
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 2 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Hash algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 12 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 13 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 14 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption DES-CBC
*Oct 9 20:43:16: ISAKMP: hash MD5
*Oct 9 20:43:16: ISAKMP: default group 2
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP: life type in seconds
*Oct 9 20:43:16: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
*Oct 9 20:43:16: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxxx remote 192.168.1.201)
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Oct 9 20:43:16: ISAKMP:(0): Failed to construct AG informational message.
*Oct 9 20:43:16: ISAKMP:(0): sending packet to 192.168.1.201 my_port 500 peer_port 49727 (R) AG_NO_STATE
*Oct 9 20:43:16: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 9 20:43:16: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 9 20:43:16: ISAKMP:(0): group size changed! Should be 0, is 128
*Oct 9 20:43:16: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Oct 9 20:43:16: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY
*Oct 9 20:43:16: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 192.168.1.201
*Oct 9 20:43:16: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 192.168.1.201)
*Oct 9 20:43:16: ISAKMP: Unlocking peer struct 0x878329F0 for isadb_mark_sa_deleted(), count 0
*Oct 9 20:43:16: ISAKMP: Deleting peer node by peer_reap for 192.168.1.201: 878329F0
*Oct 9 20:43:16: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 9 20:43:16: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA
*Oct 9 20:43:16: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 9 20:43:21: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE
*Oct 9 20:43:26: ISAKMP (0): received packet from 192.168.1.201 dport 500 sport 49727 Global (R) MM_NO_STATE -
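Triage logic for a debug like the one above, as an added example (not part of the original post): it groups each transform/policy comparison by the attribute the router named as the mismatch and lists the offers rejected on authentication method, which point at a policy whose cipher and hash already line up with the client. The sample lines are a constructed excerpt in the same format, the function names are hypothetical, and reading the mismatch line as the first failed check is an assumption drawn from how this output reads.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the debug output above (shortened).
SAMPLE = """\
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Oct 9 20:43:16: ISAKMP: encryption 3DES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: auth pre-share
*Oct 9 20:43:16: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: keylength of 256
*Oct 9 20:43:16: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Oct 9 20:43:16: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Oct 9 20:43:16: ISAKMP: encryption AES-CBC
*Oct 9 20:43:16: ISAKMP: hash SHA
*Oct 9 20:43:16: ISAKMP: auth XAUTHInitPreShared
*Oct 9 20:43:16: ISAKMP: keylength of 128
*Oct 9 20:43:16: ISAKMP:(0):Proposed key length does not match policy
*Oct 9 20:43:16: ISAKMP:(0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)")
REASON = re.compile(r"ISAKMP:\(\d+\):\s*(.*does not match policy!?)")


def classify(reason):
    """Map a mismatch message to the attribute it names."""
    text = reason.lower()
    if "authentication" in text:
        return "auth"
    if "key length" in text:
        return "keylength"
    if "hash" in text:
        return "hash"
    if "encryption" in text:
        return "encryption"
    return "other"


def parse_offers(log_text):
    """Return one record per 'transform N against priority P' comparison."""
    offers, current = [], None
    for line in log_text.splitlines():
        m = CHECK.search(line)
        if m:
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "attrs": {}, "reason": None, "failed_on": None}
            offers.append(current)
            continue
        if current is None:
            continue  # lines before the first comparison (vendor IDs etc.)
        m = ATTR.search(line)
        if m:
            current["attrs"][m.group(1).replace(" of", "")] = m.group(2)
            continue
        m = REASON.search(line)
        if m:
            current["reason"] = m.group(1)
            current["failed_on"] = classify(m.group(1))
    return offers


def rejection_summary(offers):
    """Count mismatch categories per policy priority."""
    summary = {}
    for o in offers:
        summary.setdefault(o["priority"], Counter())[o["failed_on"]] += 1
    return summary


def near_misses(offers):
    """Transforms the log reports as failing on authentication method, per policy."""
    hits = {}
    for o in offers:
        if o["failed_on"] == "auth":
            hits.setdefault(o["priority"], []).append(o["transform"])
    return hits


if __name__ == "__main__":
    parsed = parse_offers(SAMPLE)
    for prio, counts in sorted(rejection_summary(parsed).items()):
        print(f"policy {prio}: {dict(counts)}  auth-only rejects: {near_misses(parsed).get(prio, [])}")
```

A policy that shows authentication-only rejects is the one to compare against the client's authentication method before touching ciphers or hashes.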
Remote access VPN with Cisco Router - Can not get the Internal Lan.
Dear Sir,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job. Please see the attachment for Scenario, Configuration and Ping status.
I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN - 192.168.1.0. Need your help to solve the issue.
Below are the IP addresses of the devices.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for ping status. So connectivity is OK from my local PC to Remote Router 1 and 2.
Through Cisco remote VPN client, I can get connected with the VPN Router R1 (please see the VPN Client pic.), but cannot ping the network 192.168.1.0.
Need your help to fix the problem.
Router R2 Configuration:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job.
Please see the attachment for Scenario, Configuration and Ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN - 192.168.1.0. Need your help to solve the issue.
Waiting for your response.
--Milon
-
Hi,
I am new to using EWS managed APIs.
Following is the issue:
1. I am using a service account e.g. [email protected]. This user is a global administrator and also has the ApplicationImpersonation role assigned. (Sign into Online Office 365 account -> Admin -> select "Exchange" tab -> select Permissions on the left panel -> create an impersonation role -> assign ApplicationImpersonation in Roles: and [email protected] in Members: -> click on Save)
2. Create a calendar item by another user, e.g. [email protected], and invite an attendee - [email protected].
3. In a C# program, I connect to the EWS service using a service account - [email protected], and fetch its calendar events. If the organizer of an event is some other user - [email protected] - then I use impersonation in the following way to update the calendar event/item properties - subject, body text etc.
private static void Impersonate(string organizer)
{
    string impersonatedUserSMTPAddress = organizer;
    ImpersonatedUserId impersonatedUserId =
        new ImpersonatedUserId(ConnectingIdType.SmtpAddress, impersonatedUserSMTPAddress);
    // Subsequent EWS calls on this service object run as the organizer
    service.ImpersonatedUserId = impersonatedUserId;
}
4. It was working fine till yesterday afternoon. Suddenly, it started throwing an exception "Access is denied. Check credentials and try again." whenever I try to update that event.
private static void FindAndUpdate(ExchangeService service)
{
    CalendarView cv = new CalendarView(DateTime.Now, DateTime.Now.AddDays(30));
    cv.MaxItemsReturned = 25;
    try
    {
        FindItemsResults<Item> masterResults = service.FindItems(WellKnownFolderName.Calendar, cv);
        foreach (Appointment item in masterResults.Items)
        {
            if (item is Appointment)
            {
                Appointment masterItem = item as Appointment;
                if (!masterRecurEventIDs.Contains(masterItem.ICalUid.ToString()))
                {
                    masterItem.Load();
                    if (!masterItem.Subject.Contains(" (Updated content)"))
                    {
                        // Impersonate organizer to update and save for further use
                        Impersonate(masterItem.Organizer.Address.ToString());
                        // Update the subject and body
                        masterItem.Subject = masterItem.Subject + " (Updated content)";
                        string currentBodyType = masterItem.Body.BodyType.ToString();
                        masterItem.Body = masterItem.Body.Text + "\nUpdated Body Info: xxxxxxxxxxxx";
                        // This results in an UpdateItem operation call to EWS.
                        masterItem.Update(ConflictResolutionMode.AutoResolve);
                        // Send updated notification to organizer of an appointment
                        CreateAndSendEmail(masterItem.Organizer.Address.ToString(), masterItem.Subject);
                        masterRecurEventIDs.Add(masterItem.ICalUid.ToString());
                    }
                    else
                    {
                        Console.WriteLine("Event is already updated. No need to update again.:\r\n");
                        Console.WriteLine("Subject: " + masterItem.Subject);
                        Console.WriteLine("Description: " + masterItem.Body.Text);
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine("Error: " + ex.Message);
    }
}
5. What could be the issue here? Initially I thought maybe it's a throttling policy which is stopping the same user after making a certain number of API calls for the day, but I am still seeing this issue today.
Any help is appreciated.
Thanks
Your logic doesn't sound correct here, e.g.
2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected]
3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
When you're connecting to [email protected] mailbox the only user that can make changes to items within abc's calendar is abc (or abc's delegates). If you're impersonating the organizer of the appointment, pqr, that wouldn't work unless the organizer had rights to abc's calendar. If you want to make updates to a calendar appointment like that you should connect to the organizer's mailbox first, update the original, send updates and then accept the updates.
When you impersonate, you're impersonating the security context of the mailbox you're impersonating, so it's the same as logging on as that user in OWA or Outlook.
Cheers
Glen