Deny packets from routers
Hello!
Some users bring their own wifi routers to work and connect them to our network instead of a computer (cloning the IP & MAC addresses).
Is it possible to determine that packets pass through such a router and deny them using ASA 5515 with PRSM?
Thanks!
Thanks for your answer Collin!
Now we don't have Cisco switches.
Please, can you tell me how to do this? Give me a link to a manual or something.
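Whether a packet has passed through an extra router can be inferred from the IP TTL: every router decrements it by one, so a host behind a wifi router that clones a PC's IP and MAC address still arrives one hop farther away than its directly attached neighbours, and a NAT router with several machines behind it often shows several different TTLs coming from one address. The Python below is an added example, not code from this thread and not a Cisco feature: it runs that heuristic over a constructed list of (source IP, TTL) pairs such as a capture on the ASA's inside interface would give. The sample addresses and TTLs are made up, and nothing in the thread says the ASA 5515 or PRSM evaluates TTL this way, so treat it as an analysis step done on a capture rather than a firewall policy.

```python
"""Spot hosts that reach the firewall through an extra, unmanaged hop (TTL heuristic)."""
from collections import defaultdict

# Common initial TTLs: 64 (Linux, macOS, most consumer routers), 128 (Windows), 255 (network gear).
INITIAL_TTLS = (64, 128, 255)


def hops_from_ttl(ttl: int) -> int:
    """Estimate how many routers decremented this TTL, assuming the nearest common default."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} out of range")


def find_hidden_routers(packets, expected_hops: int = 0) -> dict:
    """
    packets: iterable of (source_ip, ttl) observed on the inside interface.
    expected_hops: routers legitimately between those hosts and the capture point
                   (0 when the hosts sit on the directly attached subnet).
    Returns {source_ip: [reasons]} for sources that look like a router hiding other machines.
    """
    ttls_by_src = defaultdict(set)
    for src, ttl in packets:
        ttls_by_src[src].add(ttl)

    findings = {}
    for src, ttls in sorted(ttls_by_src.items()):
        reasons = []
        # A router between the host and us decrements the TTL once more than we expect.
        if any(hops_from_ttl(t) > expected_hops for t in ttls):
            reasons.append("TTL one hop farther away than the local segment")
        # Several distinct TTLs from one address: several OS stacks sharing it (NAT).
        if len(ttls) > 1:
            reasons.append(f"multiple initial TTLs seen: {sorted(ttls)}")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample of what a capture on the inside interface might contain (made-up addresses).
SAMPLE = [
    ("10.0.5.10", 64), ("10.0.5.10", 64),   # Linux box, directly attached
    ("10.0.5.23", 63), ("10.0.5.23", 127),  # one address, two OSes, each one hop away: NAT router
    ("10.0.5.31", 128),                     # Windows box, directly attached
    ("10.0.5.40", 127),                     # single host behind a router (or a host with a lowered TTL)
]

if __name__ == "__main__":
    for src, reasons in find_hidden_routers(SAMPLE).items():
        print(src, "->", "; ".join(reasons))
```

The heuristic is only as good as the assumption about initial TTLs: a host configured with a non-default TTL, or a router that rewrites TTL on the way out, is misclassified, and a user who knows about the check can raise the router's TTL by one. Use it to find candidates to investigate, not as an enforcement control; where there are no managed switches to apply port security or 802.1X at the access layer, as the follow-up above says, that is the realistic starting point.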
Similar Messages
-
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players:(Note: first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection when trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
description COMPANY-B VPN
set peer 4.5.6.228
set transform-set COMPANY-B01
set pfs group2
match address 190
interface FastEthernet0/0
ip address 1.2.3.8 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.
Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on the
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unencapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior. -
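What the IOS message "decrypted packet failed SA identity check" tests is whether the inner IP header of a packet just decrypted under an inbound SA falls inside that SA's negotiated identities, the local ident and remote ident lines that show crypto ipsec sa prints (here 1.2.3.161/32 and 4.5.7.0/24, with protocol and port 0 meaning any). The Python below is an added example, not IOS code and not something from the thread: it parses a tunnel-mode inner packet and applies that comparison to constructed TCP SYNs. The hand-decoded packet described in the reply above (4.5.7.29 to 1.2.3.161) passes it, as does one from 4.5.7.94; a source on an RFC 1918 interface, the possibility the reply raises, a source in 9.10.11.0/24 (which belongs to the other flow's SA) and a wrong local host all fail. The SA identities and SPI are taken from the thread's output; the packets are constructed, with zero checksums, and are not meant to be sent.

```python
"""Apply an IPsec SA's identity (proxy ID) check to a decrypted tunnel-mode packet."""
import ipaddress
import struct
from dataclasses import dataclass

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"       # sport, dport, seq, ack, data offset, flags, window, csum, urgent


@dataclass(frozen=True)
class Ident:
    """One side of an SA identity as 'show crypto ipsec sa' prints it: addr/mask/prot/port (0 = any)."""
    network: ipaddress.IPv4Network
    proto: int = 0
    port: int = 0

    @classmethod
    def parse(cls, text: str) -> "Ident":
        addr, mask, prot, port = text.split("/")
        return cls(ipaddress.IPv4Network(f"{addr}/{mask}"), int(prot), int(port))

    def covers(self, addr: ipaddress.IPv4Address, proto: int, port: int) -> bool:
        return addr in self.network and self.proto in (0, proto) and self.port in (0, port)


@dataclass(frozen=True)
class InboundSA:
    spi: int
    local: Ident    # what the inner destination must match (our side)
    remote: Ident   # what the inner source must match (peer side)


def parse_inner_ipv4(payload: bytes) -> dict:
    """Minimal parse of the inner IPv4 header (plus TCP/UDP ports) of a decrypted ESP payload."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, payload[:20])
    if vihl >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (vihl & 0x0F) * 4
    sport = dport = 0
    if proto in (6, 17) and len(payload) >= ihl + 4:   # TCP or UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "sport": sport, "dport": dport}


def sa_identity_check(sa: InboundSA, decrypted: bytes) -> bool:
    """Inbound direction: inner source inside the remote ident, inner destination inside the local ident."""
    p = parse_inner_ipv4(decrypted)
    return sa.remote.covers(p["src"], p["proto"], p["sport"]) and sa.local.covers(p["dst"], p["proto"], p["dport"])


def build_inner(src: str, dst: str, sport: int = 40000, dport: int = 22) -> bytes:
    """Constructed IPv4 + TCP SYN for the demo (checksums left zero; not meant to be sent)."""
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# The inbound SA from the thread's 'show crypto ipsec sa' output.
SA = InboundSA(spi=0xD9D2EBBB,
               local=Ident.parse("1.2.3.161/255.255.255.255/0/0"),
               remote=Ident.parse("4.5.7.0/255.255.255.0/0/0"))


def demo() -> dict:
    """True = passes the identity check; False = dropped and counted in the decaps 'drop' counter."""
    return {
        "4.5.7.94 -> 1.2.3.161 (working host)": sa_identity_check(SA, build_inner("4.5.7.94", "1.2.3.161")),
        "4.5.7.29 -> 1.2.3.161 (failing host, as hand-decoded)": sa_identity_check(SA, build_inner("4.5.7.29", "1.2.3.161")),
        "10.20.30.40 -> 1.2.3.161 (RFC 1918 interface)": sa_identity_check(SA, build_inner("10.20.30.40", "1.2.3.161")),
        "9.10.11.5 -> 1.2.3.161 (other flow's SA)": sa_identity_check(SA, build_inner("9.10.11.5", "1.2.3.161")),
        "4.5.7.29 -> 1.2.3.162 (wrong local host)": sa_identity_check(SA, build_inner("4.5.7.29", "1.2.3.162")),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'pass' if ok else 'DROP'}  {label}")
```

One caveat the example cannot show: IOS makes the comparison against the SA that the inbound SPI maps to, so the identities in force are the ones the peer negotiated for that SPI. On a policy-based peer such as the Juniper, where each policy pair (0x309a and 0x309b above) negotiates its own Phase 2 SA with its own proxy IDs, an inner packet that looks right in isolation still fails if the peer encrypted it under an SA whose proxy IDs do not cover it. Checking the inner header alone, as the reply above did by hand, does not tell you which SA the peer used.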
13017 Received TACACS+ packet from unknown Network Device or AAA Client
I am adding new routers to our Corporate network for a new MPLS network. I am getting 13017 Received TACACS+ packet from unknown Network Device or AAA Client errors for these new routers. They are added to ACS 5.4.0.30 correctly just like all of our other devices. We have never had real routers on the network before, just switches and access points. Is there something special I need to set in ACS for these to work and authenticate correctly? I can only access them currently with the built-in local login.
One of the new router configs
Current configuration : 2370 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname T666
boot-start-marker
boot-end-marker
enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
voice-card 0
crypto pki trustpoint TP-self-signed-2699490457
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2699490457
revocation-check none
rsakeypair TP-self-signed-2699490457
username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
interface FastEthernet0/0
ip address 10.114.2.1 255.255.255.0
ip helper-address 10.30.101.4
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1/0
ip address X.X.X.X 255.255.255.252
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl ansi
no cdp enable
router bgp 65065
no synchronization
bgp log-neighbor-changes
network 10.114.2.0 mask 255.255.255.0
neighbor X.X.X.X remote-as 209
neighbor X.X.X.X default-originate
default-information originate
no auto-summary
ip forward-protocol nd
ip bgp-community new-format
ip http server
ip http authentication aaa
ip http secure-server
ip tacacs source-interface FastEthernet0/0
no logging trap
tacacs-server host 10.30.101.221 key 7 1429005B5C502225
tacacs-server host 10.30.101.222 key 7 1429005B5C502225
tacacs-server directed-request
control-plane
banner exec ^CC
C
Login OK
^C
banner motd ^CC
C
** UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED. USE OF
** THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
** RUAN Transport Corporation
** Network Services
** [email protected]
** 515.245.2512
^C
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
transport input all
line vty 5 15
exec-timeout 30 0
scheduler allocate 20000 1000
end
T666#
AAA Protocol > TACACS+ Authentication Details
Date :
September 19, 2014
Generated on September 19, 2014 10:21:27 AM CDT
Authentication Details
Status:
Failed
Failure Reason:
13017 Received TACACS+ packet from unknown Network Device or AAA Client
Logged At:
Sep 19, 2014 10:21 AM
ACS Time:
Sep 19, 2014 10:21 AM
ACS Instance:
acs01
Authentication Method:
Authentication Type:
Privilege Level:
User
Username:
Remote Address:
Network Device
Network Device:
Network Device IP Address:
10.114.2.1
Network Device Groups:
Access Policy
Access Service:
Identity Store:
Selected Shell Profile:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule :
Identity Policy Matched Rule:
Selected Identity Stores:
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:
Other
ACS Session ID:
Service:
AV Pairs:
Response Time:
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=359
Device Port=59840
Protocol=Tacacs
Authentication Result
Steps
Received TACACS+ packet from unknown Network Device or AAA Client
Additional Details
-
How do I make a Datagram Packet from a String?
I am looking to make a Datagram Packet from a string. If I send a command to a server that allows remote connections via UDP, such as "restart" it will restart the server. I can accomplish this easily through the fput() method of PHP.
I want a Java version of my utility, and am using the DatagramSocket and DatagramPacket classes. I see that I need to make a byte array and put it inside a DatagramPacket. How would I go about putting the string "restart" into a byte array?
Thanks,
Use the following code to send a Datagram:
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;

// This class sends the specified text as a datagram to port 6010 of the
// specified host.
public class UDPSend {
    static final int port = 6010;

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.out.println("Usage: java UDPSend <hostname> <message>");
            System.exit(0);
        }
        // Get the internet address of the specified host
        InetAddress address = InetAddress.getByName(args[0]);
        // Convert the message to an array of bytes. Naming the charset avoids
        // depending on the platform default; String.getBytes(int, int, byte[], int)
        // is deprecated and drops the high byte of every char.
        byte[] message = args[1].getBytes(StandardCharsets.UTF_8);
        // Initialize the packet with data and address
        DatagramPacket packet = new DatagramPacket(message, message.length, address, port);
        // Create a socket, send the packet through it, and close the socket afterwards.
        try (DatagramSocket socket = new DatagramSocket()) {
            socket.send(packet);
        }
    }
}
This uses arguments; if you want a string, change the code accordingly. -
Deny access from deleting *.txt file?
HI all,
I have created a *.txt file from Xcode with Objective-C using NSFileManager. Also I gave permission to this file like below,
[NSDictionary dictionaryWithObject:[NSNumber numberWithUnsignedLong:0000u] forKey:NSFilePosixPermissions];
so that there are no read/write permissions. This is working fine too.
Apart from the above, I want to deny users from deleting this file. How can I specify this in Objective-C? Please help.
Thanks
Athira
Hi Athira,
You'll have more luck in getting a response to this if you post it on the Apple Developer Forums.
devforums.apple.com
You need to be a registered (and paid) up member to access the developer forums.
Good luck! -
Error -1074360271 occurred at IMAQdx Start Acquisition.vi
NI-IMAQdx: (Hex 0xBFF69031) The system did not receive a test packet from the camera. The packet size may be too large for the network configuration or a firewall may be enabled.
Bruce Ammons wrote:
Did you try disabling test packets? I know Basler cameras have a "Enable Test Packets" setting buried in Advanced Network settings or something like that. You have to change the setting in MAX to show all settings instead of just acquisition, then locate the setting. I have been told regularly that the setting must be turned off for Basler cameras to work properly. Perhaps your camera has the same setting and the same requirement.
Bruce
A very specific firmware revision for certain Basler cameras had an issue where the test packet would not be sent for certain packet sizes and certain specific conditions, causing a false report of a test packet failure when a normal acquisition would in fact succeed. However, this was fixed in later firmware revisions and I have never seen a similar issue on any other types of cameras.
Aside from this specific case, if a test packet fails, it generally means an acquisition will as well. Given that Pleora's software can acquire, we can rule out networking topology and hardware, assuming you are using the same packet size as the Pleora software is. The only other thing that would seem a likely candidate would be a software issue like a firewall or some other filter driver that is interfering with IMAQdx receiving the data.
Eric -
TACACS+ packet from unknown Network Device or AAA Client
Hi all,
I can't perform login using the credential set at ACS server, From the log it shown:
"Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client"
I know there are some changes on the TACACS+ part for the new Catalyst IOS, so I referred to the guide and this is my config snippet:
aaa group server tacacs+ TAC_PLUS
server name AUTH
tacacs server AUTH
address ipv4 10.10.21.251
key xxxxxx
aaa authentication login TAC_PLUS group tacacs+ local line
aaa authorization exec TAC_PLUS group tacacs+ none
aaa authorization commands 15 default if-authenticated
aaa accounting update periodic 1
aaa accounting exec TAC_PLUS start-stop group tacacs+
aaa accounting network TAC_PLUS start-stop group tacacs+
aaa accounting connection TAC_PLUS start-stop group tacacs+
My platform is
- C6500 running on IOS 12.2 (33) SXJ1
- ACS 5.2.0.26
Need guidance on this, thanks
Noel
Hello,
Is the appropriate IOS IP address defined on the Network Devices and AAA Clients for the ACS? If yes, which IP address is reported on the ACS Failure that includes the error "TACACS+ packet from unknown Network Device or AAA Client"? Is the ACS reporting the IP address as unknown when it is already defined appropriately?
Regards. -
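Both 13017 threads on this page turn on the same ACS behaviour. ACS identifies the sending device by the source IP address of the TACACS+ TCP connection (the first thread's router pins that address with ip tacacs source-interface FastEthernet0/0, and the ACS report duly shows 10.114.2.1 as the Network Device IP Address), and it has to do that lookup before anything else, because the device entry is where the shared key lives: without a matching entry there is no key to de-obfuscate the body with, so the packet is rejected with 13017 whether or not the key on the router is right. The Python below is an added example, not ACS or IOS code and not from either thread: it builds an RFC 8907 TACACS+ authentication START packet with the standard MD5 pad obfuscation, then runs the server-side steps in the order that produces the error. The device table, shared key, user, port and session ID are constructed; 10.114.2.1 and the 10.30.101.0/24 range are taken from the first thread's configuration. Nothing here decodes the type 7 key strings pasted in that configuration.

```python
"""RFC 8907 TACACS+: build an authentication START, then validate it the way a server must."""
import hashlib
import ipaddress
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear (never in production)
HEADER = "!BBBB4sI"                # version, type, seq_no, flags, session_id, body length
START = "!8B"                      # action, priv_lvl, authen_type, authen_service, 4 field lengths


class UnknownDeviceError(Exception):
    """ACS message 13017: no Network Device / AAA Client entry matches the source address."""


def keystream(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Body obfuscation pad from RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call reverses it."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: str, port: str, rem_addr: str) -> bytes:
    """First packet of an ASCII login: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack(START, 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    sid = struct.pack("!I", session_id)
    seq_no = 1
    header = struct.pack(HEADER, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, sid, len(body))
    return header + obfuscate(body, sid, key, TAC_PLUS_VERSION, seq_no)


def lookup_device(devices: dict, src_ip: str) -> bytes:
    """Longest-prefix match of the client's source IP against configured devices; returns that device's key."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, key in devices.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, key)
    if best is None:
        raise UnknownDeviceError(
            f"13017 Received TACACS+ packet from unknown Network Device or AAA Client ({src_ip})")
    return best[1]


def server_parse_start(packet: bytes, src_ip: str, devices: dict) -> dict:
    """Server side: identify the device by source IP first, then de-obfuscate and parse the START body."""
    key = lookup_device(devices, src_ip)          # no device entry means no key, hence 13017
    version, ptype, seq_no, flags, sid, length = struct.unpack(HEADER, packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a well-formed authentication packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, sid, key, version, seq_no)
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack(START, body[:8])
    if 8 + ul + pl + rl + dl != length:           # a wrong key turns the lengths into noise
        raise ValueError("field lengths do not add up: wrong shared key?")
    user = body[8:8 + ul].decode()
    port = body[8 + ul:8 + ul + pl].decode()
    rem = body[8 + ul + pl:8 + ul + pl + rl].decode()
    return {"session_id": sid.hex(), "action": action, "priv_lvl": priv,
            "user": user, "port": port, "rem_addr": rem}


# Constructed demo data: the key, user and session ID are made up; the addresses follow the first thread.
KEY = b"example-shared-key"
PACKET = build_authen_start(0x1A2B3C4D, KEY, "netadmin", "tty2", "10.114.2.50")


def demo():
    """Same packet, same router address (10.114.2.1), before and after the device is defined in ACS."""
    before = {"10.30.101.0/24": b"unrelated-key"}       # only the ACS servers' own subnet is known
    after = {**before, "10.114.2.1/32": KEY}           # the new router added with its shared key
    try:
        server_parse_start(PACKET, "10.114.2.1", before)
        first = "accepted"
    except UnknownDeviceError as e:
        first = str(e)
    return first, server_parse_start(PACKET, "10.114.2.1", after)


if __name__ == "__main__":
    first, parsed = demo()
    print("before:", first)
    print("after: ", parsed)
```

The order of the two checks is the practical point when troubleshooting 13017: confirm that the address ACS reports in the failed-authentication record is the one the device entry (or the IP range covering it) actually contains, and only then worry about the key. A wrong key shows up differently, as the length check in server_parse_start illustrates, because the body de-obfuscates to garbage rather than the device being unknown.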
Not encrypted dot1x packet from 0012.f0b9.87c3 has been discarded
I have a very basic config to setup wireless on on an 857W router.
When I get connected the log fills up the the following message.
Not encrypted dot1x packet from 0012.f0b9.87c3 has been discarded
What is causing this?
Config below
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
no aaa new-model
dot11 ssid TESTSSID_1
vlan 10
max-associations 10
authentication open
authentication key-management wpa
wpa-psk ascii 0 mywpapskpwd
dot11 ssid TESTSSID_2
vlan 20
max-associations 10
authentication open
authentication key-management wpa
wpa-psk ascii 0 mytestpassword
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1
ip dhcp pool HOME_1
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
ip dhcp pool HOME_2
network 10.20.0.0 255.255.255.0
default-router 10.20.0.3
ip cef
archive
log config
hidekeys
bridge irb
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
interface Dot11Radio0
no ip address
no ip route-cache cef
no ip route-cache
encryption vlan 10 mode ciphers tkip
encryption vlan 20 mode ciphers tkip
broadcast-key change 60
ssid TESTSSID_1
ssid TESTSSID_2
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel 2452
station-role root
world-mode dot11d country GB both
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
interface Vlan1
ip address 10.7.12.219 255.255.255.0
interface Vlan10
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1400
bridge-group 10
hold-queue 100 out
interface Vlan20
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1400
bridge-group 20
hold-queue 100 out
interface BVI10
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface BVI20
ip address 10.20.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.7.12.254
no ip http server
no ip http secure-server
control-plane
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
login
scheduler max-task-time 5000
end
Router#
Too funny... I get clients complain to me about issues and they have drivers that are from 2003 or 2004.
Now all you have to do is make sure all other devices are on the same firmware. Makes troubleshooting sooooooo much easier. -
Create one player to play RTP packets from many clients
Hi,
Am a JMF newbie and I want to create one player to play packets from many clients.
So I wrote a small UDPserver thread within the app to receive rtp packets from the clients on the LAN which in turn forwards them to the player.
I instatiated two threads one to forward RTP packets and another to forward RTCP packets which listens on RTPPort+1
The reason why i do this is that i don't want the whole internet to bombard the player with anonymous voice transmissions.So the server thread is acting as a firewall. To filter out packets from from unknown ip addresses.
this is a snippet of the player.
MY_IPADDRESS = InetAddress.getLocalHost().getHostAddress();
url = "rtp://" + MY_IPADDRESS + ":" + RTPPlayer.PORT + "/audio/1";
MediaLocator mrl = new MediaLocator(url);
player = Manager.createPlayer(mrl);
More code which starts the server thread
if (player != null) {
player.addControllerListener(this);
player.realize();
player.start();
When the server thread receives the packet it calls its forward method to forward the packet to the player by resetting only the IP and PORT.
// Called by the server thread for every datagram it accepts from a known client.
public void forward(DatagramPacket rtpPacket) throws IOException {
    // print out packet info to view which packets are being received
    System.out.println("forwarding " + request.getAddress() + " -> " + MY_IPADDRESS + ":" + portToSend);
    // set address of packet to MY_IPADDRESS
    rtpPacket.setAddress(InetAddress.getByName(RTPPlayer.MY_IPADDRESS));
    // set the port to the rtp port
    rtpPacket.setPort(RTPPlayer.PORT);
    // hand the unchanged RTP payload to the local player
    datagramSocket.send(rtpPacket);
}
This works fine for two clients.
When the clients become three(c1, c2 and c3),
two clients communicate well(c1 and c2) but c3's voice cannot be heard on any other pc(c1 or c2) though it plays voice from both c1 and c2.
But System.out.println("forwarding "+request.getAddress() + " -> " + MY_IPADDRESS+":"+portToSend);in the forward() method shows that packets from all clients on each pc are being received.
Does any one have an idea why this happens?
Are the packets so many that they overwhelm the player so it discards some or all?
Is this the best way of doing this?
Just to let u know all the mics are working fine.
Thx in advance
Edited by: noryak on Oct 29, 2008 10:29 AM
THAT IS MY MAIN PROBLEM. In the future, please do a little bit of research before you shout at people trying to help you. I'm so so sorry if you find my answer bothersome because it sheds some light on the fact that you have absolutely no idea what you're doing.
Your problem is that you obviously do not understand how JMF works...and you obviously haven't bothered to do any sort of research into it.
You also don't seem to understand the concept of streaming media, concurrency, politeness, good design, proper programming, audio interleaving, or common sense.
At least i have implemented a player playing packets from 2 different clients.
Yeah, you implemented a player that plays packets from 2 different clients using a horrible workaround that doesn't treat the data correctly and manages to just drop data after scaling past 2 clients.
Oh yeah, you've definitely found the holy grail there. At least.
You wanna know what your player is actually doing? It's playing a piece of data from A, and then a piece of data from B. It might sound like it's playing them both at the same time, but it's not. It's playing the data from one client in the gaps where there's no data, and once you've filled up the gaps in time by adding more nodes, you'll end up with data getting dropped (and that's the best case scenario).
my issue is that i wouldn't like to create a player for each participant imagine they were people in a conference that makes it 10 players.
Please understand that if you have 10 players, you'll receive 10 times as much data as you can play with one player. You end up either having to drop 90% of your data, or having to play the data at 1/10th the speed... because you're not mixing the audio data, you're interleaving it.
I just want to use one standard port on each client so that all clients send to the same port:
The RTPManager class will allow you to receive as many streams as you want on a single port.
As a matter of fact, had you bothered to play with any of the source code readily available online, you'd realize there is a file that does exactly what you want.
[http://java.sun.com/javase/technologies/desktop/media/jmf/2.1.1/solutions/AVReceive2.java]
It handles receiving multiple RTP streams from a single port, and plays them all simultaneously using an array of player objects.
Does absolutely everything you want, out of the box.
That sounds like a lot of threads
If you're concerned that it's too many threads, well, maybe you should stick to hello world and other things less scary. Concurrent data processing requires threads...one per piece of concurrent data, as a matter of fact, and you're dealing with a lot of streams of concurrent data here. -
Can't Stop packet from transmitting and unable to understand packet format
I have used JPcap library for capturing the packet. But I can't block the packet from transmitting. How can I stop packet from reaching destination.
Another problem is that in the example given I get the packet but am unable to understand it; it looks like this:
(raw packet payload pasted as unprintable bytes, rendered as dots; the binary content is not recoverable from the post)
Can anyone help me?
Actually, I am a 4th-year student in the Computer Science field and I am doing a project on Internet access control, but I can't work out how to stop a packet from reaching its destination. Is there any other library available for this?
-
I have just noticed that after an upgrade of the image and ASDM to 911 and 711, the implicit deny ACL is missing from the outside interface. Is this deliberate or a poor upgrade? I am upgrading from 8.25 normally, depending on what the reseller sends me.
Should this be happening or am I upgrading in too large a jump?
Thanks,
David
Hi,
I would really like to see some screen capture / output of the thing you are referring to.
I imagine that you are perhaps referring to something related to ASDM? I don't personally use ASDM at all for ASA configurations, so I am not up to date on the possible problems it might have or changes made to its interface.
I am not sure if you have an ACL attached to the "outside" interface? If so then I think the ASDM should show the Implicit Deny at the end, while this won't show on the CLI side at all.
I did just check my own ASA at home, which is running 9.0(2) and ASDM 7.1(2) at the moment, and it doesn't show an Implicit Deny for my LAN or WAN interface ACLs.
Though the basic ACL operation is still in effect: if it's not allowed in the ACL then it's blocked by the implicit deny. This can be confirmed with a "packet-tracer" test on your firewall also.
- Jouni -
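Jouni's point about the implicit deny, modelled in code. This is an added example, not anything from the thread or from Cisco: a small first-match evaluator for the subset of ASA "access-list ... extended" syntax used in the constructed sample config below. The ACL name OUTSIDE, the interface name and the RFC 5737 addresses are assumptions; object-groups, port ranges and ICMP types are not parsed, and the no-ACL case (where the ASA falls back to security-level rules) is out of scope.

```python
"""Model of how an ASA evaluates an interface ACL: first match wins, and a
packet that matches no ACE is dropped by the implicit deny at the end of the
list even though no 'deny' line appears in the running config.

Added example, not Cisco code. Handles only 'access-list NAME extended
(permit|deny) PROTO SRC DST [eq PORT]' with SRC/DST as 'any', 'host A.B.C.D'
or 'A.B.C.D NETMASK'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# A few named ports the ASA accepts after 'eq'; numeric ports also work.
_PORTS = {"http": 80, "https": 443, "domain": 53, "ssh": 22}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the ACE has no 'eq PORT' clause


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a subnet mask here (255.255.255.0), not an IOS wildcard.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines, name):
    """Return the ACEs of access-list NAME in configuration order."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = _PORTS.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation; returns (action, index of the matching ACE).

    A packet that matches nothing returns ("deny", None): that is the implicit
    deny, which exists even though no deny line is configured."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# Constructed sample config (documentation addresses), not from the post.
SAMPLE_CONFIG = """
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE extended permit udp 198.51.100.0 255.255.255.0 host 203.0.113.20 eq 53
access-group OUTSIDE in interface outside
""".strip().splitlines()

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, "OUTSIDE")
    for pkt in [("tcp", "192.0.2.7", "203.0.113.10", 443),
                ("tcp", "192.0.2.7", "203.0.113.10", 22),
                ("udp", "198.51.100.9", "203.0.113.20", 53)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The second packet (TCP/22 to a host that only has 443 opened) is the case the original poster was worried about: nothing in the list denies it explicitly, and it is still dropped. On a real box the same check is "packet-tracer input outside tcp 192.0.2.7 12345 203.0.113.10 22", whose last phase shows the implicit rule as the drop reason.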
Access List (ACL) to Block Russian and Chinese Nets From Routers
I see people asking if there are premade ACLs to block Chinese and Russian nets from their edge routers. Since I spent so much time creating entries for them based on information received from http://www.ipdeny.com/ipblocks/ I decided to share them. They are in the attached Word docs.
There are a lot of entries, but since it is in a standard ACL it should not tax your routers too greatly.
Sean Odom
Sybex/Wiley Cisco Author
Well, I'd rather not tax the IPS even further for something that the edge router should be capable of taking care of. Especially since the source of the traffic should be denied at the closest managed point.
If you do not want this traffic coming inbound, the closest point for some would be the edge router. Others may only have their firewall as the closest manageable point.
My suggestion to those that do not manage their edge router would be to compile a list such as the one listed above, then send it to your provider requesting that they place it on their router. Of course this may become a double-edged sword in a sense: if there is legitimate traffic from one of these source IP addresses that you identify down the road, it might be a hassle to get the block resolved.
Or, you can also apply these right there on your firewall as well.
Thank you for providing this list! -
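How a list like the attached one is generated, as an added example rather than Sean's actual documents: a Python script that turns a CIDR block list in the one-prefix-per-line format ipdeny.com publishes into Cisco IOS standard ACL entries, merging overlapping prefixes first so the router walks fewer lines. The ACL number 10, the interface name and the sample prefixes (documentation ranges, not real country allocations) are assumptions.

```python
"""Turn a CIDR block list (one prefix per line, '#' comments allowed) into
Cisco IOS standard ACL entries.

Added example, not from the original post or its attachments. The ACL number,
the interface name and the constructed prefixes are assumptions.
"""
import ipaddress


def wildcard(net):
    """IOS standard ACLs take a wildcard (inverse) mask, not a subnet mask."""
    return str(net.hostmask)


def cidr_to_ace(acl_number, net):
    """One 'access-list N deny ...' line for a network; a /32 uses 'host'."""
    if net.prefixlen == 32:
        return f"access-list {acl_number} deny host {net.network_address}"
    return f"access-list {acl_number} deny {net.network_address} {wildcard(net)}"


def build_acl(cidr_text, acl_number=10):
    """Parse the block list, drop comments and blank lines, collapse
    overlapping or adjacent prefixes, and emit the ACL.

    The trailing 'permit any' is required: a standard ACL also ends in an
    implicit deny, so without it the interface would drop all traffic."""
    nets = []
    for line in cidr_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    merged = list(ipaddress.collapse_addresses(nets))
    lines = [cidr_to_ace(acl_number, n) for n in merged]
    lines.append(f"access-list {acl_number} permit any")
    return lines


def apply_commands(acl_number, interface):
    """Apply the ACL inbound on the edge interface (assumed interface name)."""
    return [f"interface {interface}", f" ip access-group {acl_number} in"]


# Constructed sample block list using documentation prefixes, not real data.
SAMPLE_BLOCKLIST = """
# constructed example list
192.0.2.0/24
192.0.2.128/25   # covered by the /24 above and merged away
198.51.100.0/25
198.51.100.128/25
203.0.113.7/32
"""

if __name__ == "__main__":
    for cmd in build_acl(SAMPLE_BLOCKLIST) + apply_commands(10, "GigabitEthernet0/0"):
        print(cmd)
```

Two caveats that follow from the thread: this is IOS syntax (an ASA wants a named extended ACL with subnet masks instead of wildcards), and because the list is applied inbound with a blanket "permit any" at the end, the only way to let a legitimate source through later is to add a more specific permit above its deny line, which is the hassle the reply above warns about.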
ASA 5505 remote vpn - not receiving packets from ASA
I am having a problem configuring a remote VPN between an ASA 5505 and Cisco VPN client v5. I can successfully establish a connection between the ASA and the VPN client and receive an IP address from the ASA. The VPN client statistics window shows that packets are sent and encrypted but none of the packets are received/decrypted. Any ideas on what I have missed?
Thanks in advance for any help, M
crypto isakmp nat-traversal
Please rate helpful posts. -
"access denied" error from Java Web Start
I can successfully download the jar file, but always get the error message "access denied" when the Java application tries to open a local file in C:\temp\poc1.xml.
I can successfully execute the Java application from DOS, but it fails when using Java Web Start. The error message is as follows:
Java Web Start Console, started Wed Nov 28 16:30:31 PST 2001
Java 2 Runtime Environment: Version 1.3.1 by Sun Microsystems Inc.
java.security.AccessControlException: access denied (java.io.FilePermission C:\temp\poc1.xml read)
    at org.apache.xerces.framework.XMLParser.parse(Unknown Source)
    at org.apache.xerces.framework.XMLParser.parse(Unknown Source)
    at com.hotlocker.client.HLSessionParser.parse(Unknown Source)
    at com.hotlocker.client.UploadDownloadClient.uploadFiles(Unknown Source)
    at com.hotlocker.client.UploadDownload.main(Unknown Source)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.sun.javaws.Launcher.executeApplication(Unknown Source)
    at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
    at com.sun.javaws.Launcher.continueLaunch(Unknown Source)
    at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
    at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
    at com.sun.javaws.Launcher.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Hi,
you can't open a file like in a "normal" app
because a JWS app runs in the restricted
sandbox environment by default.
So you either sign your app with a digital certificate
or you use the special FileOpenService (JNLP API).
You could also put the file into the app jar and
load it via a classloader.
Regards,
Mathias -
[SOLVED] Weird new access denied error from Samba
This just started when I did a system upgrade last week (from samba 3.4.3-something to 3.5.2-something).
The hardware: the server is Arch, of course; the workstation 2 feet away is Windows XP connected by ethernet to a cheap Gateway brand switch.
The filesystem: a folder called /pub with owner set to my primary (non-root) login and group set to the household group, perms 775 so both owner and group have full rw perms. Also /tmp, owned by root:root with perms 777. /pub has a symbolic link to /tmp so you can use /pub/tmp as a fully writeable junk area on the network.
The shares: /pub is given smb.conf parameters public=yes, writable=yes, create mask=0775
The login: My XP box has a login that makes it a member of the family group
Up until the upgrade, this all worked fine. The XP box could attach the public share (drive P:) and go to P:\tmp when I wanted to save a temp file, knowing that it would be erased when I reboot the server.
Now, the public share still works great in that I can go to drive P: and all the subdirectories within and read/write to my heart's content... EXCEPT the symbolic link to /tmp. When I try CD P:\tmp
I get
Access is denied.
The same thing happens on my Windows 7 VM (running on the linux box), so it's not XP. Other than the upgrade from 3.4 to 3.5, nothing else in the above environment has changed.
Yes, I know there are numerous workarounds. I could create an actual /pub/tmp folder and include that in the reboot purge... but it's the principle of the thing. I shouldn't HAVE to do that.
Any thoughts on what's broken and how to fix it, or do I need to take this to the Samba folks? I always try here first in case it's an arch-specific problem...
Last edited by WyoPBS (2010-04-29 20:12:38)
Thanks! That wasn't the answer, but it prompted me to do some more hunting. Turns out the latest upgrade fixes a security hole: enabling UNIX extensions automatically disables wide links. Since I did not define UNIX extensions, it defaults to yes, so even explicitly adding wide links = yes to smb.conf did not fix the problem.
http://www.linuxquestions.org/questions … ks-801633/
Looks like I can have one or the other, but not both. So I have to decide which is more important to me. Or create the folder /pub/tmp and symlink /tmp to it rather than the other way around.
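A quick audit of what the poster ran into, as an added example that is not part of the thread or of the Samba project: the script parses an smb.conf and reports, per share, whether "wide links" is actually in effect, applying the rule the poster found (from Samba 3.4.6/3.5 on, "unix extensions = yes", the default, forces wide links off whatever smb.conf says). Both sample configs are constructed; the "wide links = no" default is the 3.5 default, and only these two parameters are modelled.

```python
"""Report whether Samba will actually follow symlinks that leave a share.

Added example, not from the thread or the Samba project. It encodes one rule:
'wide links' is forced off whenever 'unix extensions' is on (global-only
parameter, default yes). Only these two parameters, the [global] defaults and
per-share overrides of 'wide links' are modelled.
"""
import configparser


def _bool(value, default):
    """Samba accepts yes/true/1 (case-insensitive); absent means the default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def _load(smb_conf_text):
    # interpolation=None: smb.conf values contain '%U'-style substitutions.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf_text)
    return cp


def effective_wide_links(smb_conf_text, share):
    """Return (wide_links_configured, wide_links_effective) for one share."""
    cp = _load(smb_conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    s = cp[share] if cp.has_section(share) else {}
    unix_ext = _bool(g.get("unix extensions"), True)                  # default yes
    configured = _bool(s.get("wide links", g.get("wide links")), False)  # default no (3.5+)
    return configured, configured and not unix_ext


def audit(smb_conf_text):
    """For every share, say what the admin asked for and what they got."""
    report = {}
    for share in _load(smb_conf_text).sections():
        if share == "global":
            continue
        configured, effective = effective_wide_links(smb_conf_text, share)
        if configured and not effective:
            report[share] = "wide links requested but disabled by unix extensions = yes"
        elif effective:
            report[share] = "wide links active: symlinks may point outside the share"
        else:
            report[share] = "wide links off"
    return report


# Constructed configs: the first is the poster's attempted fix, the second
# trades UNIX extensions for working wide links.
CONF_AS_POSTED = """
[global]
   workgroup = HOME
[pub]
   path = /pub
   public = yes
   writable = yes
   create mask = 0775
   wide links = yes
"""

CONF_FIXED = """
[global]
   workgroup = HOME
   unix extensions = no
[pub]
   path = /pub
   wide links = yes
"""

if __name__ == "__main__":
    for label, conf in (("as posted", CONF_AS_POSTED), ("fixed", CONF_FIXED)):
        print(label, audit(conf))
```

The "fixed" config is exactly the trade-off the poster describes: turning UNIX extensions off gets P:\tmp working again, at the cost of losing them for Linux/Mac clients, and with the share now following symlinks to anywhere the smbd user can read. Creating a real /pub/tmp and pointing /tmp at it keeps both the extensions and the restriction.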