Deny packets from routers

Hello!
Some users bring their own wifi routers to work and connect them to our network instead of a computer (cloning the computer's IP & MAC addresses).
Is it possible to determine that packets pass through such a router and deny them using an ASA 5515 with PRSM?
Thanks!

Thanks for your answer Collin!
Now we don't have Cisco switches.
Please, can you tell me how to do this? Give me a link to a manual or something.
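One way to look for such routers from the traffic itself, as an added example that is not part of this thread and not an ASA or PRSM feature: a host behind a personal NAT router shows a TTL one below an OS default, and several operating systems sharing one IP/MAC show mixed TTL families. The script runs that heuristic over constructed "src_ip src_mac ttl" records (the kind you would export from a packet capture); a hit is a candidate to verify on the switch port, not proof, since VMs, containers and hosts with non-default TTLs trigger it too.

```python
from collections import defaultdict

# Initial TTL values set by common operating systems (Linux/macOS 64,
# Windows 128, many network devices 255). A packet that crossed one extra
# routing hop, e.g. a personal wifi router doing NAT, arrives with its
# initial TTL decremented by one.
DEFAULT_TTLS = {64, 128, 255}
DECREMENTED_TTLS = {t - 1 for t in DEFAULT_TTLS}


def parse_records(text):
    """Parse constructed 'src_ip src_mac ttl' lines into (ip, mac, ttl) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, ttl = line.split()
        records.append((ip, mac.lower(), int(ttl)))
    return records


def ttl_family(ttl):
    """Map an observed TTL back to the OS default it most likely started from."""
    if ttl in DEFAULT_TTLS:
        return ttl
    if ttl in DECREMENTED_TTLS:
        return ttl + 1
    return None  # unknown family: non-standard TTL or more than one hop away


def find_nat_suspects(records):
    """Return {ip: [reasons]} for source IPs whose TTLs suggest a router
    sits between the host and the capture point."""
    ttls_by_ip = defaultdict(set)
    for ip, _mac, ttl in records:
        ttls_by_ip[ip].add(ttl)

    suspects = {}
    for ip, ttls in ttls_by_ip.items():
        reasons = []
        decremented = sorted(t for t in ttls if t in DECREMENTED_TTLS)
        if decremented:
            reasons.append("ttl one below an OS default: %s" % decremented)
        # Two different initial-TTL families behind one address means several
        # operating systems share it: the classic signature of a NAT router.
        families = {ttl_family(t) for t in ttls} - {None}
        if len(families) > 1:
            reasons.append("mixed TTL families %s behind one address" % sorted(ttls))
        if reasons:
            suspects[ip] = reasons
    return suspects


# Constructed sample: one Windows host, one NAT router hiding a Linux and a
# Windows client, one Linux host, and one Windows host behind a router.
SAMPLE_RECORDS = """
10.0.5.21 00:11:22:33:44:55 128
10.0.5.21 00:11:22:33:44:55 128
10.0.5.42 aa:bb:cc:dd:ee:01 63
10.0.5.42 aa:bb:cc:dd:ee:01 127
10.0.5.77 aa:bb:cc:dd:ee:02 64
10.0.5.90 aa:bb:cc:dd:ee:03 127
"""


def demo():
    """Run the heuristic over the constructed records."""
    return find_nat_suspects(parse_records(SAMPLE_RECORDS))


if __name__ == "__main__":
    for ip, reasons in sorted(demo().items()):
        print(ip, "->", "; ".join(reasons))
```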

Similar Messages

  • Getting "IPSEC(epa_des_crypt): decrypted packet failed SA identity check" messages on packets from only one of two far-end sources sharing the same tunnel, the other source works fine. What exactly does this error mean?

    One computer at COMPANY-A is attempting to communicate with two
    computers located at COMPANY-B, via an IPsec tunnel between the
    two companies.
    All communications are via TCP protocol.
    All devices present public IP addresses to one another, although they
    may have RFC 1918 addresses on other interfaces, and NAT may be in use
    on the COMPANY-B side.  (NAT is not being used on the COMPANY-A side.)
    The players: (Note: first three octets have been changed for security reasons)
    COMPANY-A computer      1.2.3.161
    COMPANY-A router        1.2.3.8 (also IPsec peer)
    COMPANY-A has 1.2.3.0/24 with no subnetting.
    COMPANY-B router        4.5.6.228 (also IPsec peer)
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    COMPANY-B has 4.5.6.0/23 subnetted in various ways.
    COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
    What works:
    The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
    tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
    The "show crypto session detail" command shows Inbound/Outbound packets
    flowing in the dec'ed and enc'ed positions.
    What doesn't:
    When the COMPANY-A computer 1.2.3.161 attempts to communicate
    via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
    the COMPANY-A router eventually reports five of these messages:
    Oct  9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    and the "show crypto session detail" shows inbound packets being dropped.
    The COMPANY-A computer that opens the TCP connection never gets past the
    SYN_SENT phase of the TCP connection when trying to communicate with the
    COMPANY-B computer #2, and the repeated error messages are the retries of
    the SYN packet.
    On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
    a 3725, and some 76xx routers were tried, all with similar behavior,
    with packets from one far-end computer passing fine, and packets from
    another far-end computer in the same netblock passing through the same
    IPsec tunnel failing with the "failed SA identity" error.
    The COMPANY-A computer directs all packets headed to COMPANY-B via the
    COMPANY-A router at 1.2.3.8 with this set of route settings:
    netstat -r -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    4.5.7.0         1.2.3.8         255.255.255.0   UG        0 0          0 eth3
    1.2.3.8.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
    10.1.0.0        0.0.0.0         255.255.240.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
    10.0.0.0        10.1.1.1        255.0.0.0       UG        0 0          0 eth0
    0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth3
    The first route line shown is selected for access to both COMPANY-B computers.
    The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
    configuration:
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
    crypto map COMPANY-BMAP1 10 ipsec-isakmp
    description COMPANY-B VPN
    set peer 4.5.6.228
    set transform-set COMPANY-B01
    set pfs group2
    match address 190
    interface FastEthernet0/0
    ip address 1.2.3.8 255.255.255.0
    no ip redirects
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map COMPANY-BMAP1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.2.3.1
    ip route 10.0.0.0 255.0.0.0 10.1.1.1
    ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
    access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
    access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
    bridge 1 protocol ieee
    One of the routers tried had this IOS/hardware configuration:
    Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
    RELEASE SOFTWARE (fc2)
    Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
    Processor board ID XXXXXXXXXXXXXXX
    R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
    2 FastEthernet interfaces
    4 ATM interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    55K bytes of NVRAM.
    31296K bytes of ATA System CompactFlash (Read/Write)
    250368K bytes of ATA Slot0 CompactFlash (Read/Write)
    Configuration register is 0x2102
    #show crypto sess
    Crypto session current status
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:06:26:27
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
            Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
    Version 6.1 (ScreenOS)
    We only have a limited view into the Juniper device configuration.
    What we were allowed to see was:
    COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
    set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
    set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx  proposal "pre-g2-3des-sha"
    set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
    set policy id 2539 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
    set policy id 2500 from "Trust" to "Untrust"  "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
    set policy id 2541 from "Trust" to "Untrust"  "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
    set policy id 2540 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
    COMPANY-B-ROUTER(M)->
    I suspect that this curious issue is due to a configuration setting on the
    Juniper device, but neither party has seen this error before.  COMPANY-B
    operates thousands of IPsec VPNs and they report that this is a new error
    for them too.  The behavior that allows traffic from one IP address to
    work and traffic from another to end up getting this error is also unique.
    As only the Cisco side emits any error message at all, this is the only
    clue we have as to what is going on, even if this isn't actually an IOS
    problem.
    What we are looking for is a description of exactly what the Cisco
    IOS error message:
    IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    is complaining about, and if there are any known causes of the behavior
    described that occur when running IPsec between Cisco IOS and a Juniper
    SSG device.  Google reports many other incidents of the same error
    message (but not the "I like that IP address but hate this one" behavior),
    and not just with a Juniper device on the COMPANY-B end, but for those cases,
    not one was found where the solution was described.
    It is hoped that with a better explanation of the error message
    and any known issues with Juniper configuration settings causing
    this error, we can have COMPANY-B make adjustments to their device.
    Or, if there is a setting change needed on the COMPANY-A router,
    that can also be implemented.
    Thanks in advance for your time in reading this, and any ideas.

    Hello Harish,
    It is believed that:
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    both have at least two network interfaces, one with a public IP address
    (which we are supposedly conversing with) and one with a RFC 1918 type
    address.   COMPANY-B is reluctant to disclose details of their network or
    servers setup, so this is not 100% certain.
    Because of that uncertainty, it occurred to me that perhaps COMPANY-B
    computer #2 might be incorrectly routing via the RFC 1918 interface.
    In theory, such packets should have been blocked by the access-list on both
    COMPANY-A router, and should not have even made it into the IPsec VPN
    if the Juniper access settings work as it appears they should.  So I turned up
    debugging on COMPANY-A router so that I could see the encrypted and
    decrypted packet hex dumps.
    I then hand-disassembled the decoded ACK packet IP header received just
    prior to the "decrypted packet failed SA check" error being emitted and
    found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
    in the unencapsulated packet.  I also found the expected port numbers of the TCP
    conversation that was trying to be established in the TCP header.  So, it
    looks like COMPANY-B computer #2 is emitting the packets out the right
    interface.
    The IP packet header of the encrypted packet showed the IP addresses of the
    two routers at each terminus of the IPsec VPN, but since I don't know what triggers
    the "SA check" error message or what it is complaining about, I don't know what
    other clues to look for in the packet dumps.
    As to your second question, "can you check whether both encapsulation and
    decapsulation happening in 'show crypto ipsec sa'",   the enc'ed/dec'ed
    counters were both going up by the correct quantities.  When communicating
    with the uncooperative COMPANY-B computer #2, you would also see the
    received Drop increment for each packet decrypted.  When communicating
    with the working COMPANY-B computer #1, the Drop counters would not
    increment, and the enc'ed/dec'ed would both increment.
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:54
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
            Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
    Attempt a TCP communication to COMPANY-B computer #2...
    show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:23
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
            Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
    Note Inbound "drop" changed from 5 to 6.  (I didn't let it sit for all
    the retries.)
    #show crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
       current_peer 4.5.6.228 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
        #pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 3, #recv errors 6
         local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xDF2CC59C(3744253340)
      inbound esp sas:
          spi: 0xD9D2EBBB(3654478779)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDF2CC59C(3744253340)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    The "send" errors appear to be related to the tunnel reverting to a
    DOWN state after periods of inactivity, and you appear to get one
    each time the tunnel has to be re-negotiated and returned to
    an ACTIVE state.  There is no relationship between Send errors
    incrementing and working/non-working TCP conversations to the
    two COMPANY-B servers.
    Thanks for pondering this very odd behavior.
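What the IOS message is checking, as an added illustration that is not from the post or from Cisco: after ESP decapsulation the inner IP header is compared with the local/remote ident of the SA the packet arrived on (selected by its SPI), and a mismatch is dropped and counted as a recv error rather than as dec'ed, which is why the post's drop counter moves while dec'ed does not. The SA table is built from the selectors in the post's output, the SPI for the 9.10.11.0/24 SA is a placeholder, and the constructed packets only show how a packet whose inner addresses look right can still fail when it is carried on a different SA; this is not a claim about the actual cause in the post.

```python
import ipaddress

# Inbound SAs keyed by SPI, with the proxy identities (selectors) negotiated
# for each. The first SPI is the one shown in the post; the second SPI is a
# placeholder, since the post's output only shows the 4.5.7.0/24 SA's SPI.
INBOUND_SAS = {
    0xD9D2EBBB: {"local": "1.2.3.161/32", "remote": "4.5.7.0/24"},
    0x0BADCAFE: {"local": "1.2.3.161/32", "remote": "9.10.11.0/24"},  # placeholder
}


def identity_check(spi, inner_src, inner_dst, sas=INBOUND_SAS):
    """Emulate the post-decryption selector check: the decapsulated packet's
    inner source must fall inside the SA's remote ident and its inner
    destination inside the SA's local ident. Returns (ok, reason)."""
    sa = sas.get(spi)
    if sa is None:
        return False, "no inbound SA for spi 0x%08X" % spi
    src = ipaddress.ip_address(inner_src)
    dst = ipaddress.ip_address(inner_dst)
    if src not in ipaddress.ip_network(sa["remote"]):
        return False, "inner src %s outside remote ident %s" % (src, sa["remote"])
    if dst not in ipaddress.ip_network(sa["local"]):
        return False, "inner dst %s outside local ident %s" % (dst, sa["local"])
    return True, "selectors match"


def tally(packets, sas=INBOUND_SAS):
    """Count packets the way 'show crypto sess det' does: a packet that
    passes the identity check is dec'ed, one that fails is a drop."""
    deced = dropped = 0
    failures = []
    for spi, src, dst in packets:
        ok, reason = identity_check(spi, src, dst, sas)
        if ok:
            deced += 1
        else:
            dropped += 1
            failures.append((src, dst, reason))
    return deced, dropped, failures


# Constructed decrypted packets: (inbound SPI, inner source, inner destination).
SAMPLE_PACKETS = [
    (0xD9D2EBBB, "4.5.7.94", "1.2.3.161"),      # computer #1 on its SA: matches
    (0xD9D2EBBB, "4.5.7.29", "1.2.3.161"),      # computer #2 on the same SA: matches
    (0x0BADCAFE, "4.5.7.29", "1.2.3.161"),      # same addresses, carried on the other SA: fails
    (0xD9D2EBBB, "192.168.1.29", "1.2.3.161"),  # RFC 1918 source leaked into the tunnel: fails
    (0xD9D2EBBB, "4.5.7.29", "1.2.3.8"),        # addressed to the router, not the host: fails
]


def demo():
    """Tally the constructed packets against the SA table."""
    return tally(SAMPLE_PACKETS)


if __name__ == "__main__":
    deced, dropped, failures = demo()
    print("dec'ed %d drop %d" % (deced, dropped))
    for src, dst, reason in failures:
        print("  %s -> %s: %s" % (src, dst, reason))
```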

  • 13017 Received TACACS+ packet from unknown Network Device or AAA Client

    I am adding new routers to our Corporate network for a new MPLS network.  I am getting 13017 Received TACACS+ packet from unknown Network Device or AAA Client errors for these new routers.  They are added to ACS 5.4.0.30 correctly just like all of our other devices.  We have never had real routers on the network before, just switches and access points.  Is there something special I need to set in ACS for these to work and authenticate correctly?  I can only access them currently with the built-in login locally.
    One of the new router configs
    Current configuration : 2370 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname T666
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa session-id common
    clock timezone CST -6
    clock summer-time CDT recurring
    ip cef
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    voice-card 0
    crypto pki trustpoint TP-self-signed-2699490457
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2699490457
     revocation-check none
     rsakeypair TP-self-signed-2699490457
    username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
    interface FastEthernet0/0
     ip address 10.114.2.1 255.255.255.0
     ip helper-address 10.30.101.4
     duplex auto
     speed auto
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial0/1/0
     ip address X.X.X.X 255.255.255.252
     no fair-queue
     service-module t1 timeslots 1-24
     service-module t1 remote-alarm-enable
     service-module t1 fdl ansi
     no cdp enable
    router bgp 65065
     no synchronization
     bgp log-neighbor-changes
     network 10.114.2.0 mask 255.255.255.0
     neighbor X.X.X.X remote-as 209
     neighbor X.X.X.X default-originate
     default-information originate
     no auto-summary
    ip forward-protocol nd
    ip bgp-community new-format
    ip http server
    ip http authentication aaa
    ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    no logging trap
    tacacs-server host 10.30.101.221 key 7 1429005B5C502225
    tacacs-server host 10.30.101.222 key 7 1429005B5C502225
    tacacs-server directed-request
    control-plane
    banner exec ^CC
    C
    Login OK
    ^C
    banner motd ^CC
    C
    **  UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED.  USE OF
    **  THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
    **  RUAN Transport Corporation
    **  Network Services
    **  [email protected]
    **  515.245.2512
    ^C
    line con 0
    line aux 0
    line vty 0 4
     exec-timeout 30 0
     transport input all
    line vty 5 15
     exec-timeout 30 0
    scheduler allocate 20000 1000
    end
    T666#

    AAA Protocol > TACACS+ Authentication Details
    Date :
    September 19, 2014
    Generated on September 19, 2014 10:21:27 AM CDT
    Authentication Details
    Status:
    Failed
    Failure Reason:
    13017 Received TACACS+ packet from unknown Network Device or AAA Client
    Logged At:
    Sep 19, 2014 10:21 AM
    ACS Time:
    Sep 19, 2014 10:21 AM
    ACS Instance:
    acs01
    Authentication Method:
    Authentication Type:
    Privilege Level:
    User
    Username:
    Remote Address:
    Network Device
    Network Device:
    Network Device IP Address:
    10.114.2.1
    Network Device Groups:
    Access Policy
    Access Service:
    Identity Store:
    Selected Shell Profile:
    Active Directory Domain:
    Identity Group:
    Access Service Selection Matched Rule :
    Identity Policy Matched Rule:
    Selected Identity Stores:
    Query Identity Stores:
    Selected Query Identity Stores:
    Group Mapping Policy Matched Rule:
    Authorization Policy Matched Rule:
    Authorization Exception Policy Matched Rule:
    Other
    ACS Session ID:
    Service:
    AV Pairs:
    Response Time:
    Other Attributes:
    ACSVersion=acs-5.3.0.40-B.839 
    ConfigVersionId=359 
    Device Port=59840 
    Protocol=Tacacs
    Authentication Result
    Steps
    Received TACACS+ packet from unknown Network Device or AAA Client
    Additional Details

  • How do I make a Datagram Packet from a String?

    I am looking to make a Datagram Packet from a string. If I send a command to a server that allows remote connections via UDP, such as "restart" it will restart the server. I can accomplish this easily through the fput() method of PHP.
    I want a Java version of my utility, and am using the DatagramSocket and DatagramPacket classes. I see that I need to make a byte array and put it inside a DatagramPacket. How would I go about putting the string "restart" into a byte array?
    Thanks,

    Use the following code to send a Datagram:
    import java.io.*;
    import java.net.*;
    // This class sends the specified text as a datagram to port 6010 of the
    // specified host.
    public class UDPSend {
        static final int port = 6010;
        public static void main(String args[]) throws Exception {
            if (args.length != 2) {
                System.out.println("Usage: java UDPSend <hostname> <message>");
                System.exit(0);
            }
            // Get the internet address of the specified host
            InetAddress address = InetAddress.getByName(args[0]);
            // Convert the message to an array of bytes (UTF-8 encoded)
            byte[] message = args[1].getBytes("UTF-8");
            int msglen = message.length;
            // Initialize the packet with data and address
            DatagramPacket packet = new DatagramPacket(message, msglen,
                                   address, port);
            // Create a socket, send the packet through it, and release it.
            DatagramSocket socket = new DatagramSocket();
            socket.send(packet);
            socket.close();
        }
    }
    This uses arguments; if you want a string, change the code accordingly.

  • Deny access from deleting *.txt file?

    HI all,
    I have created a *.txt file from Xcode with Objective-C using NSFileManager. Also I gave permission to this file like below,
    [NSDictionary dictionaryWithObject:[NSNumber numberWithUnsignedLong:0000u] forKey:NSFilePosixPermissions];
    so that there are no read/write permissions. This is working fine too.
    Apart from the above, I want to deny users from deleting this file. How can I specify this in Objective-C? Please help.
    Thanks
    Athira

    Hi Athira,
    You'll have more luck in getting a response to this if you post it on the Apple Developer Forums.
    devforums.apple.com
    You need to be a registered (and paid) up member to access the developer forums.
    Good luck!

  • When I try to use the Vision Acquisition vi, I get an error message saying that " The system did not receive a test packet from the camera."

    Error -1074360271 occurred at IMAQdx Start Acquisition.vi
    NI-IMAQdx: (Hex 0xBFF69031) The system did not receive a test packet from the camera. The packet size may be too large for the network configuration or a firewall may be enabled.

    Bruce Ammons wrote:
    Did you try disabling test packets?  I know Basler cameras have an "Enable Test Packets" setting buried in Advanced Network settings or something like that.  You have to change the setting in MAX to show all settings instead of just acquisition, then locate the setting.  I have been told regularly that the setting must be turned off for Basler cameras to work properly.  Perhaps your camera has the same setting and the same requirement.
    Bruce
    A very specific firmware revision for certain Basler cameras had an issue where the test packet would not be sent for certain packet sizes and certain specific conditions, causing a false report of a test packet failure when a normal acquisition would in fact succeed. However, this was fixed in later firmware revisions and I have never seen a similar issue on any other types of cameras. 
    Aside from this specific case, if a test packet fails, it generally means an acquisition will as well. Given that Pleora's software can acquire, we can rule out networking topology and hardware, assuming you are using the same packet size as the Pleora software is. The only other thing that would seem a likely candidate would be a software issue like a firewall or some other filter driver that is interfering with IMAQdx receiving the data.
    Eric

  • TACACS+ packet from unknown Network Device or AAA Client

    Hi all,
    I can't perform login using the credentials set at the ACS server. From the log it shows:
    "Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client"
    I know there are some changes on the TACACS+ part for the new Catalyst IOS, so I referred to the guide and this is my config snippet:
    aaa group server tacacs+ TAC_PLUS
    server name AUTH
    tacacs server AUTH
    address ipv4 10.10.21.251
    key xxxxxx
    aaa authentication login TAC_PLUS group tacacs+ local line
    aaa authorization exec TAC_PLUS group tacacs+ none
    aaa authorization commands 15 default if-authenticated
    aaa accounting update periodic 1
    aaa accounting exec TAC_PLUS start-stop group tacacs+
    aaa accounting network TAC_PLUS start-stop group tacacs+
    aaa accounting connection TAC_PLUS start-stop group tacacs+
    My platform is
    - C6500 running on IOS 12.2 (33) SXJ1
    - ACS 5.2.0.26
    Need guidance on this, thanks
    Noel

    Hello,
    Is the appropriate IOS IP address defined on the Network Devices and AAA Clients for the ACS? If yes, which IP address is reported on the ACS Failure that includes the error "TACACS+ packet from unknown Network Device or AAA Client"? Is the ACS reporting the IP address as unknown when it is already defined appropriately?
    Regards.

  • Not encrypted dot1x packet from 0012.f0b9.87c3 has been discarded

    I have a very basic config to setup wireless on on an 857W router.
    When I get connected the log fills up with the following message.
    Not encrypted dot1x packet from 0012.f0b9.87c3 has been discarded
    What is causing this?
    Config below
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    dot11 ssid TESTSSID_1
    vlan 10
    max-associations 10
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 mywpapskpwd
    dot11 ssid TESTSSID_2
    vlan 20
    max-associations 10
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 mytestpassword
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.100.1
    ip dhcp pool HOME_1
    network 192.168.100.0 255.255.255.0
    default-router 192.168.100.1
    ip dhcp pool HOME_2
    network 10.20.0.0 255.255.255.0
    default-router 10.20.0.3
    ip cef
    archive
    log config
    hidekeys
    bridge irb
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    spanning-tree portfast
    interface FastEthernet2
    spanning-tree portfast
    interface FastEthernet3
    interface Dot11Radio0
    no ip address
    no ip route-cache cef
    no ip route-cache
    encryption vlan 10 mode ciphers tkip
    encryption vlan 20 mode ciphers tkip
    broadcast-key change 60
    ssid TESTSSID_1
    ssid TESTSSID_2
    speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
    channel 2452
    station-role root
    world-mode dot11d country GB both
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.10
    encapsulation dot1Q 10 native
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 spanning-disabled
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 spanning-disabled
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    interface Vlan1
    ip address 10.7.12.219 255.255.255.0
    interface Vlan10
    no ip address
    ip virtual-reassembly
    ip tcp adjust-mss 1400
    bridge-group 10
    hold-queue 100 out
    interface Vlan20
    no ip address
    ip virtual-reassembly
    ip tcp adjust-mss 1400
    bridge-group 20
    hold-queue 100 out
    interface BVI10
    ip address 192.168.100.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface BVI20
    ip address 10.20.0.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.7.12.254
    no ip http server
    no ip http secure-server
    control-plane
    bridge 10 protocol ieee
    bridge 10 route ip
    bridge 20 protocol ieee
    bridge 20 route ip
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    scheduler max-task-time 5000
    end
    Router#

    Too funny... I get clients complain to me about issues and they have drivers that are from 2003 or 2004.
    Now all you have to do is make sure all other devices are on the same firmware. Makes troubleshooting sooooooo much easier.

  • Create one player to play RTP packets from many clients

    Hi,
    I am a JMF newbie and I want to create one player to play packets from many clients.
    So I wrote a small UDP server thread within the app to receive RTP packets from the clients on the LAN, which in turn forwards them to the player.
    I instantiated two threads, one to forward RTP packets and another to forward RTCP packets, which listens on RTPPort+1.
    The reason why I do this is that I don't want the whole internet to bombard the player with anonymous voice transmissions. So the server thread is acting as a firewall, to filter out packets from unknown IP addresses.
    this is a snippet of the player.
    MY_IPADDRESS = InetAddress.getLocalHost().getHostAddress();
    url = "rtp://" + MY_IPADDRESS + ":" + RTPPlayer.PORT + "/audio/1";
    MediaLocator mrl = new MediaLocator(url);
    player = Manager.createPlayer(mrl);
    More code which starts the server thread
    if (player != null) {
        player.addControllerListener(this);
        player.realize();
        player.start();
    }
    When the server thread receives the packet it calls its forward method to forward the packet to the player by resetting only the IP and PORT.
    public void forward(DatagramPacket rtpPacket) throws IOException {
        // print out packet info to view which packets are being received
        System.out.println("forwarding " + request.getAddress() + " -> " + MY_IPADDRESS + ":" + portToSend);
        // set address of packet to MY_IPADDRESS
        rtpPacket.setAddress(InetAddress.getByName(RTPPlayer.MY_IPADDRESS));
        // set the port to the rtp port
        rtpPacket.setPort(RTPPlayer.PORT);
        datagramSocket.send(rtpPacket);
    }
    This works fine for two clients.
    When the clients become three (c1, c2 and c3), two clients communicate well (c1 and c2) but c3's voice cannot be heard on any other PC (c1 or c2), though it plays voice from both c1 and c2.
    But the System.out.println("forwarding "+request.getAddress() + " -> " + MY_IPADDRESS+":"+portToSend); in the forward() method shows that packets from all clients are being received on each PC.
    Does anyone have an idea why this happens?
    Are the packets so many that they overwhelm the player so it discards some or all?
    Is this the best way of doing this?
    Just to let you know, all the mics are working fine.
    Thx in advance
    Edited by: noryak on Oct 29, 2008 10:29 AM

    "THAT IS MY MAIN PROBLEM."
    In the future, please do a little bit of research before you shout at people trying to help you. I'm so so sorry if you find my answer bothersome because it sheds some light on the fact that you have absolutely no idea what you're doing.
    Your problem is that you obviously do not understand how JMF works... and you obviously haven't bothered to do any sort of research into it.
    You also don't seem to understand the concept of streaming media, concurrency, politeness, good design, proper programming, audio interleaving, or common sense.
    "At least i have implemented a player playing packets from 2 different clients."
    Yeah, you implemented a player that plays packets from 2 different clients using a horrible workaround that doesn't treat the data correctly and manages to just drop data after scaling past 2 clients.
    Oh yeah, you've definitely found the holy grail there. At least.
    You wanna know what your player is actually doing? It's playing a piece of data from A, and then a piece of data from B. It might sound like it's playing them both at the same time, but it's not. It's playing the data from one client in the gaps where there's no data, and once you've filled up the gaps in time by adding more nodes, you'll end up with data getting dropped (and that's the best case scenario).
    "my issue is that i wouldn't like to create a player for each participant imagine they were people in a conference that makes it 10 players."
    Please understand that if you have 10 players, you'll receive 10 times as much data as you can play with one player. You end up either having to drop 90% of your data, or having to play the data at 1/10th the speed... because you're not mixing the audio data, you're interleaving it.
    "I just want to use one standard port on each client so that all clients send to the same port"
    The RTPManager class will allow you to receive as many streams as you want on a single port.
    As a matter of fact, had you bothered to play with any of the source code readily available online, you'd realize there is a file that does exactly what you want.
    [http://java.sun.com/javase/technologies/desktop/media/jmf/2.1.1/solutions/AVReceive2.java]
    It handles receiving multiple RTP streams from a single port, and plays them all simultaneously using an array of player objects.
    Does absolutely everything you want, out of the box.
    "That sounds like a lot of threads"
    If you're concerned that it's too many threads, well, maybe you should stick to hello world and other things less scary. Concurrent data processing requires threads... one per piece of concurrent data, as a matter of fact, and you're dealing with a lot of streams of concurrent data here.

  • Can't Stop packet from transmitting and unable to understand packet format

    I have used the JPcap library for capturing packets, but I can't block a packet from transmitting. How can I stop a packet from reaching its destination?
    Another problem is that in the example given I get the packet but am unable to understand it; it looks like this:
    Can anyone help me?

    Actually, I am a 4th year student in the Computer Science field and I am doing a project on Internet Control access, but I can't get how to stop a packet from reaching its destination. Is there any other library available for this?

  • Why is implicit deny missing from outside int incoming access rules after upgrade from 8.25 to 9.1?

    I have just noticed that after upgrade of image and ASDM to 911 and 711, the implicit deny ACL is missing from the outside interface. Is this deliberate or a poor upgrade? I am upgrading from 8.25 normally, depends what the reseller sends me.
    Should this be happening or am I upgrading in too large a jump?
    thanks,
    david

    Hi,
    Would really like to see some screen capture / output of the thing you are referring to.
    I imagine that you are perhaps referring to something related to ASDM? I don't personally really use ASDM at all for ASA configurations, so I am not up to date on the possible problems it might have or changes made to its interface.
    I am not sure if you have an ACL attached to the "outside" interface? If so then I think the ASDM should show the Implicit Deny at the end, while this won't show on the CLI side at all.
    I did just check my own ASA at home which is running 9.0(2) and ASDM 7.1(2) at the moment and it doesn't show an Implicit Deny for my LAN or WAN interfaces' ACL.
    Though the basic ACL operation is still in effect. If it's not allowed in the ACL then it's blocked by Implicit Deny. This can be confirmed with a "packet-tracer" test on your firewall also.
    - Jouni

  • Access List (ACL) to Block Russian and Chinese Nets From Routers

    I see people asking if there are premade ACLs to block Chinese and Russian nets from their edge routers. Since I spent so much time creating entries for them based on information received from http://www.ipdeny.com/ipblocks/ I decided to share them. They are in the attached Word docs.
    There are a lot of entries, but since it is in a standard ACL it should not tax your routers too greatly.
    Sean Odom
    Sybex/Wiley Cisco Author

    Well, I'd rather not tax the IPS even further for something that the edge router should be capable of taking care of. Especially since the source of the traffic should be denied at the closest managed point.
    If you do not want this traffic coming inbound, the closest point for some would be the edge router. Others may only have their firewall as the closest manageable point.
    A suggestion to those that do not manage their edge router would be to compile a list such as the one listed above, then send it to your provider requesting they place it on this router. Of course this may become a double-edged sword in a sense: if there is legit traffic from one of these source IP addresses that you identify down the road, it might be a hassle to get the block resolved.
    Or, you can also apply these right there on your firewall as well.
    Thank you for providing this list!
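    As an added example (not part of Sean's attachments or anyone's post in this thread), a Python script that builds the same kind of numbered standard ACL from a list of CIDR blocks: it computes the Cisco wildcard (inverted) masks, merges adjacent blocks to keep the list short, and ends with the explicit permit any without which the ACL's implicit deny would drop everything else. The ACL number, interface name and the RFC 5737 documentation ranges used as input are constructed placeholders, not a real blocklist.

```python
import ipaddress
from typing import Iterable, List

# Cisco IOS numbered standard ACLs live in these two ranges.
STANDARD_ACL_RANGES = ((1, 99), (1300, 1999))


def wildcard_entry(acl_number: int, net: ipaddress.IPv4Network, action: str = "deny") -> str:
    """One 'access-list' line. Standard ACLs match sources with a wildcard
    (inverted) mask; a single host is written with the 'host' keyword."""
    if net.prefixlen == 32:
        return f"access-list {acl_number} {action} host {net.network_address}"
    return f"access-list {acl_number} {action} {net.network_address} {net.hostmask}"


def build_standard_acl(acl_number: int, cidrs: Iterable[str], remark: str = "") -> List[str]:
    """Turn CIDR blocks into a numbered standard ACL that denies those
    sources and explicitly permits everything else."""
    if not any(lo <= acl_number <= hi for lo, hi in STANDARD_ACL_RANGES):
        raise ValueError(f"{acl_number} is not a standard ACL number")
    # strict=True rejects blocks with host bits set (a typo in a downloaded list);
    # collapse_addresses merges adjacent/overlapping blocks to shorten the ACL.
    nets = ipaddress.collapse_addresses(ipaddress.IPv4Network(c, strict=True) for c in cidrs)
    lines = []
    if remark:
        lines.append(f"access-list {acl_number} remark {remark}")
    lines.extend(wildcard_entry(acl_number, n) for n in nets)
    # Without this line the implicit deny at the end of every ACL would drop
    # all remaining traffic, not just the listed blocks.
    lines.append(f"access-list {acl_number} permit any")
    return lines


def apply_inbound(acl_number: int, interface: str) -> List[str]:
    """Interface stanza that applies the ACL to traffic arriving on the edge link."""
    return [f"interface {interface}", f" ip access-group {acl_number} in"]


# Constructed sample using documentation (RFC 5737) ranges, not a real blocklist.
SAMPLE_BLOCKS = ["203.0.113.0/24", "198.51.100.0/25", "198.51.100.128/25", "192.0.2.77/32"]

if __name__ == "__main__":
    for line in build_standard_acl(10, SAMPLE_BLOCKS, "constructed sample blocklist"):
        print(line)
    print("\n".join(apply_inbound(10, "GigabitEthernet0/0")))
```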

  • ASA 5505 remote vpn - not receiving packets from ASA

    I am having a problem configuring remote VPN between an ASA 5505 and Cisco VPN client v5. I can successfully establish a connection between the ASA and the VPN client and receive an IP address from the ASA. The VPN client statistics window shows that packets are sent and encrypted but none of the packets are received/decrypted. Any ideas on what I have missed?
    Thanks in advance for any help, M

    crypto isakmp nat-traversal
    Please rate helpful posts.

  • "access denied" error from Java Web Start

    I can successfully download the jar file, but always have error message "access denied" when the java application tries to open a local file in C:\temp\poc1.xml.
    I can successfully execute the java application from DOS, but it fails when using Java Web Start. The error message is as follows:
    Java Web Start Console, started Wed Nov 28 16:30:31 PST 2001
    Java 2 Runtime Environment: Version 1.3.1 by Sun Microsystems Inc.
    java.security.AccessControlException: access denied (java.io.FilePermission C:\temp\poc1.xml read)
        at org.apache.xerces.framework.XMLParser.parse(Unknown Source)
        at org.apache.xerces.framework.XMLParser.parse(Unknown Source)
        at com.hotlocker.client.HLSessionParser.parse(Unknown Source)
        at com.hotlocker.client.UploadDownloadClient.uploadFiles(Unknown Source)
        at com.hotlocker.client.UploadDownload.main(Unknown Source)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.sun.javaws.Launcher.executeApplication(Unknown Source)
        at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
        at com.sun.javaws.Launcher.continueLaunch(Unknown Source)
        at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
        at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
        at com.sun.javaws.Launcher.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

    Hi,
    you can't get a file like in a "normal" app because a JWS-app runs in the restricted sandbox environment by default.
    So you either sign your app with a digital certificate or you use a special FileOpenService (JNLP-API).
    You could also put the file into the app-jar and load it by a classloader.
    Regards,
    Mathias

  • [SOLVED] Weird new access denied error from Samba

    This just started when I did a system upgrade last week (from samba 3.4.3-something to 3.5.2-something).
    The hardware: Server is arch, of course; workstation 2 feet away is Windows XP connected by ethernet to a cheap Gateway brand switch.
    The filesystem: a folder called /pub with owner set to my primary (non-root) login and group set to the household group, perms 775 so both owner and group have full rw perms.  Also /tmp, owned by root:root with perms 777.  /pub has a symbolic link to /tmp so you can use /pub/tmp as a fully writeable junk area on the network.
    The shares: /pub is given smb.conf parameters public=yes, writable=yes, create mask=0775
    The login: My XP box has a login that makes it a member of the family group
    Up until the upgrade, this all worked fine.  The XP could attach the public share (drive P:) and go to P:\tmp when I wanted to save a temp file, knowing that it would be erased when I reboot the server.
    Now, the public share still works great in that I can go to drive P: and all the subdirectories within and read/write to my heart's content... EXCEPT the symbolic link to /tmp.  When I try CD P:\tmp
    I get
    Access is denied.
    The same thing happens on my Windows 7 VM (running on the linux box), so it's not XP.  Other than the upgrade from 3.4 to 3.5, nothing else in the above environment has changed.
    Yes, I know there are numerous workarounds.  I could create an actual /pub/tmp folder and include that in the reboot purge... but it's the principle of the thing.  I shouldn't HAVE to do that.
    Any thoughts on what's broken and how to fix it, or do I need to take this to the Samba folks?  I always try here first in case it's an arch-specific problem...
    Last edited by WyoPBS (2010-04-29 20:12:38)

    Thanks!  That wasn't the answer, but it prompted me to do some more hunting.  Turns out the latest upgrade fixes a security hole: Enabling UNIX extensions automatically disables wide links.  Since I did not define UNIX extensions, it defaults to yes, so even explicitly adding wide links = yes to smb.conf did not fix the problem.
    http://www.linuxquestions.org/questions … ks-801633/
    Looks like I can have one or the other, but not both.  So I have to decide which is more important to me.  Or create the folder /pub/tmp and symlink /tmp to it rather than the other way around.
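    Added example, not from the thread or the Samba project: a small Python check that reads an smb.conf and reports whether wide links is actually in effect, applying the rule WyoPBS found (unix extensions = yes, the default, overrides wide links = yes). The sample smb.conf is constructed from the share described above, and the 3.5-era defaults are an assumption to confirm against your own build.

```python
import configparser

# Samba 3.5-era global defaults for the two options involved (assumed here;
# confirm with 'testparm -v' on your own build).
DEFAULTS = {"unix extensions": True, "wide links": False}

# Constructed smb.conf modelled on the thread: /pub is public and writable,
# and 'wide links = yes' has been added hoping to follow /pub/tmp -> /tmp.
SMB_CONF_AS_POSTED = """[global]
    workgroup = HOME
    wide links = yes

[pub]
    path = /pub
    public = yes
    writable = yes
    create mask = 0775
"""

# Same file with the trade-off made explicit: UNIX extensions off, wide links back.
SMB_CONF_WIDE_LINKS = SMB_CONF_AS_POSTED.replace("[global]", "[global]\n    unix extensions = no")


def load_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like; no interpolation so '%U'-style macros parse,
    # and strict=False tolerates duplicate keys instead of raising.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def global_flag(cp: configparser.ConfigParser, name: str) -> bool:
    if cp.has_option("global", name):
        return cp.getboolean("global", name)
    return DEFAULTS[name]


def check_wide_links(text: str) -> dict:
    """Report whether symlinks pointing outside a share will actually be followed."""
    cp = load_smb_conf(text)
    unix_ext = global_flag(cp, "unix extensions")
    wide = global_flag(cp, "wide links")
    if wide and unix_ext:
        note = "'wide links = yes' is ignored while 'unix extensions = yes' (the default)"
    elif not wide:
        note = "wide links off: out-of-share symlinks return access denied"
    else:
        note = "wide links active: symlinks can expose paths outside the share"
    return {"unix extensions": unix_ext, "wide links": wide,
            "effective": wide and not unix_ext, "note": note}
```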
