DHCP Deny Filter
I had a question about the DHCP deny filter. I've added a few users to the deny filter in one of our scopes in DHCP. I see some users still in the scope with the filter profile of deny, and I see a few under the Filters > Deny. Can
I reasonably assume bot are working properly? And with this filter, these MAC addresses can no longer authenticate to the network?
The reason I'm asking is I'm debating whether or not to block the MAC addresses on the Aironet (these are all wifi users) or to just leave the deny policy on the DHCP.
Hi,
Im sorry to hear that. You do add them to the filter by going to the leased ip addresses an right-click add to filter, right? you could try to run the BPA associated with DHCP an see if there is something we've missed. Under normal conditions it works flawless
but it might depend on certain aspects that we currently don't know but we will find them out.
You are positive there is no other DHCP server/router/nas/etc leasing addresses in your network. The filter option in new to 2008 R2 and was not available in earlier versions, it's equivallent for 2003/2008 was something called
Callout DLL. You could try to run a packet sniffer like \wireeshark or Microsoft Network monitor to see what happens. Make sure that you are not filtering any reserved ip addresses.http://technet.microsoft.com/en-us/library/ee941155(WS.10).aspx.
You also might want to try the reverse if it;s not to much effort, create an Allow list and then the Deny list should be populated.
http://technet.microsoft.com/en-us/library/ee956897(WS.10).aspx
Also there is a Step by Step guide to demonstrating DHCP filtering in a lab/test enviroment. I reccomend using virtual machines : http://technet.microsoft.com/en-us/library/ee405265(WS.10).aspx
If you tried all of the above post an ipconfig /all from a DHCP Client that is not blocked, although his mac address is filtered.
You could bypass this MAC filter by using MAC spoofing or setting a different MAC address. Although I doubt this is the case have that in mind also.
Thanks.
MCTS - Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Similar Messages
-
DHCP still giving out addresses to clients on the Deny filter
My DHCP server is handing out addresses to clients that I have put on the deny list. The "Enable Deny List" is checked. Its not to every client either. It is just a handful that keeps popping back. What am I missing?
Hi Alphateam,
Have you confirmed that the deny is on all interfaces, wired and wireless of said machines. -
Dhcp mac binding issue.
Hi Team,
We are using DHCP mac filter option for connecting to wireless, One of our laptop mac address is not able to add in allow list it says its already exist but its not showing in added list, how can i find if its hidden or if its saved in some log.
I have to add this MAC to filter list until then i cant give access to LAN, pls suggest.Hi,
Open cmd.exe (on the dhcp server)
type netsh <enter>
type dhcp <enter>
type server \\IPaddress or hostname <enter>
type v4 <enter>
type show filter <enter>
You should get a list with MAC address and computer names in 2 sections allow and deny list.
Hope this helps.
Regards,
Calin -
Again thanks for the help getting up and running.
Now that I am up and running I know my task at hand and I have comleted most of it except for a couple of things. Here is my task:
To have 1 URL filter lists. Lets call it WhiteList-special. What my manager wants is this.
To all URL's matching the WhiteList-special filter allow the connections filtering out a set of mime types.
To all URL's not in the WhiteList (still allow them them) but apply a different set of mime type restrictions.
How can I go about doing this? Do I use the http:// resource and set up the whitelist-special there with a mime list and then in default set up an allow list of basically .* with a different mime type list ??
Also I noticed that in the mime.types file gnu zip (.gz) was listed as an encoding and not application. Thus if I include the gz mime type in my <Filter "filter-ct" ...> line the gz seems to be ignored. I block all other mime types that are of the application type but I cannot block any encoding type. Am I doing something wrong?
thanks
DougHere is what you can do:
(the simplest way)
Use a filter that will add a variable to all the mime-types that you want to whitelist.
Then use a filter to deny all the other types. In the below code, the identity filter is the one that you can use to touch all the whitelist -- (below, it only allows text/plain), and the deny filter will deny all the rest.
To your question on content-type, check how the content-length is obtained in the below code.
-------obj.conf------------
<Object ppath="http://.*">
ObjectType fn="cache-enable" query-maxlen="10" log-report="off"
ObjectType fn="cache-setting" lm-factor="0.10" max-uncheck="7200"
Output fn="insert-filter" type="text/plain" filter="identityfilter"
Output fn="insert-filter" type="*" filter="denyfilter"
Service fn="proxy-retrieve" method="*"
</Object>
|cat identityfilter.c
* Usage:
* At the end of magnus.conf:
* Init fn="load-modules"
* shlib="<path>/identityfilter.<ext>"
* NativeThread="no"
* Inside an object in obj.conf:
* Output fn="insert-filter"
* type="text/*"
* filter="identityfilter"
#include "nsapi.h"
int identityfilter_insert(FilterLayer *layer, pblock *pb) {
pblock_nninsert("identityfilter", 1, layer->context->rq->vars);
return REQ_PROCEED;
void identityfilter_remove(FilterLayer *layer) {
int identityfilter_write(FilterLayer *layer, const void *buf, int amount) {
return net_write(layer->lower, buf , amount);
NSAPI_PUBLIC int nsapi_module_init(pblock *pb, Session *sn, Request *rq) {
FilterMethods methods = FILTER_METHODS_INITIALIZER;
methods.insert = &identityfilter_insert;
methods.remove = &identityfilter_remove;
methods.write = &identityfilter_write;
const Filter *filter = filter_create("identityfilter", FILTER_CONTENT_TRANSLATION, &methods);
return REQ_PROCEED;
|cat denyfilter.c
* Usage:
* At the end of magnus.conf:
* Init fn="load-modules"
* shlib="<path>/denyfilter.<ext>"
* NativeThread="no"
* Inside an object in obj.conf:
* Output fn="insert-filter"
* type="text/*"
* filter="denyfilter"
#include "nsapi.h"
int denyfilter_insert(FilterLayer *layer, pblock *pb) {
char* processed = pblock_findval("identityfilter", layer->context->rq->vars);
if (!processed) {
pb_param *pp = pblock_remove("content-length", layer->context->rq->srvhdrs);
if (pp) param_free(pp);
layer->context->data = (void*)1;
Request* rq = layer->context->rq;
rq->status_num = 403;
pp = pblock_remove("status", rq->srvhdrs);
if (pp) param_free(pp);
pblock_nvinsert("status", "403", rq->srvhdrs);
} else {
layer->context->data = (void*)0;
return REQ_PROCEED;
void denyfilter_remove(FilterLayer *layer) {
int denyfilter_write(FilterLayer *layer, const void *buf, int amount) {
if ( layer->context->data ) return IO_ERROR;
else return net_write(layer->lower, buf, amount);
NSAPI_PUBLIC int nsapi_module_init(pblock *pb, Session *sn, Request *rq) {
FilterMethods methods = FILTER_METHODS_INITIALIZER;
methods.insert = &denyfilter_insert;
methods.remove = &denyfilter_remove;
methods.write = &denyfilter_write;
const Filter *filter = filter_create("denyfilter", FILTER_CONTENT_TRANSLATION, &methods);
return REQ_PROCEED;
-----------------------------------What is my best approach? Can I simply call another Filter from mine?
check out func_exec and friends in nsapi. -
We have a WLC 2100 series controller running on our LAN, its started having alot of problems and needs rebooting every 30 mins before anyone can connect.
We've just noticed the software its running is - 4.0.217.0, to upgrade we need to incrementaly go to version 4.2.176.0 although this doesnt appear to be available for download anymore.
Can we jump straight to version 5.x??Every 30 mins the WLC would disapear of the LAN and only a reboot would bring it back.
The Tech Support - "Crash report" has this in it repeatedly....
Beginning of Crash File: mwar_dump2.crash
* Start Cisco Crash Handler *
Version: 4.0.217.0
Timestamp: Thu Dec 16 13:50:02 2010
pid: 141
TID: 37925
Task Name: pemReceiveTask
Reason: Reaper Reset
timer tcb: 0x9
timer cb: 0x814b9c0 ('rrmSendTimerMsg+224')
timer arg1: 0xac0e1d4
timer arg2: 0x0
Analysis of Failure:
Software was stopped by the reaper for the following reason:
Reaper Reset: Task "pemReceiveTask" missed software watchdog
System Stack
Frame 0: 0x08051d72: sighup_handler+42
Frame 1: 0x4018608c: ssh_ldap_client_enable_tls+932996688
Frame 2: 0x401bf950: ssh_ldap_client_enable_tls+933232404
Frame 3: 0x0825f9f9: hapiBroffuSendIoctl+613
Frame 4: 0x08250fae: dapiCtl+1106
Frame 5: 0x081baf2e: dtlBsnFdbMacAddrDelete+278
Frame 6: 0x082cc129: pemDelScb+269
Frame 7: 0x082cc7d9: pemReceiveTaskEntry+301
Frame 8: 0x081f8ffd: osapiErrnoGet+405
Frame 9: 0x40183040: ssh_ldap_client_enable_tls+932984324
Frame 10: 0x40262cfa: ssh_ldap_client_enable_tls+933900990
Stacks from all busy tasks
Task pemReceiveTask is consuming 0% (0% user, 0% system)
Stackdump from pemReceiveTask
Frame 0: 0x08051d72: sighup_handler+42
Frame 1: 0x4018608c: ssh_ldap_client_enable_tls+932996688
Frame 2: 0x401bf950: ssh_ldap_client_enable_tls+933232404
Frame 3: 0x0825f9f9: hapiBroffuSendIoctl+613
Frame 4: 0x08250fae: dapiCtl+1106
Frame 5: 0x081baf2e: dtlBsnFdbMacAddrDelete+278
Frame 6: 0x082cc129: pemDelScb+269
Frame 7: 0x082cc7d9: pemReceiveTaskEntry+301
Frame 8: 0x081f8ffd: osapiErrnoGet+405
Frame 9: 0x40183040: ssh_ldap_client_enable_tls+932984324
Frame 10: 0x40262cfa: ssh_ldap_client_enable_tls+933900990
Semaphore and Mutex Usage
Mutex 'sshpmTftpRuleSemaphorePtr' @ 0xaa33f1c Created fp_main_task(sshpm.c:366)
Locked by sshpmReceiveTask(sshpmrecv.c:1180)
0 tasks waiting for resource.
Stackdump from sshpmReceiveTask
Frame 0: 0x08051d72: sighup_handler+42
Frame 1: 0x4018608c: ssh_ldap_client_enable_tls+932996688
Frame 2: 0x401bf950: ssh_ldap_client_enable_tls+933232404
Frame 3: 0x401858cd: ssh_ldap_client_enable_tls+932994705
Frame 4: 0x401820a9: ssh_ldap_client_enable_tls+932980333
Frame 5: 0x0857db0e: d_async_queue_pop+58
Frame 6: 0x081f5bc4: osapiMessageReceive+32
Frame 7: 0x0819d444: sshpmReceiveTaskEntry+644
Frame 8: 0x081f8ffd: osapiErrnoGet+405
Frame 9: 0x40183040: ssh_ldap_client_enable_tls+932984324
Frame 10: 0x40262cfa: ssh_ldap_client_enable_tls+933900990
Memory Information
System Memory Information:
Total System Memory: 256724992 bytes (244.84 Mb)
Used System Memory: 129019904 bytes (123.05 Mb)
Free System Memory: 127705088 bytes (121.79 Mb)
Heap information:
Bytes alloced from RTOS: 4146604 bytes (3.95 Mb)
Chunks free: 32 bytes
Number of mmapped regions: 21
Total space in mmapped regions: 17801216 bytes (16.97 Mb)
Total allocated space: 4098364 bytes (3.90 Mb)
Total non-inuse space: 48240 bytes (47.10 Kb)
Top-most, releasable space: 2808 bytes (2.74 Kb)
Total allocated (incl mmap): 21947820 bytes (20.93 Mb)
Total used (incl mmap): 21899580 bytes (20.88 Mb)
Total free (incl mmap): 48240 bytes (47.10 Kb)
Buffer Pooled Malloc Usage
Pool[00]: 16 byte chunks
chunks in pool: 800
chunks in use: 688
bytes in use: 11008
bytes requested: 7410 (3598 overhead bytes)
Pool[01]: 64 byte chunks
chunks in pool: 8300
chunks in use: 8243
bytes in use: 527552
bytes requested: 323145 (204407 overhead bytes)
Pool[02]: 128 byte chunks
chunks in pool: 5500
chunks in use: 5408
bytes in use: 692224
bytes requested: 459229 (232995 overhead bytes)
Pool[03]: 256 byte chunks
chunks in pool: 200
chunks in use: 140
bytes in use: 35840
bytes requested: 23236 (12604 overhead bytes)
Pool[04]: 1024 byte chunks
chunks in pool: 300
chunks in use: 246
bytes in use: 251904
bytes requested: 97960 (153944 overhead bytes)
Pool[05]: 2048 byte chunks
chunks in pool: 100
chunks in use: 33
bytes in use: 67584
bytes requested: 38852 (28732 overhead bytes)
Pool[06]: 4096 byte chunks
chunks in pool: 50
chunks in use: 38
bytes in use: 155648
bytes requested: 110254 (45394 overhead bytes)
Max number of Mbufs: 1536
number of Mbufs Free: 1531
number of Mbufs In Use: 5
Interrupt Status
Name Total Interupts PerSecond
0: Misc 390360 100
4: qŠ 208 0
7: qŠ 2 0
11: qŠ 201649 52
14: qŠ 2924 0
Message Logs
Thu Dec 16 13:40:35 2010 [ERROR] spam_lrad.c 13270: Unable to send Delete-Mobile request to unknown AP 00:0a:b8:cb:b2:80
Thu Dec 16 13:40:15 2010 [ERROR] spam_tmr.c 565: Did not receive hearbeat reply from AP 00:0a:b8:cb:b2:80
Thu Dec 16 13:40:04 2010 [ERROR] tftp_client.c 414: TFTP server timed out! (Connection Timeout)
Thu Dec 16 13:40:02 2010 [ERROR] spam_tmr.c 565: Did not receive hearbeat reply from AP 00:0a:b8:cb:92:f0
Thu Dec 16 13:40:02 2010 Previous message occurred 2 times
Thu Dec 16 13:37:47 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:37:47 2010 [SECURITY] aaa.c 666: Authentication succeeded for network user 'wendy'
Thu Dec 16 13:37:47 2010 Previous message occurred 7 times
Thu Dec 16 13:21:16 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:18:21 2010 [VERBOSE] sshpmrecv.c 868: pemUpdatedMobileIpAddress @ pem_api.c:2747: request to delete rule with Id SSH_IPSEC_INVALID_INDEX (0xddffffff)
Thu Dec 16 13:16:33 2010 [VERBOSE] sshpmrecv.c 868: pemUpdatedMobileIpAddress @ pem_api.c:2747: request to delete rule with Id SSH_IPSEC_INVALID_INDEX (0xddffffff)
Thu Dec 16 13:16:33 2010 Previous message occurred 2 times
Thu Dec 16 13:14:54 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:14:49 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:14:49 2010 Previous message occurred 3 times
Thu Dec 16 13:10:27 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 13:08:42 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:07:57 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'admin'
Thu Dec 16 13:05:51 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:05:46 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:05:46 2010 Previous message occurred 12 times
Thu Dec 16 13:01:30 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 13:01:06 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:01:06 2010 Previous message occurred 4 times
Thu Dec 16 13:00:23 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 13:00:02 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 13:00:02 2010 Previous message occurred 4 times
Thu Dec 16 12:59:16 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:58:57 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:58:52 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:58:52 2010 Previous message occurred 16 times
Thu Dec 16 12:54:48 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:53:51 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:53:49 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:53:49 2010 Previous message occurred 4 times
Thu Dec 16 12:53:41 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:53:17 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'admin'
Thu Dec 16 12:53:12 2010 [SECURITY] aaa.c 661: Authentication failed for admin user 'adim'
Thu Dec 16 12:53:12 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:53:12 2010 [SECURITY] file_db.c 1443: Username & password must be supplied (user = 0xaa96dc8, pass=(nil))
Thu Dec 16 12:53:00 2010 [VERBOSE] file_db.c 1677: Adding user 'admin' to AAA db
Thu Dec 16 12:52:38 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:52:38 2010 Previous message occurred 2 times
Thu Dec 16 12:52:37 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:52:36 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:52:36 2010 Previous message occurred 2 times
Thu Dec 16 12:52:34 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:52:29 2010 [SECURITY] aaa.c 661: Authentication failed for admin user 'ACSwireless'
Thu Dec 16 12:52:29 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:52:17 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:52:12 2010 [SECURITY] aaa.c 661: Authentication failed for admin user 'ACSwireless'
Thu Dec 16 12:52:12 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:51:44 2010 [ERROR] sshpmrules.c 3053: SSHPM: attempting to enable secure shell access when already enabled.
Thu Dec 16 12:51:36 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:51:35 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:51:35 2010 Previous message occurred 4 times
Thu Dec 16 12:51:27 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:50:54 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:50:54 2010 Previous message occurred 2 times
Thu Dec 16 12:50:20 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:49:31 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:49:31 2010 Previous message occurred 4 times
Thu Dec 16 12:49:13 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:48:29 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:48:29 2010 Previous message occurred 4 times
Thu Dec 16 12:48:06 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:47:47 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:47:39 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:47:34 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:47:34 2010 Previous message occurred 2 times
Thu Dec 16 12:47:05 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:47:03 2010 [VERBOSE] sshpmrecv.c 868: pemUpdatedMobileIpAddress @ pem_api.c:2747: request to delete rule with Id SSH_IPSEC_INVALID_INDEX (0xddffffff)
Thu Dec 16 12:47:03 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:47:01 2010 [VERBOSE] sshpmrecv.c 868: pemUpdatedMobileIpAddress @ pem_api.c:2747: request to delete rule with Id SSH_IPSEC_INVALID_INDEX (0xddffffff)
Thu Dec 16 12:46:59 2010 [WARNING] radius_db.c 2149: Unable to find a valid RADIUS server
Thu Dec 16 12:46:33 2010 [ERROR] spam_lrad.c 1897: AP 00:0a:b8:cb:92:f0 associated. Last AP failure was due to Link Failure, reason: ECHO_REQUEST
Thu Dec 16 12:46:31 2010 [VERBOSE] spam_lrad.c 1346: nimMcastApplianceGetPortMap return error for interface 1 -- returning default index 49
Thu Dec 16 12:46:29 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:46:29 2010 Previous message occurred 2 times
Thu Dec 16 12:46:22 2010 [SECURITY] aaa.c 661: Authentication succeeded for admin user 'ACSwirelessadmin'
Thu Dec 16 12:46:17 2010 [ERROR] spam_lrad.c 1897: AP 00:0a:b8:cb:b2:80 associated. Last AP failure was due to Link Failure, reason: ECHO_REQUEST
Thu Dec 16 12:46:14 2010 [VERBOSE] spam_lrad.c 1346: nimMcastApplianceGetPortMap return error for interface 1 -- returning default index 48
Thu Dec 16 12:46:14 2010 Previous message occurred 4 times
Thu Dec 16 12:46:09 2010 [WARNING] dapi.c 336: call to hapi failed for usp 0,0,0, cmd 41
Thu Dec 16 12:45:52 2010 [WARNING] osapi_task.c 2071: Reaper cleaning up exited task 'SNMPCfgTask' (0x930bfe0)
Thu Dec 16 12:45:52 2010 [WARNING] osapi_task.c 2071: Reaper cleaning up exited task 'cliWebTask' (0x9316980)
Thu Dec 16 12:45:42 2010 [VERBOSE] gid.c 495: GID: Port # 1 is not found.
Thu Dec 16 12:45:42 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'mesh.cfg'
Thu Dec 16 12:45:42 2010 [VERBOSE] nvstore.c 248: Failed to read 'mesh.cfg' (size 400)
Thu Dec 16 12:45:38 2010 [ERROR] sshpmrules.c 3053: SSHPM: attempting to enable secure shell access when already enabled.
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'cliWebInitParms.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'cliWebInitParms.cfg' (size 368)
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'cids.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'cids.cfg' (size 1356)
Thu Dec 16 12:45:38 2010 [WARNING] apf_site_override.c 834: Unable to load APF Site configuration
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'rfidCfg.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'rfidCfg.cfg' (size 356)
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'rfidInitParms.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'rfidInitParms.cfg' (size 356)
Thu Dec 16 12:45:38 2010 Previous message occurred 17 times
Thu Dec 16 12:45:38 2010 [VERBOSE] sig_v1.c 290: Signature Interval set to default
Thu Dec 16 12:45:38 2010 [VERBOSE] dhcpd.c 76: dhcp server: binding to 0.0.0.0
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'sig.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'sig.cfg' (size 348)
Thu Dec 16 12:45:38 2010 [WARNING] dhcp_config.c 496: NPU/Driver DHCP CHADDR Filter disabled
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'dhcpServer.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'dhcpServer.cfg' (size 8028)
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'dhcpParms.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'dhcpParms.cfg' (size 356)
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'bcastInitParms.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'bcastInitParms.cfg' (size 356)
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'cdp.tcfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'cdp.tcfg' (size 108)
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'sntp.cfg'
Thu Dec 16 12:45:38 2010 [VERBOSE] nvstore.c 248: Failed to read 'sntp.cfg' (size 1644)
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'rrmInitParms.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'rrmInitParms.cfg' (size 488)
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'watchlist.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'watchlist.cfg' (size 8544)
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 17 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 16 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 15 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 14 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 13 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 12 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 11 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 10 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 9 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 8 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 7 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 6 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 5 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 4 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] sim.c 8415: simVlanPortNpuAdd: vlan=10, port=1, portBitMap=1
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 3 - SSID 'ACS-Guest', VAP ID 3
Thu Dec 16 12:45:37 2010 [VERBOSE] sim.c 8415: simVlanPortNpuAdd: vlan=2, port=1, portBitMap=1
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 2 - SSID 'ACS-VOIP', VAP ID 2
Thu Dec 16 12:45:37 2010 [VERBOSE] sim.c 8415: simVlanPortNpuAdd: vlan=0, port=1, portBitMap=1
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_api.c 8959: Created WARP Capabilities IE (length 12) for WLAN ACS-Wireless
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 1 - SSID 'ACS-Wireless', VAP ID 1
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_cfg_v2.c 721: Loading VAP Config 0 - SSID '', VAP ID 0
Thu Dec 16 12:45:37 2010 [VERBOSE] apf.c 2336: Support 256 mobile clients!
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'apfInitParms.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'apfInitParms.cfg' (size 356)
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_warp_utils.c 397: WARP KCID: f2:65:ac:2a:66:a6:7c:44
Thu Dec 16 12:45:37 2010 [VERBOSE] apf_warp_utils.c 450: apfWarpInit: Enabling WARP...
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'mmInitParms.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'mmInitParms.cfg' (size 392)
Thu Dec 16 12:45:37 2010 [VERBOSE] rfc3576.c 156: Running initRfc3576...
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '002255d4b8c2' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0013e8b0ce9d' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0013e8b0c963' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user 'wendy' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '00219111cda0' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0014a5dc2d15' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0013e8b0e04b' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '00231434f34c' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0024d277715b' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0027100dad98' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0014a5b5714e' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0013e8b0e65d' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0013020d6b3b' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '001f3b423ddd' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0019d2382fb4' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0018de6e821d' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '001f3b41ffe7' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0013e8b0c991' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '001b771ba0ff' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0012f03c4cf8' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0013e8b0cbfb' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '001fe2a36d39' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user 'ACSwirelessadmin' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user 'Claireo' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user 'Mattc' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user 'Andye' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user '0012f0a0031d' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 697: Adding user 'administrator' to AAA db
Thu Dec 16 12:45:37 2010 [VERBOSE] file_db.c 155: Creating AVL Tree with 512 entries
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'aaaapiInitParms.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'aaaapiInitParms.cfg' (size 356)
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'pemInitParms.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'pemInitParms.cfg' (size 356)
Thu Dec 16 12:45:37 2010 [VERBOSE] ccx_rm_task.c 57: Created CCX RM Task (rc=154205248)
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'ccx_rm.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'ccx_rm.cfg' (size 448)
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'l2roam.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'l2roam.cfg' (size 924)
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'dot1xInitParms.cfg'
Thu Dec 16 12:45:37 2010 [VERBOSE] nvstore.c 248: Failed to read 'dot1xInitParms.cfg' (size 356)
Thu Dec 16 12:45:37 2010 Previous message occurred 6 times
Thu Dec 16 12:45:34 2010 [ERROR] dtl_data.c 258: dtl_data.c 258: In dtlDataLowTask_rxBroffPkt call to 'dtlPduReceive' failed
Thu Dec 16 12:45:33 2010 [VERBOSE] sshpmcert.c 9900: Added ID Cert 'cscoDefaultIdCert'
Thu Dec 16 12:45:33 2010 [VERBOSE] sshpmcert.c 9900: Added ID Cert 'bsnDefaultIdCert'
Thu Dec 16 12:45:33 2010 [VERBOSE] sshpmcert.c 9900: Added ID Cert 'bsnOldDefaultIdCert'
Thu Dec 16 12:45:32 2010 [WARNING] sshpmcert.c 9236: Found Manufacturing-installed device certificates
Thu Dec 16 12:45:30 2010 [VERBOSE] phy.c 140: link on port 0 change to up
Thu Dec 16 12:45:29 2010 [VERBOSE] sshglue.c 688: No additional web auth redirect port configured
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'sshpmInitParms.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'sshpmInitParms.cfg' (size 368)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'spam.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'spam.cfg' (size 348)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'spamInitParms.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'spamInitParms.cfg' (size 100)
Thu Dec 16 12:45:28 2010 Previous message occurred 2 times
Thu Dec 16 12:45:28 2010 [WARNING] sim.c 247: Using invalid port 0 to index simInterfacePortTable
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 8415: simVlanPortNpuAdd: vlan=10, port=1, portBitMap=1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 7856: simVlanPortUpdate: oldPort:0 newPort:1 oldVlan:10 newVlan:10 vlanName:acs-guset
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 3733: simInterfacePortSet -- interface 'acs-guset' priPort = 1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 5531: simCreateInterface: interfaceName:acs-guset, vlanId:10
Thu Dec 16 12:45:28 2010 Previous message occurred 2 times
Thu Dec 16 12:45:28 2010 [WARNING] sim.c 247: Using invalid port 0 to index simInterfacePortTable
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 8415: simVlanPortNpuAdd: vlan=2, port=1, portBitMap=1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 7856: simVlanPortUpdate: oldPort:0 newPort:1 oldVlan:2 newVlan:2 vlanName:voip
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 3733: simInterfacePortSet -- interface 'voip' priPort = 1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 5531: simCreateInterface: interfaceName:voip, vlanId:2
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 8415: simVlanPortNpuAdd: vlan=0, port=1, portBitMap=1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 7856: simVlanPortUpdate: oldPort:0 newPort:1 oldVlan:0 newVlan:0 vlanName:ap-manager
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 3733: simInterfacePortSet -- interface 'ap-manager' priPort = 1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 5531: simCreateInterface: interfaceName:ap-manager, vlanId:0
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 3733: simInterfacePortSet -- interface 'virtual' priPort = 0
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 5531: simCreateInterface: interfaceName:virtual, vlanId:-1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 3733: simInterfacePortSet -- interface 'service-port' priPort = 0
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 5531: simCreateInterface: interfaceName:service-port, vlanId:-1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 8415: simVlanPortNpuAdd: vlan=0, port=1, portBitMap=1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 7856: simVlanPortUpdate: oldPort:0 newPort:1 oldVlan:0 newVlan:0 vlanName:management
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 3733: simInterfacePortSet -- interface 'management' priPort = 1
Thu Dec 16 12:45:28 2010 [VERBOSE] sim.c 5531: simCreateInterface: interfaceName:management, vlanId:0
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'simInitParms.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'simInitParms.cfg' (size 356)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'filterCfgData.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'filterCfgData.cfg' (size 15544)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'fipsPrerequisite.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'fipsPrerequisite.cfg' (size 256)
Thu Dec 16 12:45:28 2010 [VERBOSE] gvr.c 112: GVRP: Create GVR.
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'garp.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'garp.cfg' (size 664)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'dot1dCfgData.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'dot1dCfgData.cfg' (size 804)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'dot1dInitParms.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'dot1dInitParms.cfg' (size 380)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'fdb.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'fdb.cfg' (size 49496)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'fdbInitParms.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'fdbInitParms.cfg' (size 356)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'snmpCfgData.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'snmpCfgData.cfg' (size 1752)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'snmpInitParms.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'snmpInitParms.cfg' (size 368)
Thu Dec 16 12:45:28 2010 Previous message occurred 2 times
Thu Dec 16 12:45:28 2010 [ERROR] sim_util.c 1581: Unable to set uranium QOS Profile ACM
Thu Dec 16 12:45:28 2010 [ERROR] sim_util.c 1588: Unable to set platinum QOS Profile ACM
Thu Dec 16 12:45:28 2010 [ERROR] sim_util.c 1581: Unable to set platinum QOS Profile ACM
Thu Dec 16 12:45:28 2010 Previous message occurred 2 times
Thu Dec 16 12:45:28 2010 [ERROR] sim_util.c 1581: Unable to set gold QOS Profile ACM
Thu Dec 16 12:45:28 2010 [ERROR] sim_util.c 1588: Unable to set bronze QOS Profile ACM
Thu Dec 16 12:45:28 2010 [ERROR] sim_util.c 1581: Unable to set bronze QOS Profile ACM
Thu Dec 16 12:45:28 2010 Previous message occurred 2 times
Thu Dec 16 12:45:28 2010 [ERROR] sim_util.c 1581: Unable to set silver QOS Profile ACM
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'simRouteCfgData.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'simRouteCfgData.cfg' (size 1148)
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'simInitParms.cfg'
Thu Dec 16 12:45:28 2010 [VERBOSE] nvstore.c 248: Failed to read 'simInitParms.cfg' (size 356)
Thu Dec 16 12:45:28 2010 [CRITICAL] timerlib.c 442: Task 154182432 unable to acquire timer lock.
Thu Dec 16 12:45:28 2010 [CRITICAL] osapi_sem.c 777: osapiBsnTimerCreate() @ timerlib.c:442: ERROR: 'timerSema' is a NULL pointer.
Thu Dec 16 12:45:27 2010 [CRITICAL] timerlib.c 442: Task 154182432 unable to acquire timer lock.
Thu Dec 16 12:45:27 2010 [CRITICAL] osapi_sem.c 777: osapiBsnTimerCreate() @ timerlib.c:442: ERROR: 'timerSema' is a NULL pointer.
Thu Dec 16 12:45:27 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'dtlCfgData.cfg'
Thu Dec 16 12:45:27 2010 [VERBOSE] nvstore.c 248: Failed to read 'dtlCfgData.cfg' (size 344)
Thu Dec 16 12:45:27 2010 [VERBOSE] nvstore.c 255: Creating default configuration for 'dtlInitParms.cfg'
Thu Dec 16 12:45:27 2010 [VERBOSE] nvstore.c 248: Failed to read 'dtlInitParms.cfg' (size 356)
Thu Dec 16 12:45:26 2010 [CRITICAL] bootos.c 836: Starting code...
* End Cisco Crash Handler * -
Error 5: Access Denied can not start the DHCP Client service on Local Computer.
Ran into this error problem with both the DHCP and BFE service. Neither will start and both give me the same error code 5 access denied.
Found this little nugget below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
Right click and choose Permissions. There should be the following:
System = Full Control
Local Service = Read
Network Service = Read
Local Admin = Full Control
Local Users = Read
Dhcp = Read with special permissions
No problem adding the missing Local Service and Network Service. How does one add Dhcp? Is there a way to create this because under permissions there is no way to add this or search it up. Is there a NetSH reset command that will add this in for me?
The Netlogon service was not running and to get the Netlogon service going I ran NetSH int ip reset and it started to work. The other services were not running either and I was hoping they would after resetting IP
Any ideas on to fix this problem? Also, the user turned off the laptop when it was doing updates. Still I do not think it would have created this headache.
TIA
Spammer HammerHi,
Was your issue resolved?
If no, please reply and tell us the current situation in order to provide further help.
Karen Hu
TechNet Community Support -
Problem Report -
Access denied to system because of URL Filter Configuration.
Message ID -
FILTER_DENIED
Problem Description -
Your system was configured to deny access to the requested URL.
Possible Problem Cause -
Request denied, as specified in the local filter list configuration.
Possible Solution -
Contact your network support team if this problem persists.
It comes up with thie above in a box with two colums. i can only usse internet explorer now.Does any body know how to fix it?
I just got off the phone to my new isp and they said they could not help me at all. -
Create Set with Access Denied with filter permissons correct
I am standing up a FIM lab and need to create a set. I'm logged in as an administrator and the attribute I want to use in the SET's filter is "HR Effective Status." I give the set a name, create the filter with the HR Effective
Status attribute and view the members with no problems. However, when I click the submit button, I get an access denied error (see screen shot). Prior to creating the set, I had added this HR Effective Status attribute to both the Filter permission objects
(Administration-->All Resources-->Filter Permission), but this does not seem to be the problem. Both MPRs that are kicked off seem to be set properly too. Any ideas on what the problem might be?
Thank you in advance for any help!Just checking some things that people sometimes forget:
since you created your new attribute/binding, have you restarted the FIMService and performed an IISRESET on the FIM web server?
have you checked the FIM event log (Event Viewer/Applications and Services Logs) for a more detailed error when you get the general "Denied" exception when saving your query-based set?
if the FIM database has been used for a while, chances are you will need to reindex some things - you may just be getting timeouts.
Bob Bradley (FIMBob @
TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM -
When editing DHCP Scope in IPAM, get "Error: 5 - Access is denied"
Hello all!
I have a pair of Server 2012 DHCP servers configured for Failover. I also have a Server 2012 IPAM server that manages the first server in that pair, but not the second one. The reason is that I have the DHCP Failover Auto Config Sync tool running
on the first server and it can only be installed on one server of a Failover pair.
So, my diagram would look something like this:
IPAM --manages--> DHCP 1 <--Failover/Auto Sync--> DHCP 2
So, here is my problem. I can make a change to a DHCP Scope directly on DHCP 1 and it is instantaneously replicated to DHCP 2. That is no problem.
But, when I try to edit the same Scope through IPAM, it fails and returns the following error: (Error:5 - Access is denied.)
Any help would be greatly appreciated.
Thanks!Hi,
One of our service engineers here was able to reproduce the problem by removing the
IPAM computer account from the IPAMUG security group in Active Directory.
Interestingly, doing this does not change the status of the server from green to red in terms of manageability.
Can you please check and see if this is the problem?
Thanks,
-Greg
P.S. If this is not the problem, please answer a few more questions:
Is the IPAM and DHCP server joined to the same domain?
Are they multihomed servers or have only one NIC?
Are you using the same user account on IPAM and DHCP server?
Note: I tried reproducing this and when the IPAM server is removed from the IPAMUG group it does cause Error 5 - Access is denied, however I was able to get the status to turn red after doing this. I think it is critical that an Active Directory update
occur, so you should try running gpupdate /force on your DC, DHCP server, and IPAM server. -
17:06:13 Synchronizer Version 14.0.6123
17:06:13 Synchronizing Mailbox '[email protected]'
17:06:13 Synchronizing Hierarchy
17:06:13 4 folder(s) added to online store
17:06:13 1 folder(s) updated in online store
17:06:13 Synchronizing local changes in folder 'Inbox'
17:06:13 Error synchronizing folder
17:06:13 [80041004-0-0-430]
17:06:13 Error with Send/Receive.
17:06:13 There was an error synchronizing your folder hierarchy. Error : 80041004.
17:06:13 Synchronizing server changes in folder 'Calendar'
17:06:13 Synchronizing server changes in folder 'Contacts'
17:06:13
17:06:13
*Request*
17:06:13 17:06:13:0590
17:06:13 POST
17:06:13 http://
17:06:13 contacts.msn.com
17:06:13 /ABService/ABService.asmx
17:06:13
17:06:13 <ABFindAll xmlns="http://www.msn.com/webservices/AddressBook"> <abId>00000000-0000-0000-0000-000000000000</abId><abView>Full</abView><deltasOnly>false</deltasOnly></ABFindAll>
17:06:13
*Response*
17:06:13 17:06:13:0870
17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 TMG
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 707
17:06:13
17:06:13
17:06:13
17:06:13 Error with Send/Receive.
17:06:13 There was an error synchronizing a contacts folder. Error : 80004005.
17:06:13 Synchronizing server changes in folder 'Drafts'
17:06:13 Synchronizing local changes in folder 'Inbox'
17:06:13 Error synchronizing folder
17:06:13 [80041004-0-0-430]
17:06:13 Synchronizing server changes in folder 'Sent Items'
17:06:13 Synchronizing server changes in folder 'Deleted Items'
17:06:13 Synchronizing server changes in folder 'Junk E-mail'
17:06:13 Done
17:06:13
17:06:13
*Request*
17:06:13 17:06:13:0870
17:06:13 POST
17:06:13 http://
17:06:13 mail.services.live.com
17:06:13 /DeltaSync_v2.0.0/Settings.aspx
17:06:13
17:06:13 <?xml version="1.0" encoding="utf-8"?><Settings xmlns="HMSETTINGS:"><ServiceSettings><SafetySchemaVersion>1</SafetySchemaVersion><SafetyLevelRules><GetVersion/></SafetyLevelRules><SafetyActions><GetVersion/></SafetyActions><Properties><Get/></Properties></ServiceSettings><AccountSettings><Get><Options/><Properties/></Get></AccountSettings></Settings>
17:06:13
*Response*
17:06:13 17:06:13:0870
17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 TMG
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 707
17:06:13
17:06:13Hi,
According to the log, it seems that TMG firewall denied the request and replied with an HTTP 407 response, indicating that proxy authentication was required. This was done because the Forefront TMG firewall did not have any access rules which would allow
the anonymous request. Please check if you have configured related access rules.
When did you recieve this log? Is there anyting wrong? Which authentication method you have used, Kerberos, NTLM or other?
It seems that each time a web proxy client requests a resource through a Forefront TMG firewall that requires NTLM authentication the client is actually denied twice during the transaction before being successfully authenticated and allowed access. When
the Forefront TMG firewall is configured to use Kerberos there is only a single denied request and HTTP 407 response and then contact a domain controller and obtain a Kerberos ticket to present to the TMG firewall to gain access to the resource.
If you configured the TMG clients with a certain proxy name, please make sure you typed the TMG's domain computer name only (not IP address nor alias).
Best regards,
Susie -
I have Cisco 2821 with NM-AIR-WLC6-K9 installed. And number of AIR-AP1131AG-E-K9. Now I set up trivial task to make WLC6 to work as bridge between on of WLANs and one of VLANs on a network segment. I have already attained the following: all is working fine while I use on my test notebook statically assgned IP-address. Broadcasts as ARP-requests are going through the network free. But as soon as I change IP assigning method I hear nothing on DHCP's side. Notebook is unable to acquire address through DHCP. But when I assing IP-address to vlan20 interface on WLC6 and set up correct DHCP-server all works fine again. Now with DHCP. But I don't want use IP on vlan20! I need totally bridged diagram! Is there an exit? :-)
http://www.united-networks.ru/doku.php?id=hardware_configuration&#ciscoconfiguring_wlc6
- Cisco works as bridge (relative configuration):
interface GigabitEthernet0/1.20 (plugged into trunk on a wired segment)
encapsulation dot1Q 20
bridge-group 20
interface wlan-controller1/0.20
encapsulation dot1Q 20
bridge-group 20
interface BVI20
no ip address
bridge irb
bridge 20 protocol ieee
bridge 20 route ip
- WLC6 configured as follows (open system, no auth at all):
(Cisco Controller) >config interface create vlan20 20
(Cisco Controller) >config interface port vlan20 1
(Cisco Controller) >config wlan interface 2 vlan20
(Cisco Controller) >config wlan security wpa wpa2 ciphers aes disable 2
(Cisco Controller) >config wlan security wpa wpa2 disable 2
(Cisco Controller) >config wlan security wpa akm 802.1x disable 2
(Cisco Controller) >config wlan security wpa disable 2
(Cisco Controller) >config wlan enable 2
show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... free.united-networks.ru
Network Name (SSID).............................. free.united-networks.ru
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Webauth DHCP exclusion........................... Disabled
Interface........................................ vlan20
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Allowed
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Mobility Anchor List
WLAN ID IP Address Status
show wlan summary
Number of WLANs.................................. 2
WLAN ID WLAN Profile Name / SSID Status Interface Name
1 united-networks.ru / united-networks.ru Enabled management
2 free.united-networks.ru / free.united-networks.ru Enabled vlan20
show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
ap-manager 1 10 172.16.0.51 Static Yes No
management 1 10 172.16.0.50 Static No No
virtual N/A N/A 1.1.1.1 Static No No
vlan20 1 20 0.0.0.0 Dynamic No No
Kind regards,
Ellad YatskoEllad,
The WLC is a DHCP proxy by default, which means that client DHCP traffic is not transparently passed through the WLC onto the upstream network. Instead, it is repackaged as unicast traffic originating from the WLC interface tied to the client's WLAN. If you want upstream servers or relays to hear client DHCP traffic directly without WLC meddling, then do this on your WLC's command line to disable DHCP proxy:
(wlc6) > config dhcp proxy disable
This is currently (as of 7.0) a global setting and affects all WLANs.
Justin
Ps. I have been disabling DHCP proxy on my WLC deployments as a best practice for about a year now. As a result, one thing I have noticed is that DHCP responses to clients seem to come much faster from the DHCP services behind the WLC (e.g., W2Kx DHCP server, IOS DHCP, ISC-dhcpd, etc.), especially if those DHCP servers are themselves highly responsive. With DHCP proxy turned on (on the WLC), DHCP assignments seem to take sometimes 4x to 5x longer, even on lightning fast networks with lightning fast DHCP servers. I chalk this delay up to a slow, buggy and unevolved DHCP engine in the controllers, which, IMO, has caused more trouble than it's worth over the years--I never use internal DHCP on the controllers, and these days I'm no longer letting them handle the proxying. -
Deny Mac address cannot use client ip address
Dear Team
How I can restrict Mac address in the denied list ,cannot use ip address.
Regards
NjsinghHi,
If you want to filter DHCP client by MAC address in order to prevent some device from obtaining IP address. You may enable Deny Filters on DHCP console first, and then New Filter by MAC address. Detailed steps you may reference the link below:
http://technet.microsoft.com/en-us/library/dd759190.aspx
Windows Server 2008 R2 or above system version has this function. Reference:
http://blogs.technet.com/b/teamdhcp/archive/2009/02/26/new-features-in-dhcp-for-windows-server-2008-r2-windows-7.aspx
If there is any misunderstanding about your question, please correct.
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Is there any way to effectively use a Pix 506e as a content filter? I see some example configurations involving an ASA 5500, but I was wondering if the pix alone will allow content filtering. We are a small business that is looking to restrict just a few websites to our DHCP users. (i.e. eBay, yahoo mail, Amazon). We already have the pix. Thanks!
Suppose if you want to filter streaming media content with PIX 506E, you have two options. The first one is to block ports on the PIX and the second is to use Proxy Server to filter URLs. Since our main concern is doing it on the PIX, You may enter these commands on the PIX for well-known ports that you could block on the firewall:
access-list nostream deny udp any any eq 2979
access-list nostream deny udp any any eq 1790
access-list nostream deny udp any any eq 1755
access-list nostream deny udp any any eq 1736
access-list nostream deny udp any any eq 554
access-list nostream deny udp any any eq 537
access-list nostream deny tcp any any eq 2979
access-list nostream deny tcp any any eq 1790
access-list nostream deny tcp any any eq 1755
access-list nostream deny tcp any any eq 1736
access-list nostream deny tcp any any eq 554
access-list nostream deny tcp any any eq 537
access-list nostream permit tcp any any eq 80
access-list nostream permit ip any any
access-group nostream in interface inside
However, some streaming applications use random ports using auto-configure options that are difficult to block with the PIX. To resolve this issue, you have the second option, using a proxy server to filter the URLs. You may use Websense and any other software to filter web traffic. -
Really Slow web surfing through ZBF with IOS Content filter
Edited: attached partial output of "sh policy-map type inspect zone-pair urlfilter"
Hey, all
We have a 1921 router with IOS Content filter subscribsion and it is also configured as ZBF running latest IOS v15.1. End-user keep complaining about slow web surfing. I connected to network and tested myself and found intermittent surfing experience.
For example, access to www.ibm.com or www.cnn.com hangs 7 times of 10 attempts and maybe only loads reasonablly quick in 1-2 time of the 3. This also affects the speed of download from websites.
I have the case openned with Cisco TAC and CCIE checked my configure but nothing caught his eyes...
I decide to post the issue here in case we both missed something:
Current configuration : 18977 bytes
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname abc_1921
boot-start-marker
boot system flash:/c1900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authentication login NONE_LOGIN none
aaa authorization exec default local
aaa session-id common
clock timezone AST -4 0
clock summer-time ADT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
no ipv6 cef
ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.111 192.168.1.254
ip dhcp pool DHCPPOOL
import all
network 192.168.1.0 255.255.255.0
domain-name abc.local
dns-server 192.168.10.200 192.168.10.202
netbios-name-server 4.2.2.4
default-router 192.168.1.150
option 202 ip 192.168.1.218
lease 8
ip domain name abc.locol
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip port-map user-port-1 port tcp 5080
ip port-map user-port-2 port tcp 3389
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
parameter-map type urlfpolicy trend cprepdenyregex0
allow-mode on
block-page message "The website you have accessed is blocked as per corporate policy"
parameter-map type urlf-glob cpaddbnwlocparapermit2
pattern www.alc.ca
pattern www.espn.com
pattern www.bestcarriers.com
pattern www.gulfpacificseafood.com
pattern www.lafermeblackriver.ca
pattern 69.156.240.29
pattern www.tyson.com
pattern www.citybrewery.com
pattern www.canadianbusinessdirectory.ca
pattern www.homedepot.ca
pattern ai.fmcsa.dot.gov
pattern www.mtq.gouv.qc.ca
pattern licenseinfo.oregon.gov
pattern www.summitfoods.com
pattern www.marine-atlantic.ca
pattern www.larway.com
pattern www.rtlmotor.ca
pattern *.abc.com
pattern *.kijiji.ca
pattern *.linkedin.com
pattern *.skype.com
pattern toronto.bluejays.mlb.com
pattern *.gstatic.com
parameter-map type urlf-glob cpaddbnwlocparadeny3
pattern www.facebook.com
pattern www.radiofreecolorado.net
pattern facebook.com
pattern worldofwarcraft.com
pattern identityunknown.net
pattern static.break.com
pattern lyris01.media.com
pattern www.saltofreight.com
pattern reality-check.com
pattern reality-check.ca
parameter-map type ooo global
tcp reassembly timeout 5
tcp reassembly queue length 128
tcp reassembly memory limit 8192
parameter-map type trend-global global-param-map
cache-size maximum-memory 5000
crypto pki token default removal timeout 0
crypto pki trustpoint Equifax_Secure_CA
revocation-check none
crypto pki trustpoint NetworkSolutions_CA
revocation-check none
crypto pki trustpoint trps1_server
revocation-check none
crypto pki trustpoint TP-self-signed-3538579429
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3538579429
revocation-check none
rsakeypair TP-self-signed-3538579429
!! CERTIFICATE OMITED !!
redundancy
ip ssh version 2
class-map type inspect match-any INCOMING_VPN_TRAFFIC_MAP
match access-group name REMOTE_SITE_SUBNET
class-map type inspect match-all PPTP_GRE_INSPECT_MAP
match access-group name ALLOW_GRE
class-map type inspect match-all INSPECT_SKINNY_MAP
match protocol skinny
class-map type inspect match-all INVALID_SOURCE_MAP
match access-group name INVALID_SOURCE
class-map type inspect match-all ALLOW_PING_MAP
match protocol icmp
class-map type urlfilter match-any cpaddbnwlocclasspermit2
match server-domain urlf-glob cpaddbnwlocparapermit2
class-map type urlfilter match-any cpaddbnwlocclassdeny3
match server-domain urlf-glob cpaddbnwlocparadeny3
class-map type urlfilter trend match-any cpcatdenyclass2
class-map type inspect match-all cpinspectclass1
match protocol http
class-map type inspect match-any CUSTOMIZED_PROTOCOL_216
match protocol citriximaclient
match protocol ica
match protocol http
match protocol https
class-map type inspect match-any INSPECT_SIP_MAP
match protocol sip
class-map type urlfilter trend match-any cptrendclasscatdeny1
match url category Abortion
match url category Activist-Groups
match url category Adult-Mature-Content
match url category Chat-Instant-Messaging
match url category Cult-Occult
match url category Cultural-Institutions
match url category Gambling
match url category Games
match url category Illegal-Drugs
match url category Illegal-Questionable
match url category Internet-Radio-and-TV
match url category Joke-Programs
match url category Military
match url category Nudity
match url category Pay-to-surf
match url category Peer-to-Peer
match url category Personals-Dating
match url category Pornography
match url category Proxy-Avoidance
match url category Sex-education
match url category Social-Networking
match url category Spam
match url category Tasteless
match url category Violence-hate-racism
class-map type inspect match-any INSPECT_PROTOCOLS_MAP
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol icmp
class-map type urlfilter trend match-any cptrendclassrepdeny1
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
class-map type inspect match-all CUSTOMIZED_NAT_MAP_1
match access-group name CUSTOMIZED_NAT_1
match protocol user-port-1
class-map type inspect match-all CUSTOMIZED_NAT_MAP_2
match access-group name CUSTOMIZED_NAT_2
match protocol user-port-2
class-map type inspect match-any INSPECT_H323_MAP
match protocol h323
match protocol h323-nxg
match protocol h323-annexe
class-map type inspect match-all INSPECT_H225_MAP
match protocol h225ras
class-map type inspect match-all CUSTOMIZED_216_MAP
match class-map CUSTOMIZED_PROTOCOL_216
match access-group name CUSTOMIZED_NAT_216
policy-map type inspect OUT-IN-INSPECT-POLICY
class type inspect INCOMING_VPN_TRAFFIC_MAP
inspect
class type inspect PPTP_GRE_INSPECT_MAP
pass
class type inspect CUSTOMIZED_NAT_MAP_1
inspect
class type inspect CUSTOMIZED_NAT_MAP_2
inspect
class type inspect CUSTOMIZED_216_MAP
inspect
class class-default
drop
policy-map type inspect urlfilter cppolicymap-1
description Default abc Policy Filter
parameter type urlfpolicy trend cprepdenyregex0
class type urlfilter cpaddbnwlocclasspermit2
allow
class type urlfilter cpaddbnwlocclassdeny3
reset
log
class type urlfilter trend cptrendclasscatdeny1
reset
log
class type urlfilter trend cptrendclassrepdeny1
reset
log
policy-map type inspect IN-OUT-INSPECT-POLICY
class type inspect cpinspectclass1
inspect
service-policy urlfilter cppolicymap-1
class type inspect INSPECT_PROTOCOLS_MAP
inspect
class type inspect INVALID_SOURCE_MAP
inspect
class type inspect INSPECT_SIP_MAP
inspect
class type inspect ALLOW_PING_MAP
inspect
class type inspect INSPECT_SKINNY_MAP
inspect
class type inspect INSPECT_H225_MAP
inspect
class type inspect INSPECT_H323_MAP
inspect
class class-default
drop
zone security inside
description INTERNAL_NETWORK
zone security outside
description PUBLIC_NETWORK
zone-pair security INSIDE_2_OUTSIDE source inside destination outside
service-policy type inspect IN-OUT-INSPECT-POLICY
zone-pair security OUTSIDE_2_INSIDE source outside destination inside
service-policy type inspect OUT-IN-INSPECT-POLICY
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 11.22.3.1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set TunnelToCold esp-3des
crypto map TunnelsToRemoteSites 10 ipsec-isakmp
set peer 11.22.3.1
set transform-set TunnelToCold
match address TUNNEL_TRAFFIC2Cold
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description OUTSIDE_INTERFACE
ip address 1.1.1.186 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex full
speed 1000
crypto map TunnelsToRemoteSites
crypto ipsec df-bit clear
interface GigabitEthernet0/1
description INSIDE_INTERFACE
ip address 192.168.1.150 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex full
speed 1000
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.1.217 5080 interface GigabitEthernet0/0 5080
ip nat inside source route-map NAT_MAP interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.216 80 1.1.1.187 80 extendable
ip nat inside source static tcp 192.168.1.216 443 1.1.1.187 443 extendable
ip nat inside source static tcp 192.168.1.216 1494 1.1.1.187 1494 extendable
ip nat inside source static tcp 192.168.1.216 2598 1.1.1.187 2598 extendable
ip nat inside source static tcp 192.168.1.213 3389 1.1.1.187 3390 extendable
ip nat inside source static tcp 192.168.1.216 5080 1.1.1.187 5080 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.185
ip access-list standard LINE_ACCESS_CONTROL
permit 192.168.1.0 0.0.0.255
ip access-list extended ALLOW_ESP_AH
permit esp any any
permit ahp any any
ip access-list extended ALLOW_GRE
permit gre any any
ip access-list extended CUSTOMIZED_NAT_1
permit ip any host 192.168.1.217
permit ip any host 192.168.1.216
ip access-list extended CUSTOMIZED_NAT_2
permit ip any host 192.168.1.216
permit ip any host 192.168.1.212
permit ip any host 192.168.1.213
ip access-list extended CUSTOMIZED_NAT_216
permit ip any host 192.168.1.216
ip access-list extended INVALID_SOURCE
permit ip host 255.255.255.255 any
permit ip 127.0.0.0 0.255.255.255 any
ip access-list extended NAT_RULES
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended REMOTE_SITE_SUBNET
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ABM
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Bridgewater
permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookDispatch
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookETL
permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookTrailershop
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Moncton
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2MountPearl
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Ontoria
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended WEB_TRAFFIC
permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 10 permit 192.168.1.0 0.0.0.255
route-map NAT_MAP permit 10
match ip address NAT_RULES
snmp-server community 1publicl RO
control-plane
line con 0
logging synchronous
login authentication NONE_LOGIN
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class LINE_ACCESS_CONTROL in
exec-timeout 30 0
logging synchronous
transport input all
scheduler allocate 20000 1000
ntp server 0.ca.pool.ntp.org prefer
ntp server 1.ca.pool.ntp.org
endHi,
I know this is for a different platform but have a look at this link:
https://supportforums.cisco.com/thread/2089462
Read through it to get some idea of the similarity, but in particular note the last entry almost a year after the original post.
I too am having trouble with http inspection, if I do layers 3 & 4 inspection there is no issue whatsoever, but as soon as I enable layer 7 inspection then I have intermittent browsing issues.
The easy solution here is to leave it at layers 3 & 4, which doesn't give you the flixibility to do cool things like blocking websites, IM, regex expression matching etc... but in my opinion I just don't think these routers can handle it.
It appears to be a hit and miss affair, and going on the last post from the above link, you might be better off in having the unit replaced under warranty.
The alternative is wasting a lot of time and effort and impacting your users to get something up and running that in the end is so flaky that you have no confidence in the solution and you are then in a situation where ALL future issues users are facing MIGHT be because of this layer 7 inspection bug/hardware issue etc?
I would recommend you use the router as a frontline firewall with inbound/outbound acl's (no inspection), and then invest a few $ in getting an ASA dedicated firewall (but that's just me ) -
Hi i want to block on an ap where wlan clients are connected, dhcp server from the clients. bc the clients are getting the ip from my dhcp server. but when he also starts an dhcp server i ahve two server in my wlan. so i want to block dhcp ports on my ap.
i have tried it:
i made an port filter: port 67 and 68 (bootp server and client) then i places the filter on RADIO recive site. but then the client doenst get an ip. so i tried it only with port 67 or 68 it also doesnt work.
hope anybody can help me with this issue.
regards BernhardDHCP client requests are sent from DHCP client (68) to server's DHCP server port (67). Server replies using port 67 to client's port 68. All above are UDP obviously. So to block rogue DHCP servers put an input ACL 'deny any eq 68 any' to AP radio interface and this should work. Also remember that DHCP client for initial message exchanges uses 0.0.0.0 as src IP and 255.255.255.255 as dest IP so do not replace 'any' with your IP subnets. Hope this helps.
Maybe you are looking for
-
An error occured while trying to access the service
i'm continually having issues with trying to convert my files from PDF to excel. I keep on getting the error message "An error occured while trying to access the service" with no real explanation as to what is wrong. I've tried several times on sev
-
some one can help me please i have no idea what i must to do. an unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
-
New to the apple world. I migrated the itunes Music Folder from my wife's macbook to mine - using Migration assistant - do I need to aim iTunes at the folder to import - or is iTunes way more clever than I , and just do this for me. Thanks for your
-
Photoshop CC doesn't allow painting on fill layer
I just installed photoshop CC and wanted to continue working on my old photoshop files (which I previously edited with photoshop CS3 and photoshop 7). I use a lot of fill layers to color my drawings because they are easier to edit later. Things is, i
-
Why RW2 & DNG versions of the same RAW picture look much different?
Dears! RAW format for my camera is RW2. I used conversion of RW2 files into DNG to process it in Ps. When previewing pictures in IRFAN VIEW I noticed that RW2 and DNG versions of the same picture (before any processing) are quite different. RW2 one i