Dropping unknown session - Firewall

Similar Messages

• Firewall Dropping Packets - %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.

  Hi,
  Can anyone explain this error and what is a stray Segment with the IP ident 46866. I can't seem to find this error on the Cisco web site the only bug appears to be to do with Zone firewalls. I have an 877 Router on a remote site configured with IPSEC and a Tunnel back to the main office and I'm getting reported connection issues to network drives on servers located local to the LAN and on the headend LAN. Can't seem to find any other errors apart from this one.
  %FW-6-DROP_PKT: Dropping tcp session X.X.X.X X.X.X.X due to
  Stray Segment with ip ident 46866 tcpflags 0x5010 seq.no 1237259566 ack 3465174792
  If any one could help or point me in the right direction that would be great. Failing that I'm jumping off this building.
  Ta
  Jim

  This may help:
  Caveat "CSCsj30582"
  http://www.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html
  Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.
  Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.
  For example:
  class-map type inspect match-any cm-esp match access-group 100
  policy-map type inspect in2out class type inspect cm-esp pass
  access-list 100 permit esp host 10.0.0.2 host 10.1.1.2 access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
  Workaround: Configure the access list so that the source is "any", for example:
  access-list 100 permit esp any host 10.1.1.2 access-list 100 permit esp any host 10.0.0.2
  First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".
  Further Problem Description: If an explicit deny rule is added to the above example, for example:
  access-list 100 permit esp host 10.0.0.2 host 10.1.1.2 access-list 100 permit esp host 10.1.1.2 host 10.0.0.2 access-list 100 deny esp any any
  Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:
  Router# show access-lists 100
  Extended IP access list 100 10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches) 20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches) 30 deny ip any any (1 match)

• CM Services stand alone (Unknown session NWDI and grey components in NWDS)

  Hello.
  We are trying to configure NWDI in portal 7.3  using the following document http://scn.sap.com/docs/DOC-14706 however when Im trying the syncrhonize step (page 22)  it shows me an error HTTP 400 Unknown session wherever I click in the sync page.
  I dont know if it's because of this missing step but when I import this in NWDS the dependencies are empty and when I try to create a develpment it shows me greyed components with the mistake ( Software component does not support this development component type. Required DCs are located in an SC that is not visible from the selected one.). If any more information needed please ask me.
  Thanks in advance.
  Alex.

  Thank you !!! it seems that is solved now, it shows me some components good to go, eventhe less When I try to create a Wevdynpro it says "Support component (ACH) for vendor ''sap_com'' is required" Could it be because of some missing DC ?
  Great answer thank you !!https://service.sap.com/sap/support/notes/1536755
  BTW that note lead me to this other one where I found this part that made the trick
  Note 1536755 - DC type is grayed out.
  What can be done?
  Check in SLD if references from the developed SC to the found required SCs
  exist. Create them if they are missing. . Update the corresponding track in CMS
  by first syncing current dependencies from SLD to CMS  ("Update CMS" in CMS UI
  Landscape Configurator - Domain Data) and then adapting the track in "Track
  Data" by  using "Synchronize SC Dependencies" - "Show Software Components out of
  sync with SLD", select all SCs shown as out of sync and press "Accept SLD
  Definition" and then save the track.  Switch to Transport Studio in CMS WebUI
  and check in and import the corresponding SCA files. After that update the
  development configuration in NWDS.

• Unknown Session Problem in FPN.

  Hi All,
  Currently we implemented our Webdynpro Java Application in Federated Portal Network. In that portal we are using Multiple Environment with Multiple Roles and tht Application also Configured with one Role. While navigating from one Environment to another Environment.We are Facing Unknown Seesion Issue. This happens while navigating the tabs or Click on some Buttons in that Webdynpro Application. Kindly Suggest Some Solution to avoid unknown Session Issue in FPN.
  Edited by: Karthick Vijayakumar on Jan 25, 2012 6:37 AM

  Hello Flo,
  since this thread is 2 years old, I sure hope for Karthick, that the problem was solved.
  If you have a similar issue, you should open a thread of your own and include the information, Mahendran was asking in this one and information about your portal versions, so that the other users can help you.
  Regards,
  Steffi.

• Error code:10000004 error:Unknown session

  Dear Expert
       When i am open sales analysis by customer report then these system message occur " Error code:10000004 error:Unknown session"..
                so please find these error and immediate reply.......
  Thanks & Regards
  Ashish Singh

  Dear Ashish,
  Please check the thread : Re: Addon connection error on 64-bit system ( windows 2008) , might be useful for you.
  Regards
  Arshdeep Singh Makker

• Error 100000004 Unknown Session when Company change on Addon

  I am experiencing in some customers error "100000004 unknown session", when customer changes company, and Addon has to be reloaded in automatic mode.
  Addon is developed under VB.Net running B1 SP00 and SP01 version.
  error is aleatory, do not occur always.
  Error is trigged when trying to connect DI-API under single sign on mode.
  Somebody has any information of what can be causing this error ??
  Thanks in advance,
  WIllie Ballesty

  Hi!
  I don't know what may be causing this error to you, I eventually get it once in a month or something. When it appears more than three or four times in a row, reinstalling the SBO client helps a lot.
  By the way, have you tried to remove the temp folder the diapi is creating? maybe it has gotten corrupted
  Hope it helps;
                      Jon Arranz

• "Failed to Process Request. Request refers to an unknown session" - Error

  We have several BPM WDJ applications ( NW 7.2 ) and our users are getting "Failed to Process Request. Request refers to an unknown session" errors constantly.
  It appears to have something to do with session timeouts. However, we have set all potential timeouts, but still having issues.
  We have turned off all pop-up blockers etc..

  Hi, all:
  I use dialog before wdFireComplete method than show the error message.
  I fixed the program and solved my issue.
  FYI.

• 400 Session Not Found, Failed to process the request: Request refers to an unknown session.

  Dear Team,
  NW 7.3
  SRM 7.02
  We are facing the following error, whenever we try to "Transfer all" material from MDM catalog to SRM shopping cart.
  400  Session Not Found
  SAP NetWeaver Application Server/Java AS
  Failed to process the request: Request refers to an unknown session
  Entries in the  Define External Web Services.  as follows..
  Please find the attached Java components list in "srm_components.txt" and the detailed error description in "MDM_400_error.txt" document.
  Please help on this.
  Regards
  Amit...

  Dear Experts,
  Any suggestions ???
  Regards
  Amit...

• VPN SA rekey drops oracle sessions

  Hello
  We have had this issue for sometime now.  We have solved it for numerous sites with dedicated L2 connections but for some outstanding sites with s2s VPN tunnels (asa to asa) we still run into it.
  Basically when the VPN rekey's the SA (sametime everyday) all Oracle sessions are dropped.  The tunnel stays up and the user stays connected but the oracle sessions ALWAYS drops.  I cant for the life of me find a way to stop this from happening and it only happens with Oracle.   It happens to both remote vpn clients and vpn tunnels.
  Does anyone have any idea what I can do to pinpoint or log the problem from the ASA's?

  Hello,
  I have something similar with ica/metaframe connection.
  Any help will be appreciated.
  Regards
  Sent from Cisco Technical Support iPad App

• Can i capture a network package and modify it?or drop it like firewall?

  how can i do that?
  jnetcap? or some others?

  Jnetcap and the various versions of Jpcap are all based on libpcap which doesn't have any facility for dropping packets. I'm not aware of any way of doing that in Java short of writing an operating-system-specific protocol stack driver in a native language and using Java+JNI to communicate with it.
  You're much better off investigating the existing firewall products and freebies than trying to shoehorn Java into this.

• PL/SQL to create a temp table that will be dropped after session ends

  Is it possible in PL/SQL to create a temp table that will be dropped after the session ends? Please provide example if possible. I can create a global temp table in PL/SQL but I am not sure how (if possible) to have it 'drop' once the session ends.
  DB: 10g
  OS: Wiindoze 2003 Server
  :-)

  As others have mentioned (but probably not clearly explained), Oracle treats temporary tables differently to SQL Server.
  In SQL Server you create a temporary table and it gets dropped (automatically I assume, I dont do SQL Server) after the session finishes. This will obviously allow each session to "request" a temporary table to use, then use it, and not have to worry about cleaning up the database after the session has finished.
  Oracle takes a different approach...
  On the assumption that each session is likely to be creating a temporary table for the same purposes, with the same structure, Oracle let's you create a Global Temporary Table a.k.a. GTT (which you've already come across). You only have to create this table once and you leave it on the database. This then means that any code written to use that table doesn't have to be dynamic code and can be verified and checked at compile time, just like code written for any other table. The difference of a GTT from a regular table is that any data you put into that table can only be seen by that session and will not interfere with any data of other sessions and, when you either commit, or end the session (depending on the "on commit delete rows" or "on commit preserve rows" option used when creating the GTT), that data from your own session will automatically be removed and hence the table is cleaned up that way, whilst the actual table itself remains.
  Some people from SQL Server backgrounds try and create and drop tables dynamically in their PL/SQL code, but this leads to problems...
  SQL> ed
  Wrote file afiedt.buf
    1  begin
    2    execute immediate 'create table my_temp (x number)';
    3    insert into my_temp values (1);
    4    execute immediate 'drop table my_temp';
    5* end;
  SQL> /
    insert into my_temp values (1);
  ERROR at line 3:
  ORA-06550: line 3, column 15:
  PL/SQL: ORA-00942: table or view does not exist
  ORA-06550: line 3, column 3:
  PL/SQL: SQL Statement ignoredi.e. the code will not compile for direct DML statements trying to use that table.
  They then try and get around this issue by making their DML statements dynamic too...
  SQL> ed
  Wrote file afiedt.buf
    1  create or replace procedure my_proc is
    2  begin
    3    execute immediate 'create table my_temp (x number)';
    4    execute immediate 'insert into my_temp values (''A'')';
    5    execute immediate 'drop table my_temp';
    6* end;
  SQL> /
  Procedure created.... which looks great and it compiles ok... but... when they try and run it...
  SQL> exec my_proc;
  BEGIN my_proc; END;
  ERROR at line 1:
  ORA-01722: invalid number
  ORA-06512: at "SCOTT.MY_PROC", line 4
  ORA-06512: at line 1... oops the code has a bug in it. Our DML statement was invalid.
  This is really something that would have been caught at compile time, if the statement had been a direct DML statement rather than dynamic. And thus we see the problem with people trying to write all their code as dynamic SQL... it's more likely to contain bugs that won't be detected at compile time and only come to light at run time... sometimes only under certain conditions and sometimes once it's got into a production environment. Bad Idea!!!! ;)
  Far better to never create tables (or most other database objects) at run time. Just create them once as part of the database design/implementation and use them as required, allowing you to catch the most common coding errors up front before they get anywhere near a test environment or worse still, a production environment.

• SCCP Unknown sessions

  We have a problem where the SCCP get stuck in 'UNKNOWN' / 'inactive' state. we run 'show sccp conn' command to check it manually. Looking for a script where we check for 'UNKNOWN' / 'inactive' sessions every hour, if there are 'n' number of sessions, then it would send out SNMP trap. Example output shown from 'sh sccp conn' command -
  #sh sccp conn
  sess_id    conn_id      stype mode     codec   sport rport ripaddr conn_id_tx
  53645003   50656921     conf  inactive UNKNOWN 31106 0     UNKNOWN
  53667104   50665149     conf  inactive UNKNOWN 16976 0     UNKNOWN
  53671501   50666736     conf  inactive UNKNOWN 32456 0     UNKNOWN
  Total number of active session(s) 3, and connection(s) 3
  Thanks in advance...totally new to EEM scripting.....

  thanks Joseph, it works. The only difference I had to make was the following to match my requirements, thanks a lot to you and this forum.
  event manager applet sccp_watch
  event timer watchdog time 3600
  action 1.0 cli command "enable"
  action 2.0 cli command "show sccp conn"
  action 3.0 set i 0
  action 4.0 foreach line $_cli_result "\n"
  action 4.1  regexp inactive $line
  action 4.2  if $_regexp_result eq 1
  action 4.3   increment i 1
  action 4.4  end
  action 4.5 end
  action 4.6 if i ge N
  action 4.7  snmp-trap strdata "The number of inactive SCCP sessions are $i"
  action 4.8 end

• Toruble with dropped ARD sessions requiring a logout to fix

  I am having a major problem with ARD on my work Mac. It is a Rev A Intel iMac 17" running the latest ARD client.
  I was given the ARD admin to take home for telecommuting which I have installed on my PowerMac G5. I connect to my work Mac through a Cisco VPN (this VPN software is very buggy)
  Far too frequently while I am connected to the Intel iMac (curtained) I suddenly lose connection to the Mac. Whatever was on my screen at the time freezes in my ARD window. Closing the session reveals that the iMac still has a Locked Screen. I can unlock the screen but can never connect to it unless I log out. I've tried using the shell command kickstart to restart the ARD client and a variety of other things trying to bring it back but that actually causes much more damage and usually results in the need for a hard reboot (power cycle).
  The problem only seems to (or most frequently) occur when Mail is open. If I leave it closed I don't see this problem (maybe very rarely if ever). Of course without access to email what good is ARD in my situation? Other than that there doesn't seem to be any pattern.
  Anyone have any ideas? Need help badly!
  Josh

  Far too frequently while I am connected to the Intel
  iMac (curtained) I suddenly lose connection to the
  Mac. Whatever was on my screen at the time freezes
  in my ARD window. Closing the session reveals that
  the iMac still has a Locked Screen. I can unlock the
  screen but can never connect to it unless I log out.
  To clarify I must logout of the remote machine to enable a new ARD connection.
  I can use Manage -> Logout Current User in the admin. So most of the remote option are still functional just not a full Control.

• Airtunes failes in 10.4.11 with -3256 unknown error - firewall not blocking

  Until this morning I was able to connect to three remote airtunes speakers from my MBP running the latest iTunes. I'm on 10.4.11, and the firewall is configured to allow both UDP and the iTunes Music sharing.
  Any idea what's changed?

  I have exactly the same problem on OSX 10.4.11 and Safari 3. Outgoing traffic from Safari 3 is blocked to some non-standard ports, including port 563 that I need to use. I get the same error message as the first poster.
  Firewall doesn't help - firewall talks about INCOMING connections, while the problem with Safari 3 and ports is about OUTGOING connections.
  This is very similar to what Firefox is doing. Firefox also blocks connections to "nonstandard" ports, but in Firefox, you can manually override it in configuration by going to "about:config" and changing the value of option "network.security.ports.banned.override" and manually entering the port values that you want to access. It then works. (See http://kb.mozillazine.org/Network.security.ports.banned.override for more info.)
  In case of Safari 3, I don't see an easily-accessible UI option to enter nonstandard port numbers in some sort of whitelist. So you can say that as of now, if you want to use Safari 3 to access a web app running on some nonstandard port, you just can't do that? Or is there a way in the UI or elsewhere to edit the port whitelist/blacklist?

• ASA drop upload session

  Hi, I have asa with policy map below when ever anybody wants to upload large file it drops after some time, since i have multiple services i exclude ip of upload server from access-list and then evrything works normally i want to add and fine tune the below policy map
  tcp-map tcp-NORM_Map
    check-retransmission
    checksum-verification
    exceed-mss drop
    queue-limit 5 timeout 3
    syn-data drop
    window-variation drop-connection
  policy-map CONNS_policy
  class CONNS_Class
    set connection conn-max 1500 embryonic-conn-max 200 per-client-max 10 per-client-embryonic-max 15
    set connection timeout embryonic 0:00:45 half-closed 0:05:00 tcp 0:10:00 reset dcd 0:00:20 3
    set connection advanced-options tcp-NORM_Map

  Hi,
  Have you gathered any firewalls logs or traffic capture data from the dropped connections?
  Are you sure that the TCP Map setting of "window-variation drop-connection" is not doing this to your connections? If this setting simply refers to a situation where the window size is changed and because of that dropped I would imagine large transfers will get dropped as I imagine the window size changed during the transfer.
  Does the command "show service-policy" provide any information?
  - Jouni