Encryption Fails during System Check
I am doing an enterprise rollout of BitLocker and out of the thousands that have been prompted and successfully encrypted, I have two that fail during the system check (Power Cable and CD/DVD). BitLocker thinks that there is a disc in the drive, when there is nothing in the drive (no mounted ISO either). I have at least 1000 more that have yet to be encrypted, so it is likely that I will bump into this again. I can't find anything in the Service & App logs that explains what is happening.
Does anyone have a solution to this?
Hi Hoosierdaddy42,
In the article "BitLocker Drive Encryption in Windows 7: Frequently Asked Questions" under the heading 'What causes BitLocker to start into recovery mode when attempting to start the operating system drive?' one of the items listed is:
Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
There are other things on that list that may be related.
Hope this helps,
David
Similar Messages
-
Hello,
I'm hoping someone can assist. I have an image that was working but the built-in admin account was disabled. I went into the image and enabled the account and set a password. I ran sysprep and capture. Now, when I try to deploy either image, it installs the OS, reboots and then sits at a login (does not go into the admin account to continue). I login and I notice that LTIBootstrap.vbs is sitting on the root of C: along with the Minint folder and other MDT folders. I have MDT on 2 servers and they both do the same thing. Unattend.xml in c:\minint has the correct local admin/password.
Customsettings.ini:
[Settings]
Priority=Default
Properties=MyCustomProperties
[Default]
DeployRoot=\\ourserver\D$\DeploymentShare$
ComputerBackupLocation=Network
Home_Page=http://home
OSInstall=Y
SkipAdminPassword=YES
SkipApplications=YES
SkipAppsOnUpgrade=YES
SkipBDDWelcome=YES
SkipBitLocker=YES
SkipComputerName=YES
OSDComputerName=HDQ-%SerialNumber%
SkipComputerBackup=YES
SkipDeploymentType=YES
SkipDomainMembership=YES
JoinDomain=OurDomain
DomainAdmin=xxxx(Account with Join domain rights)
DomainAdminDomain= Our Domain
DomainAdminPassword=Password for account
SkipAdminAccounts=YES
SkipFinalSummary=NO
FinishAction=Reboot
SkipLocaleSelection=YES
KeyboardLocale=en-US
UserLocale=en-US
UILanguage=en-US
SkipPackageDisplay=YES
SkipProductKey=YES
SkipSummary=No
SkipTaskSequence=NO
SkipTimeZone=YES
TimeZoneName=Eastern Standard Time
SkipUserData=YES
EventService=http://OurServer:9800
[Settings]
Priority=Default
[Default]
DeployRoot=\\OurServer\D$\DeploymentShare$
UserID=account to join to domain
USerDomain=Our Domain
UserPassword=Account password to join domain
Any help would be greatly appreciated.
Thanks
Rick
BDD.LOG
<![LOG[ZTINextPhase COMPLETED. Return Value = 0]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="ZTINextPhase" context="" type="1" thread="" file="ZTINextPhase">
<![LOG[ZTINextPhase processing completed successfully.]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="ZTINextPhase" context="" type="1" thread="" file="ZTINextPhase">
<![LOG[Event 41001 sent: ZTINextPhase processing completed successfully.]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="ZTINextPhase" context="" type="1" thread="" file="ZTINextPhase">
<![LOG[Command completed, return code = -2147021886]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
<![LOG[Property LTIDirty is now = FALSE]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
<![LOG[If there is a drive letter defined, make sure we clear it now so we can *force* recalcutation.]LOG]!><time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
<![LOG[Property OSDTargetDriveCache is now = DIRTY]LOG]!><time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
<![LOG[LTI initiating task sequence-requested reboot.]LOG]!><time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
<![LOG[Event 41017 sent: LTI initiating task sequence-requested reboot.]LOG]!><time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
Hi Rick,
To my understanding, sysprep, and more specifically the "generalize" step, will make sure all personalized information is removed before entering the capture mode.
I'm aware additionally created accounts will be preserved, but I can't tell you about the built-in administrator account.
The first thing that comes to mind is that your Build task sequence uses an Unattend.xml, just the same as your Deploy task sequence does.
Assuming that you don't do anything you haven't mentioned with the account in the task sequence, like renaming the admin account or setting a different password during the task sequence, cross-checking both your Unattend.xml files would be a good place to start.
Also, it is known that Windows allows the machine to be auto logged on a couple of times. So please check if this isn't also the case. See this link for more info: http://support.microsoft.com/kb/324737
Lastly, if all else fails, you can set the account enabled, and a password, by command line, but this should only be done as a temporary workaround. See these links for more information: http://support.microsoft.com/kb/251394 and http://social.technet.microsoft.com/wiki/contents/articles/3040.enable-disable-the-local-hidden-built-in-administrator-account-in-windows-7.aspx
Good luck!
If this post is helpful please click "Mark for answer", thanks! Kind regards -
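The BDD.LOG excerpt in Rick's post is in the CMTrace record format that MDT and ConfigMgr write (message, then a tag with time, date, component, severity type and file). As an added example, not code from the thread or from MDT, the Python below parses that format (including a record whose tag has been wrapped onto a second line, as one is above) and decodes the signed return code MDT prints into its HRESULT and, for FACILITY_WIN32 values, the underlying Win32 error code. The sample records are constructed from the excerpt; the small Win32 name table is my own selection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One CMTrace/MDT record: <![LOG[message]LOG]!><time="..." date="..." component="..."
# context="..." type="N" thread="..." file="...">. The tag may be wrapped across
# lines by a viewer or a copy/paste, so whitespace between attributes is \s+.
RECORD_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d+)"\s+thread="[^"]*"\s+file="[^"]*">',
    re.DOTALL,
)
RETURN_CODE_RE = re.compile(r"return code = (-?\d+)", re.IGNORECASE)

SEVERITY = {1: "info", 2: "warning", 3: "error"}  # CMTrace 'type' values

# Win32 error codes worth recognising when an MDT step reports a HRESULT (my own short list).
WIN32_NAMES = {
    0: "ERROR_SUCCESS",
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1603: "ERROR_INSTALL_FAILURE",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED",
}


@dataclass
class LogRecord:
    message: str
    time: str
    date: str
    component: str
    severity: str
    return_code: Optional[int]


def decode_return_code(code: int) -> dict:
    """Interpret the signed 32-bit integer MDT logs as an HRESULT. For FACILITY_WIN32
    (facility 7) values the low 16 bits are the underlying Win32 error code."""
    hresult = code & 0xFFFFFFFF
    failed = bool(hresult & 0x80000000)
    facility = (hresult >> 16) & 0x1FFF
    info = {"hresult": f"0x{hresult:08X}", "failed": failed, "win32": None, "name": None}
    if hresult == 0:
        info["win32"], info["name"] = 0, WIN32_NAMES[0]
    elif failed and facility == 7:
        win32 = hresult & 0xFFFF
        info["win32"], info["name"] = win32, WIN32_NAMES.get(win32, "unknown Win32 error")
    return info


def parse_log(text: str) -> List[LogRecord]:
    """Extract every CMTrace record from raw log text (records may span lines)."""
    records = []
    for m in RECORD_RE.finditer(text):
        rc = RETURN_CODE_RE.search(m.group("message"))
        records.append(LogRecord(
            message=m.group("message").strip(),
            time=m.group("time"),
            date=m.group("date"),
            component=m.group("component"),
            severity=SEVERITY.get(int(m.group("type")), "unknown"),
            return_code=int(rc.group(1)) if rc else None,
        ))
    return records


def nonzero_return_codes(records: List[LogRecord]) -> List[dict]:
    """One row per record that reports a non-zero return code, with the decoded HRESULT."""
    return [
        {"component": r.component, "time": r.time, "code": r.return_code, **decode_return_code(r.return_code)}
        for r in records if r.return_code not in (None, 0)
    ]


# Constructed sample modelled on the BDD.LOG excerpt above; the third record is
# deliberately wrapped across two lines, as it appears in the thread.
SAMPLE_LOG = (
    '<![LOG[ZTINextPhase COMPLETED. Return Value = 0]LOG]!><time="14:10:58.000+000" date="01-13-2014" '
    'component="ZTINextPhase" context="" type="1" thread="" file="ZTINextPhase">\n'
    '<![LOG[Command completed, return code = -2147021886]LOG]!><time="14:10:58.000+000" date="01-13-2014" '
    'component="LiteTouch" context="" type="1" thread="" file="LiteTouch">\n'
    '<![LOG[If there is a drive letter defined, make sure we clear it now so we can *force* recalcutation.]LOG]!>'
    '<time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread=""\n'
    'file="LiteTouch">\n'
    '<![LOG[LTI initiating task sequence-requested reboot.]LOG]!><time="14:10:59.000+000" date="01-13-2014" '
    'component="LiteTouch" context="" type="1" thread="" file="LiteTouch">\n'
)

if __name__ == "__main__":
    for row in nonzero_return_codes(parse_log(SAMPLE_LOG)):
        print(row)
```

On the sample this reports the one non-zero code in the excerpt, -2147021886, as HRESULT 0x80070BC2, i.e. Win32 error 3010 (ERROR_SUCCESS_REBOOT_REQUIRED), which agrees with the task-sequence-requested reboot logged immediately after it rather than pointing at a failure; a genuine error would decode to something like 0x80070005 (access denied). Point `parse_log` at the contents of a real BDD.LOG to get the same table for a whole deployment.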
What happens when HTTPS communication fails during certificate check?
Hello Experts,
I have a scenario where a BAPI functionality (server proxy) is exposed as a web service.
So scenario will be SOAP -> XI -> Proxy (calls a BAPI)
Here we are going to use HTTPS (SSL).
I would like to know :
What happens when a check for certificate validation fails in XI? It may be due to an invalid certificate, an expired certificate or a request from an unauthorised user:
- Will it be raised as an exception, and do we need to do some configuration to report it back to the sender?
- Will the message fail in Moni with a red flag?
- Will alerts be created?
Please share your experiences and expert suggestions.
Thanks in Advance!!
Regards,
XI Queries.
Hi Abhishek,
Thanks for the reply. I will keep this in mind and design the scenario & error handling accordingly.
Appropriate points awarded
Kind regards,
Xi Queries. -
CS3 Setup System Check states that Safari is open when it is closed
Running Setup under OSX, and during System Check, alert states that "Installation cannot continue until the following applications are closed: Safari".
I have verified that Safari is closed, and no other users logged on, but cannot satisfy this prompt.
Closing Programs Interfering with Installation
PC - Task Manager: (CTRL-ALT-Delete) http://support.microsoft.com/kb/323527
Mac - Activity Monitor: http://osxdaily.com/2010/08/15/mac-task-manager/
Error "Installation cannot continue until... Adobe Bridge is closed" | Installation | CS5
http://helpx.adobe.com/creative-suite/kb/error-installation-cannot-continue-bridge.html -
During system checks, a Basis administrator will check Buffer swaps under Export/Import Hit ratio, programs etc. What is the importance of checking these?
Hi,
Normally in SAP the buffers are used to store SAP objects/data from the DB. This is done for easy access to the data when users need it; it helps to increase the performance of the system by decreasing the I/O of the system. That is, when the user requests data, the work process first checks the buffers for the data requested by the user; if it finds it there, it returns the data to the user, thereby increasing the speed of access and in turn the performance. If the data is not found in the buffer, a physical access to the DB is made, thereby increasing the response time and lowering the performance. After the data is fetched and returned to the user, a copy of the data is put into the buffer; this helps to speed up access when some other user requests the same data, as said above.
This mechanism works when you have an adequate buffer size. If your buffer size is very small, the data put into the buffer will be pushed out to accommodate the new data; the red colour indicates the number of objects swapped out from the buffer to accommodate new objects in the buffer.
In your case the buffers need to be increased to accommodate more objects in them. Keep in mind that performance tuning needs more analysis and skill.
Changing buffer parameters involves more calculations and might lead to poor performance if done wrongly, or prevent the system from starting, since you have to restart the system in order to make the profile parameters related to buffers active.
Please check the below links
http://help.sap.com/saphelp_nw04/helpdata/en/c4/3a6e98505211d189550000e829fbbd/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/EN/02/9625e3538111d1891b0000e8322f96/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/EN/bc/4a813b680c250fe10000000a114084/content.htm
Regards,
Ravi -
Always failed during operating system checking while installing NetWeaver.
I have installed NetWeaver Composition Environment Sneak Preview - Java EE only, but it always fails during the operating system check. Does this version not support Windows XP Professional SP2? This is the most widely used Windows version.
I checked the instructions and confirmed that it does support Windows XP Professional (SP2):
System Requirements
Windows XP Professional (Service Pack 2) or Windows 2003 Server (Service Pack 1)
This version runs on Windows XP (SP2) with password accounts and Windows Server 2003 (32bit)
NTFS file system
Microsoft Internet Explorer 6.0 or higher, or Firefox 1.0 or higher
Min. 1 GB, recommended 2 GB RAM
7 GB free hard disc space
Download file 1.8 GB
1.5 GHz PC or higher
Monitor 1024x768 pixels or more, 256 colors
Internet access (for CE online documentation)
If no DHCP server is available on your network (which dynamically determines the IP address) or your computer is not connected to any network, you need to install the virtual interface adapter MS Loopback Adapter.
To use SAP Interactive Forms by Adobe, you must install the necessary credential file and activate it using a unique password. Download the latest credential and password from SDN -
Recovery failed during homogeneous system copy MaxDB 7.7 Red Hat 5.4 ECC 6.0
Hi all,
Actually I have one Development Server with ECC 6.0 + MaxDB 7.7 database, OS Red Hat 5.4.
Please help us with what username and password we can give.... I am from an Oracle background so I am a newbie in MaxDB.
Source System
ECC 6.0
OS Redhat 5.4
SAPSID WIA
Target system
ECC 6.0
OS Redhat 5.4
SAPSID WID
Now I am going to create a Quality Server for my landscape using the homogeneous system copy option in the target machine, and I have taken a database backup (offline backup) also.
But during system copy it is asking for database recovery. For recovery I am using the DATABASE MANAGER TOOL (DBMGUI 7.6 MaxDB) but it is asking for IP, DB name, username and password.
I have given the IP and DB Name but don't know the username and password for the target machine SAPSID,
because at the time of system copy it asked for database recovery before the "create database users" phase.
I checked with xuser list from the command line and it is showing no values.
Tried with the username and password given at OS level and the password for the source system, but no luck.
So what to do.....
Please help
Hi,
thanks for your reply.
I am sahil garg, and user amkum82 and I are both working on the same issue.
We are both from an Oracle background. Newbies in MaxDB.
We are following note 129352 for homogeneous system copy.
2. Target system:
b) Restore:
Before the restore, you must initialize the target instance. This initialization formats the log area. Data volumes are only formatted if they are not configured as raw devices and are not available in the configured size.
We don't know how to create an instance for the target system in MaxDB for homogeneous system copy. Could you please help us out with what steps need to be executed for this.
Thanks Regards,
Sahil -
The user name or password is incorrect in the CRM system checks during installation
Hi everyone
I'm installing CRM 2013 on 2 servers (server 2012) - CRM Full server + SQL Server 2012.
I created 2 service accounts for this - CRMSVC + CRMSANDBOX (one for sandbox and another one for all the rest).
I'm getting the following error in the system checks during setup:
I've verified a billion times that the service accounts and passwords are valid - I even tried using different service accounts - same problem. For now I also added the service accounts to the local admins groups just to be sure that it's not some permissions issue (I also added them to the 'log on as service' & performance logs groups).
If I try to use NETWORK SERVICE instead of a service account - the installation goes through flawlessly - no issues at all.
I'm also gonna say that I tried another installation on a fresh server - SAME ISSUE.
So for now my ideas are either it's a GPO somehow blocking the service accounts - or some kind of other security issue.
I also found out that the security event log shows these two errors when these show up in the system checks:
Inside I found a 'NULL SID' entry - it does not recognize the service accounts - and 0xC0000064 in the Sub Status Codes.
It's not a typo issue so don't bother - if I write a wrong password on purpose - it actually says that the password I typed for domain\service account is incorrect - here it seems that the service account is not being recognized.
Any ideas anyone?
Thanks
Please vote if you find my post helpful - Thanks
Not sure you understood my point.
The installation process necessarily runs under the account of the installing user. The installation will query AD to identify information about the service accounts, and will add them to the relevant CRM AD groups. It is possible that the installing user
account does not have sufficient privileges on the AD objects for the service accounts to be able to identify them, and to add them to groups. This scenario is consistent with the errors that you get, and also with being able to install CRM to run under NetworkServices
(which doesn't have its own AD object)
Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk
Hi David
I understand this, but as far as I know running it under NETWORK SERVICE will add the machine names to the OU security groups - hence the user installing still needs to have delegated permissions on that OU. Anyway, as mentioned above - ignoring the checks and running the installation solved this and also added the accounts to the security groups - so this whole mess looks like some bug to me - not sure I will ever find out what it was :)
Please vote if you find my post helpful - Thanks -
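The Security log detail the original poster describes (event 4625 with a NULL SID and Sub Status 0xC0000064) is the part of that thread worth being able to read quickly, because the Sub Status NTSTATUS says whether the account name was never resolved or a real account was refused. As an added example, not code from the thread or from Microsoft, the Python below takes 4625 events in the layout of an Event Viewer text export, decodes the Sub Status and tallies failures per account. The sample events are constructed (the CORP domain, SIDs and the "setupadmin" caller are invented; the account names follow the thread) and the triage hints are my own notes, not anything the thread establishes.

```python
import re
from collections import defaultdict
from typing import Dict, List

# NTSTATUS values seen in the "Sub Status" field of Security event 4625 (logon failure).
SUB_STATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER: the account name does not exist or was not resolved",
    0xC000006A: "STATUS_WRONG_PASSWORD: account exists, password is wrong",
    0xC000006D: "STATUS_LOGON_FAILURE: generic logon failure",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS: logon outside permitted hours",
    0xC0000070: "STATUS_INVALID_WORKSTATION: logon from this workstation not permitted",
    0xC0000071: "STATUS_PASSWORD_EXPIRED: password expired",
    0xC0000072: "STATUS_ACCOUNT_DISABLED: account disabled",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC: clock skew with the domain controller",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED: logon right (e.g. log on as a service) not granted",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED: account expired",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT: account locked out",
}

FIELD_RE = re.compile(
    r"^\s*(Security ID|Account Name|Account Domain|Logon Type|Status|Sub Status):\s*(\S.*?)\s*$",
    re.MULTILINE,
)


def parse_4625(text: str) -> List[Dict[str, str]]:
    """Split exported event text into 4625 events and collect the fields of interest.
    In the real event message the 'Account For Which Logon Failed' block follows the
    'Subject' block, so for duplicated field names the later value wins."""
    events = []
    for chunk in re.split(r"(?=Event ID:\s*4625)", text):
        if not chunk.strip():
            continue
        fields = {name: value for name, value in FIELD_RE.findall(chunk)}
        if fields:
            events.append(fields)
    return events


def explain(event: Dict[str, str]) -> Dict[str, object]:
    """Decode one event's Sub Status and attach a triage hint (my own notes)."""
    sub = int(event.get("Sub Status", "0x0"), 16)
    meaning = SUB_STATUS.get(sub, f"unlisted NTSTATUS 0x{sub:08X}")
    sid = event.get("Security ID", "")
    account = f'{event.get("Account Domain", "")}\\{event.get("Account Name", "")}'
    if sid == "NULL SID" and sub == 0xC0000064:
        hint = ("the authenticating system never resolved the account: check the name/domain "
                "form and that the caller can read the account object; the password is not the issue")
    elif sub == 0xC000006A:
        hint = "existing account, bad credential; repeated hits suggest a typo or a stale stored credential"
    elif sub == 0xC0000234:
        hint = "locked out; find the source of the earlier bad attempts before resetting"
    else:
        hint = "see meaning"
    return {"account": account, "security_id": sid, "sub_status": sub, "meaning": meaning, "hint": hint}


def summarize(text: str) -> Dict[str, Dict[str, int]]:
    """Failures per account by NTSTATUS name: the view that separates unknown-account
    noise from password problems or lockouts."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in parse_4625(text):
        info = explain(ev)
        counts[info["account"]][info["meaning"].split(":")[0]] += 1
    return {acct: dict(c) for acct, c in counts.items()}


# Constructed sample in the layout of an Event Viewer text export (domain, SIDs and
# the setupadmin caller are invented; CRMSVC / CRMSANDBOX follow the thread).
SAMPLE_EVENTS = """
Event ID: 4625
Logon Type: 3
Subject:
    Security ID: S-1-5-21-1111-2222-3333-500
    Account Name: setupadmin
    Account Domain: CORP
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: CRMSVC
    Account Domain: CORP
Failure Information:
    Status: 0xC000006D
    Sub Status: 0xC0000064

Event ID: 4625
Logon Type: 3
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: CRMSANDBOX
    Account Domain: CORP
Failure Information:
    Status: 0xC000006D
    Sub Status: 0xC0000064

Event ID: 4625
Logon Type: 5
Account For Which Logon Failed:
    Security ID: S-1-5-21-1111-2222-3333-1105
    Account Name: CRMSVC
    Account Domain: CORP
Failure Information:
    Status: 0xC000006D
    Sub Status: 0xC000006A
"""

if __name__ == "__main__":
    for ev in parse_4625(SAMPLE_EVENTS):
        print(explain(ev))
    print(summarize(SAMPLE_EVENTS))
```

The third sample event is the contrast the poster described: a deliberately wrong password for a known account yields a real SID and 0xC000006A, whereas the failing setup checks produce NULL SID with 0xC0000064, which is why the same decoder separates "who is this account" problems from credential problems.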
Serial Number validation during Delivery Creation itself(PGI-system checks)
Process:
Sales Order PR(Purchase Order) GR( New Serial Numbers are created automatically or manually keyed in)
Once the Goods Receipt is received, we do the (SO) DELIVERY - SERIAL NUMBER ASSIGNMENT - Post Goods Issue
Issue:
Current Serial Number Profile Management does not do a valid serial number check during DELIVERY CREATION where we do a SERIAL NUMBER ASSIGNMENT.
Only during POST GOODS ISSUE, the check happens for valid serial numbers; this is too late in the game for business as there is a time lag of 3 days from the DELIVERY CREATION and PGI.
Reason being--- We don't check the following "Existing Stock Check" (which does a serial number validation during delivery creation as well)
SPRO>Plant Maintenance and Customer Service>Master Data in Plant Maintenance and Customer Service>Technical Objects>Serial Number Management>Define Serial Number Profiles
If we check this option, the business requirement to do a valid serial number check does happen during delivery creation, however we cannot create new serial numbers during Purchase Order- GOODS RECEIPT.
QUESTION:
Can we have the system check the valid serial numbers from stock during delivery creation and serial number assignment.
And also create new serial numbers during Purchase Order - Goods Receipt.
Hi
1. In std SAP it's not possible to check the serial number during Delivery creation; through enhancement it can be done.
2.During GR for PO serial numbers can be created.
Rgds
Ramesh -
Check HDD Part Number in Solaris 10 during System Running
Dear all,
Please help me,
I want to check the part number of the HDD of a Sun Fire V890 Server while the system is running, using a Solaris OS command. Can we check the part number of the HDD with a Solaris OS command?
Or are there other ways, apart from shutting down the system and unplugging the HDD from the server?
Thank you and Regards,
Soret,
The following command will list the vendor and product ID for each disk:
iostat -E
From [Sun Fire[tm] V890 Server, RoHS:YL - Full Components List|http://sunsolve.sun.com/handbook_private/validateUser.do?target=Systems/SunFireV890_R/components#Disks] you should be able to find the matching Manufacturing Part for a given vendor and product ID. -
Portal Authorisation Error:"Failed to connect backend system.Check your syst
Hi Experts,
Please advise me on how to proceed....
I created dashboard reports (5) based on 5 different reports in BI Queries using Visual Composer. I deployed them to the portal, and in the portal I assigned those iViews to a role and assigned that role to an end user.
In BW the end user is authorised to execute those 5 queries, and in the portal the user is able to access those queries as well.
But when he tried to execute the Dashboard reports, it displayed the error
"Failed to connect backend system.Check your system definition and user priviliges"
Then I modified his authorisations in BW and assigned the SAP_J2EE_ADMIN role in BW, and then in the portal he is able to execute the Dashboard reports. By assigning the SAP_J2EE_ADMIN role he is able to execute dashboards in the portal, but he got more authorisation in the portal than he requires, like 'Content Admin', 'User Admin' and 'System Admin'.
I tried using the SAP_J2EE_GUEST role but he is getting the error
"Failed to connect backend system.Check your system definition and user priviliges"
Please advise on how to proceed
Thanks
Hi,
Refer,
Visual composer
Failed to connect to backend system. Check your system definition and user
Regards,
P.Manivannan. -
"Failed to connect backend system.Check your system definition and user pri
Hi Experts,
I am a BW Consultant working on Portal & Visual Composer (7.0)
As a Developer i got SAP_ALL & SAP_J2EE_ADMIN roles in BW and System Admin and VC role in Portal.
In Portal Created/Published iviews for BW Queries (Transaction) and Published them to a role (role1) in portal.
In Visual Composer i developed Dashboard reports on BW Queries ,made them public and deployed them to a portal role(role 1) in portal.
I assigned portal role to my self and tested the queries and dashboards in portal everything is working perfectly.
In VC i can see 3 different systems defined in Portal
I created a Test user (with profile of end user) in BW,Testuser is authorised to view all the reports in BW and All data in all data targets and in portal testuser is assigned with Role1 and VC Role.
(Note: In BW Testuser doesn't have the J2EE_ADMIN role).
Portal:
When i login to portal as testuser and tries to execute the BW Queries (Transaction) and it working perfectly.
When i tried to execute Dashboard reports developed in Visual Composer it gives me an error
"Failed to connect backend system.Check your system definition and user priviliges"
In Visual Composer I logged in as testuser (as test user has the VC role assigned) and I can't see any list of available systems under "Find Data"
When i modified testuser profile in BW and updated with SAP_J2EE_ADMIN then i can execute the dashboard report but at the same time testuser got more than what he should have like user admin,system admin...etc
I searched the sdn and find some similar threads ...but nothing was useful
Please update me what went wrong and how to fix this...
Thanks in advance
Hi,
Refer,
Visual composer
Failed to connect to backend system. Check your system definition and user
Regards,
P.Manivannan. -
An error message appeared during system recovery which said "failed to replace file"
Failed to replace file C:\Program files (x86)\coupon companion\coupon companion.exe
(0x80070002) error during system restore.
Do you mean you actually ''want'' Coupon Companion? It's malware, or at best, adware.
If you can't remove Coupon Companion from your computer, first try using Malwarebytes' Anti-Malware.
* http://www.malwarebytes.org
If it can't get rid of it, then post in the Malware Removal section of the following forum.
* http://forums.malwarebytes.org
Related:
* [[Troubleshoot Firefox issues caused by malware]] -
Hi,
I have a slight issue I'm having some problems resolving.
The scenario is as follows:
I have an external provider which connects to me via VPN to a Juniper SSG firewall; that works fine.
I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPsec via the Internet to reach it.
That also works fine and I have multiple SAs running on that site with no issues or problems.
The external provider has a small network device deployed on the external site which monitors cooling values in one of our warehouses.
The external site which is connected via IPsec has a Cisco 1921 and numerous Cisco 3550s deployed.
The VLAN for the cooling provider is vlan 150 and is set up with 10.150.4.0/24 where .1 is the default gateway and .10 is the cooling monitor device.
The external provider's servers are located within the 192.168.220.0/24 subnet.
As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services (ping, telnet, whatnot), but we are unable to ping the cooling device from 192.168.220.0/24.
However, from the Cisco 1921 we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10.
So basically it seems to be the last bit, when the traffic goes through the 1921 and to the switch, where it fails, and I can't for the life of me figure out why.
Network diagram attached.. any ideas?
This is the 1921 config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname bergen-vpn-gw
boot-start-marker
boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
boot-end-marker
logging buffered 50000
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
no ipv6 cef
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name xxxxx
multilink bundle-name authenticated
license udi pid CISCO1921/K9 sn FCZ1508C1P4
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
vtp mode client
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key harakiri address 1.2.3.4
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set 3DES-SHA
match address VPN
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
interface GigabitEthernet0/0.99
description *** Test VLAN To be removed ***
encapsulation dot1Q 99
ip address 10.90.90.1 255.255.255.0
no ip route-cache
interface GigabitEthernet0/0.112
encapsulation dot1Q 112
ip address 192.168.112.1 255.255.255.0
ip helper-address 172.30.1.223
no ip route-cache
interface GigabitEthernet0/0.150
encapsulation dot1Q 150
ip address 10.150.4.1 255.255.255.0
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.178
encapsulation dot1Q 178
ip address 192.168.178.1 255.255.255.0
ip helper-address 172.30.1.223
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.999
encapsulation dot1Q 999
no ip route-cache
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.252
no ip redirects
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map VPN
interface FastEthernet0/0/0
switchport access vlan 99
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 85.200.203.29
ip access-list extended VPN
permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
ip sla 1
icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 1 start-time now
ip sla 2
icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 2 start-time now
ip sla 3
icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 3 start-time now
ip sla 4
icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 4 start-time now
ip sla 5
icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 5 start-time now
ip sla 6
icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 6 start-time now
cdp source-interface GigabitEthernet0/0.112
snmp-server community bamacomro RO
cdp source-interface GigabitEthernet0/0.112
snmp-server community bamacomro RO
snmp-server community bamacomrw RW
control-plane
banner motd ^CCC-----------------------------------------------------------------------------
This system is solely for the use of authorised users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all their activities monitored and recorded by system personell.
Use of this system evidence an express consent to such monitoring and
agreement that if such monitoring reveals evidence of possible abuse or
criminal activity, system personell may provide the result of such
monitoring to appropiate officials.
-----------------------------------------------------------------------------^C
line con 0
exec-timeout 5 0
logging synchronous
line aux 0
line vty 0 4
access-class telnet in
exec-timeout 180 0
logging synchronous
transport input telnet ssh
line vty 5 15
access-class telnet in
exec-timeout 180 0
password 7 094F471A1A0A
logging synchronous
transport input telnet ssh
scheduler allocate 20000 1000
end
I had that issue 1 year ago.
"decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the proxy ID negotiated.
Juniper is violating RFC 4301. There is nothing we can do against an RFC violation:
As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
the SPD (or associated caches) MUST be consulted during the
processing of all traffic that crosses the IPsec protection boundary,
including IPsec management traffic. If no policy is found in the SPD
that matches a packet (for either inbound or outbound traffic), the
packet MUST be discarded.
I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
Cheers, -
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players: (Note: first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection when trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
description COMPANY-B VPN
set peer 4.5.6.228
set transform-set COMPANY-B01
set pfs group2
match address 190
interface FastEthernet0/0
ip address 1.2.3.8 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.
Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on both
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unencapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior.
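As an added example (not code from either poster), the script below models what the IOS "decrypted packet failed SA identity check" compares, namely the decrypted inner IP header against the local/remote identities shown in "show crypto ipsec sa", and checks whether the quoted syslog timestamps follow the TCP SYN retransmit backoff the first post attributes them to. The SA identities and syslog lines are constructed from values in the thread; the proxy-identity comparison is a model of the check, not IOS source.

```python
"""Added example, not from the thread: model the SA identity comparison and
check the spacing of the quoted 'failed SA identity check' error lines."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# SA proxy identities as printed by "show crypto ipsec sa" in the thread:
# local ident 1.2.3.161/32, remote ident 4.5.7.0/24, protocol/port wildcarded.
SA_IDENT = {"local": ip_network("1.2.3.161/32"),
            "remote": ip_network("4.5.7.0/24")}

def passes_sa_identity_check(sa, inner_src, inner_dst):
    """Model of the check: after ESP decapsulation the inner header must be
    from the SA's remote identity to its local identity; otherwise the packet
    is dropped and counted under 'recv errors'. (Address-only identities, as
    in this thread; protocol and port are assumed wildcarded.)"""
    return (ip_address(inner_src) in sa["remote"]
            and ip_address(inner_dst) in sa["local"])

# Constructed excerpt: the six error lines quoted at the top of the post.
SYSLOG = """\
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
"""

def error_intervals(text, year=2000):
    """Whole seconds between consecutive 'failed SA identity check' lines.
    IOS timestamps carry no year, so one is assumed for parsing."""
    stamps = []
    for line in text.splitlines():
        if "failed SA identity check" not in line:
            continue
        ts = line.split(": ", 1)[0]          # e.g. "Oct 9 15:24:54.327"
        stamps.append(datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f"))
    return [round((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]

def looks_like_syn_backoff(intervals, tol=0.1):
    """True when each gap is about twice the previous one: the exponential
    backoff a TCP stack uses for SYN retransmits (3, 6, 12, 24, 48 s ...)."""
    return len(intervals) >= 2 and all(
        abs(b / a - 2) <= tol for a, b in zip(intervals, intervals[1:]))
```

Running `error_intervals(SYSLOG)` on the quoted lines gives `[3, 6, 12, 24, 48]`, which `looks_like_syn_backoff` accepts; a packet from 4.5.7.29 to 1.2.3.161 passes the modelled identity check, matching the second post's finding that the inner header itself looked correct.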