Exp neighbor zone TLS error

I'm trying to create a TLS neighbor zone between Exp-C and Jabber Guest.  I have my own internal CA signed certs on JG and Exp, but TLS is failing and Exp is throwing this error in the logs: No SSL error available, probably remote disconnect.  TCP works fine.  I've generated the CSR twice for JG and rebooted twice as well.  Not sure what is going on.  Thanks,  Mike

Ah, needed to read a little further in the JG install guide :)  I forgot to upload the CA root cert.  I would recommend adding this step to the install guide prior to configuring the neighbor zone on the expressway (or at least a note about it).  Then the neighbor zone won't error out.
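The failure resolved above (a peer certificate signed by an internal CA whose root was never uploaded to the other side's trust store) can be reproduced offline. This is an added example, not part of the original posts or of any Cisco tooling; the CA and host names are constructed, and it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example with a constructed lab PKI. Requires the openssl CLI.

# Build a throwaway internal root CA, a leaf certificate signed by it (standing
# in for the server certificate of the TLS peer), and an unrelated root that
# stands in for a trust store that never received the internal root.
make_lab_pki() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Lab Internal Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=jg.example.internal" \
        -keyout "$dir/jg.key" -out "$dir/jg.csr" 2>/dev/null
    openssl x509 -req -in "$dir/jg.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/jg.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
}

# Succeeds only if the certificate in $2 chains to a root in the bundle $1.
# The output is parsed instead of the exit status so the result does not
# depend on how a given openssl build reports failures.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# First verification error reported for certificate $2 against bundle $1.
verify_reason() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -E '^error [0-9]+ at' | head -n 1
}

demo() {
    local dir store
    dir=$(mktemp -d) || return 1
    make_lab_pki "$dir" || { rm -rf "$dir"; return 1; }
    # other.crt: trust store without the internal root (handshake is refused)
    # ca.crt:    trust store after the root CA certificate has been uploaded
    for store in other.crt ca.crt; do
        if chain_ok "$dir/$store" "$dir/jg.crt"; then
            echo "trust store $store: chain verifies"
        else
            echo "trust store $store: $(verify_reason "$dir/$store" "$dir/jg.crt")"
        fi
    done
    rm -rf "$dir"
}

demo
```

Running the same `openssl verify -CAfile <exported trust store> <peer certificate>` against the real files before enabling TLS on the zone shows whether the root is missing without waiting for a handshake to fail.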

Similar Messages

  • [solved] openvpn connection no longer working, tls error

    Hey!
    I have a strange problem. The same setup was working for months, nothing changed. Perhaps it's due to an update and you guys can help me. I can't establish a vpn connection to our openvpn server any more.
    I'm using tunnelblick as vpn client to connect from my mac to the office. It hangs at "waiting for response from server". I'm not an expert, but as I understand the tls handshake fails. I googled around and tried everything suggested, but no success.
    I haven't used it since the latest openvpn package update, perhaps it has something to do with that?
    I found this, too, but it didn't help either:
    http://openvpn.net/index.php/open-sourc … ivity.html
    This is the client log:
    2013-02-16 11:17:06 MANAGEMENT: >STATE:1361009826,WAIT,,,
    2013-02-16 11:18:06 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    2013-02-16 11:18:06 TLS Error: TLS handshake failed
    2013-02-16 11:18:06 TCP/UDP: Closing socket
    2013-02-16 11:18:06 SIGUSR1[soft,tls-error] received, process restarting
    2013-02-16 11:18:06 MANAGEMENT: >STATE:1361009886,RECONNECTING,tls-error,,
    2013-02-16 11:18:06 MANAGEMENT: CMD 'hold release'
    and this is the server log (verbose 5):
    Sat Feb 16 11:38:08 2013 us=118721 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Feb 16 11:38:08 2013 us=133716 Diffie-Hellman initialized with 2048 bit key
    Sat Feb 16 11:38:08 2013 us=134619 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
    Sat Feb 16 11:38:08 2013 us=134677 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Feb 16 11:38:08 2013 us=134707 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Feb 16 11:38:08 2013 us=134745 TLS-Auth MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Sat Feb 16 11:38:08 2013 us=134808 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Feb 16 11:38:08 2013 us=135268 TUN/TAP device tap0 opened
    Sat Feb 16 11:38:08 2013 us=135370 TUN/TAP TX queue length set to 100
    Sat Feb 16 11:38:08 2013 us=135572 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Sat Feb 16 11:38:08 2013 us=137116 UDPv4 link local (bound): [undef]
    Sat Feb 16 11:38:08 2013 us=137832 UDPv4 link remote: [undef]
    Sat Feb 16 11:38:08 2013 us=137870 MULTI: multi_init called, r=256 v=256
    Sat Feb 16 11:38:08 2013 us=138013 IFCONFIG POOL: base=192.168.1.220 size=10, ipv6=0
    Sat Feb 16 11:38:08 2013 us=138087 Initialization Sequence Completed
    Sat Feb 16 11:38:22 2013 us=273924 MULTI: multi_create_instance called
    Sat Feb 16 11:38:22 2013 us=274097 192.168.1.4:1194 Re-using SSL/TLS context
    Sat Feb 16 11:38:22 2013 us=274189 192.168.1.4:1194 LZO compression initialized
    Sat Feb 16 11:38:22 2013 us=274539 192.168.1.4:1194 Control Channel MTU parms [ L:1590 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Sat Feb 16 11:38:22 2013 us=274643 192.168.1.4:1194 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
    Sat Feb 16 11:38:22 2013 us=274701 192.168.1.4:1194 Local Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Sat Feb 16 11:38:22 2013 us=274717 192.168.1.4:1194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1590,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Sat Feb 16 11:38:22 2013 us=274745 192.168.1.4:1194 Local Options hash (VER=V4): 'c5677ab3'
    Sat Feb 16 11:38:22 2013 us=274765 192.168.1.4:1194 Expected Remote Options hash (VER=V4): 'a7133b47'
    RSat Feb 16 11:38:22 2013 us=275000 192.168.1.4:1194 TLS: Initial packet from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0), sid=e46fc8e5 4b4327b5
    WSat Feb 16 11:38:22 2013 us=275121 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
    RWSat Feb 16 11:38:24 2013 us=597178 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
    RWSat Feb 16 11:38:28 2013 us=80376 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
    RWSat Feb 16 11:38:36 2013 us=360017 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
    WSat Feb 16 11:38:52 2013 us=266108 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
    RWSat Feb 16 11:38:52 2013 us=284681 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
    RSat Feb 16 11:39:22 2013 us=604136 192.168.1.4:1194 TLS: new session incoming connection from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0)
    Sat Feb 16 11:39:22 2013 us=604198 192.168.1.4:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Feb 16 11:39:22 2013 us=604219 192.168.1.4:1194 TLS Error: TLS handshake failed
    This is the server config. It's located in /etc/openvpn/openvpn_server.conf and the server starts fine with systemctl start openvpn@openvpn_server.service.
    mode server
    dev tap0
    multihome
    server-bridge 192.168.1.205 255.255.255.0 192.168.1.220 192.168.1.229
    client-to-client
    proto udp
    port 1194
    comp-lzo
    persist-tun
    persist-key
    keepalive 10 120
    ca /etc/openvpn/keys/ca.crt
    dh /etc/openvpn/keys/dh2048.pem
    cert /etc/openvpn/keys/archvpn.crt
    key /etc/openvpn/keys/archvpn.key
    tls-auth /etc/openvpn/keys/ta.key 0
    tls-server
    verb 3
    cipher AES-128-CBC
    log /etc/openvpn/openvpn.log
    This is the client config:
    client
    remote myserver.dyndns.org 1194
    dev tap0
    proto udp
    port 1194
    comp-lzo
    ca ca.crt
    cert tom.crt
    key tom.key
    persist-tun
    persist-key
    resolv-retry infinite
    keepalive 10 120
    tls-auth ta.key 1
    tls-client
    ns-cert-type server
    verb 3
    cipher AES-128-CBC
    float
    What I checked and tried so far:
    0    did a lot of reading
    1    modules are loaded in /etc/modules-load.d/openvpn.conf
    tun
    bridge
    2 netcfg config starts tap and network config
    /etc/conf.d/netcfg
    NETWORKS=(openvpn_tap office_lan_openvpn)
    /etc/network.d/openvpn_tap
    INTERFACE='tap0'
    CONNECTION='tuntap'
    MODE='tap'
    USER='nobody'
    GROUP='nobody'
    /etc/network.d/office_lan_openvpn
    INTERFACE="br0"
    CONNECTION="bridge"
    DESCRIPTION="Ethernet/OpenVPN bridge"
    BRIDGE_INTERFACES="eth0 tap0"
    IP="static"
    ADDR="192.168.1.205"
    GATEWAY="192.168.2.1"
    DNS=("192.168.1.1")
    3    checked firewall port, even disabled iptables
    4    port forwarding in fritzbox is active
    5    all other connections from outside are working (http, ftp)
    6    certificates and keys should be fine, they were working in the past with the same setup
    Hope someone can help me, I really need my connection back… If anything else is needed just let me know.
    Last edited by archtom (2013-02-16 16:08:21)

    I solved it
    I did more reading and it seemed to be a problem in the config files, anything else could be pretty much excluded.
    I started with fresh config files referring to the German wiki (it's different) from .org. Since it was working with this I started to track the problem down. In the end I had to delete the multihome option in the server config. Everything seems fine now! Thanks to everyone who read it. Perhaps it helps someone in the future.
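The server log in this thread already separates "the client's packets never arrive" from "the server receives them but its own replies fail to send", even though both end in the same 60-second TLS timeout. The following is an added example, not part of the original posts: a small triage script whose sample lines are copied (a subset) from the server log above and whose verdict labels are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: per-client triage of an OpenVPN server log.

# Sample input: a subset of the server log lines quoted in the thread.
sample_log() {
cat <<'EOF'
RSat Feb 16 11:38:22 2013 us=275000 192.168.1.4:1194 TLS: Initial packet from [AF_INET]192.168.1.4:1194 (via [AF_INET]192.168.1.205%br0), sid=e46fc8e5 4b4327b5
WSat Feb 16 11:38:22 2013 us=275121 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
RWSat Feb 16 11:38:24 2013 us=597178 192.168.1.4:1194 write UDPv4: Invalid argument (code=22)
Sat Feb 16 11:39:22 2013 us=604198 192.168.1.4:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 16 11:39:22 2013 us=604219 192.168.1.4:1194 TLS Error: TLS handshake failed
EOF
}

# Reads a server log on stdin and prints one line per client address:
#   <addr:port> rx=<initial packets> write_errors=<n> verdict=<label>
# Verdict labels (hypothetical names chosen for this example):
#   server-cannot-reply      packets arrived, but the server's sends failed
#   check-return-path        packets arrived, sends succeeded, still no handshake
#   no-initial-packet-logged handshake failure with no inbound packet on record
#   no-handshake-failure     nothing to triage for this client
triage_openvpn_log() {
    awk '
    # The client address is the first field of the form a.b.c.d:port.
    function peer(   i) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) return $i
        return ""
    }
    { p = peer(); if (p == "") next }
    /TLS: Initial packet from/          { seen[p] = 1; rx[p]++ }
    /write UDPv4: .*\(code=[0-9]+\)/    { seen[p] = 1; werr[p]++ }
    /TLS Error: TLS handshake failed/   { seen[p] = 1; failed[p]++ }
    END {
        for (p in seen) {
            if (!failed[p])             verdict = "no-handshake-failure"
            else if (rx[p] && werr[p])  verdict = "server-cannot-reply"
            else if (rx[p])             verdict = "check-return-path"
            else                        verdict = "no-initial-packet-logged"
            printf "%s rx=%d write_errors=%d verdict=%s\n", p, rx[p], werr[p], verdict
        }
    }'
}

sample_log | triage_openvpn_log
```

A `server-cannot-reply` verdict points at the server's own socket or addressing options rather than at the firewall or the certificates, which matches the fix reported in the thread.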

  • EXP-00084: Unexpected DbmsJava error -4031 at step 6661

    Hi,
    I'm getting the error below on export on Oracle Database 9i.
    . exporting synonyms
    . exporting views
    . exporting referential integrity constraints
    . exporting stored procedures
    EXP-00084: Unexpected DbmsJava error -4031 at step 6661
    EXP-00008: ORACLE error 4031 encountered
    ORA-04031: unable to allocate bytes of shared memory ("","","","")
    EXP-00000: Export terminated unsuccessfully
    Database Version:
    Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
    PL/SQL Release 9.2.0.1.0 - Production
    CORE 9.2.0.1.0 Production
    TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
    NLSRTL Version 9.2.0.1.0 - Production
    System: Microsoft Windows Server 2003 Enterprise Edition SP2
    Computer: Intel Xeon CPU 3.40GHz 3.40GHz, 4.93 GB of RAM
    Hoping you can help me..
    Ben

    Hi,
    I think I'll try increasing the shared_pool_size parameter first because it can be done immediately. Since this is a production database, restarting it will need clearance.
    SQL> /
    NAME ISSYS_MOD
    shared_pool_size IMMEDIATE
    shared_pool_reserved_size FALSE
    java_pool_size FALSE
    SQL> show parameter java_pool_size
    NAME TYPE VALUE
    java_pool_size big integer 33554432
    SQL>

  • Time zone region error

    Hi all
    When I deploy my adf application to the weblogic server (10.3.3.0) and when I try to login to the app it is giving the following error
    Error 500--Internal Server Error
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    +10.5.1 500 Internal Server Error+
    The server encountered an unexpected condition which prevented it from fulfilling the request.
    when I checked the logfiles it is showing a time zone region error.
    The application worked well when running from the Jdeveloper.
    The datasource is to a XE_ database.

    Please take a look at this blog post.

  • VCS - CPL to block calls routing to and from the same neighbor zone

    Hello all,
    Is there a CPL rule that can be written to block calls originating from a neighbor zone destined to the same neighbor zone?
    We are having issues with calls being sent from CUCM to our VCS, then VCS routes the call back to CUCM, thus resulting in "Too Many Hops". 
    In Example
    Movi user on VCS Control tries to dial CTS endpoint registered to CUCM, but dials incorrectly
    Call does not match search rules for local zone
    Call does not match search rules for VCS Expressway
    Call matches catch all for CUCM (.*)@domain.com
    CUCM does not have a DN or URI for the mis-dialed number and the call gets routed back to VCS Control due to SIP route pattern of *.* on CUCM
    We have to have the catch all to CUCM at the end since we offer PSTN connectivity, as well as our users and phones have alphanumeric URIs assigned to the DNs for Jabber, etc.
    I'm afraid that there really isn't an easy way to do this, as I know since the call hits CPL first, CPL wouldn't know which zone it was destined to.

    It's probably more easily accomplished with a slight modification to your search rules rather than spraying anything "@domain" everywhere - something like:
    Direct anything incoming to @domain from the neighbour zone to the local zone (as it's inside your organisation, as if the CUCM hasn't found it and sent it to the VCS it's not going to be on the CUCM, so must be local (or non-existent)) - and Stop.
    And the opposite of the above - Route anything for @domain from the localzone (as it hasn't been found locally) to the CUCM neighbour - and Stop.
    And do similar for anything that's coming in from other external zones to route to wherever the endpoints are going to be.  That way, your call shouldn't be bouncing back and forth between the CUCM and VCS and creating the loop you're currently experiencing.
    Of course, if your environment is a bit more complex than just the single CUCM and VCSes, this may be a little oversimplified, but could lead you in the right direction.
    Another thing to consider too - if you put your endpoints in to a directory the users can use - that'll help stopping them from mis-typing stuff :)
    Wayne
    Please remember to rate responses and to mark your question as answered if appropriate.

  • 10.4 Server TLS errors and other errors

    My mail server is giving me a variety of errors that I haven't been able to figure out how to fix.
    TLS server engine: cannot load cert/key data
    Feb 11 16:35:45 Mail-Server imap[421]: error initializing TLS
    Feb 11 16:35:45 Mail-Server imap[421]: TLS server engine: cannot load CA data
    Feb 11 16:35:45 Mail-Server imap[421]: unable to get certificate from '/etc/certificates/Default.crt'
    Feb 11 16:35:45 Mail-Server imap[421]: TLS server engine: cannot load cert/key data
    Feb 11 16:35:45 Mail-Server imap[421]: error initializing TLS
    DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    I'm using Plain authentication without SSL. I just bought a new MacBook Pro with 10.9.1, and whenever I send an email it says that Authentication fails, but sends the email anyway, and I'm not sure if that's something I should worry about or not.
    Feb 11 17:00:00 Mail-Server postfix/smtpd[626]: warning: AOD: Authentication failed for user rstilley. (Open Directroy error: -14090)
    Feb 11 17:00:00 Mail-Server postfix/smtpd[626]: warning: 24-178-136-163.dhcp.crtn.ga.charter.com[24.178.136.163]: SASL PLAIN authentication failed
    I haven't been able to find much out about this Open Directory error (odd that Directory is misspelled...)
    Any help anyone can give me would be most appreciated. I'll be glad to post any log files.
    Here is my postconf -n output:
    Mail-Server:/var/log root# postconf -n
    alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
    always_bcc =
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    delay_warning_time = 1h
    disable_vrfy_command = yes
    enable_server_options = yes
    inet_interfaces = all
    luser_relay =
    mail_owner = postfix
    mailbox_transport = cyrus
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    maps_rbl_domains =
    maximal_queue_lifetime = 2d
    message_size_limit = 0
    mydestination = $myhostname,localhost.$mydomain,times-georgian.com
    mydomain_fallback = localhost
    myhostname = times-georgian.com
    mynetworks = 127.0.0.1/32,10.1.6.0/24
    mynetworks_style = host
    newaliases_path = /usr/bin/newaliases
    owner_request_special = no
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relayhost =
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org,permit
    smtpd_enforce_tls = no
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks,check_helo_access hash:/etc/postfix/helo_access,reject_non_fqdn_hostname,reject_invalid_hostname, permit
    smtpd_pw_server_security_options = plain
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
    smtpd_sasl_auth_enable = yes
    smtpd_tls_loglevel = 0
    smtpd_use_pw_server = yes
    smtpd_use_tls = no
    unknown_local_recipient_reject_code = 550
    Thanks in advance.

    UPDATE: My VPN is now running!
    Through a series of Firewall configuration changes, I am now able to connect and access files on the server through VPN. I still have some small details to work-out (i.e., I can't browse the Windows environment under the Network tab of My Computer). I can however map to the drive directly using the IP address.
    Windows 7 and Vista clients connect via L2TP using shared secret.

  • Can't download itunes - security zone policy error message - please help!

    Hi there,
    I have had an iPod for a while now but can't use it as every time I try to download iTunes I just get the following error message:
    This download has been blocked by your security zone policy - edgesuite.net.
    I am using firefox on a windows vista with norton security protection. If you have any suggestions on how I can resolve this I would really appreciate it!

    Click here and follow the instructions. You may need to completely remove and reinstall iTunes and all related components, or run the process multiple times; this won't normally affect its library, but that should be backed up anyway.
    (99360)

  • Synthetic Transactions Fail with TLS error

    Hi,
    Most of the test-cs cmdlets fail with the error: The operation failed due to issues with Tls. See the exception for more information.
    Inner Exception:CertificateInfoNative::AcquireCredentialsHandle() failed; HRESULT=-2146893043.
    Lync itself is working fine. 
    Any thoughts?

    Hi,
    Are you trying this command via remote PowerShell, which is not exactly the Lync server? If this is the case, then with which user are you logged in, and does this user have the required permissions? Also have a look into this:
    http://social.msdn.microsoft.com/Forums/en-US/ucmanagedsdk/thread/ca0d7758-d51b-4728-be0f-ae2c222546eb and
    http://blog.greenl.ee/2009/03/25/troubleshooting-tlsexception-in-ucma-2-0-applications/
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

  • Enhancement Pack 4: Time Zone Soft Error

    We are testing Enhancement Pack 4 in ECC 6.0. We have a few ship-to customer numbers that we use where we use the same customer number but update the address from order to order.
    When we update the Region in the sales order to a region that is not in the current time zone, we get a "Time Zone EST (or whatever time zone is there) is not valid in country US (several possibilities)" soft error. This is not happening in Production or in any of our other test clients; only the client that we are testing Enhancement Pack 4 in.
    We've searched config and can't find anything that may be causing this. We've also seen references to note 1505591 that would make this warning go away, but this note appears to be being reworked and is not available.
    Does anyone have any suggestions? Thank you!

    Execute STZGC in both the clients and compare whether the Time Zone EST is maintained for country US.
    thanks
    G. Lakshmipathi

  • Solaris Express Zone install error with SUNWiiimr and SUNWcnetr

    Hi all,
    I got these errors when installing a new zone on a Solaris Express 1/08 (5.11) on a x64 box:
    Installation of these packages generated errors: SUNWiiimr
    Installation of these packages generated warnings: SUNWcnetr
    The zone creation log shows:
    *** package -SUNWiiimr- failed to install with fatal errors:
    /export/zones/newzone/root/var/sadm/pkg/SUNWiiimr/install/postinstall: /export/zones/newzone/root/lib/postrun: not found
    /export/zones/newzone/root/var/sadm/pkg/SUNWiiimr/install/postinstall: /export/zones/newzone/root/lib/postrun: not found
    pkgadd: ERROR: postinstall script did not complete successfully
    Installation of -SUNWiiimr- on zone -newzone- failed.
    *** package -SUNWcnetr- installed with warnings:
    pkgadd: ERROR: unable to create package object -/export/zones/newzone/root/etc/dladm-.
    owner name -dladm- not found in passwd table(s)
    ERROR: attribute verification of -/export/zones/newzone/root/etc/dladm/aggregation.conf- failed
    owner name -dladm- not found in passwd table(s)
    ERROR: attribute verification of -/export/zones/newzone/root/etc/dladm/linkprop.conf- failed
    owner name -dladm- not found in passwd table(s)
    ERROR: attribute verification of -/export/zones/newzone/root/etc/dladm/secobj.conf- failed
    owner name -dladm- not found in passwd table(s)
    Installation of -SUNWcnetr- on zone -newzone- partially failed.
    -newzone- was configured to be a whole root zone. Are there any ways to solve these installation errors?
    Thanks in advance.

    This problem seems somewhat strange - this time with Solaris 10u4, from 10 containers installed on a brand new X2200 (2x cpu) only one does not output those errors, but just this one cannot install the dsee or proxy. This time the errors were from:
    Installation of <SUNWxwplr> on zone <dsee-proxy> partially failed.
    Installation of <SUNWdtdmr> on zone <dsee-proxy> partially failed.
    Installation of <SUNWmconr> on zone <dsee-proxy> partially failed.
    Installation of <SUNWrmwbr> on zone <dsee-proxy> partially failed.
    Installation of <SUNWlvmr> on zone <dsee-proxy> partially failed.
    Installation of <SUNWzebrar> on zone <dsee-proxy> partially failed.
    So the machine was, too, just installed. After several hours, another attempt to install a zone, this time just this one, returned no errors - and the dsee installed without any complaints. All configurations were for whole root zones. Used was Solaris 10u4 with the most recent patch cluster applied.

  • Zone shutdown error - SNMP request returned error status 6 (no access)

    When trying to shut down a zone through SunMC I get the following error from the web page
    SNMP request returned error status 6 (no access) snmp://xx.xx.com:nnnn/mod/scm-container/Zones/ZoneTable/ZoneEntry/zoneState#zonename
    the log on the agent has
    [0000008f 00a8 ]warning Nov 28 12:20:10 agent preValidateSetPDU: zoneState(zonename) [1.3.6.1.4.1.42.2.12.2.2.85.6.1.1.10.10.98.111.116.97.110.105.120.45.97.100] - noAccess
    I probably am missing a simple undocumented permissions problem.
    Any help would be appreciated
    Thanks

    marcusj99 wrote:
    When trying to shut down a zone through SunMC I get the following error from the web page
    SNMP request returned error status 6 (no access) snmp://xx.xx.com:nnnn/mod/scm-container/Zones/ZoneTable/ZoneEntry/zoneState#zonename
    the log on the agent has
    [0000008f 00a8 ]warning Nov 28 12:20:10 agent preValidateSetPDU: zoneState(zonename) [1.3.6.1.4.1.42.2.12.2.2.85.6.1.1.10.10.98.111.116.97.110.105.120.45.97.100] - noAccess
    I probably am missing a simple undocumented permissions problem.
    Any help would be appreciated

    SCM security can be tricky to get right the first time you use it. Have you performed these operations in the global zone?:
    - run es-config to add your SunMC userID to the scm-container ACL?
    - made sure the Project Management and Pool Management entries are in /etc/security/prof_attr and exec_attr files?
    - added your SunMC userID to the Zone/Pool/Project entries in /etc/user_attr (or used the 'usermod' command to add the entries for you)?
    If any of those steps were missed then SunMC (or Solaris) may not believe you have permission to make changes to zones/pools etc. There are a couple of SCM docs listed in with the SunMC doc set:
    http://docs.sun.com/app/docs/coll/810.8?l=en
    Regards,
    http://www.HalcyonInc.com
    New !! : http://forums.HalcyonInc.com !!

  • [Cisco ACS 5.2] Windows XP - EAP-TLS error

    Hi,
    We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
    We just replaced RADIATOR with Cisco ACS 5.2 .
    Few computers with Windows XP SP3 have this error : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Description:
    While trying to negotiate a TLS handshake with the client, ACS expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ACS and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.
    Resolution Steps :
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ACS server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ACS server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Most of the computers (hundreds of Windows XP and Windows 7) got no problem.
    ACS says "it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message".
    If it was a known issue, we would have this error for other computers but we don't have (fortunately)
    Wireless profile is sent to computers using GPO so they trust ACS server certificate...
    Do you know how to correct this issue on XP supplicant? I don't find this issue on Google
    Thanks for your help,
    Patrick

    Patrick,
    One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verify that.
    If that doesn't fix the issue then we will have to proceed to taking a wireshark of the client and running a few debugs on the ACS.
    Thanks,
    Tarik Admani

  • EAP-TLS Error

    Hello.
    I cannot get EAP-TLS auth to work on windows 7 wired setup. I've tested EAP-PEAP on wireless and wired - works fine. Also EAP-TLS for wireless works great. Clients are on same domain as radius (which is Cisco ISE), we've deployed CA-services on that same domain too and are distributing certificates to clients via GPOs. Authenticators (switchports) are configured correctly, certificates work on EAP-TLS wireless setup, everything seems to be ok, but wired connection still cannot auth and EAP timeouts.
    Here is the error:
    Logged At: May 14,2013 11:52:12.159 AM
    RADIUS Status: No response received during 120 seconds on last EAP message sent to the client : 5411 No response received during 120 seconds on last EAP message sent to the client

    Have you confirmed that the Supplicant is configured properly for EAP-TLS authentication? I have done this type of deployment many times and haven't had this issue. 
    Thank you for rating helpful posts! 

  • Authentication failure for zone 1 error

    We did some cleanup of old user accounts in our edir tree and after that I noticed a whole bunch of error messages on our catalina.out file. Problem is the error message does not specify what account it is looking for so I do not know what account I need to restore/recreate. Vibe seems to be working okay so I'm not sure what is broken with this account missing. Error message reads:
    2014-01-18 18:38:02,429 WARN [http-8443-55] [org.kablink.teaming.module.authentication.impl.AuthenticationModuleImpl] - Authentication failure for zone 1: org.springframework.security.userdetails.UsernameNotFoundException: User account disabled or deleted; nested exception is org.kablink.teaming.security.authentication.UserAccountNotActiveException: This account has been disabled or deleted.
    We are running on Vibe 3.4.0. Any help in identifying the account needed would be much appreciated.
    Thank you,
    Ronnie

    This looks okay.  An authFail indicates that someone is polling this device with the wrong community string.  Check x.x.x.x to make sure there aren't any applications polling this device with wrong credentials.
    Something else to note is that you should not be using '@' in your community strings.  While this shouldn't really matter for routers, it's a good rule of thumb not to use '@' on Cisco devices as that character is reserved for community string indexing.

  • EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

    Hi,
    I am using 802.1x and EAP-TLS as authentication protocol. The clients are not able to pass the authentication the error log on ACS is
    Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.
    I have installed certificates on the WLC and ACS, however authentication is unsuccessful.
    Can anybody help regarding this issue.

    Hi Sandeep,
    Web auth certificate is default certificate in wlc but you can also use your own (3rd party).
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html
    Virtual interface : This interface handles any mobility management, VPN Termination, Web authentication, and is also a DHCP relay for WLAN clients.
    Yes it's interconnected, the purpose for this entry is so that the controller knows the name of the certificates to virtual address translation.
    1. Guest Client go to google.com
    2. Client goes to DNS (the one it is assigned in DHCP)
    3. DNS resolves the DNS for google.com
    4. Client then attempts to go to google.com
    5. Controller intercepts GET and replaces it with a 1.1.1.1
    6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negate the (accept this cert screen)
    7. DNS then gets resolved to the name (example guest.xxx.com)
    8. Controller presents the guest screen
    Hope it helps.
    Regards
    Don't forget to rate helpful posts
