Firewall services module authentication issues

Have internal web apps and Nfuse available to remote users after they authenticate to our firewall using a ACS account. All was cool until we recently upgraded our FWSM and IOS image. Now some users are complaining that they do not get an authentication prompt from the firewall and cannot login. Most users can authenticate as usual.
Weird thing is that if the end user takes their home router or firewall out of the mix, the firewall authentication works. In some cases, an upgrade of the remote router or firewall firmware resolves the issue as well.
Any reason why the FWSM would start acting this way and not allow connections from devices that could connect previously? NAT issue? I don't want to have to upgrade firmware on users personal routers and firewalls to make this work...

The only workaround is to reboot the FWSM after creating new interfaces.
Try this Bug - CSCsg65455

Similar Messages

Firewall service module vs ASA

Hi
Someone told me that the cisco firewall service module of 6500 has poor performances compared to ASA
What do you recommend as a core firewall (to protect internal servers): ASA or firewall service module ?
thanks

Hi,
We are using 5 FWSMs at the moment but are moving away from them to ASA5585-X models.
I wouldnt suggest going to FWSMs anymore at this point if you have any plan on having support for new features.
End Of Life and End of Sale Notice
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/eol_c51-699134.html
The follower for the FWSM is the ASA Service Module which supports the newer softwares (while the FWSM doesnt). Heres a link to a document about the ASASM
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/data_sheet_c78-672507.html
Also you could always consider a separate ASA models. Here are links to both the orignal ASA 5500 series and new ASA 5500-X series
ASA 5500 Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
ASA 5500-X Series
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
I guess the question for you is what are the requirements for the device regarding performance. All of the above documentation should give you a clue about which model might be the best for you.
- Jouni

Question on how does load balancing work on Firewall Services Module (FWSM)

Hi everyone,
I have a question about the algorithm of load balancing on Firewall Services Module (FWSM).
I understand that the FWSM supports up to three equal cost routes on the same interface for load balancing.
Please see a lower simple figure.
outside inside
--- L3 SW --+
|
MHSRP +--- FWSM ----
|
--- L3 SW --+
I am going to configure the following default routes on FWSM point to each MHSRP VIP (192.168.13.29 and 192.168.13.30) for load balancing.
route outside_1 0.0.0.0 0.0.0.0 192.168.13.29 1
route outside_1 0.0.0.0 0.0.0.0 192.168.13.30 1　　　　　　
However I don't know how load balancing work on FWSM.
On FWSM, load balancing work based on
Per-Destination ?
Per-Source ?
Per-Packet ?
or
Other criteria ?
Your information would be greatly appreciated.
Best Regards,

Configuring "tunnel default gateway' on the concentrator allowed traffic to flow as desired through the FWSM.
FWSM is not capable of performing policy based routing, the additional static routes for the VPN load balancing caused half of the packets to be lost. As a result, it appears that the VPN concentrators will not be able to load balance.

Assigning VLANs to the Firewall Services Module

I need add a new vlan group to our fwsm module. I have some doubts:
What command do i need for it?
 firewall vlan-group 5 100,101,102,103,104,105
 firewall switch 2 module 4 vlan-group 5
 firewall switch 1 module 4 vlan-group 5
 or
 firewall vlan-group 5 100,101,102,103,104,105
 firewall switch 2 module 4 vlan-group 1,2,3,4,5
 firewall switch 1 module 4 vlan-group 1,2,3,4,5
Will it be disruptive?
Thanks!

So, just to confirm, in this case to add/append a new vlan-goup to the firewall module I should use:
Switch# firewall switch <1-2> module 02 vlan-group 2
My main concern is if with the command It will replace the curent vlan-goup (4,5,6) or if it just append the new vlan-group.
Thanks in advance!

Partition cf in Firewall Services Module

Hi,
Reference CISCO: Flash Card in FWSM equals 128MB partition but on 6 cf, totaling about 20MB per cf.
I am upgrading my FWSM and ASDM software, but I can not because I have little space in flash.
Settings file 2MB
Old version:
FWSM 3.1 (5) - 5.59Mb
ASDM 5.0 (2) F - 3.09Mb
Configuration File: 2MB
Total Space in flash: 10.7Mb
New Version:
FWSM 4.1 (12) - 6.10Mb
ASDM 6.2 (3) F - 13.11Mb
Configuration File: 2MB
Total Space in flash: 21.20Mb (Insufficient space in memory)
How to solve this problem, I can not put software and ASDM configuration file in the same cf. Hi,
Reference CISCO: Flash Card in FWSM equals 128MB partition but on 6 cf, totaling about 20MB per cf.
I am upgrading my FWSM and ASDM software, but I can not because I have little space in flash.
Settings file 2MB
Old version:
FWSM 3.1 (5) - 5.59Mb
ASDM 5.0 (2) F - 3.09Mb
Configuration File: 2MB
Total Space in flash: 10.7Mb
New Version:
FWSM 4.1 (12) - 6.10Mb
ASDM 6.2 (3) F - 13.11Mb
Configuration File: 2MB
Total Space in flash: 21.20Mb (Insufficient space in memory)
How to solve this problem, I can not put software and ASDM configuration file in the same cf.

Hi Bro
Why don't you remove your old IOS version permanently and put in this new IOS version instead. Can I have a look at your show run output in your system context.
Regards,
Ram

Issue with calling external web service with authentication details ...

Hi,
     I am facing a deployment issue with Oracle ESB. I am trying to call an external Web Service with authentication from ESB SOAP Service. It is working fine with my local ESB version 10.1.3.3.0 Build PCBPEL_10.1.3.3.0_GENERIC_070615.0525; however it is getting an error at our development ESB version 10.1.3.3.1 Build PCBPEL_10.1.3.3.1_GENERIC_RELEASE.
     I am getting following error.
An unhandled exception has been thrown in the ESB system. The exception reported is: "org.collaxa.thirdparty.apache.wsif.WSIFException: exception during SOAP invoke: Server was unable to process request. ---> Object reference not set to an instance of an object.; nested exception is: javax.xml.rpc.soap.SOAPFaultException: Server was unable to process request. ---> Object reference not set to an instance of an object. at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.populateFaultMessage(WSIFOperation_JaxRpc.java:3086) at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeOperation(WSIFOperation_JaxRpc.java:1728) at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeRequestResponseOperation(WSIFOperation_JaxRpc.java:1473) at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.executeRequestResponseOperation(WSIFOperation_JaxRpc.java:1196) at oracle.tip.esb.server.common.wsif.WSIFInvoker.executeOperation(WSIFInvoker.java:867) at oracle.tip.esb.server.common.wsif.WSIFInvoker.nextService(WSIFInvoker.java:770) at oracle.tip.esb.server.common.wsif.WSIFInvoker.nextService(WSIFInvoker.java:790) at oracle.tip.esb.server.service.impl.outadapter.OutboundAdapterService.nextService(OutboundAdapterService.java:208) at oracle.tip.esb.server.service.impl.outadapter.OutboundAdapterService.processBusinessEvent(OutboundAdapterService.java:127) at oracle.tip.esb.server.dispatch.InitialEventDispatcher.dispatchNonRoutingService(InitialEventDispatcher.java:118) at oracle.tip.esb.server.dispatch.InitialEventDispatcher.dispatch(InitialEventDispatcher.java:95) at oracle.tip.esb.server.dispatch.BusinessEvent.raise(BusinessEvent.java:1424) at oracle.tip.esb.utils.EventUtils.raiseBusinessEvent(EventUtils.java:112) at oracle.tip.esb.server.service.EsbRouterSubscription.onBusinessEvent(EsbRouterSubscription.java:307) at oracle.tip.esb.server.dispatch.EventDispatcher.executeSubscription(EventDispat
     Could one of you please help me out to understand why it is happining.
Thanks in advance.
Jyotirmoy.

Hi Mahesh,
One you are missing is authentication token or credentials.
Please refer to the following articles.
http://www.cleverworkarounds.com/2014/02/05/tips-for-using-spd-workflows-to-talk-to-3rd-party-web-services/
A Series of articles related to Web Service in SPD Workflow
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 1
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 2
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 3
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 4
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 5
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 6
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 7
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 8
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 9
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 10
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 11
Trials or tribulation?
Inside SharePoint 2013 workflows–Part 12
Please don't forget to mark it answered, if your problem resolved or helpful

Essbase 6.5 External Authentication Issue!! Urgent Please!!

Hi all,
I am great trouble over an external authentication issue in Essbase 6.5. I request you all to please give me your feedback on the same as soon as possible.
I am in a situation where I need to get my Essbase 6.5 external Authentication converted from LDAP to Active Directory services.
I suppose there has been necessary changes done to the .cfg file for the same. However, I think I am getting an error
"User [vikc]'c external authentication protocol [MSEX]'s password check module is not loaded".
Please let me know if you have come across such an issue earlier and can anybody to able to help me with the same.
Its kinda Urgent. so any replies for the same will be appreciated.
Thanks and Regards,
Vikram

Vikram,
Yes you will have to reconfigure the CSS.xml and cfg file for external auth.
Here is the Sample CSS
<spi>
 <provider>
 <msad name="full360">
 <trusted>false</trusted>
 <url>ldap://192.168.1.100:389/DC=full360,DC=com</url>
 <userDN>CN=Ravinder Singh,DC=full360,DC=com</userDN>
 <password>full@360</password>
 <authType>simple</authType>
 <identityAttribute>dn</identityAttribute>
 <maxSize>1000</maxSize>
 <user>
 <loginAttribute>sAMAccountName</loginAttribute>
 <nameAttribute>dn</nameAttribute>
 </user>
 <group>
 <nameAttribute>cn</nameAttribute>
 <objectclass>
 <entry>group?member</entry>
 </objectclass>
 </group>
 </msad>
Download this toll "http://www.ldapbrowser.com/download.htm"
LDAP browser to get the perfact DN information.
Let me know the status
Ravikant

Service module placement and the L2 adjacency problem

I'd be very interested to hear others opinions on this. You have a datacenter environment with L2 boundaries at end of row aggregators, then L3 back to the core and edge. You have 6500 service module switches hanging off the core housing ACE and FWSM modules. You want to offer firewalling and load-balancing services to servers around the datacenter.
What is the current best practice ways of resolving the L2 adjacency requirement that the firewalling and load-balancing services impose? L2TPv3? EoMPLS? Any relevant advice, deployment examples, whitepapers etc would be much appreciated!
Thanks for any replies,
George

George
You could i suppose look to use L2TPv3 if your switches support it or EoMPLS but to my mind this is actually using a band aid to fix a problem that shouldn't be there.
We too struggled in our data centres with this setup but remember you only need L2 adjacency if you are running the FWSM in transparent mode or the ACE in bridged mode.
If you are then the cleanest solutions are either
1) redesign core connections to L2
2) deploy 6500 switches in the distribution layer. I say distribution layer because it's not clear from your description what your topology actually is but i'm assuming L2 access to distro and then L3 distro to core and the core switches are the 6500 switches.
Personally i always use the routed L3 approach where possible for fast failover and no STP and in the campus environment it works really well.
However L3 from the access-layer to the distro in the data centre is very limiting and you often come across problems such as the one you are facing.
Now again it does depend on your topology but assuming the issue is your core is L3 connected and you need L2 adjacency with your distro to offer servers i would look to deploy 6500 switches in the distro layer with the service modules in them.
If i have misunderstood please come back with more details.
Jon

Voice mail and Embedded-Service-Engine0/0 issue

Recently I added PSTN and SCUE-ISM-8.6-K9 to be applay (IVR and Voicemail) on my Cisco Router 2921 ,
The PSTN now is working properly ,But I facing three issue of the voicemail ,Embedded-service Engine and IVR configuration as the following:
1- I recieved the following error message when enable the Embedded-Service-Engine0/0
"Memory size does not meet the requirements of Embedded-Service-Engine0/0"
Cisco CISCO2921/K9 (revision 1.0) with 479232K/45056K bytes of memory.
Processor board ID FCZ162670HW
4 Gigabit Ethernet interfaces
2 terminal lines
1 Virtual Private Network (VPN) Module
2 Voice FXO interfaces
1 Internal Services Module (ISM) with Services Ready Engine (SRE)
Cisco Unity Express 8.6.6 in slot/sub-slot 0/0
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
2- Kindly the attached file of the Voice mail configuration but not working.
3- Please, can you provide of a document about IVR configuration ?

Hello Ammar,
As per the error you required more memory for ESE module to work, you have only 512MB memory. Now I assuem you configured on Service-Module right ? It will work fine without any issue.
Next for your voicemail not working can verify that you have configured the SIP dial-peer to reach the Voicemail tiggered phonenumber i.e. 700 in your case.
dial-peer voice 101 voip
session protocol sipv2
session target ipv4:192.168.130.101
destination-pattern 700
Thanks
Selva

Windows Firewall Service Crashes on Windows Server 2012

Hello Team,
I am facing issues with Windows Firewall Service in new Windows 2012 R2 deployments. when i try to start the Firewall service it wont start and it throws an error message to check the system event logs for information
The Windows Firewall service terminated with the following service-specific error:
The data is invalid.
I deployed this OS on a VM running with latest VM tools and HW version which is running on ESXi 5.1 U1
2 GB RAM, 1 vCPU
OS deployed through ISO downloaded from MS portal and License activated through KMS system, performed a couple of reboots as well.
any advise on this issue? i am sure some of you might have also faced the same issue

1. VMware support forum and knowledge base may give you more specific advice.
2. Windows services may be dependent on another service(s). Analyze these dependences. Do it after you understand implications of VMware firewall function.
3. More detailed info from Event log is needed for analysis (Event ID, etc)
4. Hope you have connectivity configured correctly.
5. For firewall in VMware read the following article(s):
http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-52188148-C579-4F6A-8335-CFBCE0DD2167.html&__utma=207178772.2027713003.1393320147.1393320147.1393320147.1&__utmb=207178772.0.10.1393320147&__utmc=207178772&__utmx=-&__utmz=207178772.1393320147.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)&__utmv=-&__utmk=174193441
Regards
Milos

XML Publisher with Service Module - Service Request Reports -- URGENT

Hi all ... any pointers/help/guidance with the problem listed below would be much appreciated.
I'm working in the context of the Oracle Service Module & Service Request Reports.
I'm required to configure the XML Publisher Responsibility seeded functionality with the service module reports.
Listed below are the two reporting requirements that I'm considering , corresponding to the following seeded XMLP Responsibility seeded components:
(I'm quoting an extract from the Oracle TeleService Implementation & User Guide here).
Detailed Report
Data Definition: Service Request Detail Definition (CS_SR_DETAIL_DEF)
Corresponding Template: Service Request Detail Report Template (CS_SR_DETAIL_TMP.en)
Template Description: Includes all of the available service request attributes including charges, the two descriptive flexfields, and extensible attributes.
Summary Report
Data Definition: Service Request Summary Definition (CS_SR_SUMMARY_DEF)
Corresponding Template: Service Request Summary Report Template (CS_SR_SUMMARY_TMP_en)
Template Description: Includes a subset of the detailed report attributes including the same charges information as the detailed report.
When I log into the EBS >> XML Publisher Administrator Responsibility >> Service Application ... I find these seeded XMLP components, together with the preview data, downloadable templates & sample output.
The question is:
Where (responsibility/application/navigation/etc.) do I find the seeded EBS Service Reports to provide the expected XML input to the seeded XMLP Service Request Data Definitions & Templates????
Notes ...
I have found the following two reports, under the Service Application in EBS, set their output type to XML and viewed the output of the submitted request:
- Service Request Detail Report
- Service Request Summary Report
... but each of these two reports produce XML output of a different data model/structure to that expected by each of the corresponding seeded XMLP data-definitions/templates.
Additionally, I cannot find any corresponding concurrent program definitions on the system with the same SHORT-NAME/CODE as the seeded XMLP data definitions themselves i.e. CS_SR_DETAIL_DEF and CS_SR_SUMMARY_DEF.
Are the necessary reports not actually seeded within EBS? Do the seeded XMLP data definitions & templates require development of new Concurrent Programs from scratch to access the database tables and provide the necessary data/input, or am I missing something here??

I am sure you found a solution to your problem. If not, to give a pointer to this issue, I guess these reports are gererated right from the service request screen and this definition is used there.This report can be generated from several places based on where you are within SR scree.
Thanks
Nagamohan

How to configure link between 2921 and SM-D-ES3G-48-P EtherSwitch Service Module

hi,
I can't do that like the procedure given by Cisco.
http://www.cisco.com/en/US/partner/docs/routers/access/interfaces/software/feature/guide/eesm_sw.html#wp1942894
Cisco Procedure :
interface gi10/0
ip address x.x.x.x x.x.x.x
service-module gigabitethernet 1/0 session
My result :
R2921-8CPITR-1(config)#int gi 1/1
R2921-8CPITR-1(config-if)#ip address 2.2.2.2 255.255.255.192
% IP addresses may not be configured on L2 links.
R2921-8CPITR-1(config-if)
R2921-8CPITR-1(config)#interface gigabitEthernet 1/1.1 ?
% Unrecognized command
R2921-8CPITR-1(config)#interface gigabitEthernet 1/1 ?
<cr>
R2921-8CPITR-1(config)#
the session is not possible also ?
R2921-8CPITR-1#service-module gigabitEthernet 1/1 sess
 ^
% Invalid input detected at '^' marker.
R2921-8CPITR-1#
The routeur said that it's not a L3 port, so how to configure it to allow communication between the 2921 and the card ?
Is there a bug with that version I'm in 15.1(4)M4 ????
R2921-8CPITR-1#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 18:57 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
R2921-8CPITR-1 uptime is 19 hours, 21 minutes
System returned to ROM by power-on
System restarted at 16:00:45 GAB Fri Sep 14 2012
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO2921/K9 (revision 1.0) with 479232K/45056K bytes of memory.
Processor board ID FGL1618119E
6 Gigabit Ethernet interfaces
2 terminal lines
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO2921/K9 FGL1618119E
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
 Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data None None None
Configuration register is 0x2102
R2921-8CPITR-1#

Same issue here.
I just waited a few minutes and the interface went down and back up, this time it was a L3 interface.
My guess is that it was booting the switch module IOS, and it detected it until it was fully booted:
Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
Apr 11 05:26:52.091: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
Apr 11 05:26:52.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
Apr 11 05:26:53.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
Apr 11 05:27:46.895: %LINK-5-CHANGED: Interface Embedded-Service-Engine0/0, changed state to administratively down
Apr 11 05:27:46.895: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
Apr 11 05:27:46.947: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
Apr 11 05:27:47.031: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state to administratively down
Apr 11 05:27:47.083: %LINK-5-CHANGED: Interface GigabitEthernet1/0, changed state to administratively down
Apr 11 05:27:47.895: %LINEPROTO-5-UPDOWN: Line protocol on Interface Embedded-Service-Engine0/0, changed state to down
Apr 11 05:27:48.083: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to down
Apr 11 05:27:49.283: %IP-5-WEBINST_KILL: Terminating DNS process
Apr 11 05:27:52.499: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
Apr 11 05:27:53.087: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 04-Sep-12 16:50 by prod_rel_team
Apr 11 05:27:53.255: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
Apr 11 05:27:53.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up
Apr 11 05:28:21.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Apr 11 05:29:22.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
Apr 11 05:29:22.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Router>en
Router#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/1 unassigned YES unset administratively down down
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet1/0 unassigned YES unset administratively down down
GigabitEthernet1/1 unassigned YES unset up down
Vlan1 unassigned YES unset down down
Router#
Apr 11 05:29:46.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to upconf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int g1/0
Router(config-if)#ip add 1.1.1.1 255.255.255.0
Router(config-if)#no shut
Router(config-if)#
Apr 11 05:30:09.046: %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
Apr 11 05:30:10.046: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
Router(config-if)#end

Service Module - Contract Template

Hello Experts,

We plan to implement service module in our SBO8.8 (pl6). I've been reading subjects about it for several weeks and do some testing. We've been using SBO almost about 1.5 years and trying to utilize its capabilities from time to time.

Our requirements for Service Module consist of 2 scenarios,

- Serial numbered items.
Create contract templates with "serial number" contract type.
Set automatic creation in General settings for customer equipment card (CEC).
Assigned to item in item master data.
Whenever delivery or A/R invoice made, CEC made automatically "per serial number" bassis,
while Service contract also automatically made in "per delivery/AR invoice" basis.

The questions I still wonder are,
1. In which part of the setup tells SBO to create Service contract automatically?
The reason I asked is, what happened if there are 2 differenct contract template? one based on serial number, and the other one
based on customer. When I got to choose which Contract Template to use?
This would be the same with how can I choose contract template in Item Master Data general tab when I want to assign
contract template based on Customer/Items Group contract type?

2. When the customer make a complain, and the item needs to be send back for repair. How can I received this item without
using the Return/AP credit memo windows? 
The reason is, the item has been sold to distributor, distributor sold to dealer, and
then dealer sold to end user. While the end prices in between are beyond our control, we do not know what amount to put on
return/AP credit memo form. Is there a way we could just received it without involving journal entry (the amount)? and after repair, delivery it back to customer.

3. Item A sold to Customer A, item B sold to Customer B. Then in reality, Customer A sold item A to Customer B. In our database, both CEC and Service Contract for item A will be under customer A. When customer B calls to make service call, how do we choose
that item serial number (being sold to customer A) for the service being made for Customer B?
I tried to choose the serial number first on the servic call windows to bring that specific items, apparently Customer A automatically
filled in the customer field. If I tried to change the customer, the serial number field will be gone and can only be updated by
items belongs to Customer A.

- The second scenario would be how to give service contract to customer whom items they bought mosly are managed by batch.
It almost the same with question #1 above. When do we got to choose to link a service contract to 'specific' customer that we
want to provide service warranty? So when delivery/AR being made, all items inside it reflect the service contract we want.

Seems like I stil have a lot to learn the advantages and limitation for this service module before implementing in our production database. Hope to hear any advices and feedback.

Thank you,
Peter
Edited by: Peter Widjaja on May 14, 2010 10:10 AM

roadman18,
This article should cover the issue you are experiencing. Give the steps outlined under the light patern a shot and let us know if it helps.
Best of Luck!
You can say thanks by clicking the Kudos Star in my post. If my post resolves your problem, please mark it as Accepted Solution so others can benefit too.

Cisco SSL Services Module (on 6500)

Hi all,
A customer has asked me a few questions on an SSL Services Module they have (that we haven't sold and have little experience with). I've been reading the documents, but I have some questions and things to verify...
As I can understand, they already have services and trustpoints configured on the module, but with certificates created with a previously-existing internal AD-integrated CA. Now, they want to switch their services to run a certificate they've obtained from a legitimate CA.
1) They are trying to import the new certificate with copy-paste method, through the terminal. As far as I can see, both the server certificate and the CA certificate issuing the server cert. should be in base64 encoded for this to work, right? Or, can we import somehow PKCS or PEM certs thorough the terminal?
2) They would like to use a wildcard certificate for a few of their servers/services they publish. (Like, instead of getting 3 different certificates for service1.domain.com, service2.domain.com and service3.domain.com, they'd like a certificate for *.domain.com which would work for all of the 3 services.) Is this possible? Should they need to change their configuration? (Now I understand that they have different trustpoints, certificates and service configurations for each of the servers...)
I'd really like if some good soul with experience could shed a little light on this...
Or, any leads on documentation (that I may have missed) would also be appreciated.
Thanks in advance,
Emre

Good day Emre-
For question 1 - You can import PEM base64 certificates via the terminal only, all other types need to be loaded over tftp/sftp/ftp.
For question 2 - There is nothing special about how the SSLM handles the Issed To field in a certificate, it doesn't matter if it is specifc or wildcard. Multi domain certificates are also ok (using a Subject Alternative Name field.) The only thing I can think of here in terms of a difference is you might have less trustpoints and configuration on you SSLM since you no longer require multiple server certificates.
Outiside of your direct questions, make sure you upload the root and intermediate(s) into the SSLM. It has to be able to complete the SSL chain from server to root in order to operate.
Regards,
Chris Higgins

Authentication issue getting "UMELoginException"

Dear Guys,
I am facing an authentication issue. The situation is like this,
My NT password was about to expire (had 6 more days for expiry). I was able to login till yesterday and all of the sudden today, when I was trying to login, I was not able to (it gave me password change message). So I went back and changed my NT password and tried to login again into the portal, however I am still not able to. I am pasting the stack trace,
#1.5#001143FDCEA7006700000008000018C40004196E4AD849E8#1153861399615#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.sapmimp.logon.SAPMLogonLogic][md=doLogon][cl=20282]#Guest#192####fff21cf01c2011dba425001143fdcea7#SAPEngine_Application_Thread[impl:3]_0##0#0#Error##Java###doLogon failed
[EXCEPTION]
#1#com.sap.security.core.logon.imp.UMELoginException
     at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:318)
     at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:344)
     at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
     at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
     at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:312)
     at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:368)
     at com.sap.portal.navigation.Gateway.service(Gateway.java:101)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
     at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
     at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
     at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
     at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
     at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
     at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
     at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Please help.
Regards,
Deepak

Hi Deepak,
it is most times that it needs to replicate through your system(s).
Regards,
Kai
PS: Please reward points if that was helpful.

Firewall services module authentication issues

Similar Messages

Maybe you are looking for