H-Reap PreAuthentication ACL

Hi.
I have a few APs working in H-REAP mode with local switching. I have a Guest WLAN, and after connecting to that WLAN the client must accept security regulations. The problem is that on the WLC under Security -> Web Auth -> Web Login Page I put text saying:
"Read a regulation form and click accept" and there is a button created in HTML:
<input type="button" value="Click to read"
onclick="window.open('http://192.168.1.100')">
When the client clicks the button, the page cannot be loaded, and I guess it is because the AP blocks any kind of traffic until you choose the Accept button (except DNS traffic). That is why I'm using a PreAuthentication ACL which permits traffic to 192.168.1.100 - it does work for an AP not in H-REAP mode, but for H-REAP it doesn't work.
What I found in Cisco documentation is:
If you have configured a locally switched WLAN, then Access Control Lists (ACLs) do not work and are not supported. On a centrally switched WLAN, ACLs are supported
Is that statement related to the preauthentication ACL as well? Is there some workaround for that problem?
Thanks in advance!

Strange thing. When I set my ACL to permit any any, I am not redirected to the local auth page on my WLC after putting some address in the web browser. What's worse, the web page which I am trying to reach doesn't show up either. I have no idea what is going on.
What can block that kind of traffic?
Any help would be useful!
I cannot find any information about the pre-auth ACL saying how it works. Every document says that it should be used for an external web auth server.

Similar Messages

  • Urgent: ACL on WLC 5508 + Transparent Proxy

    Hello,
    I'm doing some experiments on a test SSID to configure an ACL for limited resources on our Wired/Wireless network.
    I'm using and I would like to use the Web Authentication page. I have created an ACL under Access Control List, namely ICT. With this, I have created ACL rules as follows:
    Seq  Action  Source IP/Mask       Destination IP/Mask  Protocol  Source Port  Dest Port  DSCP  Direction  Number of Hits
    1    Permit  1.1.1.1 / 32         0.0.0.0 / 0.0.0.0    TCP       Any          Any        Any   Outbound
    2    Permit  0.0.0.0 / 32         1.1.1.1 / 32         TCP       Any          Any        Any   Inbound
    3    Permit  0.0.0.0 / 32         192.168.10.190 / 32  UDP       DNS          Any        Any   Inbound
    4    Permit  192.168.10.190 / 32  0.0.0.0 / 0.0.0.0    UDP       DNS          Any        Any   Outbound
    5    Permit  0.0.0.0 / 32         Proxy-vIP / 32       Any       Any          Any        Any   Inbound
    6    Permit  Proxy-vIP / 32       0.0.0.0 / 0.0.0.0    Any       Any          Any        Any   Outbound
    The authentication page comes up fine, but as soon as I enter the username and password correctly, the page doesn't redirect and IE shows the error "The page cannot be displayed".
    In the Edit Page of the WLAN -> Security -> Layer 3, I have selected the Preauthentication ACL as ICT, but still I can't browse the Internet.
    Any help, highly appreciated.
    Regards,

    Hello,
    The Web Authentication proxy is for organizations that have an explicit proxy in their browsers and want to implement the Authentication Page from the WLC. Sorry, this solution is not for what I intended to do.
    I have created a test ACL as below and the internet started working, but this rule is nothing actually, because I started reaching everything on other VLANs.
    Sequence
    Source: Any
    Destination: Any
    Protocol: Any
    DSCP: Any
    Direction: Any
    Action: Permit

  • Wlc 2504 7.4.100 to 7.4.110 upgrade fails

    Hello,
    I've got a strange behaviour while upgrading my 2504 WLC from 7.4.100 to 7.4.110. I used the GUI procedure to transfer the updated AES file to the WLC. The procedure started fine, finished downloading, and then the WLC got completely stuck on the "Writing New RTOS to flash" message, all APs lost connection, all clients down, claimings, etc... Then after more than 10 minutes watching my laptop screen I decided to hard reboot the WLC.
    Initially I saw the new image booting but, at the end, I finally figured out that the backup image instead booted and the show boot from the controller shows the following:
    (Cisco Controller) >show boot
    Primary Boot Image............................... 7.4.110.0 (default)
    Backup Boot Image................................ 7.4.100.0 (active)
    The controller now is working fine with the old image, but I need the upgrade.
    What do I have to do now ? I didn't understand what happened.
    Thank you for your help
    bye

    Upgrading to Controller Software Release 7.4.100.60
    Guidelines and Limitations
    • When H-REAP access points that are associated with a controller that has all the 7.0.x software releases that are prior to 7.0.240.0 upgrade to the 7.4.100.60 release, the access points lose their VLAN support configuration if it was enabled. The VLAN mappings revert to the default values of the VLAN of the associated interface. This issue does not occur if you upgrade from 7.0.240.0 or later 7.0.x release to the 7.4.100.60 release.
    • While a client sends an HTTP request, the Controller intercepts it for redirection to login page. If the HTTP request intercepted by Controller is fragmented, the Controller drops the packet as the HTTP request does not contain enough information required for redirection.
    • We recommend that you install Wireless LAN Controller Field Upgrade Software for Release 1.7.0.0-FUS, which is a special AES package that contains several system-related component upgrades. These include the bootloader, field recovery image, and FPGA/MCU firmware. Installing the FUS image requires special attention because it installs some critical firmware. The FUS image is independent of the runtime image. For more information, see http://www.cisco.com/en/US/docs/wireless/controller/release/notes/fus_rn_1_7_0_0.html.
    • If you are using a Cisco 2500 Series controller and you intend to use the Application Visibility and Control (AVC) and NetFlow protocol features, you must install Wireless LAN Controller Field Upgrade Software for Release 1.8.0.0-FUS. This is not required if you are using other controller hardware models. For more information, see http://www.cisco.com/en/US/docs/wireless/controller/release/notes/fus_1_8_0_0.html.
    • After you upgrade to the 7.4 release, networks that were not affected by the existing preauthentication ACLs might not work because the rules are now enforced. That is, networks with clients configured with static DNS servers might not work unless the static server is defined in the preauthentication ACL.
    • On 7500 controllers if FIPS is enabled, the reduced boot options are displayed only after a bootloader upgrade.
    Note: Bootloader upgrade is not required if FIPS is disabled.
    • If you require a downgrade from one release to another, you might lose the configuration from your current release. The workaround is to reload the previous controller configuration files saved on the backup server or to reconfigure the controller.
    • It is not possible to directly upgrade to the 7.4.100.60 release from a release that is older than 7.0.98.0.
    • You can upgrade or downgrade the controller software only between certain releases. In some instances, you must first install an intermediate release prior to upgrading to software release 7.4.100.60. Table 2 shows the upgrade path that you must follow before downloading software release 7.4.100.60.
    For more information :
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74mr1.html#wp976667

  • Cisco ISE - Reauthentication of client if server becomes alive again

    Dears,
    I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
    I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
    The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN).
    Below is the switch port configuration:
    interface FastEthernet0/5
    switchport access vlan 240
    switchport mode access
    switchport voice vlan 156
    authentication event server dead action authorize vlan 240
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    Anyone can help?
    Regards,

    Please check whether the switch is dropping the connection or the server.
    Symptoms or Issue
     802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
    Conditions
     This applies to user sessions that have logged in successfully and are then being terminated by the switch.
    Possible Causes
     • The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.
     • The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.
     • Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
    Resolution
     • Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
     • Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.
     • Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server vsa send accounting
    radius-server vsa send authentication

  • Integration between WLC WEb auth and NGS

    I'm trying to integrate WLC and NGS and getting this error message:
    Preauthentication ACL needs to be configured/selected for external webauth to work.
    Where do I need to configure ACL?
    Thanks

    Hi Surendra,
    Thanks for the links.
    Even though I'm using the 5500 WLC I still need to add the ACL!
    Looking at the attachment, if I permit ANY source and dest, then I can connect to the internet, but it didn't go through the login page and ask for the username and password; I could access the Internet without any authentication. If I set the rules as shown in the attachment, it gets me to the logon page (which is good) but I could not log on. Here's the radius log:
    rad_recv: Status-Server packet from host 127.0.0.1 port 43507, id=90, length=38
            Message-Authenticator = 0xf7233fc3f00a133f273b87e9c2359199
    Sending Access-Accept of id 90 to 127.0.0.1 port 43507
    Finished request 111.
    Cleaning up request 111 ID 90 with timestamp +5120
    Going to the next request
    Ready to process requests.
    rad_recv: Access-Request packet from host x.x.x.164 port 32770, id=65, length=169
            User-Name = ""
            CHAP-Challenge =
            CHAP-Password =
            Service-Type = Login-User
            NAS-IP-Address = x.x.x.164
            NAS-Port = 1
            NAS-Identifier = ""
            NAS-Port-Type = Wireless-802.11
            Airespace-Wlan-Id = 10
            Calling-Station-Id = "x.x.x.x"
            Called-Station-Id = "x.x.x.164"
            Message-Authenticator =
    +- entering group authorize {...}
    [radius-user-auth]      expand: %{User-Name} ->
    [radius-user-auth]      expand: %{User-Password} ->
    [radius-user-auth]      expand: %{NAS-IP-Address} -> x.x.x.164
    [radius-user-auth]      expand: %{Calling-Station-Id} ->
    Exec-Program output:
    Exec-Program: returned: 1
    ++[radius-user-auth] returns reject
    Delaying reject of request 112 for 1 seconds
    Going to the next request
    Waking up in 0.7 seconds.
    Sending delayed reject for request 112
    Sending Access-Reject of id 65 to x.x.x.164 port 32770
    Waking up in 4.9 seconds.
    Cleaning up request 112 ID 65 with timestamp +5144
    Ready to process requests.
    What does this message mean: "++[radius-user-auth] returns reject"?
    Thanks for your time.

  • Bypassing specific traffic on Guest SSID

    Hey guys,
    I have a guest access setup with WISM and Anchor controllers in DMZ for internet access. L2 security policy is based on WPA2+PSK with Layer 3 on web authentication. Would it be possible to let unauthenticated users connect to some web sites, say Cisco.com (that is, without being authenticated by the WLC)?
    Thanks in advance,
    Jay

    Sure, that is what the preauthentication ACL is for. Just create an ACL on the WLC and under the WLAN select that ACL for the preauth ACL on the layer-3 security tab. Anything that is permitted by the ACL will be allowed to pass through the controller regardless if the client has authenticated yet or not.
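
The behaviour described in the reply above, modelled as an added example (not code from the thread or from Cisco): a first-match evaluator with an implicit final deny and stateless rules, both assumptions of this model, plus an audit that flags a permit-any-any rule and the rules it makes unreachable. All addresses and the names `Rule`, `Flow`, `evaluate`, `preauth_outcome` and `audit` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str = "any"           # "tcp", "udp" or "any"
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in _net(rule.src)
            and ipaddress.ip_address(flow.dst) in _net(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.sport in (None, flow.sport)
            and rule.dport in (None, flow.dport))


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match falls to an implicit deny (model assumption)."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


def preauth_outcome(acl: List[Rule], flow: Flow) -> str:
    """What happens to a flow from a client that has not yet authenticated."""
    return "passes-unauthenticated" if evaluate(acl, flow) == "permit" else "held-for-webauth"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and a.sport in (None, b.sport)
            and a.dport in (None, b.dport))


def audit(acl: List[Rule]) -> List[str]:
    """Flag rules that let everything through before login, and rules never reached."""
    findings = []
    any_net = _net("0.0.0.0/0")
    for i, rule in enumerate(acl, start=1):
        if (rule.action == "permit" and _net(rule.src) == any_net
                and _net(rule.dst) == any_net and rule.proto == "any"
                and rule.sport is None and rule.dport is None):
            findings.append(f"rule {i}: permit any any, nothing is held for web auth")
        for j, earlier in enumerate(acl[:i - 1], start=1):
            if covers(earlier, rule):
                findings.append(f"rule {i}: never reached, covered by rule {j}")
                break
    return findings


# Constructed sample addresses (documentation ranges), not taken from the thread.
CLIENT = "198.51.100.50"     # guest client, not yet authenticated
PAGE_HOST = "192.0.2.10"     # host guests must reach before login
DNS_SERVER = "192.0.2.53"

# Stateless model: each permitted destination needs a rule for the return path too.
TIGHT_ACL = [
    Rule("permit", "0.0.0.0/0", DNS_SERVER + "/32", "udp", dport=53),
    Rule("permit", DNS_SERVER + "/32", "0.0.0.0/0", "udp", sport=53),
    Rule("permit", "0.0.0.0/0", PAGE_HOST + "/32", "tcp", dport=80),
    Rule("permit", PAGE_HOST + "/32", "0.0.0.0/0", "tcp", sport=80),
]
# Same rules behind a leading permit-any-any.
OPEN_ACL = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0")] + TIGHT_ACL

if __name__ == "__main__":
    other = Flow(CLIENT, "192.0.2.200", "tcp", 40001, 445)
    for name, acl in (("tight", TIGHT_ACL), ("open", OPEN_ACL)):
        print(name, preauth_outcome(acl, other), audit(acl))
```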

  • Windows 7 Clients Not Working With Web-Auth

    I am using 5508 controllers, configured for WEB-AUTH passthrough, Windows XP clients work fine but Windows 7 clients are hit and miss getting redirected to the splash screen.
    The login page is customised showing T's & C's with two buttons, Accept or Reject.
    Do I need to Pre-Auth with ACLs? Has anyone had similar issues, or any good docs etc.?
    Thanks in advance for any replies.
    Jay

    Nicolas,
    Many thanks for your reply, the problem is that this is a guest network that's also available to the public and I don't have any control over the end clients.
    After doing a quick search on the net I found this.
    NCSI : Uses a combination of DNS and/or HTTP look ups to tell if you are connected to the Internet. The way NCSI does this is either via a HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS look up for dns.msftncsi.com that resolves to 131.107.255.255.
    NCSI does this whether you are logged on or not.
    Do I need to Create a Preauthentication ACL on the Guest WLAN interface:-
    Configure a preauthentication ACL on the WLAN to allow wireless clients to allow:-
    1.       Permit DNS resolution (UDP/53) to 213.199.181.90
    2.       Permit TCP port 80 to 131.107.255.255
    Jay

  • I can not push the configuration to the controllers

    Involved hardware / software:
    2x Cisco 6509E in VSS-1440 configuration
    6509E running software version 12.2(33)SXI
    2x WS-SVC-WISM-1-K9 WiSM module (1 per 6509)
    WiSM running software version 4.2.205.0
    1x WCS version 4.2.128.0
    This is according to Cisco the WCS version to use with the WiSM software version 4.2.205.0 - it was released for this version
    Configuration that makes problems:
    • First: I configure an ACL on the WCS - this is correctly pushed to the Controller configuration
    • Second: I set the configured ACL as “Preauthentication ACL” for the web authentication
    • This setting is NOT pushed to the controllers - I have to configure it via the CLI every time I apply the WLAN settings.

    WiSM running software version 4.2.205.0 and WCS version 4.2.128.0?
    Shouldn't the WCS be of the higher version?

  • Does WiSM 6.0.196.0 support AIR-LAP1131AG-N-K9 in H-REAP mode

    Hello,
    I have WiSMs running code version 6.0.196.0. I have to deploy AIR-LAP1131AG-N-K9 in H-REAP mode.
    Q1. Does AIR-LAP1131AG-N-K9 require CAPWAP or can run off of LWAPP?
    Q2. Does anyone know how to find out if a WLC is running LWAPP or CAPWAP?
    Q3. If one has to convert LWAPP to CAPWAP, how is it done?
    Thanks
    Bo

    Hi,
    Q1. Does AIR-LAP1131AG-N-K9 require CAPWAP or can run off of LWAPP?
    A1. The AP will run CAPWAP as soon as the WLC is running a CAPWAP image. There is nothing special to do on the AP; once it joins the WLC, the WLC will check the image on the AP and, if it is using a different one, the WLC will push the correct image to the AP that matches the WLC version.
    Q2. Does anyone know how to find out if a WLC is running LWAPP or CAPWAP?
    A2. CAPWAP was introduced in WLC version 5.2 and all versions above are running CAPWAP software.
    • If your firewall is currently configured to allow traffic only from access points using LWAPP, you must change the rules of the firewall to allow traffic from access points using CAPWAP.
    • Make sure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP ports 12222 and 12223) are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.
    • If access control lists (ACLs) are in the control path between the controller and its access points, you need to open new protocol ports to prevent access points from being stranded.
    Q3. If one has to convert LWAPP to CAPWAP, how is it done?
    A1. On the APs nothing has to be done. Once the WLC is running CAPWAP software, it will automatically push the corresponding AP software to the AP.
    WLC runs CAPWAP if the software version is earlier than 5.2. WLC version 5.2 and all versions above are running CAPWAP software.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • IPad & 3502i WAP wlc 5508 H-REAP

    I have a weird situation occurring at a new remote location.
    Here is my scheme.
    At my physical location = WHQ
    wlc 5508 (7.0.98.0)
    vlan 800
    ssid KWD-Guest
    open authentication
    wep 48bit key
    (ACL restricted to internet only access)
    Remote physical location = 80NY 
    2821 router (12.4ios) - routes and dhcp for the locations networks.
    3560-48 switch     - user connections and WAP connections.
    3502i WAP - H-REAP back to WHQ for management and configuration.
    Remote physical location = 1441NY
    3825 router (12.4ios) - routes and dhcp for the locations networks.
    3560-48 switch     - user connections and WAP connections.
    1131AG WAP - H-REAP back to WHQ for management and configuration.
    Here is the issue we are running into.
    At 80NY the users want to connect to the guest vlan 800 ssid KWD-Guest with iPads and smart phones (model unknown).
    They can see the ssid broadcasting. Try to connect to the ssid, input the wep key. wait, wait and time out on dhcp, giving themselves a 168.x.x.x addy
    From the router side, I can see the dhcp request on the correct vlan hitting the correct dhcp pool.
    The router hands out a valid ip address and associates it to the correct wireless devices Mac-Address
    But as I said the client times out waiting for the dhcp address.
    Now the kicker here is that the very same iPad and smart phone CAN connect to the guest ssid at 1441NY which is also hosted off the same 5508 at WHQ.
    The only difference I see is the WAP model and the network addresses I hand out at each location.
    To the best of my ability I have double checked my router/switch and controller/WAP configurations against each site to make sure there is a mirror in place.
    Any ideas?
    SR 617433573

    dmantill,
    Good morning and thank you for linking in the pdf.
    I read it and hit several of the hyperlinks included in the pdf.
    While I found the information useful and informative overall I did not really see anything that explained or covered the issue I am encountering.
    I have a SR open now and the TAC engineer wants me to capture some debugs on the client mac. Once I can get the local tech onsite again we will perform the connection attempt with the debugging enabled.
    FYI this is what the engineer wants to see.
    Here is the information that I need to see when the problem occurs:
    Disable/Disconnect the wireless client from the network – wait 1-2 mins
    Open Telnet/SSH session to the WLC CLI - (Use Putty/SecureCRT with logging enabled)
    type: Debug client
    Turn the wireless device back on and let it authenticate/associate to the wireless network.  Once the client experiences the problem, disable the debug process using the command: 
    debug disable-all
    Filename: DebugClient.TXT

  • Using ACLs to control guests paths to the internet

    Our global network consists of many sites worldwide, with 75% of the sites having their own internet connection.
    To streamline the wireless setup in our WLC's I have considered to run the LAP's in H-REAP mode and on the guest SSID use access control lists to prevent guest users to access internal IP's.
    The guest's shall still be authenticated by our NAC guest server.
    The guest traffic would then flow to the default gateway which is the nearest internet connection.
    I know that the guest might be able to craft an ethernet packet with spoofed source address and there might fool the ACL, but besides of that is there any major security risk I am missing here?
    In a perfect world I would isolate the guest traffic, but our network structure makes it hard to streamline that.
    The idea was to use 3-4 centralized controllers each with the same configuration and the H-REAP LAP's could then connect the one with lowest delay time via the "Enable Least Latency Controller Join" under the officeExtent AP settings (?).
    What am i missing here?

    Yep -- USB works well too.  The advantage of Bluetooth over Wifi, incidentally, is power consumption.  If you cannot cable the phone (e.g. to a charger or to the PC) then the difference will be material in terms of battery consumption if you choose Bluetooth over Wifi.  Wifi, however, works with pretty-much anything where Bluetooth obviously requires that capable for the other device.

  • Downloadable Access-list (ACL) on 440x/WiSM

    I need a wireless solution where an Access-list is downloaded / refered to on a per-user or per-group basis in order to do filtering.
    Does unified wireless (aka airespace) support this?
    To make it worse - is it supported while using H-REAP APs?
    TIA.
    Anders

    You can configure ACS 4.0 to return an ACL name after the user authenticates, and ensure that the ACS also returns the Tunnel Type attributes which tell which VLAN to use.

  • Blocking SSID selectively in H-REAP mode

    Hi,
    We have deployed 500 access-points in 100 sites using 8 controllers.  SSID is switched locally and access-points are in H-REAP mode.
    Customer wanted us to host one more SSID, which will be used in only 10 sites. It will be using pre-configured user-name and password for authentication.
    1. How to block the SSID from advertising to remaining 90 sites? If I configure any SSID in controller, it is pushed to all 100 sites. How to block SSID selectively.
    2. Is there anyway to apply the acl on this SSID in local switching
    Thanks,
    Ramesh

    Ramesh:
    I think you asked question 2 as a suggested solution to question 1, right?
    So if we resolve question 1 the question 2 can be ignored.
    As Steve mentioned, you only add AP groups and that is it.
    Here is a config example: http://tiny.cc/j7tqcw
    Although the config example shows an old version, it is still applicable to newer versions (with a few differences). But if you know the concept you'll be able to do it with no problems.
    Ask if you got to any issue while configuring this.
    Good luck.
    Amjad

  • CAN NOT FIND DESCRIPTION DATA for ACLs in ACL VIEWS

    Hi,
    anyone knows where acl description data stored? (fixed_table, view, sys table)
    (I know XDB.XDB$ACL and xdb.xs$securityclass objects, but I do not want to parse those xmls)
    BEGIN
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(acl => '/sys/acls/my.xml',
    description => 'ACL_DESC',

    See XDS_ACL view, it does the parsing for you :
    SQL> SELECT description FROM sys.xds_acl;
    DESCRIPTION
    Read-only privileges to anonymous
    Protected:Readable by PUBLIC and all privileges to OWNER
    Protected:Readable by PUBLIC and all privileges to OWNER
    Public:All privileges to PUBLIC
    Private:All privileges to OWNER only and not accessible to others
    Read-Only:Readable by all and writeable by none
    6 rows selected
    And it was not that hard to do it "manually" BTW :
    SQL> SELECT x.description
      2  FROM XDB.XDB$ACL
      3     , XMLTable(
      4         XMLNamespaces(default 'http://xmlns.oracle.com/xdb/acl.xsd')
      5       , '/acl'
      6         passing object_value
      7         columns description varchar2(4000) path '@description'
      8       ) x
      9  ;
    DESCRIPTION
    Read-only privileges to anonymous
    Protected:Readable by PUBLIC and all privileges to OWNER
    Protected:Readable by PUBLIC and all privileges to OWNER
    Public:All privileges to PUBLIC
    Private:All privileges to OWNER only and not accessible to others
    Read-Only:Readable by all and writeable by none
    6 rows selected

  • New Project - New Problems or The day the Reaper died

    Ok, this is more like telling a story than a cry for help.
    The story is about a new project, new (great) results and the disaster that followed.
    Well story starts October 21st with me upgrading rig 1 with new parts. They came for my Opteron165 setup which oc'ed nicely but didn't make it far enough. So board, cpu and ram of rig 1 (sig) got replaced by the following parts:
    The new cpu is an Athlon X2 5200+ EE (TDP 65W), 2.6ghz, 2x 1024kb L2 cache, 90nm, F3 stepping.
    The board is from MSI (of course), a K9N SLi Platinum. Very nice board and luckily it is PCB version 1.2 which features a heatpipe while the older version just had a very bad cooling, passive aluminium heat sink. The older version is the one still to be seen on MSI product site.
    The new one looks therefore way better and stays cooler:
    In addition I threw a pair of the finest ddr2 ram in it. A 2gb dual channel kit of OCZs new DDR2 PC2-6400 Reaper CL3 Edition. DDR2-800 with 3-4-4-15 (stock), guaranteed to work with 2.3volts.
    So suppositions for oc were great and I started:
    First of all upgraded the bios from 1.8 to the latest 1.10. Then I thought why go step by step, why not starting big. So I set HT clock to 250mhz, resulting in a cpu clock of 3250mhz (multi 13), Hyper transport link set to 800mhz (x4), ram very relaxed (divider 667, 5-5-5-15 2T). It didn't post but I thought solution is easy, forgot to set extra voltage for cpu. Next try at 3250 mhz with 1.25v and set 0.1v extra in bios. It didn't post. I set voltage to maximum but no luck. Tried again but this time I lowered the HT link to 600mhz (x3). Now it posted even with 1v extra and it also booted XP but seemed to be not very stable. So set extra voltage to 0.15v which enhanced stability greatly.
    After minor driver problems my old XP installation worked pretty perfectly with the new setup. Time had come to see if it was stable and I started Orthos. It seemed to be ok, 1hour no problems, 2hours, 3hours and bam... 3hours 40 minutes and that's it. I thought "Damn, but it will make it with more voltage". I added more voltage (0.2v extra) and started Orthos again but no way, at 4hours 32 minutes it stopped again.   
    I'm not easy to discourage and so I added 0.25v to the 1.25v vcore and tried another time. Still 250x13 = 3250mhz.
    And it worked!
    Orthos now easily worked six hours when I stopped it myself to see if it would also be stable with more intense ram settings. I set ram divider to 800mhz (1:1) resulting in DDR2-929 and timings to 4-4-4-15 2T.
    I started Orthos and left the machine alone... Outstanding 16 hours later it was still working!
    After 17hours 5 minutes and 50 seconds of running Orthos I knew I had a stable beast!
    It also worked with ram set to divider 667 (resulting in 406mhz or ddr2-812) and 3-4-4-15 2T. However 1T was a real killer, thats why I left command rate at 2T and were happy so far.
    Performance was really good and I wanted to know if this would increase my 3dmark06 results which were already great with old setup because of nicely oc'ed 8800GTS 320. The opteron could do 9572 3dmarks with it.
    The new setup easily broke the 10.000 points by reaching 10306 points with cpu at 3250mhz, ram at ddr2-929 (4-4-4-15 2T), vga as seen in sig.
    It really seemed to be finished. The rest would be just playing around and going for suicide clocks. At least that was what I thought at that time.
    Before maxing it out I wanted to have the Vista 64 Ultimate installation also running with the new setup. I hadn't booted vista since upgrading to the am2 system, so I tried for the first time....
    AND NOW EVERYTHING GOT F***** UP
    Vista welcomed me with a blue screen instead of a logon screen. I was pi**** but aware it might not like changing from NForce4 SLi to NForce 570 SLI. Next step was trying safe mode but vista thought of blue mode and showed a screen of that colour. I thought "ok, maybe you dislike setup change" and so I went for a clean install. I even formated the partition and gave it a go. Installation was fine 'til first start. Well, it wasn't a start to be honest as vista told me it was not able to do this. Repair wasn't successful either.
    Assumption was now system is not making the oc clocks although proved to be stable under XP. So I removed any oc and loaded fail-safe mode in bios. Relaxed ram timings to 5-5-5-18. I started installing vista again, thought I could oc again when it is installed.
    Oh boy, how wrong I was...  The 2nd installation turned out to be as faulty as the first and I tried again and again... After installation failed nine times I was finally discouraged.
    I just wanted to boot XP for now, forget about installing vista and maybe ask here if it this was a known issue.
    Well, I didn't get to see XP. I was just informed about a missing file that also prevented to boot safe mode. I took my XP cd and started automatic repair. After this was nearly finished the first errors and notifications about unknown, missing or corrupted files appeared. Although XP made it to finish install and booted successfully. But this XP wasn't a real XP as many things didn't work. I couldn't install drivers because loads of errors and crc crap made working with it impossible. Clear install time! But no way, same issues like seen in vista.
    Now I was pretty desperate and I urgently needed an idea.  I came to the solution maybe I could try with single channel, using just one mem stick. I removed one and tried installing XP again. It worked without any issue. Even driver installation and other software worked without a problem. Now I was even able to install Vista.
    But still I didn't know what caused all the trouble. I had three suspects: Mobo, ram, cpu. I doubted in faulty board but cpu (failing to control dual channel) or the ram stick I removed were my favorites. As it was the easiest to try I put the other stick back in but used a slot combination that would cause single channel.  Booting Vista now turned out to be a disaster. Errors, corrupt files and so on. Same with XP.
    Conclusion: Dual channel is not the problem. Added mem stick was now suspect no.1. I took the first one out and started memtest. Memtest didn't show errors after 8hours. I wondered and started Vista. Result was the same as seen before with two sticks. Errors and access violations. Replaced this stick with the other one and everything was fine again.
    Next day I tried with a borrowed MDT 2gb dual channel kit which also worked without a problem. 
    Sad but true, one of the Reapers is K.I.A. Damn....
    Now I'm sitting here with a borrowed kit of value ram which luckily allows me to let the cpu run at 3250mhz with mem divider at 667mhz (result: 406mhz) and which I can luckily keep 'til I get another kit of Reapers. I have to send my current Reapers back to vendor these days and wait for the rma process and wait and wait....
    So what started greatly ended not so great. For now I'm sick and tired of seeing bios screens or installing windows and I'm also pretty pi**** because of all the data I lost. Some crucial ones among them.
    Main problem remains: I have no idea WHY the Reaper died. I never set any higher vdimm than 2.3v, which should be ok for it. It never felt hot and was directly in the main airflow. Also I have no clue why memtest didn't find any error with the faulty stick.

    Quote from: flobelix on 30-October-07, 06:12:31
    Be aware that you have to keep an eye on shader clocks when oc'ing the gpu. With common tools you're oc'ing gpu and shaders at the same time. Since I'm suspecting a misproportion of gpu/shader clocks to be one of the reasons for problems with factory oc'ed Geforce 8 you should try with different combinations. With the latest Riva Tuner you can change 'em separately without having to mod the bios.
    Memory is at its end I suppose, that's the problem with most high end cards, no potential. Seems as if you have to live with that.
    That's true for HD2900 series I think but as far as I know 8800GTX needs it even for stable working.
    Could be your psu is too weak, maybe really time for the new Corsair. On the other hand should be strong enough I guess.
    You're ungrateful! That good old 3500+ oc'ed so well and was once a real performer and you call him crap.... bad boy.
    "You're ungrateful! That good old 3500+ oc'ed so well and was once a real performer and you call him crap.... bad boy. "
    Yes, you are right, the CPU performs great, but it's just old.. (it is not the CPU's fault in a direct sense)
    "Be aware that you have to keep an eye on shader clocks when oc'ing the gpu. With common tools you're oc'ing gpu and shaders at the same time. Since I'm suspecting a misproportion of gpu/shader clocks to be one of the reasons for problems with factory oc'ed Geforce 8 you should try with different combinations. With the latest Riva Tuner you can change 'em separately without having to mod the bios."
    Yes, I'm aware of it, but this is not the case.. I got instability even with 2Mhz more on the GD... SD remains @ stock 1350 and memory at stock as well.. and got instability...
    Reversed story: if I put everything at stock, but +2Mhz more on the memory, I got the same instability....
    "With the latest Riva Tuner you can change 'em separately without having to mod the bios."
    Hmm, nope here, it's locked: increasing GD clock increases SD clock as well. They are locked and increased in parallel (i.e., both at the same time).
    "Memory is at it's end I suppose, that's the problem with most high end cards, no potential. Seems as you have to live with that."
    The mem. chips used are for 1000Mhz, the VGA stock; MSI has not OCed them.. so they must have potential.. also the VGA is advertised with DOT... at least it's designed to handle up to 5-6% OC. I have done a few reviews (don't trust them much here, but anyway it's info) and user opinions: no problem to OC up to 2100Mhz (1050). So I doubt that it is a memory problem.
    "Could be your psu is too weak, maybe really time for the new Corsair. On the other hand should be strong enough I guess."
    Yes, that is the only conclusion I am stuck with at the moment... Good news is that I talked with the distributor today and they assured me that it will be delivered tomorrow. So tomorrow I will know more about that mystery when I install the more powerful (and, I hope, great) PSU.
