IDSM with inline pairs causing mac move

Hello,
I've just added the IDSM-2 blades on a 6500 and configured them, but it did not work as I planned.
This picture is a scaled-down version of what I tried to do; actually I had more VLANs under inspection.
I have 2 cores with a port-channel trunk between them, and for redundancy I'm using HSRP as the config shows.
After I configured it I got these messages and I could not figure out how to stop them:
Core1
%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 6 is flapping between port Gi6/d1 and port Po1
%MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 7 is flapping between port Gi6/d1 and port Po1
MAC 001a.a2e4.e800 is from Core2
Core2
%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 6 is flapping between port  and port Po1
%MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 7 is flapping between port Po1 and port
Mac 0022.557b.c340 is from Core1
There was only one VLAN pair that did not have this problem, which was the VLAN L2 for the ISP router and the VLAN Outside for the FWSM. It was also the only VLAN that did not have HSRP working; I don't know if that has something to do with it.
Core 1 is the STP root with a priority of zero and Core 2 is the backup root with priority 4096.
Any guesses ?

I see this log message frequently when using a switch to feed an IPS sensor if the same Ethernet frame is entering the same VLAN on two different interfaces. I can't tell how your traffic is flowing but I think you have the same issue.
In my case it was not anything to worry about so I just ignored the messages.
- Bob
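
To see which hosts, VLANs and ports such messages involve, the log can be grouped per device and host. The following is an added example, not part of the original thread: it parses the MAC_MOVE messages quoted in the question, including the two whose port name is blank. The leading device name on each line and the `Gi<slot>/d<n>` pattern used to recognise a sensor data port are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: the four messages quoted in the question, each prefixed
# with a device name (an assumption) so both cores can be analysed together.
SAMPLE_LOG = """\
Core1 %MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 6 is flapping between port Gi6/d1 and port Po1
Core1 %MAC_MOVE-SP-4-NOTIF: Host 001a.a2e4.e800 in vlan 7 is flapping between port Gi6/d1 and port Po1
Core2 %MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 6 is flapping between port  and port Po1
Core2 %MAC_MOVE-SP-4-NOTIF: Host 0022.557b.c340 in vlan 7 is flapping between port Po1 and port
"""

MacMove = namedtuple("MacMove", "device mac vlan port_a port_b")

# Either port name may be missing, as in the Core2 lines above, so both
# captures are allowed to come back empty.
MAC_MOVE_RE = re.compile(
    r"%MAC_MOVE-\S*NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S*?)\s*and port"
    r"(?:\s+(?P<b>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_mac_moves(text):
    """Return one MacMove per MAC_MOVE line; a blank port becomes None."""
    events = []
    for line in text.splitlines():
        m = MAC_MOVE_RE.search(line)
        if not m:
            continue
        prefix = line[:m.start()].split()
        device = prefix[0] if prefix else "unknown"
        events.append(MacMove(device, m["mac"].lower(), int(m["vlan"]),
                              m["a"] or None, m["b"] or None))
    return events


def summarize(events, sensor_port_re=r"^Gi\d+/d\d+$"):
    """Group flaps by (device, host MAC).

    sensor_port_re is an assumption about how sensor data ports are named,
    taken from the 'Gi6/d1' port in the quoted log.
    """
    sensor = re.compile(sensor_port_re, re.IGNORECASE)
    summary = {}
    for ev in events:
        entry = summary.setdefault(
            (ev.device, ev.mac),
            {"vlans": set(), "ports": set(), "incomplete": False})
        entry["vlans"].add(ev.vlan)
        for port in (ev.port_a, ev.port_b):
            if port is None:
                entry["incomplete"] = True   # the log line lacked a port name
            else:
                entry["ports"].add(port)
    for entry in summary.values():
        entry["vlans"] = sorted(entry["vlans"])
        entry["ports"] = sorted(entry["ports"])
        entry["via_sensor"] = any(sensor.match(p) for p in entry["ports"])
    return summary


if __name__ == "__main__":
    for (device, mac), info in summarize(parse_mac_moves(SAMPLE_LOG)).items():
        print(device, mac, info)
```
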

Similar Messages

  • IDSM-2 inline VLAN pair mode

    My customer has voice, video and data VLANs. The customer wants only inter-VLAN data traffic to be inspected by IDSM-2 inline, while other VLAN traffic bypasses it to the FWSM and then to the WAN.
    Is that possible with Inline VLAN pair mode?
    I read the cisco document which states as below
    "You can configure IDSM-2 to simultaneously bridge up to 255 VLAN pairs on each data port. IDSM-2 replaces the VLAN ID field in the 802.1q header of each packet with the ID of the VLAN on which the packet is forwarded. It drops any packets received on VLANs that are not assigned to an inline VLAN pair."
    The last statement says it will drop all other vlan traffic which are not assigned to any inline vlan pair?
    Regards
    Vinod

    You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

  • When I connect my iPhone to my Mac it says iTunes will not work with my iPhone because it needs iTunes version 10.6.3. The problem is I have no idea how to download that to my iPhone when my Mac will not connect to it because it needs the download. Help please

    When I connect my iPhone to my Mac it says iTunes will not work with my iPhone because it needs iTunes version 10.6.3. The problem is I have no idea how to download that to my iPhone when my Mac will not connect to it because it needs the download. Help please

    I've got the same problem. I just got my iPhone unlocked, and they told me to sync it to iTunes to get it permanently unlocked. Well, every time I plug my iPhone in it says it won't work as it needs updating to 10.6.3, which I have already updated, but it still doesn't work, so how can I get my phone unlocked?

  • I have 3 macs. 2 are Lion, 1 I left Snow leopard so I can access data from my old Quicken Application that doesn't work with Lion. If I move to iCloud, will I no longer be able to access my MobileMe email on the Snow Leopard mac?

    I have 3 macs. 2 are Lion, but 1 I left Snow leopard so I can access data from my old Quicken Application that doesn't work with Lion. If I move to iCloud, will I no longer be able to access my MobileMe email on the Snow Leopard mac?

    What version of word do you have? The TS3938 sounds like it's a PowerPC app- written for an old architecture that is no longer supported in Lion. If this is the case, your files are fine- you just need a newer version of word that will run in Lion in order to open them. The newest version (2011) should be readily available anywhere, and has worked fine for me ever since I switched to Lion on release day....

  • Recently purchased a used IPad 2 but it still has previous owner's data.  I've been told not to sync it to my computer as it will cause problems.  What do I need to do to make it compatible with accounts on my mac and ipod touch?

    Recently purchased a used IPad 2 but it still has previous owner's data.  I've been told not to sync it to my computer as it will cause problems.  What do I need to do to make it compatible with accounts on my mac and ipod touch?  Thanks for any and all help!

    You can wipe the iPad's contents completely by going to Settings>General>Reset>Erase All Content and Settings. This will remove all of the previous user's apps, data, settings and so on from the iPad and you can set it up as your own.

  • Authentication mac-move permit with NAC

    Hi,
    I have 2 switches with NAC configured on them. I also have "authentication mac-move permit" configured on my 2 switches, which are connected together. My understanding is that authentication mac-move permit does not work with 802.1x enabled ports.
    So I would like to verify if my understanding is correct: if I have authentication mac-move permit configured and a laptop moves to another port without logging off, the switch will see that as a violation and block the user, right?

    Anyone run into this before?

  • Why does the "TAB" key no longer work to move the cursor from field to field with Firefox 17 in MAC OS 10.8?

    The "TAB" key will not move the cursor from field to field with Firefox 17 in MAC OS 10.8. You have to use the mouse to click on the new field to move the cursor.

    See:
    * http://kb.mozillazine.org/accessibility.tabfocus
    Note: In OS X (as of 2005-01), if this preference is not explicitly set, the “Full Keyboard Access” setting in System Preferences will be honored. All builds before that date (e.g., Firefox 1.0.x) will ignore that setting.
    This pref doesn't exist by default, so if you want to use it instead of the system settings then you need to create a new Integer pref with the name accessibility.tabfocus and set the value to what you want (7 is to tab through all the fields).

  • IDSM-2 inline vlan pair mode configs

    Dear all,
    1. Is it possible to associate 2 VLANs (to be paired) on 2 different data ports on the IDSM instead of pairing them on a single data port, and to configure these 2 ports on the CAT6509 as access ports instead of trunks? Will this work?
    2. Bypass mode is ON by default (AUTO) in IDSM-2 inline VLAN pair mode, but when I test the bypass it is not happening. Can anyone please guide me on what the reason for this could be?
    Regards,
    Akhtar

    You can bypass the analysis engine when inline bypass is activated, allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline bypass ensures that packets continue to flow through the sensor when the sensor processes are temporarily stopped for upgrades or when the sensor monitoring processes fail. But not always.

  • Pair my mac book with hmdx jam wiresless speaker why?

    I can't pair my MacBook with an HMDX Jam wireless speaker. Why?

    Were you ever able to pair the device? I have tried with iPhone 4 and 5 and iPad 3 and iPad mini without any success.

  • Help with inline VLAN Pair and switch configuration

    Hello,
    I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.
    SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to Sw1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.
    I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But, they can't ping when on the separate vlans.
    From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.
    My IPS is configured with inline VLAN pair 100->200 and associated to vs0.
    Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?
    Below are my configs for the switches and the IPS.
    Any help would be appreciated. Thank you!
    IPS Config:

    service interface
    physical-interfaces GigabitEthernet0/0
    no description
    admin-state enabled
    duplex auto
    speed auto
    alt-tcp-reset-interface interface-name GigabitEthernet0/3
    subinterface-type inline-vlan-pair
    subinterface 1
    description test
    vlan1 100
    vlan2 200
    exit
    exit
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/0 subinterface-number 1
    inline-TCP-session-tracking-mode vlan-only
    exit
    exit

    SW1 and SW2 config:

    interface FastEthernet0/1
     switchport access vlan 100
    interface FastEthernet0/9
     switchport access vlan 200
    interface FastEthernet0/18
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface FastEthernet0/24 (Sw 2 only)
     description IPS port
     switchport trunk encapsulation dot1q
     switchport mode trunk

    It has been a while since I've dealt with a 2900 switch, so I am just trying to guess at what may be wrong with your setup.
    I noticed that neither of your trunk port configurations specifically states which VLANs are allowed on the trunks.
    It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which VLANs to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which VLANs the trunk to the sensor should carry. If I remember right the command would be something like:
    switchport trunk allowed vlan 100,200
    You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk"
    And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.
    On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.
    You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.
    You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.
    NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both pcs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches.

  • IDSM-2 inline between multible VLAN

    Hi,
    I have a 6509 core switch which includes an IDSM-2. The core switch handles the traffic between the users' VLANs and the server VLAN (VLAN 11).
    The user VLANs are VLAN 2, 3, 4, 5, 6 and 7. I need to configure the core switch and IDSM to be inline between the user VLANs and the server farm VLAN to inspect the traffic coming from the users.
    As I understand it, I can use the IDSM inline mode between multiple VLANs, but unfortunately my test to drop ICMP requests to the server failed.
    Kindly advise whether that is possible or whether it should only be in promiscuous mode.
    Also, is there any sample of a successful configuration?
    My configuration is as below:
    Core-SW-RYD#sh run | in intr
    intrusion-detection module 9 data-port 1 trunk allowed-vlan 2-7,11
    intrusion-detection module 9 data-port 2 trunk allowed-vlan 2-7,11
    intrusion-detection module 9 data-port 1 autostate include
    intrusion-detection module 9 data-port 2 autostate include
    intrusion-detection module 9 data-port 1 portfast 1
    intrusion-detection module 9 data-port 2 portfast 1
    VLAN Name                             Status    Ports
    1    default                          active    Gi9/2, Gi9/3, Gi9/4, Gi9/5, Gi9/6
    2    Food-D-VLAN                      active   
    3    Comm-D-VLAN                      active   
    4    Emar-D-VLAN                      active   
    5    Finance-D-VLAN                   active   
    6    Glucose-D-VLAN                   active   
    7    IT-D-VLAN                        active    Gi1/3
    11   servers-Vlan                     active    Gi1/2, Gi1/4, Gi1/5, Gi1/6, Gi1/7, Gi1/8, Gi1/9, Gi1/10, Gi1/12, Gi1/13
                                                    Gi1/14, Gi1/15, Gi1/16, Gi1/17, Gi1/18, Gi1/19, Gi1/20, Gi1/21, Gi1/22
                                                    Gi1/23, Gi1/24, Gi1/25, Gi1/26, Gi1/27, Gi1/28, Gi1/29, Gi1/31, Gi1/32
                                                    Gi1/33, Gi1/34, Gi1/35, Gi1/36, Gi1/37, Gi1/38, Gi1/39, Gi1/41, Gi1/42
                                                    Gi1/43, Gi1/44, Gi1/45, Gi1/46, Gi1/47, Gi1/48, Gi2/10, Gi2/11, Gi2/12
                                                    Gi2/13, Gi2/15, Gi2/16, Gi2/18, Gi2/19, Gi2/20, Gi2/21, Gi2/22, Gi2/23
                                                    Gi2/24, Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/8, Gi3/9, Gi3/10
                                                    Gi3/11, Gi3/12, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19
                                                    Gi3/20, Gi3/21, Gi3/22, Gi3/23, Gi3/24
    Your support will be highly appreciated.
    Best Regards,
    Magdy

    Hi Mohamed.
    With inline mode, you can only bridge VLANs in unique pairs, so you can only bridge VLAN 11 to one other VLAN. And remember, since they are bridged, the 2 VLANs need to have the same IP subnet.
    But looking at your requirements, I'm guessing the different VLANs are on different IP subnet ranges.
    In that case, you'll need to use promiscuous mode.
    However, in promiscuous mode you can only do ACL blocking, and the first packet will pass successfully but will trigger the sensor to configure the router to create an ACL, and further packets will be dropped.
    However, if you redesign a bit you can use promiscuous mode. For example, create a new layer 2 VLAN (let's say 14) and move the servers to this VLAN.
    You only need to trunk VLAN 11 and VLAN 14 to the IDSM module, then create a single VLAN pair on the IPS which bridges VLAN 11 and VLAN 14, then configure the signature to drop packets inline. Since the clients who need to contact the servers now need to pass traffic to VLAN 11, and the IDSM is in the middle between VLAN 11 and 14, it should drop pings to the servers.
    Regards,
    Fadi.
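
The two constraints raised in the replies above (the trunk to the sensor has to carry both VLANs of a pair, and a VLAN can be bridged in only one pair) can be checked before a configuration is applied. This is an added example, not code from the original posts: the function names are hypothetical and the second sample configuration is constructed to show a server VLAN being paired twice.

```python
import re

# Sensor configuration as posted in the IPS-4255 thread (pair 100 <-> 200).
PAGE_SENSOR_CONFIG = """\
service interface
physical-interfaces GigabitEthernet0/0
subinterface-type inline-vlan-pair
subinterface 1
description test
vlan1 100
vlan2 200
exit
exit
"""

# Constructed sample: VLAN 11 paired with two different user VLANs.
CONSTRUCTED_MULTI_PAIR_CONFIG = """\
service interface
physical-interfaces GigabitEthernet0/7
subinterface-type inline-vlan-pair
subinterface 1
vlan1 2
vlan2 11
exit
subinterface 2
vlan1 3
vlan2 11
exit
exit
"""


def expand_vlan_list(spec):
    """Expand a trunk allowed list such as '2-7,11' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def parse_vlan_pairs(sensor_config):
    """Return {subinterface number: (vlan1, vlan2)} from sensor config text."""
    pairs = {}
    current = None
    for raw in sensor_config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"subinterface (\d+)", line)
        if m:
            current = int(m.group(1))
            pairs[current] = [None, None]
            continue
        m = re.fullmatch(r"vlan([12]) (\d+)", line)
        if m and current is not None:
            pairs[current][int(m.group(1)) - 1] = int(m.group(2))
    return {num: tuple(vlans) for num, vlans in pairs.items()}


def check_pairs(pairs, trunk_allowed):
    """List the problems found; an empty list means both constraints hold."""
    problems = []
    owner = {}  # VLAN ID -> subinterface that already bridges it
    for num, (v1, v2) in sorted(pairs.items()):
        if v1 is None or v2 is None:
            problems.append(f"subinterface {num}: pair is incomplete")
            continue
        if v1 == v2:
            problems.append(f"subinterface {num}: vlan1 and vlan2 are both {v1}")
        for vlan in sorted({v1, v2}):
            if vlan in owner:
                problems.append(f"subinterface {num}: VLAN {vlan} is already "
                                f"bridged by subinterface {owner[vlan]}")
            else:
                owner[vlan] = num
            if vlan not in trunk_allowed:
                problems.append(f"subinterface {num}: VLAN {vlan} is not "
                                "allowed on the trunk to the sensor")
    return problems


if __name__ == "__main__":
    print(check_pairs(parse_vlan_pairs(PAGE_SENSOR_CONFIG),
                      expand_vlan_list("100,200")))
    print(check_pairs(parse_vlan_pairs(CONSTRUCTED_MULTI_PAIR_CONFIG),
                      expand_vlan_list("2-7,11")))
```
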

  • ISE question on desktop switches, MAC replace, MAC move

    Hi all,
    A few questions on authenticator NAD (example: switch) support for these items:
    01. Desktop switches: how can we enable another switch to plug in and extend the network? What is the deal with Network Edge Access Topology (NEAT)?
    What must be configured on the ISE policy node, the authenticator switch and the newly plugged-in extended switch?
    02. How, and what needs to be done on the authenticator switch and ISE, for these:
    a. MAC Replace
    b. MAC Move   
    Thanks
    Noel

    mac replace -
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1143287
    mac move -
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1481527
    Before you consider NEAT -
    If you are using a dumb switch you can enable multi-auth so that all MAC addresses forwarded up to the switch port are authenticated. Dynamic VLAN assignment is not a scalable solution for this solution since you can only assign the first authenticated MAC address to the dynamic VLAN; others either inherit the VLAN or error-disable the port (I can't recall), but it is documented.
    NEAT is only supported on a few access or distribution switches, so make sure you follow the release notes to see if your platform supports this design.
    ISE policy node - must have the av-pair of device-traffic-class=switch to be configured to dynamically convert the authenticator's port over to a trunk port. Your design depends on either MAB or dot1x to succeed for this av-pair to be triggered in your authorization policy...i.e. profiled endpoint group or a user group with the credentials mapped to a user group or both.
    Authenticator switch - must allow radius authentication, authorization, and for proper license tracking an accounting.
    Client switch - credentials (see reference guides and config examples), forward traffic to trigger mab if dot1x is not part of this solution.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Mail will not work, it says "you can"t use this version of mail with this version of mac os x. mail version 4.5 help please

    Mail icon displays the following "you can't use this version of mail with this version of mac os x"
    Mail version 4.5
    It was ok on friday, my daughter used the mac to update her ipod to ios6, would this cause a problem?
    All my updates are up to date.
    Any help, thanks.

    !! WARNING !!
    about the September 2012
    "Security Update 2012-004"
    If you've got "Mail.app" in a folder OTHER THAN the root "Applications" folder,
    MOVE "MAIL.APP" TO THE APPLICATIONS FOLDER
    **BEFORE** INSTALLING THE "004" UPDATE!!
    Because *IF* you use OSX's integrated Software Update app from the Apple menu to do the "004" updating, and *IF* your Mail.app is NOT in the Applications folder, then buddy, you've got some sitdown fixit time ahead of ya and/or some internet tie-up time downloading the "004" update file itself.
    Been through it all, already.  In fact, just got done getting my Mail back up & running. And I tried everything short of attempting to unpacking my "Mail.pkg" receipt file using... whatever... even Pacifist couldn't get it out. So that fixit "Plan D" died quick. And I'm not savvy enough to use Terminal commands to do "Plan E," so that SUDO stuff was my brick wall.
    So I compressed my entire "Mail" subdirectory that contain all my emails, for safekeeping during the required surgery, or whatever would work, leaving the original Mail directory where it was. In case something bad happened in all my fixit whatevers, the one thing I *didn't* want to cross paths with was a hosed Library -> Mail folder. Then I'd be pssd. But I can wipe out that ZIP now 'cause all's well now. After 6 hrs of downloading thru a mobile broadband hotspot running at only 14KB/sec speed due to my having gone over my T-Mobile hotspot plan's bandwidth amount (throttled-down after reaching the limit, tho not cut off completely. Kinda nice, but it's a huge speed drop).
    I tried moving the two Mail.app versions around, compressing them & then trashing the original so they wouldn't be recognized, blabla, even booted my Mac in Safe Mode & reinstalled the "MacOSX 10.6.8 (Snow Leopard) Update Combo.dmg" update file, which in the past has fixed many problems. But after restarting, not this one.
    Like a dummy who ignored knowing better, I had my Mail.app in a folder other than the Applications folder, with only an alias to that being in the Applications folder. NOT GOOD ENOUGH. The updater don't see that as nuthin special or useful.
    So if you've got, like I've got, "old" icons for Mail.app (v4.5) in your Finder toolbar & in your Dock that all point to "Mail.app v4.5" in whatever folder you've got that in, other than in the Applications folder (where Apple apparently REQUIRES that it be located, and ONLY there, at least for OSX updating purposes), then after you download & autorun that "004" updater using Software Update, NONE of your pre-existing Mail icons will work. And MOST aggravatingly, **NOR** will your brand-new "Mail.app v4.6" work that came out of the "004" updating installation.  So basically, your Mail.app's... all of 'em.... are hosed. But only if you run the "004" update without your "Mail.app v4.5" being located in your Applications folder and ONLY in your Applications folder. And duplicates of Mail.app, scattered around your HDD??  Always a problem with many Apple apps.... The Apple software engineers apparently like 'em to be in the Applications folder, and in ONLY there, and ONLY the latest version, and ONLY 1 single copy of each on your entire HDD. They just don't seem to stress that enough, it appears. Kind of an oversight for them to not emphasize that, IMO...
    My recommendation for this particular September 2012 "004" update:
    If you run Software Update, and if you see the "Security Update 2012-004" listed as available for download, UNCHECKMARK IT.  DO NOT DOWNLOAD IT USING SOFTWARE UPDATE !  Instead, download the actual update file itself.
    Same thing, only a different way of doing it. Most importantly, you'll be skipping the auto-installation that Software Update performs.
    AND you'll have that update file on your HDD for future fixits, should a nasty "unfixable" problem come up.
    First, #1. Do a filename search for "Mail" (Option-Command-Spacebar). Scroll down to where the "Apps" are located in the list under the "Kind" column heading. First, find your Mail.app that's v4.5. Get that bugger into your Applications folder if it's not already there. Next, Trash all other "Mail.app" apps you see in that same list that you may have elsewhere on your HDD.
    #2. Go here: https://support.apple.com/kb/DL1586
    And download the actual "004" DMG update file: "SecUpd2012-004.dmg"
    And of course, it's a biggie.... 270MB... so watching grass grow may be involved here if you've got a slow connection (go to a MacDonalds & do it, like I shoulda done).
    3. After downloading, I'd recommend closing down all apps, emptying the Trash, and restarting.
    Then, after restarting, run Disk Utility's "Repair Disk Permissions."
    Then, doublecheck that the Mail.app version 4.5 is in your Applications folder.
    THEN fire up & install "SecUpd2012-004.dmg."
    Reboot.
    After the reboot, your Mail.app version 4.5 in the Applications folder will have become Mail.app version 4.6 in the Applications folder, and all will be well again.
    And you can dump that zipped-up "Username -> Library -> Mail" folder then, too.
    Happy Mac'in!
    Kevin Kendall
    Macbook 7,1
    (Apple's very last all-white Macbook model)
    2.4GHz - 256GB Crucial SSD - 8GB Crucial RAM
    OS 10.6.8 Build 10K549 + Win 7 Ultimate thru VMWare Fusion v5.0.1

  • XSLT List View Web part with Inline Editing changing value for one field changes the other lookup field

    Hi
    It's a bit of a weird one. In an XSLT List View web part when Inline editing is enabled if I change the date column, it changes the lookup field column as well. This behavior only occurs if the lookup list has more than 20 entries. Below 20 and we are OK.
    Let me explain by example:
    MileStones List - Having more than 20 items
    Tasks List - having a lookup to the Title field from MileStones list. Also having a due date field.
    Simple web part page with one XSLT List View web part for Tasks having inline editing enabled.
    When I edit the first record's due date and press enter (which saves the changes and moves onto next record) and change the due date on second record without even touching the MileStone field. Press enter to commit changes and you see the milestone changing on first record!
    The weird thing is that if the MileStone list has less than 20 items all works as expected.
    Any pointers will be appreciated
    Thanks

    Hi,
    This is a known limitation when working with complex fields like Lookup field.
    A workaround is that we can avoid using the inline edit feature when there are
    complex fields in a list.
    You can take a look at this KB from Microsoft Support to get more details:
    http://support.microsoft.com/kb/2600186/en-us
    A similar thread for your reference:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/3d369611-ee79-4b5c-86bb-c0f3878cd746/standard-list-view-with-inline-editing-lookup-column-copies-preceding-or-following-items-related?forum=sharepointgeneralprevious
    Thanks
    Patrick Liang
    TechNet Community Support

  • Error: Could not continue scan with nolock due to data movement, DBCC proccache will clear the probelm

    SQL Server: 2008 R2 SP2
    Before describing my problem, I have gone via the forum, there is no view or functions inside my stored procedure
    When running a particular stored procedure inside crystal report, the error " Could not continue scan with nolock due to data movement" comes once every few weeks. After I clear the query cache plan, it works again for few weeks and the problem comes again. During these few weeks, there is no restart or query plan clearing.
    If I run the stored procedure inside SSMS, where the SQL statement is copied and pasted from SQL profiler during crystal report run, there is no error.
    I discovered running in SSMS and crystal report generate 2 different query plans even I copied the SQL from SQL profiler, I have actually saved the query plans. Unfortunately, this forum does not accept attachments, or otherwise I will post my query plans here.
    There is one thing I notice about the query plan is during nested loop operation, there is a warning "no join predicate". I don't use any views or UDF in the statement, nor did I use pre-1992 ANSI join syntax. However, I did use table variables.
    My guess is whether this will cause " Could not continue scan with nolock due to data movement", after I clear the cache, I run crystal report again, and I look at the plan again, the "nested loop no join predicate" warning is gone.
    Running this stored procedure took 1 second maximum, even when this error is popping up, it pop up within 1 second.
    DBCC checkdb has been run
    The same stored procedure running by crystal report in a SQL 2008 (non r2) live environment has no problems, so I am thinking this is R2 specific problems.
    The "nested loop no join predicate" error SQL statment is below, no views, no udf, but table variables
    INSERT @ChequeAccount
    SELECT        PS.PaySummaryID, PS.EmployeeID, PS.CostCentreID,
                (PS.GrossPay    + PS.LumpSumA + PS.LumpSumB    + PS.LumpSumD+ PS.LumpSumE+ PS.ETP+ PS.PaymentsAfterTax    - PS.DeductionsAfterTax  
     - PS.Tax- PS.ETPTax    + PS.TaxRebate) * -1 AS Amount,
                CGLM.GLAccountID
    FROM Pay_Summary PS JOIN Input_Sheet ISH ON PS.InputSheetID = ISH.InputSheetID  AND  ISH.PayrollID = @binPayrollID   
    AND PS.PaySummaryID NOT IN (SELECT PaySummaryID FROM @ChequeAccount)
    JOIN Payroll P ON P.PayrollID = ISH.PayrollID AND P.EmployerID = @binEmployerID
    JOIN CustomGLFixMapping CGLM ON CGLM.EmployerID = P.EmployerID AND CustomGLFixMappingNameID = 1 AND CGLM.CostCentreID IS NULL

    The error Could not continue scan with nolock due to data movement can occur when you use the NOLOCK table hint, or use the command SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED. That is, so-called dirty reads. The error is not related to the query plan per se, but when scanning a table, the storage engine will use an IAM scan rather than following the clustered index. If there is simultaneous activity, the storage engine may detect this and abort the operation to avoid returning incorrect data. Or it may not detect it, and return uncommitted data or fail to return committed data.
    All of these effects are transitory and they will not show up when you are alone on the system, only when there is concurrent activity in one or more of the tables in the query.
    Using dirty reads is a risky business for the reasons explained above, and it takes careful analysis to understand whether you can live with the errors you can get from a particular query. The error about data movement can be handled: trap the error and resubmit the query. But what about spurious incorrect results?
    If you believe locking to be a problem, you should consider setting the database to READ_COMMITTED_SNAPSHOT and take out all use of READ UNCOMMITTED/NOLOCK. When the database is in READ_COMMITTED_SNAPSHOT, readers read from the snapshot and only see committed data without blocking writers. This has some other effects like requiring a bigger tempdb, and there is a risk for other types of concurrency errors, but they tend to be smaller risks.
    I discovered running in SSMS and crystal report generate 2 different query plans even I copied the SQL from SQL profiler,
    This is because SSMS by default runs with SET ARITHABORT ON. I discuss this in more detail in this article on my web site:
    http://www.sommarskog.se/query-plan-mysteries.html
    However, as I said, this problem is not related to the query plan as such, although some query plans are more susceptible to this error than others. (All plans are susceptible to produce incorrect results).
    Erland Sommarskog, SQL Server MVP, [email protected]
