Index block dump: "header address" doesn't match rdba
I did a dump on index leaf block, and I found "header address" doesn't match rdba, what's the "header address"? I also found several leaf blocks have the same "header address".
buffer tsn: 11 rdba: 0x1684d120 (90/315680)
========> 0x1684d120 (1)
header address 4403265988=0x1067481c4
========> 0x1067481c4 (2)
*** SERVICE NAME:(SYS$USERS) 2009-08-04 04:37:36.335
*** SESSION ID:(14234.24426) 2009-08-04 04:37:36.335
Start dump data blocks tsn: 11 file#: 90 minblk 315680 maxblk 315680
buffer tsn: 11 rdba: 0x1684d120 (90/315680)
========> 0x1684d120 (1)
scn: 0x0324.dda9ec3d seq: 0x01 flg: 0x04 tail: 0xec3d0601
frmt: 0x02 chkval: 0xeb2a type: 0x06=trans data
Hex dump of block: st=0, typ_found=1
Block header dump: 0x1684d120
Object id on Block? Y
seg/obj: 0x7ca10 csc: 0x324.dda9ec3d itc: 17 flg: O typ: 2 - INDEX
fsl: 0 fnx: 0x1684cf72 ver: 0x01
Itl Xid Uba Flag Lck Scn/Fsc
Leaf block dump
===============
header address 4403265988=0x1067481c4
========> 0x1067481c4 (2)
kdxcolev 0
KDXCOLEV Flags = - - -
kdxcolok 0
kdxcoopc 0x90: opcode=0: iot flags=I-- is converted=Y
kdxconco 2
kdxcosdc 5
kdxconro 0
kdxcofbo 36=0x24
kdxcofeo 7672=0x1df8
kdxcoavs 7636
kdxlespl 0
kdxlende 0
kdxlenxt 373579108=0x16445d64
kdxleprv 377801347=0x1684ca83
kdxledsz 0
kdxlebksz 7672
----- end of leaf block dump -----
Thanks,
Daniel
Hi user646745
You didn't say why you need to do an index block dump?
Also take care that block structures and dumps are sometimes different from version to version, e.g. 9i and 10g. Unless you know exactly what you are looking for
Thanks
Similar Messages
-
ATT Mcell, address doesn't match account address
I got a text with similar content to the title of this post a few days ago. My Mcell has been set up for three years, and suddenly it went down and I have no reception in my home anymore. I looked through a few forums, and found that this problem is common and is due to an issue on ATT's end with the registration process and servers. A new Microcell won't fix it, since the issue is not with the device but with the servers that handle the device. I need this issue fixed ASAP, so I am posting here for further assistance.
I am a professional computer nerd and manage quite a few microcells, both older orange/white and new black.
While there might be a glitch in the reg system, the norm is that there is no requirement regarding the account address and the microcells physical location.
I have microcells on accounts with account address in Los Angeles or other major cities, but the microcells are physically located in Colorado, Montana, Hawaii, etc, (caveat: as long as ATT is authorized to provide service at the microcells location.)
One trick I use in rural locations when I get an address mismatch issue, is I use Apple Maps, Google Maps, or similar internet mapping site on my smart phone or tablet, with GPS enabled. I let it "tell me" what address it believes I am located at, and use that as the microcell location.
Sometimes it is right on the money, other times, it tells me that I am quite far from the address I think I am at. ie: the entry gate to the property is 1234 Any Canyon Road, but by the time you get to the house, it thinks we are at 1456 Any Canyon Road. The GPS and the county (or USPS) address fairies don't always use the same numbering standards. (I know that somebody somewhere must be shocked at this revelation!)
Generally rural fire and police/sheriff know the area well, and after the microcell is active, you can always contact your local agency 911 coordinator and ask them to put notes into the 911 system that if the get a cellular 911 call at 1456 Any Canyon Road, the entrance gate is actually at 1234 Any Canyon Road.
Not sure if this helps your situation, but I know some people that have encountered this same issue.
Good luck,
Mark
-
I've successfully added 29 laptops via a computer list and been able to sync them with phd management. I have my last one that just won't go into the computer list. I can see it when I got to members and try to add it with the ..., but it never gets into the list. What I have determined is that the Mac address that is being seen in WGM is not the same one that shows up on the laptop. Don't know how to resolve this. Also, does anyone know if the apple list for client-management is down? I can't send any messages to it. Thanks.
The From name will be whatever name the sender is using. Not that the from address displayed in Mail is J S <etc....>. What you see within the angle brackets should be the actual mail address.
-
Interpreting an index data block dump
I have seen a few postings about reading index data blocks, mine doesn't quite look like those.
Ok: 11Gr1 (linux)
Tracing down a hot block issue with an index, I performed
alter system dump datafile 11 block 4030208;
Looking at the Web page "Index Block Dump: Index Only Section Part II (Station To Station)" and others they show a dump like this:
row#0[8021] flag: ——, lock: 0, len=15
col 0; len 5; (5): 42 4f 57 49 45
col 1; len 6; (6): 02 01 48 8a 00 00
row#1[8002] flag: ——, lock: 0, len=19
col 0; len 9; (9): 4d 41 4a 4f 52 20 54 4f 4d
col 1; len 6; (6): 02 01 48 8a 00 02
row#2[7987] flag: ——, lock: 0, len=15
col 0; len 5; (5): 5a 49 47 47 59
col 1; len 6; (6): 02 01 48 8a 00 01
—– end of leaf block dump —–
End dump data blocks tsn: 8 file#: 8 minblk 84234 maxblk 84234
I don't see anything that "obvious" in my dump. Am I looking at something other than a leaf block perhaps?
I am expecting/hoping to see some sort of pairs for an index like X(y number, z number)
Block dump from cache:
Dump of buffer cache at level 4 for tsn=6, rdba=50167552
BH (0x275f2aec8) file#: 11 rdba: 0x02fd7f00 (11/4030208) class: 4 ba: 0x274992000
set: 111 bsz: 8192 bsi: 0 sflg: 0 pwc: 0, 25 lid: 0x00000000,0x00000000
dbwrid: 2 obj: 127499 objn: 77784 tsn: 6 afn: 11
hash: [0x403d34650,0x403d34650] lru: [0x333f32878,0x209f4ea88]
lru-flags: hot_buffer
ckptq: [NULL] fileq: [NULL] objq: [0x22dede3f8,0x30ff9c3f8]
st: XCURRENT md: NULL tch: 2
flags: block_written_once redo_since_read gotten_in_current_mode
LRBA: [0x0.0.0] LSCN: [0x0.0] HSCN: [0xffff.ffffffff] HSUB: [34]
cr pin refcnt: 0 sh pin refcnt: 0
buffer tsn: 6 rdba: 0x02fd7f00 (11/4030208)
scn: 0x0001.19bccf84 seq: 0x02 flg: 0x04 tail: 0xcf841002
frmt: 0x02 chkval: 0x987f type: 0x10=DATA SEGMENT HEADER - UNLIMITED
Hex dump of block: st=0, typ_found=1
Dump of memory from 0x0000000274992000 to 0x0000000274994000
274992000 0000A210 02FD7F00 19BCCF84 04020001 [................]
274993FF0 00000000 00000000 00000000 CF841002 [................]
Extent Control Header
Extent Header:: spare1: 0 spare2: 0 #extents: 66 #blocks: 10239
last map 0x00000000 #maps: 0 offset: 4128
Highwater:: 0x047feb5b ext#: 65 blk#: 731 ext size: 1024
#blocks in seg. hdr's freelists: 0
#blocks below: 9946
mapblk 0x00000000 offset: 65
Unlocked
Map Header:: next 0x00000000 #extents: 66 obj#: 127499 flag: 0x40000000
Extent Map
0x02fd7f01 length: 127
0x0339ea80 length: 128
...
Some time ago, I wrote a python script to print decimal form integer values from an index block dump. I don't know if it will help you, but it may be a start. It only prints the integer equivalent of the first column in the index, as that is what I needed at the time.
It is called as...
18:55:31 oracle@oh1xcwcdb01 /u02/admin/wcperf/udump >./blockdump.py wcperf1_ora_21618.trc
col 0: [ 4] c4 48 2a 53 converts to 71418200 on line #526 in the block dump.
col 0: [ 5] c4 48 2a 53 1d converts to 71418228 on line #640 in the block dump.
col 0: [ 6] c5 08 02 20 61 3f converts to 701319662 on line #648 in the block dump.
col 0: [ 6] c5 08 03 2f 33 17 converts to 702465022 on line #785 in the block dump.
col 0: [ 6] c5 08 03 2f 33 5f converts to 702465094 on line #793 in the block dump.
col 0: [ 6] c5 08 03 2f 40 38 converts to 702466355 on line #801 in the block dump.
col 0: [ 6] c5 08 03 30 09 5c converts to 702470891 on line #809 in the block dump.
col 0: [ 6] c5 08 03 32 61 05 converts to 702499604 on line #817 in the block dump.
col 0: [ 6] c5 08 03 33 0b 06 converts to 702501005 on line #827 in the block dump.
col 0: [ 6] c5 08 03 33 19 4b converts to 702502474 on line #835 in the block dump.
col 0: [ 6] c5 08 03 33 44 3d converts to 702506760 on line #843 in the block dump.
col 0: [ 6] c5 08 03 33 45 08 converts to 702506807 on line #851 in the block dump.
col 0: [ 6] c5 08 03 33 4e 5a converts to 702507789 on line #859 in the block dump.
col 0: [ 6] c5 08 03 33 5f 3b converts to 702509458 on line #867 in the block dump.
col 0: [ 6] c5 09 01 01 21 64 converts to 800003299 on line #875 in the block dump.
col 0: [ 6] c5 09 01 01 22 3b converts to 800003358 on line #883 in the block dump.
18:55:41 oracle@oh1xcwcdb01 /u02/admin/wcperf/udump >
...and the script itself is below...
#!/usr/bin/env python3
#Author: Steve Howard
#Date: March 23, 2009
#Organization: AppCrawler
#Purpose: Simple script to print integer equivalents of block dump values in index.
import fileinput
import re
import sys

# Only handles positive integers whose exponent byte is c1..c9.
for j, line in enumerate(fileinput.input([sys.argv[1]]), start=1):
    if re.match('^col 0:', line):
        # Bytes after the "]": the exponent byte, then base-100 digits stored as digit+1.
        cols = line.split("]")[1].split()
        # Exponent byte "cN": the first digit is multiplied by 100**(N-1).
        exp = int(cols[0].replace("c", "")) - 1
        tot = 0
        for col in cols[1:]:
            tot = tot + ((int(col, 16) - 1) * (100**exp))
            exp = exp - 1
        print(line.rstrip("\n") + " converts to " + str(tot) + " on line #" + str(j) + " in the block dump.")
-
At the end of the part 2 tutorial, this was the code:
@charset "utf-8";
/* CSS Document */
#container {
width: 968px;
background: #FFF;
margin: 0 auto;
padding-left: 10px;
padding-right: 10px;
overflow: hidden;
}
#main_image {
background-image: url(images/main.jpg);
background-repeat: no-repeat;
}
#container #main_image {
height: 376px;
width: 968px;
}
#left_column, #center_column, #right_column {
width: 316px;
float: left;
}
#center_column, #right_column {
margin-left: 10px;
}
The part 3 tutorial instructed this:
Copy the <script> tags from the Edge Web Fonts site, and paste them into the <head> section of index.html in Dreamweaver just above the <link> that attaches the style sheet like this:
<head>
<meta charset="utf-8">
<title>Check Magazine</title>
<script src="http://use.edgefonts.net/sarina.js"></script>
<link href="styles/check_cs6.css" rel="stylesheet" type="text/css">
</head>
As you can see from the code at the end of part two (listed at the top), there is no reference to <head> anywhere in the code; therefore, I am uncertain as to where to insert these code instructions.
I assume that the embedded tags are in the index document, not the styles type document?
I appreciate the information, but I don't see how it relates to my question. Maybe your answer was just over my head? My original question was: If the instructions say this:
Copy the paste them into the section of index.html in
Dreamweaver just above the that attaches the style
sheet like this:
and there the word does not appear anywhere on the index file that I can see it (whether it's embedded or otherwise), where do I insert the code?
Date: Fri, 8 Feb 2013 10:29:29 -0800
From: [email protected]
To: [email protected]
Subject: The pt 3 tutorial code doesn't match the pt 2 tutorial code. Nowhere to insert <head> in pt 2 code.
Re: The pt 3 tutorial code doesn't match the pt 2 tutorial code. Nowhere to insert in pt 2 code.
created by Nancy O. in Dreamweaver - View the full discussion
The pair of and tags are an integral part of any HTML document. When you create a new page in DW, it automatically creates the core HTML tags for you, so in that regard, there's nothing for you to add except content and styles. Embedded CSS styles are inserted inside the document's tags like so: body #LeftSideBar #RightSideBar #MiddleContent
External CSS is a separate physical file to which all your HTML pages are linked. Similar to above, links to external style sheets go inside the tags like this:
HTML & CSS Tutorials - http://www.html.net/ http://w3schools.com/
Nancy O.
-
The document Address doesn't show the block when country isn't USA
hello
i have a little problem, when I create a new document for a customer which ship to address's country is different from USA, the document Address doesn't show the block. i checked the bp address in the bp master data and the block is written, also when i click on the ... button near the ship or bill to address the block has a value !! but when i go back to the document, there is an empty space where the block has to be in the document address.
is there any configuration to solve this problem
thanks a lot!
Hi,
The configuration is under Admin-Setup-BP-Address Format. Each country has a built-in format for address initially.
Thanks,
Gordon -
My billing address doesn't seem to match the credit card I entered. But I'm 10000% sure that I wrote the address correct. Is this some kind of error?
contact adobe support by clicking this link and then clicking 'still need help' as soon as it appears, https://helpx.adobe.com/contact.html
-
Your billing address doesn't seem to match the credit card you entered.
Hey everybody,
I would like to purchase the Photoshop+Lightroom program but I constantly get the following error message:
"Your billing address doesn't seem to match the credit card you entered. Check to make sure you entered this information correctly, and if you still can't place your order, please call us at +1 800-585-0774. If you're not in North America, you can look up a local number here."
I am positive that the information I entered is correct as I checked and tried it more than ten times.
Does anybody know what could be the problem and how to fix it?
Esther
I have the same issue. Haven't been able to get any work done for almost a week now. I have contacted the support chat 8 times by now - most unhelpful support ever. They all give me the same advice even though I say that I already tried that as if they are reading their answers off a pre-written sheet.
I have tried 2 credit cards, I have confirmed everything, including the address, with my bank - all good there. Desperate for help, my boss is gonna have my balls soon -.-
-
Hi,
I'm trying to dump index blocks but the generated trace file has an error.
how can I resolve this issue?
Following is what I've done and got:
SQL> SELECT object_id FROM USER_objects WHERE object_name = 'NAME_5'
OBJECT_ID
71142
SQL> ALTER SESSION SET EVENTS 'immediate trace name treedump level 71142' ;
Trace file e:\oracle\diag\rdbms\ora11g\ora11g\trace\ora11g_ora_3700.trc
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Windows Server 2003 Version V5.2 Service Pack 2
----- begin tree dump
2010-04-08 01:21:53.043: [ OCROSD]utgdv:11:could not read reg value ocrmirrorconfig_loc os error= The system could not find the environment option that was entered.
2010-04-08 01:21:53.059: [ OCROSD]utgdv:11:could not read reg value ocrmirrorconfig_loc os error= The system could not find the environment option that was entered.
leaf: 0x18057e4 25188324 (0: nrow: 10 rrow: 10)
----- end tree dump
ahb72 wrote:
SQL> SELECT object_id FROM USER_objects WHERE object_name = 'NAME_5'
OBJECT_ID
71142
SQL> ALTER SESSION SET EVENTS 'immediate trace name treedump level 71142' ;
Trace file e:\oracle\diag\rdbms\ora11g\ora11g\trace\ora11g_ora_3700.trc
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
Windows Server 2003 Version V5.2 Service Pack 2
----- begin tree dump
2010-04-08 01:21:53.043: [ OCROSD]utgdv:11:could not read reg value ocrmirrorconfig_loc os error= The system could not find the environment option that was entered.
2010-04-08 01:21:53.059: [ OCROSD]utgdv:11:could not read reg value ocrmirrorconfig_loc os error= The system could not find the environment option that was entered.
leaf: 0x18057e4 25188324 (0: nrow: 10 rrow: 10)
----- end tree dump
If your table has 10 rows, then this leaf block is the entire index and the two error lines are probably irrelevant.
Create a table with a few thousand rows and see if the errors appear for every line in the tree dump, or just once at the start. If the former then you can probably live with it.
Regards
Jonathan Lewis -
Contention on index block splits consuming significant database time
Hi Guys,
can anybody suggest on how to remove contention on index block splits, this is giving so many issues on my production DB, the CPU usage shoots up and application hangs for few minutes.
DB is 10.2.0.3 and OS is IBM AIX 5.3
I found this.. it might be useful
One possibility is that this is caused by shared CBC latching peculiarities:
1) during normal selects your index root block can be examined under a
shared cache buffers chains latch.
So as long as everybody is only reading the index root block, everybody can
do it concurrently (without pinning the block). The "current holder count"
in the CBC latch structure is just increased by one for every read only
latch get and decreased by one on every release. 0 value means that nobody
has this latch taken currently.
Nobody has to wait for others for reading index root block in all read only
case. That greatly helps to combat hot index root issues.
2) Now if a branch block split happens a level below the root block, the
root block has to be pinned in exclusive mode for reflecting this change in
it. In order to pin a block you need to get the corresponding CBC latch in
exclusive mode.
If there are already a bunch of readers on the latch, then the exclusive
latch getter will just flip a bit in the CBC latch structure - stating its
interest for exclusive get.
Every read only latch get will check for this bit, if it's set, then the
getters will just spin instead, waiting this bit to be cleared (they may
yield or sleep immediately as well, I haven't checked). Now the exclusive
getter has to spin/wait until all the shared getters have released the latch
and the "current holder count" drops to zero. Once it's zero (and the getter
manages to get on to CPU) it can get the latch, do its work and release the
latch.
During all that time starting from when the "exclusive interest" bit was
set, nobody could access this index's root block except the processes which
already had the latch in shared mode. Depending on latch spin/sleep strategy
for this particular case and OSD implementation, this could mean that all
those "4000 readers per second" start just spinning on that latch, causing
heavy spike in CPU usage and they all queue up.
How to diagnose that:
You could sample v$latch_misses to see whether the number of "kcbgtcr:
kslbegin shared" nowaitfails/sleeps counter takes an exceptional jump up
once you observe this hiccup.
How to fix that once diagnosed:
The usual stuff, like partitioning if possible or creating a single table
hash cluster instead.
If you see that the problem comes from excessive spinning, think about
reducing the spinning overhead (by reducing spincount for example). This
could affect your other database functions though..
If you can't do the above - then if you have off-peak time, then analyse
indexes (using treedump for start) and if you see a block split coming in a
branch below root block, then force the branch block to split during
off-peak time by inserting carefully picked values into the index tree,
which go exactly in the range which cause the proper block to split. Then
you can just roll back your transaction - the block splits are not rolled
back nor coalesced somehow, as this is done in a separate recursive
transaction.
And this
With indexes, the story is more complicated since you can't just insert a
row into any free block available like with tables. Multiple freelists with
tables help us to spread up inserts to different datablocks, since every
freelist has its distinct set of datablocks in it. With indexes, the
inserted key has to go exactly to the block where the structure of b-tree
index dictates, so multiple freelists can't help to spread contention here.
When any of the index blocks has to split, a new block has to be allocated
from the freelist (and possibly unlinked from previous location in index),
causing an update to freelist entry in segment header block. Now if you had
defined multiple freelists for your segment, they'd still remain in the
single segment header block and if you'd have several simultaneous block
splits, the segment header would become the bottleneck.
You could relieve this by having multiple freelist groups (spreading up
freelists into multiple blocks after segment header), but this approach has
its problems as well - like a server process which maps to freelist group 1
doesn't see free blocks in freelist group 2, thus possibly wasting space in
some cases...
So, if you have huge contention on regular index blocks, then you should
rethink the design (avoid right hand indexes for example), or physical
design (partition the index), increasing freelists won't help here.
But if you have contention on index segment's header block because of block
splits/freelist operations, then either partition the index or have multiple
freelist groups, adding freelists again won't help here. Note that adding
freelist groups require segment rebuild. -
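The v$latch_misses sampling suggested in the post above, as an added example that is not part of the original thread: it takes periodic snapshots of the nowait-fail and sleep counters, turns them into per-interval deltas, and flags an interval whose delta for "kcbgtcr: kslbegin shared" is far above the earlier baseline. The counter values, the second location name, the thresholds, and the assumption that each row carries parent name, location, nowait-fail count and sleep count are constructed for illustration.

```python
from statistics import median

# Latch location named in the post; the parent latch is the CBC latch it discusses.
TARGET = ("cache buffers chains", "kcbgtcr: kslbegin shared")
OTHER = ("cache buffers chains", "other location (constructed)")

# Constructed snapshots taken at a fixed interval.
# Each maps (parent_name, location) -> (nowait_fail_count, sleep_count),
# i.e. cumulative counters as a v$latch_misses sample would report them.
SNAPSHOTS = [
    {TARGET: (1000, 50), OTHER: (200, 10)},
    {TARGET: (1040, 52), OTHER: (210, 10)},
    {TARGET: (1075, 55), OTHER: (215, 11)},
    {TARGET: (1120, 57), OTHER: (228, 11)},
    {TARGET: (9120, 900), OTHER: (240, 12)},   # the "hiccup" interval
    {TARGET: (9160, 903), OTHER: (251, 12)},
]


def deltas(prev, curr):
    """Counter increase per location between two snapshots.

    A value of None marks counters that went backwards, which means the
    instance was restarted and the interval cannot be compared.
    """
    out = {}
    for key, (nwfail, sleeps) in curr.items():
        p_nwfail, p_sleeps = prev.get(key, (0, 0))
        if nwfail < p_nwfail or sleeps < p_sleeps:
            out[key] = None
        else:
            out[key] = (nwfail - p_nwfail, sleeps - p_sleeps)
    return out


def find_jumps(snapshots, key=TARGET, factor=10, min_delta=100):
    """Return [(interval_index, nwfail_delta, sleep_delta)] for exceptional intervals.

    An interval is exceptional when its combined delta is at least min_delta
    and more than factor times the median of the earlier normal intervals.
    Flagged intervals are kept out of the baseline so one spike does not
    hide the next one.
    """
    history, jumps = [], []
    for i in range(1, len(snapshots)):
        d = deltas(snapshots[i - 1], snapshots[i]).get(key)
        if d is None:
            history.clear()          # restart or missing row: rebuild the baseline
            continue
        total = d[0] + d[1]
        baseline = median(history) if history else None
        if baseline is not None and total >= min_delta and total > factor * max(baseline, 1):
            jumps.append((i, d[0], d[1]))
        else:
            history.append(total)
    return jumps


if __name__ == "__main__":
    for idx, nwfail, sleeps in find_jumps(SNAPSHOTS):
        print(f"interval {idx}: nowait fails +{nwfail}, sleeps +{sleeps} at {TARGET[1]!r}")
```

Correlating the flagged interval's timestamp with the observed CPU spike is what ties the jump to the block split described in the post.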
Serial number doesn't match product
My coworker downloaded Adobe Acrobat XI Standard on our computers recently and now whenever I try to open up a PDF file a pop up screen appears with the heading "Serial Number Upgrade" asking me to chose a product and type in the serial number I have tried matching every single product option with my serial number and none of them work. The screen does say my serial number is correct but it doesn't match any of the products. I'm not sure what to do at this point...?
Ok, so what you are saying is we bought the upgraded Adobe Acrobat, but we would need to buy the previous version if we want the serial number to work?
King & Wood, P.A.
1701 Hermitage Blvd., Ste. 104
(850) 580-7711
(850) 205-4501 fax
-
How to Block Specific IP Address (YouTube)
This is a follow-up question to one I posted earlier this week. I want to block YouTube (and a handful of other sites) from my stepson's new iMac and it was suggested I try/use Leopard's "Parental Control" feature.
I tried that, but the problem is, when he attempts to visit the site, a warning page pops up informing him Parental Controls have blocked the site, then gives him the option to log in as the administrator or to email the admin for access...and that's pretty much the worst thing that could happen. He has serious Obsessive Compulsive Disorder (OCD) and it HUGELY upsets him that he can't guess the Admin password.
Soooooo...can anyone suggest an alternative means of blocking a specific IP address that does so WITHOUT serving up a "Contact the Administrator" message? Someone has suggested blocking the IP address via the network router, but I haven't a clue how to do that.
Any help?
Thanks.Something else you might look at to see if it is suitable for you is to use the DNS servers from www.opendns.com (on your router for example) and set up an account on there, then exclude the sites you don't want accessed - either by the names of the sites OR by the category of site they are.
What that does is NOT actually "blocking the site" as such, what it does is when the workstation wants to resolve the hostname into an IP address, OpenDNS will fail the request. The user will see a browser page from OpenDNS saying that the site was blocked by the network administrator - you can change the wording and even add an icon if you like.
If the user doesn't have admin access to the workstation (whereby they could change the DNS server locally to your ISP's normal DNS, which presumably doesn't offer this sort of lookup-filtering) and they don't know the IP address(es) of the sites they want to access - obviously if the workstation doesn't have to go to a DNS to look the address up, it doesn't matter whether the DNS is blocking the lookup for you - this works well.
There's more information on www.opendns.com - as I said maybe it won't be appropriate for you, but if it is, it's pretty easy to set up and to administer. -
Error: The decapsulated inner packet doesn't match the negotiated policy in the SA
I upgraded my ASA from 8.2(1) to 8.4(3) as I wanted to try to get Android devices to properly connect via VPN.
After some effort, I was able to get the Android devices to connect via VPN. However, my syslog server has a number of errors recorded that look like this:
%ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x1E76EFA6, sequence number= 0x1F0) from x.x.x.x (user= testuser) to y.y.y.y. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as z.z.z.z, its source as a.a.a.a, and its protocol as tcp. The SA specifies its local proxy as y.y.y.y/255.255.255.255/udp/42246 and its remote_proxy as x.x.x.x/255.255.255.255/udp/0.
Digging further, it seems this error might be due to a NAT issue with the VPN connections. VPN previously worked with Cisco's VPN client on Windows, though I did not test to see if that is no longer working. However, I made no changes in the config, except for those related to additions needed to support L2TP. With the below config, Android clients can connect to the ASA and access the internal network, but they cannot connect to external addresses. I'm at a loss.
The addresses used in the config: 192.168.1.0/24 are on the internal LAN and 192.168.3.0/24 are addresses assigned to VPN clients.
I noted in the config this line:
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
The access list is not referenced anywhere, though it was referenced in the 8.2(1) config like this:
nat (inside) 0 access-list inside_nat0_outbound
I'm not sure what else changed, but I've looked over the config and I just cannot see what the issue might be. I'm hoping somebody might be able to point out my error.
Here's the config file (at least the parts that might be of interest):
: Saved
ASA Version 8.4(3)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
boot system disk0:/asa843-k8.bin
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit icmp any interface outside time-exceeded
access-list outside_access_in extended permit icmp any interface outside echo-reply
access-list outside_access_in extended permit icmp any interface outside unreachable
access-list outside_mpc extended permit ip any interface outside
access-list inside_mpc extended permit ip 192.168.1.0 255.255.255.0 any
access-list testVPN_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
ip local pool VPN-Pool-1 192.168.3.1-192.168.3.254 mask 255.255.255.0
ip verify reverse-path interface outside
nat (inside,any) source static any any destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
object network obj-192.168.3.0
nat (outside,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy testVPN internal
group-policy testVPN attributes
wins-server value 192.168.1.8
dns-server value 192.168.1.8 192.168.1.4
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testVPN_splitTunnelAcl
default-domain value test.us
group-policy testVPNnsl2tp internal
group-policy testVPNnsl2tp attributes
wins-server value 192.168.1.8
dns-server value 192.168.1.8 192.168.1.4
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec
group-policy testVPNns internal
group-policy testVPNns attributes
wins-server value 192.168.1.8
dns-server value 192.168.1.8 192.168.1.4
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
username testuser password PASSWORD encrypted privilege 15
username testuser2 password PASSWORD nt-encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool-1
default-group-policy testVPNnsl2tp
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group testVPN type remote-access
tunnel-group testVPN general-attributes
address-pool VPN-Pool-1
default-group-policy testVPN
tunnel-group testVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group testVPNns type remote-access
tunnel-group testVPNns general-attributes
address-pool VPN-Pool-1
default-group-policy testVPNns
tunnel-group testVPNns ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group testVPNnsl2tp type remote-access
tunnel-group testVPNnsl2tp general-attributes
address-pool VPN-Pool-1
default-group-policy testVPNnsl2tp
tunnel-group testVPNnsl2tp ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group testVPNnsl2tp ppp-attributes
authentication ms-chap-v2
One last question: in order to get the connection from Android to work, I was forced to use "tunnel-group DefaultRAGroup". Is that actually a limitation, or did I make an error that forced that requirement? I wanted to use "tunnel-group testVPNnsl2tp".
Thanks!
Chris,
This is still a bit off the mark. I think I might be confusing the issue by including some of the VPN configuration that I had previously installed and working (e.g., two other VPN tunnel groups with split tunneling on one of them). Let's just remove that stuff from consideration. I actually tested the current configs just to see if they are working since the upgrade. testVPN is working with the split tunneling, but testVPNns (no-split tunneling) does not allow external access. I guess there is a NAT config issue there, too, but not sure what it is, yet. I've not investigated that closely.
I want to solve one problem at a time, though I understand there are some interdependencies.
What I'd like to focus on right now is just the L2TP VPN connection.
From what I've been able to understand from the documentation, what I need are these lines:
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
group-policy testVPNnsl2tp internal
group-policy testVPNnsl2tp attributes
wins-server value 192.168.1.8
dns-server value 192.168.1.8 192.168.1.4
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-Pool-1
default-group-policy testVPNnsl2tp
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key P74bmqL6rT40bl5
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
I still want to assign the IP addresses to VPN clients out of 192.168.3.0/24.
The tricky part is understanding exactly what NAT rules to insert and to avoid that error message I'm getting related to the encapsulated packets. I tried to introduce the commands you had, but it's missing stuff that I would need for L2TP/IPSec (e.g., "mode transport"). I also don't think I want "pfs group5". The above config "works" in that I get connected -- all negotiation is done. It's just that packets from the VPN client are not able to go out to the Internet and I'm seeing that encapsulation error message when I try to send a packet.
Paul -
The app console doesn't match. It gives error -1712
The app console doesn't match. It gives error -1712. The store has already changed the memory
Try using Google's DNS instead of the one your ISP is providing.
- To change on the iPod go to Settings>wifi and change the DNS to 8.8.8.8
- For the computer see:
Public DNS — Google Developers
- Did anything happen to your router right before this started? Maybe the router is blocking the port used. -
Error: parse error before '.' & number of arguments doesn't match
Compiling my simple source code reports error: parse error before '.'. But in fact there is not any "." token on this line.
My guess is it has something to do with JNI C macros, but I really have no idea how to find that bug.
// ##net_java_dev_jssm_MulticastSSM.h: line 55
JNIEXPORT void JNICALL Java_net_java_dev_jssm_MulticastSSM_join2
(JNIEnv *, jobject, jstring, jstring);
// ##net_java_dev_jssm_MulticastSSM.c: line 306
JNIEXPORT void JNICALL Java_net_java_dev_jssm_MulticastSSM_join2
(JNIEnv *env, jobject obj, jstring s_addr, jstring g_addr) {
// no code yet
}
mingw32-gcc.exe -DWIN32 -Wall -c -IC:\java\JNI_headerFiles\jdk1.6.0/include -IC:\java\JNI_headerFiles\jdk1.6.0/include/win32 -shared src_c/net_java_dev_jssm_MulticastSSM.c -DNODEBUG
src_c/net_java_dev_jssm_MulticastSSM.c:307: error: parse error before '.' token
src_c/net_java_dev_jssm_MulticastSSM.c: In function `Java_net_java_dev_jssm_MulticastSSM_join2':
src_c/net_java_dev_jssm_MulticastSSM.c:307: error: number of arguments doesn't match prototype
src_c/net_java_dev_jssm_MulticastSSM.h:56: error: prototype declaration
make: *** [all] Error 1
C compiler: mingw32-gcc.exe
JNI: jdk1.6.0
Any help would be really appreciated.
Hi radone,
I just read your posting and suddenly got an idea why your compiler was complaining about the period. In most C environments, there is a definition
#define s_addr S_un.S_addr
in some socket-related header file! Now you know where the dot is coming from.
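The macro collision described in the reply, as an added example that is not part of the original thread: it shows what the preprocessor turns `s_addr` into and two ways to keep it out of a function signature. The struct `demo_in_addr` is a constructed stand-in so the block compiles without the Windows headers, and every function name here is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the socket address struct (demo_in_addr is a
   hypothetical name); only the union member and the macro matter here. */
struct demo_in_addr {
    union {
        struct { uint8_t s_b1, s_b2, s_b3, s_b4; } S_un_b;
        uint32_t S_addr;
    } S_un;
};
#define s_addr S_un.S_addr          /* the definition quoted in the reply */

#define STR(x)  #x
#define XSTR(x) STR(x)              /* expands x first, then stringifies it */

/* What the compiler sees wherever the source says s_addr. */
const char *name_while_macro_live(void) { return XSTR(s_addr); }

/* The macro's intended use: a->s_addr becomes a->S_un.S_addr. */
uint32_t read_addr(const struct demo_in_addr *a) { return a->s_addr; }

/* Fix 1: rename the parameter so the macro never touches the signature.
   Returns how many of the two arguments were supplied. */
int join2_renamed(const char *src_addr, const char *grp_addr) {
    return (src_addr != NULL) + (grp_addr != NULL);
}

/* Fix 2: drop the macro for the rest of the file. Any later a->s_addr
   field access stops compiling, so this only suits files that never
   touch the socket struct after this point. */
#undef s_addr
const char *name_after_undef(void) { return XSTR(s_addr); }

int join2_undef(const char *s_addr, const char *g_addr) {
    return (s_addr != NULL) + (g_addr != NULL);
}

int main(void) {
    printf("macro live:  %s\n", name_while_macro_live());
    printf("after undef: %s\n", name_after_undef());
    return 0;
}
```

With the macro live, a parameter written as `jstring s_addr` reaches the compiler as `jstring S_un.S_addr`, which is where both the stray '.' and the prototype mismatch come from.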