ISA 2006 with IPSEC and NAT - Publishing Outlook Anywhere - TCP Checksum Dropped 0xc0040031 problem

Similar Messages

• Problems with reports and XML-publisher - No XML

  Hi!
  I'm having a problem with Apps and XML-publisher. I made a report file, which queries some views. When executing in reports, I get all the data I expect.
  Now, when I upload the reportfile to Apps and let it generate XML, my xml-file is empty (well, almost empty)
  <?xml version="1.0" ?>
  <!-- Generated by Oracle Reports version 6.0.8.27.0 -->
  <T03501684>
  <LIST_G_PERSOON>
  <LIST_G_PERSOON />
  </T03501684>
  Anyone who can shed any light upon this problem?

  OK, finally solved the problem... A good night's sleep always helps ;).
  After just trying each queried table one after an other, I found the problem:
  The difference between Oracle Apps (Dutch locale) and the reports builder (English) is the language... And our functional people have changed some names, but the Dutch ones, leaving the english names in place and one of the tables I query has language specific data, which is also appears in a where clause.

• Overlapping Networks with Tunnel GRE/IPsec and NAT

  Has anyone experience with NATing on a GRE tunnel interface? I need to NAT between two private networks because they are overlapping. I tried to NAT directly on the tunnel interface.
  e.g.
  Ethernet 0/0
  ip nat inside
  Tunnel0 (GRE with CryptoMap)
  ip nat outside
  However I didn't succeed this way. What's the best way to achive my goal?

  Thanks. I already checked this paper. The problem is that it only talks about IPsec and not about GRE/Ipsec and nating on a Tunnel interface.
  However I made some tests in the lab and it worked fine. So I went back to the customer-site and I had to reboot the small 836 to get it working.
  What I learnedis : "ip nat outside" on a tunnel interface on a Cisco 836 is no problem. This is good news if you have to add partners companies with GRE/IPsec and they don't have IP ranges you like, so you just NAT them and give them IP addresses of your choice.

• Am I allowed to video-capture my work with LR4 and then publish it?

  Hi,
  I could not find any relieable information on this, so I'm asking it here.
  I want to capture my screen while working with LR4 and later dub it with  my voice to produce video-tutorials. I want these tutorials to be published on my Blog and YouTube or Vimeo. I know that a lot of people do this but I'm not shure if I am allowed to do this. What makes me so uncertain about this is that with Games you normally are not allowed to do this without permission because of copyright-claims of the content shown.
  Any help is appreciated and thanks in advance

  Moving this discussion to the Adobe Acrobat.com Services forum.

• Answers to Problems With Icloud and Office 2007 Outlook?

  My computer has a Windows 7, 64 bit operating system and Microsoft 2007 Office, which includes Outlook 2007 where I do most of my mail and keep my daily calendar and all my contacts. I wanted to sync my iphone 5 calendar with Microsoft's Office 2007 Outlook Calendar. I followed the instructions but it has never worked and Icloud put my original Outlook Calendar and Contacts in the deleted folder for Outlook and substituted folders called Contacts1 and Calendar1. Unfortunately, the sync with my iphone does not work properly. It did the very first time after installing icloud and itunes but thereafter all it does is upload stuff to icloud and additions made in my Office 2007 Outlook calendar since the first sync do not get transferred to my iphone calendar. After numerous attempts to make this work I decided to just forget about trying to sync with icloud so I deleted it from my system along with itunes and now i am left with the icloud calendar1 and contacts1 in Outlook 2007. I am unable to transfer my icloud calendar entries back to the original Outlook 2007 calendar the same for contacts. Can anyone tell me how to do this so I can delete the icloud folders contacts1 and calendar1 from Outlook 2007?  Thanks.

  Try to export them as .pst files from within Outlook (http://office.microsoft.com/en-us/outlook-help/export-contacts-HA102919759.aspx).  Then disable iCloud syncing and import the .pst backups back to Outlook.

• SA540 - IPSec and NAT

  Here's the scenario
  My LAN 10.10.10.0
  Local Host 10.10.10.6
  Remote LAN: 192.168.201.0
  Remote Host: 192.168.201.59
  Trying to setup a IPSec connection between two hosts.
  The other side wants to me to NAT 10.10.10.6 as 172.16.5.6
  The SA540 doesn't seem to have this feature.
  Is there a way to easily achieve that?
  Thank you

  Here is example, which might help you but you need to make sure you have the matching subnet (for bidirectional - one to one mapping)
  Configure the NAT.  Source address range of 10.9.0.0 / 24 and destinations of remote subnet (example 10.10.0.0/24)
  access-list 101 permit ip 10.9.0.0 0.0.0.255 10.10.0.0 0.0.0.255
  Create a route-map called 'static-nat' and match traffic to ACL 101:
  route-map static-nat
    match ip address 101
  Create a NAT-POOL for the public IP address (or range) you want to use to NAT to.  In this case, Im NAT'ing to 172.16.17.0:
  ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask 255.255.255.0
  Create a NAT rule to use the route-map 'static-nat'.  Upon a match to ACL 101, NAT that traffic to one of the NAT-POOL addresses:
  ip nat inside source route-map static-nat pool NAT-POOL Overload
  Once you have configured the NAT you need to modify the interesting traffic.  You need your 'interesting traffic' 
  access-list 121 permit ip 172.16.17.0 0.0.0.255 10.10.0.0 0.0.0.255
  Define your VPN peer, apply phase II and matching ACL for interesting traffic:
  crypto map VPN 5 ipsec-isakmp
   set peer <peer ip>
   set transform-set <transform set>
   match address 121
  Apply the crypto map to the public interface and NAT on the public side:
  interface GigabitEthernet0/0
   ip nat outside
  crypto map VPN
  Configure the inside interface NAT on internal side:
  interface GigabitEthernet0/1
   ip address 10.9.0.0 255.255.255.0
   ip nat inside
  HTH

• Exchange 2010. Trying to publish Outlook Anywhere. Weird config

  I currently have Outlook 2010 with OWA published behind TMG firewall. I want to not change any config on OWA (it is forms based authentication). I do not have another IP so I am not sure I can use another listener. I dont want to buy another cert. Want to
  use the OWA cert for Outlook Anywhere. Do not want to use Autodiscover (in fact I need internal clients to NEVER EVER EVER EVER find Outlook Anywhere). I want it to be on a need to know basis and only work if explciit settings are manually entered on the client.
  I do need to to work on external non domain joined computers (in fact that is the only place I want to use Outlook Anywhere). I did something in Powershell that basically removed Outlook Anywhere's config so thankfully my internal clients do not find it.
  So what folders would I need to publish in TMG to make Outlook anywhere work (without autodiscover)? 
  Any suggestions?

  Hi,
  We need to enable Outlook Anywhere on the Client Access server. If the OWA (mail.domain.com) has been published to the Internet, there should be a
  valid and trusted SSL certificate assigned with IIS service in your Exchange server.
  We can set the External Host Name to match the namespace used for External OWA URL (Https://mail.domain.com/owa):
  Enable-OutlookAnywhere -Server:Server01 -ExternalHostname:mail.contoso.com -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true
  For more information about enable Outlook Anywhere in Exchange 2010, please refer to:
  http://technet.microsoft.com/en-us/library/bb123542(v=exchg.141).aspx
  Regards,
  Winnie Liang
  TechNet Community Support

• Can You Build a Website with iWeb and then publish it to another server?

  I am very new at this but like how easy iWeb makes it to build a website. A few questions for the newbie:
  1. I want to build a site but have another server I use who would host it. After watching the iWeb tutorials it looks as if you have to publish it on mobileme.com. But I already have hosting with another company. How do you do that?
  2. I also have a domain name I want to show up in the hyperlink bar not mobileme.com/____, is that possible to do with this program?
  3. Are their other templates for iWeb? I see about 12 or so they offer, can you search and download for new ones or is what's there all you have to choose from?
  I appreciate any help on these matters.
  Thanks!

  HilaryRusso wrote:
  1. After watching the iWeb tutorials it looks as if you have to publish it on mobileme.com.
  Hilary ~ Did you not watch till the end of this iWeb tutorial?...
  http://www.apple.com/ilife/tutorials/#iweb-design-52
  2. I also have a domain name I want to show up in the hyperlink bar not mobileme.com/____, is that possible to do with this program?
  See this article:
  http://iwebfaq.org/site/iWeb_Domains.html
  3. Are their other templates for iWeb? I see about 12 or so they offer, can you search and download for new ones or is what's there all you have to choose from?
  Yes, you can search — but let me Google that for you; click here.

• Problems with ipsec and crls

  Hello all
  I�d really appreciate it if you could provide me your comments regarding a problem I have when using CRLs (Certificate Revocation Lists) in a Solaris-10 IPSec connection. I establish an IPSec tunnel between two servers, Solaris-10 and MS Windows 2003, and it works fine. However, when I try to implement CRLs in the Solaris conf, I get some errors in the logs and the connection doesn�t work.
  At the end of the message I show you IPSec configuration I�m using. This conf works ok if I don�t use CRL. I changed the �etc/inet/ike/config� file to the following:
  #ignore crls
  use_http
  I used OpenSSL to generate the CRL and both the servers and the CA digital certificates. I put the distribution point �http://192.168.1.1/test-crl.crl� inside the CA certificate which is in the Solaris 10 server. This HTTP server is an IIS in the other MS Windows I mentioned. I also have generated the certificates in several ways including PEM and DER trying to see what the Solaris is expecting.
  I would appreciate your opinion about:
  (a)     Do you think the problem could be an incompatibility with the certificates and/or the CRL file formats?
  (b)     What is the format that Solaris supports for the certificates and CRLs?
  I am also attaching the logs I got from Solaris. I guess it shows that the server can not obtain the CRL, but I�m not sure.
  Thank you so much and I look forward to hearing from you at your earliest convenience,
  ***** IPSec conf *****
  - ID Type: Fully Qualified Domain Name (FQDN)
  - Phase 1 mode: Main Mode
  - Authentication method: RSA Signatures
  - Encryption algorithm � Phase 1: Triple DES
  - Hash - Phase 1: SHA-1
  - SA lifetime - Phase 1: 28800
  - Diffie-Hellman group � Phase 1: Group 2
  - SA lifetime - Phase 2: 1800
  - IP Compression: NO
  - Protocol - Phase 2: ESP
  - Encryption Algorithm - Phase 2: Triple DES
  - Hash - Phase 2: SHA-1
  - Encapsulation: Transport Mode
  - Diffie-Hellman group � Phase 2(PFS): Group 2
  ***** Solaris Logs *****
  lun 26 sep 05 14:59:30: in.iked: In ssh_policy_find_private_key.
  lun 26 sep 05 14:59:30: in.iked: Start ssh_policy_request_certificates
  lun 26 sep 05 14:59:30: in.iked: Requesting certs for 1 CA's
  lun 26 sep 05 14:59:31: in.iked: spsi: ike_udp_callback_common -1
  lun 26 sep 05 14:59:34: in.iked: spsi: ike_udp_callback_common -1
  lun 26 sep 05 14:59:38: in.iked: spsi: ike_udp_callback_common -1
  lun 26 sep 05 14:59:41: in.iked: Could not retrieve certificate list, ca=0.
  lun 26 sep 05 14:59:41: in.iked: spsi: ike_send_packet -1
  lun 26 sep 05 14:59:41: in.iked: ssh_policy_negotiation_done_isakmp:
  natt_state -1
  lun 26 sep 05 14:59:41: in.iked: Phase 1 negotiation error: code 24
  (Authentication failed).
  *****

  Jason,
  Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
  However, just looking at your configuration, I did see that your hashing algorithm on the YMCA side is using SHA and group 1 for isakmp policy 20 while on the Server side you are using 3des and group2 for policy 20.
  Good Luck,
  Bill

• Basic Help with 1720 and NAT

  I have a Cisco 1720 router and I am able to log in to it via telnet and enable the advanced features. I want to match up one of our external IP addresses to an internal IP address. I guess that I use NAT to do this but I don't know any of the commands. How would I do this? There are already a few IPs doing this (our mailserver and firewall). I didn't configure the router but I have access to it. Thanks.
  -Matt

  Hi Matt,
  You need to take a free IP on the inside as well as the outside interface. after this, u need to do a static mapping on the router, as given below:
  config)#ip nat inside source static 10.10.10.1 202.1.1.1
  where 10.10.10.1 is the inside private IP and 202.1.1.1 is the ISP global IP.
  I think the nat inside/outside commands will already be there on ur interfaces, since u have told that there exists a nat already for mail server.. otherwise, just add these commands:
  interface ethernet0
  description CONNECTED TO LAN
  ip nat inside
  interface serial 0/0
  description CONNECTED TO INTERNET
  ip nat outside.
  hope this helps.. all the best.

• TS1638 Multi-day appointments not sync correctly with iPad and iPhone from Outlook 2007

  Single day appointments I have in Outlook 2007 will sync properly. Repeated appointments i.e. ones that  are several consecutive days sync 24 hours ahead or one day out. It can't be a time zone issue because single day appointment syncs correctly.

  Single day appointments I have in Outlook 2007 will sync properly. Repeated appointments i.e. ones that  are several consecutive days sync 24 hours ahead or one day out. It can't be a time zone issue because single day appointment syncs correctly.

• I have an nano 6th gen I think?  And the power button doesn't work?  I am very displeased with itunes:(  And there isn't anywhere that services them:(

  I tried to find somewhere that services them but?  That's itunes for you, and the ipod, itself?   I would never recomend ipods for anyone, because there isn't any place for you to get them fixed, I guess that they are just throw away cameras in the same sence, if it doesn't sharge any more, throw it out I guerss?

  What does iTunes have to do with it? And where do you live? Do you have any shops that do repairs on small electronics and/or smartphones?
  You can always go here: http://www.iresq.com
  Or you can do an out-of-warranty replacement with Apple: https://selfsolve.apple.com/agreementWarrantyDynamic.do

• Anyone using ISA 2006 to publish OWA, EWS, OA, EAS?

  Just curious, I am currently running Exchange 2007 and using ISA 2006 as a reverse proxy.  I am planning to upgrade to Exchange 2013 next year.  With Microsoft's discontinuation of TMG, I am curious if ISA 2006 is still capable of
  handling this with Exchange 2013.
  I have read a few articles but they are quite old now and the articles only mention getting OWA to work, but I need to publish OWA, OA, EAS, and EWS. 
  Has anyone used ISA 2006 to successfully publish Exchange 2013 HTTP services? 

  Hi mac1234,
  ISA is older firewall product. Now many users use TMG or UAG.
  Based on my research, there is no official document to explain whether we can use ISA 2006 to publish Exchange 2013.
  I have saw someone who think publish Exchange 2013 with ISA 2006 is the same way as Exchange 2010.
  However I still suggest publish Exchange 2013 with TMG.
  For more details on "ISA 2006 with Exchange 2013", I suggest contact MS Support directly to double confirm this concern.
  Thanks
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Mavis Huang
  TechNet Community Support

• Web Proxy sessions stop working after some time (ISA 2006)

  Hi guys,
  we have been using ISA 2006 with Web Publishing Rule to provide access for mobile phone to corporate Exchange via ActiveSync for years. The issue occurred roughly one month ago. 
  After some period of time (usually it happens once or twice daily) ISA stops to accept connections from the mobile phones. There are no errors on client devices (they don't get new mails). In Sessions tab I see that only SecureNAT sessions from phones remain,
  but no Web Proxy sessions any more. There are no errors in Event Viewer and I didn't find anything strange in diagnostic logs.
  I've created one more Web Publishing Rule with the same Web listener as for ActiveSync rule for OWA. The intersting thing that ISA still allows access to OWA when issue occurs. Looks like the problem with Web Proxy filter.
  After OS restart ISA starts working normally. 
  I have ISA 2006, sp1, version 5.0.5723.514 installed on VMWare VM with Windows 2003 SE sp2.  
  Do you have any ideas?

  Hi,
  Does this issue still exist? If so, you could try to collect logs from devices to find more information.
  http://support.microsoft.com/kb/2461792
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Problem with QVpn and RV042

  Hi i have a RV042 vpn router. I want to connect to it through Quick VPN.
  I made an account under "VPN Client Access" tab and activated it.
  I Unblocked the WAN Requests. My port 500 isnt blocked. Ping requests are ok. When i try to connect from my Windows machine then for several seconds the field "status" in vpn summary under my account is "Active"(the quickvpn is veryfying network) and the I am getting a error "The remote gateway is not responding. Do you want to wait?" and the status in vpn summary is chaning to "offline".
  LOGS:
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: responding to Quick Mode
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] Inbound SPI value = 97ad6623
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] Inbound SPI value = 97ad6623
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] Outbound SPI value = 35da922e
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] Outbound SPI value = 35da922e
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] >>> Responder send Quick Mode 2nd packet
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] <<< Responder Received Quick Mode 3rd packet
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
  Nov 15 03:13:06 2013     VPN Log     (qknips0) #17: IPsec SA established {ESP=>0x35da922e <0x97ad6623
  Nov 15 03:16:57 2013     VPN Log     | NAT-T: new mapping my23701/23714)
  Nov 15 03:16:57 2013     VPN Log     (qknips0) #17: ERROR: netlink response for Add SA esp.97ad6623@routerip included errno 22: Invalid argument
  Nov 15 03:16:57 2013     VPN Log     (qknips0) #17: ERROR: netlink response for Add SA esp.97ad6623@routerip included errno 22: Invalid argument
  Nov 15 03:16:57 2013     VPN Log     (qknips0) #16: received Delete SA(0x35da922e) payload: deleting IPSEC State #17
  Nov 15 03:16:57 2013     VPN Log     (qknips0) #16: received Delete SA(0x35da922e) payload: deleting IPSEC State #17
  Nov 15 03:16:57 2013     VPN Log     (qknips0) #17: deleting state (STATE_QUICK_R2)
  Nov 15 03:16:58 2013     VPN Log     (qknips0) #16: deleting state (STATE_MAIN_R3)
  Nov 15 03:16:58 2013     VPN Log     packet from myip:23714: Informational Exchange is for an unknown (expired?) SA
  Nov 15 03:16:58 2013     VPN Log     (qknips0): deleting connection
  Thanks in Advance, cheers

  I got Vista to work with QuickVPN 1.4.1.2 and my RV120W. The problem had to do with Microsoft's implementation of IPSec and NAT devices. Vista's default behavior will not allow IPSec tunneling when NAT devices are involved. You can override that behavior with a registry change. The Microsoft position and change can be found here:
  http://support.microsoft.com/kb/926179
  I used a value of 2 for AssumeUDPEncapsulationContextOnSendRule. Everything else was a default install.
  Mark
  http://www.mtg-highflyer.com