Issue with multiple crypto isakmp policies

Hey folks,
I'm having an issue setting up multiple crypto isakmp policies on my 1921 router. Whenever I have only one crypto isakmp policy set up like so:
crypto isakmp policy 1
encr aes 256
group 5
It works perfectly fine with my certificate tunnel group in my ASA. When I debug crypto ipsec & debug crypto isakmp and watch the connection, I see this:
ISAKMP transform 1 against priority 1 policy
*Oct 7 20:04:09.263: ISAKMP:      encryption AES-CBC
*Oct 7 20:04:09.263: ISAKMP:      keylength of 256
*Oct 7 20:04:09.263: ISAKMP:      hash SHA
*Oct 7 20:04:09.263: ISAKMP:      default group 5
*Oct 7 20:04:09.263: ISAKMP:      auth RSA sig
*Oct 7 20:04:09.263: ISAKMP:      life type in seconds
*Oct 7 20:04:09.263: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 7 20:04:09.263: ISAKMP:(0):atts are acceptable. Next payload is 0
This is showing me that the handshake is verifying the policy with the "auth RSA sig" type, which is what I expected and is what I want.
Here is where my issue actually comes up. When I add another crypto isakmp policy (2) the "authorization pre-share" over rides the "authorization rsa-sig" of policy 1. Here is what I have set up:
crypto isakmp policy 1
encr aes 256
group 5
crypto isakmp policy 2
encr aes 256
authorization pre-share
group 5
This is showing me that crypto isakmp policy 1 is set with the default authorization type of rsa-sig (in fact if I manually enter that command under the policy 1 configuration mode and it doesn't print in the show run output), and the crypto isakmp policy 2 is set to authorization pre-share.
When I debug crypto ipsec & debug crypto isakmp with this configuration, this is what I'm getting:
56:46.259: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 199.46.128.5)
*Oct 7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 7 19:56:46.263: ISAKMP:      encryption AES-CBC
*Oct 7 19:56:46.263: ISAKMP:      keylength of 256
*Oct 7 19:56:46.263: ISAKMP:      hash SHA
*Oct 7 19:56:46.263: ISAKMP:      default group 5
*Oct 7 19:56:46.263: ISAKMP:      auth pre-share
*Oct 7 19:56:46.263: ISAKMP:      life type in seconds
*Oct 7
19:56:46.263: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 7 19:56:46.263: ISAKMP:(0):Authentication method offered does not match policy!
*Oct 7 19:56:46.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 7 19:56:46.263: ISAKMP:      encryption AES-CBC
*Oct 7 19:56:46.263: ISAKMP:      keylength of 256
*Oct 7 19:56:46.263: ISAKMP:      hash SHA
*Oct 7 19:56:46.263: ISAKMP:
default group 5
*Oct 7 19:56:46.263: ISAKMP:      auth pre-share
*Oct 7 19:56:46.263: ISAKMP:      life type in seconds
*Oct 7 19:56:46.263: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
It looks like the first policy is being verified against "auth pre-share" and fails because "Authentication method offered does not match policy!". My question is, does anyone know how to correct this so that the first policy is set to authenticate via rsa-sig and the second policy is authenticated via pre-shared keys? Is there a bug that will not differentiate the authorization types between the two policies?
Just an FYI, here is the version information of the router:
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 26-Feb-13 02:11 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
System returned to ROM by power-on
System image file is "usbflash0:c1900-universalk9-mz.SPA.152-4.M3.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.
Processor board ID FTX171385L4
2 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)
License Info:
License UDI:
Device#   PID                   SN
*0        CISCO1921/K9
Technology Package License Information for Module:'c1900'
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
data          None          None           None
Configuration register is 0x2102

Thanks for the input Walter. That isn't it though. I have plenty of sites with crypto map <name> 1 which map to crypto isakmp policy 2 settings. The debug is showing that the behavior is to try to authenticate through policy 1 first, and then progress to any other policies until there is a match. Since there is a match with policy 2 settings, the tunnel comes up.
My real question is, why would it change from "auth RSA sig" in the first debug out put to the "auth pre-share" in the second debug output. Judging by the config on the router, it appears to me that the line for "authorization pre-share" under policy 2 SHOULD only apply to policy 2 and SHOULD NOT override the "authorization rsa-sig" of policy 1.
Again, when I debug crypto ipsec & debug crypto isakmp, it shows clearly that the first policy is being verified, however the "auth" is now "pre-share" and no longer "RSA sig":
56:46.259: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 199.46.128.5)
*Oct 7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 7 19:56:46.263: ISAKMP: encryption AES-CBC
*Oct 7 19:56:46.263: ISAKMP: keylength of 256
*Oct 7 19:56:46.263: ISAKMP: hash SHA
*Oct 7 19:56:46.263: ISAKMP: default group 5
*Oct 7 19:56:46.263: ISAKMP: auth pre-share <---This should read "auth RSA sig"
*Oct 7 19:56:46.263: ISAKMP: life type in seconds
*Oct 7
19:56:46.263: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 7 19:56:46.263: ISAKMP:(0):Authentication method offered does not match policy!
*Oct 7 19:56:46.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Oct 7 19:56:46.263: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
*Oct 7 19:56:46.263: ISAKMP: encryption AES-CBC
*Oct 7 19:56:46.263: ISAKMP: keylength of 256
*Oct 7 19:56:46.263: ISAKMP: hash SHA
*Oct 7 19:56:46.263: ISAKMP:
default group 5
*Oct 7 19:56:46.263: ISAKMP: auth pre-share
*Oct 7 19:56:46.263: ISAKMP: life type in seconds
*Oct 7 19:56:46.263: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Similar Messages

Since I've installed Mountain Lion, I am having lock up issues with multiple programs. MS Outlook has crashed and I've lost all my folders. HELP?

Since I've installed Mountain Lion, I am having lock up issues with multiple programs. MS Outlook has crashed and I've lost all my folders. HELP?

okay I've finally been able to get tor and all the other programs to work according to my plan the only thing that's still making problems is that iptables doesn't work as I want it to, when I start chromium without proxy settings privoxy doesn't seem to forward the information to polipo.. do I need to add another rule to iptables.rules in order for the program to know it has to reroute the information again or how can I get this to work? and is there any way to run rtorrent with proxy support?
anyway, problem 2 and 3 are still to be solved.
and does anybody know where i can get a good dansguardian blacklist that was not designed for 6 year old children and for which I don't need to subscribe? I'm still getting these partypoker popups -.-
//e: with iptables it's the same thing as described in the first post. https works, http doesnt. I get the output "Invalid header received from client." on http sites. still no idea why though.. (and the https-version of torcheck.xenubite says i'm tor unprotected while starting the browser with iptables)
Last edited by deF291 (2011-04-23 16:16:31)

We run an iMac 3.4 GHz I7 for our church worship service; we haven't upgraded to Mavericks because we heard about issues with multiple screens crashing. Has this issue been resolved? Thank you!

We run an iMac 3.4 GHz I7 in our church worship service; we have front screens and a stage display monitor ; we haven't upgraded to Mavericks because we heard about issues with multiple screens crashing. Has this issue been resolved? Now that we are 2 upgrades behind, I'm getting little concerned. Thank you!

Oh, well that was a whole other kettle of fish:
Oh the G4 I attempted to install iLife '08 before Lepoard was available. About the only thing that installed cleanly was iPhoto. I ended up reinstalling everything back to iLife '06, and then upgrading back to the current stable version of the iLife '06 version. I didn't attempt a reinstall until after I upgraded to Leopard.
When I did reinstall, I made a iLife '06 folder, copied all iLife apps into it, and upgraded. Seemed to work, except for the part where iMovie gets left behind and iDVD is only mostly functional.
When I installed on the other 2 machines, it was after installing Leopard and all upgrades. On those 2 machines, I didn't bother with the copy, I just moved everything to the iLife '06 folder I created, and did a fresh install.
I didn't have to do anything with the iPhoto Libraries, that I can recall.
I always do an upgrade, never an archive and install. I've never had a problem with this back to 10.1 or 10.2.

SPEL in Extended VO - Issue with Multiple Rows

Hi,
I have extended a seeded VO by adding a new attribute *'Course_Flag'* with attribute type 'Boolean' and Query Column type 'VARCHAR2' and i wa successfully able to personalize and view the data of the new attribute *'Course_Flag'* in the page as ('true' / 'false') aacording to the query where clause.
Now after adding a new image with SPEL property as *${oa.LearnerCatalogCoursesVO.Course_Flag}* it will have an issue with multiple items.
I mean the SPEL will take the first row value 'true' / 'false' and will be corrected rendered according to the value of the first row and ignore other rows values.
Example: if the *'Course_Flag'* value of the first row is 'true' then all the images will be rendered and if the *'Course_Flag'* value of the first row is 'false' then all the images will be NOT rendered.
Please advise if I've missed any step.
Thanks in advance to all.
Regards....Ashraf

Dear Kali,
I have added a new function to the seeded VO SQL +('XXARMS_TRG_EVALUATION_PKG.XX_COURSE_GOT_EVAL')+,
SQL Statment :-
select av.activity_version_id, avtl.version_name, av.language_id, av.start_date,
av.end_date, av.version_code, i.category_usage_id, upper(avtl.version_name) AS SORTVERSIONNAME,
XXARMS_TRG_EVALUATION_PKG.XX_COURSE_GOT_EVAL(i.category_usage_id, av.activity_version_id) Course_Flag from
ota_act_cat_inclusions i, ota_activity_versions av, ota_activity_versions_tl avtl
where i.category_usage_id = :1 and i.activity_version_id = av.activity_version_id and
nvl(av.end_date, sysdate + 1) >= trunc(sysdate) and
av.business_group_id = ota_general.get_business_group_id and av.activity_version_id = avtl.activity_version_id and
avtl.language = userenv('LANG') and
ota_learner_access_util.learner_has_access_to_course(:2,:3,avtl.activity_version_id) = 'Y'
And it is retriving the correct data for each row and i did not write any code in the RowImpl.
Thanks for your help in advance.
Regards...Ashraf

Issues with multiple subnets - ASA5510 to Vigor 2820 VPN

Hi there,
I am hoping someone here can help. I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office. We have an ASA 5510 in London, talking to a Vigor 2820 in Edinburgh.
The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall.
The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there.
I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel. However, I have had much trouble adding additional subnets for our VLANs in London.
What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having being stopped by the VPN: subtype: encrypt rules. Looking at these rules though, I can't spot the problem. Multiple changes of order of the rules, and reloads have not sorted out the problem. When I run a packet trace on the main subnet it works fine. I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
Firstly, here's the ASA config that seemed relevant. I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 nat (inside) 0 access-list insideOutboundNonatAclnat (inside) 9 access-list vpnNatAclnat (inside) 10 192.168.30.5 255.255.255.255nat (inside) 10 192.168.0.0 255.255.255.0nat (inside) 10 192.168.20.0 255.255.255.0nat (inside) 10 192.168.30.0 255.255.255.0nat (inside) 10 192.168.50.0 255.255.255.0access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0 access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 access-group inside_in in interface insideaccess-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 route inside 192.168.20.0 255.255.255.0 192.168.0.254 1route inside 192.168.50.0 255.255.255.0 192.168.0.254 1route inside 192.168.30.0 255.255.255.0 192.168.0.254 1route inside 192.168.40.0 255.255.255.0 192.168.0.254 1crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac crypto ipsec transform-set TRANS_VPN_SET mode transportcrypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_VPN_SET_2 mode transportcrypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec df-bit clear-df outsidecrypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2crypto dynamic-map core_vpn_dyn_map 40 set pfs crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5crypto map outside_map 2 match address outside_2_cryptomapcrypto map outside_map 2 set pfs crypto map outside_map 2 set peer [branch peer ip]crypto map outside_map 2 set transform-set ESP_3DES_MD5crypto isakmp identity address crypto isakmp identity address crypto isakmp policy 25 authentication pre-share encryption 3des hash md5     group 1      lifetime 28800crypto isakmp nat-traversal 30crypto isakmp disconnect-notifygroup-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 100 vpn-idle-timeout none vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth enable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none smartcard-removal-disconnect enable client-firewall none client-access-rule nonetunnel-group [branch peer ip] type ipsec-l2ltunnel-group [branch peer ip] ipsec-attributes pre-shared-key *
Note: [branch peer ip] replaces any instances of the branch office outside IP address
I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem. I'd really appreciate any suggestions on how to track this down.
Here's the vigor config:
So it looks to match ok to me at both ends, unless there is something I missed. The vigor routing table shows:
Key: C - connected, S - static, R - RIP, * - default, ~ - private*             0.0.0.0/         0.0.0.0 via [ISP gateway server],   WAN1S         [branch peer ip]/ 255.255.255.255 via [branch peer ip],   WAN1S~       192.168.40.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.50.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.10.0/   255.255.255.0 via [London office ip],    VPNS~        192.168.0.0/   255.255.255.0 via [London office ip],    VPNC~        192.168.2.0/   255.255.255.0 is directly connected,    LANS~        192.168.7.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.30.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.20.0/   255.255.255.0 via [London office ip],    VPN*     [ISP dns server]/ 255.255.255.255 via [ISP gateway server],   WAN1
I have replaced IPs here as is shown. You can see the vigor seems to want to route the appropriate traffic over the VPN.
Finally, here is the packet trace output:
ciscoasa# packet-trace input outside tcp 192.168.2.1 echo 192.168.50.10 echo d$Phase: 1Type: FLOW-LOOKUPSubtype: Result: ALLOWConfig:Additional Information:Found no matching flow, creating a new flowPhase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   192.168.50.0    255.255.255.0   insidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group outsideInAcl in interface outsideaccess-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any Additional Information: Forward Flow based lookup yields rule: in id=0x4529e48, priority=12, domain=permit, deny=false        hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0        src ip=192.168.2.0, mask=255.255.255.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 4      Type: IP-OPTIONSSubtype:      Result: ALLOW Config:       Additional Information: Forward Flow based lookup yields rule: in id=0x44057f0, priority=0, domain=permit-ip-option, deny=true        hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0        src ip=0.0.0.0, mask=0.0.0.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 5      Type: NAT-EXEMPTSubtype: rpf-checkResult: ALLOW Config:       Additional Information: Forward Flow based lookup yields rule: in id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false        hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0        src ip=192.168.2.0, mask=255.255.255.0, port=0        dst ip=192.168.50.0, mask=255.255.255.0, port=0Phase: 6      Type: NAT     Subtype: rpf-checkResult: ALLOW Config:       nat (inside) 10 192.168.50.0 255.255.255.0 match ip inside 192.168.50.0 255.255.255.0 outside any    dynamic translation to pool 10 (external [Interface PAT])    translate_hits = 2250, untranslate_hits = 17Additional Information: Forward Flow based lookup yields rule: out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=192.168.50.0, mask=255.255.255.0, port=0Phase: 7Type: NATSubtype: host-limitsResult: ALLOWConfig:nat (inside) 10 192.168.50.0 255.255.255.0 match ip inside 192.168.50.0 255.255.255.0 outside any    dynamic translation to pool 10 (external [Interface PAT])    translate_hits = 2250, untranslate_hits = 17Additional Information: Reverse Flow based lookup yields rule: in id=0x4b80fa0, priority=1, domain=host, deny=false hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=192.168.50.0, mask=255.255.255.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 8Type: IP-OPTIONSSubtype:      Result: ALLOW Config:       Additional Information: Reverse Flow based lookup yields rule: in id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true        hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0        src ip=0.0.0.0, mask=0.0.0.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 9      Type: VPN     Subtype: encryptResult: DROP Config:       Additional Information: Reverse Flow based lookup yields rule: out id=0x4887aa8, priority=70, domain=encrypt, deny=false        hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0        src ip=192.168.50.0, mask=255.255.255.0, port=0        dst ip=192.168.2.0, mask=255.255.255.0, port=0Result:       input-interface: outsideinput-status: upinput-line-status: upoutput-interface: insideoutput-status: upoutput-line-status: upAction: drop Drop-reason: (acl-drop) Flow is denied by configured rule
So it seems to find the rule, which it ought to match, but then returns DENY. What's going on here? Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
For further information, this is output for the WORKING subnet - I have just taken a small part here though:
Phase: 10     Type: VPN     Subtype: encryptResult: ALLOW Config:       Additional Information: Reverse Flow based lookup yields rule: out id=0x4b86418, priority=70, domain=encrypt, deny=false        hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0        src ip=192.168.0.0, mask=255.255.255.0, port=0        dst ip=192.168.2.0, mask=255.255.255.0, port=0
Thanks very much in advance for any help you can provide - I've been really stuck on this one!
Chris

Hi,
Can you issue the packet-tracer with the direction beeing your London office -> Remote office?
Also issue the command twice.
Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewalls packet-tracer?
Also I imagine the original info has a typo. You say your ASAs LAN gateway IP and the local L3 switches IP address is the same, 192.168.0.254.
Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
When you add network and dont require any special NAT configurations, your NAT0 and Encryption domain access-list should look pretty much the same.
And looking at your configurations, it should be like this
access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
EDIT: I imagine the VPN network rules should be an exact mirror image of eachother. Though it seems this doesnt stop devices from negotiating the VPN up but who knows if some other device type is picky about that one. Only thing in your situation that I see is the network 192.168.7.0/24 that is not included in the other ends configurations.
EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
- Jouni

Issue with multiple application installation and server share

Hi,
SCCM 2007 SP2 R3 ICP2
All servers W2K8R2
I am having an issue with software installs. When using a variable for multiple applciation installs, I get access errors when the applications go to install. It appears to be a multiple connection issue, but I can't figure out why.
I am using server shares for my DPs. The proper permissions are set. The servers (DP) are W2K8R2. I think it has to do with the way R2 handles the conenctions. I want to know if this is a known issue or if anyone has come accross
it.
I am going to post in the software distribution forum as well, but thought this would be a config question.

Hi! I'm waking up this dead thread but I've got a *very* similar problem!
I've got a SCCM 2007 SP2 R3 installation on Win2008. All clients are in the same ConfigMgr-site. Multiple package deploy in the same site-boundary as the CM-server works excellent. (We've got three DPs in the same site-boundary as the
CM-server itself.)
Now, we have a new site-boundary with it's own Protected DP where multiple package deploy fails
but the same packages, being run from the task-sequnce works! So then the client can download, install and run the packages from the proteced DP just fine. All "single" packages install fine before the "Multiple Appliaction"-step.
I've tripple checked that we're running the same packages when we're installing Multiple Packages as we do in the Task-Sequence. And
the same Task-sequence with the Multiple Package installation step
works fine in our site-boundary where the ConfigMgr-server is installed.
Here's the log from a client trying to access and install one of three packages through the the Install Multiple Packages task-sequence step.
<![LOG[Policy SMS10000-CEN000BD-25FE0E9B downloaded successfully]LOG]!><time="16:01:20.905+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="dsutils.cpp:597"> <![LOG[SMS PackageID = CEN000BD]LOG]!><time="16:01:20.905+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="dsutils.cpp:247"> <![LOG[Source version = 2]LOG]!><time="16:01:20.905+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="dsutils.cpp:296"> <![LOG[SMS Program Name = RESTORE]LOG]!><time="16:01:20.905+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="dsutils.cpp:317"> <![LOG[::CompressBuffer(65536,-1)]LOG]!><time="16:01:20.905+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="ccmzlib.cpp:695"> <![LOG[Compression (zlib) succeeded: original size 26608, compressed size 3254.]LOG]!><time="16:01:20.905+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="ccmzlib.cpp:484"> <![LOG[Policy for CEN000BD:"RESTORE" successfully stored in environment]LOG]!><time="16:01:20.905+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="dsutils.cpp:331"> <![LOG[Downloaded policies successfully]LOG]!><time="16:01:20.905+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="dsutils.cpp:725"> <![LOG[Installing pkg 'CEN000BD', program 'BACKUP']LOG]!><time="16:01:20.921+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="dsinstaller.cpp:290"> <![LOG[Resolving content for SMS Package CEN000BD]LOG]!><time="16:01:20.921+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="dsutils.cpp:768"> <![LOG[Getting local network information.]LOG]!><time="16:01:20.921+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="resolvesource.cpp:1846"> <![LOG[GetAdaptersAddressess entry point is supported.]LOG]!><time="16:01:20.921+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="ccmiputil.cpp:118"> <![LOG[DhcpGetOriginalSubnetMask entry point is supported.]LOG]!><time="16:01:20.937+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="ccmiputil.cpp:181"> <![LOG[Adapter {B3FC51BA-75F3-4C93-98D3-72ECE4B7A6A2} is DHCP enabled. Checking quarantine status.]LOG]!><time="16:01:21.124+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="ccmiputil.cpp:509"> <![LOG[Adapter {B3FC51BA-75F3-4C93-98D3-72ECE4B7A6A2} has 1 IPv4 address(es).]LOG]!><time="16:01:21.124+-60" date="12-12-2011" component="InstallSoftware" context="" type="2" thread="3040" file="ccmiputil.cpp:540"> <![LOG[Executing content location request for CEN000BD:2 as GUID:87F78866-5FCB-43FE-A2F7-07DA7F6863DF]LOG]!><time="16:01:21.124+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="resolvesource.cpp:1852"> <![LOG[Initializing CLibSMSMessageHeader with authenticator]LOG]!><time="16:01:21.295+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="libsmsmessaging.cpp:1103"> <![LOG[Sending RequestContentLocations]LOG]!><time="16:01:21.295+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="libsmsmessaging.cpp:3367"> <![LOG[Messaging Auth Using V4 Mode]LOG]!><time="16:01:21.295+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="libsmsmessaging.cpp:1400"> <![LOG[Formatted header:]LOG]!><time="16:01:21.295+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="libsmsmessaging.cpp:1500"> <![LOG[<Msg SchemaVersion="1.1" ReplyCompression="zlib"><ID/><SourceID>GUID:87F78866-5FCB-43FE-A2F7-07DA7F6863DF</SourceID><SourceHost/><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:OSD</ReplyTo><Priority>3</Priority><Timeout>3600</Timeout><SentTime>2011-12-12T15:01:21Z</SentTime><Protocol>http</Protocol><Body Type="ByteRange" Offset="0" Length="618"/><Hooks><Hook2 Name="clientauth"><Property Name="Token"><![CDATA[CCMClientID: BBA60FFE-10D3-42AA-88BF-CBAC68CA4BB4 CCMClientIDSignature: 3F5C9150307B32713AB75C2BD3431AFCB0816854881F6450868D120ABA7FC4424EF3407E6BD2531E32EBF4A89D92440D3BD9E68078A8BB5B899905A765C4AC28B1D837A0D58EB02C55048B1BA97BF0319B02276D87846F4748C2FBAA887C8921989CB07E15BD6685BFC84792B1C9E91EE140DA03BA01FBBF7F6EF824F5FFAF15 CCMClientTimestamp: 2011-12-12T22:02:17Z CCMClientTimestampSignature: 4E28E6E6EEF71EB4A6FDE54155100F67610556C0E5F81DF82B6AB03608C1745485D65AB09F195D384903AB60DD9993118FCECCC3C9E85F5A9C0CB6E949A5F8DF305B7A5E64E0D98973AF12E034E468B6E7CC03FE23DC3DEB686CBA63FADD895F61D7034504C018F6F20561F40B47BC20509423C2385032A3AA6866F266409F1E]]></Property></Hook2></Hooks><Payload Type="inline"/><TargetHost/><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><CorrelationID/></Msg> ]LOG]!><time="16:01:21.295+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="libsmsmessaging.cpp:1501"> <![LOG[CLibSMSMessageWinHttpTransport::Send: URL: STOSCCM02.INTERNT.SVT.SE:443 CCM_POST /ccm_system_AltAuth/request]LOG]!><time="16:01:21.295+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="libsmsmessaging.cpp:7446"> <![LOG[In SSL, but with no client cert]LOG]!><time="16:01:21.295+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="libsmsmessaging.cpp:7596"> <![LOG[In SSL, but with no media cert]LOG]!><time="16:01:21.295+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="libsmsmessaging.cpp:7602"> <![LOG[The request has succeeded. 200 OK]LOG]!><time="16:01:21.342+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="libsmsmessaging.cpp:7734"> <![LOG[Decompressing reply body.]LOG]!><time="16:01:21.342+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="libsmsmessaging.cpp:2395"> <![LOG[::DecompressBuffer(65536)]LOG]!><time="16:01:21.342+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="ccmzlib.cpp:735"> <![LOG[Filtering Content Locations.]LOG]!><time="16:01:21.342+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="resolvesource.cpp:1883"><![LOG[Decompression (zlib) succeeded: original size 522, uncompressed size 2128.]LOG]!><time="16:01:21.342+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="ccmzlib.cpp:646"><![LOG[ Adding \\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD\ to Local DP list.]LOG]!><time="16:01:21.342+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="resolvesource.cpp:1938">
 <![LOG[Found 0 DPs in subnet, 1 DPs in local site, 0 DPs in remote location and 0 Multicast DPs]LOG]!><time="16:01:21.389+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="resolvesource.cpp:1974">
<![LOG[Shuffling HTTP local DP list.]LOG]!><time="16:01:21.389+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="resolvesource.cpp:2012">
<![LOG[Shuffling Local DP list.]LOG]!><time="16:01:21.389+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="resolvesource.cpp:2087">
<![LOG[Attempting to connect to \\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD\]LOG]!><time="16:01:21.389+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="resolvesource.cpp:2151">
<![LOG[Deleting any existing network connections to "\\vaxcmdp01.domain.com\*".]LOG]!><time="16:01:21.389+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:407">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:01:21.389+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:01:34.974+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:01:37.985+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:01:42.711+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:01:45.721+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:01:50.400+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:01:53.411+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:01:58.090+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:02:01.100+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:02:05.780+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:02:08.790+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:02:13.469+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:02:16.480+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:02:21.174+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:02:24.185+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:02:28.911+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:02:31.921+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:02:36.600+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[Attempting to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD".]LOG]!><time="16:02:39.611+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:501">
<![LOG[Retrying download...]LOG]!><time="16:02:44.290+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="tsconnection.cpp:508">
<![LOG[dwErr, HRESULT=800704c3 (e:\nts_sms_fre\sms\framework\tscore\tsconnection.cpp,517)]LOG]!><time="16:02:47.300+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="tsconnection.cpp:517">
<![LOG[Failed to connect to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000BD" (1219)]LOG]!><time="16:02:47.300+-60" date="12-12-2011" component="InstallSoftware" context="" type="3" thread="3040" file="tsconnection.cpp:517">
<![LOG[!slistSMBPaths.empty(), HRESULT=80040103 (e:\nts_sms_fre\sms\framework\tscore\resolvesource.cpp,2163)]LOG]!><time="16:02:47.300+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="resolvesource.cpp:2163">
<![LOG[TS::Utility::GetContentLocations( pszPackageId, L"", lSourceVersion, m_sSiteCode, m_sManagementPoint, &m_oHttpTransport, sClientID, TRUE, sNetworkAccessAccount, sNetworkAccessPassword, TRUE, TRUE, slistSMBPaths, slistHttpPaths ), HRESULT=80040103 (e:\nts_sms_fre\sms\client\osdeployment\installsoftware\dsutils.cpp,843)]LOG]!><time="16:02:47.300+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="3040" file="dsutils.cpp:843">
<![LOG[Content location request for CEN000BD:2 failed, hr=0x80040103]LOG]!><time="16:02:47.300+-60" date="12-12-2011" component="InstallSoftware" context="" type="3" thread="3040" file="dsutils.cpp:843">
While installing a single package from the same DP (VAXCMDP01) looks like this:
![LOG[PackageID = 'CEN000D1']LOG]!><time="15:29:13.401+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="main.cpp:332">
<![LOG[BaseVar = '', ContinueOnError='']LOG]!><time="15:29:13.401+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="main.cpp:333">
<![LOG[SwdAction = '0002']LOG]!><time="15:29:13.401+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="main.cpp:334">
<![LOG[GetExecRequestMgrInterface successful]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="2768" file="installsoftware.cpp:218">
<![LOG[Retrieving value from TSEnv for '_SMSTSPolicyCEN000D1_Install']LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="2768" file="installsoftware.cpp:85">
<![LOG[::DecompressBuffer(65536)]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="2768" file="ccmzlib.cpp:735">
<![LOG[Decompression (zlib) succeeded: original size 2844, uncompressed size 22640.]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="2768" file="ccmzlib.cpp:646">
<![LOG[ADV_AdvertisementID=CEN20022]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="installsoftware.cpp:1119">
<![LOG[PKG_PSF_ContainsSourceFiles=TRUE]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="installsoftware.cpp:1138">
<![LOG[::DecompressBuffer(65536)]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="2768" file="ccmzlib.cpp:735">
<![LOG[Decompression (zlib) succeeded: original size 12, uncompressed size 4.]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="2768" file="ccmzlib.cpp:646">
<![LOG[SoftDist paused cookie = 16271]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="installsoftware.cpp:181">
<![LOG[Found the location for the package _SMSTSCEN000D1. The location is on \\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000D1\]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="resolvesource.cpp:3146">
<![LOG[nPos != CCM::Utility::String::npos, HRESULT=80004005 (e:\nts_sms_fre\sms\framework\tscore\resolvesource.cpp,253)]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="0" thread="2768" file="resolvesource.cpp:253">
<![LOG[Creating a connection to \\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000D1\ with default account]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="resolvesource.cpp:2243">
<![LOG[Connection request for "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000D1"]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="tsconnection.cpp:208">
<![LOG[No credentials available for connecting to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000D1". See whether the share has already been connected.]LOG]!><time="15:29:13.417+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="tsconnection.cpp:233">
<![LOG[Connecting to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000D1"]LOG]!><time="15:29:13.510+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="tsconnection.cpp:268">
<![LOG[Successfully connected to "\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000D1"]LOG]!><time="15:29:13.588+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="tsconnection.cpp:287">
<![LOG[SMS PkgID 'CEN000D1' resolved to location '\\vaxcmdp01.domain.com\SMS_DP$\SMSPKG\CEN000D1\']LOG]!><time="15:29:13.635+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="2768" file="installsoftware.cpp:145">
Notice that it never checks for DPs in the same way as the multiple package install:
<![LOG[Found 0 DPs in subnet, 1 DPs in local site, 0 DPs in remote location and 0 Multicast DPs]LOG]!><time="16:01:21.389+-60" date="12-12-2011" component="InstallSoftware" context="" type="1" thread="3040" file="resolvesource.cpp:1974">
I know that the TS checks package dependencies before executing the TS. That's not possible with Multiple packages since they are variable dependant. I think this is somehow related although it doesn't explain why my client can't authenticate properly.
The Network Access Account is a member of Domain Users and Domain Users have Read Access on the share and on the folder of the VAXCMDP01 DP - which should be identically configured to our other DPs closest to our ConfigMgr Server.
Any ideas?
Kind regards,
Mathias

Issues with multiple things since Mavericks update

I installed the Mavericks update and since, I have been having multiple problems with different things on my MacBook Pro 13"
1. Printer issues: I have an HP officejet 6500 wireless printer (Officejet 6500 E709n Series), and now it's having major issues with printing, yet was working perfect prior to update. It will either cut out pages when printing PDF documents, or printing so slow that it has to take a break in between printing each document (an issue that all never occurred until update), to print documents back to back, it will stop after one document as though I have no other documents in queue to print, and pauses for an extremely long time (nearly a full minute, no exaggeration here, literally almost a full 60 seconds), something it's never done before this update. My Apps update even did an update to the HP software that is inside the Mac already to use printing (in other words, the mac doesn't need to have the HP software manually installed for it to work, it automatically sees the printer because it is connected to my wireless network just as my Macbook Pro which is also connected wirelessly to my network).
2. Internet issues: am now unable to click on certain links in safari that I was able to use prior to the update, yet they will open fine inside of firefox with no issues, yet I cannot always switch between two different browsers to perform task online (literally have to start all over inside firefox while in the middle of something in safari). Also lots of websites no longer work correctly and I have to constantly clear history and cookies to attempt to use certain sites, at times it will help, other times it wont work period, yet the same exact site will work perfect in firefox (which I do not use, only on my system for use on certain sites for school because in safari prior to the update, I would have issues with only the class site and some links not working at all, no spinning wheel, no errors, just nothing, no response of any kind, basically worse than what it was before the update). Another issue, hit Ctrl+a to select inside Safari and it highlights, but then when you click out of the highlight, it comes back on it's own several times without you hitting anything, just click inside the screen on a blank space (no links, etc) with touchpad.
3. System issues: My system is way slower than what it was prior to the update, click on things and it wont respond at all, then minutes later will eventually respond or pops up the spinning color wheel, which it either never responds or takes an extremely long time to respond. And no matter how much I restart, it doesn't help anything. Even just to sit doing nothing, no clicking or usage on the system, and the color wheel pops up.
4. Mail issues: Mail is now popping up completely blank messages that I have sent out, the person receives it with no issues, yet I cannot look at the message I sent neither in the inbox or the sent items when I need to look at them again, an issue not present prior to update. Also I an now having issues when receiving mail, sometimes it will check for mail and sometimes I have to manually click to make it check the server for mail, an issue not present prior to update as well.
As of now, since I have had the chance to used the system since the update, these are the issues I have had, yet haven't had the chance to check other things, so there may be other issues that are occurring that I'm not aware of at the moment. I knew it would be a mistake to do this "free" update and did so anyway and now having one issue after the next with each application I open to use.
Mac general info:
Mac is one year old, purchased brand new, no shareware programs of any kind installed.
Use for school and basic web surfing use.
Do not install any programs onto system that I'm unsure are safe (basically programs for/from school/school websites only, or from the Mac Apps store only), not even programs like Skype, nor any windows based programs of any kind.
Lots of free memory avail because I save everything onto external hard drives (purchased brand new as well, only 4months old) in case system crash occurs, only things on the system is Itunes music or pics from photo stream that sync to the system when Iphone connected.
Mac system info:
- Processor 2.5 GHz Intel Core i5
- Memory 4 GB 1600 MHz DDR3
- Graphics Intel HD Graphics 4000 1024 MB
- Software OS X 10.9
- Number of Processors:          1
- Total Number of Cores:          2
- L2 Cache (per Core):          256 KB
- L3 Cache:          3 MB

For those needing help fixing their system and putting it back to Lion or Mountain Lion, this is what I have done to eliminate all my issues in about an hour (depending on your internet connection).
Amazing thing, I just restored my computer back to Mountain Lion, and she's working perfect again, as I knew she would. E-mail popping into mailbox instantly as it should and did before the update, printer working fast as it was before update, no more freezing or glitches of any kind thankfully and finally. Here is the link that is through the Apple site to direct you on how to put your system back and get rid of Maverick's, that is assuming that is what you would like to do and also includes link for those wanting to try fixing the issue if that is your preference (most of this info is for those with mountain lion and some with the previousverisoin of OS X lion).
If you want to keep Maverick's here is a good post on the apple discussion board to help you out:
https://discussions.apple.com/docs/DOC-6161
If you just want to totally get rid of it and put back what you had before, this is the short version of how to do so:
https://discussions.apple.com/docs/DOC-3353
NOTE: This particular link has a lot of info on what to do for different situations, it is a bit lengthy, yet still very helpful.
OS X Mountain Lion: Reinstall OS X (direct from Apple support site, not someone else):
http://support.apple.com/kb/PH10763?viewlocale=en_US
OS X: About OS X Recovery (also from apple support directly and includes some instructions just the same as previous links above):
http://support.apple.com/kb/HT4718
Just in case you aren't sure what it will all look like as you are doing things, this is a link to show you a few pics of what you will see as you as you are going through the process, it can be helpful for those who aren't sure what they are doing or how to do things at all:
http://www.apple.com/osx/recovery/
This is a way to download the Mountain Lion disk info from the server
http://support.apple.com/kb/DL1433
I hope this helps someone, it was amazing for me and my system is working perfect again like it was, battery life is way better went from like 3 hours to like 5 (not on full charge by the way, after it sat for a while doing the online update which took a while so that's saying something alone, huge improvement). I plan to wait a while before attempting to reinstall Maverick's, long enough for them to fix the bugs.

Firefox issues with multiple users on a single computer.

I have an issue with Firefox and multiple users on my computer. There are two users setup and I'm running Win7 Ultimate x64. When the other user logs in, my settings in Firefox get screwed up somehow. Even if that user does not open Firefox.
Examples of problems this causes:
Gmail - Cannot load the standard interface, however it will load the HTML only interface.
Facebook - Cannot post anything.
vBulletin Forums - Some forums will no longer normally load - a text-only version loads as if I was browsing from a mobile device.
There may be other issues, but these are the main ones. If I clear my cookies, cache and browsing and download history, then restart Firefox, everything works again.
This seems to happen most often when the other user logs in, and uses Firefox to log on to their Gmail account.
How can I fix this?

Create a new profile as a test to check if your current profile is causing the problems. 
See [[Basic Troubleshooting#Make_a_new_profile|Basic Troubleshooting: Make a new profile]]
There may be extensions and plugins installed by default in a new profile, so check that in "Tools > Add-ons > Extensions & Plugins"
If that new profile works then you can transfer some files from the old profile to that new profile (be careful not to copy corrupted files)
See http://kb.mozillazine.org/Transferring_data_to_a_new_profile_-_Firefox

Playback Issues with multiple framerates and Blackmagic Decklink 4K Extreme

I recently swapped by AJA Kona Card for a Blackmagic Decklink 4K Extreme in order to get external monitoring in DaVinci Resolve.
I'm working in a 1080p 23.976 project that includes some 29.97 SD and HD footage. When loading this 29.97fps footage into my source footage, I periodically encounter frozen playback (The play triangle in my toolbar becomes a square symbol and remains that way). From there I am unable to playback any footage in any timeline, and requires a full system shutdown to return to normal! The problem is seemingly intermitent, with successful playback happening sometimes.
The 29.97 footage was DVCPRO, I attempted to transcode to Prores to troubleshoot. No dice. I believe it to be an issue related to the Decklink's inability to handle multiple framerates on-the-fly but wanted to submit here, too. I've also experienced intermittent sync delays on my broadcast monitor.
Decklink Driver 10.0
Premiere CC 7.2.1
Mac OSX 10.9.2 (same problem pre-mavericks)

Hi Andy,
You should not have any issues with Blackmagic handling multiple formats on the fly. However, I believe the frozen playback issues your describing is related to the Desktop Video 10 driver. I suggest rolling back to 9.3.3 for the time being. Blackmagic is looking into this issue now.
Best,
Peter Garaway
Adobe
Premiere Pro

Issue with multiple digital signatues in form

Hello all-
I'm having an issue with a form that has multiple digital signatures. The form additionally has a listbox in which the user can select recipients to email the form to. My objective is to be able to send a form to various users by email to sign digitally. After extending the features for Reader, I inserted a standard Livecycle digital signature by clicking on one of the digital signature fields. However, after inserting the digital signature, I can't perform any other actions (email the form by selecting recipients from the listbox, clicking a different digital signature field for signature insertion, etc.) It is as if the digital signature instertion made an uneditable snapshot of the form, which I do not want to do. What can I do to rectify this process?
Will upload the form if necessary.
Thank you and happy holidays.
masber2000

Mr. Kumar,
The desired workflow is for
1)      Firefighter 1 to complete the top portion of the Agreement
section, sign in the Firefighter 1 signature field (which locks the top
portion of the Agreement Section), then select Firefighter 2 from the
e-mail drop down list and e-mail the PDF form to Firefighter 2;
2)      Firefighter 2 opens the e-mail and the PDF attachment,
completes the second portion of the Agreement Section, sign in the
Firefighter 2 signature field (which locks the bottom portion of the
Agreement Section), select Lieutenant 1 from the e-mail drop down list
and e-mail the PDF form to Lieutenant 1;
3)      Lieutenant 1 opens the e-mail and the PDF attachment, checks
the approved box, signs the Lieutenant 1 signature field, select
Lieutenant 2 from the e-mail drop down list and e-mail the PDF form to
Lieutenant 2;
4)      Step three continues through Lieutenant 2, Battalion Chief 1
and Battalion Chief 2
5)      Battalion Chief 2 sends the fully completed form back to
Firefighter 1 who copies the completed form to Firefighter 2
Note: if any of the officers disapprove the agreement the disapproved
form is immediately sent back to Firefighter 1
Jim Frazier, Deputy Chief
Villages Public Safety Department
3035 Morse Boulevard
The Villages, FL 32163
352-205-8280
Honor in Service

Form Size issue with multiple Digital Signatures

I have created a form (liveCycle 8) with multiple digital signatures required. When each user signs the form, that section of the form is locked using collections. The form is workflow through email after each user signs it. Each time the user signs and forwards the form, the form's size becomes too large.
How can the form be optimized to compress each time an users signs the form?
Thank you,
Lori

Steve,
After your request to post the form, I wanted to removal some company items like the Logo. Once I removed the Logo, I found the biggest issue was a Logo image size that was making the file so large. Once I reduced the image size, the signatures only added 46kb at each signature level.
Thank you for your help,
Lori

Script issue with multiple lines printing

Dear All,
I'm trying to print multiple lines of my internal table in a script.
But only the last line is being printed all the time in all the lines.
Attached is my code.
    CLEAR GS_REGUP.
    LOOP AT GT_REGUP INTO GS_REGUP.
* Start the Form
      CALL FUNCTION 'START_FORM'
        EXPORTING
          ARCHIVE_INDEX = TOA_DARA
          FORM          = 'ZFORM'                                    "T042E-ZFORN
          LANGUAGE      = SY-LANGU                          "T001-SPRAS
          STARTPAGE     = 'FIRST'
          PROGRAM       = 'ZPROG'.
* Net Amount
      CLEAR GV_NETWR.
      GV_NETWR = ( GS_REGUP-WRBTR - GS_REGUP-PSSKT ).
* Print the Content
      CALL FUNCTION 'WRITE_FORM'
        EXPORTING
          ELEMENT = '525'      "Header
          FUNCTION = 'APPEND'
          TYPE     = 'BODY'
          WINDOW   = 'MAIN'.
* End the Form
      CALL FUNCTION 'END_FORM'
        IMPORTING
          RESULT = ITCPP.
      IF ITCPP-TDPAGES EQ 0.       "Print via RDI
        ITCPP-TDPAGES = 1.
      ENDIF.
    ENDLOOP.
Please let me know the flaw in it.
Regards,
Deepu.K

Dear All,
As i Mentioned in my earlier post, the same coding working fine in Quality server --> Printing multiple lines in script output.
But now, I have the same reqt. in another window.
So, I did the same coding.
But, this time it's printing the last line of the internal table in all the lines.
This is happening in Quality Server only.
The only difference between the previous internal table and this int. table is:
1. The first int. table content is printing in MAIN Window. ---> working fine
2. The second int. table content is printing in VARIABLE window. ---> NOT WORKING.
Can any one tell me what's the issue with this ?
Regards,
Deepu.K

Session cleanup issue with multiple Application servers

Hi ,
I am facing a strange problem with multiple application servers. The java Webdynro session does not get cleaned up completely when user closes the browser ( without using logoff ). On re-login it gets handle of old session and then fails for consecutive view on other webdynpro iviews with an invalid session error. It again starts working with a refresh event.
Any ideas/suggestion if you have seen something similar before ?
Thanks and regards,
Amit.

Hi Amit
It seems that issues is not server related, but caused by your client browser. I know, for example, that IE8.0 keeps user session even if two separate browser instances opened on the same client machine. IE 7.0 and lower behave differently - they are separate user sessions per browser instance.
BR, Siarhei

Issues with multiple Files with multiple subdbs on a single environment.

I'm having an issue with Berkeley DB 4.2 on 32-bit platforms, regarding multiple physical files with multiple subdatabases in a single database environment. Specifically, when I open a subdatabase for a physical file, Berkeley DB thinks that it is using the same subdatabase in a different physical file.
I'm doing the following:
1. Create and open a db enviornment.
2. Move file1 to the common area.
3. Open, get and close the subdatabases in file1.
4. Move file2 to the common area.
5. Open, get and close the subdatabases in file2.
6. remove file2 from the common area
7. Move file3 to the common area.
8. Open a subdatabase from file3. About 1/2 the time, the fetches
return data from file2, not from file3.
It's possible that at some earlier time (i.e. before step 1 of this
test case), file1, file2 and file3 were the same file. I noticed
that there is something called env->fileid_reset, but that is not
in 4.2.52.
Any ideas?

Looks like I've resolved the issue

RSA1 Document - Issue with "multiple selection" Characteristic

Hi,
I have the following issue with a web template showing monthly reporting results (act/plan/var) for a specific cost center broken down following a cost element hierarchy.
My purpose is to attach each month some comments and these comments are made at the query level, not for each individual cost element.
However, as explained in note 501593, when creating my document, I have to restrict my cost elements since they are regarded as "multiple selections".
I could go and limit from 6 to one single value through table RSODADMIN but I never know for sure that this single cost element would always show up in my query.
In RSA1 > document > properties of the comment, is there any way for me to go and input a range for my cost elements, instead of having to enter cost element by cost element ?
Thx
Stéphane

Hi,
I have the following issue with a web template showing monthly reporting results (act/plan/var) for a specific cost center broken down following a cost element hierarchy.
My purpose is to attach each month some comments and these comments are made at the query level, not for each individual cost element.
However, as explained in note 501593, when creating my document, I have to restrict my cost elements since they are regarded as "multiple selections".
I could go and limit from 6 to one single value through table RSODADMIN but I never know for sure that this single cost element would always show up in my query.
In RSA1 > document > properties of the comment, is there any way for me to go and input a range for my cost elements, instead of having to enter cost element by cost element ?
Thx
Stéphane

Issue with multiple crypto isakmp policies

Similar Messages

Maybe you are looking for