Managing VPN HW Client 3002.

Similar Messages

• SNMP and VPN HW Client 3002.

  Hello.
  Can I contact my hw client, running software version 4.7.2.L, on public interface using SNMP?
  Thanks.
  Regards.
  Andrea

  Hi Andrea,
       The VPN3002 is suppported in RME 4.0.6 (LMS 2.6) - http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0.5/device_support/table/RME405.html#wp231589
      For Config Fethc however, the only supported protocol for the VPN3002 is HTTPS - http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0.5/device_support/table/RME405CM.html#SecurityandVPN
      You'll need to do the following 3 things in order to get this to work :
  1. Add HTTPS credentials to DCR for your VPN3002 (Common Services -> Device and Credentials -> Device Management then Edit Credentials)
  2. Add HTTPS to the list of Transport Protocols to be used by Config Archive (RME -> Administration -> Config Mgmt -> Transport Settings then Add HTTPS to the 'Selected Protocol Order List'
  3. Enable HTTPS on the VPN3002 Concentrator http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/tunnel.htm#wp1309633
  Regards
  Derek Clothier

• LMS 4.0.1 unable to collect VPN hw client configuration.

  Hello.
  I'm using LMS 4.0.1 and VPN hw client 3002 with software 4.7.2.L.
  I'm not able to collect the first configuration and sync jobs end with these errors...
  *** Device Details for vpn-balbi ***
  Protocol ==> HTTPS
  Selected Protocols with order ==> SSH,HTTPS,Telnet,TFTP
  Execution Result:
  RUNNING
  CM0057 PRIMARY RUNNING Config fetch SUCCESS, archival failed for  vpn-balbi Cause: CM0210 Unable to generate processed config Action: Verify that  archive exists for device.
  Any ideas?
  Thanks.
  Regards.
  Andrea

  I have seen some issues with VPN device with ciscoworks. We have one of the old Bug for this as well # CSCsa35538.
  I would suggest to check a couple of things mentioned below:
  > Please check there are no specila characters '<,''>' in the configuration file.
  > Non UTF-8 characters are NOT visable through the WEB-Interface and hence i would again recommend to change the Port Forwarding Name to something normal like " application test", if there is some special characters as well, from Base groups-->web vpn.
  Then retry the configuration fetch.
  -Thanks

• VPN gate client- "Network cable unplugged"

  i have vpn gate client installed for a game that i wish to play. to do so i need to be able to use vpn gate client. it doesn't let me connect to any server but that's not why i'm here.
  the problem i believe is the issue is that it states that the VPN Client under network connections tells me that the network cable is unplgged. and when i trouble shoot it it states that i need to plug in my ethernet cable.
  i use a msi gaming 7 motherboard and it comes with it's own killer ethernet gigabyte controller. or "Killer e2200 Gigabit Ethernet Controller"
  this controller is in use so could it be that the vpn gate isn't working because killer e2200 is running as well? i'm confused because when i used this software on my laptop it worked perfectly fine.
  any suggestions as to how i could possible fix this issue or enable the vpn client adapter? thanks!

  I have a related problem with the e2200 NIC on a Z97 Gaming 3 motherboard:  I cannot make an IPSEC VPN connection with this NIC.  If I use an add-on NIC, I can connect just fine, as I can from dozens of other computers with a variety of NIC makes and models.

• SSL VPN with client, anyconnect.

  I've set up a simple test on SSL VPN with client on a 3800.
  It didnt work. I assume i have to turn on the IP http server so that the client can hit it.
  but when I turned it on, the client goes to SDM, nothing with ssl vpn happened. it tells me the pay is not available.
  The underlying routing is fine.
  Could you tell me where it is configured wrong?
  Config is copied below.
  thanks,
  Han
  =======
  Current configuration : 3340 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  enable password cisco
  aaa new-model
  aaa authentication login default local
  aaa session-id common
  no network-clock-participate slot 1
  crypto pki trustpoint TP-self-signed-3551041125
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3551041125
  revocation-check none
  rsakeypair TP-self-signed-3551041125
  crypto pki certificate chain TP-self-signed-3551041125
  certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353531 30343131 3235301E 170D3131 31313135 31383238
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35353130
  34313132 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CFCF CFFAD76A 50DA82C9 8D4E3F90 64AD24EB 5409C5E2 43BC64F3 07F6C0E0
  29FF2D71 0DA0D897 2F814BD2 7F817503 429D4BC6 6AD6EEA4 DFA74BAD 0EAF84D5
  6ED55EC0 6C637178 BEEBCD1D 184BB90C CA84E974 48003885 87B53F2E 36A04661
  23DA2CBB DD8EEE1D 2F25AF9A E21DC288 BF76A17C C1F4BA07 95F09377 A12BE01A
  53750203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17526F75 7465722E 776E7362 6E6F632E 696E7465 726E616C
  301F0603 551D2304 18301680 14BE9E8F ED788928 560D7CA1 EED89B0D DE34D772
  5D301D06 03551D0E 04160414 BE9E8FED 78892856 0D7CA1EE D89B0DDE 34D7725D
  300D0609 2A864886 F70D0101 04050003 818100BC 4A2A3C47 7BF809AF 78EE0FD9
  73692913 F280765E BAFAECAB ED32C38D 3030810B C62C7F45 13C8A6EE AE96A891
  CDD4C78B 803299AD EB098B27 383CEF6F 0E2B811F 3ECFADBA 07CD0AC6 BBB8C5FE
  B2FC0FD8 562B7100 BB28036E 4575D1F5 B17687C6 8EACBD66 A9E52FEE A030E69A
  CAAE9F1B 618FA59D 02C25BC8 77D6CAC2 C7E56F
  quit
  dot11 syslog
  ip cef
  multilink bundle-name authenticated
  voice-card 0
  no dspfarm
  username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
  archive
  log config
  hidekeys
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  end
  interface Loopback1
  ip address 1.1.1.1 255.255.255.0
  interface GigabitEthernet0/0
  ip address dhcp
  duplex auto
  speed auto
  media-type rj45
  ip local pool svc-poll 1.1.1.50 1.1.1.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 192.168.1.254
  ip http server
  no ip http secure-server
  control-plane
  line con 0
  logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  webvpn gateway SSLVPN
  ip interface GigabitEthernet0/0 port 443
  ssl trustpoint local
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn context SSLVPN
  ssl authenticate verify all
  policy group default
     functions svc-required
     svc default-domain "test.org"
     svc keep-client-installed
     svc split dns "primary"
  default-group-policy default
  gateway SSLVPN
  inservice
  end

  Using the SDM follow the below config example
  http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
  The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
  HTH>

• Why does SSL VPN require client for full functionality?So What's the point?

  I was interested in SSL VPN because I thought that I could have the same functionality I have when connecting via Cisco VPN 3000 concentrator (IPSec with AH and ESP enabled), but without the hassle to deploy and maintain client VPN's for thousands of users.
  However, to my disappointment, based on the information below from www.cisco.com (and I believe that it is the case from other vendors, right?) SSL VPN offers limited functionality if deployed clientless. Why is like that?
  Imagine I have a VPN (IPSec) solution functional today. If I deploy SSL VPN (clientless) what lack in functionality should I experience? Why a VPN client is required if SSL VPN can successfully establish the tunnel? I don't get it.
  "...SSL VPNs provide two different types of access: clientless access and full network access. Clientless access requires no specialized VPN software on the user desktop; all VPN traffic is transmitted and delivered through a standard Web browser. Because all applications and network resources are accessed through a browser, only Web-enabled and some client-server applications-such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers-can be accessed using a clientless connection. This limited access is suitable for partners or contractors that should be provided access to a limited set of resources on the network. And because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized."

  Hi,
  Clientless SSL VPN only able to access application through browser (i.e. HTTP and HTTPS). If you need to acces other application like RDC, you need full SSL client.
  Full SSL Client is deployed automatically depends on how you configure the SSL VPN box (temporary or permanently);
  1. From the SSL VPN box, you can configure it to download and be installed to user PC permanently (500KB+). When the user successfully authenticated by the SSL VNP box, it will download the client and install automatically/permanently without any help from the network administrator. The user need to login on his/her PC with administrator priviledge.
  2. From the SSL VPN box, you can configure it to download and be installed to user PC temporary (500KB+). When the user successfully authenticated by the SSL VPN box, it will download the client and install temporary without any help from the network administrator. The user need to login on his/her PC with administrator priviledge.
  In one of my deployment, I have 1000+ SSL VPN user. I just need to create a 10 page User Manual/Guide complete with troubleshooting on their own. I use the first option which is automatically download and permanently install in their PC. Patching the SSL VPN Full Client need to upload the new client in the SSL VPN box only and it will automatically patch the client in user PC.
  Dandy

• How to determine installed management studio is client or server

  How to determine installed management studio is client or server
  when I see in help it says 
  version 10.50.1600.1
  Neil

  Blog/thread:
  7 things to check to resolve  “A network-related or instance-specific error occurred while establishing a connection to SQL Server…” 
  http://social.msdn.microsoft.com/Forums/sqlserver/en-US/0628296e-939a-4700-b498-1c3c9ce90597/a-networkrelated-or-instancespecific-error-occurred-while-establishing-a-connection-to-sql-server?forum=sqlsecurity
  http://blogs.msdn.com/b/sql_protocols/archive/2007/05/13/sql-network-interfaces-error-26-error-locating-server-instance-specified.aspx
  http://stackoverflow.com/questions/18060667/connect-to-server-a-network-related-or-instance-specific-error
  Kalman Toth Database & OLAP Architect
  SQL Server 2014 Database Design
  New Book / Kindle: Beginner Database Design & SQL Programming Using Microsoft SQL Server 2014

• How Can We Change Batch Management Level From Client level to Plant Level?

  Hi all,
  I want to know whether it is possible to change the batch management level from client to plant level.Pls Help..

  Hi,
  Refer SAP Note 891902 - FAQ: Batch level

• DirectAccess2012 + SCCM2012 + ISATAP Manage Out DA Clients

  Good Day, have some trouble.
  1. We have deployed DA Server behind the TMG.
  2. DA Clients succesfully establish connection to work resources and could connect to internal resources
  3. The question is - how i can manage out DA clients, i could ping them only from DA server.
  First of all i need to manage DA Clients from SCCM server what i have already done (http://blogs.technet.com/b/jasonjones/archive/2013/04/19/limiting-isatap-services-to-directaccess-manage-out-clients.aspx):
  1. Created DNS A record daisatap.domain.com which points to ipv4 internal DA address
  2. Created GPO which enables isatap adapter and gives the router name daisatap.domain.com
  3. Applied this GPO to SCCM server successfuly.
  Now my SCCM server shows ISATAP - Enabled, it tooks ipv6 address: fe80::5efe:10.62.4.110%12 but still couldnot ping DA clients and DA server by IPv6 address... If i trying to ping ant ipv6 address i receive "transmit failed" failure
  Need some help with it...
  Some upgrade to post:
  My SCCM server have istatap ipv6 ISATAP address: fe80::5efe:10.62.4.110%12
  My DA have ipv6 LAN address: fd72:3d36:76b8:333::1/128
  My DA client have ipv6 fd72:3d36:76b8:1000:3077:665f:cdeb:2b00
  And i wonder SCCM receives Local Link ipv6, is it correct? From DA i could not ping ipv6 address of SCCM too...

  Hello, thank you for your answer. My SCCM server could successfuly ping daisatap.domain.com by ICMPv4. Not sure about protocol 41, on my SCCM server firewall is disabled, on DA server - enabled and i could not find how to allow this protocol... there is
  no such protocol in predefined core networks...
  So i`ve disabled Windows Firewall on my SCCM and DA servers for all profiles and still my SCCM server receives fe80:: address... so there is some trouble not in firewal...
  And one more thing on DA server ISTSP adapter have only fe80:: address too...
  Ethernet adapter LAN:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
     Physical Address. . . . . . . . . : 00-50-56-87-6F-B9
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : fd72:3d36:76b8:3333::1(Preferred)
     Link-local IPv6 Address . . . . . : fe80::884c:fb2:838c:474e%12(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.62.4.55(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.252.0
     Default Gateway . . . . . . . . . : 10.62.7.254
     DHCPv6 IAID . . . . . . . . . . . : 302010454
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-19-0D-16-00-50-56-87-6F-B9
     DNS Servers . . . . . . . . . . . : 10.62.4.4
                                         10.62.4.44
     NetBIOS over Tcpip. . . . . . . . : Disabled
  Tunnel adapter 6TO4 Adapter:
     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft 6to4 Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter IPHTTPSInterface:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : IPHTTPSInterface
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : fd72:3d36:76b8:1000::1(Preferred)
     IPv6 Address. . . . . . . . . . . : fd72:3d36:76b8:1000::2(Preferred)
     IPv6 Address. . . . . . . . . . . : fd72:3d36:76b8:1000:8dac:2df:c4bf:e891(Preferred)
     Link-local IPv6 Address . . . . . : fe80::8dac:2df:c4bf:e891%15(Preferred)
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 419430400
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-19-0D-16-00-50-56-87-6F-B9
     NetBIOS over Tcpip. . . . . . . . : Disabled
  Tunnel adapter isatap.{4E20B5D6-171C-4F5C-A90F-DED6C04D5D87}:
     Connection-specific DNS Suffix  . :
     Description . . . . . . . . . . . : Microsoft ISATAP Adapter
     Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     Link-local IPv6 Address . . . . . : fe80::5efe:10.62.4.55%16(Preferred)
     Default Gateway . . . . . . . . . :
     DHCPv6 IAID . . . . . . . . . . . : 436207616
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-19-0D-16-00-50-56-87-6F-B9
     DNS Servers . . . . . . . . . . . : 10.62.4.4
                                         10.62.4.44
     NetBIOS over Tcpip. . . . . . . . : Disabled

• Deploy Task Sequence to VPN based clients

  Can task sequences be deployed to VPN based clients? Its not an OSD task sequence, the task sequence in question has a couple of program installs and relatively small in size.
  The client machine(s) do receive the deployment although the status deployment remains on "Downloading", so I assume the device cannot locate the content on the DP within the VPN (configured Slow) boundary.
  The packages in the custom TS are located on the DP, so its either the boundary or a task sequence configuration.
  Just to note - Software updates are deploy successfully to VPN based clients within the same boundary, so I'm inclined to say it might be the task sequence?
  Any suggestions?
  Thanks
  Craig
  MCTS | MCITP | MCSA

  Thanks - although where is this configuration in the program/package(s):
  "Check the packages/programs called in the TS to ensure they are correctly set for slow-link behaviour."
  Oops, sorry, it's on the deployment;
  Step 10. here:
  http://technet.microsoft.com/en-us/library/gg682178.aspx
  On the Distribution Points page of the Wizard, specify the following information:
  Deployment options – Specify the actions that a client should take to run program content. You can specify behavior when the client is in a fast network boundary, or a slow or unreliable network boundary.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Managing 10.4 clients with 10.5 Server

  Before I jump in....any feedback on managing 10.4 clients with 10.5 server (will post the vice-versa in the 10.4 server forum) from those who are doing it currently?
  Thanks,
  k

  I checked out the link you mentioned. It's really dealing w/ managing the client. I'm have weird issues w/ clients logging in. Today I had a grade level try to log in. Ten of the computers would let that grade level in, two would not. Of the Ten computers approx 5 wouldn't let them log in the first time, but once they were restarted they were able to log in. All of the computers are on a wired network as well as a wireless backup. Of the two that would not let them login I had just restored one and set the settings up the same as the others.
  I'll be damned, this is the weirdest I have had with Apple client management.

• Manage billing of clients depending on usage.

  Hi,
  My requirement is like below:
  I have one Windows Azure Account and I want to host my client's websites within that azure account, there will be one or two websites per client. I want to allow each client to login and manage only his websites/databases and charge each client as per his
  site usage and I want to achieve this using Windows Azure web sites (requirement is like reseller plan on other hosting providers).  Is it possible on Azure? How?
  I know about the create subscription for each client and add client them as service administrator/co-administrator and manage their sites/services, but I want to manage all the clients under single subscription and chanrge them as per their site usage, so how
  can I achieve this with windows Azure websites? If its not possible in websites then is it possible in other like cloud service/VM? how?
  Thanks, Dilip

  hi Dilip,
  >>I have one Windows Azure Account and I want to host my client's websites within that azure account, there will be one or two websites per client.
  What's the meaning of client? According to your description, I understand your meaning is that you want to host your customer's website on one azure websites server. And each customer could access themselves host server. And they could manage their usage
  and billing. Am I right?
  If yes, I think you use Azure websites Service don't achieve to.  The reason is like following:
  1.Azure billing service didn't support to show the every sites costs. The billing service could show the entire website pricing tire costs. You could see this detail form new portal billing usage panel.
  2. Like the websites charged, the Database is charged by the service tire not shown the every database.
  3.Azure websites service didn't support each customer logon on for manage their websites . If the customer could be able to login on the Azure, he could see all the services on that subscription. 
  For your requirement, as you said, multiple subscriptions could resolve this issue.
  If you want to use Azure VM service, you could create the different VMs for each customer, and give them the permission (User name and password) to manage the VM using RDP.Each customer could login their VM and management their resource. But for Azure
  Database, if they used it, you can not control the billing of Azure database.
  Regards,
  Will
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• How to manage VPN clients in SCCM 2012

  Hi,
  In my environment, I have multiple clients over VPN in multiple sites, 
  now I have problem, I how can I manage those clients for VPN, coz n CM 2012 I have to give boundary group and n boundary group  have to give the site server references, and I have only one IP subnet in whole environment, but from that subnet, some clients
  are from A site, B site and C site, now can you tell me how to manage them, 
  How to configure DP for them??
  How they can get correct MP?  
  Sharad Singh | My blogs: SharadTech | Twitter:
  @SinghSharaad | | Please remember to click “Mark as Answer” on the post that helps you.This can be beneficial to other community members reading the thread.

  Jason, 
  I have only one IP subnet means I have only one IP subnet for VPN clients n all environment, all clients from all sites which are connecting with VPN they will fall on that VPN IP subnet.
  other than  have LAN/WAN link for all sites, which I have already configured according to Sites/DP and there s no problem, every thing is working fine.
  but for VPN i have only one network which is worldwide, and that network used by all sites, this is the problem, How can I manage that network, and where should I add for boundary/DP for site references??? 
  Sharad Singh | My blogs: SharadTech | Twitter:
  @SinghSharaad | | Please remember to click “Mark as Answer” on the post that helps you.This can be beneficial to other community members reading the thread.

• VPN 3005 with 3002 Hardware Client

  I have a VPN3002 Hardware Client (172.16.1.x) that is accessing a VPN3005 Concentrator (192.168.x.x) in Network Extension Mode. On the VPN3005, I have a LAN-to-LAN connection to another VPN device. I can access addresses in all scenarios except for from devices behind the Hardware Client through the LAN-to-LAN tunnel. In other words, addresses behind the Hardware Client (172.16.1.x) cannot access addresses through the LAN-to-LAN.
  Devices on the network behind the Concentrator (192.168.x.x) CAN access addresses through the LAN-to-LAN and there is bi-directional communication between the network behind the 3005 and behind the 3002 client.
  Can anyone help? Thank you.

  The 3000 is only going to send traffic over the L2L tunnel that is sourced from the Local Network and going to the Remote Network. Trafic from behind the 3002 is NOT going to match this based on the fact you're NAT'ing all the locla traffic to some other address.
  I presume you have done this NAT'ing on some device before the 3000, in wihch case there's no way to get the 3002 traffic to also be NAT'd since it is going to come in and go straight back out the Public interface of the 3000.
  You will have to add another line to your Local Network list that defines the traffic behind the 3002. Similarly, the remote end is going to have to add this same network to their Remote network list. Unless you do that, or find some way to NAT the 3002 traffic to the same address, the 3005 is NOT going to send it over the tunnel because you haven't told it to.

• Managing internet based clients

  Using SCCM 2012 SP1, I have built a second management point in a DMZ and used an install script to point after grabbing the pfx file for the local client (pc's aren't on the domain and I used this to generate certs for them).
  @echo off
  @echo Adding Trusted Root Certificate
  Certutil -addstore -f "ROOT" "%~dp0MyTrustedRoot.cer"
  @echo Import Client Certificate
  Certutil -p "agoodpassword" -importpfx "%~dp0clientcerts\%computername%.pfx"
  @echo Install ConfigMgr Client
  "%~dp0\client\ccmsetup.exe" /source:%~dp0clientcerts\client /mp:https://mp.acme.com /usePKICert /NOCRLCheck SMSSITECODE=GDC CCMHOSTNAME=mp.acme.com
  The script works and the client gets installed and talks to the management point.
  My question is - when these clients are on the LAN or over VPN, will they revert back to the internal MP and use the DMZ MP when they are on the WAN? 
  Thanks

  Hi,
  Glad to hear the issue resolved. Thank you for your reply.
  You two are the same person?
  Best Regards,
  Joyce Li
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.