Match different AAA Groups per source IP
Dear Colleagues,
The issue that Im facing right now is the following:
I have an external device that run auto-commissioning on my router and doesn't support "username" loggin, only "password" when attempt to loggin through telnet in order to access and run the script. In addition I have AAA TACACs running on the same router so this device is unable mow to access to the router as the first loggin request is the "username". I can not change the telnet command executed by the external device, its doing a single telnet to the destination IP of my router so I discard any option like adding a TCP port dedicated for this external device access. To be clear, what is expecting to receive after execute the telnet is:
c:/> telnet 1.1.1.1
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
User Access Verification
Password:
To fix this issue my idea is try to configure two different AAA groups, one AAA_GROUP that request normal authentication to TACACs for all telnet session and one EXCEPTION with authentication "none" and exec "local". The configuration should be something like this:
aaa new-model
aaa group server tacacs+ AAA_GROUP
server-private A.B.C.D key 7 ###################
ip tacacs source-interface Loopback0
aaa authentication login default group AAA_GROUP local
aaa authentication login EXCEPTION none
aaa authentication enable default group AAA_GROUP enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group AAA_GROUP local
aaa authorization exec EXCEPTION local
aaa authorization commands 15 default group AAA_GROUP none
aaa accounting exec default start-stop group AAA_GROUP
aaa accounting commands 15 default stop-only group AAA_GROUP
aaa accounting connection default stop-only group AAA_GROUP
aaa accounting system default start-stop group AAA_GROUP
aaa session-id common
Then match in some way all telnet session with source IP of the external device with the group EXCEPTION and the rest with AAA_GROUP. Finally, configure only a "password" in the VTY lines so when the device attempt to loggin in the group EXCEPTION with no authentication and loggin local will be just requested to set the "password".
The main issue is do this AAA groups discrimination between AAA_GROUP and EXCEPTION lists per source IP of the host originating the telnet session to my router. Is that possible?
Thanks in advance for your support.
Hi,
problem is in you config, both class are pointing to same VIP and PORT, so first class will be only HIT.
try this confgiuration
policy-map type loadbalance first-match NON_AUTHENT_PM
class NON_AUTHENT_CM --------for desired client source IP's
serverfarm PROXY_HTTP_SF
nat dynamic 6 vlan 1601 serverfarm primary
class class-default ------for rest of client IP's
serverfarm PROXY_HTTP_SF
nat dynamic 5 vlan 1601 serverfarm primary
and remove NAT from multi-match policy. use single class, so rest of config will be
serverfarm host PROXY_HTTP_SF
description Proxied Internet Connections
probe PROXY_HTTP_PROBE
fail-on-all
rserver ELFCPRXY1
inservice
rserver ELFCPRXY2
inservice
rserver ELFCPRXY3
inservice
class-map match-any NONAUTHENT_HTTP_VIP
3 match virtual-address 10.10.240.5 tcp eq 80
class-map type http loadbalance match-any NON_AUTHENT_CM
description Subnets from which Internet Authentication is not Required
3 match source-address 10.10.16.0 255.255.240.0
4 match source-address 10.10.32.0 255.255.240.0
5 match source-address 10.10.48.0 255.255.240.0
policy-map type loadbalance first-match NON_AUTHENT_PM
class NON_AUTHENT_CM
serverfarm PROXY_HTTP_SF
nat dynamic 6 vlan 1601 serverfarm primary
class class-default
serverfarm PROXY_HTTP_SF
nat dynamic 5 vlan 1601 serverfarm primary
policy-map multi-match LOAD_BAL
class NONAUTHENT_HTTP_VIP
loadbalance vip inservice
loadbalance policy NON_AUTHENT_PM
loadbalance vip icmp-reply
Hope this help
Similar Messages
-
Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?
I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
I also tried assigning multiple aaa-server groups into the tunnel-group authentication-server-group but that also did not work. I finally tried to create a separate tunnel-group and assigning it the same group-alias but the ASA will not allow me to assign the same group-alias to different tunnel-group. What is the best way to accomplish this without having to create a new group-alias that will show up and possible confuse the dumb users requiring this access? Please help.If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server.
You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way? -
I have setup ACS 4.2 and when I run
router# test aaa group tacacs+ myuser mypasswd [ legacy | new-code]
Both options work fine
But when I try and login, over telnet, the request reaches the aaa server, but returns fail !
My commands are :-
tacacs-server host xx.xx.xx.xx single-connection port 49
tacacs-server key xxxxxxxxxxx
aaa authentication banner ^CUnauthorized access forbidden^C
aaa authentication username-prompt "Enter Username: "
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
I dont see the banner NOR the "Enter Username:" prompt.
Also a debug aaa authentication and debug aaa subsys show that the request reaches AAA, but it simply returns fail
I had the same issue in 5.1, but that was due to the tacacs+ single-connection not being set or something similar, and the error
there was "shared secret does not match", on the AAA server logs
I am still new to 4.2, so am still trying to determine where the log files are etc, but since it works with the test command, I cant
seem to understand why it fails with telnet
Any idea why this may be happning ?
ThanksI tried both the sugestion.. no luck
Below are th eoutput of debug, with some lines in BOLD to help you
find interesting lines in the log output.
Thanks
fixeddemo#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip tacacs source-interface FastEthernet0/1
tacacs-server host 10.1.7.15
tacacs-server key xxxxxxxxxx
fixeddemo#sh debugging
General OS:
TACACS+ events debugging is on
TACACS+ authentication debugging is on
TACACS+ packets debugging is on
AAA Authentication debugging is on
AAA Subsystem debugs debugging is on
fixeddemo#
Jun 17 14:15:54.666: AAA/BIND(00000072): Bind i/f
Jun 17 14:15:54.666: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:15:54.666: AAA SRV(00000072): process authen req
Jun 17 14:15:54.670: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:54.670: TPLUS: Queuing AAA Authentication request 114 for processin
g
Jun 17 14:15:54.670: TPLUS: processing authentication start request id 114
Jun 17 14:15:54.670: TPLUS: Authentication start packet created for 114()
Jun 17 14:15:54.670: TPLUS: Using server 10.1.7.15
Jun 17 14:15:54.670: TPLUS(00000072)/0/NB_WAIT/45585278: Started 5 sec timeout
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 24 (0x18)
Jun 17 14:15:54.674: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:15:54.674: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA
) data_len:0
Jun 17 14:15:54.674: T+: user:
Jun 17 14:15:54.674: T+: port: tty515
Jun 17 14:15:54.674: T+: rem_addr: 10.1.1.216
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.674: T+: End Packet
Jun 17 14:15:54.674: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
16 bytes data)
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:54.674: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:54.674: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:15:54.674: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
Jun 17 14:15:54.674: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
fixeddemo#
Jun 17 14:15:54.674: T+: msg: Username:
Jun 17 14:15:54.674: T+: data:
Jun 17 14:15:54.678: T+: End Packet
Jun 17 14:15:54.678: TPLUS(00000072)/0/45585278: Processing the reply packet
Jun 17 14:15:54.678: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:15:54.678: AAA SRV(00000072): protocol reply GET_USER for Authenticati
on
Jun 17 14:15:54.678: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo#
Jun 17 14:15:58.794: AAA SRV(00000072): process authen req
Jun 17 14:15:58.794: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:15:58.794: TPLUS: Queuing AAA Authentication request 114 for processin
g
Jun 17 14:15:58.794: TPLUS: processing authentication continue request id 114
Jun 17 14:15:58.794: TPLUS: Authentication continue packet generated for 114
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:15:58.794: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Jun 17 14:15:58.794: T+: session_id 3123693045 (0xBA2FC5F5), dlen 10 (0xA)
Jun 17 14:15:58.794: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Jun 17 14:15:58.794: T+: User msg:
Jun 17 14:15:58.794: T+: User data:
Jun 17 14:15:58.794: T+: End Packet
Jun 17 14:15:58.794: TPLUS(00000072)/0/WRITE: wrote entire 22 bytes request
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
16 bytes data)
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:15:58.798: TPLUS(00000072)/0/READ: read entire 28 bytes response
Jun 17 14:15:58.798: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Jun 17 14:15:58.798: T+: session_id 3123693045 (0xBA2FC5F5), dlen 16 (0x10)
fixeddemo#
Jun 17 14:15:58.798: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Jun 17 14:15:58.798: T+: msg: Password:
Jun 17 14:15:58.798: T+: data:
Jun 17 14:15:58.798: T+: End Packet
Jun 17 14:15:58.798: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:15:58.798: TPLUS: Received authen response status GET_PASSWORD (8)
Jun 17 14:15:58.798: AAA SRV(00000072): protocol reply GET_PASSWORD for Authenti
cation
Jun 17 14:15:58.798: AAA SRV(00000072): Return Authentication status=GET_PASSWOR
D
fixeddemo#
Jun 17 14:16:02.502: AAA SRV(00000072): process authen req
Jun 17 14:16:02.502: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:02.502: TPLUS: Queuing AAA Authentication request 114 for processin
g
Jun 17 14:16:02.502: TPLUS: processing authentication continue request id 114
Jun 17 14:16:02.502: TPLUS: Authentication continue packet generated for 114
Jun 17 14:16:02.502: TPLUS(00000072)/0/WRITE/47194394: Started 5 sec timeout
Jun 17 14:16:02.502: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Jun 17 14:16:02.502: T+: session_id 3123693045 (0xBA2FC5F5), dlen 14 (0xE)
Jun 17 14:16:02.502: T+: AUTHEN/CONT msg_len:9 (0x9), data_len:0 (0x0) flags:0x0
Jun 17 14:16:02.502: T+: User msg:
Jun 17 14:16:02.502: T+: User data:
Jun 17 14:16:02.502: T+: End Packet
Jun 17 14:16:02.506: TPLUS(00000072)/0/WRITE: wrote entire 26 bytes request
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
6 bytes data)
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:02.550: TPLUS(00000072)/0/READ: read entire 18 bytes response
Jun 17 14:16:02.550: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Jun 17 14:16:02.554: T+: session_id 3123693045 (0xBA2FC5F5), dlen 6 (0x6)
fixeddemo#
Jun 17 14:16:02.554: T+: AUTHEN/REPLY status:2 flags:0x0 msg_len:0, data_len:0
Jun 17 14:16:02.554: T+: msg:
Jun 17 14:16:02.554: T+: data:
Jun 17 14:16:02.554: T+: End Packet
Jun 17 14:16:02.554: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:02.554: TPLUS: Received authen response status FAIL (3)
Jun 17 14:16:02.554: AAA SRV(00000072): protocol reply FAIL for Authentication
Jun 17 14:16:02.554: AAA SRV(00000072): Return Authentication status=FAIL
fixeddemo#
[ The output below is for the next Username: prompt I believe]Jun 17 14:16:04.554: AAA/AUTHEN/LOGIN (00000072): Pick method list 'default'
Jun 17 14:16:04.554: AAA SRV(00000072): process authen req
Jun 17 14:16:04.554: AAA SRV(00000072): Authen method=SERVER_GROUP tacacs+
Jun 17 14:16:04.554: TPLUS: Queuing AAA Authentication request 114 for processin
g
Jun 17 14:16:04.554: TPLUS: processing authentication start request id 114
Jun 17 14:16:04.554: TPLUS: Authentication start packet created for 114()
Jun 17 14:16:04.554: TPLUS: Using server 10.1.7.15
Jun 17 14:16:04.554: TPLUS(00000072)/0/NB_WAIT/47194394: Started 5 sec timeout
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: socket event 2
Jun 17 14:16:04.558: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Jun 17 14:16:04.558: T+: session_id 2365877689 (0x8D046DB9), dlen 24 (0x18)
Jun 17 14:16:04.558: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Jun 17 14:16:04.558: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:10 (0xA
) data_len:0
Jun 17 14:16:04.558: T+: user:
Jun 17 14:16:04.558: T+: port: tty515
Jun 17 14:16:04.558: T+: rem_addr: 10.1.1.216
Jun 17 14:16:04.558: T+: data:
Jun 17 14:16:04.558: T+: End Packet
Jun 17 14:16:04.558: TPLUS(00000072)/0/NB_WAIT: wrote entire 36 bytes request
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.558: TPLUS(00000072)/0/READ: Would block while reading
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 12 header bytes (expect
43 bytes data)
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: socket event 1
Jun 17 14:16:04.562: TPLUS(00000072)/0/READ: read entire 55 bytes response
Jun 17 14:16:04.562: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Jun 17 14:16:04.562: T+: session_id 2365877689 (0x8D046DB9), dlen 43 (0x2B)
Jun 17 14:16:04.562: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Jun 17 14:16:04.562: T+: msg: 0x0A User Access Verification 0x0A 0x0A Usernam
e:
fixeddemo#
Jun 17 14:16:04.562: T+: data:
Jun 17 14:16:04.562: T+: End Packet
Jun 17 14:16:04.562: TPLUS(00000072)/0/47194394: Processing the reply packet
Jun 17 14:16:04.562: TPLUS: Received authen response status GET_USER (7)
Jun 17 14:16:04.562: AAA SRV(00000072): protocol reply GET_USER for Authenticati
on
Jun 17 14:16:04.562: AAA SRV(00000072): Return Authentication status=GET_USER
fixeddemo# -
Same number range for two different series groups?
Dear all,
There are two scenarios
1.Normal export under bond case, series group is 20 and number range maintained,running number is 300016
2.Another scenario,where ARE1 document generation for Deemed exp customer(already customised) , series group is 30.
But, client requirement is , for this second scenario also, system should pickup running number range of series group 20(under bond case) as per excise legal requirement
Ie running number is for series group 20 is 300016
For the above deemed exp case (second scenario)it should pickup 300017
And again when they do under bond case(first scenario), it should pick up 300018 like that
Is it possible to maintain the same number range for two different series groups(20 and 30)?
Even if you maintain the same number range for 30, as per running number range of 20
Will the system update simultaneously the same number range for 20 and 30 series groups?
Please suggest the way.With two different series groups, it is not possible to have the same number range. Even if you maintain it, they will be treated independently.
Normally, you should not use different series groups if the same number range has to be used. In fact, the concept of series group has been developed to ensure that number ranges can be maintained separately.
Regards,
Aroop -
N+1 redundancy and different mobility groups
Is it possible to backup 2 controllers with 2 different mobility groups (for example GROUP1 and GROUP2) to the same backup controller (running HA SKU N+1 (7.4)) ?
Since a controller can only be configured in 1 mobility group, this doesn't seem to be possible. Can someone confirm ?
regards,
GeertHello,
As per your query i can suggest you the following solution-
In all Wireless LAN Controller (WLC) versions earlier than 4.2.61.0, when a WLC goes "down," the LAP registered to this WLC can failover only to another WLC of the same Mobility Group, if the LAP is configured for failover. From Cisco WLC version 4.2.61.0 and later, a new feature called Backup Controller Support is introduced for access points to failover to controllers even outside the Mobility Group. Refer to Wireless LAN Controller and Light Weight Access Points Failover Outside the Mobility Group Configuration Example for more information.
Hope this will help you. -
WRP1 considering Articles with different Purchase group
Hi
Gurus,
We
are facing issue in WRP1 program, in production system one STO is created
for many articles with different purchase group with same site,
But
My understanding is that when replenishment happens, different STOs will
be created for different purchase group for same site and client is also
expecting same thing...
Issue
- In STO articles are belongs to same site but different purchase
group, in PO header its updated purchase group as 002 but if check line items
Articles are from many purchase group like, 001 , 002 , 003 etc....
When
in header its showing purchase group as 002 it should consider articles
with same purchase group but its combining all articles belongs to same site
irrespective of purchase group.
Kindly advise
Regards,
VinayHi Vinay,
It's standard system behaviour. PO group on header level is for reporting purposes, it's not scoping the allowed articles on the item lines. Therefore, WRP1 creates the STO with a mixture of articles of several purchase groups.
Perhaps this apporach might be feasible for your challenge:
- In stead of creating STO, create purchase requisition as follow on document from WRP1 processing (see Store Order Control in SPRO);
- after WRP1 processing, run ME59N (also possible in background) for the purch. reqs. created in WRP1 with the parameter 'Per purchasing group' (and perhaps also 'Per site'). This should result in STO's per site/purchase group.
Regards,
Johan -
Rehire contingent worker to employee into a different business group
How to rehire contingent worker as an employee to a different business group programatically. I used hr_employee_api.hire_into_job to rehire into the same BG.
Can any one suggest a solution ?
Regards
ThomasHi,
I got the answer to my question. We can use the party_id of the existing record in per_all_people_f in the create_person API and pass all the values like business_group_id and other details and the CWK will be rehired as an employee in a different BG.
From PUI, we can hire the CWK into a different BG by entering his last name national_identifier and enter the employee type and save, then there will be a popup showing the EMP/CWk matching the criteria in different BGs and select the appropriate emp/cwk and you can rehire them
Regards
Thomas -
Design: different AP Groups for different SSIDs?!
Imagine I have different requirements for the AP Groups for different SSIDs
I suppose I can't have different AP Groups for different SSIDs?!
Imagine I have to many Clients to use one single VLAN for one SSID. So I will use AP Groups.
For SSIDâXâ
Let's say I have 5 buildings with 800 Users, so I make a AP Group per Building and tell those APs that they are in that group.
For SSIDâYâ
All though I have this SSID also in all 5 buildings, I only have very view Users, so I could make one single VLAN which makes everything easier.
Am I obligated now to create 5 VLANs for SSIDâYâ too?!
*This is a made up example. In reality I would make different numbers of AP Groups for different SSIDs because I have significantly different number of Clients⦠and traffic characteristics (more or less broadcast).
But it's also about the size of the VLANs, do I make a view large Broadcast Domains (VLANs) or more small ones.
Greetings, AndiYou can have a setup like this if you want:
AP Group 1
SSID X Vlan 10
SSID Y Vlan 21
SSID Z Vlan 31
AP Group 2
SSID X Vlan 10
SSID Y Vlan 22
SSID Z Vlan 31
AP Group 3
SSID X Vlan 10
SSID Y Vlan 23
SSID Z Vlan 32
AP Group 4
SSID X Vlan 10
SSID Y Vlan 24
SSID Z Vlan 32
AP Group 5
SSID X Vlan 10
SSID Y Vlan 25
SSID Z Vlan 33
AP Group 6
SSID X Vlan 10
SSID Y Vlan 26
SSID Z Vlan 33
Here is a link, which you probably already saw.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml -
Receive connector 'Connector Name' rejected an incoming connection from IP address "IP of our load balancer". The maximum number of connections per source ('20') for this connector has been reached by this source IP address.
I understand that I can up the limit - however, I'm wondering if there is a way to up the limit for ONE specific IP (our load balancer)
TAGIt does not look like you can up the limit for a specific IP but you might be able to create a separate receive connector for that IP address (and then change the limit).
That is just a thought. Others may have more input on why you may or may not want to do that in practice.
What SMTP traffic would not be coming from the load balancer?
Is the objective to *not* allow some other (possibly malicious) source from creating excessive connections to the server?
Otherwise, this is a good discussion about the different parameters that must be considered if you do decide to adjust the values (changing one may not suffice):
http://letsexchange.blogspot.com/2012/04/receive-connector-rejected-incoming.html
Nuno Mota's blog (MVP)
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. -
Copying a query from different user group
masters,
is it possible to copy a query from different user group?
if so please tell me how
thnks!The query made from SQVI is only intended for individual use. It cannot be transported and there is no concept of Global/Standard area. To be able to transport or share the query to other users is by converting it to SAP Query wherein the source of data will also be converted to an Infoset. Remember that is done in the Standard query area. To do this, go to SQVI-> click SAP Query then go to menu Query -> Convert Quickviews... Select your Quickview queries and provide and infoset name.
-
Two different HASH GROUP BY in execution plan
Hi ALL;
Oracle version
select *From v$version;
BANNER
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
PL/SQL Release 11.1.0.7.0 - Production
CORE 11.1.0.7.0 Production
TNS for Linux: Version 11.1.0.7.0 - Production
NLSRTL Version 11.1.0.7.0 - ProductionSQL
select company_code, account_number, transaction_id,
decode(transaction_id_type, 'CollectionID', 'SettlementGroupID', transaction_id_type) transaction_id_type,
(last_day(to_date('04/21/2010','MM/DD/YYYY')) - min(z.accounting_date) ) age,sum(z.amount)
from
select /*+ PARALLEL(use, 2) */ company_code,substr(account_number, 1, 5) account_number,transaction_id,
decode(transaction_id_type, 'CollectionID', 'SettlementGroupID', transaction_id_type) transaction_id_type,use.amount,use.accounting_date
from financials.unbalanced_subledger_entries use
where use.accounting_date >= to_date('04/21/2010','MM/DD/YYYY')
and use.accounting_date < to_date('04/21/2010','MM/DD/YYYY') + 1
UNION ALL
select /*+ PARALLEL(se, 2) */ company_code, substr(se.account_number, 1, 5) account_number,transaction_id,
decode(transaction_id_type, 'CollectionID', 'SettlementGroupID', transaction_id_type) transaction_id_type,se.amount,se.accounting_date
from financials.temp2_sl_snapshot_entries se,financials.account_numbers an
where se.account_number = an.account_number
and an.subledger_type in ('C', 'AC')
) z
group by company_code,account_number,transaction_id,decode(transaction_id_type, 'CollectionID', 'SettlementGroupID', transaction_id_type)
having abs(sum(z.amount)) >= 0.01explain plan
Plan hash value: 1993777817
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time | TQ |IN-OUT| PQ Distrib |
| 0 | SELECT STATEMENT | | | | 76718 (100)| | | | |
| 1 | PX COORDINATOR | | | | | | | | |
| 2 | PX SEND QC (RANDOM) | :TQ10002 | 15M| 2055M| 76718 (2)| 00:15:21 | Q1,02 | P->S | QC (RAND) |
|* 3 | FILTER | | | | | | Q1,02 | PCWC | |
| 4 | HASH GROUP BY | | 15M| 2055M| 76718 (2)| 00:15:21 | Q1,02 | PCWP | |
| 5 | PX RECEIVE | | 15M| 2055M| 76718 (2)| 00:15:21 | Q1,02 | PCWP | |
| 6 | PX SEND HASH | :TQ10001 | 15M| 2055M| 76718 (2)| 00:15:21 | Q1,01 | P->P | HASH |
| 7 | HASH GROUP BY | | 15M| 2055M| 76718 (2)| 00:15:21 | Q1,01 | PCWP | |
| 8 | VIEW | | 15M| 2055M| 76116 (1)| 00:15:14 | Q1,01 | PCWP | |
| 9 | UNION-ALL | | | | | | Q1,01 | PCWP | |
| 10 | PX BLOCK ITERATOR | | 11 | 539 | 1845 (1)| 00:00:23 | Q1,01 | PCWC | |
|* 11 | TABLE ACCESS FULL | UNBALANCED_SUBLEDGER_ENTRIES | 11 | 539 | 1845 (1)| 00:00:23 | Q1,01 | PCWP | |
|* 12 | HASH JOIN | | 15M| 928M| 74270 (1)| 00:14:52 | Q1,01 | PCWP | |
| 13 | BUFFER SORT | | | | | | Q1,01 | PCWC | |
| 14 | PX RECEIVE | | 21 | 210 | 2 (0)| 00:00:01 | Q1,01 | PCWP | |
| 15 | PX SEND BROADCAST | :TQ10000 | 21 | 210 | 2 (0)| 00:00:01 | | S->P | BROADCAST |
|* 16 | TABLE ACCESS FULL| ACCOUNT_NUMBERS | 21 | 210 | 2 (0)| 00:00:01 | | | |
| 17 | PX BLOCK ITERATOR | | 25M| 1250M| 74183 (1)| 00:14:51 | Q1,01 | PCWC | |
|* 18 | TABLE ACCESS FULL | TEMP2_SL_SNAPSHOT_ENTRIES | 25M| 1250M| 74183 (1)| 00:14:51 | Q1,01 | PCWP | |
Predicate Information (identified by operation id):
3 - filter(ABS(SUM(SYS_OP_CSR(SYS_OP_MSR(SUM("Z"."AMOUNT"),MIN("Z"."ACCOUNTING_DATE")),0)))>=.01)
11 - access(:Z>=:Z AND :Z<=:Z)
filter(("USE"."ACCOUNTING_DATE"<TO_DATE(' 2010-04-22 00:00:00', 'syyyy-mm-dd hh24:mi:ss') AND
"USE"."ACCOUNTING_DATE">=TO_DATE(' 2010-04-21 00:00:00', 'syyyy-mm-dd hh24:mi:ss')))
12 - access("SE"."ACCOUNT_NUMBER"="AN"."ACCOUNT_NUMBER")
16 - filter(("AN"."SUBLEDGER_TYPE"='AC' OR "AN"."SUBLEDGER_TYPE"='C'))
18 - access(:Z>=:Z AND :Z<=:Z)I have few doubts regarding this execution plan and i am sure my questions would get answered here.
Q-1: Why am i getting two different HASH GROUP BY operations (Operation id 4 & 7) even though there is only a single GROUP BY clause ? Is that due to UNION ALL operator that is merging two different row sources and HASH GROUP BY is being applied on both of them individually ?
Q-2: What does 'BUFFER SORT' (Operation id 13) indicate ? Some time i got this operation and sometime i am not. For some other queries, i have observing around 10GB TEMP space and high cost against this operation. So just curious about whether it is really helpful ? if no, how to avoid that ?
Q-3: Under PREDICATE Section, what does step 18 suggest ? I am not using any filter like this ? access(:Z>=:Z AND :Z<=:Z)aychin wrote:
Hi,
About BUFFER SORT, first of all it is not specific for Parallel Executions. This step in the plan indicates that internal sorting have a place. It doesn't mean that rows will be returned sorted, in other words it doesn't guaranty that rows will be sorted in resulting row set, because it is not the main purpose of this operation. I've previously suggested that the "buffer sort" should really simply say "buffering", but that it hijacks the buffering mechanism of sorting and therefore gets reported completely spuriously as a sort. (see http://jonathanlewis.wordpress.com/2006/12/17/buffer-sorts/ ).
In this case, I think the buffer sort may be a consequence of the broadcast distribution - and tells us that the entire broadcast is being buffered before the hash join starts. It's interesting to note that in the recent of the two plans with a buffer sort the second (probe) table in the hash join seems to be accessed first and broadcast before the first table is scanned to allow the join to occur.
Regards
Jonathan Lewis
http://jonathanlewis.wordpress.com
http://www.jlcomp.demon.co.uk
To post code, statspack/AWR report, execution plans or trace files, start and end the section with the tag {noformat}{noformat} (lowercase, curly brackets, no spaces) so that the text appears in fixed format.
There is a +"Preview"+ tab at the top of the text entry panel. Use this to check what your message will look like before you post the message. If it looks a complete mess you're unlikely to get a response. (Click on the +"Plain text"+ tab if you want to edit the text to tidy it up.)
+"Science is more than a body of knowledge; it is a way of thinking"+
+Carl Sagan+ -
Table V_T500P- define different country grouping to the same company code
Hello Gurus,
When I try to update table V_T500P with different country grouping to two personnel areas that have same company code I get the following message:
"The country grpg of company code xxx has been changed. This company code is used in other pers. areas. The country grouping will also be changed. Make changes?"
How can I define two different countries to the same company code in this table?
For example-
Personnel Area DE09 (Germany), Company Code 0234 (KPG EAMER)- country grouping 01
Personnel Area DK05 (Denmark), Company Code 0234 (KPG EAMER)- country grouping 09
when I try to change the country grouping of one of the countries it changes them both with the massage I wrote above.
Thanks for your help,
Ronit.Thanks for your answer!
Actually, I know that there is a way because the initial definition in my system was: different country groupings to different company code (can I attach here a screen shot?)
But when I try to change one of the country grouping it chnages all the countries from the same company code.
Example:
In the begining it was:
Pers. Area SE01 Company code 0234, country grouping 06
Pers. Area IL03 Company code 0234, country grouping IL
Pers. Area DE03 Company code 0234, country grouping 01
Now if I'm trying to chage the country grouping of Pers. Area IL03 from IL to 05 (for example), it changes everything. I know there is a way to change it without changing them all. I just don't know what is the way...
I will appriciate if someone can help!
Thanks,
Ronit. -
HT4914 How is ITunes Match different than simply being a iCloud user?
I have an iCloud account which seems to get my music to all my devices. How is iTunes Match different aside from storage in the cloud?
iCloud only allows you to redownload your music purchases whilst it remains in your country's store. With iTunes Match you can also upload your music from other sources (e.g. copied from CDs) and have it available in the cloud on your other devices/computers.
About iTunes Match : http://www.apple.com/itunes/itunes-match/ -
Stock report for single material contains different material groups
Hi Experts,
I have a scenario.I want to maintain material group for a material at the time of po creation.In next time i will maintain different material group for the same material.
But I want to view the the stocks for material group wise which i entered in po.Is it possible to achieve this?
Please suggest solution.
Thanks & Regards,
Deepika.Please read the KBA document 2012912 - Changeablility of the field "material group" in purchasing documents
It clearly says that material group can't be changed in case you will use material master in purchase order.
So, it is clear that you can't use different material group for material master in purchase order.
For stock report, system will only show you the material group which is assigned to the material master (MARA-MATKL). System will not look into the purchase order section (like EKPO). -
Encountering error End tag does not match start tag 'group'
Hi guys,
am a newbee to XML Publisher.
I am encountering the below error:
Creating XDO Report at: Wed May 25 16:38:14 GMT+05:30 2011
sql = select 'TEST' from dual;
description = Learning XML Reporting
port = 1561
user = apps
host = e2dscorhrmdba01.cendant.com
sid = ABGHRDEV
ReportParameters = {}
path = D:\lanosrep\XML\Output\FirstXMLReport
data_source_name = ABGHRDEV
name = FirstXMLReport
oracle.xml.parser.v2.XMLParseException: End tag does not match start tag 'group'.
at oracle.xml.parser.v2.XMLError.flushErrors1(XMLError.java:205)
at oracle.xml.parser.v2.XMLReader.popXMLReader(XMLReader.java:516)
at oracle.xml.parser.v2.NonValidatingParser.parseElement(NonValidatingParser.java:1242)
at oracle.xml.parser.v2.NonValidatingParser.parseRootElement(NonValidatingParser.java:301)
at oracle.xml.parser.v2.NonValidatingParser.parseDocument(NonValidatingParser.java:268)
at oracle.xml.parser.v2.XMLParser.parse(XMLParser.java:227)
at oracle.apps.xdo.dataengine.DataProcessor.getSQLSchema(DataProcessor.java:528)
at oracle.apps.xdo.dataengine.DataProcessor.writeXMLSchema(DataProcessor.java:476)
at CreateXDOReport.createXDOReport(CreateXDOReport.java:164)
at CreateXDOReport.process(CreateXDOReport.java:108)
at CreateXDOReport.main(CreateXDOReport.java:298)
I have tried reinstalling the patch but of no use.
Please guide me.I changed the sql query
select 'TEST' from dual;
to select 'TEST' from dual
It is working fine now :)
Maybe you are looking for
-
Adobe Photoshop CS4 Extreme Lag?
Hello everyone! I've been a fan of Adobe for quite some time and started using it the first day in my new school. (We were given laptops with CS4 installed for free.) Now the thing is, 2 years has gone and I've recently gotten a new computer and I re
-
External Monitor Viewing - ALL FRAMES Unchecked
Hello FCP gurus I cannot get a video signal on my external monitor. For some reason I have lost the ability to check the ALL FRAMES option in the View Menu under External Video. Each time I click ALL FRAMES it stays in the OFF mode. I think this may
-
External Table error in Oracle9i Database
Hi List, Please see the following errors and guide me that how can I resolve these errors? SQL> CREATE OR REPLACE DIRECTORY EXT_TABLE 2 AS 'G:\'; Directory created. 1 CREATE TABLE ORDER_ITEM_EXT 2 ( ORDER_ID NUMBER(12), LINE_ITEM_ID NUMBER(3), PRODUC
-
Create pool ....... weblogic.Admin
Hi Weblogic 8.1 sp2 I am trying to create connection pool through weblogic.Admin command and i m getting error message. Command java weblogic.Admin -username system -password XXXX -url t3://myserevr:9002 CREATE_POOL -poolName rConnectionPool url=jdbc
-
acabo de adquirir mi nuevo macbook pro y cuando he instalado mi logic express 9 me dice que mi versión no es compatible con mi mac os, que puedo hacer?