PFS shown as disabled in 'show crypto ipsec sa' even though configured
Hi,
I have PFS configured (at least I think) but when I do a 'show crypto ipsec sa', it says 'PFS: N' ...
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 163, #pkts encrypt: 163, #pkts digest: 163
#pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
#pkts compressed: 5, #pkts decompressed: 8
#pkts not compressed: 157, #pkts compr. failed: 1
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.10
current outbound spi: 0x2093BFD5(546553813)
PFS (Y/N): N, DH group: none
Here's the relevant config:
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 20
 lifetime 3600
crypto ipsec transform-set vpn-s2s-ts esp-aes 256 esp-sha256-hmac comp-lzs
 mode transport require
crypto ipsec profile vpn-s2s
 set transform-set vpn-s2s-ts
 set pfs group20
interface Tunnel0
 tunnel protection ipsec profile vpn-s2s
A 'show crypto map' shows it enabled AFAICT:
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 2.2.2.2
Extended IP access list
access-list permit gre host 1.1.1.1 host 2.2.2.2
Current peer: 2.2.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group20
Transform sets={
vpn-s2s-ts: { esp-256-aes esp-sha256-hmac } , { comp-lzs } ,
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
Any idea ?
Cheers,
Sylvain
Hi,
I have the same problem with an ASR1001, running asr1001-universalk9.03.10.03.S.153-3.S3-ext.bin.
I am using IKEv2 and IPSec with PFS group20. Here's the relevant config (lab):
crypto ikev2 proposal ikev2-prop_1
 encryption aes-cbc-256
 integrity sha512
 group 20
crypto ikev2 policy ikev2-pol_1
 match address local 10.10.0.1
 proposal ikev2-prop_1
crypto ikev2 profile ikev2-prof_1
 match address local interface GigabitEthernet0/0/1
 match identity remote address 10.10.0.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring_1
 dpd 10 3 on-demand
crypto ipsec profile ipsec-prof_1
 set transform-set tset_1
 set pfs group20
 set ikev2-profile ikev2-prof_1
interface Tunnel1
 ip address 10.20.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 10.10.0.2
 tunnel protection ipsec profile ipsec-prof_1
As soon as the IPSec SA is established, the "show crypto ipsec sa" command shows:
PFS (Y/N): N, DH group: none
But after the first rekeying (after default time of 3600 secs) it shows:
PFS (Y/N): Y, DH group: group20
I consider this a cosmetic problem only, since PFS is doing its job. This can be told from the debugs during the first rekeying:
000492: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking for PFS configuration
000493: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):PFS configured, DH group 20
000494: Jul 2 11:20:41.790 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
000495: Jul 2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
000496: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Request queued for computation of DH secret
000497: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Checking if IKE SA rekey
000498: Jul 2 11:20:41.798 CEST: IKEv2:(SESSION ID = 210,SA ID = 2):Load IPSEC key material
000499: Jul 2 11:20:41.798 CEST: IKEv2:(SA ID = 2):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
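A check for the mismatch discussed in this thread, as an added example (not code from either poster or from Cisco): it parses 'show crypto map' and 'show crypto ipsec sa' text, pairs the two by crypto map tag, and reports flows whose live SA does not show the PFS group the map has configured. The function names are assumptions; the sample text is trimmed from the first post.

```python
import re

# Trimmed from the first post in this thread (addresses as posted there).
SHOW_IPSEC_SA = """\
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
current_peer 2.2.2.2 port 500
current outbound spi: 0x2093BFD5(546553813)
PFS (Y/N): N, DH group: none
"""
SHOW_CRYPTO_MAP = """\
Crypto Map IPv4 "Tunnel0-head-0" 65537 ipsec-isakmp
Peer = 2.2.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group20
"""

SA_TAG_RE = re.compile(r"Crypto map tag:\s*([^,\s]+)")
SA_PEER_RE = re.compile(r"current_peer\s+(\S+)")
SA_PFS_RE = re.compile(r"PFS \(Y/N\):\s*([YN]),\s*DH group:\s*(\S+)")
MAP_HDR_RE = re.compile(r'Crypto Map (?:IPv[46])?\s*"([^"]+)"')
MAP_LIFE_RE = re.compile(r"lifetime:\s*\d+ kilobytes/(\d+) seconds")
MAP_PFS_RE = re.compile(r"^\s*PFS \(Y/N\):\s*([YN])\s*$")
MAP_DH_RE = re.compile(r"^\s*DH group:\s*(\S+)")


def parse_ipsec_sa(text):
    """One record per (crypto map tag, peer) flow in 'show crypto ipsec sa'."""
    flows, tag, cur = [], None, None
    for line in text.splitlines():
        m = SA_TAG_RE.search(line)
        if m:
            tag = m.group(1)
            continue
        m = SA_PEER_RE.search(line)
        if m:
            # pfs stays None if the output carries no PFS line for this flow
            cur = {"map": tag, "peer": m.group(1), "pfs": None, "dh_group": None}
            flows.append(cur)
            continue
        m = SA_PFS_RE.search(line)
        if m and cur is not None:
            cur["pfs"] = m.group(1) == "Y"
            cur["dh_group"] = m.group(2)
    return flows


def parse_crypto_map(text):
    """{map tag: configured PFS, DH group, SA lifetime} from 'show crypto map'."""
    maps, cur = {}, None
    for line in text.splitlines():
        m = MAP_HDR_RE.search(line)
        if m:
            cur = maps.setdefault(
                m.group(1), {"pfs": False, "dh_group": "none", "lifetime_s": None})
            continue
        if cur is None:
            continue
        m = MAP_LIFE_RE.search(line)
        if m:
            cur["lifetime_s"] = int(m.group(1))
            continue
        m = MAP_PFS_RE.match(line)
        if m:
            cur["pfs"] = m.group(1) == "Y"
            continue
        m = MAP_DH_RE.match(line)
        if m:
            cur["dh_group"] = m.group(1)
    return maps


def audit_pfs(sa_text, map_text):
    """Flows whose live SA does not show the PFS group configured on its map."""
    configured = parse_crypto_map(map_text)
    findings = []
    for flow in parse_ipsec_sa(sa_text):
        want = configured.get(flow["map"])
        if want is None or not want["pfs"]:
            continue  # PFS not configured for this map: nothing to compare
        if flow["pfs"] and flow["dh_group"] == want["dh_group"]:
            continue  # live SA matches the configured group
        if flow["pfs"] is None:
            negotiated = "unknown"
        else:
            negotiated = flow["dh_group"] if flow["pfs"] else "none"
        findings.append({
            "map": flow["map"], "peer": flow["peer"],
            "configured": want["dh_group"], "negotiated": negotiated,
            # The second post saw the display change to Y after the first
            # rekey, so re-run the check once one SA lifetime has passed.
            "recheck_after_s": want["lifetime_s"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_pfs(SHOW_IPSEC_SA, SHOW_CRYPTO_MAP):
        print(finding)
```

A finding that is still present after recheck_after_s seconds is worth following up with the debugs shown in the second post.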
Similar Messages
-
Crypto ipsec gre tunnels dropped
Hi,
From time to time lots of tunnels drop down due to:
Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 24
Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 90
Can somebody help me ?
#sho crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine VAM2+:1 details: state = Active
Capability : IPPCP, DES, 3DES, AES, RSA, IPv6
IKE-Session : 423 active, 5120 max, 0 failed
DH : 227 active, 5120 max, 0 failed
IPSec-Session : 746 active, 10230 max, 0 failed
Router:
Cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.
To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:
Create a tunnel interface (the IP address of tunnel interface on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under tunnel interface configuration, as shown:
interface Tunnel0
ip address 192.168.16.1 255.255.255.0
tunnel source
tunnel destination
Configure isakmp policies, as shown:
crypto isakmp policy 1
authentication pre-share
Configure pre share keys, as shown:
crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)
Configure transform set, as shown:
crypto ipsec transform-set strong esp-3des esp-md5-hmac
Create crypto ACL that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:
access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)
Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:
crypto map vpn 10 ipsec-isakmp
set peer
set transform-set strong
match address 120
Bind crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interface, as shown:
interface Ethernet0/0
ip address
half-duplex
crypto map vpn
Configure Network Address Translation (NAT) bypass if needed, as shown:
access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask)
access-list 175 permit ip (local private network) (subnet mask) any
route-map nonat permit 10
match ip address 175
exit
ip nat inside source route-map nonat interface (outside interface name) overload
-
Do I need 'crypto ipsec df-bit clear'?
I have a VPN tunnel between an 871 and 877, the tunnel seems to be fine, but checking the tunnel using SDM shows an error.
Checking the tunnel status... Up
Encapsulation :330231
Decapsulation :393226
Send Error :7939
Received Error :0
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not Fragmet' packets.
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
Are the send errors anything to worry about?
Do I need to issue the 'crypto ipsec df-bit clear' on the routers?
Any info would be much appreciated.
Thanks
Gareth
Hi Rick
I've got a list of icmp types from typing 'permit icmp any any ?' in IOS... there's quite a list, 57!!
How should I decide which ones to allow and which ones to block, I don't even know what they mean :-) Do Cisco publish any recommendations?
bim7dsl(config-ext-nacl)#permit icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
echo Echo (ping)
echo-reply Echo reply
fragments Check non-initial fragments
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input
interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option Match packets with given IP Options value
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
reflect Create reflexive access list entry
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
Would it be better to permit all icmp where the source is the other end of my VPN, a known fixed IP? And then deny icmp from elsewhere?
Thanks for all your help on this.
Gareth
-
EasyVPN :crypto ipsec client ezvpn xauth
Hi
Every time I reboot an easyVPN client it prompts for a username and password with the following command "crypto ipsec client ezvpn xauth".
How do I make connection persistent, so that it won't ask for username and password during next reboot.
I am using cisco 877 router as easyVPN server and Cisco 877 router as EasyVPN client.
My Easy VPN server configuration is as follows cisco 877
sh run
Building configuration...
Current configuration : 2306 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
username cisco password 5 121A0C0411045D5679
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpngrp
key cisco123
save-password
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback10
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto map clientmap
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
scheduler max-task-time 5000
ntp clock-period 17182092
ntp server 202.83.64.3
end
My cisco877 router client configuration...
sh run
Building configuration...
Current configuration : 1919 bytes
! No configuration change since last restart
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Goldcoast
boot-start-marker
boot-end-marker
no aaa new-model
dot11 syslog
ip cef
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
multilink bundle-name authenticated
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 165.228.130.43
xauth userid mode interactive
archive
log config
hidekeys
interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ez inside
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto ipsec client ezvpn ez
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
login
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 202.83.64.3
end
I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.
Siva.
Sorry for the late reply.
I am getting following error after removing xauth. Here is the error.
ay 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Current State: READY
May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
May 14 12:43:51.620: EZVPN(ez): Current State: READY
May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
May 14 12:43:53.701: EZVPN(ez): Current State: READY
May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr= Server_public_addr=
May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
May 14 12:43:55.989: EZVPN(ez): Current State: READY
May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Goldcoast(config-crypto-ezvpn)#
May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
May 14 12:43:58.009: EZVPN(ez): Current State: READY
May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Thanks,
siva.
-
Flex panel not shown as disabled.
I am creating a flex panel and a C++ plugin for Photoshop CS5 and CS6 on both Win and Mac. My C++ plugin captures events like layer selection change, document view change etc and dispatch events to flex. In flex I register these events and appropriate functions get called. All this works perfectly.
For example, when user selects another layer from Layer Palette of Photoshop my plugin dispatches an event. This event is captured in flex and a method is called. Inside this method i need to disable my panel, do some processing and then again enable my panel. This works fine on Win XP and on Photoshop CS5 but not on Mac and Win 7. And if I do a mouse over on my panel when some processing is going on then my panel is displayed as disable otherwise it is displayed as enabled. I am using the following code:
In C++ the layer selection change event is dispatched. In flex it is captured and a function "LayerChange" is called.
public function LayerChange(event:CSXSEvent):void { this.enabled = false; CursorManager.setBusyCursor(); //do some processing
this.enabled = true; CursorManager.removeBusyCursor(); }
Can someone tell me why the panel is not shown as disabled until and unless mouse moves over the panel?
Thanks
Paul,
In the future, simplifying your use case will improve your chances of getting an answer. I ran your app and ran into an infinite loop here:
while (true) {
trace("Calling draw()");
draw();
trace("Calling updateUniverse()");
updateUniverse();
The Flash Player is single-threaded. So it will not render anything while it is in the middle of a function stack. You need to trigger your updating logic with a Timer in order to see anything rendered.
Jason -
ACE4710 Show crypto files displays file size mismatch
For some reason when I compare backup and active ACE4710 certs size I have a size mismatch on 2 certs. I have done everything I can think of to eliminate this mismatch in size. I start off on the active with crypto import terminal xyz.pem which then a show crypto files displays as say 1800 then through a console session with putty I attach to the backup where I use the export from the master and run the same import command then show crypto file again where there is a significant file size difference. Could this be as a result of the serial connection versus the telnet session otherwise on the master? I know that the master is using the correct file size cert as it is up and tested where unless I do a failover to the backup I do not know the cert will work and as well crypto verify shows both sets match on active and backup? Right now I am in a warm standby state for ft as a result. Thanks.
Hi,
Figured out a fix. What I later came to realize is that I had originally uploaded through FTP the key and cert pem as one file which then the system separated (with an ultimate file size based on this procedure) did not later match my copy and paste import file size for the two already separate files. As well I was very careful about white space and verify was done on both active and backup ACEs and the key pair in question. I was able to fix the problem by exporting from the copy and paste version and then re importing to the other device also through the terminal then use the new ones in the SSL proxy config for the pair in question. Then delete the FTP uploaded cert and key. Thanks for your help.
-
Understanding output of sh crypto ipsec sa peer
Hi All,
I am a bit puzzled by why the remote ident and remote crypto endpt ID is different. I also noticed that the remote ident address matches the remote NBMA address, but just not the remote crypto endpt address. I really expected the remote crypto endpt address to be the same as the remote ident address and remote NBMA address (remote tunnel source address). Tunnel1 is an mGRE tunnel protected by IPSec.
Could anyone shed light on this?
Thanks,
David
Router#sh crypto ipsec sa peer 1.1.1.1
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
current_peer 1.1.1.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7978837, #pkts encrypt: 7978837, #pkts digest: 7978837
#pkts decaps: 7286115, #pkts decrypt: 7286115, #pkts verify: 7286115
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 14644
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1514, ip mtu 1514, ip mtu idb Loopback2
current outbound spi: 0xB96E4FB1(3111014321)
inbound esp sas:
spi: 0xB1D02649(2983208521)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3002, flow_id: Onboard VPN:2, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4501742/22874)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB96E4FB1(3111014321)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3001, flow_id: Onboard VPN:1, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4445656/22873)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The output suggests you have NAT-T in the network and IPSEC tunnel mode turned on. If the transform-set is set to transport mode, clear the crypto sessions then remote ident and crypto endpoint will be the same address.
HTH,
Dan
-
I am using a mac book pro version 10.7.5..I am not able to authorize my digital signature.It is showing crypto service provider is missing. I am in a big problem . plzzzz help me out. Thanks
You have 10.6 on that machine, I suggest you stick with it for performance, third party hardware and software reasons as long as possible.
Consider 10.8 (not 10.7) when it's released, because 10.7 and 10.8 will require a new investment in software and newer third party hardware as it requires newer drivers the old machines won't have. (forced upgrade because of software, really nice of them)
http://roaringapps.com/apps:table
Far as your Safari problem do these things until it's resolved:
1: Software Update fully under the Apple menu.
2: Check the status of your plug-ins and update (works for all browsers) also install Firefox and see if your problems continue. You should always have at least two browsers on the machine just in case one fails.
https://www.mozilla.org/en-US/plugincheck/
Flash install instructions/problem resolution here if you need it.
How to install Flash, fix problems
3: Install Safari again from Apple's web site
https://www.apple.com/safari/
4: Run through this list of fixes, stopping with #16 and report back before doing #17
Step by Step to fix your Mac -
Privilege mode disable the show logging command
any one pls advice how to disable the show logging command through the privilege
Pls see this link,
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Regards,
~JG
Do rate helpful posts -
Disable auto show tool options
Hi -
I'm a new user of PE11, just upgraded from PE7. I've read in the forum where users say they've disabled Auto Show Tool Options (Keyboard Shortcuts post on 10/15/12). I would like to disable auto show but haven't been able to figure out how. Can someone please enlighten me? Sorry if this question has been asked before, but there were no results when I did a forum search for "Disable Auto Show Tool Options."
I also read in that same post that users who disabled auto show use the F4 key to open Tool Options and F5 to open Photo Bin. That leads me to believe that the window at the bottom of the screen - the one with icons for Photo Bin, Tool Options, Undo, Redo, etc - no longer appears at the bottom of the screen after auto show is disabled. But if that window doesn't disappear, then why press F4 to open Tool Options or F5 to open the Photo Bin when you can just click on the appropriate icon at the bottom of the screen?
Finally, if the window at the bottom of the screen does disappear when auto show is disabled, how does one engage Undo and Redo?
Thanks very much.
When the tool options panel is visible click the four-lined square at the far right and choose it from the menu there:
-
Hi all,
Is there a way to disable slide shows in iPhoto '09. I ask as I never EVER use this feature. But whenever I'm using iPhoto while running iTunes or Quicktime I always seem to accidentally start a slideshow when trying to pause/play my music or movies. This hangs iPhoto while it thinks about what it needs to do and is very frustrating.
Cheers,
Chris
Yes, this nonsensical media key conflict in all versions of iPhoto I've used has driven me crazy for a long time.
The best compromise I have come up with is to switch iTunes to Mini Player view (click the green + button on the iTunes Window, select Mini Player from the View Menu, or press Command-Shift-M) and under iTunes>Preferences...>Advanced, select Keep Mini Player on Top of All Other Windows. At least then you can be in iPhoto and easily mouse-click the play/pause and other iTunes control keys without having to switch windows around. The only problem is that the Mini Player will not be visible if you are in full screen mode in iPhoto.
-
It says the ipod is disabled and shows try again in 22 752 784 minutes
it says the ipod is disabled and shows try again in 22<752<784 minutes
Place the iOS device in Recovery Mode and then connect to your computer and restore via iTunes. The iPod will be erased.
iOS: Wrong passcode results in red disabled screen
If recovery mode does not work try DFU mode.
How to put iPod touch / iPhone into DFU mode « Karthik's scribblings
For how to restore:
iTunes: Restoring iOS software
To restore from backup see:
iOS: How to back up
If you restore from iCloud backup the apps will be automatically downloaded. If you restore from iTunes backup the apps and music have to be in the iTunes library since synced media like apps and music are not included in the backup of the iOS device that iTunes makes.
You can redownload iTunes purchases by:
Downloading past purchases from the App Store, iBookstore, and iTunes Store -
Where did my "show crypto" go?
I'm perplexed. My "show crypto" command tree seems to have disappeared from my ACE.
I am running:
dc4pt-lb-01/tier1# sh ver
Cisco Application Control Software (ACSW)
<snip>
Software
loader: Version 12.2[120]
system: Version A2(1.6a) [build 3.0(0)A2(1.6a) adbuild_08:46:04-2009/10/16_/auto/adbu-rel4/rel_a2_1_6_throttle/REL_3_0_0_A2_1_6A]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_6a.bin
installed license: ACE-VIRT-020 ACE-SEC-LIC-K9
Hardware
Cisco ACE (slot: 6)
But when I went in to check my certificates, I get:
dc4pt-lb-01/tier1# show crypto
^
% invalid command detected at '^' marker.
This is strange. The same commands work fine on another ACE running the same level of software and logged in enable mode in the same context.
The certificates are installed and working - I can browse to the VIP and verify the installed certificate from my browser.
Ah, excellent catch. That's it. We recently enabled TACACS authentication on the non-working device and apparently we need to tweak the roles. I am only in as "Network Monitor":
dc4pt-lb-01/Admin# sh role
Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
Rule Type Permission Feature
1. Permit Monitor all
2. Permit Monitor changeto
3. Deny Create exec-commands
4. Deny Create fault-tolerance
5. Deny Create pki
dc4pt-lb-01/Admin#
In my other devices I have all permissions:
dc4-lb-01/Admin# sh role
Role: Admin (System-defined)
Description: Administrator
Number of rules: 5
Rule Type Permission Feature
1. Permit Create all
2. Permit Create user access
3. Permit Create system
4. Permit Create changeto
5. Permit Create exec-commands
Role: Network-Admin (System-defined)
Description: Admin for L3 (IP and Routes) and L4 VIPs
Number of rules: 8
Rule Type Permission Feature
1. Permit Create interface
2. Permit Create routing
3. Permit Create connection
4. Permit Create nat
5. Permit Create vip
6. Permit Create config_copy
7. Permit Create changeto
8. Permit Create exec-commands
Role: Server-Maintenance (System-defined)
Description: Server maintenance, monitoring and debugging
Number of rules: 7
Rule Type Permission Feature
1. Permit Modify real
2. Permit Debug serverfarm
3. Permit Debug vip
4. Permit Debug probe
5. Permit Debug loadbalance
6. Permit Create changeto
7. Permit Create exec-commands
Role: Server-Appln-Maintenance (System-defined)
Description: Server maintenance and L7 policy application
Number of rules: 7
Rule Type Permission Feature
1. Permit Create real
2. Permit Create serverfarm
3. Permit Create loadbalance
4. Permit Create config_copy
5. Permit Create real-inservice
6. Permit Create exec-commands
7. Permit Create changeto
Role: SLB-Admin (System-defined)
Description: Administrator for all load-balancing features
Number of rules: 11
Rule Type Permission Feature
1. Permit Create real
2. Permit Create serverfarm
3. Permit Create vip
4. Permit Create probe
5. Permit Create loadbalance
6. Permit Create nat
7. Permit Modify interface
8. Permit Create config_copy
9. Permit Create exec-commands
10. Permit Create real-inservice
11. Permit Create changeto
Role: Security-Admin (System-defined)
Description: Administrator for all security features
Number of rules: 9
Rule Type Permission Feature
1. Permit Create access-list
2. Permit Create inspect
3. Permit Create connection
4. Permit Modify interface
5. Permit Create AAA
6. Permit Create nat
7. Permit Create config_copy
8. Permit Create changeto
9. Permit Create exec-commands
Role: SSL-Admin (System-defined)
Description: Administrator for all SSL features
Number of rules: 6
Rule Type Permission Feature
1. Permit Create ssl
2. Permit Create pki
3. Permit Modify interface
4. Permit Create config_copy
5. Permit Create changeto
6. Permit Create exec-commands
Role: Network-Monitor (System-defined)
Description: Monitoring for all features
Number of rules: 5
Rule Type Permission Feature
1. Permit Monitor all
2. Permit Monitor changeto
3. Deny Create exec-commands
4. Deny Create fault-tolerance
5. Deny Create pki
dc4-lb-01/Admin# -
Clq status shows quorum server offline even though the clq service is runni
Hi,
In a 2 Node + 1 QS sun cluster 3.2 cluster, clq status is showing quorum server offline even though the clq process is running on the quorum server. To make the quorum server online, I have to either remove and add the quorum server from cluster, or in case there is a failure on any one of the nodes both the nodes will reboot and once both joined to the cluster, I can see clq status showing quorum server online!!!
Why is the quorum server going offline automatically?
Any help would be highly appreciated
Many thanks in advance
Ushas Symon
Hi,
I assume you mean the scqsd process is running on the QS, right?
A QS is shown as offline if the monitor could not reach it when it last tried. This is usually due to a networking problem.
If you issue a clq status, the monitor checks again and if it can reach the QS will change its status back to online.
If this does not happen, check your logs, what kind of error message showed up.
Does clqs show on the QS show the correct information?
It is obvious, that if a node dies and the QS has been offline prior to the node death, that the other node will die as well due to lack of quorum, i.e. it has less votes than needed. You seem to have a basic networking problem or something is really wrong with your QS.
Regards
Hartmut -
Adobe Bridge will not show items in subfolder even when this option is checked.
Adobe Bridge will not show items in subfolder even when this option is checked. It works on one computer but not the other-both working on the same system/ version of adobe cc.
How can I fix this bug?
Check to see what is different between setups. You may want to reset preferences in the balky computer.