Ping transmits first packet, fails to rereceive

I'm trying to connect to a hosted server via FTP. Couldn't get it going, so I tried pinging it in the Terminal. It doesn't receive packets. FTP'ing and pinging it work fine from my Windows machine, so it's not the server. My Apple network appears fine otherwise - I'm connecting to the net on Firefox without a problem. I'm new to Apple (about 3 days on OS X) and a dilettante when it comes to networking - do I need to open a port, change my network settings ... ?
Thanks!

Ping and FTP are two separate entities that use totally different ports. Some network hardware will allow pinging through it, others won't. It depends on the hardware and also the network provider (ISP) as to whether it is allowed. Most firewalls, if the owner is smart, do not respond to an unsolicited ping from the outside. This is why I mentioned stateful packet inspection. SPI keeps track of all requests from the "inside" hosts. If it doesn't have an associated request for the incoming response from the "outside", it rejects it. This is usually set for all traffic coming from the outside. If a router/firewall does not have this, it is worthless as far as protecting the user's network. Also, WPA2 encryption should be used for wireless. If you can only use WEP, you aren't protected at all.
If you are using the built-in Airport card on your Mac, and connecting to your router, I think what you are really seeing, is the Mac reporting both your "inside" IP address and your "outside" IP address ( the IP address your ISP gave your router ).
So if the above is correct, now we are down to figuring out if you invoked any firewall and/or settings on the Mac. Under System Preferences, Sharing, you have several tabs to make selections on. Under Services and Firewall, there is a listing for FTP. You may have invoked something there. I usually just FTP through my browser, and usually only on a PC. If you try FTP that way, you may be successful without applying any of the settings under Services or Firewall, if they are in fact, even required. I do not invoke any sharing, etc. on my Macs. Many will do so and share files back and forth with other Macs, and some enable Windows sharing. I personally leave all of it off until there is a real need. I share back drives on Windows machines with logins and passwords, and have no trouble accessing them when needed.
I went to a site where I am able to click a link to their FTP server location, using Safari. Firefox should work in a similar manner. It took a while after clicking the link, but I was eventually presented with a Finder window that had the site mounted as a drive. You may wish to access your site this way; if you haven't selected any restrictive settings, it should work.
A final FYI and/or suggestion: When posting any network information concerning your personal network info ( ISP, IP address, traceroute log... ) it is best to not. The other alternative is to X out all of the details and leave only a skeleton that a trained person can use to help you. Too much information will allow crooks the missing pieces of the puzzle. They can either use the information to spoof addresses, etc. or supply misinformation to sites they plan to attack... or use it to steal YOUR identity/info... I see it every day in the investigations I work on. Mum's the word!
Michael
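
The state tracking described in the reply above, as an added example that is not part of the original post: a minimal model of a stateful packet filter that accepts inbound packets only when they answer a request an inside host sent. The addresses, ports, timeout and class names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str       # "out" = inside -> outside, "in" = outside -> inside
    proto: str           # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0       # TCP source port (unused for ICMP)
    dport: int = 0       # TCP destination port (unused for ICMP)
    icmp_type: str = ""  # "echo-request" or "echo-reply"
    icmp_id: int = 0     # ICMP echo identifier


class StatefulFirewall:
    """Toy SPI model: one state entry per flow opened from the inside."""

    def __init__(self, idle_timeout=30.0):
        self.idle_timeout = idle_timeout
        self.state = {}  # flow key -> time the flow was last seen

    @staticmethod
    def _key(pkt):
        # Normalise both directions of a flow to the same (inside, outside) key.
        if pkt.direction == "out":
            inside, outside, iport, oport = pkt.src, pkt.dst, pkt.sport, pkt.dport
        else:
            inside, outside, iport, oport = pkt.dst, pkt.src, pkt.dport, pkt.sport
        if pkt.proto == "icmp":
            return ("icmp", inside, outside, pkt.icmp_id)
        return (pkt.proto, inside, iport, outside, oport)

    def process(self, pkt, now):
        key = self._key(pkt)
        if pkt.direction == "out":
            # Only a request opens state; an outbound echo-reply does not.
            if pkt.proto != "icmp" or pkt.icmp_type == "echo-request":
                self.state[key] = now
            return "ACCEPT"
        last_seen = self.state.get(key)
        if last_seen is None or now - last_seen > self.idle_timeout:
            self.state.pop(key, None)   # no matching request, or it expired
            return "DROP"
        if pkt.proto == "icmp" and pkt.icmp_type != "echo-reply":
            return "DROP"               # only the reply to our ping is expected
        self.state[key] = now
        return "ACCEPT"


def demo():
    fw = StatefulFirewall(idle_timeout=30.0)
    inside, outside = "192.168.1.10", "203.0.113.5"  # constructed addresses
    return [
        # Unsolicited ping from the outside: no state, dropped.
        fw.process(Packet("in", "icmp", outside, inside,
                          icmp_type="echo-request", icmp_id=7), now=0.0),
        # Inside host pings out; the matching reply is let back in.
        fw.process(Packet("out", "icmp", inside, outside,
                          icmp_type="echo-request", icmp_id=42), now=1.0),
        fw.process(Packet("in", "icmp", outside, inside,
                          icmp_type="echo-reply", icmp_id=42), now=1.1),
        # Echo reply with an identifier nobody inside used: dropped.
        fw.process(Packet("in", "icmp", outside, inside,
                          icmp_type="echo-reply", icmp_id=99), now=1.2),
        # Unsolicited inbound TCP to port 21: dropped.
        fw.process(Packet("in", "tcp", outside, inside,
                          sport=40000, dport=21), now=2.0),
        # Inside host opens an FTP control connection; return traffic passes.
        fw.process(Packet("out", "tcp", inside, outside,
                          sport=50000, dport=21), now=3.0),
        fw.process(Packet("in", "tcp", outside, inside,
                          sport=21, dport=50000), now=3.1),
        # Same return packet after the idle timeout: state is gone, dropped.
        fw.process(Packet("in", "tcp", outside, inside,
                          sport=21, dport=50000), now=60.0),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```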

Similar Messages

  • Getting "IPSEC(epa_des_crypt): decrypted packet failed SA identity check" messages on packets from only one of two far-end sources sharing the same tunnel, the other source works fine. What exactly does this error mean?

    One computer at COMPANY-A is attempting to communicate with two
    computers located at COMPANY-B, via an IPsec tunnel between the
    two companies.
    All communications are via TCP protocol.
    All devices present public IP addresses to one another, although they
    may have RFC 1918 addresses on other interfaces, and NAT may be in use
    on the COMPANY-B side.  (NAT is not being used on the COMPANY-A side.)
    The players: (Note: first three octets have been changed for security reasons)
    COMPANY-A computer      1.2.3.161
    COMPANY-A router        1.2.3.8 (also IPsec peer)
    COMPANY-A has 1.2.3.0/24 with no subnetting.
    COMPANY-B router        4.5.6.228 (also IPsec peer)
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    COMPANY-B has 4.5.6.0/23 subnetted in various ways.
    COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
    What works:
    The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
    tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
    The "show crypto session detail" command shows Inbound/Outbound packets
    flowing in the dec'ed and enc'ed positions.
    What doesn't:
    When the COMPANY-A computer 1.2.3.161 attempts to communicate
    via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
    the COMPANY-A router eventually reports five of these messages:
    Oct  9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    and the "show crypto session detail" shows inbound packets being dropped.
    The COMPANY-A computer that opens the TCP connection never gets past the
    SYN_SENT phase of the TCP connection when trying to communicate with the
    COMPANY-B computer #2, and the repeated error messages are the retries of
    the SYN packet.
    On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
    a 3725, and some 76xx routers were tried, all with similar behavior,
    with packets from one far-end computer passing fine, and packets from
    another far-end computer in the same netblock passing through the same
    IPsec tunnel failing with the "failed SA identity" error.
    The COMPANY-A computer directs all packets headed to COMPANY-B via the
    COMPANY-A router at 1.2.3.8 with this set of route settings:
    netstat -r -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    4.5.7.0         1.2.3.8         255.255.255.0   UG        0 0          0 eth3
    1.2.3.8.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
    10.1.0.0        0.0.0.0         255.255.240.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
    10.0.0.0        10.1.1.1        255.0.0.0       UG        0 0          0 eth0
    0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth3
    The first route line shown is selected for access to both COMPANY-B computers.
    The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
    configuration:
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
    crypto map COMPANY-BMAP1 10 ipsec-isakmp
    description COMPANY-B VPN
    set peer 4.5.6.228
    set transform-set COMPANY-B01
    set pfs group2
    match address 190
    interface FastEthernet0/0
    ip address 1.2.3.8 255.255.255.0
    no ip redirects
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map COMPANY-BMAP1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.2.3.1
    ip route 10.0.0.0 255.0.0.0 10.1.1.1
    ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
    access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
    access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
    bridge 1 protocol ieee
    One of the routers tried had this IOS/hardware configuration:
    Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
    RELEASE SOFTWARE (fc2)
    Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
    Processor board ID XXXXXXXXXXXXXXX
    R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
    2 FastEthernet interfaces
    4 ATM interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    55K bytes of NVRAM.
    31296K bytes of ATA System CompactFlash (Read/Write)
    250368K bytes of ATA Slot0 CompactFlash (Read/Write)
    Configuration register is 0x2102
    #show crypto sess
    Crypto session current status
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:06:26:27
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
            Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
    Version 6.1 (ScreenOS)
    We only have a limited view into the Juniper device configuration.
    What we were allowed to see was:
    COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
    set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
    set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx  proposal "pre-g2-3des-sha"
    set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
    set policy id 2539 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
    set policy id 2500 from "Trust" to "Untrust"  "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
    set policy id 2541 from "Trust" to "Untrust"  "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
    set policy id 2540 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
    COMPANY-B-ROUTER(M)->
    I suspect that this curious issue is due to a configuration setting on the
    Juniper device, but neither party has seen this error before.  COMPANY-B
    operates thousands of IPsec VPNs and they report that this is a new error
    for them too.  The behavior that allows traffic from one IP address to
    work and traffic from another to end up getting this error is also unique.
    As only the Cisco side emits any error message at all, this is the only
    clue we have as to what is going on, even if this isn't actually an IOS
    problem.
    What we are looking for is a description of exactly what the Cisco
    IOS error message:
    IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    is complaining about, and if there are any known causes of the behavior
    described that occur when running IPsec between Cisco IOS and a Juniper
    SSG device.  Google reports many other incidents of the same error
    message (but not the "I like that IP address but hate this one" behavior),
    and not just with a Juniper device on the COMPANY-B end, but for those cases,
    not one was found where the solution was described.
    It is hoped that with a better explanation of the error message
    and any known issues with Juniper configuration settings causing
    this error, we can have COMPANY-B make adjustments to their device.
    Or, if there is a setting change needed on the COMPANY-A router,
    that can also be implemented.
    Thanks in advance for your time in reading this, and any ideas.

    Hello Harish,
    It is believed that:
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    both have at least two network interfaces, one with a public IP address
    (which we are supposedly conversing with) and one with a RFC 1918 type
    address.   COMPANY-B is reluctant to disclose details of their network or
    servers setup, so this is not 100% certain.
    Because of that uncertainty, it occurred to me that perhaps COMPANY-B
    computer #2 might be incorrectly routing via the RFC 1918 interface.
    In theory, such packets should have been blocked by the access-list on both
    COMPANY-A router, and should not have even made it into the IPsec VPN
    if the Juniper access settings work as it appears they should.  So I turned up
    debugging on COMPANY-A router so that I could see the encrypted and
    decrypted packet hex dumps.
    I then hand-disassembled the decoded ACK packet IP header received just
    prior to the "decrypted packet failed SA check" error being emitted and
    found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
    in the unencapsulated packet.  I also found the expected port numbers of the TCP
    conversation that was trying to be established in the TCP header.  So, it
    looks like COMPANY-B computer #2 is emitting the packets out the right
    interface.
    The IP packet header of the encrypted packet showed the IP addresses of the
    two routers at each terminus of the IPsec VPN, but since I don't know what triggers
    the "SA check" error message or what it is complaining about, I don't know what
    other clues to look for in the packet dumps.
    As to your second question, "can you check whether both encapsulation and
    decapsulation happening in 'show crypto ipsec sa'",   the enc'ed/dec'ed
    counters were both going up by the correct quantities.  When communicating
    with the uncooperative COMPANY-B computer #2, you would also see the
    received Drop increment for each packet decrypted.  When communicating
    with the working COMPANY-B computer #1, the Drop counters would not
    increment, and the enc'ed/dec'ed would both increment.
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:54
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
            Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
    Attempt a TCP communication to COMPANY-B computer #2...
    show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:23
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
            Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
    Note Inbound "drop" changed from 5 to 6.  (I didn't let it sit for all
    the retries.)
    #show crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
       current_peer 4.5.6.228 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
        #pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 3, #recv errors 6
         local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xDF2CC59C(3744253340)
      inbound esp sas:
          spi: 0xD9D2EBBB(3654478779)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDF2CC59C(3744253340)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    The "send" errors appear to be related to the tunnel reverting to a
    DOWN state after periods of inactivity, and you appear to get one
    each time the tunnel has to be re-negotiated and returned to
    an ACTIVE state.  There is no relationship between Send errors
    incrementing and working/non-working TCP conversations to the
    two COMPANY-B servers.
    Thanks for pondering this very odd behavior.

  • Site2Site Tunnel issue IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    Hi,
    I have a slight issue I'm having some problems resolving..
    The scenario is as follows;
    I have an external provider which connects to me via VPN to a Juniper SSG firewall, that works fine.
    I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPSec via Internet to reach it.
    That also works fine and I have multiple SA's running on that site with no issues or problems.
    The external provider has a small network device deployed on the external site which monitors cooling values in one of our warehouses.
    The external site, which is connected via IPSEC, has a Cisco 1921 and numerous Cisco 3550s deployed.
    The VLAN for the cooling provider is vlan 150 and is setup with 10.150.4.0/24 where .1 is the def gw and .10 is the cooling monitor device.
    The external provider's servers are located within 192.168.220.0/24 subnet.
    As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services, ping, telnet whatnot, but we are unable to ping the cooling device from 192.168.220.0/24.
    However from the Cisco 1921, we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10
    So basically it seems to be the last bit, when the traffic goes through the 1921 and to the switch, where it fails, and I can't for the life of me figure out why.
    Network diagram attached.. any ideas?
    This is the 1921 config:
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname bergen-vpn-gw
    boot-start-marker
    boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
    boot-end-marker
    logging buffered 50000
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    aaa session-id common
    clock timezone CET 1
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
    no ipv6 cef
    no ip source-route
    ip cef
    no ip bootp server
    no ip domain lookup
    ip domain name xxxxx
    multilink bundle-name authenticated
    license udi pid CISCO1921/K9 sn FCZ1508C1P4
    license boot module c1900 technology-package securityk9
    license boot module c1900 technology-package datak9
    vtp mode client
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key harakiri address 1.2.3.4
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN 10 ipsec-isakmp
    set peer 1.2.3.4
    set transform-set 3DES-SHA
    match address VPN
    interface GigabitEthernet0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    interface GigabitEthernet0/0.99
    description *** Test VLAN To be removed ***
    encapsulation dot1Q 99
    ip address 10.90.90.1 255.255.255.0
    no ip route-cache
    interface GigabitEthernet0/0.112
    encapsulation dot1Q 112
    ip address 192.168.112.1 255.255.255.0
    ip helper-address 172.30.1.223
    no ip route-cache
    interface GigabitEthernet0/0.150
    encapsulation dot1Q 150
    ip address 10.150.4.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    no ip route-cache
    interface GigabitEthernet0/0.178
    encapsulation dot1Q 178
    ip address 192.168.178.1 255.255.255.0
    ip helper-address 172.30.1.223
    no ip redirects
    no ip proxy-arp
    no ip route-cache
    interface GigabitEthernet0/0.999
    encapsulation dot1Q 999
    no ip route-cache
    interface GigabitEthernet0/1
    ip address 1.2.3.4 255.255.255.252
    no ip redirects
    no ip proxy-arp
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    crypto map VPN
    interface FastEthernet0/0/0
    switchport access vlan 99
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Vlan1
    no ip address
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 85.200.203.29
    ip access-list extended VPN
    permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
    permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
    ip sla 1
    icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 1 start-time now
    ip sla 2
    icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 2 start-time now
    ip sla 3
    icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 3 start-time now
    ip sla 4
    icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 4 start-time now
    ip sla 5
    icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 5 start-time now
    ip sla 6
    icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 6 start-time now
    cdp source-interface GigabitEthernet0/0.112
    snmp-server community bamacomro RO
    snmp-server community bamacomrw RW
    control-plane
    banner motd ^CCC-----------------------------------------------------------------------------
    This system is solely for the use of authorised users for official purposes.
    You have no expectation of privacy in its use and to ensure that the system
    is functioning properly, individuals using this computer system are subject
    to having all their activities monitored and recorded by system personell.
    Use of this system evidence an express consent to such monitoring and
    agreement that if such monitoring reveals evidence of possible abuse or
    criminal activity, system personell may provide the result of such
    monitoring to appropiate officials.
    -----------------------------------------------------------------------------^C
    line con 0
    exec-timeout 5 0
    logging synchronous
    line aux 0
    line vty 0 4
    access-class telnet in
    exec-timeout 180 0
    logging synchronous
    transport input telnet ssh
    line vty 5 15
    access-class telnet in
    exec-timeout 180 0
    password 7 094F471A1A0A
    logging synchronous
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    I had that issue 1 year ago.
    "decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the proxy ID negotiated.
    Juniper is violating RFC4301. There is nothing we can do against an RFC violation.
    As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
    the SPD (or associated caches) MUST be consulted during the
    processing of all traffic that crosses the IPsec protection boundary,
    including IPsec management traffic.  If no policy is found in the SPD
    that matches a packet (for either inbound or outbound traffic), the
    packet MUST be discarded.
    I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
    Cheers,
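
A simplified model of the check this reply describes, added here as an example (not Cisco's implementation and not code from either thread): it parses the `local ident` / `remote ident` strings in the format shown by `show crypto ipsec sa` and tests a decrypted inner packet against the selectors of the SA it arrived on. The first SPI and its idents are taken from the output posted above; the second SPI, the unknown SPI and the failing packets are constructed for illustration and are not a diagnosis of either poster's tunnel.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    net: ipaddress.IPv4Network
    proto: int   # 0 = any protocol
    port: int    # 0 = any port

    def matches(self, addr, proto, port):
        return (ipaddress.ip_address(addr) in self.net
                and self.proto in (0, proto)
                and self.port in (0, port))


def parse_ident(text):
    """Parse an '(addr/mask/prot/port)' ident string into a Selector."""
    addr, mask, proto, port = text.strip().strip("()").split("/")
    return Selector(ipaddress.ip_network(f"{addr}/{mask}"), int(proto), int(port))


@dataclass(frozen=True)
class InboundSA:
    spi: int
    local: Selector    # what we agreed to protect on our side
    remote: Selector   # what the peer agreed to send from its side


def inbound_check(sad, spi, src, dst, proto, sport, dport):
    """Decide what happens to a packet after ESP decryption on SA `spi`."""
    sa = sad.get(spi)
    if sa is None:
        return "drop: no SA for SPI"
    # The inner header must fall inside the proxy IDs negotiated for THIS SA.
    if not sa.remote.matches(src, proto, sport):
        return "drop: failed SA identity check (inner source outside remote ident)"
    if not sa.local.matches(dst, proto, dport):
        return "drop: failed SA identity check (inner destination outside local ident)"
    return "accept"


def build_sad():
    sas = [
        # SPI and idents as posted in the 'show crypto ipsec sa' output above.
        InboundSA(0xD9D2EBBB,
                  parse_ident("(1.2.3.161/255.255.255.255/0/0)"),
                  parse_ident("(4.5.7.0/255.255.255.0/0/0)")),
        # Constructed SPI for the second crypto-map flow (9.10.11.0/24).
        InboundSA(0x11111111,
                  parse_ident("(1.2.3.161/255.255.255.255/0/0)"),
                  parse_ident("(9.10.11.0/255.255.255.0/0/0)")),
    ]
    return {sa.spi: sa for sa in sas}


def demo():
    sad = build_sad()
    tcp = 6
    cases = {
        # Inner packet matches both idents of the SA it arrived on.
        "match": (0xD9D2EBBB, "4.5.7.94", "1.2.3.161"),
        # Constructed: inner source is an RFC 1918 address, outside the remote ident.
        "private_source": (0xD9D2EBBB, "10.1.2.3", "1.2.3.161"),
        # Constructed: plausible addresses, but sent on the SA for another proxy ID.
        "wrong_sa": (0x11111111, "4.5.7.29", "1.2.3.161"),
        # Constructed: destination is not the single host in the local ident.
        "wrong_destination": (0xD9D2EBBB, "4.5.7.29", "1.2.3.162"),
        # Constructed: SPI that is not in the SA database at all.
        "unknown_spi": (0x22222222, "4.5.7.94", "1.2.3.161"),
    }
    return {name: inbound_check(sad, spi, src, dst, tcp, 443, 50000)
            for name, (spi, src, dst) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The "wrong_sa" case is the one that is easy to miss in a packet dump: the inner addresses look correct on their own, and the drop only makes sense once the packet is compared with the idents of the specific SA (SPI) that carried it.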

  • PB G4 to WRT54G Ping Times with Packet Loss!!???

    This morning when I woke up my PB G4, my Airport couldn't find my network. Found out that my father had turned off the modem and router because his Dell, which is wired to the router, had slow connection to the network (10 MB/ps or less, I think). I tried using Internet Connect using the assigned Network name and entering the WPA Personal password with no luck. So I then reset the router, configured to its original settings, and my father's Dell got a better connection, but my PB has gotten slower in connecting to sites and the page loading is considerably slower. Looked at iStumbler and it shows a lower signal and now it's showing noise, where before there was none. I ran a ping test to the router and got this.
    --- 192.168.1.1 ping statistics ---
    100 packets transmitted, 98 packets received, 2% packet loss
    round-trip min/avg/max/stddev = 1.536/2.495/26.476/3.414 ms
    The router is a WRT54G v5 with the latest firmware that I had just reflashed.

    I reset my router, changed the channel to 11 and disabled the SSID. That setting got a better but still iffy ping time with no noise.
    I tried your suggestion and got this, along with some noise.
    --- 192.168.1.1 ping statistics ---
    100 packets transmitted, 99 packets received, 1% packet loss
    round-trip min/avg/max/stddev = 1.596/4.201/33.784/6.652 ms
    Any other ideas?

  • [C4005]: Get properties from packet failed killing my sessions

    I have a broker in a state where 6 messages are delivered which "kill" the first 6 sessions listening on a particular queue (round-robin delivery sorta situation)
    These exceptions are logged only to stderr and no indication is given to my program about them other than the affected sessions never receive another message again, others do.
    When the broker or consumer service is restarted, it happens again.
    If I start the broker with a -reset messages then the problem goes away. I saved the entire broker var folder to try to find a work around to this.
    This is OpenMQ 4.5B29
    I'll include the stack traces below, anyone seen something like this or have suggestions on how to deal with this without resorting to reset of the broker?
    Could not parse properties java.io.UTFDataFormatException: malformed input around byte 11
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
    WARNING: [I500]: Caught JVM Exception: java.lang.NullPointerException
    java.io.UTFDataFormatException: malformed input around byte 11
         at java.io.DataInputStream.readUTF(Unknown Source)
         at java.io.DataInputStream.readUTF(Unknown Source)
         at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:178)
         at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
         at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
         at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
         at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
         at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
         at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
         at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
         at java.lang.Thread.run(Unknown Source)
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
    WARNING: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
    com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
         at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
         at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
         at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
         at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.NullPointerException
         at java.util.Hashtable.put(Unknown Source)
         at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:193)
         at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
         at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
         at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
         ... 5 more
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
    WARNING: [I500]: Caught JVM Exception: java.io.UTFDataFormatException: malformed input around byte 11
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
    WARNING: [C4005]: Get properties from packet failed. - cause: java.io.UTFDataFormatException: malformed input around byte 11
    com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.io.UTFDataFormatException: malformed input around byte 11
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
         at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
         at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
         at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
         at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.io.UTFDataFormatException: malformed input around byte 11
         at java.io.DataInputStream.readUTF(Unknown Source)
         at java.io.DataInputStream.readUTF(Unknown Source)
         at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:178)
         at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
         at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
         at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
         ... 5 more
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
    WARNING: [I500]: Caught JVM Exception: java.lang.NullPointerException
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
    WARNING: [I500]: Caught JVM Exception: java.io.StreamCorruptedException: invalid type code: 00
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
    WARNING: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
    com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
         at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
         at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
         at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
         at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.NullPointerException
         at java.util.Hashtable.put(Unknown Source)
         at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:193)
         at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
         at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
         at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
         ... 5 more

    From the stack trace, it looks like there is a problem with one of the message's string properties. I can't obviously see what, but this might help you track down the cause of the problem.
    When you've found out what it is about your message that's causing this exception, please log this as a bug.
    Nigel

  • I can copy and paste from mozilla to word in second attempt only first attempt fails and paste a zero sized dot on the word document

    I can copy and paste from Mozilla to Word on the second attempt only; the first attempt fails and pastes a zero-sized dot in the Word document. Moreover, I cannot drag the favicon from the address bar to my desktop.

    Maybe:
    Dafizilla Table2Clipboard: https://addons.mozilla.org/firefox/addon/1852

  • First Aid Failed while trying to re-start mac, help??

    My Mac has been frozen on the loading page and I have put in the grey disk to try and re-boot it and I was told to repair the disk once the CD was in. After having gone through part of the repair process I get a message of First Aid Failed because "The underlying task reported failure on exit (-9972)" Any help on how to get my mac fixed?? And will it involve losing all of my files on my Mac? Thanks!!

    The error you are getting means that Disk Utility cannot repair your hard drive. Apple has a note on this at http://docs.info.apple.com/article.html?artnum=302411 . Net, most people buy Disk Warrior to repair the drive, although TechTool Pro can also be bought to do that, and in most cases, Disk Warrior is able to fix the drive. There are situations, however, when they can't repair the drive. At that point, you can try and erase and install, and if that fails, you need to buy a new hard drive.
    If you can hook another mac up in target mode you may be able to back up your data, if you haven't done that recently.

  • SNP - Heuristic -First Run Fails

    Dear All,
    I am Working on SCM 5.0 SNP..
    Working on Following ..
    1. Heuristic Run
    2. Deployment
    3. Transport Load Builder (TLB)
    We are running Heuristic on Daily Basis.
    If i run Heuristic after loading new Transportation Lane (Master Data) the FIRST run fails?
    Why?
    After loading the New Transportation Lane..i always Check Low Level Code/Live Cache Consistency Check then also i am facing the above problem.
    Please help me to resolve the same.
    Regards,
    Rajesh patil

    Hi Rajesh patil,
    From your observations, it is clear that there is a time lag required by the system between updating the newly maintained master data (TL) and the start of the heuristic run.
    1)  Once the new TL is maintained, run consistency check (F9) to check for any errors
    2)  After maintaining the lane, ensure that the same is available in the active model
    3)  Once after maintaining the lane, clear all inbound and outbound queues before start of heuristic run.
    4)  Also run low level code/cons checks before start of the heuristic run.
    Please confirm with your findings.
    Regards
    R. Senthil Mareeswaran.

  • TCP packet out of state: First packet isn't SYN & Outlook is trying to retrieve data from the Microsoft Exchange Server [CAS-ARray]

    We are transitioning from Exchange 2003 to Exchange 2010.  We found Outlook online mode (non-cached mode) has many warnings "Outlook is trying to retrieve data from the Microsoft Exchange Server [CAS-ARray]", which usually happen when users try to open the address book but sometimes even on normal operations like clicking the Send button.  The problem does not affect OWA and is extremely rare when Outlook is running in cached mode.  Checking the firewall logs, we notice a lot of "TCP Packet Out of State" drops.
    We have a lot from the CAS/HT to DC/GC on TCP_3268 and LDAP.  And the errors are "TCP packet out of state: First packet isn't SYN" with tcp_flags FIN-ACK, PUSH-ACK.
    We also have a lot from CAS/HT to the Outlook Clients on the static RPC port (TCP_59933).   And the errors are "TCP packet out of state: First packet isn't SYN" with tcp_flags FIN-ACK, PUSH-ACK and RST-ACK, ACK.
    This happens even on Outlook 2010 which I thought has TCP Keep Alive implemented to keep the session active within 1 hour.
    Can somebody tell me if these out-of-state are the cause of our problem?  And how to fix it?
    THANK 1,000,000

    Hello AndyHWC,
    I did some consulting with our CAS team and received the following feedback to your post:
    It is difficult to determine what is causing resets without seeing the captures first hand however, the concern is that you are seeing dropped packets on the firewall logs.  Where is this firewall located?
    Based on the description "Check the firewall logs, we notice a lot of "TCP Packet Out of State" drops." and "We have a lot from the CAS/HT to DC/GC on TCP_3268 and LDAP." indicates to me that the firewall is between CAS and GC.  This is not supported under any circumstances and would explain the issue they are seeing with clients trying to "retrieve data from the GC".
    If there is not a firewall between the GC and CAS then a Microsoft support engineer would need to have concurrent Netmon Captures from client, CAS, GC during the issue to analyze.  If only one GC exists consider adding another GC to handle the client requests and for fault tolerance.
    Also verify that all NIC card drivers are updated to the latest driver version.
    More information about firewalls with Exchange 2007/2010:
    http://msexchangeteam.com/archive/2009/10/21/452929.aspx
    http://technet.microsoft.com/en-us/library/bb232184(EXCHG.80).aspx
    You can install the Client Access server role on an Exchange 2007 computer that is running any other server roles except for the Edge Transport server role. You cannot install the Client Access server role on a computer that is installed in a cluster. Installation of a Client Access server in a perimeter network is not supported.
    http://technet.microsoft.com/en-us/library/dd577077(EXCHG.80).aspx
    “The Installation of a Client Access Server in a Perimeter Network Is Not Supported
    Issue: You may want to install an Exchange 2007 Client Access server in a perimeter network. However, this type of installation is not supported in Exchange 2007.
    Cause: The Exchange 2007 Client Access server role is not supported in any configuration in which a firewall is located between the Client Access server and a Mailbox server or a domain controller. This includes firewall devices, firewall programs, or any program or device that is designed to restrict traffic between two network locations.
    For correct operation, Client Access servers require typical domain connectivity to domain controllers and global catalog servers. Because any devices or programs that restrict or reduce access to domain controllers or global catalog servers may affect the correct operation of the Client Access server, we do not support this type of configuration.
    Resolution: To resolve this issue, move the Client Access servers to the internal network. For more information about the ports that Exchange 2007 uses for various services, see Data Path Security Reference.”
    Thanks,
    Kevin Ca - MSFT
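
One common way a stateful firewall comes to log "First packet isn't SYN" for PUSH-ACK and FIN-ACK packets on a long-lived connection, shown as an added example that is not part of the thread: a toy connection table with an idle timeout (not any vendor's implementation). The addresses, the client port, the 3600-second timeout and the timings are constructed for illustration; only port 3268 comes from the post.

```python
# Toy model of a stateful firewall's TCP connection table (added example,
# not any vendor's implementation). Addresses and timings are constructed.

DROP = "drop: first packet isn't SYN"

class StatefulFilter:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout   # seconds an entry may stay idle
        self.table = {}                    # flow key -> time last packet seen

    @staticmethod
    def _key(src, sport, dst, dport):
        # Same key for both directions of one connection.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def process(self, ts, src, sport, dst, dport, flags):
        key = self._key(src, sport, dst, dport)
        last = self.table.get(key)
        if last is not None and ts - last > self.idle_timeout:
            del self.table[key]            # entry aged out while idle
            last = None
        if last is None:
            if flags == {"SYN"}:           # only a bare SYN may create state
                self.table[key] = ts
                return "accept"
            return DROP                    # PSH-ACK, FIN-ACK, RST-ACK, ACK ...
        if "RST" in flags:
            del self.table[key]            # simplification: RST ends the flow
        else:
            self.table[key] = ts           # any other packet refreshes the timer
        return "accept"

def replay(packets, idle_timeout):
    """Return the verdict for each (ts, src, sport, dst, dport, flags) tuple."""
    fw = StatefulFilter(idle_timeout)
    return [fw.process(*p) for p in packets]

# Constructed endpoints: a CAS server talking to a global catalog on 3268.
CAS, GC = ("192.0.2.10", 50000), ("192.0.2.20", 3268)

def pkt(ts, a, b, *flags):
    return (ts, a[0], a[1], b[0], b[1], set(flags))

HANDSHAKE = [
    pkt(0, CAS, GC, "SYN"),
    pkt(0, GC, CAS, "SYN", "ACK"),
    pkt(0, CAS, GC, "ACK"),
    pkt(5, CAS, GC, "PSH", "ACK"),
]
# The connection sits idle, then the server reuses it after 4000 s.
IDLE_THEN_REUSE = HANDSHAKE + [pkt(4000, CAS, GC, "PSH", "ACK"),
                               pkt(4001, CAS, GC, "FIN", "ACK")]
# Same flow, but a keep-alive ACK crosses the firewall every 1800 s.
WITH_KEEPALIVE = HANDSHAKE + [pkt(1800, CAS, GC, "ACK"),
                              pkt(3600, CAS, GC, "ACK"),
                              pkt(4000, CAS, GC, "PSH", "ACK")]

if __name__ == "__main__":
    for name, trace in (("idle", IDLE_THEN_REUSE), ("keepalive", WITH_KEEPALIVE)):
        print(name, replay(trace, idle_timeout=3600))
```

When reading real firewall logs, compare the gap between the last accepted packet of a flow and the first out-of-state drop against the firewall's configured TCP session timeout; keep-alives only help if they are sent more often than that timeout and actually cross the firewall.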

  • First Request fails with Error 500.00

    Good morning Pro's!
    Although I have already installed many ColdFusion releases, I'm running into a very strange problem with my ColdFusion 8.01 32bit on my Windows 2008 R2 64bit (IIS7) server:
    When I'm trying to connect to any ColdFusion Website, the FIRST request fails with a 500.00 Error -> IsapiModule - ExecuteRequestHandler - AboMapperCustom-18532 - ErrorCode: 0x800703e9. When I reload the page, the Website is running until I restart IIS and the same problem starts again.
    AppPools are configured to 32-bit Apps
    Thanks for your help!
    Mätu

    I solved the Problem
    I had to set the UserRights of the IIS_IUSRS to FullAccess for the ColdFusion Dir

  • Help First Aid Fails From Install Disk

    My I-Mac G-5 crashed and on restart is displaying the grey screen with the question mark instead of finding the os / hard drive. I rebooted again from the install disk holding down C and when I went to verify and repair the disk... the repair option wasn't selectable and when I select verify i get this message
    "First Aid failed
    "Disk Utility stopped repairing permissions on '(volume name)' because the following error was encountered: No valid packages"
    The Apple support on this topic here
    http://docs.info.apple.com/article.html?artnum=25704
    only covers when the application disk utility fails from your OS... But it's failing for me from my INSTALL Disk.
    Thanks in advance!

    That error occurs because either the /Library/Receipts/ folder has been deleted or its contents were deleted. Without that DU will not function. This is because when you repair permissions Disk Utility uses the Receipts folder on the OS X volume being repaired.
    However, it cannot fix your problem. Your problem results from damaged or corrupted system files required during startup. The only solution is to reinstall OS X. You may be able to do this without erasing the drive by doing an Archive and Install:
    How to Perform an Archive and Install
    1. Be sure to use Disk Utility first to repair the disk before performing the Archive and Install.
    Repairing the Hard Drive and Permissions
    Boot from your OS X Installer disc. After the installer loads select your language and click on the Continue button. When the menu bar appears select Disk Utility from the Installer menu (Utilities menu for Tiger.) After DU loads select your hard drive entry (mfgr.'s ID and drive size) from the left side list. In the DU status area you will see an entry for the S.M.A.R.T. status of the hard drive. If it does not say "Verified" then the hard drive is failing or failed. (SMART status is not reported on external Firewire or USB drives.) If the drive is "Verified" then select your OS X volume from the list on the left (sub-entry below the drive entry,) click on the First Aid tab, then click on the Repair Disk button. If DU reports any errors that have been fixed, then re-run Repair Disk until no errors are reported. If no errors are reported, then quit DU and return to the installer.
    If DU reports errors it cannot fix, then you will need Disk Warrior (4.0 for Tiger) and/or TechTool Pro (4.5.2 for Tiger) to repair the drive. If you don't have either of them or if neither of them can fix the drive, then you will need to reformat the drive and reinstall OS X.
    2. Do not proceed with an Archive and Install if DU reports errors it cannot fix. In that case use Disk Warrior and/or TechTool Pro to repair the hard drive. If neither can repair the drive, then you will have to erase the drive and reinstall from scratch.
    3. Boot from your OS X Installer disc. After the installer loads select your language and click on the Continue button. When you reach the screen to select a destination drive click once on the destination drive then click on the Option button. Select the Archive and Install option. You have an option to preserve users and network preferences. Only select this option if you are sure you have no corrupted files in your user accounts. Otherwise leave this option unchecked. Click on the OK button and continue with the OS X Installation.
    4. Upon completion of the Archive and Install you will have a Previous System Folder in the root directory. You should retain the PSF until you are sure you do not need to manually transfer any items from the PSF to your newly installed system.
    5. After moving any items you want to keep from the PSF you should delete it. You can back it up if you prefer, but you must delete it from the hard drive.
    6. You can now download a Combo Updater directly from Apple's download site to update your new system to the desired version as well as install any security or other updates. You can also do this using Software Update.

  • FIRST AID FAILED

    Was verifying and then repairing disk permissions then got this message:
    First Aid Failed
    Disk Utility stopped verifying Mac HD because...:
    Filesystem verify or repair failed.
    Should I be concerned?

    Start up in Safe mode - Hold Shift key at startup until halfway through the rotating gear. You will have to login. Then reboot the Mac to see if that fixed it.
    Safe boot will take 2-3 times as long as normal, so be patient.

  • ACE module only inserting X-Forwarder Header on first packet

    Hi,
    As above, I have a strange problem where if I use my proxy server to access an LB VIP then it is inserting the X-forwarding header for Each GET request.
    However if I make the request direct from my PC (not via Proxy) it inserts the header on the first packet but no subsequent packets unless I restart the browser.
    Any ideas????
    Thanks
    Scott

    Hi Scott,
    In the ACE documentation, check out the section on Configuring the ACE to Modify Headers on Every HTTP Request or Response.
    I hope this helps,
    Sean

  • Freeze-ups, problems, and "First Aid Failed"

    I've been experiencing some freeze-ups lately on my Macbook Pro. I verified and repaired disk permissions on Disk Utility, but when I went to verify the disk itself, it said "First Aid Failed". It did say "Volume Bit Map needs minor repair" and "Invalid volume free block count (It should be 815187 instead of 814946)" and "The volume Macintosh HD needs to be repaired."
    "Error: The underlying task reported failure on exit"
    "1 HFS volume checked
    Volume needs repair"
    What should I do to fix this problem? Thanks.

    Jaworski
    If you can't find anyone with the right install disks but (depending on the size of your startup volume) you can get your hands on an external drive of some kind you might want to try using CarbonCopyCloner to clone your basic system to it, selecting it as your boot volume in system preferences, booting from it, and then repairing your internal drive using Disk Utility from the cloned install.
    It's definitely not the most elegant solution, especially since you would essentially be attempting to fix a corrupted volume with a corrupted volume, but it might be worth a shot in your case due to the limited availability of your install disk.
    Just a thought.
    Max-

  • VPN Client - Pings of 1500 bytes fail?

    I have a VPN client setup into a 1700 router. My customer is complaining that they can ping devices on the office LAN however, as they increase the ping size it starts to fail.
    Any thoughts?

    Andrew
    For TCP based traffic I have found a very effective solution with the ip tcp adjust-mss command which is configured on the LAN interface(s) of the router. This command will cause the end stations to negotiate an MSS that is small enough that fragmentation will not be needed. It may take some experimentation to find the optimum value to set to eliminate fragmentation. (The amount of overhead will vary depending on some options within IPSec and whether you are doing GRE with IPSec or IPSec without GRE. I frequently use 1375 in environments using both GRE and IPSec and find that works for us.)
    For non-TCP traffic I have seen a solution which uses a route map to identify the IPSec traffic and to turn off the DF bit. This allows the packet to be fragmented as it passes through the IPSec tunnel. I have not used this solution so I can not speak to details of how it works.
    HTH
    Rick
