Pix6.3 can not initiate isakmp packet
Hi,
I have a pix515E and 2 pix535 (failover), all running pix6.3. Every time I build up an L2L vpn tunnel with the other end, I cannot initiate the phase 1 isakmp SA by pinging from my encrypto server to the other side's encrypto server; the other side, however, can ping my encrypto server to initiate the vpn tunnel.
I would very much appreciate it if you can help me with this.
yufeng
Your description of the symptoms sounds like there is some difference between the access list that you use to identify traffic for the VPN tunnel and the access list being used on the other end. Can you post your access list (and perhaps the other parts of the config) and the corresponding parts from the other end? This may help us to identify the cause of your issue.
HTH
Rick
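The comparison suggested in the reply above, as an added example that is not part of the original thread: it parses the `access-list` lines that select VPN traffic on each peer and reports entries that are not exact mirror images (source and destination swapped) of an entry on the other end. The ACL names, addresses and both sample configurations are constructed for illustration, and only `permit` lines with `any`, `host` or network/mask address forms are handled.

```python
import ipaddress

# Constructed sample configs (not from the thread). The local end covers
# 10.2.0.0/16 while the peer only mirrors 10.2.2.0/24.
LOCAL_CONFIG = """
access-list vpn_l2l permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list vpn_l2l permit ip host 10.1.1.50 host 10.2.9.9
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
"""
REMOTE_CONFIG = """
access-list to_hq permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list to_hq permit ip host 10.2.9.9 host 10.1.1.50
"""


def _take_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX/ASA ACLs carry a subnet mask after the network address.
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_crypto_acl(config_text, acl_name):
    """Return [(protocol, source_net, dest_net)] for permit lines of acl_name."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_name:
            continue
        i = 3 if t[2] == "extended" else 2  # keyword used on 7.x+, absent on 6.3
        if t[i] != "permit":
            continue  # deny lines carve out exceptions; not handled here
        src, j = _take_addr(t, i + 2)
        dst, _ = _take_addr(t, j)
        entries.append((t[i + 1], src, dst))
    return entries


def _fmt(entry):
    proto, src, dst = entry
    return f"{proto} {src} -> {dst}"


def _kind(entry, candidates):
    """'overlap' if some candidate shares address space with entry, else 'missing'."""
    proto, src, dst = entry
    for c_proto, c_src, c_dst in candidates:
        if c_proto == proto and src.overlaps(c_src) and dst.overlaps(c_dst):
            return "overlap"
    return "missing"


def compare_crypto_acls(local, remote):
    """List entries on either end that lack an exact mirror on the other end.

    Each finding is (side, entry, kind); entry is shown in that side's own
    source -> destination orientation.
    """
    findings = []
    remote_flipped = [(p, d, s) for (p, s, d) in remote]  # peer seen from our side
    for entry in local:
        if entry not in remote_flipped:
            findings.append(("local", _fmt(entry), _kind(entry, remote_flipped)))
    for flipped in remote_flipped:
        if flipped not in local:
            proto, src, dst = flipped
            findings.append(("remote", _fmt((proto, dst, src)), _kind(flipped, local)))
    return findings


if __name__ == "__main__":
    local_acl = parse_crypto_acl(LOCAL_CONFIG, "vpn_l2l")
    remote_acl = parse_crypto_acl(REMOTE_CONFIG, "to_hq")
    for side, entry, kind in compare_crypto_acls(local_acl, remote_acl):
        print(f"{side:6} {kind:8} {entry}")
```

An `overlap` finding marks the case where both ends select related traffic but with different network sizes; a `missing` finding means the other end has nothing comparable at all.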
Similar Messages
-
"computer can not initiate a multi-person video chat" ?
2 of us have MacBook Pros, third guy has new MacBook.
Our MacBook's have OS X 10.5.8,
The new MacBook has OS 10.6.1.
Me and the other person can iChat with 3 other ppl,
but when we added the new guy as a buddy, neither one of us could get him to come up.
He said When the call came in, two (2) video screens popped up and if he hit accept on
either one, it would decline on our end. (this happened no matter which MacBook Pro initiated the convo)
We then had the MacBook try to initiate the 3 way and it came up with an error that said
"computer can not initiate a multi-person video chat"
I've never even heard of that.
Is this a glitch, or a setting that needs to be changed?
Seems weird that the older models do it fine, but the new one is not configured right, but maybe we're missing something.
thx
Hi,
Welcome to the Discussions
You are saying that, no matter who Hosts, when they invite the 10.6.1 Buddy he gets two Invite windows ?
This sounds like he is connected to the Internet twice.
On Sending the Visible Invite iChat does not check the validity of the Return Message.
You can be logged in twice for Text Chatting so it is not an uncommon state to exist.
However in most cases this is either two apps or two computers.
When iChat gets past the Visible Invite stage as only one reply get returned for the Acceptance it moves into sending a SIP invite separately on a different port and part of this Process is to confirm where the Visible Invite went to is where the SIP return data is coming from.
If there are two connections to the Internet at his end (and there are several causes) you will get an Error 7 showing when the Video chat is ended by all parties.
Error 7 = Remote IP Invalid
The Message you are getting may point to another problem and that is he is not on an Internet connection fast enough to join a 3 or 4 way Video chat.
He needs to have at least 384 kbps as an Upload and not capping the iChat Bandwidth below the 500kbps mark. (iChat Preferences > Video Section > Bandwidth Limit drop down)
9:17 PM Friday; January 29, 2010
Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat" -
I can not initiate a video ichat with Lion.
I can not start a video iChat since I acquired my new iMac with Lion (10.7.2) in October 2011. Audio Chat works fine, and incoming video iChat also works normally. But on iChat there is no camera symbol, and no video available.
Connection Doctor advises me "Network Status: Router Type: Port Restricted. This computer's network setup includes one or more devises that are not fully compatible with audio and video chatting." This message arises although I have no other devices on my network!
My router was a HomeHub 2 (BT is my ISP) which worked well for iChat on my previous iMac (Snow Leopard) until I acquired my new iMac. I got a new router (HomeHub 3) today to try to rectify the problem. It did not.
Many discussions with my ISP (BT) and with Apple over the last two months have not solved the problem. If someone can help I would be extremely grateful.
Tell us more about the file.
Is it on a CD? -
Below you can find the complete message (in Dutch) that I receive:
"Kan de beveiligingscomponent van de toepassing niet initialiseren. De meest waarschijnlijke oorzaak is problemen met bestanden in de profielmap van uw toepassing. Controleer of deze map geen lees-/schrijfbeperkingen heeft en uw harde schijf niet vol of bijna vol is. Het wordt aangeraden de toepassing af te sluiten en het probleem op te lossen. Als u doorgaat met deze sessie, is het mogelijk dat u onjuist gedrag van de toepassing ziet bij het aanspreken van de beveiligingsfuncties."
I cannot open any website except my homepage. There is ample space on my hard disk.
See also https://support.mozilla.org/kb/Could+not+initialize+the+browser+security+component
Rename secmod.db (secmod.db.old) in the Firefox Profile Folder in case there is a problem with the file.
You may have to rename cert8.db (cert8.db.old) as well.
Firefox will create new files.
The "Application Data" folder in XP/Win2K and the "AppData" folder in Vista/Windows 7 are hidden folders.
*http://kb.mozillazine.org/Show_hidden_files_and_folders -
Can not initiate internal GPS on Treo Pro (850 Australia)
I am having trouble connecting GPS. Do you know why? or How?
I have tried with GOOGLE MAP and TOMTOM (ver. 6.030) and GPS signal doesn't seemed to be establish.
Post relates to: Treo Pro T850U (Unlocked)
Hi.. Welcome to the Palm forums.. The Treo Pro according to the spec list found at this link, http://www.palm.com/us/support/handbooks/Pro_UL_Datasheet.pdf . (you may have to copy and paste it into your browser), shows Expansion MicroSDHC cards (up to 32GB supported). Now I have not used a sdhc card in a pro nor do I know of anyone that has but according to palms specs on the treo pro show this as what is compatible.
-
Hi, all.
The database is 2 node RAC database (10.2.0.2.0)
on 32-bit windows 2003 EE SP1.
I found "KJC: Wait for msg sends to complete" wait event in
"Top 5 Timed Event" Section from AWR report.
What is "KJC: Wait for msg sends to complete" wait event??
The following is from UDUMP. I am not sure that "KJC : Wait .." has
something to do with the following udump trace file.
There is no error message in both alert log files and
there is no bdump trace file.
Currently, the database seems to be normal.
Dump file d:\oracle\product\10.2.0\admin\rac\udump\rac2_ora_5656.trc
Mon Sep 24 00:04:40 2007
ORACLE V10.2.0.2.0 - Production vsnsta=0
vsnsql=14 vsnxtr=3
Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Real Application Clusters, OLAP and Data Mining options
Windows Server 2003 Version V5.2 Service Pack 1
CPU : 4 - type 586, 2 Physical Cores
Process Affinity : 0x00000000
Memory (Avail/Total): Ph:5278M/8190M, Ph+PgF:6596M/10041M, VA:316M/2047M
Instance name: rac2
Redo thread mounted by this instance: 2
Oracle process number: 64
Windows thread id: 5656, image: ORACLE.EXE (SHAD)
*** 2007-09-24 00:04:40.156
*** ACTION NAME:() 2007-09-24 00:04:40.156
*** MODULE NAME:(OEM.SystemPool) 2007-09-24 00:04:40.156
*** SERVICE NAME:(RAC.world) 2007-09-24 00:04:40.156
*** CLIENT ID:() 2007-09-24 00:04:40.156
*** SESSION ID:(486.53) 2007-09-24 00:04:40.156
IPCSendMsg: could not initiate send on conn 0x5b0d3e98 to node [rac1 : 696 : 3996 : 359937], err 10054
IPCGetRequestInfo: failed a request rqh(0x5b060db8), type(6), status(2), bytes(0)
Any help will be greatly appreciated.
Thanks and Regards.
Message was edited by:
user507290
Dear Chris.
Thanks for your reply.
Does "KJC: Wait for msg sends to complete" wait event
have something to do with the following udump trace file?
I do not know how to respond to the following message in UDUMP.
There is no bdump trace file and there is no message in alert log files.
Can the following message in udump be ignored??
Or, should I take an action??
-->IPCSendMsg: could not initiate send on conn 0x5b0d3e98 to node [rac1 : 696 : 3996 : 359937], err 10054
--> IPCGetRequestInfo: failed a request rqh(0x5b060db8), type(6), status(2), bytes(0)
Thanks and Regards.
Dump file d:\oracle\product\10.2.0\admin\rac\udump\rac2_ora_5656.trc
Mon Sep 24 00:04:40 2007
ORACLE V10.2.0.2.0 - Production vsnsta=0
vsnsql=14 vsnxtr=3
Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Real Application Clusters, OLAP and Data Mining options
Windows Server 2003 Version V5.2 Service Pack 1
CPU : 4 - type 586, 2 Physical Cores
Process Affinity : 0x00000000
Memory (Avail/Total): Ph:5278M/8190M, Ph+PgF:6596M/10041M, VA:316M/2047M
Instance name: rac2
Redo thread mounted by this instance: 2
Oracle process number: 64
Windows thread id: 5656, image: ORACLE.EXE (SHAD)
*** 2007-09-24 00:04:40.156
*** ACTION NAME:() 2007-09-24 00:04:40.156
*** MODULE NAME:(OEM.SystemPool) 2007-09-24 00:04:40.156
*** SERVICE NAME:(RAC.world) 2007-09-24 00:04:40.156
*** CLIENT ID:() 2007-09-24 00:04:40.156
*** SESSION ID:(486.53) 2007-09-24 00:04:40.156
IPCSendMsg: could not initiate send on conn 0x5b0d3e98 to node [rac1 : 696 : 3996 : 359937], err 10054
IPCGetRequestInfo: failed a request rqh(0x5b060db8), type(6), status(2), bytes(0)
------------------------------------------------ -
Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet
Dear community,
quite frequently I am now receiving the following error message in my ASA 5502's log:
Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
The VPN Clients (in the last case: A linux vpnc) disconnect with message
vpnc[7736]: connection terminated by dead peer detection
The ASA reports for that <some_ip> at around the same time:
Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested
A google search did not reveal any explanation to the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message -- so my questions would be
1) What does the message exactly mean -- I know runts as a L2 problem so I'd suppose it means the same: The ISAKMP packet is somehow
crippled (I'd suppose this happens during rekeying) ?
2) Any idea where to look for the cause of this
WAN related (however I'd assume no -- why does this happen in these regular time frames as shown above)?
SW related (vpnc bug)?
Thanks in advance for any pointer...
Joachim
Yes. You need to eliminate the things I've said to eliminate with the other side. Ensure your configs are matching exactly. They probably are, whatever, just make sure of it because it's easy. You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
The more info you can have just one person responsible for the better. What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
If you're seeing them come in his interface and never come back out, you know where to look.
Set your caps to a single host to single host if need be, and generate traffic accordingly.
You need to narrow down where NOT to look so that you know where TO look. I would say then, and only then, do you get the ISP involved. Once you're sure the problem exists between his edge device and your edge device.
I do exactly this for a living on a daily basis...day after day after day. I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions. I always start the exact same way...from the very bottom. -
I can not connect to NATed address
Hi
I have a server with real address 10.173.1.242. I created a static NAT to address 10.164.32.15, but I can not connect to address 10.164.32.15 from IP 10.161.111.130. Here is the config of the ASA:
Peter
ASA Version 8.0(5)
names
interface GigabitEthernet0/0
nameif intranet
security-level 30
ip address 10.164.241.1 255.255.255.0 standby 10.164.241.2
interface GigabitEthernet0/1
nameif cdi
security-level 80
ip address 10.173.241.1 255.255.255.0 standby 10.173.241.2
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
interface GigabitEthernet0/2.491
vlan 491
nameif service491
security-level 50
ip address 10.173.1.241 255.255.255.0 standby 10.173.1.240
interface GigabitEthernet0/2.492
vlan 492
nameif service492
security-level 50
ip address 10.173.2.241 255.255.255.0 standby 10.173.2.240
interface GigabitEthernet0/2.493
vlan 493
nameif service493
security-level 50
ip address 10.173.3.241 255.255.255.0 standby 10.173.3.240
interface GigabitEthernet0/2.500
vlan 500
nameif service500
security-level 50
ip address 10.173.0.241 255.255.255.0 standby 10.173.0.240
interface GigabitEthernet0/2.550
vlan 550
nameif service550
security-level 50
no ip address
interface GigabitEthernet0/3
description LAN Failover Interface
boot system disk0:/asa805-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name t-dc.sk
access-list cdi-in extended permit icmp any any log debugging
access-list cdi-in extended deny ip any any
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 host 10.0.0.0 log debugging
access-list intranet-in extended permit ip 10.164.32.0 255.255.255.0 host 10.0.0.0 log debugging
access-list intranet-in extended deny ip any any
access-list service491-in extended permit icmp any any log debugging
access-list service491-in extended deny ip any any
access-list service492-in extended deny ip any any
access-list service493-in extended deny ip any any
access-list service500-in extended deny ip any any
access-list service550-in extended deny ip any any
access-list cap extended permit ip any any
pager lines 24
logging buffered debugging
logging trap debugging
logging asdm debugging
logging host service491 10.173.1.242
mtu intranet 1500
mtu cdi 1500
mtu service491 1500
mtu service492 1500
mtu service493 1500
mtu service500 1500
mtu service550 1500
mtu mngmt 1500
ip local pool pool1 10.31.250.129-10.31.250.255 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 172.16.10.1 255.255.255.252 standby 172.16.10.2
no monitor-interface intranet
no monitor-interface cdi
no monitor-interface mngmt
icmp unreachable rate-limit 1 burst-size 1
icmp permit any intranet
icmp permit any cdi
icmp permit any service491
icmp permit any service492
icmp permit any service493
icmp permit any service500
icmp permit any service550
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
access-group intranet-in in interface intranet
access-group cdi-in in interface cdi
access-group service491-in in interface service491
access-group service492-in in interface service492
access-group service493-in in interface service493
access-group service500-in in interface service500
access-group service550-in in interface service550
route intranet 0.0.0.0 0.0.0.0 10.164.241.5 1
route cdi 10.97.0.0 255.255.0.0 10.173.241.5 1
route cdi 10.168.0.0 255.255.0.0 10.173.241.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.t-dc.sk
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate c116474f
308201e7 30820150 a0030201 020204c1 16474f30 0d06092a 864886f7 0d010104
bce 90a3424e
f9f040e2 95c69b91 779b8a
quit
no crypto isakmp nat-traversal
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust intranet
webvpn
enable intranet
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc enable
group-policy GrpPolicy-ssl1 internal
group-policy GrpPolicy-ssl1 attributes
vpn-tunnel-protocol svc
tunnel-group ssl1 type remote-access
tunnel-group ssl1 general-attributes
address-pool pool1
default-group-policy GrpPolicy-ssl1
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:be82cd121bde8e5de3981453caa201f0
: end
I corrected "packet-tracer..."; there was a mistake, 10.161.11.130 instead of 10.161.111.130
pna-tdc1# packet-tracer input intranet tcp 10.161.111.130 1025 10.164.32.15 22
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface service491
Untranslate 10.164.32.15/0 to 10.173.1.242/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group intranet-in in interface intranet
access-list intranet-in extended permit ip 10.161.111.0 255.255.255.0 10.0.0.0 255.0.0.0 log debugging
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (service491,intranet) 10.164.32.15 10.173.1.242 netmask 255.255.255.255
match ip service491 host 10.173.1.242 intranet any
static translation to 10.164.32.15
translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2956, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.173.1.242 using egress ifc service491
adjacency Active
next-hop mac address 0014.4fed.bb6c hits 41
Result:
input-interface: intranet
input-status: up
input-line-status: up
output-interface: service491
output-status: up
output-line-status: up
Action: allow
pna-tdc1#
pna-tdc1# -
Can not ping internal network from ASA
I can not ping an internal computer from the ASA. The computer's IP address is 192.168.187.15, and its gateway is 192.168.187.14, which is the ASA internal interface. I've got an IP Phone connected to the same ASA with IP address 192.168.185.15 and internal ASA interface 192.168.185.14, and everything works fine. We are doing testing, so do not be surprised by the configuration.
ASA Version 8.2(1)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface GigabitEthernet0/0
nameif ouside3
security-level 0
ip address 10.254.17.25 255.255.255.248
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.254.17.9 255.255.255.248
interface GigabitEthernet0/2
nameif Lan
security-level 100
ip address 192.168.185.14 255.255.255.0
interface GigabitEthernet0/3
nameif comp
security-level 50
ip address 192.168.187.14 255.255.255.0
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
router eigrp 2008
neighbor 10.254.17.10 interface outside
network 10.254.17.8 255.255.255.248
network 192.168.185.0 255.255.255.0
network 192.168.187.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threat
This is what I get, looks like ASA does not reply. Why?
ciscoasa# sh capture cpi
5 packets captured
1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request -
An alert message pops up upon opening saying could not initiate application security component, and it says to check to see if profile has no read/write restrictions. Then when it opens all of my saved passwords are gone, I use a master password and it's disabled. When I try to enter in a new one it says can't change password. I can't even open yahoo e-mail, it says that my ssl security is down but when I check it it's clicked. I'm just very confused as to what's going on.
== This happened ==
Every time Firefox opened
== 5/14/2010 ==
== User Agent ==
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1064 Safari/532.5
See "Could not initialize the browser security component"
Rename (or delete) secmod.db (secmod.db.old) in the Profile Folder (http://kb.mozillazine.org/Profile_folder_-_Firefox) in case there is a problem with the file. -
Can not extract data into BW from SQL SERVER
Dear All,
I have run into a problem extracting data from a database (MS SQL Server 2000 (SP3)) into BW and cannot extract data into the BW ODS, or even the PSA. The monitor displays a yellow light (0 from 0 records); the detail messages just display "data request arranged" and "confirmed with: confirmation" in the requests (message) step; "missing message: request received" in the extract (message) step; "no data" in the processing (data packet) step, and so on. But in fact there are two records in my database test table and the DB connection is OK. I can even extract data from another test Oracle database into the BW ODS successfully.
Our BW system has two BW application servers and uses an Oracle database. One application server is located on an IBM AIX host; the other is located on an NT server. The application server on the NT server is used for data extraction from the MS SQL Server database into the BW Oracle database, and MS SQL Server and the NT-platform application server are located on the same host. DBSL was already installed on the NT application server, the DB connector was created successfully for MS SQL Server, and the datasource was also generated. The DBSL type is Kernel640-WIN-IA32bit-unicode. My BW system is ECC5.0/UNICODE/ORACLE. All table/view/field names in MS SQL Server are uppercase and do not contain any special characters, for example: ZDEMO etc.
Waiting for your help.
Thanks in advance.
Billy
Hi Ravi,
Could you help me to get knowledge about the following:
Approximately how many records are extracted and transferred from SAP R/3 to BIW in an organisation, and how much time will that take?
How to extract data from two or three source systems to BIW. Kindly help me with a step by step explanation. If there are any screen shots with documents, pls fwd to my ID. "[email protected]"
Your help highly appreciated.
Thanks.
Hema -
Hi,
When I try to deploy a bpel process using JDeveloper I'm having the following xml parse error:
Error(21):
[Error ORABPEL-10900]: xml parser error
[Description]: in line 21 of "file:/C:/JDeveloper/jdev/mywork/NERGA/CriarProjectoSA/bpel/CriarProjectoSA.bpel", XML parsing failed because file:/C:/JDeveloper/jdev/mywork/NERGA/CriarProjectoSA/bpel/CriarProjectoSA.bpel<Line 21, Column 63>: XML-24538: (Error) Can not find definition for element 'process'.
[Potential fix]: Fix the invalid XML.
I don't understand why... Any idea?
Ok.
This is my BPEL code. The sapattern tags are from a program that is generating part of the code. The JDeveloper doesn't show any error, I only get the error when I try to deploy.
<?xml version = "1.0" encoding = "UTF-8" ?>
<process name="CriarProjectoSA"
targetNamespace="http://xmlns.oracle.com/CriarProjectoSA"
suppressJoinFailure="no"
xmlns="http://xmlns.oracle.com/CriarProjectoSA"
xmlns:bpws="http://schemas.xmlsoap.org/ws/2003/03/business-process/"
xmlns:ns4="http://xmlns.oracle.com/CriarProjectoSA"
xmlns:ns7="http://xmlns.oracle.com/bpel/services/IdentityService/xpath"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ns5="http://schemas.oracle.com/xpath/extension"
xmlns:ns6="http://xmlns.oracle.com/bpel/workflow/xpath"
xmlns:ns11="http://www.oracle.com/XSL/Transform/java/oracle.tip.esb.server.headers.ESBHeaderFunctions"
xmlns:ns9="http://www.oracle.com/XSL/Transform/java/oracle.tip.pc.services.functions.ExtFunc"
xmlns:ns1="http://xmlns.oracle.com/ValidacaoProjectos"
xmlns:ns3="http://www.nerga.pt" xmlns:ns2="http://tempuri.org/"
xmlns:bpelx="http://schemas.oracle.com/bpel/extension"
xmlns:ns10="http://www.oracle.com/XSL/Transform/java/oracle.tip.pc.services.functions.Xpath20"
xmlns:ns8="http://schemas.xmlsoap.org/ws/2003/03/business-process/">
<!--Generated by Telelogic System Architect on 05/01/2007 11:06:18 by easm-->
<sapattern>
<guid>41207640-d934-480f-902a-b3764f3d9c9f</guid>
</sapattern>
<partnerLinks>
<partnerLink name="client" partnerLinkType="ns4:CriarProjectoSA"
myRole="CriarProjectoSAProvider"/>
<partnerLink name="NergaIS" partnerLinkType="ns2:ServiceSoap_PL"
myRole="ServiceSoap_Role" partnerRole="ServiceSoap_Role"/>
<partnerLink name="ValidacaoProjectos"
partnerLinkType="ns1:ValidacaoProjectos"
myRole="ValidacaoProjectosRequester"
partnerRole="ValidacaoProjectosProvider"/>
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>e728e550-f404-47bf-aa13-72429480cbc6</guid>
<guid>3111d1af-0b31-4d02-b3fc-73d14ce95405</guid>
<guid>e9cdca59-888a-4e67-af54-a63ce2347ad3</guid>
</sapattern>
</partnerLinks>
<variables>
<variable name="outputVariable"
messageType="ns4:CriarProjectoSAResponseMessage"/>
<variable name="inputVariable"
messageType="ns4:CriarProjectoSARequestMessage"/>
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>2503e820-3add-4cd1-bbc5-5cc5fff57090</guid>
<guid>8bcc3532-46b7-4e88-816f-72ecdaee76ab</guid>
</sapattern>
<variable name="invocaVP_initiate_InputVariable"
messageType="ns1:ValidacaoProjectosRequestMessage"/>
<variable name="recebeVP_onResult_InputVariable"
messageType="ns1:ValidacaoProjectosResponseMessage"/>
<variable name="InvocaAdicionarProjecto_InputVariable"
messageType="ns2:AdicionarProjectoSoapIn"/>
<variable name="InvocaAdicionarProjecto_OutputVariable"
messageType="ns2:AdicionarProjectoSoapOut"/>
</variables>
<sequence>
<receive name="recebeTemplate" joinCondition="False" partnerLink="client"
portType="ns4:CriarProjectoSA" operation="process"
variable="inputVariable" createInstance="yes">
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>e728e550-f404-47bf-aa13-72429480cbc6</guid>
<guid>68e62379-55ac-48eb-b681-aee8f5a7696d</guid>
</sapattern>
</receive>
<scope variableAccessSerializable="no" name="ValidarExigências"
joinCondition="False">
<faultHandlers>
<catchAll>
<assign name="assignInvalid">
<bpelx:append>
<bpelx:from expression="concat(ns8:getVariableData('inputVariable','payload','/ns3:Template/ns3:Projecto/ns3:Observacoes'), string('Projecto inválido!!'))"/>
<bpelx:to variable="inputVariable" part="payload"
query="/ns3:Template/ns3:Projecto/ns3:Observacoes"/>
</bpelx:append>
</assign>
</catchAll>
</faultHandlers>
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>2e56af66-6622-43e0-9adc-6d5f109cf374</guid>
</sapattern>
<sequence name="ValidarExigências" joinCondition="False">
<assign name="assignVPIn">
<copy>
<from variable="inputVariable" part="payload"/>
<to variable="invocaVP_initiate_InputVariable" part="payload"/>
</copy>
</assign>
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>2e56af66-6622-43e0-9adc-6d5f109cf374</guid>
</sapattern>
<invoke name="invocaVP" joinCondition="False"
partnerLink="ValidacaoProjectos" portType="ns1:ValidacaoProjectos"
operation="initiate"
inputVariable="invocaVP_initiate_InputVariable">
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>f3bc9c04-f4d2-4e96-acc8-7a6c88a8ced5</guid>
</sapattern>
</invoke>
<receive name="recebeVP" joinCondition="False"
partnerLink="ValidacaoProjectos"
portType="ns1:ValidacaoProjectosCallback" operation="onResult"
createInstance="no" variable="recebeVP_onResult_InputVariable">
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>e9cdca59-888a-4e67-af54-a63ce2347ad3</guid>
<guid>1eba96a8-330a-4e4d-a14b-cdf6641fa614</guid>
</sapattern>
</receive>
<assign name="assignVPOut">
<copy>
<from variable="recebeVP_onResult_InputVariable" part="payload"/>
<to variable="inputVariable" part="payload"/>
</copy>
</assign>
</sequence>
</scope>
<scope variableAccessSerializable="no" name="AdicionarProjecto"
joinCondition="False">
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>89c02eae-7788-4892-a616-e46b65ef1b50</guid>
</sapattern>
<sequence name="InvocarISAdicionarProjecto" joinCondition="False">
<assign name="assignIS">
<copy>
<from variable="inputVariable" part="payload"
query="/ns3:Template/ns3:Projecto/ns3:NomeProjecto"/>
<to variable="InvocaAdicionarProjecto_InputVariable" part="parameters"
query="/ns2:AdicionarProjecto/ns2:nome"/>
</copy>
<copy>
<from variable="inputVariable" part="payload"
query="/ns3:Template/ns3:Projecto/ns3:TipoProjecto"/>
<to variable="InvocaAdicionarProjecto_InputVariable" part="parameters"
query="/ns2:AdicionarProjecto/ns2:tipo"/>
</copy>
</assign>
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>89c02eae-7788-4892-a616-e46b65ef1b50</guid>
</sapattern>
<invoke name="InvocaAdicionarProjecto" joinCondition="False"
partnerLink="NergaIS" portType="ns2:ServiceSoap"
operation="AdicionarProjecto"
inputVariable="InvocaAdicionarProjecto_InputVariable"
outputVariable="InvocaAdicionarProjecto_OutputVariable">
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>76519bd3-c506-4c79-8190-8ff09abdd27d</guid>
</sapattern>
</invoke>
</sequence>
</scope>
<assign name="assignOutput">
<copy>
<from variable="inputVariable" part="payload"
query="/ns3:Template/ns3:Projecto"/>
<to variable="outputVariable" part="payload"/>
</copy>
</assign>
<reply name="devolveProjecto" joinCondition="False" partnerLink="client"
portType="ns4:CriarProjectoSA" operation="process"
variable="outputVariable">
<sapattern>
<!--The System Architect objects used in the pattern. To ensure traceability to System Architect DO NOT REMOVE-->
<guid>e728e550-f404-47bf-aa13-72429480cbc6</guid>
<guid>0dbefef0-3d04-4356-abbc-b291ea40d256</guid>
</sapattern>
</reply>
</sequence>
</process> -
Jabber can not enter the PIN for voice mail
I installed Cisco Jabber 8.6 on the Android mobile and registered Jabber to CUCM8.0. At the same time, CUCM8.0 is integrated with Unity Connection8.0 via SCCP. Everything is normal.
Tested by calling Jabber from any telephone: it can receive voice mail, and the Android mobile shows that there is a voice mail. Then I hear the prompt of the Connection system: "Please enter your PIN." However, in any case the PIN cannot be submitted to Unity Connection; the system prompts over and over again: "Please enter your PIN..."
I guess the mobile's dial pad is not supported by Unity Connection, or there are other reasons.
help!!!
The Android client is a SIP device and uses RFC2833 for DTMF relay. Unity Connection supports RFC2833 when integrated with either SCCP or SIP. The first question that comes to mind: is the call invoking a transcoder/MTP that would be in the media path? For example, if Jabber is using G.729 and you haven't enabled that on CXN or you're requiring a TRP.
I would start with a Wireshark capture from the CXN server to see: a) what the far-end IP address is for the RTP packets; and, b) whether you see the RFC2833 packets arrive. If the sender IP isn't the Jabber client a media resource got invoked which may be dropping the RFC2833 packets. If the IP is correct but you don't see the RFC2833 packets arrive you could then run a Wireshark or collect SDI logs with SIP stack trace enabled from the CUCM node that Jabber is registered to. That would allow you to see the SDP negotiation at call setup to see if RFC2833 even gets negotiated.
Please remember to rate helpful responses and identify helpful or correct answers. -
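The two checks suggested in the reply above (is RFC2833 negotiated in the SDP, and do telephone-event packets arrive from the Jabber client's own IP), as an added Python example that is not part of the original thread. The SDP bodies, IP addresses, payload type 101 and all function names are constructed for illustration; the byte strings stand in for UDP payloads exported from a capture.

```python
import re
import struct

# Constructed SDP bodies; payload type 101 is an assumed dynamic value.
SDP_WITH_DTMF = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 10.0.0.20", "s=-", "c=IN IP4 10.0.0.20", "t=0 0",
    "m=audio 24580 RTP/AVP 0 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-15",
])
SDP_WITHOUT_DTMF = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 10.0.0.20", "s=-", "c=IN IP4 10.0.0.20", "t=0 0",
    "m=audio 24580 RTP/AVP 18",
    "a=rtpmap:18 G729/8000",
])
EVENT_DIGITS = "0123456789*#ABCD"  # RFC 2833 event codes 0-15


def telephone_event_pt(sdp):
    """Return the payload type mapped to telephone-event, or None if absent."""
    offered = []
    for line in sdp.splitlines():
        if line.startswith("m=audio "):
            offered = line.split()[3:]
        m = re.match(r"a=rtpmap:(\d+) telephone-event/", line, re.I)
        if m and m.group(1) in offered:
            return int(m.group(1))
    return None


def parse_rtp(data):
    """Return (payload_type, timestamp, payload) or None if not RTP version 2."""
    if len(data) < 12 or data[0] >> 6 != 2:
        return None
    first, second, _seq, timestamp, _ssrc = struct.unpack("!BBHII", data[:12])
    offset = 12 + 4 * (first & 0x0F)          # skip CSRC entries
    if first & 0x10:                           # skip header extension
        if len(data) < offset + 4:
            return None
        offset += 4 + 4 * struct.unpack("!H", data[offset + 2:offset + 4])[0]
    return second & 0x7F, timestamp, data[offset:]


def review_capture(packets, dtmf_pt, client_ip):
    """packets: list of (source_ip, udp_payload). Report digits and odd senders."""
    digits, seen, other_senders = [], set(), set()
    for src_ip, data in packets:
        rtp = parse_rtp(data)
        if rtp is None:
            continue
        if src_ip != client_ip:
            other_senders.add(src_ip)          # a media resource is in the path
        pt, timestamp, payload = rtp
        if pt != dtmf_pt or len(payload) < 4:
            continue
        event, _flags, _duration = struct.unpack("!BBH", payload[:4])
        # All packets of one key press share the same RTP timestamp.
        if event < 16 and (src_ip, timestamp) not in seen:
            seen.add((src_ip, timestamp))
            digits.append(EVENT_DIGITS[event])
    return {"digits": "".join(digits), "other_senders": sorted(other_senders)}


def _rtp(pt, seq, timestamp, payload):
    """Build a constructed RTP packet (version 2, no CSRC, fixed SSRC)."""
    return struct.pack("!BBHII", 0x80, pt, seq, timestamp, 0x1234ABCD) + payload


def _dtmf(event, end, duration):
    """Build a constructed 4-byte telephone-event payload, volume 10."""
    return struct.pack("!BBH", event, (0x80 if end else 0) | 10, duration)


# Constructed capture 1: audio and two key presses straight from the client.
CAPTURE_DIRECT = [
    ("10.0.0.50", _rtp(0, 1, 160, bytes(160))),
    ("10.0.0.50", _rtp(101, 2, 320, _dtmf(1, False, 160))),
    ("10.0.0.50", _rtp(101, 3, 320, _dtmf(1, False, 320))),
    ("10.0.0.50", _rtp(101, 4, 320, _dtmf(1, True, 480))),
    ("10.0.0.50", _rtp(101, 5, 1920, _dtmf(5, True, 160))),
]
# Constructed capture 2: only audio, arriving from a different sender.
CAPTURE_VIA_MTP = [("10.0.0.99", _rtp(0, n, 160 * n, bytes(160))) for n in range(1, 4)]

if __name__ == "__main__":
    pt = telephone_event_pt(SDP_WITH_DTMF)
    print("telephone-event payload type:", pt)
    print("direct :", review_capture(CAPTURE_DIRECT, pt, "10.0.0.50"))
    print("via MTP:", review_capture(CAPTURE_VIA_MTP, pt, "10.0.0.50"))
```
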
I can Ping FW inside interface but can not connect to remote resources
Dear all,
I configured my ASA 5520 through ASDM to enable VPN connection. I followed the Cisco steps and it works fine, and AnyConnect version 3.1 on Windows 8 (one day of troubleshooting for this point only) can connect and gets an IP address from the range. But I have something wrong in NAT, maybe because all guides talk about the old ASDM (NAT Exempt), and I am confused about how to apply it in the new ASDM.
I can ping the inside interface from my laptop, which is using AnyConnect, but I cannot access anything else inside my network.
Please, if anyone has a solution, describe it using ASDM. Thanks for the help.
This is my configuration:
interface GigabitEthernet0/1
description
nameif SRV_ZONE
security-level 50
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
description
nameif TRUST_ZONE
security-level 100
ip address 172.17.200.1 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif MGMT
security-level 0
ip address 10.10.10.1 255.255.255.0
dns server-group DefaultDNS
domain-name xxx.xxx.xxx
object network obj-192.168.1.11
host 192.168.1.11
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service obj-tcp-source-eq-25
service tcp source eq smtp
object network obj-192.168.1.12
host 192.168.1.12
object network obj-xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object service obj-tcp-eq-25
service tcp destination eq smtp
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-172.17.8.8
host 172.17.8.8
object network obj-172.17.0.0
subnet 172.17.0.0 255.255.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
object network obj_any-06
subnet 0.0.0.0 0.0.0.0
object network obj.172.17.8.115
host 172.17.8.115
object network obj.xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service http
service tcp source eq www destination eq www
object network obj.xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object service https
service tcp source eq https destination eq https
object service newservice
service tcp source eq pop3 destination eq pop3
object network mail
host 172.17.8.8
description mail
object network 192.168.1.11
host 192.168.1.11
description smtp
object service smtpnew
service tcp source eq 587 destination eq 587
object network VPN_RANGE
description VPN ACCESS RANGE
object network VPN_PoOL
subnet 172.17.16.0 255.255.255.0
description vpn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.1.11
network-object host 192.168.1.12
object-group network Eighth_Floor
network-object 172.17.8.0 255.255.255.0
object-group service WEB_SERVICES
service-object tcp destination eq www
object-group network ENT_SERVERS
network-object host 192.168.1.11
network-object host 192.168.1.1
object-group network DM_INLINE_NETWORK_2
network-object 172.17.200.0 255.255.255.0
network-object 172.17.8.0 255.255.255.0
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service web tcp
port-object eq www
port-object eq xxx
port-object eq ftp
port-object eq xxx
port-object eq xxx
object-group service xxx_Web_and_Email
service-object object http
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list DMZ_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list justice_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list xxx-VPN_splitTunnelAcl remark vpn
access-list xxx-VPN_splitTunnelAcl standard permit 172.17.16.0 255.255.255.0
access-list xxx-VPN_splitTunnelAcl standard permit any
access-list cap extended permit tcp any host xxx.xxx.xxx.xxx eq smtp log
access-list cap1 extended permit tcp host 192.168.1.11 any eq smtp
access-list SRV_ZONE_nat_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list SRV_ZONE_nat_outbound extended permit ip host 192.168.1.11 any
access-list TRUST_ZONE_access_in extended permit ip host 172.17.88.108 any
access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.10.3.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.10.50.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.8.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.200.0 255.255.255.0 any
access-list TRUST_ZONE_access_in extended permit ip 172.17.0.0 255.255.0.0 host 192.168.1.12
access-list TRUST_ZONE_cryptomap extended permit ip xxx.xxx.xxx.xxx 255.255.255.248 any
access-list outside_access_in extended permit tcp any host 192.168.1.11 eq smtp
access-list outside_access_in extended permit tcp any host 172.17.8.8 eq www
access-list outside_access_in extended permit tcp any host 192.168.1.12 object-group web
access-list outside_access_in extended permit tcp any host 172.17.8.8 eq pop3
access-list outside_access_in extended permit ip 172.17.16.0 255.255.255.0 any inactive
access-list vpn remark vpn
access-list vpn standard permit 172.17.16.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host TRUST_ZONE 172.17.8.100
mtu INT_ZONE 1500
mtu SRV_ZONE 1500
mtu TRUST_ZONE 1500
mtu MGMT 1500
ip local pool VPN_POOL 172.17.16.100-172.17.16.254 mask 255.255.255.0
ip verify reverse-path interface INT_ZONE
ip verify reverse-path interface SRV_ZONE
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any SRV_ZONE
icmp permit any TRUST_ZONE
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.11 obj-xxx.xxx.xxx.xxx service any obj-tcp-source-eq-25
nat (SRV_ZONE,INT_ZONE) source static obj-192.168.1.12 obj-xxx.xxx.xxx.xxx
nat (SRV_ZONE,INT_ZONE) source dynamic obj-192.168.1.0 interface service obj-tcp-eq-25 obj-tcp-eq-25
nat (INT_ZONE,SRV_ZONE) source static any any destination static 192.168.1.11 obj-172.17.8.8 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
nat (TRUST_ZONE,INT_ZONE) source static VPN_PoOL VPN_PoOL destination static VPN_PoOL VPN_PoOL
object network obj_any
nat (SRV_ZONE,INT_ZONE) dynamic obj-0.0.0.0
object network obj_any-01
nat (SRV_ZONE,MGMT) dynamic obj-0.0.0.0
object network obj-172.17.8.8
nat (TRUST_ZONE,INT_ZONE) static xxx.xxx.xxx.xxx service tcp www www
object network obj-172.17.0.0
nat (TRUST_ZONE,SRV_ZONE) static 172.17.0.0
object network obj_any-02
nat (TRUST_ZONE,INT_ZONE) dynamic interface
object network obj_any-03
nat (TRUST_ZONE,SRV_ZONE) dynamic interface
object network obj_any-04
nat (TRUST_ZONE,INT_ZONE) dynamic obj-0.0.0.0
object network obj_any-05
nat (TRUST_ZONE,SRV_ZONE) dynamic obj-0.0.0.0
object network obj_any-06
nat (TRUST_ZONE,MGMT) dynamic obj-0.0.0.0
object network obj.172.17.8.115
nat (TRUST_ZONE,INT_ZONE) static obj.xxx.xxx.xxx.xxx service tcp www www
object network mail
nat (TRUST_ZONE,INT_ZONE) static obj-xxx.xxx.xxx.xxx service tcp pop3 pop3
nat (TRUST_ZONE,INT_ZONE) after-auto source static obj-172.17.8.8 obj-xxx.xxx.xxx.xxx service https https
access-group outside_access_in in interface INT_ZONE
access-group DMZ_access_in in interface SRV_ZONE
access-group TRUST_ZONE_access_in in interface TRUST_ZONE
route INT_ZONE 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route TRUST_ZONE 10.10.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.11.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.12.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 10.13.0.0 255.255.0.0 172.17.200.254 1
route TRUST_ZONE 172.17.0.0 255.255.0.0 172.17.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 172.17.8.0 255.255.255.0 TRUST_ZONE
http 172.17.8.155 255.255.255.255 TRUST_ZONE
http 172.17.8.45 255.255.255.255 TRUST_ZONE
http 10.10.10.2 255.255.255.255 MGMT
http 192.168.1.12 255.255.255.255 SRV_ZONE
http 0.0.0.0 0.0.0.0 INT_ZONE
http 172.17.200.0 255.255.255.0 TRUST_ZONE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map pol 1 match address TRUST_ZONE_cryptomap
crypto dynamic-map pol 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INT_ZONE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TRUST_ZONE_map0 1 ipsec-isakmp dynamic pol
crypto map TRUST_ZONE_map0 interface TRUST_ZONE
crypto map INT_ZONE_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INT_ZONE_map0 interface INT_ZONE
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn SEC-xxx-FW1
subject-name CN=SEC-xxx-FW1
no client-types
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=SEC-xxx-FW1
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
57f4e52e 6b851966 77515d62 c209a0df 1c32ce94 bb90cbce 497cfd04 6745ea85
efb75f85 2ae1ad35 344d94ab 915e01ab d3292626 ac697a52 b4ed6632 d3ed2332 ae
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate e6054352
c64f3661 30f14c3d 06b5f039 9f14560d 3b154fd1 42782268 7531689e 8e547d91
85e88415 e326f653 74733a6c a3f5c935 f7e83f56 f6
quit
crypto isakmp enable INT_ZONE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INT_ZONE
ssh 172.17.8.0 255.255.255.0 TRUST_ZONE
ssh 10.10.10.2 255.255.255.255 MGMT
ssh timeout 5
console timeout 0
management-access TRUST_ZONE
vpn load-balancing
interface lbpublic INT_ZONE
interface lbprivate INT_ZONE
priority-queue INT_ZONE
tx-ring-limit 256
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 INT_ZONE
webvpn
enable INT_ZONE
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy xxx-VPN internal
group-policy xxx-VPN attributes
dns-server value xx.xx.xx.xx xx.xx.xx.xx
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value xxx-VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy GPNEW internal
group-policy GPNEW attributes
dns-server value 172.17.8.41
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value xxx.xxx.xxx
address-pools value VPN_POOL
username VPNAM password xxx encrypted
username VPNAM attributes
service-type remote-access
vpn-group-policy xxx-VPN
tunnel-group xxx-VPN type remote-access
tunnel-group xxx-VPN general-attributes
dhcp-server 172.17.8.41
tunnel-group xxx-VPN ipsec-attributes
pre-shared-key *****
tunnel-group pol type ipsec-l2l
tunnel-group pol ipsec-attributes
pre-shared-key *****
trust-point ASDM_TrustPoint0
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool VPN_POOL
default-group-policy GPNEW
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect pptp
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:78a941e3f509dec8f3570c60061eedaa
: end
Thank God,
I solved the problem.
The problem was in NAT.
I created an object with the host IP address from the VPN pool and named it vpn,
then I did the NAT from inside to that host as in the following picture...
Trust zone is the inside zone;
vpn is the outside VPN host...
Thanks, and I hope it helps someone else... -
ASA 5505 VPN Can not connect clients
Hi,
I tried to search for an answer to this question but I couldn't find the answer.
I configured the VPN on the ASA, but I cannot get a client to connect to the ASA. I've tried and searched for an answer and I really need some help!
Any help is greatly appreciated.
: Saved
ASA Version 7.2(2)
hostname
domain-name
enable password
names
ddns update method
ddns both
interface Vlan1
nameif inside
security-level 100
ddns update hostname
ddns update
dhcp client update dns
ip address 192.168.1.1 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server
name-server
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list EasyVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit ip any any
access-list OUTSIDE_IN_ACL extended permit icmp any interface outside
access-list Remote-VPN_splitTunnelAcl standard permit any
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list Bild_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool TKK 192.168.1.200-192.168.1.220 mask 255.255.255.224
ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,inside) tcp interface 3389 access-list inside_nat_static
static (inside,inside) tcp interface ftp access-list inside_nat_static_2
static (outside,inside) x.x.x.x 192.168.1.0 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 192.168.1.253
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission
to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy EasyVPN internal
group-policy EasyVPN attributes
dns-server value 192.168.1.253
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value EasyVPN_splitTunnelAcl
default-domain value xxx.se
group-policy Remote-VPN internal
group-policy Remote-VPN attributes
dns-server value 192.168.1.253
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote-VPN_splitTunnelAcl
default-domain value xxx.se
group-policy CiscoASA internal
group-policy CiscoASA attributes
dns-server value 192.168.1.253 x.x.x.x
vpn-tunnel-protocol IPSec webvpn
group-policy Bild internal
group-policy Bild attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Bild_splitTunnelAcl
username User attributes
vpn-group-policy DfltGrpPolicy
username Bild password encrypted privilege 0
username Bild attributes
vpn-group-policy Bild
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 220 set pfs
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
address-pool vpn
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group Bild type ipsec-ra
tunnel-group Bild general-attributes
address-pool TKK
default-group-policy Bild
tunnel-group Bild ipsec-attributes
pre-shared-key *
tunnel-group CiscoASA type ipsec-ra
tunnel-group CiscoASA general-attributes
address-pool vpn
default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
pre-shared-key *
tunnel-group EasyVPN type ipsec-ra
tunnel-group EasyVPN general-attributes
address-pool vpn
default-group-policy EasyVPN
tunnel-group EasyVPN ipsec-attributes
pre-shared-key *
tunnel-group Remote-VPN type ipsec-ra
tunnel-group Remote-VPN general-attributes
address-pool VPN-Pool
default-group-policy Remote-VPN
tunnel-group Remote-VPN ipsec-attributes
pre-shared-key *
class-map global-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect ftp
inspect icmp
inspect pptp
service-policy global-policy global
prompt hostname context
Cryptochecksum:8cdda33b1993ba7bb33db88d996e939c
: end
Hi Fredrik,
I see your ACL "outside_nat0_outbound" set on the inside interface for no NAT, but I do not see the ACL being defined anywhere in your config.
I also strongly recommend creating your VPN pool in a different subnet rather than the same one as the inside IP of your ASA.
So, let's assume your VPN pool is 192.168.255.1-254/24.
Your no-NAT for inside will then look like this:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.255.0 255.255.255.0
Let me know if this helps.
Thanks
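A check for the two problems the reply above points out (an access list that is referenced but never defined, and a VPN pool carved out of the inside subnet), as an added Python example that is not from the thread. It goes slightly further and also flags `address-pool` references with no matching `ip local pool`; the sample is a constructed excerpt of lines from the posted configuration, and `audit` and its result keys are names chosen here.

```python
import ipaddress
import re

# Constructed excerpt: lines taken from the configuration posted above, trimmed.
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
ip address x.x.x.x 255.255.255.0
access-list EasyVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Bild_splitTunnelAcl standard permit any
ip local pool TKK 192.168.1.200-192.168.1.220 mask 255.255.255.224
ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
split-tunnel-network-list value EasyVPN_splitTunnelAcl
split-tunnel-network-list value Bild_splitTunnelAcl
tunnel-group Bild general-attributes
address-pool TKK
tunnel-group EasyVPN general-attributes
address-pool vpn
tunnel-group Remote-VPN general-attributes
address-pool VPN-Pool
"""

# Places where a configuration line names an access list or an address pool.
ACL_REFS = [
    re.compile(r"(?:nat|static)\s.*\baccess-list\s+(\S+)"),
    re.compile(r"access-group\s+(\S+)\s+(?:in|out)\s+interface\b"),
    re.compile(r"split-tunnel-network-list\s+value\s+(\S+)"),
    re.compile(r"crypto\s.*\bmatch\s+address\s+(\S+)"),
]
POOL_REFS = [
    re.compile(r"address-pool\s+(\S+)"),
    re.compile(r"address-pools\s+value\s+(\S+)"),
]


def audit(config):
    """Return dangling ACL/pool references and pools that sit inside an interface subnet."""
    acls, pools, subnets = set(), {}, {}
    acl_refs, pool_refs = set(), set()
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()  # pasted configs often lose their indentation
        if line.startswith("interface "):
            nameif = None
            continue
        m = re.match(r"nameif\s+(\S+)", line)
        if m:
            nameif = m.group(1)
            continue
        m = re.match(r"ip address\s+(\S+)\s+(\S+)", line)
        if m and nameif:
            try:
                subnets[nameif] = ipaddress.ip_network("/".join(m.groups()), strict=False)
            except ValueError:
                pass  # masked address such as x.x.x.x
            continue
        m = re.match(r"access-list\s+(\S+)\s", line)
        if m:
            acls.add(m.group(1))
            continue
        m = re.match(r"ip local pool\s+(\S+)\s+([\d.]+)-([\d.]+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
            continue
        for pattern in ACL_REFS:
            m = pattern.match(line)
            if m:
                acl_refs.add(m.group(1))
        for pattern in POOL_REFS:
            m = pattern.match(line)
            if m:
                pool_refs.add(m.group(1))
    overlaps = [(name, ifname)
                for name, (start, end) in sorted(pools.items())
                for ifname, net in sorted(subnets.items())
                if start in net or end in net]
    return {
        # Names are compared exactly as written, including case.
        "undefined_acls": sorted(acl_refs - acls),
        "undefined_pools": sorted(pool_refs - set(pools)),
        "pools_inside_interface_subnet": overlaps,
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(finding, items)
```
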