Probe DNS

Dear
I have a DNS probe, but for some reason, even though the DNS service is up, the probe shows it as down. I tried configuring domain and expect, but the results are the same. The process is as follows:
a) The first time, it detects the service as up.
b) The service goes down and the probe detects the failure; the rserver is down.
c) The service is brought back up, but the probe never detects the service as up.
See the following output:
ACE4710-1/IIS# show probe DNS detail
probe : DNS
type : DNS
state : ACTIVE
description : "test de DNS"
port : 53 address : 0.0.0.0 addr type : -
interval : 30 pass intvl : 300 pass count : 3
fail count: 3 recv timeout: 10
dns domain : www.cisco.com
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
rserver : DNS1-G
10.1.5.20 17 5 12 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connection refused by server
Last probe time : Wed Feb 11 20:17:12 2009
Last fail time : Wed Feb 11 20:16:42 2009
Last active time : Wed Feb 11 19:57:12 2009
rserver : DNS1-N
10.1.5.12 29 5 24 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connection refused by server
Last probe time : Wed Feb 11 20:21:17 2009
Last fail time : Wed Feb 11 20:20:47 2009
Last active time : Tue Feb 10 22:03:17 2009
admin dns DNS
DOMAIN WWW.CISCO.COM
expect 198.133.219.25
Best Regards

It does respond to your PC, but not to ACE.
Or the response never makes it to ACE,
either because of a routing issue
or because it is dropped by an ACL.
It could even be an ACL on ACE itself.
Again, take a sniffer trace to confirm that the response makes it to ACE.
G.
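As an added example (not code from this thread or from ACE), here is a small Python emulation of what a DNS probe like the one above does: send an A query for the configured domain to the rserver, compare the answer with the expect address, and apply the fail count / pass count and interval / pass intvl rules shown in the show probe output. It also keeps a reply that never arrives apart from an ICMP port-unreachable, the kind of difference a sniffer trace makes visible. The domain, expect address and timings are the ones shown above; the rserver's starting state and the constructed reply used for offline testing are assumptions of this example.

```python
import random
import socket
import struct

def encode_name(domain: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ended by a zero byte."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_query(domain: str, txid: int) -> bytes:
    """Recursive A/IN query, the shape a load balancer's DNS probe sends to an rserver."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; one question
    return header + encode_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(domain: str, txid: int, addrs, rcode: int = 0) -> bytes:
    """Constructed sample reply for offline use: echoes the question, answers with A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)  # QR, RD, RA
    question = encode_name(domain) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
                       for a in addrs)  # owner name: pointer to offset 12 (the question)
    return header + question + answers

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg: bytes, txid: int) -> list:
    """A-record addresses in a reply; ValueError if it is not a usable answer to our query."""
    rid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0xF))  # 3 = NXDOMAIN, 5 = REFUSED, ...
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def probe_once(server: str, domain: str, expect: str, timeout: float = 10.0) -> str:
    """One probe round trip to an rserver: 'pass', 'fail', 'timeout' or 'refused'."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # connected UDP: on Linux an ICMP port-unreachable
        try:                     # for our query surfaces as ConnectionRefusedError
            s.send(build_query(domain, txid))
            data = s.recv(512)
        except socket.timeout:
            return "timeout"     # reply never arrived: routing, ACL drop, or silent server
        except ConnectionRefusedError:
            return "refused"     # nothing listening on 53 ("Connection refused by server")
    try:
        return "pass" if expect in parse_a_records(data, txid) else "fail"
    except (ValueError, IndexError, struct.error):
        return "fail"            # wrong answer, error rcode, or a mangled packet

class ProbeState:
    """fail count / pass count bookkeeping as displayed by `show probe ... detail`."""
    def __init__(self, interval=30, pass_interval=300, fail_count=3, pass_count=3):
        self.interval, self.pass_interval = interval, pass_interval
        self.fail_count, self.pass_count = fail_count, pass_count
        self.health, self.consecutive = "SUCCESS", 0  # assumption: starts passed (step a)
    def next_interval(self) -> int:
        """Probe spacing: 'interval' while passed, 'pass intvl' while failed."""
        return self.interval if self.health == "SUCCESS" else self.pass_interval
    def record(self, outcome: str) -> str:
        """Apply one outcome; health flips only after N consecutive opposite results."""
        passed = outcome == "pass"
        if (self.health == "SUCCESS") == passed:
            self.consecutive = 0  # consistent with current health: nothing changes
            return self.health
        self.consecutive += 1
        if self.health == "SUCCESS" and self.consecutive >= self.fail_count:
            self.health, self.consecutive = "FAILED", 0
        elif self.health == "FAILED" and self.consecutive >= self.pass_count:
            self.health, self.consecutive = "SUCCESS", 0
        return self.health

def simulate(outcomes, **kwargs) -> list:
    """Replay probe outcomes under the timing rules; returns [(seconds, health), ...]."""
    state, t, timeline = ProbeState(**kwargs), 0, []
    for outcome in outcomes:
        timeline.append((t, state.record(outcome)))
        t += state.next_interval()
    return timeline
```

Replaying one pass, three fails and then passes with interval 30, pass intvl 300 and pass count 3 marks the rserver FAILED at 90 s and does not mark it passed again until 990 s, so a server that is back up stays FAILED for three pass intervals.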

Similar Messages

  • ACS 5.4 AD Join strange Issue

    Hi,
We have two ACS boxes with the same software version (5.4.0.46.0a); we were able to join the domain with one ACS only, and the other ACS gives the attached error.
When we checked "main-acs-01/admin# acs troubleshoot adcheck <domain-name>", it gave the same error for both ACS; however, one ACS successfully joined the domain and the other one still failed.
main-acs-01/admin# acs troubleshoot adcheck <domain-name>
    This command is only for advanced troubleshooting and may incur a lot of network traffic
    Do you want to continue?  (yes/no) yes
    OSCHK    : Verify that this is a supported OS                          : Pass
    PATCH    : Linux patch check                                           : Pass
    PERL     : Verify perl is present and is a good version                : Pass
    SAMBA    : Inspecting Samba installation                               : Pass
    SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
    HOSTNAME : Verify hostname setting                                     : Pass
    NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
    DNSPROBE : Probe DNS server 172.24.1.1                                 : Pass
    DNSPROBE : Probe DNS server 172.24.1.2                                 : Pass
    DNSCHECK : Analyze basic health of DNS servers                         : Pass
    WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
    SSH      : SSHD version and configuration                              : Note
             : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
    DOMNAME  : Check that the domain name is reasonable                    : Pass
    ADDC     : Find domain controllers in DNS                              : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                     : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Failed
             : Cannot resolve the IP address for xxxx.hmc.org.qa.
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                  : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                   : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                     : Warning
             : One or more ports failed to respond correctly. Either:
             :   a) the DC is offline
             :   b) a firewall is preventing access to a port
             : The following is a list of failed ports:
             :    ldap(389)/udp - timeout
             :    smb(445)/tcp - refused
             :    ldap(389)/tcp - refused
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                          : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                           : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                   : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                    : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                     : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Failed
             : Cannot resolve the IP address for airportdc1.<domain-name>.
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                  : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                   : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                     : Warning
             : One or more ports failed to respond correctly. Either:
             :   a) the GC is offline
             :   b) a firewall is preventing access to a port
             : The following is a list of failed ports:
             :    gc(3268)/tcp - refused
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                          : Pass
    GCPORT   : Port scan of GC xxxx<domain-name>                           : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                   : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                    : Pass
    ADGC     : Check Global Catalog servers                                : Pass
    DCUP     : Check for operational DCs in <domain-name>                    : Pass
    SITEUP   : Check DCs for <domain-name>in our site                        : Pass
    DNSSYM   : Check DNS server symmetry                                   : Pass
    ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
    GSITE    : See if we think this is the correct site                    : Pass
    TIME     : Check clock synchronization                                 : Pass
    2 serious issues were encountered during check. These must be fixed before proceeding
    2 warnings were encountered during check. We recommend checking these before proceeding
    main-acs-01/admin#
Has anyone faced this issue before? I'd appreciate it if someone could advise how to fix this.

This was a known issue with ACS 5.3; however, we got this fixed in ACS 5.3 patch 7 and ACS 5.4.
Since you're running ACS 5.4, it should not trigger.
    CSCtx53223    After upgrade ACS 5.3 fail to join AD domain - missing Centrify license
    Symptom:
    After upgrading from 5.2 to 5.3, ACS fails to join the domain. AD connection worked for a few days, until the services were restarted. After that ACS fails to join AD with the following error message in ACSADAgent.log:
    Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to zone is only permitted with a licensed copy of DirectControl. Get a license or learn more about Centrify Suite at http://www.centrify.com/express
    Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you may connect to a domain through Auto Zone by specifying adjoin -w Test.Test
    Conditions:
    Upgrade from 5.2 to 5.3. Restart the services later on.
    Workaround:
    Backup the ACS db and re-image the box to 5.3
How did you upgrade to ACS 5.4?
1.] Upgraded from 5.3 to 5.4 using the upgrade package.
2.] Reimaged it with the ACS 5.4 ISO and restored the ACS 5.3 database.
I would suggest you open a TAC case on this. Most likely you need to reimage the server and restore the database if you went through with option 1.]
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Getting OS X Host Name from Cambia

We would like to configure our OS X workstations to return their hostnames when scanned with Cambia (network monitoring software). Cambia uses NetBIOS, TCP probes, DNS lookup and nmap to discover the identity of nodes on the network. Can anyone tell me how to configure OS X to return its host name when Cambia does a scan?
I know NetBIOS is a no-go, but I manually set the host name in the /etc/hostconfig file in the hope that would do it. It doesn't.
Is there a setting or software that would return the hostname via an nmap probe?
    Bob Reed

We would like to configure our OS X workstations to return their hostnames when scanned with Cambia (network monitoring software). Cambia uses NetBIOS, TCP probes, DNS lookup and nmap to discover the identity of nodes on the network. Can anyone tell me how to configure OS X to return its host name when Cambia does a scan?
If you run your own DNS servers, Macs that use DHCP will set their names in the DHCP request, so you should get it from there.
Are your Macs using DHCP? Do you run your own internal name server?
Is there a setting or software that would return the hostname via an nmap probe?
    Bob Reed

  • CSM - inservice standby - question

    10.176.56.113 and 10.176.56.114 are 2 x DNS servers in Site 1.
We are planning to put in 10.188.56.49 and 10.188.56.50, which are Site 2 DNS servers, as standby real servers, because there was a time when the 2 Site 1 DNS servers went dead and there was no DNS server running in Site 1.
We do not want the DNS VIP to route to Site 2 DNS unless both .113 and .114 are dead. Can you advise if 'inservice standby' can be used?
    serverfarm DNS
    nat server
    nat client DNS
    real 10.176.56.113
    inservice
    real 10.176.56.114
    inservice
    real 10.188.56.49
    inservice standby
    real 10.188.56.50
    inservice standby
    probe DNS
    In Cisco documentation: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.1.x/4.1.2/configuration/guide/rsfarms.html#wp1038112
    "If a client making a request is stuck to an out-of-service server (using a cookie, SSL ID, source IP, etc), this connection is balanced to an in-service server in the farm. If you want to be stuck to an out-of-service server, enter the inservice standby command. When you enter the inservice standby command, no connections are sent to the standby real server with the exception of those connections that are stuck to that server and those servers with existing connections. After the specified standby time, you can use the no inservice command to allow only existing sessions to be sent to that real server. Sticky connections are then sent to an in-service real server in the server farm. "
The explanation above is rather vague and confusing. Hence I would like to seek your advice on whether the usage of 'inservice standby' can serve the purpose we require, which is to fail over to .49 and .50 when .113 and .114 become "out of service" in the CSM.

    "no inservice" and "inservice standby" are used to gracefully shutdown the real servers. "Inservice standby" is used for shutting down (taking out of LB logic) a real server when stickiness is configured.
You can use a backup server farm for your requirement. A sample config:
    vserver DNS
    virtual z.z.z.z tcp
    serverfarm SITE1 backup SITE2
    inservice
    serverfarm SITE1
    nat server
    real x.x.x.1
    inservice
    real x.x.x.2
    inservice
    serverfarm SITE2
    nat server
    real y.y.y.1
    inservice
    real y.y.y.2
    inservice
If all the servers in SITE1 go down then the reals of SITE2 will be used. If a single server of SITE1 comes back then all connections will go to that server in SITE1.
Hope it helps.
    Syed Iftekhar Ahmed

  • HTTP Probe and DNS names

    Hi,
I think I have a very simple question.
I want to set up an HTTP probe to test for a URL, like http://www.cnn.com/
When I specify such a "request" command under the probe config menu, I would assume that ACE will need to perform name resolution for www.cnn.com, but I cannot find any reference on how to configure DNS servers on ACE....
Am I missing something, or maybe I cannot do an HTTP probe request by name and it has to be in the format
http://<ip address>/?
    Thank you,
    David

    Hi,
    My initial idea was to use the following command:
    request method get url http://www.abc.com/
This is why I had my initial question about how ACE will resolve www.abc.com.
Now, thinking more about it, I wonder if ACE even needs to resolve it at all.
I intend to apply the probe under rserver in the serverfarm config, so ACE will know the IP address of where to send the probe from the rserver configuration. If so, no DNS query is needed. ACE will just construct the packet and put the relevant information in the HTTP portion.... Am I correct?
If yes, what would be the difference between doing
    header Host header-value "http://www.abc.com/"
    vs
    request method get url http://www.abc.com/
    Thanks!
    David

  • IOS SLB dns probe

    Hi,
    I'm trying to configure a DNS probe using IOS SLB, but it's not working.
I followed the manual on how to configure a DNS probe, but it just doesn't make any sense.
When using DNS probes on an ACE, you give a hostname and configure an IP address which the DNS server should resolve it to, which makes sense.
On the IOS SLB, it is not the case. Two variables can be configured:
Router(config-slb-probe)# address [ip-address]
(Optional) Configures an IP address to which to send the Domain Name System (DNS) probe.
Router(config-slb-probe)# lookup [ip-address]
(Optional) Configures an IP address of a real server that a Domain Name System (DNS) server should supply in response to a domain name resolve request.
What am I missing? Could someone please clarify?
    Tnx!

To verify that a probe is configured correctly, use the show ip slb probe command:
Router# show ip slb probe
It may help you for troubleshooting purposes.
For a further description of the configuration of the DNS probe, the following guide may help you:
    http://www.cisco.com/en/US/docs/ios/12_2/12_2z/12_2za/feature/guide/slbza5.html#wp2434837

  • Jre 1.4.2 + child app socket/dns probs on win32

    I have a java app that spawns a child using Runtime.exec() which checks out a license using flexlm.
    In 1.4.1* it worked just fine ... but now with 1.4.2, the child app fails with errors from the flexlm code along the lines of "winsock could not obtain the ip addr of the lic server - dns error".
    When called from a trivial test app, the same child exec does work ok.
    What in the java parent app could cause sockets in the child to get messed up?
    I'm presuming a java bug because it works fine in 1.4.0 and 1.4.1 on multiple platforms ... but now fails with 1.4.2 on win32
    Any suggestions?
    TIA
    PMac

    Aha! THANKS!
    On a windows 2003 server box
    System.getProperty("os.name")
    1.4.1 returns "windows xp"
    1.4.2 returns "windows 2003".
    So a piece of code wasn't recognizing the OS in 1.4.2 and was not getting a good environment.
    Given that you can SET the environment when execing a process (and often need to) what is the right way to GET the environment to begin with?
    Thanks again
    PMac

  • Can't access some URLs, Ubuntu Firefox does, no obvious network probs, reinstalled XP, reinstalled Firefox, checked DNS settings, tried "Website won't load" FAQ

Some websites are inaccessible, e.g. Microsoft, Trend Micro, Adobe update, and many more.
I noticed it first when I needed EFAT drivers from Microsoft.
I couldn't access the site. Subsequently I have discovered other sites with similar problems.
Two of my XP machines are exhibiting this problem, BUT one XP netbook isn't.
My Linux Ubuntu 12.04 boxes are not affected.
The error I get is "Server not found at [insert URL here]".
I can access Google, eBay, Facebook, my website, and most other websites, both HTTP:// and HTTPS://.
I cannot see what the difference between access and no access is.
My network is working fine and I can access these unobtainable websites using Linux running Firefox on this network, but not on the XP machines with any web browser I have tried.
It's not, AFAICS, a virus on the two machines.
I have isolated one machine from the network, re-installed XP from CD, installed a fresh Firefox, and while isolated from the rest of the intranet, connected to the internet. Still the problem exists.
I have tried different DNS servers.
I have changed the ADSL router to a different manufacturer's router and still the fault exists.
I am at my wits' end here. Any help appreciated.
    thanks

  • Clients fail to resolve local DNS names, external names working fine

    Hi there,
I've got a strange issue with a couple of domain-joined computers. Resolving internal and external host names works fine with nslookup. But clients lose AD connectivity because they can't resolve host names from the local DNS zones outside of nslookup.
Pinging IP addresses always works.
So far only notebook computers are affected. Desktop computers work fine. The OS is Windows 7/8/8.1 for clients and Windows Server 2008 R2/2012 for AD DCs/DNS servers.
    Example:
    C:\>nslookup bl-sphv00
    Server:  bl-spdc01.bl.local
    Address:  192.168.154.21
    Name:    bl-sphv00.bl.local
    Address:  192.168.154.10
    C:\>ping bl-sphv00
    Ping request could not find host bl-sphv00. Please check the name and try again.
    C:\>ping bl-sphv00.bl.local
Ping request could not find host bl-sphv00.bl.local. Please check the name and try again.
    C:\>ping 192.168.154.10
    Pinging 192.168.154.10 with 32 bytes of data:
    Reply from 192.168.154.10: bytes=32 time=52ms TTL=128
    Reply from 192.168.154.10: bytes=32 time=51ms TTL=128
    Reply from 192.168.154.10: bytes=32 time=52ms TTL=128
    Any help appreciated.
    Thanks a lot.
    Te.Be.

    Hi there,
a Microsoft support guy sent me a solution earlier posted under
http://social.technet.microsoft.com/Forums/windowsserver/en-US/f49b8398-d923-4e7e-86e7-78094113c091/problems-with-dns-and-ad?forum=winservergen
To get the client working again you just have to delete a few registry keys set by DirectAccess GPOs using this little batch:
    @echo off
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Tcpip" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\DTEs" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\Probes" /f
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v SMB1NATCompatibilityLevel /f
Unfortunately this breaks the client's DirectAccess configuration and leaves me without a real solution. Found some hints here:
http://blogs.technet.com/b/tomshinder/archive/2010/03/13/uag-directaccess-group-policy-assignment-make-sure-the-right-policies-are-applied.aspx
So my question is now: how do I have to edit the wizard-generated DirectAccess GPOs correctly?
Anyone have any idea?

  • DNS, Certificates, and Active Directory - School Setup Issues

Our school has been piloting a small iPad deployment. I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" setting to "Basic".
2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org".
3. About 90 iPads, and a handful of Mac desktops.
In a perfect world, users would be able to log in (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the Mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc.).
However, this is not the case. The setup seems to work for a while; quite perfectly, in fact. But then, for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of the issues I am seeing:
a.) The DNS service on the Mac server turns itself ON randomly. DNS should NOT be running on this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org").
b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local". I would make the server external only, but it needs to have an internal IP to talk to the AD server.
c.) AD binding breaks randomly and I have to rebind the server to AD.
d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

    Yes, I am not giving the real domain name here.
No prob, just checking; sometimes people have weird domain names and you never know if they are real, or whether they expect them to be real, or whether they put domain names owned by someone else on their internal network, eek.
It is not really needed to use mac.school.org internally, that is, in the local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant with respect to a client machine (inside the LAN or on the Internet), and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
Go to Network Utility on your Mac, type in your real domain name (whatever you are changing to school.org to hide it) and see what comes back. On my server I see the below (I have replaced my real, Internet-legal domain with 'example.com').
In my setup I have, on the LAN, set up the Mac server to be authoritative for the domain 'example.com'. On the Internet, however, it is another external DNS server.
So have you set DNS forwarders on the Mac machine?
I really don't believe that the machine's hostname is changing; it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
On the Mac machine's terminal type 'less /etc/resolv.conf' and copy-paste what it says. In Server app, Services | DNS, on the right side, does it say you have forwarders?
Still, it is not good to have two DNS domains in your internal LAN; there is no need to have school.org on the Mac DNS unless it is going to be fully set up to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users, point 1) and school.local on internal machines (LAN scope of users).
    Lookup has started…
    Trying "example.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    ;; QUESTION SECTION:
    ;example.com.                   IN        ANY
    ;; ANSWER SECTION:
    example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
    example.com.     10800          IN         NS          server.example.com.
    example.com.     10800          IN         MX          10 server.example.com.
    ;; ADDITIONAL SECTION:
    server.example.com. 10800       IN          A          192.168.1.20
    Received 145 bytes from 127.0.0.1#53 in 2 ms

  • [SOLVED] DNS stops working

    Hi!
I'm running arch64 on my ThinkPad x220 and have a strange problem here.
Sometimes DNS just stops working; to rule out a bad server I tried it with Google's:
dig @8.8.8.8 archlinux.puzzle.ch
On Arch Linux dig tells me that no servers could be reached, although I can successfully ping 8.8.8.8.
Running Mac OS X on another machine in the same network, dig gives me back the matching A record.
This usually lasts from a few minutes up to about two hours, only on Arch Linux. Does somebody have any idea about this?
    Last edited by simt (2011-12-22 18:39:27)

You are right, the manpage says 'dig @server query' but it seems to work either way. Maybe you can try 'tcptraceroute 8.8.8.8 53'; it will probe TCP port 53 directly, and although it is not the same as a "normal" DNS query, which uses UDP [1], it will be quite close.
    [1] http://en.wikipedia.org/wiki/Domain_Nam … ol_details

  • ACE 4710 HTTP Probes

Using the ACE 4710 for load balancing a SharePoint site.
We currently have an HTTP probe set up to check the port 80 status of the rserver.
Is there any way to get the HTTP probe to check a DNS entry for each of the application sites? For instance, http://info vs http://site are two different web sites running on the same IP. One site could have a problem but the actual port 80 for the IP may still be alive.
    Thanks for any information.

Has anyone figured this out? I am trying to get healthchecks/probes set up in this same fashion. I have 2 servers with 1 IP but have many sites. I want to probe each site and ensure I get a 200 code. I also have to provide credentials to the site. It seems that if I open IE I can log in just fine to the site with the credentials. However, there is an ActiveX control box that wants to be installed. When I set this up on my ACE it seems I am getting an HTTP 401 unauthorized error. I have done a Wireshark capture while I was browsing and I see the 401; however, it also reports a 200 code after that. Do you think this is a problem because of the ActiveX control wanting to be downloaded? Or is this an issue with the first HTTP code that is received by the probe, that being the 401 and then the 200? Below is my config (cleaned, of course).
    probe http HTTP-80-OUR.DOMAIN.COM
      interval 15
      passdetect interval 60
      credentials
      request method get url http://our.domain.com/default.aspx
      expect status 200 200
      header Host header-value "our.domain.com"
      open 1
    rserver host SERVER-A
      ip address X.X.X.47
      inservice
    rserver host SERVER-B
      ip address X.X.X.48
      inservice
    serverfarm host FARM-AB
      predictor leastconns
      probe HTTP-80-OUR.DOMAIN.COM
      rserver SERVER-A
        inservice
      rserver SERVER-B
        inservice
    ACE4710# show probe HTTP-80-OUR.DOMAIN.COM detail
    probe       : HTTP-80-OUR.DOMAIN.COM
    type        : HTTP
    state       : ACTIVE
    description :
       port      : 80      address     : 0.0.0.0         addr type  : -
       interval  : 15      pass intvl  : 60              pass count : 3
       fail count: 3       recv timeout: 10
       http method      : GET
       http url         : http://our.domain.com
       conn termination : GRACEFUL
       expect offset    : 0         , open timeout     : 1
       expect regex     : -
       send data        : -
                    ------------------ probe results ------------------
       associations ip-address      port  porttype probes   failed   passed   health
       ------------ ---------------+-----+--------+--------+--------+--------+------
       serverfarm  : OUR.DOMAIN.COM-10.25.4.12-L3-FARM
         real      : SERVER-A[0]
                    X.X.X.47      80    DEFAULT  414      406      8        FAILED
       Socket state        : CLOSED
       No. Passed states   : 1         No. Failed states : 2
       No. Probes skipped  : 0         Last status code  : 401
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err : Received invalid status code
       Last probe time     : Wed Jun  2 17:44:18 2010
       Last fail time      : Wed Jun  2 13:37:04 2010
       Last active time    : Wed Jun  2 13:34:19 2010
         real      : SERVER-B[0]
                    X.X.X.48      80    DEFAULT  414      406      8        FAILED
       Socket state        : CLOSED
       No. Passed states   : 1         No. Failed states : 2
       No. Probes skipped  : 0         Last status code  : 401
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err : Received invalid status code
       Last probe time     : Wed Jun  2 17:44:20 2010
       Last fail time      : Wed Jun  2 13:37:06 2010
       Last active time    : Wed Jun  2 13:34:21 2010
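Both HTTP-probe threads above (whether ACE needs to resolve the name in the request URL, and the 401 seen when probing our.domain.com with credentials) come down to the same mechanics, so here is one added Python example covering both; it is not ACE code and not from either post. It opens the TCP connection to the rserver's IP, selects the site with the Host header (so no name resolution is involved), checks the status against an expect range, and handles a 401 by sending Basic credentials only when the server actually offers Basic; a 401 that offers only NTLM or Negotiate is reported as one Basic credentials cannot satisfy. The host name, path, probe account and canned responses are constructed for this example.

```python
import base64
import socket

def build_request(host_header: str, path: str, credentials=None) -> bytes:
    """HTTP/1.1 GET for one name-based site: the Host header picks the site, while the
    TCP connection goes to the rserver's IP, so nothing here needs a DNS lookup."""
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % host_header, "Connection: close",
             "User-Agent: added-example-probe"]
    if credentials:  # (user, password); assumption: the server accepts Basic for the probe account
        token = base64.b64encode(("%s:%s" % tuple(credentials)).encode()).decode()
        lines.append("Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_response(raw: bytes):
    """Status code and a lower-cased header map (list of values per name)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status, *header_lines = head.split("\r\n")
    version, code = status.split(" ", 2)[:2]
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(code), headers

def tcp_transport(ip: str, port: int = 80, timeout: float = 10.0):
    """Transport that sends one request to the rserver IP and reads the reply to EOF."""
    def send(request: bytes) -> bytes:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(request)
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    return send

class ScriptedTransport:
    """Constructed stand-in for tcp_transport: replays canned responses, records requests."""
    def __init__(self, responses):
        self.responses, self.requests = list(responses), []
    def __call__(self, request: bytes) -> bytes:
        self.requests.append(request)
        return self.responses.pop(0)

def probe_site(transport, host_header: str, path: str, expect=(200, 200), credentials=None):
    """Probe one site behind a shared IP; returns (passed, detail).

    A 401 is retried with Basic credentials only if the server offers Basic. A 401 that
    offers only NTLM/Negotiate cannot be answered this way and fails with that reason."""
    code, headers = parse_response(transport(build_request(host_header, path)))
    if code == 401 and credentials:
        schemes = [v.split(" ", 1)[0].lower() for v in headers.get("www-authenticate", [])]
        if "basic" not in schemes:
            return False, "401 offers %s; Basic credentials cannot satisfy it" % (schemes or ["nothing"])
        code, headers = parse_response(transport(build_request(host_header, path, credentials)))
    passed = expect[0] <= code <= expect[1]
    return passed, "status %d (expect %d-%d)" % (code, expect[0], expect[1])
```

To probe the real rservers, pass tcp_transport("X.X.X.47") in place of the scripted transport, once per site, each with its own Host header.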

  • Verizon is on DNS Blacklist

    Ok, I am a Verizon customer and I am livid with the way Verizon Customer support treats me (us customers).
I own my server (Windows Server 2003). I have over 100 clients and starting last month no one on my server could receive emails from anyone sending an email using a Verizon account. For example, my mother, brother, neighbors and others would send their email using a Verizon email account to my personal email account on my server. They'd receive a notice back: undeliverable, with the reason listed as IP Blacklisted. Then if a person that has Verizon internet and uses their email on my server would send from their Outlook, it would show as sent, but where it went no one knew. I'd send an email, watch the mail exchange on my server, and it would never show as going through.
So, after seeing the return notice about the blacklisted IP address, I did some checking, and at first I thought my server IP was on the DNS blacklist.
Well, it's not my IP that's blacklisted.
It turned out the DNS blacklists I have on my server have a ton of Verizon IPs blacklisted. So, when someone would send an email using Verizon Internet, the email would be checked against the DNS blacklist on my server, read as spam, and kicked back to the person as undeliverable with the blacklist notice. Then I found out that if a person that has Verizon internet (like myself) would send an email using their email account on my server, the email would show as sent (in their Outlook) but never go through my server. Again, the DNS blacklist would block the Verizon IP address associated with the email and not let it through.
    Here is the message they all got back. (My email address and server IP was removed for protection).
    Recipient address: [email protected]
    Reason: Remote SMTP server has rejected address
    Diagnostic code: The IP Address of the sender (206.46.173.7) was
    found in a DNS blacklist database and was therefore refused.
    Remote system: dns;xxxxxxx.com (TCP|206.46.173.7|9314|XX.XXX.XXX.XX|25)
    (mail.xxxx.com ESMTP, Version: 1.986-- ready at 12/10/09 19:05:52)
    Now run the IP 206.46.173.7 from the message above (which is a Verizon IP address, see below) against a DNS blacklist lookup. This is just one of the Verizon IP addresses I ran.
    PTR lookup: 206.46.173.7 -> vms173007pub.verizon.net (24 hrs)
    Here is what you get:
    Blacklist        Status   Reason
    Backscatter.org  LISTED   Sorry 206.46.173.7 is blacklisted at Detail (return codes were: 127.0.0.2)
    LASHBACK         LISTED   Sender has sent to LashBack Unsubscribe Probe accounts (return codes were: 127.0.0.2)
    SORBS-SPAM       LISTED   Spam Received See: Detail (return codes were: 127.0.0.6)
    Here are some of the DNS blacklist checks I use on my server that consider Verizon unsafe; if they are on a server’s mail exchange they will not allow email through or out:
    sbl.spamhaus.org
    zen.spamhaus.org
    spam.dnsbl.sorbs.net - Sorbs is one of the best to use too!
    smtp.dnsbl.sorbs.net
    spam.abuse.ch
    Now, the reason I am here on this forum and the reason I wrote all that: I had to turn off the spam checkers, and all my clients, including myself, are getting creamed with junk mail/spam. It was never, and I mean ever, this bad. I used to get maybe one a week.
    I have a fair amount of clients that have Verizon as their Internet provider. And, as long as I have the spam checkers enabled they (and I) are screwed. Turn them off (like now) and we are all screwed with unwanted email.
    Does anyone know any DNS Black Lists I can add to my server that won’t interfere with Verizon and all their IP Blacklisted?
    Oh, before I forget, why I am livid with Customer Support. These people are complete @#^$%’s. For example: I announced I am a customer and that I am the ADMINISTRATOR. I had these supposed “Techs” tell me 4 times: “Sir, you need to contact your server Administrator!” I spent hours and hours over almost a week trying to get help. NOTHING! Oh, then try to explain that the company you work for has a crap load of IP addresses blocked and they have no idea what you are talking about. I even emailed their blacklist/abuse department a copy similar to what I wrote above. Never heard a word back.
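To show what the poster's mail exchange is doing when it bounces a Verizon relay, here is an added example (not the poster's server code) of a DNSBL lookup against the zones listed in the post. The answers for 206.46.173.7 are constructed from the return codes shown above, and `check_ip`, `smtp_verdict` and the exemption for authenticated submissions are this example's own.

```python
"""How a DNSBL check like the one in the post above works. Added example, not
the poster's server code: reverse the sender IP's octets, prepend them to the
list zone, and treat an A answer inside 127.0.0.0/8 as 'listed'."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Three of the zones the poster runs against every inbound SMTP peer.
ZONES: List[str] = ["zen.spamhaus.org", "spam.dnsbl.sorbs.net", "smtp.dnsbl.sorbs.net"]
Resolver = Callable[[str], Optional[str]]  # query name -> A record text, or None

def dnsbl_qname(ip: str, zone: str) -> str:
    """206.46.173.7 + zen.spamhaus.org -> 7.173.46.206.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_ip(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, Optional[str]]:
    """Map each zone to its return code (e.g. 127.0.0.6) or None when not listed.
    Only answers in 127.0.0.0/8 count; anything else is a broken or parked zone."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    result: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_qname(ip, zone))
        listed = answer is not None and ipaddress.IPv4Address(answer) in loopback
        result[zone] = answer if listed else None
    return result

def smtp_verdict(ip: str, zones: List[str], resolve: Resolver,
                 authenticated: bool = False) -> Tuple[bool, str]:
    """Accept or reject a peer the way the poster's mail exchange does, except that
    an authenticated submission (his own users' Outlook) skips the list check."""
    if authenticated:
        return True, "authenticated submission, DNSBL check skipped"
    listed = {z: code for z, code in check_ip(ip, zones, resolve).items() if code}
    if listed:
        detail = ", ".join(f"{z} returned {code}" for z, code in listed.items())
        return False, f"The IP Address of the sender ({ip}) was found in a DNS blacklist database: {detail}"
    return True, "not listed"

def live_resolve(qname: str) -> Optional[str]:
    """Real lookup through the system resolver; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None

# Constructed answers for the IP in the post. The SORBS code 127.0.0.6 is the one
# the post shows; which SORBS zone produced it is an assumption.
CONSTRUCTED = {"7.173.46.206.spam.dnsbl.sorbs.net": "127.0.0.6"}

def fake_resolve(qname: str) -> Optional[str]:
    return CONSTRUCTED.get(qname)

if __name__ == "__main__":
    print(smtp_verdict("206.46.173.7", ZONES, fake_resolve))  # offline, constructed answers
```

Swap `fake_resolve` for `live_resolve` to query the real zones; one listed zone is enough to reject, which is why a listing of an ISP's shared outbound relays blocks every customer behind them.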

    Hello Scottye... sorry for the tough time. Unfortunately this isn't a Verizon issue, as the blacklisting isn't in house. We aren't blacklisting your IPs; these companies blacklisted your IPs. We suggest you contact Sorbs, Backscatter and Lashback directly. You may find this website helpful for SORBS http://www.au.sorbs.net/cgi-bin/support and another for SpamHaus http://www.spamhaus.org/lookup.lasso may be helpful as well.
    Constance
    Verizon Telecom
    Fiber Solution Center
    Notice: Content posted by Verizon employees is meant to be informational and does not supersede or change the Verizon Forums User Guidelines or Terms of Service, or your Customer Agreement Terms and Conditions or Plan.

  • How to properly setup LB probe for ADFS 3.0 servers

    We are facing a problem with ADFS 3.0 (Windows Server 2012 R2), because we cannot find a suitable URL for the hardware load balancer probe to test the ADFS nodes.
    When tried with the IE browser, the URL
    https://sts.adfs1.ad/adfs/ls/IdpInitiatedSignon.aspx properly results in the ADFS login page, but when the same URL is tried from the HW LB probe, the probe gets no answer from the ADFS server at all.
    We compared incoming traffic with Network Monitor on that ADFS server node (HTTPS temporarily changed to HTTP to see the traffic); a somewhat similar HTTP GET query did exist:
    GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1
    Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
    Accept-Language: fi-FI
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Host: sts.adfs1.ad

    GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1
    Connection: Close
    Host: sts.adfs1.ad
    How to properly monitor the ADFS 3.0 server nodes?
    Br, Kari Oikkonen
    MCITP/2008
    Fujitsu Finland

    Please note that using the DNS name in the URL opens the metadata OK, but using the IP address fails, not the opposite as you mentioned.
    The netsh http show sslcert lists the following:
    SSL Certificate bindings:
        Hostname:port                : sts.mydomain.com:443
        Certificate Hash             : 12b510eead093f8d29db950a42ecf4940c933533
        Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : AdfsTrustedDevices
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Hostname:port                : localhost:443
        Certificate Hash             : 12b510eead093f8d29db950a42ecf4940c933533
        Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : AdfsTrustedDevices
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
        Hostname:port                : sts.mydomain.com:49443
        Certificate Hash             : 12b510eead093f8d29db950a42ecf4940c933533
        Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Enabled
    The netsh http show urlacl shows the following:
    URL Reservations:
        Reserved URL            :
    http://+:80/Temporary_Listen_Addresses/
            User: \Everyone
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;WD)
        Reserved URL            :
    https://+:5986/wsman/
            User: NT SERVICE\WinRM
                Listen: Yes
                Delegate: No
            User: NT SERVICE\Wecsvc
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
        Reserved URL            :
    http://+:5985/wsman/
            User: NT SERVICE\WinRM
                Listen: Yes
                Delegate: No
            User: NT SERVICE\Wecsvc
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
        Reserved URL            :
    http://+:47001/wsman/
            User: NT SERVICE\WinRM
                Listen: Yes
                Delegate: No
            User: NT SERVICE\Wecsvc
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
        Reserved URL            :
    http://*:2869/
            User: NT AUTHORITY\LOCAL SERVICE
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;LS)
        Reserved URL            :
    http://*:5357/
            User: BUILTIN\Users
                Listen: Yes
                Delegate: No
            User: NT AUTHORITY\LOCAL SERVICE
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS)
        Reserved URL            :
    https://*:5358/
            User: BUILTIN\Users
                Listen: Yes
                Delegate: No
            User: NT AUTHORITY\LOCAL SERVICE
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS)
        Reserved URL            :
    https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
            User: NT SERVICE\SstpSvc
                Listen: Yes
                Delegate: Yes
            User: BUILTIN\Administrators
                Listen: No
                Delegate: No
            User: NT AUTHORITY\SYSTEM
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314)(A;;GR;;;BA)(A;;GA;;;SY)
        Reserved URL            :
    http://+:80/adfs/
            User: NT SERVICE\adfssrv
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
        Reserved URL            :
    https://+:443/adfs/
            User: NT SERVICE\adfssrv
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
        Reserved URL            :
    https://+:49443/adfs/
            User: NT SERVICE\adfssrv
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
        Reserved URL            :
    https://+:443/FederationMetadata/2007-06/
            User: NT SERVICE\adfssrv
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
    Any idea of how to build a probe rule with IP address?
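Added example, not from the post, from Fujitsu or from Microsoft: a probe that does what the hardware LB must do against a node whose `netsh http show sslcert` output has hostname bindings (sts.mydomain.com:443), namely connect to the node IP but present the service name in TLS SNI and the Host header. The name `sts.mydomain.com`, the node IPs and the `probe_node` helper are assumptions; the metadata path is the standard ADFS one.

```python
"""SNI-aware HTTPS health probe for an ADFS 3.0 node. Added example, not from the
post or from Microsoft. The netsh output above shows hostname bindings
(sts.mydomain.com:443), which HTTP.sys matches only when the client sends that
name in the TLS SNI extension; a probe that connects by IP without it gets no answer."""
import socket
import ssl
from typing import Optional, Tuple

METADATA_PATH = "/FederationMetadata/2007-06/FederationMetadata.xml"  # standard ADFS path

def build_request(hostname: str, path: str) -> bytes:
    """Minimal HTTP/1.1 GET. Host carries the service name, not the node IP."""
    return (f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\n"
            f"Connection: close\r\nUser-Agent: lb-probe/1\r\n\r\n").encode("ascii")

def parse_status(response: bytes) -> Optional[int]:
    """HTTP status code from a raw response, or None if it is not an HTTP reply."""
    parts = response.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])

def probe_node(node_ip: str, hostname: str, path: str = METADATA_PATH,
               timeout: float = 5.0, verify: bool = True) -> Tuple[bool, str]:
    """Connect to node_ip:443, handshake with SNI=hostname, GET path.
    Healthy means HTTP 200. Keep verify=True so a wrong or expired certificate
    also takes the node out of rotation."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((node_ip, 443), timeout=timeout) as raw:
            # server_hostname sets SNI; without it HTTP.sys has no binding to match
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.sendall(build_request(hostname, path))
                buf = b""
                while b"\r\n\r\n" not in buf:  # headers are enough for a verdict
                    data = tls.recv(4096)
                    if not data:
                        break
                    buf += data
    except (OSError, ssl.SSLError) as exc:
        return False, f"{node_ip}: {exc}"
    status = parse_status(buf)
    return status == 200, f"{node_ip}: HTTP {status}"

if __name__ == "__main__":
    # constructed node addresses and service name; replace with the real ones
    for ip in ("192.0.2.11", "192.0.2.12"):
        print(probe_node(ip, "sts.mydomain.com"))
```

If the LB's probe engine cannot send SNI, the same code run from a monitoring host shows whether the node itself is healthy, which separates an ADFS fault from a probe that simply never matched a binding.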

  • Event Manager question. Monitoring DNS entry.

    Hello everybody,
    I want to use Cisco Embedded Event Manager in a router for monitoring a DNS entry that normally resolves to 1.1.1.1; if it changes to 2.2.2.2 the router has to change some access lists automatically in order to permit different routes.
    I know how to configure the "action" sentences to change the ACLs, but I don't know how to configure a track or an SLA in order to check the DNS entry and react if it changes.
    Does someone know how to do that?
    event manager applet ChangeRoutesWhenDNSEntryChanges
    event track 21 state ??????????????????????????????????????????????????<----------
    action 1.0 cli command "enable"
    action 2.0 cli command "configure terminal"
    action 3.0 cli command "ip access...
    Thank you in advance!!
    Marcos.

    Indeed, I just provided the above example to demonstrate how we can force a DNS lookup and parse the IP address...
    I was actually thinking about using the IP SLA DNS probe, but I could not find a way to get the IP address from the results... It just shows the response time.
    In order to make the script work, we would most likely need to use some timer to trigger it periodically.
    This is an adaptation of my previous example to actually accomplish a periodic check:
    event manager applet CHECK-DNS
    event timer watchdog time 60
    action 1.0 cli command "ena"
    action 1.1 cli command "ping host1 repeat 1 timeout 0"
    action 2.0 regexp "ICMP Echos to (.*), timeout is 0 seconds:" "$_cli_result" _match _ip
    action 3.0 if $_ip ne 1.1.1.1
    action 4.0  syslog msg "host1 is now $_ip"
    action 5.0 end
    If you want to do something as a reaction to detecting the change, that would have to go into the "4.0" block (you can use 4.1, 4.2, etc.)
    Another thing to consider is that this script would run every minute, so as long as the DNS query resolves to anything but 1.1.1.1 we would re-apply the config changes, which is not that good...
    A way to solve this can be seen in the next example:
    event manager applet HOST1-NOT-1.1.1.1
    event timer watchdog time 60
    action 1.0 cli command "ena"
    action 1.1 cli command "ping host1 repeat 1 timeout 0"
    action 2.0 regexp "ICMP Echos to (.*), timeout is 0 seconds:" "$_cli_result" _match _ip
    action 2.1 track read 100
    action 3.0 if $_ip eq 1.1.1.1
    action 4.0  if $_track_state eq down
    action 4.1   track set 100 state up
    action 4.2   syslog msg "host1 is now 1.1.1.1 again"
    action 4.9  end
    action 5.0 else
    action 6.1  if $_track_state eq up
    action 6.2   track set 100 state down
    action 6.3   syslog msg "host1 is not 1.1.1.1, new ip is $_ip"
    action 6.9  end
    action 7.0 end
    Basically we are using a stub tracking object to maintain state. Track object 100 would be up if we know host1=1.1.1.1, but if we detect it is something else we change it to down. Only after we detect that host1=1.1.1.1 again do we change the track object back to up, which would enable detecting another change...
    Any actions you want to take should go into section "6" and any clean up (when host1=1.1.1.1 again) has to go into section "4".
    It is possible to make this detect any change, and not just have a static 1.1.1.1 value, by assigning the newly detected value to a variable and basically looking for a change... Not sure what your requirement is.
    The output below shows how this works...
    Router#show run | inc ip host
    ip host host1 1.1.1.1
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ip hos
    Router(config)#ip host host1 2.2.2.2
    Router(config)#^Z
    Router#
    *Nov  9 18:23:18.009: %TRACKING-5-STATE: 100 stub   Up->Down
    *Nov  9 18:23:18.021: %HA_EM-6-LOG: HOST1-NOT-1.1.1.1: host1 is not 1.1.1.1, new ip is 2.2.2.2
    Router#
    *Nov  9 18:23:18.065: %SYS-5-CONFIG_I: Configured from console by console
    Router#
    Router#
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ip host host1 1.1.1.1
    Router(config)#^Z
    Router#
    *Nov  9 18:23:42.805: %SYS-5-CONFIG_I: Configured from console by console
    Router#
    *Nov  9 18:24:18.025: %TRACKING-5-STATE: 100 stub   Down->Up
    Router#
    *Nov  9 18:24:18.033: %HA_EM-6-LOG: HOST1-NOT-1.1.1.1: host1 is now 1.1.1.1 again
