Problem in Zone Based FW Config
Could anyone see why the below config is making http downloads/streaming hang. Cant watch any streaming as it hangs in various parts but also downloading MS service packs, it will sometimes not start at all or get a few percent then cut off.
Downloading off newsgroups though is not an issue.
It is deffo router in some way. Tried a bog standard one and no issues. Seems to be since I adjusted the FW config through the CCP wizard and might of selected the medium security option.
Any ideas please?
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
This is the current running config:
HOME_RTR#sho term len 0
HOME_RTR#show run
Building configuration...
Current configuration : 8216 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname
logging message-counter syslog
enable secret 5
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-2045468537
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2045468537
revocation-check none
rsakeypair TP-self-signed-2045468537
crypto pki certificate chain TP-self-signed
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip dhcp pool PRIVATE
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
ip dhcp pool WORK
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
ip dhcp pool SERVER
host 192.168.10.200 255.255.255.0
client-identifier 0100.248c.3fdb.a9
client-name SERVER
ip dhcp pool XBOX
host 192.168.10.210 255.255.255.0
client-identifier 0100.25ae.eae4.88
client-name XBOX
ip cef
ip domain name home.local
no ipv6 cef
multilink bundle-name authenticated
archive
log config
hidekeys
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
interface ATM0
no ip address
no ip redirects
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
shutdown
interface FastEthernet2
shutdown
interface FastEthernet3
shutdown
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
interface Vlan10
description $FW_INSIDE$
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
interface Dialer0
description ADSL Dialup
ip address negotiated
no ip redirects
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
ppp ipcp address accept
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip access-list extended XBOX-Live
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
snmp-server community public RO
control-plane
banner login ^CHOME
^C
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
scheduler max-task-time 5000
end
HOME_RTR#exit
Similar Messages
-
Problems with Zone based Firewall and mtr (mytraceroute)
We are using ZFW on an ASR1001 and have experienced a problem: when I try to use mtr (mytraceroute, see
http://en.wikipedia.org/wiki/MTR_%28software%29), I am getting packetloss on all hops between the source and the destination. e.g.:
<code>
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 100.0 8 0.0 0.0 0.0 0.0 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
7. de-cix20.net.google.com 100.0 7 0.0 0.0 0.0 0.0 0.0
8. 72.14.238.230 100.0 7 0.0 0.0 0.0 0.0 0.0
9. 72.14.239.62 100.0 7 0.0 0.0 0.0 0.0 0.0
10. 209.85.242.187 100.0 7 0.0 0.0 0.0 0.0 0.0
11. ???
12. ???
13. ???
14. bk-in-f94.1e100.net 0.0% 7 20.0 20.6 20.0 21.2 0.4
</code>
So it seems that the Firewall on my asr1001 is throwing away all packets with ttl-exceeded coming back from hops in between, they have another destination address.
At the moment I am inspecting all kind of traffic from my network outgoing:
ip access-list extended 101
permit ip any any
class-map type inspect match-all cmap1
match access-group name 101
policy-map type inspect pmap1
class type inspect cmap1
inspect
etc... (zones, zone-pair in-out with policies applied)
So I tried to let pass all icmp-traffic from the outside to my network:
class-map type inspect match-all cmap_icmp
match protocol icmp
policy-map type inspect pmap2
class type inspect cmap_icmp
pass
etc... (zones, zone-pair out-in with policies applied)
So this has no effect, but I tested and I could figure out, that when I pass all icmp-traffic from my network to the outside, THEN mtr does work.
BUT then normal ping does not work anymore, because it will not be inspected any more.
But I want to have a secure Firewall with inspecting echo-replys and working mtr anyway.
Has anyone the same problem or can even solve this issue?
Thanks in advance,
StefanHi Andrew, thanks for Your answer...
So I have now:
class-map type inspect match-any cmap_icmp
match access-group name icmp_types
ip access-list extended icmp_types
permit icmp any any ttl-exceeded
PMAP IN--> OUT
(don't be confused, my "vlanxxx_pmap_in" is the pmap FROM my network TO the outside...)
policy-map type inspect vlan664_pmap_in
class type inspect vlan664_cmap_in (this is an extended ACL "permit ip x.x.x.x any")
inspect
class type inspect ipsec_cmap_in (this is because I have problems with VPN when inspected, another problem...)
pass log
class class-default
drop log
PMAP OUT-->IN
policy-map type inspect vlan664_pmap_out
class type inspect cmap_icmp (here comes the "ttl-exceeded"-ACL)
pass log
class type inspect vlan664_cmap_out (some open ports for some clients)
inspect
class type inspect ipsec_cmap_out (same problem with VPN when inspected)
pass log
class class-default
drop log
But unfortunately, the same problem occurs. Curiously, the first two packets seem to go "through" the firewall, but with 3rd packet the packetloss comes up:
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 50.0% 3 0.3 0.3 0.3 0.3 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 50.0% 3 0.9 0.9 0.9 0.9 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 0.0% 2 2.7 2.7 2.7 2.7 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 0.0% 2 1.5 1.5 1.5 1.5 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 0.0% 2 2.5 2.5 2.5 2.5 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 0.0% 2 4.1 4.1 4.1 4.1 0.0
7. de-cix20.net.google.com 0.0% 2 5.0 5.0 5.0 5.0 0.0
8. 72.14.238.44 0.0% 2 39.2 39.2 39.2 39.2 0.0
9. 72.14.236.68 0.0% 2 5.4 5.4 5.4 5.4 0.0
10. 209.85.254.118 0.0% 2 5.4 5.4 5.4 5.4 0.0
11. ???
12. google-public-dns-a.google.com 0.0% 2 5.5 5.3 5.2 5.5 0.2
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 66.7% 4 0.3 0.3 0.3 0.3 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 66.7% 4 0.8 0.8 0.8 0.8 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 66.7% 4 2.1 2.1 2.1 2.1 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 66.7% 4 1.5 1.5 1.5 1.5 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 66.7% 4 2.6 2.6 2.6 2.6 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 66.7% 4 4.2 4.2 4.2 4.2 0.0
7. de-cix20.net.google.com 66.7% 4 5.3 5.3 5.3 5.3 0.0
8. 72.14.238.44 66.7% 4 70.3 70.3 70.3 70.3 0.0
9. 72.14.239.60 66.7% 4 5.8 5.8 5.8 5.8 0.0
10. 209.85.254.116 66.7% 4 5.8 5.8 5.8 5.8 0.0
11. ???
12. google-public-dns-a.google.com 0.0% 4 6.3 5.7 5.2 6.3 0.5
In the sessions on the routers, I see only this entry:
Session 206F66C (129.143.6.89:8)=>(8.8.8.8:0) icmp SIS_OPEN
Any other suggestions? -
Traditional ACL vs Zone Based FW
I have a 3845 ISR that I have been managing for a couple years that has a traditional ACL based config. We just purchased a new 3845 for redundancy and it arrived with the zone based config from Cisco. Any opinions on whether I should take the existing router to a zone based config or should I configure the new router with traditional ACL config that I am more comforatable with?
If there was the option to use a Zone based FW or just straight access lists then surely the Zone based FW would be considered a better option as it has more features than just permit or deny. The Zoned based FW will also inspect traffic and block any traffic with malicous code for example. I am not an expert in this arena, but based on Security exam topics and other publications, the FW approach seems to be gaining traction versus managing ACLs alone. Although, ACLs will always have their place in the network...
The choice is based on your comfort level, but both are viable options...
BR,
Cary
Sent from Cisco Technical Support iPad App -
CSS Zone based DNS solution question
I have a css at the main site configured as a stand alone unit at the moment.
I have the advanced feature set and want to use our second CSS for a dynamic failover sceanario in the DR site.
At the moment in the event of Internet access interruption of the Main site, the DR site is configured to advertise the main site Internet subnet out it's edge router to BGP.
The DR edge router receives updates from the Main site edge router through everything end to end and distributes this into BGP.
The DR PIX has static mappings to the main site servers.
But this is only if the link drops and everything else is up.
If the site gets wiped out, there is no failover plan.
I am thinking this will be a problem if I set up the Zone Based DNS scenario.
I have the CSS devices, is this a huge problem to work around?
Any thoughts?Anyone? Gilles, any words of advice?
I found this in the documentation for acl's, it states...
"If you configure a CSS with the dns-server command, and the CSS receives a
DNS query for a domain name that you configured on the CSS using the host
command, the DNS query will not match on an ACL that is configured with the
apply dns command.
However, if you configure a domain name on a content rule on a CSS using the
add dns domain_ name command, a DNS query for that domain name will match
on an ACL that is configured with the apply dns command."
The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command. -
CSS Zone based DNS for Site Redundancy?
I am in the process of changing from rules based dns to zone based dns. I had used the document below to provide redundancy between 2 sites.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801dcd75.shtml
The is an acl in the document which says
"If the primary site is up, then this ACL will tell requests landing on this site to prefer the Primary site.
clause 10 permit any any destination content owner_backup/WWW-backup prefer hacked_redirectt
clause 99 permit any any destination any
apply circuit-(VLAN1)
apply dns
Once I implemented a dns-server zone, this acl no longer has an effect. The requests are round robbining unless I set the dns-server zone to preferlocal. Unfortunately this does not solve my problem, if the main site is up both css's should prefer the main site.
How is this same thing accomplished with zone based dns, or is it even possible? Thanks.Anyone? Gilles, any words of advice?
I found this in the documentation for acl's, it states...
"If you configure a CSS with the dns-server command, and the CSS receives a
DNS query for a domain name that you configured on the CSS using the host
command, the DNS query will not match on an ACL that is configured with the
apply dns command.
However, if you configure a domain name on a content rule on a CSS using the
add dns domain_ name command, a DNS query for that domain name will match
on an ACL that is configured with the apply dns command."
The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command. -
Cisco Zone-based firewall issue/ not receiving return traffic
Hi,
I have created a Cisoc IOS Zone based firewall on my cisco 3945 router. I have an issue receiving any returning traffic. Here is a simplified version of my issue.
I have two zone pairs: Internal to Outside and Outside to Internal.
In the zone pair Out-to-Int I have a few rules allowing connections to specific servers on specific ports. The default class-map drops any non-matching packets.
In the zone pair Int-to-Out I have a rule saying internal PCs can access any destination on the internet over “any” service. When I put the action as “Inspect” I cannot connect to the internet. It’s as if my return traffic is not detected by the firewall and instead gets dropped by the default class map in the Out-to-Int pair.
To make it work I need to do two changes. I need to choose Allow instead of Inspect and I need to change the default class-map on the Out-to-Int pair to “allow” for unmatched traffic. But this is not good because I have a default allow on my out-to-int pair.
Am I misunderstanding something? Shouldn’t the inspect action on the Int-to-Out zone allow for return traffic no matter what rules I applied on the Out-to-Int pair? Thank you in advance for your help.Please share your config. Then we can see what's wrong there.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
The problem of function-based reuse
I read the quoted text as follows from a book authored by a Microsoft developer. I googled and found a lots of quotes of it, but did not find any explanation.
============
With languages like C, the basic unit of reuse is the function. The problem with function-based reuse is that the function is coupled to the data it manipulates. and if the data is global, a change to benefit one function in one reuse context damages another function used somewhere else.
============
C uses libraries widely,which is of function-based reuse. Can anybody kindly give me a scenario when this problem happens?
Java is typically object-based reuse, and I admit that my question is not a Java one. But I feel it would help to understand more about the concept or benefits of design of Java language. So, thank you to allow me to post this question here,
Edited by: 799160 on Sep 30, 2010 12:38 PM
Edited by: 799160 on Sep 30, 2010 12:57 PMThis is what I got out of reading the quote you posted:
I suppose something like the following could happen:
You (being a general person) have been given a class to modify. You look at the code for the first time and it has a bunch of methods and some class variables in it. Some of the methods use the class variables. How can you be sure if you change the functionality to change a class variable in one method won't affect the other methods when they are used? This problem can be solved by learning what everything does, how it interacts and the correct way to use it. But then again, if you don't think about it and just make changes...Oops!
Perhaps another abstract example would make sense:
Imagine a calculator that could be used by 2 people at the same time? I bet it'd come up with some funny answers :)
I wrote up a short example of this, hopefully it makes some sense:
public class SuperBigProgram
private int globalVar;
public static void main ( String[] args )
new SuperBigProgram();
public SuperBigProgram()
System.out.println("I'm a super big program.");
globalVar = 0;
//Let's pretend these series of events occur during the program:
doItHighChanceActivity(); //1
doItHighChanceActivity(); //2
doItHighChanceActivity(); //3
//Whoops super rare event occured!
doesNotHappenALot();
doItHighChanceActivity(); //4???? but is really 5.
* This happens A LOT!
private void doItHighChanceActivity ()
superUtilityMethod();
System.out.println("globalVar: " + globalVar);
* This utility method does some awesome utility stuff for our Super Big Program.
* This changes some global data.
private void superUtilityMethod()
globalVar++;
* This does not happen a lot, if at all.
private void doesNotHappenALot()
//Hey I don't happen a lot but I'm reusing this really cool utility method that contains global data...
//Code reuse for the win!
superUtilityMethod();
}Here is the output:
I'm a super big program.
globalVar: 1
globalVar: 2
globalVar: 3
globalVar: 5
Edited by: kilosi on Sep 30, 2010 1:22 PM -
Problem with File Based replication in Weblogic Express 10
Hi,
We have Web application (exploded war) file deployed on Weblogic Express 10, to a Cluster of three Managed Servers (all three on different physical machines).
We are using File based session persistance in weblogic.xml
We have a shared location for all the three servers where we will be sharing the Session data.
When we start the application, its works fine and is very fast, but after sometime the application slows down.
Troubleshooting the Issue we found that its a problem with file based replication. By using File based replication every user session is stored in form of directory inside shared directory. So after sometime thousands of directories are created inside the shared directory where the session information is stored. So when we access the application, its waiting for lot of time with Message Session Monitor .... (this is because its browsing through the shared session storage directory for lot of time for session information as it has lot of directories) and finally after a long time like 10 mins we get the Application Home Page.
When we clean up all the saved sessions inside shared directory, the application works fine, But we will see the same sometime later may be after 3 or 4 hours when the shared session directory has lot of session information stored in it.
Is there a way to clean up the saved session information on file system as soon as that user session is closed by using file based replication.
We cannot used Inmemory replication as our Appl doesnt support it.
Please advice as it is a major show stopper in our Production Mirror env.
Weblogic ConsultantIt is possible to reduce number of live session by configuring very low timeout-secs weblogic.xml. Default is 60 minutes.
More details are here..
http://e-docs.bea.com/wls/docs100/webapp/weblogic_xml.html#wp1071982
Jayesh
Yagna Sys -
Problem Creating VirtualProviders Based on the DTP
Problem Creating VirtualProviders Based on the Data Transfer Process .
(1) I have created an Data Source(extract structure and extractor) on SYS1. Tested the extractor. It returns data as desired.
(2) Then I replicated this Data Source to SYS2.
(3) In SYS1 I created InfoCube(VirtualProvider based on data transfer process for direct access) .
Till this point I have no issues .
(4) But after that I am not able to "Create Data Transfer Process" for this Virtual Infoprovider . When I try to create DTP the DTP type available for selection is "Scheduled" where as per the documentation I need to create DTP of DTP type "DTP for Direct Access".This DTP type I donot see.
Is it a problem with the BW configuration or some user error.Any suggestions which may help would be realy appreciated.
Thanks & Regards,
priyadarshiCorrected some typo in my earlier update...
Problem Creating VirtualProviders Based on the Data Transfer Process .
(1) I have created an Data Source(extract structure and extractor) on SYS1. Tested the extractor. It returns data as desired.
(2) Then I replicated this Data Source to SYS2.
(3) In SYS2 I created InfoCube(VirtualProvider based on data transfer process for direct access) .
Till this point I have no issues .
(4) But after that I am not able to "Create Data Transfer Process" for this Virtual Infoprovider . When I try to create DTP the DTP type available for selection is "Standard(Scheduled)" where as per the documentation I need to create DTP of DTP type "DTP for Direct Access".This DTP type I donot see.
Is it a problem with the BW configuration or some user error.Any suggestions which may help would be realy appreciated.
Thanks & Regards,
priyadarshi -
Problem with replication based on materialized view
Problem with replication based on materialized view...
Given:
1. Source: S-1
2. Targets: T-1, T-2
3. DB links: from T-1 to S-1, from T-2 to S-1
Required replicate table TBL on S-1 to T-1, T-2 via db links.
On S-1 was created materialized view log with PK on TBL. On T-1, T-2 were created mat.views as "on prebuilt table refresh fast on demand". In case of get "ORA-12034: materialized view log younger than last refresh" or initial load - perform complete refresh. Initial load on T-1 takes about 1 hour, on T-2 - about 12 hours. Refresh is executed via job with minutely interval. If refresh is running then it is not performed.
Problem: after initial load on T-1 performs fast refresh, but on T-2 raised ORA-12034 and complete performs again.
What's wrong?34MCA2K2, Google lover?
I confess perhaps I gave a little info.
View log was created before MV.
It was the first initial load.
No refresh failed.
No DDL.
No purge log.
Not warehouse.
There is no such behavior for MVs on another sites.
P.S. I ask help someone who knows what's wrong or who faced with it or can me follow by usefull link.
P.P.S. It's a pity that there is no button "Useless answer" -
Problem in form based authentication
Hi,
I am encountering some problem in form based authentication.
When I try to login for the first time. It reoute me to the image
directory and not to the request page.
When I try it for the second time, it shows
"Form based authentication failed. Could not find session."
And it always show this message no matter how many time I try.
I am not sure is it something that I did not set ...
Thanks for any advice.
EricHi Eric,
It may be a problem in your web.xml, I missed the "/" slash character
in the web.xml's in <form-login-page> element. So your web.xml
must look like -
Nearest time zones based on user time zone
Hi,
In my application, user accesses the applet in the browser and based on the user time zone I need to display the list of available server which are near to his time zone.
Please provide me some hints on how to sort the time zones based on the time zone offset.
Thanks
AravindHi,
In my application, user accesses the applet in the browser and based on the user time zone I need to display the list of available server which are near to his time zone.
Please provide me some hints on how to sort the time zones based on the time zone offset.
Thanks
Aravind -
Look-up java time zone based on location?
I have a test app where I can assign a java timezone and return time info - However, I don't see a way to look-up a java time zone based on location (combination of city/province/state/country).
Is this possible?Has any one found a way to lookup a timezone based on a city/region in the world? So one could be able to type any city and state/province and country combination and get the corresponding timezone for that region. Is there a place where one can buy this data?
Thank you -
Characterstics Assignment in Accounting Based COPA Config.
HI,
How to give Characterstics in Accounting Based COPA Config. and what is the TCode....
regards
JKHi
It is strongly recommended, however, that you do not activate both types of CO-PA. The
major reason being is that you will have significant table size impacts. You must be careful
with account based CO-PA as this creates additional line items in the existing CO tables of
COEP (actual), COEJ (plan), COSP & COSS (summary records). Hence if you want to do any
cost center reporting, say, from any of these existing tables you will run the risk that
performance will be degraded by these additional and unnecessary records.
The only advantage of account based over costing based CO-PA is it's ability to
automatically reconcile back to FI, in much the same manner as you would reconcile
cost center accounting back to FI. However you don't have the flexibility in account
based CO-PA to perform valuations using product cost estimates etc. as you do in
costing based CO-PA. If the reason you were advised to turn on account based CO-PA
as well as costing based was to facilitate reconciliation, it is suggested that you look
at alternatives that won't have the same negative impacts that turning on account
based would have. In addition to the serious table space issues, it is not that easy to
turn on and off account based at will (especially in production).
Instead what you should look at doing is creating a series of reports that enable you to
reconcile costing based CO-PA back to CCA/PCA and FI, if this is required. The complexity
of the costing based functionality you have used will determine the complexity of the
reports that will be needed to reconcile back, but it can be done without turning on
account based CO-PA.
Regards -
GSLB Zone-Based DNS Payment Gw - Config Active-Active: Not Failing Over
Hello All:
Currently having a bit of a problem, have exhausted all resources and brain power dwindling.
Brief:
Two geographically diverse sites. Different AS's, different front ends. Migrated from one site with two CSS 11506's to two sites with one 11506 each.
Flow of connection is as follows:
Client --> FW Public Destination NAT --> CSS Private content VIP/destination NAT --> server/service --> CSS Source VIP/NAT --> FW Public Source NAT --> client.
Using Load Balancers as DNS servers, authoritative for zones due to the requirement for second level Domain DNS load balancing (i.e xxxx.com, AND FQDNs http://www.xxxx.com). Thus, CSS is configured to respond as authoritative for xxxx.com, http://www.xxxx.com, postxx.xxxx.com, tmx.xxxx.com, etc..., but of course cannot do MX records, so is also configured with dns-forwarders which consequently were the original DNS servers for the domains. Those DNS servers have had their zone files changed to reflect that the new DNS servers are in fact the CSS'. Domain records (i.e. NS records in the zone file), and the records at the registrar (i.e. tucows, which I believe resells .com, .net and .org for netsol) have been changed to reflect the same. That part of the equation has already been tested and is true to DNS Workings. The reason for the forwarders is of course for things such as non load balanced Domain Names, as well as MX records, etc...
Due to design, which unfortunately cannot be changed, dns-record configuration uses kal-ap, example:
dns-record a http://www.xxxx.com 0 111.222.333.444 multiple kal-ap 10.xx.1.xx 254 sticky-enabled weightedrr 10
So, to explain so we're absolutely clear:
- 111.222.333.444 is the public address returned to the client.
- multiple is configured so we return both site addresses for redundancy (unless I'm misunderstanding that configuration option)
- kal-ap and the 10.xx.1.xx address because due to the configuration we have no other way of knowing the content rule/service is down and to stop advertising the address for said server/rule
- sticky-enabled because we don't want to lose a payment and have it go through twice or something crazy like that
- weighterr 10 (and on the other side weightedrr 1) because we want to keep most of the traffic on the site that is closer to where the bulk of the clients are
So, now, the problem becomes, that the clients (i.e. something like an interac machine, RFID tags...) need to be able to fail over almost instantly to either of the sites should one lose connectivity and/or servers/services. However, this does not happen. The CSS changes it's advertisement, and this has been confirmed by running "nslookups/digs" directly against the CSSs... however, the client does not recognize this and ends up returning a "DNS Error/Page not found".
Thinking this may have something to do with the "sticky-enabled" and/or the fact that DNS doesn't necessarily react very well to a TTL of "0".
Any thoughts... comments... suggestions... experiences???
Much appreciated in advance for any responses!!!
Oh... should probably add:
nslookups to some DNS servers consistently - ALWAYS the same ones - take 3 lookups before getting a reply. Other DNS servers are instant....
Cheers,
Ben Shellrude
Sr. Network Analyst
MTS AllStream IncHi Ben,
if I got your posting right the CSSes are doing their job and do advertise the correct IP for a DNS-query right?
If some of your clients are having a problem this might be related to DNS-caching. Some clients are caching the DNS-response and do not do a refresh until they fail or this timeout is gone.
Even worse if the request fails you sometimes have to reset the clients DNS-demon so that they are requesting IP-addresses from scratch. I had this issue with some Unixboxes. If I remeber it corretly you can configure the DNS behaviour for unix boxes and can forbidd them to cache DNS responsed.
Kind Regards,
joerg
Maybe you are looking for
-
sorry, other apps are working fine and finding the new printer. HP Officejet 8620.
-
I placed an upgrade order for two phones, an iPhone 6 and 6plus. I was in the Verizon shopping cart at 11:55 and checked out by 12:01 AM pacific time. I do have my email confirmation for both phones with ship date 9/19 The iPhone 6 has shipped with t
-
Tables for additions/write-off/transfer of assets
Hi, What are the tables for getting values reg asset additions/write-off/transfer during year/period. Regards Ankur
-
English Site for SBL51XPU.
does anyone have a english site for SBL5XPU.EXE
-
Windows equivalent "Home" and "End" keys?
Okay, if there was one keyboard shortcut I used in Windows all the time, it was Shift-Home or Shift-End to highlight an entire line quickly. Control-A and Control-B do something like that, but I can't use Shift at the same time to highlight. Is there