RMI over different subnets causing TCP BAD CHECKSUM

I have a customer that is trying to run my system over different subnets and is getting large performance hits due to a TCP BAD CHECKSUM error that they have been able to monitor when they have the RMI server on one subnet and the RMI client on another.
We don't see the problem on our systems (because we run on the same subnets) as do all of our other customers.
We've written a little program that just does some simple RMI calls over the different subnets and are still seeing the TCP BAD CHECKSUM errors.
Is there some reason that they are seeing these errors when the two are on different subnets? Is there any way to solve this problem (as it is causing a big hit in our performance)?

It is certainly nothing to do with RMI. The most probable culprit is bad hardware between the two subnets.
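Added example (not part of the original thread or of any poster's code): a way to confirm from packet captures whether segments really fail the TCP checksum, and at which capture point between the two subnets the damage first appears. The addresses, ports, payload and capture-point names are constructed for illustration.

```python
import socket
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP, TCP and UDP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with one zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:   # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: the TCP checksum also covers both IP addresses."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum for a segment whose checksum field (bytes 16-17) is zero."""
    data = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ~ones_complement_sum(data) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A received segment is intact if the sum, checksum included, is 0xFFFF."""
    data = pseudo_header(src_ip, dst_ip, len(segment)) + segment
    return ones_complement_sum(data) == 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Build a minimal 20-byte-header PSH/ACK segment with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 1,
                         5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def flip_bit(segment: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate single-bit corruption by a faulty device on the path."""
    damaged = bytearray(segment)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


def first_bad_capture(src_ip, dst_ip, captures):
    """Return the first capture point where the segment fails, else None.

    `captures` is an ordered list of (capture point, raw TCP segment) for
    the same segment recorded along the path from sender to receiver.
    """
    for point, segment in captures:
        if not checksum_ok(src_ip, dst_ip, segment):
            return point
    return None


# Constructed sample data: documentation addresses, RMI registry port 1099.
CLIENT = "192.0.2.10"
SERVER = "198.51.100.20"
GOOD = build_segment(CLIENT, SERVER, 40000, 1099, 1000,
                     b"constructed RMI call payload!")
DAMAGED = flip_bit(GOOD, 25)  # one bit flipped inside the payload
CAPTURES = [
    ("client NIC", GOOD),
    ("router ingress", GOOD),
    ("router egress", DAMAGED),
    ("server NIC", DAMAGED),
]

if __name__ == "__main__":
    print("first failing capture point:",
          first_bad_capture(CLIENT, SERVER, CAPTURES))
    # The pseudo-header ties the checksum to the IP addresses, so a device
    # that rewrites an address without updating the checksum also breaks it.
    print("valid with rewritten source address:",
          checksum_ok("192.0.2.11", SERVER, GOOD))
```

A capture taken on the sending host itself can show failing checksums when the NIC computes them in hardware after the capture point, so compare captures taken on the wire or on the receiving side.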

Similar Messages

  • IP-3-TCP_BADCKSUM:TCP bad checksum error

    On my Catalyst 6509 switch with MSFC cards I'm receiving the following error:-
    2005 Aug 24 12:28:12 gmt +02:00 %IP-3-TCP_BADCKSUM:TCP bad checksum
    Any reason why? I have attached the show version of the switch.
    TEXT6500-S-SQP (enable) sh ver
    WS-C6509 Software, Version NmpSW: 6.3(9)
    Copyright (c) 1995-2002 by Cisco Systems
    NMP S/W compiled on Sep 23 2002, 17:51:19
    System Bootstrap Version: 5.3(1)
    Hardware Version: 2.0 Model: WS-C6509 Serial #: SCA0423032D
    PS1 Module: WS-CAC-1300W Serial #: SON04180245
    PS2 Module: WS-CAC-1300W Serial #: SON04172006
    Mod Port Model Serial # Versions
    1 2 WS-X6K-SUP1A-2GE SAD04220A77 Hw : 3.1
    Fw : 5.3(1)
    Fw1: 5.1(1)CSX
    Sw : 6.3(9)
    Sw1: 6.3(9)
    WS-F6K-PFC SAD042302ZZ Hw : 1.1
    2 2 WS-X6K-SUP1A-2GE SAD04220B2H Hw : 3.1
    Fw : 5.3(1)
    Fw1: 5.1(1)CSX
    Sw : 6.3(9)
    Sw1: 6.3(9)
    WS-F6K-PFC SAD042206UG Hw : 1.1
    3 8 WS-X6408A-GBIC SAD042102X8 Hw : 1.1
    Fw : 5.1(1)CSX
    Sw : 6.3(9)
    4 48 WS-X6348-RJ-45 SAD04190CRC Hw : 1.1
    Fw : 5.3(1)
    Sw : 6.3(9)
    5 8 WS-X6408A-GBIC SAL08486F97 Hw : 3.1
    Fw : 5.4(2)
    Sw : 6.3(9)
    15 1 WS-F6K-MSFC SAD042202F4 Hw : 1.4
    Fw : 12.1(8b)E13
    Sw : 12.1(8b)E13
    16 1 WS-F6K-MSFC SAD042202WH Hw : 1.4
    Fw : 12.1(8b)E13
    Sw : 12.1(8b)E13
    DRAM FLASH NVRAM
    Module Total Used Free Total Used Free Total Used Free
    1 65408K 47468K 17940K 16384K 9514K 6870K 512K 276K 236K

    IP-3-TCP_BADCKSUM:TCP bad checksum
    This message is informative only. The problem is caused by a device in the network that is sending bad packets to the switch.
    IP-3-TCP_BADCKSUM:TCP bad checksum
    Explanation: This message indicates that the system has received a TCP packet with a bad checksum from another device on the administrative VLAN. The packet will be discarded.
    Action: This message is provided for information only.
    Also, if you have Cisco ACS, check out the following bug
    http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCeh32487

  • TCP bad checksum

    Hi
    Could someone inform me how a CSS 11500 handles a packet with an invalid TCP checksum? I have two load-balanced svrs behind a CSS and I'm seeing the and ACK with a bad checksum hitting the server VLAN interface of the CSS, which appears to send RST 200 microseconds later to the server but not to the client. Is this normal behaviour?
    Thanks in advance

    Stephen,
    Don't look at the interval with just the last packet.
    The CSS will mark a flow idle if the interval between 2 consecutive packets is bigger than the idle timeout.
    At that time, no reset will be sent.
    But during the garbage collection process, the CSS may reclaim resources held by connections that were marked idle.
    Even if the connection was not idle anymore, the CSS will destroy it if it was marked idle anytime in the past.
    Moreover, for HTTP connections, the idle timeout is 8 sec and not 16.
    Finally, you can also check with 'show dos' to see if the CSS considers the connection illegal, which would trigger a reset as well.
    Gilles.

  • Satellite Pro U200 - Bad Checksum (ROM (Data Block) ) error

    Hello, when I start my Toshiba Satellite Pro U200
    I have an error
    Bad Checksum (ROM (Data Block) )
    PRESS ANY KEY TO CONINUE.
    Please help

    The most common cause for "Bad Checksum" errors is a CMOS battery malfunction on the motherboard.
    The battery could be empty or could simply be dead. But it's really not easy to say what's wrong exactly!
    Therefore I would recommend firstly to access the BIOS and to set it to default settings. Don't forget to save the changes.
    Furthermore you should connect the AC adaptor and leave it connected for about 24 hours to recharge the CMOS battery.
    Maybe it helps to get rid of this error message.
    If it doesn't help, then you should contact a notebook technician!

  • Is it OK to have two SBS Servers with same name, on different subnets but connected over a VPN?

    Hi Everyone,
    I'm just about to connect up two SBS 2011 Servers with the same server name but on different subnets & domains over a VPN.
    So for example both servers will have the name Server01, one would have an ip address of 192.168.85.5, the other 192.168.86.5, they both then would be connected over a VPN.
    Can anyone foresee any issues with this configuration, like DNS & DHCP requests, adding new machines to the domain, mapping drives etc.
    Many thanks,
    Nick

    Hi Larry & Strike First,
    Thank you for your responses. I understand that this is an unusual situation. Basically I've recently taken over the IT support for this client. The client has just had a new phone system installed & is asking if they can speak to each office internally, which can easily be done once I set up the VPN.
    However I noticed whilst looking at this further that the Server names are the same, hence my question.
    Am I right in saying that, providing the workstations have a trust relationship with their own domain controllers through their individual domains on separate subnets, there hopefully shouldn't be any DNS issues between the two domains and Servers?
    I could build a new VM if you feel it would be better practice to do so?
    Many thanks for your assistance,
    Nick

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs set up: VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below are the configurations on our ASA.
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per your recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!

  • ACS 5.0 having issues with different subnet AAA Clients

    Dear All,
    I am getting a weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS but those in a different subnet cannot.
    I have checked the firewall between them; it allows any any with all services.
    One more thing I have faced today is that now only one switch (10.1.2.10) can access the ACS, but the other switches in the same subnet (10.1.2.0/24) can't access the ACS, same as the previous issue.
    Following are the logs of the one switch (10.1.2.10) in a different subnet that can access the ACS:
    Working Switch with Same configuration:
    SW-A#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    User was successfully authenticated.
    SW-A#
    *Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
    *Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
    *Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
    *Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
    *Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
    SW-A#
    *Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
    *Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
    *Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
    *Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
    *Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
    *Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
    *Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Logs from the same subnet switch (10.1.2.20) which cannot access ACS:
    SW-B#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server.
    SW-B#
    *Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
    *Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
    *Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
    *Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
    SW-B#
    *Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
    *Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
    *Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    *Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
    *Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Waiting for your responses.
    Regards,
    Anser

    Ok, cool,
    So this usually means that the switch is sourcing the requests from a different interface that is configured on the ACS.
    I would guess that the ACS is reporting unknown NAS...
    Can you please use the "ip tacacs source-interface" command to make sure the switch will source the Tacacs+ packets from the interface with the IP address for which you have the ACS configured to?
    HTH,
    Tiago

  • Slow file transfer between Mac & PC Network - bad checksums?

    Howdy all. I've been having a persistent issue with transferring files from my Mac to my Win2003 server. The transfers are always much slower than they should be (compared to the PCs on the network with lesser connections), but even more puzzling, is that it will often go to 95% (or thereabouts) and then take twice as long to finish the remaining percentage as it did to transfer the vast majority of the file.
    It's all gigabit from point to point and I've swapped patch cables, router ports, etc.. with a known good performing WinXP box to see if that would make a difference, but it didn't.
    I've searched the forums and found some mention of mysteriously slow file transfers using SMB, but nothing conclusive.
    I ran a LAN monitoring util on the Mac during a xfer and below is a snippet of the results from the log. No dropped packets, but lots of bad checksums?
    Any help would be greatly appreciated.
    Thanks,
    Ed T.
    Start: 6/14/06 4:36:26 PM
    16:36:41.676157 localhost.1017 > localhost.1033: P 367145920:367145992(72) ack 93878562 win 65535 <nop,nop,timestamp 2029087960 2029087900> (DF) (ttl 64, id 56412, bad cksum 0!)
    16:36:41.676189 localhost.1033 > localhost.1017: . ack 72 win 65535 <nop,nop,timestamp 2029087960 2029087960> (DF) (ttl 64, id 56413, bad cksum 0!)
    16:36:41.676207 localhost.1033 > localhost.1017: P 1:61(60) ack 72 win 65535 <nop,nop,timestamp 2029087960 2029087960> (DF) (ttl 64, id 56414, bad cksum 0!)
    16:36:41.676224 localhost.1017 > localhost.1033: . ack 61 win 65535 <nop,nop,timestamp 2029087960 2029087960> (DF) (ttl 64, id 56415, bad cksum 0!)
    16:36:49.676576 192.168.1.111.50949 > 255.255.255.255.2222: udp 152 (ttl 64, id 2189)
    <SNIP MORE OF THE SAME>
    320 Packets Received
    0 Packets dropped.
    • Monitor Completed •

    While I have never tried it, Mac supports Firewire networking (TCP/IP over FW) and I know that some PCs do likewise. Mine does.
    That being said, it's possible to link your Mac to your PC with a FW cable (both ends must be the large type of connector) and if so, you can transfer at 400 MB/s.
    To enable FireWire networking on your Mac, in the Network preferences, at the bottom of the left pane, click the + sign and in the popup window, add Interface: Firewire.
    As I said, I have never used it but in theory it would work. It's not at all like using the Target mode, this is a "hot" FW network link that can directly connect two computers.
    IMO, it's worth a shot.

  • Can ARD 3 now share a screen across 2 different subnets

    We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
    It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
    An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version. But rather required all clients be on the same subnet.
    Does anyone know or have the ability to test to see if this is different in 3.0? I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
    Thanks,
    Greg

    Still no reply as to if this was resolved. I'm not so much worried about the move on the client side, as once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
    However, our motivation to upgrade is dependent on whether or not the ability to route traffic over multiple subnets is fixed. So we'll wait and see. If anyone can easily test this, I'd love to know. Sounds like a few other people are hoping to hear something as well.
    Thanks in advance,
    Greg

  • WRV200 IPSEC VPN to a remote site with 2 different subnets

    Hi,
    My old WRV54G had no problem with this! I'm trying to connect an IPSEC tunnel back to a router at my main office, there are two Subnets there 192.168.0.0/24 and 10.171.131.0/24. In my old router I would set up two tunnels to the same gateway with different subnets and everything would work fine.
    When I do this with the WRV200 both tunnels come up but in the view of the VPN status they both have the remote network listed as 192.168.0.0 /24 and I can't seem to get them both to work. If I delete the 192.168.0.0/24 tunnel (tunnel #A) and just use the tunnel#B I can connect to the 10 network.
    Anyone been able to get this working?

    Hi,
    Ok, so the first thing you will have to think about is the encryption domain of the existing L2L VPN. Since your aim is to publish a Web server from another site through an L2L VPN connection, you have to consider what the source addresses for the Web server connections can be.
    It might be that you would need to have the source address for the L2L VPN in DC1 as "any" and naturally on DC2 the destination would be "any".
    Though in that case it would probably cause problems if the Web server would need to use the DC2 Internet connections for something. This is because we would have now defined that traffic from the Web server to "any" destination IP address should be tunneled to the L2L VPN.
    One other option might be that you actually configure DC1 site so that all incoming traffic from the Internet towards the 111.111.111.111 will have their source address translated to a single IP address (to be decided) before entering the L2L VPN. This would eliminate the need to use the "any" in the L2L VPN configurations because the Web server would see all connections come from a single IP address and therefore would not cause problems for the DC2 Web server IF it needs to access or be accessed through the local DC2 Internet connection.
    Judging by your examples it would seem that you are using an 8.2 or older software level. Would you be willing to share some current configurations (with masked public IP addresses) or should I just give you some example configurations?
    Most important ones would naturally be current NAT configurations and configuration related to the L2L VPN connection.
    - Jouni

  • How to map two different subnets to one SSID

    Hi Experts,
    We have two offices in the same city at different locations, however we are planning to bring both offices to the same location.
    Now let's say site A has a 5508 controller configured with 24 APs with the 10.10.10.x subnet for the internal SSID, and Site B, which is shifting to the Site A campus, has a different subnet (10.10.20.x) for the same SSID.
    Site B has no controller since they had a connection with H-REAP and they were using a different subnet for the internal SSID (10.10.20.x).
    Now I need to add their APs to the Site A controller, which will be an extended wireless LAN, however we would like to keep the same subnet (10.10.20.x) that Site B has for wireless clients, which is really confusing me.
    I already have a client subnet for site A, 10.10.10.x /24, and nearly 200 users are already using this wireless client subnet.
    How do I add their (Site B) subnet, 10.10.20.x, with the same SSID configured, which is globally only one SSID?
    Limitations:
    I cannot create a new SSID for site B since the same will be broadcasting even on Site A APs.
    Is it possible to map one more subnet of site B to the existing SSID that already has a different subnet (10.10.10.x)?
    Your suggestions will be really helpful for me to go ahead and understand in a better manner.

    Well first off, you need to bring that subnet over to site A without breaking any routing. Once you do that, site B's subnet will have a different VLAN than site A, of course. Now with both subnets working in site A, you create a dynamic interface on the WLC for that new subnet. Create an AP group for both sites; you can name it by VLAN or by any name you want. Now in the AP group for site A, you define what SSIDs you want and map the VLAN to that AP group. Then add site A's APs to that group. You do this also for site B's APs: map the SSID to the new subnet you brought over and move the APs to that group. The APs from site B would have to be set up in local mode, not H-REAP.
    Makes sense

  • ACE load balancing servers on different subnets...

    Hello,
    I have the following issue.... need to load balance traffic between two servers already working in two different subnets (vlans), at this point is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? routed or bridged mode? is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
    Thanks in advance for your support.

    Hi,
    You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
    The following extract from a configuration shows the basic principle:
    rserver host master
      ip address 10.199.95.2
      inservice
    rserver host slave
      ip address 10.199.38.68
      inservice
    serverfarm host FARM-web2-Master
      description Serverfarm Master
      probe PROBE-web2
      rserver master
        inservice
    serverfarm host FARM-web2-Slave
      description Serverfarm Slave
      probe PROBE-web2
      rserver slave
        inservice
    class-map match-any L4VIPCLASS
      2 match virtual-address 10.199.80.12 tcp eq www
      3 match virtual-address 10.199.80.12 tcp eq https
    policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match LB-POLICY
      class class-default
        serverfarm FARM-web2-Master backup FARM-web2-Slave
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        loadbalance vip inservice
        loadbalance policy LB-POLICY
        loadbalance vip icmp-reply active
        loadbalance vip advertise
        nat dynamic 1 vlan 384
    service-policy input L4POLICY
    interface vlan 383
      description ACE-web2-Clientside
      ip address 10.199.80.13 255.255.255.248
      alias 10.199.80.12 255.255.255.248
      peer ip address 10.199.80.14 255.255.255.248
      access-group input ACL-IN
      access-group output PERMIT-ALL
      no shutdown
    interface vlan 384
      description ACE-web2-Serverside
      ip address 10.199.80.18 255.255.255.240
      alias 10.199.80.17 255.255.255.240
      peer ip address 10.199.80.19 255.255.255.240
      access-group input PERMIT-ALL
      access-group output PERMIT-ALL
      nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.199.80.9
    ip route 10.199.95.2 255.255.255.255 10.199.80.21
    ip route 10.199.38.68 255.255.255.255 10.199.80.21
    HTH
    Cathy

  • Rmi over ssl in jdk1.5.0

    Hi,
    I am trying to connect to a remote machine with RMI over SSL, but I got the following exceptions:
    java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
    Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
    Caused by: java.lang.IllegalArgumentException: can't support mode ECB
    I am using jdk1.5.0. I have tried many samples but I have not run them successfully; however, they were running successfully in j2sdk1.4.2.
    I also downloaded the BouncyCastle provider, but it did not work.
    Is there anybody who knows of a running sample of RMI and SSL in jdk1.5.0? Please send it to me.

    Hi!
    I know it's not exactly the right topic, but I have nearly the same problem with an HTTPS connection for a web service. I'm not using a Turkish locale; I'm using BouncyCastle and the "Unlimited Strength" policy files. I have no problems if I start my application with Eclipse, but starting it with jdk1.5.0_03\jre\bin\java or jre1.5.0_03\bin\java from the command line I get the same stack trace:
    javax.net.ssl.SSLKeyException: RSA premaster secret error
    Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
    Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
    Caused by: java.lang.IllegalArgumentException: can't support mode ECB
    If I try to get the cipher with
    Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    I get the same stack trace. With
    Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding", "BC");
    it works fine, but I have no idea how to run this code out of Axis...
    Thanks & Regards
    Helmut
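
A diagnostic for the "Cannot find any provider supporting RSA/ECB/PKCS1Padding" failure reported in the two posts above, as an added example that is not part of either post: it prints the runtime, the default locale and, for each installed provider in preference order, whether Cipher.getInstance succeeds for that transformation. The class name RsaCipherProbe is an assumption; every call is a standard JCA/JCE API.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Locale;
import javax.crypto.Cipher;

// Added diagnostic, not code from the thread: reports which installed JCE
// providers can supply the transformation named in the stack trace.
public class RsaCipherProbe {
    static final String TRANSFORMATION = "RSA/ECB/PKCS1Padding";

    // Returns "OK" or the innermost cause of the getInstance failure.
    static String probe(Provider provider) {
        try {
            if (provider == null) {
                Cipher.getInstance(TRANSFORMATION);           // default provider search
            } else {
                Cipher.getInstance(TRANSFORMATION, provider); // one specific provider
            }
            return "OK";
        } catch (Exception e) {
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return "FAILED: " + root.getClass().getName() + ": " + root.getMessage();
        }
    }

    public static void main(String[] args) {
        // Environment facts that may differ between an IDE launch and a command-line launch.
        System.out.println("java.version   = " + System.getProperty("java.version"));
        System.out.println("java.home      = " + System.getProperty("java.home"));
        System.out.println("default locale = " + Locale.getDefault());
        System.out.println("default lookup : " + probe(null));

        // Providers are consulted in this preference order.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            boolean advertisesRsa = p.getService("Cipher", "RSA") != null;
            System.out.println((i + 1) + ". " + p.getName()
                    + " advertises Cipher.RSA=" + advertisesRsa
                    + " -> " + probe(p));
        }
    }
}
```

Running it once from the IDE and once with the same java binary used on the command line shows whether the two launches see the same provider list and the same lookup result.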

  • TNS:operation timed out - on different subnets

    I am having a problem with Oracle on a company’s local network. The problem is manifested by
    TNS-12535: TNS:operation timed out
    error which happens when client repetitively makes connection to Oracle instance located on a different subnet (going via the network backbone). To illustrate this problem I wrote a simple batch file using SQLPLUS. The attached files:
    pingconnect.cmd, this command file executes a single SQL query in an infinite loop:
        @echo off
        :a
        sqlplus -S scott/tiger@oratns @seldual.sql
        goto a:
    seldual.sql - simple query that gets executed in the loop:
        select * from dual;
        exit
    sqlnet.log – error
    Fatal NI connect error 12535, connecting to:
    (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=host)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=svcname)(CID=(PROGRAM=C:\oracle\ora92\bin\SQLPLUS.EXE)(HOST=ADMITRIYLTW2K)(USER=user))))
    VERSION INFORMATION:
         TNS for 32-bit Windows: Version 9.2.0.5.0 - Production
         Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 9.2.0.5.0 - Production
    Time: 29-APR-2004 10:21:07
    Tracing not turned on.
    Tns error struct:
    nr err code: 0
    ns main err code: 12535
    TNS-12535: TNS:operation timed out
    ns secondary err code: 12560
    nt main err code: 505
    TNS-00505: Operation timed out
    nt secondary err code: 60
    nt OS err code: 0
    When I run several (for example 7) instances of pingconnect.cmd, they run for about 3-5 minutes and then fail with error TNS-12535 (see sqlnet.log). This happens with both Oracle 9i and 8i. This only happens when the client and server are located on different subnets. This is confirmed by a network engineer who worked with me while I was performing tests on various network configurations.
    I am looking for the Oracle network tuning parameters to eliminate this problem. Any suggestions?

    Is it related? I cannot say it is related with 100% certainty.
    You can conclude I had a REALLY lucky guess or there is high correlation between VM & having TNS-12535 error.
    It is your system & you are free to (ab)use it any way you choose to do so.
    We both know SQL*Net can & does work as advertised, but requires a properly configured OS & Network underneath it.

  • Windows Client Binding Failure in a different subnet - Snow Leopard Server

    hi all,
    We are running SL 10.6.6 mini mac on a subnetted domain - The svr subnet is 10.20.10.xxx
    Clients (mac & win xp) are in subnets 10.20.12.xxx & 10.20.13.xxx
    Linux firewalls separate the subnets, although for the purposes of this topic and setup I have set the default policy to accept with no drop rules prior.
    The issue is that a Win XP client cannot see the SL server. The Win XP client does a NETLOGON broadcast, i.e. (10.20.13.255 UDP 137), which does not make it to the netlogon service being advertised by the SL Server.
    If I put the Win XP client in 10.20.10.xxx (the SL Svr subnet), all works fine and the Win XP client authenticates correctly.
    Is anyone out there running a similar setup (different subnets with Win XP clients)? I'm interested in how you got the binding/auth process working.
    Some side info on the SL Svr: it's a PDC domain master which has 2 replicas attached. All instructions appear to have been followed correctly as per the 10.6 OD admin guide. I have all the Mac OS server essentials books and have been trolling through them for answers.
    I have setup SMB and configured it as per a previous thread http://discussions.apple.com/thread.jspa?threadID=2014572&tstart=0
    Any help/thoughts/ pearls of wisdom would be appreciated.
    Cheers
    Cowan

    Problem fixed. The Windows XP client did not have the WINS server IP address in its TCP/IP properties.
