SA 540 General VPN Question

Going to put down the trusty old PIX 506e and considering replacing it with a SA540. Are there any known VPN configuration 'gotchas' on the SA540 when the ISP-assigned WAN address is static PPPoE?

Hi Bob, Trust me on this one...there is no way on this earth you're ever going to see these SA540's even get within a whisper of touching the levels on a 5510 with web VPN, even if they weren't the buggy POS's that they are.
I'm going through the same pains...been on many a webinar with the SEs from Cisco talking about how great these SA540s are....but they obviously have no real experience with them. If I were you (and I might as well be, I've been in the exact same boat for a couple of months with some of my clients) I would STRONGLY advise you not to try and use the 540 as a replacement for an ASA....you and your client will be extremely pissed with the results. If your client's needs are large enough to require a 5510, nothing in the SBM space would be an adequate substitute anyway.
As an SBM Select reseller of many years, I cannot say how DEEPLY disappointed I am in Cisco right now. Between having firewalls on back order for three months, lack of taking ownership of the many problems, and just plain lying about this product, I'm beginning to question how much longer I can recommend them to my client base.
Right now the best (Cisco-based) option I could recommend is to replace the units with Cisco IOS routers for your WebVPN options. Keep in mind, Cisco has recently changed to a licensing model for WebVPN even on the IOS routers...so you'll want to check out that SKU for your quotes.

Similar Messages

  • VPN Question (match interesting traffic)

    Dear guys
    A VPN question, see the text diagram below:
    inside-------ASA-1-----CHINATELECOM------ASA-2---------CHINAUNICOM----------ASA-3------inside
                                ipsec vpn tunnel                          ipsec vpn tunnel
    We have configured interesting traffic on ASA-2 for each other on both sides.
    We can ping the ASA-2 inside network from ASA-3 and ASA-1, but why can the ASA-3 inside network not access the ASA-1 inside network?

    Hi Yun,
    Step 1: Create site-to-site VPN tunnels between ASA1 and ASA2 and between ASA2 and ASA3; however, you do NOT need a direct tunnel between ASA1 and ASA3.
    Step 2: Now include ASA3's inside network segment in the crypto ACL for the tunnel between ASA1 and ASA2, and do NOT include ASA3's and ASA1's inside network segments in the no-nat on the inside interface of ASA2.
    Step 3: Now include ASA1's inside network segment in the crypto ACL for the tunnel between ASA2 and ASA3, and do NOT include ASA1's and ASA3's inside network segments in the no-nat on the inside interface of ASA2.
    Step 4: Create a no-nat on ASA2 for the outside interface, and this no-nat must include ASA1's inside network segment and ASA3's inside network segment. See the example below.
    This is only an example; change it to fit your network segments.
    object-group network ASA1-inside
      network-object 192.168.100.0 255.255.255.0
    object-group network ASA3-inside
      network-object 192.168.200.0 255.255.255.0
    access-list nonat-outside extended permit ip object-group ASA1-inside object-group ASA3-inside
    access-list nonat-outside extended permit ip object-group ASA3-inside object-group ASA1-inside
    nat (outside) 0 access-list nonat-outside
    Please let me know how this is coming along.
    thanks
    Rizwan Rafeek

  • General Dreamweaver question

    Hello Dreamweavers.
    I'm a newbie going to use Dreamweaver from next week and beyond, so I'd like to ask the following:
    Should I design the website in Photoshop and then import it into Dreamweaver in order to code it?
    Is Dreamweaver flexible from a design point of view, or is it mostly for taking finished designs such as headers, footers and Flash banners, and then building up the site where things go and such?
    Thank you.

    Hello Nancy.
    Seems like an informative website; I can see it is easy to understand the basics.
    On 23 March 2012 4:29 AM, user Nancy O. <[email protected]> wrote:

  • ASA VPN QUESTION

    Hi All
    The question is pretty simple. I can successfully connect to my ASA 5505 firewall via the 64-bit Cisco VPN client, and I can ping any IP address on the LAN behind the ASA, but none of the LAN computers can see or ping the IP address which is assigned to my VPN client from the ASA VPN pool.
    The LAN behind the ASA is 192.168.0.0 and the VPN pool for the Cisco VPN client is 192.168.30.0.
    I would appreciate some help, please.
    Here is the config:
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password J7NxNd4NtVydfOsB encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.0.11 EXCHANGE
    name x.x.x.x WAN
    name 192.168.30.0 VPN_POOL2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address WAN 255.255.255.252
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list nk-acl extended permit tcp any interface outside eq smtp
    access-list nk-acl extended permit tcp any interface outside eq https
    access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list VPN_NAT outside
    static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group nk-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    snmp-server host inside 192.168.0.16 community public
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd dns 217.27.32.196
    dhcpd address 192.168.0.100-192.168.0.200 inside
    dhcpd dns 192.168.0.10 interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy customerVPN internal
    group-policy customerVPN attributes
    dns-server value 192.168.0.10
    vpn-tunnel-protocol IPSec
    password-storage enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value customerVPN_splitTunnelAcl
    default-domain value customer.local
    username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
    username xxx attributes
    vpn-group-policy TUNNEL1
    username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
    username xxx attributes
    vpn-group-policy PAPAGROUP
    username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
    username xxx attributes
    vpn-group-policy customerVPN
    username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
    tunnel-group customerVPN type ipsec-ra
    tunnel-group customerVPN general-attributes
    address-pool VPN_POOL2
    default-group-policy customerVPN
    tunnel-group customerVPN ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
    : end
    ciscoasa#                           

    Well, lots of new features have been hinted at for ASA 9.2, but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
    Site-to-site VPN in multiple context mode was added in 9.0(1), and I have customers who have been asking for the remote access features as well.
    I will remember to ask about that at Cisco Live next month.

  • Some Site to Site VPN questions

    When you have an ASA-to-ASA site-to-site VPN, you do have to configure the routes you want to traverse the tunnel in the routing table with a gateway of the device on the other side, correct?
    Also, does each side have to match the exact subnets within the crypto domain? For instance, if I have defined two subnets, 10.10.10.0/24 and 10.100.100.0/24, the other side should have those exact subnets, not just a 10.0.0.0/8, correct? If that makes sense?

    Hi,
    When we consider routing and L2L VPN connections, we can generally presume that they are built through the interface which has the default route. We can also presume that you are not configuring a L2L VPN for a remote network that overlaps with your LAN networks. Considering both of the mentioned things, we can determine that naturally any network that is not in your local network will follow the default route when the ASA is making the decision about where to forward the traffic.
    So generally you won't need to manually configure any additional routes on the ASA for any remote VPN networks. VPN Client connections add routes automatically for the VPN pool IP that is assigned to the VPN Client user. On L2L VPN connections you can configure the ASA to add the routes based on the L2L VPN connection's ACL that tells the local and remote networks. In this case you will have to add the following configuration for a given L2L VPN connection:
    crypto map set reverse-route
    This will add a route to the ASA's routing table, though this won't show in the "route" configurations on the ASA.
    With regards to your questions about the local/remote subnets, I actually have to say that I am not 100% sure. To my understanding your ACL can have lines/rules that don't match the other side, but the ACL does have to have matching local/remote subnets. Any extra lines in the ACL to my understanding don't matter, just that there is a match between the VPN peers.
    I have personally never had the need to make very broad local/remote network definitions for the L2L VPN. I have always been for being as specific as I can be. Naturally a very large environment might dictate following another approach, but I have not run into anything like that myself.
    - Jouni
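    A quick way to check the matching Jouni describes, as an added example that is not from this thread: the Python script below parses each peer's crypto ACL and reports entries that have no exact mirror image on the other side. The sample ACLs are constructed around the 10.10.10.0/24 and 10.100.100.0/24 subnets from the question; the ACL names and the 192.168.50.0/24 remote network are assumptions.

```python
"""Compare two ASA peers' crypto ACLs for mirror-image entries.

Added example, not from the thread: each 'access-list NAME extended permit ip
SRC MASK DST MASK' line is read as (local, remote); an entry on one peer
should appear as (remote, local) on the other.  Entries without an exact
mirror are reported.  The sample ACLs are constructed; the ACL names and the
192.168.50.0/24 remote network are assumptions.
"""
import ipaddress
import re

IP = r"\d+\.\d+\.\d+\.\d+"
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    rf"(?P<src>{IP})\s+(?P<smask>{IP})\s+(?P<dst>{IP})\s+(?P<dmask>{IP})\s*$"
)


def parse_crypto_acl(config_text, acl_name):
    """Return the set of (local_net, remote_net) pairs found in acl_name."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        # ipaddress accepts 'addr/netmask'; strict=False tolerates host bits set
        local = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        remote = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        pairs.add((local, remote))
    return pairs


def unmirrored(side_a, side_b):
    """Entries of side_a whose exact mirror (remote, local) is missing on side_b."""
    mirrors_of_b = {(remote, local) for local, remote in side_b}
    return sorted(side_a - mirrors_of_b, key=lambda p: (str(p[0]), str(p[1])))


def check_mirror(config_a, acl_a, config_b, acl_b):
    """Report crypto ACL entries present on only one peer, as 'local -> remote'.

    An entry that appears on one side only means that peer proposes a proxy
    identity the other side never lists, which is exactly the 10.0.0.0/8 case
    raised in the question."""
    a = parse_crypto_acl(config_a, acl_a)
    b = parse_crypto_acl(config_b, acl_b)
    return {
        "only_on_a": [f"{l} -> {r}" for l, r in unmirrored(a, b)],
        "only_on_b": [f"{l} -> {r}" for l, r in unmirrored(b, a)],
    }


# Constructed sample: peer A lists its two LAN subnets exactly.
PEER_A = """\
access-list VPN_TO_B extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN_TO_B extended permit ip 10.100.100.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

# Constructed sample: peer B summarises A's networks as 10.0.0.0/8 (no exact mirror).
PEER_B_BROAD = """\
access-list VPN_TO_A extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
"""

# Constructed sample: peer B mirrors A entry for entry.
PEER_B_EXACT = """\
access-list VPN_TO_A extended permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN_TO_A extended permit ip 192.168.50.0 255.255.255.0 10.100.100.0 255.255.255.0
"""

if __name__ == "__main__":
    print("broad peer B:", check_mirror(PEER_A, "VPN_TO_B", PEER_B_BROAD, "VPN_TO_A"))
    print("exact peer B:", check_mirror(PEER_A, "VPN_TO_B", PEER_B_EXACT, "VPN_TO_A"))
```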

  • ASA 5520 site-to-site VPN question

    Hello,
    We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec site-to-site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on, the tunnel is established, and data is transferred back and forth.
    The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
    After doing some research, I came across this command:
    sysopt connection permit-vpn
    I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see if it resolves the problem.
    Thanks,
    John

    What are your configs and network diagrams at each location? What are you doing for DNS? I can help quicker with that info. Also, here are some basic site-to-site VPN examples if it helps.
    hostname cisco
    domain-name cisco.com
    enable password XXXXXXXX encrypted
    passwd XXXXXXXXXXX encrypted
    names
    dns-guard
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.0.0.2 255.255.255.0
    interface Ethernet0/2
    nameif backup
    security-level 0
    no ip address
    interface Ethernet0/3
    nameif outsidetwo
    security-level 0
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.com
    same-security-traffic permit intra-interface
    access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
    access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
    access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
    access-list split standard permit 10.0.0.0 255.255.255.0
    access-list split standard permit 10.90.238.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffer-size 1048576
    logging buffered errors
    logging trap notifications
    logging asdm informational
    logging class vpn buffered debugging
    mtu outside 1500
    mtu inside 1500
    mtu backup 1500
    mtu outsidetwo 1500
    mtu management 1500
    ip local pool vpnpool 10.0.10.100-10.0.10.200
    ip audit name Inbound-Attack attack action alarm drop
    ip audit name Inbound-Info info action alarm
    ip audit interface outside Inbound-Info
    ip audit interface outside Inbound-Attack
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
    crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address XXX
    crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
    crypto map outside_map 1 set transform-set myset
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address XXX2
    crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
    crypto map outside_map 2 set transform-set myset
    crypto map outside_map 2 set security-association lifetime seconds 28800
    crypto map outside_map 2 set security-association lifetime kilobytes 4608000
    crypto map outside_map 3 match address XXX3
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
    crypto map outside_map 3 set transform-set myset
    crypto map outside_map 3 set security-association lifetime seconds 28800
    crypto map outside_map 3 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy XXXgroup internal
    group-policy XXXgroup attributes
    dns-server value XXX.XXX.XXX.XXX
    vpn-idle-timeout 30
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    default-domain value domain.local
    username XXX24 password XXXX encrypted privilege 15
    username admin password XXXX encrypted
    tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
    tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
    pre-shared-key XXXXXXXXXX
    tunnel-group XXXgroup type remote-access
    tunnel-group XXXgroup general-attributes
    address-pool vpnpool
    default-group-policy rccgroup
    tunnel-group XXXgroup ipsec-attributes
    pre-shared-key XXXXXXXXXX
    isakmp ikev1-user-authentication none
    tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
    tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
    pre-shared-key XXXXXXXXXX
    tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
    tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
    pre-shared-key XXXXXXXXXX
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily

  • Dual ISP on ASA VPN question.

    Hi all.
    My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP on the ASA 5520?
    Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online at the backup ISP?
    Config:
    crypto isakmp enable outside
    crypto isakmp enable backup
    tunnel-group 200.200.2.1 type ipsec-l2l
    tunnel-group 200.200.2.1 ipsec-attributes
    pre-shared-key CISCO
    tunnel-group 200.200.1.1 type ipsec-l2l
    tunnel-group 200.200.1.1 ipsec-attributes
    pre-shared-key CISCO
    crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
    crypto map VPN 10 match address VLAN121_TO_VLAN23
    crypto map VPN 10 set peer 200.200.1.1
    crypto map VPN 10 set transform-set 3DES_MD5
    crypto map VPN 20 match address VLAN121_TO_VLAN23
    crypto map VPN 20 set peer 200.200.2.1
    crypto map VPN 20 set transform-set 3DES_MD5
    ! Apply crypto-map and enable VPN traffic to bypass ACLs
    crypto map VPN interface outside
    crypto map VPN interface backup
    sysopt connection permit-vpn
    Thank you.

    We are not able to make a loopback on the ASA.
    The routing with SLA is working fine; the problem is when the local network goes to the remote network it always tries to get to the first tunnel, which was set up for the first ISP's IP address.

  • Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet

    Dear community,
    Quite frequently I am now receiving the following error message in my ASA 5502's log:
    Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    The VPN clients (in the last case: a Linux vpnc) disconnect with the message
       vpnc[7736]: connection terminated by dead peer detection
    The ASA reports for that <some_ip> at around the same time:
    Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested    
    A Google search did not reveal any explanation of the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message, so my questions would be:
       1) What does the message exactly mean? I know runts as an L2 problem, so I'd suppose it means the same: the ISAKMP packet is somehow crippled (I'd suppose this happens during rekeying)?
       2) Any idea where to look for the cause of this?
              WAN related (however, I'd assume not; why does this happen in these regular time frames as shown above)?
              SW related (vpnc bug)?
    Thanks in advance for any pointer...
    Joachim

    Yes. You need to eliminate the things I've said to eliminate with the other side. Ensure your configs are matching exactly. They probably are, whatever, just make sure of it because it's easy. You both need to run packet captures on your interfaces, both in and out, to even begin to have an idea of where to look.
    The more info you can have just one person responsible for, the better. What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
    If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
    If you're seeing them come in his interface and never come back out, you know where to look.
    Set your caps to a single host to single host if need be, and generate traffic accordingly.
    You need to narrow down where NOT to look so that you know where TO look. I would say then, and only then, do you get the ISP involved, once you're sure the problem exists between his edge device and your edge device.
    I do exactly this for a living on a daily basis...day after day after day. I'm responsible for over 200 IPsec s2s connections and thousands of SSL VPN sessions. I always start the exact same way...from the very bottom.
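    Added example, not from this thread: a Python correlation of the two ASA message types Joachim quotes, counting 713903 runt-packet discards from the same peer IP in the minute before each 113019 session disconnect and reporting how regularly they arrived, which is the first thing to establish before blaming the WAN or the client. The log lines are constructed after the ones in the question; the host name, IP addresses, the second user and the year (ASA syslog omits it) are assumptions.

```python
"""Correlate %ASA-4-713903 runt-ISAKMP discards with %ASA-4-113019 disconnects.

Added example, not from the thread: for every session disconnect it counts the
runt packets the ASA discarded from the same peer IP during the preceding
window and reports the median spacing between them.  The log lines below are
constructed; host name, addresses, the second user and the year are assumed.
"""
import re
from datetime import datetime, timedelta
from statistics import median

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
IP = r"\d+\.\d+\.\d+\.\d+"
RUNT_RE = re.compile(
    TS + r" \S+ %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port "
    rf"(?P<port>\d+) from (?P<ip>{IP}):(?P<sport>\d+)\s*$"
)
DISC_RE = re.compile(
    TS + r" \S+ %ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    rf"IP = (?P<ip>{IP}), Session disconnected\..*Reason: (?P<reason>.+?)\s*$"
)

ASSUMED_YEAR = 2012  # ASA syslog timestamps carry no year


def parse_ts(text):
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_events(lines):
    """Split log lines into runt-packet events and session-disconnect events."""
    runts, disconnects = [], []
    for line in lines:
        m = RUNT_RE.match(line)
        if m:
            runts.append({"ts": parse_ts(m["ts"]), "ip": m["ip"], "port": int(m["port"])})
            continue
        m = DISC_RE.match(line)
        if m:
            disconnects.append({"ts": parse_ts(m["ts"]), "ip": m["ip"],
                                "user": m["user"], "reason": m["reason"]})
    return runts, disconnects


def correlate(lines, window=timedelta(seconds=60)):
    """For each disconnect: number of runts from the same IP inside the window
    before it, and the median gap between those runts (None if fewer than two).
    A steady gap points at a periodic sender (e.g. keepalive/DPD cadence)
    rather than random WAN damage."""
    runts, disconnects = parse_events(lines)
    findings = []
    for d in disconnects:
        prior = sorted(r["ts"] for r in runts
                       if r["ip"] == d["ip"] and d["ts"] - window <= r["ts"] <= d["ts"])
        gaps = [(b - a).total_seconds() for a, b in zip(prior, prior[1:])]
        findings.append({
            "user": d["user"], "ip": d["ip"], "reason": d["reason"],
            "runts_before": len(prior),
            "median_gap_s": median(gaps) if gaps else None,
        })
    return findings


# Constructed sample log modelled on the question; addresses are documentation ranges.
SAMPLE_LOG = [
    "Oct 17 12:51:40 myASA %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 192.0.2.9:4500",
    "Oct 17 12:52:17 myASA %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.45:4500",
    "Oct 17 12:52:22 myASA %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.45:4500",
    "Oct 17 12:52:27 myASA %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.45:4500",
    "Oct 17 12:52:32 myASA %ASA-4-113019: Group = blah, Username = johndoe, IP = 203.0.113.45, "
    "Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, "
    "Bytes rcv: 23386708, Reason: User Requested",
    "Oct 17 13:05:01 myASA %ASA-4-113019: Group = blah, Username = alice, IP = 198.51.100.7, "
    "Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:35m:02s, Bytes xmt: 1024, "
    "Bytes rcv: 2048, Reason: Idle Timeout",
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

    Feed it the ASA log (one line per list element) and look for disconnects with several evenly spaced runts just before them; a disconnect with none is a different problem.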

  • A few general agent questions

    We've been asked some general questions by our agents that I have been unable to find answers for (although 4 and 5 are likely working as designed). We are running IPCC Express 7.0(1)SR05_Build504 and these are all phone agents. We do not run the agent desktop client. Any assistance in answering these questions would be greatly appreciated.
    1. TransfertoVM softkey "grayed out" while on a CSQ call. Can it be enabled?
    2. While logged in to CSQ, is there a way to start dialing prior to lifting the receiver?
    3. Is it possible to handle more than one CSQ call at a time, e.g. put a call on hold and answer another CSQ call?
    4. Upon selecting Agent Login (single-button login), can the agent automatically be put into Ready?
    5. Upon Logout, can the phone be returned to the main screen, rather than getting the manual agent login screen?
    Again, any assistance in answering these questions would be greatly appreciated.
    Thanks,
    Roger

    Hi
    1) Isn't that an IPMA softkey? Never tried it, but whilst it's not in the 'unsupported' list, I wouldn't expect using any IPMA features in conjunction with CAD would get you good results. If it doesn't cause you stuck/ghost calls, I would expect erroneous reports...
    2) Being logged into a CSQ doesn't affect the way the phone works.
    - You can dial the number then either lift the handset or hit dial (for speakerphone)
    - You can press speakerphone or headset then dial
    I guess what you are referring to is if you are using the IP Phone Agent in conjunction with a headset? If you are, then the IPPA usually obscures the 'new call' and 'end call' softkeys that you might use if you leave the headset button lit. I guess this isn't the case, as you refer to lifting the receiver? Unless you have motorized lifters... If that's what you have, you can try getting users to either:
    - Manage their onhook/offhook state using the headset key as if it was the speakerphone key (i.e. press it to hang up or pickup)
    - Use a headset/phone combination that supports HHC
    - Switch to CAD, or CAD-BE if you can't install PC software for some reason.
    3) No. The system is designed specifically so that this should never happen.
    4) No.
    5) Again, no... you can't customize the BIPPA service... If you use CAD or CAD-BE this wouldn't be an issue.
    Regards
    Aaron
    Please rate helpful posts...

  • Workflow and General Use Questions

    Hello,
    I'll apologize right off the bat for these novice questions, because I'm sure the information is probably somewhere in the forum; I just haven't been able to find it. I just purchased Aperture after completing the demo, as my library is getting too large to manage using standard file folders. I'm now trying to figure out the best practices for workflow and general use before I invest some serious time into importing and keywording all my pictures.
    1) Store files in their current location, or in the Aperture Library? It seems to me that once they are moved to the Aperture library, you can only access them from within Aperture. I'm thinking I would be better off leaving them in their current location. For one, if I want to quickly grab a picture as an attachment to an email or something, it seems easier to grab it from the standard folders. Second (and more important), I do not have room to keep all my pictures on my MacBook, thus most of them are stored on the Time Capsule.
    So... Keeping photos in their current location appears to be the best choice for me even though it adds an additional step every time I bring in new photos from my camera. Does this sound right?
    2) Is there a way to mark the photos that I have uploaded to my website (Smugmug)? Ideally, I would like to badge photos that have already been uploaded so I can quickly recognize them and ensure I'm not duplicating. I've considered using the rating, or keywords to indicate that a photo has been uploaded but both methods have disadvantages.
    3) Any suggestions for general workflow and organization resources (tutorials, books, websites, etc.)? I've looked at the videos on Apple's site but they obviously didn't get that detailed.
    Thanks for the help, sorry for the length.

    I recommend managing by reference with Master image files stored on external hard drives (note that Aperture defaults to a Managed-Library configuration rather than a Referenced-Masters Library). Especially important for iMacs and laptops with a single internal drive. The workflow as described below in an earlier post of mine uses a Referenced-Masters Library.
    I feel pretty strongly that card-to-Aperture or camera-to-Aperture handling of original images puts originals at unnecessary risk. I suggest this workflow, first using the Finder (not Aperture) to copy images from CF card to computer hard drive:
    • Remove the memory card from the camera and insert it into a memory card reader. Faster readers and faster cards are preferable.
    • Finder-copy images from memory card to a labeled folder on the intended permanent Masters location hard drive.
    • Eject memory card.
    • Burn backup hard drive or DVD copies of the original images (optional but strongly recommended backup step).
    • Eject backup hard drive(s) or DVDs.
    • From within Aperture, import images from the hard drive folder into Aperture selecting "Store files in their current location." This is called "referenced images." During import is the best time to also add keywords, but that is another discussion.
    • Review pix for completeness (e.g. a 500-pic shoot has 500 valid images showing in Aperture).
    • Reformat memory card in camera, and archive originals off site on hard drives and/or on DVDs.
    Note that the "eject" steps above are important in order to avoid mistakenly working on removable media/backups.
    Also note with a Referenced-Masters Library that use of the "Vault" backup routine backs up the Library only, not the Masters. Masters should be separately backed up, IMO a good thing from a workflow and data security standpoint.
    Max out RAM in your MB and keep the internal drive less than 70% full.
    Good luck!
    -Allen Wicks

  • General BADi question: Call BADi in background job/batch input. Possible?

    Hi out there,
    I'm using the following BADi: /SAPSLL/CTRL_SD0C_R3 (Global Trade Service).
    But also, this question is a general question.
    If we are calling on screen the transaction VF01, the BADi is called correctly.
    But unfortunately it seems that the BADi is NOT called (I'm not really sure, because I can't debug the background task) when we are calling a batch input sequence with e.g. FORM bdc_transaction VF01; nothing happens.
    Maybe BADi cannot be called in a background task? If it's possible, how could it be monitored? There is no spool entry or anything like that!
    Any answer can help.
    Thank you in advance!
    Regards,
    Timo
    Edited by: Timo Ehl on Apr 14, 2009 7:27 PM

    Hi,
    generally BADIs are called in background mode. You can use the following trick to debug your BADI. You just need to create an infinite loop in your BADI implementation. Something like this.
    DATA: l_a TYPE c.
    WHILE l_a IS INITIAL.
    ENDWHILE.
    Obviously when your BADI is called in background mode then the program will get into the infinite loop. You can easily connect and debug running programs from transaction SM50. You need to select your background process and go to Program/Session -> Program -> Debugging. You will jump directly into your BADI method with the infinite loop. Then you just set a value for l_a and you will start debugging your BADI. If you cannot find any process then your BADI is not called in background mode.
    Cheers

  • A general OOP question

    Hi
    I have a general OOP design question, and am wondering if someone could relate an answer to the following design?
    I have a class called MediaFolderImport(); - it's designed to build a window with various editing tools in it.
    Within its constructor, I'm calling a bunch of functions to build the window...
       createTitle();
       createInstructions();
       createToolPanel();
       createDataGrid ();
       createOpen();
       createSave();
    In my document class, I instantiate it...
    public var File_Folder_Import:MediaFolderImport=new MediaFolderImport();
    and then...
    addChild(File_Folder_Import);
    Voila! - the window appears. I WAS very proud of myself.
    Now I want to access something inside the window.  Specifically, there's a radio button that was created in createToolPanel(); - I want to update it to be selected or not selected when I receive the user's preference from an xml settings file at start up (xml is loaded into the doc class).
    General question:
    What is the best practice, smart way to have designed this?
    - call createToolPanel(); from the doc class instead of within MediaFolderImport();, and somehow (magically) have access to the radio button?
    - leave the design as is, but add some sort of listener within MediaFolderImport that listens for changes to the xml in the doc class, and updates accordingly?
    - do it the way I'm trying to, ie try to access the radio button directly from the doc class (which isn't working):
    File_Folder_Import.myRadioButton.selected = true;
    - a better way someone can briefly explain the concept of?
    Another way to explain my design is...
    - a bunch of different windows, each created by a different class
    - xml file loads preferences, which need to be applied to different tools (radio buttons, check boxes, text fields etc) in the different windows
    I read a lot of posts that talk about how public vars are mostly bad practice.  So if you are making your class vars private, what is the best way to do the kind of inter-class communicating I'm talking about here?
    I think someone throwing light on this will help me solidify my understanding of OOP.
    Thank you for your time and help.

    You're already very used to using properties for the built-in AS classes and that's the best practice means of configuring your class. It's a "state" that you want to simply expose. The get/set method moccamaximum mentioned is the ideal route.
    The main reason you want to use get/set functions is validation. You want your class to act properly if you send an invalid value. Especially if anyone else besides yourself is going to use the class. Plan for the worst.
    The general concept is, make a private variable for any 'state' you want to remember using an underscore in the variable name to easily identify it as a private var, then make get/set functions with the same name with any required validation without the underscore.
    e.g.
    package
    {
         public class MyClass
         {
              // property called 'mode' to track something with an int;
              // the underscore marks it as the private backing variable
              private var _mode:int = 0;
              public function MyClass() {} // empty constructor
              // get (type enforced) - return the backing var, not the getter itself (that would recurse)
              public function get mode():int { return _mode; }
              // set, requiring a value - must carry the same name as the getter
              public function set mode(modeVal:int):void
              {
                   // if no value is sent, ignore
                   if (!modeVal) { return; }
                   _mode = modeVal;
              }
         }
    }
    Your validation will go a long way to easily debugging your classes as they grow in size. Eventually they should throw exceptions and errors if they're not valid. Then you will be best practice. Do note that if your validation requires quite a bit of logic it's common to upgrade the property to a public method. get/set should be reserved for simple properties.

  • General Eclipse Question (Not a NetBeans vs Eclipse Thread!)

    I am going to play around with Vaadin, and I am going to use Eclipse and the Vaadin plugin for this play.
    In reading the Book of Vaadin, the author actually recommends downloading Eclipse, unZIPping it, and running it from that unZIPped archive instead of "installing" it. The author mentions more control and less aggravation in the long run.
    Now, I don't use Eclipse much at all (I use NetBeans usually). What I have done in the past with BOTH NetBeans and Eclipse is:
    1) Install from repo, run as my account for work, run as root to do updates and install plugins.
    2) Install from repo, run as my account for work AND plugin installs/updates.
    I prefer #2 as it's less of an issue to just "blow away" all the plugins and start again if I need to.
    My bottom-line question is: "Does running Eclipse from my 'local' /home/xxx without actually 'installing' it really make that much difference compared to #2 above?"
    I'm hoping someone that has more experience with this can render an opinion. Also, if any of you have experience with Vaadin, do you have any tips for a noob?!?

    One consideration with running Eclipse from a local unzipped install is being able to create multiple instances, with a different mix of plugins. I keep three core versions going for Java, Python, and Android development. I've found some plugins do not always play well with others in Eclipse. At least that was my experience with Ganymede and Helios. My Java instance is loaded up with a bunch of enterprise junk, like JBoss Drools and Spring plugins, so it can sometimes get bogged down at start up when connecting to remote resources over VPN.
    I've found that limiting the number of plugins I keep in any instance I use is helpful in keeping it stable. Note that you'll also need separate workspaces for each instance. Also, to keep your sanity, tarball a backup before installing or updating any plugins. Probably not for everyone, but it works for me.

  • Best Font for Subtitles? and other General Subtitling questions?

    I've never had to use subtitles, until my current project, so I am looking for some general advice and suggestions.
    I will be using PPCS3 (on XPpro) as the subtitles (as in the kind that translate a foreign language) will be permanent.
    So here are my questions:
    1. What is the best font and or what is the most standard font for subtitles? (Font size and other characteristics may be worth mentioning here too.)
    2. Is it possible to have an outline around the text as opposed to shadow?
    3. What are some general rules of thumb for subtitles that apply to broadcast and cinematic productions?
    Thank you.

    See also:
    FAQ: Why are my titles blurry/wrong?
    Cheers
    Eddie
    PremiereProPedia (RSS feed)
    - Over 300 frequently answered questions
    - Over 250 free tutorials
    - Maintained by editors like you
    Forum FAQ

  • Writing games for US wireless carriers - general newbie question

    I am a newbie to kvm and j2me so excuse me if these questions are very basic or if I'm asking the wrong questions.
    I have been asked to quickly research writing games in java for US wireless carriers. Ideally I'd like to pick a carrier (e.g. Verizonwireless) and find out more about writing for them. How should I go about researching this?
    My research so far has found:
    General j2me info:
    I did some initial searching in the forum and found that the following link will give me a basic guide to j2me:
    http://access1.sun.com/SRDs/access1_srds.html.
    If I look at the documentation for -
    - Java 2 Micro Edition (J2ME)
    - Mobile Information Device Profile 1.0.1 (MIDP)
    Is this still the best place to look at online?
    Specific wireless carrier info:
    I had no luck finding where I should look for information on specific wireless carriers. Any suggestions? Also am I approaching this the right way or should I be looking at the specific java enabled mobile phones rather than the wireless carrier? Or is it a combination of the two?
    Thanks for any help.

    If the games are going to be networked then you should find out what type of network the carrier has (TDMA, CDMA, GSM with or without GPRS, etc., what bandwidths.... WAP or I-Mode). Regardless, you should also be concerned with what phones are available on the carrier and what their Java support is.
    shmoove
