Site2Site Tunnel issue IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Hi,
I have a slight issue I'm having some problems resolving..
The scenario is as follows;
I have an external provider which connects to me via VPN to a Juniper SSG firewall, that works fine.
I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPSec via Internet to reach it.
That also works fine and I have multiple SA's running on that site with no issues or problems.
The external provider has a small network device deployed on the external site which monitors cooling values in one of our warehouses.
The external site, which is connected via IPsec, has a Cisco 1921 and numerous Cisco 3550s deployed.
The VLAN for the cooling provider is vlan 150 and is setup with 10.150.4.0/24 where .1 is the def gw and .10 is the cooling monitor device.
The external provider's servers are located within 192.168.220.0/24 subnet.
As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services, ping, telnet whatnot, but we are unable to ping the cooling device from 192.168.220.0/24.
However from the Cisco 1921, we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10
So basically it seems to be the last bit, when the traffic goes through the 1921 and to the switch, where it fails, and I can't for the life of me figure out why.
Network diagram attached.. any ideas?
This is the 1921 config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname bergen-vpn-gw
boot-start-marker
boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
boot-end-marker
logging buffered 50000
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
no ipv6 cef
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name xxxxx
multilink bundle-name authenticated
license udi pid CISCO1921/K9 sn FCZ1508C1P4
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
vtp mode client
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key harakiri address 1.2.3.4
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set 3DES-SHA
match address VPN
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
interface GigabitEthernet0/0.99
description *** Test VLAN To be removed ***
encapsulation dot1Q 99
ip address 10.90.90.1 255.255.255.0
no ip route-cache
interface GigabitEthernet0/0.112
encapsulation dot1Q 112
ip address 192.168.112.1 255.255.255.0
ip helper-address 172.30.1.223
no ip route-cache
interface GigabitEthernet0/0.150
encapsulation dot1Q 150
ip address 10.150.4.1 255.255.255.0
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.178
encapsulation dot1Q 178
ip address 192.168.178.1 255.255.255.0
ip helper-address 172.30.1.223
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.999
encapsulation dot1Q 999
no ip route-cache
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.252
no ip redirects
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map VPN
interface FastEthernet0/0/0
switchport access vlan 99
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 85.200.203.29
ip access-list extended VPN
permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
ip sla 1
icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 1 start-time now
ip sla 2
icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 2 start-time now
ip sla 3
icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 3 start-time now
ip sla 4
icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 4 start-time now
ip sla 5
icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 5 start-time now
ip sla 6
icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 6 start-time now
cdp source-interface GigabitEthernet0/0.112
snmp-server community bamacomro RO
snmp-server community bamacomrw RW
control-plane
banner motd ^CCC-----------------------------------------------------------------------------
This system is solely for the use of authorised users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all their activities monitored and recorded by system personell.
Use of this system evidence an express consent to such monitoring and
agreement that if such monitoring reveals evidence of possible abuse or
criminal activity, system personell may provide the result of such
monitoring to appropiate officials.
-----------------------------------------------------------------------------^C
line con 0
exec-timeout 5 0
logging synchronous
line aux 0
line vty 0 4
access-class telnet in
exec-timeout 180 0
logging synchronous
transport input telnet ssh
line vty 5 15
access-class telnet in
exec-timeout 180 0
password 7 094F471A1A0A
logging synchronous
transport input telnet ssh
scheduler allocate 20000 1000
end

I had that issue 1 year ago.
"decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the negotiated proxy ID.
Juniper is violating RFC4301. There is nothing we can do against an RFC violation.
As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
the SPD (or associated caches) MUST be consulted during the
processing of all traffic that crosses the IPsec protection boundary,
including IPsec management traffic.  If no policy is found in the SPD
that matches a packet (for either inbound or outbound traffic), the
packet MUST be discarded.
I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
Cheers,
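
What the check described in this reply amounts to, as an added example (not part of the original thread and not Cisco's implementation): a small Python model that turns crypto-ACL entries from the posted configs into proxy IDs and tests a decrypted packet's inner addresses against the SA that carried it. The SPI values and test packets are constructed, and only `permit ip` entries with contiguous wildcards are handled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    """Traffic selectors of one IPsec SA pair, seen from the local router."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def _take_net(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(first_host := tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # Invert the Cisco wildcard into a netmask; a non-contiguous wildcard
    # raises ValueError because it cannot be expressed as a prefix.
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def parse_crypto_acl(text):
    """Return one ProxyId per 'permit ip' entry (ACL source = local side)."""
    ids = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        tokens = tokens[tokens.index("permit") + 1:]
        if tokens.pop(0) != "ip":
            continue  # protocol/port selectors are out of scope here
        local = _take_net(tokens)
        remote = _take_net(tokens)  # trailing keywords such as 'log' are ignored
        ids.append(ProxyId(local, remote))
    return ids


def build_sas(ids, first_spi=0x1001):
    """Assign constructed inbound SPIs, one per negotiated proxy ID."""
    return {first_spi + i: pid for i, pid in enumerate(ids)}


def matches_inbound(sa, inner_src, inner_dst):
    """Inner source must sit in the remote ident, inner destination in the local ident."""
    return (ipaddress.ip_address(inner_src) in sa.remote
            and ipaddress.ip_address(inner_dst) in sa.local)


def check_decrypted(sas, spi, inner_src, inner_dst):
    """Model the post-decryption selector check for the SA that carried the packet."""
    if matches_inbound(sas[spi], inner_src, inner_dst):
        return "accept"
    # Diagnosis aid: which negotiated SA, if any, should have carried this flow?
    belongs = [hex(s) for s, other in sas.items()
               if matches_inbound(other, inner_src, inner_dst)]
    hint = (f"flow belongs to SA {', '.join(belongs)}" if belongs
            else "no negotiated SA covers this flow")
    return f"drop: failed SA identity check ({hint})"


# Three entries copied from the VPN access list in the question.
PAGE_ACL = """\
ip access-list extended VPN
 permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
 permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
 permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
"""


def demo():
    """Run three constructed packets through the model and return the verdicts."""
    sas = build_sas(parse_crypto_acl(PAGE_ACL))
    return [
        # Correct SA for the cooling-monitor flow.
        check_decrypted(sas, 0x1003, "192.168.220.182", "10.150.4.10"),
        # Same flow, but the peer encrypted it under a different SA.
        check_decrypted(sas, 0x1001, "192.168.220.182", "10.150.4.10"),
        # Flow that no negotiated proxy ID covers.
        check_decrypted(sas, 0x1003, "192.168.220.182", "192.168.178.20"),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

On a real router the identities to compare against are the `local ident` / `remote ident` lines of `show crypto ipsec sa`, as shown in the output further down this page.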

Similar Messages

  • Getting "IPSEC(epa_des_crypt): decrypted packet failed SA identity check" messages on packets from only one of two far-end sources sharing the same tunnel, the other source works fine. What exactly does this error mean?

    One computer at COMPANY-A is attempting to communicate with two
    computers located at COMPANY-B, via an IPsec tunnel between the
    two companies.
    All communications are via TCP protocol.
    All devices present public IP addresses to one another, although they
    may have RFC 1918 addresses on other interfaces, and NAT may be in use
    on the COMPANY-B side.  (NAT is not being used on the COMPANY-A side.)
    The players:(Note: first three octets have been changed for security reasons)
    COMPANY-A computer      1.2.3.161
    COMPANY-A router        1.2.3.8 (also IPsec peer)
    COMPANY-A has 1.2.3.0/24 with no subnetting.
    COMPANY-B router        4.5.6.228 (also IPsec peer)
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    COMPANY-B has 4.5.6.0/23 subnetted in various ways.
    COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
    What works:
    The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
    tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
    The "show crypto session detail" command shows Inbound/Outbound packets
    flowing in the dec'ed and enc'ed positions.
    What doesn't:
    When the COMPANY-A computer 1.2.3.161 attempts to communicate
    via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
    the COMPANY-A router eventually reports five of these messages:
    Oct  9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    and the "show crypto session detail" shows inbound packets being dropped.
    The COMPANY-A computer that opens the TCP connection never gets past the
    SYN_SENT phase of the TCP connection when trying to communicate with the
    COMPANY-B computer #2, and the repeated error messages are the retries of
    the SYN packet.
    On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
    a 3725, and some 76xx routers were tried, all with similar behavior,
    with packets from one far-end computer passing fine, and packets from
    another far-end computer in the same netblock passing through the same
    IPsec tunnel failing with the "failed SA identity" error.
    The COMPANY-A computer directs all packets headed to COMPANY-B via the
    COMPANY-A router at 1.2.3.8 with this set of route settings:
    netstat -r -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    4.5.7.0         1.2.3.8         255.255.255.0   UG        0 0          0 eth3
    1.2.3.8.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
    10.1.0.0        0.0.0.0         255.255.240.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
    10.0.0.0        10.1.1.1        255.0.0.0       UG        0 0          0 eth0
    0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth3
    The first route line shown is selected for access to both COMPANY-B computers.
    The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
    configuration:
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
    crypto map COMPANY-BMAP1 10 ipsec-isakmp
    description COMPANY-B VPN
    set peer 4.5.6.228
    set transform-set COMPANY-B01
    set pfs group2
    match address 190
    interface FastEthernet0/0
    ip address 1.2.3.8 255.255.255.0
    no ip redirects
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map COMPANY-BMAP1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.2.3.1
    ip route 10.0.0.0 255.0.0.0 10.1.1.1
    ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
    access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
    access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
    bridge 1 protocol ieee
    One of the routers tried had this IOS/hardware configuration:
    Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
    RELEASE SOFTWARE (fc2)
    Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
    Processor board ID XXXXXXXXXXXXXXX
    R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
    2 FastEthernet interfaces
    4 ATM interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    55K bytes of NVRAM.
    31296K bytes of ATA System CompactFlash (Read/Write)
    250368K bytes of ATA Slot0 CompactFlash (Read/Write)
    Configuration register is 0x2102
    #show crypto sess
    Crypto session current status
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:06:26:27
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
            Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
    Version 6.1 (ScreenOS)
    We only have a limited view into the Juniper device configuration.
    What we were allowed to see was:
    COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
    set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
    set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx  proposal "pre-g2-3des-sha"
    set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
    set policy id 2539 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
    set policy id 2500 from "Trust" to "Untrust"  "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
    set policy id 2541 from "Trust" to "Untrust"  "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
    set policy id 2540 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
    COMPANY-B-ROUTER(M)->
    I suspect that this curious issue is due to a configuration setting on the
    Juniper device, but neither party has seen this error before.  COMPANY-B
    operates thousands of IPsec VPNs and they report that this is a new error
    for them too.  The behavior that allows traffic from one IP address to
    work and traffic from another to end up getting this error is also unique.
    As only the Cisco side emits any error message at all, this is the only
    clue we have as to what is going on, even if this isn't actually an IOS
    problem.
    What we are looking for is a description of exactly what the Cisco
    IOS error message:
    IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    is complaining about, and if there are any known causes of the behavior
    described that occur when running IPsec between Cisco IOS and a Juniper
    SSG device.  Google reports many other incidents of the same error
    message (but not the "I like that IP address but hate this one" behavior),
    and not just with a Juniper device on the COMPANY-B end, but for those cases,
    not one was found where the solution was described.
    It is hoped that with a better explanation of the error message
    and any known issues with Juniper configuration settings causing
    this error, we can have COMPANY-B make adjustments to their device.
    Or, if there is a setting change needed on the COMPANY-A router,
    that can also be implemented.
    Thanks in advance for your time in reading this, and any ideas.

    Hello Harish,
    It is believed that:
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    both have at least two network interfaces, one with a public IP address
    (which we are supposedly conversing with) and one with a RFC 1918 type
    address.   COMPANY-B is reluctant to disclose details of their network or
    servers setup, so this is not 100% certain.
    Because of that uncertainty, it occurred to me that perhaps COMPANY-B
    computer #2 might be incorrectly routing via the RFC 1918 interface.
    In theory, such packets should have been blocked by the access-list on both
    COMPANY-A router, and should not have even made it into the IPsec VPN
    if the Juniper access settings work as it appears they should.  So I turned up
    debugging on COMPANY-A router so that I could see the encrypted and
    decrypted packet hex dumps.
    I then hand-disassembled the decoded ACK packet IP header received just
    prior to the "decrypted packet failed SA check" error being emitted and
    found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
    in the unencapsulated packet.  I also found the expected port numbers of the TCP
    conversation that was trying to be established in the TCP header.  So, it
    looks like COMPANY-B computer #2 is emitting the packets out the right
    interface.
    The IP packet header of the encrypted packet showed the IP addresses of the
    two routers at each terminus of the IPsec VPN, but since I don't know what triggers
    the "SA check" error message or what it is complaining about, I don't know what
    other clues to look for in the packet dumps.
    As to your second question, "can you check whether both encapsulation and
    decapsulation happening in 'show crypto ipsec sa'",   the enc'ed/dec'ed
    counters were both going up by the correct quantities.  When communicating
    with the uncooperative COMPANY-B computer #2, you would also see the
    received Drop increment for each packet decrypted.  When communicating
    with the working COMPANY-B computer #1, the Drop counters would not
    increment, and the enc'ed/dec'ed would both increment.
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:54
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
            Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
    Attempt a TCP communication to COMPANY-B computer #2...
    show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:23
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
            Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
    Note Inbound "drop" changed from 5 to 6.  (I didn't let it sit for all
    the retries.)
    #show crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
       current_peer 4.5.6.228 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
        #pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 3, #recv errors 6
         local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xDF2CC59C(3744253340)
      inbound esp sas:
          spi: 0xD9D2EBBB(3654478779)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDF2CC59C(3744253340)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    The "send" errors appear to be related to the tunnel reverting to a
    DOWN state after periods of inactivity, and you appear to get one
    each time the tunnel has to be re-negotiated and returned to
    an ACTIVE state.  There is no relationship between Send errors
    incrementing and working/non-working TCP conversations to the
    two COMPANY-B servers.
    Thanks for pondering this very odd behavior.

  • Jaas & Integrity check on decrypted field failed

    I'm trying to do Kerberos authentication using JAAS and the jdk 1.4.1_02 under Mandrake 9.1. The Kerberos server is installed on a Redhat 9 machine. I'm using the login module com.sun.security.auth.module.Krb5LoginModule and the TextCallbackHandler class. The login fails with the error "Exception: krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed". I get the same error if I use the kinit utility bundled with the jdk. Conversely all seems ok when I use the kinit utility bundled with the kerberos client programs of my Mandrake 9.1 distribution.
    Could anyone help me?
    Michele

    I encountered the same problem--"Integrity check on decrypted field failed (31)" when trying to authenticate against a KDC (v5) running RedHat 8.0 (JAAS and JDK 1.4.1_02)--but I was able to use Kerberized telnet and login from remote/local machines to get authenticated with this RedHat KDC. There is no problem authenticating against a KDC running Win2k AD/Kerberos with the same code. I am using the com.sun.security.auth.module.Krb5LoginModule.
    Can anyone help me to resolve this issue?

  • Tunnel comes up the syn packets denied on inbound interface

    Hi all,
    I have an issue with an ASA site-to-site VPN.
    Phase 1 and 2 negotiate fine, but then when I see a SYN initiated for the SFTP I see the SYN denied in the logs even though it is allowed through.
    I have changed the addresses in the config; as an example, the src is 1.1.1.1 and the dest 2.2.2.2.  Config below:
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 222
    access-list SFTP extended permit tcp host 1.1.1.1 host 2.2.2.2
    crypto map outside_map 50 match address SFTP
    crypto map outside_map 50 set pfs group5
    crypto map outside_map 50 set peer VPN_GW
    crypto map outside_map 50 set transform-set ESP-AES-256-SHA
    crypto map outside_map 50 set security-association lifetime seconds 3600
    crypto map outside_map 50 set security-association lifetime kilobytes 4608000
    crypto map outside_map 50 set nat-t-disable
    The phase 1 and phase 2 seem to negotiate fine.
    But I get no encryption/decryption on a sh crypto ipsec sa.
    Also I see the SYN on the inside interface being denied from source 1.1.1.1.
    So what appears to be happening is the initial packets are allowed through to set up the tunnel but then the additional packets appear to be denied.
    Any help appreciated.
    Thanks
    Kev

    Morning Jennifer,
    Thanks for your continued assistance with this.
    Going through the config I see vpn-filter 10 applied under:
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter value 10
    This is tied to ACL 10, which doesn't appear to have the public IP for this in.
    This looks like a likely candidate to me.
    Config below:
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.31 12:56:34 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    : Saved
    ASA Version 7.0(8)
    hostname FW
    domain-name default.domain.invalid
    enable password Wh3rCbG41fzpd0M. encrypted
    passwd YYrn5ri6t.SCggWC encrypted
    names
    name 195.11.205.145 EXT_IP1
    name 80.169.148.99 EXT_IP3
    name 80.169.148.98 EXT_IP2
    name 155.136.89.20 Coutts_Gateway_VPN
    name 80.169.148.112 S21_Test_VPN
    name 155.136.150.115 Coutts_Host_VPN
    name 80.169.148.114 EXT_IP5
    name 80.168.148.96 S21_Range
    name 80.169.148.100 EXT_IP6
    name 59.154.30.158 EXT_IP7
    name 195.166.102.62 EXT_IP4
    name 193.8.50.231 Coutts_Gateway_VPN_Switz
    dns-guard
    interface Ethernet0/0
    description Outside interface 0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 80.169.124.4 255.255.255.224
    interface Ethernet0/1
    description Inside interface 0/1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.0.0
    interface Ethernet0/2
    description DMZ interface 0/2
    nameif dmz
    security-level 50
    ip address 10.10.10.1 255.255.255.0
    interface Ethernet0/3
    description LAN/STATE Failover Interface
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    object-group service TCP_Port_Group tcp
    port-object eq smtp
    port-object range ftp-data ftp
    port-object eq 123
    port-object eq www
    port-object eq https
    port-object eq domain
    port-object eq ftp-data
    port-object eq ftp
    port-object eq 3389
    port-object eq ssh
    object-group service UDP_Port_Group udp
    port-object eq ntp
    port-object eq 21
    port-object eq 20
    port-object eq domain
    object-group network Trusted_Ext_Hosts
    network-object EXT_IP1 255.255.255.255
    network-object EXT_IP2 255.255.255.255
    network-object EXT_IP3 255.255.255.255
    network-object EXT_IP4 255.255.255.255
    network-object EXT_IP5 255.255.255.255
    network-object EXT_IP6 255.255.255.255
    network-object EXT_IP7 255.255.255.255
    object-group service www_services tcp
    port-object eq www
    port-object eq https
    object-group service TCP_CSG tcp
    port-object eq www
    port-object eq domain
    port-object eq https
    port-object eq 1080
    port-object eq citrix-ica
    object-group network Trusted_Ext_Hosts_ref
    network-object EXT_IP1 255.255.255.255
    network-object EXT_IP2 255.255.255.255
    network-object EXT_IP3 255.255.255.255
    network-object EXT_IP4 255.255.255.255
    network-object EXT_IP5 255.255.255.255
    network-object EXT_IP6 255.255.255.255
    object-group network S21_Range
    network-object S21_Range 255.255.255.224
    access-list inside_access_in extended permit tcp 192.168.100.0 255.255.255.0 any object-group TCP_Port_Group
    access-list inside_access_in extended permit udp 192.168.100.0 255.255.255.0 any object-group UDP_Port_Group
    access-list inside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
    access-list dmz_access_in extended permit tcp host 10.10.10.5 192.168.0.0 255.255.0.0 object-group TCP_CSG
    access-list dmz_access_in extended permit tcp host 10.10.10.5 any object-group TCP_Port_Group
    access-list dmz_access_in extended permit udp host 10.10.10.5 any object-group UDP_Port_Group
    access-list dmz_access_in extended permit tcp host 10.10.10.7 192.168.0.0 255.255.0.0 object-group TCP_CSG
    access-list dmz_access_in extended permit tcp host 10.10.10.7 any object-group TCP_Port_Group
    access-list dmz_access_in extended permit udp host 10.10.10.7 any object-group UDP_Port_Group
    access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 any
    access-list outside_access_in extended permit tcp any host 80.169.124.36 eq www
    access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.35 object-group www_services
    access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.37 object-group www_services
    access-list outside_access_in extended deny ip any any
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host 193.8.50.180
    access-list inside_access_out extended permit tcp object-group Trusted_Ext_Hosts_ref 192.168.0.0 255.255.0.0 eq 3389
    access-list inside_access_out extended permit tcp any host 192.168.100.24 eq www
    access-list inside_access_out extended permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0 object-group TCP_CSG
    access-list inside_access_out extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list outside_cryptomap_30 extended permit ip host 80.169.124.35 155.136.30.0 255.255.254.0
    access-list outside_cryptomap_30 extended permit ip host 80.169.124.37 155.136.30.0 255.255.254.0
    access-list 10 extended permit tcp any host 80.169.124.35 object-group www_services
    access-list 10 extended permit tcp any host 10.10.10.5 object-group www_services
    access-list 10 extended permit tcp any host 80.169.124.37 object-group www_services
    access-list 10 extended permit tcp any host 10.10.10.7 object-group www_services
    access-list COUTTS_SWITZ_SFTP extended permit tcp 192.168.100.0 255.255.255.0 host 193.8.50.180 eq ssh
    access-list outside_cryptomap_40 extended permit ip host 80.169.124.35 155.136.0.0 255.255.0.0
    access-list outside_cryptomap_40 extended permit ip host 80.169.124.37 155.136.0.0 255.255.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    failover
    failover lan unit primary
    failover lan interface Failover Ethernet0/3
    failover polltime interface 10
    failover key *****
    failover link Failover Ethernet0/3
    failover interface ip Failover 172.16.31.249 255.255.255.248 standby 172.16.31.250
    no monitor-interface management
    icmp permit any outside
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    global (outside) 20 80.169.124.32
    global (dmz) 10 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 20 192.168.0.0 255.255.0.0
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 20 10.10.10.0 255.255.255.0
    nat (dmz) 10 0.0.0.0 0.0.0.0
    static (inside,outside) 80.169.124.33 192.168.100.11 netmask 255.255.255.255
    static (inside,outside) 80.169.124.34 192.168.100.21 netmask 255.255.255.255
    static (dmz,outside) 80.169.124.35 10.10.10.5 netmask 255.255.255.255
    static (inside,outside) 80.169.124.36 192.168.100.24 netmask 255.255.255.255
    static (dmz,outside) 80.169.124.37 10.10.10.7 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 80.169.124.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter value 10
    vpn-tunnel-protocol IPSec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    client-firewall none
    client-access-rule none
    webvpn
      functions none
      port-forward-name value Application Access
    username Admin password 5VZ2yiLE0W2kEsod encrypted privilege 15
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 30 match address outside_cryptomap_30
    crypto map outside_map 30 set peer 155.136.17.70
    crypto map outside_map 30 set transform-set ESP-AES-256-SHA
    crypto map outside_map 30 set security-association lifetime seconds 28800
    crypto map outside_map 30 set security-association lifetime kilobytes 4608000
    crypto map outside_map 30 set nat-t-disable
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer Coutts_Gateway_VPN
    crypto map outside_map 40 set transform-set ESP-AES-256-SHA
    crypto map outside_map 40 set security-association lifetime seconds 3600
    crypto map outside_map 40 set security-association lifetime kilobytes 4608000
    crypto map outside_map 40 set nat-t-disable
    crypto map outside_map 50 match address COUTTS_SWITZ_SFTP
    crypto map outside_map 50 set pfs group5
    crypto map outside_map 50 set peer Coutts_Gateway_VPN_Switz
    crypto map outside_map 50 set transform-set ESP-AES-256-SHA
    crypto map outside_map 50 set security-association lifetime seconds 3600
    crypto map outside_map 50 set security-association lifetime kilobytes 4608000
    crypto map outside_map 50 set nat-t-disable
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 50 authentication pre-share
    isakmp policy 50 encryption aes-256
    isakmp policy 50 hash sha
    isakmp policy 50 group 2
    isakmp policy 50 lifetime 86400
    tunnel-group 155.136.17.70 type ipsec-l2l
    tunnel-group 155.136.17.70 ipsec-attributes
    pre-shared-key *
    tunnel-group 155.136.89.20 type ipsec-l2l
    tunnel-group 155.136.89.20 ipsec-attributes
    pre-shared-key *
    tunnel-group 193.8.50.231 type ipsec-l2l
    tunnel-group 193.8.50.231 ipsec-attributes
    pre-shared-key *
    telnet timeout 5
    ssh 192.168.100.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 10
    dhcpd lease 3600
    dhcpd ping_timeout 50
    ntp server 193.228.143.13 source outside
    Cryptochecksum:87a0c89dced7eb36d9a9b2854eea3b95
    : end
    FW#
    Cheers

  • SSO using Kerberos receiving "Integrity check on decrypted field failed (31

    I am trying to implement SSO for an application that is running on a WebLogic Server. I have flagged the AD Service user for DES encryption, added spn through setspn, created the keytab file, reset the password (to the same value), moved the keytab file, updated krb5.ini and krb5Login.conf accordingly, modified WebLogic startup command accordingly. When Users try to access the application, authentication fails, and I see “Integrity check on decrypted field failed (31)” error in the WebLogic logs. Any ideas? I am attaching the related lines from the log below.
    <Sep 29, 2008 9:46:50 AM MDT> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
    Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null KeyTab is devmax01.http.keytab2 refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    KeyTab: load() entry length: 60
    KeyTabInputStream, readName(): DEV.DENVERWATER.ORG
    KeyTabInputStream, readName(): HTTP
    KeyTabInputStream, readName(): devmax01
    principal's key obtained from the keytab
    principal is HTTP/[email protected]
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbAsReq etypes are: 3 1
    KrbKdcReq send: kdc=dwdev01 UDP:88, timeout=30000, number of retries =3, #bytes=249
    KDCCommunication: kdc=dwdev01 UDP:88, timeout=30000,Attempt =1, #bytes=249
    KrbKdcReq send: #bytes read=1312
    KrbKdcReq send: #bytes read=1312
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbAsRep cons in KrbAsReq.getReply HTTP/devmax01Added server's keyKerberos Principal HTTP/[email protected] Version 8key EncryptionKey: keyType=3 keyBytes (hex dump)=
    0000: 2F 02 76 AB 7F 8C B0 6E
    [Krb5LoginModule] added Krb5Principal HTTP/[email protected] to Subject
    Commit Succeeded
    Found key for HTTP/[email protected]
    Entered Krb5Context.acceptSecContext with state=STATE_NEW
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    <Sep 29, 2008 9:46:50 AM MDT> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))

    FYI The fix for this was to change the value for -Djava.security.krb5.realm to be all upper case
    Once that change was made authentication passed
    Edited by: IDL on Jan 2, 2008 9:25 AM

  • Kerberos Authentication: "Integrity check on decrypted field failed"

    Hi,
    I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
    Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
    The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??
    Has anyone else had this error & what causes it?
    Many thanks in advance.
    Regards
    Jane
    Full error text:
    JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
    JGSS_DBG_CRED getCred: only one cred, returning it
    JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
    JGSS_DBG_CRED Krb5 name type = 0
    JGSS_DBG_CTX Creating context, cred usage = 2
    GSS Context created
    JGSS_DBG_UNMARSH Real token len 1641
    JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
    JGSS_DBG_UNMARSH inner token len 1630
    JGSS_DBG_PROV getFactory: index = 0 found factory
    JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
    JGSS_DBG_PROV 1.2.840.113554.1.2.2
    JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
    JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
    JGSS_DBG_CTX Default list of negotiable mechs:
    1.2.840.113554.1.2.2
    JGSS_DBG_CTX ticket enc type = des-cbc-md5
    com.ibm.security.krb5.internal.KrbException, status code: 31
    message: Integrity check on decrypted field failed
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
    at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
    at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
    at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
    at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:215)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    JGSS_DBG_CTX Error authenticating request. Reporting to client
    Major code = 11, Minor code = 31
    org.ietf.jgss.GSSException, major code: 11, minor code: 31
    major string: General failure, unspecified at GSSAPI level
    minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
    message: Integrity check on decrypted field failed

    Hi Désirée,
    Yes the service user has "Use DES encryption" set.
    In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
    Regards
    Jane

  • Decrypting FileVault Failed and User Account Not Allowing Login

    So here is the scenario and my problem. I decided to do a clean install of Leopard on my PowerMac G5 and in doing so used Carbon Copy Cloner to copy all the content of my Macintosh HD drive to another internal DataDrive so that I could get my data later and be able to boot into that old installation of the OS for any reason. After the clone was complete I did a clean install of Leopard onto my Macintosh HD volume.
    With the new installation running and updates run I decided to go and get my old data. Turns out I had FileVault protection on in the old installation and could not access my data through the new install. This was the very reason I kept the old installation. I rebooted into the old installation and went to remove FileVault protection. The computer logged out and started decrypting my user folder.
    Two hours into the decryption it failed and prompted me to continue and be returned to my login and state before I started the decryption. Now I can't login to that user because when I attempt to it will say that FileVault needs to be repaired and give you the option to repair. The repair takes a while and then gives you the error stating the repair didn't work.
    So I need help figuring out how to get access to my data in that user folder or get that user folder to work so that I can get my info copied to my new installation. Any ideas would be very much appreciated as I feel like I have lost too much for comfort.
    Thanks, Brandon

    First of all thank you for the help. In all my trying to figure it out I didn't try just double clicking on the sparse bundle.
    Because this was my only user on the computer I had to enable the root user to be able to login. Once that was enabled I was able to mount the sparsebundle and copy my data out. I didn't get all of it as something did truly get corrupted during the decryption but I did get 99% I think.
    Now with my data copied to another location I can attempt some repairs and see if I am able to get that last percentage point. Thanks again.
    Brandon

  • Error from sample JAAS: Integrity check on decrypted field failed (31)

    I am trying to follow the tutorial for JAAS Authentication located here:
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html
    I am trying to run the sample JaasAcn.java but am getting a strange error when I try to log on to my Active Directory.
    I am using Java version: jre1.6.0_03
    I can login to Active Directory fine with the credentials I am providing, just not with this client, so I know the credentials are valid.
    What could this mean?
    The Error message is: [Krb5LoginModule] authentication failed
    Integrity check on decrypted field failed (31)
    Here is the full output:
    C:\Progra~1\Java\jre1.6.0_03\bin\java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72 -Djava.security.auth.login.config=jaas.conf JaasAcn
    Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
    alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fa
    lse principal is null tryFirstPass is false useFirstPass is false storePass is f
    alse clearPass is false
    Kerberos username [ILea]: sra
    Kerberos password for sra:
    [Krb5LoginModule] user entered username: sra
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 3 1 23 16 17.
    Acquire TGT using AS Exchange
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 3 1 23 16 17.
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=144
    KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=144
    KrbKdcReq send: #bytes read=587
    KrbKdcReq send: #bytes read=587
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    [Krb5LoginModule] authentication failed
    Integrity check on decrypted field failed (31)
    Authentication failed:
    Integrity check on decrypted field failed (31)

    FYI The fix for this was to change the value for -Djava.security.krb5.realm to be all upper case
    Once that change was made authentication passed
    Edited by: IDL on Jan 2, 2008 9:25 AM
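
The Kerberos threads above report two different fixes for the same error 31: an upper-case realm value, and a keytab regenerated after a password change. The script below is an added example, not code from any poster; it triages a Java Kerberos debug log against both, using lines excerpted from the quoted logs as constructed sample input, and its function and field names are assumptions.

```python
import re

# Constructed sample input: lines excerpted from the Java debug logs quoted in the threads.
AS_EXCHANGE_LOG = """\
java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72 JaasAcn
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
[Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31)
"""

ACCEPTOR_LOG = """\
KeyTab is devmax01.http.keytab2 refreshKrb5Config is false
KrbAsReq etypes are: 3 1
Commit Succeeded
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
"""

# IANA Kerberos encryption type numbers seen in these logs.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
DES_ETYPES = {1, 3}  # single DES, deprecated by RFC 6649

REALM_RE = re.compile(r"-Djava\.security\.krb5\.realm=(\S+)")
ETYPE_LIST_RE = re.compile(r"etypes(?: for default_tkt_enctypes| are):\s*([\d ]+)")
ETYPE_CLASS_RE = re.compile(r"EType: [\w.]*\.(\w+)EType")
ERR31_RE = re.compile(r"Integrity check on decrypted field failed")


def triage(log):
    """Return a report for a log containing Kerberos error 31, or None if absent.

    Error 31 (KRB_AP_ERR_BAD_INTEGRITY) means the key used to decrypt did not
    match the key used to encrypt, so every check is about where that key
    comes from.
    """
    err = ERR31_RE.search(log)
    if err is None:
        return None
    before = log[:err.start()]

    # An acceptor decrypts the service ticket with the keytab key; a client in
    # the AS exchange decrypts the KDC reply with a password-derived key.
    phase = "acceptor" if "acceptSecContext" in before else "as-exchange"

    realm_match = REALM_RE.search(log)
    realm = realm_match.group(1) if realm_match else None
    realm_not_upper = realm is not None and realm != realm.upper()

    list_match = ETYPE_LIST_RE.search(log)
    numbers = [int(n) for n in list_match.group(1).split()] if list_match else []
    classes = ETYPE_CLASS_RE.findall(before)
    # The last EType line before the error names the etype being decrypted.
    des_in_use = bool(classes) and classes[-1].startswith("DesCbc")

    checks = []
    if realm_not_upper:
        checks.append("set -Djava.security.krb5.realm to %s "
                      "(fix reported in the thread)" % realm.upper())
    if phase == "acceptor":
        checks.append("regenerate the keytab after any password change "
                      "on the service account")
    if des_in_use or (numbers and numbers[0] in DES_ETYPES):
        checks.append("single-DES etype in use: plan a move to an AES etype")

    return {
        "phase": phase,
        "realm": realm,
        "realm_not_upper": realm_not_upper,
        "offered": [ETYPE_NAMES.get(n, "etype-%d" % n) for n in numbers],
        "des_in_use": des_in_use,
        "checks": checks,
    }


if __name__ == "__main__":
    for name, log in (("AS exchange", AS_EXCHANGE_LOG), ("acceptor", ACCEPTOR_LOG)):
        print(name, triage(log))
```
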

  • [C4005]: Get properties from packet failed killing my sessions

    I have a broker in a state where 6 messages are delivered which "kill" the first 6 sessions listening on a particular queue (round-robin delivery sorta situation)
    These exceptions are logged only to stderr and no indication is given to my program about them other than the affected sessions never receive another message again, others do.
    When the broker or consumer service is restarted, it happens again.
    If I start the broker with a -reset messages then the problem goes away. I saved the entire broker var folder to try to find a work around to this.
    This is OpenMQ 4.5B29
    I'll include the stack traces below, anyone seen something like this or have suggestions on how to deal with this without resorting to reset of the broker?
    Could not parse properties java.io.UTFDataFormatException: malformed input around byte 11
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
    WARNING: [I500]: Caught JVM Exception: java.lang.NullPointerException
    java.io.UTFDataFormatException: malformed input around byte 11
         at java.io.DataInputStream.readUTF(Unknown Source)
         at java.io.DataInputStream.readUTF(Unknown Source)
         at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:178)
         at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
         at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
         at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
         at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
         at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
         at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
         at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
         at java.lang.Thread.run(Unknown Source)
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
    WARNING: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
    com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
         at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
         at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
         at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
         at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.NullPointerException
         at java.util.Hashtable.put(Unknown Source)
         at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:193)
         at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
         at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
         at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
         ... 5 more
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
    WARNING: [I500]: Caught JVM Exception: java.io.UTFDataFormatException: malformed input around byte 11
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
    WARNING: [C4005]: Get properties from packet failed. - cause: java.io.UTFDataFormatException: malformed input around byte 11
    com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.io.UTFDataFormatException: malformed input around byte 11
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
         at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
         at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
         at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
         at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.io.UTFDataFormatException: malformed input around byte 11
         at java.io.DataInputStream.readUTF(Unknown Source)
         at java.io.DataInputStream.readUTF(Unknown Source)
         at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:178)
         at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
         at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
         at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
         ... 5 more
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
    WARNING: [I500]: Caught JVM Exception: java.lang.NullPointerException
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
    WARNING: [I500]: Caught JVM Exception: java.io.StreamCorruptedException: invalid type code: 00
    Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
    WARNING: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
    com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
         at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
         at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
         at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
         at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
         at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.NullPointerException
         at java.util.Hashtable.put(Unknown Source)
         at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:193)
         at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
         at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
         at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
         at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
         ... 5 more

    From the stack trace, it looks like there is a problem with one of the message's string properties. I can't obviously see what, but this might help you track down the cause of the problem.
    When you've found out what it is about your message that's causing this exception, please log this as a bug.
    Nigel

  • Background job failing with license check error

    Hi Experts
    In our ERP 6.0 system, all the background jobs are failing with license check error.
    Have checked the license in SLICENSE and the license is fine.
    There is no warning while users are logging in, but when any background job is running it's failing with error
    Job started
    Logon not possible (error in license check)
    Job cancelled after system exception ERROR_MESSAGE
    Also performed the license test which is failing
    F:\usr\sap\XX1\SYS\exe\uc\NTAMD64>saplicense -test pf=F:\usr\sap\XX1\SYS\profile
    \XX1_DVEBMGS00_host_xx
    Protocol saplicense test:
    Read sapsytem name
           ok, sapsytem name = XX1
    Read message server host
           ok, host = hostname
    Read message server service port
           ok, service port = sapmsXX1
    Connect to message server
           ok, connect done
    Read hardware key from message server
           ok, got hardware key
    Detach from message server
           ok, detached
    Check hardware key
           ok, hardware key = T0343073854
    Connect to database
           ok, connected
    Check license
           ok, check done
    Disconnect database
           ok, database disconnected
    test result: license test failed
    LICENSE system: XX1 hardware key: T0343073854 expiration_date:
            installation no:  key:
            userlimit: 0 productid: R3_BASIS
            system-nr:
    license expired ***
    Please suggest how to troubleshoot.
    Regards
    Ajay

    @Michael
    In SLICENSE the Hardware key field is not BLUE or BLACK and it's showing the exact hardware key which I can see at OS level with saplicense -get command.
    @Jagadish
    Note is a good reference, I reinstalled the Digitally signed license with saplikey command and it was successful.
    But still the license test is failing at OS Level. Below is the command prompt output.
    ===================================================================
    F:\usr\sap\XX1\SYS\exe\uc\NTAMD64>saplikey -install C:\license_script_XX.txt pf
    =F:\usr\sap\XX\SYS\profile\XX_DVEBMGS00_mngsez148079
    SAP License Key Administration  -  Copyright (C) 2003 SAP AG
    2 SAP license key(s) successfully installed.
    F:\usr\sap\XX\SYS\exe\uc\NTAMD64>saplicense -test pf=F:\usr\sap\XX1\SYS\profile
    \MD1_DVEBMGS00_mngsez148079
    Protocol saplicense test:
    Read sapsytem name
           ok, sapsytem name = XX1
    Read message server host
           ok, host = host
    Read message server service port
           ok, service port = sapmsXX1
    Connect to message server
           ok, connect done
    Read hardware key from message server
           ok, got hardware key
    Detach from message server
           ok, detached
    Check hardware key
           ok, hardware key = T0343073854
    Connect to database
           ok, connected
    Check license
           ok, check done
    Disconnect database
           ok, database disconnected
    test result: license test failed
    LICENSE system: XX1 hardware key: T0343073854 expiration_date:
            installation no:  key:
            userlimit: 0 productid: R3_BASIS
            system-nr:
    license expired ***
    ============================================================
    @Juan
    The hardware key was changed and we requested a new license with the new hardware key; the system was running fine for a couple of weeks with all background jobs for SPAM/SAINT OK. We performed EHP4 on this system.
    But now this issue is here, so I guess we should troubleshoot.
    Please let me know any other pointers.
    Regards
    Ajay
    PS In SLICENSE new installed license is fine and all users can login.

  • Nodemanager fails hostname verification check

    does anyone know how i might resolve this issue?
    [[NodeManager:300033]Could not execute command ping on the node manager. Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker: Failed to send command: 'ping to server 'null' to NodeManager at host: '10.32.33.2:5555' with exception [Security:090504]Certificate chain received from 10.32.33.2 - 10.32.33.2 failed hostname verification check. Certificate contained qa153 but check expected 10.32.33.2. Please ensure that the NodeManager is active on the target machine].]

    Matthew Sacks <> wrote:
    > Does anyone know how I might resolve this issue?
    > [[NodeManager:300033]Could not execute command ping on the node manager.
    > Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker:
    > Failed to send command: 'ping to server 'null' to NodeManager at host:
    > '10.32.33.2:5555' with exception [Security:090504]Certificate chain
    > received from 10.32.33.2 - 10.32.33.2 failed hostname verification
    > check. Certificate contained qa153 but check expected 10.32.33.2.
    > Please ensure that the NodeManager is active on the target machine].]

    Hi,
    - If you are using scripts:
      you can use the following option in your scripts:
      -Dweblogic.security.SSL.ignoreHostnameVerification=true
    - If you want to use it from the adminserver:
      Go to the adminserver in the console
      Go to 'SSL'
      Select 'Advanced'
      Set 'Hostname Verification' to 'none'
      And restart the adminserver.
    cheers,
    Bart
    Schelstraete Bart
    http://www.schelstraete.org
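
The check behind the Security:090504 error in this thread, as an added example (not part of the original posts and not WebLogic's implementation): a simplified name check showing why a certificate issued for qa153 fails when the peer is addressed as 10.32.33.2, and which name or certificate change lets the check pass with verification left on. The certificate dictionaries and function names are constructed for illustration.

```python
import ipaddress
import re

# Error text as quoted in the thread above.
ERROR = ("[Security:090504]Certificate chain received from 10.32.33.2 - 10.32.33.2 "
         "failed hostname verification check. Certificate contained qa153 "
         "but check expected 10.32.33.2. Please ensure that the NodeManager is active")

def parse_090504(message):
    """Return (name in the certificate, name the client expected), or None."""
    m = re.search(r"Certificate contained (\S+) but check expected (\S+?)\.(?:\s|$)",
                  message)
    return (m.group(1), m.group(2)) if m else None

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(expected, cert):
    """Simplified check: exact match only, no wildcard handling.
    An IP peer must match an IP SAN; a DNS peer matches DNS SANs,
    falling back to the CN only when the certificate has no DNS SAN."""
    sans = cert.get("subjectAltName", ())
    if is_ip(expected):
        want = ipaddress.ip_address(expected)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == want
                   for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"] or [cert["commonName"]]
    return any(expected.lower() == name.lower() for name in names)

def fixes_keeping_verification(message):
    """List changes after which the check passes with verification still enabled."""
    contained, expected = parse_090504(message)
    cert = {"commonName": contained}  # constructed: the certificate as the error describes it
    fixes = []
    if name_matches(contained, cert):
        fixes.append(f"address Node Manager as {contained} instead of {expected}")
    if is_ip(expected):
        reissued = dict(cert, subjectAltName=(("DNS", contained), ("IP Address", expected)))
        if name_matches(expected, reissued):
            fixes.append(f"reissue the certificate with an IP SAN for {expected}")
    return fixes

if __name__ == "__main__":
    for fix in fixes_keeping_verification(ERROR):
        print(fix)
```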

  • Rapidwiz fails host/domain check

    Hello all,
    I started rapidwiz to install R12.1 on windows 2003.
    It did all the checks, but fails on the check of host/domain.
    The following error occurs:
    Host/Domain
    command: ping -n 1 incoredemo
    Pinging IncoreDemo [172.30.26.159] with 32 bytes of data:
    Reply from 172.30.26.159: bytes=32 time<1ms TTL=128
    Ping statistics for 172.30.26.159:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
    host ping has succeeded
    command: ping -n 1 incoredemo.officevision
    Ping request could not find host incoredemo.officevision. Please check the name and try again.
    RW-50011: Error: - host.domain ping has returned an error: 1 System variable PATH set to:
    C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\cygwin\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
    So I guess the domain name is not correct. But I am not even in a domain, I am in a workgroup, which is called officevision.
    Can anyone tell me what I can use for domain???
    Or can I just continue?
    Thanks in advance!
    Remc0

    Hi,
    > command: ping -n 1 incoredemo.officevision
    > Ping request could not find host incoredemo.officevision. Please check the name and try again.
    > RW-50011: Error: - host.domain ping has returned an error: 1 System variable PATH set to:
    > C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\cygwin\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\

    Make sure you have a valid entry in the hosts file.

    > So I guess the domain name is not correct.. But I am even not in a domain, I am in a workgroup, which is called officevision.
    > Can anyone tell me what I can use for domain???
    > Or can I just continue?

    Set the domain name as follows:
    - Right click on 'My Computer' > Properties > 'Computer Name' > Change
    - Set 'Computer Name' to <hostname>
    - Click on More
    - Set a 'Primary DNS Suffix of this Computer' to <domainname>
    Regards,
    Hussein

  • Initial load failing between identical tables. DEFGEN skewed and fixable?

    Error seen:
    2013-01-28 15:23:46 WARNING OGG-00869 [SQL error 0 (0x0)][HP][ODBC/MX Driver] DATETIME FIELD OVERFLOW. Incorrect Format or Data. Row: 1 Column: 11.
    Then compared the discard record against a select * on the key column.
    Mapping problem with insert record (target format)...
    **** Comparing Discard contents to Select * display
    ABCHID = 3431100001357760616974974003012 = 3431100001357760616974974003012
    *!!! ABCHSTEPCD = 909129785 <> 9 ???*
    ABCHCREATEDDATE = 2013-01-09 13:43:36 = 2013-01-09 13:43:36
    ABCHMODIFIEDDATE = 2013-01-09 13:43:36 =2013-01-09 13:43:36
    ABCHNRTPUSHED = 0 = 0
    ABCHPRISMRESULTISEVALUATED = 0 = 0
    SABCHPSEUDOTERM = 005340 = 005340
    ABCHTERMID = TERM05 = TERM05
    ABCHTXNSEQNUM = 300911112224 = 300911112224
    ABCHTIMERQSTRECVFROMACQR = 1357799914310 = 1357799914310
    *!!! ABCTHDATE = 1357-61-24 00:43:34 <> 2013-01-09 13:43:34*
    ABCHABCDATETIME = 2013-01-09 13:43:34.310000 = 2013-01-09 13:43:34.310000
    ABCHACCOUNTABCBER =123ABC = 123ABC
    ABCHMESSAGETYPECODE = 1210 = 1210
    ABCHPROCCDETRANTYPE = 00 = 00
    ABCHPROCCDEFROMACCT = 00 = 00
    ABCHPROCCDETOACCT = 00 = 00
    ABCHRESPONSECODE = 00 = 00
    …. <snipped>
    Defgen comes out same when run against either table.
    Also have copied over and tried both outputs from DEFGEN.
    +- Defgen version 2.0, Encoding ISO-8859-1
    * Definitions created/modified 2013-01-28 15:00
    * Field descriptions for each column entry:
    * 1 Name
    * 2 Data Type
    * 3 External Length
    * 4 Fetch Offset
    * 5 Scale
    * 6 Level
    * 7 Null
    * 8 Bump if Odd
    * 9 Internal Length
    * 10 Binary Length
    * 11 Table Length
    * 12 Most Significant DT
    * 13 Least Significant DT
    * 14 High Precision
    * 15 Low Precision
    * 16 Elementary Item
    * 17 Occurs
    * 18 Key Column
    * 19 Sub Data Type
    Database type: SQLMX
    Character set ID: ISO-8859-1
    National character set ID: UTF-16
    Locale: en_EN_US
    Case sensitivity: 14 14 14 14 14 14 14 14 14 14 14 14 11 14 14 14
    Definition for table RT.ABC
    Record length: 1311
    Syskey: 0
    Columns: 106
    ABCHID 64 34 0 0 0 0 0 34 34 34 0 0 32 32 1 0 1 3
    ABCHSTEPCD 132 4 39 0 0 0 0 4 4 4 0 0 0 0 1 0 0 0
    ABCHCREATEDDATE 192 19 46 0 0 0 0 19 19 19 0 5 0 0 1 0 0 0
    ABCHMODIFIEDDATE 192 19 68 0 0 0 0 19 19 19 0 5 0 0 1 0 0 0
    ABCHNRTPUSHED 130 2 90 0 0 0 0 2 2 2 0 0 0 0 1 0 0 0
    ABCHPRISMRESULTISEVALUATED 130 2 95 0 0 0 0 2 2 2 0 0 0 0 1 0 0 0
    ABCHPSEUDOTERM 0 8 100 0 0 0 0 8 8 8 0 0 0 0 1 0 0 0
    ABCTERMID 0 16 111 0 0 0 0 16 16 16 0 0 0 0 1 0 0 0
    ABCHTXNSEQNUM 0 12 130 0 0 0 0 12 12 12 0 0 0 0 1 0 0 0
    ABCHTIMERQSTRECVFROMACQR 64 24 145 0 0 0 0 24 24 24 0 0 22 22 1 0 0 3
    ABCTHDATE 192 19 174 0 0 0 0 19 19 19 0 5 0 0 1 0 0 0
    ABCHABCDATETIME 192 26 196 0 0 1 0 26 26 26 0 6 0 0 1 0 0 0
    ABCHACCOUNTABCER 0 19 225 0 0 1 0 19 19 19 0 0 0 0 1 0 0 0
    ABCHMESSAGETYPECODE 0 4 247 0 0 1 0 4 4 4 0 0 0 0 1 0 0 0
    ABCHPROCCDETRANTYPE 0 2 254 0 0 1 0 2 2 2 0 0 0 0 1 0 0 0
    ABCHPROCCDEFROMACCT 0 2 259 0 0 1 0 2 2 2 0 0 0 0 1 0 0 0
    ABCHPROCCDETOACCT 0 2 264 0 0 1 0 2 2 2 0 0 0 0 1 0 0 0
    ABCHRESPONSECODE 0 5 269 0 0 1 0 5 5 5 0 0 0 0 1 0 0 0
    … <snipped>
    The physical table shows a PACKED REC 1078
    And table invoke is:
    -- Definition of table ABC3.RT.ABC
    -- Definition current Mon Jan 28 18:20:02 2013
    ABCHID NUMERIC(32, 0) NO DEFAULT HEADING '' NOT
    NULL NOT DROPPABLE
    , ABCHSTEPCD INT NO DEFAULT HEADING '' NOT NULL NOT
    DROPPABLE
    , ABCHCREATEDDATE TIMESTAMP(0) NO DEFAULT HEADING '' NOT
    NULL NOT DROPPABLE
    , ABCHMODIFIEDDATE TIMESTAMP(0) NO DEFAULT HEADING '' NOT
    NULL NOT DROPPABLE
    , ABCHNRTPUSHED SMALLINT DEFAULT 0 HEADING '' NOT NULL NOT
    DROPPABLE
    , ABCHPRISMRESULTISEVALUATED SMALLINT DEFAULT 0 HEADING '' NOT NULL NOT
    DROPPABLE
    , ABCHPSEUDOTERM CHAR(8) CHARACTER SET ISO88591 COLLATE
    DEFAULT NO DEFAULT HEADING '' NOT NULL NOT DROPPABLE
    , ABCHTERMID CHAR(16) CHARACTER SET ISO88591 COLLATE
    DEFAULT NO DEFAULT HEADING '' NOT NULL NOT DROPPABLE
    , ABCHTXNSEQNUM CHAR(12) CHARACTER SET ISO88591 COLLATE
    DEFAULT NO DEFAULT HEADING '' NOT NULL NOT DROPPABLE
    , ABCHTIMERQSTRECVFROMACQR NUMERIC(22, 0) NO DEFAULT HEADING '' NOT
    NULL NOT DROPPABLE
    , ABCTHDATE TIMESTAMP(0) NO DEFAULT HEADING '' NOT
    NULL NOT DROPPABLE
    , ABCHABCDATETIME TIMESTAMP(6) DEFAULT NULL HEADING ''
    , ABCHACCOUNTNABCBER CHAR(19) CHARACTER SET ISO88591 COLLATE
    DEFAULT DEFAULT NULL HEADING ''
    , ABCHMESSAGETYPECODE CHAR(4) CHARACTER SET ISO88591 COLLATE
    DEFAULT DEFAULT NULL HEADING ''
    , ABCHPROCCDETRANTYPE CHAR(2) CHARACTER SET ISO88591 COLLATE
    DEFAULT DEFAULT NULL HEADING ''
    , ABCHPROCCDEFROMACCT CHAR(2) CHARACTER SET ISO88591 COLLATE
    DEFAULT DEFAULT NULL HEADING ''
    , ABCHPROCCDETOACCT CHAR(2) CHARACTER SET ISO88591 COLLATE
    DEFAULT DEFAULT NULL HEADING ''
    , ABCHRESPONSECODE CHAR(5) CHARACTER SET ISO88591 COLLATE
    DEFAULT DEFAULT NULL HEADING ''
    …. Snipped
    I suspect that the fields having subtype 3 just before the garbled columns are a clue, but I am not sure what to replace them with or adjust.
    Any and all help mighty appreciated.

    Worthwhile suggestion, just having difficulty applying.
    I will tinker with it more. But still open to more suggestions.
    =-=-=-=-
    Oracle GoldenGate Delivery for SQL/MX
    Version 11.2.1.0.1 14305084
    NonStop H06 on Jul 11 2012 14:11:30
    Copyright (C) 1995, 2012, Oracle and/or its affiliates. All rights reserved.
    Starting at 2013-01-31 15:19:35
    Operating System Version:
    NONSTOP_KERNEL
    Version 12, Release J06
    Node: abc3
    Machine: NSE-AB
    Process id: 67895711
    Description:
    ** Running with the following parameters **
    2013-01-31 15:19:40 INFO OGG-03035 Operating system character set identified as ISO-8859-1. Locale: en_US_POSIX, LC_ALL:.
    Comment
    Comment
    REPLICAT lodrepx
    ASSUMETARGETDEFS
    Source Context :
    SourceModule : [er.init]
    SourceID : [home/ecloud/sqlmx_mlr14305084/src/app/er/init.cpp]
    SourceFunction : [get_infile_params]
    SourceLine : [2418]
    2013-01-31 15:19:40 ERROR OGG-00184 ASSUMETARGETDEFS is not supported for SQL/MX ODBC replicat.
    2013-01-31 15:19:45 ERROR OGG-01668 PROCESS ABENDING.

  • HT1349 iTunes failed to start after an upgrade, won't allow me to re-install saying "Apple Mobile Device failed to start, check for sufficient privileges"

    My iTunes library failed to start after an upgrade, and now I'm unable to open or re-install it. I receive an error message stating that "apple mobile device failed to start, check to see that you have sufficient privileges to run system". Any help with this? I've tried un-installing and downloading only to get the same message again.

    Thank you to "turingtest2", solution for someone else worked for me as well!

  • Java execution failed.  Please check the Java Option in the option dialog.

    I recently installed BI Publisher MS Word Add-In.
    After installing I get the error "Java execution failed. Please check the Java Option in the option dialog" when trying to preview a template in (pdf, word, excel...).
    I tried changing a java parameter as suggested by the following thread but it did not get past the error.
    Java execution failed.  Please check the Java Option in the option dialog.
    Here are my settings for the Word Add-In under "Oracle BI Publisher > Options... > Preview" (tab):
    Java Home = C:\Program Files\Java\jre6
    Java Option = -Xmx512M
    Any help would be appreciated.
    Todd

    Is there a log I can see more about this Java error? I've looked for a log but can't see one.
    TIA,
    Todd
