Site2Site Tunnel issue IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Hi,
I have a slight issue I'm having some problems resolving..
The scenario is as follows;
I have an external provider which connects to me via VPN to a Juniper SSG firewall, that works fine.
I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPSec via Internet to reach it.
That also works fine and I have multiple SA's running on that site with no issues or problems.
The external provider has a small network device deployed on the external site which monitors cooling values in one of our warehouses.
The external site, which is connected via IPsec, has a Cisco 1921 and numerous Cisco 3550s deployed.
The VLAN for the cooling provider is vlan 150 and is setup with 10.150.4.0/24 where .1 is the def gw and .10 is the cooling monitor device.
The external provider's servers are located within 192.168.220.0/24 subnet.
As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services, ping, telnet whatnot, but we are unable to ping the cooling device from 192.168.220.0/24.
However from the Cisco 1921, we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10
So basically it seems to be the last bit when the traffic goes through the 1921 and to the switch where it fails and I can't for the life of me figure out why.
Network diagram attached.. any ideas?
This is the 1921 config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname bergen-vpn-gw
boot-start-marker
boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
boot-end-marker
logging buffered 50000
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
no ipv6 cef
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name xxxxx
multilink bundle-name authenticated
license udi pid CISCO1921/K9 sn FCZ1508C1P4
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
vtp mode client
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key harakiri address 1.2.3.4
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set 3DES-SHA
match address VPN
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
interface GigabitEthernet0/0.99
description *** Test VLAN To be removed ***
encapsulation dot1Q 99
ip address 10.90.90.1 255.255.255.0
no ip route-cache
interface GigabitEthernet0/0.112
encapsulation dot1Q 112
ip address 192.168.112.1 255.255.255.0
ip helper-address 172.30.1.223
no ip route-cache
interface GigabitEthernet0/0.150
encapsulation dot1Q 150
ip address 10.150.4.1 255.255.255.0
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.178
encapsulation dot1Q 178
ip address 192.168.178.1 255.255.255.0
ip helper-address 172.30.1.223
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.999
encapsulation dot1Q 999
no ip route-cache
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.252
no ip redirects
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map VPN
interface FastEthernet0/0/0
switchport access vlan 99
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 85.200.203.29
ip access-list extended VPN
permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
ip sla 1
icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 1 start-time now
ip sla 2
icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 2 start-time now
ip sla 3
icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 3 start-time now
ip sla 4
icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 4 start-time now
ip sla 5
icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 5 start-time now
ip sla 6
icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 6 start-time now
cdp source-interface GigabitEthernet0/0.112
snmp-server community bamacomro RO
snmp-server community bamacomrw RW
control-plane
banner motd ^CCC-----------------------------------------------------------------------------
This system is solely for the use of authorised users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all their activities monitored and recorded by system personell.
Use of this system evidence an express consent to such monitoring and
agreement that if such monitoring reveals evidence of possible abuse or
criminal activity, system personell may provide the result of such
monitoring to appropiate officials.
-----------------------------------------------------------------------------^C
line con 0
exec-timeout 5 0
logging synchronous
line aux 0
line vty 0 4
access-class telnet in
exec-timeout 180 0
logging synchronous
transport input telnet ssh
line vty 5 15
access-class telnet in
exec-timeout 180 0
password 7 094F471A1A0A
logging synchronous
transport input telnet ssh
scheduler allocate 20000 1000
end
I had that issue 1 year ago.
"decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the proxy ID negotiated.
Juniper is violating RFC4301. There is nothing we can do against an RFC violation.
As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
the SPD (or associated caches) MUST be consulted during the
processing of all traffic that crosses the IPsec protection boundary,
including IPsec management traffic. If no policy is found in the SPD
that matches a packet (for either inbound or outbound traffic), the
packet MUST be discarded.
I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
Cheers,
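The check that reply describes, sketched as an added example (not code from the thread and not Cisco's implementation): it turns crypto ACL entries from the 1921 config into proxy-ID pairs and tests whether a decrypted inner packet fits the SA it arrived on. The function names are hypothetical, and the case of the packet arriving on a different SA is constructed for illustration.

```python
import ipaddress

# Crypto ACL entries copied from the 1921 configuration above (three of them).
CRYPTO_ACL = """\
permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous masks only)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}")


def _take_endpoint(tokens):
    """Consume one source or destination spec from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_to_network(first, tokens.pop(0))


def parse_crypto_acl(text):
    """Return one (local, remote) proxy-ID pair per 'permit ip' entry."""
    selectors = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:      # numbered form: access-list 190 permit ...
            tokens = tokens[2:]
        if tokens[:2] != ["permit", "ip"]:
            continue
        tokens = tokens[2:]
        local = _take_endpoint(tokens)
        remote = _take_endpoint(tokens)
        selectors.append((local, remote))
    return selectors


def passes_identity_check(sa, inner_src, inner_dst):
    """Inbound direction: the inner source must lie in the remote proxy ID and
    the inner destination in the local one, otherwise the packet is dropped."""
    local, remote = sa
    return (ipaddress.ip_address(inner_src) in remote
            and ipaddress.ip_address(inner_dst) in local)


def expected_sa(selectors, inner_src, inner_dst):
    """Index of the first crypto ACL entry the packet fits, or None."""
    for index, sa in enumerate(selectors):
        if passes_identity_check(sa, inner_src, inner_dst):
            return index
    return None


if __name__ == "__main__":
    sas = parse_crypto_acl(CRYPTO_ACL)
    src, dst = "192.168.220.182", "10.150.4.10"   # addresses from the question
    print("fits entry:", expected_sa(sas, src, dst))
    for index, sa in enumerate(sas):
        verdict = "pass" if passes_identity_check(sa, src, dst) else "failed SA identity check"
        print(f"  arriving on SA {index} {sa[0]} <-> {sa[1]}: {verdict}")
    # any/any proxy IDs, as negotiated by a static VTI: every inner packet fits.
    vti = parse_crypto_acl("permit ip any any")[0]
    print("any/any selector:", passes_identity_check(vti, src, dst))
```

Feeding it the proxy IDs each side actually negotiated shows which inner packets the receiving side will drop even though decryption itself succeeds.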
Similar Messages
-
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players: (Note: first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection when trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
description COMPANY-B VPN
set peer 4.5.6.228
set transform-set COMPANY-B01
set pfs group2
match address 190
interface FastEthernet0/0
ip address 1.2.3.8 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.
Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on both
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unencapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior. -
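The hand-disassembly described in the post above, as an added example that is not the poster's or Cisco's code: it decodes the inner IPv4/TCP header from a hex dump and compares it with the ident lines printed by "show crypto ipsec sa". The hex input, the port numbers, the TCP flags and the 10.1.2.29 source address are constructed; the router's own debug dump format is not reproduced.

```python
import ipaddress
import re
import struct

# Ident lines as printed by "show crypto ipsec sa" in the post above.
SA_OUTPUT = """\
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
"""

IDENT_RE = re.compile(
    r"(local|remote)\s+ident\s+\(addr/mask/prot/port\):\s+"
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")


def parse_idents(text):
    """Return {'local': (network, proto, port), 'remote': (...)}; 0 means any."""
    idents = {}
    for side, addr, mask, proto, port in IDENT_RE.findall(text):
        idents[side] = (ipaddress.ip_network(f"{addr}/{mask}"), int(proto), int(port))
    return idents


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_packet(src, dst, sport, dport, flags):
    """Constructed sample input: a minimal IPv4+TCP packet as a hex string."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)
    head = head[:10] + struct.pack("!H", ip_checksum(head)) + head[12:]
    return (head + tcp).hex()


def decode_inner(hex_dump):
    """Decode the IPv4 (and TCP, if present) header of a decrypted packet."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    if ip_checksum(raw[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    pkt = {"proto": raw[9], "sport": 0, "dport": 0, "flags": 0,
           "src": ipaddress.ip_address(raw[12:16]),
           "dst": ipaddress.ip_address(raw[16:20])}
    if pkt["proto"] == 6 and len(raw) >= ihl + 14:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
        pkt["flags"] = raw[ihl + 13]
    return pkt


def ident_mismatches(pkt, idents):
    """Compare an inbound decrypted packet with the SA idents; [] means it fits."""
    problems = []
    # Inbound: the sender must sit in the remote ident, the receiver in the local one.
    for field, port_field, side in (("src", "sport", "remote"),
                                    ("dst", "dport", "local")):
        net, proto, port = idents[side]
        if pkt[field] not in net:
            problems.append(f"{field} {pkt[field]} outside {side} ident {net}")
        if proto and pkt["proto"] != proto:
            problems.append(f"protocol {pkt['proto']} != {side} ident protocol {proto}")
        if port and pkt[port_field] != port:
            problems.append(f"{port_field} {pkt[port_field]} != {side} ident port {port}")
    return problems


# Addresses reported in the post; ports and SYN/ACK flags are constructed.
REPORTED = build_tcp_packet("4.5.7.29", "1.2.3.161", 22, 40000, 0x12)
# Constructed case for the poster's hypothesis of a reply sourced from an RFC 1918 interface.
HYPOTHETICAL = build_tcp_packet("10.1.2.29", "1.2.3.161", 22, 40000, 0x12)

if __name__ == "__main__":
    idents = parse_idents(SA_OUTPUT)
    for label, dump in (("reported", REPORTED), ("hypothetical", HYPOTHETICAL)):
        pkt = decode_inner(dump)
        print(label, pkt["src"], "->", pkt["dst"], ident_mismatches(pkt, idents) or "fits idents")
```

For the addresses reported in the post the mismatch list is empty, which agrees with the poster's finding that the inner addresses were the expected ones; the constructed RFC 1918 source is flagged as outside the remote ident.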
Jaas & Integrity check on decrypted field failed
I'm trying to do Kerberos authentication using JAAS and the jdk 1.4.1_02 under Mandrake 9.1. The Kerberos server is installed on a Redhat 9 machine. I'm using the login module com.sun.security.auth.module.Krb5LoginModule and the TextCallbackHandler class. The login fails with the error "Exception: krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed". I get the same error if I use the kinit utility bundled with the jdk. Conversely all seems ok when I use the kinit utility bundled with the kerberos client programs of my Mandrake 9.1 distribution.
Could anyone help me?
Michele
I encountered the same problem--"Integrity check on decrypted field failed (31)" when trying to authenticate against a KDC (v5) running RedHat 8.0 (JAAS and JDK 1.4.1_02)--but I was able to use Kerberized telnet and login from remote/local machines to get authenticated with this RedHat KDC. There is no problem authenticating against a KDC running Win2k AD/Kerberos with the same code. I am using the com.sun.security.auth.module.Krb5LoginModule.
Can anyone help me to resolve this issue? -
Tunnel comes up the syn packets denied on inbound interface
Hi all,
I have an issue with an ASA site to site VPN.
The Phase 1 and 2 negotiate fine but then when I see a syn initiated for the SFTP I see the syn denied in the logs even though it is allowed through.
I have changed the addresses in the config; as an example the src is 1.1.1.1 and the dest 2.2.2.2. Config below:
access-list inside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 222
access-list SFTP extended permit tcp host 1.1.1.1 host 2.2.2.2
crypto map outside_map 50 match address SFTP
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer VPN_GW
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set nat-t-disable
The phase 1 and phase 2 seem to negotiate fine.
But I get no encryption/decryption on a sh crypto ipsec sa.
Also I see the syn on the inside interface being denied from source 1.1.1.1.
So what appears to be happening is the initial packets are allowed through to set up the tunnel but then the additional packets appear to be denied.
Any help appreciated.
Thanks
Kev
Morning Jennifer,
Thanks for your continued assistance with this.
Going through the config I see vpn-filter 10 applied under:
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value 10
This is tied to ACL 10 which doesn't appear to have the public IP for this in.
This looks like a likely candidate to me.
Config below:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.31 12:56:34 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
ASA Version 7.0(8)
hostname FW
domain-name default.domain.invalid
enable password Wh3rCbG41fzpd0M. encrypted
passwd YYrn5ri6t.SCggWC encrypted
names
name 195.11.205.145 EXT_IP1
name 80.169.148.99 EXT_IP3
name 80.169.148.98 EXT_IP2
name 155.136.89.20 Coutts_Gateway_VPN
name 80.169.148.112 S21_Test_VPN
name 155.136.150.115 Coutts_Host_VPN
name 80.169.148.114 EXT_IP5
name 80.168.148.96 S21_Range
name 80.169.148.100 EXT_IP6
name 59.154.30.158 EXT_IP7
name 195.166.102.62 EXT_IP4
name 193.8.50.231 Coutts_Gateway_VPN_Switz
dns-guard
interface Ethernet0/0
description Outside interface 0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 80.169.124.4 255.255.255.224
interface Ethernet0/1
description Inside interface 0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.0.0
interface Ethernet0/2
description DMZ interface 0/2
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
interface Ethernet0/3
description LAN/STATE Failover Interface
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group service TCP_Port_Group tcp
port-object eq smtp
port-object range ftp-data ftp
port-object eq 123
port-object eq www
port-object eq https
port-object eq domain
port-object eq ftp-data
port-object eq ftp
port-object eq 3389
port-object eq ssh
object-group service UDP_Port_Group udp
port-object eq ntp
port-object eq 21
port-object eq 20
port-object eq domain
object-group network Trusted_Ext_Hosts
network-object EXT_IP1 255.255.255.255
network-object EXT_IP2 255.255.255.255
network-object EXT_IP3 255.255.255.255
network-object EXT_IP4 255.255.255.255
network-object EXT_IP5 255.255.255.255
network-object EXT_IP6 255.255.255.255
network-object EXT_IP7 255.255.255.255
object-group service www_services tcp
port-object eq www
port-object eq https
object-group service TCP_CSG tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq 1080
port-object eq citrix-ica
object-group network Trusted_Ext_Hosts_ref
network-object EXT_IP1 255.255.255.255
network-object EXT_IP2 255.255.255.255
network-object EXT_IP3 255.255.255.255
network-object EXT_IP4 255.255.255.255
network-object EXT_IP5 255.255.255.255
network-object EXT_IP6 255.255.255.255
object-group network S21_Range
network-object S21_Range 255.255.255.224
access-list inside_access_in extended permit tcp 192.168.100.0 255.255.255.0 any object-group TCP_Port_Group
access-list inside_access_in extended permit udp 192.168.100.0 255.255.255.0 any object-group UDP_Port_Group
access-list inside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list dmz_access_in extended permit tcp host 10.10.10.5 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list dmz_access_in extended permit tcp host 10.10.10.5 any object-group TCP_Port_Group
access-list dmz_access_in extended permit udp host 10.10.10.5 any object-group UDP_Port_Group
access-list dmz_access_in extended permit tcp host 10.10.10.7 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list dmz_access_in extended permit tcp host 10.10.10.7 any object-group TCP_Port_Group
access-list dmz_access_in extended permit udp host 10.10.10.7 any object-group UDP_Port_Group
access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host 80.169.124.36 eq www
access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.35 object-group www_services
access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.37 object-group www_services
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host 193.8.50.180
access-list inside_access_out extended permit tcp object-group Trusted_Ext_Hosts_ref 192.168.0.0 255.255.0.0 eq 3389
access-list inside_access_out extended permit tcp any host 192.168.100.24 eq www
access-list inside_access_out extended permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list inside_access_out extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_cryptomap_30 extended permit ip host 80.169.124.35 155.136.30.0 255.255.254.0
access-list outside_cryptomap_30 extended permit ip host 80.169.124.37 155.136.30.0 255.255.254.0
access-list 10 extended permit tcp any host 80.169.124.35 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.5 object-group www_services
access-list 10 extended permit tcp any host 80.169.124.37 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.7 object-group www_services
access-list COUTTS_SWITZ_SFTP extended permit tcp 192.168.100.0 255.255.255.0 host 193.8.50.180 eq ssh
access-list outside_cryptomap_40 extended permit ip host 80.169.124.35 155.136.0.0 255.255.0.0
access-list outside_cryptomap_40 extended permit ip host 80.169.124.37 155.136.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface Failover Ethernet0/3
failover polltime interface 10
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.16.31.249 255.255.255.248 standby 172.16.31.250
no monitor-interface management
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside) 20 80.169.124.32
global (dmz) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 20 192.168.0.0 255.255.0.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 20 10.10.10.0 255.255.255.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 80.169.124.33 192.168.100.11 netmask 255.255.255.255
static (inside,outside) 80.169.124.34 192.168.100.21 netmask 255.255.255.255
static (dmz,outside) 80.169.124.35 10.10.10.5 netmask 255.255.255.255
static (inside,outside) 80.169.124.36 192.168.100.24 netmask 255.255.255.255
static (dmz,outside) 80.169.124.37 10.10.10.7 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 80.169.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value 10
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions none
port-forward-name value Application Access
username Admin password 5VZ2yiLE0W2kEsod encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 155.136.17.70
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map 30 set security-association lifetime seconds 28800
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 set nat-t-disable
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer Coutts_Gateway_VPN
crypto map outside_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 40 set security-association lifetime seconds 3600
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 set nat-t-disable
crypto map outside_map 50 match address COUTTS_SWITZ_SFTP
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer Coutts_Gateway_VPN_Switz
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set nat-t-disable
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
tunnel-group 155.136.17.70 type ipsec-l2l
tunnel-group 155.136.17.70 ipsec-attributes
pre-shared-key *
tunnel-group 155.136.89.20 type ipsec-l2l
tunnel-group 155.136.89.20 ipsec-attributes
pre-shared-key *
tunnel-group 193.8.50.231 type ipsec-l2l
tunnel-group 193.8.50.231 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 10
dhcpd lease 3600
dhcpd ping_timeout 50
ntp server 193.228.143.13 source outside
Cryptochecksum:87a0c89dced7eb36d9a9b2854eea3b95
: end
FW#
Cheers -
SSO using Kerberos receiving "Integrity check on decrypted field failed (31
I am trying to implement SSO for an application that is running on a WebLogic Server. I have flagged the AD Service user for DES encryption, added spn through setspn, created the keytab file, reset the password (to the same value), moved the keytab file, updated krb5.ini and krb5Login.conf accordingly, modified WebLogic startup command accordingly. When Users try to access the application, authentication fails, and I see Integrity check on decrypted field failed (31) error in the WebLogic logs. Any ideas ? I am attaching the related lines from the log below.
<Sep 29, 2008 9:46:50 AM MDT> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null KeyTab is devmax01.http.keytab2 refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab: load() entry length: 60
KeyTabInputStream, readName(): DEV.DENVERWATER.ORG
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): devmax01
principal's key obtained from the keytab
principal is HTTP/[email protected]
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 3 1
KrbKdcReq send: kdc=dwdev01 UDP:88, timeout=30000, number of retries =3, #bytes=249
KDCCommunication: kdc=dwdev01 UDP:88, timeout=30000,Attempt =1, #bytes=249
KrbKdcReq send: #bytes read=1312
KrbKdcReq send: #bytes read=1312
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply HTTP/devmax01Added server's keyKerberos Principal HTTP/[email protected] Version 8key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 2F 02 76 AB 7F 8C B0 6E
[Krb5LoginModule] added Krb5Principal HTTP/[email protected] to Subject
Commit Succeeded
Found key for HTTP/[email protected]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
<Sep 29, 2008 9:46:50 AM MDT> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
FYI The fix for this was to change the value for -Djava.security.krb5.realm to be all upper case
Once that change was made authentication passed
Edited by: IDL on Jan 2, 2008 9:25 AM -
Kerberos Authentication: "Integrity check on decrypted field failed"
Hi,
I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??
Has anyone else had this error & what causes it?
Many thanks in advance.
Regards
Jane
Full error text:
JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
JGSS_DBG_CRED getCred: only one cred, returning it
JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
JGSS_DBG_CRED Krb5 name type = 0
JGSS_DBG_CTX Creating context, cred usage = 2
GSS Context created
JGSS_DBG_UNMARSH Real token len 1641
JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
JGSS_DBG_UNMARSH inner token len 1630
JGSS_DBG_PROV getFactory: index = 0 found factory
JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
JGSS_DBG_PROV 1.2.840.113554.1.2.2
JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
JGSS_DBG_CTX Default list of negotiable mechs:
1.2.840.113554.1.2.2
JGSS_DBG_CTX ticket enc type = des-cbc-md5
com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failed
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:215)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
JGSS_DBG_CTX Error authenticating request. Reporting to client
Major code = 11, Minor code = 31
org.ietf.jgss.GSSException, major code: 11, minor code: 31
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failed
Hi Désirée,
Yes the service user has "Use DES encryption" set.
In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
Regards
Jane -
Decrypting FileVault Failed and User Account Not Allowing Login
So here is the scenario and my problem. I decided to do a clean install of Leopard on my PowerMac G5 and in doing so used Carbon Copy Cloner to copy all the content of my Macintosh HD drive to another internal DataDrive so that I could get my data later and be able to boot into that old installation of the OS for any reason. After the clone was complete I did a clean install of Leopard onto my Macintosh HD volume.
With the new installation running and updates run I decided to go and get my old data. Turns out I had FileVault protection on in the old installation and could not access my data through the new install. This was the very reason I kept the old installation. I rebooted into the old installation and went to remove FileVault protection. The computer logged out and started decrypting my user folder.
Two hours into the decryption it failed and prompted me to continue and be returned to my login and state before I started the decryption. Now I can't login to that user because when I attempt to it will say that FileVault needs to be repaired and give you the option to repair. The repair takes a while and then gives you the error stating the repair didn't work.
So I need help figuring out how to get access to my data in that user folder or get that user folder to work so that I can get my info copied to my new installation. Any ideas would be very much appreciated as I feel like I have lost too much for comfort.
Thanks, Brandon
First of all thank you for the help. In all my trying to figure it out I didn't try just double clicking on the sparse bundle.
Because this was my only user on the computer I had to enable the root user to be able to login. Once that was enabled I was able to mount the sparsebundle and copy my data out. I didn't get all of it as something did truly get corrupted during the decryption but I did get 99% I think.
Now with my data copied to another location I can attempt some repairs and see if I am able to get that last percentage point. Thanks again.
Brandon -
Error from sample JAAS: Integrity check on decrypted field failed (31)
I am trying to follow the tutorial for JAAS Authentication located here:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html
I am trying to run the sample JaasAcn.java but am getting a strange error when I try to log on to my Active Directory.
I am using Java version: jre1.6.0_03
I can login to Active Directory fine with the credentials I am providing, just not with this client, so I know the credentials are valid.
What could this mean?
The Error message is: [Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31)
Here is the full output:
C:\Progra~1\Java\jre1.6.0_03\bin\java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72 -Djava.security.auth.login.config=jaas.conf JaasAcn
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos username [ILea]: sra
Kerberos password for sra:
[Krb5LoginModule] user entered username: sra
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=144
KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=144
KrbKdcReq send: #bytes read=587
KrbKdcReq send: #bytes read=587
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
[Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31)
Authentication failed:
Integrity check on decrypted field failed (31)
FYI The fix for this was to change the value for -Djava.security.krb5.realm to be all upper case
Once that change was made authentication passed
Edited by: IDL on Jan 2, 2008 9:25 AM -
[C4005]: Get properties from packet failed killing my sessions
I have a broker in a state where 6 messages are delivered which "kill" the first 6 sessions listening on a particular queue (round-robin delivery sorta situation)
These exceptions are logged only to stderr and no indication is given to my program about them other than the affected sessions never receive another message again, others do.
When the broker or consumer service is restarted, it happens again.
If I start the broker with a -reset messages then the problem goes away. I saved the entire broker var folder to try to find a work around to this.
This is OpenMQ 4.5B29
I'll include the stack traces below, anyone seen something like this or have suggestions on how to deal with this without resorting to reset of the broker?
Could not parse properties java.io.UTFDataFormatException: malformed input around byte 11
Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
WARNING: [I500]: Caught JVM Exception: java.lang.NullPointerException
java.io.UTFDataFormatException: malformed input around byte 11
at java.io.DataInputStream.readUTF(Unknown Source)
at java.io.DataInputStream.readUTF(Unknown Source)
at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:178)
at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
at java.lang.Thread.run(Unknown Source)
Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
WARNING: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
at java.util.Hashtable.put(Unknown Source)
at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:193)
at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
... 5 more
Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
WARNING: [I500]: Caught JVM Exception: java.io.UTFDataFormatException: malformed input around byte 11
Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
WARNING: [C4005]: Get properties from packet failed. - cause: java.io.UTFDataFormatException: malformed input around byte 11
com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.io.UTFDataFormatException: malformed input around byte 11
at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.UTFDataFormatException: malformed input around byte 11
at java.io.DataInputStream.readUTF(Unknown Source)
at java.io.DataInputStream.readUTF(Unknown Source)
at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:178)
at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
... 5 more
Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
WARNING: [I500]: Caught JVM Exception: java.lang.NullPointerException
Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler logCaughtException
WARNING: [I500]: Caught JVM Exception: java.io.StreamCorruptedException: invalid type code: 00
Mar 22, 2011 3:42:55 PM com.sun.messaging.jmq.jmsclient.ConsumerReader run
WARNING: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
com.sun.messaging.jms.JMSException: [C4005]: Get properties from packet failed. - cause: java.lang.NullPointerException
at com.sun.messaging.jmq.jmsclient.ExceptionHandler.getJMSException(ExceptionHandler.java:386)
at com.sun.messaging.jmq.jmsclient.ExceptionHandler.handleException(ExceptionHandler.java:337)
at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:604)
at com.sun.messaging.jmq.jmsclient.ProtocolHandler.getJMSMessage(ProtocolHandler.java:2061)
at com.sun.messaging.jmq.jmsclient.SessionReader.getJMSMessage(SessionReader.java:189)
at com.sun.messaging.jmq.jmsclient.SessionReader.deliver(SessionReader.java:107)
at com.sun.messaging.jmq.jmsclient.ConsumerReader.run(ConsumerReader.java:192)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
at java.util.Hashtable.put(Unknown Source)
at com.sun.messaging.jmq.io.PacketProperties.parseProperties(PacketProperties.java:193)
at com.sun.messaging.jmq.io.PacketPayload.getProperties(PacketPayload.java:155)
at com.sun.messaging.jmq.io.Packet.getProperties(Packet.java:644)
at com.sun.messaging.jmq.io.ReadOnlyPacket.getProperties(ReadOnlyPacket.java:348)
at com.sun.messaging.jmq.jmsclient.MessageImpl.getPropertiesFromPacket(MessageImpl.java:601)
... 5 more
From the stack trace, it looks like there is a problem with one of the message's string properties. I can't obviously see what, but this might help you track down the cause of the problem.
When you've found out what it is about your message that's causing this exception, please log this as a bug.
Nigel -
Background job failing with license check error
Hi Experts
In our ERP 6.0 system, all the background jobs are failing with license check error.
Have checked the license in SLICENSE and the license is fine.
There is no warning while users are logging in, but when any background job is running it's failing with error
Job started
Logon not possible (error in license check)
Job cancelled after system exception ERROR_MESSAGE
Also performed the license test which is failing
F:\usr\sap\XX1\SYS\exe\uc\NTAMD64>saplicense -test pf=F:\usr\sap\XX1\SYS\profile
\XX1_DVEBMGS00_host_xx
Protocol saplicense test:
Read sapsytem name
ok, sapsytem name = XX1
Read message server host
ok, host = hostname
Read message server service port
ok, service port = sapmsXX1
Connect to message server
ok, connect done
Read hardware key from message server
ok, got hardware key
Detach from message server
ok, detached
Check hardware key
ok, hardware key = T0343073854
Connect to database
ok, connected
Check license
ok, check done
Disconnect database
ok, database disconnected
test result: license test failed
LICENSE system: XX1 hardware key: T0343073854 expiration_date:
installation no: key:
userlimit: 0 productid: R3_BASIS
system-nr:
license expired ***
Please suggest how to troubleshoot.
Regards
Ajay
@Michael
In SLICENSE the Hardware key field is not BLUE or BLACK and it's showing the exact hardware key which I can see at OS level with saplicense -get command.
@Jagadish
Note is good reference, I reinstalled the Digitally signed license with saplikey command and it was successful.
But still the license test is failing at OS Level..below is the command prompt output.
===================================================================
F:\usr\sap\XX1\SYS\exe\uc\NTAMD64>saplikey -install C:\license_script_XX.txt pf
=F:\usr\sap\XX\SYS\profile\XX_DVEBMGS00_mngsez148079
SAP License Key Administration - Copyright (C) 2003 SAP AG
2 SAP license key(s) successfully installed.
F:\usr\sap\XX\SYS\exe\uc\NTAMD64>saplicense -test pf=F:\usr\sap\XX1\SYS\profile
\MD1_DVEBMGS00_mngsez148079
Protocol saplicense test:
Read sapsytem name
ok, sapsytem name = XX1
Read message server host
ok, host = host
Read message server service port
ok, service port = sapmsXX1
Connect to message server
ok, connect done
Read hardware key from message server
ok, got hardware key
Detach from message server
ok, detached
Check hardware key
ok, hardware key = T0343073854
Connect to database
ok, connected
Check license
ok, check done
Disconnect database
ok, database disconnected
test result: license test failed
LICENSE system: XX1 hardware key: T0343073854 expiration_date:
installation no: key:
userlimit: 0 productid: R3_BASIS
system-nr:
license expired ***
============================================================
@Juan
The hardware key was changed and we requested a new license with new hardware key, system was running fine for couple of weeks with all background jobs for SPAM/SAINT OK. We performed EHP4 on this system.
But now this issue is here, so I guess we should troubleshoot.
Please let me know any other pointers.
Regards
Ajay
PS In SLICENSE new installed license is fine and all users can login. -
Nodemanager fails hostname verification check
does anyone know how i might resolve this issue?
[[NodeManager:300033]Could not execute command ping on the node manager. Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker: Failed to send command: 'ping to server 'null' to NodeManager at host: '10.32.33.2:5555' with exception [Security:090504]Certificate chain received from 10.32.33.2 - 10.32.33.2 failed hostname verification check. Certificate contained qa153 but check expected 10.32.33.2. Please ensure that the NodeManager is active on the target machine].]
Matthew Sacks <> wrote:
does anyone know how i might resolve this issue?
[[NodeManager:300033]Could not execute command ping on the node manager.
[[Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker:
[[Failed to send command: 'ping to server 'null' to NodeManager at host:
[['10.32.33.2:5555' with exception [Security:090504]Certificate chain
[[received from 10.32.33.2 - 10.32.33.2 failed hostname verification
[[check. Certificate contained qa153 but check expected 10.32.33.2.
[[Please ensure that the NodeManager is active on the target machine].]
Hi,
- If you are using scripts:
you can use the following options in your
scripts: -Dweblogic.security.SSL.ignoreHostnameVerification=true
- If you want to use it from the adminserver:
Go to the adminserver in the console
Go to 'SSL'
Select 'Advanced'
Set 'Hostname Verification' to 'none'
And restart the adminserver.
cheers,
Bart
Schelstraete Bart
[email protected]
http://www.schelstraete.org -
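The comparison behind the [Security:090504] message quoted in this thread, as an added example that is not part of the original posts and is not WebLogic's code. The certificate dictionaries are constructed, follow the shape of Python's `ssl.SSLSocket.getpeercert()`, and all function names are hypothetical; the strict rule that an IP target only matches an `IP Address` entry is this sketch's assumption.

```python
import ipaddress

# Constructed certificates, in the dict shape returned by ssl.SSLSocket.getpeercert().
# CERT_NAME_ONLY mirrors the error text: the only name it carries is "qa153".
CERT_NAME_ONLY = {"subject": ((("commonName", "qa153"),),)}
# The same identity reissued with subjectAltName entries for the name and the address.
CERT_WITH_SANS = {
    "subject": ((("commonName", "qa153"),),),
    "subjectAltName": (("DNS", "qa153"), ("IP Address", "10.32.33.2")),
}


def _as_ip(value):
    """Return an ip_address object, or None when value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive label match; '*' is accepted only as the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse wildcards that would cover a whole top-level domain.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def names_in_cert(cert):
    """Collect the DNS names and IP addresses a certificate asserts."""
    sans = cert.get("subjectAltName", ())
    dns = [v for k, v in sans if k == "DNS"]
    ips = [v for k, v in sans if k == "IP Address"]
    if not dns and not ips:
        # Legacy fallback: with no subjectAltName, use the subject commonName.
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"]
    return dns, ips


def verify_hostname(cert, target):
    """Return (ok, message) for the address or name the client connected to."""
    dns, ips = names_in_cert(cert)
    want_ip = _as_ip(target)
    if want_ip is not None:
        # An IP target is compared with IP Address entries only, never with names.
        ok = any(_as_ip(ip) == want_ip for ip in ips)
    else:
        ok = any(_dns_match(name, target) for name in dns)
    if ok:
        return True, "ok"
    presented = ", ".join(dns + ips)
    return False, f"certificate contained {presented} but check expected {target}"


def demo():
    """Run the three cases relevant to the thread and return their results."""
    cases = [
        (CERT_NAME_ONLY, "10.32.33.2"),   # the failing combination from the post
        (CERT_NAME_ONLY, "qa153"),        # same certificate, reached by its name
        (CERT_WITH_SANS, "10.32.33.2"),   # reissued certificate, reached by address
    ]
    return [(target, *verify_hostname(cert, target)) for cert, target in cases]


if __name__ == "__main__":
    for target, ok, message in demo():
        print(f"{target:12} {'PASS' if ok else 'FAIL'}  {message}")
```

With these inputs the name-only certificate verifies for qa153 and fails for 10.32.33.2, while the certificate carrying both entries verifies for either.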
Rapidwiz fails host/domain check
Hello all,
I started rapidwiz to install R12.1 on windows 2003.
He did all the checks, but fails on the check of host/domain.
The following error occurs:
Host/Domain
command: ping -n 1 incoredemo
Pinging IncoreDemo [172.30.26.159] with 32 bytes of data:
Reply from 172.30.26.159: bytes=32 time<1ms TTL=128
Ping statistics for 172.30.26.159:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
host ping has succeeded
command: ping -n 1 incoredemo.officevision
Ping request could not find host incoredemo.officevision. Please check the name and try again.
RW-50011: Error: - host.domain ping has returned an error: 1 System variable PATH set to:
C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\cygwin\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
So I guess the domain name is not correct.. But I am even not in a domain, I am in a workgroup, which is called officevision.
Can anyone tell me what I can use for domain???
Or can I just continue?
Thanks in advance!
Remc0
Hi,
command: ping -n 1 incoredemo.officevision
Ping request could not find host incoredemo.officevision. Please check the name and try again.
RW-50011: Error: - host.domain ping has returned an error: 1 System variable PATH set to:
C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\cygwin\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
Make sure you have a valid entry in the hosts file.
So I guess the domain name is not correct.. But I am even not in a domain, I am in a workgroup, which is called officevision.
Can anyone tell me what I can use for domain???
Or can I just continue?
Set the domain name as follows:
- Right click on 'My Computer' > Properties > 'Computer Name' > Change
- Set 'Computer Name' to <hostname>
- Click on More
- Set a 'Primary DNS Suffix of this Computer' to <domainname>
Regards,
Hussein -
Initial load failing between identical tables. DEFGEN skewed and fixable?
Error seen:
2013-01-28 15:23:46 WARNING OGG-00869 [SQL error 0 (0x0)][HP][ODBC/MX Driver] DATETIME FIELD OVERFLOW. Incorrect Format or Data. Row: 1 Column: 11.
Then compared the discard record against a select * on the key column.
Mapping problem with insert record (target format)...
**** Comparing Discard contents to Select * display
ABCHID = 3431100001357760616974974003012 = 3431100001357760616974974003012
*!!! ABCHSTEPCD = 909129785 <> 9 ???*
ABCHCREATEDDATE = 2013-01-09 13:43:36 = 2013-01-09 13:43:36
ABCHMODIFIEDDATE = 2013-01-09 13:43:36 =2013-01-09 13:43:36
ABCHNRTPUSHED = 0 = 0
ABCHPRISMRESULTISEVALUATED = 0 = 0
SABCHPSEUDOTERM = 005340 = 005340
ABCHTERMID = TERM05 = TERM05
ABCHTXNSEQNUM = 300911112224 = 300911112224
ABCHTIMERQSTRECVFROMACQR = 1357799914310 = 1357799914310
*!!! ABCTHDATE = 1357-61-24 00:43:34 <> 2013-01-09 13:43:34*
ABCHABCDATETIME = 2013-01-09 13:43:34.310000 = 2013-01-09 13:43:34.310000
ABCHACCOUNTABCBER =123ABC = 123ABC
ABCHMESSAGETYPECODE = 1210 = 1210
ABCHPROCCDETRANTYPE = 00 = 00
ABCHPROCCDEFROMACCT = 00 = 00
ABCHPROCCDETOACCT = 00 = 00
ABCHRESPONSECODE = 00 = 00
…. <snipped>
Defgen comes out same when run against either table.
Also have copied over and tried both outputs from DEFGEN.
+- Defgen version 2.0, Encoding ISO-8859-1
* Definitions created/modified 2013-01-28 15:00
* Field descriptions for each column entry:
* 1 Name
* 2 Data Type
* 3 External Length
* 4 Fetch Offset
* 5 Scale
* 6 Level
* 7 Null
* 8 Bump if Odd
* 9 Internal Length
* 10 Binary Length
* 11 Table Length
* 12 Most Significant DT
* 13 Least Significant DT
* 14 High Precision
* 15 Low Precision
* 16 Elementary Item
* 17 Occurs
* 18 Key Column
* 19 Sub Data Type
Database type: SQLMX
Character set ID: ISO-8859-1
National character set ID: UTF-16
Locale: en_EN_US
Case sensitivity: 14 14 14 14 14 14 14 14 14 14 14 14 11 14 14 14
Definition for table RT.ABC
Record length: 1311
Syskey: 0
Columns: 106
ABCHID 64 34 0 0 0 0 0 34 34 34 0 0 32 32 1 0 1 3
ABCHSTEPCD 132 4 39 0 0 0 0 4 4 4 0 0 0 0 1 0 0 0
ABCHCREATEDDATE 192 19 46 0 0 0 0 19 19 19 0 5 0 0 1 0 0 0
ABCHMODIFIEDDATE 192 19 68 0 0 0 0 19 19 19 0 5 0 0 1 0 0 0
ABCHNRTPUSHED 130 2 90 0 0 0 0 2 2 2 0 0 0 0 1 0 0 0
ABCHPRISMRESULTISEVALUATED 130 2 95 0 0 0 0 2 2 2 0 0 0 0 1 0 0 0
ABCHPSEUDOTERM 0 8 100 0 0 0 0 8 8 8 0 0 0 0 1 0 0 0
ABCTERMID 0 16 111 0 0 0 0 16 16 16 0 0 0 0 1 0 0 0
ABCHTXNSEQNUM 0 12 130 0 0 0 0 12 12 12 0 0 0 0 1 0 0 0
ABCHTIMERQSTRECVFROMACQR 64 24 145 0 0 0 0 24 24 24 0 0 22 22 1 0 0 3
ABCTHDATE 192 19 174 0 0 0 0 19 19 19 0 5 0 0 1 0 0 0
ABCHABCDATETIME 192 26 196 0 0 1 0 26 26 26 0 6 0 0 1 0 0 0
ABCHACCOUNTABCER 0 19 225 0 0 1 0 19 19 19 0 0 0 0 1 0 0 0
ABCHMESSAGETYPECODE 0 4 247 0 0 1 0 4 4 4 0 0 0 0 1 0 0 0
ABCHPROCCDETRANTYPE 0 2 254 0 0 1 0 2 2 2 0 0 0 0 1 0 0 0
ABCHPROCCDEFROMACCT 0 2 259 0 0 1 0 2 2 2 0 0 0 0 1 0 0 0
ABCHPROCCDETOACCT 0 2 264 0 0 1 0 2 2 2 0 0 0 0 1 0 0 0
ABCHRESPONSECODE 0 5 269 0 0 1 0 5 5 5 0 0 0 0 1 0 0 0
… <snipped>
The physical table shows a PACKED REC 1078
And table invoke is:
-- Definition of table ABC3.RT.ABC
-- Definition current Mon Jan 28 18:20:02 2013
ABCHID NUMERIC(32, 0) NO DEFAULT HEADING '' NOT
NULL NOT DROPPABLE
, ABCHSTEPCD INT NO DEFAULT HEADING '' NOT NULL NOT
DROPPABLE
, ABCHCREATEDDATE TIMESTAMP(0) NO DEFAULT HEADING '' NOT
NULL NOT DROPPABLE
, ABCHMODIFIEDDATE TIMESTAMP(0) NO DEFAULT HEADING '' NOT
NULL NOT DROPPABLE
, ABCHNRTPUSHED SMALLINT DEFAULT 0 HEADING '' NOT NULL NOT
DROPPABLE
, ABCHPRISMRESULTISEVALUATED SMALLINT DEFAULT 0 HEADING '' NOT NULL NOT
DROPPABLE
, ABCHPSEUDOTERM CHAR(8) CHARACTER SET ISO88591 COLLATE
DEFAULT NO DEFAULT HEADING '' NOT NULL NOT DROPPABLE
, ABCHTERMID CHAR(16) CHARACTER SET ISO88591 COLLATE
DEFAULT NO DEFAULT HEADING '' NOT NULL NOT DROPPABLE
, ABCHTXNSEQNUM CHAR(12) CHARACTER SET ISO88591 COLLATE
DEFAULT NO DEFAULT HEADING '' NOT NULL NOT DROPPABLE
, ABCHTIMERQSTRECVFROMACQR NUMERIC(22, 0) NO DEFAULT HEADING '' NOT
NULL NOT DROPPABLE
, ABCTHDATE TIMESTAMP(0) NO DEFAULT HEADING '' NOT
NULL NOT DROPPABLE
, ABCHABCDATETIME TIMESTAMP(6) DEFAULT NULL HEADING ''
, ABCHACCOUNTNABCBER CHAR(19) CHARACTER SET ISO88591 COLLATE
DEFAULT DEFAULT NULL HEADING ''
, ABCHMESSAGETYPECODE CHAR(4) CHARACTER SET ISO88591 COLLATE
DEFAULT DEFAULT NULL HEADING ''
, ABCHPROCCDETRANTYPE CHAR(2) CHARACTER SET ISO88591 COLLATE
DEFAULT DEFAULT NULL HEADING ''
, ABCHPROCCDEFROMACCT CHAR(2) CHARACTER SET ISO88591 COLLATE
DEFAULT DEFAULT NULL HEADING ''
, ABCHPROCCDETOACCT CHAR(2) CHARACTER SET ISO88591 COLLATE
DEFAULT DEFAULT NULL HEADING ''
, ABCHRESPONSECODE CHAR(5) CHARACTER SET ISO88591 COLLATE
DEFAULT DEFAULT NULL HEADING ''
…. Snipped
I suspect that the fields having subtype 3 just before the garbled columns is a clue, but not sure what to replace with or adjust.
Any and all help mighty appreciated.

Worthwhile suggestion, just having difficulty applying.
I will tinker with it more. But still open to more suggestions.
=-=-=-=-
Oracle GoldenGate Delivery for SQL/MX
Version 11.2.1.0.1 14305084
NonStop H06 on Jul 11 2012 14:11:30
Copyright (C) 1995, 2012, Oracle and/or its affiliates. All rights reserved.
Starting at 2013-01-31 15:19:35
Operating System Version:
NONSTOP_KERNEL
Version 12, Release J06
Node: abc3
Machine: NSE-AB
Process id: 67895711
Description:
** Running with the following parameters **
2013-01-31 15:19:40 INFO OGG-03035 Operating system character set identified as ISO-8859-1. Locale: en_US_POSIX, LC_ALL:.
Comment
Comment
REPLICAT lodrepx
ASSUMETARGETDEFS
Source Context :
SourceModule : [er.init]
SourceID : [home/ecloud/sqlmx_mlr14305084/src/app/er/init.cpp]
SourceFunction : [get_infile_params]
SourceLine : [2418]
2013-01-31 15:19:40 ERROR OGG-00184 ASSUMETARGETDEFS is not supported for SQL/MX ODBC replicat.
2013-01-31 15:19:45 ERROR OGG-01668 PROCESS ABENDING.
-
My iTunes library failed to start after an upgrade, now I'm unable to open or re-install. Receive an error message stating that "apple mobile device failed to start, check to see that you have sufficient privileges to run system". Any help with this? I've tried un-installing and downloading only to get the same message again.
Thank you to "turingtest2", solution for someone else worked for me as well!
-
Java execution failed. Please check the Java Option in the option dialog.
I recently installed BI Publisher MS Word Add-In.
After installing I get the error "Java execution failed. Please check the Java Option in the option dialog" when trying to preview a template in (pdf, word, excel...).
I tried changing a java parameter as suggested by the following thread but it did not get past the error.
Java execution failed. Please check the Java Option in the option dialog.
Here are my settings to the Word Add-In under "Oracle Bi Publisher > Options... > Preview (tab)":
Java Home = C:\Program Files\Java\jre6
Java Option = -Xmx512M
Any help would be appreciated.
Todd

Is there a log I can see more about this Java error? I've looked for a log but can't see one.
TIA,
Todd