SNMP: EJBPoolRuntimeTable  not working.

Similar Messages

• SNMP does not work

  The SNMP on my new TC does not work. I have enabled it disabled it at least 50 times. Rebooted the TC. Unplugged the TC. You name it. It worked once and only once for about 4 hours.
  Any suggestions?

  Assuming you can ping both firewalls, the problem is that the firewall pair shares the same config and therefore, the same SNMPv3 engineID. Some NMSs (e.g. WhatsUp Gold) do not support this and therefore only 1 firewall in the pair can be queried.
  Doesn't look like this has been fixed yet:
  Bug info: CSCtl88556 - ASA5520 failover pair has duplicate snmp v3 engine id

• LMS 3.2 with SNMP v3 not working

  Hi ,
  My network is currently running with SNMP v2 configured in easch devices. With snmp v2 our LMS 3.2 server is working fine. However we have planned to migrate our network to snmp v3 . I have configured my few devices for SNMP v3 and added them to my LMS server.
  Except DFM module these new SNMP v3 devices are working fine in all other modules. In DFM these devices are reflecting under "snmp timeout" group.
  I checked with device center -> management station to device; where the SNMP v3 connections are showing "okey"
  following are tyhe configuration i have done in my devices.
  snmp-server group v3g v3 priv read testr write testw
  snmp-server user v3u v3g v3 auth md5 test123
  snmp-server view testr iso in
  snmp-server view testw iso in
  snmp-server host 10.X.X.38 version 3 priv v3u
  snmp-server user v3u v3g v3 auth md5 test1234 priv des56 test4321
  snmp-server group v3g v3 priv read testr write testw
  snmp-server user v3u v3g v3 auth md5 test123
  snmp-server view testr iso in
  snmp-server view testw iso in
  snmp-server host 10.X.X.38 version 3 priv v3u
  snmp-server user v3u v3g v3 auth md5 test1234 priv des56 test4321
  followinfg are my module details.
  LMS      : 3.2
  CM        : 5.2
  CV          :6.1.9
  CS          :3.3.0
  DFM     : 3.2.0
  IPM     : 4.2.0
  RME     : 4.3.0 

  DFM behaves different than the other modules.
  DES56 is not a supported privacy algorithm for DFM. You can use DES or AES128.
  Supported Algorithms in DFM
  The details of the algorithms supported in DFM are:
  •AuthNoPriv Mode — Supported Auth Algorithm: MD5 and SHA
  •AuthPriv Mode
  –Supported Auth Algorithm: MD5 and SHA
  –Supported Privacy Algorithm: DES and AES128
  –Unsupported Privacy Algorithm: 3DES, AES192, and AES256
  For more details check :
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_device_fault_manager/3.2/user/guide/useDevMg.html#wp1483766
  -Thanks
  Vinod

• SNMP does not work on the standby ASA firewalls

  Hello Everyone,
  I have a pair of 5 pairs of active/standby ASA firewalls running 8.4.4(1)
  All the active firewall respond to the SNMP requests, but the standby firewalls do not. I'm using SNMP v3. The configuration of primary and secondary firewalls is replica of each other, apart from the ip addressess.
  I want the secondary firewall to respond to SNMP requests coming in from the monitoring server. Can someone please help ?
  Thanks,
  Rishi

  Assuming you can ping both firewalls, the problem is that the firewall pair shares the same config and therefore, the same SNMPv3 engineID. Some NMSs (e.g. WhatsUp Gold) do not support this and therefore only 1 firewall in the pair can be queried.
  Doesn't look like this has been fixed yet:
  Bug info: CSCtl88556 - ASA5520 failover pair has duplicate snmp v3 engine id

• LMS 4.2.3 and ASA SNMP v3 not working

  I have ASA running version 8.2.5 and using snmp v3 as below;
  snmp-server group Authentication&Encryption v3 priv
  snmp-server user SNMP_TEST Authentication&Encryption v3 encrypted auth md5 cisco123 priv aes 128 password123
  snmp-server host IN 10.10.10.110 version 3 SNMP_TEST
  LMS device credential is as per above SNMPv3 config
  Can't get this to work. Digging aroung but no avail. Any help is appreciated. I also try this on ASA 9.1 but same result.
  This is my LAB environment.
  Thanks. TS-Support

  Thank you for your reply.
  I can manually poll using SNMP v3 with the credentials (user, auth and priv).
  I have other devices switches and routers also using SNMPv3 and was able to see the device using chassisview.
  Since this is a LAB environment for now, I manually added each of these devices. See below; (ASA-VPN) is the device in question. Already tried increasing snmp timeout to 30 secs still no luck.
  As you said I try to export using CSV and was successful;
  10.10.1.50,10.10.1.50,,,10.10.1.50,1.3.6.1.4.1.9.1.950,0,281231715,CheckThisForSnmpset,,,,SNMP_TEST,cisco123,MD5,password123,AES128,80:0:0:9:3:0:c:85:25:1d:e2:1,,,,,,,,,,,,,,,,
  10.10.10.254,10.10.10.254,,,10.10.10.254,1.3.6.1.4.1.9.1.576,0,279120799,,,,,SNMP_TEST,cisco123,MD5,password123,AES128,80:0:0:9:3:0:10:8c:cf:e6:f4:f8,,,,,,,,,,,,,,,,
  10.10.100.88,vWLC,,,vWLC,1.3.6.1.4.1.9.1.1631,0,UNKNOWN,,,cisco321,cisco123,,,,,,,,,cisco,!NeverSl33p#,!NeverSl33p#,,,,,,,,,,,
  10.10.10.15,ASA-VPN,,,ASA-VPN,1.3.6.1.4.1.9.1.669,0,999990413,,,cisco123,cisco123,SNMP_TEST,cisco123,MD5,password123,AES128,,,,cisco,cisco,cisco,,,,,,,,,,,
  ;End of CSV file
  Thanks.

• The cisco snmp oids do not work, I can't get cpu or memory data.

  Hello. I want to monitor the cpu and memory usages on my cisco devices using snmp. I found the snmp oids related to cpu in the following page :
  http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a94.shtml
  I just copy the table here:
  But the oids in the table do not work on my devices. For example, I have a cisco 3550 switch with the ip 192.168.1.211, version 12.2(25)when I want to get the informations about the oids up in the table, I got these results:
  It shows that the oids cisco given up in the table are not existed in my 3550 switch's MIB. More weird is that when i add a number "1" to
  the end of the oid cisco given, I can get some meaningless data for some unkonwn item names like "entreprises.x.x".
  For most mib items, the snmp oids work well on my switch. For example, the following graph shows the interface out rate of the swtich:
  I think the essence is when I executed the following command:
  in all the output results, there's not any item relevant with "cpu" or "memory", but most other items are ok, such as interfaces, as shown below:
  IF-MIB::ifDescr.47 = STRING: FastEthernet0/39
  IF-MIB::ifDescr.48 = STRING: FastEthernet0/40
  IF-MIB::ifDescr.49 = STRING: GigabitEthernet0/1
  IF-MIB::ifDescr.50 = STRING: GigabitEthernet0/2
  IF-MIB::ifDescr.51 = STRING: Null0
  IF-MIB::ifDescr.52 = STRING: Vlan1
  IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
  IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
  IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
  IF-MIB::ifType.4 = INTEGER: ethernetCsmacd(6)
  IF-MIB::ifType.5 = INTEGER: ethernetCsmacd(6)
  So why the cisco given oids won't work on my cisco switch, and how can I get the datas I want? Anyone has some advices? Thanks in advance!
  In case the pictures I inserted missing, I attach my problem in the doc.

  Have you looked at this previous discussion:
  Can't Activate FaceTime

• EEM detector SNMP OID does not work

  i want to use EEM to detector policy-map class traffic rate, if class traffic is more than a number, trigger syslog message.
  below is my EEm script  on ASR1002 ( asr1000rp1-adventerprisek9.02.04.02.122-33.XND2.bin)
  event manager applet Rate-limit
   event snmp oid ".1.3.6.1.4.1.9.9.166.1.15.1.1.10.50.196608" get-type exact entry-op gt entry-val "100" poll-interval 10
   action 1.0 syslog msg "policy Rate-limit"
  but i did not see anything showing on syslog. from debug, i got below error msg :
  Jun  1 02:21:49.160 GMT: fh_fd_snmp_process_async
  Jun  1 02:21:49.160 GMT: fh_fd_snmp_process_poll_timer: re=0x3D144824, timer_type=POLL
  Jun  1 02:21:49.160 GMT: fh_fd_snmp_process_poll_timer: OID unavailable, value check skipped
  Jun  1 02:21:49.160 GMT: fh_fd_snmp_start_poll_timer: start_t=10000
  but i could get number from snmpwalk command :
  xchen-mac:~ xchen$ snmpwalk -v 2c -c <string> -m ALL stde1002a .1.3.6.1.4.1.9.9.166.1.15.1.1.10.50.196608
  SNMPv2-SMI::enterprises.9.9.166.1.15.1.1.10.50.196608 = Counter64: 112938
  please help me where is wrong ?

  Duplicate post. 
  Go here:  https://supportforums.cisco.com/discussion/12219976/eem-detect-snmp-event-not-working

• [SOLVED] SQLite not working with PHP

  For reasons unknown, I cannot get PHP to work properly with SQLite. I have uncommented the "extension=sqlite.so" in /etc/php/php.ini, ensured that PHP's configuration was being loaded from said file, and made sure PHP was working fine with my server of choice (lighttpd). Unfortunately, it doesn't seem to work, as evidenced by
  Fatal error: Call to undefined function sqlite_open() in test.php on line x
  Which is what PHP spits at me. I've checked lighty's logs and nothing's wrong. PHP's set to send to syslog, so I'm not sure where I could check on that. Here is a quick look at PHP's setup.
  My /etc/php/php.ini:
  [PHP]
  ; About php.ini ;
  ; This file controls many aspects of PHP's behavior. In order for PHP to
  ; read it, it must be named 'php.ini'. PHP looks for it in the current
  ; working directory, in the path designated by the environment variable
  ; PHPRC, and in the path that was defined in compile time (in that order).
  ; The path in which the php.ini file is looked for can be overridden using
  ; the -c argument in command line mode.
  ; The syntax of the file is extremely simple. Whitespace and Lines
  ; beginning with a semicolon are silently ignored (as you probably guessed).
  ; Section headers (e.g. [Foo]) are also silently ignored, even though
  ; they might mean something in the future.
  ; Directives are specified using the following syntax:
  ; directive = value
  ; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
  ; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
  ; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
  ; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").
  ; Expressions in the INI file are limited to bitwise operators and parentheses:
  ; | bitwise OR
  ; & bitwise AND
  ; ~ bitwise NOT
  ; ! boolean NOT
  ; Boolean flags can be turned on using the values 1, On, True or Yes.
  ; They can be turned off using the values 0, Off, False or No.
  ; An empty string can be denoted by simply not writing anything after the equal
  ; sign, or by using the None keyword:
  ; foo = ; sets foo to an empty string
  ; foo = none ; sets foo to an empty string
  ; foo = "none" ; sets foo to the string 'none'
  ; If you use constants in your value, and these constants belong to a
  ; dynamically loaded extension (either a PHP extension or a Zend extension),
  ; you may only use these constants *after* the line that loads the extension.
  ; About this file ;
  ; This is the recommended, PHP 5-style version of the php.ini-dist file. It
  ; sets some non standard settings, that make PHP more efficient, more secure,
  ; and encourage cleaner coding.
  ; The price is that with these settings, PHP may be incompatible with some
  ; applications, and sometimes, more difficult to develop with. Using this
  ; file is warmly recommended for production sites. As all of the changes from
  ; the standard settings are thoroughly documented, you can go over each one,
  ; and decide whether you want to use it or not.
  ; For general information about the php.ini file, please consult the php.ini-dist
  ; file, included in your PHP distribution.
  ; This file is different from the php.ini-dist file in the fact that it features
  ; different values for several directives, in order to improve performance, while
  ; possibly breaking compatibility with the standard out-of-the-box behavior of
  ; PHP. Please make sure you read what's different, and modify your scripts
  ; accordingly, if you decide to use this file instead.
  ; - register_long_arrays = Off [Performance]
  ; Disables registration of the older (and deprecated) long predefined array
  ; variables ($HTTP_*_VARS). Instead, use the superglobals that were
  ; introduced in PHP 4.1.0
  ; - display_errors = Off [Security]
  ; With this directive set to off, errors that occur during the execution of
  ; scripts will no longer be displayed as a part of the script output, and thus,
  ; will no longer be exposed to remote users. With some errors, the error message
  ; content may expose information about your script, web server, or database
  ; server that may be exploitable for hacking. Production sites should have this
  ; directive set to off.
  ; - log_errors = On [Security]
  ; This directive complements the above one. Any errors that occur during the
  ; execution of your script will be logged (typically, to your server's error log,
  ; but can be configured in several ways). Along with setting display_errors to off,
  ; this setup gives you the ability to fully understand what may have gone wrong,
  ; without exposing any sensitive information to remote users.
  ; - output_buffering = 4096 [Performance]
  ; Set a 4KB output buffer. Enabling output buffering typically results in less
  ; writes, and sometimes less packets sent on the wire, which can often lead to
  ; better performance. The gain this directive actually yields greatly depends
  ; on which Web server you're working with, and what kind of scripts you're using.
  ; - register_argc_argv = Off [Performance]
  ; Disables registration of the somewhat redundant $argv and $argc global
  ; variables.
  ; - magic_quotes_gpc = Off [Performance]
  ; Input data is no longer escaped with slashes so that it can be sent into
  ; SQL databases without further manipulation. Instead, you should use the
  ; database vendor specific escape string function on each input element you
  ; wish to send to a database.
  ; - variables_order = "GPCS" [Performance]
  ; The environment variables are not hashed into the $_ENV. To access
  ; environment variables, you can use getenv() instead.
  ; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
  ; By default, PHP suppresses errors of type E_NOTICE. These error messages
  ; are emitted for non-critical errors, but that could be a symptom of a bigger
  ; problem. Most notably, this will cause error messages about the use
  ; of uninitialized variables to be displayed.
  ; - allow_call_time_pass_reference = Off [Code cleanliness]
  ; It's not possible to decide to force a variable to be passed by reference
  ; when calling a function. The PHP 4 style to do this is by making the
  ; function require the relevant argument by reference.
  ; - short_open_tag = Off [Portability]
  ; Using short tags is discouraged when developing code meant for redistribution
  ; since short tags may not be supported on the target server.
  ; Language Options ;
  ; Enable the PHP scripting language engine under Apache.
  engine = On
  ; Enable compatibility mode with Zend Engine 1 (PHP 4.x)
  zend.ze1_compatibility_mode = Off
  ; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
  ; NOTE: Using short tags should be avoided when developing applications or
  ; libraries that are meant for redistribution, or deployment on PHP
  ; servers which are not under your control, because short tags may not
  ; be supported on the target server. For portable, redistributable code,
  ; be sure not to use short tags.
  short_open_tag = Off
  ; Allow ASP-style <% %> tags.
  asp_tags = Off
  ; The number of significant digits displayed in floating point numbers.
  precision = 14
  ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
  y2k_compliance = On
  ; Output buffering allows you to send header lines (including cookies) even
  ; after you send body content, at the price of slowing PHP's output layer a
  ; bit. You can enable output buffering during runtime by calling the output
  ; buffering functions. You can also enable output buffering for all files by
  ; setting this directive to On. If you wish to limit the size of the buffer
  ; to a certain size - you can use a maximum number of bytes instead of 'On', as
  ; a value for this directive (e.g., output_buffering=4096).
  output_buffering = 4096
  ; You can redirect all of the output of your scripts to a function. For
  ; example, if you set output_handler to "mb_output_handler", character
  ; encoding will be transparently converted to the specified encoding.
  ; Setting any output handler automatically turns on output buffering.
  ; Note: People who wrote portable scripts should not depend on this ini
  ; directive. Instead, explicitly set the output handler using ob_start().
  ; Using this ini directive may cause problems unless you know what script
  ; is doing.
  ; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
  ; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
  ; Note: output_handler must be empty if this is set 'On' !!!!
  ; Instead you must use zlib.output_handler.
  ;output_handler =
  ; Transparent output compression using the zlib library
  ; Valid values for this option are 'off', 'on', or a specific buffer size
  ; to be used for compression (default is 4KB)
  ; Note: Resulting chunk size may vary due to nature of compression. PHP
  ; outputs chunks that are few hundreds bytes each as a result of
  ; compression. If you prefer a larger chunk size for better
  ; performance, enable output_buffering in addition.
  ; Note: You need to use zlib.output_handler instead of the standard
  ; output_handler, or otherwise the output will be corrupted.
  zlib.output_compression = Off
  ;zlib.output_compression_level = -1
  ; You cannot specify additional output handlers if zlib.output_compression
  ; is activated here. This setting does the same as output_handler but in
  ; a different order.
  ;zlib.output_handler =
  ; Implicit flush tells PHP to tell the output layer to flush itself
  ; automatically after every output block. This is equivalent to calling the
  ; PHP function flush() after each and every call to print() or echo() and each
  ; and every HTML block. Turning this option on has serious performance
  ; implications and is generally recommended for debugging purposes only.
  implicit_flush = Off
  ; The unserialize callback function will be called (with the undefined class'
  ; name as parameter), if the unserializer finds an undefined class
  ; which should be instantiated.
  ; A warning appears if the specified function is not defined, or if the
  ; function doesn't include/implement the missing class.
  ; So only set this entry, if you really want to implement such a
  ; callback-function.
  unserialize_callback_func=
  ; When floats & doubles are serialized store serialize_precision significant
  ; digits after the floating point. The default value ensures that when floats
  ; are decoded with unserialize, the data will remain the same.
  serialize_precision = 100
  ; Whether to enable the ability to force arguments to be passed by reference
  ; at function call time. This method is deprecated and is likely to be
  ; unsupported in future versions of PHP/Zend. The encouraged method of
  ; specifying which arguments should be passed by reference is in the function
  ; declaration. You're encouraged to try and turn this option Off and make
  ; sure your scripts work properly with it in order to ensure they will work
  ; with future versions of the language (you will receive a warning each time
  ; you use this feature, and the argument will be passed by value instead of by
  ; reference).
  allow_call_time_pass_reference = Off
  ; Safe Mode
  safe_mode = Off
  ; By default, Safe Mode does a UID compare check when
  ; opening files. If you want to relax this to a GID compare,
  ; then turn on safe_mode_gid.
  safe_mode_gid = Off
  ; When safe_mode is on, UID/GID checks are bypassed when
  ; including files from this directory and its subdirectories.
  ; (directory must also be in include_path or full path must
  ; be used when including)
  safe_mode_include_dir =
  ; When safe_mode is on, only executables located in the safe_mode_exec_dir
  ; will be allowed to be executed via the exec family of functions.
  safe_mode_exec_dir =
  ; Setting certain environment variables may be a potential security breach.
  ; This directive contains a comma-delimited list of prefixes. In Safe Mode,
  ; the user may only alter environment variables whose names begin with the
  ; prefixes supplied here. By default, users will only be able to set
  ; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
  ; Note: If this directive is empty, PHP will let the user modify ANY
  ; environment variable!
  safe_mode_allowed_env_vars = PHP_
  ; This directive contains a comma-delimited list of environment variables that
  ; the end user won't be able to change using putenv(). These variables will be
  ; protected even if safe_mode_allowed_env_vars is set to allow to change them.
  safe_mode_protected_env_vars = LD_LIBRARY_PATH
  ; open_basedir, if set, limits all file operations to the defined directory
  ; and below. This directive makes most sense if used in a per-directory
  ; or per-virtualhost web server configuration file. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/
  ; This directive allows you to disable certain functions for security reasons.
  ; It receives a comma-delimited list of function names. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  disable_functions =
  ; This directive allows you to disable certain classes for security reasons.
  ; It receives a comma-delimited list of class names. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  disable_classes =
  ; Colors for Syntax Highlighting mode. Anything that's acceptable in
  ; <span style="color: ???????"> would work.
  ;highlight.string = #DD0000
  ;highlight.comment = #FF9900
  ;highlight.keyword = #007700
  ;highlight.bg = #FFFFFF
  ;highlight.default = #0000BB
  ;highlight.html = #000000
  ; If enabled, the request will be allowed to complete even if the user aborts
  ; the request. Consider enabling it if executing long request, which may end up
  ; being interrupted by the user or a browser timing out.
  ; ignore_user_abort = On
  ; Determines the size of the realpath cache to be used by PHP. This value should
  ; be increased on systems where PHP opens many files to reflect the quantity of
  ; the file operations performed.
  ; realpath_cache_size=16k
  ; Duration of time, in seconds for which to cache realpath information for a given
  ; file or directory. For systems with rarely changing files, consider increasing this
  ; value.
  ; realpath_cache_ttl=120
  ; Misc
  ; Decides whether PHP may expose the fact that it is installed on the server
  ; (e.g. by adding its signature to the Web server header). It is no security
  ; threat in any way, but it makes it possible to determine whether you use PHP
  ; on your server or not.
  expose_php = Off
  ; Resource Limits ;
  max_execution_time = 30 ; Maximum execution time of each script, in seconds
  max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
  ;max_input_nesting_level = 64 ; Maximum input variable nesting level
  memory_limit = 32M ; Maximum amount of memory a script may consume (32MB)
  ; Error handling and logging ;
  ; error_reporting is a bit-field. Or each number up to get desired error
  ; reporting level
  ; E_ALL - All errors and warnings (doesn't include E_STRICT)
  ; E_ERROR - fatal run-time errors
  ; E_RECOVERABLE_ERROR - almost fatal run-time errors
  ; E_WARNING - run-time warnings (non-fatal errors)
  ; E_PARSE - compile-time parse errors
  ; E_NOTICE - run-time notices (these are warnings which often result
  ; from a bug in your code, but it's possible that it was
  ; intentional (e.g., using an uninitialized variable and
  ; relying on the fact it's automatically initialized to an
  ; empty string)
  ; E_STRICT - run-time notices, enable to have PHP suggest changes
  ; to your code which will ensure the best interoperability
  ; and forward compatibility of your code
  ; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
  ; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
  ; initial startup
  ; E_COMPILE_ERROR - fatal compile-time errors
  ; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
  ; E_USER_ERROR - user-generated error message
  ; E_USER_WARNING - user-generated warning message
  ; E_USER_NOTICE - user-generated notice message
  ; Examples:
  ; - Show all errors, except for notices and coding standards warnings
  ;error_reporting = E_ALL & ~E_NOTICE
  ; - Show all errors, except for notices
  ;error_reporting = E_ALL & ~E_NOTICE | E_STRICT
  ; - Show only errors
  ;error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
  ; - Show all errors, except coding standards warnings
  error_reporting = E_ALL
  ; Print out errors (as a part of the output). For production web sites,
  ; you're strongly encouraged to turn this feature off, and use error logging
  ; instead (see below). Keeping display_errors enabled on a production web site
  ; may reveal security information to end users, such as file paths on your Web
  ; server, your database schema or other information.
  ; possible values for display_errors:
  ; Off - Do not display any errors
  ; stderr - Display errors to STDERR (affects only CGI/CLI binaries!)
  ; On or stdout - Display errors to STDOUT (default)
  ; To output errors to STDERR with CGI/CLI:
  ;display_errors = "stderr"
  ; Default
  display_errors = On
  ; Even when display_errors is on, errors that occur during PHP's startup
  ; sequence are not displayed. It's strongly recommended to keep
  ; display_startup_errors off, except for when debugging.
  display_startup_errors = Off
  ; Log errors into a log file (server-specific log, stderr, or error_log (below))
  ; As stated above, you're strongly advised to use error logging in place of
  ; error displaying on production web sites.
  log_errors = On
  ; Set maximum length of log_errors. In error_log information about the source is
  ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
  log_errors_max_len = 1024
  ; Do not log repeated messages. Repeated errors must occur in same file on same
  ; line unless ignore_repeated_source is set true.
  ignore_repeated_errors = Off
  ; Ignore source of message when ignoring repeated messages. When this setting
  ; is On you will not log errors with repeated messages from different files or
  ; source lines.
  ignore_repeated_source = Off
  ; If this parameter is set to Off, then memory leaks will not be shown (on
  ; stdout or in the log). This has only effect in a debug compile, and if
  ; error reporting includes E_WARNING in the allowed list
  report_memleaks = Off
  ;report_zend_debug = 0
  ; Store the last error/warning message in $php_errormsg (boolean).
  track_errors = Off
  ; Turn off normal error reporting and emit XML-RPC error XML
  ;xmlrpc_errors = 0
  ; An XML-RPC faultCode
  ;xmlrpc_error_number = 0
  ; Disable the inclusion of HTML tags in error messages.
  ; Note: Never use this feature for production boxes.
  ;html_errors = Off
  ; If html_errors is set On PHP produces clickable error messages that direct
  ; to a page describing the error or function causing the error in detail.
  ; You can download a copy of the PHP manual from http://www.php.net/docs.php
  ; and change docref_root to the base URL of your local copy including the
  ; leading '/'. You must also specify the file extension being used including
  ; the dot.
  ; Note: Never use this feature for production boxes.
  ;docref_root = "/phpmanual/"
  ;docref_ext = .html
  ; String to output before an error message.
  ;error_prepend_string = "<font color=#ff0000>"
  ; String to output after an error message.
  ;error_append_string = "</font>"
  ; Log errors to specified file.
  ;error_log = filename
  ; Log errors to syslog.
  error_log = syslog
  ; Data Handling ;
  ; Note - track_vars is ALWAYS enabled as of PHP 4.0.3
  ; The separator used in PHP generated URLs to separate arguments.
  ; Default is "&".
  ;arg_separator.output = "&"
  ; List of separator(s) used by PHP to parse input URLs into variables.
  ; Default is "&".
  ; NOTE: Every character in this directive is considered as separator!
  ;arg_separator.input = ";&"
  ; This directive describes the order in which PHP registers GET, POST, Cookie,
  ; Environment and Built-in variables (G, P, C, E & S respectively, often
  ; referred to as EGPCS or GPC). Registration is done from left to right, newer
  ; values override older values.
  variables_order = "GPCS"
  ; Whether or not to register the EGPCS variables as global variables. You may
  ; want to turn this off if you don't want to clutter your scripts' global scope
  ; with user data. This makes most sense when coupled with track_vars - in which
  ; case you can access all of the GPC variables through the $HTTP_*_VARS[],
  ; variables.
  ; You should do your best to write your scripts so that they do not require
  ; register_globals to be on; Using form variables as globals can easily lead
  ; to possible security problems, if the code is not very well thought of.
  register_globals = Off
  ; Whether or not to register the old-style input arrays, HTTP_GET_VARS
  ; and friends. If you're not using them, it's recommended to turn them off,
  ; for performance reasons.
  register_long_arrays = Off
  ; This directive tells PHP whether to declare the argv&argc variables (that
  ; would contain the GET information). If you don't use these variables, you
  ; should turn it off for increased performance.
  register_argc_argv = Off
  ; When enabled, the SERVER and ENV variables are created when they're first
  ; used (Just In Time) instead of when the script starts. If these variables
  ; are not used within a script, having this directive on will result in a
  ; performance gain. The PHP directives register_globals, register_long_arrays,
  ; and register_argc_argv must be disabled for this directive to have any affect.
  auto_globals_jit = On
  ; Maximum size of POST data that PHP will accept.
  post_max_size = 8M
  ; Magic quotes
  ; Magic quotes for incoming GET/POST/Cookie data.
  magic_quotes_gpc = Off
  ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
  magic_quotes_runtime = Off
  ; Use Sybase-style magic quotes (escape ' with '' instead of \').
  magic_quotes_sybase = Off
  ; Automatically add files before or after any PHP document.
  auto_prepend_file =
  auto_append_file =
  ; As of 4.0b4, PHP always outputs a character encoding by default in
  ; the Content-type: header. To disable sending of the charset, simply
  ; set it to be empty.
  ; PHP's built-in default is text/html
  default_mimetype = "text/html"
  default_charset = "utf-8"
  ; Always populate the $HTTP_RAW_POST_DATA variable.
  ;always_populate_raw_post_data = On
  ; Paths and Directories ;
  ; UNIX: "/path1:/path2"
  include_path = ".:/usr/share/pear"
  ; The root of the PHP pages, used only if nonempty.
  ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
  ; if you are running php as a CGI under any web server (other than IIS)
  ; see documentation for security issues. The alternate is to use the
  ; cgi.force_redirect configuration below
  doc_root =
  ; The directory under which PHP opens the script using /~username used only
  ; if nonempty.
  user_dir =
  ; Directory in which the loadable extensions (modules) reside.
  extension_dir = "/usr/lib/php/20060613/"
  ; Whether or not to enable the dl() function. The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
  ; disabled on them.
  enable_dl = Off
  ; cgi.force_redirect is necessary to provide security running PHP as a CGI under
  ; most web servers. Left undefined, PHP turns this on by default. You can
  ; turn it off here AT YOUR OWN RISK
  ; **You CAN safely turn this off for IIS, in fact, you MUST.**
  ; cgi.force_redirect = 1
  ; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
  ; every request.
  ; cgi.nph = 1
  ; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
  ; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
  ; will look for to know it is OK to continue execution. Setting this variable MAY
  ; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
  ; cgi.redirect_status_env = ;
  ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
  ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
  ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
  ; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting
  ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
  ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
  cgi.fix_pathinfo=1
  ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
  ; security tokens of the calling client. This allows IIS to define the
  ; security context that the request runs under. mod_fastcgi under Apache
  ; does not currently support this feature (03/17/2002)
  ; Set to 1 if running under IIS. Default is zero.
  ; fastcgi.impersonate = 1;
  ; Disable logging through FastCGI connection
  ; fastcgi.logging = 0
  ; cgi.rfc2616_headers configuration option tells PHP what type of headers to
  ; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
  ; is supported by Apache. When this option is set to 1 PHP will send
  ; RFC2616 compliant header.
  ; Default is zero.
  ;cgi.rfc2616_headers = 0
  ; File Uploads ;
  ; Whether to allow HTTP file uploads.
  file_uploads = On
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
  ;upload_tmp_dir =
  ; Maximum allowed size for uploaded files.
  upload_max_filesize = 2M
  ; Fopen wrappers ;
  ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
  allow_url_fopen = Off
  ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
  allow_url_include = Off
  ; Define the anonymous ftp password (your email address)
  ;from="[email protected]"
  ; Define the User-Agent string
  ; user_agent="PHP"
  ; Default timeout for socket based streams (seconds)
  default_socket_timeout = 60
  ; Dynamic Extensions ;
  ; If you wish to have an extension loaded automatically, use the following
  ; syntax:
  ; extension=modulename.extension
  ; For example, under UNIX:
  ; extension=msql.so
  ; Note that it should be the name of the module only; no directory information
  ; needs to go here. Specify the location of the extension with the
  ; extension_dir directive above.
  ; Module Settings ;
  [Date]
  ; Defines the default timezone used by the date functions
  ;date.timezone =
  ;date.default_latitude = 31.7667
  ;date.default_longitude = 35.2333
  ;date.sunrise_zenith = 90.583333
  ;date.sunset_zenith = 90.583333
  [filter]
  ;filter.default = unsafe_raw
  ;filter.default_flags =
  [iconv]
  ;iconv.input_encoding = ISO-8859-1
  ;iconv.internal_encoding = ISO-8859-1
  ;iconv.output_encoding = ISO-8859-1
  [sqlite]
  sqlite.assoc_case = 1
  [Pcre]
  ;PCRE library backtracking limit.
  ;pcre.backtrack_limit=100000
  ;PCRE library recursion limit.
  ;Please note that if you set this value to a high number you may consume all
  ;the available process stack and eventually crash PHP (due to reaching the
  ;stack size limit imposed by the Operating System).
  ;pcre.recursion_limit=100000
  [Syslog]
  ; Whether or not to define the various syslog variables (e.g. $LOG_PID,
  ; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In
  ; runtime, you can define these variables by calling define_syslog_variables().
  define_syslog_variables = Off
  [mail function]
  ; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
  ;sendmail_path =
  ; Force the addition of the specified parameters to be passed as extra parameters
  ; to the sendmail binary. These parameters will always replace the value of
  ; the 5th parameter to mail(), even in safe mode.
  ;mail.force_extra_parameters =
  [SQL]
  sql.safe_mode = Off
  [ODBC]
  ;odbc.default_db = Not yet implemented
  ;odbc.default_user = Not yet implemented
  ;odbc.default_pw = Not yet implemented
  ; Allow or prevent persistent links.
  odbc.allow_persistent = On
  ; Check that a connection is still valid before reuse.
  odbc.check_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  odbc.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  odbc.max_links = -1
  ; Handling of LONG fields. Returns number of bytes to variables. 0 means
  ; passthru.
  odbc.defaultlrl = 4096
  ; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
  ; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
  ; of uodbc.defaultlrl and uodbc.defaultbinmode
  odbc.defaultbinmode = 1
  [MySQL]
  ; Allow or prevent persistent links.
  mysql.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  mysql.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  mysql.max_links = -1
  ; Default port number for mysql_connect(). If unset, mysql_connect() will use
  ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
  ; compile-time value defined MYSQL_PORT (in that order).
  mysql.default_port =
  ; Default socket name for local MySQL connects. If empty, uses the built-in
  ; MySQL defaults.
  mysql.default_socket =
  ; Default host for mysql_connect() (doesn't apply in safe mode).
  mysql.default_host =
  ; Default user for mysql_connect() (doesn't apply in safe mode).
  mysql.default_user =
  ; Default password for mysql_connect() (doesn't apply in safe mode).
  ; Note that this is generally a *bad* idea to store passwords in this file.
  ; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
  ; and reveal this password! And of course, any users with read access to this
  ; file will be able to reveal the password as well.
  mysql.default_password =
  ; Maximum time (in seconds) for connect timeout. -1 means no limit
  mysql.connect_timeout = 60
  ; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
  ; SQL-Errors will be displayed.
  mysql.trace_mode = Off
  [MySQLi]
  ; Maximum number of links. -1 means no limit.
  mysqli.max_links = -1
  ; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
  ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
  ; compile-time value defined MYSQL_PORT (in that order).
  mysqli.default_port = 3306
  ; Default socket name for local MySQL connects. If empty, uses the built-in
  ; MySQL defaults.
  mysqli.default_socket =
  ; Default host for mysql_connect() (doesn't apply in safe mode).
  mysqli.default_host =
  ; Default user for mysql_connect() (doesn't apply in safe mode).
  mysqli.default_user =
  ; Default password for mysqli_connect() (doesn't apply in safe mode).
  ; Note that this is generally a *bad* idea to store passwords in this file.
  ; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
  ; and reveal this password! And of course, any users with read access to this
  ; file will be able to reveal the password as well.
  mysqli.default_pw =
  ; Allow or prevent reconnect
  mysqli.reconnect = Off
  [mSQL]
  ; Allow or prevent persistent links.
  msql.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  msql.max_persistent = -1
  ; Maximum number of links (persistent+non persistent). -1 means no limit.
  msql.max_links = -1
  [OCI8]
  ; enables privileged connections using external credentials (OCI_SYSOPER, OCI_SYSDBA)
  ;oci8.privileged_connect = Off
  ; Connection: The maximum number of persistent OCI8 connections per
  ; process. Using -1 means no limit.
  ;oci8.max_persistent = -1
  ; Connection: The maximum number of seconds a process is allowed to
  ; maintain an idle persistent connection. Using -1 means idle
  ; persistent connections will be maintained forever.
  ;oci8.persistent_timeout = -1
  ; Connection: The number of seconds that must pass before issuing a
  ; ping during oci_pconnect() to check the connection validity. When
  ; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
  ; pings completely.
  ;oci8.ping_interval = 60
  ; Tuning: This option enables statement caching, and specifies how
  ; many statements to cache. Using 0 disables statement caching.
  ;oci8.statement_cache_size = 20
  ; Tuning: Enables statement prefetching and sets the default number of
  ; rows that will be fetched automatically after statement execution.
  ;oci8.default_prefetch = 10
  ; Compatibility. Using On means oci_close() will not close
  ; oci_connect() and oci_new_connect() connections.
  ;oci8.old_oci_close_semantics = Off
  [PostgresSQL]
  ; Allow or prevent persistent links.
  pgsql.allow_persistent = On
  ; Detect broken persistent links always with pg_pconnect().
  ; Auto reset feature requires a little overheads.
  pgsql.auto_reset_persistent = Off
  ; Maximum number of persistent links. -1 means no limit.
  pgsql.max_persistent = -1
  ; Maximum number of links (persistent+non persistent). -1 means no limit.
  pgsql.max_links = -1
  ; Ignore PostgreSQL backends Notice message or not.
  ; Notice message logging require a little overheads.
  pgsql.ignore_notice = 0
  ; Log PostgreSQL backends Notice message or not.
  ; Unless pgsql.ignore_notice=0, module cannot log notice message.
  pgsql.log_notice = 0
  [Sybase]
  ; Allow or prevent persistent links.
  sybase.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  sybase.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  sybase.max_links = -1
  ;sybase.interface_file = "/usr/sybase/interfaces"
  ; Minimum error severity to display.
  sybase.min_error_severity = 10
  ; Minimum message severity to display.
  sybase.min_message_severity = 10
  ; Compatibility mode with old versions of PHP 3.0.
  ; If on, this will cause PHP to automatically assign types to results according
  ; to their Sybase type, instead of treating them all as strings. This
  ; compatibility mode will probably not stay around forever, so try applying
  ; whatever necessary changes to your code, and turn it off.
  sybase.compatability_mode = Off
  [Sybase-CT]
  ; Allow or prevent persistent links.
  sybct.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  sybct.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  sybct.max_links = -1
  ; Minimum server message severity to display.
  sybct.min_server_severity = 10
  ; Minimum client message severity to display.
  sybct.min_client_severity = 10
  [bcmath]
  ; Number of decimal digits for all bcmath functions.
  bcmath.scale = 0
  [browscap]
  ;browscap = extra/browscap.ini
  [Informix]
  ; Default host for ifx_connect() (doesn't apply in safe mode).
  ifx.default_host =
  ; Default user for ifx_connect() (doesn't apply in safe mode).
  ifx.default_user =
  ; Default password for ifx_connect() (doesn't apply in safe mode).
  ifx.default_password =
  ; Allow or prevent persistent links.
  ifx.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  ifx.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  ifx.max_links = -1
  ; If on, select statements return the contents of a text blob instead of its id.
  ifx.textasvarchar = 0
  ; If on, select statements return the contents of a byte blob instead of its id.
  ifx.byteasvarchar = 0
  ; Trailing blanks are stripped from fixed-length char columns. May help the
  ; life of Informix SE users.
  ifx.charasvarchar = 0
  ; If on, the contents of text and byte blobs are dumped to a file instead of
  ; keeping them in memory.
  ifx.blobinfile = 0
  ; NULL's are returned as empty strings, unless this is set to 1. In that case,
  ; NULL's are returned as string 'NULL'.
  ifx.nullformat = 0
  [Session]
  ; Handler used to store/retrieve data.
  session.save_handler = files
  ; Argument passed to save_handler. In the case of files, this is the path
  ; where data files are stored.
  ; As of PHP 4.0.1, you can define the path as:
  ; session.save_path = "N;/path"
  ; where N is an integer. Instead of storing all the session files in
  ; /path, what this will do is use subdirectories N-levels deep, and
  ; store the session data in those directories. This is useful if you
  ; or your OS have problems with lots of files in one directory, and is
  ; a more efficient layout for servers that handle lots of sessions.
  ; NOTE 1: PHP will not create this directory structure automatically.
  ; You can use the script in the ext/session dir for that purpose.
  ; NOTE 2: See the section on garbage collection below if you choose to
  ; use subdirectories for session storage
  ; The file storage module creates files using mode 600 by default.
  ; You can change that by using
  ; session.save_path = "N;MODE;/path"
  ; where MODE is the octal representation of the mode. Note that this
  ; does not overwrite the process's umask.
  session.save_path = "/tmp"
  ; Whether to use cookies.
  session.use_cookies = 1
  ;session.cookie_secure =
  ; This option enables administrators to make their users invulnerable to
  ; attacks which involve passing session ids in URLs; defaults to 0.
  ; session.use_only_cookies = 1
  ; Name of the session (used as cookie name).
  session.name = PHPSESSID
  ; Initialize session on request startup.
  session.auto_start = 0
  ; Lifetime in seconds of cookie or, if 0, until browser is restarted.
  session.cookie_lifetime = 0
  ; The path for which the cookie is valid.
  session.cookie_path = /
  ; The domain for which the cookie is valid.
  session.cookie_domain =
  ; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
  session.cookie_httponly =
  ; Handler used to serialize data. php is the standard serializer of PHP.
  session.serialize_handler = php
  ; Define the probability that the 'garbage collection' process is started
  ; on every session initialization.
  ; The probability is calculated by using gc_probability/gc_divisor,
  ; e.g. 1/100 means there is a 1% chance that the GC process starts
  ; on each request.
  session.gc_probability = 1
  session.gc_divisor = 1000
  ; After this number of seconds, stored data will be seen as 'garbage' and
  ; cleaned up by the garbage collection process.
  session.gc_maxlifetime = 1440
  ; NOTE: If you are using the subdirectory option for storing session files
  ; (see session.save_path above), then garbage collection does *not*
  ; happen automatically. You will need to do your own garbage
  ; collection through a shell script, cron entry, or some other method.
  ; For example, the following script would is the equivalent of
  ; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
  ; cd /path/to/sessions; find -cmin +24 | xargs rm
  ; PHP 4.2 and less have an undocumented feature/bug that allows you to
  ; to initialize a session variable in the global scope, albeit register_globals
  ; is disabled. PHP 4.3 and later will warn you, if this feature is used.
  ; You can disable the feature and the warning separately. At this time,
  ; the warning is only displayed, if bug_compat_42 is enabled.
  session.bug_compat_42 = 0
  session.bug_compat_warn = 1
  ; Check HTTP Referer to invalidate externally stored URLs containing ids.
  ; HTTP_REFERER has to contain this substring for the session to be
  ; considered as valid.
  session.referer_check =
  ; How many bytes to read from the file.
  session.entropy_length = 0
  ; Specified here to create the session id.
  session.entropy_file =
  ;session.entropy_length = 16
  ;session.entropy_file = /dev/urandom
  ; Set to {nocache,private,public,} to determine HTTP caching aspects
  ; or leave this empty to avoid sending anti-caching headers.
  session.cache_limiter = nocache
  ; Document expires after n minutes.
  session.cache_expire = 180
  ; trans sid support is disabled by default.
  ; Use of trans sid may risk your users security.
  ; Use this option with caution.
  ; - User may send URL contains active session ID
  ; to other person via. email/irc/etc.
  ; - URL that contains active session ID may be stored
  ; in publically accessible computer.
  ; - User may access your site with the same session ID
  ; always using URL stored in browser's history or bookmarks.
  session.use_trans_sid = 0
  ; Select a hash function
  ; 0: MD5 (128 bits)
  ; 1: SHA-1 (160 bits)
  session.hash_function = 0
  ; Define how many bits are stored in each character when converting
  ; the binary hash data to something readable.
  ; 4 bits: 0-9, a-f
  ; 5 bits: 0-9, a-v
  ; 6 bits: 0-9, a-z, A-Z, "-", ","
  session.hash_bits_per_character = 5
  ; The URL rewriter will look for URLs in a defined set of HTML tags.
  ; form/fieldset are special; if you include them here, the rewriter will
  ; add a hidden <input> field with the info which is otherwise appended
  ; to URLs. If you want XHTML conformity, remove the form entry.
  ; Note that all valid entries require a "=", even if no value follows.
  url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
  [MSSQL]
  ; Allow or prevent persistent links.
  mssql.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  mssql.max_persistent = -1
  ; Maximum number of links (persistent+non persistent). -1 means no limit.
  mssql.max_links = -1
  ; Minimum error severity to display.
  mssql.min_error_severity = 10
  ; Minimum message severity to display.
  mssql.min_message_severity = 10
  ; Compatibility mode with old versions of PHP 3.0.
  mssql.compatability_mode = Off
  ; Connect timeout
  ;mssql.connect_timeout = 5
  ; Query timeout
  ;mssql.timeout = 60
  ; Valid range 0 - 2147483647. Default = 4096.
  ;mssql.textlimit = 4096
  ; Valid range 0 - 2147483647. Default = 4096.
  ;mssql.textsize = 4096
  ; Limits the number of records in each batch. 0 = all records in one batch.
  ;mssql.batchsize = 0
  ; Specify how datetime and datetim4 columns are returned
  ; On => Returns data converted to SQL server settings
  ; Off => Returns values as YYYY-MM-DD hh:mm:ss
  ;mssql.datetimeconvert = On
  ; Use NT authentication when connecting to the server
  mssql.secure_connection = Off
  ; Specify max number of processes. -1 = library default
  ; msdlib defaults to 25
  ; FreeTDS defaults to 4096
  ;mssql.max_procs = -1
  ; Specify client character set.
  ; If empty or not set the client charset from freetds.comf is used
  ; This is only used when compiled with FreeTDS
  ;mssql.charset = "ISO-8859-1"
  [Assertion]
  ; Assert(expr); active by default.
  ;assert.active = On
  ; Issue a PHP warning for each failed assertion.
  ;assert.warning = On
  ; Don't bail out by default.
  ;assert.bail = Off
  ; User-function to be called if an assertion fails.
  ;assert.callback = 0
  ; Eval the expression with current error_reporting(). Set to true if you want
  ; error_reporting(0) around the eval().
  ;assert.quiet_eval = 0
  [COM]
  ; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
  ;com.typelib_file =
  ; allow Distributed-COM calls
  ;com.allow_dcom = true
  ; autoregister constants of a components typlib on com_load()
  ;com.autoregister_typelib = true
  ; register constants casesensitive
  ;com.autoregister_casesensitive = false
  ; show warnings on duplicate constant registrations
  ;com.autoregister_verbose = true
  [mbstring]
  ; language for internal character representation.
  ;mbstring.language = Japanese
  ; internal/script encoding.
  ; Some encoding cannot work as internal encoding.
  ; (e.g. SJIS, BIG5, ISO-2022-*)
  ;mbstring.internal_encoding = EUC-JP
  ; http input encoding.
  ;mbstring.http_input = auto
  ; http output encoding. mb_output_handler must be
  ; registered as output buffer to function
  ;mbstring.http_output = SJIS
  ; enable automatic encoding translation according to
  ; mbstring.internal_encoding setting. Input chars are
  ; converted to internal encoding by setting this to On.
  ; Note: Do _not_ use automatic encoding translation for
  ; portable libs/applications.
  ;mbstring.encoding_translation = Off
  ; automatic encoding detection order.
  ; auto means
  ;mbstring.detect_order = auto
  ; substitute_character used when character cannot be converted
  ; one from another
  ;mbstring.substitute_character = none;
  ; overload(replace) single byte functions by mbstring functions.
  ; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
  ; etc. Possible values are 0,1,2,4 or combination of them.
  ; For example, 7 for overload everything.
  ; 0: No overload
  ; 1: Overload mail() function
  ; 2: Overload str*() functions
  ; 4: Overload ereg*() functions
  ;mbstring.func_overload = 0
  ; enable strict encoding detection.
  ;mbstring.strict_encoding = Off
  [FrontBase]
  ;fbsql.allow_persistent = On
  ;fbsql.autocommit = On
  ;fbsql.show_timestamp_decimals = Off
  ;fbsql.default_database =
  ;fbsql.default_database_password =
  ;fbsql.default_host =
  ;fbsql.default_password =
  ;fbsql.default_user = "_SYSTEM"
  ;fbsql.generate_warnings = Off
  ;fbsql.max_connections = 128
  ;fbsql.max_links = 128
  ;fbsql.max_persistent = -1
  ;fbsql.max_results = 128
  [gd]
  ; Tell the jpeg decode to libjpeg warnings and try to create
  ; a gd image. The warning will then be displayed as notices
  ; disabled by default
  ;gd.jpeg_ignore_warning = 0
  [exif]
  ; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
  ; With mbstring support this will automatically be converted into the encoding
  ; given by corresponding encode setting. When empty mbstring.internal_encoding
  ; is used. For the decode settings you can distinguish between motorola and
  ; intel byte order. A decode setting cannot be empty.
  ;exif.encode_unicode = ISO-8859-15
  ;exif.decode_unicode_motorola = UCS-2BE
  ;exif.decode_unicode_intel = UCS-2LE
  ;exif.encode_jis =
  ;exif.decode_jis_motorola = JIS
  ;exif.decode_jis_intel = JIS
  [Tidy]
  ; The path to a default tidy configuration file to use when using tidy
  ;tidy.default_config = /usr/local/lib/php/default.tcfg
  ; Should tidy clean and repair output automatically?
  ; WARNING: Do not use this option if you are generating non-html content
  ; such as dynamic images
  tidy.clean_output = Off
  [soap]
  ; Enables or disables WSDL caching feature.
  soap.wsdl_cache_enabled=1
  ; Sets the directory name where SOAP extension will put cache files.
  soap.wsdl_cache_dir="/tmp"
  ; (time to live) Sets the number of second while cached file will be used
  ; instead of original one.
  soap.wsdl_cache_ttl=86400
  ; available extensions
  ;extension=bcmath.so
  ;extension=bz2.so
  ;extension=calendar.so
  ;extension=curl.so
  ;extension=dba.so
  ;extension=dbase.so
  ;extension=exif.so
  ;extension=ftp.so
  ;extension=gd.so
  extension=gettext.so
  ;extension=gmp.so
  ;extension=iconv.so
  ;extension=imap.so
  ;extension=json.so
  ;extension=ldap.so
  ;extension=mcrypt.so
  ;extension=mhash.so
  ;extension=mime_magic.so
  ;extension=mysql.so
  ;extension=mysqli.so
  ;extension=ncurses.so
  ;extension=odbc.so
  ;extension=openssl.so
  ;extension=pdo.so
  ;extension=pdo_mysql.so
  ;extension=pdo_odbc.so
  ;extension=pdo_pgsql.so
  ;extension=pdo_sqlite.so
  ;extension=pgsql.so
  ;extension=posix.so
  ;extension=pspell.so
  extension=session.so
  ;extension=shmop.so
  ;extension=snmp.so
  ;extension=soap.so
  extension=sockets.so
  extension=sqlite.so
  ;extension=sysvmsg.so
  ;extension=sysvsem.so
  ;extension=sysvshm.so
  ;extension=tidy.so
  ;extension=xmlrpc.so
  ;extension=xsl.so
  ;extension=zip.so
  extension=zlib.so
  ; Local Variables:
  ; tab-width: 4
  ; End:
  I've attempted enabling pdo.so and pdo_sqlite.so as well, with no results, making sure to stop lighty and flush all of its processes before checking again.
  `php-cgi -m | grep sqlite` does not return anything, either.
  The extensions directory (/usr/lib/php/20060613) exists on my system and contains sqlite.so, as expected.
  I have no clue what's going on here and would greatly appreciate any help offered.
  Last edited by xelados (2009-09-23 04:02:22)

  After the last update which installed PHP 5.3.0, I'm having a similar problem. PHP fails to recognize any extensions which I've defined in php.ini. PHP itself works just fine, so I'm sure this problem is related to the update of PHP.
  Here's my php.ini:
  [PHP]
  ; About php.ini ;
  ; This file controls many aspects of PHP's behavior. In order for PHP to
  ; read it, it must be named 'php.ini'. PHP looks for it in the current
  ; working directory, in the path designated by the environment variable
  ; PHPRC, and in the path that was defined in compile time (in that order).
  ; The path in which the php.ini file is looked for can be overridden using
  ; the -c argument in command line mode.
  ; The syntax of the file is extremely simple. Whitespace and Lines
  ; beginning with a semicolon are silently ignored (as you probably guessed).
  ; Section headers (e.g. [Foo]) are also silently ignored, even though
  ; they might mean something in the future.
  ; Directives are specified using the following syntax:
  ; directive = value
  ; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
  ; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
  ; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
  ; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").
  ; Expressions in the INI file are limited to bitwise operators and parentheses:
  ; | bitwise OR
  ; & bitwise AND
  ; ~ bitwise NOT
  ; ! boolean NOT
  ; Boolean flags can be turned on using the values 1, On, True or Yes.
  ; They can be turned off using the values 0, Off, False or No.
  ; An empty string can be denoted by simply not writing anything after the equal
  ; sign, or by using the None keyword:
  ; foo = ; sets foo to an empty string
  ; foo = none ; sets foo to an empty string
  ; foo = "none" ; sets foo to the string 'none'
  ; If you use constants in your value, and these constants belong to a
  ; dynamically loaded extension (either a PHP extension or a Zend extension),
  ; you may only use these constants *after* the line that loads the extension.
  ; About this file ;
  ; This is the recommended, PHP 5-style version of the php.ini-dist file. It
  ; sets some non standard settings, that make PHP more efficient, more secure,
  ; and encourage cleaner coding.
  ; The price is that with these settings, PHP may be incompatible with some
  ; applications, and sometimes, more difficult to develop with. Using this
  ; file is warmly recommended for production sites. As all of the changes from
  ; the standard settings are thoroughly documented, you can go over each one,
  ; and decide whether you want to use it or not.
  ; For general information about the php.ini file, please consult the php.ini-dist
  ; file, included in your PHP distribution.
  ; This file is different from the php.ini-dist file in the fact that it features
  ; different values for several directives, in order to improve performance, while
  ; possibly breaking compatibility with the standard out-of-the-box behavior of
  ; PHP. Please make sure you read what's different, and modify your scripts
  ; accordingly, if you decide to use this file instead.
  ; - register_long_arrays = Off [Performance]
  ; Disables registration of the older (and deprecated) long predefined array
  ; variables ($HTTP_*_VARS). Instead, use the superglobals that were
  ; introduced in PHP 4.1.0
  ; - display_errors = Off [Security]
  ; With this directive set to off, errors that occur during the execution of
  ; scripts will no longer be displayed as a part of the script output, and thus,
  ; will no longer be exposed to remote users. With some errors, the error message
  ; content may expose information about your script, web server, or database
  ; server that may be exploitable for hacking. Production sites should have this
  ; directive set to off.
  ; - log_errors = On [Security]
  ; This directive complements the above one. Any errors that occur during the
  ; execution of your script will be logged (typically, to your server's error log,
  ; but can be configured in several ways). Along with setting display_errors to off,
  ; this setup gives you the ability to fully understand what may have gone wrong,
  ; without exposing any sensitive information to remote users.
  ; - output_buffering = 4096 [Performance]
  ; Set a 4KB output buffer. Enabling output buffering typically results in less
  ; writes, and sometimes less packets sent on the wire, which can often lead to
  ; better performance. The gain this directive actually yields greatly depends
  ; on which Web server you're working with, and what kind of scripts you're using.
  ; - register_argc_argv = Off [Performance]
  ; Disables registration of the somewhat redundant $argv and $argc global
  ; variables.
  ; - magic_quotes_gpc = Off [Performance]
  ; Input data is no longer escaped with slashes so that it can be sent into
  ; SQL databases without further manipulation. Instead, you should use the
  ; function addslashes() on each input element you wish to send to a database.
  ; - variables_order = "GPCS" [Performance]
  ; The environment variables are not hashed into the $_ENV. To access
  ; environment variables, you can use getenv() instead.
  ; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
  ; By default, PHP suppresses errors of type E_NOTICE. These error messages
  ; are emitted for non-critical errors, but that could be a symptom of a bigger
  ; problem. Most notably, this will cause error messages about the use
  ; of uninitialized variables to be displayed.
  ; - allow_call_time_pass_reference = Off [Code cleanliness]
  ; It's not possible to decide to force a variable to be passed by reference
  ; when calling a function. The PHP 4 style to do this is by making the
  ; function require the relevant argument by reference.
  ; - short_open_tag = Off [Portability]
  ; Using short tags is discouraged when developing code meant for redistribution
  ; since short tags may not be supported on the target server.
  ; Language Options ;
  ; Enable the PHP scripting language engine under Apache.
  engine = On
  ; Enable compatibility mode with Zend Engine 1 (PHP 4.x)
  zend.ze1_compatibility_mode = Off
  ; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
  ; NOTE: Using short tags should be avoided when developing applications or
  ; libraries that are meant for redistribution, or deployment on PHP
  ; servers which are not under your control, because short tags may not
  ; be supported on the target server. For portable, redistributable code,
  ; be sure not to use short tags.
  short_open_tag = Off
  ; Allow ASP-style <% %> tags.
  asp_tags = Off
  ; The number of significant digits displayed in floating point numbers.
  precision = 14
  ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
  y2k_compliance = On
  ; Output buffering allows you to send header lines (including cookies) even
  ; after you send body content, at the price of slowing PHP's output layer a
  ; bit. You can enable output buffering during runtime by calling the output
  ; buffering functions. You can also enable output buffering for all files by
  ; setting this directive to On. If you wish to limit the size of the buffer
  ; to a certain size - you can use a maximum number of bytes instead of 'On', as
  ; a value for this directive (e.g., output_buffering=4096).
  output_buffering = Off
  ; You can redirect all of the output of your scripts to a function. For
  ; example, if you set output_handler to "mb_output_handler", character
  ; encoding will be transparently converted to the specified encoding.
  ; Setting any output handler automatically turns on output buffering.
  ; Note: People who wrote portable scripts should not depend on this ini
  ; directive. Instead, explicitly set the output handler using ob_start().
  ; Using this ini directive may cause problems unless you know what script
  ; is doing.
  ; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
  ; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
  ; Note: output_handler must be empty if this is set 'On' !!!!
  ; Instead you must use zlib.output_handler.
  ;output_handler =
  ; Transparent output compression using the zlib library
  ; Valid values for this option are 'off', 'on', or a specific buffer size
  ; to be used for compression (default is 4KB)
  ; Note: Resulting chunk size may vary due to nature of compression. PHP
  ; outputs chunks that are few hundreds bytes each as a result of
  ; compression. If you prefer a larger chunk size for better
  ; performance, enable output_buffering in addition.
  ; Note: You need to use zlib.output_handler instead of the standard
  ; output_handler, or otherwise the output will be corrupted.
  zlib.output_compression = Off
  ;zlib.output_compression_level = -1
  ; You cannot specify additional output handlers if zlib.output_compression
  ; is activated here. This setting does the same as output_handler but in
  ; a different order.
  ;zlib.output_handler =
  ; Implicit flush tells PHP to tell the output layer to flush itself
  ; automatically after every output block. This is equivalent to calling the
  ; PHP function flush() after each and every call to print() or echo() and each
  ; and every HTML block. Turning this option on has serious performance
  ; implications and is generally recommended for debugging purposes only.
  implicit_flush = Off
  ; The unserialize callback function will be called (with the undefined class'
  ; name as parameter), if the unserializer finds an undefined class
  ; which should be instantiated.
  ; A warning appears if the specified function is not defined, or if the
  ; function doesn't include/implement the missing class.
  ; So only set this entry, if you really want to implement such a
  ; callback-function.
  unserialize_callback_func=
  ; When floats & doubles are serialized store serialize_precision significant
  ; digits after the floating point. The default value ensures that when floats
  ; are decoded with unserialize, the data will remain the same.
  serialize_precision = 100
  ; Whether to enable the ability to force arguments to be passed by reference
  ; at function call time. This method is deprecated and is likely to be
  ; unsupported in future versions of PHP/Zend. The encouraged method of
  ; specifying which arguments should be passed by reference is in the function
  ; declaration. You're encouraged to try and turn this option Off and make
  ; sure your scripts work properly with it in order to ensure they will work
  ; with future versions of the language (you will receive a warning each time
  ; you use this feature, and the argument will be passed by value instead of by
  ; reference).
  allow_call_time_pass_reference = Off
  ; Safe Mode
  safe_mode = Off
  ; By default, Safe Mode does a UID compare check when
  ; opening files. If you want to relax this to a GID compare,
  ; then turn on safe_mode_gid.
  safe_mode_gid = Off
  ; When safe_mode is on, UID/GID checks are bypassed when
  ; including files from this directory and its subdirectories.
  ; (directory must also be in include_path or full path must
  ; be used when including)
  safe_mode_include_dir =
  ; When safe_mode is on, only executables located in the safe_mode_exec_dir
  ; will be allowed to be executed via the exec family of functions.
  safe_mode_exec_dir =
  ; Setting certain environment variables may be a potential security breach.
  ; This directive contains a comma-delimited list of prefixes. In Safe Mode,
  ; the user may only alter environment variables whose names begin with the
  ; prefixes supplied here. By default, users will only be able to set
  ; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
  ; Note: If this directive is empty, PHP will let the user modify ANY
  ; environment variable!
  safe_mode_allowed_env_vars = PHP_
  ; This directive contains a comma-delimited list of environment variables that
  ; the end user won't be able to change using putenv(). These variables will be
  ; protected even if safe_mode_allowed_env_vars is set to allow to change them.
  safe_mode_protected_env_vars = LD_LIBRARY_PATH
  ; open_basedir, if set, limits all file operations to the defined directory
  ; and below. This directive makes most sense if used in a per-directory
  ; or per-virtualhost web server configuration file. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  ; open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/
  ; This directive allows you to disable certain functions for security reasons.
  ; It receives a comma-delimited list of function names. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  disable_functions =
  ; This directive allows you to disable certain classes for security reasons.
  ; It receives a comma-delimited list of class names. This directive is
  ; *NOT* affected by whether Safe Mode is turned On or Off.
  disable_classes =
  ; Colors for Syntax Highlighting mode. Anything that's acceptable in
  ; <span style="color: ???????"> would work.
  ;highlight.string = #DD0000
  ;highlight.comment = #FF9900
  ;highlight.keyword = #007700
  ;highlight.bg = #FFFFFF
  ;highlight.default = #0000BB
  ;highlight.html = #000000
  ; If enabled, the request will be allowed to complete even if the user aborts
  ; the request. Consider enabling it if executing long request, which may end up
  ; being interrupted by the user or a browser timing out.
  ; ignore_user_abort = On
  ; Determines the size of the realpath cache to be used by PHP. This value should
  ; be increased on systems where PHP opens many files to reflect the quantity of
  ; the file operations performed.
  ; realpath_cache_size=16k
  ; Duration of time, in seconds for which to cache realpath information for a given
  ; file or directory. For systems with rarely changing files, consider increasing this
  ; value.
  ; realpath_cache_ttl=120
  ; Misc
  ; Decides whether PHP may expose the fact that it is installed on the server
  ; (e.g. by adding its signature to the Web server header). It is no security
  ; threat in any way, but it makes it possible to determine whether you use PHP
  ; on your server or not.
  expose_php = Off
  ; Resource Limits ;
  max_execution_time = 120 ; Maximum execution time of each script, in seconds
  max_input_time = 120 ; Maximum amount of time each script may spend parsing request data
  ;max_input_nesting_level = 64 ; Maximum input variable nesting level
  memory_limit = 128M ; Maximum amount of memory a script may consume (32MB)
  ; Error handling and logging ;
  ; error_reporting is a bit-field. Or each number up to get desired error
  ; reporting level
  ; E_ALL - All errors and warnings (doesn't include E_STRICT)
  ; E_ERROR - fatal run-time errors
  ; E_RECOVERABLE_ERROR - almost fatal run-time errors
  ; E_WARNING - run-time warnings (non-fatal errors)
  ; E_PARSE - compile-time parse errors
  ; E_NOTICE - run-time notices (these are warnings which often result
  ; from a bug in your code, but it's possible that it was
  ; intentional (e.g., using an uninitialized variable and
  ; relying on the fact it's automatically initialized to an
  ; empty string)
  ; E_STRICT - run-time notices, enable to have PHP suggest changes
  ; to your code which will ensure the best interoperability
  ; and forward compatibility of your code
  ; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
  ; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
  ; initial startup
  ; E_COMPILE_ERROR - fatal compile-time errors
  ; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
  ; E_USER_ERROR - user-generated error message
  ; E_USER_WARNING - user-generated warning message
  ; E_USER_NOTICE - user-generated notice message
  ; Examples:
  ; - Show all errors, except for notices and coding standards warnings
  ;error_reporting = E_ALL & ~E_NOTICE
  ; - Show all errors, except for notices
  ;error_reporting = E_ALL & ~E_NOTICE | E_STRICT
  ; - Show only errors
  ;error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
  ; - Show all errors, except coding standards warnings
  error_reporting = E_ALL
  ; Print out errors (as a part of the output). For production web sites,
  ; you're strongly encouraged to turn this feature off, and use error logging
  ; instead (see below). Keeping display_errors enabled on a production web site
  ; may reveal security information to end users, such as file paths on your Web
  ; server, your database schema or other information.
  ; possible values for display_errors:
  ; Off - Do not display any errors
  ; stderr - Display errors to STDERR (affects only CGI/CLI binaries!)
  ; On or stdout - Display errors to STDOUT (default)
  ; To output errors to STDERR with CGI/CLI:
  ;display_errors = "stderr"
  ; Default
  display_errors = On
  ; Even when display_errors is on, errors that occur during PHP's startup
  ; sequence are not displayed. It's strongly recommended to keep
  ; display_startup_errors off, except for when debugging.
  display_startup_errors = Off
  ; Log errors into a log file (server-specific log, stderr, or error_log (below))
  ; As stated above, you're strongly advised to use error logging in place of
  ; error displaying on production web sites.
  log_errors = Off
  ; Set maximum length of log_errors. In error_log information about the source is
  ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
  log_errors_max_len = 1024
  ; Do not log repeated messages. Repeated errors must occur in same file on same
  ; line until ignore_repeated_source is set true.
  ignore_repeated_errors = Off
  ; Ignore source of message when ignoring repeated messages. When this setting
  ; is On you will not log errors with repeated messages from different files or
  ; source lines.
  ignore_repeated_source = Off
  ; If this parameter is set to Off, then memory leaks will not be shown (on
  ; stdout or in the log). This has only effect in a debug compile, and if
  ; error reporting includes E_WARNING in the allowed list
  report_memleaks = Off
  ;report_zend_debug = 0
  ; Store the last error/warning message in $php_errormsg (boolean).
  track_errors = Off
  ; Disable the inclusion of HTML tags in error messages.
  ; Note: Never use this feature for production boxes.
  ;html_errors = Off
  ; If html_errors is set On PHP produces clickable error messages that direct
  ; to a page describing the error or function causing the error in detail.
  ; You can download a copy of the PHP manual from http://www.php.net/docs.php
  ; and change docref_root to the base URL of your local copy including the
  ; leading '/'. You must also specify the file extension being used including
  ; the dot.
  ; Note: Never use this feature for production boxes.
  ;docref_root = "/phpmanual/"
  ;docref_ext = .html
  ; String to output before an error message.
  ;error_prepend_string = "<font color=ff0000>"
  ; String to output after an error message.
  ;error_append_string = "</font>"
  ; Log errors to specified file.
  ;error_log = filename
  ; Log errors to syslog.
  error_log = syslog
  ; Data Handling ;
  ; Note - track_vars is ALWAYS enabled as of PHP 4.0.3
  ; The separator used in PHP generated URLs to separate arguments.
  ; Default is "&".
  ;arg_separator.output = "&"
  ; List of separator(s) used by PHP to parse input URLs into variables.
  ; Default is "&".
  ; NOTE: Every character in this directive is considered as separator!
  ;arg_separator.input = ";&"
  ; This directive describes the order in which PHP registers GET, POST, Cookie,
  ; Environment and Built-in variables (G, P, C, E & S respectively, often
  ; referred to as EGPCS or GPC). Registration is done from left to right, newer
  ; values override older values.
  variables_order = "GPCS"
  ; Whether or not to register the EGPCS variables as global variables. You may
  ; want to turn this off if you don't want to clutter your scripts' global scope
  ; with user data. This makes most sense when coupled with track_vars - in which
  ; case you can access all of the GPC variables through the $HTTP_*_VARS[],
  ; variables.
  ; You should do your best to write your scripts so that they do not require
  ; register_globals to be on; Using form variables as globals can easily lead
  ; to possible security problems, if the code is not very well thought of.
  register_globals = Off
  ; Whether or not to register the old-style input arrays, HTTP_GET_VARS
  ; and friends. If you're not using them, it's recommended to turn them off,
  ; for performance reasons.
  register_long_arrays = Off
  ; This directive tells PHP whether to declare the argv&argc variables (that
  ; would contain the GET information). If you don't use these variables, you
  ; should turn it off for increased performance.
  register_argc_argv = Off
  ; When enabled, the SERVER and ENV variables are created when they're first
  ; used (Just In Time) instead of when the script starts. If these variables
  ; are not used within a script, having this directive on will result in a
  ; performance gain. The PHP directives register_globals, register_long_arrays,
  ; and register_argc_argv must be disabled for this directive to have any affect.
  auto_globals_jit = On
  ; Maximum size of POST data that PHP will accept.
  post_max_size = 128M
  ; Magic quotes
  ; Magic quotes for incoming GET/POST/Cookie data.
  magic_quotes_gpc = Off
  ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
  magic_quotes_runtime = Off
  ; Use Sybase-style magic quotes (escape ' with '' instead of \').
  magic_quotes_sybase = Off
  ; Automatically add files before or after any PHP document.
  auto_prepend_file =
  auto_append_file =
  ; As of 4.0b4, PHP always outputs a character encoding by default in
  ; the Content-type: header. To disable sending of the charset, simply
  ; set it to be empty.
  ; PHP's built-in default is text/html
  default_mimetype = "text/html"
  ;default_charset = "iso-8859-1"
  ; Always populate the $HTTP_RAW_POST_DATA variable.
  ;always_populate_raw_post_data = On
  ; Paths and Directories ;
  ; UNIX: "/path1:/path2"
  ;include_path = ".:/usr/share/pear"
  ; The root of the PHP pages, used only if nonempty.
  ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
  ; if you are running php as a CGI under any web server (other than IIS)
  ; see documentation for security issues. The alternate is to use the
  ; cgi.force_redirect configuration below
  doc_root =
  ; The directory under which PHP opens the script using /~username used only
  ; if nonempty.
  user_dir =
  ; Directory in which the loadable extensions (modules) reside.
  extension_dir = "/usr/lib/php/modules/"
  ; Whether or not to enable the dl() function. The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
  ; disabled on them.
  enable_dl = Off
  ; cgi.force_redirect is necessary to provide security running PHP as a CGI under
  ; most web servers. Left undefined, PHP turns this on by default. You can
  ; turn it off here AT YOUR OWN RISK
  ; **You CAN safely turn this off for IIS, in fact, you MUST.**
  ; cgi.force_redirect = 1
  ; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
  ; every request.
  ; cgi.nph = 1
  ; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
  ; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
  ; will look for to know it is OK to continue execution. Setting this variable MAY
  ; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
  ; cgi.redirect_status_env = ;
  ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
  ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
  ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
  ; this to 1 will cause PHP CGI to fix it's paths to conform to the spec. A setting
  ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
  ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
  ; cgi.fix_pathinfo=1
  ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
  ; security tokens of the calling client. This allows IIS to define the
  ; security context that the request runs under. mod_fastcgi under Apache
  ; does not currently support this feature (03/17/2002)
  ; Set to 1 if running under IIS. Default is zero.
  ; fastcgi.impersonate = 1;
  ; Disable logging through FastCGI connection
  ; fastcgi.logging = 0
  ; cgi.rfc2616_headers configuration option tells PHP what type of headers to
  ; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
  ; is supported by Apache. When this option is set to 1 PHP will send
  ; RFC2616 compliant header.
  ; Default is zero.
  ;cgi.rfc2616_headers = 0
  ; File Uploads ;
  ; Whether to allow HTTP file uploads.
  file_uploads = On
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
  ;upload_tmp_dir =
  ; Maximum allowed size for uploaded files.
  upload_max_filesize = 128M
  ; Fopen wrappers ;
  ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
  allow_url_fopen = On
  ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
  allow_url_include = Off
  ; Define the anonymous ftp password (your email address)
  ;from="[email protected]"
  ; Define the User-Agent string
  ; user_agent="PHP"
  ; Default timeout for socket based streams (seconds)
  default_socket_timeout = 10
  ; Dynamic Extensions ;
  ; If you wish to have an extension loaded automatically, use the following
  ; syntax:
  ; extension=modulename.extension
  ; For example, under UNIX:
  ; extension=msql.so
  ; Note that it should be the name of the module only; no directory information
  ; needs to go here. Specify the location of the extension with the
  ; extension_dir directive above.
  ; Module Settings ;
  [Date]
  ; Defines the default timezone used by the date functions
  ;date.timezone =
  ;date.default_latitude = 31.7667
  ;date.default_longitude = 35.2333
  ;date.sunrise_zenith = 90.583333
  ;date.sunset_zenith = 90.583333
  [filter]
  ;filter.default = unsafe_raw
  ;filter.default_flags =
  [iconv]
  ;iconv.input_encoding = ISO-8859-1
  ;iconv.internal_encoding = ISO-8859-1
  ;iconv.output_encoding = ISO-8859-1
  [sqlite]
  ;sqlite.assoc_case = 0
  [xmlrpc]
  ;xmlrpc_error_number = 0
  ;xmlrpc_errors = 0
  [Pcre]
  ;PCRE library backtracking limit.
  ;pcre.backtrack_limit=100000
  ;PCRE library recursion limit.
  ;Please note that if you set this value to a high number you may consume all
  ;the available process stack and eventually crash PHP (due to reaching the
  ;stack size limit imposed by the Operating System).
  ;pcre.recursion_limit=100000
  [Syslog]
  ; Whether or not to define the various syslog variables (e.g. $LOG_PID,
  ; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In
  ; runtime, you can define these variables by calling define_syslog_variables().
  define_syslog_variables = Off
  [mail function]
  ; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
  ;sendmail_path =
  ; Force the addition of the specified parameters to be passed as extra parameters
  ; to the sendmail binary. These parameters will always replace the value of
  ; the 5th parameter to mail(), even in safe mode.
  ;mail.force_extra_parameters =
  [SQL]
  sql.safe_mode = Off
  [ODBC]
  ;odbc.default_db = Not yet implemented
  ;odbc.default_user = Not yet implemented
  ;odbc.default_pw = Not yet implemented
  ; Allow or prevent persistent links.
  odbc.allow_persistent = On
  ; Check that a connection is still valid before reuse.
  odbc.check_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  odbc.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  odbc.max_links = -1
  ; Handling of LONG fields. Returns number of bytes to variables. 0 means
  ; passthru.
  odbc.defaultlrl = 4096
  ; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
  ; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
  ; of uodbc.defaultlrl and uodbc.defaultbinmode
  odbc.defaultbinmode = 1
  [MySQL]
  ; Allow or prevent persistent links.
  mysql.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  mysql.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  mysql.max_links = -1
  ; Default port number for mysql_connect(). If unset, mysql_connect() will use
  ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
  ; compile-time value defined MYSQL_PORT (in that order).
  mysql.default_port =
  ; Default socket name for local MySQL connects. If empty, uses the built-in
  ; MySQL defaults.
  mysql.default_socket =
  ; Default host for mysql_connect() (doesn't apply in safe mode).
  mysql.default_host =
  ; Default user for mysql_connect() (doesn't apply in safe mode).
  mysql.default_user =
  ; Default password for mysql_connect() (doesn't apply in safe mode).
  ; Note that this is generally a *bad* idea to store passwords in this file.
  ; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
  ; and reveal this password! And of course, any users with read access to this
  ; file will be able to reveal the password as well.
  mysql.default_password =
  ; Maximum time (in seconds) for connect timeout. -1 means no limit
  mysql.connect_timeout = 60
  ; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
  ; SQL-Errors will be displayed.
  mysql.trace_mode = Off
  [MySQLi]
  ; Maximum number of links. -1 means no limit.
  mysqli.max_links = -1
  ; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
  ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
  ; compile-time value defined MYSQL_PORT (in that order).
  mysqli.default_port = 3306
  ; Default socket name for local MySQL connects. If empty, uses the built-in
  ; MySQL defaults.
  mysqli.default_socket =
  ; Default host for mysql_connect() (doesn't apply in safe mode).
  mysqli.default_host =
  ; Default user for mysql_connect() (doesn't apply in safe mode).
  mysqli.default_user =
  ; Default password for mysqli_connect() (doesn't apply in safe mode).
  ; Note that this is generally a *bad* idea to store passwords in this file.
  ; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
  ; and reveal this password! And of course, any users with read access to this
  ; file will be able to reveal the password as well.
  mysqli.default_pw =
  ; Allow or prevent reconnect
  mysqli.reconnect = Off
  [mSQL]
  ; Allow or prevent persistent links.
  msql.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  msql.max_persistent = -1
  ; Maximum number of links (persistent+non persistent). -1 means no limit.
  msql.max_links = -1
  [OCI8]
  ; enables privileged connections using external credentials (OCI_SYSOPER, OCI_SYSDBA)
  ;oci8.privileged_connect = Off
  ; Connection: The maximum number of persistent OCI8 connections per
  ; process. Using -1 means no limit.
  ;oci8.max_persistent = -1
  ; Connection: The maximum number of seconds a process is allowed to
  ; maintain an idle persistent connection. Using -1 means idle
  ; persistent connections will be maintained forever.
  ;oci8.persistent_timeout = -1
  ; Connection: The number of seconds that must pass before issuing a
  ; ping during oci_pconnect() to check the connection validity. When
  ; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
  ; pings completely.
  ;oci8.ping_interval = 60
  ; Tuning: This option enables statement caching, and specifies how
  ; many statements to cache. Using 0 disables statement caching.
  ;oci8.statement_cache_size = 20
  ; Tuning: Enables statement prefetching and sets the default number of
  ; rows that will be fetched automatically after statement execution.
  ;oci8.default_prefetch = 10
  ; Compatibility. Using On means oci_close() will not close
  ; oci_connect() and oci_new_connect() connections.
  ;oci8.old_oci_close_semantics = Off
  [PostgresSQL]
  ; Allow or prevent persistent links.
  pgsql.allow_persistent = On
  ; Detect broken persistent links always with pg_pconnect().
  ; Auto reset feature requires a little overheads.
  pgsql.auto_reset_persistent = Off
  ; Maximum number of persistent links. -1 means no limit.
  pgsql.max_persistent = -1
  ; Maximum number of links (persistent+non persistent). -1 means no limit.
  pgsql.max_links = -1
  ; Ignore PostgreSQL backends Notice message or not.
  ; Notice message logging require a little overheads.
  pgsql.ignore_notice = 0
  ; Log PostgreSQL backends Noitce message or not.
  ; Unless pgsql.ignore_notice=0, module cannot log notice message.
  pgsql.log_notice = 0
  [Sybase]
  ; Allow or prevent persistent links.
  sybase.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  sybase.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  sybase.max_links = -1
  ;sybase.interface_file = "/usr/sybase/interfaces"
  ; Minimum error severity to display.
  sybase.min_error_severity = 10
  ; Minimum message severity to display.
  sybase.min_message_severity = 10
  ; Compatibility mode with old versions of PHP 3.0.
  ; If on, this will cause PHP to automatically assign types to results according
  ; to their Sybase type, instead of treating them all as strings. This
  ; compatibility mode will probably not stay around forever, so try applying
  ; whatever necessary changes to your code, and turn it off.
  sybase.compatability_mode = Off
  [Sybase-CT]
  ; Allow or prevent persistent links.
  sybct.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  sybct.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  sybct.max_links = -1
  ; Minimum server message severity to display.
  sybct.min_server_severity = 10
  ; Minimum client message severity to display.
  sybct.min_client_severity = 10
  [bcmath]
  ; Number of decimal digits for all bcmath functions.
  bcmath.scale = 0
  [browscap]
  ;browscap = extra/browscap.ini
  [Informix]
  ; Default host for ifx_connect() (doesn't apply in safe mode).
  ifx.default_host =
  ; Default user for ifx_connect() (doesn't apply in safe mode).
  ifx.default_user =
  ; Default password for ifx_connect() (doesn't apply in safe mode).
  ifx.default_password =
  ; Allow or prevent persistent links.
  ifx.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  ifx.max_persistent = -1
  ; Maximum number of links (persistent + non-persistent). -1 means no limit.
  ifx.max_links = -1
  ; If on, select statements return the contents of a text blob instead of its id.
  ifx.textasvarchar = 0
  ; If on, select statements return the contents of a byte blob instead of its id.
  ifx.byteasvarchar = 0
  ; Trailing blanks are stripped from fixed-length char columns. May help the
  ; life of Informix SE users.
  ifx.charasvarchar = 0
  ; If on, the contents of text and byte blobs are dumped to a file instead of
  ; keeping them in memory.
  ifx.blobinfile = 0
  ; NULL's are returned as empty strings, unless this is set to 1. In that case,
  ; NULL's are returned as string 'NULL'.
  ifx.nullformat = 0
  [Session]
  ; Handler used to store/retrieve data.
  session.save_handler = files
  ; Argument passed to save_handler. In the case of files, this is the path
  ; where data files are stored.
  ; As of PHP 4.0.1, you can define the path as:
  ; session.save_path = "N;/path"
  ; where N is an integer. Instead of storing all the session files in
  ; /path, what this will do is use subdirectories N-levels deep, and
  ; store the session data in those directories. This is useful if you
  ; or your OS have problems with lots of files in one directory, and is
  ; a more efficient layout for servers that handle lots of sessions.
  ; NOTE 1: PHP will not create this directory structure automatically.
  ; You can use the script in the ext/session dir for that purpose.
  ; NOTE 2: See the section on garbage collection below if you choose to
  ; use subdirectories for session storage
  ; The file storage module creates files using mode 600 by default.
  ; You can change that by using
  ; session.save_path = "N;MODE;/path"
  ; where MODE is the octal representation of the mode. Note that this
  ; does not overwrite the process's umask.
  session.save_path = "/www/sessions"
  ; Whether to use cookies.
  session.use_cookies = 1
  ;session.cookie_secure =
  ; This option enables administrators to make their users invulnerable to
  ; attacks which involve passing session ids in URLs; defaults to 0.
  session.use_only_cookies = 1
  ; Name of the session (used as cookie name).
  session.name = ServerSessionIdentifier
  ; Initialize session on request startup.
  session.auto_start = 0
  ; Lifetime in seconds of cookie or, if 0, until browser is restarted.
  session.cookie_lifetime = 0
  ; The path for which the cookie is valid.
  session.cookie_path = /
  ; The domain for which the cookie is valid.
  session.cookie_domain =
  ; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
  session.cookie_httponly = 1
  ; Handler used to serialize data. php is the standard serializer of PHP.
  session.serialize_handler = php
  ; Define the probability that the 'garbage collection' process is started
  ; on every session initialization.
  ; The probability is calculated by using gc_probability/gc_divisor,
  ; e.g. 1/100 means there is a 1% chance that the GC process starts
  ; on each request.
  session.gc_probability = 1
  session.gc_divisor = 30
  ; After this number of seconds, stored data will be seen as 'garbage' and
  ; cleaned up by the garbage collection process.
  session.gc_maxlifetime = 3600
  ; NOTE: If you are using the subdirectory option for storing session files
  ; (see session.save_path above), then garbage collection does *not*
  ; happen automatically. You will need to do your own garbage
  ; collection through a shell script, cron entry, or some other method.
  ; For example, the following script would is the equivalent of
  ; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
  ; cd /path/to/sessions; find -cmin +24 | xargs rm
  ; PHP 4.2 and less have an undocumented feature/bug that allows you to
  ; to initialize a session variable in the global scope, albeit register_globals
  ; is disabled. PHP 4.3 and later will warn you, if this feature is used.
  ; You can disable the feature and the warning separately. At this time,
  ; the warning is only displayed, if bug_compat_42 is enabled.
  session.bug_compat_42 = 0
  session.bug_compat_warn = 1
  ; Check HTTP Referer to invalidate externally stored URLs containing ids.
  ; HTTP_REFERER has to contain this substring for the session to be
  ; considered as valid.
  session.referer_check =
  ; How many bytes to read from the file.
  session.entropy_length = 0
  ; Specified here to create the session id.
  session.entropy_file =
  ;session.entropy_length = 16
  ;session.entropy_file = /dev/urandom
  ; Set to {nocache,private,public,} to determine HTTP caching aspects
  ; or leave this empty to avoid sending anti-caching headers.
  session.cache_limiter = none
  ; Document expires after n minutes.
  session.cache_expire = 0
  ; trans sid support is disabled by default.
  ; Use of trans sid may risk your users security.
  ; Use this option with caution.
  ; - User may send URL contains active session ID
  ; to other person via. email/irc/etc.
  ; - URL that contains active session ID may be stored
  ; in publically accessible computer.
  ; - User may access your site with the same session ID
  ; always using URL stored in browser's history or bookmarks.
  session.use_trans_sid = 0
  ; Select a hash function
  ; 0: MD5 (128 bits)
  ; 1: SHA-1 (160 bits)
  session.hash_function = 1
  ; Define how many bits are stored in each character when converting
  ; the binary hash data to something readable.
  ; 4 bits: 0-9, a-f
  ; 5 bits: 0-9, a-v
  ; 6 bits: 0-9, a-z, A-Z, "-", ","
  session.hash_bits_per_character = 6
  ; The URL rewriter will look for URLs in a defined set of HTML tags.
  ; form/fieldset are special; if you include them here, the rewriter will
  ; add a hidden <input> field with the info which is otherwise appended
  ; to URLs. If you want XHTML conformity, remove the form entry.
  ; Note that all valid entries require a "=", even if no value follows.
  ;url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
  [MSSQL]
  ; Allow or prevent persistent links.
  mssql.allow_persistent = On
  ; Maximum number of persistent links. -1 means no limit.
  mssql.max_persistent = -1
  ; Maximum number of links (persistent+non persistent). -1 means no limit.
  mssql.max_links = -1
  ; Minimum error severity to display.
  mssql.min_error_severity = 10
  ; Minimum message severity to display.
  mssql.min_message_severity = 10
  ; Compatibility mode with old versions of PHP 3.0.
  mssql.compatability_mode = Off
  ; Connect timeout
  ;mssql.connect_timeout = 5
  ; Query timeout
  ;mssql.timeout = 60
  ; Valid range 0 - 2147483647. Default = 4096.
  ;mssql.textlimit = 4096
  ; Valid range 0 - 2147483647. Default = 4096.
  ;mssql.textsize = 4096
  ; Limits the number of records in each batch. 0 = all records in one batch.
  ;mssql.batchsize = 0
  ; Specify how datetime and datetim4 columns are returned
  ; On => Returns data converted to SQL server settings
  ; Off => Returns values as YYYY-MM-DD hh:mm:ss
  ;mssql.datetimeconvert = On
  ; Use NT authentication when connecting to the server
  mssql.secure_connection = Off
  ; Specify max number of processes. -1 = library default
  ; msdlib defaults to 25
  ; FreeTDS defaults to 4096
  ;mssql.max_procs = -1
  ; Specify client character set.
  ; If empty or not set the client charset from freetds.comf is used
  ; This is only used when compiled with FreeTDS
  ;mssql.charset = "ISO-8859-1"
  [Assertion]
  ; Assert(expr); active by default.
  ;assert.active = On
  ; Issue a PHP warning for each failed assertion.
  ;assert.warning = On
  ; Don't bail out by default.
  ;assert.bail = Off
  ; User-function to be called if an assertion fails.
  ;assert.callback = 0
  ; Eval the expression with current error_reporting(). Set to true if you want
  ; error_reporting(0) around the eval().
  ;assert.quiet_eval = 0
  [COM]
  ; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
  ;com.typelib_file =
  ; allow Distributed-COM calls
  ;com.allow_dcom = true
  ; autoregister constants of a components typlib on com_load()
  ;com.autoregister_typelib = true
  ; register constants casesensitive
  ;com.autoregister_casesensitive = false
  ; show warnings on duplicate constant registrations
  ;com.autoregister_verbose = true
  [mbstring]
  ; language for internal character representation.
  ;mbstring.language = Japanese
  ; internal/script encoding.
  ; Some encoding cannot work as internal encoding.
  ; (e.g. SJIS, BIG5, ISO-2022-*)
  ;mbstring.internal_encoding = EUC-JP
  ; http input encoding.
  ;mbstring.http_input = auto
  ; http output encoding. mb_output_handler must be
  ; registered as output buffer to function
  ;mbstring.http_output = SJIS
  ; enable automatic encoding translation according to
  ; mbstring.internal_encoding setting. Input chars are
  ; converted to internal encoding by setting this to On.
  ; Note: Do _not_ use automatic encoding translation for
  ; portable libs/applications.
  ;mbstring.encoding_translation = Off
  ; automatic encoding detection order.
  ; auto means
  ;mbstring.detect_order = auto
  ; substitute_character used when character cannot be converted
  ; one from another
  ;mbstring.substitute_character = none;
  ; overload(replace) single byte functions by mbstring functions.
  ; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
  ; etc. Possible values are 0,1,2,4 or combination of them.
  ; For example, 7 for overload everything.
  ; 0: No overload
  ; 1: Overload mail() function
  ; 2: Overload str*() functions
  ; 4: Overload ereg*() functions
  ;mbstring.func_overload = 0
  ; enable strict encoding detection.
  ;mbstring.strict_encoding = Off
  [FrontBase]
  ;fbsql.allow_persistent = On
  ;fbsql.autocommit = On
  ;fbsql.show_timestamp_decimals = Off
  ;fbsql.default_database =
  ;fbsql.default_database_password =
  ;fbsql.default_host =
  ;fbsql.default_password =
  ;fbsql.default_user = "_SYSTEM"
  ;fbsql.generate_warnings = Off
  ;fbsql.max_connections = 128
  ;fbsql.max_links = 128
  ;fbsql.max_persistent = -1
  ;fbsql.max_results = 128
  [gd]
  ; Tell the jpeg decode to libjpeg warnings and try to create
  ; a gd image. The warning will then be displayed as notices
  ; disabled by default
  ;gd.jpeg_ignore_warning = 0
  [exif]
  ; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
  ; With mbstring support this will automatically be converted into the encoding
  ; given by corresponding encode setting. When empty mbstring.internal_encoding
  ; is used. For the decode settings you can distinguish between motorola and
  ; intel byte order. A decode setting cannot be empty.
  ;exif.encode_unicode = ISO-8859-15
  ;exif.decode_unicode_motorola = UCS-2BE
  ;exif.decode_unicode_intel = UCS-2LE
  ;exif.encode_jis =
  ;exif.decode_jis_motorola = JIS
  ;exif.decode_jis_intel = JIS
  [Tidy]
  ; The path to a default tidy configuration file to use when using tidy
  ;tidy.default_config = /usr/local/lib/php/default.tcfg
  ; Should tidy clean and repair output automatically?
  ; WARNING: Do not use this option if you are generating non-html content
  ; such as dynamic images
  tidy.clean_output = Off
  [soap]
  ; Enables or disables WSDL caching feature.
  soap.wsdl_cache_enabled=1
  ; Sets the directory name where SOAP extension will put cache files.
  soap.wsdl_cache_dir="/tmp"
  ; (time to live) Sets the number of second while cached file will be used
  ; instead of original one.
  soap.wsdl_cache_ttl=86400
  ; available extensions
  ;extension=bcmath.so
  ;extension=bz2.so
  ;extension=calendar.so
  ;extension=curl.so
  ;extension=dba.so
  ;extension=dbase.so
  ;extension=exif.so
  ;extension=ftp.so
  extension=gd.so
  extension=gettext.so
  ;extension=iconv.so
  ;extension=imap.so
  ;extension=json.so
  ;extension=ldap.so
  extension=mcrypt.so
  ;extension=mime_magic.so
  extension=mysql.so
  ;extension=mysqli.so
  ;extension=ncurses.so
  ;extension=odbc.so
  extension=openssl.so
  extension=pdo.so
  extension=pdo_mysql.so
  ;extension=pdo_odbc.so
  ;extension=pdo_pgsql.so
  ;extension=pdo_sqlite.so
  ;extension=pgsql.so
  ;extension=posix.so
  ;extension=pspell.so
  extension=session.so
  ;extension=shmop.so
  ;extension=snmp.so
  ;extension=soap.so
  extension=sockets.so
  ;extension=sqlite.so
  ;extension=sysvmsg.so
  ;extension=sysvsem.so
  ;extension=sysvshm.so
  ;extension=tidy.so
  ;extension=xmlrpc.so
  ;extension=xsl.so
  ;extension=zip.so
  extension=zlib.so
  ; Local Variables:
  ; tab-width: 4
  ; End:
  Some more info:
  [root@Taurine etc]# php-cgi -m
  [PHP Modules]
  cgi-fcgi
  Core
  ctype
  date
  dom
  ereg
  fileinfo
  filter
  gettext
  hash
  libxml
  mbstring
  mysql
  mysqlnd
  openssl
  pcre
  PDO
  pdo_mysql
  Reflection
  session
  SimpleXML
  sockets
  SPL
  standard
  tokenizer
  xml
  xmlreader
  xmlwriter
  zlib
  [Zend Modules]
  [root@Taurine etc]# php-cgi -v
  PHP 5.3.0 with Suhosin-Patch (cgi-fcgi) (built: Sep 16 2009 13:55:34)
  Copyright (c) 1997-2009 The PHP Group
  Zend Engine v2.3.0, Copyright (c) 1998-2009 Zend Technologies
  [root@Taurine etc]# cd /usr/lib/php/modules/
  [root@Taurine modules]# ls -alh
  totalt 3,2M
  drwxr-xr-x 2 root root 4,0K 16 sep 13.57 .
  drwxr-xr-x 4 root root 4,0K 16 sep 13.57 ..
  -rwxr-xr-x 1 root root 27K 16 sep 13.57 bcmath.so
  -rwxr-xr-x 1 root root 21K 16 sep 13.57 bz2.so
  -rwxr-xr-x 1 root root 25K 16 sep 13.57 calendar.so
  -rwxr-xr-x 1 root root 51K 16 sep 13.57 dba.so
  -rwxr-xr-x 1 root root 52K 16 sep 13.57 exif.so
  -rwxr-xr-x 1 root root 46K 16 sep 13.57 ftp.so
  -rwxr-xr-x 1 root root 11K 16 sep 13.57 gettext.so
  -rwxr-xr-x 1 root root 37K 16 sep 13.57 iconv.so
  -rwxr-xr-x 1 root root 1,2M 16 sep 13.57 imap.so
  -rwxr-xr-x 1 root root 35K 16 sep 13.57 json.so
  -rwxr-xr-x 1 root root 43K 16 sep 13.57 mysql.so
  -rwxr-xr-x 1 root root 109K 16 sep 13.57 mysqli.so
  -rwxr-xr-x 1 root root 110K 16 sep 13.57 openssl.so
  -rwxr-xr-x 1 root root 98K 16 sep 13.57 pdo.so
  -rwxr-xr-x 1 root root 24K 16 sep 13.57 pdo_mysql.so
  -rwxr-xr-x 1 root root 286K 16 sep 13.57 phar.so
  -rwxr-xr-x 1 root root 26K 16 sep 13.57 posix.so
  -rwxr-xr-x 1 root root 9,8K 16 sep 13.57 shmop.so
  -rwxr-xr-x 1 root root 356K 16 sep 13.57 soap.so
  -rwxr-xr-x 1 root root 46K 16 sep 13.57 sockets.so
  -rwxr-xr-x 1 root root 355K 16 sep 13.57 sqlite.so
  -rwxr-xr-x 1 root root 15K 16 sep 13.57 sysvmsg.so
  -rwxr-xr-x 1 root root 8,3K 16 sep 13.57 sysvsem.so
  -rwxr-xr-x 1 root root 11K 16 sep 13.57 sysvshm.so
  -rwxr-xr-x 1 root root 79K 16 sep 13.57 xmlrpc.so
  -rwxr-xr-x 1 root root 79K 16 sep 13.57 zip.so
  Last edited by nullvoid (2009-09-22 17:39:47)

• AIR-LAP1242G-E-K9 do not work with AIR-CT5508-K9 while AIR-LAP1142N-E-K9 do

  Hello,
  we do have a site where we need to deploy AIR-LAP1142N-E-K9 and AIR-LAP1242G-E-K9 APs. We have two AIR-CT5508-K9 controllers with SW version                  6.0.188.0.
  AIR-LAP1142N-E-K9s work okay, as expected, we do not have any problems with them.
  However AIR-LAP1242G-E-K9s do not, there is a problem with establishing CAPWAP tunnel with the controller.The AP is seen on the controller for a while, with 0 time up-time, cannot change any settings on the AP via controller, and after a while it disapears from the controller, apears again and this repeats.
  The APs and controllers are connected to the LAN campus.
  Controllers via two 1G links configured as Etherchannel to WS-C6506-E VSS switch with s72033-ipservicesk9_wan-vz.122-33.SXI1.bin on it.
  APs to WS-C3750G-48PS with c3750-ipbasek9-mz.122-50.SE2.bin on it. 3750 is connected to the C6505 via two 1G links configured as Etherchannel.
  Below I copied the log I captured on 1242 and the controller. Highlighted ones are the ones which I think might bring a clue.
  I performed some troubleshooting steps.
  - As we have some other controllers available over WAN, I  tested the 1242 AP  with 2100, 4400 and also with the same model AIR-CT5508-K9 with SW version                  6.0.188.0 over WAN and this worked always okay.
  - I wanted to be sure that I eliminate any kind of out of sequence packet issue, so I brought down all redundancy L2 links so that the L2 path from the AP to the controller was only through one leg links.
  - I also brought the second controller down to eliminate potential issue with having two of them up.
  - The AP gets its IP from DHCP configured on the C6506 switch, I am always able to ssh to AP, so the IP connectivity does not seem to be an issue.
  - I have more 1242s, all behave in the same way. I also connected them to some other 3750 switches we have in the campus, always the same.
  - As this seems to be maybe a kind of ssl issue, I tried to play with controller settings, like enabling Accept... options  under Security/AP Policy,but this did not help.
  - I also tried to reboot the controller, no improvement.
  - The APs came from the factory, so in the beginning everything was factory default in them. They were always able to download the image from the controller in the very initial phase. I still do have some of them untouched, so I can perform any troubleshooting steps with the fresh one.
  I can reproduce this, can also send debugging logs if needed.
  Any idea on what could be wrong is highly appreciated.
  Thank you.
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  This Discussion has been converted into document:- https://supportforums.cisco.com/docs/DOC-23054
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  AIR-LAP1242G-E-K9 10.0.13.28 log
  *Mar  1 00:00:05.922: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
  *Mar  1 00:00:07.536: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot1 1Radio 0
  *Mar  1 00:00:07.672: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 304 messages)
  *Mar  1 00:00:09.809: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
  *Mar  1 00:00:09.874: %SYS-5-RESTART: System restarted --
  Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.4(21a)JA2, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Mon 02-Nov-09 18:42 by prod_rel_team
  *Mar  1 00:00:09.874: %SNMP-5-COLDSTART: SNMP agent on host wuen4028 is undergoing a cold start
  *Mar  1 00:00:09.964: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
  *Mar  1 00:00:09.967: bsnInitRcbSlot: slot 1 has NO radio
  *Mar  1 00:00:10.191: %SSH-5-ENABLED: SSH 2.0 has been enabled
  *Mar  1 00:00:10.191: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
  *Mar  1 00:00:10.430: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Mar  1 00:00:10.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
  *Mar  1 00:00:11.212: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Mar  1 00:00:18.315: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 10.0.13.28, mask 2 55.255.255.0, hostname wuen4028
  *Mar  1 00:00:28.988: Logging LWAPP message to 255.255.255.255.
  *Mar  1 00:00:31.456: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
  *Mar  1 00:00:31.495: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
  *Mar  1 00:00:32.457: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Mar  1 00:00:32.457: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
  *Mar  1 00:00:38.810: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
  *Mar  1 00:00:47.811: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
  *Mar  1 00:00:56.812: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER
  *Mar  1 00:01:07.815: %CAPWAP-3-ERRORLOG: Selected MWAR 'wuen4001'(index 0).
  *Mar  1 00:01:07.815: %CAPWAP-3-ERRORLOG: Go join a capwap controller
  *Feb 11 07:52:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.13.5 peer_port: 5246
  *Feb 11 07:52:24.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
  *Feb 11 07:52:25.441: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.13.5 peer_port:  5246
  *Feb 11 07:52:25.443: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.13.5
  *Feb 11 07:52:25.443: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
  *Feb 11 07:52:25.445: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 10.0.13.5
  *Feb 11 07:52:25.445: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
  *Feb 11 07:52:25.445: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
  *Feb 11 07:52:25.445: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 10.0.13.5
  *Feb 11 07:52:30.441: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.13.5
  *Feb 11 07:52:30.442: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 10.0.13.5
  *Feb 11 07:52:30.443: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
  *Feb 11 07:52:30.443: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
  *Feb 11 07:52:30.443: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 10.0.13.5
  *Feb 11 07:52:47.644: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
  *Feb 11 07:53:23.999: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.0.13.5:5246
  *Feb 11 07:53:24.000: %CAPWAP-3-ERRORLOG: Selected MWAR 'wuen4001'(index 0).
  *Feb 11 07:53:24.000: %CAPWAP-3-ERRORLOG: Go join a capwap controller
  *Feb 11 07:52:24.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.13.5 peer_port: 5246
  *Feb 11 07:52:24.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
  *Feb 11 07:52:24.001: %DTLS-5-PEER_DISCONNECT: Peer 10.0.13.5 has closed connection.
  *Feb 11 07:52:24.001: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.0.13.5:5246
  *Feb 11 07:52:24.002: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
  *Feb 11 07:52:24.123: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
  wuen4028#
  AIR-CT5508-K9 10.0.13.5 log
  *Feb 11 09:00:54.824: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2171 Failed to c
  omplete DTLS handshake with peer 10.0.13.28
                                             *Feb 11 08:59:53.798: %DOT1X-3-MAX_EA
  P_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for
  client 00:1f:3b:93:dd:4f
  *Feb 11 08:59:51.197: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP ident
  ity request retries (3) exceeded for client 00:c0:a8:e1:b1:71
  --More-- or (q)uit
  *Feb 11 08:59:21.212: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Di
  rector: Could not find valid channel lists for 802.11bg
  *Feb 11 08:58:39.766: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2171 Failed to c
  omplete DTLS handshake with peer 10.0.13.28
                                             *Feb 11 08:57:06.131: %RRM-3-RRM_LOGM
  SG: rrmChanUtils.c:292 RRM LOG: Airewave Director: Could not find valid channel
  lists for 802.11bg
  *Feb 11 08:56:24.504: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2171 Failed to c
  omplete DTLS handshake with peer 10.0.13.28
                                             *Feb 11 08:55:09.693: %DOT1X-3-MAX_EA
  P_RETRIES: 1x_auth_pae.c:2862 Max EAP identity request retries (3) exceeded for
  client 00:1f:3b:93:dd:4f
  *Feb 11 08:54:51.040: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Di
  rector: Could not find valid channel lists for 802.11bg
  *Feb 11 08:53:56.493: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmis
  sions exceeded for client 00:1f:3b:93:dd:4f
  *Feb 11 08:53:34.497: %DTL-3-OSARP_DEL_FAILED: dtl_arp.c:1380 Unable to delete a
  n ARP entry for 10.0.13.28 from the operating system. ioctl operation failed
  *Feb 11 08:52:35.936: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Di
  rector: Could not find valid channel lists for 802.11bg
  *Feb 11 08:52:26.492: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmis
  sions exceeded for client 00:1f:3b:93:dd:4f
  *Feb 11 08:50:07.680: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmis
  sions exceeded for client 00:1f:3b:93:e6:57
  *Feb 11 08:48:37.458: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP ident
  ity request retries (3) exceeded for client 00:1f:3b:93:e6:57
  *Feb 11 08:47:37.438: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmis
  sions exceeded for client 00:1f:3b:93:e6:57
  *Feb 11 08:47:34.438: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP ident
  ity request retries (3) exceeded for client 00:16:44:1d:0f:53
  *Feb 11 08:46:32.422: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-ke
  y M3 retransmissions exceeded for client 00:16:44:1d:0f:53
  *Feb 11 08:46:06.790: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP ident
  ity request retries (3) exceeded for client 00:1f:3b:95:61:bd
  *Feb 11 08:46:06.789: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication abor
  ted for client 00:1f:3b:95:61:bd
  *Feb 11 08:46:06.210: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP ident
  ity request retries (3) exceeded for client 00:1f:3b:93:e6:57
  *Feb 11 08:45:34.304: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2862 Max EAP ident
  ity request retries (3) exceeded for client 00:1f:3b:95:61:bd
  *Feb 11 08:45:34.303: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication abor
  ted for client 00:1f:3b:95:61:bd
  *Feb 11 08:45:01.298: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:292 RRM LOG: Airewave Di
  rector: Could not find valid channel lists for 802.11bg
  *Feb 11 08:44:38.076: %SIM-3-PORT_UP: sim.c:9547 Physical port 2 is up!.
  *Feb 11 08:44:38.037: %SIM-3-PORT_UP: sim.c:9547 Physical port 1 is up!.
  --More-- or (q)uit
  *Feb 11 08:44:38.009: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'cliWebInitParms.cfg'
  *Feb 11 08:44:37.980: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'rrcEngineInitParms.cfg'
  *Feb 11 08:44:37.980: %CNFGR-3-INV_COMP_ID: cnfgr.c:2105 Invalid Component Id :
  Unrecognized (81) in cfgConfiguratorInit.
  *Feb 11 08:44:37.928: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'rfidInitParms.cfg'
  *Feb 11 08:44:37.915: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'dhcpParms.cfg'
  *Feb 11 08:44:37.903: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'bcastInitParms.cfg'
  *Feb 11 08:44:37.834: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'rrmInitParms.cfg'
  *Feb 11 08:44:27.331: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'apfInitParms.cfg'                                            
  *Feb 11 08:44:27.226: %MM-3-MEMBER_ADD_FAILED: mm_dir.c:903 Could not add Mobili
  ty Member. Reason: IP already assigned, Member-Count:1,MAC: 00:00:00:00:00:00, I
  P: 0.0.0.0
  *Feb 11 08:44:27.023: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'mmInitParms.cfg'
  *Feb 11 08:44:27.013: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'aaaapiInitParms.cfg'
  *Feb 11 08:44:27.011: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'pemInitParms.cfg'
  *Feb 11 08:44:26.898: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'dot1xInitParms.cfg'
  *Feb 11 08:44:26.868: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'capwapInitParms.cfg'
  *Feb 11 08:44:26.718: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'spamInitParms.cfg'
  *Feb 11 08:44:25.650: %SSHPM-3-FREAD_FAILED: sshpmlscscep.c:1395 Error reading f
  ile /mnt/application/lscca_pem.crt
  *Feb 11 08:44:06.435: %SYSTEM-3-FILE_READ_FAIL: nvstore.c:422 Failed to read con
  figuration file 'sshpmInitParms.cfg'  

  Thanks for such quick response and suggestions.
  Yes, I seem not to to be 100% perfect as for the list of troubleshooting steps I took.
  I had already tried the two commands you mentioned. I tried again, this time with some other 1242, but these do not help.
  Yes, I was already thinking that this could be in theory a licensing issue. The controller is bougth with 25 licenses.
  In the beginnign I had one 1142 on it and tried to enable 1242s which did not work. Now I have five 1142s on it, as this worked okay, I guess it could not be a licensing issue.
  I think that I can see in the log files that the machines communicate to each other, L2 or L3 paths seem to be working okay. I forgot to mention that I am using option 43 on the DHCP server, so the AP clearly finds its way to the controller. What's more both APs and the controllers are in the same VLAN, so they are in the same broadcast domain.
  Below is sho ver from the AP. The AP seems to have Certificate type - manufacture installed, so I guess there should not be a problem with the certificate, especially knowing that the AP works with other controllers over WAN.
  My guess these messages seen on AP especially "Invalid event 38 & state 3 combination" might tell us what's wrong.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  *Feb 11 07:52:24.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
  *Feb 11 07:52:24.001: %DTLS-5-PEER_DISCONNECT: Peer 10.0.13.5 has closed connection.
  *Feb 11 07:52:24.001: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 10.0.13.5:5246
  *Feb 11 07:52:24.002: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.
  *Feb 11 07:52:24.123: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is not established.
  Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.4(21a)JA2, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Mon 02-Nov-09 18:42 by prod_rel_team
  ROM: Bootstrap program is C1240 boot loader
  BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
  AP9caf.ca00.1c78 uptime is 17 minutes
  System returned to ROM by power-on
  System image file is "flash:/c1240-k9w8-mx.124-21a.JA2/c1240-k9w8-mx.124-21a.JA2"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  cisco AIR-LAP1242G-E-K9    (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
  Processor board ID FCZ135082GH
  PowerPCElvis CPU at 262Mhz, revision number 0x0950
  Last reset from power-on
  LWAPP image version 6.0.188.0
  1 FastEthernet interface
  1 802.11 Radio(s)
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: 9C:AF:CA:00:1C:78
  Part Number                          : 73-11479-01
  PCA Assembly Number                  : 800-30493-01
  PCA Revision Number                  : A0
  PCB Serial Number                    : FOC13484GYY
  Top Assembly Part Number             : 800-29589-03
  Top Assembly Serial Number           : FCZ135082GH
  Top Revision Number                  : A0
  Product/Model Number                 : AIR-LAP1242G-E-K9
  Configuration register is 0xF
  AP9caf.ca00.1c78#

• My Time Capsule does not work with existing WiFi

  Following a question solved on March 24 by LaPastenague, but gone bad again.
  Apple AirPort Time Capsule
  I felt the need for a physical backup of my data, as I would not completely trust the different clouds. I use, and have used Dropbox for 4-5 years and are very satisfied with that, but I am still not sure if or when a political lunatic will shut off the internet.
  I purchased the Apple AP Time Capsule 2T, because all my other stuff are Apple, and that it's wireless. My old backup is Maxtor 300 GB.
  Since we stay 2-3 weeks on two locations, one in Norway and one in Sweden (two different countries) we must use Mobile Broadband 4G, cables or fibre connections are useless for us, and we don't have it up to the houses. I have one mini router for each country, we bring with us iPhones, iPads, iMac, Apple TV, APExpress. When we pass the boarder I change the mini router, and the system continues working perfect on the WiFi, except the APExpress that needs to be reconfigured,  but then it works.
  The APTC was difficult to make working as it would not accept to be in an existing network, but with good help from the Apple Community, LaPastenague, with forcing the TC connect to the APE with Ethernet cable in bridge mode, ref "My Time Capsule does not work with existing WiFi" from March 24, the problem was solved and all gadgets worked together in a perfect harmony, until we changed location.
  Now, as I have my second WiFi network, and the APExspress is reconfigured, it's like the TC thinks, I am the base boss here, I am not taking orders from APE one more time, and it simply does not work, not only that, it fluctuates all the time.
  I have a slight feeling that the two WiFi bands are making the trouble as during the configuration of the TC sometime the last figure 6 and 7 pops up, and that has something two do with the two different 2,4 and 5 GHZ bands
  So, I am curious if you have any idea ?
  I am thinking of returning the TC if I don't make it work now, but how do I delete all the data that's on it?

  I can deal with the last question first and easily.
  I am thinking of returning the TC if I don't make it work now, but how do I delete all the data that's on it?
  Open the airport utility .. go to the disk tab and select erase.
  When you select erase you will get mulitiple options.
  Quick removes the file table but does not delete the files,, it takes 2min or less.
  A Zero out data is the secure way,, by writing 0 ie low level drive format.
  It can take several hours..
  7 pass will take a week.. not recommended..
  35 pass erase is ridiculous.. it would take a month.. put an ax through the TC. It is quick and better.
  Now, as I have my second WiFi network, and the APExspress is reconfigured, it's like the TC thinks, I am the base boss here, I am not taking orders from APE one more time, and it simply does not work, not only that, it fluctuates all the time.
  The fact that it did work and has now failed might point to faulty unit.
  The only way to tell is reset it properly to factory and start over.
  Universal Factory Reset.. any model TC or AE.
  Unplug your TC/AE from power or turn off at the power point.
  Hold in reset. and power the TC/AE back on..  all without releasing reset and keep holding in for about 10sec. (this is often difficult without a 2nd person or a 3rd arm).
  Release it when the status light flashes rapidly. If it doesn’t flash rapidly you have missed it and try again.
  Note..
  Be Gentle! Feel the switch click on. It has a positive feel..  add no more pressure after that.
  TC/AE will reboot after a couple of minutes with default factory settings and will wipe out previous configurations of the router.
  No files are deleted on the hard disk in a TC.. No reset of the TC deletes files.. to do that you use erase from the airport utility.
  Generally having multiple wireless AP should not cause problems.. but it is better to set channels manually.. so it doesn't go beserk rotating channels.
  Remember to keep all names short, no spaces and pure alphanumeric.
  Sadly though the Apple routers have no logging now and no SNMP and almost nothing to help diagnose a problem, so if it continues .. take it back to apple.. they have given you no other method of fixing it.

• ASA-5505 Site-to-Site Not Working

  I am somewhat new to Cisco but to do have some experience. I am trying to connect two ASA 5505's together via site-to-site VPN. They are configured with public IPs and all other services are working. I have used the VPN wizard on both boxes successfully but the tunnels are not working. The two devices are on the Comcast network. Any help would be appreacited.
  Site A: ASA 5505 w/50 User license
  Site B: ASA 5505 w/10 User license
  Site A Config:
  ASA Version 8.2(5)
  hostname *********************
  enable password 6.De4e7UzES9wBPg encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.100.10 Web_Server
  name 10.0.6.0 Ghost_Flower_Inside
  name 10.0.5.0 San_Mateo_Inside
  name 10.0.5.100 Any_Connect_100
  name 10.0.5.101 Any_Connect_101
  name 10.0.5.102 Any_Connect_102
  name 10.0.5.103 Any_Connect_103
  name 10.0.5.104 Any_Connect_104
  name 10.0.5.105 Any_Connect_105
  name 10.0.5.106 Any_Connect_106
  name 10.0.5.107 Any_Connect_107
  name 10.0.5.108 Any_Connect_108
  name 10.0.5.109 Any_Connect_109
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 12
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.5.201 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 173.10.XXX.XXX 255.255.255.252
  interface Vlan12
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 192.168.100.1 255.255.255.0
  ftp mode passive
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 75.75.75.75
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group network Any_Connect_DHCP
  network-object host Any_Connect_100
  network-object host Any_Connect_101
  network-object host Any_Connect_102
  network-object host Any_Connect_103
  network-object host Any_Connect_104
  network-object host Any_Connect_105
  network-object host Any_Connect_106
  network-object host Any_Connect_107
  network-object host Any_Connect_108
  network-object host Any_Connect_109
  access-list outside_access_in extended permit tcp any interface outside eq www
  access-list outside_access_in extended permit tcp any interface outside eq ssh
  access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool AnyConnectDHCPPool Any_Connect_100-10.0.5.110 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  global (dmz) 1 192.168.100.2 netmask 255.255.255.255
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (dmz,outside) tcp interface www Web_Server www netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 173.10.XXX.XXX 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 10.0.1.0 255.255.255.0 inside
  http 10.1.10.0 255.255.255.0 outside
  http San_Mateo_Inside 255.255.255.255 inside
  http San_Mateo_Inside 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 173.12.XXX.XXX
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  vpn-sessiondb max-webvpn-session-limit 10
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 10.0.1.0 255.255.255.0 inside
  ssh San_Mateo_Inside 255.255.255.0 inside
  ssh 10.1.10.0 255.255.255.0 outside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.0.5.10-10.0.5.30 inside
  dhcpd dns 75.75.75.75 75.75.76.76 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  anyconnect-essentials
  svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
  svc profiles CATS disk0:/cats.xml
  svc enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  dns-server value 75.75.75.75
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  webvpn
    svc profiles value CATS
  username user1 password tTq7bIZ.C4x0j.qv encrypted privilege 15
  username ********* password sPxon1E6hTszm7Ko encrypted privilege 15
  tunnel-group 173.12.XXX.XXX type ipsec-l2l
  tunnel-group 173.12.XXX.XXX ipsec-attributes
  pre-shared-key *****
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:1751532c3624a6c2eec3c1ae0c31fe03
  : end
  Site B:
  ASA Version 8.2(5)
  hostname ***************
  enable password 6.De4e7UzES9wBPg encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.100.10 Web_Server
  name 10.0.6.0 Ghost_Flower_Inside
  name 10.0.5.0 San_Mateo_Inside
  name 10.0.5.100 Any_Connect_100
  name 10.0.5.101 Any_Connect_101
  name 10.0.5.102 Any_Connect_102
  name 10.0.5.103 Any_Connect_103
  name 10.0.5.104 Any_Connect_104
  name 10.0.5.105 Any_Connect_105
  name 10.0.5.106 Any_Connect_106
  name 10.0.5.107 Any_Connect_107
  name 10.0.5.108 Any_Connect_108
  name 10.0.5.109 Any_Connect_109
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  switchport access vlan 12
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.5.201 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 173.10.XXX.XXX 255.255.255.252
  interface Vlan12
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 192.168.100.1 255.255.255.0
  ftp mode passive
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 75.75.75.75
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group network Any_Connect_DHCP
  network-object host Any_Connect_100
  network-object host Any_Connect_101
  network-object host Any_Connect_102
  network-object host Any_Connect_103
  network-object host Any_Connect_104
  network-object host Any_Connect_105
  network-object host Any_Connect_106
  network-object host Any_Connect_107
  network-object host Any_Connect_108
  network-object host Any_Connect_109
  access-list outside_access_in extended permit tcp any interface outside eq www
  access-list outside_access_in extended permit tcp any interface outside eq ssh
  access-list outside_1_cryptomap extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip object-group Any_Connect_DHCP any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  ip local pool AnyConnectDHCPPool Any_Connect_100-10.0.5.110 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  global (dmz) 1 192.168.100.2 netmask 255.255.255.255
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (dmz,outside) tcp interface www Web_Server www netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 173.10.242.182 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 10.0.1.0 255.255.255.0 inside
  http 10.1.10.0 255.255.255.0 outside
  http San_Mateo_Inside 255.255.255.255 inside
  http San_Mateo_Inside 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 173.12.XXX.XXX
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  vpn-sessiondb max-webvpn-session-limit 10
  telnet timeout 5
  ssh 192.168.1.0 255.255.255.0 inside
  ssh 10.0.1.0 255.255.255.0 inside
  ssh San_Mateo_Inside 255.255.255.0 inside
  ssh 10.1.10.0 255.255.255.0 outside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.0.5.10-10.0.5.30 inside
  dhcpd dns 75.75.75.75 75.75.76.76 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  anyconnect-essentials
  svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1 regex "Intel Mac OS X"
  svc profiles CATS disk0:/cats.xml
  svc enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  dns-server value 75.75.75.75
  vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  webvpn
    svc profiles value CATS
  username ************** password sPxon1E6hTszm7Ko encrypted privilege 15
  tunnel-group 173.12.XXX.XXX type ipsec-l2l
  tunnel-group 173.12.XXX.XXX ipsec-attributes
  pre-shared-key *****
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:1751532c3624a6c2eec3c1ae0c31fe03
  : end

  Hi Kevin,
  Both the sides have IP address of 173.10.XXX.XXX  on the respective Outside interfaces and you have configured the peers for 173.12.X.X.
  Please ensure the correct IP addresses for VPN peers are configured , via the following command:
  crypto map outside_map 1 set peer X.X.X.X
  e.g. If you have 173.10.X.X on Site X and 173.12.X.X on Site Y , then
  On Site X, peer would be
  crypto map outside_map 1 set peer 173.12.X.X
  and the tunnel-group will be
  tunnel-group 173.12.XXX.XXX type ipsec-l2l
  tunnel-group 173.12.XXX.XXX ipsec-attributes
  pre-shared-key *****
  On Site Y, peer would be
  crypto map outside_map 1 set peer 173.10.X.X
  and the tunnel-group will be
  tunnel-group 173.10.XXX.XXX type ipsec-l2l
  tunnel-group 173.10.XXX.XXX ipsec-attributes
  pre-shared-key *****
  Also , the nat exempt would be complimentary on each other i.e.
  On Site X,
  access-list inside_nat0_outbound extended permit ip San_Mateo_Inside 255.255.255.0 Ghost_Flower_Inside 255.255.255.0
  On Site Y,
  access-list inside_nat0_outbound extended permit ip Ghost_Flower_Inside 255.255.255.0 San_Mateo_Inside 255.255.255.0
  Hope that helps.
  Regards,
  Dinesh Moudgil

• VPN not working after adding subinterface - ASA 5510

  Hello,
  Currently I want to add a second lan (vlan) in a customers network. The new network will be for a wireless infrastructure.
  There is also VPN Configured on the ASA - One with L2TP for Windows Clients and an IPsec for Cisco Clients.
  Former we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.
  Now I want to use the Eth0/2 with subinterfaces, so that we will be flexible for future, when deploying more vlans.
  But now, when i turn the first subinterface Eth0/2.2 to no-shut the VPN Connections does not work any more.
  Bulding up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because tracert to an internal adress goes to the internet)
  Below there is my config, i don't know whats wrong. I think split-tunnel is configured correctly (because it works when i delete eth0/2.2)
  TREV is the network of this location.
  Company1,2,3 are remote locations.
  : Saved
  ASA Version 8.2(5)
  hostname XXXXXXX
  domain-name domain.lan
  enable password XXXXXXXXXXX encrypted
  passwd XXXXXXXXXX encrypted
  names
  name 192.168.100.0 TREV
  name 192.168.200.0 COMPANY3
  name XXXXXXXX Company1
  name 192.168.1.0 Company2
  name XXXXXXXXX GCT
  name XXXXXXXX BMD
  name 192.168.110.0 Wireless
  name 192.168.201.0 COMPANY3-VPN
  name 192.168.11.0 COMPANY2-VPN
  name 192.168.101.0 TREV-VPN
  interface Ethernet0/0
  description Outside
  nameif outside
  security-level 0
  ip address XXXXX 255.255.255.248
  interface Ethernet0/1
  description Inside
  nameif inside
  security-level 100
  ip address 192.168.100.1 255.255.255.0
  interface Ethernet0/2
  description Trunk Interface
  no nameif
  no security-level
  no ip address
  interface Ethernet0/2.2
  description Wireless
  vlan 110
  nameif wlan
  security-level 100
  ip address 192.168.110.1 255.255.255.0
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 192.168.100.10
  domain-name domain.lan
  dns server-group COMPANY2
  name-server 192.168.1.16
  domain-name domain.local
  dns server-group COMPANY3
  name-server 192.168.200.1
  domain-name domain.local
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network VPN_Networks
  network-object COMPANY3 255.255.255.0
  network-object COMPANY3-VPN 255.255.255.0
  network-object COMPANY2 255.255.255.0
  network-object COMPANY2-VPN 255.255.255.0
  network-object TREV 255.255.255.0
  network-object TREV-VPN 255.255.255.0
  object-group network DM_INLINE_NETWORK_1
  network-object COMPANY2 255.255.255.0
  network-object COMPANY3 255.255.255.0
  network-object COMPANY3-VPN 255.255.255.0
  network-object COMPANY2-VPN 255.255.255.0
  network-object Wireless 255.255.255.0
  access-list INCOMING remark *** ICMP Erlauben ***
  access-list INCOMING extended permit icmp any any echo-reply
  access-list INCOMING extended permit icmp any any time-exceeded
  access-list INCOMING extended permit icmp any any unreachable
  access-list INCOMING extended permit icmp any any parameter-problem
  access-list INCOMING extended permit icmp any any source-quench
  access-list INCOMING extended permit icmp any any echo
  access-list INCOMING remark *** Wartung Company1 ***
  access-list INCOMING remark *** Wartung BMD ***
  access-list INCOMING remark *** Mail ***
  access-list ......
  access-list Trev-nat0 remark *** NoNat ***
  access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
  access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
  access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
  access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
  access-list inside_debug extended permit tcp any host 192.168.100.5
  access-list inside_debug extended permit tcp any TREV 255.255.255.0
  access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  mtu wlan 1500
  ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  global (outside) 2 XXXXXXXXXXX
  nat (inside) 0 access-list Trev-nat0
  nat (inside) 2 192.168.100.25 255.255.255.255
  nat (inside) 2 192.168.100.250 255.255.255.255
  nat (inside) 1 TREV 255.255.255.0
  nat (wlan) 0 access-list Wireless-nat0
  static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
  static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
  .... a lot of statics..............
  static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
  static (inside,outside) tcp XXXXXXXXXX  995 192.168.100.25 995 netmask 255.255.255.255
  access-group INCOMING in interface outside
  route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX  1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.100.10
  timeout 5
  key *****
  radius-common-pw *****
  aaa-server RADIUS2 protocol radius
  aaa-server RADIUS2 (inside) host 192.168.100.10
  key *****
  radius-common-pw *****
  aaa authentication ssh console LOCAL
  http server enable 4430
  http COMPANY2 255.255.255.0 management
  http TREV 255.255.255.0 inside
  http Company1 255.255.255.224 outside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 178.188.202.78
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 20
  authentication pre-share
  encryption des
  hash sha
  group 5
  lifetime 28800
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 5
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh bit-Studio 255.255.255.224 outside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh TREV 255.255.255.0 inside
  ssh timeout 60
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcprelay server 192.168.100.10 inside
  dhcprelay enable wlan
  dhcprelay setroute wlan
  dhcprelay timeout 90
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy DefaultRAGroup internal
  group-policy DefaultRAGroup attributes
  wins-server value 192.168.100.10
  dns-server value 192.168.100.10
  vpn-tunnel-protocol IPSec l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
  default-domain value domain.lan
  intercept-dhcp enable
  group-policy IPsecVPN internal
  group-policy IPsecVPN attributes
  wins-server value 192.168.100.10
  dns-server value 192.168.100.10
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
  default-domain value domain.lan
  username admin password XXXXXXXXXX encrypted privilege 15
  username vpntest password XXXXXXXXX nt-encrypted
  tunnel-group DefaultRAGroup general-attributes
  address-pool VPN-Pool
  authentication-server-group RADIUS
  default-group-policy DefaultRAGroup
  tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  no authentication chap
  authentication ms-chap-v2
  tunnel-group XXXXXXXXX type ipsec-l2l
  tunnel-group XXXXXXXXXXXX ipsec-attributes
  pre-shared-key *****
  tunnel-group IPsecVPN type remote-access
  tunnel-group IPsecVPN general-attributes
  address-pool VPN-Pool
  authentication-server-group RADIUS
  default-group-policy IPsecVPN
  tunnel-group IPsecVPN ipsec-attributes
  pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
  : end

  Hi,
  First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either destination or source network isnt correct.
  Lets look at the NAT0 ACL you have line by line
  access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
  The above access-list has the correct source network configured Yet it has its destination addresses configured with an "object-group" which contains your LAN network
  You should probably remove the LAN network from the object-group VPN_Networks
  access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
  To my understanding the above ACL line doesnt serve any purpose as the networks configured under VPN_Networks arent located behind your "inside" interface (Other than the one I'm asking to remove from the object-group)
  access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
  The above ACL overlap with the very first ACL lines configurations and needlesly makes the configuration harder to read. It also contains the Wireless network which it shouldnt
  I would suggest simplifying your NAT0 configurations for example in the following way (change the names if you want if youre going to try it out)
  object-group network TREV-LAN
    description Local networks
    network-object 192.168.100.0 255.255.255.0
  object-group network VPN-NETWORKS
  description Remote networks
  network-object 192.168.200.0 255.255.255.0
  network-object 192.168.201.0 255.255.255.0
  network-object 192.168.1.0 255.255.255.0
  network-object 192.168.11.0 255.255.255.0
  network-object 192.168.101.0 255.255.255.0
  access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
  access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
  With the above configurations
  You have all NAT0 with a single line of access-list configuration (not counting the remark line as it doesnt affect anything)
  If there is changes in the VPN pools, VPN remote networks or LAN networks you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you should change the ACL from the above if there is some bigger changes to network
  So as I said, I would start with changing the above NAT configurations and then test the VPN again. If it doesnt work we will have to check some other things out.
  - Jouni

• Server monitor not working

  Guys,
  I have server monitor installed on a 10.5.8 client mini to monitor our 9 xserves and it works fine on all the older ones (all G4 or G5 xserves running tiger or panther) but will not detect any of the 4 new Intel Xeon xserves running 10.5 (mixture of .6 and .8). In each case it alternates between reporting "Software is not installed properly on server" and "CANNOTLOAD_BUNDLEERR".
  I'm assuming this is something specific to 10.5 - some sort of SNMP setting or something perhaps? Obviously I've checked the passwords, I'm using root username/password for each one, all the servers are on and available, and like I say, it's working fine on the older ones.
  Anybody had any experience with this and know the answer?
  Further info: 3 of the servers (of which one is 10.5 and not working) are on the local network (local to the monitoring mini), the remaining 3 10.5's are each on other LAN's to which I have a currently working VPN. In each case the 10.5 machine which isn't working is on the same LAN as an older machine that is, so I know that's not the issue.

  The Intel XServes seem to operate differently than the old G5 units when it comes to LOM. Mine has been giving me a bugger of a time getting Server Monitor to work properly, but right now it seems to be functioning..
  Have you gone to Server Monitor on each of the Intel units and set up the "Configure Local Machine" from the Server menu? It should reject you if you enter the IP address of the Ethernet connection to your LAN - you have to use a different IP address. Configure only the information for 'Network 1' with the info for your LAN.
  It may be purely anecdotal, but it seemed to start working for me after I enabled the firewall on the server, leaving all the ports on the LAN open and shutting everything down on the other address groups.
  -Douggo

• PIX 501 config - access to internal network not working from remote VPN users - everything on the inside is OK

  One other thing - I had a problem with the key pairing so I rebuilt the rsa 1024 and the unit started working. Unfortunately I reloaded without the config in place and now I cannot get it to work again. Any help will be greatly apprecaited although I did review a dozen other posts of people having similar problems and for some reason there is never any conclusion as to the solution and I am not sure why.           
  Some other info from the client end:
  I just ran the stats on the client and packets are being encrypted BUT none are decrypted.
  Also Tunnel received 0 and sent 115119
  Encryption is 168-bit 3-DES
  Authentication is HMAC-SHA1
  also even though the allow LAN is selected in the Cisco VPN client it states the local LAN is disabled in the client stats
  also Transparent tunneling is selcted but in the stats it states it is inactive
  I am connecting with the Cisco VPN Client Ver 5.0.07.0440
  This config works. It is on the internal net 192.168..40.x and all users obtain dhcp and surf the web. It has required ports opened.The problem is that you can connect remotely via the VPN and you receive an IP address from the remote-vpn pool but you cannot see any machines on the internal network. The pix is at 40.2 and you cannot ping the pix and the pix from the remote PC connecting via the VPN and youcannot ping the remote PC from the PIX console when the remote is connected and receives the first IP address in the VPN pool of 192.168.40.25
  I need to  see the internal network and map network drives. I have another friend that is running the same config and it works but his computer is on a linksys wireless and has an IP of 192.168.1.x and the IP he receives from the VPN pool is 192.168.1.25 so I do not know if the same network is allowing this config to work even if there is an error in the config. In my present case I obtain the ip of 192.168.40.25 from the VPN pool and my connecting pc on 192.168.1.x    I really am not sure how the VPN virtual adapter works. I am assuming it routes all traffic from your connecting PC to and from the virtual adapater but I really do not know for sure.
  Other people have had similar issues with accessing the internal network from the VPN. One solution was the split-tunnel, another was the natting and another had to do with the encrption where there and an issue with the encrypt and ecrypt which was stopping the communicaton via the VPN.
  I still cannot seem to find the issue with this config and any help will be greatly appreciated.
  This is the config
  interface ethernet0 100full
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  enable password somepassword
  hostname hostname
  fixup protocol dns maximum-length 512
  fixup protocol ftp 21
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol http 80
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol sip 5060
  fixup protocol sip udp 5060
  fixup protocol skinny 2000
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol tftp 69
  names
  object-group network internal_trusted_net
    network-object 192.168.40.0 255.255.255.0
  object-group icmp-type icmp_outside
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    icmp-object source-quench
  access-list OutToIn permit icmp any xxx.xxx.xxx.0 255.255.255.248 object-group icmp_outside
  access-list no_nat_inside permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
  access-list split_tunnel permit ip 192.168.40.0 255.255.255.0 192.168.40.0 255.255.255.0
  access-list OutToIn permit ip any any
  access-list outbound permit ip any any
  (NOTE: I had many more entries in the access list but removed them. Even with the above two allowing everything it does not work)
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip address outside xxx.xxx.xxx.xxx 255.255.255.248
  ip address inside 192.168.40.2 255.255.255.0
  ip audit info action alarm
  ip audit attack action alarm
  ip local pool vpn_client_pool 192.168.40.25-192.168.40.30
  pdm history enable
  arp timeout 14400
  global (outside) 1 interface
  I had this statement missing from the previous posted config but even with the nat (inside) 0 access-list no_nat_inside  it still does not work.
  nat (inside) 0 access-list no_nat_inside
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  access-group acl_outside_in in interface outside
  access-group outbound in interface inside
  route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
  timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout uauth 0:05:00 absolute
  aaa-server TACACS+ protocol tacacs+
  aaa-server RADIUS protocol radius
  aaa-server LOCAL protocol local
  http server enable
  http 192.168.40.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server community $XXXXXX$
  no snmp-server enable traps
  floodguard enable
  sysopt connection permit-ipsec
  crypto ipsec transform-set 3des_strong esp-3des esp-sha-hmac
  crypto dynamic-map clientmap 50 set transform-set 3des_strong
  crypto map vpn 50 ipsec-isakmp dynamic clientmap
  crypto map vpn client configuration address initiate
  crypto map vpn client configuration address respond
  crypto map vpn client authentication LOCAL
  crypto map vpn interface outside
  isakmp enable outside
  isakmp identity address
  isakmp client configuration address-pool local vpn_client_pool outside
  isakmp nat-traversal 20
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption 3des
  isakmp policy 10 hash sha
  isakmp policy 10 group 2
  isakmp policy 10 lifetime 86400
  vpngroup remote-vpn split-tunnel split_tunnel
  vpngroup remote-vpn idle-time 10800
  vpngroup remote-vpn password ANOTHER PASSWORD
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 192.168.40.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 60
  dhcpd address 192.168.40.100-192.168.40.131 inside
  dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
  dhcpd lease 3600
  dhcpd ping_timeout 750
  dhcpd enable inside
  username AUSER password PASSWORD privilege 15
  terminal width 80
  ****************** End of config
  I have been searching docs and other people's postings trying to obtain the info to make this work. It appears pretty much boiler plate but I believe my problem is in the natting. I am using a range in the internal network for the VPN pool and I have tried switching this to other networks but this has not helped. Unfortunately I have been unable to get the PDM to work and I believe this is a PC config thing and I did not want to waste the time on it. I read a post where a person using the PDM interface with the same problem (not being able to access the internal network)  was able to go to a section in the VPN wizard and set the Address Exeption Translation. They said they originally set the VPN subnet when they did not have to. Many of the other blogs I read also stated that if the natting is not proper  for the VPN pool- that it will not work but I am confused by the examples. They show as I do the complete range for an access-list called no_nat_inside but I believe it should only have the VPN pool IP range and not the entire network since the others do require natting - not sure if my thought process is correct here. Any help will be greatly apprecaited. Also this morning I just tried a boiler plate example from CISCO and it also did not do what I need for it to do. And I also connect a PC to obtain an IP to see if I can see it - no good. The PC can ping the PIX and viceversa but no one can ping the remote PC that connects via the CISCO Remote VPN client even though it receive an address from the vpnpool. Also include LAN is checked off on the client. This was mentioned in anther post.
  Thank you once again.

  Hi,
  PIX501 is a very very old Cisco firewall that has not been sold for a long time to my understanding. It also doesnt support even close to new software levels.
  If you wanted to replace the PIX501 the corresponding model nowadays would be ASA5505 which is the smallest Cisco ASA firewall with 8 switch port module. There is already a new ASA5500-X Series (while ASA5505 is of the original ASA 5500 Series) but they have not yet introduced a replacing model for this model nor have they stopped selling this unit. I have a couple of them at home. Though naturally they are more expensive than your usual consumer firewalls.
  But if you wanted to replace your PIX firewall then I would probably suggest ASA5505. Naturally you could get some other models too but the cost naturally rises even more. I am not sure at what price these are sold as used.
  I used some PIX501 firewalls at the start of my career but have not used them in ages since ASA5505 is pretty much the firewall model we use when we need a firewall/vpn device for a smaller network/branch site.
  Here is a PDF of the original ASA5500 Series.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf
  Here is a PDF of the new ASA5500-X Series
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
  I am afraid that its very hard for me atleast to troubleshoot this especially since I have not seen any outputs yet. Also the very old CLI and lack of GUI (?) make it harder to see what the problem is.
  Could you provide the requested outputs?
  From the PIX after connection test
  show crypto ipsec sa
  Screen captures of the VPN Client routing and statistics sections.
  - Jouni

• ACE SSL terminate not working ... please help

  Hello, I configured cisco ace 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 is OK.  When i put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so i click in "Continue to this website (not recommended)" and the ace dont balance the output show error "Internet Explorer cannot display the webpage".
  The configuration:
  ace-demo/Admin# sh run
  Generating configuration....
  boot system image:c4710ace-mz.A3_2_4.bin
  boot system image:c4710ace-mz.A3_2_1.bin
  login timeout 0
  hostname ace-demo
  interface gigabitEthernet 1/1
    channel-group 1
    no shutdown
  interface gigabitEthernet 1/2
    channel-group 1
    no shutdown
  interface gigabitEthernet 1/3
    channel-group 1
    no shutdown
  interface gigabitEthernet 1/4
    channel-group 1
    no shutdown
  interface port-channel 1
    switchport trunk allowed vlan 400-401,450
    no shutdown
  crypto csr-params testparams
    country PE
    state Lima
    locality Lima
    organization-name TI
    organization-unit TI
    common-name www.yyy.com
    serial-number 1000
  access-list anyone line 8 extended permit ip any any
  access-list anyone line 16 extended permit icmp any any
  parameter-map type ssl sslparams
    cipher RSA_WITH_RC4_128_MD5
    version SSL3
  rserver host rsrv1
    ip address 10.1.40.2
    inservice
  rserver host rsrv2
    ip address 10.1.40.3
    inservice
  serverfarm host farm-demo
    rserver rsrv1
      inservice
    rserver rsrv2
      inservice
  serverfarm host site-A
    rserver rsrv1
      inservice
  serverfarm host site-B
    rserver rsrv2
      inservice
  ssl-proxy service testssl
    key testkey.key
    cert testcert.pem
    ssl advanced-options sslparams
  class-map type management match-any MGMT
    2 match protocol icmp any
    3 match protocol http any
    4 match protocol https any
    5 match protocol snmp any
    6 match protocol telnet any
    7 match protocol ssh any
  class-map match-any VIP
    6 match virtual-address 10.1.41.10 any
  class-map type generic match-any WAN-site-A
    2 match source-address 192.168.10.106 255.255.255.255
    3 match source-address 192.168.10.125 255.255.255.255
  class-map type generic match-any WAN-site-B
    2 match source-address 192.168.10.96 255.255.255.255
    3 match source-address 192.168.10.93 255.255.255.255
  class-map type management match-any icmp
    2 match protocol icmp any
  class-map match-any vip-ssl-10.1.41.20
    2 match virtual-address 10.1.41.20 tcp eq https
  policy-map type management first-match ICMP
    class icmp
      permit
  policy-map type management first-match MGMT
    class MGMT
      permit
  policy-map type loadbalance first-match vip-ssl-10.1.41.20
    class class-default
      serverfarm farm-demo
  policy-map type loadbalance generic first-match lb-server
    class WAN-site-A
      serverfarm site-A
    class WAN-site-B
      serverfarm site-B
    class class-default
      serverfarm farm-demo
  policy-map multi-match client-side
    class VIP
      loadbalance vip inservice
      loadbalance policy lb-server
  policy-map multi-match lb-vip
    class vip-ssl-10.1.41.20
      loadbalance vip inservice
      loadbalance policy vip-ssl-10.1.41.20
      loadbalance vip icmp-reply
      ssl-proxy server testssl
  interface vlan 400
    description side-server
    ip address 10.1.40.1 255.255.255.0
    access-group input anyone
    service-policy input ICMP
    no shutdown
  interface vlan 401
    description side-client
    ip address 10.1.41.1 255.255.255.0
    access-group input anyone
    access-group output anyone
    service-policy input ICMP
    service-policy input client-side
    service-policy input lb-vip
    no shutdown
  interface vlan 450
    description mgmt
    ip address 10.1.45.1 255.255.255.0
    access-group input anyone
    service-policy input MGMT
    no shutdown
  ip route 192.168.10.0 255.255.255.0 10.1.45.10
  And the proof:
  ace-demo/Admin# sh serverfarm farm-demo
  serverfarm     : farm-demo, type: HOST
  total rservers : 2
                                                  ----------connections-----------
         real                  weight state        current    total      failures
     ---+---------------------+------+------------+----------+----------+---------
     rserver: rsrv1
         10.1.40.2:0           8      OPERATIONAL  0          25         19
     rserver: rsrv2
         10.1.40.3:0           8      OPERATIONAL  0          23         18
  ace-demo/Admin# sh crypto files
  Filename                                 File  File    Expor      Key/
                                           Size  Type    table      Cert
  admin                                    887   PEM     Yes         KEY
  testcert.pem                             709   PEM     Yes        CERT
  testkey.key                              497   PEM     Yes         KEY
  ace-demo/Admin#
  ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
  Status     : ACTIVE
  Interface: vlan 1 401
    service-policy: lb-vip
      class: vip-ssl-10.1.41.20
        ssl-proxy server: testssl
        loadbalance:
          L7 loadbalance policy: vip-ssl-10.1.41.20
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          Persistence Rebalance: DISABLED
          curr conns       : 0         , hit count        : 38       
          dropped conns    : 18       
          client pkt count : 159       , client byte count: 12576              
          server pkt count : 16        , server byte count: 640                
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                  
          bytes_out : 0                  
          Compression ratio : 0.00%
  in other time:
  ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
  Status     : ACTIVE
  Interface: vlan 1 401
    service-policy: lb-vip
      class: vip-ssl-10.1.41.20
        ssl-proxy server: testssl
        loadbalance:
          L7 loadbalance policy: vip-ssl-10.1.41.20
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          Persistence Rebalance: DISABLED
          curr conns       : 0         , hit count        : 170      
          dropped conns    : 89       
          client pkt count : 703       , client byte count: 60089              
          server pkt count : 85        , server byte count: 3400               
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                  
          bytes_out : 0                  
          Compression ratio : 0.00%
  ace-demo/Admin#
  ace-demo/Admin# sh stats crypto server
  +----------------------------------------------+
  +---- Crypto server termination statistics ----+
  +----------------------------------------------+
  SSLv3 negotiated protocol:                       43
  TLSv1 negotiated protocol:                        0
  SSLv3 full handshakes:                           37
  SSLv3 resumed handshakes:                         0
  SSLv3 rehandshakes:                               0
  TLSv1 full handshakes:                            0
  TLSv1 resumed handshakes:                         0
  TLSv1 rehandshakes:                               0
  SSLv3 handshake failures:                         6
  SSLv3 failures during data phase:                 0
  TLSv1 handshake failures:                         0
  TLSv1 failures during data phase:                 0
  Handshake Timeouts:                               0
  total transactions:                               0
  SSLv3 active connections:                         0
  SSLv3 connections in handshake phase:             0
  SSLv3 conns in renegotiation phase:               0
  SSLv3 connections in data phase:                  0
  TLSv1 active connections:                         0
  TLSv1 connections in handshake phase:             0
  TLSv1 conns in renegotiation phase:               0
  TLSv1 connections in data phase:                  0
  +----------------------------------------------+
  +------- Crypto server alert statistics -------+
  +----------------------------------------------+
  SSL alert CLOSE_NOTIFY rcvd:                      0
  SSL alert UNEXPECTED_MSG rcvd:                    0
  SSL alert BAD_RECORD_MAC rcvd:                    0
  SSL alert DECRYPTION_FAILED rcvd:                 0
  SSL alert RECORD_OVERFLOW rcvd:                   0
  SSL alert DECOMPRESSION_FAILED rcvd:              0
  SSL alert HANDSHAKE_FAILED rcvd:                  0
  SSL alert NO_CERTIFICATE rcvd:                    0
  SSL alert BAD_CERTIFICATE rcvd:                   0
  SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
  SSL alert CERTIFICATE_REVOKED rcvd:               0
  SSL alert CERTIFICATE_EXPIRED rcvd:               0
  SSL alert CERTIFICATE_UNKNOWN rcvd:               6
  SSL alert ILLEGAL_PARAMETER rcvd:                 0
  SSL alert UNKNOWN_CA rcvd:                        0
  SSL alert ACCESS_DENIED rcvd:                     0
  SSL alert DECODE_ERROR rcvd:                      0
  SSL alert DECRYPT_ERROR rcvd:                     0
  SSL alert EXPORT_RESTRICTION rcvd:                0
  SSL alert PROTOCOL_VERSION rcvd:                  0
  SSL alert INSUFFICIENT_SECURITY rcvd:             0
  SSL alert INTERNAL_ERROR rcvd:                    0
  SSL alert USER_CANCELED rcvd:                     0
  SSL alert NO_RENEGOTIATION rcvd:                  0
  SSL alert CLOSE_NOTIFY sent:                      0
  SSL alert UNEXPECTED_MSG sent:                    0
  SSL alert BAD_RECORD_MAC sent:                    0
  SSL alert DECRYPTION_FAILED sent:                 0
  SSL alert RECORD_OVERFLOW sent:                   0
  SSL alert DECOMPRESSION_FAILED sent:              0
  SSL alert HANDSHAKE_FAILED sent:                  0
  SSL alert NO_CERTIFICATE sent:                    0
  SSL alert BAD_CERTIFICATE sent:                   0
  SSL alert UNSUPPORTED_CERTIFICATE sent:           0
  SSL alert CERTIFICATE_REVOKED sent:               0
  SSL alert CERTIFICATE_EXPIRED sent:               0
  SSL alert CERTIFICATE_UNKNOWN sent:               0
  SSL alert ILLEGAL_PARAMETER sent:                 0
  SSL alert UNKNOWN_CA sent:                        0
  SSL alert ACCESS_DENIED sent:                     0
  SSL alert DECODE_ERROR sent:                      0
  SSL alert DECRYPT_ERROR sent:                     0
  SSL alert EXPORT_RESTRICTION sent:                0
  SSL alert PROTOCOL_VERSION sent:                 47
  SSL alert INSUFFICIENT_SECURITY sent:             0
  SSL alert INTERNAL_ERROR sent:                    0
  SSL alert USER_CANCELED sent:                     0
  SSL alert NO_RENEGOTIATION sent:                  0
  +-----------------------------------------------+
  +--- Crypto server authentication statistics ---+
  +-----------------------------------------------+
  Total SSL client authentications:                 0
  Failed SSL client authentications:                0
  SSL client authentication cache hits:             0
  SSL static CRL lookups:                           0
  SSL best effort CRL lookups:                      0
  SSL CRL lookup cache hits:                        0
  SSL revoked certificates:                         0
  Total SSL server authentications:                 0
  Failed SSL server authentications:                0
  +-----------------------------------------------+
  +------- Crypto server cipher statistics -------+
  +-----------------------------------------------+
  Cipher sslv3_rsa_rc4_128_md5:                    43
  Cipher sslv3_rsa_rc4_128_sha:                     0
  Cipher sslv3_rsa_des_cbc_sha:                     0
  Cipher sslv3_rsa_3des_ede_cbc_sha:                0
  Cipher sslv3_rsa_exp_rc4_40_md5:                  0
  Cipher sslv3_rsa_exp_des40_cbc_sha:               0
  Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
  Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
  Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
  Cipher sslv3_rsa_aes_128_cbc_sha:                 0
  Cipher sslv3_rsa_aes_256_cbc_sha:                 0
  Cipher tlsv1_rsa_rc4_128_md5:                     0
  Cipher tlsv1_rsa_rc4_128_sha:                     0
  Cipher tlsv1_rsa_des_cbc_sha:                     0
  Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
  Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
  Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
  Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
  Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
  Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
  Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
  Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
  ace-demo/Admin# crypto verify testkey.key testcert.pem
  Keypair in testkey.key matches certificate in testcert.pem.
  ace-demo/Admin#
  ace-demo/Admin#  sh conn
  total current connections : 0
  conn-id    np dir proto vlan source                destination           state
  ----------+--+---+-----+----+---------------------+---------------------+------+

  Hello Alvaro,
  The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
  Remove the rservers from the SF "farm-demo" and then configure them back like this:
  serverfarm host farm-demo
    rserver rsrv1 80
      inservice
    rserver rsrv2 80
      inservice
  That should do the trick =)
  HTH
  Pablo