Splitting traffic between 2 diff instances of WLS (one 5.1 & other 7.0)
Hi,
At my company, we are exploring the possibility of upgrading the appserver for
our website from WLS 5.1 to WLS 7.0. We run iPlanet web server. However, to reduce
risk and short-term costs, we are looking at only migrating a few key web-pages
to WLS 7.0 and keeping the remaining pages on the existing instance of WLS 5.1.
We want to maintain a single instance of the iPlanet web server.
I want to know whether this is a viable strategy i.e. splitting the web-traffic
to 2 different instances of WLS running different versions.
Thanks for your help.
You cannot register 2 versions of our plugin in one iplanet instance
b'coz the function names are same. So in reality it's not possible to
have 1 iplanet instance to route requests to 2 different WLS versions.
Kumar
Andy Davis wrote:
Hi,
At my company, we are exploring the possibility of upgrading the appserver for
our website from WLS 5.1 to WLS 7.0. We run iPlanet web server. However, to reduce
risk and short-term costs, we are looking at only migrating a few key web-pages
to WLS 7.0 and keeping the remaining pages on the existing instance of WLS 5.1.
We want to maintain a single instance of the iPlanet web server.
I want to know whether this is a viable strategy i.e. splitting the web-traffic
to 2 different instances of WLS running different versions.
Thanks for your help.
Similar Messages
-
Communication between Two WebLogic instances on the same machine
Hi,
We're having a problem with communication between two copies of Weblogic on
the same machine. They are configured with separate ports (regular and SSL).
Independently, they run fine. I can access EJBs running on either of them.
The problem is that a bean in one of them has code which attempts to access
an EJB on the other one. The procedure fails when trying to obtain the initial
context. This same code works if compiled independently of WebLogic on the
same machine.
Are there any known issues regards communication between two running
instances of Weblogic on the same machine?
Thanks in advance,
Randy Yarger
marchFIRST
[email protected]
Thanks for the prompt reply.
There is one IP address (internal address 10.227.1.34) on the machine. WLS1
is set up at ports 7001 and 5133. WLS2 is set up at ports 7004 and 7005.
When WLS1 attempts to obtain a context to WLS2 with the URL
t3://10.227.1.34:7004/ it pauses for a long period of time. Running truss
on both WLS processes shows communication occurring between the two
followed by long periods of silence. Finally WLS2 spits out the error
ConnectionException[7001,7001,5133,5133,7001,7001] (paraphrased, I can get
the entire error if it would help).
After another long pause, WLS1 quits trying with the error 'Server
10.227.1.34:7004 not found' (again paraphrased).
Among the things we've tried:
* Changing the URL from the IP to 127.0.0.1
* Enabling/disabling SSL on either or both WLSs.
* Changing the server name in WLS2's copy of weblogic.properties from
'myserver' to 'myserver2' (previously they were both 'myserver')
* Upgrading WLS2 to 5.1.0sp5 (Tried upgrading WLS1, but was getting class
not found errors and quit because that WLS is being used by other people)
This is a Solaris server. WLS1 is running 5.1.0 and WLS2 is running 5.1.0sp5
Any suggestions would be appreciated.
Best,
Randy Yarger
marchFIRST
[email protected]
"Michael Girdley" <[email protected]> wrote in message
news:[email protected]...
>
>
There should not be. What is your network configuration? Are they on
separate IP addresses?
Thanks,
Michael
Michael Girdley
BEA Systems Inc
"Randy Jay Yarger" <[email protected]> wrote in message
news:[email protected]...
Hi,
We're having a problem with communication between two copies of Weblogic on
the same machine. They are configured with separate ports (regular and SSL).
Independently, they run fine. I can access EJBs running on either of
them.
The problem is that a bean in one of them has code which attempts to access
an EJB on the other one. The procedure fails when trying to obtain the initial
context. This same code works if compiled independently of WebLogic on the
same machine.
Are there any known issues regards communication between two running
instances of Weblogic on the same machine?
Thanks in advance,
Randy Yarger
marchFIRST
[email protected] -
ASA 5510 Not able to route traffic between 2 LAN interfaces
Hi everybody,
I need help to enable traffic between two physical ports on my Cisco ASA 5510. I created access rules and NAT but traffic does not go from accounting interface to Inside. I am able to access internet from both interfaces. Can someone pinpoint me in the right direction since I am not an expert in Cisco but have to finish this by the end of the week.
Thank you,
Sigor
Here is my configuration:
ASA Version 8.2(2)
hostname Cisco
domain-name xxx.com
names
interface Ethernet0/0
description Outside
nameif Outside
security-level 0
ip address 101.101.101.101 255.255.240.0
interface Ethernet0/1
description Inside Network
nameif Inside
security-level 90
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
description Accounting
nameif Accounting
security-level 100
ip address 20.0.1.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone EST -5
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name xxx.com
same-security-traffic permit inter-interface
object-group service Port-10000 tcp
port-object eq 10000
object-group service Port-8080 tcp
port-object eq 8080
object-group service Port-8011 tcp
port-object eq 8011
object-group service DM_INLINE_TCP_1 tcp
group-object Port-8080
port-object eq www
group-object Port-8011
object-group service DM_INLINE_TCP_2 tcp
group-object Port-10000
port-object eq https
port-object eq www
object-group service rdp tcp
port-object eq 3389
object-group service DM_INLINE_TCP_3 tcp
group-object rdp
port-object eq ftp
object-group service DM_INLINE_TCP_4 tcp
group-object Port-10000
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
group-object Port-8011
group-object Port-8080
port-object eq www
object-group service DM_INLINE_TCP_6 tcp
group-object Port-10000
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
group-object rdp
port-object eq ftp
access-list Outside_access_in extended permit tcp any host 101.101.101.104 object-group DM_INLINE_TCP_5
access-list Outside_access_in extended permit tcp any host 101.101.101.102 object-group DM_INLINE_TCP_6
access-list Outside_access_in extended permit tcp any host 101.101.101.103 object-group DM_INLINE_TCP_7
access-list Outside_access_in extended permit tcp any host 101.101.101.106 eq smtp
access-list Outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list CiscoIPsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Accounting 1500
mtu management 1500
ip local pool IPSecDHCP 192.168.80.100-192.168.80.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Accounting) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 101.101.101.104 www 192.168.10.14 www netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.104 8011 192.168.10.14 8011 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.104 8080 192.168.10.14 8080 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 10000 192.168.10.3 10000 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 https 192.168.10.3 https netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 www 192.168.10.3 www netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.103 ftp 192.168.10.17 ftp netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.103 3389 192.168.10.32 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.106 smtp 192.168.10.23 smtp netmask 255.255.255.255
static (Inside,Accounting) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Accounting in interface Accounting
route Outside 0.0.0.0 0.0.0.0 101.101.101.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 Inside
http 20.0.1.0 255.255.255.0 Accounting
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 32608000
crypto ipsec security-association replay disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 89.216.17.35
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 20.0.1.100-20.0.1.200 Accounting
dhcpd dns 192.168.10.19 8.8.8.8 interface Accounting
dhcpd lease 306800 interface Accounting
dhcpd domain abtscs.com interface Accounting
dhcpd enable Accounting
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy CiscoIPsec internal
group-policy CiscoIPsec attributes
dns-server value 192.168.10.30 192.168.10.19
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoIPsec_splitTunnelAcl
default-domain value xxx.com
vpn-group-policy CiscoIPsec
tunnel-group 198.226.20.35 type ipsec-l2l
tunnel-group 198.226.20.35 ipsec-attributes
pre-shared-key *****
tunnel-group CiscoIPsec type remote-access
tunnel-group CiscoIPsec general-attributes
address-pool IPSecDHCP
default-group-policy CiscoIPsec
tunnel-group CiscoIPsec ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a7c97a7a22397908ef83ca6f0065919
: end
Without diving too deep into your config, I noticed a couple of things:
interface Ethernet0/1
description Inside Network
nameif Inside
security-level 90
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
description Accounting
nameif Accounting
security-level 100
ip address 20.0.1.1 255.255.255.0
On an ASA, higher security level interfaces are always allowed, by default, to lower security levels, but not the other way around. So, if you want to keep this config, you would need an acl on the Inside interface to allow traffic to go from level 90 to 100:
access-list Inside permit ip any any
access-group Inside in interface Inside
The acl will permit the traffic into either interface (outside or Accounting). As long as you have your other rules set up correctly, this should resolve your issue...
HTH,
John -
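The default security-level behaviour described in the reply above, as an added example that is not part of the original thread: a short Python script that reads the interface and access-group lines of the posted configuration and reports what decides a new connection in each direction. It goes slightly beyond the reply by also covering equal security levels and interfaces that already have an inbound ACL bound; the function names are this example's own and NAT is not modelled.

```python
import re

# Trimmed excerpt of the configuration posted above (interfaces and ACL bindings only).
POSTED_CONFIG = """\
interface Ethernet0/0
nameif Outside
security-level 0
interface Ethernet0/1
nameif Inside
security-level 90
interface Ethernet0/2
nameif Accounting
security-level 100
interface Ethernet0/3
shutdown
no nameif
no security-level
same-security-traffic permit inter-interface
access-group Outside_access_in in interface Outside
access-group Accounting in interface Accounting
"""

# The two lines suggested in the reply, to be appended to the posted config.
SUGGESTED_FIX = """\
access-list Inside permit ip any any
access-group Inside in interface Inside
"""


def parse_asa(config):
    """Return (levels, inbound_acls, same_security) from running-config text."""
    levels, inbound_acls, same_security = {}, {}, False
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None  # new stanza; unnamed until a nameif line is seen
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
        elif m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line):
            inbound_acls[m.group(2)] = m.group(1)
        elif line == "same-security-traffic permit inter-interface":
            same_security = True
    return levels, inbound_acls, same_security


def decide(src, dst, levels, inbound_acls, same_security):
    """Say what decides a new connection entering `src` and leaving via `dst`."""
    if levels[src] == levels[dst] and not same_security:
        return "same-security-deny"      # equal levels need the same-security command
    if src in inbound_acls:
        return "acl:" + inbound_acls[src]  # a bound ACL replaces the implicit rules
    if levels[src] >= levels[dst]:
        return "implicit-permit"         # higher level to lower level
    return "implicit-deny"               # lower level to higher level, no ACL bound


def matrix(config):
    """Map every ordered (src, dst) interface pair to the deciding mechanism."""
    levels, acls, same = parse_asa(config)
    return {(s, d): decide(s, d, levels, acls, same)
            for s in levels for d in levels if s != d}


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG),
                       ("with the suggested ACL", POSTED_CONFIG + SUGGESTED_FIX)):
        print(label)
        for (src, dst), verdict in matrix(cfg).items():
            print(f"  {src:>10} -> {dst:<10} {verdict}")
```

Once the Inside ACL is bound, it also governs Inside to Outside traffic, which is why the suggested entry is a broad permit.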
Error in shared component import within same as well as diff instance.
Please help me with below issue:
I am trying to import shared components related to a single page within same instance to diff application. I changed the application_id to target application_id and also set wwv_flow_api.g_id_offset to diff value.
Still getting following error:
ORA-20001: GET_BLOCK Error. ORA-20001: Execution of the statement was unsuccessful. ORA-00001: unique constraint (APEX_030200.WWV_FLOW_MENU_TEMP_IDX2) violated <pre>begin begin wwv_flow_api.create_menu_template ( p_id=> 94480251996632657 + wwv_flow_api.g_id_offset, p_flow_id=> wwv_flow.g_flow_id, p_name=>'Breadcrumb Menu', p_before_first=>'', p_current_page_option=>'<a href="#LINK#" class="t20Current">#
And also tried to import shared components of single page to an application in diff instance. I changed the application_id, workspace_id with target application_id and workspace_id and also set wwv_flow_api.g_id_offset to diff value.
There also I am getting same error.
The error seems to be that the template (some breadcrumb template) does exist already. What kind of shared component do you want to copy? Some, like images and templates, can be shared between applications in the same workspace. That's the main reason why they are named "shared". Also possible would be that this component was created or is using some standard template/theme/menu, that is created during the standard apex installation. Or it was already copied during the workspace installation.
Edited by: Sven W. on Aug 7, 2012 7:42 PM -
Hey,
I want to write a diff instance class.
The DiffInstance will get two instances of the same class and will return a collection of differences between the instances.
This is done because there are a lot of services that are triggered by changes in the model.
For example - audit needs the diff between previous state and new state, business triggers that are interested in changes in the model state, etc.
So I plan to get the new state in the front service, compare it to the old state and send the diff to any registered service (like audit).
1. Do you agree with me that it's better to take the diff in a central place and avoid computing the diff in each of the registered services?
2. What do you think will be a good structure for the diff result? My first thought was something like jxpath (or any other navigation expression like -http://java-source.net/open-source/expression-languages ), but I have two problems with this:
a. sets
b. what if one of these tools needs to get the field for annotation info?
any ideas?
avihai wrote:
Hey,
I want to write a diff instance class.
The DiffInstance will get two instances of the same class and will return a collection of difference between the instance.
You do mean a class file and not either of the following?
- java source
- instance of a class
This is done because there are a lot of services that are triggered by changes in the model.
For example - audit needs the diff between previous state and new state, business triggers that are interested in changes in the model state, etc.
So I plan to get the new state in the front service, compare it to the old state and send the diff to any registered service (like audit).
Sounds wrong to me. If you update something then you should plan on doing a static migration at the time of the update unless there is some business reason that prevents that. Attempting dynamic migration is not only very error prone but can impact performance for an indefinite period as well.
1. Do you agree with me that it's better to take the diff in a central place and avoid computing the diff in each of the registered services?
2. What do you think will be a good structure for the diff result? My first thought was something like jxpath (or any other navigation expression like -http://java-source.net/open-source/expression-languages ), but I have two problems with this:
a. sets
b. what if one of these tools needs to get the field for annotation info?
No idea how that could be used to express a difference.
The form of the difference is driven by the use to which the difference will be used. That said XML is one form. -
Deploying multiple apps on one instance of wls 8.1
We currently have one huge application (one ear file) running on one instance
of wls 8.1. We plan to break this up in 3 different applications (3 different ear
files). We are using split
development directory structure of weblogic 8.1. Our problem is, we have some
ejbs and some war files (like servlets and jsps) which are common across all the
applications. How do we manage this ? Do we make a different application for this
common component ?
Thanks in advance.
Yogesh
Out of curiosity, why are you splitting up the ear?
How do you intend to package the common ejbs/webapps across the 3 ear files?
If you're going to copy the common files into each application, then i
would probably have a separate build.xml that builds the common pieces.
The other apps can just copy these common pieces into their build
directory. If the common pieces aren't changing very frequently, then
this is pretty nice.
-- Rob
Yogesh Ranjan wrote:
We currently have one huge application (one ear file) running on one instance
of wls 8.1. We plan to break this up in 3 different applications (3 different ear
files). We are using split
development directory structure of weblogic 8.1. Our problem is, we have some
ejbs and some war files (like servlets and jsps) which are common across all the
applications. How do we manage this ? Do we make a different application for this
common component ?
Thanks in advance.
Yogesh -
2 vs 1 instance of WLS ?
Greetings !!!
Leaving other parameters same, would 2 instances of WLS with smaller
values of Heap size, executeThreadCount, DBConnections etc. each
provide better performance than one instance of WLS with higher number
for these parameters ? Has anyone done benchmarks for such a scenario???
Environment: 2-CPU box, 1GB RAM, Solaris 6, JDK_1.2.2_05a & WLS
5.1-SP5
Thanks for your help/suggestions/pointers???
Sam
Mike,
Originally, the 'more, smaller instances' was a work-around for poor garbage
collection. I believe that the later JDK's are much better at it. Wouldn't it
make more sense to simply fix the garbage collection?
There is the GC issue, but it is mostly a non-issue now with Hotspot. IBM's
JDKs also have much-improved GC implementations.
It's a queuing theory thing - 1 pool of 50 db connections will be able to stand
more load than 2 pools of 50 db connections, or 10 pools of 5 db connections.
Same goes for execution threads.
Au contraire ... the front queue (e.g. a hardware load balancer) may
subscribe to that theory, but consider the bank vs. the check-out line
example from CS 101.
However, I don't believe that is the real issue. It's all about how many
requests you complete per second per unit of hardware. Obviously if one
instance works the best, then you stick with that.
Oh, I forgot one - when you start up a cluster with many instances, your network
traffic goes wild. I think this was fixed around 4.5.1 SP 10.
Are you telling me that there was a release of WL before 5.1? ;-)
And they have 'director' in front of their names.
See below.
Peace,
Director Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Mike Reiche" <[email protected]> wrote in message
news:[email protected]...
>
"Cameron Purdy" <[email protected]> wrote:
Hi Mike,
Someone needs to send this to www.urbanlegends.com.
I'd like to do some testing with WL6.0/JDK1.3/Hotspot 2.0/Solaris 8 etc.,
and in that case you might be right. On some systems, you can crank the
execute threads way up and it won't make a difference -- the system will
not get saturated.
Originally, the 'more, smaller instances' was a work-around for poor garbage
collection. I believe that the later JDK's are much better at it. Wouldn't it
make more sense to simply fix the garbage collection?
Let's see what else - you also have to cut your connection pool sizes
in half.
Most apps keep the pool size about the same as the exec thread count.
It's a queuing theory thing - 1 pool of 50 db connections will be able to stand
more load than 2 pools of 50 db connections, or 10 pools of 5 db connections.
Same goes for execution threads.
Oh, I forgot one - when you start up a cluster with many instances, your network
traffic goes wild. I think this was fixed around 4.5.1 SP 10.
We run two instances per box here and I wish we didn't.
Based on your stated feelings, is there any reason why you run two
instances per box?
Because there are people here that read about what a great
idea it was. And they have 'director' in front of their names.
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"Mike Reiche" <[email protected]> wrote in message
news:[email protected]...
Someone needs to send this to www.urbanlegends.com.
Using two instances vs. one instance doubles all kinds of things - memory
required, overhead, context switching, all class loading and JSP compiling,
configuration and maintenance. And if you use the same jsp workingDir for both
WLS the two WLS will overwrite each other's generated class files. (and they
don't warn you about that in the doc). Let's see what else - you also have
to cut your connection pool sizes in half.
If you're not getting enough concurrency, then increase the number of executeThreads.
If you want reliability, then fix whatever is breaking. It's always better
to not fail than to recover nicely from a failure.
We run two instances per box here and I wish we didn't.
Mike
"Cameron Purdy" <[email protected]> wrote:
Sam,
It is best to test with your particular application but ... in most cases,
adding a second instance of WebLogic to a particular host will make more
effective use of the processor(s) in the server. Since you are paying per
processor, why not take full advantage of them? ;-)
Also, using two network interfaces, you can bind one WL instance to one NIC
and the other WL instance to the other NIC and thus not lose the site if one
of the networks goes down. (I don't know yet how to force WL to assign the
secondary from the other network, though.)
The main variable that you are looking for is throughput: Can you handle
more concurrent requests? This measurement is basically the number of
typical requests per period of time that are possible before you see the
server queues growing. In other words, once the server queues start
growing, that means that your cluster isn't managing to keep up, and you
have lost the war.
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com
+1.617.623.5782
WebLogic Consulting Available
"sam ernie" <[email protected]> wrote in message
news:[email protected]...
Greetings !!!
Leaving other parameters same, would 2 instances of WLS with smaller
values of Heap size, executeThreadCount, DBConnections etc. each
provide better performance than one instance of WLS with higher number
for these parameters ? Has anyone done benchmarks for such a scenario???
Environment: 2-CPU box, 1GB RAM, Solaris 6, JDK_1.2.2_05a & WLS
5.1-SP5
Thanks for your help/suggestions/pointers???
Sam -
340 bridge traffic between two non root bridges
I have a deployment with a 340 series bridge acting as root bridge and two 340 bridges acting as non-root remotes. The hosts hanging off the non-root bridges can communicate with the hosts hanging off the root bridge but I cannot get communication to work between hosts on the two non-root bridges. Is there some sort of split horizon type setting I need to configure on the root-bridge to allow traffic back out the radio interface?
There isn't anything in the bridges that would block traffic between the two sites. Is this one large subnet, or are there two subnets? If there are two, how are you routing between the two?
Can one non-root bridge ping the other non-root? -
How can i share purchased apps between 2 diff users on the same mac?
How can I share purchased apps between 2 diff users on the same mac?
A purchased app is associated with an Apple ID. A user with a different Apple ID cannot use the app unless they also use the same Apple ID.
I cannot use my wife's apps nor she mine because each were purchased with different Apple IDs. -
ASA5505 - Blocking internal traffic between 2 servers
Hi guys/ladies
I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
2 Oct 27 2012 14:51:05 106007 10.50.15.6 55978 DNS Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
Any idea why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
Any help you can give would be great as this router has worked flawlessly for 2 years now without any config changes and I can't work out why it's blocking traffic between those 2 machines.
Result of the command: "show cap asp | include 10.50.15.6"
15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163
16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138: udp 237
29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138: udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule -
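An added example, not part of the original thread: a Python script that tallies the acl-drop lines of "show cap asp" output like the one above by destination, protocol and port, so the denied services stand out. The sample lines are copied from the post; the port-name table and function names are this example's own, and only the UDP and TCP line shapes seen in the post are handled.

```python
import re
from collections import Counter

# Lines copied from the "show cap asp" output in the post above.
CAPTURE = """\
15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163
16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138: udp 237
29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138: udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Well-known port names for the ports seen in the capture (added for readability).
SERVICES = {53: "dns", 88: "kerberos", 137: "netbios-ns",
            138: "netbios-dgm", 389: "ldap"}

# "<n>: <time> ... <src ip>.<sport> > <dst ip>.<dport>: <rest>"
PACKET = re.compile(
    r"^\s*\d+:\s+\S+\s.*?"
    r"\b(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
DROP = re.compile(r"Drop-reason:\s+\((?P<reason>[^)]+)\)")


def parse_capture(text):
    """Turn capture lines into dicts; lines that are not packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET.match(line)
        if not m:
            continue
        rest = m["rest"]
        drop = DROP.search(rest)
        packets.append({
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            # Simplification: lines not marked "udp" carry TCP flags in this output.
            "proto": "udp" if rest.startswith("udp") else "tcp",
            "reason": drop["reason"] if drop else None,
        })
    return packets


def dropped_by_service(packets):
    """Count dropped packets per (destination, proto/service, drop reason)."""
    tally = Counter()
    for p in packets:
        if p["reason"]:
            name = SERVICES.get(p["dport"], str(p["dport"]))
            tally[(p["dst"], f'{p["proto"]}/{name}', p["reason"])] += 1
    return tally


if __name__ == "__main__":
    packets = parse_capture(CAPTURE)
    for (dst, service, reason), count in dropped_by_service(packets).most_common():
        print(f"{count:3d}  {dst:<14} {service:<16} {reason}")
    unmarked = sum(1 for p in packets if p["reason"] is None)
    print(f"{unmarked} packet(s) carry no drop annotation")
```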
Traffic Between 2 Ports on Different VLANs on the Same Switch
Hi,
This question probably results from a flaw in my understanding of network layer 2 versus layer 3 and VLANs so any additional context in that regard would be very welcome
If I've got 2 systems on different VLANs that are connected to ports on the same switch (e.g. 2950), with that switch being connected via an uplink to a router or layer 3 switch and I want to pass traffic between the 2 systems (e.g. copy a file from a folder shared on one system to another), will the traffic pass directly from one port on the 2950 to the other? Or will it need to go through the uplink? I guess it will need to go through the uplink initially as layer 3 needs to be involved for inter-VLAN routing but wondering if layer 2 MAC address will ultimately be learned, allowing traffic to pass directly between the systems, not over the uplink.
Thanks in advance,
cisco_reader.
If the hosts are on different Layer 2 Vlans and you want to pass data between them, that data needs to be 'Routed'.
In order to Route data from one Layer 2 Vlan to another, you need a device capable of Layer 3 Routing. That device can be a traditional Router or can be something called a Layer 3 switch.
A 2950 switch is Layer 2 only so has the ability to create many Layer 2 Vlans which is what you have done. In order to route traffic between those Vlans, you can either use a router or a L3 switch.
If you decided to use a router, look up something called 'Router on a Stick' which involves creating a Trunk link from the 2950 to the Router and then setting up Subinterfaces on the Routers port to act as the 'Default Gateway' for each of your Vlans. -
WCCP on ASA & traffic between physical interfaces on ASA
Hello,
I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
Eth 0/0 : Outside (to internet)
Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
Eth 0/1.211 : Vlan211 (20.21.10.0/24)
Eth 0/1.212 : Vlan212 (20.21.20.0/24)
Eth 0/1.220 : Vlan220 (20.22.0.0/16)
Eth 0/2 : WAAS (20.21.30.0/24)
I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
I get this error message:
3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
How can I fix this?
My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
Thanks
Ankit
Come on guys
Am I doing something wrong here?
No one replies to my posts. I had the same experience with the previous one.
Is this not the right forum for this query???
Ankit -
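A check that can be run on the configuration in the post above, added here as an example and not part of the thread: it evaluates the posted redirect lists against sample flows, assuming a redirect list is matched against a packet's source and destination as it arrives on the bound interface. The function names are hypothetical; the configuration lines are copied from the post.

```python
import ipaddress

# Lines copied from the post above.
CONFIG = """\
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
"""

def _take_net(tokens):
    """Consume 'any' or 'addr mask' from the front of tokens; return a network."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = tokens.pop(0), tokens.pop(0)
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(config):
    """Return ({interface: (service, acl)}, {acl: [(src_net, dst_net), ...]})."""
    service_acl, bindings, acls = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["wccp"] and t[2:3] == ["redirect-list"]:
            service_acl[t[1]] = t[3]
        elif t[:2] == ["wccp", "interface"]:
            bindings[t[2]] = t[3]
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            acls.setdefault(t[1], []).append((_take_net(rest), _take_net(rest)))
    return {i: (s, service_acl[s]) for i, s in bindings.items()}, acls

def redirected(config, in_interface, src, dst):
    """True if a packet arriving on in_interface matches its redirect list."""
    bindings, acls = parse(config)
    acl = bindings[in_interface][1]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acls[acl])

def covers(config, acl_name, subnet):
    """True if a non-'any' network in the ACL contains the given subnet."""
    net = ipaddress.ip_network(subnet)
    nets = [n for pair in parse(config)[1][acl_name] for n in pair]
    return any(n.prefixlen and net.subnet_of(n) for n in nets)
```

With the posted lists, `redirected(CONFIG, "LAN", "20.20.10.101", "198.51.100.10")` (the second address is constructed) is `False`, because WCCP_To_LAN only matches packets whose destination is inside 20.20.0.0 255.252.0.0. `covers(CONFIG, "WCCP_To_WAN", "20.21.30.0/24")` is `True`: the 255.252.0.0 mask spans 20.20.0.0 through 20.23.255.255, which contains the WAAS interface subnet.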
How to enable traffic between VPN clients in Windows Server 2012 R2?
Hello,
I installed Remote Access role with VPN.
IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
VPN server uses Windows Authentication and Windows Accounting.
With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
For example, VPN server has ip 192.168.99.5
VPN Client 1 - 192.168.99.6
VPN Client 2 - 192.168.99.7
I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 and 192.168.99.6 from client 2.
If I trace route from 192.168.99.6 to 192.168.99.7 - I can see that packets go to the server (192.168.99.5) and the next hop - request timeout.
What else should I configure to allow network traffic between VPN clients?
Hi,
To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Having issues on ASA 5510 pass traffic between interfaces
I am trying to pass traffic between two internal interfaces but am unable to. Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/2
nameif ct-users
security-level 100
ip address 10.12.0.1 255.255.0.0
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.12.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ct-users) 0 access-list inside_nat0_outbound
nat (ct-users) 1 0.0.0.0 0.0.0.0
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group inside_access_in in interface ct-users
access-group inside_access_ipv6_in in interface ct-users
On both networks I am able to access the internet, just not traffic between each other.
A packet-tracer reveals the following (it's hitting some weird rules on the way):
cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab827020, priority=1, domain=permit, deny=false
hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
NAT divert to egress interface ct-users
Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad5bec88, priority=12, domain=permit, deny=false
hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside any ct-users 10.12.0.0 255.255.0.0
NAT exempt
translate_hits = 2, untranslate_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
match ip inside 192.168.5.0 255.255.255.0 ct-users any
static translation to 192.168.5.0
translate_hits = 1, untranslate_hits = 15
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadf7a778, priority=5, domain=nat, deny=false
hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
match udp inside host 192.168.5.2 eq 1514 outside any
static translation to 184.73.2.1/1514
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8e2928, priority=5, domain=host, deny=false
hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.5.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xada0cd38, priority=5, domain=host, deny=false
hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.12.0.0, mask=255.255.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 189385494, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ct-users
output-status: up
output-line-status: up
Action: allow
How are you testing? If you are pinging between the subnets, make sure you have disabled Windows firewall and/or any other firewall that is installed on the PCs (remember to re-enable it later).
Are the NAT commands there because you were trying different things to get this working? I suggest you use the command no nat-control instead. Depending on the version of ASA you are running it may already be disabled by default. In version 8.4 and later nat-control has been removed completely.
Please remember to select a correct answer and rate helpful posts -
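One way to read a trace like the one posted above, as an added example that is not part of the thread: a small parser that collects each phase's result and reports the first phase that did not ALLOW. The first sample is abridged from the post (phases 1 and 12 plus the result block); the second is a constructed drop case, and the function names are hypothetical.

```python
# Abridged from the packet-tracer output in the post above.
ALLOWED_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 12
Type: FLOW-CREATION
Result: ALLOW
Result:
input-interface: inside
output-interface: ct-users
Action: allow
"""

# Constructed counter-example: the same flow if an ACL phase denied it.
DROPPED_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Result:
input-interface: inside
output-interface: ct-users
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def summarize(trace):
    """Return (phases, final): per-phase dicts and the closing result block."""
    phases, final, cur = [], {}, None
    for line in trace.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Phase":
            cur = {"phase": int(val)}
            phases.append(cur)
        elif key == "Result" and not val:
            cur = None  # a bare "Result:" line opens the closing block
        elif cur is not None and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
        elif cur is None and val:
            final[key.lower()] = val
    return phases, final

def verdict(trace):
    """Name the first phase that did not ALLOW, or report the allowed path."""
    phases, final = summarize(trace)
    for p in phases:
        if p.get("result") != "ALLOW":
            reason = final.get("drop-reason", "no reason given")
            return f"dropped at phase {p['phase']} ({p.get('type')}): {reason}"
    return f"ASA allows {final['input-interface']} -> {final['output-interface']}"
```

When every phase reports ALLOW and the closing block says `Action: allow`, as in the posted trace, the firewall's own policy is passing the flow and the remaining suspects are outside it, such as the host firewalls the reply mentions.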
Splitting music between iPod, iPad and iPhone
Hello all!
As the owner of all three of the above devices, I wonder sometimes what is the best way to split music between them. I have my entire library on my iPod classic but wonder how I should split things between my iPad and iPhone... Any advice?
You can sync whatever you like to each device.
You can sync by playlist, genre, album, artist, etc.