SSL or TLS client configure problems !!

Hello,
I am using Solaris native DS5.1, configured to use SSL certificate-based authentication (the server is now running with SSL configured).
Using an OpenSSL-created certificate and the certutil tools, I created cert7.db for the Solaris 9 client and even the Red Hat 7.3 client.
How can I tell the client to authenticate through SSL (port 636) and to use cert7.db (where to put the cert7.db file, now at /var/ldap)?
Also, how can I test if SSL port 636 is working and accepting LDAP queries?
N.B. The system is working fine with the normal port 389; all clients are happy without SSL.
Thanks
Farah

Sorry, I should have mentioned that you need to use the version of ldapsearch that comes with Directory Server - mine is located in /usr/iplanet/ds5/shared/bin/. So you will probably want to amend your PATH. You will also need to add the relevant libraries to your LD_LIBRARY_PATH - mine being /usr/iplanet/ds5/lib:$LD_LIBRARY_PATH.
I've successfully used OpenSSL to create my directory server certificate & have (finally!) got OpenSSL-created client certificates to work. All I can say is make sure the server certificate is trusted.
Incidentally, you do not use the "-n" flag with the tstclnt command unless you are using a client certificate. My advice to use this command was probably misleading. Maybe the better way of testing your SSL connection is simply to run the relevant ldapsearch command, e.g.
ldapsearch -v -Z -p 636 -P /var/ldap -b "ou=people,o=myorg" "cn=*"
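
A second way to check that port 636 is accepting LDAP queries, as an added example that is not part of the original posts: this Python sketch completes a TLS handshake that trusts only the CA file you pass in, then sends an LDAPv3 anonymous bind and decodes the server's result code. The host name and CA file path are parameters you supply (assumptions, not values from this thread), and the sample response bytes are constructed.

```python
import socket
import ssl

# Constructed sample: BindResponse, messageID 1, resultCode 0 (success),
# empty matchedDN and diagnosticMessage.
SAMPLE_BIND_SUCCESS = bytes.fromhex("300c02010161070a010004000400")


def build_anonymous_bind(message_id=1):
    """Encode an LDAPv3 anonymous simple BindRequest (RFC 4511, section 4.2)."""
    if not 0 < message_id < 128:
        raise ValueError("this sketch only encodes single-byte message IDs")
    bind = bytes([0x02, 0x01, 0x03,    # INTEGER version = 3
                  0x04, 0x00,          # OCTET STRING name = "" (anonymous)
                  0x80, 0x00])         # [0] simple authentication, empty password
    op = bytes([0x60, len(bind)]) + bind           # [APPLICATION 0] BindRequest
    body = bytes([0x02, 0x01, message_id]) + op    # messageID + protocolOp
    return bytes([0x30, len(body)]) + body         # LDAPMessage SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic) from an LDAP BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                    # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    tag, code, pos = _read_tlv(op, 0)  # resultCode (ENUMERATED)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return (int.from_bytes(mid, "big"),
            int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def check_ldaps(host, ca_file, port=636, timeout=10):
    """Handshake with certificate verification, then try an anonymous bind.

    host and ca_file are supplied by the caller. Passing cafile means only
    that CA is trusted, so an untrusted or mismatched server certificate
    raises ssl.SSLCertVerificationError instead of silently connecting.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_anonymous_bind())
            # A BindResponse is a few dozen bytes, so one read is enough here.
            _, code, diag = parse_bind_response(tls.recv(4096))
            return {"tls_version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "result_code": code,      # 0 means the bind succeeded
                    "diagnostic": diag}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample response.
    print(build_anonymous_bind().hex())
    print(parse_bind_response(SAMPLE_BIND_SUCCESS))
```

A certificate verification error from `check_ldaps` points at the trust problem mentioned above (the server certificate's issuer is not in the CA file), while a non-zero result code means TLS is fine and the directory itself refused the bind.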

Similar Messages

  • Problems with exporting PWA views (grids in general) to Excel 2010 with Windows 8 + IE 10 as a client configuration

    Hello,
    I am wondering if Windows 8 + IE10 is a supported client configuration for PWA (Project Server 2010). I am unable to export PWA views to Excel 2010. No problems with Windows 7 + IE8/9.
    Any ideas?
    thanks,
    Daniel
    Daniel Villacis

    Hi,
    We followed the steps below on the local machine and checked the behavior.
    a. Open the Windows registry editor (regedit.exe)
    b. Go the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe
    c. Here, you’ll see a string value named “useURL”
    d. Rename this value to something else.  For example “useURLx”
    Note: You might have to restart the machine to apply the registry change to take effect.

  • Vpn configuration problems 2621xm and vpn client

    hello,
    I'm trying to configure my home Cisco 2621xm to accept VPN connections. I've used many Cisco PDF documents and they all say almost the same, so I've done my configuration using these documents.
    now I just can't get past this error message I'm getting and I have no idea why this is happening.
    any ideas to help me get past this step, I'm really stuck here.
    also, I've tried vpn client version 5 and 4.8
    cisco ios version is:
    Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Wed 20-Jun-07 05:48 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
    vision-router-01 uptime is 2 hours, 53 minutes
    System returned to ROM by power-on
    System image file is "flash:c2600-advipservicesk9-mz.124-16.bin"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 2621XM (MPC860P) processor (revision 1.0) with 127308K/3764K bytes of memory.
    Processor board ID JAD06350FM7
    M860 processor: part number 5, mask 2
    2 FastEthernet interfaces
    32K bytes of NVRAM.
    49152K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    here is my config that's VPN related
    aaa authentication login MYTAC group tacacs+ local enable
    aaa authorization network GROUPAUTHOR local
    username someuser password 0 somepassword
    crypto isakmp policy 5
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp keepalive 10 periodic
    crypto isakmp client configuration group VTELVPN
    key cisco123
    dns 192.168.10.5
    domain xyz.com
    pool VTELVPNPOOL
    crypto ipsec transform-set VTELSET1 esp-aes esp-sha-hmac
    crypto dynamic-map VTELDYNAMAP 10
    set transform-set VTELSET1
    set identity thisrouter-01
    reverse-route
    crypto map VTELCLIENTMAP client authentication list MYTAC
    crypto map VTELCLIENTMAP isakmp authorization list GROUPAUTOHOR
    crypto map VTELCLIENTMAP client configuration address respond
    crypto map VTELCLIENTMAP 10 ipsec-isakmp dynamic VTELDYNAMAP
    interface Dialer1
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp chap hostname xxxxxx
    ppp chap password 7 hahahahohoho
    ppp pap sent-username xxxxxx password 7 hahahahohoho
    crypto map VTELCLIENTMAP
    ip local pool VTELVPNPOOL 192.168.6.3 192.168.6.254

    Hi
    Can you try assigning a static ip to the dialer interface and try checking out the vpn connectivity ?
    regds

  • SSL VPN with client, anyconnect.

    I've set up a simple test on SSL VPN with client on a 3800.
    It didn't work. I assume I have to turn on the IP http server so that the client can hit it.
    But when I turned it on, the client goes to SDM; nothing with SSL VPN happened. It tells me the page is not available.
    The underlying routing is fine.
    Could you tell me where it is configured wrong?
    Config is copied below.
    thanks,
    Han
    =======
    Current configuration : 3340 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    enable password cisco
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    no network-clock-participate slot 1
    crypto pki trustpoint TP-self-signed-3551041125
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3551041125
    revocation-check none
    rsakeypair TP-self-signed-3551041125
    crypto pki certificate chain TP-self-signed-3551041125
    certificate self-signed 01
    quit
    dot11 syslog
    ip cef
    multilink bundle-name authenticated
    voice-card 0
    no dspfarm
    username cisco1 privilege 15 secret 5 $1$L2RA$Zqs6FLce5Ns5fny5aRL49/
    archive
    log config
    hidekeys
    interface GigabitEthernet0/0
    ip address dhcp
    duplex auto
    speed auto
    media-type rj45
    end
    interface Loopback1
    ip address 1.1.1.1 255.255.255.0
    interface GigabitEthernet0/0
    ip address dhcp
    duplex auto
    speed auto
    media-type rj45
    ip local pool svc-poll 1.1.1.50 1.1.1.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    ip http server
    no ip http secure-server
    control-plane
    line con 0
    logging synchronous
    line aux 0
    line vty 0 4
    scheduler allocate 20000 1000
    webvpn gateway SSLVPN
    ip interface GigabitEthernet0/0 port 443
    ssl trustpoint local
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn context SSLVPN
    ssl authenticate verify all
    policy group default
       functions svc-required
       svc default-domain "test.org"
       svc keep-client-installed
       svc split dns "primary"
    default-group-policy default
    gateway SSLVPN
    inservice
    end

    Using the SDM follow the below config example
    http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml
    The text "cisco 3800 ssl vpn configuration" in my favorite search engine, identified the above.
    HTH

  • Integration Directory(Configuration) Problem

    Hi All,
    I am facing one problem. I am working on the client through Citrix. I am not able to open Integration Directory (configuration problem). Onsite it's working fine. All the remaining applications (Integration Repository, SLD and Runtime Workbench) are working fine.
    If I open Integration Directory I am getting this message.
    <jnlp spec="1.0+" codebase="http://filp55.group.upm-kymmene.com:50100/dir">
        <information>
            <title>Integration Builder</title>
            <vendor>SAP AG</vendor>
            <homepage href="http://www.sap.com" />
            <description type="one-line">Directory</description>
            <description type="short">Directory</description>
            <description type="tooltip">Directory</description>
            <icon hight="64" href="start/graphics/sap6464.gif" type="splash" width="64" />
            <icon hight="32" href="start/graphics/SAP3232.gif" width="32" />
        </information>
        <security>
            <all-permissions />
        </security>
        <resources>
            <j2se version="1.4+" initial-heap-size="32m" max-heap-size="1024m" />
            <jar href="directory/aii_ibdir_client.jar" />
            <jar href="directory/aii_ibdir_core.jar" />
            <jar href="directory/aii_ibdir_sbeans.jar" />
            <jar href="directory/aii_ibdir_rb.jar" />
            <jar href="directory/aii_ib_client.jar" />
            <jar href="directory/aii_ib_core.jar" />
            <jar href="directory/aii_ib_sbeans.jar" />
            <jar href="directory/aii_ib_rb.jar" />
            <jar href="directory/aii_util_icons.jar" />
            <jar href="directory/aii_util_swing.jar" />
            <jar href="directory/aii_util_xml.jar" />
            <jar href="directory/aii_util_xsd.jar" />
            <jar href="directory/aii_utilxi_misc.jar" />
            <jar href="directory/aii_util_rb.jar" />
            <jar href="directory/clientaii_ib_sbeans.jar" />
            <jar href="directory/clientaii_ibdir_sbeans.jar" />
            <jar href="directory/frog.jar" />
            <jar href="directory/focus14.jar" />
            <jar href="directory/sapxmltoolkit.jar" />
            <jar href="directory/jta.jar" />
            <jar href="directory/ejb20.jar" />
            <jar href="directory/exception.jar" />
            <jar href="directory/logging.jar" />
            <jar href="directory/guidgenerator.jar" />
            <jar href="directory/jperflib.jar" />
            <jar href="directory/sapni.jar" />
            <jar href="directory/sapj2eeclient.jar" />
            <property name="sap.theme" value="Streamline" />
            <property name="jnlp.log.initialConfiguration" value="FILE, SIMPLE" />
            <property name="jnlp.com.sap.aii.ib.client.properties" value="com.sap.aii.ib.client., com.sap.aii.ib.core., com.sap.aii.util.xml., com.sap.aii.connect., com.sap.aii.repository.mapping.additionaltypes, com.sap.aii.docu., com.sap.aii.ibrep.core., com.sap.aii.ibdir.core.*" />
            <property name="jnlp.com.sap.aii.connect.integrationserver.r3.sysnr" value="01" />
            <property name="jnlp.com.sap.aii.connect.landscape.contextroot" value="sld" />
            <property name="jnlp.com.sap.aii.connect.cr.name" value="filp40.group.upm-kymmene.com" />
            <property name="jnlp.com.sap.aii.ib.client.content.languages" value="EN,DE" />
            <property name="jnlp.com.sap.aii.connect.repository.contextroot" value="rep" />
            <property name="jnlp.com.sap.aii.ib.client.login.languages" value="EN,DE" />
            <property name="jnlp.com.sap.aii.connect.directory.rmiport" value="50104" />
            <property name="jnlp.com.sap.aii.connect.cr.contextroot" value="sld" />
            <property name="jnlp.com.sap.aii.connect.rwb.r3.client" value="790" />
            <property name="jnlp.com.sap.aii.connect.directory.contextroot" value="dir" />
            <property name="jnlp.com.sap.aii.connect.rwb.contextroot" value="rwb" />
            <property name="jnlp.com.sap.aii.connect.landscape.httpsport" value="@com.sap.aii.server.httpsport.lcr@" />
            <property name="jnlp.com.sap.aii.connect.repository.rmiport" value="50104" />
            <property name="jnlp.com.sap.aii.connect.repository.httpport" value="50100" />
            <property name="jnlp.com.sap.aii.connect.directory.name" value="filp55.group.upm-kymmene.com" />
            <property name="jnlp.com.sap.aii.connect.cr.httpsport" value="@com.sap.aii.server.httpsport.cr@" />
            <property name="jnlp.com.sap.aii.connect.repository.name" value="filp55.group.upm-kymmene.com" />
            <property name="jnlp.com.sap.aii.connect.integrationserver.contextroot" value="run" />
            <property name="jnlp.com.sap.aii.connect.integrationserver.name" value="filp55.group.upm-kymmene.com" />
            <property name="jnlp.com.sap.aii.connect.rwb.httpsport" value="@com.sap.aii.connect.rwb.httpsport@" />
            <property name="jnlp.com.sap.aii.connect.landscape.httpport" value="50000" />
            <property name="jnlp.com.sap.aii.docu.languages" value="null" />
            <property name="jnlp.com.sap.aii.ib.client.jnlp.j2se.initialheapsize" value="32m" />
            <property name="jnlp.com.sap.aii.util.xml.parserFactory" value="com.sap.engine.lib.jaxp.SAXParserFactoryImpl" />
            <property name="jnlp.com.sap.aii.connect.directory.httpport" value="50100" />
            <property name="jnlp.com.sap.aii.connect.directory.httpsport" value="@com.sap.aii.server.httpsport.directory@" />
            <property name="jnlp.com.sap.aii.connect.integrationserver.r3.httpport" value="8001" />
            <property name="jnlp.com.sap.aii.connect.rwb.name" value="filp55.group.upm-kymmene.com" />
            <property name="jnlp.com.sap.aii.connect.integrationserver.r3.client" value="790" />
            <property name="jnlp.com.sap.aii.connect.cr.httpport" value="50000" />
            <property name="jnlp.com.sap.aii.connect.landscape.name" value="filp40.group.upm-kymmene.com" />
            <property name="jnlp.SAPMYNAME" value="filp55_GTX_01" />
            <property name="jnlp.com.sap.aii.connect.rwb.httpport" value="50100" />
            <property name="jnlp.com.sap.aii.docu.url" value="null" />
            <property name="jnlp.com.sap.aii.ib.client.applicationname.directory" value="sap.com/com.sap.xi.directory/" />
            <property name="jnlp.com.sap.aii.util.xml.transformerFactory" value="com.sap.engine.lib.jaxp.TransformerFactoryImpl" />
            <property name="jnlp.com.sap.aii.ib.client.applicationname.repository" value="sap.com/com.sap.xi.repository/" />
            <property name="jnlp.com.sap.aii.ib.client.login.InitialContextFactory" value="com.sap.engine.services.jndi.InitialContextFactoryImpl" />
            <property name="jnlp.com.sap.aii.connect.integrationserver.httpport" value="50100" />
            <property name="jnlp.client" value="true" />
            <property name="jnlp.com.sap.aii.connect.repository.httpsport" value="@com.sap.aii.server.httpsport.repository@" />
            <property name="jnlp.com.sap.aii.ib.client.jnlp.j2se.maxheapsize" value="1024m" />
            <property name="jnlp.com.sap.aii.connect.integrationserver.httpsport" value="@com.sap.aii.connect.integrationserver.httpsport@" />
            <property name="jnlp.com.sap.aii.connect.integrationbuilder.startpage.url" value="rep/start/index.jsp" />
            <property name="jnlp.com.sap.aii.connect.integrationserver.r3.httpsport" value="@com.sap.aii.connect.integrationserver.r3.httpsport@" />
            <property name="jnlp.com.sap.aii.connect.rwb.r3.sysnr" value="01" />
            <property name="jnlp.com.sap.aii.util.xml.schemaValidator" value="com.sap.engine.lib.schema.validator.SchemaValidator" />
            <property name="jnlp.rc.release" value="7_00" />
            <property name="jnlp.rc.applname" value="DIRECTORY" />
            <property name="jnlp.rc.supportpackage" value="09" />
            <property name="jnlp.rc.synctime" value="${sync.time}" />
        </resources>
        <application-desc main-class="com.sap.aii.ibdir.gui.appl.ApplicationImpl">
            <argument>webstart</argument>
        </application-desc>
    </jnlp>
    Please help me on this.
    Thanks in advance.
    Regards,
    Chandra

    Hello,
    1)
    Maybe the problem is a network connectivity issue. Do one thing: copy the "cache" folder from some other client PC (which has successfully opened IR and ID) to your client PC. The folder resides in "C:\Documents and Settings\<yourUserProfile>\Application Data\Sun\Java\Deployment\javaws".
    Copy "cache" folder to your client PC under the above path.
    /people/shabarish.vijayakumar/blog/2006/02/13/unable-to-open-iresrid-xipipi-71-updated-for-pi-71-support
    https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1688 [original link is broken]
    2) Go to http://filp55.group.upm-kymmene.com:50100/rep/
    Click on Administration -> Java™ Web Start -> Java™ Web Start Administration ->
    Try
    1. Re-initialization (then try logging)
    2. Re-initialization and force-signing (then try logging)
    3. Delete lock (then try logging)
    Do this for IR and ID tabs.
    3) Check whether it can be a firewall issue.
    4) Check whether sufficient roles have been assigned -> Tcode -> SU01 -> roles tab. These roles need to be assigned to your username
    SAP_BC_AI_LANDSCAPE_DB_RFC
    SAP_SLD_CONFIGURATOR
    SAP_SLD_DEVELOPER
    SAP_XI_BPE_CONFIGURATOR_ABAP
    SAP_XI_BPE_MONITOR_ABAP
    SAP_XI_DEVELOPER
    SAP_XI_DEVELOPER_ABAP
    SAP_XI_DEVELOPER_J2EE
    SAP_XI_MONITOR
    SAP_XI_MONITOR_ABAP
    SAP_XI_MONITOR_J2EE
    Edited by: BVS on May 7, 2008 3:01 PM

  • Why does SSL VPN require client for full functionality?So What's the point?

    I was interested in SSL VPN because I thought that I could have the same functionality I have when connecting via Cisco VPN 3000 concentrator (IPSec with AH and ESP enabled), but without the hassle to deploy and maintain client VPN's for thousands of users.
    However, to my disappointment, based on the information below from www.cisco.com (and I believe that it is the case from other vendors, right?) SSL VPN offers limited functionality if deployed clientless. Why is like that?
    Imagine I have a VPN (IPSec) solution functional today. If I deploy SSL VPN (clientless) what lack in functionality should I experience? Why a VPN client is required if SSL VPN can successfully establish the tunnel? I don't get it.
    "...SSL VPNs provide two different types of access: clientless access and full network access. Clientless access requires no specialized VPN software on the user desktop; all VPN traffic is transmitted and delivered through a standard Web browser. Because all applications and network resources are accessed through a browser, only Web-enabled and some client-server applications-such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers-can be accessed using a clientless connection. This limited access is suitable for partners or contractors that should be provided access to a limited set of resources on the network. And because no special-purpose VPN software has to be delivered to the user desktop, provisioning and support concerns are minimized."

    Hi,
    Clientless SSL VPN is only able to access applications through a browser (i.e. HTTP and HTTPS). If you need to access other applications like RDC, you need the full SSL client.
    The full SSL client is deployed automatically, depending on how you configure the SSL VPN box (temporarily or permanently):
    1. From the SSL VPN box, you can configure it to be downloaded and installed on the user PC permanently (500KB+). When the user is successfully authenticated by the SSL VPN box, it will download the client and install it automatically/permanently without any help from the network administrator. The user needs to log in on his/her PC with administrator privilege.
    2. From the SSL VPN box, you can configure it to be downloaded and installed on the user PC temporarily (500KB+). When the user is successfully authenticated by the SSL VPN box, it will download the client and install it temporarily without any help from the network administrator. The user needs to log in on his/her PC with administrator privilege.
    In one of my deployment, I have 1000+ SSL VPN user. I just need to create a 10 page User Manual/Guide complete with troubleshooting on their own. I use the first option which is automatically download and permanently install in their PC. Patching the SSL VPN Full Client need to upload the new client in the SSL VPN box only and it will automatically patch the client in user PC.
    Dandy

  • Policy Based Routing with VPN Client configuration

    Hi to all,
    We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
    The router has two WAN connections. One is the primary WAN ("slow wan" link with slower upload, 10D/1U mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has a higher upload speed, 11D/11U mbps (fast wan), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasons we cannot use the `fast wan` connection as our primary connection and it is used only as a failover in case the primary link fails.
    The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
    Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in from the `fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload, the VPN connection is slow.
    Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
    This is our sanitized config
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group dc
    key ***
    dns 192.168.5.7
    domain corp.local
    pool SDM_POOL_1
    acl 101
    max-users 3
    netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group dc
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile SDM_Profile1
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    set isakmp-profile sdm-ike-profile-1
    interface Loopback0
    ip address 10.10.10.1 255.255.255.0
    interface FastEthernet0/0
    description *WAN*
    no ip address
    ip mtu 1396
    duplex auto
    speed auto
    interface FastEthernet0/0.3
    description FAST-WAN-11D-11U
    encapsulation dot1Q 3
    ip address 88.XX.XX.75 255.255.255.248
    ip load-sharing per-packet
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0.4
    description SLOW-WAN-10D-1U
    encapsulation dot1Q 4
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    interface FastEthernet0/1
    description *LOCAL*
    no ip address
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1.10
    description VLAN 10 192-168-5-0
    encapsulation dot1Q 10
    ip address 192.168.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly max-reassemblies 32
    no cdp enable
    interface FastEthernet0/1.20
    description VLAN 20 10-10-0-0
    encapsulation dot1Q 20
    ip address 10.10.0.254 255.255.255.0
    ip access-group PERMIT-MNG out
    ip nat inside
    ip virtual-reassembly
    !!! NOTE: This route map is used to PBR the http traffic for our server
    ip policy route-map REDIRECT-VIA-FAST-WAN
    no cdp enable
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile SDM_Profile1
    interface Virtual-Template3
    no ip address
    interface Virtual-Template4
    no ip address
    ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
    ip forward-protocol nd
    !!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
    !!! FAST-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
    ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
    ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 10.10.0.0 0.0.0.255 any
    ip access-list extended FAST-WAN-NAT
    permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit icmp 192.168.5.0 0.0.0.255 any
    permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit icmp 10.10.0.0 0.0.0.255 any
    ip access-list extended REDIRECT-VIA-FAST-WAN
    deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
    permit tcp host 10.10.0.43 eq 443 9675 any
    ip access-list extended SLOW-WAN-NAT
    permit ip 192.168.5.0 0.0.0.255 any
    permit ip 10.10.0.0 0.0.0.255 any
    route-map FAST-WAN-NAT-RMAP permit 10
    match ip address FAST-WAN-NAT
    match interface FastEthernet0/0.3
    route-map REDIRECT-VIA-FAST-WAN permit 10
    match ip address REDIRECT-VIA-FAST-WAN
    set ip next-hop 88.XX.XX.73
    route-map SLOW-WAN-NAT-RMAP permit 10
    match ip address SLOW-WAN-NAT
    match interface FastEthernet0/0.4

    Can you try to use PBR Match track object,
    Device(config)# route-map abc
    Device(config-route-map)# match track 2
    Device(config-route-map)# end
    Device# show route-map abc
    route-map abc, permit, sequence 10
      Match clauses:
        track-object 2
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Additional References for PBR Match Track Object
    This feature is a part of IOS-XE release 3.13 and later.
    PBR Match Track Object
    Cisco IOS XE Release 3.13S
    The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
    The following commands were introduced or modified: match track tracked-obj-number
    Cheers,
    Sumit

  • Changes to Verizon email servers and Non-SSL capable email clients

    Need to change over my pop/smtp settings to the new settings as per Verizon notification.  I have quite a few non-SSL capable email clients.  Does Verizon provide a non-SSL email server on port other than 25 I can use ?

    blottje wrote:
    Need to change over my pop/smtp settings to the new settings as per Verizon notification.  I have quite a few non-SSL capable email clients.  Does Verizon provide a non-SSL email server on port other than 25 I can use ?
    Not once they turn off the old incoming/outgoing servers. (Supposedly coming in September.)
    What email clients are you using that don't allow for SSL???

  • Client deletion Problem - Urgent..

    Hi Experts,
    There is an existing DEV-QA-PRD environment. There is a need to have a complete Configuration copy of PRD in DEV2 system, which will be used to build another Production Stream (DEV2, QA2, PRD2) for another project.
    When we are deleting the client, we are facing the problems below:
    1) Production equivalent client (4 TB of data) is taking too much time while deleting tables (step 4 in the diagram below).
    2) Of the total 34,882 tables, 34,855 tables took almost 7-8 days to delete.
    3) Last 30-35 tables are taking a lot of time to delete, these are probably the largest tables in the system
    4) Tables EDIDS and CDCLS are currently being deleted for the last 3-4 days
    5) Adding more processes to the Dev2 system is not helping either.
    6) At the current rate, these tables will take another 1.5-2 weeks, which seems to be a long time
    7) Some more tables which took more time were SWWLOGHIST, IDOCREL, SRRELROLES
    Other information:
    1) Operating System used  for the ECC 5.0 is: Tru64 / HP, Oracle 9i DB (List of Service packs and Patches are attached)
    2) Production system has data worth approx. 4TB
    3) No Data Archiving has been done since the inception of the system
    I need your suggestions and comments on this; it's urgent.
    Points will be rewarded for suitable answers.
    Regards
    Prabhu

    Hi Prabhakar
    Any other comments Plz...
    Ok, you wanted it )) here is mine
    so far:
    - you copied your huge database (where you don't delete / archive old data) to the new server
    - you are now deleting row by row all that data
    - you will end up having a still huge but empty database, because the tables / tablespaces won't shrink after the client deletion
    This does not make any sense to me, am i missing something :(((
    Are there other clients in the prod system, which you keep?
    @ Markus: i don't think they have 100+ gb memory to cache their huge tables in the sga
    I guess the client deletion has something like a MAX ROWS COMMIT limit to prevent undo overflow. If this number is for example 100'000 rows, then you have to execute 100 delete statements (-> 100 full scans) on a 10mio row table. This of course is taking ages. Even worse it gets slower and slower, because the first delete up to 100'000 rows gets the first blocks, the second scans the same blocks, but they are empty now, so it has to scan further, and so on...
    Best regards
    Michael
    Update: i recall there was a sap note somewhere, i just checked, here it is:
    365304 - CC-ADMIN: Reports for deleting tables
    Edited by: mho on Jan 8, 2008 2:40 PM

  • Could not start the app due to a configuration problem

    Hi Gurus,
    I have an issue to be resolved asap, need your assistance.
    I have implemented SAP Fiori apps (Approve Purchase Order, Approve Purchase Contract, My Leave Request and Approve Leave Request)
    We have only one Gateway system and 3 back end ECC systems.
    Gateway Client 220 is integrated with ECC Dev and performed all the configurations and tested successfully.
    We have created a new client 320 as a copy of client 220, integrated client 320 with the ECC quality system and performed the necessary configurations. While testing, the Approve Purchase Order and Approve Purchase Contract tiles load the count from the ECC quality system, but when I click on the tile it throws an error "could not start the app due to a configuration problem", and when I click the error it is redirected to client 220.
    From the inspect element I found below error
    2015-04-13 12:22:13 INTEROP service's ResolveLink operation returned 2 targets for hash '#PurchaseOrder-approve', first one is used. - used target: {"id":"PurchaseOrder-approve~652","shellType":"FLP","postParameters":"","text":"Approve Purchase Orders","applicationData":"SAPUI5.Component=ui.s2p.mm.purchorder.approve","applicationAlias":"ApprovePurchaseOrders","applicationType":"URL","url":"/sap/bc/ui5_ui5/sap/mm_po_apv"}
    ignored target: {"id":"PurchaseOrder-approve~65k","shellType":"FLP","postParameters":"","text":"Approve Purchase Orders","applicationData":"SAPUI5.Component=ui.s2p.mm.purchorder.approve","applicationAlias":"ApprovePurchaseOrders","applicationType":"URL","url":"/sap/bc/ui5_ui5/sap/mm_po_apv"} sap.ushell_abap.adapters.abap.NavTargetResolutionAdapter
    I did not find any duplicate # key entries in table USOBHASH.
    Any response is highly appreciated, thanks in advance
    Regards,
    Srujan

    Hi Michael,
    Thanks for that. I have raised an OSS message to SAP to seek their assistance on the solution I followed to fix the issue. I reverted the changes and reproduced the issue for the SAP guys to investigate further. In the end they concluded that there is an external alias defined for /sap/bc/ui5_ui5/sap in transaction SICF in GP1/320, which contains a hard-coded client 220.
    This is responsible for the fact that the services are redirected/opened in client 220.
    After removing the hard-coded client from the system aliases under /sap/bc/ui5_ui5/ in transaction SICF, I reverted the change from "Alternative Logon Procedure" to "standard" in the logon procedure of each service and tested; the issue is now resolved.
    This could help someone resolve a similar issue.
    Thanks everyone
    Regards,
    Srujan

  • SCCM and Windows Update Client Configuration

    Hello,
    I am in the process of migrating SCCM 2007 client over to a new SCCM 2012 R2 site.
    I deleted the AD site from 2007 and added it to 2012 and the client is pushed via Client Push. The client upgrades fine and things go well but I run into a little problem after the client is installed.
    Basically it seems to be an issue with how SCCM interacts with and controls Windows Update settings on the SCCM client. I ran into somewhat of a major issue that caused all (or many) of the newly upgraded clients to go to the internet to download updates from Microsoft shortly after the move from the 2007 site and client upgrade to 2012. This was because the client (or at least the ones I checked) had their WU settings set to “Always download and install” (or something similar). Obviously, this is expected behavior with this setting, but the question is how did it get this way?
    Does SCCM control any of these settings? I know it takes over the WSUS settings, etc, but I didn’t think it does anything with the WU client itself.
    From my understanding the WU client settings are done via GPO (local or domain) or WU setting and SCCM does not control these settings.
    I’m not looking for you to solve the problem, because it’s quite tedious, I’m just hoping that someone can lead me in the right direction to find out what if any WU settings are controlled or changed by SCCM 2007 or 2012.
    Thanks
    Angelo

    Thanks for the extra info, Idan. I should probably admit that I am an AD admin and SCCM is handled by someone else in my department. My main issue with the LocalGPO is the Event 1096 corruption that causes all admin template settings to revert to defaults - currently happening on over 100 workstations in our environment. 100% of these problems are caused by LocalGPO corruption and nothing else. And we will pursue resolution of this issue with Microsoft because we agree that resolving this problem is the primary goal.
    But for the sake of understanding: We don't have any non-domain members that need to be managed by SCCM. If we had a policy stating "no SCCM client configurations resulting in a LocalGPO file are to be implemented in production - all are to be done via Domain Group Policy," is it possible to eliminate the LocalGPO entirely? Or will there always be a LocalGPO file regardless of whether or not there are settings visible from it in a gpresult report? We would not need to match SCCM configurations in Domain Group Policy because we would not make any changes to the SCCM client resulting in a LocalGPO file at all. The slow link detection is not of concern to us because none of these settings that would not apply in this case are SCCM-managed via LocalGPO (as far as I know):
    http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/27/gpos-and-slow-link-detection.aspx
    Another reason why I would prefer to do these settings in Domain Group Policy is that we have Advanced Group Policy Management installed in our environment, which is subject to our Change/Release process. We can track the changes being made to clients much more easily when they are done via AGPM. Any changes that we want to make via SCCM client could be tested first to see how LocalGPO is affected, and then those changes could be made via Domain Group Policy instead in production.
    Given this info, I'm still struggling to understand why it is recommended to implement anything via SCCM client configurations resulting in a LocalGPO file. So far, the only compelling reason is that management of non-domain members is not possible via Domain Group Policy, but that doesn't apply to our environment. Is it recommended mostly for ease of administration, so that an SCCM admin doesn't need to work with another tool (Domain Group Policy)? Any extra reasoning for this recommendation that anyone can provide is much appreciated!

  • Good afternoon. I have a computer with W Vista 8, Windows office home and business 2013. I recently tried to install Photoshop Elements by CD with serial number but on the desktop appears the following message: error 1 (configuration problem) try to uninst

    What's error 1 in adobe photoshop elements configuration? I have a computer with W Vista 8, Windows office home and business 2013. I recently tried to install Photoshop Elements by CD with serial number but on the desktop appears the following message: error 1 (configuration problem) try to uninstall and reinstall. I have done this but the message continues to appear

    You haven't mentioned which version of PSE. If it is PSE 13, that requires a minimum of windows 7.

  • Problem Syncing Outlook....says outlook sync client encountered problem

    I have been syncing outlook calendar and contacts from my PC to my iPhone with no problems. I have version 1.1.2 on my iPhone and 7.5 or whatever the latest is on iTunes software. The syncs were fine until recently and now I can't sync and get an error message that says "outlook sync client encountered problem". What could possibly have happened....I read some posts that say to go back to iTunes 7.3 etc....this has to be a common problem....any suggestions.

    Here is an article from the apple support website that might help out.
    http://docs.info.apple.com/article.html?artnum=305845

  • How can I Create a Client Configuration File for RemoteApp and Desktop Connection with Server 2012?

    I have a working RDS RemoteApp site and am looking to test out the feature in Windows 7 Control Panel\All Control Panel Items\RemoteApp and Desktop Connections.
    I came across this link: Create a Client Configuration File for RemoteApp and Desktop Connection and I believe this is what I need to do first, but these instructions are for Server 2008, and I'm running 2012.
    Any suggestions or tips on how I can begin testing this with Server 2012?

    Hi,
    You can manually enter the path to the 2012 feed and it will connect and download the RemoteApps and Desktop connections.
    If you need a sample .wcx file I have posted one here a couple of times. If you want I will look for it and post a link.
    -TP
    I tried adding my URLs below, these are sample links that work for me right now for when I log into the web page, but neither of these work. And I'm not sure what I would need to do with or how to create a .wcx file.
    When I type in my URL of: https://connect.mydomain.org/RDWeb, I get redirected to: https://connect.mydomain.org/RDWeb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx

  • Itunes starts but fails to open due to audio configuration problem

    Hi
    I have been running itunes 7.1 quite successfully until today. Running on windows xp/toshiba laptop.
    Problem occurs when i select itunes on desktop, itunes appears on task bar below, after a number of seconds the following error message appears "itunes cannot run because it has detected a problem with your audio configuration", once I click ok on this message itunes terminates.
    No changes have been made to my audio configuration (to the best of my knowledge), i can run Windows Media Player and that works fine, so too real player.
    I reinstalled itunes, but this did not resolve the problem. I also ran itunes from another logon on my laptop and that presented the same error. I checked all my audio settings in the control panel and also ran the diagnostics on each device and all appears to be fine.
    Has anybody faced the same issue, and could anybody advise on any diagnostic tool that could assist in pinpointing the configuration problem?
    Thanks
    Toshiba Satellite   Windows XP Pro  

    Hi
    Got it resolved, thanks for the prompt responses all!
    Resolved by removing the current version of Quicktime through the control panel (add/remove programs), and then reinstalling from the website.
    Phew!
    Toshiba Satellite   Windows XP Pro  
