Teardown
Can anyone please explain to me exactly what tear down time is? Is that always the same as machine hours?
regards
jaya
The downtime of a machine following a given production order which usually involves removing parts such as jigs and fixtures and which must be completely finished before setting up for the next order.
For understanding, in short, this can be taken as the reverse of set up time.
Regards
Soundararajan M.
Similar Messages
-
Understanding teardown from log
Is the Reset-I always from the device on the higher security level interface (in this case 172.16.112.10/3389)?
In the second case, what conclusions can be drawn from the teardown information "TCP FINs" - who is it that sends the first FIN?
I'm struggling to find the reasons for connections "freezing" or closing, but no errors that I can relate to the connection ids whatsoever.
asa.log:2014-02-03T15:04:32.186954+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1730891653 for wan:195.195.195.195/49624 (195.195.195.195/49624) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T17:21:36.585964+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1730891653 for wan:195.195.195.195/49624 to vlan547:172.16.112.10/3389 duration 2:17:05 bytes 35781464 TCP Reset-I
asa.log:2014-02-03T13:14:51.660321+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1729135626 for wan:195.195.195.195/50005 (195.195.195.195/50005) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)
asa.log:2014-02-03T18:05:02.785968+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1729135626 for wan:195.195.195.195/50005 to vlan547:172.16.112.10/3389 duration 4:50:14 bytes 36231472 TCP FINs
Hi,
The TCP Reset-I and TCP Reset-O should refer to the TCP RST coming from either higher or lower "security-level" interface.
There are some other things affected by the "security-level" also in the output of the ASA. For example when you check the output of "show conn" command the host on the lowest "security-level" interface is listed first. Same goes for log messages. The host on the lowest "security-level" interface is mentioned first in the log messages for Building and Teardown the connection.
To my understanding there is no way to determine the side which normally closed the connection from the log message itself. I would presume that the Client would usually do this but can't be 100% sure that it's always like this.
If there is not a clear indication that the firewall is doing something to the connection then I would suggest capturing traffic to find out what is happening to the connection. You can either attach some host to the network to capture all the traffic from some port or perhaps capture traffic on the ASA itself.
You could for example configure a capture for your RDP connection like this
access-list RDP-CAP permit tcp host host
access-list RDP-CAP permit tcp host host
capture RDP-CAP type raw-data access-list RDP-CAP interface outside buffer 33500000 circular-buffer
If you are expecting a lot of data you will either have to do the capture on some other device (ASAs buffer limited to approx the above amount of Bytes) or you can either create a capture for each direction separately to maximize the amount of traffic that can be captured.
You could also leave out the Data in the actual packets and only capture the headers by using this command
capture RDP-CAP type raw-data access-list RDP-CAP interface outside buffer 33500000 circular-buffer headers-only
You can naturally use both of the above commands. Naturally you will have to use a different name for the "capture"; I am not sure whether you have to use a different ACL.
You can then use this command to check if there is traffic captured
show capture
If you wish to show capture contents on the CLI then you can use this command
show capture RDP-CAP
Then again you might want to load the capture to your host/server and open it with Wireshark then you could use this command
copy /pcap capture:RDP-CAP tftp://x.x.x.x/RDP-CAP.pcap
You can remove the capture with the command
no capture RDP-CAP
You will have to remove the capture ACL separately.
I am not sure how much information can be gotten from the RDP server itself. I don't have to deal with the IT side at all usually so I don't really know to what extent you would be able to log what the actual server does during those connection issues. A traffic capture would certainly tell what happens to the data/connection.
Hope this helps
- Jouni -
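Added example (not part of the original thread): Python that pairs 302013 Built and 302014 Teardown messages by connection id and applies the rule given in the answer above, that the first-listed host is on the lower security-level interface, to name the side a Reset-I or Reset-O came from. The sample lines are copied from logs posted on this page; all function and variable names are assumptions of this example, and it goes slightly beyond the thread by also accepting the pipe-separated, newest-first log format that appears in a later thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# An endpoint is "interface:ip/port"; prefix "a" = listed first, "b" = listed second.
EP = r"(?P<{0}if>[^:\s]+):(?P<{0}ip>[\d.]+)/(?P<{0}port>\d+)"
BUILT = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    + EP.format("a") + r" \([^)]*\) to " + EP.format("b"))
TEARDOWN = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for "
    + EP.format("a") + " to " + EP.format("b")
    + r" duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) ?(?P<reason>.*)$")

# Reading of each reason; the Reset-I/Reset-O mapping follows the answer above.
HINTS = {
    "TCP FINs": "normal FIN close; the message does not say who sent the first FIN",
    "TCP Reset-I": "RST from the higher security-level side (listed second)",
    "TCP Reset-O": "RST from the lower security-level side (listed first)",
    "SYN Timeout": "three-way handshake did not complete",
}

@dataclass
class Conn:
    conn_id: str
    first: str                 # host listed first (lower security level)
    second: str                # host listed second (higher security level)
    duration_s: int
    nbytes: int
    reason: str
    direction: Optional[str]   # None when no Built line was in the input

def to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def endpoint(m, side: str) -> str:
    return f"{m[side + 'if']}:{m[side + 'ip']}/{m[side + 'port']}"

def correlate(lines: Iterable[str]) -> List[Conn]:
    # Collapse whitespace so a line wrapped by the terminal or mailer still matches.
    norm = [" ".join(line.split()) for line in lines]
    # Two passes: ASDM-style logs are newest first, so Teardown can precede Built.
    directions = {}
    for line in norm:
        m = BUILT.search(line)
        if m:
            directions[m["id"]] = m["dir"]
    conns = []
    for line in norm:
        m = TEARDOWN.search(line)
        if m:
            conns.append(Conn(m["id"], endpoint(m, "a"), endpoint(m, "b"),
                              to_seconds(m["dur"]), int(m["bytes"]),
                              m["reason"], directions.get(m["id"])))
    return conns

def rst_sender(conn: Conn) -> Optional[str]:
    """Endpoint that sent the RST, or None when the reason is not a reset."""
    if conn.reason == "TCP Reset-I":
        return conn.second
    if conn.reason == "TCP Reset-O":
        return conn.first
    return None

def describe(conn: Conn) -> str:
    hint = HINTS.get(conn.reason, "no hint for this reason")
    note = "" if conn.direction else " (no Built line in input)"
    return (f"{conn.conn_id}: {conn.first} <-> {conn.second} "
            f"{conn.duration_s}s {conn.nbytes}B [{conn.reason}] {hint}{note}")

# Sample input: lines copied from the logs posted on this page.
SAMPLE = [
    "asa.log:2014-02-03T15:04:32.186954+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1730891653 for wan:195.195.195.195/49624 (195.195.195.195/49624) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)",
    "asa.log:2014-02-03T17:21:36.585964+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1730891653 for wan:195.195.195.195/49624 to vlan547:172.16.112.10/3389 duration 2:17:05 bytes 35781464 TCP Reset-I",
    "asa.log:2014-02-03T13:14:51.660321+01:00 10.1.4.1 %ASA-6-302013: Built inbound TCP connection 1729135626 for wan:195.195.195.195/50005 (195.195.195.195/50005) to vlan547:172.16.112.10/3389 (212.112.9.209/3389)",
    "asa.log:2014-02-03T18:05:02.785968+01:00 10.1.4.1 %ASA-6-302014: Teardown TCP connection 1729135626 for wan:195.195.195.195/50005 to vlan547:172.16.112.10/3389 duration 4:50:14 bytes 36231472 TCP FINs",
    "6|Apr 21 2011 12:40:44|302014: Teardown TCP connection 8954 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57140 duration 0:00:30 bytes 0 SYN Timeout",
    "6|Apr 21 2011 12:40:14|302013: Built outbound TCP connection 8954 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57140 (72.54.197.26/57140)",
    "6|Apr 21 2011 12:38:55|302014: Teardown TCP connection 8227 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57121 duration 0:00:30 bytes 0 SYN Timeout",
]

if __name__ == "__main__":
    for c in correlate(SAMPLE):
        print(describe(c))
```

A long-lived session ending in Reset-I or Reset-O points the packet capture at the named side; connection ids can be reused over long log windows, so feed the function one time window at a time.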
Unit tests: more than one startup (teardown) process
Can I create more than one startup (teardown) process?
Mike
At this time if you need more than one you would need to use PL/SQL and write them.
We will be adding the ability to have more than one in the next version.
-
2.1.0.63: Teardown Table or Row Restore failed
Hello all,
I'm trying to explore the new unit testing functionality of SQL Developer. Some of my basic testing has gone well, but now I'm hitting an error that I can't resolve.
My unit test has a Startup Process of "Table or Row Copy" that populates the target table (and using a WHERE clause) successfully. I've configured the Teardown Process with "Table or Row Restore".
When running the UT, I get the error "Teardown Table or Row Restore failed: ORA-06502: PL/SQL: numeric or value error: character string buffer too small ORA-06512: at line 22" on the Teardown node. I've tried tweaking the Teardown settings to no avail.
I'm not sure what to do to resolve this error. (My code doesn't even have 22 lines of code.)
Any thoughts on troubleshooting this?
Thanks,
John
Edited by: user8153814 on Jan 11, 2010 4:53 PM
Added SQL Developer version number to the subject
(with apologies to John for not noticing this much earlier,)
Can you provide:
1. Definition for the table (don't care about names if that's sensitive, but column data type specification and any constraints are important)
2. Options specified for startup
3. Options specified for teardown
Thanks,
Brian Jeffries
SQL Developer Team
-
Applet teardown what is it ?
Hi All,
I have seen in java console logs "applet teardown" started logs. It would be helpful if you can explain in detail.
My issue is that when I launch the applet, I get the error "Unable to Start Plugin".
Is there a setting that can be done at the applet side to create a core dump of the java process/applet so that we will come to know the exact issue?
java plug in versions are
Java Plug-in 1.6.0_11
J2SE 1.4.2 Update 5
JRE 1.4.2_16
Please note that in java console there are no errors.
Renjith.
OK, so now you are in the market for a display. I have no idea who these people are but this will give some guidance on price:
http://www.dvwarehouse.com/Apple-LCD-Display-for-iMac-27-Mid-2010-661-5568---p-38499.html
And then there's the sometimes murky world of eBay:
http://www.ebay.com/itm/LCD-Display-27-inch-iMac-661-5527-/110727633992?pt=LH_DefaultDomain_0&hash=item19c7e19c48
Again, no endorsement or personal recommendation, just some Googling for you.
-
TCP Reset-O - Teardown tcp connection
Dec 23 2013 20:04:31: %FWSM-6-302013: Built outbound TCP connection 146543498379530235 for inside:192.168.5.250/4831 (172.168.25.1/4380) to P_DMZ:172.168.25.13/139 (172.168.25.13/139)
Dec 23 2013 20:04:31: %FWSM-6-302013: Built outbound TCP connection 146543850566848420 for inside:10.2.37.24/4830 (172.168.25.1/4379) to P_DMZ:172.168.25.13/445 (172.168.25.13/445)
Dec 23 2013 20:04:31: %FWSM-6-302013: Built outbound TCP connection 146546388892520514 for inside:10.2.37.24/4832 (172.168.25.1/4381) to P_DMZ:172.168.25.13/139 (172.168.25.13/139)
+++++++++++++++++++++++++++++++++++++++++++++++
Dec 23 2013 20:04:31: %FWSM-6-302014: Teardown TCP connection 146546388892520514 for inside:10.2.37.24/4832 to P_DMZ:172.168.25.13/139 duration 0:00:00 bytes 190 TCP Reset-I
Dec 23 2013 20:04:31: %FWSM-6-302014: Teardown TCP connection 146529170368630773 for inside:10.2.37.176/2943 to P_DMZ:172.168.25.13/445 duration 0:00:04 bytes 8159 TCP Reset-O
++++++++++++++++++++++++++++++++++++++++++++
Dec 23 2013 12:07:30: %FWSM-6-305012: Teardown dynamic tcp translation from inside:112.31.1.37/2924 to Photo_DMZ:172.168.25.1/60861 duration 0:00:30
Dec 23 2013 12:07:30: %FWSM-6-305012: Teardown dynamic tcp translation from inside:112.31.1.37/2926 to Photo_DMZ:172.168.25.1/60869 duration 0:00:30
++++++++++++++++++++++++++++++++++++++++++++++++
Some users are not able to connect to the server IP address 172.168.25.13.
Server IP address: 172.168.25.13
Users from 10.X, 192.X, 15.X
We are getting these messages continuously in the FWSM; some users from 10.X, 192.X, 15.X are able to connect to this server and some users are not.
If changes are required on the Windows server, what changes need to be done? If changes are required on the FWSM firewall, what changes need to be done?
Reset-O means that the Reset is from the Outside.
Here are the syslog messages for your reference:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/system/message/logmsgs_external_docbase_0900e4b18059d73b_4container_external_docbase_0900e4b180ef4f45.html#wp1280675
The logs mean that the firewall had already torn down the connection and it receives the ACK afterwards.
-
Galaxy S6 teardown reveals a battery that's almost impossible to replace
The Samsung Galaxy S6 is a cutting edge piece of mobile technology, so who can resist wanting to take a peek inside at the hardware and at how it’s all put together?
Galaxy S6 teardown reveals battery that's difficult to replace
I have had a ZT for 2 weeks now with no major issues. I have had to reset it a few times, but that was no big deal. The battery life is great on it. I have 207 CDs/2486 songs on it (at 28 kbps/WMA) and have 8 GB still left on it. The sound is great. The player is sturdy. I am 40-something, and just wanted one place to store my favorite CDs (I have about 700).
Hard drive players are not meant to be bumped around, even iPods. I think the battery is supposed to have about 300 charges on it. With a 24-hour battery life, and me with an 8-5 job, I will probably only use it 2-3 hours a weekday, so one charge is lasting a week. I read a thread here that said that CL will replace the battery for $99, but no one has done that yet (since the players are so new).
I have not tried to use it as a mass storage device... I have a couple of cheap pen drives for that. I understand it can be done as long as the Creative software is on all computers that you connect your ZT to. This is not a big deal to me, but I can appreciate other people's desire for this. I wanted a player that could store 300+ CDs on it, and this fits the bill well.
-
TCP teardown and method close of the socket API
Hi,
If I call the method 'close' of the Java TCP socket, does the TCP teardown occur asynchronously? Or does the method 'close' block for as long as the TCP handshake to close the connection needs?
Thanks
Chris
By default, close() will flush any remaining data and tear down the connection asynchronously.
You can change this behaviour with the SO_LINGER socket option, see Socket javadoc. SO_LINGER has operating system dependent corner cases, see http://www.developerweb.net/forum/archive/index.php/t-2982.html
These also have paragraphs on the behaviour on a couple of OSes, search for SO_LINGER:
http://docs.sun.com/app/docs/doc/816-0214/6m6nf1ook?a=view
http://www.informatik.uni-frankfurt.de/doc/man/hpux/getsockopt.2.html
http://msdn2.microsoft.com/en-us/library/ms737582.aspx
-
Mysterious Teardown Problem with NIO
I have an NIO proxy server which relays state information from a number of servers to a number of clients. A requirement for this system is that we can restart the proxy server (together with a couple of other components) from a web app.
I tear down the proxy server by
- interrupting out of the read loop
- cancelling all keys associated with the channel
- closing the socket on the channel
- closing the channel.
I do this for both the input (server side) channel and the output (client side) channel.
I then discard the proxy server, create a new one and start it up.
Now here's the mysterious bit. The new server operates just fine for a minute or two. And then it stops seeing any input.
The thread responsible for input reading freezes on the call to
myKeysAdded = myAcceptKey.selector().select();
and the stack looks something like this:
WindowsSelectorImpl$SubSelector.poll0(long, int, int[], int[], int[], long)
WindowsSelectorImpl$SubSelector.poll() line: 270
WindowsSelectorImpl$SubSelector.access$400(WindowsSelectorImpl$SubSelector) line: 252
WindowsSelectorImpl.doSelect(long) line: 133
WindowsSelectorImpl(SelectorImpl).lockAndDoSelect(long) line: 69
WindowsSelectorImpl(SelectorImpl).select(long) line: 80
WindowsSelectorImpl(SelectorImpl).select() line: 84
ProxyServer$BrowserSelector.run() line: 123
If I completely destroy the process (and the jvm) and start a new one everything goes back to working normally.
Has anyone got any suggestions? I'm in hair-tearing mode on this one.
Thx TOTW.
> I tear down the proxy server by
> - interrupting out of the read loop
Don't you mean the select() loop?
> - cancelling all keys associated with the channel
Unnecessary.
> - closing the socket on the channel
> - closing the channel.
Only one of these is necessary. Closing the socket closes the channel and vice versa.
When you have closed all the channels, you then need to call selector.selectNow() (search this forum for why), and then close the selector.
-
ABAP Unit: Can one call a method in the setup/teardown methods?
Hi all,
I'm using ABAP Unit test ClasseS (what's with the odd capitalization BTW?) in the class builder on NW7.0.
In my SETUP method I do not want to do a CREATE OBJECT, but want to use a GET_INSTANCE method of my main class to instantiate my object.
When I execute my unit test however the instance methods all fail with CX_REF_NOT_ASSIGNED - meaning there is no instance m_ref.
OK, fair enough methinks, let me debug and see what's going on.
Surprise: When I set a breakpoint in the SETUP method it all runs fine. Instances are instantiated and instance method tests execute successfully.
So now I'm a bit stuck trying to investigate a problem that disappears every time you look at it, a bit like trying to see if the light is off when the fridge is closed... Any ideas?
Cheers,
Mike
Edit: Just to clarify, here's some code:
method setup.
m_ref = zcl_myclass=>get_instance( im_key = 'ABC' ).
" when debugging m_ref is always instantiated and test runs successfully!
endmethod. "Setup
method get_some_data.
result = m_ref->get_some_data( ).
" without breakpoint in the setup method, this fails because m_ref is not assigned
endmethod.
Edited by: Mike Pokraka on Jun 23, 2008 11:57 PM
Never mind, found problem, schoolboy error:
My class_setup method created test data but the update hadn't completed so my GET_INSTANCE failed in normal execution but worked in debug because of the associated delay. 'commit work' needed an 'and wait' and now it's happy.
-
Flash plugin on windows 7 teardown the TCP session immediately after successful SSL handshake
I have a RHEL platform in which tomcat is listening on 443 port.
Scope of Problem:
With the latest flash plugin, I am experiencing an issue with Firefox on the SSL port on the Windows platform.
i.e.
Everything works fine in non-SSL mode on Firefox, Chrome, IE on Windows 7.
Everything works fine in SSL mode on Chrome, IE on Windows 7.
Analysis from Wireshark Captures:
I could see a successful SSL handshake between Firefox and my tomcat server.
Immediately after the handshake, the client tore down the session by sending a FIN/ACK packet.
Workaround:
Install older version of the flash plugin on Firefox.
Is there a non issue in SSL mode which is causing this issue?
Wireshark Trace:
Further observations:
===================
We observed this problem on Flash 13.0.0.182 build.
To debug this issue, we tried using the Flash debug image (13.0.0.182) and observed that the functionality is working.
In the Flash debug image, Firefox started showing us a popup indicating untrusted certificate "This page requires a secure connection which includes server authentication. The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed ? "
If we click "yes", then the complete functionality works fine.
Any clues/pointers, why the above popup is not coming in non-debug Flash image?
I've had a similar problem since upgrading to Firefox 22 on Windows 7 x64. After resuming from hibernation, Firefox appears unresponsive; however, I believe it is a problem with redrawing the window. If I click to a different tab, nothing happens, but if I minimize Firefox and restore it, it now shows the new tab I switched to. If I have a video open and I click play, there is no visual change, but I hear the sound start. The normal functionality is resumed when closing Firefox and re-opening it.
-
Applet teardown by itself in af:popup in firefox3
This only happens in Firefox 3; no problem in IE and Chrome.
This issue really agonizes me a lot. I really appreciate any help!!
The code is just like this:
<af:popup id="popup" contentDelivery="lazyUncached">
<af:panelWindow id="pw1">
<f:verbatim >
<applet height="50px" width="100px" archive="audio.jar"
id="applet" name="applet" code="" codebase="" mayscript="true">
<param name="test" value="111"/>
</applet>
</f:verbatim>
</af:panelWindow>
</af:popup>
<af:commandImageLink text="pop" id="gil0" partialSubmit="true">
<af:showPopupBehavior popupId="::popup" triggerType="click"/>
</af:commandImageLink>
After clicking the commandImageLink, the popup shows and the applet starts, but in FF3 the applet will be destroyed quickly. Any idea???
thanks!!!
In the Java console, it shows the applet is destroyed. No error trace found there.
It seems the space for the applet in the UI disappears, then the applet instance is destroyed by the Java plugin.
Through Firebug, there will be an uncaught JS error thrown.
uncaught exception: [Exception... "Component is not available" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: http://127.0.0.1:7101/LTWeb/afr/partition/gecko/default/opt/boot-11.1.1.3.0-0084.js :: anonymous :: line 4524" data: no]
This JS exception is thrown from ADF Faces internal JS which is only for Mozilla-based (Gecko rendering engine) browsers.
Is this maybe an ADF bug for Firefox 3?
-
Hi All,
Need help to understand how the CAPWAP tunnel works when one of the bundled (group of 4) ports from the portchannel group was shut down.
Here's the logical diagram
APs <-> Access Switch <-portchannel-> Distri Switch <-portchannel-> Core Switch <-portchannel-> WLC
1 of 4 bundled uplink ports in the portchannel shown in RED text was shut down deliberately. During this time Prime Infra 1.3 reported that the APs were disassociated from the controller, and 1 minute later Prime Infra reported that the APs were now associated to the controller, without touching any devices.
Is this a normal behaviour of a CAPWAP? If not then, what should I do?
Regards,
Dave
What is the load-balancing mechanism of your switch etherchannels? "show etherchannel load-balance" should tell you this.
If AP to WLC capwap traffic went through the interface you shut down, then there is a possibility your AP lost connectivity to the WLC momentarily. But it should not take that long to revert traffic to any other interfaces.
You can do a test like this. Enable Telnet for one of your APs (via WLC GUI: Wireless -> select your AP -> Advanced -> tick Telnet checkbox). Then telnet to the AP & ping your WLC IP from there. Then shut down one (out of 4) of your switch etherchannel interfaces & see whether you see ping drops for a short period of time. If packets drop, see how many drops occur before getting the connectivity back.
HTH
Rasika
**** Pls rate all useful responses ****
-
No ethernet in windows 7 on mac mini (late 2014)
Hi.
I bought the new mac mini and installed windows 7 64bit but no ethernet driver...
any advice?
From the same iFixit guide, this is your WiFi card...
Broadcom BCM4360KML1G 5G WiFi 3-Stream 802.11ac Gigabit Transceiver
You should look at the Bootcamp drivers, because they already have BCM43xx drivers which support 802.11n a/b/g/n/ac. The Late 2013 rMBP for example supports it.
From the 2013 rMBP teardown...
Apple's go-to provider of 802.11ac support is again at work. The Broadcom BCM4360 on this AirPort card enables operation on the 5 GHz band at speeds up to 1.3 Gbps.
I suggest you try this.
-
I will PAYPAL 100 bucks to the person who can help me with 5510 issue
Below is an ongoing chat I am having with a PIX expert... Can anyone see where the problem is when you read the message below???
Cisco ASA 5510 configuration for host inside private network
Question: We have a Citrix host behind a new 5510 that needs to be accessed by the public. I have tried to follow the examples on cisco.com but still continue to get errors. I KNOW I am missing something simple. I have taken out all my 'tries' and have basic config below with errors.
I am new to PIX/ASA and would love some suggestions on the proper Access Group and corresponding ACL to get the 192.168.71.100/72.54.197.26 Citrix server to accept ssl from outside.
ASA Version 7.0(8)
interface Ethernet0/0
description Outside interface to Cbeyond
nameif OUTSIDE
security-level 0
ip address 72.54.197.28 255.255.255.248
interface Ethernet0/1
description Inside interface to internal network
nameif INSIDE
security-level 100
ip address 192.168.72.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.71.2 255.255.255.0
management-only
object-group service Citrix1494 tcp
port-object eq citrix-ica
port-object eq www
port-object eq https
port-object range 445 447
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
http server enable
http 192.168.71.0 255.255.255.0 management
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
Error Log:
3|Apr 15 2011 21:06:07|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 21:06:01|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 21:05:58|305005: No translation group found for tcp src INSIDE:192.168.72.75/57508 dst OUTSIDE:72.54.197.26/443
5|Apr 15 2011 21:05:42|111008: User 'root' executed the 'no access-list OUTSIDE_access_in extended permit tcp host 72.54.197.26 host 72.54.197.26' command.
4|Apr 15 2011 21:05:20|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:05:17|106023: Deny tcp src OUTSIDE:114.38.58.208/2817 dst INSIDE:72.54.197.26/445 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:04:37|106023: Deny tcp src OUTSIDE:221.1.220.185/12200 dst INSIDE:72.54.197.26/1080 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:50|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:44|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:03:41|106023: Deny tcp src OUTSIDE:32.141.52.12/1787 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:23|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:17|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
4|Apr 15 2011 21:02:14|106023: Deny tcp src OUTSIDE:32.141.52.12/1785 dst INSIDE:72.54.197.26/443 by access-group "OUTSIDE_access_in"
5|Apr 15 2011 21:01:56|111008: User 'root' executed the 'access-list OUTSIDE_access_in line 1 extended permit tcp host 72.54.197.26 host 72.54.197.26' command.
6|Apr 15 2011 21:00:13|302013: Built outbound TCP connection 7173 for OUTSIDE:150.70.85.65/443 (150.70.85.65/443) to INSIDE:192.168.72.100/2959 (72.54.197.26/2959)
6|Apr 15 2011 20:56:57|302016: Teardown UDP connection 7082 for OUTSIDE:72.54.197.26/137 to INSIDE:192.168.72.17/137 duration 0:02:01 bytes 62
6|Apr 15 2011 20:55:19|302013: Built outbound TCP connection 7088 for OUTSIDE:184.85.253.178/80 (184.85.253.178/80) to INSIDE:192.168.72.100/2879 (72.54.197.26/2879)
6|Apr 15 2011 20:55:19|302013: Built outbound TCP connection 7086 for OUTSIDE:74.125.159.147/80 (74.125.159.147/80) to INSIDE:192.168.72.100/2878 (72.54.197.26/2878)
6|Apr 15 2011 20:54:55|302015: Built outbound UDP connection 7082 for OUTSIDE:72.54.197.26/137 (192.168.72.100/137) to INSIDE:192.168.72.17/137 (72.54.197.28/24)
6|Apr 15 2011 20:54:17|302021: Teardown ICMP connection for faddr 10.160.68.225/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:15|302020: Built outbound ICMP connection for faddr 10.160.68.225/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:13|302021: Teardown ICMP connection for faddr 172.28.16.2/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7074 for OUTSIDE:199.7.52.190/80 (199.7.52.190/80) to INSIDE:192.168.72.100/2815 (72.54.197.26/2815)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7073 for OUTSIDE:199.7.55.72/80 (199.7.55.72/80) to INSIDE:192.168.72.100/2813 (72.54.197.26/2813)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7072 for OUTSIDE:199.7.55.72/80 (199.7.55.72/80) to INSIDE:192.168.72.100/2812 (72.54.197.26/2812)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7071 for OUTSIDE:199.7.52.190/80 (199.7.52.190/80) to INSIDE:192.168.72.100/2811 (72.54.197.26/2811)
6|Apr 15 2011 20:54:12|302013: Built outbound TCP connection 7070 for OUTSIDE:184.85.253.19/80 (184.85.253.19/80) to INSIDE:192.168.72.100/2810 (72.54.197.26/2810)
3|Apr 15 2011 20:54:12|106014: Deny inbound icmp src OUTSIDE:172.28.16.2 dst INSIDE:72.54.197.26 (type 0, code 0)
6|Apr 15 2011 20:54:11|302020: Built outbound ICMP connection for faddr 172.28.16.2/0 gaddr 72.54.197.26/1 laddr 192.168.72.100/1
6|Apr 15 2011 20:54:10|302013: Built outbound TCP connection 7063 for OUTSIDE:64.4.18.90/80 (64.4.18.90/80) to INSIDE:192.168.72.100/2809 (72.54.197.26/2809)
3|Apr 15 2011 20:52:17|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:52:11|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:52:08|305005: No translation group found for tcp src INSIDE:192.168.72.75/56624 dst OUTSIDE:72.54.197.26/443
2|Apr 15 2011 20:50:02|106001: Inbound TCP connection denied from 187.28.118.35/1973 to 72.54.197.26/445 flags SYN on interface OUTSIDE
2|Apr 15 2011 20:49:59|106001: Inbound TCP connection denied from 187.28.118.35/1973 to 72.54.197.26/445 flags SYN on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60784 flags RST on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60783 flags RST on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60781 flags RST on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60782 flags RST on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60779 flags RST on interface OUTSIDE
2|Apr 15 2011 20:49:58|106001: Inbound TCP connection denied from 184.27.73.83/443 to 72.54.197.26/60785 flags RST on interface OUTSIDE
2|Apr 15 2011 20:49:35|106001: Inbound TCP connection denied from 217.10.43.52/1486 to 72.54.197.26/445 flags SYN on interface OUTSIDE
2|Apr 15 2011 20:49:32|106001: Inbound TCP connection denied from 217.10.43.52/1486 to 72.54.197.26/445 flags SYN on interface OUTSIDE
3|Apr 15 2011 20:48:17|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:48:11|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
3|Apr 15 2011 20:48:08|305005: No translation group found for tcp src INSIDE:192.168.72.97/55593 dst OUTSIDE:72.54.197.26/443
THANKS!!
Reply.................................
ok do this:
no static (OUTSIDE,INSIDE) 192.168.72.100 72.54.197.26 netmask 255.255.255.255
clear xlate
access-list Outside-ACL extended permit tcp any host 72.54.197.26 object-group Citrix1494
access-group Outside-ACL in interface OUTSIDE
That should do it for you..
Reply........................
kenboonejr:
Your reverse static needs to be taken out. Then you need to do a "clear xlate" command. Do that and post your config again and let me see it. I'll be standing by.
charlietaylor:
ASA Version 7.0(8)
hostname 5510
domain-name xxxxx
enable password xxxxx encrypted
passwd xxxxx encrypted
names
dns-guard
interface Ethernet0/0
description Outside interface to Cbeyond
nameif OUTSIDE
security-level 0
ip address 72.54.197.28 255.255.255.248
interface Ethernet0/1
description Inside interface to internal network
nameif INSIDE
security-level 100
ip address 192.168.72.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.71.2 255.255.255.0
management-only
banner exec xxxxx
banner login VPN firewall/router
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup INSIDE
dns name-server 66.180.96.12
dns name-server 64.180.96.12
object-group service Citrix1494 tcp
port-object eq citrix-ica
port-object eq www
port-object eq https
port-object range 445 447
access-list Outside-ACL extended permit tcp any host 72.54.197.26 object-group Citrix1494
pager lines 24
logging enable
logging asdm informational
logging mail critical
logging from-address xxxxx
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255
access-group Outside-ACL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username root password xxxxxx encrypted privilege 15
http server enable
http 192.168.71.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.72.0 255.255.255.0 management
telnet 192.168.73.0 255.255.255.0 management
telnet 192.168.71.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.71.3-192.168.71.254 management
dhcpd dns 66.180.96.12 64.180.96.12
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
smtp-server 66.180.96.57
Cryptochecksum:472013675a200d36e6155c03238fa05c
: end
[OK]
5510#
kenboonejr:
Ok so at this point if you issue a clear xlate command that would have flushed the translation table and citrix should be able to get out with the current configuration. If it can't, post the logs for it. This is the right config for what you want to do.
charlietaylor:
Did that, no connections. Here is what the log says with the config above right after I cle xlate and try to connect from outside.....
6|Apr 21 2011 12:40:44|302014: Teardown TCP connection 8954 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57140 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:40:43|302013: Built outbound TCP connection 9079 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57142 (72.54.197.26/57142)
6|Apr 21 2011 12:40:14|302013: Built outbound TCP connection 8954 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57140 (72.54.197.26/57140)
6|Apr 21 2011 12:40:13|302014: Teardown TCP connection 8618 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57134 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:39:43|302013: Built outbound TCP connection 8618 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57134 (72.54.197.26/57134)
6|Apr 21 2011 12:39:35|302014: Teardown TCP connection 8369 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57129 duration 0:00:30 bytes 0 SYN Timeout
AND....
Citrix server can not even get out to internet, here is what the logs say when you try to open a browser.....
6|Apr 21 2011 12:39:05|302013: Built outbound TCP connection 8369 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57129 (72.54.197.26/57129)
6|Apr 21 2011 12:38:55|302014: Teardown TCP connection 8227 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57121 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:38:25|302013: Built outbound TCP connection 8227 for OUTSIDE:74.125.159.99/80 (74.125.159.99/80) to INSIDE:192.168.72.100/57121 (72.54.197.26/57121)
6|Apr 21 2011 12:37:36|302014: Teardown TCP connection 7667 for OUTSIDE:216.52.233.134/443 to INSIDE:192.168.72.100/57108 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:37:32|302014: Teardown TCP connection 7568 for OUTSIDE:74.125.159.99/80 to INSIDE:192.168.72.100/57107 duration 0:00:30 bytes 0 SYN Timeout
kenboonejr:
ok so firewall is showing the rules for the inbound stuff working, but the citrix server is not responding that is why you are getting a SYN timeout.
Does your citrix box have multiple IP addresses or multiple NICs?
What is the default gateway on the citrix box?
I can guarantee you that the config is good.
The logs show sessions getting created - not blocked so it's not the firewall causing the problem. Something else is not quite right.
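To read a log like the one posted above by connection rather than line by line, the following added example (not part of any post in this thread) pairs each 302013 Built record with its 302014 Teardown by connection id and tallies the teardown reason per direction. The function names `correlate` and `summarize` are hypothetical, and the regexes assume the ASDM line layout shown in the thread.

```python
import re
from collections import Counter

# Log lines copied from the ASDM output posted in this thread (newest first).
SAMPLE = """\
6|Apr 21 2011 12:40:44|302014: Teardown TCP connection 8954 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57140 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:40:43|302013: Built outbound TCP connection 9079 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57142 (72.54.197.26/57142)
6|Apr 21 2011 12:40:14|302013: Built outbound TCP connection 8954 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57140 (72.54.197.26/57140)
6|Apr 21 2011 12:40:13|302014: Teardown TCP connection 8618 for OUTSIDE:74.125.159.105/80 to INSIDE:192.168.72.100/57134 duration 0:00:30 bytes 0 SYN Timeout
6|Apr 21 2011 12:39:43|302013: Built outbound TCP connection 8618 for OUTSIDE:74.125.159.105/80 (74.125.159.105/80) to INSIDE:192.168.72.100/57134 (72.54.197.26/57134)
"""

BUILT = re.compile(r"302013: Built (inbound|outbound) TCP connection (\d+) for "
                   r"(\w+):([\d.]+)/(\d+) \(.*?\) to (\w+):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) for .*? "
                      r"duration (\d+):(\d+):(\d+) bytes (\d+) (.+)$")

def correlate(text):
    """Join each 302013 Built record with its 302014 Teardown by connection id."""
    conns = {}
    for line in text.splitlines():
        if m := BUILT.search(line):
            direction, cid, if1, ip1, p1, if2, ip2, p2 = m.groups()
            conns.setdefault(cid, {}).update(direction=direction,
                first=f"{if1}:{ip1}/{p1}", second=f"{if2}:{ip2}/{p2}")
        elif m := TEARDOWN.search(line):
            cid, h, mi, s, nbytes, reason = m.groups()
            conns.setdefault(cid, {}).update(
                seconds=int(h) * 3600 + int(mi) * 60 + int(s),
                bytes=int(nbytes), reason=reason.strip())
    return conns

def summarize(conns):
    """Count teardown reasons per direction; list ids lacking one half of the pair."""
    reasons = Counter((c.get("direction", "?"), c["reason"])
                      for c in conns.values() if "reason" in c)
    unmatched = sorted(cid for cid, c in conns.items()
                       if "reason" not in c or "direction" not in c)
    return reasons, unmatched

if __name__ == "__main__":
    conns = correlate(SAMPLE)
    reasons, unmatched = summarize(conns)
    for (direction, reason), n in reasons.items():
        print(f"{n} x {direction} connection(s) torn down: {reason}")
    print("no matching Built/Teardown pair in sample:", unmatched)
```

Grouping by the direction keyword in the Built record shows at a glance which side opened the connections that ended in a given teardown reason.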
kenboonejr:
From the ASA can you ping the real ip address of the citrix server?
charlietaylor:
This network is in production. Currently have a cheesy Linksys router (the only thing it does is NAT for Citrix) and a "Transition" throwdown firewall with two simple rules that allow all and allow outside to Citrix.
The Citrix has one nic with default gateway same as all other devices on network (72.2) and goes out just fine until I cut over to 5510. Then it can not get out. (and yes, all other equipment is turned off and the switches are power cycled after I power up 5510 to make sure I am not having switch arp issues)
The Citrix is in use 24/7 by remote users so I can't switch back and forth. (especially during day when everybody goes out to Inet via this unit or the cheesy gear I am replacing)
I see the connections too but it connects for half a second and sends 0 bytes..... hmmmm
kenboonejr:
You are having ARP issues with the citrix box, I would think.
So once you cut over to the ASA .. can you ping the citrix box from the ASA?
The citrix arp table still shows the mac address of the linksys 72.2 interface is my guess and you would need to flush the arp table on the citrix server.
Also, how does the internet connect? Is it straight to the linksys router? Is this cable, DSL or T1 to a provider router or what? There is a router on the outside of the ASA of some sort. It could be that that device still has the public side MAC address of the citrix box in its ARP table. Most likely that needs a reboot as well to flush its ARP table. I would bet on it.
I have been working on Cisco firewalls since before Cisco bought the PIX. I can assure you the config is good without that reverse static.
charlietaylor:
OK... but if it is an ARP issue would the 5510 still get the info that it is in the logs?
I mean, if packets were headed to another port why am I seeing SCR/DES info in the logs?
charlietaylor:
AND... I REALLY appreciate all your help!
kenboonejr:
you got a point there. Here is what I know. When you try to access it from the outside... the citrix doesn't respond. So could it be at that point the citrix box has the old arp entry for the linksys? so the packets aren't getting back.
So if you cut over. start everything fresh. turn off linksys. reboot ISP router/device. flush arp table on citrix. Then ping the citrix box from the ASA. If that works then try the connection from the outside. How are you connecting to the outside? Are you at a different location or are you on a mobile broadband card or what?
charlietaylor:
I am physically sitting on the network. I am trying access from outside on my broadband card that is known to connect.
Their office is closed tomorrow and I am getting access to come in and powercycle every single device. I will then first try to ping Citrix from ASA and move downstream like you suggest.
Thanks again, I really do hope it is an ARP issue in a device I did not reload. (the ACTELIS ISP box and actual Citrix server)
I will let you know.
charlietaylor:
reboot of every device in the network did not change anything
charlietaylor:
the ASA can ping the citrix server
slamjam2000:
From your config, I don't see a route to the inside...
The only route on the ASA is to the outside:
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
charlietaylor:
so what are you suggesting?