ToS Preservation with egress remarking on inner packet

Hi, I am using DMVPN/IPSEC/VRFs. On the egress of the DMVPN/VRF tunnel interfaces, I have applied a Service Policy to remark traffic. Hence the remarking occurs on the inner packet header.
Assuming qos-preclassify is NOT enabled, does anyone know how 12.4T IOS code should operate? Options:
1. Copy the "remarked" TOS value to the outer headers as part of the TOS preservation feature
2. Copy the original (pre remarking) TOS value of the inner packet header as part of the TOS preservation feature
3. Egress inner packet header remarking disables TOS preservation feature.
4. Other?
Problem space: At remote sites, I can easily perform the QoS remarking on the router LAN ingress interface, rather than on the egress DMVPN tunnel interface. However, at the head end, the DMVPN/IPSEC/VRF routers also happen to be MPLS PE devices. Hence remarking on Layer 3/4 (IP/ports) criteria on the ingress interface is not possible, as we are dealing with MPLS labels. That is why I am attempting to do this on the egress of the DMVPN tunnel/VRF interface.
thanks
George

After testing, I can confirm that option 2 appears to apply.
TOS preservation operation utilises the original inner header TOS values, rather than the remarked TOS value.
Hence even if the inner header is remarked (let's say from CS1 to AF11) on egress, the outer IPSEC header will still have the original TOS settings, i.e. CS1.
This aligns with the QoS Order of Operation.
http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080160fc1.shtml
which states:
"On the outbound path, common classification happens before any QoS features are applied. A result of this approach is that any QoS features applied on the outbound policy act upon the original priority value. If you need to take actions based on a remarked value on the same router, then you must mark the packets on the incoming interface and apply other QoS actions based on this new priority on the outgoing interface"
Hopefully the "qos pre-classify" feature should provide the capability to remark both the inner header and outer IPSEC header...back to testing...???
cheers
George
CCIE2980

Similar Messages

  • Error: The decapsulated inner packet doesn't match the negotiated policy in the SA

    I upgraded my ASA from 8.2(1) to 8.4(3) as I wanted to try to get Android devices to properly connect via VPN.
    After some effort, I was able to get the Android devices to connect via VPN.  However, my syslog server has a number of errors recorded that look like this:
    %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x1E76EFA6, sequence number= 0x1F0) from x.x.x.x (user= testuser) to y.y.y.y.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as z.z.z.z, its source as a.a.a.a, and its protocol as tcp.  The SA specifies its local proxy as y.y.y.y/255.255.255.255/udp/42246 and its remote_proxy as x.x.x.x/255.255.255.255/udp/0.
    Digging further, it seems this error might be due to a NAT issue with the VPN connections.  VPN previously worked with Cisco's VPN client on Windows, though I did not test to see if that is no longer working.  However, I made no changes in the config, except for those related to additions needed to support L2TP.  With the below config, Android clients can connect to the ASA and access the internal network, but they cannot connect to external addresses.  I'm at a loss.
    The addresses used in the config: 192.168.1.0/24 are on the internal LAN and 192.168.3.0/24 are addresses assigned to VPN clients.
    I noted in the config this line:
    access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
    The access list is not referenced anywhere, though it was referenced in the 8.2(1) config like this:
    nat (inside) 0 access-list inside_nat0_outbound
    I'm not sure what else changed, but I've looked over the config and I just cannot see what the issue might be.  I'm hoping somebody might be able to point out my error.
    Here's the config file (at least the parts that might be of interest):
    : Saved
    ASA Version 8.4(3)
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    boot system disk0:/asa843-k8.bin
    object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    access-list outside_access_in extended permit icmp any interface outside time-exceeded
    access-list outside_access_in extended permit icmp any interface outside echo-reply
    access-list outside_access_in extended permit icmp any interface outside unreachable
    access-list outside_mpc extended permit ip any interface outside
    access-list inside_mpc extended permit ip 192.168.1.0 255.255.255.0 any
    access-list testVPN_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
    access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
    ip local pool VPN-Pool-1 192.168.3.1-192.168.3.254 mask 255.255.255.0
    ip verify reverse-path interface outside
    nat (inside,any) source static any any destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp
    object network obj-192.168.3.0
    nat (outside,outside) dynamic interface
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 5
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy testVPN internal
    group-policy testVPN attributes
    wins-server value 192.168.1.8
    dns-server value 192.168.1.8 192.168.1.4
    vpn-idle-timeout none
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value testVPN_splitTunnelAcl
    default-domain value test.us
    group-policy testVPNnsl2tp internal
    group-policy testVPNnsl2tp attributes
    wins-server value 192.168.1.8
    dns-server value 192.168.1.8 192.168.1.4
    vpn-idle-timeout none
    vpn-tunnel-protocol l2tp-ipsec
    group-policy testVPNns internal
    group-policy testVPNns attributes
    wins-server value 192.168.1.8
    dns-server value 192.168.1.8 192.168.1.4
    vpn-idle-timeout none
    vpn-tunnel-protocol ikev1
    username testuser password PASSWORD encrypted privilege 15
    username testuser2 password PASSWORD nt-encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPNnsl2tp
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group testVPN type remote-access
    tunnel-group testVPN general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPN
    tunnel-group testVPN ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group testVPNns type remote-access
    tunnel-group testVPNns general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPNns
    tunnel-group testVPNns ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group testVPNnsl2tp type remote-access
    tunnel-group testVPNnsl2tp general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPNnsl2tp
    tunnel-group testVPNnsl2tp ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group testVPNnsl2tp ppp-attributes
    authentication ms-chap-v2
    One last question: in order to get the connection from Android to work, I was forced to use "tunnel-group DefaultRAGroup".  Is that actually a limitation, or did I make an error that forced that requirement?  I wanted to use "tunnel-group testVPNnsl2tp".
    Thanks!

    Chris,
    This is still a bit off the mark.  I think I might be confusing the issue by including some of the VPN configuration that I had previously installed and working (e.g., two other VPN tunnel groups with split tunneling on one of them).  Let's just remove that stuff from consideration.  I actually tested the current configs just to see if they are working since the upgrade.  testVPN is working with the split tunneling, but testVPNns (no-split tunneling) does not allow external access.  I guess there is a NAT config issue there, too, but not sure what it is, yet.  I've not investigated that closely.
    I want to solve one problem at a time, though I understand there are some interdependencies.
    What I'd like to focus on right now is just the L2TP VPN connection.
    From what I've been able to understand from the documentation, what I need are these lines:
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANSP mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSP mode transport
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set ikev1 transform-set ESP-AES-128-SHA-TRANSP ESP-3DES-SHA-TRANSP
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    group-policy testVPNnsl2tp internal
    group-policy testVPNnsl2tp attributes
    wins-server value 192.168.1.8
    dns-server value 192.168.1.8 192.168.1.4
    vpn-idle-timeout none
    vpn-tunnel-protocol l2tp-ipsec
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-Pool-1
    default-group-policy testVPNnsl2tp
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key P74bmqL6rT40bl5
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    crypto ikev1 policy 5
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    I still want to assign the IP addresses to VPN clients out of 192.168.3.0/24.
    The tricky part is understanding exactly what NAT rules to insert and to avoid that error message I'm getting related to the encapsulated packets.  I tried to introduce the commands you had, but it's missing stuff that I would need for L2TP/IPSec (e.g., "mode transport").  I also don't think I want "pfs group5".  The above config "works" in that I get connected -- all negotiation is done.  It's just that packets from the VPN client are not able to go out to the Internet and I'm seeing that encapsulation error message when I try to send a packet.
    Paul

  • Wireless QoS - CAPWAP getting tagged DSCP 26 while inner packet is DSCP 24.

    Hello,
    I'm facing an issue regarding QoS and wireless. I've attached a drawing of my set up as well. 
    My setup consists of a Cisco wireless 7925 phone, a 3702i access point, and a WISM2 controller (running the newest 7.6 code).
    My access point is connected to a 3750 switch, the switchport is in access mode, and is trusting the dscp values from the access point (mls qos trust dscp). QoS is also enabled on the switch (mls qos). 
    Please see my attached picture of a visual representation to what I'm going to describe. 
    In my particular scenario I'm looking at SKINNY traffic between the phone and the call manager. Per our Wired QoS design SKINNY traffic is tagged with DSCP 24 or CS3.  Traffic from the call manager to the phone is being tagged correctly all the way through (from the wired segment, to the controller and from the controller to the access point) the inner packet and the CAPWAP header is tagged correctly with DSCP 24. 
    Return traffic from the phone to the call manager is a different story. The phone is clearly tagging the SKINNY traffic with DSCP 24 as well; this is evident by looking at the inner packet in captures. However, the CAPWAP header is being tagged DSCP 26 for some reason. Basically it looks like the access point is building the CAPWAP header with the value of 26 despite the fact that the original packet is marked 24.
    I'd like to further understand why this is happening in only one direction (from AP to the controller) and if there is any way to change the behavior. 
    One thing I might have stumbled on is how the 802.11e values map to DSCP values. Looking at the binary representations of 24 and 26, they both end up mapping back to the 802.11e value 3. My current thinking is the access point just sees this 802.11e value #3 and then tags it to 26 automatically instead of 24. I'm not sure why the access point can't read the correct DSCP value of the inner packet (being tagged by the phone) and simply map that same value to the CAPWAP header. 
    Any help or further insight into this would be greatly appreciated. 
    Thanks! 

    Return traffic from the phone to the call manager is a different story. The phone is clearly tagging the SKINNY traffic with DSCP 24 as well, this is evident by looking at the inner packet in captures. However, the CAPWAP header is being tagged DSCP 26 for some reason. Basically it looks like the access point is building the CAPWAP header with the value of 26 despite the fact that the original packet is marked 24.
    Note that when the AP receives a packet, it will only see the wireless header UP (user priority) value and not the inner IP packet DSCP header. So all mapping of the outer CAPWAP DSCP is based on the UP value. Refer to this table: UP3 will map to AF31 (DSCP value 26).
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch5_QoS.html#_Ref167257742
    I'd like to further understand why this is happening in only one direction (from AP to the controller) and if there is any way to change the behavior.
    When it comes from the UCCM side, the signaling traffic is already marked with CS3. So when the WLC maps that to CAPWAP, it will simply use that IP packet DSCP value to derive the outer CAPWAP DSCP. So the packet goes as CS3 in that direction.
    If you want to change this behavior (client to AP-> WLC), you can apply a qos service policy to re-write DSCP26 to CS3 on your 3750 switch where AP connects.
    http://mrncciew.com/2012/11/30/understanding-wireless-qos-part-2/
    Refer to this post from Jerome for the background of this AF31 vs CS3 debate when classifying voice control traffic.
    http://wirelessccie.blogspot.com.au/2011/02/wired-qos-for-voice-control-af31-dscp.html
    HTH
    Rasika
    **** Pls rate all useful responses ****
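Added example, not code from either thread above: Python helpers for checking the two marking behaviours described here, the DMVPN observation that the outer IPsec header keeps the inner packet's original DSCP (CS1) rather than the egress-remarked value (AF11), and the CAPWAP observation that DSCP 24 and 26 share 802.11e UP 3 so CS3 comes back as AF31. All function names are mine; UP taken from the top three DSCP bits is the derivation the poster infers, and UP 3 -> AF31 is the only row of the AP's table the thread states, so other rows are not modelled.

```python
"""DSCP/ToS helpers for verifying tunnel and CAPWAP marking against captures.

Constructed example for the two threads above; nothing here is vendor code.
"""
import re

EF = 46  # Expedited Forwarding PHB


def dscp_from_name(name):
    """Parse a PHB name ("CS3", "AF11", "EF", "BE") or a decimal string
    into a 6-bit DSCP value."""
    n = str(name).strip().upper()
    if n in ("BE", "DEFAULT"):
        return 0
    if n == "EF":
        return EF
    m = re.fullmatch(r"CS([0-7])", n)
    if m:
        return int(m.group(1)) << 3                # class selector: 8 * class
    m = re.fullmatch(r"AF([1-4])([1-3])", n)
    if m:
        cls, drop = int(m.group(1)), int(m.group(2))
        return (cls << 3) | (drop << 1)            # AFxy = 8x + 2y
    if n.isdigit() and 0 <= int(n) <= 63:
        return int(n)
    raise ValueError(f"unknown DSCP name: {name!r}")


def dscp_name(value):
    """Reverse of dscp_from_name: a PHB name where one exists, else the number."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP must be 0..63")
    if value == EF:
        return "EF"
    cls, low = value >> 3, value & 0b111
    if low == 0:
        return f"CS{cls}" if cls else "BE"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return str(value)


def tos_byte(dscp, ecn=0):
    """IPv4 ToS / IPv6 Traffic Class byte: DSCP in the top six bits, ECN below."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def dscp_from_tos(tos):
    """Extract the DSCP from a ToS byte as read out of a capture."""
    return (tos & 0xFF) >> 2


def wmm_up_from_dscp(dscp):
    """802.11e user priority derived from the top three DSCP bits, which is
    why DSCP 24 (011000) and 26 (011010) both become UP 3."""
    return dscp >> 3


# The only UP -> DSCP row the thread states: UP 3 is rewritten to AF31 (26).
UP_TO_DSCP_FROM_THREAD = {3: dscp_from_name("AF31")}


def capwap_outer_dscp(inner_dscp):
    """Outer CAPWAP DSCP as the AP derives it: inner DSCP -> UP -> table row.
    Rows other than UP 3 are not given in the thread, so they raise."""
    up = wmm_up_from_dscp(inner_dscp)
    if up not in UP_TO_DSCP_FROM_THREAD:
        raise KeyError(f"UP {up}: reverse mapping not given in the thread")
    return UP_TO_DSCP_FROM_THREAD[up]


def tunnel_marking_behaviour(original, remarked, outer):
    """Decide which of George's options a capture shows, given the inner
    DSCP before remarking, after remarking, and the DSCP on the outer tunnel
    header. Returns 1 (remarked copied), 2 (original preserved) or 3
    (outer carries neither, so preservation was not applied)."""
    o, r, x = (dscp_from_name(v) for v in (original, remarked, outer))
    if x == r and r != o:
        return 1
    if x == o:
        return 2
    return 3


if __name__ == "__main__":
    # DMVPN thread: inner remarked CS1 -> AF11, outer still CS1 => option 2.
    print("DMVPN option:", tunnel_marking_behaviour("CS1", "AF11", "CS1"))
    # CAPWAP thread: phone marks CS3 (24), AP emits AF31 (26) on the outer header.
    inner = dscp_from_name("CS3")
    print("CAPWAP outer:", dscp_name(capwap_outer_dscp(inner)),
          "ToS byte 0x%02x" % tos_byte(capwap_outer_dscp(inner)))
```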

  • Problem with final variables and inner classes (JDK1.1.8)

    When using JDK1.1.8, I came up with the following:
    public class Outer {
        protected final int i;
        protected Inner inner = null;

        public Outer(int value) {
            i = value;
            inner = new Inner();
            inner.foo();
        }

        protected class Inner {
            public void foo() {
                System.out.println(i);
            }
        }
    }
    causing this:
    Outer.java:6: Blank final variable 'i' may not have been initialized. It must be assigned a value in an initializer, or in every constructor.
    public Outer(int value)
    ^
    1 error
    With JDK 1.3 this works just fine, as it does with 1.1.8 if
    1) I don't use an inner class, or
    2) I assign the value in an initializer, or
    3) I leave out the keyword final,
    and none of these is actually an option for me, nor is using a newer JDK, if only there is another way to solve this.
    Reasons why I am trying to do this:
    1) I can't use a newer JDK
    2) I want to be able to assign the variable's value in the constructor
    3) I want to prevent anyone (including myself ;)) from changing the value in other parts of the class (yes, the code above is just to give you the idea, not the whole code)
    4) I must be able to use inner classes
    So, does anyone have a suggestion how to solve this problem of mine? Or can someone say that this is a JDK 1.1.8 feature, and that I just have to live with it? In that case, sticking to solution 3 is probably the best alternative here, at least for me (and hope that no-one will change the variable's value). Or is it crappy planning..?

    You cannot use a final field if you do not initialize it at the time of declaration. So yes, your design is invalid.
    Sorry if I am being a bit too stubborn or something. :) I am just honestly a bit puzzled, since... If I cannot use a final field in the aforementioned situation, why does the following work? (JDK 1.3.1 on Linux)
    public class Outer {
            protected final String str;

            public Outer(String paramStr) {
                    str = paramStr;
                    Inner in = new Inner();
                    in.foo();
            }

            public void foo() {
                    System.out.println("Outer.foo(): " + str);
            }

            public static void main( String args[] ) {
                    String param = new String("This is test.");
                    Outer outer = new Outer(param);
                    outer.foo();
            }

            protected class Inner {
                    public void foo() {
                            System.out.println("Inner.foo(): " + str);
                    }
            }
    }
    producing the following:
    [1:39] % javac Outer.java
    [1:39] % java Outer
    Inner.foo(): This is test.
    Outer.foo(): This is test.
    Is this then an "undocumented feature", working even though it shouldn't work?
    However, I assume you could get by with eliminating the final field and simply passing the value directly to the Inner class's constructor. If not, you'll have to rethink larger aspects of your design.
    I guess this is the way it must be done.
    Jussi

  • How to create a DB Adapter with select query having inner query

    Hi All,
    I am trying to create a DB Adapter with a select query. The query has some inner queries in it. It is just like this: select a, b, c, (select d from e) d, (select e from e) e from tablename.
    The problem here is with the xsd generated for this query. The xsd is not getting generated properly for all the fields; it is only generated up to the c element, and when it encounters the inner query it stops the generation of the xsd. So for the above query the xsd is something similar to the below:
    <xs:complexType name="rewOutput">
    <xs:sequence>
    <xs:element name="a" type="xs:string" nillable="true"/>
    <xs:element name="b" type="xs:string" nillable="true"/>
    <xs:element name="c" type="xs:string" nillable="true"/>
    <xs:element name="select_d" type="xs:string" nillable="true"/>
    </xs:sequence>
    </xs:complexType>
    As shown above, the xsd is only generated up to the first inner query. What should be done to get the full-fledged xsd? Should it be manually built? Please help me on this.
    Thanks In Advance.
    Edited by: 959766 on Nov 30, 2012 1:20 AM

    Hi,
    I don't think the parser will be able to understand your query properly... I would try building the xsd manually...
    Cheers,
    Vlad

  • Problem with opening remarks in forms

    Hello,
    If we include an opening remark with a certain number of letters then the text will not show up and the first page of the form remains empty.
    Please see the example with the purchase order. We've the same problems in all other forms.
    Is there a limitation on the number of characters for the opening remarks in our forms? Can we increase this number?
    Regards,

    Hi,
    1. There is no example attached in your post.
    2. Yes, there is a limitation on the characters allowed in opening and closing remarks. The system will allow a maximum of 64,000 characters.
    Thanks & Regards,
    Nagarajan

  • White space not preserved with XSL Mapping

    Hello
    Is there a problem with preserving white space when using an XSL mapping? My schema has the following included:
                  <xs:element name="FileVersion" minOccurs="1" maxOccurs="1">
                    <xs:simpleType>
                      <xs:restriction base="xs:string">
                        <xs:length value="5"/>
                        <xs:whiteSpace value="preserve"/>
                      </xs:restriction>
                    </xs:simpleType>
                  </xs:element>             
    The whiteSpace attribute alone didn't do it, so I've added length as well which didn't help either.
    My imported XSL mapping writes a fix value of " 6.00" (having a leading space) into the field:
         <FileVersion>
              <xsl:value-of select="' 6.00'"/>
         </FileVersion>
    Processing the mapping with an external tool provides the correct output with a leading space.
    The leading space is missing in the output file or when I do testing in the integration builder. Looking at the target payload in sxmb_moni also shows me the value without leading space:
      <FileVersion>6.00</FileVersion>
    What do I miss? I haven't really found a posting regarding the issue, hence I assume it isn't really one!? Any feedback is appreciated.
    Thanks,
    Daniel

    My XSLT mapping does not have a preserve-space declaration. I am using Altova MapForce, and apparently preserve-space is not a declaration that is supported by MapForce. I would need to manually add it to the mapping after generating it in the tool. Nevertheless, isn't preserve-space the default anyway if nothing is declared, and therefore not necessary?

  • Compiler bug with generics and private inner classes

    There appears to be a bug in the Sun Java compiler. This problem was reported against Eclipse and the developers there concluded that it must be a problem with javac.
    Idea also seems to compile the example below. I couldn't find a bug report in the sun bug database. Can somebody tell me if this is a bug in javac and if there is a bug report for it.
    https://bugs.eclipse.org/bugs/show_bug.cgi?id=185422
    public class Foo <T>{
        private T myT;
        public T getT() {
            return myT;
        }
        public void setT(T aT) {
            myT = aT;
        }
    }

    public class Bar extends Foo<Bar.Baz> {
        public static void main(String[] args) {
            Bar myBar = new Bar();
            myBar.setT(new Baz());
            System.out.println(myBar.getT().toString());
        }
        private static class Baz {
            @Override
            public String toString() {
                return "Baz";
            }
        }
    }
    Eclipse compiles and runs the code even though the Baz inner class is private.
    javac reports:
    Bar.java:1: Bar.Baz has private access in Bar
    public class Bar extends Foo<Bar.Baz>
    ^
    1 error

    As I said in my original post, it's not just Eclipse that thinks the code snippet is compilable. IntelliJ IDEA also parses it without complaining. I haven't looked at the Java language spec but intuitively I see no reason why the code should not compile. I don't think Eclipse submitting bug reports to Sun has anything to do with courage. I would guess they just couldn't be bothered.

  • JTable with different number of columns (packets)

    Hi experts,
    Is it possible to draw a single JTable which has a different number of columns in each row?
    If yes, good.
    If no: my project is to build a comprehensive packet sniffer. What is the most appropriate Swing component to represent packets (data, Ack, ...) which have a different number of fields, and when I select one packet it is highlighted with a different color?
    Best Regards

    AHDK wrote:
    is it possible to draw a single JTable which has a different number of columns in each row
    This is about how to make a cell span multiple cells: [http://www.codeguru.com/java/articles/139.shtml]
    The code is a little buggy. I used it in a practical example, and removed the bugs:
    [http://forum.byte-welt.net/attachment.php?attachmentid=132&d=1249675825] (source code is included in the jar file)

  • EEM- Email alert with IP SLA Based on Packet Loss

    hi joseph,
    I need your advice. I want to get an alert email based on IP SLA packet loss.
    The scenario is as below:
    1. If the traffic hits a packet loss threshold greater than 20% for 15 minutes --> send email
    2. If the reset condition of packet loss equal to 0% holds for 15 minutes --> send email again
    I don't know how to configure this condition. Could you help me to verify my configuration below?
    ip sla logging traps
    ip sla 1 
     icmp-jitter 10.216.0.105 source-ip 10.216.0.107 num-packets 100 interval 40
     frequency 50
    ip sla schedule 1 life forever start-time now
    ip sla reaction-configuration 1 react Packetloss threshold-value 3 1 threshold-type immediate action-type trapOnly
    ip sla enable reaction-alerts
    event manager applet TEST 
     event syslog pattern "IP SLAs\(1\): Threshold exceeded"
     action 2.0 mail server "10.240.0.10" to "[email protected]" from "[email protected]" subject "Alert for Intermittent Link" body "link intermittent in x %"
    thank you

    What you have could work with a few modifications.  First, increase that threshold-value of 3 to 20.  You can leave the falling threshold value of 1.  You'll need to add another applet to match the falling threshold syslog message.  Not sure exactly what that one will look like.
    The first applet will look like this:
    event manager environment q "
    event manager applet ipsla-threshold-exceeded
     event syslog pattern "IP SLAs\(1\): Threshold exceeded"
     action 001 cli command "enable"
     action 002 cli command "config t"
     action 003 cli command "no event manager applet ipsla-healthy"
     action 004 cli command "event manager applet ipsla-unhealthy"
     action 005 cli command "event timer countdown time 900"
     action 006 cli command "action 1.0 mail server $q 10.240.0.10$q to $q [email protected]$q from $q [email protected]$q subject $q Alert for Intermittent Link$q body $q link intermittent in 20 %$q"
     action 007 cli command "action 2.0 cli command enable"
     action 008 cli command "action 3.0 cli command $q config t$q"
     action 009 cli command "action 4.0 cli command $q no event manager applet ipsla-unhealthy$q"
     action 010 cli command "action 5.0 cli command end"
     action 011 cli command "end"
    And the second applet (the one where you'll need to fill in the appropriate syslog pattern) will look like:
    event manager applet ipsla-threshold-normal
     event syslog pattern "FALLING THRESHOLD PATTERN HERE"
     action 001 cli command "enable"
     action 002 cli command "config t"
     action 003 cli command "no event manager applet ipsla-unhealthy"
     action 004 cli command "event manager applet ipsla-healthy"
     action 005 cli command "event timer countdown time 900"
     action 006 cli command "action 1.0 mail server $q 10.240.0.10$q to $q [email protected]$q from $q [email protected]$q subject $q Link is stable$q body $q Link has been stable for 15 minutes$q"
     action 007 cli command "action 2.0 cli command enable"
     action 008 cli command "action 3.0 cli command $q config t$q"
     action 009 cli command "action 4.0 cli command $q no event manager applet ipsla-healthy$q"
     action 010 cli command "action 5.0 cli command end"
     action 011 cli command "end"

  • Call preservation with Gatekeeper controlled inter-cluster trunks on CM8.5

    Is call preservation possible with gatekeeper controlled ICT on CM 8.5 when a subscriber goes down? My testing shows the call drops. Can this be corrected?

    In the Service Parameters for CUCM H323, make sure the Allow Peer Preserve H.323 Call is set to True.  By default, it's False.   I noticed this on my H323 gateways I just migrated... dropped CUCM and my calls dropped when they should have stayed up, but did not.   See if that helps on the GK.

  • Fixed length outer table with nested repeating group inner table.

    I had to re-create a PDF using tables in an RTF template. It has a fixed 1 page width. However, one of the rows in the template has a nested table with a repeating group. I set the width of the outer table row width to 2". However when I have repeating groups it makes the outer row grow wider than the 2" inches. The option to un-select "automatically resize to fit contents" is grayed out.
    Is there a way to keep the outer table width fixed with an inner repeating group?
    Thanks.
    --Johnnie
    Edited by: Vortex13 on Jun 13, 2012 11:15 AM

    Hi Borris,
    Found the following in the Oracle Documentation under: Oracle8i Application Developer's Guide - Object-Relational Features Release 2 (8.1.6)
    2 Managing Oracle Objects / Using Collections / Collection Unnesting
    URL: http://www.znow.com/sales/oracle/appdev.816/a76976/adobjmng.htm#1002885
    Oracle8i also supports the following syntax to produce outer-join results:
    SELECT d.*, e.* FROM depts d, TABLE(d.emps)(+) e;
    The (+) indicates that the dependent join between DEPTS and D.EMPS should be NULL-augmented. That is, there will be rows of DEPTS in the output for which D.EMPS is NULL or empty, with NULL values for columns corresponding to D.EMPS.

  • ISG: Service with traffic policing counts dropped packets.

    Hello,
    Our company has a Cisco 7304 NPEG100 router ("show version" at the bottom of this message). We are planning to start ISG services on this router, but there is a bug, CSCei4190. When I set traffic policing in a service, accounting in this service counts packets that have been dropped by traffic policing.
    Here is example of my definition of service in RADIUS:
    User-Name = 'Internet-Service'
    Cisco-AVPair += "ip:traffic-class=in access-group 2000 priority 10"
    Cisco-AVPair += "ip:traffic-class=out access-group 2001 priority 10"
    Cisco-AVPair += "ip:traffic-class=in default drop"
    Cisco-AVPair += "ip:traffic-class=out default drop"
    Cisco-AVPair += "prepaid-config=TRAFFIC_PREPAID"
    Cisco-AVPair += "accounting-list=ISG_ACCT"
    Cisco-Service-Info += "QU;256000;D;512000"
    Acct-Interim-Interval += '60'
    When I remove Cisco-Service-Info += "QU;256000;D;512000" from the service definition, all traffic is counted correctly.
    I did not find in the Bug Details which version of IOS I should use on my 7304 router where this bug is fixed.
    Cisco IOS Software, 7300 Software (C7300-A3JK91S-M), Version 12.2(31)SB17,  RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Fri 30-Oct-09 12:35 by vpernank
    ROM: System Bootstrap, Version 12.2(22r)S, RELEASE SOFTWARE (fc1)
    BOOTLDR: 7300 Software (C7300-BOOT-M), Version 12.2(20)S6, RELEASE SOFTWARE (fc4)
    7304 uptime is 17 hours, 24 minutes
    Uptime for this control processor is 17 hours, 24 minutes
    System returned to ROM by reload at 06:22:24 TSK Wed Feb 23 2005
    System restarted at 18:46:54 TSK Mon Mar 22 2010
    System image file is "disk0:c7300-a3jk91s-mz.122-31.SB17.bin"
    cisco 7300 (NPEG100) processor (revision B) with 983040K/65536K bytes of memory.
    SB-1 CPU at 800Mhz, Implementation 0x401, Rev 0.2, 512KB L2 Cache
    4 slot midplane, Version 67.49
    Last reset from software reset or reload
    4 FastEthernet interfaces
    3 Gigabit Ethernet interfaces
    1021K bytes of non-volatile configuration memory.
    62592K bytes of ATA compact flash in bootdisk (Sector size 512 bytes).
    125952K bytes of ATA compact flash in disk0 (Sector size 512 bytes).
    Configuration register is 0x2102

    I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs. Here's an example of one that does make it through:
    5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expected seq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transit class WB-Browsing
    I am not allowing all the traffic across the box.  The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone.  That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.
    And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.
    Any other suggestions?
    -Mat
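    The %FW-4-TCP_OoO_SEG line quoted above is the one firewall message that does reach the syslog server, so it is worth being able to read it in bulk. The following is an added example, not code from the post or from Cisco: a small Python parser for that message format that undoes the signed rendering of the sequence numbers (IOS prints them with %d, which is why seq appears negative), computes how far ahead of the expected byte the dropped segment started, and counts drops per zone-pair/class and per session. The sample log lines are constructed for the example; the first reproduces the quoted line, the rest use RFC 5737 documentation addresses. The regex is written to the format as quoted, with or without the spaces before "seq:" and "class".

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Message format as quoted in the post. IOS prints the sequence fields with %d,
# so values >= 2**31 show up negative; the optional '-' accounts for that.
OOO_RE = re.compile(
    r"%FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:(?P<seq>-?\d+) (?P<length>\d+) bytes "
    r"is out-of-order; expected ?seq:(?P<expected>-?\d+)\. Reason: (?P<reason>.+?) - "
    r"session (?P<src>\S+) to (?P<dst>\S+) on zone-pair (?P<zp>\S+) ?class (?P<cls>\S+)"
)

MOD32 = 1 << 32


def to_u32(value: int) -> int:
    """Undo the signed %d rendering of a 32-bit TCP sequence number."""
    return value % MOD32


def seq_gap(seq: int, expected: int) -> int:
    """Bytes between the expected sequence number and the start of the arriving
    segment, modulo 2**32. Results >= 2**31 mean the segment is behind the
    expected point (old data), not ahead of it."""
    return (to_u32(seq) - to_u32(expected)) % MOD32


def parse_ooo(line: str) -> Optional[Dict]:
    """Return the fields of one TCP_OoO_SEG message, or None for any other line."""
    m = OOO_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    seq, expected = int(d["seq"]), int(d["expected"])
    gap = seq_gap(seq, expected)
    return {
        "src": d["src"], "dst": d["dst"],
        "zone_pair": d["zp"], "class": d["cls"], "reason": d["reason"],
        "length": int(d["length"]),
        "seq": to_u32(seq), "expected": to_u32(expected),
        "gap": gap, "ahead": gap < MOD32 // 2,
    }


def summarize(lines: List[str]):
    """Parse a syslog extract; return (events, drops per zone-pair/class, drops per session)."""
    events = [e for e in map(parse_ooo, lines) if e is not None]
    by_policy = Counter((e["zone_pair"], e["class"]) for e in events)
    by_session = Counter((e["src"], e["dst"]) for e in events)
    return events, by_policy, by_session


# Constructed sample log. The first line is the one quoted in the post; the
# others are hypothetical and use RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expected seq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transit class WB-Browsing",
    "5791: *Apr 30 15:05:27.551 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:105000 1460 bytes is out-of-order; expected seq:100620. Reason: TCP reassembly queue overflow - session 192.168.1.50:51234 to 203.0.113.10:443 on zone-pair inside-to-Transit class WB-Browsing",
    "5792: *Apr 30 15:05:28.002 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.5)",
    "5793: *Apr 30 15:05:29.130 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:9000 1460 bytes is out-of-order; expected seq:12000. Reason: TCP reassembly queue overflow - session 192.168.1.50:51234 to 203.0.113.10:443 on zone-pair inside-to-Transit class WB-Browsing",
]

if __name__ == "__main__":
    events, by_policy, by_session = summarize(SAMPLE_LOG)
    for e in events:
        print(f'{e["src"]} -> {e["dst"]}: seq {e["seq"]} expected {e["expected"]} '
              f'gap {e["gap"]} ({"ahead" if e["ahead"] else "behind"})')
    print(dict(by_policy))
    print(dict(by_session))
```

    For the quoted line the unsigned sequence number is 3647432550 and the gap to the expected 3647406270 is 26280 bytes, a bit over seventeen 1500-byte segments ahead of what the firewall had reassembled, which is the kind of number to compare against the configured reassembly queue depth.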

  • Help with TCP out-of-order packets Wireshark capture

    Hello everyone, we have a bit of an odd issue. Can you take a look at the attached capture file and tell me what's broken? Please change the file extension from .txt to .pcapng and open with Wireshark.
    We have a major issue where clients cannot retrieve data from the server at 10.10.7.27.
    Server is behind the firewall at 172.18.123.4 which is configured to NAT the traffic coming through.
    Please advise.

    It's actually from anywhere.  The DNS resolves the website address to a global address.  So regardless of the source (inside or out), you hit the firewall and get routed to 10.10.7.0 network.  The firewall's LAN interface shares the same VLAN as the DMVPN head-end router's LAN interface.  From the DMVPN head-end router, it goes over the DMVPN cloud (i.e. back over the internet) to our office in Florida where this site is being hosted. 
    The capture I grabbed was by SPAN port between the two LAN interfaces showing transactions between the firewall's LAN interface and the server's IP address on the 10.10.7.0 subnet.
    Site uses HTTPS and we have other servers in the same subnet (10.10.7.0) that are accessible in the same manner.  I did SPAN the ports for another webserver and did see a lot of TCP OOO and re-transmissions however not as bad as this one. 
    I do have a theory, please feel free to correct me.  Request comes in on the WAN interface, gets NATed by the firewall and sent to the DMVPN router, router encrypts the packet and places it on the wire, once the remote DMVPN peer receives the packet, it decrypts it and then sends it out it's DMZ interface connected to another application firewall. This firewall checks the packet and then sends it to the web server hosting the content.  The process is reversed for reply traffic. On top of all this, the content is served over HTTPS therefore more encryption/decryption. This seems like too much handling of the packet to me?  When the source computer sends a request, it simply times out or spends too much time within our own network causing the source to resend the request?
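    Before blaming the number of hops, it helps to be precise about what Wireshark's "TCP Out-Of-Order" and "TCP Retransmission" labels actually mean, because they point at different causes. The following is an added example, not code from the poster or from Wireshark: a simplified per-flow tracker that replays a constructed server-to-client segment list and labels each segment the way the expert-info heuristics do at their core. A segment that starts past the next expected byte leaves a hole ("previous segment not captured"); a later segment that fills such a hole is "out-of-order" (it was delayed or reordered somewhere in the path, e.g. across the DMVPN cloud); a segment carrying bytes already seen, with no hole to fill, is a "retransmission" (the sender did not get an ACK in time). Wireshark also uses timing and ACK state to refine these verdicts, and segments that only partly overlap a hole are treated here as retransmissions; the sequence numbers are relative, as Wireshark displays them by default.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Segment:
    seq: int      # relative sequence number of the first payload byte
    length: int   # payload bytes carried


@dataclass
class FlowState:
    next_seq: Optional[int] = None                               # byte we expect next
    holes: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) ranges skipped over


def classify(state: FlowState, seg: Segment) -> str:
    """Label one segment in arrival order, updating the per-direction state."""
    start, end = seg.seq, seg.seq + seg.length
    if state.next_seq is None or start == state.next_seq:
        state.next_seq = end
        return "in-order"
    if start > state.next_seq:
        # Bytes between next_seq and start have not been seen yet: lost, or still in flight.
        state.holes.append((state.next_seq, start))
        state.next_seq = end
        return "previous-segment-not-captured"
    # start < next_seq: this data lies behind the expected point.
    for i, (h0, h1) in enumerate(state.holes):
        if h0 <= start and end <= h1:
            # It fills a hole left earlier, so the later segment merely arrived first.
            remaining = [(h0, start)] if h0 < start else []
            if end < h1:
                remaining.append((end, h1))
            state.holes[i:i + 1] = remaining
            return "out-of-order"
    # No hole to fill: we already had these bytes, the sender resent them.
    return "retransmission"


def analyze(segments: List[Segment]) -> List[Tuple[int, str]]:
    """Replay one direction of a flow; return (seq, verdict) per segment."""
    state = FlowState()
    return [(s.seq, classify(state, s)) for s in segments]


def verdict_counts(segments: List[Segment]) -> Counter:
    return Counter(v for _, v in analyze(segments))


# Constructed server->client stream of 1460-byte segments (not from the attached capture):
# two in order, a jump that skips 2921..4380, the skipped segment arriving late,
# a resend of the first segment, then the stream resumes.
SAMPLE_STREAM = [
    Segment(1, 1460), Segment(1461, 1460), Segment(4381, 1460),
    Segment(2921, 1460), Segment(1, 1460), Segment(5841, 1460),
]

if __name__ == "__main__":
    for seq, verdict in analyze(SAMPLE_STREAM):
        print(f"seq={seq:<6} {verdict}")
    print(dict(verdict_counts(SAMPLE_STREAM)))
```

    A capture dominated by retransmissions points at loss or at an ACK path that is too slow (the long round trip through the NAT, the DMVPN tunnel and the far-end firewall matters here); one dominated by out-of-order segments points at reordering, which ECMP or multiple tunnel paths can introduce and which TCP tolerates far better. Running the same tracker on the SPAN capture for the working server and for the broken one gives a like-for-like comparison.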

  • Airport Extreme is messing up with IP-ID of outgoing packets

    Can someone from the kernel team at Apple explain to me why they are tampering with the IP-ID in the outgoing IP packets of the AirPort Extreme? Packets are sent with IP-ID x and the device is stamping an IP-ID y after the packet gets forwarded to the Internet. This is really bad and screws up several diagnostic tools that rely on IP-ID to match queries.
    Cheers --Ricardo
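    The following is an added example, not code from the poster or from Apple, showing in Python why an IP-ID based diagnostic breaks behind a NAT that rewrites the identification field, and what a more robust tool does instead. It builds minimal IPv4 packets with a chosen IP-ID, simulates a NAT hop that rewrites the source address (and optionally the IP-ID) while recomputing the header checksum, and then pairs the sent packets with the packets observed on the far side either by (IP-ID, destination, protocol), the way such tools do, or by a hash of the payload, which a NAT leaves alone. The nat_rewrite function is a deliberate simplification of a real NAT (no port translation, no fragmentation handling), and the addresses and IP-ID values are constructed from RFC 5737 documentation ranges.

```python
import hashlib
import ipaddress
import struct
from typing import Callable, Dict, List, Optional, Tuple


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Run over a header whose checksum field is already valid, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, proto: int = 17,
               payload: bytes = b"", ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fields a diagnostic tool looks at, and verify the header checksum."""
    vihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "id": ident, "proto": proto, "ttl": ttl,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def nat_rewrite(pkt: bytes, new_src: str, new_ident: Optional[int] = None) -> bytes:
    """Simulated NAT hop (simplified): translate the source address, decrement TTL,
    optionally replace the IP-ID, and recompute the checksum so the packet stays valid."""
    f = parse_ipv4(pkt)
    ident = f["id"] if new_ident is None else new_ident
    return build_ipv4(new_src, f["dst"], ident, f["proto"], f["payload"], f["ttl"] - 1)


def _key_ipid(pkt: bytes) -> Tuple:
    f = parse_ipv4(pkt)
    return (f["id"], f["dst"], f["proto"])


def _key_payload(pkt: bytes) -> bytes:
    return hashlib.sha256(parse_ipv4(pkt)["payload"]).digest()


def pair_packets(sent: List[bytes], observed: List[bytes],
                 key: Callable[[bytes], object]) -> Tuple[List[bytes], List[bytes]]:
    """Return (sent packets found in the observed set, sent packets not found), by key."""
    seen = {key(p) for p in observed}
    matched = [p for p in sent if key(p) in seen]
    unmatched = [p for p in sent if key(p) not in seen]
    return matched, unmatched


def match_by_ipid(sent, observed):
    """What an IP-ID based diagnostic does: pair by (IP-ID, destination, protocol)."""
    return pair_packets(sent, observed, _key_ipid)


def match_by_payload(sent, observed):
    """NAT-robust alternative: pair by a hash of the payload the NAT does not touch."""
    return pair_packets(sent, observed, _key_payload)


# Constructed probes from a LAN host to an Internet target (documentation addresses).
SENT = [build_ipv4("192.168.1.10", "203.0.113.5", ident, payload=b"probe-%d" % ident)
        for ident in (1000, 1001, 1002)]
# Same probes as seen beyond a NAT that preserves the IP-ID...
PRESERVING_NAT = [nat_rewrite(p, "198.51.100.7") for p in SENT]
# ...and beyond one that stamps its own IP-IDs (values chosen arbitrarily for the example).
REWRITING_NAT = [nat_rewrite(p, "198.51.100.7", new_ident=i)
                 for i, p in zip((5123, 40, 61002), SENT)]

if __name__ == "__main__":
    for name, seen in (("preserving", PRESERVING_NAT), ("rewriting", REWRITING_NAT)):
        by_id, _ = match_by_ipid(SENT, seen)
        by_pl, _ = match_by_payload(SENT, seen)
        print(f"{name} NAT: matched by IP-ID {len(by_id)}/{len(SENT)}, "
              f"by payload {len(by_pl)}/{len(SENT)}")
```

    Behind the ID-preserving NAT all three probes pair up by IP-ID; behind the rewriting one none do, while payload matching still pairs all three. Note that the rewritten packets are perfectly valid (the checksum is recomputed), so nothing downstream flags them: the only symptom is that ID-keyed tools lose their correlation.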

    Hello Brian Cooper. Welcome to the Apple Discussions!
    For some reason the 802.11n AirPort Extreme Base Station (AEBSn) is not recognizing the modem and is unable to find the DHCP server in order for it to get a proper IP address from your ISP.
    I would start by performing a complete power recycle of your networking equipment to see if that gets them communicating again.
    Please try the following:
    o Power-down the modem, AEBSn, and computer(s); wait at least 10-15 minutes. (Note: Power-down order is not critical.)
    o Power-up the modem; wait at least 10-15 minutes.
    o Power-up (plug into power) the AEBSn; wait at least 5-10 minutes.
    o Power-up the computer(s).
    Computers connected to the AEBSn, either by wire or wireless, should now have Internet access.
    If this doesn't resolve the issue, I suggest that you perform a "hard" reset on the AEBSn, and then, go through the power recycle again. To do this properly, first power-down all of the equipment; perform the reset; re-power-down the AEBSn, and then, power-up the modem, AEBSn, and computers in order.
    If this still doesn't work, I would recommend changing the Ethernet cable to rule out any issues with it.
    Finally, if this doesn't work, the AEBSn may have a faulty WAN port or some other problem. The option then would be to take it to your local Apple store to confirm any problems.
