Transparent proxy with ACE+CE (Client-ip spoof) slow response.

Similar Messages

• System-wide Transparent Proxy With URL Patterns

  Internet censorship -where I live- has almost turned web unusable so  I decided to setup a transparent proxy using Tor for my home network.
  Since Tor is so slow -here- proxying all traffic through Tor would slow my connection to a crawl.  Therefore I need a mechanism to selectively proxy the traffic.
  I know a bit of 'iptables' and it looks to me like the solution to my problem.  However there's a trick.  As most of the websites I need to access through Tor (like Google+, Facebook and such) use several IP addresses for their entry points, it's almost impossible for me to add 'iptables' rules for all of those IP addresses.  I need a mechanism to proxy the traffic based on URL patterns.  For example I need to be able to proxy access to '*.facebook.com' through Tor.
  So the question boils down to:  how can I setup a system-wide transparent proxy using URL patterns?
  Any idea/hint is much appreciated.  TIA,
  Bahman
  Last edited by bahman (2012-01-04 07:48:44)

  Use privoxy with socks5 forwarding:
  http://www.privoxy.org/user-manual/config.html#SOCKS
  http://www.privoxy.org/user-manual/acti … F-PATTERNS

• Config transparent Proxy with LDAP authen with L4 switch?

  How to config policy based routing on L4 switch if wsa run in transparent mode with LDAP authentication?
  Async OS: 5.1.0-420
  Thank you,
  Thanapol

  Ezekiel,
  I wanted to add some clarification to your comments:
  1) Network TAP connected to T1/T2.
  This will work good. You will need to tap one direction of traffic to the T1 port and the other direction in to the T2 interface.
  2) L4 switch connected to P1.
  This will NOT work. Further explaination below. What you can do is use a switch that supports port spanning / port mirroring. You'll need to send a COPY of all traffic going to gateway to the T1 interface.
  The L4TM will need to be in 'duplex' mode - Configurable in the GUI.
  3) WCCP v2 connected to P1.
  WCCP cannot be used at all with the L4TM, because WCCP doesn't 'copy' the traffic, it redirects it.
  L4TM information
  The L4TM can be thought of as a completely seperate appliance that operates primarily via the t1 / t2 interfaces.
  The L4TM is a sniffer application, meaning that you cannot redirect traffic to it (such as L4 switching PBR or WCCP), but you can send a copy of traffic to it (port mirroring or physical tap).
  If you are blocking with the L4TM, the WSA will use M1/P1 to send the TCP RST packets. This is the ONLY use for the M1/P1 interfaces that the L4TM will use.
  The P1 interface is intended to be used for Web proxy traffic and the L4TM does not listen on this interface.

• ACE 4710 transparent LB with two Caches and two routers.

  Hello,
  I have ACE 4710 that load balance two cach flows (bluecoat), i am doing pbr on the routers to send the traffic destined to port 80 to ACE then Cach farm. After that the Cach flow will get the page from the internet via two routers. The return traffic will match another pbr on the routers with source port 80 that will send it to the ACE then CachFlow again .....then to the users.
  I am not using ip-spoofing on the CachFlow for now. In the figure attached i created a VIP 0.0.0.0 0.0.0.0 port 80 on the interface on the ACE facing the routers, but the question is do i have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the interface on ACE facing the Cach Flow? or just forward the traffic on the default route? What might be the default route since i have to use two routers and i cannot use hsrp?
  Kindly I need some assistance
  Thank you and regards,
  George
  access-list PERMIT_ALL line 8 extended permit ip any any
  access-list CFLOW line 8 extended permit ip any any
  ip name-server 8.8.8.8
  ip name-server 4.2.2.2
  ##################################Config for Cache Cache Servers###################
  probe http CISCO_WWW_PROBE
    ip address 72.163.4.161
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    request method head url /index.html
    expect status 200 200
    exit
  probe http YAHOO_WWW_PROBE
    ip address 87.248.112.181
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    request method head url /index.html
    expect status 200 200
    exit
  serverfarm host TRANSPARENT_PROXY_SF
    description Transparent Proxy Farm
    transparent
    predictor hash url
    probe CISCO_WWW_PROBE
    probe YAHOO_WWW_PROBE
    rserver CFLOW01
      inservice
    rserver CFLOW02
      inservice
    exit
    exit
  ############################################# Router Cache Farm ############################
  probe icmp ICMP_PROBE
    description *** Probe for icmp health monitoring ***
    interval 5
    faildetect 2
    passdetect interval 60
    passdetect count 2
    exit
  rserver host Router01
    description Connection to Sodetel Router
    ip address 192.168.14.4
    probe ICMP_PROBE
    inservice
  rserver host Router02
    description Connection to IDM Router
    ip address 192.168.14.5
    probe ICMP_PROBE
    inservice
  serverfarm host Routers
    description Transparent Proxy Farm
    transparent
    predictor hash url
    probe ICMP_PROBE
    rserver Router01
      inservice
    rserver Router02
      inservice
    exit
    exit
  ################################# Management################################
  class-map type management match-any REMOTE_MGMT
    description Allow Remote management for below protocols
    8 match protocol icmp any
    9 match protocol ssh source-address 172.31.13.31 255.255.255.255
    10 match protocol ssh source-address 172.31.31.21 255.255.255.255
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_MGMT
      permit
  class-map match-all CFLO2Internet
    2 match virtual-address 0.0.0.0 0.0.0.0 any
  class-map match-all TRANSPARENT_VIP_CM
    2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
  policy-map type loadbalance first-match TRANSPARENT_LB_PM
    class class-default
      serverfarm TRANSPARENT_PROXY_SF backup Routers
  policy-map type loadbalance first-match CFLO2Internet_LB
    class class-default
      serverfarm Routers
  policy-map multi-match CFLO2Internet_PM
    class CFLO2Internet
      loadbalance vip inservice
      loadbalance policy CFLO2Internet_LB
      loadbalance vip icmp-reply active
      connection advanced-options TCP
  policy-map multi-match L3L4_PM
    class TRANSPARENT_VIP_CM
      loadbalance vip inservice
      loadbalance policy TRANSPARENT_LB_PM
      loadbalance vip icmp-reply active
      connection advanced-options TCP
  ====Interfaces======
  interface vlan 11
    description Interface between Routers and ACE
    ip address 192.168.14.2 255.255.255.224
    alias 192.168.14.1 255.255.255.224
    peer ip address 192.168.14.3 255.255.255.224
    no icmp-guard
    access-group input PERMIT_ALL
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    service-policy input L3L4_PM
    no shutdown
  interface vlan 21
    description Connection to CFlow ServerFarm
    ip address 192.168.12.2 255.255.255.224
    alias 192.168.12.1 255.255.255.224
    peer ip address 192.168.12.3 255.255.255.224
    no icmp-guard
    access-group input CFLOW
    service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
    no shutdown

  Hi George,
  In the topology you described, only the service-policy in the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.
  The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it does to select the one it will use is sending an ARP request to both gateways and using the one that replies first until the ARP entry expires)
  If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balanced to a transparent serverfarm composed of both routers.
  Regards
  Daniel

• IPhoto '08 Book upload errors with squid transparent proxy - tip

  Hi folks
  I've just "solved" a problem I was having with iPhoto Book uploads. The solution may apply to other publishing products from iPhoto and possibly iDisk uploads too.
  My firewall & proxy setup is basically Linux iptables redirecting all outbound http (port 80) connections to a dansguardian filter, which in turn is passed onto a squid instance running as a transparent proxy (oh, and there's a privoxy in this all too!). Yeah, OK, I know, slightly paranoid, but I don't want my children accidently browsing stuff I don't think they are old enough for yet!
  Now I had the problem before with iPhoto '06 as well, but at the time just didn't have the time or inclination to figure out what the problem was, and just did the book order and upload from the office, where it went through without a problem. This time I decided to dig a bit and see what was happening. The clue that triggered off the solution was watching the part of the order process where the book data is uploaded. In my default setup, the upload bar would scream through to 100%, and then sit there for ages, before coming back with a connection error. Watching the network flashy lights on the NIC on the firewall though, it suddenly dawned on me that what was happening was that the upload was screaming through to the squid (as there was no outbound network activity from the firewall while this was happening) and then sitting there waiting for squid to pass it on to the Apple site (as shown by the outbound NIC activity light suddenly going bonkers once the uoload bar hit 100%).
  So clearly there's a problem sending book orders via a squid proxy setup as a transparent proxy. It might also very well be dansguardian interfering and wanting to take the entire upload and checking it before passing it on to squid. I already have site exception setup for all apple.com urls though in dansguardian, so didn't think it would be that. I thought about dicking around with the squid acl's but didn't have the enthusiasm to spend half the day getting that working.
  So what I did in the end was tail the squid logs to see what was being proxied whilst the book order was going on, and then dropped in 3 new rules in my iptables setup just before the redirect rule. Tried ordering the book again, and voila!
  The three rules I inserted were:
  $IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d mercury.apple.com -j ACCEPT
  $IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d configuration.apple.com -j ACCEPT
  $IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d publish.mac.com -j ACCEPT
  The "-s ! 10.1.1.1" bit is obviously particular to my setup, as I wouldn't want connections from the router itself being proxied, so that may need to either be customised or left out altogether. These three rules are then immediately followed by the redirect:
  $IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp --dport 80 -j REDIRECT --to-port 8081
  Hope that is of some help to someone out there!
  K

  Tony,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at
  http://support.novell.com.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://support.novell.com/forums)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Java client for OSB proxy with JMS Transport

  Hi,
  I am trying to call OSB proxy with JMS Transport. I am generating the client through ant task clientgen and following this article
  http://www.oracle.com/technetwork/articles/murphy-soa-jms-092653.html
  The osb proxy is req-response and is simply routing to BS which return a string value.
  When I run my client, it get stuck and does not return at all. Has any one trying java client in such scenario?
  What I may be missing?
  Below is snipped of client code:
  String url = "http://localhost:7021/sbresource?PROXY/MySample/MyJMSProxyService";
  CreditLoanApprovalServiceSoapBindingQSService service = new CreditLoanApprovalServiceSoapBindingQSService_Impl(url);
  MyPortType port = service.getCreditLoanApprovalServiceSoapBindingQSPort();
  LoanStruct in = new LoanStruct(); //populated the data structure
  String loanResult = port.processLoanApp(in); // Stuck here without any error
  System.out.println("LoanResult--> " + loanResult);
  Thx
  /Ashwani

  http://localhost:7021/sbresource?PROXY/MySample/MyJMSProxyService is the WSDL URL of the proxy.
  Transport is is picked by the client from wsdl.
  As far as the documentation of client generation is there, there is no change.
  But meanwhile I have started working on sending the message directly to queue. JMSProxy is getting called. May be I will first run the proxy this way and then try troubleshooting the java client.
  Regards
  Ashwani

• ABAP client proxy With Receiver JDBC Adapter

  Hello Experts,
  I am working on a scenerio ABAP client proxy With Receiver JDBC Adapter.
  The client proxy program will fetch the master data related to equipment in plant maintenance module and  will update the sql database through Receiver JDBC Adapter .
  my requirement is if the equipement is created in sap then the  scheduled job has to trigger the client proxy program and send the message with status 'created'  to sql data base.
  if the equipment is modified in sap then the scheduled job has to trigger the client proxy program and send the message with status 'modify' to sql data base.
  please let me know how can i write the logic/code for this scenerio in client proxy program.
  Tables for equipment master i am using  is EQUI and fields are   ERDAT and AEDAT which is created date and modified date.
  fields for scheduling start date is tbtcp-sdldate.
  Thanks in advance.
  Ram.

  Hello Ram,
     Here you can check if updated date field is not empty then send status as created and if this field is not blank then send status as modified record.
  Monica

• Connecting to DirectAccess server from a client behind proxy with authentication

  Hi,
  All our DA clients are working fine except those that are working from a client company where a proxy with authentication is used.
  Our DA server is running Windows server 2012 and clients are running Windows 7.
  I have found similar posts, where it states it is a known issue and it is fixed by a new feature in Windows 2012, however i cannot find more info:
  http://technet.microsoft.com/en-us/library/hh831416.aspx
  IP-HTTPS runs in a system context rather than a user context. This context can cause connection issues. For example, if a DirectAccess
  client computer is located in the network of a partner company that uses a proxy for Internet access, and WPAD auto detection is not used, the user must manually configure proxy settings in order to access the Internet. These settings are configured in Internet
  Explorer on a per user basis, and cannot be retrieved in an intuitive way on behalf of IP-HTTPS. In addition, if the proxy requires authentication, the client provides credentials for Internet access, but IP-HTTPS will not provide the credentials required
  to authenticate to DirectAccess. In Windows Server 2012, a new feature solves these issues. Specifically, the user can configure IP-HTTPS to work when behind a proxy that is not configured using WPAD and IP-HTTPS will request and provide the proxy credentials
  needed to IP-HTTPS request authenticated, and relay it to the DirectAccess server.

  Hello,
  As far as I know it's a feature of Windows 2012 URA with a Windows 8 client.
  Unfortunatelly you will have trouble with proxy authentication with Windows 7 client I think
  Regards,
  Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) :
  http://security.sakuranohana.fr/

• Standalone java as client java proxy with xi

  hi,
  i am coming from ABAPer, i have read inside story part 1 and 2, this seems J2EE Application.
  i am not clear on standalone java as client java proxy with xi.
  i have ClassProxy.zip generated by IR and some aii_***.jar.
  could you tell me what the step by step is?
  any helpful comments will be apprecidated.
  thanks
  venjamin

  hi
  good
  go through these links, i hope these will help you to solve your problem.
  http://help.sap.com/saphelp_srm30/helpdata/en/0f/80243b4a66ae0ce10000000a11402f/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/d4/d12940cbf2195de10000000a1550b0/content.htm
  http://www.seeburger.com/fileadmin/com/pdf/SAP_Exchange_Infrastructure_Integratio_Strategy.pdf
  thanks
  mrutyun

• Replacing MS ISA proxy with IronPort WSA proxy - ISA firewall client?

  Replacing MS ISA proxy with IronPort WSA proxy - what about the ISA firewall client?
  Does Cisco have an equivalent of the Microsoft ISA Firewall Client?
  How does WSA handle complex protocols (such as ftp) through the proxy server?

  We are replacing MS ISA proxy servers with IronPort WSA S370 proxy servers.
  We have several apps that make use the MS firewall client.
  The MS firewall client enables HTTP-tunneling of TCP & UDP through the ISA proxy servers instead of going through firewalls.
  These apps use various ports - and there are rules setup on the ISAs specifially for these apps and their ports.
  Also we have serveral uses of RPD, telnet, and SSH using the firewall client to HTTP-tunnel through the proxy servers -- and these have  specific ISA rules setup for them too.
  I can find HTTP-tunneling software - commercial and freeware - but can't find any that I think will work through the IronPort WSA S370 proxy servers.
  Would like to find someone who has implemented HTTP-tunneling using IronPort WSA 370 proxy servers.
  Thanks again for your input.

• Can log into Yosemite server (4.0) VPN service with a Mavericks client, but not Yosemite client

  Sever Info:
  Yosemite Server 4.0 running on a late 2009 Mac Mini with 8 GB RAM with vpnd service enabled
  The server was upgraded to Yosemite - not clean install - this may not matter (see below)
  Airport extreme router with standard VPN UDP ports for L2TP forwarded to server (500, 1701, 4500)
  Client info:
  MB Air 13" early 2014 with 8 GB RAM
  Yosemite
  Mavericks 10.9.5 running as a Parallels virtual machine (don't ask - I need it to run an app for work that is not yet compatible with Yosemite)
  OD service is NOT running - no VPN connections ever occurred from ANY client with this service running - OD is not needed in my case fortunately
  With the OD service off, I can connect via the Mavericks virtual machine just fine, but not with Yosemite. With Yosemite, the ppp connection appears to occur, but server config requests appear to fall on deaf ears (client side doesn't appear to respond) until the connection times out. Can't figure out what triggers the client response to a server config request. Client side complains about no route to host and IP addresses don't get assigned to the connection.
  The connection happens successfully in an eyeblink with the Mavericks client. Same username/password/shared secret in both instances.
  Tried a generated .vpnconfig from the server, this also did not work.
  It's possible that it is an auth problem, but can't figure out how the process occurs or what may be going wrong. There does not seem to be an obvious way to increase the granularity of the logging such that it might give other hints - at least that I can find. I found plenty of references to VPN issues when people upgraded from Mountain Lion to Mavericks as well as work arounds for this. I tried the most promising looking of those - no love. I reverted everything back to stock install since I could at least connect with Mavericks.
  If log entries would be helpful, they are included below. I've stared at them long enough - perhaps a new set of eyes can provide a hint.
  In addition, I can find no documentation regarding the VPN service in Yosemite server so as to get a clue as to whether there have been changes in racoon since Mavericks.
  Thanks in advance for any suggestions. I would be glad to supply any other info needed for an accurate diagnosis .
  Pat
  ==
  Regarding the Yosemite client connection in the Yosemite server VPN Service log:
  2014-10-21 12:18:30 MDT
  Incoming call... Address given to client = 192.168.1.228
  Tue Oct 21 12:18:30 2014 : Directory Services Authentication plugin initialized
  Tue Oct 21 12:18:30 2014 : Directory Services Authorization plugin initialized
  Tue Oct 21 12:18:30 2014 : publish_entry SCDSet() failed: Success!
  Tue Oct 21 12:18:30 2014 : publish_entry SCDSet() failed: Success!
  Tue Oct 21 12:18:30 2014 : publish_entry SCDSet() failed: Success!
  Tue Oct 21 12:18:30 2014 : L2TP incoming call in progress from 'my.dotted.quad.address'...
  Tue Oct 21 12:18:30 2014 : L2TP received SCCRQ
  Tue Oct 21 12:18:30 2014 : L2TP sent SCCRP
  Tue Oct 21 12:18:30 2014 : L2TP received SCCCN
  Tue Oct 21 12:18:30 2014 : L2TP received ICRQ
  Tue Oct 21 12:18:30 2014 : L2TP sent ICRP
  Tue Oct 21 12:18:30 2014 : L2TP received ICCN
  Tue Oct 21 12:18:30 2014 : L2TP connection established.
  Tue Oct 21 12:18:30 2014 : using link 0
  Tue Oct 21 12:18:30 2014 : Using interface ppp0
  Tue Oct 21 12:18:30 2014 : Connect: ppp0 <--> socket[34:18]
  Tue Oct 21 12:18:30 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:33 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:36 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:39 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:42 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:45 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:48 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:51 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:54 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:18:57 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x93542b1> <pcomp> <accomp>]
  Tue Oct 21 12:19:00 2014 : LCP: timeout sending Config-Requests
  Tue Oct 21 12:19:00 2014 : Connection terminated.
  Tue Oct 21 12:19:00 2014 : L2TP disconnecting...
  Tue Oct 21 12:19:00 2014 : L2TP sent CDN
  Tue Oct 21 12:19:00 2014 : L2TP sent StopCCN
  Tue Oct 21 12:19:00 2014 : L2TP disconnected
  2014-10-21 12:19:00 MDT
     --> Client with address = 192.168.1.228 has hungup
  ==
  Client side log for this connection using the Yosemite client:
  Tue Oct 21 14:32:08 2014 : publish_entry SCDSet() failed: Success!
  Tue Oct 21 14:32:08 2014 : publish_entry SCDSet() failed: Success!
  Tue Oct 21 14:32:08 2014 : L2TP connecting to server 'myserver.com' (my.dotted.quad.address)...
  Tue Oct 21 14:32:08 2014 : IPSec connection started
  Tue Oct 21 14:32:09 2014 : IPSec connection established
  Tue Oct 21 14:32:10 2014 : L2TP connection established.
  Tue Oct 21 14:32:10 2014 : L2TP set port-mapping for en0, interface: 4, protocol: 0, privatePort: 0
  Tue Oct 21 14:32:10 2014 : Using interface ppp0
  Tue Oct 21 14:32:10 2014 : Connect: ppp0 <--> socket[34:18]
  Tue Oct 21 14:32:10 2014 : L2TP port-mapping for en0, interfaceIndex: 0, Protocol: None, Private Port: 0, Public Address: 3fe4b3e8, Public Port: 0, TTL: 0.
  Tue Oct 21 14:32:10 2014 : L2TP port-mapping for en0 inconsistent. is Connected: 1, Previous interface: 4, Current interface 0
  Tue Oct 21 14:32:10 2014 : L2TP port-mapping for en0 initialized. is Connected: 1, Previous publicAddress: (0), Current publicAddress 3fe4b3e8
  Tue Oct 21 14:32:10 2014 : L2TP port-mapping for en0 fully initialized. Flagging up
  Tue Oct 21 14:32:25 2014 : write: No route to host
  Tue Oct 21 14:32:25 2014 : write: Host is down
  Tue Oct 21 14:32:28 2014 : write: Host is down
  Tue Oct 21 14:32:28 2014 : write: Host is down
  Tue Oct 21 14:32:31 2014 : write: Host is down
  Tue Oct 21 14:32:31 2014 : write: Host is down
  Tue Oct 21 14:32:34 2014 : write: Host is down
  Tue Oct 21 14:32:34 2014 : write: Host is down
  Tue Oct 21 14:32:37 2014 : write: Host is down
  Tue Oct 21 14:32:37 2014 : write: Host is down
  Tue Oct 21 14:32:40 2014 : LCP: timeout sending Config-Requests
  Tue Oct 21 14:32:40 2014 : Connection terminated.
  Tue Oct 21 14:32:40 2014 : L2TP disconnecting...
  Tue Oct 21 14:32:40 2014 : L2TP error sending CDN (Host is down)
  Tue Oct 21 14:32:40 2014 : L2TP clearing port-mapping for en0
  Tue Oct 21 14:32:40 2014 : L2TP disconnected
  ==
  Pertinent client side log for connection of Mavericks client to Yosemite server:
  Tue Oct 21 13:29:13 2014 : Connect: ppp0 <--> socket[34:18]
  Tue Oct 21 13:29:13 2014 : L2TP port-mapping for en0, interfaceIndex: 0, Protocol: None, Private Port: 0, Public Address: 3fe4b3e8, Public Port: 0, TTL: 0.
  Tue Oct 21 13:29:13 2014 : L2TP port-mapping for en0 inconsistent. is Connected: 1, Previous interface: 4, Current interface 0
  Tue Oct 21 13:29:13 2014 : L2TP port-mapping for en0 initialized. is Connected: 1, Previous publicAddress: (0), Current publicAddress 3fe4b3e8
  Tue Oct 21 13:29:13 2014 : L2TP port-mapping for en0 fully initialized. Flagging up
  Tue Oct 21 13:29:21 2014 : local  IP address 192.168.1.229
  Tue Oct 21 13:29:21 2014 : remote IP address 192.168.1.2
  Tue Oct 21 13:29:21 2014 : primary   DNS address 192.168.1.2
  Tue Oct 21 13:29:21 2014 : secondary DNS address 8.8.8.8
  Tue Oct 21 13:29:21 2014 : l2tp_wait_input: Address added. previous interface setting (name: en0, address: 10.0.1.38), current interface setting (name: ppp0, family: PPP, address: 192.168.1.229, subnet: 255.255.255.0, destination: 192.168.1.2).
  Tue Oct 21 13:29:21 2014 : Committed PPP store
  Tue Oct 21 13:29:21 2014 : Committed PPP store
  Tue Oct 21 13:52:32 2014 : [DISCONNECT]
  Tue Oct 21 13:52:32 2014 : Hangup (SIGHUP)
  Tue Oct 21 13:52:32 2014 : Connection terminated.
  Tue Oct 21 13:52:32 2014 : Connect time 23.4 minutes.
  Tue Oct 21 13:52:32 2014 : Sent 2674664 bytes, received 10680854 bytes.
  Tue Oct 21 13:52:32 2014 : L2TP disconnecting...
  Tue Oct 21 13:52:32 2014 : L2TP clearing port-mapping for en0
  Tue Oct 21 13:52:32 2014 : L2TP disconnected
  ==
  Regarding the Mavericks client connection in the Yosemite server VPN Service log:
  2014-10-21 12:09:48 MDT Incoming call... Address given to client = 192.168.1.226
  Tue Oct 21 12:09:48 2014 : Directory Services Authentication plugin initialized
  Tue Oct 21 12:09:48 2014 : Directory Services Authorization plugin initialized
  Tue Oct 21 12:09:48 2014 : publish_entry SCDSet() failed: Success!
  Tue Oct 21 12:09:48 2014 : publish_entry SCDSet() failed: Success!
  Tue Oct 21 12:09:48 2014 : publish_entry SCDSet() failed: Success!
  Tue Oct 21 12:09:48 2014 : L2TP incoming call in progress from ‘my.dotted.quad.address’…
  Tue Oct 21 12:09:48 2014 : L2TP received SCCRQ
  Tue Oct 21 12:09:48 2014 : L2TP sent SCCRP
  Tue Oct 21 12:09:48 2014 : L2TP received SCCCN
  Tue Oct 21 12:09:48 2014 : L2TP received ICRQ
  Tue Oct 21 12:09:48 2014 : L2TP sent ICRP
  Tue Oct 21 12:09:49 2014 : L2TP received ICCN
  Tue Oct 21 12:09:49 2014 : L2TP connection established.
  Tue Oct 21 12:09:49 2014 : using link 0
  Tue Oct 21 12:09:49 2014 : Using interface ppp0
  Tue Oct 21 12:09:49 2014 : Connect: ppp0 <--> socket[34:18]
  Tue Oct 21 12:09:49 2014 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x4bc40d9f> <pcomp> <accomp>]
  Tue Oct 21 12:09:49 2014 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x71598937> <pcomp> <accomp>]
  Tue Oct 21 12:09:49 2014 : lcp_reqci: returning CONFACK.
  Tue Oct 21 12:09:49 2014 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x71598937> <pcomp> <accomp>]
  Tue Oct 21 12:09:49 2014 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x4bc40d9f> <pcomp> <accomp>]
  Tue Oct 21 12:09:49 2014 : sent [LCP EchoReq id=0x0 magic=0x4bc40d9f]
  Tue Oct 21 12:09:49 2014 : sent [CHAP Challenge id=0x73 <074a110a5e0620296b1937345c34090e>, name = “myserver.private”]
  Tue Oct 21 12:09:49 2014 : rcvd [LCP EchoReq id=0x0 magic=0x71598937]
  Tue Oct 21 12:09:49 2014 : sent [LCP EchoRep id=0x0 magic=0x4bc40d9f]
  Tue Oct 21 12:09:49 2014 : rcvd [LCP EchoRep id=0x0 magic=0x71598937]
  Tue Oct 21 12:09:49 2014 : rcvd [CHAP Response id=0x73 <dfed1e41e1fb8c1132387c3d7792b1880000000000000000b2b163259cbe410aae792093680ba7 a89da3b46737c0d8d200>, name = "somelocaluser"]
  Tue Oct 21 12:09:54 2014 : sent [CHAP Success id=0x73 "S=00EDB07933CE697641E2263A2A76386389512329 M=Access granted"]
  Tue Oct 21 12:09:54 2014 : CHAP peer authentication succeeded for somelocaluser
  Tue Oct 21 12:09:54 2014 : DSAccessControl plugin: User 'somelocaluser' authorized for access
  Tue Oct 21 12:09:54 2014 : sent [IPCP ConfReq id=0x1 <addr 192.168.1.2>]
  Tue Oct 21 12:09:54 2014 : sent [ACSCP ConfReq id=0x1]
  Tue Oct 21 12:09:54 2014 : rcvd [CHAP Response id=0x73 <dfed1e41e1fb8c1132387c3d7792b1880000000000000000b2b163259cbe410aae792093680ba7 a89da3b46737c0d8d200>, name = "somelocaluser"]
  Tue Oct 21 12:09:54 2014 : sent [CHAP Success id=0x73 "S=00EDB07933CE697641E2263A2A76386389512329 M=Access granted"]
  Tue Oct 21 12:09:54 2014 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
  Tue Oct 21 12:09:54 2014 : ipcp: returning Configure-NAK
  Tue Oct 21 12:09:54 2014 : sent [IPCP ConfNak id=0x1 <addr 192.168.1.226> <ms-dns1 192.168.1.2> <ms-dns3 8.8.8.8>]
  Tue Oct 21 12:09:54 2014 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::021c:42ff:febf:bf66>]
  Tue Oct 21 12:09:54 2014 : Unsupported protocol 0x8057 received
  Tue Oct 21 12:09:54 2014 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1c 42 ff fe bf bf 66]
  Tue Oct 21 12:09:54 2014 : rcvd [ACSCP ConfReq id=0x1 <route vers 16777216> <domain vers 16777216>]
  Tue Oct 21 12:09:54 2014 : sent [ACSCP ConfRej id=0x1 <route vers 16777216>]
  Tue Oct 21 12:09:54 2014 : rcvd [IPCP ConfAck id=0x1 <addr 192.168.1.2>]
  Tue Oct 21 12:09:54 2014 : rcvd [ACSCP ConfAck id=0x1]
  Tue Oct 21 12:09:54 2014 : rcvd [IPCP ConfReq id=0x2 <addr 192.168.1.226> <ms-dns1 192.168.1.2> <ms-dns3 8.8.8.8>]
  Tue Oct 21 12:09:54 2014 : ipcp: returning Configure-ACK
  Tue Oct 21 12:09:54 2014 : sent [IPCP ConfAck id=0x2 <addr 192.168.1.226> <ms-dns1 192.168.1.2> <ms-dns3 8.8.8.8>]
  Tue Oct 21 12:09:54 2014 : ipcp: up
  Tue Oct 21 12:09:54 2014 : found interface en0 for proxy arp
  Tue Oct 21 12:09:54 2014 : local  IP address 192.168.1.2
  Tue Oct 21 12:09:54 2014 : remote IP address 192.168.1.226
  Tue Oct 21 12:09:54 2014 : Received acsp/dhcp dictionaries
  Tue Oct 21 12:09:54 2014 : Received acsp/dhcp dictionaries
  Tue Oct 21 12:09:54 2014 : l2tp_wait_input: Address added. previous interface setting (name: en0, address: 192.168.1.2), current interface setting (name: ppp0, family: PPP, address: 192.168.1.2, subnet: 255.255.255.0, destination: 192.168.1.226).
  Tue Oct 21 12:09:54 2014 : rcvd [ACSCP ConfReq id=0x2 <domain vers 16777216>]
  Tue Oct 21 12:09:54 2014 : sent [ACSCP ConfAck id=0x2 <domain vers 16777216>]
  Tue Oct 21 12:09:54 2014 : Received protocol dictionaries
  Tue Oct 21 12:09:54 2014 : Committed PPP store
  Tue Oct 21 12:09:54 2014 : sent [ACSP data <payload len 24, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
      <domain: name private>
      <domain: name local>]
  Tue Oct 21 12:09:54 2014 : rcvd [IP data <src addr 192.168.1.226> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
  Tue Oct 21 12:09:54 2014 : sent [IP data <src addr 192.168.1.2> <dst addr 192.168.1.226> <BOOTP Reply> <type ACK> <server id 0xc0a80102> <domain name "local">]
  Tue Oct 21 12:09:57 2014 : sent [ACSP data <payload len 24, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
      <domain: name private>
      <domain: name local>]
  Tue Oct 21 12:10:00 2014 : sent [ACSP data <payload len 24, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
      <domain: name private>
      <domain: name local>]
  Tue Oct 21 12:10:03 2014 : sent [ACSP data <payload len 24, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
      <domain: name private>
      <domain: name local>]
  Tue Oct 21 12:10:06 2014 : sent [ACSP data <payload len 24, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
      <domain: name private>
      <domain: name local>]
  Tue Oct 21 12:10:09 2014 : sent [ACSP data <payload len 24, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
      <domain: name private>
      <domain: name local>]
  Tue Oct 21 12:10:09 2014 : rcvd [LCP TermReq id=0x2 "User request"]
  Tue Oct 21 12:10:09 2014 : LCP terminated by peer (User request)
  Tue Oct 21 12:10:09 2014 : ipcp: down
  Tue Oct 21 12:10:09 2014 : sent [LCP TermAck id=0x2]
  Tue Oct 21 12:10:09 2014 : l2tp_wait_input: Address deleted. previous interface setting (name: en0, address: 192.168.1.2), deleted interface setting (name: ppp0, family: PPP, address: 192.168.1.2, subnet: 255.255.255.0, destination: 192.168.1.226).
  Tue Oct 21 12:10:09 2014 : L2TP received CDN
  Tue Oct 21 12:10:09 2014 : Connection terminated.
  Tue Oct 21 12:10:09 2014 : Connect time 0.4 minutes.
  Tue Oct 21 12:10:09 2014 : Sent 1003 bytes, received 646 bytes.
  Tue Oct 21 12:10:09 2014 : L2TP disconnecting...
  Tue Oct 21 12:10:09 2014 : L2TP disconnected
  2014-10-21 12:10:09 MDT   --> Client with address = 192.168.1.226 has hungup

  1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
  Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
  2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
  There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
  3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
  You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
  In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
  You may not be able to understand the script yourself. But variations of the script have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message.
  Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
  4. Here's a summary of what you need to do, if you choose to proceed:
  ☞ Copy a line of text in this window to the Clipboard.
  ☞ Paste into the window of another application.
  ☞ Wait for the test to run. It usually takes a few minutes.
  ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
  The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
  5. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
  6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
  7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
  Triple-click anywhere in the line of text below on this page to select it:
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB com.apple.AirPortBaseStationAgent 464843899 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^\([0-9]+\) /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: [^EO]|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<200) print "com.apple.";} ' ' $3~/[0-9]:[0-9]{2}$/ { gsub(/:[0-9:a-f]{14}/,"");} { print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { print "'${p[41]}'";if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$|'${p[41]}'/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { print "'${p[41]}'.plist\t'${p[42]}'";if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\\([0-9]+\\)\\(.+\\)/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n   "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n   [N/A]";"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text$|(Bo|PO).+ sh.+ text ex)/) F=F" ("T")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n   ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9;} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */   /;' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps sudo\ crontab sudo\ iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl sudo\ launchctl crontab 'sudo defaults read' stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' defaults\ read scutil sudo\ dtrace sudo\ profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil sudo\ lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \)' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|corru|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA\(|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|SMC:|suhel| VALI|xpma' -o -k Sender fseventsd -k Message Req 'SL' " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! -name \*ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '/S*/*/Ca*/*xpc* >&- ||echo No' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,Ex}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,In{p,ter},iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents XPC\ cache Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};';done;A7(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "${s[63]}"<<<"$v"`&&C1 1 $1;};for i in 1 2;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D22 35 49 61 51;D22 11 17 17 20;for i in 0 1;do D22 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A2 19 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D13 21 0 32 19;D13 10 42 32 40;D22 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 20 32 25;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 26 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D23 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 20 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 26 48 49 49;B3 4 22 57;A1 26 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D23 22 9 37 7;A7;C2 2;} 2>/dev/null|pbcopy;exit 2>&-
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  8. Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
  9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
  exec bash
  and press return. Then paste the script again.
  10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return  three times at the password prompt. Again, the script will still run.
  If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
  11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line
  [Process completed]
  to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report what happened. No harm will be done.
  12. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
  At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
  If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
  13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
  14. This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.
  Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

• Any example of dynamic proxy with RMI?

  Hi, are there any good example of dynamic proxy with RMI, using the new RemoteObjectInvocationHandler class?
  I am currently implementing a Registry, and want to use dynamic proxy to wrap around the registry stub, to pass extra information to the client.
  I've tried it, but the program will hang and get this exception:
  Exception in thread "RMI TCP Connection(1616)-192.168.1.23" java.lang.OutOfMemoryError: Java heap space
  My implementation looks like this:
  public RegistryImpl extends RemoteServer Implements Registry {
      public RegistryImpl(int port, Properties... properties) throws RemoteException, ChannelException {
           // Create a reference for the registry.
       LiveRef liveref = new LiveRef(id, port);
          ref = new UnicastServerRef(liveref);
           Registry proxy = (Registry)RegistryProxy.newProxyInstance(
                this.getClass().getClassLoader(),
                this.getClass().getInterfaces(),
                new RemoteObjectInvocationHandler(this.getRef()));
           /* Using dynamic proxy */
           usref.exportObject(proxy, null, true);
  public class RegistryProxy extends Proxy implements Registry {
       private InvocationHandler handler;
       public RegistryProxy(InvocationHandler handler) {
            super(handler);
            this.handler = handler;
       public Remote lookup(String name) throws RemoteException, NotBoundException, AccessException {
            Remote result;
            try {
                 Method m = Registry.class.getMethod("lookup", new Class[]{String.class});
                 result = (Remote)handler.invoke(this, m, new Object[]{name});
            } catch (SecurityException e) {
                 throw new UndeclaredThrowableException(e);
            } catch (NoSuchMethodException e) {
                 throw new UndeclaredThrowableException(e);
            } catch (Throwable e) {
                 throw new UndeclaredThrowableException(e);
            return result;
       public void bind(String name, Remote remoteObj) throws RemoteException, AlreadyBoundException, AccessException {
       public void unbind(String name) throws RemoteException, NotBoundException, AccessException {
       public void rebind(String name, Remote remoteObj) throws RemoteException, AccessException {
       public String[] list() throws RemoteException, AccessException {
  }I am new to Java programming, any help is appriciated.
  Regards
  Eddie

  Hi Eddie,
  Perhaps you might like this one:
  http://wiki.java.net/bin/view/Communications/TransparentProxy
  it uses dynamic proxies to achieve complete RMI transparency.
  Something to consider, good luck.
  John

• Transparent design with router on both sides?

  I am looking to solve a design which has to work in two scenarios. Preferably with an in-line solution.
  1. Transparent design with VRF on both sides:
  FW-VRF (Subnet A)
        |
        | (VLAN 11)      | ACE (Subnet A)
        |
        | (VLAN 12)
        |
  LAN-VRF
        |
        |  (VLAN 13)
        |
  Real servers (Subnet B)
  2. Transparent design in plain bridge mode
  FW-VRF (Subnet A)
        |
        | (VLAN 11)      |
     ACE (Subnet A)
        |
        | (VLAN 12)
        |
  Real servers (Subnet A)
  As mentioned, I am aiming for a single design for both scenarios. A routed design will not pass in the first scenario and a one-arm solution will be inefficient in the second scenario. (both due to existing infrastructure) Is it possible to solve this with a transparent solution in both scenarios? I can't seem to get it to work.
  Thanks in advance for any help!

  I'm gonna expand my question a bit as I can not seem to get a working config in scenario 1. From the ACE I can ping the VRFs on both side of the ACE. I can on the other hand not ping neither the bvi-address of the ACE nor one VRF from the other. Can anyone notice any immediate errors in my config? Thanks in advance for any help!
  Addresses:
  10.3.66.1 - FW_VRF on client side
  10.3.66.6 - LAN_VRF on server side
  10.3.66.7 - BVI if on ACE
  ===Admin===
  resource-class TEST_res
  limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-mz.A3_2_0.bin
  hostname 4710Appl
  interface gigabitEthernet 1/1
  description Management port
  switchport access vlan 752
  no shutdown
  interface gigabitEthernet 1/2
  description Client side LAN
  switchport trunk allowed vlan 2522
  no shutdown
  interface gigabitEthernet 1/3
  description Server side LAN
  switchport trunk allowed vlan 2524
  no shutdown
  interface gigabitEthernet 1/4
  shutdown
  access-list BPDU ethertype permit bpdu
  access-list ALL line 8 extended permit ip any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol icmp any
  4 match protocol snmp any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  interface vlan 752
  description Management VLAN
  ip address 10.7.52.63 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  ip route 0.0.0.0 0.0.0.0 10.3.66.1
  context TEST_context
  allocate-interface vlan 752
  allocate-interface vlan 2522
  allocate-interface vlan 2524
  member TEST_res
  context TEST_context_routed
  username admin password 5 $1$bale5EiS$bEdquz.bbcW3wRcfeSzbu/  role Admin domain
  default-domain
  username www password 5 $1$bsOdgxav$1uywtkwFEj3QalKaOTrkZ1  role Admin domain de
  fault-domain
  ssh key rsa 1024 force
  ===Application context===
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol icmp any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  interface vlan 752
  ip address 10.7.52.64 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  interface vlan 2522
  description Client side VLAN
  bridge-group 1
  access-group input ALL
  access-group output ALL
  no shutdown
  interface vlan 2524
  description Server side VLAN
  bridge-group 1
  access-group input ALL
  access-group output ALL
  no shutdown
  interface bvi 1
  ip address 10.3.66.7 255.255.255.240
  no shutdown
  ip route 0.0.0.0 0.0.0.0 10.3.66.1

• Transparent proxy & IP/IP gateway

  I am trying to configure our BM3.7 system to us transparent proxy in
  conjunction with IP/IP gateway.
  I want to be able to take advantage of the caching features of the
  proxy and
  the access control of the gateway.
  According to the install manual I must have the client configured with
  the
  IP gateway client software. However, it does not work correctly for
  some
  reason. The current proxy gateway status shows "No HTTP proxy server
  found"
  At one point I DID get a proxy server connection and things worked
  great,
  but for some reason I list it again after only a few minutes. ( I may
  have
  inadvertently changed a setting that screwed it up) Now, I can not
  get ti
  to work. Can any one give some suggestions?

  OK, I think I have it.
  I don't need the gateway. (Although the install PDF says I do)
  From other article I see that the IP/IP gateway is no longer required
  for
  access control ( as the PDF states)

• ASA cut through proxy with RADIUS challenge response?

  Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)
  Want to do cut through proxy with challenge response - same ASA and same RADUIS server but using aaa authentication match command and this is what happens...
  It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?
  What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)
  Date: 15/11/2010
  Time: 3:53:57 PM
  Type: Information
  Source: Server
  Category: RADIUS
  Code: I-006001
  Description: A RADIUS Access-Request has been received.
  AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
  Details:
  Source Location : 10.xx.21.24
  Client Location : 10.xx.21.230:1025
  Request ID : 31
  Password Protocol : PAP
  Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
  Action : Process
  What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)
  Date: 17/11/2010
  Time: 2:29:31 PM
  Type: Warning
  Source: Server
  Category: RADIUS
  Code: W-006001
  Description: An invalid RADIUS packet has been received.
  AMID: 0xC19D988F83365F20151C3F6339DEC74B
  Details:
  Source Location : 10.xx.21.24:1812 (Authentication)
  Client Location : 10.xx.21.230:1025
  Reason : The sub-protocol of the received RADIUS packet cannot be determined
  Request ID : 33
  Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
  Request Type : Access-Request
  Thanks in advance
  IB

  Hi Ian,
  sorry for the late reaction - do you still need help with this?
  The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-Chapv2
  So my guess is that your Radius server does not support MS-Chapv2. If that is the case then you may want to try this:
  aaa-server () host
  no mschapv2-capable
  Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.
  Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).
  hth
  Herbert