Tunnel comes up the syn packets denied on inbound interface

Hi all,
I have an issue with an ASA site-to-site VPN.
Phase 1 and 2 negotiate fine, but then when I see a SYN initiated for the SFTP I see the SYN denied in the logs even though it is allowed through.
I have changed the addresses in the config; as an example, the src is 1.1.1.1 and the dest 2.2.2.2. Config below:
access-list inside_access_in extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 222
access-list SFTP extended permit tcp host 1.1.1.1 host 2.2.2.2
crypto map outside_map 50 match address SFTP
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer VPN_GW
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set nat-t-disable
The phase 1 and phase 2 seem to negotiate fine.
But I get no encryption/decryption on a sh crypto ipsec sa.
Also I see the SYN on the inside interface being denied from source 1.1.1.1.
So what appears to be happening is the initial packets are allowed through to set up the tunnel, but then the additional packets appear to be denied.
Any help appreciated.
Thanks
Kev

Morning Jennifer,
Thanks for your continued assistance with this.
Going through the config I see vpn-filter 10 applied under:
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value 10
This is tied to ACL 10, which doesn't appear to have the public IP for this in.
This looks like a likely candidate to me.
Config below:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.31 12:56:34 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
ASA Version 7.0(8)
hostname FW
domain-name default.domain.invalid
enable password Wh3rCbG41fzpd0M. encrypted
passwd YYrn5ri6t.SCggWC encrypted
names
name 195.11.205.145 EXT_IP1
name 80.169.148.99 EXT_IP3
name 80.169.148.98 EXT_IP2
name 155.136.89.20 Coutts_Gateway_VPN
name 80.169.148.112 S21_Test_VPN
name 155.136.150.115 Coutts_Host_VPN
name 80.169.148.114 EXT_IP5
name 80.168.148.96 S21_Range
name 80.169.148.100 EXT_IP6
name 59.154.30.158 EXT_IP7
name 195.166.102.62 EXT_IP4
name 193.8.50.231 Coutts_Gateway_VPN_Switz
dns-guard
interface Ethernet0/0
description Outside interface 0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 80.169.124.4 255.255.255.224
interface Ethernet0/1
description Inside interface 0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.0.0
interface Ethernet0/2
description DMZ interface 0/2
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
interface Ethernet0/3
description LAN/STATE Failover Interface
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group service TCP_Port_Group tcp
port-object eq smtp
port-object range ftp-data ftp
port-object eq 123
port-object eq www
port-object eq https
port-object eq domain
port-object eq ftp-data
port-object eq ftp
port-object eq 3389
port-object eq ssh
object-group service UDP_Port_Group udp
port-object eq ntp
port-object eq 21
port-object eq 20
port-object eq domain
object-group network Trusted_Ext_Hosts
network-object EXT_IP1 255.255.255.255
network-object EXT_IP2 255.255.255.255
network-object EXT_IP3 255.255.255.255
network-object EXT_IP4 255.255.255.255
network-object EXT_IP5 255.255.255.255
network-object EXT_IP6 255.255.255.255
network-object EXT_IP7 255.255.255.255
object-group service www_services tcp
port-object eq www
port-object eq https
object-group service TCP_CSG tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq 1080
port-object eq citrix-ica
object-group network Trusted_Ext_Hosts_ref
network-object EXT_IP1 255.255.255.255
network-object EXT_IP2 255.255.255.255
network-object EXT_IP3 255.255.255.255
network-object EXT_IP4 255.255.255.255
network-object EXT_IP5 255.255.255.255
network-object EXT_IP6 255.255.255.255
object-group network S21_Range
network-object S21_Range 255.255.255.224
access-list inside_access_in extended permit tcp 192.168.100.0 255.255.255.0 any object-group TCP_Port_Group
access-list inside_access_in extended permit udp 192.168.100.0 255.255.255.0 any object-group UDP_Port_Group
access-list inside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list dmz_access_in extended permit tcp host 10.10.10.5 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list dmz_access_in extended permit tcp host 10.10.10.5 any object-group TCP_Port_Group
access-list dmz_access_in extended permit udp host 10.10.10.5 any object-group UDP_Port_Group
access-list dmz_access_in extended permit tcp host 10.10.10.7 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list dmz_access_in extended permit tcp host 10.10.10.7 any object-group TCP_Port_Group
access-list dmz_access_in extended permit udp host 10.10.10.7 any object-group UDP_Port_Group
access-list dmz_access_in extended deny ip 10.10.10.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host 80.169.124.36 eq www
access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.35 object-group www_services
access-list outside_access_in extended permit tcp object-group Trusted_Ext_Hosts host 80.169.124.37 object-group www_services
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host 193.8.50.180
access-list inside_access_out extended permit tcp object-group Trusted_Ext_Hosts_ref 192.168.0.0 255.255.0.0 eq 3389
access-list inside_access_out extended permit tcp any host 192.168.100.24 eq www
access-list inside_access_out extended permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0 object-group TCP_CSG
access-list inside_access_out extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_cryptomap_30 extended permit ip host 80.169.124.35 155.136.30.0 255.255.254.0
access-list outside_cryptomap_30 extended permit ip host 80.169.124.37 155.136.30.0 255.255.254.0
access-list 10 extended permit tcp any host 80.169.124.35 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.5 object-group www_services
access-list 10 extended permit tcp any host 80.169.124.37 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.7 object-group www_services
access-list COUTTS_SWITZ_SFTP extended permit tcp 192.168.100.0 255.255.255.0 host 193.8.50.180 eq ssh
access-list outside_cryptomap_40 extended permit ip host 80.169.124.35 155.136.0.0 255.255.0.0
access-list outside_cryptomap_40 extended permit ip host 80.169.124.37 155.136.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface Failover Ethernet0/3
failover polltime interface 10
failover key *****
failover link Failover Ethernet0/3
failover interface ip Failover 172.16.31.249 255.255.255.248 standby 172.16.31.250
no monitor-interface management
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside) 20 80.169.124.32
global (dmz) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 20 192.168.0.0 255.255.0.0
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 20 10.10.10.0 255.255.255.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 80.169.124.33 192.168.100.11 netmask 255.255.255.255
static (inside,outside) 80.169.124.34 192.168.100.21 netmask 255.255.255.255
static (dmz,outside) 80.169.124.35 10.10.10.5 netmask 255.255.255.255
static (inside,outside) 80.169.124.36 192.168.100.24 netmask 255.255.255.255
static (dmz,outside) 80.169.124.37 10.10.10.7 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 80.169.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter value 10
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
  functions none
  port-forward-name value Application Access
username Admin password 5VZ2yiLE0W2kEsod encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 155.136.17.70
crypto map outside_map 30 set transform-set ESP-AES-256-SHA
crypto map outside_map 30 set security-association lifetime seconds 28800
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 set nat-t-disable
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer Coutts_Gateway_VPN
crypto map outside_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 40 set security-association lifetime seconds 3600
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 set nat-t-disable
crypto map outside_map 50 match address COUTTS_SWITZ_SFTP
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer Coutts_Gateway_VPN_Switz
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 set nat-t-disable
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
tunnel-group 155.136.17.70 type ipsec-l2l
tunnel-group 155.136.17.70 ipsec-attributes
pre-shared-key *
tunnel-group 155.136.89.20 type ipsec-l2l
tunnel-group 155.136.89.20 ipsec-attributes
pre-shared-key *
tunnel-group 193.8.50.231 type ipsec-l2l
tunnel-group 193.8.50.231 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 10
dhcpd lease 3600
dhcpd ping_timeout 50
ntp server 193.228.143.13 source outside
Cryptochecksum:87a0c89dced7eb36d9a9b2854eea3b95
: end
FW#
Cheers
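
The vpn-filter check raised in the post above, written out as an added example (not part of the original thread and not Cisco tooling). It flags crypto-map flows that no permit entry in the vpn-filter ACL can match, assuming the documented vpn-filter convention that entries are written remote network first, local network second, and assuming the L2L tunnels inherit the single group policy shown; the sample config is a constructed subset of the one posted, and names or object-groups in address position are not resolved.

```python
import ipaddress
import re

# Constructed sample: a trimmed subset of the running-config posted above.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_30 extended permit ip host 80.169.124.35 155.136.30.0 255.255.254.0
access-list 10 extended permit tcp any host 80.169.124.35 object-group www_services
access-list 10 extended permit tcp any host 10.10.10.5 object-group www_services
access-list COUTTS_SWITZ_SFTP extended permit tcp 192.168.100.0 255.255.255.0 host 193.8.50.180 eq ssh
group-policy DfltGrpPolicy attributes
 vpn-filter value 10
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 50 match address COUTTS_SWITZ_SFTP
"""

# Port operators and how many tokens each one consumes (operator + operands).
PORT_OPS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}


def take_address(tokens):
    """Pop one address spec (any | host A | A MASK) and return it as a network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # "<address> <netmask>"; a name or object-group here raises ValueError.
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net, line), ...]}."""
    acls = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src = take_address(tokens)
        if tokens and tokens[0] in PORT_OPS:   # optional source-port clause
            del tokens[:PORT_OPS[tokens[0]]]
        dst = take_address(tokens)             # destination port is ignored
        acls.setdefault(name, []).append((action, proto, src, dst, line))
    return acls


def protos_overlap(a, b):
    """'ip' covers every protocol; otherwise the protocols must be equal."""
    return a == b or "ip" in (a, b)


def flows_dropped_by_vpn_filter(config):
    """Crypto ACL permit lines that no vpn-filter permit entry overlaps.

    Such a flow can only hit the filter's implicit deny, so the tunnel
    negotiates but carries no traffic for it. Ports are not compared, so an
    empty result does not prove the flow is allowed.
    """
    acls = parse_acls(config)
    filt = re.search(r"^\s*vpn-filter value (\S+)", config, re.M)
    if not filt:
        return []
    permits = [e for e in acls.get(filt.group(1), []) if e[0] == "permit"]
    dropped = []
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M):
        for action, proto, local, remote, line in acls.get(acl, []):
            if action != "permit":
                continue
            # Filter entries are remote -> local, the reverse of the crypto ACL.
            reachable = any(
                protos_overlap(proto, fproto)
                and fsrc.overlaps(remote)
                and fdst.overlaps(local)
                for _, fproto, fsrc, fdst, _ in permits
            )
            if not reachable:
                dropped.append(line)
    return dropped


if __name__ == "__main__":
    for entry in flows_dropped_by_vpn_filter(SAMPLE_CONFIG):
        print("no vpn-filter permit overlaps:", entry)
```

An entry such as `access-list 10 extended permit tcp host 193.8.50.180 eq ssh 192.168.100.0 255.255.255.0` clears the finding for the SFTP flow in this check.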

Similar Messages

  • Unable to open pst file error details access to the path is denied

    Hello,
    I am trying to do a mailboximport-request from a QNAP NAS that is a member of the domain.
    When doing the mailboximport I am getting the following error: unable to open pst file error details access to the path is denied.
    Which permissions do I need to have on the folder/file on the QNAP to import the .pst file?
    Thx

    Move your PST files to a Windows server.  Exchange Trusted Subsystem is a universal group in Active Directory.
    Read more here: http://technet.microsoft.com/en-us/library/ee633455(v=exchg.141).aspx#Pre
    Mike Crowley | MVP
    My Blog --
    Planet Technologies

  • How to use jmf convert the rtp packet (captured by jpcap) in to wav file?

    I use jpcap to capture the RTP packets (payload: ITU-T G.711 PCMU, from VoIP)
    and now I want to use JMF to read that data and convert it into a WAV file.
    How do I do this? Please help me.

    pedrorp wrote:
    Hi Captfoss!
    I fixed it but now I have another problem. My application sends me this message:
    Cannot initialize audio renderer with format: LINEAR, Unknown Sample Rate, 16-bit, Mono, LittleEndian, Signed
    Unable to handle format: ALAW/rtp, Unknown Sample Rate, 8-bit, Mono, FrameSize=8 bits
    Failed to prefetch: com.sun.media.PlaybackEngine@1b45ddc
    Error: Unable to prefetch com.sun.media.PlaybackEngine@1b45ddc
    This time the fail is prefetching. I have no idea why this problem is. Could you help me?
    The system can't play an audio file / stream if it doesn't know the sample rate... somewhere along the way, in your code, the sample rate got lost. Sample rates are highly important, because they tell the system how fast to play the file.
    You need to go look through your code and find where the sample rate information is getting lost...

  • HT201303 last time i bought apps by using visa gift card so iam trying to use the kind of visa gift card and the system is denying the method payment ....any idea how to solve this with my itune account ?

    Last time I bought apps by using a Visa gift card, so I am trying to use the kind of Visa gift card and the system is denying the method of payment... Any idea how to solve this with my iTunes account?

    A few reasons I can think of, but instead of shooting in the dark, let's check with experts who can look at your account.
    iTunes Store Support
    http://www.apple.com/emea/support/itunes/contact.html

  • Site2Site Tunnel issue PSEC(epa_des_crypt): decrypted packet failed SA identity check

    Hi,
    I have a slight issue I'm having some problems resolving..
    The scenario is as follows;
    I have an external provider which connects to me via VPN to a Juniper SSG firewall, that works fine.
    I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPSec via Internet to reach it.
    That also works fine and I have multiple SA's running on that site with no issues or problems.
    The external provider has a small network device deployed on the external site which monitors cooling values in one of our warehouses.
    The external site which is connected via IPsec has a Cisco 1921 and numerous Cisco 3550s deployed.
    The VLAN for the cooling provider is vlan 150 and is setup with 10.150.4.0/24 where .1 is the def gw and .10 is the cooling monitor device.
    The external provider's servers are located within 192.168.220.0/24 subnet.
    As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services, ping, telnet whatnot, but we are unable to ping the cooling device from 192.168.220.0/24.
    However from the Cisco 1921, we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10
    So basically it seems to be the last bit, when the traffic goes through the 1921 and to the switch, where it fails, and I can't for the life of me figure out why.
    Network diagram attached.. any ideas?
    This is the 1921 config:
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname bergen-vpn-gw
    boot-start-marker
    boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
    boot-end-marker
    logging buffered 50000
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    aaa session-id common
    clock timezone CET 1
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
    no ipv6 cef
    no ip source-route
    ip cef
    no ip bootp server
    no ip domain lookup
    ip domain name xxxxx
    multilink bundle-name authenticated
    license udi pid CISCO1921/K9 sn FCZ1508C1P4
    license boot module c1900 technology-package securityk9
    license boot module c1900 technology-package datak9
    vtp mode client
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key harakiri address 1.2.3.4
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN 10 ipsec-isakmp
    set peer 1.2.3.4
    set transform-set 3DES-SHA
    match address VPN
    interface GigabitEthernet0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    interface GigabitEthernet0/0.99
    description *** Test VLAN To be removed ***
    encapsulation dot1Q 99
    ip address 10.90.90.1 255.255.255.0
    no ip route-cache
    interface GigabitEthernet0/0.112
    encapsulation dot1Q 112
    ip address 192.168.112.1 255.255.255.0
    ip helper-address 172.30.1.223
    no ip route-cache
    interface GigabitEthernet0/0.150
    encapsulation dot1Q 150
    ip address 10.150.4.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    no ip route-cache
    interface GigabitEthernet0/0.178
    encapsulation dot1Q 178
    ip address 192.168.178.1 255.255.255.0
    ip helper-address 172.30.1.223
    no ip redirects
    no ip proxy-arp
    no ip route-cache
    interface GigabitEthernet0/0.999
    encapsulation dot1Q 999
    no ip route-cache
    interface GigabitEthernet0/1
    ip address 1.2.3.4 255.255.255.252
    no ip redirects
    no ip proxy-arp
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    crypto map VPN
    interface FastEthernet0/0/0
    switchport access vlan 99
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Vlan1
    no ip address
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 85.200.203.29
    ip access-list extended VPN
    permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
    permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
    ip sla 1
    icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 1 start-time now
    ip sla 2
    icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 2 start-time now
    ip sla 3
    icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 3 start-time now
    ip sla 4
    icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 4 start-time now
    ip sla 5
    icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 5 start-time now
    ip sla 6
    icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 6 start-time now
    cdp source-interface GigabitEthernet0/0.112
    snmp-server community bamacomro RO
    snmp-server community bamacomrw RW
    control-plane
    banner motd ^CCC-----------------------------------------------------------------------------
    This system is solely for the use of authorised users for official purposes.
    You have no expectation of privacy in its use and to ensure that the system
    is functioning properly, individuals using this computer system are subject
    to having all their activities monitored and recorded by system personell.
    Use of this system evidence an express consent to such monitoring and
    agreement that if such monitoring reveals evidence of possible abuse or
    criminal activity, system personell may provide the result of such
    monitoring to appropiate officials.
    -----------------------------------------------------------------------------^C
    line con 0
    exec-timeout 5 0
    logging synchronous
    line aux 0
    line vty 0 4
    access-class telnet in
    exec-timeout 180 0
    logging synchronous
    transport input telnet ssh
    line vty 5 15
    access-class telnet in
    exec-timeout 180 0
    password 7 094F471A1A0A
    logging synchronous
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    I had that issue 1 year ago.
    "decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the proxy ID negotiated.
    Juniper is violating RFC4301. There is nothing we can do against an RFC violation.
    As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
    the SPD (or associated caches) MUST be consulted during the
    processing of all traffic that crosses the IPsec protection boundary,
    including IPsec management traffic.  If no policy is found in the SPD
    that matches a packet (for either inbound or outbound traffic), the
    packet MUST be discarded.
    I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
    Cheers,

  • I can't find and set up the Cisco Packet Tracer program on my MacBook, I need help?

    I can't find and set up the Cisco Packet Tracer program on my MacBook, I need help?

    Check my post
    http://rafavg77.wordpress.com/2013/09/07/como-empaquetar-packet-tracer-exe-a-una-app-nativa-en-mac-os-x/
    I think it will help, sorry for my English

  • I recently installed icloud, now i am trying to set my ical, however when I try to set up an account on my ical with the ical url its says that the access is denied? I am lost! HELP!!!

    I recently installed iCloud, and now I am trying to set up my iCal; however, when I try to set up an account on my iCal with the iCal URL it says that the access is denied. I am lost! HELP!!!

    From Here   http://support.apple.com/kb/HE37
    I have multiple Apple IDs. Is there a way for me to merge them into a single Apple ID?
    Apple IDs cannot be merged. You should use your preferred Apple ID from now on, but you can still access your purchased items such as music, movies, or software using your other Apple IDs.

  • CSM RST issues after SYN packet

    Environment:
    A couple of CSMs in a campus manage the customer's WAP browsing service. A VIP virtualizes the WAP1 and WAP2 services on different TCP and UDP ports, and the CSM balances them to WAP gateway proxies.
    WAP gateway's proxies initiate new connection to internet passing through CSM.
    HTTP sessions are intercepted and balanced to transparent proxies to provide enrichment.
    NAT is implemented for all traffic that goes out to CSM.
    Other flows are managed by this CSM but they aren't involved in the reset issues.
    Behavior:
    The customer sets up a connection with his WAP gateway. The WAP gateway initiates the connection to the internet properly and the flow is properly balanced to the transparent proxies.
    Transparent proxy also initiates new connection to internet.
    Sometimes the CSM sends a RST to the transparent proxies and they send a 502 bad gateway error to all other elements.
    RST packet is sent in two different cases.
    1. RST after a few SYN packets, 30 second between first and last SYN.
    2. RST immediately after the first SYN packet from transparent proxies.
    My ideas:
    I put a test web server on the Client VLAN of the CSM to rule out other network elements or internet problems.
    The second issue probably is a sell-out of some resources. Looking “LB Rjct: no cl NAT port” counter on CSM's tech-support it increases. Probably one IP of NAT isn't enough anymore.
    No ideas for the first issue.
    Do you have any idea?
    Thanks in advance.
    Roberta

    When you say RST after a few SYNs, does it mean the 3-way handshake never completes?
    So, the server never responds with a SYN/ACK?
    30 sec is the pending timeout on the CSM.
    That's the time we allow the tcp 3-way handshake to complete.
    You can increase this timeout with the command 'pending ' under the vserver.
    You can verify if this is a pending timeout issue w/ the command :
    sho mod csm 3 tech proc 1 | i Pending
    Gilles.

  • How can the IPS inspect the encrypted packets?

    Dear experts, hello
    I'd like to ask a question about how the IPS can inspect and prevent any attack in the encrypted packets in some sessions
    such as VPN or SSH sessions. Is there a technique helping with
    that in the IPS?
    Thanks a lot for your help
    labib makar

    Labib;
      For traffic exiting a VPN tunnel, you can place the IPS sensor behind the VPN termination point so it has access to the unencrypted traffic.
      There is not an option to inspect SSL encrypted traffic; you would need to rely on a host-based system such as Cisco Security Agent to assist in providing such protection.
    Scott

  • Thoughts on tracking requirements for Canadians on com. in the future

    In contemplating the ramifications of transferring my listings to com. in the future in order to continue selling in U.S. dollars and the suggestions from some people on this board that many Canadian sellers will be unable to meet the requirements needed to remain qualified for the TRS status due to the high costs re tracking in Canada, what are your thoughts on the possibility of eBay continuing to grant Canadian sellers an exemption on tracking requirements, albeit it be on com. Your thoughts? Bill Lynn

    pierrelebel wrote:
    For more factual information about the Global Top Rated Seller (TRS) program allowing you to earn 20% rebate on your FVF fees: http://pages.ebay.ca/help/sell/top-rated.html That program - applicable to Canadians - should not be confused with the TRS-Plus program, requiring tracking.

    I've just read through the link that 'poco' posted above, and if I'm not mistaken (someone please correct me if I am) there seem to have been some subtle changes in the rules for Canadian sellers with respect to US TRS and US TRS Plus.  Some time ago (I think it was in 2014, but it may have been earlier), eBay dropped the "pseudo" tracking that was allowing many Canadian sellers to maintain US TRS Plus, and introduced verified tracking.  Prior to that time, any confirmation number (Light/Small Packet for example) would be counted toward the US TRS Plus tracking requirement.  I know this because I did have US TRS Plus for several months prior to that change.  At that time, US TRS did not require tracking.  I'm certain of this because my US TRS continued (and has continued to the current date, according to my dashboard today).  Now here's the thing: in the link posted by 'poco', eBay's rules for Canadian sellers to qualify for US TRS are now (in part), as follows.  Note the tracking requirement:
    To become a US Top-rated seller you need to meet the following performance requirements:
    • Have an eBay account that's been active for at least 90 days
    • Have a positive Feedback rating of at least 98%
    • Have at least 100 transactions and $1,000 in sales with US buyers during the last 12 months
    • Upload shipment tracking to your buyer's My eBay within your promised handling time for at least 90% of your transactions with US buyers in the last 3 months.
    US TRS Plus, on the other hand, now mentions nothing about tracking:
    Top Rated Plus
    To qualify for Top Rated Plus, listings need to meet the following requirements:
    • Meet all of the requirements of a Top Rated Seller listed above.
    • Offer a 14-day or more, money back return policy.
    • Offer same business day or 1 business day handling.
    I'm really curious what this is about: Is this an error on the 'help' pages (which we all know happens from time to time), or have the requirements for Canadians to qualify for the basic US TRS been just "quietly" changed in the last while?  If so, why is my Dashboard still showing me as US TRS?  Is it because this is a very recent development, i.e. only the last couple of months, and hasn't yet been reflected in the current evaluation cycle?   If anyone has any insight into this, I'd be pleased to know.  My understanding was that Canadian sellers were exempt (or at least used to be) from the tracking requirements for US TRS, but needed it for US TRS Plus.  So, contrary to my earlier post, that US TRS designation should follow us if we're listing on .com.  Yet not according to the above link to eBay's rules on TRS.  I'm so confused!

  • Need lightroom 4.4 asmac is 10.6.8 and not compatible with anything higher. Does this come with the creative cloud? Would really like a disc but that doesn't seem to happen anymore. Currently have cs4 and d7100 hence need 4.4 to open raw Any idea

    Need Lightroom 4.4 as Mac is 10.6.8 and not compatible with anything higher. Does this come with the Creative Cloud? Would really like a disc but that doesn't seem to happen anymore. Currently have CS4 and D7100, hence need 4.4 to open raw. Any ideas? Is this now customer service or does Adobe have a customer service team? Site not user friendly. Thanks

    Graham Giles wrote:
    Have you seen this type of problem before? I think it could be a serious issue for anyone in a similar position.
    No; but then, I've not had occasion to use TDM. I've been using FireWire drives for over 10 years, both FW400 and FW800, with no issues except a bit of instability using a B&W G3 machine.
    TDM should be safe. Using cautious, manual copying of files from the Target machine to the Host machine should not result in unexpected loss of files or damage to the Target drive's directories. It should behave exactly the same as if it were an external (to the Host) firewire drive.
    •  I don't suppose there is anything I can do to 'put back' lost items from a separate Time Machine drive which has an up to date backup on it.
    There is probably a way to do that - seems to me that's one of the reasons for a Time Machine volume.
    On the other hand, if the Time Machine volume is rigidly linked to the now-absent OS on the original drive, there may be no way to effectively access the files in the TM archive.
    I know that using a cloned drive would work well in this instance.
    I have no experience with Time Machine, so perhaps someone who has will chime in with suggestions.
    With the machine in TDM with the other machine, have you tried running Disk Utility to see if you can effect repairs to the drive?

  • Hello I have what I think is a first generation iPod touch which did not come with the app store on it already, does this mean I can't get apps for my iPod touch?

    Hello i have what I think is a first generation Ipod touch which did not come with the App store already downloaded onto it, can I not download apps to my Ipod touch?

    If you have a 1G iPod you can update to as far as 3.1.3. You get that paid update here:
    Purchasing iOS 3.1 Software Update for iPod touch (1st generation)
    You can identify your iPod here:
    Identifying iPod models
    What iOS is currently on your iPod (Settings>General>About>Version)? You need at least 2.0 for apps but most apps need 3.0 or later.

  • Is there an application like "snag it" for mac?  Does it come with the Mountain Lion OS, or do I have to buy it separately?

    Is there an application like "snag it", which is part of the Microsoft Office suite for mac? Does it come with the Mountain Lion OS, or do I have to buy it separately? If it is a separate purchase, what would you recommend?

    Built-in to OS X is the ability to capture an entire screen or selected portions. Snaps are saved to the Desktop by default:
    COMMAND-SPACE-3 snaps the entire screen.
    COMMAND-SPACE-4 lets you select a portion of the screen to snap.
    In your Utilities folder is a utility called Grab that provides similar functionality and more.
    Then there are dozens of third-party solutions such as SnapNDrag and SnapzProX. You will find them and others at MacUpdate or CNET Downloads. Most have trial versions or trial times so you can test them out.

  • Is LiveCycle only a part of Adobe Acrobat 9 Pro EXTENDED, or does it come with the pro version too?

    Sorry, I know this is dated but my company doesn't offer Acrobat X (yet. It is currently pending approval from IT). Anyway, I am wondering if the Livecycle designer program comes with the Adobe Acrobat 9 Professional version or just the Extended which I cannot get? This is very important as I will be using it to create a form (literally just one form lol).
    Thanks

    Designer ES is distributed with both Acrobat 9 Pro and Acrobat 9 Pro Extended for Windows.
    Steve

  • How do I download Adobe Flash Player on my MacBook Pro?  It says that I have to disable my antivirus software but I never installed one. Does it come with the Mac in the first place?

    How do I download Adobe Flash Player on my MacBook Pro?  It says that I have to disable my antivirus software but I never installed one. Does it come with the Mac in the first place? If so, how can I disable it or get Adobe Flash Player?

    That message is just a standard one issued, mainly for Windows users, you can disregard it if you didn't install any anti-virus. (OS X has one installed by Apple that doesn't interfere)
    It's just some forms of anti-malware are really paranoid and lock the entire machine down. (like Norton)
    If you need assistance installing Flash
    How to install/uninstall Flash, fix problems
    How to uninstall/install software on your Mac
