Unable to allow inbound ICMPv6 on ASA version 9.0(1)

I have upgraded an ASA 5505 to 9.0(1) as I would like to use the IPv6 version of dhcprelay. That said, I am unable to obtain a global unicast address, but the link-local address is able to communicate with the ISP's gateway/DHCP provider, which I hope will allow v6 dhcprelay to provide internal clients with IPs from the ISP. Trouble is, unsolicited inbound ICMPv6 messages from the ISP's gateway are being dropped on the way into the outside interface.
%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
I am able to ping the ISP's link-local address of fe80::201:5cff:fe3b:3c41 but I would assume that is because I am initiating the connection. Below is the ASA's configuration. Any help would be appreciated.
ASA Version 9.0(1)
hostname edge
domain-name domain.com
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
ipv6 address fec0::/64 eui-64
ipv6 enable
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ipv6 enable
ipv6 nd suppress-ra
boot system disk0:/asa901-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list OUTSIDE-IN extended permit icmp6 any any
access-list OUTSIDE-IN extended permit icmp6 any any membership-report
access-list OUTSIDE-IN extended permit icmp6 any any membership-report 0
access-list OUTSIDE-IN extended permit icmp6 any any echo-reply 0
access-list OUTSIDE-IN extended permit icmp6 any any echo-reply
access-list OUTSIDE-IN extended permit icmp6 host fe80::201:5cff:fe3b:3c41 interface outside
access-list OUTSIDE-IN extended permit icmp6 any interface outside membership-report
access-list OUTSIDE-IN extended permit icmp6 any interface outside membership-report 0
pager lines 24
logging enable
logging console warnings
logging monitor warnings
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-IN in interface outside
ipv6 icmp permit any inside
ipv6 icmp permit any membership-report outside
ipv6 icmp permit any echo-reply outside
ipv6 icmp permit any router-advertisement outside
ipv6 icmp permit any neighbor-solicitation outside
ipv6 icmp permit any neighbor-advertisement outside
ipv6 icmp permit any outside
ipv6 dhcprelay server fe80::201:5cff:fe3b:3c41 outside
ipv6 dhcprelay enable inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 10.0.0.101-10.0.0.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd option 3 ip 10.0.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:00029d8b1ed6504390a6e607bd1772dc
: end

Hi Jim, thanks for the reply.
More detail about "unable to obtain a global unicast" address would be helpful. For example, is the upstream ISP emitting router advertisements, or not? If they are really doing v6 you should be seeing router-advertisements sourced from fe80::/64+their EUI-64 MAC mapping and probably including at least one /64 or larger prefix flagged for autoconfiguration. Which your outside interface should be able to pick up. Try replacing ipv6 enable with ipv6 address autoconfig, and regardless write back with the output from show ipv6 interface so we can see what's going on a little better.
I did try enabling autoconfiguration but learned that Comcast uses DHCP to distribute their residential customers' /64 allocations. My link-local address was able to communicate with their gateway [fe80::201:5cff:fe3b:3c41], which also appeared to be the same device or at least an alias for their DHCP server [ff02::1:2]. I learned this after throwing a tap on the connection and obtaining a global IP with a host that could leverage DHCPv6, versus the ASA which cannot. I also tried pinging ff02::1:2 and the response would come from the aforementioned gateway link-local address, but the ASA would block these responses since I guess it was interpreting them as spoofed. The sh ipv6 int outside only shows the link-local address, even with autoconfiguration enabled.
In passing, there isn't really any IPv6 NAT, barring the still-experimental RFC-6296 prefix substitution. And site-local fec0::/10 addresses were deprecated in RFC3879 back in 2004, to the point that newly conforming routers aren't allowed to even configure them as interface addresses, much less forward packets sourced from them. So you probably need a different IPv6 routing strategy for the inside vlan. E.g., have your ISP delegate to you a /48 or a /60 or something and put different /64 subnets on the inside and outside interfaces, with an explicit ipv6 default route, e.g.
ipv6 route outside ::/0 fe80::201:5cff:fe3b:3c41
I don't think there is any IPv6 equivalent of setroute from "ip address dhcp setroute".
Interesting and good information! So at the point that I was unable to use autoconfiguration but was able to connect to their link-local address (pongs from my ping), I loaded up the new, shiny 9.0(1) release which supports DHCPv6 relaying and gave it a whirl. I specified the gateway address as the DHCPv6 relay server but no luck. Via some debugging, I saw requests from internal clients on the internal going out but no responses. I assumed that this would work fine over the ASA's link-local address as that is what a traditional client that does support DHCPv6 would communicate over, but no dice.
Your icmp6 commands puzzle me a little. ipv6 icmp permit any outside is the default interface behavior, and makes all the preceding permits moot. Maybe you are planning to replace it with a deny at some future point? Not filtering ICMPv6 at routed interfaces is less dangerous than in the v4 case, as most of the interesting stuff has restrictions to the on-link VLAN like requiring hop limit=255 or link-local source addresses.
My understanding was also that ICMPv6 stuff should work fine without the statements, but after failed autoconfiguration and DHCPv6 relay attempts I was trying to get a little creative, or desperate. I reached out to Comcast's Business and put in a TAC ticket. Although this was for a residential setup, Comcast support (at least the three representatives I spoke with) did not know what IPv6 was and wanted to charge me for premium support (you can imagine my reluctance). I reached out to their business side and they were more interested in helping. Not having an account limited my support but in short, they did not at this time support static /64 allocations, at least that's what I was told. It might have been worth upgrading to a business account if they did, but instead I am going to purchase a router which will support DHCPv6...
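A triage sketch for the %ASA-3-313008 lines quoted in the first post, added here as an example and not part of the original thread: it maps each denied ICMPv6 type to its RFC name and flags Neighbor Discovery drops from link-local sources. The function and variable names are hypothetical; the sample input is the six log lines from the post.

```python
import ipaddress
import re
from collections import Counter, namedtuple

# ICMPv6 type -> (RFC name, family). Echo: RFC 4443; MLD: RFC 2710/3810;
# Neighbor Discovery (NDP): RFC 4861.
ICMPV6_TYPES = {
    128: ("Echo Request", "echo"),
    129: ("Echo Reply", "echo"),
    130: ("Multicast Listener Query", "mld"),
    131: ("Multicast Listener Report", "mld"),
    132: ("Multicast Listener Done", "mld"),
    133: ("Router Solicitation", "ndp"),
    134: ("Router Advertisement", "ndp"),
    135: ("Neighbor Solicitation", "ndp"),
    136: ("Neighbor Advertisement", "ndp"),
    137: ("Redirect", "ndp"),
    143: ("Multicast Listener Report v2", "mld"),
}

# Message layout exactly as it appears in the post (syslog ID 313008).
DENY_RE = re.compile(
    r"%ASA-3-313008: Denied IPv6-ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<ifc>\S+)"
)

Denial = namedtuple(
    "Denial", "icmp_type code src interface name family link_local"
)

# The six log lines quoted in the post.
SAMPLE_LOG = """\
%ASA-3-313008: Denied IPv6-ICMP type=129, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=131, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
%ASA-3-313008: Denied IPv6-ICMP type=136, code=0 from fe80::201:5cff:fe3b:3c41 on interface outside
"""


def parse_denials(lines):
    """Return a Denial for every 313008 line; skip anything else."""
    events = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.IPv6Address(m["src"])
        except ValueError:
            continue  # malformed source field: not usable for triage
        icmp_type = int(m["type"])
        name, family = ICMPV6_TYPES.get(icmp_type, (f"type {icmp_type}", "other"))
        events.append(
            Denial(icmp_type, int(m["code"]), str(src), m["ifc"],
                   name, family, src.is_link_local)
        )
    return events


def summarize(events):
    """Count denials per (interface, source, message name)."""
    return Counter((e.interface, e.src, e.name) for e in events)


def ndp_peers_denied(events):
    """Link-local sources whose Neighbor Discovery messages were dropped.

    NDP is on-link only, so a hit here means the firewall is refusing
    control traffic from a directly attached neighbor such as a gateway.
    """
    return {e.src for e in events if e.family == "ndp" and e.link_local}


if __name__ == "__main__":
    events = parse_denials(SAMPLE_LOG.splitlines())
    for (ifc, src, name), count in sorted(summarize(events).items()):
        print(f"{ifc:8} {src:28} {name:28} x{count}")
    for peer in sorted(ndp_peers_denied(events)):
        print(f"NDP from on-link neighbor {peer} is being denied")
```
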

Similar Messages

  • Unable to allow traffic from remote office - Cisco RV220W

    Hi there,
    I have just bought the RV220W Cisco router firewall because my DLINK-1600 got broken and now I am unable to allow access to the machines located behind this router from the machines located at a remote office. Any help would be much appreciated!!
    This is the situation:
    1. Two remote offices A and B connected by a VPN tunnel (this connection is managed by an external provider and it is properly functioning)
    2. IP range A office: 192.168.236.0/24
    3. IP range B office: 192.168.237.0/24
    4. Office A: CISCO RV220W router/firewall (the one that I've just bought as the old dlink has broken). This RV220W is connected to a cisco router (managed by provider) that is the one with the VPN tunnel to the other office. The CISCO router does not do NAT. On the other end (Office B) there is another CISCO router managed by the provider.
    5. Everything was working smoothly until our old router/firewall got broken and that is when I bought the rv220w. I have set up the CISCO RV220W at office A and the machines can ping the machines located at office B and can browse the internet, i.e., the traffic going out is OK and in that sense everything works smoothly.
    6. The problem is that the machines located at office B cannot access the machines located behind the CISCO RV220W and I know it is a problem of the firewall as if I capture traffic coming from office B, I can see that it is dropped by the CISCO RV220W.
    7. I have tried to enable an access rule in the firewall to allow traffic from office B (see picture below) but it does not seem to work. In the field, Send to Local Server (DNAT IP) I have entered the WAN IP of my router (you cannot leave it blank) … this rule does not work at all. I think that is not properly configured but I don't know how to do it.
    8. As you see, the problem is that I don't know how to set up a rule to allow specific traffic coming from the WAN (traffic from remote office – 192.168.237.0/24) to the LAN at office A - 192.168.236.0/24.
    In the old router/firewall I just had to create a rule specifying the source interface (WAN) and network (Office B) and the destination interface (LANOfficeA) and network (Office A). It does not seem that here I can do the same. I mean, you always have to point to a server IP inside the LAN??
    I know it has to be a very easy thing to do but at this moment I am completely stuck. If anyone can give me some advice would be great.
    Thanks a lot for your help in advance!
    Eva

    Hi Eva, the default inbound policy cannot be changed. It will block all inbound traffic. To my knowledge there is not a way around this. Access rules are the only way to 'poke' a hole through the firewall but as you note, it is for a specific host. Values such as .0 and .255 do not work.
    -Tom
    Please mark answered for helpful posts

  • Unable to process inbound EDI docs from TP-multiple Host ID's,1 transaction

    Issue:
    Unable to process inbound EDI documents from trading partners
    (Same doctype and revision, but diff receiver ID’s for host)
    Host: ISA ID’s are HOSTA, HOSTB
    Transaction: X12, 210, 5010
    Trading Partner A: sends EDI document with these values
    Interchange Sender ID: TPA
    Application Sender's Code: TPA
    Interchange Receiver ID: HOSTA
    Application Receiver's Code: HOSTA
    B2B setups are as below
    Business action: Process_210
    Operational Capability for Trading Partner A : Process_210_Initiator It has
    Interchange Sender ID as TPA
    Interchange Receiver ID as TPA
    Application Sender's Code: TPA
    Application Receiver's Code: TPA
    This creates a Process_210_Responder for HOST
    It has
    Interchange Sender ID as HOSTA
    Interchange Receiver ID as HOSTA
    Application Sender's Code: HOSTA
    Application Receiver's Code: HOSTA
    Validated Agreement and deployed, Result is success and everything works fine until here
    Note: B2B validates taking everything from Process_210_Initiator except the Interchange Receiver ID that it gets from the Process_210_Responder
    New Trading Partner B also sends us an X12, 210, 5010 but he uses Receiver ID as HOSTB
    Trading Partner B: sends EDI document with these values
    Interchange Sender ID: TPB
    Application Sender's Code: TPB
    Interchange Receiver ID : HOSTB
    Application Receiver's Code: HOSTB
    B2B setups are as below
    Business action: Process_210
    Operational Capability for Trading Partner B : Process_210_Initiator It has
    Interchange Sender ID as TPB
    Interchange Receiver ID as TPB
    Application Sender's Code: TPB
    Application Receiver's Code: TPB
    This doesn’t create a new Process_210_Responder for HOST It has
    Interchange Sender ID as HOSTA
    Interchange Receiver ID as HOSTA
    Application Sender's Code : HOSTA
    Application Receiver's Code : HOSTA
    Validated Agreement and deployed, Result the document fails with error
    Validation of Interchange parameters failed. Please verify all the Interchange parameters in the B2B configuration match the Group parameters in the message. Make sure that the ecs file for this Interchange is valid
    Upon looking at the log file it fails, as the Interchange Receiver ID in data is HOSTB where as in Process_210_Responder it is setup as HOSTA
    Work Around that we tried, but could not succeed
    Create a new business action called Process_210_HOSTB, created a new Document Protocol Revision X12_5010_HOSTB,Created a doc type 210 version 5010 under that
    Used this new Business action for Trading Partner B so the new setups look like this
    Business action : Process_210_HOSTB
    Operational Capability for Trading Partner B : Process_210_HOSTB_Initiator It has
    Interchange Sender ID as TPB
    Interchange Receiver ID as TPB
    Application Sender's Code : TPB
    Application Receiver's Code : TPB
    This creates a new Process_210_HOSTB_Responder for HOST It has
    Interchange Sender ID as HOSTB
    Interchange Receiver ID as HOSTB
    Application Sender's Code : HOSTB
    Application Receiver's Code : HOSTB
    Validated Agreement, but could not deploy as I was getting AIP-11016 SQL error , may be integrity constraint issue
    Note: I was able to deploy this agreement if I change the Document Type from 210 to something else like 210_new, but since the document is EDI I can’t have the Document Type as anything except 210

    Ramesh,
    Sorry for the delay , but this was the first thing I tried and it didn't work, I tried again just to be sure, it didn't work I am getting this error
    When group Receiver ID didn't match
    "Validation of Group parameters failed. Please verify all the Group parameters in the B2B configuration match the Group parameters in the message. The following parameters do not match the configured parameters in B2B"
    In addition, when Interchange Receiver ID did not match
    "Validation of Interchange parameters failed. Please verify all the Interchange parameters in the B2B configuration match the Group parameters in the message. Make sure that the ecs file for this Interchange is valid"
    Here is the log file extract
    2008.07.28 at 14:31:25:073: Thread-10: B2B - (DEBUG) iAudit report :
    Error Brief :
    5082: XEngine error - Guideline look-up failed.

  • I have a cd of New Yorker magazine cartoons which I got in 2004. It requires adobe 6.0.1 but my computer will not allow me to install that version as it is outdated.  I have windows 7. -Bob

    I have a cd of New Yorker magazine cartoons which I got in 2004. It requires adobe 6.0.1 but my computer will not allow me to install that version as it is outdated. I have windows 7. How do I get this CD to open? -Bob

    If the CD absolutely requires that old version, then it is basically obsolete. However, it might work with the current version ... have you installed the current version of Adobe Reader, and if so what does it say when you try to use the CD?

  • We are unable to open a Pages 5.0.1 document in Pages 4.2 and retain ability to edit all aspects of the document. I have tried saving the 5.0.1 version as Pages '09 and am still unable to open it in the earlier version of pages. Help?

    We are unable to open a Pages 5.0.1 document in Pages 4.2 and retain ability to edit all aspects of the document. I have tried saving the 5.0.1 version in Pages '09 but am still unable to open it in the earlier version of pages. Help?

    No, it isn't. Pages 5 isn't compatible with Pages 4.3 as it is lacking more than 90 features that Pages 4 has. So when you open a Pages 4 document in Pages 5 only the simplest documents will look the same in Pages 5.
    Pages 4 can't open Pages 5 documents at all!! You have to export back to Pages 09 as I said above.
    You probably will be more happy if you just use Pages 4 (Pages 09). There are many threads in this forum that describes the lack of compatibility between the two versions. Pages 5 is in my view not Pages anymore.
    If you don't desperately need Pages 5 for moving documents over iCloud to new iOs devices don't use it.

  • HT5654 I have a new iPhone 5s. When I try to sync it with my iTunes account it is unable and advises to update iTunes to version 11.1. When I attempted this iTunes advised that the current version I have (10.6.3) is the most up to date!

    I have a new iPhone 5s. When I try to sync it with my iTunes account it is unable and advises to update iTunes to version 11.1. When I attempted this iTunes advised that the current version I have (10.6.3) is the most up to date!

    If you're on a Mac, you need to upgrade it to Mac OS X 10.6.3 and then 10.6.8, which requires that it has an Intel CPU and at least 1GB of RAM.

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1) How is ASA CX different from other UTM solutions?
    2) How is dynamic application inspection of CX better than other inspection engines?
    3) What features or functionalities on the CX are available by default?
    4) What are the different ways we can run or install CX on the ASA platform?
    5) What VPN features are supported with multi context ASA in the 9.x release?
    6) What are the IPv6 Enhancements in the ASA version 9.x?
    Request you to please provide your responses to them individually.
    Thanks.

  • "Unable to find inbound interface"

    Hi all,
    I have an error in sxmb_moni. Everytime I click on the red flag, I get the error, "Unable to find inbound interface". I already checked namespaces and SCV in IR. I also checked Interface Determination in ID. They are all correct. I have already tested my config in QAS, and everything went well. I'm having problems right now in PRD. Can somebody help me? thanks.
    When I run Test Tool Config, I get the following error:
    Interface Determination
    Thanks.
    Regards,
    IX

    Error when determining the inbound interface: Problem evaluating a condition: Exception
    CX_SWF_RLS_RULE occurred (program: CL_SWF_RLS_CONDITION==========CP, include:
    CL_SWF_RLS_CONDITION==========CM00Q, line: 160).
    Payload problem check these solved threads:
    Error
    Error in Receiver Determination
    regards,
    Abhishek

  • HT1199 I have a desktop mac operating on Mac OSx 10.4.11 and the system does not recognize my iphone and I am unable to upgrade to the newest itunes version. What do I need to do?

    I have a desktop mac operating on Mac OSx 10.4.11 and the system does not recognize my iphone and I am unable to upgrade to the newest itunes version. What do I need to do?

    Backup first
    It is always best to have a full bootable backup before you upgrade. If you fail to do this you will be unable to return to this OS if you decide you don't like the new OS. Also there is a slight chance that an install could lose everything on the Mac. The backup must be to an external hard disk. Preferably use Carbon Copy Cloner to make a bootable backup of the whole disk.
    Erase before the install
    Once you have a bootable backup on an external disk it is best to erase the internal disk with the new installer DVD before you install.
    During the install
    Preferably do not import any data or preferences from earlier OSs during the install process as this can reintroduce bugs.
    OS numbers and names
    OS X 10.4.x - Tiger
    OS X 10.5.x - Leopard
    OS X 10.6.x - Snow Leopard
    OS X 10.7.x - Lion
    OS X 10.8.x - Mountain Lion
    More about Macs
    The Apple History site has specifications for every Mac ever produced: http://www.apple-history.com/
    Upgrade to Leopard
    Those wishing to upgrade to Leopard should be aware that install disks can be expensive unless you contact Apple. Details: http://lowendmac.com/deals/best-os-x-leopard-prices.html Standard Leopard installers impose several hardware limitations including speed and RAM size but all these restrictions can be overcome. Google for details. Leopard works well at 500 MHz with 1 GB of RAM and many happy users have less than this.
    Upgrade beyond Leopard
    OSs beyond OS X 10.5.8 require an Intel processor. If in doubt check this: Click the apple at the top left of your screen and select 'About this Mac'. This will give you your OS number. Then click 'More Info' to see which processor you have. If it says PowerPC you cannot upgrade to Snow Leopard and above. If you have an Intel Mac it is well worth upgrading to Snow Leopard now and then considering other options after that. You can buy Snow Leopard here: http://store.apple.com/us/product/MC573Z/A
    Upgrade beyond Snow Leopard
    Information about upgrading Snow Leopard to Lion or Mountain Lion: http://store.apple.com/us/product/MD256Z/A
    Important
    Check that your Mac complies with any requirements. If you are not in the US you should use the Change Country link at the bottom of Apple pages.

  • iTunes is not letting me access the iTunes store without first downloading the new version of iTunes. The problem is that my older operating system won't work and is not allowing the newer iTunes versions to work. How can I just use the old iTunes?

    iTunes is not letting me access the iTunes store without first downloading the new version of iTunes. The problem is that my older operating system won't work and is not allowing the newer iTunes versions to work. How can I just use the old iTunes?

    Hi,
    Not sure if any of you above have managed to solve your problem or not, but after coming across this same problem myself today, as I am currently 'sofa bound', I decided to make it my mission to find a way around it.
    Initially I did think, having read what seemed like a million questions and people with the same problem, that the only way was to buy OS X 10.5 ... HOWEVER, no. In among all these threads I found a jewel - download iTunes 9.2.1, which gets rid of the "download iTunes 10" advert and allows you to then buy from iTunes again :-) I am now one very happy lady.
    I apologise to all those that don't have older versions of OS X that maybe won't support even this upgrade, but certainly for those like me with just 4yr old laptops, at least it no longer means buying a new one.
    Hope this helps some very frustrated people like myself - so much for Apple support!

  • ASDM is unable to read the configuration from ASA.

    Earlier today I was configuring the Cisco ASA (7.2(2)) using the ASDM, but after a reboot of the appliance I now get the following:
    ASDM is unable to read the configuration from ASA.
    This happens shortly after "Loading running configuration from the device" appears in the ASDM status window.
    I have tried restarting both the appliance and my workstation, but the issue persists. I have also tried clearing the ASDM cache, but that doesn't help either. The issue occurs whether I used the Cisco ASDM Launcher or the web interface.
    SSH access to the appliance works fine.
    Thanks for any assistance (why is it that Cisco's GUIs always have issues?!?).

    I have exactly the same issue: SSH works fine, but ASDM and the web interface reply with the error message "ASDM is unable to read the configuration from ASA".
    My ASA is a 5520 ver 7.1(2) with ASDM 5.1(2)
    Could it be something related to Java?
    Thanks for any hint.

  • Since I have upgraded my iPod touch 3G with the new 5.0.1 version, I can't upload music or pictures or apps or anything else. The synchronize button is gray and allows nothing. The iTunes version is 10.5.3 ... please help me!

    Since I have upgraded my iPod touch 3G with the new 5.0.1 version, I can't upload music or pictures or apps or anything else. The synchronize button is gray and allows nothing. The iTunes version is 10.5.3 ... please help me!

    First, try a system reset.  It cures many ills and it's quick, easy and harmless...
    Hold down the on/off switch and the Home button simultaneously until the screen blacks out or you see the Apple logo.  Ignore the "Slide to power off" text if it appears.  You will not lose any apps, data, music, movies, settings, etc.
    If the Reset doesn't work, try a Restore.  Note that it's nowhere near as quick as a Reset.  Connect via cable to the computer that you use for sync.  From iTunes, select the iPad/iPod and then select the Summary tab.  Follow directions for Restore and be sure to say "yes" to the backup.  You will be warned that all data (apps, music, movies, etc.) will be erased but, as the Restore finishes, you will be asked if you wish the contents of the backup to be copied to the iPad/iPod.  Again, say "yes."
    Finally, if the Restore doesn't work, let the battery drain completely.  Then recharge for at least an hour and Restore again.

  • Unable to continue activation after i upgrade version

    Unable to continue activation after I upgraded the version on my 3GS. Who knows how to solve it?

    That's almost always because the phone was hacked to illegally unlock it.

  • Parameters on ASA Version 8.2(2)12 for WAAS traffic

    I need information on which configuration parameters on ASA Version 8.2(2)12 are necessary to enable WAAS optimized traffic.
    Thank you.

    Hi Jorge,
    I'll answer in English if you don't mind.
    By default, the ASA clears the WAAS TCP option.
    To let it go through, you just need to apply inspect waas on the service-policy bound to the interfaces where WAAS traffic is coming.
    I wrote a document some time ago that explains this:
    https://supportforums.cisco.com/docs/DOC-15128#Solution_on_ASA_723_or_FWSM_321_and_after
    Regards,
    Nicolas

  • Will an adobe subscription plan allow me to use older versions of LR and PS?

    I'm sorry if I'm asking this incorrectly. I don't wanna go into details of my financial woes, but due to my Mac being outdated I cannot use editing software above Lightroom 3 and Photoshop Elements 11. If I purchase the monthly subscription, will I be able to use these? Or does this only allow access to the newest versions of each?

    A Cloud subscription does not include Elements at all, and does not go as far back as Lightroom 3.
    Cloud Plans https://creative.adobe.com/plans
    -what is in the entire Cloud http://www.adobe.com/creativecloud/catalog/desktop.html
