Unable to see logs while using split tunnel for RA
Hi everyone,
I have configured an RA VPN in my home lab using split tunnel.
I can connect fine and am able to browse the Internet.
When I go to Internet sites I do not see logs generated on the VPN ASA.
I need to understand what the reason behind this is.
ASA1# sh conn all
5 in use, 12 most used
UDP outside 10.0.0.51:138 inside 10.0.0.255:138, idle 0:01:38, bytes 201, flags -
TCP outside 192.168.98.2:49509 NP Identity Ifc 192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB
TCP outside 192.168.98.2:49507 NP Identity Ifc 192.168.1.171:443, idle 0:00:03, bytes 137779, flags UOB
UDP outside 192.168.98.2:49903 NP Identity Ifc 192.168.1.171:500, idle 0:00:01, bytes 40927, flags -
TCP outside 192.168.99.2:35902 NP Identity Ifc 192.168.1.171:22, idle 0:00:00, bytes 179887, flags UOB
Where 192.168.98.2 is the IP of the PC.
10.0.0.51 is the IP assigned from the VPN pool to the PC.
Regards
Mahesh
Hi Mahesh,
You are using Split Tunnel VPN. This means that you have configured the VPN Client connection to only tunnel specific networks through the VPN Connection while it's active. You have probably configured an ACL that contains your LAN network behind the ASA.
This means that only traffic destined to that LAN network mentioned in the ACL reaches your ASA through the VPN Connection.
The Internet traffic of the user, or any traffic that is NOT destined to that network in the ACL, will simply use the VPN Client user's PC's local Internet connection or local network.
This is the reason you are not seeing any of the Internet connections from the VPN Client on the ASA. The VPN Client connection is only configured to forward traffic to the LAN network and pass all other traffic past the VPN Connection through the user's local network connection.
If you were to configure Full Tunnel VPN for the user this would mean that ALL traffic would be forwarded from the VPN Client through the ASA and the ASA would control where that traffic would be forwarded and if that traffic would be allowed.
If you want to look at the current configuration on the CLI you would first have to issue
show run tunnel-group
And find the connection that you are using at the moment. Then you would have to check what "group-policy" is configured under that "tunnel-group".
Then you could issue the command
show run group-policy
This would list the Group Policy configuration for the VPN connection and would show something like this under it:
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
The above configuration would show you the ACL that the VPN Client configuration is using to tell the VPN Client what traffic to send through the VPN Connection.
Hope this helps
- Jouni
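The procedure above (find the tunnel-group, its group-policy, the split-tunnel-policy and the split-tunnel-network-list ACL) can be turned into a small model of the decision the VPN client makes for every packet. The following Python is an added example, not code from the thread or from Cisco: it parses a config fragment in 'show run' style and reports, per destination, whether the traffic is tunneled (and so can show up in the ASA's connection table and syslog) or bypassed (never reaches the ASA). The ACL body and the destinations 8.8.8.8 and 172.16.5.10 are constructed; only the ACL name, the group-policy name and 10.0.0.1 come from the thread. It goes beyond the tunnelspecified case discussed above by also handling tunnelall and excludespecified.

```python
"""Split-tunnel decision model for a Cisco ASA remote-access VPN.

Added example, not code from the thread or from Cisco. It parses the two
pieces of configuration the answer above tells you to look at (the
group-policy's split-tunnel-policy and its split-tunnel-network-list ACL)
and reports, per destination, whether the VPN client sends the traffic into
the tunnel (so the ASA sees and logs it) or out its local interface (so the
ASA never sees it). The ACL body is constructed; only its name is taken from
the thread. IPv4 only; ipv6-split-tunnel-policy is not modelled.
"""
import ipaddress

# Constructed sample config in ASA 'show run' style (not from the original post).
CONFIG = """\
access-list ipsec-group_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
group-policy ipsec-group internal
group-policy ipsec-group attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ipsec-group_splitTunnelAcl
"""


def parse_standard_acls(config):
    """Return {acl_name: [(action, network), ...]} from ASA standard ACL lines.

    Handles the 'any', 'host A.B.C.D' and 'A.B.C.D MASK' forms.
    """
    acls = {}
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "standard":
            continue
        name, action, addr = tok[1], tok[3], tok[4:]
        if addr[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif addr[0] == "host" and len(addr) > 1:
            net = ipaddress.ip_network(addr[1] + "/32")
        elif len(addr) == 1:
            net = ipaddress.ip_network(addr[0] + "/32")
        else:
            # ipaddress accepts dotted netmasks ("10.0.0.0/255.255.255.0")
            net = ipaddress.ip_network(f"{addr[0]}/{addr[1]}", strict=False)
        acls.setdefault(name, []).append((action, net))
    return acls


def parse_group_policy(config, name):
    """Return (split_tunnel_policy, acl_name) for 'group-policy <name> attributes'.

    When no split-tunnel-policy line is present the ASA default, tunnelall,
    applies and every packet goes through the tunnel.
    """
    policy, acl = "tunnelall", None
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"group-policy {name} attributes":
            in_block = True
            continue
        if in_block and line.startswith("group-policy "):
            break  # the next group-policy block starts here
        if in_block:
            tok = line.split()
            if tok[:1] == ["split-tunnel-policy"] and len(tok) > 1:
                policy = tok[1]
            elif tok[:2] == ["split-tunnel-network-list", "value"] and len(tok) > 2:
                acl = tok[2]
    return policy, acl


def is_tunneled(dst, policy, acl_entries):
    """True if the client sends traffic for dst into the VPN, False if it
    uses its local interface. Models tunnelall, tunnelspecified and
    excludespecified; only permit entries are considered, which is a
    simplification of how the ASA treats deny entries in a split ACL."""
    addr = ipaddress.ip_address(dst)
    if policy == "tunnelall":
        return True
    permitted = any(action == "permit" and addr in net for action, net in acl_entries)
    if policy == "tunnelspecified":
        return permitted          # the ACL lists what goes through the tunnel
    if policy == "excludespecified":
        return not permitted      # the ACL lists what stays local
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def classify(config, group_policy, destinations):
    """Map each destination to 'tunneled' (can appear in the ASA conn table
    and syslog) or 'bypassed' (never reaches the ASA, so nothing to log)."""
    policy, acl_name = parse_group_policy(config, group_policy)
    entries = parse_standard_acls(config).get(acl_name, []) if acl_name else []
    return {d: ("tunneled" if is_tunneled(d, policy, entries) else "bypassed")
            for d in destinations}


if __name__ == "__main__":
    # 10.0.0.1 is the ASA inside address from the thread; 8.8.8.8 and
    # 172.16.5.10 are constructed stand-ins for an Internet host and a
    # second internal subnet that is not in the ACL.
    for dst, verdict in classify(CONFIG, "ipsec-group",
                                 ["10.0.0.1", "8.8.8.8", "172.16.5.10"]).items():
        print(f"{dst:<14} {verdict}")
```

Every destination that comes back as bypassed is one the ASA will never log, because the client sends it out its local interface; only tunneled destinations can appear in show conn or the syslog. When Internet traffic is expected to show up on the ASA, the change belongs in the group-policy (tunnelall) or in the split ACL, not in the logging configuration.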
Similar Messages
-
Unable to access inside network using Split tunnel RA VPN
Hi Everyone,
I configured RA Split tunnel VPN.
Connection works fine.
Inside Interface of ASA has connection to Switch IP 10.1.12.1.
When connected via RA VPN I try https://10.1.12.1 but it does not open up.
Inside Interface of ASA has IP 10.0.0.1
ASA1# $
Session Type: IKEv1 IPsec Detailed
Username : ipsec-user Index : 23
Assigned IP : 10.0.0.51 Public IP : 192.168.98.2
Protocol : IKEv1 IPsec
License : Other VPN
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 2130969 Bytes Rx : 259008
Pkts Tx : 6562 Pkts Rx : 3682
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ipsec-group Tunnel Group : ipsec-group
Login Time : 11:10:41 MST Sun Jan 26 2014
Duration : 0h:40m:30s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv1 Tunnels: 1
IPsec Tunnels: 1
IKEv1:
Tunnel ID : 23.1
UDP Src Port : 62751 UDP Dst Port : 500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 83975 Seconds
D/H Group : 2
Filter Name :
Client OS : WinNT Client OS Ver: 5.0.07.0440
IPsec:
Tunnel ID : 23.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.0.0.51/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 26375 Seconds
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 2137160 Bytes Rx : 259088
Pkts Tx : 6571 Pkts Rx : 3684
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 2426 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
From the ASA I can ping the switch IP:
ASA1# ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1#
Logs from the firewall:
Jan 26 2014 11:53:20: %ASA-6-302014: Teardown TCP connection 51636 for outside:10.0.0.51/50747(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:00:00 bytes 1075 TCP Reset-O (ipsec-user)
Jan 26 2014 11:53:20: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/50747 to 10.0.0.1/443 flags FIN ACK on interface outside
Why do the firewall logs show an HTTPS connection to 10.0.0.1 instead of 10.1.12.1?
Regards
Mahesh
Hi Jouni,
ASA1# sh ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.171 255.255.255.0 CONFIG
Vlan3 sales 10.12.12.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
Vlan2 outside 192.168.1.171 255.255.255.0 CONFIG
Vlan3 sales 10.12.12.1 255.255.255.0 CONFIG
The connection is split tunnel.
When I check the stats on the VPN client, all I see is bypassed packets.
ASA1# sh run group-polic$
group-policy ipsec-group internal
group-policy ipsec-group attributes
dns-server value 64.59.144.19
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value ipsec-group_splitTunnelAcl
Regards
Mahesh
-
Unable to activate namespace while using external defintions for mapping.
Hi,
In my scenario, I am using XSDs imported as External Definitions as my request and response message types. In the message interface, the request and response namespaces of the imported XSDs are different from the one in which the rest of the objects are created. Now, when I activate the objects, I am getting the following error: Namespace urn:wb.apdrp.testwsdl.com is not defined in the software component version WBSEDCL_TEST_00 , 1.0 of wbsedcl. Please help...
Regards
Sathish
Hi,
It is possible to activate the objects in the namespace and not the namespace. I got the following error when I tried to activate my message interface.
Internal problem occurred (INTERNAL_PROBLEM) -
MESSAGE ID: com.sap.aii.utilxi.swing.framework.rb_exceptions.INTERNAL_PROBLEM
STACKTRACE:
com.sap.aii.utilxi.swing.framework.FrameworkException: Internal problem occurred
java.lang.NullPointerException -
com.sap.aii.utilxi.swing.framework.FrameworkException: Internal problem occurred
java.lang.NullPointerException
at com.sap.aii.ibrep.gui.interfaces.ExternalDefinitionController.genericFrameworkEvent(ExternalDefinitionController.java:92) -
I am unable to print anything while using firefox as my browser !
I am unable to print anything while using Firefox as my browser!
Hi Philip,
This could be an issue with some corrupt print preferences. In your toolbar go to about:config and reset all of your print.preferences. This could hopefully help!
- Sarah -
Error: 1013231 Unable to update database while in readonly mode for backup
Hi all,
When I'm deleting the members for a dimension, it's giving an error (Hyperion 11.1 ASO):
Error: 1013231 Unable to update database while in readonly mode for backup. How can I solve this problem? Please, can anyone help on this?
Thanks
Has somebody set the database ready for archiving? Maybe some MaxL has been run and the DB has not been returned from read-only mode.
Try running the following MaxL (change app.db to match your app/db):
alter database app.db end archive;
Cheers
John
http://john-goodwin.blogspot.com/ -
Xcelsius error: Unable to load URL while using QAAWS on XI 3.0.
Hi Experts,
I am getting "unable to load url" in Xcelsius 2008 while importing a QAAWS URL.
After all the testing, below are my observations:
1) This has something to do with QAAWS.
2) When I logged into QAAWS and tried accessing the newly created URL from the browser, it gave this error: "can not communicate to the server mcc69u01:6400". But interestingly the CMS port is located at 6464 and not 6400.
3) For every other application like InfoView and CMC it picks the correct port, i.e. 6464.
4) The server is present on a UNIX box.
5) I read somewhere that I need to make changes in the dsws.properties file under the war files folder. There I entered "domain= mcc69u01:6464" and restarted TOMCAT.
6) After making this change I was unable to even log into QAAWS, as it gave the error 02718 "you are not authorized to create query".
7) After reverting the changes I am now able to log into QAAWS and create new queries, but the same problem persists.
8) TOMCAT is listening on port 8088 for our environment.
9) Tried the same thing from a different client machine with a fairly new BO XI 3.0 client installation (same server), but no success.
I believe somehow QAAWS is not able to connect to the correct port 6464 and that is the reason for this issue.
Could anyone suggest what I should do?
Thanks in anticipation,
Anshul
Hi Anshul,
The QAAWSservletprincipal is not related to how you log into the server when creating queries.
It is used when the queries are actually running, or when you are trying to load the query to a tool like Xcelsius. I had the same unable to load error and it was caused by the QAAWSservletprincipal being set to concurrent licence when my server was all named users.
I think the issue you are seeing is more likely a bug caused by hardcoded cms port, but I think it is worth ruling out.
Regards
Alan -
Is it possible to force some urls through the vpn using split tunneling?
Hi all,
Just that. We have some URLs accessible only from our office LAN, and it would be nice to allow the clients to split tunnel everything except these specific URLs.
Possible? Thanks in advance!
Simon,
I was thinking that you were trying to reach a web server hosted on the LAN. I see now that you are trying to reach external sites that are only accessible from the LAN. I am not aware of any way to allow a partially split tunnel, if I find anything I will update.
- Marty -
Unable to support application while using data services
I have a Curve 9220,
an all-time good product,
but I am unable to use any application while using data services,
but I can browse from explore.
Yes, if you want to use them on the mobile network you must have a BB data plan.
-
Unable to remove *.log files using utl_file.fremove
Hi,
I want to remove .log files using the below command.
I want to remove all the *.log files, but it's removing only one .log file:
utl_file.fremove(location => dir_name, filename => log_file_name);
Any help will be needful for me.
In the documentation for your unknown version of Oracle you can view the definition of utl_file.fremove.
Everywhere it states utl_file.fremove removes a file, not 1 or more, and the documentation doesn't discuss the use of wildcards.
It seems like the question could have been prevented by reading docs (which almost no one here does), and you need to use Java to address your requirement.
Personally I wouldn't misuse Oracle to perform O/S tasks.
Sybrand Bakker
Senior Oracle DBA -
Unable to see the application in BPM Workspace for Sales Quote tutorial
I have created the Sales Quote tutorial steps and deployed the process. The Enter Quote Details user task is in the "SalesRep" role and I have assigned a user from WebLogic user store to "SalesRep" role in the BPM Organization artifact.
In order to kick off the process, I logged in to BPM Workspace with the user I have assigned to the "SalesRep" role, but I don't find the Sales Quote application under the "Applications" tab.
I am using 11g PS4(11.1.1.5) and didn't seed the demo users, instead just created the user using WLS console.
Any thoughts why the user is unable to see the application in BPM Workspace?
Thanks,
Satya
Check two things:
1. Login to Workspace as weblogic and click the Administration link at the top to verify the role is actually set to a user (just to double check this).
2. Login to EM, click the SalesQuote composite, scroll down and click the EnterQuote human task component, and click the Administration tab.
This shows you if there is a task form URI associated with this human task. If not, the initiate link won't show up in the Applications menu in Workspace.
If not, you can either deploy again from JDeveloper, making sure you have selected the task forms in the deploy wizard and making sure the deployment is successful in the Deployments log window.
Heidi. -
Reg : I am getting an error while Using MicroSoft ODBC For Oracle Driver
I am using the Microsoft ODBC for Oracle driver for JDBC. The reason I am using this driver is that I could not get the Arabic content if I use the other driver. Right now I cannot change the NLS_LANG because it's a production server; it also has around 300 GB of data and I cannot take the risk now of changing the NLS_LANG. Coming to the below error: I can access my data for up to 4 hours, after that I get this error. If I restart my Tomcat I can use my application for one more 4 hours. Please get back to me if you have any solution. It would be very, very helpful to me.
[java.sql.SQLException] [ Microsoft ODBC for Oracle ]
at sun.jdbc.odbc.JdbcOdbc.createSQLException(JdbcOdbc.java:6957)
at sun.jdbc.odbc.JdbcOdbc.standardError(JdbcOdbc.java:7114)
at sun.jdbc.odbc.JdbcOdbc.SQLDriverConnect(JdbcOdbc.java:3073)
at sun.jdbc.odbc.JdbcOdbcConnection.initialize(JdbcOdbcConnection.java:323)
at sun.jdbc.odbc.JdbcOdbcDriver.connect(JdbcOdbcDriver.java:174)
at java.sql.DriverManager.getConnection(DriverManager.java:582)
at java.sql.DriverManager.getConnection(DriverManager.java:185)
at com.iton.eoffice.DatabaseBean.connecteOfficeMoEnq(DatabaseBean.java:460)
at org.apache.jsp.MhewProfilesearchMoEnq_jsp._jspService(MhewProfilesearchMoEnq_jsp.java:434)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.iton.eoffice.tree.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:228)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:209)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:212)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:634)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:445)
at java.lang.Thread.run(Thread.java:619)
------------1234-----------
java.lang.NullPointerException
at com.iton.eoffice.DatabaseBean.getSQLRows(DatabaseBean.java:764)
at org.apache.jsp.MhewProfilesearchMoEnq_jsp._jspService(MhewProfilesearchMoEnq_jsp.java:435)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:384)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.iton.eoffice.tree.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
Originally posted by sreenivas navuluri:
Oracle(tm)Client and networking components not found. These components are supplied by Oracle Corporation and part of Oracle Version 7.2 or greater Client software installation. You will be unable to use this driver until these components have been installed. This error occurs while selecting the Microsoft ODBC for Oracle driver from the ODBC in control panel. Pls suggest
-
Error while using Noetix Generator for OBIEE 11.1.1.6.8
Hi Gurus,
We are trying to implement Noetix views for OBIEE 11.1.1.6.8 using Noetix Generator for Oracle Business Intelligence, but we are facing the below error.
Please help, thanks in advance.
"Validation encountered following warnings..
Could not verify server version. Double check that your server version matches the target specified.
Cause: access denied for user to path /system/version."
Hi,
I'm the Director of Engineering at Noetix that is responsible for Noetix Generator for OBIEE.
Noetix Generator utilizes OBI's web services in order to validate that your OBI admin client and server have matching versions. The validation error you're seeing appears to be caused by a permission issue while accessing the "/system/version" folder of your web catalog through that web service.
One thing you could check is the OBI account you're using in Noetix Generator to access the BI Server. That account should have administrative privileges in OBI.
I also noticed that you're attempting to use OBI 11.1.1.6.8, which we don't currently support. Your existing version of Noetix Generator may work with it, but we won't claim official support until we certify our generator against it. That will come in a future release.
Please contact Noetix Support at http://support.noetix.com if you need additional information. Our support staff can assist you in resolving this issue.
Thanks,
Jay Shipley -
R/3 Secure Store and Forward, while using SAP portal for SSO
Hello,
We are using SAP Portal UME for authentication, then SAP SSO tickets to log into the SAP R/3 system. Initially we decided that the end users would have a "disabled password" so that they must use the portal authentication mechanism to get into R/3 and therefore could not log in straight to R/3 system via SAP GUI.
All was working fine until during integration testing when someone tried to use the electronic signature function on a QM t-code (QA11) that prompted for an e-sig. Since local passwords have been disabled, the user could not execute the e-sig.
We do not want to activate local R/3 passwords for the users. Can anyone give some advice or a best practice regarding how to set up electronic sigs in R/3 while using an external authentication source? FYI, we are also trying to avoid using the LDAP connector from R/3 to our LDAP.
Please comment for any clarity needed or comments,
Thanks in advance,
Ryan
Good point - but I'm afraid I don't know an instant answer.
Well, theoretically one could make use of the fact that an NWAS ABAP can act as an HTTP client (submitting HTTP requests to the NWAS Java to validate logon data); but that's just a rough idea.
Regards, Wolfgang -
Problem while using BCP utility for writing data in file
hi all,
I have a batch file in which I am using the bcp command for reading data from MS SQL and writing it to a delimited file. Now there are some exceptions in MS SQL: whenever it encounters a new-line character while writing into the file, it switches to the next line and starts writing the rest of the data there.
Could you help me get rid of this problem? I want to replace the new-line character with a space.
Thanks and regards
Nitin
Hi Dilip,
Before going for any other table,
As Kalnr is only one of the primary keys of table KEKO, You can try creating secondary index on KEKO, which might help in improving your report performance.
Also, you can add more conditions in where clause if possible, which will also help in improving performance.
Thanks,
Archana -
Monetization rejected while using imovie trailer for film on youtube
I love to use the trailer for making quick and nice movies. As I uploaded them to YouTube and tried to monetize them via YouTube, they got rejected due to the music.
How do I clarify that this is music from iMovie and I bought it with the software?
This question comes up from time to time. YouTube and Facebook are both wrong.
There are a number of con-men who think that they can earn a quick buck from claiming that they own the copyright to Apple’s royalty-free jingles and sound effects included with the iLife applications. These are all free to use, as clearly stated in section 2.C of the iLife Software License Agreement:
“You may use the Apple and third party audio content (“Audio Content”) contained in or otherwise included with the Apple software, on a royalty-free basis, to create your own original soundtracks for your video and audio projects. You may broadcast and/or distribute your own soundtracks that were created using the Audio Content, however, individual samples, sound sets, or audio content may not be commercially or otherwise distributed on a standalone basis, nor may they be repackaged in whole or in part as audio samples, sound files, sound effects or music beds.”
http://images.apple.com/legal/sla/docs/ilife09.pdf
You should quote this (also providing the above link) when following the dispute process with YouTube.