Unreserve funds failed. Contact Purchasing Administrator if necessary

Dear All:
When want to change the detail for one requsition in iProcurement, show the error"*unreserve funds failed. Contact Purchasing Administrator if necessary*". How can I solve the issue?
My environment is : Oracle R12.1.3 | Aix 6.1
Regards
Terry

Hi,
Could you please check what is the value set for the profile --> POR: Enable Check Funds..? set it as "*No checkfunds"* and try again to change the requisition.
You can check below URL for details :
http://forums.oracle.com/forums/thread.jspa?threadID=2179974&tstart=60
/S.P DASH

Similar Messages

I am trying to download the InDesign CS5.5 update and keep getting "Update Failed" "Please contact your Administrator if you wish to apply updates on your machine". I have done this and now have Administrator rights, but I am still getting the message. Ho

I am trying to download the InDesign CS5.5 update and keep getting "Update Failed" "Please contact your Administrator if you wish to apply updates on your machine". I have done this and now have Administrator rights, but I am still getting the message. How do I apply the update?

Direct Updates
https://www.adobe.com/downloads/updates/

Fail to retrieve the logon ticket,please contact the administrator

I Still get an error "Fail to retrieve the logon ticket,please contact the administrator"
here is my status
1. Set the values "2" for login/create_sso2_ticket and "1" for login/accept_sso2_ticket in DEFAULT profile at RZ10.
2. Current configurationn status is GREEN from /irj/servlet/prt/portal/prtroot/com.sap.ip.bi.supportdesk.default
3. Xcelsius 2008 SP3 Fp 6
4. SAP GUI 7.2
5. BW 7.02 sp8
6. Kernel Version: 7.02 PatchLevel 108637
I configured sap notes 1508663, 1400236, 1413075, 1413903, 1430575, 1083421, 937697, and so on..
but, still got that error..
where can i check to fix it?

Hello,
I'd suggest opening a message with support, it sounds like you have covered the basics.
Note 1430575 also suggests after RZ10:
Tick Entended Maintenance and click Change
Add the following Parameters and their corresponding value:
Parameter Name: Parameter value
login/accept_sso2_ticket 1
login/create_sso2_ticket 2
Restart the BW server
Thanks,
Ryan

Failed to process inbox; contact your administrator

Hi All,
I have created Service Order Application which is explained in help.sap.com. As per the scenario i have created
2 tables ZTR_ORDER_HDR and ZTR_ORDER_ITM ,
2 Nodes ORDERHEADER and ORDERITEM under ORDER Standard Data Object,
3 BAPI Wrappers ZTR_ORDER GETLIST*, *ZTRORDER_GETDETAIL and ZTR_ORDER_MODIFY,
finally i created Mobile Service Compopnent and Mobile UI Component for Handhelds using NWDS.
Application Deployed Successfully, after launching the simulator it is showing empty table (with out data).
I tried to sync but Device not registered error coming.
I created the same application using Mobile UI Component for Laptop, after launching the MobileWebdynpro Client it is showing Deployable Components. When i click on Process Now button Failed to process inbox, contact your administrator error. But Synchronization is successful here.
one more thing i am not defining any Distribution Model Category and Rules. when i checked in sdoe_wd tcode data is showing in CDS tables.
Pls advise me anyone what i missed in the above scenario. What i will have to do next.
Thanks&Regards
Murthy

it was resolved by me.
thanks
murthy

Funds check on Purchase Order creation

Hello all,
When attempting to do funds check for Purchase Order the following error occurs.
ERROR
Procedure PSA_BC_XLA_PUB.Budgetary_Control returns an error without any details to the calling procedure PO_ENCUMBRANCE_POSTPROCESSING.execute_gl_call.Please contact your support representative.
For this issue i did below steps:
1. Navigate to System Administrator Responsibility > System > Profiles
2. Set the profile option "PSA: R12 Upgrade Date" with the date format as mentioned below:
MM/DD/YYYY HH24:MI:SS
I changed like this 04/01/2011 02:32:37
close and reopen the applicaiton. still its giving the same error.
Please guide me to resolve this issue.
Thanks and Regards,
Muthu

Hi Muthu;
There are 28 docs avaliable which is mention your error message.From search:
R12: Funds Check Error 'PSA_BC_XLA_PUB.Budgetary_Control Returns an Error' for Purchase Orders and Requisitions When Federal Financial is Installed [ID 1292042.1]
Procedure PSA_BC_XLA_PUB.Budgetary_Control Returns an Error Due To "XLA_AP_TECHNICAL_ERROR" [ID 950385.1]
R12: Purchasing Documents Fail Funds Check Or Going To Pre-approved Status Due To Budgetary Control Exceptions - Troubleshooting [ID 603057.1]
For more please make search on metalink
Regard
Helios

Error occurred in deployment step 'Install app for SharePoint': We're sorry, we weren't able to complete the operation, please try again in a few minutes. If you see this message repeatedly, contact your administrator.

While deploying sharepoint hosted app i am getting error "Error occurred in deployment step 'Install app for SharePoint': We're sorry, we weren't able to complete the operation, please try again in a few minutes. If you see this message repeatedly, contact
your administrator.". From the developer site i remove the app manually and after deploying i am getting the same error again.
Harminder singh

I was trying to install SharePoint 2013 on premise development environment and encountered the following issues while deploying the app using Visual studio 2013.
Please refer these articles for configuration settings.
http://blogs.msdn.com/b/how24/archive/2013/06/14/prepare-your-sharepoint-2013-farm-for-app-development-and-debugging.aspx
http://www.codeproject.com/Articles/515677/MyplusFirstplusSharepoint-HostedplusAppplusinplus2
http://blogs.technet.com/b/mspfe/archive/2013/01/31/configuring-sharepoint-on-premise-deployments-for-apps.aspx
http://aanuwizard.com/2012/12/07/article-14-from-30-system-account-can-not-deploy-or-purchase-an-app-in-sharepoint-2013-rtm/
Error 1:
Error occurred in deployment step 'Install app for SharePoint': The System Account cannot perform this action.
Error 2:
The local SharePoint server is not available. Check that the server is running and connected to the SharePoint farm.
Error 3:
Error occurred in deployment step 'Install app for SharePoint': We're sorry, we weren't able to complete the operation, please try again in a few minutes. If you see this message repeatedly, contact your administrator.
Solution:
For error 1, follow these instructions:
a. Create a new domain account DOMAIN\myApp_Admin
b. add DOMAIN\myApp_Admin to local admin group
c. add DOMAIN\myApp_Admin to Farm Administrators group
   Central Admin site --> Site Settings --> People and groups
   Add DOMAIN\myApp_Admin
For error 2 & 3, follow these instructions:
1. Grant DOMAIN\myApp_Admin accont a sysadmin server role on SQL server
2. Open SharePoint Power Shell and execute Add-SPShellAdmin <DOMAIN\myApp_Admin> command.
3. Grant DOMAIN\myApp_Admin a db_owner rights to web application Content database that you would like to use for debugging SharePoint 2013 app.
4. Make sure following roles are assigned for SharePoint_Config database
   SharePoint_Shell_Access
   SPDDataAccess
   public
5. Make sure following roles are assigned for SharePoint_Content database
   db_owner
5. Make sure following roles are assigned for SharePoint_AdminContent database
   public

The Managed Metadata Service or Connection is currently not available. The Application Pool or Managed Metadata Web Service may not have been started. Please Contact your Administrator.

Hi,
I'm not able to access the term store. I get an below mentioned error.
"The Managed Metadata Service or Connection is currently not available. The Application Pool or Managed Metadata Web Service may not have been started. Please Contact your Administrator. "
Since this is happening on my local machine (Dev environment). I have full control on the term store and the all the site collections.
Hence, this is not a permission issue.
I have checked, the Metadata service is active on the machine. All the application pools in IIS is running.
After reading one of the recommendation on internet, I created a new Managed Metadata Service.
After which I was able access both (old and new) MMS from Central Admin only (highlight the MMS from manage service applications and click Manage ) and not from the site collection (term store management).
Now again its not working after I did an IISRESET.
The managed metadata service (Managed Metadata Service Connection) is grayed out.
ULS Error says:
Failed to create ManageLink for service proxy 'Managed Metadata Service'. Exception: System.TimeoutException: The request channel timed out attempting to send after 00:00:09.9999999. Increase the timeout value passed to the call to Request or increase the SendTimeout
value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'http://mitkar4:32843/7a91ec90b46843e995c144be48d804f0/MetadataWebService.svc' has exceeded the allotted
timeout of 00:00:09.9990000. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out
Please let me know if you need more information.

Hi Victoria,
Thanks for your reply
I tried making all the changes you had recommended and which are mentioned in the link you have provided.
I tried making all possible combination of changes to the web.config and client.config files but it does not make any difference to the environment.
One thing is that, my error in ULS logs has changed.
Error 1:
Exception returned from back end service. System.TimeoutException: The request channel timed out attempting to send after 00:00:09.9999999. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted
to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'http://mitkar4:32843/b1640facdf8b49b0886fea1bd37b8eb3/MetadataWebService.svc' has exceeded the allotted timeout of 00:00:09.9990000. The time
allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream() --- End of inner exception stack trace ---
at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) --- End of inner exception stack trace --- Server stack trace:
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.SharePoint.Taxonomy.IMetadataWebServiceApplication.GetServiceSettings(Guid rawPartitionId)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<ReadApplicationSettings>b__2e(IMetadataWebServiceApplication serviceApplication)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2c.<RunOnChannel>b__2b()
Error 2:
Error encountered in background cache check System.TimeoutException: The request channel timed out attempting to send after 00:00:09.9999999. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time
allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'http://mitkar4:32843/b1640facdf8b49b0886fea1bd37b8eb3/MetadataWebService.svc' has exceeded the allotted timeout of 00:00:09.9990000.
The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream() --- End of inner exception stack trace ---
at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
at System.ServiceModel.Channels.HttpOutput.Send(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.SendRequest(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) --- End of inner exception stack trace --- Server stack trace:
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.SharePoint.Taxonomy.IMetadataWebServiceApplication.GetServiceSettings(Guid rawPartitionId)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2f.<ReadApplicationSettings>b__2e(IMetadataWebServiceApplication serviceApplication)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2c.<RunOnChannel>b__2b()
at Microsoft.Office.Server.Security.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.<>c__DisplayClass2c.<RunOnChannel>b__2a()
at Microsoft.Office.Server.Utilities.MonitoredScopeWrapper.RunWithMonitoredScope(Action code)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.RunOnChannel(CodeToRun codeToRun, Double operationTimeoutFactor)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.ReadApplicationSettings(Guid rawPartitionId)
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.get_ServiceApplicationSettings()
at Microsoft.SharePoint.Taxonomy.MetadataWebServiceApplicationProxy.TimeToCheckForUpdates()
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.CheckForChanges()
at Microsoft.SharePoint.Taxonomy.Internal.TaxonomyCache.<LoopForChanges>b__0().

There is no iView available for system "SAP_SRM": object "qte". For more information, contact your administrator.

Dear All
I am getting an error in my SRM system.
Er "There is no iView available for system "SAP_SRM": object "qte". For more information, contact your administrator."
I followed the below thread.
There is no iView available for system "SAP_SRM... | SCN
I have assigned the Iview to this role.
The same changes i have done in Development system
where it is working fine.
But in my QA system i am getting this error.
My Portal version is 7.3.
Please help with your valuable suggestion
Regards,
Prashant krishen.

Dear All
thanks for your reply.
I am able to resolve the issue.
In my case there was some parameter missing in transported object.
I followed some steps.
1) I compare the Iview property of transported object with Specialist object.
2) I found that OBN parameter was missing.
3) I include it as per above document.
4)But after that in the rfx response, iview was opening in some tab but when i was trying to open with Overview item i was getting error.
5) Than i search in portal content with *qte*
6) I found more iview in Quotation folder i added those iview in strategic purchaser in navigation folder.
This is how i am able to resolve.
Thanks everybody for you prompt answer and support

What's the point of including "You might contact your administrator if you think this is a mistake" when a post is pulled?

I understand that the mods here can't possibly reply to everyone who has a post pulled for ToU. One can vaguely try to contact an administrator indirectly, perhaps, by posting here. (When this takes the form of a "why was my post pulled" post, this usually starts a discussion of some kind, which may or may not have any value, but which almost always fails to elicit any direct participation of the Hosts, and gives the impression, at least, it's being completely ignored by them.)
Since there is no way of directly contacting an administrator, either for ToU or for any other reason, which this appears to suggest is possible, why not just get rid of it?

>...although the OP's question still remains....
I'm now referred to as the OP?
If you got the email with content for the "final straw" post, which was mine, then you will know what I wrote. I already had one post pulled in that thread for a ToU and I did receive the obligatory email for that. I did not receive an email for the "final straw" post. Just the entire thread got pulled almost immediately at that point.
Everything I am writing here now is deliberately being veiled and obscured to the limit possible without losing all meaning and just turning this into noise. No one who didn't receive that email content for my post will have any very clear idea what this is all about.
My "final straw" comments related to several things: some copyright issues concerning the site under discussion; the ToU of that site as, in fact, necessarily prohibiting even the linking of content from that site, and an attempt to differentiate, in general, between what is illegal and what is a violation of the ToU, and not illegal, as such, for any service on any site. I'm not opening all of that up again here, since whatever it was I wrote will probably just get this post pulled.
All I can say is I attempted assiduously to stay clear of the Apple ToU violation for which I was cited by the Apple email in my earlier post which was pulled -- or any ToU violation, for that matter. I was not discussing Apple's policies, nor was I giving "forbidden" instructions. That the entire thread got pulled has to make me think that straying into those waters -- perhaps, my discussion of copyright issues in regard to the behavior of the other site under consideration, especially, made someone very nervous. Or maybe it was something other than that. But I will never know.
In any case, "You might contact your administrator if you think...." is genuinely silly, and unless it's somehow ineradicable from the Jive template -- I see now Meg has given that as a possible reason -- I can't see why it shouldn't be removed.
Message was edited by: WZZZ

BI publisher - Unauthorized Access: please contact the administrator

I am getting an error message in BI publisher - Unauthorized Access: please contact the administrator
when trying to enter the shared folders
after installing the Oracle BI EE 10.1.3.4.1
try to connect to the biee - works
try to create a report - works
try to connect to the BIP - works
try to create a report - works
able to see the bi catalog from the bip - works
change the biee to work with LDAP
try to connect to the biee - works
try to create a report - works
try to connect to the BIP - works
try to enter into the shared folder in the BIP - error "publisher
Unauthorized Access: please contact the administrator"
can't create a report - there is no link "create report"/"create folder"
able to see the bi catalog from the bip - bi catalog is empty

Hi
I am working with tleiba.
We have tried to work as described above
BI Server ==> LDAP <== XMLP Server (BI PUB)
and maybe because we are using Microsoft Active Directory it didn't worked (I am not sure it is related to which A/D or LDAP mechanism we are using, but it failed we kept getting configuration error)
so we gave up (anyone succeeded with MS A/D ?)
now we are working with the local publisher security and creating local users and permissions (and of course this is working)
all but one thing:
When we are trying to create new report in the "Data Model" -> NEW and in the TYPE we choose "ORACLE BI Answers".
in the details when we try opening the Catalog we are getting :
"Oracle BI Catalog
BI Catalog Home
Empty catalog.
regarding configuration in :Admin>Oracle BI Presentation Services under Integration we have used the following:
Server Protocol - http
Server Version - v4
* Server - <full server name with domain >
* Port - 80
* Administrator Username <we have used the correct Administrator username>
Administrator Password <we have used the correct Administrator password>
URL Suffix analytics/saw.dll
Session Timeout 90
any idea ?

"Startup failed, contact your retailer"

I recently bought a nokia X6. while browsing through my photos it suddenly went dead and whenever i try to switch it on i get a message "Startup failed, contact your retailer"? Can this problem be solved? And if the sofware is corrupt, is the software available online incase i have to flash? what could be the possible reason for this?
And whats the best antivirus software for my phone which will keep away all the virus and malware.

you dont need anti virus
try holding the green red and camera key down while powering on until you see nokia hansdhake if this fails return it to point of purchase or a nokia care centre
If i have helped at all a click on the white star below would be nice thanks.
Now using the Lumia 1520

Photoshop CS5(64Bit): "You don't have permission to save to this location. Contact the administrator to obtain permission." I am the administrator and I give myself permission. What can I do to save the file?

Photoshop CS5(64Bit): "You don't have permission to save to this location. Contact the administrator to obtain permission." I am the administrator and give myself permission. What can I do to save the file? This is the user's PC, licensed PS CS5 software and Win 7 OS.

Temporarily save to another folder, until you figure it out.
Just because you are the owner and are the sole administrator, does not always guarantee that you have permission. There are several folders that you can not access no matter how hard you try. As for folders in your document folder, it is more likely a basic permission setting that took on permissions of a copied file. Some folders and files are set to a child/parent default setting, meaning the child folder/file (the one you are accessing) has the identical settings of its parent and when the parent changes, so does the child.
You can alter the parent or the child folder/file.
Right click on the folder/file select properties.
Click on the security tab.
Click on each of the group names and see what permissions are set.
You can then edit a group if necessary.
If it will not allow it, you may need to use the advanced button to create a new copy of the group which should happen when you alter its settings (In other words, you don't have to physically create the copy, it does it for you when you OK the changes)
The administrator should have full access to the folder in the documents folder, if you are listed as an associate of the administrator group your name should also be listed there with full access. The System should also have full access.
All other groups should have reading access only if they exist.

Search has encountered a problem that prevents results from being returned. If the issue persists, please contact your administrator.

Hello Guys,
I am creating resultsource from central admin. If I create it from central admin it works fine. But if I am creating result source from power shell scripts it shows me following error message.
An exception of type 'Microsoft.Office.Server.Search.Query.InternalQueryErrorException' occurred in Microsoft.Office.Server.Search.dll but was not handled in user code
Additional information: Search has encountered a problem that prevents results from being returned. If the issue persists, please contact your administrator.
Any suggestion ?
Thanks in Advance.

Hi,
Please provide more specific information about the issue. What type of content source you tried creating via powershell?
Make sure you are using the approproate permission and search service application.
Here is the reference for creating content resource via script:
http://technet.microsoft.com/en-us/library/ff607867(v=office.15).aspx
Regards,
Rebecca Tu
TechNet Community Support

An error has occurred while accessing SQL database or system resources. If this is the first time you have seen this message, please try again later. If this problem persists, please contact your administrator.

I have SP Server 2010, and when I try to DELETE a rule within an existing Audience, "Property (Account Name) = domain/username", I get this error, "An error has occurred while accessing SQL database or system resources. If this
is the first time you have seen this message, please try again later. If this
problem persists, please contact your administrator." When I try to "MODIFY" the rule I get this error, "One or more values typed on this page are not valid. Check the text for the indicated fields."
The last time I checked it was working, I'm not aware of any new updates installed recently? I did a full Profile Synchronization as well, but still not working, please advise? -- Evenstarline

Hi Sara,
First of all thank you very much for your prompt responses. Here are my comments to each of your suggestions below, and just to let you know I am using a Farm Admin account.  I
was able to do this way after we upgraded from SP 2007 to SP 2010 as well.   I would like to mention I'm not a SP expert, just been given the responsibility due to another person handling it just left, so apologize with some of
my novice questions below?
1. When I change the Operators to "Contains" or "Not Contains" get generates this error below.
     Error generating in red towards top of the audience page..."One or more values typed on this page are not valid. Check the text for the indicated fields."
     Error occurred where you enter your "Value"..."Could not resolve the user identity. Please re-enter the account name."
2. We have a 3-server-tier topology (SPWeb, SPDB, and SPFarm). Does the updates only apply to where the Central Admin is installed, which is the "SPFarm"? I checked all
3 servers, and NONE of the updates (KB2899494, KB2889845, and KB2883055) you'd mentioned are installed.
3. I'm new to IISRET, I need to be extra cautious of what I run in production, is this safe to run with no problem? What does it do? And How do I run it?
4. I'm also new to viewing the ULS log. I'd just downloaded a viewer for it. I'm assuming the only logs I need to be concern with viewing are within the SPAdmin (where Central
Admin is installed)? There's so many of them, what should I be looking for exactly?
Evenstarline

AnyConnect error " User not authorized for AnyConnect Client access, contact your administrator"

Hi everyone,
it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem. The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.
: Saved
ASA Version 9.1(1)
hostname ASA
domain-name ingo.local
enable password ... encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ... encrypted
names
name 10.0.1.0 LAN-10-0-1-x
dns-guard
ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif Internal
security-level 100
ip address 10.0.1.254 255.255.255.0
interface Vlan2
nameif External
security-level 0
ip address dhcp setroute
regex BlockFacebook "facebook.com"
banner login This is a monitored system. Unauthorized access is prohibited.
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Internal
dns domain-lookup External
dns server-group DefaultDNS
name-server 10.0.1.11
name-server 75.153.176.1
name-server 75.153.176.9
domain-name ingo.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN-10-0-1-x
subnet 10.0.1.0 255.255.255.0
object network Company-IP1
host xxx.xxx.xxx.xxx
object network Company-IP2
host xxx.xxx.xxx.xxx
object network HYPER-V-DUAL-IP
range 10.0.1.1 10.0.1.2
object network LAN-10-0-1-X
access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive
access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389
access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389
tcp-map Normalizer
check-retransmission
checksum-verification
no pager
logging enable
logging timestamp
logging list Threats message 106023
logging list Threats message 106100
logging list Threats message 106015
logging list Threats message 106021
logging list Threats message 401004
logging buffered errors
logging trap Threats
logging asdm debugging
logging device-id hostname
logging host Internal 10.0.1.11 format emblem
logging ftp-bufferwrap
logging ftp-server 10.0.1.11 / asa *****
logging permit-hostdown
mtu Internal 1500
mtu External 1500
ip verify reverse-path interface Internal
ip verify reverse-path interface External
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo External
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (Internal,External) dynamic interface
object network LAN-10-0-1-x
nat (Internal,External) dynamic interface
object network HYPER-V-DUAL-IP
nat (Internal,External) static interface service tcp 3389 3389
access-group 100 in interface External
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server radius protocol radius
aaa-server radius (Internal) host 10.0.1.11
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console radius LOCAL
http server enable
http LAN-10-0-1-x 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_map interface External
crypto ca trustpoint srv01_trustpoint
enrollment terminal
crl configure
crypto ca trustpoint asa_cert_trustpoint
keypair asa_cert_trustpoint
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca trustpool policy
crypto ca server
cdp-url http://.../+CSCOCA+/asa_ca.crl:44435
issuer-name CN=...
database path disk0:/LOCAL_CA_SERVER/
smtp from-address ...
publish-crl External 44436
crypto ca certificate chain srv01_trustpoint
certificate <output omitted>
quit
crypto ca certificate chain asa_cert_trustpoint
certificate <output omitted>
quit
crypto ca certificate chain LOCAL-CA-SERVER
certificate <output omitted>
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable External client-services port 44455
crypto ikev2 remote-access trustpoint asa_cert_trustpoint
telnet timeout 5
ssh LAN-10-0-1-x 255.255.255.0 Internal
ssh xxx.xxx.xxx.xxx 255.255.255.255 External
ssh xxx.xxx.xxx.xxx 255.255.255.255 External
ssh timeout 5
ssh version 2
console timeout 0
no vpn-addr-assign aaa
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd dns 75.153.176.9 75.153.176.1
dhcpd domain ingo.local
dhcpd option 3 ip 10.0.1.254
dhcpd address 10.0.1.50-10.0.1.81 Internal
dhcpd enable Internal
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter use-database
dynamic-filter enable interface Internal
dynamic-filter enable interface External
dynamic-filter drop blacklist interface Internal
dynamic-filter drop blacklist interface External
ntp server 128.233.3.101 source External
ntp server 128.233.3.100 source External prefer
ntp server 204.152.184.72 source External
ntp server 192.6.38.127 source External
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
ssl trust-point asa_cert_trustpoint External
webvpn
port 44433
enable External
dtls port 44433
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
anyconnect profiles profile1 disk0:/profile1.xml
anyconnect enable
smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows
smart-tunnel list SmartTunnelList1 putty putty.exe platform windows
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
webvpn
anyconnect profiles value profile1 type user
username write.ingo password ... encrypted
username ingo password ... encrypted privilege 15
username tom.tucker password ... encrypted
class-map TCP
match port tcp range 1 65535
class-map type regex match-any BlockFacebook
match regex BlockFacebook
class-map type inspect http match-all BlockDomains
match request header host regex class BlockFacebook
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 1500
id-randomization
policy-map TCP
class TCP
set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250
set connection timeout dcd
set connection advanced-options Normalizer
set connection decrement-ttl
policy-map type inspect http HTTP
parameters
protocol-violation action drop-connection log
class BlockDomains
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map dynamic-filter-snoop
inspect http HTTP
service-policy global_policy global
service-policy TCP interface External
smtp-server 199.185.220.249
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:41a021a28f73c647a2f550ba932bed1a
: end
Many thanks,
Ingo

Hi Jose,
here is what I got now:
ASA(config)# sh run | begin tunnel-group
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPool
authorization-required
and DAP debugging still the same:
ASA(config)# DAP_TRACE: DAP_open: CDC45080
DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy
DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker
DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker
DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =
DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: tom.tucker, DAP_add_AC:
endpoint.anyconnect.clientversion="3.1.02026";
endpoint.anyconnect.platform="win";
DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080
Unfortunately, it still doesn't work. Hmmm.. maybe a wipe of the config and starting from scratch can help?
Thanks,
Ingo

Unreserve funds failed. Contact Purchasing Administrator if necessary

Similar Messages

Maybe you are looking for