VTI tunnel problem

Similar Messages

• VTI tunnels vs InterVLAN

  Hi everyone!
  We have 2 Cisco routers - 3925 (office A) and 2921 (office B). There are VTI tunneling (with 3DES encryption), EIGRP dynamic routing (main and reserve optic channels) and 1 default VLAN #2. It`s working model which is used between 2 offices.
  Now I have a task to add VLAN #3 in Office B which is used in Office A and routed to FireWall. VLAN #3 must be routed bypassing VTI tunnel. As I understand I should use InterVLAN feature on both routers. But it doesn`t work. :(
  Here are configs:
  Office A (3925):
  interface GigabitEthernet0/0
   no ip address
  interface GigabitEthernet0/0.2
   encapsulation dot1Q 2
   ip address 192.168.100.181 255.255.255.0
  interface GigabitEthernet0/0.3
   encapsulation dot1Q 3
   ip address 192.168.150.10 255.255.255.0
  interface GigabitEthernet0/1
   no ip address
  interface GigabitEthernet0/1.2
   encapsulation dot1Q 2
   ip address 10.48.101.178 255.255.255.0
  interface GigabitEthernet0/1.3
   encapsulation dot1Q 3
   ip address 10.48.103.178 255.255.255.0
  router eigrp 100
   network 192.168.100.0 0.0.0.255
   network 192.168.104.0 0.0.0.255
   network 192.168.201.176 0.0.0.255
   network 192.168.202.176 0.0.0.255
  ip route 0.0.0.0 0.0.0.0 192.168.100.180
  ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
  ip route 192.168.150.0 255.255.255.0 192.168.100.2
  Office B (2921):
  interface GigabitEthernet0/0
   no ip address
  interface GigabitEthernet0/0.2
   encapsulation dot1Q 2
   ip address 192.168.104.1 255.255.255.0
  interface GigabitEthernet0/0.3
   description MOWDT Vlan 3
   encapsulation dot1Q 3
   ip address 192.168.150.11 255.255.255.0
  interface GigabitEthernet0/1
   no ip address
  interface GigabitEthernet0/1.2
   encapsulation dot1Q 2
   ip address 10.48.101.179 255.255.255.0
  interface GigabitEthernet0/1.3
   encapsulation dot1Q 3
   ip address 10.48.103.179 255.255.255.0
  router eigrp 100
   network 192.168.100.0 0.0.0.255
   network 192.168.104.0 0.0.0.255
   network 192.168.201.176 0.0.0.255
   network 192.168.202.176 0.0.0.255
  ip route 0.0.0.0 0.0.0.0 192.168.100.180
  ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
  ip route 192.168.150.0 255.255.255.0 GigabitEthernet0/1.3
  Could you please assist where is the problem?

  These both lines do the same things one is being explicitly value is defined and other is set for auto-discovery, however when it comes tunnel interface all you need is to set the mtu size to 1400.
  one:  ip tcp adjust-mss 1300
  two:  tunnel path-mtu-discovery
  Now when an additional command, which you need to disable split-horizon on eigrp and the "x" is your process ID, which you need for spoke-to-spoke communication, to pass via the hub.
  no ip split−horizon eigrp x
  "If I disable these features won't i have problems with fragmentation ?"
  Which is taken care by setting mtu size to 1400.
  Now you set the "ip tcp adjust-mss 1380" on your physical interfaces facing toward your internal switch.
  Have you tried it?
  thanks
  Message was edited by: Rizwan Mohamed

• Is it possible to create a VTI tunnel from my 877 router to my ASA

  Hi all
  I woulke like to know is it possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a cryptomap on the router ?
  cheers
  Carl

  Yes you can
  Forgot to add that it possible when configuring ezvpn where the 877 is a remote client and Asa server
  Sent from Cisco Technical Support iPhone App

• VTI tunnel & OSPF

  Hi all,
  I have configured VTI tunnel interfaces (tunnel mode ipsec ipv4) and OSPF on that interfaces.
  VTI is encrypting all data traffic. But what about OSPF traffic?
  Is OSPF traffic encrypted also or I need to configure OSPF authentication?
  Thanks

  OSPF exchange is already encrypted inside of the tunnel, so u don't have to use ospf-authentication. OSPF uses tunnel IP addresses for communications, and traffic flow between those two addresses is possible only throught the secure tunnel.

• Static VTI tunnel to asa

  Hi All,
  I need to connect some routers to an ASA using IPSec tunnels. The goal is to get netflow traffic from the routers to a collector behide an ASA using IPSec tunnels.
  Recently I found out (locally orginated) netflow isn't properly encrypted when send through an IPSec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/. The workaround seems to be using flexible netflow (which my collector doesn't support) or using a real tunnel interface on the router.
  This implies I need to use:
  - IPSec/GRE
  - EzVPN with DVTI
  - SVTI...?
  Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.
  interface Tunnel0
  ip unnumberd loopback0
  tunnel source x.x.x.x
  tunnel destination y.y.y.y
  tunnel mode ipsec ipv4
  My question is, does anybody know if you can build an IPSec tunnel between an ASA and a router, using a SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.
  Regards

  Hi Hielke ,
  if you managed to match the SAs proposed by the router when using SVTI which is any to any , and you will do this on the ASA using a crypto map access-list as follow :
  access-list crypto VPN permit ip any any
  then all traffic leaving the interface where the crypto map is applied will be subject to encryption , which is not practical in most cases .you may use different  interface (on the ASA) to this tunnel with the SVTI as it will use any any and that traffic is different than the one leaving the outside interface .
  so as Marcin this will not scale for you
  HTH
  Mohammad.

• VPN tunnel Problem

  Hi all ,
  I need create VPN tunnels between two  ASAs devices . And these devices are connected through DSL . And as you know in this case we use private outside IP address , because there is  a NAT device at the outside . The problem is that no VPN tunnel is created even though all the parameters and the pre-shared-key are typical .

  I hve allready configured following configuration.
  no crypto map newmap interface outside
  no crypto map newmap 171 set peer 195.11.199.144
  no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
  crypto map newmap 171 set peer 195.11.204.5
  isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
  clear crypto ipsec sa
  clear crypto isakmp sa
  crypto map newmap interface outside
  Setting were applied successfully however Still VPN tunnel is not been initiated.

• Tunneling Problem using HttpsUrlConnection

  Hi,
  I had gone through forums regarding this topic and still i am facing the same problem using the HttpsUrlConnection. We are working behind a proxy so we have to make a proxy authorization if we want to connect to a server in the internet.
  But in case of HttpUrlConnection, everything works
  fine. But if we do the same with a HttpsUrlConnection, the authentication fails. It throws an IOException
  with the message
  Unable to tunnel through 192.9.100.10:80.
  Proxy returns "HTTP/1.1 407 Proxy authentication required"
  Sample code as follows,
  The following code doesn't have any problem becos it works fine with HttpUrlConnection and also it is working without proxyserver for https as well.
  This is running under MSVM.
  I don't want to use SSLSocketFactory and i need to use following layout(i.e only with Httpsurlconnection)
  Is there any way to make work with proxyserver? Or can't we do this at all?
  System.setProperty("proxySet","true");
  System.setProperty("https.proxyHost","proxyIP");
  System.setProperty("https.proxyPort","80");
  OutputStream os = null;
  OutputStreamWriter osw = null;
  InputStream is = null;
  InputStreamReader isr = null;
  BufferedReader br = null;
  URL url;
  String line = null;
  System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  String login = proxyUserName+":"+proxyPassWord;
  String encodedLogin = new sun.misc.BASE64Encoder().encode(login.getBytes());
  url = new URL("https://www.verisign.com");
  HttpsURLConnection con = null;
  con =(HttpsURLConnection) url.openConnection();
  con.setRequestProperty("Proxy-Authorization", encodedLogin);
  con.setRequestMethod("GET");
  con.setDoOutput(true);
  con.setDoInput(true);
  con.setUseCaches(false);
  con.connect();
  os = con.getOutputStream();
  osw = new OutputStreamWriter(os);
  osw.write("SampleMsg");
  osw.flush();
  osw.close();
  is = con.getInputStream();
  isr = new InputStreamReader(is);
  br = new BufferedReader(isr);
  while ( (line = br.readLine()) != null)
       System.out.println("line: " + line);
  Can any one help me regarding this?I need a reply very urgently.
  Thanks,
  Prabhakaran R

  Hope this help.
  Note to change the properties to fit your system, and use the supported package ( JSSE, JRE1.5.......).
  You can use URLConnection for both HTTP or HTTPS protocol.
  import java.io.*;
  import java.net.*;
  import java.security.*;
  import java.util.*;
  import javax.net.ssl.*;
  public class testSSL9 {
  public testSSL9() {
  byte[] data = httpConnection();
  System.out.println(new String(data));
  public static void main(String[] args) {
  Properties sysprops = System.getProperties();
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // sysprops.put("java.protocol.handler.pkgs",
  // "com.sun.net.ssl.internal.www.protocol");
  sysprops.put("java.protocol.handler.pkgs",
  "javax.net.ssl.internal.www.protocol");
  sysprops.put("javax.net.ssl.trustStore",
  "D:/jdk1.4/jre/lib/security/cacerts");
  sysprops.put("javax.net.debug", "ssl,handshake,data,trustmanager");
  sysprops.put("https.proxyHost", "172.16.0.1");
  sysprops.put("https.proxyPort", "3128");
  sysprops.put("https.proxySet", "true");
  sysprops.put("http.proxyHost", "172.16.0.1");
  sysprops.put("http.proxyPort", "3128");
  sysprops.put("proxySet", "true");
  testSSL9 testSSL91 = new testSSL9();
  private byte[] httpConnection() {
  try {
  URL url = null;
  // String strurl = "https://www.verisign.com";
  String strurl = "https://central.sun.net";
  // String strurl = "http://www.yahoo.com"; --> use: HttpURLConnection
  url = new URL(strurl);
  HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
  HttpsURLConnection.setFollowRedirects(false);
  connection.setDoOutput(true);
  connection.setDoInput(true);
  connection.setUseCaches(false);
  connection.connect();
  InputStream stream = null;
  BufferedInputStream in = null;
  ByteArrayOutputStream bytearr = null;
  BufferedOutputStream out = null;
  try {
  stream = connection.getInputStream();
  in = new BufferedInputStream(stream);
  bytearr = new ByteArrayOutputStream();
  out = new BufferedOutputStream(bytearr);
  catch (Exception ex1) {
  System.out.println(ex1);
  System.out.println("Server reject connection...sory");
  int i = 0;
  while ( (i = in.read()) != -1) {
  out.write(i);
  out.flush();
  stream.close();
  in.close();
  bytearr.close();
  out.close();
  return bytearr.toByteArray();
  catch (Exception ex) {
  ex.printStackTrace();
  return null;
  }

• Oracle 9i Web Services Quickstart Install TCP tunneling problem

  When I try to run the OTNGUIDGenerator example using the TCP Tunneling portion of the Oracle 9i Web Services Quickstart
  Install I get this in the From localhost8900 tunnel window:
  <?xml version='1.0' encoding='UTF-8'?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Body>
  <ns1:getGUID xmlns:ns1="oracle.otn.ws.emarket.OTNGUIDGenerator" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  </ns1:getGUID>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  I get this in the From 127.0.0.1:8888 window:
  HTTP/1.1 404 Not Found
  Date: Mon, 28 Oct 2002 20:38:06 GMT
  Server: Oracle9iAS (9.0.2.0.0) Containers for J2EE
  Content-Length: 171
  Connection: Close
  Content-Type: text/html
  <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>Resource /j2ee-web/oracle.otn.ws.emarket.OTNGUIDGenerator not found on this server</BODY></HTML>
  This is my webservices stub
  public class OTNGUIDGeneratorStub
  /** public String endpoint = "http://otn.oracle.com/ws/oracle.otn.ws.emarket.OTNGUIDGenerator"; */
  public String endpoint = "http://127.0.0.1:8900/j2ee-web/oracle.otn.ws.emarket.OTNGUIDGenerator";
  private OracleSOAPHTTPConnection m_httpConnection = null;
  public OTNGUIDGeneratorStub()
  System.setProperty("oracle.soap.transport.noHTTPClient", "true");
  m_httpConnection = new OracleSOAPHTTPConnection();
  Properties props = new Properties();
  /** props.put(OracleSOAPHTTPConnection.PROXY_AUTH_TYPE, "basic");
  props.put(OracleSOAPHTTPConnection.PROXY_HOST, "proxy.scott.af.mil");
  props.put(OracleSOAPHTTPConnection.PROXY_PORT, "375");
  props.put(OracleSOAPHTTPConnection.PROXY_USERNAME, "fowlerji");
  props.put(OracleSOAPHTTPConnection.PROXY_PASSWORD, "F1234567*g"); */
  m_httpConnection.setProperties(props);
  Not sure what to call the server - this works okay when I'm not using tunneling and using our proxy server??

  I think your problem is that you have a proxy user/password and the TCP Monitor (both the command line and built-in 9.0.3 version) do not support that - they only support specification of the proxy server itself :-(
  It is a feature request that I hope will make it into the late spring/early summer release of JDeveloper - I wrote it up as a request based on the number of folks who faced this issue with these tutorials.
  Mike.

• Anchor Eiop tunnel problem 5.2

  Hi,
  were using two dmz WLCs for "guest-Access" - one is designated for an Hotspot and one for a direct dmz access. The internal wlc uses the management-interface as interface in the wlan-config and the internal wlc has all accesspoints directly connected and have the same configuration as the dmz wlcs and both ssids are active. Between the inside and outside wlcs we have differend subnets routers and also checkpoint firewall clusters - but no NAT. All Wlcs are in the same mobility group.
  The problem is, that under some condition the mobility feature hangs up ! The internal WLC authenticates the client and give him full access (including IP) but the client can not ping or connect to any device behind the eiop tunnel.(in the DMZ) That problem occurs to both DMZ WLCs. On the wcs i can see that there was a short interrupt of the ancor-tunnels but the alarm disappears. While the client can't forward any traffic a debug mobility or an mobility ping works fine and shows no problems (a lot of keepalives from all wlcs)! The only way to get the tunnel working for traffic-forwarding is to reboot the external wlcs in the DMZ. Rebooting the internal won't help!
  Do you have any information or suggestion what can causes that kind of problem ? Is there any debug command wehere i can detect the problem ?
  Thanks, Dennis

  I am just wanting to verify that all controllers are on the same version of code. A mismatch between an older 5.1 controller or before my result in a problem establishing the tunnel because of the 2 different protocols being used to talk between the AP and the controllers. 5.1 and before is LWAPP 5.2 and later is CAPWAP I believe.

• Reverse SSH Tunnel problem?

  I'm trying to do a reverse SSH tunnel for a VNC project. I'm successful when I do it on a Linux box or Cygwin under Windows, but I'm having problems under Mac OS.
  Here's what I do:
  Terminal 1:
  ssh -nNTvvv -R 5500:localhost:5500 -l my_username myhost.com
  Then, to see what's going on, I run in terminal 2:
  nc -l -p 5500
  Then, in a third terminal, I ssh over to myhost.com, and telnet to localhost 5500.
  If I initiate this whole setup on other platforms, I can then type stuff in my in the third terminal and see it echoed happily in terminal 2.
  Under Mac OS, everything goes fine until I do the telnet on myhost.com. The diagnostic in terminal 1 is:
  debug1: channel 0: new [::1]
  debug1: confirm forwardeded-tcpip
  debug3: channel 0: waiting for connection
  debug1: channel 0: not connected: Connection refused
  It's not a firewall issue, as I can telnet directly to port 5500 on the Mac from myhost.com without any problem.
  Google gives me no help here. Any ideas?
  Thanks!
  12" G4 Powerbook   Mac OS X (10.4.8)  

  Figured it out - did a no ip ssh v 2 and hey presto started working

• Tunnel Problem

  I'm trying to simulate a tunnel through a service provider:
  I have 3 Routers, which are connected with static routes and are all pinging each other other through serial and fastethernet interfaces.
  Router 1 and Router 3 are acting as tunnel endpoints. Router 2 is service provider.
  Configurations:
  Router 1 Loopbacks:
  192.168.2.0
  192.168.3.0
  192.168.4.0
  Router 3 Loopbacks:
  192,168.13.0
  192.168.14.0
  Router 1 and 2: 192.168.8.1 255.255.255.252
  Rouer 2 and 3: 192.168.9.1 255.255.255.252
  Tunnel is: 10.40.40.1 on R1
                 10.40.40.2 on R3
  Router 1:
  Interface Tunnel 0
  Tunnel Source: 192.168.8.1
  Tunnel Destination: 192.168,9.2
  ip route 192.168.9.2 255.255.255.255 192.168.8.2
  router eigrp 1
  network 192.168.2.0
  network 192.168.3.0
  network 192.168.4.0
  Router 3:
  Interface Tunnel 0
  Tunnel Source: 192.168.9.2
  Tunnel Destination: 192.168.8.1
  ip route 192.168.8.1 255.255.255.255 192.168.9.1
  router eigrp 1
  network 192.168.13.0
  network 192.168.14.0
  After these configurations I see on both routers 1 and 3 the Tunnels are in up/up and I can ping 10.40.40.1 to 10.40.40.2, but no eigrp router are coming up, what is the problem ??? Is the source and destination ip addresses correct, are my ip route statics correct ?? Please help.
  Thanks,
  Sergei.
  After this configuration I see my Tunnel on both Roter

  Sergei,
  Add the tunnel network into your Router EIGRP 1 statements in router 1 & 3. I believe that should do the trick.
  router eigrp 1
  network 10.40.40.0

• VTI Tunnel Bandwidth Statements

  What is the proper way to set bandwidth statements on VTI/GRE tunnels over an MPLS network when different locations have different bandwidth capacities?
  For example:
  Location 1 - DS3 - 44mbps
  Location 2 - DS1 - 1.5mbps
  Would I put 'bandwidth 1500' on both ends of the tunnel or would I put 'bandwidth 44000' on the DS3 side and 'bandwidth 1500' on the DS1.

  Hi Peter,
  To my knowledge, bandwidth statement will not restrict the volume of traffic. Instead it is just a parameter used for control plane calculations. If you really want to restrict the volume of traffic flowing over these interfaces, you may have to think of shaping the same.
  HTH,
  Nagendra

• MPLS TE tunnel problem

  Hi,
  i created MPLS TE tunnel between three Cisco 2811 series routers and configured that MPLS TE tunnel will reserve 1Mbps of bandwidth.Then I started to send constant 3 Mbps data flow trough the MPLS TE tunnel (everything looks ok: tunnel is up, bandwidth is reserved, all the data flow entering the tunnel). The problem is that data flow leaving the tunnel at 3Mbps rate. Why tunnel don’t limit data rate?????

  The tunnel doesn't do rate-limiting. Bandwidth at the tunnel level is only a control plane feature.
  You need to configure admission control on the tunnel headend with CAR or some other form of rate limiting if you want to enforce the tunnel reserved bandwidth.
  Hope this helps,

• Tunneling Problem.

  Hello All,
  This is Jay Kishan. I work in Pakistan Petroleum Limited as a Network Associate. There is a little problem that i am facing recently. We have a Head Office in Karachi and a Remote Location is Islamabad. We are connecting them with a Primary DXX Link with an active VSAT Backup Link. As soon as the DXX Link goes down the VSAT Link comes up automatically. But the DXX Provider has introduced a few more non-cisco devices in the middle and now we have to create a tunnel from our ISB 2610 Router to KHI 3661 Router. The reason for creating the tunnel is that we dont want the DXX provider to know our network. But the problem that we have at our hand is that the tunnel never goes down as the interfaces on both the routers are connected to devices that wont go down. But there can be a problem in some other middle device because of which the link may not work. So the situation is that even the DXX Link isnt working the tunnel is still up and the VSAT Backup link doesnt come up. So how can i make sure that if the DXX Link stops working the tunnel could sense it and the VSAT Backup link comes up automatically. I will be very much thankful for any sort of help. Thanks in advance.
  Regards,
  Jay Kishan
  PPL

  Jay
  The GRE keepalive is a very nice feature and it does sound like it would solve your problem. It was introduced somewhat recently (I just looked at the notes and it indicates that it was introduced on some platforms in 12.2(8)T and a bit later on other platforms). What platform are you running this on and what version of code?
  The configuration is pretty straightforward:
  interface tunnel n
  keepalive
  and it has optional parameters on the keepalive to specify how many seconds and how many retries.
  If you router does not have keepalive as a command under the tunnel interface, then that is a good indication that the version of code that you are running does not have this feature. Would it be worth upgrading code to get this feature?
  HTH
  Rick

• SSL-Tunneling Problem with Stronghold

  Hello,
  I installed HTTP-Tunneling between a Java-Client and a WLS 4.5.1SP 13
  throuch a Stronghold-Server using mod_wl_ssl.so.
  But when I'm trying to connect via HTTPS (port 443) to the Stronghold, the
  plugin is no longer working correctly. I get the following output in the log
  of the plug-in:
  --------------Begin--------------
  ========New Request: [GET
  /HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=634395
  5830116743121 HTTP/1.0] =========
  Thu Jan 4 18:46:57 2001 Cookie String missing in the Cookie
  Thu Jan 4 18:46:57 2001 queryStr =
  wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121
  Thu Jan 4 18:46:57 2001 The request string is
  '/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
  55830116743121'
  Thu Jan 4 18:46:57 2001 After trimming path:
  '/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
  55830116743121'
  Thu Jan 4 18:46:57 2001 Now trying whatever is on the list;
  ci->canUseSrvrList = 1
  Thu Jan 4 18:46:57 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
  Thu Jan 4 18:46:57 2001 general list: trying connect to 'agni'/7002
  Thu Jan 4 18:46:57 2001 Connected to agni:7002
  Thu Jan 4 18:46:57 2001 Headers from the client [Accept]=[text/html,
  image/gif, image/jpeg, *; q=.2, */*; q=.2]
  Thu Jan 4 18:46:57 2001 Headers from the client [Host]=[sbcipx:443]
  Thu Jan 4 18:46:57 2001 Headers from the client [User-Agent]=[Java1.2.2]
  Thu Jan 4 18:46:57 2001 Sending header to WLS [Accept]=[text/html,
  image/gif, image/jpeg, *; q=.2, */*; q=.2]
  Thu Jan 4 18:46:57 2001 Sending header to WLS [Host]=[sbcipx:443]
  Thu Jan 4 18:46:57 2001 Sending header to WLS [User-Agent]=[Java1.2.2]
  Thu Jan 4 18:46:57 2001 Sending header to WLS
  [X-WebLogic-Force-Cookie]=[true]
  Thu Jan 4 18:46:57 2001 Sending header to WLS [WL-Proxy-SSL]=[true]
  Thu Jan 4 18:46:57 2001 Sending header to WLS
  [Proxy-Client-IP]=[192.168.17.116]
  Thu Jan 4 18:46:57 2001 Sending header to WLS
  [X-Forwarded-For]=[192.168.17.116]
  Thu Jan 4 18:47:12 2001 sysRecv failed, return val = [0] errno=0
  errmsg=[Error 0]
  Thu Jan 4 18:47:12 2001 Error reading WebLogic Response from agni:7002
  Return Value = -1
  Thu Jan 4 18:47:12 2001 Marking agni:7002 as bad
  Thu Jan 4 18:47:12 2001 Got FAILOVER response from sendRequest... will
  retry
  Thu Jan 4 18:47:12 2001 Attempting a connect with the forceCookie bit
  turned ON : [1]
  Thu Jan 4 18:47:12 2001 Now trying whatever is on the list;
  ci->canUseSrvrList = 1
  Thu Jan 4 18:47:12 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
  Thu Jan 4 18:47:12 2001 Request timed out after 10 seconds
  Thu Jan 4 18:47:12 2001 Redirecting the error response to the errorPage =
  [http://www.finance.ch]
  Thu Jan 4 18:47:12 2001 r->status=302 returning 0
  Thu Jan 4 18:47:14 2001
  ---------------End
  Any Ideas, what I didn't configured correctly for the stronghold/plug-in/WLS
  Thank you
  Remo

  "Remo Schnidrig" <[email protected]> wrote:
  Hello,
  I installed HTTP-Tunneling between a Java-Client and a WLS 4.5.1SP 13
  throuch a Stronghold-Server using mod_wl_ssl.so.
  But when I'm trying to connect via HTTPS (port 443) to the Stronghold, the
  plugin is no longer working correctly. I get the following output in the log
  of the plug-in:
  --------------Begin--------------
  ========New Request: [GET
  /HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=634395
  5830116743121 HTTP/1.0] =========
  Thu Jan 4 18:46:57 2001 Cookie String missing in the Cookie
  Thu Jan 4 18:46:57 2001 queryStr =
  wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121
  Thu Jan 4 18:46:57 2001 The request string is
  '/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
  55830116743121'
  Thu Jan 4 18:46:57 2001 After trimming path:
  '/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
  55830116743121'
  Thu Jan 4 18:46:57 2001 Now trying whatever is on the list;
  ci->canUseSrvrList = 1
  Thu Jan 4 18:46:57 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
  Thu Jan 4 18:46:57 2001 general list: trying connect to 'agni'/7002
  Thu Jan 4 18:46:57 2001 Connected to agni:7002
  Thu Jan 4 18:46:57 2001 Headers from the client [Accept]=[text/html,
  image/gif, image/jpeg, *; q=.2, */*; q=.2]
  Thu Jan 4 18:46:57 2001 Headers from the client [Host]=[sbcipx:443]
  Thu Jan 4 18:46:57 2001 Headers from the client [User-Agent]=[Java1.2.2]
  Thu Jan 4 18:46:57 2001 Sending header to WLS [Accept]=[text/html,
  image/gif, image/jpeg, *; q=.2, */*; q=.2]
  Thu Jan 4 18:46:57 2001 Sending header to WLS [Host]=[sbcipx:443]
  Thu Jan 4 18:46:57 2001 Sending header to WLS [User-Agent]=[Java1.2.2]
  Thu Jan 4 18:46:57 2001 Sending header to WLS
  [X-WebLogic-Force-Cookie]=[true]
  Thu Jan 4 18:46:57 2001 Sending header to WLS [WL-Proxy-SSL]=[true]
  Thu Jan 4 18:46:57 2001 Sending header to WLS
  [Proxy-Client-IP]=[192.168.17.116]
  Thu Jan 4 18:46:57 2001 Sending header to WLS
  [X-Forwarded-For]=[192.168.17.116]
  Thu Jan 4 18:47:12 2001 sysRecv failed, return val = [0] errno=0
  errmsg=[Error 0]
  Thu Jan 4 18:47:12 2001 Error reading WebLogic Response from agni:7002
  Return Value = -1
  Thu Jan 4 18:47:12 2001 Marking agni:7002 as bad
  Thu Jan 4 18:47:12 2001 Got FAILOVER response from sendRequest... will
  retry
  Thu Jan 4 18:47:12 2001 Attempting a connect with the forceCookie bit
  turned ON : [1]
  Thu Jan 4 18:47:12 2001 Now trying whatever is on the list;
  ci->canUseSrvrList = 1
  Thu Jan 4 18:47:12 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
  Thu Jan 4 18:47:12 2001 Request timed out after 10 seconds
  Thu Jan 4 18:47:12 2001 Redirecting the error response to the errorPage =
  [http://www.finance.ch]
  Thu Jan 4 18:47:12 2001 r->status=302 returning 0
  Thu Jan 4 18:47:14 2001
  ---------------End
  Any Ideas, what I didn't configured correctly for the stronghold/plug-in/WLS
  Thank you
  Remo
  As far as I know, HTTPS-Tunneling through NES, APACHE, and IIS
  is not supported. You can setup HttpClusterServlet to do HTTPS-
  Tunneling.
  Jong