VTI tunnel problem
Hi all,
We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).
Sometimes the tunnel goes down and I have to manually shutdown and no shutdown the tunnel interface to bring it up.
These are logs from Cisco:
%%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100
%%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer
X.Y.100.100 is Juniper SRX3600
X.Y.100.200 is Cisco 3825
But I see these logs more often than the tunnel goes down!
So what is the problem?
Thanks
Hello,
this should help #crypto isakmp invalid-spi-recovery
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
Best Regards
Please rate all helpful posts and close solved questions
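To tell whether the two messages quoted in the question are sporadic or point at one stale SA, it helps to count them per peer and per SPI. The parser below is an added example, not code from the thread or from Cisco; the sample log lines, their timestamps and addresses, and the threshold of three repeats are constructed assumptions.

```python
import re
from collections import Counter

# Patterns for the two IOS messages quoted in the question (case-insensitive,
# since the post shows them lower-cased while IOS prints them upper-cased).
INV_SPI = re.compile(
    r"crypto-4-recvd_pkt_inv_spi:.*?destaddr=(?P<dst>[^,\s]+),\s*prot=(?P<prot>\d+),"
    r"\s*spi=0x(?P<hex>[0-9a-f]+)\((?P<dec>\d+)\),\s*srcaddr=(?P<src>[^,\s]+)",
    re.IGNORECASE)
NO_SA = re.compile(
    r"crypto-4-ikmp_no_sa:\s*ike message from\s+(?P<src>\S+)\s+has no sa",
    re.IGNORECASE)

# Constructed sample input (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    "Mar  1 10:00:01: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xC5D07A33(3318774323), srcaddr=192.0.2.100",
    "Mar  1 10:00:31: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xC5D07A33(3318774323), srcaddr=192.0.2.100",
    "Mar  1 10:01:01: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xC5D07A33(3318774323), srcaddr=192.0.2.100",
    "Mar  1 10:01:02: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.100 has no SA and is not an initialization offer",
    "Mar  1 11:30:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xABCD(43981), srcaddr=192.0.2.100",
    # Garbled line: hex and decimal SPI disagree, so it must not be counted.
    "Mar  1 11:31:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.200, prot=50, spi=0xC5D07A33(12345), srcaddr=192.0.2.100",
    "Mar  1 11:32:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down",
]


def parse_line(line):
    """Return ('inv_spi', src, dst, spi), ('no_sa', src, None, None) or None.

    Raises ValueError when an invalid-SPI line carries hex and decimal SPI
    values that do not agree (truncated or corrupted log record).
    """
    m = INV_SPI.search(line)
    if m:
        spi = int(m["hex"], 16)
        if spi != int(m["dec"]):
            raise ValueError("SPI hex/decimal mismatch")
        return ("inv_spi", m["src"], m["dst"], spi)
    m = NO_SA.search(line)
    if m:
        return ("no_sa", m["src"], None, None)
    return None


def summarize(lines, stale_threshold=3):
    """Group events by sending peer.

    An SPI repeated at least `stale_threshold` times from the same peer is
    listed under 'stale_spis': the peer keeps encrypting with an SA this
    router no longer holds. Returns (report, rejected_line_count).
    """
    inv, no_sa, rejected = Counter(), Counter(), 0
    for line in lines:
        try:
            event = parse_line(line)
        except ValueError:
            rejected += 1
            continue
        if event is None:
            continue
        kind, src, dst, spi = event
        if kind == "inv_spi":
            inv[(src, dst, spi)] += 1
        else:
            no_sa[src] += 1

    report = {}
    for (src, dst, spi), count in sorted(inv.items()):
        peer = report.setdefault(src, {"inv_spi_total": 0, "stale_spis": [], "no_sa": 0})
        peer["inv_spi_total"] += count
        if count >= stale_threshold:
            peer["stale_spis"].append(f"0x{spi:08x}")
    for src, count in no_sa.items():
        report.setdefault(src, {"inv_spi_total": 0, "stale_spis": [], "no_sa": 0})["no_sa"] = count
    return report, rejected


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```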
Similar Messages
-
Hi everyone!
We have 2 Cisco routers - 3925 (office A) and 2921 (office B). There is VTI tunneling (with 3DES encryption), EIGRP dynamic routing (main and reserve optic channels) and 1 default VLAN #2. It's a working model which is used between 2 offices.
Now I have a task to add VLAN #3 in Office B which is used in Office A and routed to FireWall. VLAN #3 must be routed bypassing VTI tunnel. As I understand I should use InterVLAN feature on both routers. But it doesn't work. :(
Here are configs:
Office A (3925):
interface GigabitEthernet0/0
no ip address
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.100.181 255.255.255.0
interface GigabitEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.150.10 255.255.255.0
interface GigabitEthernet0/1
no ip address
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.48.101.178 255.255.255.0
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 10.48.103.178 255.255.255.0
router eigrp 100
network 192.168.100.0 0.0.0.255
network 192.168.104.0 0.0.0.255
network 192.168.201.176 0.0.0.255
network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 192.168.100.2
Office B (2921):
interface GigabitEthernet0/0
no ip address
interface GigabitEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.104.1 255.255.255.0
interface GigabitEthernet0/0.3
description MOWDT Vlan 3
encapsulation dot1Q 3
ip address 192.168.150.11 255.255.255.0
interface GigabitEthernet0/1
no ip address
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.48.101.179 255.255.255.0
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 10.48.103.179 255.255.255.0
router eigrp 100
network 192.168.100.0 0.0.0.255
network 192.168.104.0 0.0.0.255
network 192.168.201.176 0.0.0.255
network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 GigabitEthernet0/1.3
Could you please assist where is the problem?
These both lines do the same things one is being explicitly value is defined and other is set for auto-discovery, however when it comes tunnel interface all you need is to set the mtu size to 1400.
one: ip tcp adjust-mss 1300
two: tunnel path-mtu-discovery
Now when an additional command, which you need to disable split-horizon on eigrp and the "x" is your process ID, which you need for spoke-to-spoke communication, to pass via the hub.
no ip split-horizon eigrp x
"If I disable these features won't i have problems with fragmentation ?"
Which is taken care by setting mtu size to 1400.
Now you set the "ip tcp adjust-mss 1380" on your physical interfaces facing toward your internal switch.
Have you tried it?
thanks
Message was edited by: Rizwan Mohamed -
Is it possible to create a VTI tunnel from my 877 router to my ASA
Hi all
I would like to know is it possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a cryptomap on the router?
cheers
Carl
Yes you can
Forgot to add that it is possible when configuring ezvpn where the 877 is a remote client and the ASA is the server
-
Hi all,
I have configured VTI tunnel interfaces (tunnel mode ipsec ipv4) and OSPF on that interfaces.
VTI is encrypting all data traffic. But what about OSPF traffic?
Is OSPF traffic encrypted also or I need to configure OSPF authentication?
Thanks
OSPF exchange is already encrypted inside of the tunnel, so you don't have to use ospf-authentication. OSPF uses tunnel IP addresses for communications, and traffic flow between those two addresses is possible only through the secure tunnel.
-
Hi All,
I need to connect some routers to an ASA using IPSec tunnels. The goal is to get netflow traffic from the routers to a collector behind an ASA using IPSec tunnels.
Recently I found out (locally originated) netflow isn't properly encrypted when sent through an IPSec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/). The workaround seems to be using flexible netflow (which my collector doesn't support) or using a real tunnel interface on the router.
This implies I need to use:
- IPSec/GRE
- EzVPN with DVTI
- SVTI...?
Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.
interface Tunnel0
ip unnumbered loopback0
tunnel source x.x.x.x
tunnel destination y.y.y.y
tunnel mode ipsec ipv4
My question is, does anybody know if you can build an IPSec tunnel between an ASA and a router, using a SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.
Regards
Hi Hielke,
if you managed to match the SAs proposed by the router when using SVTI, which is any to any, and you will do this on the ASA using a crypto map access-list as follows:
access-list crypto VPN permit ip any any
then all traffic leaving the interface where the crypto map is applied will be subject to encryption, which is not practical in most cases. You may use a different interface (on the ASA) for this tunnel with the SVTI, as it will use any any and that traffic is different than the one leaving the outside interface.
so as Marcin this will not scale for you
HTH
Mohammad. -
Hi all ,
I need to create VPN tunnels between two ASA devices. These devices are connected through DSL, and as you know in this case we use a private outside IP address, because there is a NAT device at the outside. The problem is that no VPN tunnel is created even though all the parameters and the pre-shared-key are typical. I have already configured the following configuration.
no crypto map newmap interface outside
no crypto map newmap 171 set peer 195.11.199.144
no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
crypto map newmap 171 set peer 195.11.204.5
isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
clear crypto ipsec sa
clear crypto isakmp sa
crypto map newmap interface outside
Settings were applied successfully, however the VPN tunnel is still not being initiated. -
Tunneling Problem using HttpsUrlConnection
Hi,
I have gone through the forums regarding this topic and I am still facing the same problem using HttpsUrlConnection. We are working behind a proxy, so we have to do a proxy authorization if we want to connect to a server on the internet.
In the case of HttpUrlConnection, everything works fine. But if we do the same with a HttpsUrlConnection, the authentication fails. It throws an IOException with the message
Unable to tunnel through 192.9.100.10:80.
Proxy returns "HTTP/1.1 407 Proxy authentication required"
Sample code follows.
The following code doesn't have any problem because it works fine with HttpUrlConnection, and it also works without a proxy server for https.
This is running under MSVM.
I don't want to use SSLSocketFactory and I need to use the following layout (i.e. only with HttpsUrlConnection).
Is there any way to make it work with a proxy server? Or can't we do this at all?
System.setProperty("proxySet","true");
System.setProperty("https.proxyHost","proxyIP");
System.setProperty("https.proxyPort","80");
OutputStream os = null;
OutputStreamWriter osw = null;
InputStream is = null;
InputStreamReader isr = null;
BufferedReader br = null;
URL url;
String line = null;
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
String login = proxyUserName+":"+proxyPassWord;
String encodedLogin = new sun.misc.BASE64Encoder().encode(login.getBytes());
url = new URL("https://www.verisign.com");
HttpsURLConnection con = null;
con =(HttpsURLConnection) url.openConnection();
con.setRequestProperty("Proxy-Authorization", encodedLogin);
con.setRequestMethod("GET");
con.setDoOutput(true);
con.setDoInput(true);
con.setUseCaches(false);
con.connect();
os = con.getOutputStream();
osw = new OutputStreamWriter(os);
osw.write("SampleMsg");
osw.flush();
osw.close();
is = con.getInputStream();
isr = new InputStreamReader(is);
br = new BufferedReader(isr);
while ( (line = br.readLine()) != null)
System.out.println("line: " + line);
Can anyone help me regarding this? I need a reply very urgently.
Thanks,
Prabhakaran R
Hope this helps.
Note to change the properties to fit your system, and use the supported package (JSSE, JRE1.5.......).
You can use URLConnection for both HTTP or HTTPS protocol.
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.*;
import javax.net.ssl.*;

public class testSSL9 {
    public testSSL9() {
        byte[] data = httpConnection();
        // httpConnection() returns null on failure
        if (data != null) {
            System.out.println(new String(data));
        }
    }

    public static void main(String[] args) {
        Properties sysprops = System.getProperties();
        // Register the Sun JSSE provider explicitly, as in the original post
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        // sysprops.put("java.protocol.handler.pkgs",
        // "com.sun.net.ssl.internal.www.protocol");
        sysprops.put("java.protocol.handler.pkgs",
                "javax.net.ssl.internal.www.protocol");
        sysprops.put("javax.net.ssl.trustStore",
                "D:/jdk1.4/jre/lib/security/cacerts");
        sysprops.put("javax.net.debug", "ssl,handshake,data,trustmanager");
        // Proxy settings for HTTPS and HTTP; change to fit your system
        sysprops.put("https.proxyHost", "172.16.0.1");
        sysprops.put("https.proxyPort", "3128");
        sysprops.put("https.proxySet", "true");
        sysprops.put("http.proxyHost", "172.16.0.1");
        sysprops.put("http.proxyPort", "3128");
        sysprops.put("proxySet", "true");
        testSSL9 testSSL91 = new testSSL9();
    }

    private byte[] httpConnection() {
        try {
            URL url = null;
            // String strurl = "https://www.verisign.com";
            String strurl = "https://central.sun.net";
            // String strurl = "http://www.yahoo.com"; --> use: HttpURLConnection
            url = new URL(strurl);
            HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
            HttpsURLConnection.setFollowRedirects(false);
            connection.setDoOutput(true);
            connection.setDoInput(true);
            connection.setUseCaches(false);
            connection.connect();
            InputStream stream = null;
            BufferedInputStream in = null;
            ByteArrayOutputStream bytearr = null;
            BufferedOutputStream out = null;
            try {
                stream = connection.getInputStream();
                in = new BufferedInputStream(stream);
                bytearr = new ByteArrayOutputStream();
                out = new BufferedOutputStream(bytearr);
            } catch (Exception ex1) {
                System.out.println(ex1);
                System.out.println("Server reject connection...sorry");
                // Nothing to read; avoid using the null streams below
                return null;
            }
            // Copy the response body into the byte array
            int i = 0;
            while ((i = in.read()) != -1) {
                out.write(i);
            }
            out.flush();
            stream.close();
            in.close();
            bytearr.close();
            out.close();
            return bytearr.toByteArray();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return null;
    }
}
-
Oracle 9i Web Services Quickstart Install TCP tunneling problem
When I try to run the OTNGUIDGenerator example using the TCP Tunneling portion of the Oracle 9i Web Services Quickstart
Install I get this in the From localhost8900 tunnel window:
<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<ns1:getGUID xmlns:ns1="oracle.otn.ws.emarket.OTNGUIDGenerator" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
</ns1:getGUID>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
I get this in the From 127.0.0.1:8888 window:
HTTP/1.1 404 Not Found
Date: Mon, 28 Oct 2002 20:38:06 GMT
Server: Oracle9iAS (9.0.2.0.0) Containers for J2EE
Content-Length: 171
Connection: Close
Content-Type: text/html
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>Resource /j2ee-web/oracle.otn.ws.emarket.OTNGUIDGenerator not found on this server</BODY></HTML>
This is my webservices stub
public class OTNGUIDGeneratorStub
/** public String endpoint = "http://otn.oracle.com/ws/oracle.otn.ws.emarket.OTNGUIDGenerator"; */
public String endpoint = "http://127.0.0.1:8900/j2ee-web/oracle.otn.ws.emarket.OTNGUIDGenerator";
private OracleSOAPHTTPConnection m_httpConnection = null;
public OTNGUIDGeneratorStub()
System.setProperty("oracle.soap.transport.noHTTPClient", "true");
m_httpConnection = new OracleSOAPHTTPConnection();
Properties props = new Properties();
/** props.put(OracleSOAPHTTPConnection.PROXY_AUTH_TYPE, "basic");
props.put(OracleSOAPHTTPConnection.PROXY_HOST, "proxy.scott.af.mil");
props.put(OracleSOAPHTTPConnection.PROXY_PORT, "375");
props.put(OracleSOAPHTTPConnection.PROXY_USERNAME, "fowlerji");
props.put(OracleSOAPHTTPConnection.PROXY_PASSWORD, "F1234567*g"); */
m_httpConnection.setProperties(props);
Not sure what to call the server - this works okay when I'm not using tunneling and using our proxy server??
I think your problem is that you have a proxy user/password and the TCP Monitor (both the command line and built-in 9.0.3 version) do not support that - they only support specification of the proxy server itself :-(
It is a feature request that I hope will make it into the late spring/early summer release of JDeveloper - I wrote it up as a request based on the number of folks who faced this issue with these tutorials.
Mike. -
Anchor EoIP tunnel problem 5.2
Hi,
we're using two DMZ WLCs for "guest-Access" - one is designated for a Hotspot and one for direct DMZ access. The internal WLC uses the management-interface as interface in the wlan-config, and the internal WLC has all access points directly connected and has the same configuration as the DMZ WLCs, and both SSIDs are active. Between the inside and outside WLCs we have different subnets, routers and also Checkpoint firewall clusters - but no NAT. All WLCs are in the same mobility group.
The problem is that under some conditions the mobility feature hangs up! The internal WLC authenticates the client and gives him full access (including IP) but the client cannot ping or connect to any device behind the EoIP tunnel (in the DMZ). That problem occurs on both DMZ WLCs. On the WCS I can see that there was a short interruption of the anchor tunnels but the alarm disappears. While the client can't forward any traffic, a debug mobility or a mobility ping works fine and shows no problems (a lot of keepalives from all WLCs)! The only way to get the tunnel working for traffic forwarding is to reboot the external WLCs in the DMZ. Rebooting the internal one won't help!
Do you have any information or suggestion what can cause that kind of problem? Is there any debug command where I can detect the problem?
Thanks, Dennis
I am just wanting to verify that all controllers are on the same version of code. A mismatch between an older 5.1 controller or before may result in a problem establishing the tunnel because of the 2 different protocols being used to talk between the AP and the controllers. 5.1 and before is LWAPP; 5.2 and later is CAPWAP, I believe.
-
Reverse SSH Tunnel problem?
I'm trying to do a reverse SSH tunnel for a VNC project. I'm successful when I do it on a Linux box or Cygwin under Windows, but I'm having problems under Mac OS.
Here's what I do:
Terminal 1:
ssh -nNTvvv -R 5500:localhost:5500 -l my_username myhost.com
Then, to see what's going on, I run in terminal 2:
nc -l -p 5500
Then, in a third terminal, I ssh over to myhost.com, and telnet to localhost 5500.
If I initiate this whole setup on other platforms, I can then type stuff in the third terminal and see it echoed happily in terminal 2.
Under Mac OS, everything goes fine until I do the telnet on myhost.com. The diagnostic in terminal 1 is:
debug1: channel 0: new [::1]
debug1: confirm forwardeded-tcpip
debug3: channel 0: waiting for connection
debug1: channel 0: not connected: Connection refused
It's not a firewall issue, as I can telnet directly to port 5500 on the Mac from myhost.com without any problem.
Google gives me no help here. Any ideas?
Thanks!
12" G4 Powerbook Mac OS X (10.4.8)
Figured it out - did a no ip ssh v 2 and hey presto started working
-
I'm trying to simulate a tunnel through a service provider:
I have 3 Routers, which are connected with static routes and are all pinging each other through serial and fastethernet interfaces.
Router 1 and Router 3 are acting as tunnel endpoints. Router 2 is service provider.
Configurations:
Router 1 Loopbacks:
192.168.2.0
192.168.3.0
192.168.4.0
Router 3 Loopbacks:
192.168.13.0
192.168.14.0
Router 1 and 2: 192.168.8.1 255.255.255.252
Router 2 and 3: 192.168.9.1 255.255.255.252
Tunnel is: 10.40.40.1 on R1
10.40.40.2 on R3
Router 1:
Interface Tunnel 0
Tunnel Source: 192.168.8.1
Tunnel Destination: 192.168.9.2
ip route 192.168.9.2 255.255.255.255 192.168.8.2
router eigrp 1
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
Router 3:
Interface Tunnel 0
Tunnel Source: 192.168.9.2
Tunnel Destination: 192.168.8.1
ip route 192.168.8.1 255.255.255.255 192.168.9.1
router eigrp 1
network 192.168.13.0
network 192.168.14.0
After these configurations I see on both routers 1 and 3 the Tunnels are in up/up and I can ping 10.40.40.1 to 10.40.40.2, but no eigrp router are coming up, what is the problem ??? Is the source and destination ip addresses correct, are my ip route statics correct ?? Please help.
Thanks,
Sergei.
After this configuration I see my Tunnel on both Roter
Sergei,
Add the tunnel network into your Router EIGRP 1 statements in router 1 & 3. I believe that should do the trick.
router eigrp 1
network 10.40.40.0 -
VTI Tunnel Bandwidth Statements
What is the proper way to set bandwidth statements on VTI/GRE tunnels over an MPLS network when different locations have different bandwidth capacities?
For example:
Location 1 - DS3 - 44mbps
Location 2 - DS1 - 1.5mbps
Would I put 'bandwidth 1500' on both ends of the tunnel or would I put 'bandwidth 44000' on the DS3 side and 'bandwidth 1500' on the DS1.
Hi Peter,
To my knowledge, bandwidth statement will not restrict the volume of traffic. Instead it is just a parameter used for control plane calculations. If you really want to restrict the volume of traffic flowing over these interfaces, you may have to think of shaping the same.
HTH,
Nagendra -
Hi,
I created an MPLS TE tunnel between three Cisco 2811 series routers and configured that the MPLS TE tunnel will reserve 1Mbps of bandwidth. Then I started to send a constant 3 Mbps data flow through the MPLS TE tunnel (everything looks ok: tunnel is up, bandwidth is reserved, all the data flow entering the tunnel). The problem is that the data flow is leaving the tunnel at a 3Mbps rate. Why doesn't the tunnel limit the data rate?
The tunnel doesn't do rate-limiting. Bandwidth at the tunnel level is only a control plane feature.
You need to configure admission control on the tunnel headend with CAR or some other form of rate limiting if you want to enforce the tunnel reserved bandwidth.
Hope this helps, -
Hello All,
This is Jay Kishan. I work in Pakistan Petroleum Limited as a Network Associate. There is a little problem that I am facing recently. We have a Head Office in Karachi and a Remote Location in Islamabad. We are connecting them with a Primary DXX Link with an active VSAT Backup Link. As soon as the DXX Link goes down the VSAT Link comes up automatically. But the DXX Provider has introduced a few more non-Cisco devices in the middle and now we have to create a tunnel from our ISB 2610 Router to KHI 3661 Router. The reason for creating the tunnel is that we don't want the DXX provider to know our network. But the problem that we have at our hand is that the tunnel never goes down, as the interfaces on both the routers are connected to devices that won't go down. But there can be a problem in some other middle device because of which the link may not work. So the situation is that even when the DXX Link isn't working the tunnel is still up and the VSAT Backup link doesn't come up. So how can I make sure that if the DXX Link stops working the tunnel could sense it and the VSAT Backup link comes up automatically? I will be very much thankful for any sort of help. Thanks in advance.
Regards,
Jay Kishan
PPL
Jay
The GRE keepalive is a very nice feature and it does sound like it would solve your problem. It was introduced somewhat recently (I just looked at the notes and it indicates that it was introduced on some platforms in 12.2(8)T and a bit later on other platforms). What platform are you running this on and what version of code?
The configuration is pretty straightforward:
interface tunnel n
keepalive
and it has optional parameters on the keepalive to specify how many seconds and how many retries.
If your router does not have keepalive as a command under the tunnel interface, then that is a good indication that the version of code that you are running does not have this feature. Would it be worth upgrading code to get this feature?
HTH
Rick -
SSL-Tunneling Problem with Stronghold
Hello,
I installed HTTP-Tunneling between a Java-Client and a WLS 4.5.1SP 13
through a Stronghold-Server using mod_wl_ssl.so.
But when I'm trying to connect via HTTPS (port 443) to the Stronghold, the
plugin is no longer working correctly. I get the following output in the log
of the plug-in:
--------------Begin--------------
========New Request: [GET
/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=634395
5830116743121 HTTP/1.0] =========
Thu Jan 4 18:46:57 2001 Cookie String missing in the Cookie
Thu Jan 4 18:46:57 2001 queryStr =
wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121
Thu Jan 4 18:46:57 2001 The request string is
'/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
55830116743121'
Thu Jan 4 18:46:57 2001 After trimming path:
'/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=63439
55830116743121'
Thu Jan 4 18:46:57 2001 Now trying whatever is on the list;
ci->canUseSrvrList = 1
Thu Jan 4 18:46:57 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
Thu Jan 4 18:46:57 2001 general list: trying connect to 'agni'/7002
Thu Jan 4 18:46:57 2001 Connected to agni:7002
Thu Jan 4 18:46:57 2001 Headers from the client [Accept]=[text/html,
image/gif, image/jpeg, *; q=.2, */*; q=.2]
Thu Jan 4 18:46:57 2001 Headers from the client [Host]=[sbcipx:443]
Thu Jan 4 18:46:57 2001 Headers from the client [User-Agent]=[Java1.2.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Accept]=[text/html,
image/gif, image/jpeg, *; q=.2, */*; q=.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Host]=[sbcipx:443]
Thu Jan 4 18:46:57 2001 Sending header to WLS [User-Agent]=[Java1.2.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[X-WebLogic-Force-Cookie]=[true]
Thu Jan 4 18:46:57 2001 Sending header to WLS [WL-Proxy-SSL]=[true]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[Proxy-Client-IP]=[192.168.17.116]
Thu Jan 4 18:46:57 2001 Sending header to WLS
[X-Forwarded-For]=[192.168.17.116]
Thu Jan 4 18:47:12 2001 sysRecv failed, return val = [0] errno=0
errmsg=[Error 0]
Thu Jan 4 18:47:12 2001 Error reading WebLogic Response from agni:7002
Return Value = -1
Thu Jan 4 18:47:12 2001 Marking agni:7002 as bad
Thu Jan 4 18:47:12 2001 Got FAILOVER response from sendRequest... will
retry
Thu Jan 4 18:47:12 2001 Attempting a connect with the forceCookie bit
turned ON : [1]
Thu Jan 4 18:47:12 2001 Now trying whatever is on the list;
ci->canUseSrvrList = 1
Thu Jan 4 18:47:12 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
Thu Jan 4 18:47:12 2001 Request timed out after 10 seconds
Thu Jan 4 18:47:12 2001 Redirecting the error response to the errorPage =
[http://www.finance.ch]
Thu Jan 4 18:47:12 2001 r->status=302 returning 0
Thu Jan 4 18:47:14 2001
---------------End
Any ideas what I didn't configure correctly for the stronghold/plug-in/WLS?
Thank you
Remo
As far as I know, HTTPS-Tunneling through NES, APACHE, and IIS
is not supported. You can setup HttpClusterServlet to do HTTPS-
Tunneling.
Jong