WISM and NAC OOB/ Client in a different WLC problem

Similar Messages

• Several clients in CRM PCUI.  Problems reusing the same iView for ValueHelp

  Hi, all:
    We are implementing a new scenario with PCUI (based on Case Management) and using the client number 400.
    The problem is that this is the second scenario because there is an already customized scenario using client 200 of the CRM server and the same EP.
    These are the symptoms:
  a) Launching the application from the SAP_GUI (like a CRM BSP Application) the main screen and the value helps (pop-up windows) are working correctly.
  b) Launching the application from a newly create BSP iView, the main screen appears correctly; but the pop-up windows are not working.  These are the issues i have seen:
  1.- The system object with the system alias SAP_CRM points to client 200.
  2.- The iView that is called when the value help is clicked has the value SAP_CRM as the system alias.  And it is accessing client 200 even thought the URL parameter sap-client=400 is passed to it.
  I tried a workaround copying standard iView located in:
  pcd:portal_content/com.sap.pct/specialist/com.sap.pct.crm/com.sap.pct.crm.roles/com.sap.pct.crm.core.defaultservices/com.sap.pct.crm.core.valuehelp
  to another location in Portal Content and changing the parameter system alias to SAP_CRM_400 (which is a correct system object pointing to client 400).  But i don't know how to configure the search to use this iview instead of the standard one.
    Can anyone help me with this workaround or with other solution to this problem?
  Thank you,
  Fran
  Edited by: Francisco Javier Rodríguez Nieto on Apr 15, 2009 9:13 AM

  Saurabh,
  If you have added your field through the EEW you can follow my weblog to add them to the PC-UI application: https://www.sdn.sap.com/sdn/weblogs.sdn?blog=/pub/wlg/2040. [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] [original link is broken] If you are missing something and/or something is unclear let me know and I will update this BLOG and help you solve your issue. Tiest.

• NAC OOB and 6500 in Virtual Switch Mode

  Is there any issue or special care to implement NAC OOB in Central Deploy, VGW, using AD SSO for wired clients where the Core Switch is a pair of 6500 in Virtual Switch Mode?
  The customer uses Radius IAS for authentication. How does it fit with the AD SSO?

  Hi Bruce,
  I am afraid there are some arguments missing in your db command.
  To manually add the OID of  Cat4507R+E to CAM's database here is the  procedure to do this.
  [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "INSERT INTO supported_switch VALUES ('1.3.6.1.4.1.9.1.1286', '4', 'Cisco Catalyst 4507 R+E')" INSERT 0 1
  psql: warning: extra command-line argument "INSERT" ignored
  psql: warning: extra command-line argument "0" ignored
  psql: warning: extra command-line argument "1" ignored
  INSERT 0 1
  Then to make sure it is there:
  [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "SELECT * FROM supported_switch" | grep 1286
  The output should be:
  1.3.6.1.4.1.9.1.1286      |     4 | Cisco Catalyst 4507 R+E
  Restart perfigo service on NAC Manager and try to manage the switch  using the model used by the above command.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Macintosh clients, 802.1x and NAC.

  I'm prototyping a NAC setup which has to cater for Macintosh clients as well as Windows. I can get the Macs to authenticate via 802.1x (surprisingly easy using the built in software!) but what I can't do is setup a Posture Validation Rule to identify that the client is a Mac and not a Windows machine. I've tried using the Cisco:PA:OS-Version condition set specifying "contains" MAC. I've also tried "contains" 10 but it doesn't work. I think it probably doesn't work as the condition set depends on the CTA being installed on the Mac which it isn't (and it's not an option either).
  EDIT: Anyone tried installing the CTA on a MAC? It's horrific. Extract the files and run the install, OK so far. It then puts the config ini file in a directory no user (not even Admins) has permissions to so you can't modify it and BOY do you need to modify it!
  Any ideas?

  I'm on the home straight with this one. Essentially to get the CTA to work using the built in 802.1x supplicant on Windows or MacOS you need to run a mix of NAC L2 IP and NAC L2 802.1x. This requires a little extra config on the switch but nothing tragic (it's all in the (NAC Framework Configuration Guide).
  The reason for this is that the CTA requires a network channel to be open so it can run EAP over UDP (EOU) to do posture validation and the 802.1x part of the process gets the machine onto the network so the CTA can do it's stuff.
  With this setup in place and the CTA properly configured (as mentioned previously this is the permissions setup on the Mac created by the CTA install makes this far more difficult than it should be) the process works pretty well, popup messages work, browser launch and URL redirection work. Looks good.
  The fly in the ointment is wireless. The freebie CTA doesn't support it, no way. For a PC the answer is to buy the Cisco Secure Services Client which does support wireless and (I think) run that alongside the CTA (haven't fully worked this one out yet). If you have a wireless Mac, you're stuffed, Simple as that, which from my point of view is a real pain as the customer I'm developing this for wants posture validation for PCs and Macs, wired and wireless.
  Hope this helps someone somewhere avoid a little pain! : )

• NAC - OOB - Virtual IP - users lost connecti

  Hi.
  So my problem is the follow:
  I have i my customer a NAC OOB - Virtual Ip Gateway.
  So, we have a many port profiles. Each Port profile witch its own authentication vlan and access vlan, for example:
  TI -  auth vlan 585 -  access vlan 85
  ENGINEERING - auth vlan 586 - access vlan 86
  And works very very fine.
  BUT
  There is a common location called PLATFORM (auth vlan 587, access vlan 87) where, to put port profile on each User interface on the switch after 20 minutes or less, the machines that are on this profile (VLANs 587, 87) lose network connectivity, without bounce.
  I checked and, some machines for no reason, are changed to vlan authentication without snmp Linkdown and even get stuck in with User certifield device list.
  Other machines remain in vlan access, but lose all connectivity to the network without ping gateway and any other device.
  Another vlan (for ex: vlan 1) that is not controlled by NAC continues to communicate normally.
  I tried to see any logs on the switch but could not see anything abnormal (yet).
  Other locations with others port profiles work normally.
  The uplinks on this switches and interfaces users dont have any CRC or errors.
  Could anyone help me? This is causing problems in my account.

  Hi,
  I understand then that the clients are not connecting through local or SSO mode, is that correct?
  I would suggest 3 things so far:
  1. Check the logs on the switches where the CAS's are connected, I had a similar problem where CAS would stop responding and the switches would complain about vlan mismatch or mac flapping, if you notice errors on the switches verify that you have:
  * Vlan mapping enabled correctly
  * Different native VLAN on the switch interface for trusted and untrusted CAS ethx.
  * The correct vlans configured on each port: for untrusted just the authentication (layer 2) vlans, for trusted interface the access vlan (20) and the management vlan.
  2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.
  3. On the CAM go to the Clean access server section, manage one of your CAS's, the first window will show the services currently running on the CAS, verify if the SSO service is running, if it's not running, verify the configuration. If it's not allowing you to enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.
  Hope this helps,
  Regards,

• After adding 2nd WiSM and failing over AP's some apps don't work

  We have a dual core made up of 2 6513's. In 6513#1 we have WiSM#1 which we have had for sometime now. We have added a 2nd WiSM in 6513#2 for redundancy purposes also we are going to be re-configuring the WiSM in 6513#1 to more match that of the new WiSM in 6513#2. We have installed the new WiSM and failed over the AP's from 6513#1 so we can re-configure it's WiSM. The failover went great and no issues, with the exception that a web application or two didn't function from wireless clients and users were having issues getting to some mapped drives. The only difference from the new WiSM config vs the old WiSM is that on the old WiSM the AP's were in the same VLAN as the controller management interfaces. Now with the new WiSM it's configuration has the controllers AP mgt interfaces ip addresses in a different VLAN from the AP's, we are doing this based on Cisco best practices. If we revert the AP's back to the original WiSM/controllers the PC's where they are on the same vlan/subnet the applications and shares that were having issues the other way work. We have placed a call with Cisco TAC and they say our configs look good and we even sent them some packet captures and they said everything looks normal. The wireless clients can ping and resolve the server hosting the application database just fine.
  Thanks

  We did create the mobility groups, and we are using DHCP opt 43. The AP's find the 2nd WiSM#2 just fine and associate to the controllers and all the WLAN's work just fine. The only issue is that after the AP's are on the new WiSM and controllers there is an application or 2 that is having trouble locating it's database server and that some share's are not working. Again the only difference in this new setup in that now the AP's are on a different subnet/vlan from the controller mgt addresses where as before they were in the same subnet/vlan and the application and shares worked fine. It's almost like it is a bit of a routing issue?
  Thanks

• NAC OOB VIRTUAL GW PROBLEM

  Hi,
  I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
  Switch: 3550 (ios 12.2(46) adv ip serv)
  NAC 4130 appliances: v4.1.6 (also tried v4.5)
  Switch Configuration of the trunks to the CAS):
  - int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
  - int f0/21 (connected ro CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
  - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
  The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
  - Login Page
  - Configured IP based traffic control on the unautheticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)
  - Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
  - vlan mapping between untrusted vlan 100 and trusted vlan 10
  - tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
  - also tried to access the cas' login page from the host with vain, eventhough it is accessible from trusted subnets
  Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
  I would be very thankful for any hints to help me solve this issue.
  Questions: When the host is connected to a managed host (assigned to the managed vlan 100) and it is assigned an ip from the a access vlan 10. Shouldn't I be able to access the managed subnet case I configured ip traffic control policy to permit all traffic from untrusted to trusted? also shouldn't I be able to resolve website's ip with "nslookup x.com" since dns traffic is by default configured and also trusted dns server 192.168.99.1 is configured?
  Thanks in advance for any help.

  It arised to be that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
  Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
  For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
  Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
  For further details, refer to switch IOS caveat CSCdu27506:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
  See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
  Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
  Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
  Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
  Cisco Catalyst Switch Model Virtual Gateway
  Central Deployment
  (both interfaces into same switch) Edge Deployment
  (each interface into different switch)
  6000/6500 Yes Yes
  4000/4500 Yes Yes
  3750/3560 (L3 switch) Yes with 12.2(25) SEE and higher 1
  Yes
  3550 (L3 switch) No 1
  Yes
  3750/3560 (L2 switch) Yes Yes
  3550 (L2 switch) Yes Yes
  2950/2960 Yes Yes
  2900XL No 2
  Yes
  3500XL Yes Yes
  28xx NME Yes with 12.2(25) SEE and higher 1
  Yes
  1 Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
  2 2900 XL does not support removing VLAN 1 from switch trunks.

• NAC OOB problem - moving users between ports

  Hi,
  I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it remains stuck in the auth VLAN. It seems that NAC doesn't detect the new port correctly.
  This is what I did to replicate the issue, in detail:
  1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to auth VLAN and authentication and posture assessment are performed.
  2) The computer passes both, and the port is changed back to the designated Access VLAN. OOB user appears in the Online Users list, and the computer is added to the Discovered (Wired) Clients list. All the detailed information on both pages is correct.
  3) The computer is disconnected. OOB user is removed from the Online Users list, but the computer remains in the Discovered Clients list.
  4) The computer is connected to port 'b' on switch 'B' (B[b]). It is automatically changed to auth VLAN and authentication and posture assessment passes successfully one more time. However, the information in the Discovered Clients list is not updated and, moreover, OOB user appears once again in the Online Users list - but the specified location is port A[a]!
  The end result is taht the computer remains stuck in the Auth VLAN and NAC Agent Authentication dialogue keeps popping out.
  I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all user and client information, and the result was pretty much the same...
  Thanks,
  Boris

  Faisal,
  The configuration includes the following lines (on both switches I used for access):
    snmp-server community *** RW
    snmp-server community *** RO
    snmp-server trap-source Vlan2 (management subnet)
    snmp-server location 10.0.0.101 (NAM IP address)
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move threshold
    snmp-server host 10.0.0.101 version 2c cisco  mac-notification snmp
  Also, NAC added the following line on monitored interfaces:
    snmp trap mac-notification change added
  Is this all that is required to send MAC-change and MAC-move traps?
  I captured SNMP traps with a 'tcpdump' on the NAM and I can confirm it receives traps from both switches, with correct source IP addresses. I will try to look into a "raw" dump to see the exact traps it received...
  Regards,
  Boris

• L2 OOB and L3 OOB at the same time

  Can you run L2 OOB and L3 OOB at the same time?
  I have a core 6509 and it is trunked to access layer switches “ 4506 and 2960s”.
  The problem is that I am installing a 3845 router” off the 6509” to act as a hub for crypto tunnels. The spokes will be 2821 routers with 2960 switch on its own subnet that requires routing not L2.
  Could someone provide a good example of configuration? Most confused with the CAS.
  In the above need do I have E0 and E1 in different VLANS with different IP's.
  Using a 10.x.x.x /24 private address network.

  Yes you can run layer 2 and layer 3 in other words client adjacency is 0 hops from cas in respect to the 6509 and multi hops in respect to the 2960 switches at the remotes.
  Unfortunately its not as simple as providing you a working config getting this set up is usually a 1 week process for most cisco partners.

• NAC OOB Configuration

  Hi!
  I'm implementing an NAC oob solution. tTe CAS and CAM are in the Data-center on an remote network, and i need to control the vlan's that my users access on my remote sites.
  How do i make them authenticate on the remote CAS? (the Cas is on an remote network)
  TKX
  Miguel

  Hi,
  Well, it looks like you are starting now, so I would advise to get in touch with the OOB concept and guidelines:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
  You have L2/L3 mode.
  You have OOB/InB mode.
  You have Real-Ip/Virtual gateway mode.
  You have 2 main VLANs for the clients: authentication (untrusted) and access (trusted) vlans.
  The goal is to make the client fall into the auth vlan prior to login, and the traffic flow through the CAS so that the CAS can permit/deny the client from passing traffic.
  You have also, nice chalk-talks where you can see VODs explaining the steps for configuring several features/deployments:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Remote App and Desktop RDP client never succeed to logon the RDS gateway server running Windows 2012R2

  Remote App and Desktop RDP client never succeed to logon the RDS gateway server running Windows 2012R2
  1. Client Os : Windows 7 Pro
  2. Server OS : Windows Server 2012R2 with RDS broker and RDS Gateway server with 3.part Certificate  with friendly name sky.mti-itservice.no activated.
  The  main problem is following: The RDP logon session never ends
  Any ideas ?
  Regards
  Kenneth Knudsen
  Email : [email protected]
  mvh Kenneth Knudsen MCSE 2003 HP ASE

  Hi Kenneth,
  Here for your case suggest you to configure RDP session time limit so that your user can disconnect\log off once the specific time limit reached.
  You can setup the session time limit in different method.
  1. Open the Server Manager, select Remote Desktop Services.
  2. In Remote desktop Services, in right side you can drop down to collections.
  3. Select the collection which you want to edit the settings.
  4. Under collections Properties, select Task and then Edit Properties.
  5. In Properties dialog box, select Session.
  6. You can find all thetimeout settings under session collection properties; edit according to your requirements and then OK. 
  And apart also by group policy setting as below.
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits 
  User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits 
  -  Set time limit for disconnected sessions
  -  Set time limit for active but idle Remote Desktop Services sessions
  -  Set time limit for active Remote Desktop Services sessions
  -  End session when time limits are reached
  Please check which setting suitable for your environment and you can apply for your case.
  [Forum FAQ] Restrict number of Active Sessions in RDS 2012 and 2012 R2
  https://social.technet.microsoft.com/Forums/en-US/00c2252b-8ec0-489f-8da2-07a434a9b5a2/forum-faq-restrict-number-of-active-sessions-in-rds-2012-and-2012-r2?forum=winserverTS
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• How do I use pots on my client machine to change values, from the field, on my server machine and all other client machines?

  I am using Lookout 4.5, build 12, and I am having a problem concerning pots. I have data tables created for the different size sewer stations my system monitors. For each station, there are setpoints for starting and stopping of the pumps. I want to be able to change the setpoints for a station on the client file using a pot and have it change on all other machines running Lookout. I did this in 3.8 using DDE, but I don't want to use DDE anymore.
  I created a pot on the client file and URL'ed it to a pot on the server. On the server I created a table with a generic member "A" named "Lead Setp" and then created a member "A1" named
  "C5_1LeadSetp" then a member "A2" named "C3_1LeadSetp" and so on....
  In this table I connected the generic member "A" to the Pot I created on the server, and I connected A1 to its corresponding setpoint signal coming in from the field.
  On the client file I connected (in the table similar to the one on the server but with all signals for the station) the "A1" member to the setpoint signal coming in from the field, and I connected the "A" member to the Pot I created on the client file which is URL'ed to the pot on the server file.
  But, when I change the value of the pot on the client file, only the pot on the server and the "A" member in the table on the server change to the value of the pot on the client. The "A1" member whose screen I am changing the values from on the client does not change! This is the last thing I have to do and my file will be completely converted to 4.0. Does anyone have any ideas?
  Thanks for any responses..
  GBWY
  Jason
  Jason Phillips

  Hi Jason,
  If I understood your task correctly, you want to change the Setpoints on the Server DataTable using Pots from different clients. And also reflect these changes on the clients locally.
  You correctly remoted the Pots on the Clients to the corresponding Pots on the Server. However, you do not need tables on your clients. All you need is Expressions on each client to the particular cell of the Clients.
  So, to summarize: On the Server, the Pots write to the DataTable. And since the Pots on the Clients are remoted to these Pots on the Server, you can affect any change using these Pots. Because of the common remote source (Server Pots, i.e.) all of these Pots will always be in sync. Finally, to get the Setpoints on the Clients, just insert Expressio
  ns to the Server's DataTable.
  I am attaching a simple example (exmpl.zip) which does this. There are three processes -- My_Server, My_Client1, and My_Client2. I had them setup on the same machine so the paths are all process relative, but you can always change those to computer relative or absolute and move the client processes to diff machines.
  Hope this helps.
  Rgds,
  Khalid
  Attachments:
  exmpl.zip ‏12 KB

• Client in a different machine..

  Hi,
  I ve a problem with JMS. I am developing a JMS Application with WebSphere and MQ Series.
  The application runs fine if i have the both the publisher and subscriber in the same machine.
  Now i want to move the client to a different machine say X. To do that should the machine 'x' need to have WebSphere environment because i'm using WebSphere for JNDI.
  If the machine doesnot have the WebSphere environment is it possible to achieve.
  If yes how to do that..
  Thanks
  MeenaO

  I think the jndi service can be accessed froma remote m/c, you can initialize the context with the appropriate paramters, so the lookups on the topic and connection factories and continue with your work.

• WLC 5508 , AP client dhcp address different from WLAN interface VLAN subnet?

  Hope the title makes sense, here's my situation: I have multiple businesses on 1 WLC 5508, there's a LAG to my core switch with seperate interfaces for each, broken up by vlans.
  My question is: if i have a WLAN setup to use interface "Company A" which is vlan 10 with an ip of 10.0.1.5 which then points to 10.0.1.10 for dhcp.
  Can the WLAN client connecting to the Company A WLAN use an IP in a different IP range?(192.168.1.10?) can the wlc route? from the perspective of the DHCP server where doers the request come from? (10.0.1.5?)
  Can the DHCP server 10.0.10.10 on vlan 10 respond back with and ip on a different subnet to assign to the client to use and still be fully fonctioning? would the default gateway for the client need to be 10.0.1.5?  So the clients ip would be 192.168.1.10 /24 with a gateway of 10.0.1.5 (ip adress fo vlan10 interface on WLC) And if multiple clients on the same subnet wanted to talk to each other woudl the WLC know how to route them to each other without passing through the default gateway?
  Sorry if this is confusing I'm having a bit of a hard time explaining it in works, i can try and draw somethign up if it makes more sense.
  thanks
  Eric

  I think if you want these clients to stick to a WLAN configured on a VLAN that has a different IP addressing you could configure your VLAN with the normal IP addressing then add on the SVI the 2nd IP_Class_default_gateway.
  E.G.
  Vlan 10
  interface vlan 10
  ip address 10.0.10.1 255.255.255.0
  ip address 192.168.1.1 255.255.255.0 secondary
  Clients that receive IP address from 192.168.1.0/24 network will be able to reach 192.168.1.1 and all traffic will pass right.

• Error is STMS when import client from 2 different system

  I have two system in same landscape, system 1 is production with system ID : SEP, system 2 is develop with system ID : SED (is Domain Controller),
  system 1 & 2 in same domain with Domain Controller : DOMAIN_SED in STMS
  And then, I exported client 800 on production system (system 1) with profile SAP_EXPA
  and I have 3 request : KO00189.SEP ; KT00189.SEP ; KX00189.SEP (cofiles) and RO00189.SEP ; RT00189.SEP ; RX00189.SEP (data)
  I copied 3 request above into system 3 (system 3 is different landscape with 2 system above and i setup system 3 at different location, so called backup system. System 3 is setup with system ID: SED and Domain Controller DOMAIN_SED too)
  Then i imported client 800 into system 3
  and i have an error in system 3 : System unknown in Transport Management System
  Please help me ...
  Thanks all

  hi Shanker !
  after reset user TMSADM -> connection not change -> connection work OK
  i tried it but error remaining
  Information extra :
  system 3 is a physical system with Domain Controller : DOMAIN_SED ****** SID : SED and  extra setup a virtual system as SEP on system 3
  I configured tranport route from SED to SEP, so error "System unknown in Transport Management System" no longer
  but arise new error "Error occurred in SED TMS communication"
  Information extra error "Error occurred in SED TMS communication" when import request :
  Error occurred in SED TMS communication
  Message no. XT149
  Diagnosis
  An error occurred in the TMS communication layer of the following SAP system:
     System: SED.DOMAIN_SED(000)
     Function: TMS_CC_READ_CCCFLOW_OF_TRKORR
     Error: SERVICE_NOT_AVAILABLE ()
  System Response
  The function terminates.
  Procedure
  Check your transport control station configuration with transaction STMS.
  thanks all
  I hope error to solve soon .....