XI Replaying Messages
Hi,
Just after a bit of advice.
Theoretical scenario is :
Unrecoverable system failure in the ERP system during batch window means that we have to recover to last backup which was taken immediately prior to the batch run. I therefore need to replay all integration points including anything that has come through XI. Replaying files shouldn't be a problem as they would have been archived. However, how do I replay other messages originating via SOAP, HTTP etc. that were previously marked in XI as successful?
Anyone know of any papers out there that have touched on XI restore, recovery and, more specifically to me, 'replay' strategies?
Thanks
Nigel
Hi Michal,
Thanks for the reply. It's very useful and I can see its use in both a development environment and as an ad-hoc utility in the production environment when you need to reprocess a single message.
However I think the very nature of the multiple steps you have to go through for each message makes it unsuitable when you need to process potentially hundreds of messages.
Anyone out there have any other more bulk oriented solutions.
Thanks
Nigel
Similar Messages
-
1522 MAP through 1042 RAP not working
I'm trying to mesh a 1522 MAP through a 1042 RAP but this doesn't work. I get strange messages on the trap log:
1 Mon Mar 26 18:40:19 2012 Mesh child node 'f0:25:72:d9:69:6f' has changed its parent to mesh node '58:35:d9:c6:60:10' from mesh node '58:35:d9:c6:60:1f'.
...
3 Mon Mar 26 18:37:13 2012 Mesh child node 'f0:25:72:d9:69:6f' has changed its parent to mesh node '58:35:d9:c6:60:10' from mesh node '58:35:d9:c6:60:10'.
4 Mon Mar 26 18:34:00 2012 Mesh node 'f0:25:72:d9:69:6f' has changed its parent 5 times in last one hour.
5 Mon Mar 26 18:34:00 2012 Mesh child node 'f0:25:72:d9:69:6f' has changed its parent to mesh node '58:35:d9:c6:60:10' from mesh node '58:35:d9:c6:60:1f'.
6 Mon Mar 26 18:33:44 2012 Mesh child node 'f0:25:72:d9:69:6f' is no longer associated with mesh node '58:35:d9:c6:60:10'.
9 Mon Mar 26 18:30:33 2012 Mesh child node 'f0:25:72:d9:69:6f' has changed its parent to mesh node '58:35:d9:c6:60:10' from mesh node '58:35:d9:c6:60:1f'.
...
12 Mon Mar 26 18:27:27 2012 Mesh child node 'f0:25:72:d9:69:6f' has changed its parent to mesh node '58:35:d9:c6:60:10' from mesh node '58:35:d9:c6:60:1f'.
... etc ...
30 Mon Mar 26 18:08:48 2012 Mesh child node 'f0:25:72:d9:69:6f' has changed its parent to mesh node '58:35:d9:c6:60:10' from mesh node '58:35:d9:c6:60:10'.
If I debug the 1042 I also see "... has 1 AES-CCMP TSC replays messages..."
Any ideas?
I have some 1522 MAP meshing through 1142 working fine on same 5508 controller version, I think there are few differences between 1042 and 1142.
Update:
Doing some more testing in my lab I discovered that the problem is the 1522 is not upgrading version through 1042, neither through 1142. Once the upgrade version process is done the 1522 MAP works fine through the 1142 RAP.
As I don't have physical access to the 1522, is there any way to upgrade the version through wireless? -
Example using of getMessage(s) with JMS error queues?
Hi,
I'm cobbling together various tools for easier management of replaying messages left in error queues and the likes, and whilst I've got messages being moved around the place on demand, I can't make any progress using getMessage() and getMessages() to print out vital statistics of a message / all the messages in a queue, including hopefully ripping out excerpts of the XML payload in them. Can someone provide / point me to an example of these being in use? I can get a successful execution of getMessages() but am unsure what to really do next with the object returned, how to iterate through and such.
Thanks
Chris.

Hi Chris,
There are open source solutions for message management. In particular, you might want to investigate Hermes:
http://blogs.oracle.com/jamesbayer/2008/01/hermes_jms_open_source_jms_con.html
As for browsing messages via getMessages(), here's a code snippet. Note that one should never attempt to get too many messages at a time via "getNext()" -- instead call getNext() multiple times. Otherwise, if there are too many messages, the client or server might run out of memory.
# create a cursor to get all the messages in the queue
# by passing 'true' for selector expression,
# and long value for cursor timeout
cursor1=cmo.getMessages('true',9999999)
# get the next 5 messages starting from the cursor's
# current end position
# this will adjust the cursor's current start position and
# end position "forwards" by 5
msgs = cmo.getNext(cursor1, 5)
# print all the messages' contents
print msgs
# get 3 messages upto the cursor's current start position
# this will adjust the cursor's current start and end position backwards by 3
# this will the current position of the message by 1
msgs = cmo.getPrevious(cursor1, 3)
# print all the messages' contents
print msgs
Finally, here's code based on public APIs that can help with exporting messages to a file. It uses Java, not WLST. I haven't tested it personally. I'm not sure if there's a way to do this in WLST.
/**
 * pseudo code for JMS Message Export operation based on
 * current implementation in the Administration Console
 */
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStreamWriter;
import java.io.BufferedWriter;
import java.io.Writer;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import weblogic.apache.xerces.dom.DocumentImpl;
import weblogic.apache.xml.serialize.OutputFormat;
import weblogic.apache.xml.serialize.XMLSerializer;
import weblogic.management.runtime.JMSDestinationRuntimeMBean;
import weblogic.management.runtime.JMSDurableSubscriberRuntimeMBean;
import weblogic.management.runtime.JMSMessageManagementRuntimeMBean;
import javax.management.openmbean.CompositeData;
import weblogic.jms.extensions.JMSMessageInfo;
import weblogic.jms.extensions.WLMessage;
import weblogic.messaging.kernel.Cursor;

// LOG is the enclosing class's logger; it is not defined in this snippet.
public void exportMessages(
    String fileName,
    JMSDestinationRuntimeMBean destination
    /* or JMSDurableSubscriberRuntimeMBean durableSubscriber */,
    String messageSelector) throws Exception {
  BufferedWriter bw = null;
  try {
    File selectedFile = new File(fileName);
    if (destination == null /* or durableSubscriber == null */) {
      throw new IllegalArgumentException("A valid destination runtime or durableSubscriber runtime mbean must be specified");
    }
    JMSMessageManagementRuntimeMBean runtime = (JMSMessageManagementRuntimeMBean) destination /* durableSubscriber */;
    bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(selectedFile), "UTF-8"));
    String xmlDeclaration = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
    String exportStart = "<JMSMessageExport>";
    final String exportEnd = "</JMSMessageExport>";
    final String indent = " ";
    bw.write(xmlDeclaration);
    bw.newLine();
    bw.write(exportStart);
    bw.newLine();
    bw.newLine();
    bw.write(indent);
    CompositeData[] messageInfos = null;
    OutputFormat of = new OutputFormat();
    of.setIndenting(true);
    of.setLineSeparator("\n" + indent);
    of.setOmitXMLDeclaration(true);
    XMLSerializer ser = getXMLSerializer(bw, of);
    String cursor = JMSUtils.getJMSMessageCursor(runtime, messageSelector, 0);
    // page through the cursor 20 messages at a time to bound memory use
    while ((messageInfos = runtime.getNext(cursor, new Integer(20))) != null) {
      for (int i = 0; i < messageInfos.length; i++) {
        JMSMessageInfo mhi = new JMSMessageInfo(messageInfos[i]);
        Long mhiHandle = mhi.getHandle();
        // need to get the message with body
        CompositeData m = runtime.getMessage(cursor, mhiHandle);
        JMSMessageInfo mbi = new JMSMessageInfo(m);
        WLMessage message = mbi.getMessage();
        ser.serialize(message.getJMSMessageDocument());
        messageInfos[i] = null;
      }
    }
    bw.newLine();
    bw.write(exportEnd);
    bw.flush();
    bw.close();
    runtime.closeCursor(cursor);
    LOG.success("jms exportmessage success");
  } catch (Exception e) {
    try {
      if (bw != null)
        bw.close();
    } catch (IOException ioe) { }
    LOG.error(e);
    LOG.error("jms exportmessage error");
    throw e;
  }
}

// serializer that always preserves whitespace in text nodes
private XMLSerializer getXMLSerializer(
    Writer writer,
    OutputFormat of) {
  return new XMLSerializer(writer, of) {
    protected void printText(
        char[] chars,
        int start,
        int length,
        boolean preserveSpace,
        boolean unescaped) throws IOException {
      super.printText(chars, start, length, true, unescaped);
    }
    protected void printText(
        String text,
        boolean preserveSpace,
        boolean unescaped) throws IOException {
      super.printText(text, true, unescaped);
    }
  };
}

// helper called above as JMSUtils.getJMSMessageCursor
public static String getJMSMessageCursor(
    JMSMessageManagementRuntimeMBean runtime,
    String selector,
    int cursorTimeout) throws weblogic.management.ManagementException {
  return runtime.getMessages(
      selector,
      new Integer(cursorTimeout),
      new Integer(Cursor.ALL));
}
Hope this helps,
Tom -
JMS (bea 9) redelivery does not work ?
I'm a bit at a loss. Any help is therefore welcome.
I am using Bea 9 and Java 1.5.
I have a MDB bean that attempts to transmit data to a foreign site via ftp. When it fails to transmit files, it errors and the message's content (a file) that I attempted to send to remote system is rolled back. I have set the redelivery count to -1 and the redelivery delay to 1 minute. After a minute, the message is replayed and this as long as the bean is unable to transfer the file. This is what I wanted to do. And all is fine.
But...
If I stop the server while messages are waiting to be redelivered and then launch the server again just after, then the server only replays 2 or 3 messages (or 2 or 3 times the same message) and then stops replaying messages which should be redelivered every minute. New messages sent to the bean are also not presented to the bean. Everything seems frozen as far as this bean is concerned.
But, if I look at the console and display the monitoring info of this MDB after a restart, I read :
Beans In Use Count 0
Waiter Current Count 0
Timeout Total Count 0
Access Total Count 2
Destroyed Total Count 2
Connection Status Connected
Destination FtpQueue
JMS Client ID
Status running
Last Exception java.lang.Error: com.mycompany.FtpException: Could not connect to server ftpsrv2
It is "running"...
Any ideas ?
Thanks in advance for any tips.
P.Z.

Hi,
Redelivery delays themselves are not persisted - messages that are subject to a redelivery delay should be immediately redelivered if their host JMS server is shutdown and restarted.
MDBs that are causing rollbacks/recovers have a built in pause/retry algorithm that causes them to automatically shutdown after a certain number of failures and then restart after an interval. The purpose is to prevent failing MDBs from running in a tight loop. The MDB edocs provide a bit more detail.
If this doesn't help, I have some questions that might help narrow down the problem:
-- Are the messages persistent?
-- Is the JMS server running on the same server as the MDB? If not, which server are you stopping?
-- How are you stopping the server?
-- What do the pending and current counts look like on the destination?
-- Are you using the "unit-of-order" feature?
Tom Barnes
WebLogic Messaging Developer Team -
How can MDB send back a feedback to the client?
Hi colleagues, I have made a client which sends a text message to a MDB. Before sending, I have created a queue for reply messages and I have this piece of code:
txtMsg.setJMSReplyTo(replyQueue);
msgID = txtMsg.getJMSMessageID();
qReceiver = qs.createReceiver(replyQueue);
qSender.send(txtMsg);
qc.start();
receivedMsg = (TextMessage) qReceiver.receive();
So the question is, how to send back from the MDB to the client a message if I already have this code in the MDB:
String msgID = msg.getJMSMessageID();
Destination destination = msg.getJMSDestination();
String txtMsg = ((TextMessage)msg).getText();
String sender = (String) ((TextMessage)msg).getObjectProperty("JMSSender");
I wanna send back for example, the messages' ID.
thanks in advance!

I thought MDBs did not have clients.

An MDB can have pretty much whatever it wants :). It's a very common requirement for an MDB to talk to a database, talk to an EJB or send new messages to some destination or combinations of all of those things.
James
http://logicblaze.com/ -
Hello
I just watched a strange thing - there is basic MPLS connection between PE1 <-> P <-> PE2 Router and I sniff outgoing messages from PE1 in this scenario. MPLS is enabled global with "ip cef" and also on all interfaces with "tag-switching ip" command - nothing else.
Now, if I ping from PE2 to PE1, then I didn't notice any MPLS messages at all - for ICMP echo request messages this is ok, because (last) P-Router pops the label, but why is there no label on ICMP echo reply messages? If I send out some message from PE1, then this message is tagged, but not in case of reply message.
I'm a bit confused about it
thanks

Hi Dmytro,
When you trigger ping from PE2, it will be sent with source address as outgoing interface address which in this case will be the address on link connected between PE2 and P. This address will be advertised by P to PE1 with label 3 which means to pop.
So when PE1 replies, it sends without any label. This is expected.
As Ivan suggested, can you try pinging between loopback addresses? This will get you an ICMP reply pkt with label imposed in your sniffer capture.
HTH,
Nagendra -
How to give the reply to service desk messages
Hi Gurus,
I configured the service desk, now I am able to see the satellite system messages in crm_dno_monitor, but how can I give the reply to the message? Please help me.
cheers

Hi Gopal Rao,
As per your Message I came to know that you want to send a reminder / reply to the message creator (Key User) about the Status of the Message he created.
If you are looking for the above then you need to create a smartform (mail form) and assign it to the action definition as smart mail.
In the T.code SPPCADM go to the Application and the action profile - Action definition - E-mail to Msg Creator - Processing Type - Smart Forms Mail form Name: CRM_SLFN_ORDER_SERVICE_01 (Standard). Copy the mail form as per your requirements (T.code SMARTFORMS), make changes and save it, and assign it in the above said action definition with the condition.
Hope this will address your message.
Regards,
44040 -
I have been playing the video replays from Lone Star Park for years with no problem. I loaded Mozilla Firefox and now I can no longer access the replays. I get a message that data downloaded, Windows Media Player opens, but when I try to download, I get a message saying the video cannot be played. This is very important and I am thinking of removing Mozilla!
Hi there
I had the same problem and I found this answer to a similar question to ours, so I copied and pasted it for you
Reset the device by holding down the home button and the sleep/wake button at the same time for approximately 10 seconds. After it resets the message will be gone and you can go to settings > icloud and put in your password.
That seems to be a bug with the password alert where it won't respond correctly sometimes.
Hope this helps -
JMS Message Download & Replay Utility
Hi,
I was wondering if there is a utility to download JMS Messages (with their Message Properties) & Replay them whenever needed.
I want to do this to test few applications, want to avoid dependency on other teams to send same messages again and again.
TIA,
Amit

Check this link. It is a very good utility.
http://forums.bea.com/bea/thread.jspa?threadID=200077532&tstart=0 -
Is there anything I can do
Contact iTunes and request a redownload
How to report/refund an issue with your iTunes Store, App Store, Mac App Store, or iBooks Store purchase -
Can we display custom error message in user decision step screen.
Hi,
My requirement is to display error message when approver selects reject button in user decision step.
based on some condition i need to display error message in user decision screen when approver tries to
reject .
Please help
Thanks,
Phani

Hi ibrahim,
Thanks for your reply.
steps
1. create global class with interface IF_SWF_IFS_WORKITEM_EXIT.
2. create Event with importing parameter.
Where do I need to call EVENT_RAISED method, do I need to call that method in
IF_SWF_IFS_WORKITEM_EXIT ?
How is SWRCO_EVENT_AFTER_EXECUTION value passed to method EVENT_RAISED ?
Thanks,
phani -
How to make numbers in message text input fields left aligned?
Hi Friends
I have completed one of my task .but getting result right side of the field.
how to make numbers in message text input fields left aligned?
Thanks
Aravinda

Hi,
Sorry for late reply, I am trying this also not set that page....
pageContext.forwardImmediatelyToCurrentPage(null, true, null);
and one more that kff field working is fine for ex display any text pled displayed properly and only problem is not set the value and HrSitKeyFlex6 and HrSitKeyFlex7 fields are perfectly get the values but not pront HrSitKeyFlex8 that only my issue....
Regards,
Srini -
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players: (Note: first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection when trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
description COMPANY-B VPN
set peer 4.5.6.228
set transform-set COMPANY-B01
set pfs group2
match address 190
interface FastEthernet0/0
ip address 1.2.3.8 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.

Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on both
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unencapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior. -
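The manual header check described in the post above, as an added example (not part of the original thread and not a Cisco tool): it parses a decrypted inner packet from a hex dump and compares it with the proxy identities printed by `show crypto ipsec sa`, which is the selector comparison RFC 4301 requires for inbound traffic. That the IOS "SA identity check" is exactly this comparison is an assumption; the ports and the 10.20.30.29 address are constructed sample values, and the helper names are hypothetical.

```python
import ipaddress
import struct

# Proxy identities copied from the "show crypto ipsec sa" output in the post,
# in (addr/mask/prot/port) form; 0 means "any" for protocol and port.
SA = {
    "local": ipaddress.ip_network("1.2.3.161/255.255.255.255"),
    "remote": ipaddress.ip_network("4.5.7.0/255.255.255.0"),
    "proto": 0, "local_port": 0, "remote_port": 0,
}


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags=0x12):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header (SYN/ACK).
    The TCP checksum is left at 0 because only the IP header is validated."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2001,
                      5 << 4, flags, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                      0x4000, 63, 6, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def parse_inner(raw):
    """Extract the fields an IPsec selector check looks at."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    if inet_checksum(raw[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    pkt = {"src": ipaddress.ip_address(raw[12:16]),
           "dst": ipaddress.ip_address(raw[16:20]),
           "proto": raw[9], "sport": None, "dport": None}
    if pkt["proto"] in (6, 17) and len(raw) >= ihl + 4:  # TCP or UDP ports
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return pkt


def selector_mismatches(pkt, sa):
    """Inbound direction: the peer's hosts are the source, our host the
    destination. Returns a list of reasons; empty means the packet matches."""
    problems = []
    if pkt["src"] not in sa["remote"]:
        problems.append("source %s outside remote ident %s"
                        % (pkt["src"], sa["remote"]))
    if pkt["dst"] not in sa["local"]:
        problems.append("destination %s outside local ident %s"
                        % (pkt["dst"], sa["local"]))
    if sa["proto"] and pkt["proto"] != sa["proto"]:
        problems.append("protocol %d != %d" % (pkt["proto"], sa["proto"]))
    if sa["remote_port"] and pkt["sport"] != sa["remote_port"]:
        problems.append("source port %s != %d"
                        % (pkt["sport"], sa["remote_port"]))
    if sa["local_port"] and pkt["dport"] != sa["local_port"]:
        problems.append("destination port %s != %d"
                        % (pkt["dport"], sa["local_port"]))
    return problems


def check_hexdump(hex_text, sa):
    """Accepts a hex dump with arbitrary whitespace, as pasted from debug output."""
    raw = bytes.fromhex("".join(hex_text.split()))
    return selector_mismatches(parse_inner(raw), sa)


if __name__ == "__main__":
    # Two addresses from the post plus one constructed RFC 1918 source,
    # the mis-routing case the poster wanted to rule out.
    for src in ("4.5.7.94", "4.5.7.29", "10.20.30.29"):
        dump = build_ipv4_tcp(src, "1.2.3.161", 443, 40000).hex()
        print(src, check_hexdump(dump, SA) or "matches SA identities")
```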
J1IS No account is specified in item 0000000002 Message no. F5670
Hello
While making Vendor Return Excise Invoice through J1IS
I am getting the following message
No account is specified in item 0000000002
Message no. F5670
What could be the possible reason for the error.
With Regards
Niti Narayan

Hi
Thanks for the reply
What should be the Excise Transaction Type (ETT)
Regards
Niti Narayan -
Hello,
I'm doing Exchange 2010 database full backup using Windows Server Backup (Windows 2008 R2) every weekend. I have a Mac user with Mac Outlook 2011 who somehow managed to corrupt his mailbox. I.e. on Wednesday many messages and contacts disappeared (all contacts gone) after his Outlook told him something about "corrupted database". I'm not sure what Mac Outlook did, but the fact is that his mailbox has zero contacts and many inbox messages are gone. Hard deleted items don't contain the lost messages.
So I have DB backup from weekend before and weekend after. No circular logging, so all logs in place.
Is there a way I can restore his mailbox back to a point in time? I want to restore his mailbox to how it was on Wednesday morning. For me it looks obvious that since I have log files from Monday to Friday, it should be possible to replay logs until a certain time.
I tried to do this trick by removing Friday and Thursday logs and doing soft recovery, but got Operation terminated with error -543 (JET_errRequiredLogFilesMissing, The required log files for recovery is missing.) They are indeed missing:
dbtime: 2221857861 (0x846edc45)
State: Dirty Shutdown
Log Required: 2895446-2895464 (0x2c2e56-0x2c2e68)
Log Committed: 0-2895465 (0x0-0x2c2e69)
Log Recovering: 2838005 (0x2b4df5)
The logs required are logs from the day of the backup, so they are really missing in that case, but that's what I want - restore the DB with fewer/older logs to get back in time, to when the mailbox was not corrupted.
Is that possible?
Thanks
OK, so the problem is you have the dreaded -1018 error and this is a very serious issue. -1018 is not a good deal at all; in short, your DB has corruption within it and it is usually caused by a hardware or firmware related issue. Most of the time these occur somewhere within the storage subsystem, i.e. firmware upgrade or lack of firmware upgrade, controller issue, cabling, disk, disk arrays, etc.; however, they can also be caused by memory upgrades or failures, motherboard issues etc. The -1018 tells you the DB is already damaged, and if you see these it's very bad and needs to be addressed ASAP, else the DBs are sure to fail, and the more stress you put on them the faster the chance of failure, i.e. database backups, defrags and repairs etc. are not recommended at all until you solve the hardware issue. So here is what I would recommend:
A: Let's try to ensure the box is stable and whatever caused the DB to get the -1018s is solved before we do anything else.
General Review: What's changed recently? I.e. any hardware, memory, motherboard, any firmware updates on anything at all?
Event Log Review: Look at your Application Log; how long have these 1018s been occurring? Look at your System event log for errors and pay close attention to any errors regarding disk, memory or MB and report back.
Protect: I would dismount the database & copy it and any others off to a secure, safe drive that is NOT connected to this system.
Action: Depending on what you find in your review there are really two options:
i: If you had a recent change that is easily identifiable you may be able to correct it and then we can look at finding a clean copy of the EDB and rolling up the logs OR we opt to repair the DB you have.
ii: If you cannot find the issue in short order then I would suggest that you build a new Exchange Server on new hardware and migrate your mailboxes immediately.
B: Once you have addressed the -1018 issue then:
1. We need to find a database from your backups that does NOT have the -1018 result code when attempting a rollup.
2. Once you have a non -1018 result you can then grab a fresh copy of the EDB along with all logs from that point forward and make a consistent DB via rollup up to the 18th as desired.
3. If you cannot find a good copy of the EDB then you are stuck with the latest data you have and should either move all mailboxes to a new EDB on that server but ONLY IF the source of the -1018 is found and resolved, else you will just be making things worse. IF you CANNOT resolve the issue that causes the -1018 then build a brand new server and move all users over to it ASAP, else you are headed for a major failure on all users.
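A pre-flight check for the log-replay attempt described in the question, as an added example that is not part of the thread: it reads the "Log Required" range from the database header and reports which of those generations are absent from a log directory before soft recovery is tried. Recovery needs every generation in that range; later logs are optional but usable only while they stay contiguous. The `E00` prefix, the 8-hex-digit file naming and the directory listings are assumptions.

```python
import re

# Constructed sample: the database header fields quoted in the question above.
HEADER = """\
State: Dirty Shutdown
Log Required: 2895446-2895464 (0x2c2e56-0x2c2e68)
Log Committed: 0-2895465 (0x0-0x2c2e69)
"""

def required_range(header):
    """Return (low, high) generations from the 'Log Required' header line."""
    m = re.search(r"Log Required:\s*(\d+)-(\d+)\s*\(0x([0-9a-f]+)-0x([0-9a-f]+)\)",
                  header, re.IGNORECASE)
    if m is None:
        raise ValueError("header has no 'Log Required' line")
    low, high = int(m.group(1)), int(m.group(2))
    # The decimal and hex forms must agree; a mismatch means a mangled paste.
    if (low, high) != (int(m.group(3), 16), int(m.group(4), 16)):
        raise ValueError("decimal and hex generation ranges disagree")
    return low, high

def log_name(gen, prefix="E00"):
    """File name for a generation; prefix and 8-hex-digit form are assumptions."""
    return f"{prefix}{gen:08X}.log"

def check_replay_set(header, present, prefix="E00"):
    """Report required logs absent from `present` and how far replay can go."""
    low, high = required_range(header)
    pat = re.compile(rf"^{re.escape(prefix)}([0-9A-F]{{8}})\.log$", re.IGNORECASE)
    gens = {int(m.group(1), 16) for m in map(pat.match, present) if m}
    missing = [log_name(g, prefix) for g in range(low, high + 1) if g not in gens]
    if missing:
        # Soft recovery cannot start: this is the -543 case from the question.
        return {"missing": missing, "replay_to": None}
    last = high
    while last + 1 in gens:      # optional logs past the required range
        last += 1                # are usable only while they stay contiguous
    return {"missing": [], "replay_to": last}

if __name__ == "__main__":
    # Constructed directory listing: logs after generation 2895460 were removed.
    kept = [log_name(g) for g in range(2895446, 2895461)]
    print(check_replay_set(HEADER, kept))
```
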