Zbf ha configuration
Hey!
Are there any better examples with diagrams of how to configure ZBF HA than these:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-data-zbf-15-2mt-book.pdf
I just need a simple configuration where the 2 routers' LAN interfaces are in HA state and the WAN interfaces are in default zones without HA
I cannot say which one it will be since I do not have a final plan yet. The initial request shows that 2 WLCs are active while one is in standby. I do not believe this is a supported configuration based on this link.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01110100.html#concept_6C8DB7891E764C869E5FC11349120C20
Let's say, though, this is going to be set up in the old fashion, Primary/Secondary/Tertiary: is there some detailed documentation on this? HA SSO seems like the way to go, but I am going off the info I have gotten so far.
Similar Messages
-
Hello, I am working with an 871w and I am trying to switch from ip inspect to zone-based firewall. Below are the class-maps, policy-maps, zone-pairs, zones, and ACLs. The issue I am having is that once I deploy the ZBF, I cannot get an IP via DHCP. Please review and suggest any improvements or fixes needed.
class-map type inspect match-any Egress-Filter
match access-group name egress-filter
class-map type inspect match-any Guest_Protocols
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any Ingress-Filter
match access-group name ingress-filter
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all DHCP-Allow
match access-group name dhcp-allow
policy-map type inspect Self_to_Internet
class type inspect Egress-Filter
inspect
class class-default
drop log
policy-map type inspect Internet_to_Self
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Trusted_To_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Guest_to_Internet
class type inspect Guest_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Guest
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Trusted_to_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Self_to_Trusted
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Trusted
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Guest_to_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Self_to_Guest
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
service-policy type inspect Guest_to_Internet
zone-pair security Internet->Trusted source Internet destination Trusted
service-policy type inspect Internet_to_Trusted
zone-pair security Internet->Guest source Internet destination Guest
service-policy type inspect Internet_to_Guest
zone-pair security Self->Internet source self destination Internet
service-policy type inspect Self_to_Internet
zone-pair security Internet->Self source Internet destination self
service-policy type inspect Internet_to_Self
zone-pair security Self->Trusted source self destination Trusted
service-policy type inspect Self_to_Trusted
zone-pair security Trusted->Self source Trusted destination self
service-policy type inspect Trusted_to_Self
zone-pair security Self->Guest source self destination Guest
service-policy type inspect Self_to_Guest
zone-pair security Guest->Self source Guest destination self
service-policy type inspect Guest_to_Self
zone security Trusted
zone security Guest
zone security Internet
ip access-list extended NAT
deny ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
permit ip any any
ip access-list extended dhcp-allow
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any eq bootpc any
ip access-list extended egress-filter
permit ip <REMOVED> 0.0.0.2 any
remark ----- Junk Traffic -----
deny ip any host <REMOVED>
deny ip any host <REMOVED>
deny ip host <REMOVED> any
deny ip host <REMOVED> any
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip any any
ip access-list extended ingress-filter
remark ----- Allow access from work
permit ip <REMOVED> 0.0.0.127 any
permit ip <REMOVED> 0.0.0.31 any
permit ip <REMOVED> 0.0.0.255 any
permit esp any host <REMOVED>
permit gre any host <REMOVED>
permit udp any host <REMOVED> eq isakmp
remark ----- To get IP form COX -----
permit udp any eq bootps any eq bootpc
deny icmp any any
deny udp any any eq echo
deny udp any eq echo any
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
deny ip any any option any-options
deny ip any any ttl lt 4
deny ip any host <REMOVED>
deny ip any host <REMOVED>
deny udp any any range 33400 34400
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny ip <REMOVED> 0.0.0.3 any
deny ip any any
Running Config
! Last configuration change at 05:24:59 AZT Sun Feb 19 2012 by asucrews
! NVRAM config last updated at 05:25:57 AZT Sun Feb 19 2012 by asucrews
version 12.4
configuration mode exclusive auto expire 600
parser cache
no service log backtrace
no service config
no service exec-callback
service nagle
service slave-log
no service slave-coredump
no service pad to-xot
no service pad from-xot
no service pad cmns
no service pad
no service telnet-zeroidle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service exec-wait
service linenumber
no service internal
no service scripting
no service compress-config
service prompt config
no service old-slip-prompts
service pt-vty-logging
no service disable-ip-fast-frag
service sequence-numbers
hostname rtwan
boot-start-marker
boot-end-marker
logging exception 4096
logging count
no logging message-counter log
no logging message-counter debug
logging message-counter syslog
no logging snmp-authfail
no logging userinfo
logging buginf
logging queue-limit 100
logging queue-limit esm 0
logging queue-limit trap 100
logging buffered 65536
no logging persistent
logging rate-limit 512 except critical
logging console guaranteed
logging console critical
logging monitor debugging
logging on
enable secret 5
enable password 7
aaa new-model
aaa group server radius rad_eap
server auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
aaa session-id common
memory-size iomem 10
clock timezone AZT -7
clock save interval 8
errdisable detect cause all
errdisable recovery interval 300
dot11 syslog
dot11 activity-timeout unknown default 60
dot11 activity-timeout client default 60
dot11 activity-timeout repeater default 60
dot11 activity-timeout workgroup-bridge default 60
dot11 activity-timeout bridge default 60
dot11 ssid guestonpg
vlan 2
authentication open
authentication key-management wpa optional
guest-mode
wpa-psk ascii 7
dot11 ssid playground
vlan 1
authentication open
authentication key-management wpa optional
wpa-psk ascii 7
dot11 aaa csid default
no ip source-route
no ip gratuitous-arps
ip icmp redirect subnet
ip spd queue threshold minimum 73 maximum 74
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.16.33 192.168.16.40
ip dhcp excluded-address 192.168.16.1 192.168.16.7
ip dhcp pool vlan1pool
import all
network 192.168.16.0 255.255.255.224
default-router 192.168.16.1
domain-name jeremycrews.home
lease 4
ip dhcp pool vlan2pool
import all
network 192.168.16.32 255.255.255.224
default-router 192.168.16.33
domain-name guest.jeremycrews.home
lease 0 6
ip cef
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp router-traffic
no ip bootp server
no ip domain lookup
ip domain name jeremycrews.home
ip host rtwan.jeremycrews.home 192.168.16.1 192.168.16.33
ip host ap1.jeremycrews.home 192.168.16.2 192.168.16.34
ip host ap2.jeremycrews.home 192.168.16.3 192.168.16.35
ip host ap3.jeremycrews.home 192.168.16.4 192.168.16.36
ip host ooma.jeremycrews.home 192.168.16.5
ip host xbox.jeremycrews.home 192.168.16.6
ip host wii.jeremycrews.home 192.168.16.7
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.31
ip accounting-transits 25
ip igmp snooping vlan 1
ip igmp snooping vlan 1 mrouter learn pim-dvmrp
ip igmp snooping vlan 2
ip igmp snooping vlan 2 mrouter learn pim-dvmrp
ip igmp snooping
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
parameter-map type inspect log
audit-trail on
dot1x system-auth-control
memory free low-watermark processor 65536
memory free low-watermark IO 16384
file prompt alert
emm clear 1b5b324a1b5b303b30480d
vtp file flash:vlan.dat
vtp mode server
vtp version 1
username privilege 15 password 7
username privilege 15 password 7
no crypto isakmp diagnose error
archive
log config
no record rc
logging enable
no logging persistent reload
no logging persistent
logging size 255
notify syslog contenttype plaintext
no notify syslog contenttype xml
hidekeys
path tftp://192.168.16.12/rtwan-config
maximum 10
no rollback filter adaptive
rollback retry timeout 0
write-memory
time-period 10080
scripting tcl low-memory 28965007
scripting tcl trustpoint untrusted terminate
no scripting tcl secure-mode
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string ~break
ip ssh logging events
ip ssh version 2
ip ssh dh min size 1024
class-map type inspect match-any Egress-Filter
match access-group name egress-filter
class-map type inspect match-any Guest_Protocols
match protocol http
match protocol https
match protocol dns
match protocol bootpc
match protocol bootps
class-map type inspect match-any Ingress-Filter
match access-group name ingress-filter
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all DHCP-Allow
match access-group name dhcp-allow
policy-map type inspect Self_to_Internet
class type inspect Egress-Filter
inspect
class class-default
drop log
policy-map type inspect Internet_to_Self
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Self_To_Self
class class-default
drop log
policy-map type inspect Trusted_To_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Guest_to_Internet
class type inspect Guest_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Guest
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Trusted_to_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Self_to_Trusted
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Trusted
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Guest_to_Self
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Self_to_Guest
class type inspect All_Protocols
inspect
class class-default
drop log
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
service-policy type inspect Guest_to_Internet
zone-pair security Internet->Trusted source Internet destination Trusted
service-policy type inspect Internet_to_Trusted
zone-pair security Internet->Guest source Internet destination Guest
service-policy type inspect Internet_to_Guest
zone-pair security Self->Internet source self destination Internet
service-policy type inspect Self_to_Internet
zone-pair security Internet->Self source Internet destination self
service-policy type inspect Internet_to_Self
zone-pair security Self->Trusted source self destination Trusted
service-policy type inspect Self_to_Trusted
zone-pair security Trusted->Self source Trusted destination self
service-policy type inspect Trusted_to_Self
zone-pair security Self->Guest source self destination Guest
service-policy type inspect Self_to_Guest
zone-pair security Guest->Self source Guest destination self
service-policy type inspect Guest_to_Self
bridge irb
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
snmp trap link-status
interface Null0
no ip unreachables
interface FastEthernet0
description To switch
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode trunk
switchport voice vlan none
switchport priority extend none
switchport priority default 0
snmp trap link-status
ip igmp snooping tcn flood
interface FastEthernet1
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode trunk
switchport voice vlan none
switchport priority extend none
switchport priority default 0
shutdown
snmp trap link-status
spanning-tree portfast
ip igmp snooping tcn flood
interface FastEthernet2
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode access
switchport voice vlan none
switchport priority extend none
switchport priority default 0
shutdown
snmp trap link-status
spanning-tree portfast
ip igmp snooping tcn flood
interface FastEthernet3
description Ooma Hub 192.168.16.5
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode access
switchport voice vlan none
switchport priority extend none
switchport priority default 0
shutdown
snmp trap link-status
spanning-tree portfast
ip igmp snooping tcn flood
interface FastEthernet4
description Cox Internet Connection
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
snmp trap link-status
no cdp enable
zone-member security Internet
interface Dot11Radio0
description Radio b/g
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
beacon period 100
beacon dtim-period 2
dot11 extension aironet
encryption vlan 1 mode ciphers aes-ccm tkip wep128
encryption vlan 2 mode ciphers aes-ccm tkip wep128
broadcast-key vlan 1 change 3600 membership-termination
broadcast-key vlan 2 change 3600 membership-termination
ssid guestonpg
ssid playground
countermeasure tkip hold-time 60
short-slot-time
speed ofdm join
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
packet retries 64
preamble-short
channel least-congested
fragment-threshold 2346
station-role root
rts threshold 2312
rts retries 64
antenna receive diversity
antenna transmit diversity
payload-encapsulation rfc1042
snmp trap link-status
interface Dot11Radio0.1
description Home WLAN
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
description Guest WLAN
encapsulation dot1Q 2
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Vlan1
description Home LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
autostate
snmp trap link-status
bridge-group 1
bridge-group 1 spanning-disabled
interface Vlan2
description Guest LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
autostate
snmp trap link-status
bridge-group 2
bridge-group 2 spanning-disabled
interface BVI1
description Home Bridge LAN to WLAN
ip address 192.168.16.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
snmp trap link-status
zone-member security Trusted
interface BVI2
description Guest Bridge LAN to WLAN
ip address 192.168.16.33 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
snmp trap link-status
zone-member security Guest
ip classless
ip forward-protocol nd
no ip http server
ip http port 80
ip http authentication enable
no ip http secure-server
ip http secure-port 443
ip http secure-active-session-modules all
ip http max-connections 5
ip http timeout-policy idle 180 life 180 requests 1
ip http active-session-modules all
ip http digest algorithm md5
ip http client cache memory pool 100
ip http client cache memory file 2
ip http client cache ager interval 5
ip http client connection timeout 10
ip http client connection retry 1
ip http client connection idle timeout 30
ip http client response timeout 30
ip http path
ip flow-top-talkers
top 10
sort-by bytes
ip nat inside source static tcp 192.168.16.6 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.16.6 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.6 3074 interface FastEthernet4 3074
ip nat inside source static tcp 192.168.16.6 80 interface FastEthernet4 80
ip nat inside source static udp 192.168.16.6 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.16.6 53 interface FastEthernet4 53
ip nat inside source list NAT interface FastEthernet4 overload
ip access-list extended NAT
deny ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
permit ip any any
ip access-list extended dhcp-allow
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any eq bootpc any
ip access-list extended egress-filter
permit ip 0.0.0.2 any
remark ----- Junk Traffic -----
deny ip any host
deny ip any host
deny ip host any
deny ip host any
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip any any
ip access-list extended ingress-filter
remark ----- Allow access from work
permit ip 0.0.0.127 any
permit ip 0.0.0.31 any
permit ip 0.0.0.255 any
permit esp any host
permit gre any host
permit udp any host eq isakmp
remark ----- To get IP form COX -----
permit udp any eq bootps any eq bootpc
deny icmp any any
deny udp any any eq echo
deny udp any eq echo any
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
deny ip any any option any-options
deny ip any any ttl lt 4
deny ip any host
deny ip any host
deny udp any any range 33400 34400
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny ip 0.0.0.2 any
deny ip any any
no ip sla logging traps
ip sla 1
icmp-echo 8.8.4.4 source-interface FastEthernet4
frequency 120
history hours-of-statistics-kept 1
history filter failures
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface FastEthernet4
frequency 30
history hours-of-statistics-kept 1
history filter failures
ip sla reaction-configuration 1 react connectionLoss threshold-type consecutive 5 action-type trapAndTrigger
ip sla reaction-trigger 1 2
logging history size 1
logging history warnings
logging trap informational
logging delimiter tcp
logging facility local7
no logging source-interface
access-list 1 permit 192.168.16.0 0.0.0.63
access-list 20 permit 127.127.1.1
access-list 20 permit 192.43.244.18
access-list 20 permit 204.235.61.9
access-list 20 permit 173.201.38.85
access-list 20 permit 216.229.4.69
access-list 20 permit 152.2.21.1
access-list 20 permit 130.126.24.24
access-list 21 permit 192.168.16.0 0.0.0.63
access-list 22 permit 192.168.16.0 0.0.0.63
mac-address-table aging-time 300
cdp run
snmp-server engineID local
snmp-server view *ilmi system included
snmp-server view *ilmi atmForumUni included
snmp-server view v1default iso included
snmp-server view v1default internet.6.3.15 excluded
snmp-server view v1default internet.6.3.16 excluded
snmp-server view v1default internet.6.3.18 excluded
snmp-server view v1default ciscoMgmt.394 excluded
snmp-server view v1default ciscoMgmt.395 excluded
snmp-server view v1default ciscoMgmt.399 excluded
snmp-server view v1default ciscoMgmt.400 excluded
snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F ieee802dot11 included
snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F internet included
snmp-server community 1682CrewsSNMP v1default RW 22
snmp-server priority normal
no snmp-server trap link ietf
snmp-server trap authentication vrf
snmp-server trap authentication acl-failure
snmp-server trap authentication unknown-content
snmp-server packetsize 1500
snmp-server queue-limit notification-host 10
snmp-server chassis-id FHK111016LX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps pw vc
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps adslline
snmp-server enable traps flash insertion removal
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server host 192.168.16.10 traps version 1 udp-port 162
snmp-server inform retries 3 timeout 15 pending 25
snmp mib nhrp
snmp mib notification-log globalsize 500
snmp mib notification-log globalageout 15
snmp mib community-map ILMI engineid
snmp mib community-map engineid
radius-server local
no authentication mac
eapfast authority id
eapfast authority info
eapfast server-key primary 7
eapfast server-key secondary 7
nas key 7
group users
vlan 1
ssid playground
block count 5 time 60
reauthentication time 3600
group guest
vlan 2
ssid guestonpg
block count 3 time 60
reauthentication time 3600
user nthash 7 group users
user nthash 7 group guest
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1645 acct-port 1646 key 7
radius-server vsa send accounting
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
alias exec h help
alias exec lo logout
alias exec p ping
alias exec r resume
alias exec s show
alias exec u undebug
alias exec un undebug
alias exec w where
default-value exec-character-bits 7
default-value special-character-bits 7
default-value data-character-bits 8
line con 0
password 7
logging synchronous
no modem enable
transport output ssh
line aux 0
password 7
logging synchronous
transport output ssh
line vty 0 4
password 7
logging synchronous
transport preferred ssh
transport input all
transport output ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
ntp authentication-key 1 md5 7
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet4
ntp access-group peer 20
ntp access-group serve-only 21
ntp master 1
ntp server 152.2.21.1 maxpoll 4
ntp server 204.235.61.9 maxpoll 4
ntp server 130.126.24.24
ntp server 216.229.4.69 maxpoll 4
ntp server 173.201.38.85 maxpoll 4
cns id hostname
cns id hostname event
cns id hostname image
cns image retry 60
netconf max-sessions 4
netconf lock-time 10
netconf max-message 0
event manager scheduler script thread class default number 1
event manager scheduler applet thread class default number 32
event manager history size events 10
event manager history size traps 10
end -
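An added example, not part of the original post: ZBF policy-maps evaluate their classes top-down and the first matching class decides the action, so class order and zone-pair bindings in a configuration like the one above can be checked mechanically. This Python sketch parses a constructed excerpt of the posted running config and reports classes that an earlier class already covers, plus policy-maps that no zone-pair references; the function names and the "broad protocol" heuristic are assumptions of this example.

```python
# Added example: lint a ZBF configuration for shadowed classes and unbound policy-maps.
# SAMPLE_CONFIG is a constructed excerpt of the running config posted above.
SAMPLE_CONFIG = """\
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all DHCP-Allow
match access-group name dhcp-allow
policy-map type inspect Self_To_Self
class class-default
drop log
policy-map type inspect Trusted_To_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Trusted_to_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
zone-pair security Trusted->Self source Trusted destination self
service-policy type inspect Trusted_to_Self
ip access-list extended dhcp-allow
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any eq bootpc any
"""

# "match protocol" keywords treated as covering every packet of that IP protocol.
# Assumption of this example: application keywords such as http are not broad.
BROAD = {"tcp", "udp", "icmp"}


def parse(config):
    """Collect class-maps, policy-maps, extended ACLs and zone-pair bindings."""
    cmaps, pmaps, acls, bound = {}, {}, {}, set()
    kind, cur = None, None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["class-map", "type", "inspect"] and len(w) == 5:
            kind = "cmap"
            cur = cmaps.setdefault(w[4], {"mode": w[3], "protocols": set(), "acls": []})
        elif w[:3] == ["policy-map", "type", "inspect"] and len(w) == 4:
            kind, cur = "pmap", pmaps.setdefault(w[3], [])
        elif w[:3] == ["ip", "access-list", "extended"] and len(w) == 4:
            kind, cur = "acl", acls.setdefault(w[3], [])
        elif w[:2] == ["zone-pair", "security"]:
            kind, cur = "zone-pair", None
        elif kind == "zone-pair" and w[:3] == ["service-policy", "type", "inspect"]:
            bound.add(w[3])
        elif kind == "cmap" and w[:2] == ["match", "protocol"]:
            cur["protocols"].add(w[2])
        elif kind == "cmap" and w[:3] == ["match", "access-group", "name"]:
            cur["acls"].append(w[3])
        elif kind == "pmap" and w[0] == "class":
            cur.append([w[-1], None])  # action is set by the following line
        elif kind == "pmap" and cur and w[0] in ("inspect", "pass", "drop"):
            cur[-1][1] = w[0]
        elif kind == "acl" and w[0] in ("permit", "deny") and len(w) > 1:
            cur.append((w[0], w[1]))  # (action, IP protocol keyword)
    return cmaps, pmaps, acls, bound


def shadowed_classes(cmaps, pmaps, acls):
    """Return (policy, earlier_class, later_class) where the later class cannot match."""
    findings = []
    for pname, classes in pmaps.items():
        earlier = []  # (class name, broad protocols it matches)
        for cname, _action in classes:
            cmap = cmaps.get(cname)
            if cmap is None:  # class-default or an undefined class
                continue
            # IP protocols permitted by the ACLs this class matches on.
            needed = {proto for acl in cmap["acls"]
                      for act, proto in acls.get(acl, []) if act == "permit"}
            if needed and not cmap["protocols"]:
                for ename, eprotos in earlier:
                    if needed <= eprotos:
                        findings.append((pname, ename, cname))
                        break
            covers = cmap["protocols"] & BROAD if cmap["mode"] == "match-any" else set()
            earlier.append((cname, covers))
    return findings


def unbound_policy_maps(pmaps, bound):
    """Policy-maps that no zone-pair attaches with service-policy."""
    return sorted(set(pmaps) - bound)


if __name__ == "__main__":
    cmaps, pmaps, acls, bound = parse(SAMPLE_CONFIG)
    for policy, first, later in shadowed_classes(cmaps, pmaps, acls):
        print(f"{policy}: class {later} is never reached, {first} matches first")
    for name in unbound_policy_maps(pmaps, bound):
        print(f"{name}: not attached to any zone-pair")
```

Policy-map names are case-sensitive in this check, which is why `Trusted_To_Self` and `Trusted_to_Self` are reported as two separate policies.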
Hello,
I am wondering if it is necessary to enable ip virtual-reassembly on the Internet-facing interface of a VPN router (DMVPN spoke) if I don't have any NAT configured on it. I run ZBF and have only a policy that allows VPN traffic for the DMVPN spoke, DHCP, and management via SSH from some specific host only. I am reluctant to enable it and need an expert's comment.
Here is my configuration below; so far all works fine:
interface FastEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
zone-member security outside
ip tcp adjust-mss 1360
duplex auto
speed auto
no cdp enable
end
ip access-list extended ISAKMP_IPSEC_DHCP_in
permit udp any any eq bootpc
permit esp host <PUBLIC IP OF DMVPN HUB> any
permit udp host <PUBLIC IP OF DMVPN HUB> eq isakmp any eq isakmp
permit udp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp any eq non500-isakmp
ip access-list extended ISAKMP_IPSEC_DHCP_out
permit udp any any eq bootps
permit esp any host <PUBLIC IP OF DMVPN HUB>
permit udp any eq isakmp host <PUBLIC IP OF DMVPN HUB> eq isakmp
permit udp any eq non500-isakmp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp
ip access-list extended SSHaccess
permit tcp host <MGMT HOST> any eq 22
permit tcp host <MGMT HOST> any eq 22
class-map type inspect match-all IPSEC-DHCP-IN-cmap
match access-group name ISAKMP_IPSEC_DHCP_in
class-map type inspect match-all SSHaccess-cmap
match access-group name SSHaccess
policy-map type inspect Outside-Router-pmap
class type inspect SSHaccess-cmap
inspect
class type inspect IPSEC-DHCP-IN-cmap
pass
class class-default
drop log
class-map type inspect match-all IPSEC-DHCP-OUT-cmap
match access-group name ISAKMP_IPSEC_DHCP_out
policy-map type inspect Router-Outside-pmap
class type inspect IPSEC-DHCP-OUT-cmap
pass
class class-default
drop log
policy-map type inspect Inside-Outside-pmap
class class-default
drop log
policy-map type inspect Outside-Inside-pmap
class class-default
drop log
policy-map type inspect Outside-Outside-pmap
class class-default
drop log
zone-pair security outside-to-router source outside destination self
service-policy type inspect Outside-Router-pmap
zone-pair security router-to-outside source self destination outside
service-policy type inspect Router-Outside-pmap
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect Inside-Outside-pmap
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect Outside-Inside-pmap
zone-pair security outside-to-outside source outside destination outside
service-policy type inspect Outside-Outside-pmap
Hello Ruterford,
As Marcin said, not related to that.
Now let's talk about the usage of that feature:
It would basically let you configure the router to react to fragmentation attacks, where you determine how many fragments a packet can have, the maximum number of IP packets that can be using the reassembly feature at the same time, and the time you have to reassemble an IP packet.
So based on how the network behaves and the traffic you receive, you can make a decision about whether to enable it or not.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
ZBF in a mixed ipv4 and ipv6 environment, don't touch ipv4
I have a dual stacked router for both ipv4 and ipv6. Ipv4 traffic should pass the zbf untouched due to the fact that there is another rock solid ipv4 firewall egress of the inside Interface. Is there a way that a class map like this could function on ipv6 traffic only?:
class-map type inspect match-any fullproto
description Permitted Traffic to internet
match protocol http
match protocol https
match protocol dns
match protocol imaps
match protocol icmp
match protocol ftp
match protocol ntp
match protocol rtsp
match protocol realmedia
match protocol netshow
match protocol appleqtc
match protocol streamworks
match protocol vdolive
match protocol ssh
match protocol user-rdp
So far there is only a CBAC solution in place for ipv6.
I'm showing my Interfaces:
interface FastEthernet0/0
description *** Inside IPV6 ***
no ip address
speed auto
full-duplex
ipv6 address FE80::1 link-local
ipv6 address ????:????:????:10::1/64
ipv6 nd other-config-flag
ipv6 dhcp relay destination ?:?:?:10::12
ipv6 traffic-filter inne6-inn in
no cdp enable
no mop enabled
interface FastEthernet0/0.4
description *** Inside IPV4 ***
encapsulation dot1Q 4
ip address 82.?.?.129 255.255.255.248
no cdp enable
interface FastEthernet0/1
description *** Outside ***
ip address 82.?.?.42 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
speed auto
full-duplex
ipv6 address FE80::2 link-local
ipv6 address ?:599::2/126
ipv6 enable
ipv6 nd prefix default no-advertise
ipv6 nd prefix ?:599::/126 no-advertise
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd router-preference High
ipv6 inspect ipv6-cbac out
ipv6 traffic-filter ut-inn6 in
no cdp enable
no mop enabled
Please advise.
Regards,
Henning
I didn't test it, but what about the following:
Configure a new class-map where you match on an ipv6 access-list "any to any"
Configure a third class map of type "match all" where you match on your "fullproto" class-map and also the above ipv6 class-map. For this class map you configure your inspections.
For ipv4-traffic you configure a class with a "pass" action in both directions. -
Application Inspection of ZBF Router
Hello there,
I just wanna verify what I've learned about:
Stateful Inspection (packet filtering up to L5) and
Application Inspection (packet filtering up to L7)
Regarding an IOS ZBF (IOS ver 12.4(20)T) on a router, do these commands implement Application Inspection?
(I mean: do they satisfy a protocol like ftp and enable the router to learn about dynamic ports and unwanted activities?)
class-map type inspect match-any CM
match protocol ftp
match protocol http
policy-map type inspect PM
class type inspect CM
inspect
zone-pair security IN-OUT source inside destination outside
service-policy type inspect PM
Or do they implement Stateful Inspection only? If so, how do I add the Application Inspection feature (on ftp traffic, for example)?
One more question: is "application-specific matching" another expression for "application inspection feature"?
Thanks!
Have you looked at the example in the above mentioned link?
Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:
conf t
class-map type inspect match-any internet-traffic-class
match protocol http
match protocol https
match protocol dns
match protocol icmp
Configure a policy-map to inspect traffic on the class-maps you just defined:
conf t
policy-map type inspect private-internet-policy
class type inspect internet-traffic-class
inspect
Configure the private and Internet zones and assign router interfaces to their respective zones:
conf t
zone security private
zone security internet
int bvi1
zone-member security private
int fastethernet 0
zone-member security internet
Configure the zone-pair and apply the appropriate policy-map.
Note: You only need to configure the private Internet zone pair at present in order to inspect connections sourced in the private zone traveling to the Internet zone:
conf t
zone-pair security private-internet source private destination internet
service-policy type inspect private-internet-policy
This completes the configuration of the Layer 7 inspection policy on the private Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP connections from the clients zone to the servers zone and to apply application inspection to HTTP traffic to assure that unwanted traffic is not allowed to pass on TCP 80, HTTP’s service port.
Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:
conf t
class-map type inspect match-any L4-inspect-class
match protocol tcp
match protocol udp
match protocol icmp
Configure policy-maps to inspect traffic on the class-maps you just defined:
conf t
policy-map type inspect clients-servers-policy
class type inspect L4-inspect-class
inspect
Configure the clients and servers zones and assign router interfaces to their respective zones:
conf t
zone security clients
zone security servers
int vlan 1
zone-member security clients
int vlan 2
zone-member security servers
Configure the zone-pair and apply the appropriate policy-map.
Note: You only need to configure the clients-servers zone-pair at present, to inspect connections sourced in the clients zone traveling to the servers zone:
conf t
zone-pair security clients-servers source clients destination servers
service-policy type inspect clients-servers-policy
This completes the configuration of the Layer 4 inspection policy for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections from the client zone to the server zone. The policy does not apply fixup for subordinate channels, but provides an example of simple policy to accommodate most application connections.
Obviously, "Inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.
So, It depends on the protocol being inspected, not on the keyword "inspect".
But I'm not sure what's going on with icmp ? It is in both cases matched and inspected. -
I have a router with 2 vrfs on sub interfaces.
Customer requirement dictates that I need to use Cisco ZBF between these vrf 'Zones'.
Customer requirement also dictates I need to allow only one particular packet to traverse this boundary. The packet in question has a specific hex value at a particular byte in the payload.
ZBF does not support deep packet inspection as standard.
I can match the required packet using simple FPM config to match the nth packet from the start of the IP header. When called from a corresponding policy-map and applied to a sub-interface (inbound and outbound) this can restrict all traffic between the zones other than the required packet type.
FPM effectively meets the customer requirements but for security reasons I'm still required to implement ZBF as well !
I'm struggling to get my head around if there is a way to join these features together to make a more elegant solution. Maybe by nesting a FPM 'access-control' class-map within a ZBF 'inspect' class map and using the ZBF for stateful inspection.
Has anyone ever tried to do something similar?
Hi
I had the same doubt about languages in FPM; finally I made the translations by signing in the different languages and set the labels in FPM editor; but that was because I just need 2 languages; and that is not your requirement.
However, i put here the answers i received in that thread, i hope these help you.
Languages in FPM Configuration editor
Best Regards
Frank -
After reading some info on Julio's website, I have come to think my VPN configs are a bit too fat and not very streamlined. My configs are starting to hammer CPU on the routers now, especially as the remote offices are now starting to use VDSL speeds. What are your thoughts?
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any PING_ACCESS
match access-group name PING_ACCESS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SNMP_ACCESS
match access-group name SNMP_ACCESS
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
match class-map SNMP_ACCESS
match class-map PING_ACCESS
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect sdm-access
inspect
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key m0n5t3r address ***.***.***.***
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
mode tunnel
crypto map ipsec-TEST 10 ipsec-isakmp
set peer ***.***.***.***
set transform-set aes-sha
set pfs group2
match address 101
Sorry for the late reply. I have not been getting any email notifications since the new support website was launched.
If that is all the ZBF config you have it is not much configured...relatively speaking. So that leads me to believe that if you are experiencing performance issues it could be related to the amount of traffic that is traversing the 887 router, and its ability to handle that traffic.
You do have some redundant config in there but that should not affect performance in any significant way...just to point out an example:
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
This could have been done using just the ccp-cls-icmp-access class map. But as I said it should not affect performance.
Have you checked memory usage on the router and not just the CPU?
How many users are connecting through the router on a daily basis?
It could very well be that the amount of traffic passing through the router is becoming more than it can handle, and an upgrade to a more robust router is needed.
Please remember to rate and select a correct answer -
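The redundant nesting pointed out in the reply above (a match-all class-map whose only statement is `match class-map ...`) can be found mechanically. The following Python sketch is an added example, not part of the original thread or any Cisco tool: it parses the inspect class-maps, policy-maps and zone-pairs, lists such wrappers, and prints what each zone-pair actually matches once nested class-maps are followed. The function names are hypothetical and the sample configuration is a constructed, reduced copy of the one posted.

```python
import re

# Constructed sample, reduced from the configuration quoted in the thread above.
SAMPLE_CONFIG = """\
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
"""

CMAP = re.compile(r"class-map type inspect (?:match-any |match-all )?(\S+)$")
PMAP = re.compile(r"policy-map type inspect (\S+)$")
ZPAIR = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$")
PCLASS = re.compile(r"class (?:type inspect )?(\S+)$")
SPOL = re.compile(r"service-policy type inspect (\S+)$")


def parse_zbf(text):
    """Parse inspect class-maps, policy-maps and zone-pairs; indentation is ignored."""
    cmaps, pmaps, zps = {}, {}, {}
    kind = name = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := CMAP.match(line):
            kind, name = "cmap", m.group(1)
            cmaps[name] = []
        elif m := PMAP.match(line):
            kind, name = "pmap", m.group(1)
            pmaps[name] = []
        elif m := ZPAIR.match(line):
            kind, name = "zp", m.group(1)
            zps[name] = {"source": m.group(2), "destination": m.group(3), "policy": None}
        elif line.startswith(("class-map ", "policy-map ", "zone-pair ")):
            kind = None  # other map types (for example urlfilter) are skipped
        elif kind == "cmap" and line.startswith("match "):
            cmaps[name].append(line[len("match "):])
        elif kind == "pmap" and (m := PCLASS.match(line)):
            pmaps[name].append([m.group(1), None])
        elif kind == "pmap" and pmaps[name] and line.split()[0] in ("inspect", "pass", "drop"):
            pmaps[name][-1][1] = pmaps[name][-1][1] or line  # keeps "drop log" whole
        elif kind == "zp" and (m := SPOL.match(line)):
            zps[name]["policy"] = m.group(1)
    return {"class_maps": cmaps, "policy_maps": pmaps, "zone_pairs": zps}


def wrapper_class_maps(cfg):
    """Class-maps whose only statement is 'match class-map X' (pure indirection)."""
    return [(n, stmts[0].split()[1]) for n, stmts in cfg["class_maps"].items()
            if len(stmts) == 1 and stmts[0].startswith("class-map ")]


def leaf_matches(cfg, name, seen=()):
    """Follow nested class-maps to their leaf statements (any/all logic not evaluated)."""
    if name in seen or name not in cfg["class_maps"]:
        return [f"<unresolved {name}>"]
    leaves = []
    for stmt in cfg["class_maps"][name]:
        nested = stmt.startswith("class-map ")
        leaves += leaf_matches(cfg, stmt.split()[1], seen + (name,)) if nested else [stmt]
    return leaves


def effective_policy(cfg):
    """One row per (zone-pair, class): what is matched and which action applies."""
    rows = []
    for zp, info in cfg["zone_pairs"].items():
        for cls, action in cfg["policy_maps"].get(info["policy"], []):
            leaves = ["any"] if cls == "class-default" else leaf_matches(cfg, cls)
            rows.append((zp, info["source"], info["destination"], cls, action, leaves))
    return rows


if __name__ == "__main__":
    parsed = parse_zbf(SAMPLE_CONFIG)
    print("redundant wrappers:", wrapper_class_maps(parsed))
    for row in effective_policy(parsed):
        print(*row, sep=" | ")
```

Because indentation is ignored, the flattened listings pasted on this page can be fed to `parse_zbf` directly.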
Really Slow web surfing through ZBF with IOS Content filter
Edited: attached partial output of "sh policy-map type inspect zone-pair urlfilter"
Hey, all
We have a 1921 router with IOS Content filter subscription and it is also configured as ZBF running latest IOS v15.1. End-users keep complaining about slow web surfing. I connected to network and tested myself and found intermittent surfing experience.
For example, access to www.ibm.com or www.cnn.com hangs 7 times of 10 attempts and maybe only loads reasonably quick in 1-2 times of the 3. This also affects the speed of download from websites.
I have the case opened with Cisco TAC and CCIE checked my configure but nothing caught his eyes...
I decide to post the issue here in case we both missed something:
Current configuration : 18977 bytes
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname abc_1921
boot-start-marker
boot system flash:/c1900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authentication login NONE_LOGIN none
aaa authorization exec default local
aaa session-id common
clock timezone AST -4 0
clock summer-time ADT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
no ipv6 cef
ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.111 192.168.1.254
ip dhcp pool DHCPPOOL
import all
network 192.168.1.0 255.255.255.0
domain-name abc.local
dns-server 192.168.10.200 192.168.10.202
netbios-name-server 4.2.2.4
default-router 192.168.1.150
option 202 ip 192.168.1.218
lease 8
ip domain name abc.locol
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip port-map user-port-1 port tcp 5080
ip port-map user-port-2 port tcp 3389
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
parameter-map type urlfpolicy trend cprepdenyregex0
allow-mode on
block-page message "The website you have accessed is blocked as per corporate policy"
parameter-map type urlf-glob cpaddbnwlocparapermit2
pattern www.alc.ca
pattern www.espn.com
pattern www.bestcarriers.com
pattern www.gulfpacificseafood.com
pattern www.lafermeblackriver.ca
pattern 69.156.240.29
pattern www.tyson.com
pattern www.citybrewery.com
pattern www.canadianbusinessdirectory.ca
pattern www.homedepot.ca
pattern ai.fmcsa.dot.gov
pattern www.mtq.gouv.qc.ca
pattern licenseinfo.oregon.gov
pattern www.summitfoods.com
pattern www.marine-atlantic.ca
pattern www.larway.com
pattern www.rtlmotor.ca
pattern *.abc.com
pattern *.kijiji.ca
pattern *.linkedin.com
pattern *.skype.com
pattern toronto.bluejays.mlb.com
pattern *.gstatic.com
parameter-map type urlf-glob cpaddbnwlocparadeny3
pattern www.facebook.com
pattern www.radiofreecolorado.net
pattern facebook.com
pattern worldofwarcraft.com
pattern identityunknown.net
pattern static.break.com
pattern lyris01.media.com
pattern www.saltofreight.com
pattern reality-check.com
pattern reality-check.ca
parameter-map type ooo global
tcp reassembly timeout 5
tcp reassembly queue length 128
tcp reassembly memory limit 8192
parameter-map type trend-global global-param-map
cache-size maximum-memory 5000
crypto pki token default removal timeout 0
crypto pki trustpoint Equifax_Secure_CA
revocation-check none
crypto pki trustpoint NetworkSolutions_CA
revocation-check none
crypto pki trustpoint trps1_server
revocation-check none
crypto pki trustpoint TP-self-signed-3538579429
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3538579429
revocation-check none
rsakeypair TP-self-signed-3538579429
!! CERTIFICATE OMITED !!
redundancy
ip ssh version 2
class-map type inspect match-any INCOMING_VPN_TRAFFIC_MAP
match access-group name REMOTE_SITE_SUBNET
class-map type inspect match-all PPTP_GRE_INSPECT_MAP
match access-group name ALLOW_GRE
class-map type inspect match-all INSPECT_SKINNY_MAP
match protocol skinny
class-map type inspect match-all INVALID_SOURCE_MAP
match access-group name INVALID_SOURCE
class-map type inspect match-all ALLOW_PING_MAP
match protocol icmp
class-map type urlfilter match-any cpaddbnwlocclasspermit2
match server-domain urlf-glob cpaddbnwlocparapermit2
class-map type urlfilter match-any cpaddbnwlocclassdeny3
match server-domain urlf-glob cpaddbnwlocparadeny3
class-map type urlfilter trend match-any cpcatdenyclass2
class-map type inspect match-all cpinspectclass1
match protocol http
class-map type inspect match-any CUSTOMIZED_PROTOCOL_216
match protocol citriximaclient
match protocol ica
match protocol http
match protocol https
class-map type inspect match-any INSPECT_SIP_MAP
match protocol sip
class-map type urlfilter trend match-any cptrendclasscatdeny1
match url category Abortion
match url category Activist-Groups
match url category Adult-Mature-Content
match url category Chat-Instant-Messaging
match url category Cult-Occult
match url category Cultural-Institutions
match url category Gambling
match url category Games
match url category Illegal-Drugs
match url category Illegal-Questionable
match url category Internet-Radio-and-TV
match url category Joke-Programs
match url category Military
match url category Nudity
match url category Pay-to-surf
match url category Peer-to-Peer
match url category Personals-Dating
match url category Pornography
match url category Proxy-Avoidance
match url category Sex-education
match url category Social-Networking
match url category Spam
match url category Tasteless
match url category Violence-hate-racism
class-map type inspect match-any INSPECT_PROTOCOLS_MAP
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol icmp
class-map type urlfilter trend match-any cptrendclassrepdeny1
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
class-map type inspect match-all CUSTOMIZED_NAT_MAP_1
match access-group name CUSTOMIZED_NAT_1
match protocol user-port-1
class-map type inspect match-all CUSTOMIZED_NAT_MAP_2
match access-group name CUSTOMIZED_NAT_2
match protocol user-port-2
class-map type inspect match-any INSPECT_H323_MAP
match protocol h323
match protocol h323-nxg
match protocol h323-annexe
class-map type inspect match-all INSPECT_H225_MAP
match protocol h225ras
class-map type inspect match-all CUSTOMIZED_216_MAP
match class-map CUSTOMIZED_PROTOCOL_216
match access-group name CUSTOMIZED_NAT_216
policy-map type inspect OUT-IN-INSPECT-POLICY
class type inspect INCOMING_VPN_TRAFFIC_MAP
inspect
class type inspect PPTP_GRE_INSPECT_MAP
pass
class type inspect CUSTOMIZED_NAT_MAP_1
inspect
class type inspect CUSTOMIZED_NAT_MAP_2
inspect
class type inspect CUSTOMIZED_216_MAP
inspect
class class-default
drop
policy-map type inspect urlfilter cppolicymap-1
description Default abc Policy Filter
parameter type urlfpolicy trend cprepdenyregex0
class type urlfilter cpaddbnwlocclasspermit2
allow
class type urlfilter cpaddbnwlocclassdeny3
reset
log
class type urlfilter trend cptrendclasscatdeny1
reset
log
class type urlfilter trend cptrendclassrepdeny1
reset
log
policy-map type inspect IN-OUT-INSPECT-POLICY
class type inspect cpinspectclass1
inspect
service-policy urlfilter cppolicymap-1
class type inspect INSPECT_PROTOCOLS_MAP
inspect
class type inspect INVALID_SOURCE_MAP
inspect
class type inspect INSPECT_SIP_MAP
inspect
class type inspect ALLOW_PING_MAP
inspect
class type inspect INSPECT_SKINNY_MAP
inspect
class type inspect INSPECT_H225_MAP
inspect
class type inspect INSPECT_H323_MAP
inspect
class class-default
drop
zone security inside
description INTERNAL_NETWORK
zone security outside
description PUBLIC_NETWORK
zone-pair security INSIDE_2_OUTSIDE source inside destination outside
service-policy type inspect IN-OUT-INSPECT-POLICY
zone-pair security OUTSIDE_2_INSIDE source outside destination inside
service-policy type inspect OUT-IN-INSPECT-POLICY
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 11.22.3.1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set TunnelToCold esp-3des
crypto map TunnelsToRemoteSites 10 ipsec-isakmp
set peer 11.22.3.1
set transform-set TunnelToCold
match address TUNNEL_TRAFFIC2Cold
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description OUTSIDE_INTERFACE
ip address 1.1.1.186 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex full
speed 1000
crypto map TunnelsToRemoteSites
crypto ipsec df-bit clear
interface GigabitEthernet0/1
description INSIDE_INTERFACE
ip address 192.168.1.150 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex full
speed 1000
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.1.217 5080 interface GigabitEthernet0/0 5080
ip nat inside source route-map NAT_MAP interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.216 80 1.1.1.187 80 extendable
ip nat inside source static tcp 192.168.1.216 443 1.1.1.187 443 extendable
ip nat inside source static tcp 192.168.1.216 1494 1.1.1.187 1494 extendable
ip nat inside source static tcp 192.168.1.216 2598 1.1.1.187 2598 extendable
ip nat inside source static tcp 192.168.1.213 3389 1.1.1.187 3390 extendable
ip nat inside source static tcp 192.168.1.216 5080 1.1.1.187 5080 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.185
ip access-list standard LINE_ACCESS_CONTROL
permit 192.168.1.0 0.0.0.255
ip access-list extended ALLOW_ESP_AH
permit esp any any
permit ahp any any
ip access-list extended ALLOW_GRE
permit gre any any
ip access-list extended CUSTOMIZED_NAT_1
permit ip any host 192.168.1.217
permit ip any host 192.168.1.216
ip access-list extended CUSTOMIZED_NAT_2
permit ip any host 192.168.1.216
permit ip any host 192.168.1.212
permit ip any host 192.168.1.213
ip access-list extended CUSTOMIZED_NAT_216
permit ip any host 192.168.1.216
ip access-list extended INVALID_SOURCE
permit ip host 255.255.255.255 any
permit ip 127.0.0.0 0.255.255.255 any
ip access-list extended NAT_RULES
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended REMOTE_SITE_SUBNET
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ABM
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Bridgewater
permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookDispatch
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookETL
permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookTrailershop
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Moncton
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2MountPearl
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Ontoria
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended WEB_TRAFFIC
permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 10 permit 192.168.1.0 0.0.0.255
route-map NAT_MAP permit 10
match ip address NAT_RULES
snmp-server community 1publicl RO
control-plane
line con 0
logging synchronous
login authentication NONE_LOGIN
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class LINE_ACCESS_CONTROL in
exec-timeout 30 0
logging synchronous
transport input all
scheduler allocate 20000 1000
ntp server 0.ca.pool.ntp.org prefer
ntp server 1.ca.pool.ntp.org
end
Hi,
I know this is for a different platform but have a look at this link:
https://supportforums.cisco.com/thread/2089462
Read through it to get some idea of the similarity, but in particular note the last entry almost a year after the original post.
I too am having trouble with http inspection, if I do layers 3 & 4 inspection there is no issue whatsoever, but as soon as I enable layer 7 inspection then I have intermittent browsing issues.
The easy solution here is to leave it at layers 3 & 4, which doesn't give you the flexibility to do cool things like blocking websites, IM, regex expression matching etc... but in my opinion I just don't think these routers can handle it.
It appears to be a hit and miss affair, and going on the last post from the above link, you might be better off in having the unit replaced under warranty.
The alternative is wasting a lot of time and effort and impacting your users to get something up and running that in the end is so flaky that you have no confidence in the solution and you are then in a situation where ALL future issues users are facing MIGHT be because of this layer 7 inspection bug/hardware issue etc?
I would recommend you use the router as a frontline firewall with inbound/outbound acl's (no inspection), and then invest a few $ in getting an ASA dedicated firewall (but that's just me ) -
VRF aware Remote Access on ZBF
Hello,
In our environment we have a Zone based firewall on Cisco ASR 1000 XE router, terminating normal IPsec VPN sessions on ZBF. The router has one outgoing physical interface (g0/0/0) connected to ISP as outside Interface and multiple Interfaces on the Inside network on Port channels VLAN/VRF.
The remote access VPN (Easy VPN) is applied using crypto map configuration on the interface connected to ISP.
Now, there was also a requirement to provide IPSec termination on the same physical interface g0/0/0 to a different customer via a VRF aware Remote access. Two configuration templates were implemented with similar results. IPSec Tunnel comes up fine for the VRF profile but tunnel cannot pass traffic. Ping from IPsec client to an IP address on the Inside network times out and trace route shows that this gets dropped somewhere in the ISP cloud.
Configuration 1 - Crypto Dynamic Map
crypto isakmp policy 15
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group admin-vpn
key _____
pool vpn-pool
acl VPN-LIST
crypto isakmp client configuration group centralsTEMP-vpn
key __________
pool centrals vpn-pool
acl VPN-LIST
crypto isakmp profile softclient
match identity group admin-vpn
client authentication list userauth
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile centralsoftclient
vrf Branch
match identity group branch-vpn
client authentication list userauth
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set SECURITYSET esp-aes esp-md5-hmac
mode tunnel
crypto ipsec transform-set branchtemp esp-aes esp-md5-hmac
mode tunnel
crypto dynamic-map branchvpn 10
set transform-set branchtemp
set isakmp-profile centralsoftclient
reverse-route
crypto dynamic-map vpnmap 10
set transform-set SECURITYSET
set isakmp-profile softclient
crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap ---> Normal VPN
crypto map vpnmap 20 ipsec-isakmp dynamic branchvpn --> IPSec Aware VPN
crypto map vpnmap
Configuration 2 - DVTI
crypto ipsec profile branchclient
set transform-set branchtemp
crypto isakmp profile centralsoftclient
vrf global
match identity group centralsTEMP-vpn
client authentication list userauth
isakmp authorization list groupauthor
client configuration address respond
virtual-template 2
interface Virtual-Template2 type tunnel
ip vrf forwarding branch
ip unnumbered GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile branchclient
Please advise if there is any VPN related configuration issue or a Zone based firewall issue.
Hi Marcin,
Thank you very much for your response and actually, we did open a TAC and the problem was resolved using Crypto Map dynamic configurations for both Standard and IPSec aware VPN's. Some specific policies on ZBF were tweaked (for example, echo-reply packet inspection was deleted (configured for Pass)) and also some access-lists which had unwanted entries were cleaned up.
Thanks again for your help.
Best Regards,
Mohan -
Hello to everyone,
I write because I have decided to pass from a cisco 2811 with ios 12.4/k9 to a cisco 1941 ios 15/k9, migrating configuration I have a problem with the ZBF.
I do not know if it's a problem of policy or differences between ios.
Could someone help me please?
Thank you all in advance
Regards,
Salvatore
Update: Configuration modified and IOS upgrade.
Salvatore,
I don't know what problem exactly you face with your ZBF, but this may help you troubleshooting your ZBF.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080a63b94.shtml
Thanks! -
Airport can no longer read or write the configuration of Time Capsule
I have a MacBook Pro running OSX 10.8.3 and maintained with all available patches. I have also a Time Capsule with version 7.6.3 of the firmware. I use AirPort 6.2. So everything seems to be updated with the latest versions.
This has really been a good setup for nearly a year now, but earlier this month Time Machine suddenly stopped working and could no longer do backups to the Time Capsule. I have tried to factory reset the Time Capsule several times, but I still get problems when writing the configuration to the Time Capsule. I get an error message saying "An error occurred while updating the configuration".
Airport is furthermore not able to detect the Time Capsule correctly anymore, so I have to configure it by entering the IP address. But after setting up WLAN, disks, etc. and enhancing the security, I just receive the error message when I try to write the config. The Internet connection works perfectly anyway, both via cable and wireless.
Anyone got any tips?
Do the setup by ethernet in full isolation from the network.
Start from a full factory reset.
I would recommend you take the firmware back to 7.6.1 or even earlier if the TC is older than 12 months. 7.5.2 was very reliable. All these bugs started with 7.6 and the change to Lion.
I would also recommend installing 5.6 utility.
How to load 5.6 into ML.
1. Download 5.6 for Lion.
http://support.apple.com/kb/DL1482
Click to open the dmg but do not attempt to install the pkg.. it won't work anyway.
2. Download and install unpkg.
http://www.timdoug.com/unpkg/
Run unpkg on the desktop.. it is very simple.. drag the AirPortUtility56.pkg file over to unpkg.. and it will create a new directory of the same name on the desktop.. drill down.. applications utilities .. there lo and behold is Airport utility 5.6 .. drag it to your main utilities directory or just run it from current location.
You cannot uninstall 6.1 (now 6.2 if you updated) so don't try.. and you cannot or should not run them both at the same time.. so just ignore the toyland version.. the plastic hammer.. and start using 5.6.. a real tool.
For screen shots see this post.
https://discussions.apple.com/thread/4668746?tstart=0 -
Error while Provisioning a user to Exchange:Configuration OIM 9.1 & JBOSS
Hi,
I am facing the below error while provisioning a user to Exchange. The Resource gets provisioned. But inside the resource, two tasks (Create User & Set Mailbox) are rejected. When I retry these tasks, the Resource status is set to Revoked in the Resource Profile of OIM. The AD Provisioning is working fine. There are 2 AD IT Resources here. Database is Oracle 10g.
Error:
2012-03-02 15:06:10,347 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[xlWebApp]] action: LogonAction: User 'RWFLORENCIO' logged on in session 8B825B2D391A654D975CDC91FECB5E8E
2012-03-02 15:06:34,712 INFO [STDOUT] Running GETFULLNAME
2012-03-02 15:06:34,712 INFO [STDOUT] Target Class = gitidm.LogProfileUser
2012-03-02 15:06:34,721 INFO [STDOUT] Running GETMANAGER
2012-03-02 15:06:34,721 INFO [STDOUT] Target Class = gitidm.LogProfileUser
2012-03-02 15:07:00,233 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzavri15-1iti
2012-03-02 15:07:00,233 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:07:00,233 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:07:55,208 INFO [STDOUT] Running IDMVALIDATION
2012-03-02 15:07:55,208 INFO [STDOUT] Target Class = gitidm.CustomApproval
2012-03-02 15:07:55,267 INFO [STDOUT] select USR_MANAGER_KEY from USR where USR_UDF_EMP_NO='540087'
2012-03-02 15:07:55,267 INFO [STDOUT] result : OK
2012-03-02 15:07:55,559 INFO [STDOUT] Running GETKEY
2012-03-02 15:07:55,559 INFO [STDOUT] Target Class = java.lang.String
2012-03-02 15:07:55,559 INFO [STDOUT] Running GETIH1
2012-03-02 15:07:55,559 INFO [STDOUT] Target Class = gitidm.CustomApproval
2012-03-02 15:07:55,614 INFO [STDOUT] select USR_MANAGER_KEY from USR where USR_UDF_EMP_NO='540087'
2012-03-02 15:08:00,207 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzavssb3-1itk
2012-03-02 15:08:00,207 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:08:00,207 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:08:16,901 INFO [STDOUT] Masuk exception
2012-03-02 15:08:16,988 DEBUG [org.jboss.ejb.StatelessSessionContainer] Useless invocation of remove() for stateless session bean
2012-03-02 15:08:17,000 DEBUG [org.jboss.ejb.StatelessSessionContainer] Useless invocation of remove() for stateless session bean
2012-03-02 15:08:17,016 DEBUG [org.jboss.ejb.StatelessSessionContainer] Useless invocation of remove() for stateless session bean
2012-03-02 15:08:17,030 DEBUG [org.jboss.ejb.StatelessSessionContainer] Useless invocation of remove() for stateless session bean
2012-03-02 15:08:17,046 DEBUG [org.jboss.ejb.StatelessSessionContainer] Useless invocation of remove() for stateless session bean
2012-03-02 15:08:17,304 INFO [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[xlWebApp]] action: LogonAction: User 'XELSYSADM' logged on in session 8B825B2D391A654D975CDC91FECB5E8E
2012-03-02 15:09:00,192 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzavu2lc-1itr
2012-03-02 15:09:00,192 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:09:00,193 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:09:16,525 INFO [STDOUT] Running TOLOWERCASE
2012-03-02 15:09:16,526 INFO [STDOUT] Target Class = java.lang.String
2012-03-02 15:09:16,642 INFO [STDOUT] Running TOLOWERCASE
2012-03-02 15:09:16,643 INFO [STDOUT] Target Class = java.lang.String
2012-03-02 15:09:17,139 INFO [STDOUT] Running CHECKCHILDOBJECT
2012-03-02 15:09:17,139 INFO [STDOUT] Target Class = gitidm.CheckEmptyChild
2012-03-02 15:09:17,217 INFO [STDOUT] Connected to IAM
2012-03-02 15:09:17,218 INFO [STDOUT] Query : select * from UD_EMAILOF join obi on obi.obi_key=UD_EMAILOF.obi_key join UD_MAILFOC on UD_MAILFOC.UD_EMAILOF_KEY=UD_EMAILOF.UD_EMAILOF_KEY where obi.req_key='44002'
2012-03-02 15:09:17,228 INFO [STDOUT] Total record : 1
2012-03-02 15:09:17,228 INFO [STDOUT] Is Admin not filled the child form ? FILLED
2012-03-02 15:09:17,231 INFO [STDOUT] Disconnected from IAM
2012-03-02 15:09:17,606 INFO [STDOUT] Running SETPROXYADDRESS
2012-03-02 15:09:17,607 INFO [STDOUT] Target Class = email.Provisioning
2012-03-02 15:09:17,622 INFO [STDOUT] SetProxyAddressForSubsidiary
2012-03-02 15:09:17,622 INFO [STDOUT] Running INSERTTOLOG
2012-03-02 15:09:17,623 INFO [STDOUT] Target Class = gitidm.LogProvisioning
2012-03-02 15:09:17,701 INFO [STDOUT] Query Log= insert into IDM_PROV_LOG values (sysdate,'Request for Email Account','RWFLORENCIO','rwflorencio','Set Proxy Address','FAILED','NO')
2012-03-02 15:09:18,870 INFO [STDOUT] Running CHANGEDOMAINUSER
2012-03-02 15:09:18,870 INFO [STDOUT] Target Class = adir.Provisioning
2012-03-02 15:09:18,945 INFO [STDOUT] Running GETDNUSERPLDT
2012-03-02 15:09:18,945 INFO [STDOUT] Target Class = email.Provisioning
2012-03-02 15:09:18,961 INFO [STDOUT] GetDN
2012-03-02 15:09:18,991 INFO [STDOUT] GETDN():CN=FLORENCIO\, Raul W.,OU=PLDT Non-Executives,OU=Test Area,DC=ISSecLAB,DC=NET
2012-03-02 15:09:18,991 INFO [STDOUT] Running ENABLEMAILBOXPLDT
2012-03-02 15:09:18,991 INFO [STDOUT] Target Class = email.Provisioning
2012-03-02 15:09:19,019 INFO [STDOUT] EnableMailbox
2012-03-02 15:09:19,020 INFO [STDOUT] user ssh ->Administrator
2012-03-02 15:09:50,426 INFO [STDOUT] error ->Could not connect for 30000 milliseconds
2012-03-02 15:09:51,428 INFO [STDOUT] Disconnected: 192.168.1.72. Press Enter to exit
2012-03-02 15:09:51,428 INFO [STDOUT] Running INSERTTOLOG
2012-03-02 15:09:51,428 INFO [STDOUT] Target Class = gitidm.LogProvisioning
2012-03-02 15:09:51,502 INFO [STDOUT] Query Log= insert into IDM_PROV_LOG values (sysdate,'Request for Email Account','RWFLORENCIO','rwflorencio','Enable Mailbox','FAILED','Could not connect for 30000 milliseconds')
2012-03-02 15:09:53,940 INFO [STDOUT] Running SETMAILBOX
2012-03-02 15:09:53,940 INFO [STDOUT] Target Class = email.Provisioning
2012-03-02 15:09:53,959 INFO [STDOUT] userssh ->Administrator
2012-03-02 15:09:53,959 INFO [STDOUT] userid ->ISSECLAB\Administrator
2012-03-02 15:10:00,461 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzavvd3h-1itu
2012-03-02 15:10:00,462 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:10:00,462 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:10:00,577 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzavvd6p-1itv
2012-03-02 15:10:00,577 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:10:00,578 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:10:00,865 INFO [ADAPTER.AUTH_AD] Start initiate reconciliation info user
2012-03-02 15:10:00,865 INFO [ADAPTER.AUTH_AD] Start initiate reconciliation
2012-03-02 15:10:07,034 INFO [STDOUT] select usr.usr_key,usr.usr_password from usr left join GIT_AUTH_AD on GIT_AUTH_AD.usr_key=usr.usr_key where usr.usr_password != GIT_AUTH_AD.USR_PASSWORD
2012-03-02 15:10:25,353 INFO [STDOUT] Could not connect for 30000 milliseconds
2012-03-02 15:10:26,357 INFO [STDOUT] Disconnected: 192.168.1.72. Press Enter to exit
2012-03-02 15:11:00,222 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzavwn7i-1itx
2012-03-02 15:11:00,223 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:11:00,223 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:11:51,773 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] run: IdleRemover notifying pools, interval: 450000
2012-03-02 15:12:00,219 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzavxxi3-1itz
2012-03-02 15:12:00,220 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:12:00,220 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:13:00,229 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzavz7t1-1iu2
2012-03-02 15:13:00,229 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:13:00,229 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:14:00,192 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw0i2o-1iu5
2012-03-02 15:14:00,192 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:14:00,193 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:14:02,974 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:02,974 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:02,975 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:02,975 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:02,975 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:53,473 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:53,473 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:53,474 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:53,474 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:14:53,474 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:15:00,249 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw1sex-1iu7
2012-03-02 15:15:00,249 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:15:00,249 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:15:00,591 INFO [ADAPTER.AUTH_AD] Start initiate reconciliation info user
2012-03-02 15:15:00,592 INFO [ADAPTER.AUTH_AD] Start initiate reconciliation
2012-03-02 15:15:00,727 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw1ss0-1iu9
2012-03-02 15:15:00,727 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:15:00,728 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:15:06,711 INFO [STDOUT] select usr.usr_key,usr.usr_password from usr left join GIT_AUTH_AD on GIT_AUTH_AD.usr_key=usr.usr_key where usr.usr_password != GIT_AUTH_AD.USR_PASSWORD
2012-03-02 15:15:18,066 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:15:18,075 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:15:18,075 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:15:18,076 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:15:18,076 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:16:00,220 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw32os-1iub
2012-03-02 15:16:00,221 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:16:00,221 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:16:00,536 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:16:00,537 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:16:00,537 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:16:00,538 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:16:00,539 WARN [XELLERATE.WEBAPP] TimeZone is not set for the browser's machine.
2012-03-02 15:17:00,200 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw4cyw-1iud
2012-03-02 15:17:00,200 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:17:00,201 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:18:00,209 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw5n9t-1iuf
2012-03-02 15:18:00,210 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:18:00,210 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:19:00,211 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw6xkj-1iuh
2012-03-02 15:19:00,212 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:19:00,212 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:19:21,833 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] run: IdleRemover notifying pools, interval: 450000
2012-03-02 15:20:00,500 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw8838-1iuk
2012-03-02 15:20:00,501 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:20:00,501 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:20:00,673 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw8881-1iul
2012-03-02 15:20:00,674 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:20:00,674 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:20:00,930 INFO [ADAPTER.AUTH_AD] Start initiate reconciliation info user
2012-03-02 15:20:00,931 INFO [ADAPTER.AUTH_AD] Start initiate reconciliation
2012-03-02 15:20:07,489 INFO [STDOUT] select usr.usr_key,usr.usr_password from usr left join GIT_AUTH_AD on GIT_AUTH_AD.usr_key=usr.usr_key where usr.usr_password != GIT_AUTH_AD.USR_PASSWORD
2012-03-02 15:21:00,306 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzaw9i8g-1iun
2012-03-02 15:21:00,306 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:21:00,306 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:22:00,281 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzawasih-1iup
2012-03-02 15:22:00,282 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:22:00,282 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:23:00,303 DEBUG [org.jboss.ejb.StatefulSessionContainer] Created new session ID: gzawc2tl-1iur
2012-03-02 15:23:00,304 DEBUG [org.jboss.ejb.StatefulSessionContainer] Using create method for session: public void com.thortech.xl.ejb.databeansimpl.tcDataBaseBean.ejbCreate() throws javax.ejb.CreateException
2012-03-02 15:23:00,304 DEBUG [org.jboss.proxy.ejb.ProxyFactory] seting invoker proxy binding for stateful session: stateful-unified-invoker
2012-03-02 15:23:27,310 INFO [STDOUT] Running CHANGEDOMAINUSER
2012-03-02 15:23:27,312 INFO [STDOUT] Target Class = adir.Provisioning
2012-03-02 15:23:27,413 INFO [STDOUT] Running GETDNUSERPLDT
2012-03-02 15:23:27,414 INFO [STDOUT] Target Class = email.Provisioning
2012-03-02 15:23:27,432 INFO [STDOUT] GetDN
2012-03-02 15:23:27,473 INFO [STDOUT] GETDN():CN=FLORENCIO\, Raul W.,OU=PLDT Non-Executives,OU=Test Area,DC=ISSecLAB,DC=NET
2012-03-02 15:23:27,473 INFO [STDOUT] Running ENABLEMAILBOXPLDT
2012-03-02 15:23:27,474 INFO [STDOUT] Target Class = email.Provisioning
2012-03-02 15:23:27,495 INFO [STDOUT] EnableMailbox
2012-03-02 15:23:27,496 INFO [STDOUT] user ssh ->Administrator
2012-03-02 15:23:55,851 WARN [org.jboss.tm.TransactionImpl] Transaction TransactionImpl:XidImpl[FormatId=257, GlobalId=oim1.isseclab.net/5544083, BranchQual=, localId=5544083] timed out. status=STATUS_ACTIVE
2012-03-02 15:23:55,874 WARN [XELLERATE.DATABASE] Trying to get the connection count : 0
2012-03-02 15:23:55,875 WARN [XELLERATE.DATABASE] Trying to get the connection count : 1
2012-03-02 15:23:55,876 WARN [XELLERATE.DATABASE] Trying to get the connection count : 2
2012-03-02 15:23:55,877 WARN [XELLERATE.DATABASE] Trying to get the connection count : 3
2012-03-02 15:23:55,878 WARN [XELLERATE.DATABASE] Trying to get the connection count : 4
2012-03-02 15:23:55,878 ERROR [XELLERATE.DATABASE] Class/Method: DirectDB/getConnection encounter some problems: Error while retrieving database connection.Please check for the follwoing
Database srever is running.
Datasource configuration settings are correct.
2012-03-02 15:23:55,878 ERROR [XELLERATE.DATABASE] Class/Method: tcDataBase/readPartialStatement encounter some problems: Got a null connection
java.sql.SQLException: Got a null connection
at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(Unknown Source)
at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.cache.CacheUtil.getSetCachedQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.insertImplementation(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.attestation.AttestationEngine.attestTask(Unknown Source)
at com.thortech.xl.attestation.AttestationEngine.updateResponses(Unknown Source)
at com.thortech.xl.ejb.beansimpl.AttestationOperationsBean.updateResponses(Unknown Source)
at com.thortech.xl.ejb.beans.AttestationOperationsSession.updateResponses(Unknown Source)
at sun.reflect.GeneratedMethodAccessor1129.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:237)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:158)
at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:169)
at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:138)
at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
at org.jboss.ejb.Container.invoke(Container.java:960)
at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:169)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:118)
at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:209)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:195)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:61)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:112)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
at $Proxy744.updateResponses(Unknown Source)
at Thor.API.Operations.AttestationOperationsClient.updateResponses(Unknown Source)
at sun.reflect.GeneratedMethodAccessor1128.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
at $Proxy785.updateResponses(Unknown Source)
at com.thortech.xl.schedule.tasks.tcTskSubmitAttestationRequets.execute(Unknown Source)
at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
2012-03-02 15:23:55,885 ERROR [XELLERATE.SERVER] Class/Method: tcDataObj/eventPreInsert encounter some problems: Data Access Error
com.thortech.xl.dataaccess.tcDataSetException: Data Access Error
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
at com.thortech.xl.cache.CacheUtil.getSetCachedQuery(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.eventPostInsert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
at com.thortech.xl.dataobj.tcScheduleItem.insertImplementation(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
at com.thortech.xl.attestation.AttestationEngine.attestTask(Unknown Source)
at com.thortech.xl.attestation.AttestationEngine.updateResponses(Unknown Source)
at com.thortech.xl.ejb.beansimpl.AttestationOperationsBean.updateResponses(Unknown Source)
at com.thortech.xl.ejb.beans.AttestationOperationsSession.updateResponses(Unknown Source)
at sun.reflect.GeneratedMethodAccessor1129.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:237)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:158)
at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:169)
at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:138)
at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
at org.jboss.ejb.Container.invoke(Container.java:960)
at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:169)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:118)
at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:209)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:195)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:61)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:112)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
Please help as it's really urgent!
Hey guys! 2 days and no replies yet. Please help me with this.
-
Configuring requirement : ordered item to absorb cost of free goods
Hello Friends,
I need to configure this in SAP SD.
The main item should accumulate the cost of the free goods.
I have set the cumulative indicator and deactivated pricing for this item.
Do I still need to configure the stock value for the free goods as cost free item? Or is this step only applicable for
another scenario, like,
If I were to activate Pricing such that free goods is displayed as subitem and VPRS configured as cost and discount set to 100%
1. Set Item category to TANN using FREE usage AND
2. use condition type RL00 with requirement 55.
3. use pricing type B.
regards
Ravi
Read this SAP help at http://help.sap.com/saphelp_47x200/helpdata/en/dd/55fa4e545a11d1a7020000e829fd11/frameset.htm and the topic Free Goods in Sales and Distribution Processing for details.
Also go through each step of the configuration of the path at SPRO->Sales and distribution->basic functions->free goods.
Regards, -
Partner application configuration is missing error on SSO login page
We have APEX 3.1.2 set up as a partner application and an application within APEX set up to use SSO for authentication. Following a link to the APEX application redirects to the Single Sign-On page, as it should, but it also shows "Error: The partner application configuration is missing or expired." I type in my password and username, click the Login button, and (if I entered my username and password correctly, of course!) then the APEX application is shown. So, I cannot figure out why we're getting the no_papp_err error and I have not found any solutions to that issue on Metalink or anywhere else on the Internet. Any ideas? I'm concerned that we have a misconfiguration somewhere that is causing this error and will affect any other partner application we set up in the future.
We're on Oracle Portal 10.1.4, SSO 10.1.2, and SSL is set up on both infra and mid tiers.
Did you try checking the partner application entries on the SSO-login server page?
Please log in as orcladmin or some other user with membership in, I believe, iasadmins group. Verify that for this partner application, what you see here corresponds to the application URL. It looks like your login page call may have issues, so check for login URL too.
Also check the ORASSO.WWSSO_LS_CONFIGURATION_INFO$ for entries corresponding to Apex application.
-
SharePoint Foundation 2013 - Search Configuration Issue - 2 App Servers and 2 Front-End Servers
Hi,
We have a SharePoint Foundation 2013 with SP1 Environment.
In that, we have 2 Front-End Servers and 2 App Servers. In the Front-End Servers, the Search Service is stopped and is in Disabled state and in the 2 App Servers in One App Server, Search is Online and in another Search is Starting but goes to Stopped soon after.
Originally, we had only 1 App Server and we were running our Search Service and Search Service Application in that. Now since the index location became full and we were unable to increase the drive there, we added one more App Server and now the issue is Search is not properly getting configured in either of these App servers. What we want to do is run Search only in the new App Server, because we have a lot of storage space for Index locations here, but in the older App Server, not run Search at all. We tried keeping the Search Service disabled and ran the below PowerShell Scripts, but none of the ones are working. These scripts are creating the Search Service Application, but the error of "Admin Component is not Online", "Could not connect to the machine hosting SharePoint 2013 admin component" is coming up.
http://www.funwithsharepoint.com/provision-search-for-sharepoint-foundation-2013-using-powershell-with-clean-db-names/
http://blog.falchionconsulting.com/index.php/2013/02/provisioning-search-on-sharepoint-2013-foundation-using-powershell/
http://blog.ciaops.com/2012/12/search-service-on-foundation-2013.html
Can I get some help please?
Karthick S
Hi Karthick,
For your issue, could you provide the detailed error message of the ULS log to determine the exact cause of the error?
For SharePoint 2013, by default, ULS log is at
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS
For troubleshooting your issue, you can try to run the SharePoint Products Configuration Wizard on your WFE servers and run the script for configuring the search service on SharePoint Foundation:
# Load the SharePoint cmdlets when not running inside the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

[string]$farmAcct = "DOMAIN\service_Account"
[string]$serviceAppName = "Search Service Application"

Function WriteLine
{
    Write-Host -ForegroundColor White "--------------------------------------------------------------"
}

Function ActivateAndConfigureSearchService
{
    Try
    {
        # Based on this script : http://blog.falchionconsulting.com/index.php/2013/02/provisioning-search-on-sharepoint-2013-foundation-using-powershell/
        Write-Host -ForegroundColor White " --> Configure the SharePoint Foundation Search Service -", $env:computername
        # Start the search services on the server this script runs on
        Start-SPEnterpriseSearchServiceInstance $env:computername
        Start-SPEnterpriseSearchQueryAndSiteSettingsServiceInstance $env:computername
        # Create the application pool under the managed farm account
        $appPool = Get-SPManagedAccount -Identity $farmAcct
        New-SPServiceApplicationPool -Name SeachApplication_AppPool -Account $appPool -Verbose
        $saAppPool = Get-SPServiceApplicationPool -Identity SeachApplication_AppPool
        $svcPool = $saAppPool
        $adminPool = $saAppPool
        $searchServiceInstance = Get-SPEnterpriseSearchServiceInstance $env:computername
        $searchService = $searchServiceInstance.Service
        # Call the non-public CreateApplicationWithDefaultTopology method through reflection
        $bindings = @("InvokeMethod", "NonPublic", "Instance")
        $types = @([string],
            [Type],
            [Microsoft.SharePoint.Administration.SPIisWebServiceApplicationPool],
            [Microsoft.SharePoint.Administration.SPIisWebServiceApplicationPool])
        $values = @($serviceAppName,
            [Microsoft.Office.Server.Search.Administration.SearchServiceApplication],
            [Microsoft.SharePoint.Administration.SPIisWebServiceApplicationPool]$svcPool,
            [Microsoft.SharePoint.Administration.SPIisWebServiceApplicationPool]$adminPool)
        $methodInfo = $searchService.GetType().GetMethod("CreateApplicationWithDefaultTopology", $bindings, $null, $types, $null)
        $searchServiceApp = $methodInfo.Invoke($searchService, $values)
        $searchProxy = New-SPEnterpriseSearchServiceApplicationProxy -Name "$serviceAppName - Proxy" -SearchApplication $searchServiceApp
        $searchServiceApp.Provision()
    }
    catch [system.exception]
    {
        Write-Host -ForegroundColor Yellow " ->> Activate And Configure Search Service caught a system exception"
        Write-Host -ForegroundColor Red "Exception Message:", $_.Exception.ToString()
    }
    finally
    {
        WriteLine
    }
}

ActivateAndConfigureSearchService
Reference:
https://sharepointpsscripts.codeplex.com/releases/view/112556
Thanks,
Eric