Zone IP address
hey all,
i have managed to set up zones on my solaris host but the ip addresses i assign them cant be pinged! i get "host unreachable from gateway...."
the global zone ip is 192.168.0.1 and the zone ip is 192.168.0.15. I tried setting up the global zone to be the network server but still no connection.
any help?
Here is the out-put:
global zone
ifconfig -a
lo0: flags=2001000849<UP, LOOPBACK, RUNNING, MULTICAST, IPv4, VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP, LOOPBACK, RUNNING, MULTICAST, IPv4, VIRTUAL> mtu 8232 index 1
zone zone2
inet 192.168.10.11 netmask ffffff00
lo0:2: flags=2001000849<UP, LOOPBACK, RUNNING, MULTICAST, IPv4, VIRTUAL> mtu 8232 index 1
zone zone2
inet 127.0.0.1 netmask ff000000
lo0:3: flags=2001000859<UP, POINTOPOINT, LOOPBACK, RUNNING, MULTICAST, IPv4, VIRTUAL> mtu 8232 index 1
inet 192.168.10.1 --> 127.0.0.1 netmask ffffff00
zone2
ifconfig -a
lo0:1 flags=2001000849<UP, LOOPBACK, RUNNING, MULTICAST, IPv4, VIRTUAL> mtu 8232 index 1
inet 192.168.10.11 netmask ffffff00
ifconfig -a
lo0:2 flags=2001000849<UP, LOOPBACK, RUNNING, MULTICAST, IPv4, VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
here is the out-put for netstat -r
global zone
netstat -r
Destination Gateway Flags Ref Use Interface
224.0.0.0 jsolaris U 1 0 lo0:3
localhost localhost UH 31 234 lo0
zone2
netstat -r
224.0.0.0 192.168.10.11 U 1 0 lo0:1
localhost localhost UH 3 8 lo0:2
I hope that will help.
thanks
Similar Messages
-
Time zone in Vendor master address
Hi
Our client is sending some data with the message type ADRMS. It contains the valueof Time zone also.
But when we display the vendor through transaction XK03, it does not show the value of time zone in address view.
Could you all please help me that where we maintain the value of time zone in vendor master.
Thanks & Regards
ShilpiIn vendor master in the Address view at street adreess you will find Time zone.just go to xk02 and if you still doesn't find then there you will find a More fields icon (a plus icon in a box).In it you will find it.it should be remembered that entry of country and region is must.
If you still doesnot find then go to spro@financial accounting@accounts receivable and payable@vendor accounts@master data@preparation of creating master dat@define account group with screen layout@here double click on the vendor account group and further double click on general data.Again double click on address and check whether Time zone is suppressed and if suppressed then make it optional.
regards,
indranil -
I am encountering a strange behavior in new zones created using zonemgr 2.0.6 (this is the only way I create zones, so I do not know if the issue is more general). When I create a new zone, two strange things are happening:
1. Immediately after the zone is created, no services are running, not even ssh
2. About 10 minutes later, a whole bunch of services are running. Most of these are not running on the global zone.
For reference, nmap output on the global zone is the following:
[dcomsm1@dcomsm1:~] $ nmap t2000
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 20:51 EST
Interesting ports on 131.247.16.134:
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2161/tcp open apc-agent
3052/tcp open powerchute
4045/tcp open lockd
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
The new zone is created using the following zonemgr arguments:
[root@t2000:~/zonecfgs] # more ./temp.sh
#!/usr/bin/bash
./zonemgr -a add -n drenkhah -z "/export/zones" -P "root_pw" -I "131.247.16.159|e1000g0|25|drenkhah" -R "/root|/usr/bin/bash" -s "basic|lock"
zone creation output is as follows:
[root@t2000:~/zonecfgs] # ./temp.sh
Checking to see if the zone IP address (131.247.16.159) is already in use...IP is available.
cannot create '/drenkhah': leading slash in name
chmod: WARNING: can't access /export/zones/drenkhah
chown: /export/zones/drenkhah: No such file or directory
Zone drenkhah will be placed in the following directory: /export/zones/drenkhah
Preparing to install zone <drenkhah>.
Creating list of files to copy from the global zone.
Copying <2568> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1042> packages on the zone.
Initialized <1042> packages on zone.
Zone <drenkhah> is initialized.
The file </export/zones/drenkhah/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
Creating the sysidcfg file for automated zone configuration.
Booting zone for the first time.
Waiting for first boot tasks to complete.
Waiting for automatic post-install reboot to complete
Updating netmask information.
Updating /etc/inet/hosts of the global zone with the drenkhah IP information.
Generating ssh host keys. Details in the (/root/.zonemgr/zone28330-ssh.log) file.
svcadm: Pattern 'svc:/network/ssh' doesn't match any instances
Setting the root user's home directory to /root
Setting the root user's shell to /usr/bin/bash
Disabling un-necessary services via basic method for the default services.
Zone drenkhah is complete and ready to use.
nmap output just after creating the zone is as follows:
[dcomsm1@dcomsm1:~] $ nmap drenkhah
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 17:53 EST
All 1000 scanned ports on 131.247.16.159 are closed
Nmap done: 1 IP address (1 host up) scanned in 29.39 seconds
nmap output 17 minutes later is as follows:
[dcomsm1@dcomsm1:~] $ nmap drenkhah
Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 18:10 EST
Interesting ports on 131.247.16.159:
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
587/tcp open submission
4045/tcp open lockd
6112/tcp open dtspc
6788/tcp open unknown
6789/tcp open ibm-db2-admin
7100/tcp open font-service
Nmap done: 1 IP address (1 host up) scanned in 29.25 seconds
Note that there are many open ports
# uname -a
SunOS t2000 5.10 Generic_137137-09 sun4v sparc SUNW,Sun-Fire-T200
Thanks
ManishThe Leopard OS X firewall is application based and not port based. Honestly, I haven't played with it enough to know for certain how to answer your question.
But... when you do connection sharing, you're essentially doing a port based NAT for the systems on the other side of your Mac. This pretty much keeps you from initiating anything to the other system even without a local firewall unless you were to configure port forwarding.
As for blocking packets, you would need to use the 'ipfw' command to do things at the port level. -
How to add network information for failover zones with logical hostname?
Hello!
As stated in [http://docs.sun.com/app/docs/doc/819-3069/ds_template-21?a=view] I must not configure network addresses for a zone when I manage these with a logical hostname:
If you require the SUNW.LogicalHostName resource type to manage all the zone's addresses, configure a SUNW.LogicalHostName resource with a list of the zone`s addresses and do not configure them by using the zonecfg utility.But when I start the zone for the first time using "zlogin -C" it does not ask me any questions about the network. Of course, there is no adapter configured. But how do I add information like routes or nameservers to the system when using a logical hostname?
TIA
StephanHi Stephan,
I can only assume that when the zone was configured via zonecfg without any network interfaces that sysidcfg did not ask you for the default route or name service, as such you will need to setup those parts up manually.
Please take a look at the FAQs for zones, i.e. http://opensolaris.org/os/community/zones/faq/ in particular
http://opensolaris.org/os/community/zones/faq/#u5
http://opensolaris.org/os/community/zones/faq/#cfg_defroute
Finally, if you require a NIS client then please see http://docs.sun.com/app/docs/doc/816-5166/ypinit-1m?a=view
Regards
Neil -
I have a V20z running a global zone on an IANA private network of 172.30.0.x and nic bge0
I also have a non-global zone on a public IP of 207.246.20.169 and nic bge1.
I am unable to ping from one zone to the next via a gateway. Normally the global zone would use a standard gateway for that network and my public network would also use a standard gateway for that network.
What appears to be happening is that despite what is in my /etc/defaultrouter the zone itself is the gateway.
For example, to ping something from either zone which would require the gateway results in:
ICMP Host Unreachable from gateway 'zone name' (zone ip address)
What I want to happen is that the global zone honors the gateway that is normally used in this network and the non-global zone uses/honors the gateway that is normally used in that network.
It doesn't seem to matter if I have the normal internal gateway in my /etc/defaultrouter or if I have the normal public gateway in /etc/defaultrouter or if I have both in /etc/defaultrouter (all in the global zone of course).
Do I need to use routed to achieve this? Am I missing something here?I hammered the problem out by adding a static route in the global zone:
route add 172.30.0.0 207.246.20.161
Where 207.246.20.161 is my gateway on the public side.
I slapped this into an /etc/init.d script in the global zone and ran it from /etc/rc2.d like the article below suggests:
http://www.sun.com/bigadmin/content/submitted/persistent_routing.html -
Scalable service instance deregistered on multi-zone cluster
I have a pair of systems clustered with multiple zones configured on each. The zones are not clustered, however the dataservices are run on the zones in pairs. Some services are failover, some are scalable.
The problem arises with the scalable resources. There are multiple instances of the same application running on different zones (by intances I mean dev on one pair, tst on another pair, etc.). These instances all use the same ports on different IP addresses, where the IPs are configured as shared addresses. If I stop the application on one zone the ports that it uses will be deregistered on all of the zones therefore killing instances that I'm not working on. This problem happens even for instances of the application which have not yet been configured into the cluster as dataservices. This defeats the purpose of having zones if I can't work on them in isolation.
I could cluster the zones, but I have no need to fail over the whole zone, and I need to have both failover and scalable resources so I'd need double the number of zones if I clustered the zones themselves.
If anyone has some thoughts I'd appreciate it.
Edited by: taccooper on Dec 8, 2009 10:14 AMHi,
you are hitting a restriction with scalable addresse and normal zones (zone nodes), let me elaborate a bit.
Sun Cluster is supporting 3 type of local zone models.
1. the failover zoone, where a zone is installed on shared storage and is failed over between the nodes. Note that sclabel addresse do not work here.
2. zone nodes you are failing over resource groups between zones, scalable addresses are supported here, but you can have one port bound to only one address.
3. zone clusters, in a zone cluster you have an almost complete cluster running between th zones. the zone clustrs are isolated against each other. Here you are completely free in deploying scalble address. The zones of a zone cluster are from the special brand cluster.
You have configured model 2, but you need model 3 to deploy what you want. The bad news is that you have to delete your zones and reinstall them with the clzonecluster utility. If you do not want this you must configure different ports between the multiple instances of your application. This is the only way to keep model two.
Hope that helps
Detlef -
Why wont my DMVPN get phased 1 isakmp?
I’m trying to setup a DMVPN solution with the hub behind a firewall using a static 1 to 1 NAT.
I can get the DMVPN to work fine, but once I add the ipsec policy it doesn’t go passed ISAKMP phase 1.
I have put rules in the firewall to allow NAT-T, GRE tunnels, ESP and AH, I have also put in a allow any any rule just in case I missed something! I was getting a NAT-T issue but then put in the command line no crypto ipsec nat-transparency udp-encapsulation and this solved the issue and ISAKMP phase 1 completed. I have also tried changing the mode from tunnel to transport and back again.
I have tried crypto maps as I wasn’t sure if it was a UDP header issue due to the NAT’ing
My setup is as follows:
Cisco 1941--------JUNIPER SXR-------CLOUD--------Cisco 382
(HUB) (FIREWALL) (SW 3750) (SPOKE)
(STATIC 1 2 1 NAT)
--------------HUB--------------------------
Cisco 1941 - HUB
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
version 15.2
crypto isakmp policy 1
authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile TTCP_PRO
set transform-set TTCP_SET
interface Tunnel12345
description DMVPN TUNNEL
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 12345
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TTCP_PRO
interface GigabitEthernet0/0
description LINK TO FW ON VLAN 1960
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.20.254 255.255.255.0
duplex auto
speed auto
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.168.10.254
----------------------Spoke--------------------------
cisco 3825 - Spoke
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
version 15.1
crypto isakmp policy 1
authentication pre-share
crypto isakmp key TTCP_KEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3
crypto isakmp nat keepalive 200
crypto ipsec transform-set TTCP_SET esp-aes esp-sha-hmac
mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile TTCP_PRO
set transform-set TTCP_SET
interface Tunnel12345
description DMVPN TUNNEL
ip address 10.10.10.2 255.255.255.0
no ip redirects
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 1.1.1.1
ip nhrp network-id 12345
ip nhrp nhs 10.10.10.1
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile TTCP_PRO
interface GigabitEthernet0/0
description LINK TO INTERNET
ip address 2.2.2.2 255.255.255.0
duplex auto
speed auto
media-type rj45
interface GigabitEthernet0/1
ip address 192.168.30.1 255.255.255.0
duplex auto
speed auto
media-type rj45
router ospf 1
network 10.10.10.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 2.2.2.3
------------------------FIREWALL---------------------------
[edit]
Admin@UK_FIREWALL# show
## Last changed: 2014-07-23 19:54:53 UTC
version 10.4R6.5;
system {
host-name FIREWALL;
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
https {
system-generated-certificate;
interface vlan.0;
dhcp {
router {
192.168.20.254;
pool 192.168.20.0/24 {
address-range low 192.168.20.20 high 192.168.20.250;
default-lease-time 3600;
propagate-settings vlan.1960;
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 1.1.1.1/24;
ge-0/0/7 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan1960;
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
unit 1960 {
family inet {
address 192.168.10.254/24;
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.2;
protocols {
stp;
security {
nat {
static {
rule-set STATIC_NAT_RS1 {
from zone untrust;
rule NAT_RULE {
match {
destination-address 1.1.1.1/32;
then {
static-nat prefix 192.168.10.10/32;
screen {
ids-option untrust-screen {
icmp {
ping-death;
ip {
source-route-option;
tear-drop;
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
land;
zones {
security-zone trust {
address-book {
address SERVER-1 192.168.10.10/32;
host-inbound-traffic {
system-services {
all;
protocols {
all;
interfaces {
vlan.1960 {
host-inbound-traffic {
system-services {
dhcp;
all;
ike;
protocols {
all;
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
all;
ike;
protocols {
all;
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
all;
ike;
protocols {
all;
policies {
from-zone trust to-zone untrust {
policy PERMIT_ALL {
match {
source-address SERVER-1;
destination-address any;
application any;
then {
permit;
policy ALLOW_ESP {
match {
source-address any;
destination-address any;
application ESP;
then {
permit;
policy ALLOW_IKE_500 {
match {
source-address any;
destination-address any;
application junos-ike;
then {
permit;
policy ALLOW_PING {
match {
source-address any;
destination-address any;
application junos-icmp-ping;
then {
permit;
policy ALLOW_NAT-T {
match {
source-address any;
destination-address any;
application junos-ike-nat;
then {
permit;
policy ALLOW_GRE {
match {
source-address any;
destination-address any;
application junos-gre;
then {
permit;
policy AH_51 {
match {
source-address any;
destination-address any;
application AH_PO_51;
then {
permit;
policy ANY_ANY {
match {
source-address any;
destination-address any;
application any;
then {
permit;
from-zone untrust to-zone trust {
policy ACCESS {
match {
source-address any;
destination-address SERVER-1;
application any;
then {
permit;
policy ALLOW_ESP {
match {
source-address any;
destination-address any;
application any;
then {
permit;
policy ALLOW_IKE_500 {
match {
source-address any;
destination-address any;
application junos-ike;
then {
permit;
policy ALLOW_PING {
match {
source-address any;
destination-address any;
application any;
then {
permit;
policy ALLOW_GRE {
match {
source-address any;
destination-address any;
application junos-gre;
then {
permit;
policy ALLOW_NAT-T {
match {
source-address any;
destination-address any;
application junos-ike-nat;
then {
permit;
policy AH_51 {
match {
source-address any;
destination-address any;
application AH_PO_51;
then {
permit;
policy ANY_ANY {
match {
source-address any;
destination-address any;
application any;
then {
permit;
applications {
application ESP protocol esp;
application AH_PO_51 protocol ah;
vlans {
vlan-trust {
vlan-id 3;
vlan1960 {
vlan-id 1960;
interface {
ge-0/0/7.0;
l3-interface vlan.1960;
------------------------------DEBUG------------------------------
-----------Cisco 1941-----------------
HUB#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.10.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
UK_HUB#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
UK_HUB# debug dm al al
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is OFF
*Jul 25 12:22:39.036: NHRP RIB_RWATCH: Debugging is ON
*Jul 25 12:22:58.976: ISAKMP:(1006):purging node 1130853900
*Jul 25 12:23:14.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP: set new node 670880728 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006): processing HASH payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006): processing SA payload. message ID = 670880728
*Jul 25 12:23:14.708: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:14.708: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:14.708: ISAKMP: attributes in transform:
*Jul 25 12:23:14.708: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:14.708: ISAKMP: SA life type in seconds
*Jul 25 12:23:14.708: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:14.708: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:14.708: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:14.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:14.708: ISAKMP: key length is 128
*Jul 25 12:23:14.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:14.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:14.708: map_db_find_best did not find matching map
*Jul 25 12:23:14.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:14.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:14.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:14.708: ISAKMP: set new node 2125889339 to QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:14.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:14.708: ISAKMP:(1006):purging node 2125889339
*Jul 25 12:23:14.708: ISAKMP:(1006):deleting node 670880728 error TRUE reason "QM rejected"
*Jul 25 12:23:14.708: ISAKMP:(1006):Node 670880728, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:14.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jul 25 12:23:28.976: ISAKMP:(1006):purging node 720369228
*Jul 25 12:23:44.704: ISAKMP (1006): received packet from 2.2.2.2 dport 500 sport 500 Global (R) QM_IDLE
*Jul 25 12:23:44.704: ISAKMP: set new node -1528560613 to QM_IDLE
*Jul 25 12:23:44.704: ISAKMP:(1006): processing HASH payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006): processing SA payload. message ID = 2766406683
*Jul 25 12:23:44.704: ISAKMP:(1006):Checking IPSec proposal 1
*Jul 25 12:23:44.704: ISAKMP: transform 1, ESP_AES
*Jul 25 12:23:44.704: ISAKMP: attributes in transform:
*Jul 25 12:23:44.704: ISAKMP: encaps is 2 (Transport)
*Jul 25 12:23:44.704: ISAKMP: SA life type in seconds
*Jul 25 12:23:44.704: ISAKMP: SA life duration (basic) of 3600
*Jul 25 12:23:44.704: ISAKMP: SA life type in kilobytes
*Jul 25 12:23:44.704: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 25 12:23:44.708: ISAKMP: authenticator is HMAC-SHA
*Jul 25 12:23:44.708: ISAKMP: key length is 128
*Jul 25 12:23:44.708: ISAKMP:(1006):atts are acceptable.
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1
*Jul 25 12:23:44.708: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.10.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0,
remote_proxy= 2.2.2.2/255.255.255.255/47/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:23:44.708: map_db_find_best did not find matching map
*Jul 25 12:23:44.708: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jul 25 12:23:44.708: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
*Jul 25 12:23:44.708: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 2.2.2.2)
*Jul 25 12:23:44.708: ISAKMP: set new node 1569673109 to QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 838208952, message ID = 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 25 12:23:44.708: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:23:44.708: ISAKMP:(1006):purging node 1569673109
*Jul 25 12:23:44.708: ISAKMP:(1006):deleting node -1528560613 error TRUE reason "QM rejected"
*Jul 25 12:23:44.708: ISAKMP:(1006):Node 2766406683, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 25 12:23:44.708: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
---------Cisco 3825------------------
SPOKE_1#sh dm
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface: Tunnel12345, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 1.1.1.1 10.10.10.1 IPSEC 1d22h S
SPOKE_1#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1006 ACTIVE
IPv6 Crypto ISAKMP SA
SPOKE_1#debug dm all all
*Jul 25 12:50:23.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:23.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:23.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:23.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:23.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 1627587566
*Jul 25 12:50:23.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:23.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:23.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:23.520: ISAKMP:(1006):Node 1627587566, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:23.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:23.524: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:23.524: ISAKMP: set new node -1682318828 to QM_IDLE
*Jul 25 12:50:23.524: ISAKMP:(1006): processing HASH payload. message ID = 2612648468
*Jul 25 12:50:23.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 484617190, message ID = 2612648468, sa = 0x70B05F14
*Jul 25 12:50:23.524: ISAKMP:(1006): deleting spi 484617190 message ID = 1627587566
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node 1627587566 error TRUE reason "Delete Larval"
*Jul 25 12:50:23.524: ISAKMP:(1006):deleting node -1682318828 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:23.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:23.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 25 12:50:34.972: NHRP: Setting retrans delay to 64 for nhs dst 10.10.10.1
*Jul 25 12:50:34.972: IPSEC-IFC MGRE/Tu12345(2.2.2.2/1.1.1.1): connection lookup returned 691EDEF4
*Jul 25 12:50:34.972: NHRP: Attempting to send packet via DEST 10.10.10.1
*Jul 25 12:50:34.972: NHRP: NHRP successfully resolved 10.10.10.1 to NBMA 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Encapsulation succeeded. Tunnel IP addr 1.1.1.1
*Jul 25 12:50:34.972: NHRP: Send Registration Request via Tunnel12345 vrf 0, packet size: 92
*Jul 25 12:50:34.972: src: 10.12.34.1, dst: 10.10.10.1
*Jul 25 12:50:34.972: (F) afn: IPv4(1), type: IP(800), hop: 255, ver: 1
*Jul 25 12:50:34.972: shtl: 4(NSAP), sstl: 0(NSAP)
*Jul 25 12:50:34.972: pktsz: 92 extoff: 52
*Jul 25 12:50:34.972: (M) flags: "unique nat ", reqid: 65537
*Jul 25 12:50:34.972: src NBMA: 2.2.2.2
*Jul 25 12:50:34.972: src protocol: 10.12.34.1, dst protocol: 10.10.10.1
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 7200
*Jul 25 12:50:34.972: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Jul 25 12:50:34.972: Responder Address Extension(3):
*Jul 25 12:50:34.972: Forward Transit NHS Record Extension(4):
*Jul 25 12:50:34.972: Reverse Transit NHS Record Extension(5):
*Jul 25 12:50:34.972: NAT address Extension(9):
*Jul 25 12:50:34.972: (C-1) code: no error(0)
*Jul 25 12:50:34.972: prefix: 32, mtu: 17916, hd_time: 0
*Jul 25 12:50:34.972: addr_len: 4(NSAP), subaddr_len: 0(NSAP), proto_len: 4, pref: 0
*Jul 25 12:50:34.972: client NBMA: 1.1.1.1
*Jul 25 12:50:34.972: client protocol: 10.10.10.1
*Jul 25 12:50:34.972: NHRP: 116 bytes out Tunnel12345
*Jul 25 12:50:34.972: NHRP-RATE: Retransmitting Registration Request for 10.10.10.1, reqid 65537, (retrans ivl 64 sec)
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 1566291204
*Jul 25 12:50:36.132: ISAKMP:(1006):purging node 742410882
*Jul 25 12:50:53.520: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1)
*Jul 25 12:50:53.520: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 25 12:50:53.520: ISAKMP: set new node 0 to QM_IDLE
*Jul 25 12:50:53.520: SA has outstanding requests (local 112.176.96.152 port 500, remote 112.176.96.124 port 500)
*Jul 25 12:50:53.520: ISAKMP:(1006): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 25 12:50:53.520: ISAKMP:(1006):beginning Quick Mode exchange, M-ID of 2055556995
*Jul 25 12:50:53.520: ISAKMP:(1006):QM Initiator gets spi
*Jul 25 12:50:53.520: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Jul 25 12:50:53.520: ISAKMP:(1006):Node 2055556995, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 25 12:50:53.520: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 25 12:50:53.520: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Jul 25 12:50:53.520: ISAKMP: set new node -1428573279 to QM_IDLE
*Jul 25 12:50:53.524: ISAKMP:(1006): processing HASH payload. message ID = 2866394017
*Jul 25 12:50:53.524: ISAKMP:(1006): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2888331328, message ID = 2866394017, sa = 0x70B05F14
*Jul 25 12:50:53.524: ISAKMP:(1006): deleting spi 2888331328 message ID = 2055556995
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node 2055556995 error TRUE reason "Delete Larval"
*Jul 25 12:50:53.524: ISAKMP:(1006):deleting node -1428573279 error FALSE reason "Informational (in) state 1"
*Jul 25 12:50:53.524: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 25 12:50:53.524: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETESome time ago I was running a similar setup, but the firewall was an ASA, not a Juniper.
Some comments:
You shouldn't disable NAT-transparence. It should work with the default-setting which is "enabled"
The firewall only has to allow UDP/500 and UDP4500. It will never see any other traffic between the hub and spoke.
The firewall shouldn't do any inspections etc. on the traffic to the hub.
You shouldn't use wildcard-PSKs. The better solution is to use digital certificates.
You probably need some MTU/MSS-settings like "ip mtu 1400" and "ip tcp adjust mss 1360".
For running ospf through DMVPN make sure the Hub is the DR and set the network-type to broadcast. -
Designjet 120 won't print - please read maintenance log and advise
Here is the maintenance log. Printer has been unused in a while. Says ink is full.
system maintenance for hp designjet 120nr
get printer information
Printer Identification Section
Printer model name: hp designjet 120nr Printer model number: C7791B Printer serial number: SG33A1806Q Firmware release: A.02.05 Service id: 13362 Type ROM: Flash ARSS present: Yes SN: 030320 Revision: 101 Num I/O cards present: 1
Printer Status Section
Date: 02-24-2011 Printer Status: warning 01 Printhead Alignment: No Factory Paper Advance Calibration: Yes Custom Paper Advance Calibration: None Printer Latest Errors:
# 0 08601 A.02.05 SM: 03 [tError (arriageCtrl.c : 0443)] 02-23-2011 Page# 676
# 1 08101 A.02.05 SM: 01 [tError (l/PaperCtrl.c : 0321)] Date unknown Page# 669
# 2 05610 A.02.05 SM: 02 [isp_mech (MediaDevice.c : 0473)] 07-24-2004 Page# 345
# 3 08101 A.02.05 SM: 02 [isp_mech (l/PaperCtrl.c : 0321)] Date unknown Page# 340
# 4 05610 A.02.05 SM: 02 [isp_mech (MediaDevice.c : 0473)] 07-19-2004 Page# 340
# 5 04210 A.02.05 SM: 01 [tError (s/MotorPhys.c : 0040)] Date unknown Page# 292
# 6 08101 A.02.05 SM: 06 [tError (l/PaperCtrl.c : 0321)] 06-03-2004 Page# 292
# 7 08601 A.02.05 SM: 06 [isp_mech (arriageCtrl.c : 0443)] 06-03-2004 Page# 287
# 8 08101 A.02.05 SM: 02 [tError (l/PaperCtrl.c : 0321)] Date unknown Page# 72
# 9 08601 A.02.05 SM: 02 [tError (arriageCtrl.c : 0443)] Date unknown Page# 56
Printer Latest Warnings:
# 0 09212 A.02.05 SM: 06 [Switcher (SP/spTransf.c : 0716)] 04-21-2005 Page# 525
# 1 09202 A.02.05 SM: 06 [Switcher (SP/spTransf.c : 0716)] 02-12-2004 Page# 237
# 2 09404 A.02.05 SM: 06 [Switcher (SP/spTransf.c : 0716)] 12-04-2003 Page# 82
# 3 08101 A.02.05 SM: 05 [tCLC (ion/clcPlot.c : 0299)] 12-03-2003 Page# 43
# 4 09242 A.02.05 SM: 06 [Switcher (SP/spTransf.c : 0716)] 09-24-2003 Page# 22
# 5
# 6
# 7
# 8
# 9
Latest Print Jobs:
# 0 "Unnamed Job " PMode: plain_fast Page# 678
# 1 "FlexiSIGN-PRO - " PMode: plain_normal Page# 677
# 2 "untitled " PMode: plain_normal Page# 676
# 3 "untitled " PMode: plain_normal Page# 673
# 4 "untitled " PMode: plain_normal Page# 671
# 5 "Test Page " PMode: Page# 669
# 6 "Classroom Signs " PMode: plain_normal Page# 668
# 7 "Classroom Signs " PMode: plain_normal Page# 667
# 8 "Classroom Signs " PMode: plain_normal Page# 666
# 9 "Classroom Signs " PMode: plain_normal Page# 665
Printer Usage Section
Total Ink Consumed: K= 91 cc C= 61 cc M= 84 cc Y= 123 cc LC= 133 cc LM= 121 cc Print Heads used by color: K= 2 C= 2 M= 2 Y= 2 LC= 2 LM= 2 Total Page Count: 678 Scan Axis Usage: 0 % Paper Axis Usage: 4 % Service Station Usage: 2 % Carriage Usage: 0 % Tube Usage: 0 % Cutter Usage: 1 %
Ink Consumable Identification Section
Printhead Information: Model Name: K= HP No. 11 C= HP No. 11 M= HP No. 11 Y= HP No. 11 LC= HP No. 11 LM= HP No. 11 Serial Number: K= 04-01-0319124 C= 01-02-0253913 M= 04-01-0640689 Y= 04-01-0627920 LC= 04-01-0798805 LM= 01-01-0838077 Out of Warranty Date: K= 08-11-2004 C= 07-28-2004 M= 06-30-2004 Y= 11-10-2004 LC= 09-29-2004 LM= 05-26-2003Cartridge Information: Model Name: K= HP No. 84 C= HP No. 11 M= HP No. 11 Y= HP No. 82 LC= HP No. 84 LM= HP No. 84 Serial Number: K= 07-01-1961368 C= 07-01-1089319 M= 07-01-0124587 Y= 04-02-0141271 LC= 04-02-1815880 LM= 04-02-0813420 Expiration Date: K= 12-11-2009 C= 05-07-2009 M= 06-05-2008 Y= 05-06-2008 LC= 04-03-2007 LM= 01-08-2006
Ink Consumable Status Section
Printhead Status: K = Inserted C = Inserted M = Inserted Y = Inserted LC = Inserted LM = Inserted Scan Axis Shutdown: K= Yes C= Yes M= Yes Y= Yes LC= Yes LM= Yes Cartridge Status: K = Expired C = Expired M = Expired Y = Expired LC = Expired LM = Expired Color Calibration (RGB) Draft/Normal/Best Date High Resolution Date Coated Paper Not calibrated Not calibrated Glossy Paper Not calibrated Not calibrated Photo Paper Not calibrated Not calibrated Heavy Weight Coated Not calibrated Not calibrated Semi-Gloss Photo Paper Not calibrated Not calibrated
Ink Consumable Usage Section
Ink Consumed Printhead: K= 72 cc ( 36 %) C= 54 cc ( 27 %) M= 69 cc ( 34 %) Y= 98 cc ( 49 %) LC= 94 cc ( 47 %) LM= 103 cc ( 51 %) Usage Time Printhead: K= 2570 days C= 2570 days M= 2570 days Y= 2570 days LC= 2570 days LM= 2570 days Ink Consumed Cartridge: K= 0 cc ( 0 %) C= 5 cc ( 17 %) M= 17 cc ( 58 %) Y= 33 cc ( 45 %) LC= 25 cc ( 34 %) LM= 51 cc ( 70 %)Printhead history: K:
#1 - Inserted - 72 cc ( 36%) - 2570 days - Max. Recovery Level 3
#2 - Inserted - 0 cc ( 0%) - 103 days - Max. Recovery Level 0
#3 - Inserted - 14 cc ( 7%) - 71 days - Max. Recovery Level 1
#4 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
#5 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
C:
#1 - Inserted - 54 cc ( 27%) - 2570 days - Max. Recovery Level 3
#2 - Inserted - 0 cc ( 0%) - 103 days - Max. Recovery Level 0
#3 - Inserted - 9 cc ( 4%) - 71 days - Max. Recovery Level 1
#4 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
#5 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
M:
#1 - Inserted - 69 cc ( 34%) - 2570 days - Max. Recovery Level 3
#2 - Inserted - 0 cc ( 0%) - 103 days - Max. Recovery Level 0
#3 - Inserted - 15 cc ( 7%) - 71 days - Max. Recovery Level 1
#4 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
#5 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
Y:
#1 - Inserted - 98 cc ( 49%) - 2570 days - Max. Recovery Level 3
#2 - Inserted - 0 cc ( 0%) - 103 days - Max. Recovery Level 0
#3 - Inserted - 25 cc ( 12%) - 71 days - Max. Recovery Level 1
#4 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
#5 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
LC:
#1 - Inserted - 94 cc ( 47%) - 2570 days - Max. Recovery Level 3
#2 - Inserted - 0 cc ( 0%) - 103 days - Max. Recovery Level 0
#3 - Inserted - 29 cc ( 14%) - 71 days - Max. Recovery Level 1
#4 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
#5 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
LM:
#1 - Inserted - 103 cc ( 51%) - 2570 days - Max. Recovery Level 3
#2 - Inserted - 0 cc ( 0%) - 103 days - Max. Recovery Level 0
#3 - Inserted - 32 cc ( 16%) - 71 days - Max. Recovery Level 1
#4 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
#5 - Inserted - 0 cc ( 0%) - 0 days - Max. Recovery Level 0
Input/Output Section
JetDirect Page
------ HP JetDirect Configuration ------ --------------- IPX/SPX ----------------
Status: I/O Card Not Ready Status: Initializing
LAN ERROR - LOSS OF CARRIER
Model Number: J6057A Primary Frame Type: Auto Select
Hardware Address: 0001E67ADE0E
Firmware Version: R.24.08 Network Frame Type Rcvd
Port Config: Disconnected
Auto Negotiation: On
Manufacturing ID: 22014311902201
Date Manufactured: 03/2003
---------- Security Settings ----------- ------------ Novell/NetWare ------------
Admin Password: Not Specified Status: 16
Secure Web: HTTPS Optional NOT CONFIGURED
Cert Expires: 2008-03-01 00:00 UTC Node Name: NPI7ADE0E
SNMP Versions: 1;2
SNMP Set Cmty Name: Not Specified NetWare Mode: Queue Server
Access List: Not Specified NDS Tree Name:
---------- Network Statistics ---------- NDS Context:
Total Packets Received: 0
Unicast Packets Received: 0
Bad Packets Received: 0 SAP Interval: 60 sec
Framing Errors Received: 0 Attached Server:
Total Packets Transmitted: 0
Unsendable Packets: 0
Transmit Collisions: 0
Transmit Late Collisions: 0
---------------- TCP/IP ---------------- -------------- AppleTalk ---------------
Status: Initializing Status: Initializing
Name:
Host Name: Not Specified Zone: *
IP Address: 0.0.0.0 Type 1: LaserWriter
Subnet Mask: 0.0.0.0 Type 2: hp designjet 120nr
Default Gateway: 0.0.0.0 Network Number: 0
Config By: Not Configured Node Number: 0
BOOTP/DHCP Server: 0.0.0.0
TFTP Server: 0.0.0.0 --------------- DLC/LLC ----------------
Config File: Not Specified Status: Initializing
Domain Name: Not Specified
DNS Server: Not Specified
WINS Server: Not Specified
Syslog Server: Not Specified
Idle Timeout: 90 sec
Web JetAdmin URL: Not Specified
<script type="text/javascript">// /* functionto open popup window for progress bar */ function OpenActivePhoneWindow() { window.open('SendToCallAgent.html', 'SystemMaintenance', 'resizable=yes, toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=no, width=600, height=230, top=100, left=100') } // </script>
version:
© 1994-2003 Hewlett-Packard CompanyThis forum is focused on consumer level products. For the Designjet you may have better results posting in the HP Enterprise Designjet forum here.
Bob Headrick, HP Expert
I am not an employee of HP, I am a volunteer posting here on my own time.
If your problem is solved please click the "Accept as Solution" button ------------V
If my answer was helpful please click the "Thumbs Up" to say "Thank You"--V -
Order of the Merged Prompts with Multiple Queries
Hi,
I have a WEBI XI 3.0 document that contains multiple queries.
One of the queries in the document has the following prompts in this order:
"Date:"
"Time:"
"Time zone:"
"Address:"
Another query in the document has the following prompts in this order:
"Date:"
"Time:"
"Name:"
"Address:"
If I do a Refresh All in the document, the prompts are merged and displayed in the following order:
"Date:"
"Time:"
"Time zone:"
"Address:"
"Name:"
However, I want "Address:" to be the last prompt displayed:
"Date:"
"Time:"
"Time zone:"
"Name:"
"Address:"
Is there a way to specify the order of the merged prompts?Hi,
To define the particular order of the prompts all the prompts should be at the universe level or at the report level.
As all the prompts defined at the universe level will appear first in alphabetical order and then the report level prompts will appear also sorted alphabetically.
In your case if possible create the prompt of Address at the report level and other prompts at the universe level it will automatically appear as the last one when you refresh all the queries.
Else you can change the prompt string to define the particular order.
@Prompt('1. Enter Date'.....)
@Prompt('2. Enter Time'.....)
@Prompt('3. Enter Time Zone....)
@Prompt('4. Enter Name'....)
@prompt('5. Enter Address'...)
Note: All the above prompts should be created either at the report level or universe level.
Regards,
Rohit -
Weird case involving NTLM, Windows XP and the portal
I have a very peculiar case here for a few users.
The users have in common that they are all using windows xp (and just migrated), though most other person (even ones using windows XP do not have the problem).
We have implemented SSO to the portal, and done this using IIS on the portal servers. In front of that we are using IBM edge loadbalancers.
From a troubled user perspective, when the he opens the browser against the portal, he gets the portal logon page with a message saying user authentication failed.
I've found out what happens behind the scene and why the portal fails, but I can't explain it thoroughly.
The user's browser reaches the portal.company.com address. IIS requests NTLM login and after a few packets, the browser sends the user's userprincipalname ([email protected]) via the NTLM login (i've documented this in the network traces from ethereal). That the browser sends the userprincipalname is the core of the problems, all other user's send the SAMaccountname. The portal reads the NTLM information and parses the userinformation (here the userprincipalname) However, we have configured our portal to use the SAMaccountname when authentication against AD, and therefore the login fails.
If I use an DNS alias for the portal.company.com addresse, say aliasportal.company.com (actually portal.company.com is an alias for aliasportal.company.com, but don't let that confuse you), the same client that sent userprincipalname earlier, now sends the SAMaccountname and therefore gets SSO (and goes through the loadbalancer). And if I try to access one of the portal servers directly (without going through the load balancer), it also sends SAMaccountname. So basically, there has to be something with the address portal.company.com that makes the user's browser to send the userprincipalname.
Also, this problem is not tied to the user's profile, because if he uses another pc, it works like a charm.
<b>If you have any idea at all what could have caused this, please do contribute.. No answers are stupid (in this case). I am especially looking for details to what causes IE to send userprincipalnames, and what causes it to send SAMaccountname.</b>
Network sniffing(some minor changes to hide information):
This is the NTLM packet which "wrongly" contains the userprincipalname.
No. Time Source Destination Protocol Info
17 0.107258 xxxxx xxxxxx HTTP GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1, NTLMSSP_AUTH
Frame 17 (792 bytes on wire, 792 bytes captured)
Ethernet II, Src: 00:11:43:7d:52:94, Dst: 00:d0:05:04:8f:fc
Internet Protocol, Src Addr: xxxxxxxxx , Dst Addr: xxxxxxx
Transmission Control Protocol, Src Port: 2201 (2201), Dst Port: http (80), Seq: 403, Ack: 741, Len: 738
Hypertext Transfer Protocol
GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1\r\n
Accept: /\r\n
Accept-Language: da\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n
Host: portal.company.com\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHoAAACkAKQAkgAAAAAAAABIAAAAIAAgAEgAAAASABIAaAAAAAAAAAA2AQAABYKIogUBKAoAAAAPZABqAHcAbABAAHMAdABhAHQAbwBpAGwALgBjAG8AbQBQAEMALQAzADkAMwA3ADEANAAjkf2i0gE5YfLWa6LaFWq/QOJVBMBK+X/0eZk41NRM7wDew37l6/jmAQE
NTLMSSP
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: 2391FDA2D2013961F2D66BA2DA156ABF40E25504C04AF97F
NTLM Response: F4799938D4D44CEF00DEC37EE5EBF8E60101000000000000...
Domain name: NULL
User name: [email protected]
Host name: PC-393714
Session Key: Empty
Flags: 0xa2888205
\r\n
And this is the packet against the dns alias which works
No. Time Source Destination Protocol Info
17 0.103528 xxxxx xxxxx HTTP GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1, NTLMSSP_AUTH
Frame 17 (788 bytes on wire, 788 bytes captured)
Ethernet II, Src: 00:11:43:7d:52:94, Dst: 00:d0:05:04:8f:fc
Internet Protocol, Src Addr: xxxx, Dst Addr: xxxx
Transmission Control Protocol, Src Port: 1825 (1825), Dst Port: http (80), Seq: 403, Ack: 741, Len: 734
Hypertext Transfer Protocol
GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1\r\n
Accept: /\r\n
Accept-Language: da\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n
Host: aliasportal.company.com\r\n
Connection: Keep-Alive\r\n
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHgAAACkAKQAkAAAABYAFgBIAAAACAAIAF4AAAASABIAZgAAAAAAAAA0AQAABYKIogUBKAoAAAAPUwBUAEEAVABPAEkATAAtAE4ARQBUAEQASgBXAEwAUABDAC0AMwA5ADMANwAxADQAyhO3U1uCz0jn55samc+TUJmnyefvp0tXQN0VMytYEG3YDADHwRicxwEBAAA
NTLMSSP
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: CA13B7535B82CF48E7E79B1A99CF935099A7C9E7EFA74B57
NTLM Response: 40DD15332B58106DD80C00C7C1189CC70101000000000000...
Domain name: COMPANY-NET
User name: DAPA
Host name: PC-393714
Session Key: Empty
Flags: 0xa2888205
\r\n
I'll be truely impressed if anyone solves this one!Hi Dagfinn,
There are a few things I would check in the Internet explorer settings on the client, namely :
-The security zones (which addresses are in Intranet, Trusted sites, etc.)
-Check in the security settings if automatic logon with current username is enabled.
-Look if "Enable integrated Windows authentication" is enabled in the advanced settings.
Are you using Kerberos authentication? There's a long article on Microsoft's website about troubleshooting Kerberos errors which might give a few clues :
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx -
Can I have multiple different vlans in one Single Mode Transparent Firewall
Hi,
I am about configuring Data Center FW (ver 9.2) to protect multi tier Servers Farm; Web, Applications & Data Base. There is a requirement to set the FW in Transparent Mode, while the license is the base 2-contexts, only.
I wonder if One Single Transparent Context, with different bridge-groups, one for each vlan is a workable solution. I have pasted the configuration of the FW, it may help in understanding the setup.
======
firewall transparent
names
interface TenGigabitEthernet0/8
description To Nx7K-1 Port-8
channel-group 9 mode passive
no shutdown
no nameif
no security-level
interface TenGigabitEthernet0/9
description Nx7K-1 Port-9
channel-group 9 mode passive
no shutdown
no nameif
no security-level
interface TenGigabitEthernet1/8
description Nx7K-2 Port-8
channel-group 9 mode passive
no shutdown
no nameif
no security-level
interface TenGigabitEthernet1/9
description Nx7K-2 Port-9
channel-group 9 mode passive
no shutdown
no nameif
no security-level
interface BVI1
desc Services Zone
ip address x.x.41.250 255.255.255.0
interface BVI2
description WEB-APPS Zone
ip address x.x.42.250 255.255.255.0
interface BVI3
desc Oracle management
ip address x.x.43.250 255.255.255.0
interface BVI4
descr Oracle DB
ip address x.x.44.250 255.255.255.0
interface Port-channel9
description ECLB Trunk to NX7Ks
duplex full
port-channel load-balance src-dst-ip-port
no nameif
no security-level
switchport mode trunk
switchport trunk allowed vlan 41-44,141-144
interface Port-channel9.41
vlan 41
nameif Services-Outside
bridge-group 1
security-level 0
interface Port-channel9.141
description Services-Inside
vlan 141
nameif Services-Inside
bridge-group 1
security-level 100
interface Port-channel9.42
description WEB_APPS-Outside
vlan 42
nameif WEB_APPS-Outside
bridge-group 2
security-level 0
interface Port-channel9.142
description WEB_APPS-Inside
vlan 142
nameif WEB_APPS-Inside
bridge-group 2
security-level 100
interface Port-channel9.43
desc Oracle management
vlan 43
nameif Oracle_Mgmt-Outside
bridge-group 3
security-level 0
interface Port-channel9.143
description Oracle management Inside
vlan 143
nameif Oracle_Mgmt_Inside
bridge-group 3
security-level 100
interface Port-channel9.44
desc Oracle DB
vlan 44
nameif Oracle_DB_Outside
bridge-group 3
security-level 0
interface Port-channel9.144
description Oracle DB Inside
vlan 144
nameif Oracle_DB_Inside
bridge-group 4
security-level 100it is possible but it is not scaleable. If I remember correctly you can only have a maximum of 8 BVI interfaces...so this means you can only have 8 subnets going across the ASA. You would also need seperate VLANs for the inside interface and the outside interface since you can not configure two interfaces to be in the same VLAN, and then assign these interfaces to the appropriate BVI group.
Please remember to select a correct answer and rate helpful posts -
Problems accessing my DMZ on LAN
Hi,
I am running Solaris 10 (x86) and have decided to setup a zone as a website. I have apache2 running successfully and can access the test page over my LAN. However i am unable to access the same page from the WWW through my ADSL Trust 445A router / firewall.
I am setup using DHCP on the router, but to always find my domainname i have aligned myself with 'www.dyndns.com' and have my own domainname assigned to my PC.
Now when I attempt to connect to my x86 zone all I can actually see is my web page of my router after it asks me for my login & password.
I have attempted to open port 80 and point it to the IP address of my x86 zone but this isn't working, I just get the same as above. I have also opened DMZ on the firewall to the x86 zone ip address but this also gives me the same result.
Can anyone offer any advise / configuration on this type of firewall / router. Do I need to type something in the webaddress <URL> to connect me through to my x86 zone website once I have bypassed my router?
Please advise.........
tpx00I cannot retrieve my text messages on my laptop at the
Verizon website using the integrated messaging feature. I have been using this feature for several
months but it now has stopped. Usually I Move the cursor over “My Verizon”.
Then I move cursor over “My Messaging” and Click on “My Messaging Overview”. This
takes me to another page with a header that says “My Messaging”. There is a
button to click on the page that reads “Go to Web App”.
This then, usually takes me to my text messages where I can
read them and even observe as new messages stream live.
This worked until Wednesday 11-26-2014, but suddenly
stopped. Now clicking the “Go to Web
App” takes me to a page that says “Send a text”. There is also a link that reads “Get
Started”. When I click on it, it does not work. I have been using IE 11. I cleared cookies. I tried Mozilla Firefox browser. None of these solved the problem. The integrated messenger feature worked until Wednesday, November 26 2014. -
Hi,
I just received a new SubBlade 100 and am having trouble setting up the network. How do I reconfigure the DNS server and assigned IP address? How do I get back to the original network setup wizard?
Thanks,
DavidHow do I reconfigure
the DNS server and assigned IP address? For DNS: Copy /etc/nsswitch.dns to /etc/nsswitch.conf and
setup /etc/resolv.conf
See also: man nsswitch.conf , man resolv.conf
A fixed IP address for the system can be changed in
/etc/inet/hosts
How do I get
back to the original network setup wizard?Run sys-unconfig
The system resets it's configuration, reboots and on the
next boot interactively queries things like time zone,
ip-address, netmasks, name service to use, root password, -
Solaris Containers are ideal for server consolidation . I have thought about integrating DMZ services (www, mail, dns, db, catalog) into one physical machine. I'll provide a simple scenario.
I have seen examples in various presentations about using zones in a "virtual" multi-tiered environment, where you separate these server roles into containers in one physical machine.
Today, in a highly secured enterprise network archictecture, most of these services mostly run in different DMZs and are usually put into practice through use of switching and VLANs.
So where am I going with this?
Web-example:
You have DMZ:s: WWW, APP, DB.
- The WWW DMZ consist of multiple web servers/lets say they will be clustered zones.
- The APP DMZ consist of 2 app.
- The DB DMZ consist of several database servers.
Now, this is only the production environment. There will be a similar setup for test and development.
In total this gives a minimum of 18 zones in one machine, all need to have strict communcation rules through filtering.
Here's the actual question:
Would it make sense to separate these DMZs physically by adding 3 (3 dmz) physical NICs into that machine and physically connect these DMZ-NICS to a switch, configured to be on separate VLANs?
Is it even possible to do this technically? Is it even sane to have these services running in the same physical machine? I bet some security folks would consider this insane. Can IP filter running in a global zone filter traffic between zones? If not, then my solution could work, sending the traffic out and back in through an external firewall.
I wish to have a debate whether this is a good solution for DMZ consolidation of services.
Thank you.OK, NAT seems to be the solution for now. I will look into that.
I did a bit of research about this and found this paper:
http://www.sun.com/datacenter/consolidation/solaris10_whitepaper.pdf
This is an extract from chapter 8 (by the way, great paper):
"Traffic between zones hits the loopback before it hits the higher layers of the IP stack where IPsec resides. IPsec can be used between zones if traffic is forced to go out onto the wire via the routing table. Firewalls such as IP Filter can not filter traffic between different zones, such as between the zone and the global zone because this traffic is looped back within IP. IP Filtering is the same as IPsec, in terms of hitting the loopback between zones. One way to implement IP Filtering between zones is to put the zones in separate subnets with routers between them so that traffic is forced outside of the system. This introduces a slight trade-off in performance for higher security between applications running in different zones. If using firewalls, install them in the global zone and then configure specific rules for the zone itself. Packets sent from the zone always have the zones IP address as the source address, so this property can be used to filter traffic from the zone."
I might have misunderstood it, or the above is incorrect.
Next step is try to build this with any solution possible. I will post any success. -
제품 : SQL*NET
작성날짜 : 1997-11-18
netware 에서 listener.ora file 을 다음과 같이 만들어 주시고
load spxsrv 를 해주십시요
LISTENER.ORA file:
LISTENER =
(ADDRESS_LIST =
(ADDRESS =
(PROTOCOL = IPC)
(KEY = <service name>)
(ADDRESS =
(PROTOCOL = IPC)
(KEY = <SID>)
(ADDRESS =
(COMMUNITY = atk.world)
(PROTOCOL = ATK)
(SERVICE = <service name>)
(ZONE = <zone_name>)
(ADDRESS =
(COMMUNITY = spx.world)
(PROTOCOL = SPX)
(SERVICE = <service>)
(ADDRESS =
(COMMUNITY = tcp.world)
(PROTOCOL = TCP)
(HOST = <server>)
(PORT = 1521)
STARTUP_WAIT_TIME_LISTENER = 0
CONNECT_TIMEOUT_LISTENER = 10
TRACE_LEVEL_LISTENER = OFF
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = ORCL)
(ORACLE_HOME = sys:\ora714)
window95 쪽에서는 sql*net easy config 를 실행(시작메뉴: oracle for win95)
하셔서 만들어 주시면 됩니다
1.add database alias (ex:tora)
2.spx protocol 선택 (spx)
3.host ipaddress 입력
4.server db sid ( listener.ora file 에 기술한 sid_name ) 입력
이렇게 만들어주시면 c:\orawin95\network\admin\tnsnames.ora file 을 열어보시면
만들어주신 내용이 기술이 될것 입니다
위와같이 만들어 주시고 sqlplus 에서 username/password@tora 라고
입력해 주시면 접속이 될것입니다No. But there may be classes written by other people that use IPX. In fact it is quite likely -- you could search the Internet for them.
Maybe you are looking for
-
How to Search Mail in Time Machine
Although Mail's search feature isn't active when in Time Machine mode, here's a way I just figured out to search Mail e-mail messages using Time Machine: 1. In the Finder, initiate a new Spotlight search by choosing Find in the File menu. 2. In the l
-
Itunes 10.5 update installation problem
I was trying to update my itunes 10.5,after downloading it from apple store successfully,an error occured during the installation stage. It shows 'There is a problem with this Windows Installer Package. A program required for this install to complete
-
Hello everybody, I am pretty new to the mac and recently was given an imac dv, 400mhz, slot loading, power pc g3, 10gb. I ordered and installed an airport card with adapter and was able to connect to the internet, but then when I went to go through t
-
Add Doc. Date to "Customer Receivables Ageing" report
Hi! Let me know if you can in the PLD layout called "Business Partners Aging (Details) (System)" show instead of the Posting Date the Doc. Date. Thanks!
-
today i lost my iphone 5 how can i get a new one dose apple care cover i paid 100 dollars for it when i bought it from sprint