Difference between two fields of two groups

Hello


In the 'Data model' I have two groups with a data link between them. In the 'layout model' (Reports 6) I have to show the difference between two fields (one from each group). I tried a formula column, but when I run the report I get REP-1517: column "XXXl" references column "YYY", which has an incompatible frequency.

Thank you for your help.

This should work if the formula column is placed in the detail group. The other way around it won't work, and that makes sense: for each record in the master group there may be multiple records in the detail group, so how would Reports decide which of the detail records to use in the formula column?

Tags: Oracle Development

Similar Questions

  • How to make a text field to autopopulate based on responses in two groups of option buttons

    I use Adobe Acrobat Pro and am very new to this.

    What I want to achieve:

    I have two sets of radio buttons; one group is the choice of 'Probability' and the other group is the choice of 'Consequence'. Based on what the user selects in these two groups, I want the form to automatically fill in the level of risk in another field. For example, if the user selects 'Negligible' in the Consequence group and 'Rare' in the Probability group, the field titled risk rating should display the word "Low". If they choose "Negligible" and "almost certain", the risk rating field should show "moderate". Please let me know if you need further information. Thanks in advance.

    You can use something like this code as the custom calculation script of the risk rating field:

    var consequence = this.getField("Consequence").valueAsString;
    var likelihood = this.getField("Likelihood").valueAsString;
    
    if (consequence=="Insignificant" && likelihood=="Rare") event.value = "Low";
    else if (consequence=="Insignificant" && likelihood=="Almost Certain") event.value = "Moderate";
    // etc.
    else event.value = "";
    

    Edit: Small error fixed in code.

  • Select all dates between two fields txt. How?

    In a slider form 6i, I need to select all dates between two dates provided. I have two fields text Fld1 and Chp2 with the data type date. There is no table behind the two fields.
    For example
    ': FLD1: = MARCH 1, 2013;
    ': CHP2: = MARCH 10, 2013;

    Now I have to choose all dates between 01-mar-2013 and 2013-mar-10. How do I do that?

    As'salamualikum Gul

    Try this

    SELECT TO_DATE('01-MAR-2013', 'DD-MON-RRRR') - 1 + rownum AS d
    FROM ALL_OBJECTS
    WHERE TO_DATE('01-MAR-2013', 'DD-MON-RRRR') - 1 + rownum BETWEEN TO_DATE('01-MAR-2013', 'DD-MON-RRRR') AND TO_DATE('10-MAR-2013', 'DD-MON-RRRR')
    

    Hope this helps

  • How to calculate TAT between two dates of a timestamp field

    Hello
    Could you help me calculate the days between two dates in a single timestamp field with this
    query?

    select * from m_activity_transaction where actn_opp_id in (
    select actn_opp_id from m_activity_transaction where ACTN_ACTV_ID = 218
    group by actn_opp_id
    having count(*) > 1) and ACTN_ACTV_ID = 218
    order by actn_performed_on

    The output I am getting is:

    ACTN_ID ACTN_OPP_ID ACTN_PERFORMED_ON
    319415  95831       27-JAN-12 11.06.20.000000 AM
    315249  95831       08-FEB-12 05.32.54.000000 PM
    301927  103509      20-DEC-11 04.01.43.000000 PM
    301458  103509      19-DEC-11 04.51.03.000000 PM
    294841  115840      10-JAN-12 03.20.12.000000 PM
    312062  115840      11-JAN-12 05.17.06.000000 PM

    I need to calculate the number of days between two dates like 27-JAN-12 11.06.20.000000 AM and 08-FEB-12 05.32.54.000000 PM, where actn_id is unique and ACTN_OPP_ID is not unique.
    Thanks in advance,
    VVR.

    In this way.

    with data as
    (
    select 315249 a, 95831 b, to_date('27-JAN-12 11.06.20 AM', 'DD-MON-RR HH.MI.SS AM') dt from dual union all
    select 319415, 95831, to_date('08-FEB-12 05.32.54 PM', 'DD-MON-RR HH.MI.SS AM') from dual union all
    select 301927, 103509 , to_date('20-DEC-11 04.51.03 PM', 'DD-MON-RR HH.MI.SS AM') from dual union all
    select 301458 , 103509 , to_date('19-DEC-11 04.01.43 PM', 'DD-MON-RR HH.MI.SS AM') from dual union all
    select 363810 , 144656 , to_date('27-JUN-12 12.43.28 PM', 'DD-MON-RR HH.MI.SS AM') from dual union all
    select 363500 , 144656 , to_date('26-JUN-12 11.41.50 AM', 'DD-MON-RR HH.MI.SS AM') from dual union all
    select 363354 , 144656 , to_date('25-JUN-13 12.41.13 PM', 'DD-MON-RR HH.MI.SS AM') from dual
    )
    select a, b, diff_in_days
      from (
            select a, b, trunc(dt - lag(dt) over (partition by b order by dt, a)) diff_in_days
              from data
           ) tab
     where tab.diff_in_days is not null;
    
    A                      B                      DIFF_IN_DAYS
    ---------------------- ---------------------- ----------------------
    319415                 95831                  12
    301927                 103509                 1
    363810                 144656                 1
    363354                 144656                 362
    
  • How grep connectors in a group, between two words required?

    Must catch some connectors between two words in a very comprehensive document.

    1 Joanna of Smith

    2 Felicitas of the Tour

    3 Perpetua is Beatrice Kennedy

    but the solution is very poor resolved in three steps and it seems to be just one channel.

    {1 < \u\l{2,}of (\u\l{2,})+\ >)

    {2 < \u\l{2,} Delcourt (\u\l{2,})+\ >)

    {3 < \u\l{2,}y (\u\l{2,})+\ >)

    Try this one:

    ((? \u\l+)+((de) (la)? | y) (\u\l+)+)

    It seemed to work when I tested it on your sample.

  • Cannot sort bookmarks; they are divided into two groups

    I am trying to sort the bookmarks in the bookmarks Menu by name. They seem to be divided into two groups with no demarcation between them. The first group ends with "Windows"; the second group starts with 'test ideas '. In the list in the bookmarks Menu, "Essay Ideas," comes just after "Windows". Right click on the bookmarks Menu and choose sort by name doesn't fix this.

    Are there separators between these two groups?

    Can you drag these bookmarks manually into the order you want?

  • How do you find the average value of all the data between two points on a single channel

    I'm trying to calculate the average value of all data points in a single field between two distinct points

    I rasthaus an illustration.

    Hi smoothdurban,

    I thought you wanted to specify the area of interest with the sliders of the band.  If you rather automatically define the area of interest based on thresholds, etc., we cannot see the interactive nature of the example I sent.

    What are the criteria used to determine the start and end of the region of interest lines?

    I would be able to type this out for you if you sent a representative data set ([email protected])

    Brad Turpin

    Tiara Product Support Engineer

    National Instruments

  • LAG vs LACP between two PowerConnect 5448s

    Hi all.

    Just got a quad-switch configuration for our EqualLogic SAN infrastructure using PowerConnect 5448s.  One thing I have never done before is configure link aggregation.

    If I wanted to set up a 4-port aggregate connection between two switches, say on ports 1 to 4, and our iSCSI VLAN is 1000, will the below work?

    interface range ethernet g(1-4)
    channel-group 1 mode on
    interface port-channel 1
    switchport mode general
    switchport general pvid 1000

    I've seen documentation on how to get port channels working between a 5000 or 6000 series switch and a Cisco Catalyst switch, but no docs on how to connect two PowerConnect switches.  The Cisco <-> Dell interoperability doc seems to want LACP on the Dell side.  I wonder, should I configure LACP on the aggregate link between the two 5448s I am running?

    Thanks in advance for any advice or assistance!

    Joe


  • Permanent IPSec tunnel between two ASAs

    Hello

    I configured an IPSec VPN tunnel between two ASA 5505 firewalls. I want to make sure that the IPSec tunnel (that is, the security association) is permanent and does not drop due to the idle state.

    What should I do?

    Thanks for any help

    Yves

    Disables IKE keepalive processing, which is enabled by default.

    hostname(config)# tunnel-group 10.165.205.222 ipsec-attributes
    hostname(config-tunnel-ipsec)# isakmp keepalive disable

    Set a maximum time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or username configuration mode:

    hostname(config)# group-policy DfltGrpPolicy attributes
    hostname(config-group-policy)# vpn-idle-timeout none

    hostname(config)# group-policy DfltGrpPolicy attributes
    hostname(config-group-policy)# vpn-session-timeout none

    Thank you

    Ajay

  • Remote access PIX - two groups

    Hi all

    Please, is it possible to distinguish two remote access groups on the RADIUS server?

    For example, I have two groups: one for employees and a second for externalists.

    I authenticate against a RADIUS server.

    Is it possible to distinguish between these two groups on the RADIUS server?

    How can I do this?

    Because when I create two tunnel groups and two group policies, I am still able to access both groups with users in either the employee or the externalist group. And when I look at the log on the IAS server, I cannot distinguish between the log entries when I log in as employee and when I log in as externalist :(

    Thanks in advance

    Tomas

    Tomas,

    OK, so we have 2 tunnel groups and 2 group policies for the tunnel groups; here's what you have to do.

    * First, we lock the group policies to the tunnel groups so that one policy cannot be used with the other tunnel group. To achieve this, here are some example CLI commands:

    tunnel-group test1 general-attributes
     default-group-policy policy1

    tunnel-group test2 general-attributes
     default-group-policy policy2

    group-policy policy1 attributes
     group-lock value test1

    group-policy policy2 attributes
     group-lock value test2

    * Now let's do the config on IAS. You should have 2 separate remote access policies created in IAS for your 2 different Windows groups, for example:

    Remote access policy x

    If the Windows group matches "yourdomain\externalist".

    Grant access

    Remote access policy y

    If the Windows group matches "yourdomain\employees".

    Grant access

    Now in remote access policy x, click Edit Profile > Advanced > Add. Choose the attribute "Class". This policy is for externalists, and let's say we want to lock that Windows group to tunnel group test1. Then enter the value OU=Policy1 in the Class attribute. It is the name of the group policy that we have locked to tunnel-group test1.

    Follow the same path and enter OU=policy2 for remote access policy y, the employees Windows group.

    Regards
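
The decision the answer above sets up, as an added example that is not part of the original post: a simplified Python model of how a RADIUS Class value selects the group policy and how group-lock then accepts or rejects the tunnel group. It assumes the policy names are spelled `policy1`/`policy2` throughout and that the Class value has the form `OU=<name>;`; the fail-closed handling of unknown names is a choice of this model.

```python
# Simplified model (added example) of Class-based policy selection plus group-lock.
# Names mirror the answer; spelling "policy1"/"policy2" is an assumption of this model.

DEFAULT_POLICY = {"test1": "policy1", "test2": "policy2"}  # tunnel-group -> default-group-policy
GROUP_LOCK = {"policy1": "test1", "policy2": "test2"}      # group-policy -> group-lock value

# IAS remote access policies: Windows group -> Class attribute returned on accept.
IAS_CLASS = {
    r"yourdomain\externalist": "OU=policy1;",
    r"yourdomain\employees": "OU=policy2;",
}


def policy_from_class(class_value):
    """Extract the group-policy name from a Class value such as 'OU=policy1;'."""
    if not class_value:
        return None
    for part in class_value.split(";"):
        key, sep, name = part.strip().partition("=")
        if sep and key.strip().upper() == "OU" and name.strip():
            return name.strip()
    return None


def authorize(windows_group, tunnel_group, send_class=True):
    """Return (allowed, applied_policy) for one login attempt.

    send_class=False models the starting point in the question: IAS grants
    access but returns no Class, so the tunnel group's default policy applies.
    """
    if windows_group not in IAS_CLASS or tunnel_group not in DEFAULT_POLICY:
        return (False, None)  # no matching remote access policy or tunnel group
    class_value = IAS_CLASS[windows_group] if send_class else None
    policy = policy_from_class(class_value) or DEFAULT_POLICY[tunnel_group]
    if policy not in GROUP_LOCK:
        return (False, policy)  # model choice: unknown policy name fails closed
    return (GROUP_LOCK[policy] == tunnel_group, policy)


def access_matrix(send_class=True):
    """Every Windows group against every tunnel group, for a quick review."""
    return {
        (group, tg): authorize(group, tg, send_class)[0]
        for group in IAS_CLASS
        for tg in DEFAULT_POLICY
    }


if __name__ == "__main__":
    for label, flag in (("without Class", False), ("with Class", True)):
        print(label)
        for (group, tg), ok in sorted(access_matrix(flag).items()):
            print(f"  {group:26} -> {tg}: {'permit' if ok else 'deny'}")
```
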

  • FabricPath or OTV between two data center using Direct fiber cable

    Hello

    I have two data centers; both of them have the same equipment (N7k, N5k and N2k), and we want the data centers to be active/active. I'm really confused whether to use OTV or FabricPath. Could someone help me with my scenario and explain which is the best solution, and the advantages and disadvantages of OTV versus FabricPath?

    Many thanks in advance

    Hi Steven,

    No problem, I'll go through your points as completely as possible. I advise you to read more about these protocols; if you have access to INE or similar, watch their videos on this. I would also like to say again that I have not seen any Cisco documentation indicating that FabricPath should be used as a DCI.

    With regard to FabricPath, you ask the following...

     1. only can use it between two datacenters of you have more we can't, please correct me?

    No, you can use FabricPath with more than two data centers, and OTV too can be used with more than two data centers.

     2. HSRP localization can not be implemented as OTV. However You can have two different Gateways at the Data Center 1 and 2 using two different HSRP groups. If server is moved dynamically from, (i didn't understand this point can you please explain with example?

    OK, so this is a GREAT topic. HSRP localization CAN be implemented with OTV, but cannot be implemented with FabricPath. Localizing first-hop redundancy protocols is supported by Cisco with OTV; this basically allows the same default gateway to reside in both of your data centers, providing the ACTIVE/ACTIVE configuration. So no matter where your VMs are, their default gateway does not change, even if your servers move to the other data center.

    If we didn't have this, we would have only one active HSRP member shared between the DCs, and things would be extremely troublesome with regard to traffic flows. A virtual machine in a DC2 VLAN needs to talk to a host in VLAN B, but the default gateway is entirely in DC1. So the frame is sent across the DCI to DC1, then the default gateway routes the packet to VLAN B. This VLAN B host in fact lies in DC2, so now it has to go all the way back to DC2. You get my point...? :)

    With localization, this happens only locally to the data center: all servers/VMs in a data center can speak locally to their "own" default gateway.

     3. unknown unicast flooding (can you give me an example?)

    Unknown unicast traffic is unicast packets/frames with an unknown destination MAC address. By default, switches flood this type of traffic to all ports in the VLAN. With FabricPath that would take place across your DCI, but with OTV it is all taken care of locally, so there are massive savings on bandwidth here and it is much more efficient.

     4. ARP optimization between Data Center (can you give an example regarding ARP optimization?)

    This is another function of OTV which makes it far superior to FabricPath. Essentially, we are reducing the volume of traffic passing through the transport infrastructure (i.e. the DCI).

    When a host in DC1 ARPs for a host in DC2 and it responds, we use the DCI links and there is packet travel time that might be minimal but is not optimal. The OTV AED (edge device) snoops the ARP response and from then on knows that this mapping exists. For ARPs after the first one, the AED in DC1 effectively proxies the ARP, so the ARP request is answered locally and does not have to travel to DC2.

     5. Typically two flows (Odd VLANs by OTV-VDC-1 and even vlans by OTV-VDC-2) carry the entire layer 2 traffic flow between the two Data Centers. Hence the load balancing the links is not efficient. (can you explain compare with FabricPath if you have example?)

    IMHO, it's both bad and good. OTV load-balances if you have more than one AED on site: odd-numbered VLANs go via one AED, even-numbered VLANs go through the other. Depending on the traffic on the VLANs, this could become unbalanced. FabricPath uses all its links to 'route' MAC addresses to the respective SID (switch ID) they need to reach, so perhaps a more even split here.

     6. VLAN scalability for OTV is lower than FabricPath as of this content writing. (can you explain what this mean i didn't understand it)

    I completely disagree with this comment. I too do not understand.

     7. Resiliency of FabricPath network is better than OTV in some failure scenarios.(can me an example ?)

    I also disagree with that. FabricPath resilience could be the same as OTV or perhaps better. However, my personal experience is that with OTV fine-tuning, with things like BFD, failover is much faster!

    FabricPath is good because its IS-IS control plane and its operation are admirable, but one could say the same for OTV.

    Let's say one of the DCI links were to die: FabricPath forwarding would continue through the other links, so perhaps for low-latency, high-frequency environments that would be beneficial. OTV will change the AED and re-learn the MAC addresses advertised by the other AEDs, but as I said, the time could be extremely minimal with tuning. This isn't a big deal unless you need sub-second convergence!

    I hope that I have answered your questions. I recommend using OTV for your DCI and FabricPath for local switching inside your DC. This has been implemented repeatedly, and the Cisco validated designs in the links I sent you also point this out.

    Remember: FabricPath was built to be a step towards TRILL and a replacement for spanning-tree protocols; OTV was built especially for DCI. They were both built for specific design cases. It makes no sense to get these confused or mixed up unless there is a real and pressing use case.

    Joel's conclusion is right: use the right tool for the job. If the use case is good for FP then OK; if not, OTV.

    Recommended reading: http://www.packetmischief.ca/2013/04/23/DCI-series-overlay-transport-vir...

    These are just my thoughts.

    Bilal (CCIE #45032)

  • Public static IPsec tunnel between two routers cisco [VRF aware]

    Hi all

    I am trying to configure static IPsec tunnel between two routers. Router R1 has [no VRF] only global routing table.

    Router R2 has two routing tables:

    * vrf INET - used for internet connectivity

    * global routing table - used for VPN connections

    Here are the basic configs:

    R1

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
    crypto isakmp invalid-spi-recovery
    !
    crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile TUNNEL-IPSEC-PROTECTION
     set transform-set TRSET_AES-256_SHA
    !
    interface Loopback0
     ip address 10.0.1.1 255.255.255.255
     ip ospf 1 area 0
    !
    interface Tunnel0
     ip address 192.168.255.34 255.255.255.252
     ip ospf 1 area 0
     tunnel source FastEthernet0/0
     tunnel destination 203.0.0.3
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
    !
    interface FastEthernet0/0
     ip address 102.0.0.1 255.255.255.0
    !
    ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

    #######################################################

    R2

    ip vrf INET
     rd 1:1
    !
    crypto keyring test vrf INET
     pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp profile test
     keyring test
     match identity address 102.0.0.1 255.255.255.255
    !
    crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile TUNNEL-IPSEC-PROTECTION
     set transform-set TRSET_AES-256_SHA
     set isakmp-profile test
    !
    interface Loopback0
     ip address 10.0.2.2 255.255.255.255
     ip ospf 1 area 0
    !
    interface Tunnel0
     ip address 192.168.255.33 255.255.255.252
     ip ospf 1 area 0
     tunnel source FastEthernet0/0
     tunnel destination 102.0.0.1
     tunnel mode ipsec ipv4
     tunnel vrf INET
     tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
    !
    interface FastEthernet0/0
     ip vrf forwarding INET
     ip address 203.0.0.3 255.255.255.0
    !
    ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

    #######################################################

    There is a router between R1 and R2, it is used only for connectivity:

    interface FastEthernet0/0
     ip address 102.0.0.2 255.255.255.0
    !
    interface FastEthernet0/1
     ip address 203.0.0.2 255.255.255.0

    The problem is that the tunnel is not coming up; I can't get past phase 1.

    IPsec VPNs are not my strength, so if someone could show me what mistake I am making, I'd really appreciate it.

    I attached the output of #debug crypto isakmp from R2.

    The source and destination of Tunnel0 belong to VRF INET, so the static route needs to be updated.

    ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

    crypto isakmp profile test
     vrf INET
     keyring test
     match identity address 102.0.0.1 255.255.255.255

  • Catalyst 3560 network bonding between two Ubuntu 12.04 servers

    Hello world

    I'm trying to transfer data at more than 1 Gbit/s between two servers, but I only get the performance of a single NIC (approximately 1 Gbps). Here is my configuration:

    srvnettest1 and srvnettest2 are two Ubuntu 12.04 servers with three network cards each. eth0 is for management; eth1 and eth2 are the network cards that should work as a team. ;-) Here are the relevant parts of the configuration:

    [email protected]:~# less /etc/network/interfaces
    ...
    auto bond0
    iface bond0 inet static
        address 172.16.200.100
        netmask 255.255.255.0
        bond-mode 4
        bond-miimon 100
        bond-slaves none
        bond-lacp-rate 1
        bond-primary eth1 eth2

    auto eth1
    allow-bond0 eth1
    iface eth1 inet manual
        bond-master bond0

    auto eth2
    allow-bond0 eth2
    iface eth2 inet manual
        bond-master bond0
    ...

    [email protected]:~# less /etc/network/interfaces
    ...
    auto bond0
    iface bond0 inet static
        address 172.16.200.200
        netmask 255.255.255.0
        bond-mode 4
        bond-miimon 100
        bond-slaves none
        bond-lacp-rate 1
        bond-primary eth1 eth2

    auto eth1
    allow-bond0 eth1
    iface eth1 inet manual
        bond-master bond0

    auto eth2
    allow-bond0 eth2
    iface eth2 inet manual
        bond-master bond0
    ...

    This is the switch configuration (btw, this is a WS-C3560G-48TS running IOS version 12.2(55)SE):

    Switch#show running-config
    ...
    interface Port-channel10
     switchport access vlan 200
     switchport mode access
    !
    interface Port-channel20
     switchport access vlan 200
     switchport mode access
    !
    interface GigabitEthernet0/1
     switchport access vlan 200
     switchport mode access
     channel-group 10 mode active
    !
    interface GigabitEthernet0/2
     switchport access vlan 200
     switchport mode access
     channel-group 10 mode active
    !
    interface GigabitEthernet0/3
     switchport access vlan 200
     switchport mode access
     channel-group 20 mode active
    !
    interface GigabitEthernet0/4
     switchport access vlan 200
     switchport mode access
     channel-group 20 mode active
    ...

    This is my etherchannel summary:

    Switch#show etherchannel summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      f - failed to allocate aggregator
            M - not in use, minimum links not met
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port

    Number of channel-groups in use: 2
    Number of aggregators:           2

    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    10     Po10(SU)        LACP      Gi0/1(P)    Gi0/2(P)
    20     Po20(SU)        LACP      Gi0/3(P)    Gi0/4(P)

    My test tools are nuttcp (for the transfer) and bmon (to watch what is happening during the transfer). Unfortunately, I am not able to transfer more than 1 Gbps:

    [email protected]:~# nuttcp -i1 172.16.200.100
       97.1875 MB /   1.00 sec =  815.2409 Mbps     0 retrans
       98.0625 MB /   1.00 sec =  822.4763 Mbps     0 retrans
       98.0625 MB /   1.00 sec =  822.7321 Mbps     0 retrans
       98.1250 MB /   1.00 sec =  823.1001 Mbps     0 retrans
       98.0625 MB /   1.00 sec =  822.5306 Mbps     0 retrans
       98.0625 MB /   1.00 sec =  822.7560 Mbps     0 retrans
       98.1250 MB /   1.00 sec =  822.9890 Mbps     0 retrans
       98.0625 MB /   1.00 sec =  822.6753 Mbps     0 retrans
       98.0625 MB /   1.00 sec =  822.5528 Mbps     0 retrans
       98.0625 MB /   1.00 sec =  822.7058 Mbps     0 retrans

      982.5000 MB /  10.03 sec =  821.9606 Mbps 21 %TX 37 %RX 0 retrans 0.32 msRTT

    In bmon, I see that one NIC (eth1) of bond0 does the uplink and the other (eth2) does the downlink:

    #   Interface                RX Rate         RX #     TX Rate         TX #
    --------------------------------------------------------------------------------
    srvnettest2 (source: local)
    0   lo                         0.00B            0       0.00B            0
    1   eth2                     269.26KiB       4175       0.00B            0
    2   eth1                     123.00B            0     102.56MiB      71030
    3   eth0                     179.00B            2     491.00B            1
    4   bond0                    269.38KiB       4176     102.56MiB      71030

    I tried a lot of things, but now I have no idea what to do or what to try next. It is true that I have no deep understanding of Cisco etherchannels yet, so I guess that my mistake is somewhere in the IOS configuration.

    Thanks a lot for your support and greetings from Germany

    Stephan

    Hello Stephan,

    With EtherChannels, a single flow (a flow of frames/packets with the same source and destination) is always carried by a single link only. Cisco's implementation does not do per-packet load balancing across the links of an EtherChannel, and it avoids it for a reason: frames could get reordered, something plain Ethernet should never do. This means that you will not see a bandwidth improvement beyond the speed of a single link of your EtherChannel for a single flow. It is only the overall bandwidth for several flows which increases. The advantage of EtherChannel therefore becomes obvious only if your server handles many conversations and several flows.

    Best regards

    Peter
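
Why the nuttcp run above stays at single-link speed, as an added example that is not part of the original thread: a small Python model of hash-based member-link selection. It assumes a source/destination IP XOR hash (the method a given switch or bonding driver actually uses depends on its load-balance setting), and the host 172.16.200.101 and the port numbers are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

LINK_MBPS = 1000  # each member link is Gigabit Ethernet, as in the thread


def member_link(src_ip, dst_ip, n_links):
    """Pick a member link from the flow's addresses (assumed src-dst-ip XOR hash)."""
    s = int(ipaddress.ip_address(src_ip))
    d = int(ipaddress.ip_address(dst_ip))
    return (s ^ d) % n_links


def place_flows(flows, n_links):
    """Map link index -> flows carried. A flow is (src_ip, dst_ip, src_port, dst_port)."""
    placement = defaultdict(list)
    for flow in flows:
        placement[member_link(flow[0], flow[1], n_links)].append(flow)
    return dict(placement)


def best_case_mbps(flows, n_links):
    """Upper bound on aggregate throughput: only links that carry a flow contribute."""
    return LINK_MBPS * len(place_flows(flows, n_links))


# Constructed sample flows based on the addresses in the thread.
ONE_STREAM = [("172.16.200.200", "172.16.200.100", 40000, 5001)]
PARALLEL_STREAMS = [
    ("172.16.200.200", "172.16.200.100", 40000 + i, 5001) for i in range(4)
]
FAN_OUT = [
    ("172.16.200.200", "172.16.200.100", 40000, 5001),
    ("172.16.200.200", "172.16.200.101", 40001, 5001),  # constructed second peer
]

if __name__ == "__main__":
    for name, flows in (("one stream", ONE_STREAM),
                        ("four streams, same hosts", PARALLEL_STREAMS),
                        ("two peers", FAN_OUT)):
        print(f"{name:26} links used: {sorted(place_flows(flows, 2))} "
              f"best case: {best_case_mbps(flows, 2)} Mbps")
```

With an address-based hash, even parallel streams between the same two hosts share one link; only flows that differ in a hashed field can land on different members.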

  • IPsec VPN between two routers - mode ESP Transport and Tunnel mode

    Hi experts,

    I have this question about the Transport mode and Tunnel mode for awhile.

    Based on my understanding, 'Transport' mode is not possible because you always have the original "internal" private IP addresses in the IP headers. They are always different from the public IP addresses on the interfaces enabled with the crypto map. When encapsulated in the VPN tunnel, the internal IP addresses must be included or the remote VPN router won't know where to forward the packet.

    To test, I built a simple GNS3 lab with three routers. R1 and R3 are configured as VPN routers and R2 simulates the Internet.

    My configs are also very basic. R2 is routing between 1.1.1.0/24 and 2.2.2.0/24. It is defined as the gateway of R1 and R3.

    R1:

    crypto isakmp policy 100
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key 123456 address 2.2.2.2
    !
    crypto ipsec transform-set ESP_null esp-null esp-sha-hmac
    !
    crypto map map 10 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set ESP_null
     match address VPN
    !
    ip access-list extended VPN
     permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    !

    R3:

    crypto isakmp policy 100
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key 123456 address 1.1.1.2
    !
    !
    crypto ipsec transform-set ESP_null esp-null esp-sha-hmac
    !
    crypto map map 10 ipsec-isakmp
     set peer 1.1.1.2
     set transform-set ESP_null
     match address VPN
    !
    ip access-list extended VPN
     permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    I configured the transform set with "null" encryption, so it will not encrypt the traffic.

    Then I tried both 'transport' mode and 'tunnel' mode. I pinged from a host in the internal network of R1 to another host in the internal network of R3. I also tried 'telnet'. I also captured packets and carefully compared them in both modes.

    Packets are encapsulated in exactly the same way!

    It's just SPI + sequence No. + + padding

    I will attach my screenshots here for you guys to analyze. I would be grateful for any explanation. Maybe I am just confused when it comes to NAT...

    I guess my next step is to check whether the two modes make a difference when GRE is used.

    Thank you

    Difan

    Hi Difan,

    As you point out, transport mode is not always applicable (i.e. it is applicable only if the IP source and destination are equal to the corresponding proxy IDs).

    Typical scenarios in which transport mode is used:

    -Encryption between two hosts

    -GRE tunnels

    -L2TP over IPsec

    Even if you set "mode transport", this does not mean that it will be used. IOS routers, and I believe also ASA, will fall back to tunnel mode if transport mode is configured but does not apply.

    I can take a look at your sniffer traces, but first of all can you please check whether you have transport mode on your IPsec security associations? The "show crypto ipsec sa" output will show you tunnel or transport mode.

    HTH,

    Marcin
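
The applicability rule from the answer above, as an added example that is not part of the original thread: a Python check of whether transport mode can apply for a given pair of peers and proxy IDs, applied to the lab in the question and to a host-to-host (GRE style) case. The function names and the layer labels are this example's own.

```python
import ipaddress


def transport_applicable(local_peer, remote_peer, local_proxy, remote_proxy):
    """Transport mode applies only if each proxy ID is exactly the peer's own address."""
    lp = ipaddress.ip_network(local_proxy)
    rp = ipaddress.ip_network(remote_proxy)
    return (
        lp.num_addresses == 1
        and rp.num_addresses == 1
        and lp.network_address == ipaddress.ip_address(local_peer)
        and rp.network_address == ipaddress.ip_address(remote_peer)
    )


def effective_mode(configured, local_peer, remote_peer, local_proxy, remote_proxy):
    """Mode actually used: configured transport falls back to tunnel when it does not apply."""
    if configured == "transport" and transport_applicable(
        local_peer, remote_peer, local_proxy, remote_proxy
    ):
        return "transport"
    return "tunnel"


def wire_layout(mode):
    """Order of headers on the wire for an ESP packet in the given mode."""
    if mode == "transport":
        return ["IP header (peer to peer)", "ESP header (SPI, sequence number)",
                "payload", "ESP trailer (padding)", "ESP ICV"]
    return ["outer IP header (peer to peer)", "ESP header (SPI, sequence number)",
            "inner IP header (host to host)", "payload", "ESP trailer (padding)",
            "ESP ICV"]


# The lab from the question: peers 1.1.1.2 and 2.2.2.2, proxy IDs from the VPN ACL.
LAB = ("1.1.1.2", "2.2.2.2", "192.168.1.0/24", "10.0.0.0/24")
# Host-to-host case (for example GRE between the two peers): proxy IDs are the peers.
HOST_TO_HOST = ("1.1.1.2", "2.2.2.2", "1.1.1.2/32", "2.2.2.2/32")

if __name__ == "__main__":
    for name, case in (("lab ACL", LAB), ("host to host", HOST_TO_HOST)):
        for configured in ("transport", "tunnel"):
            mode = effective_mode(configured, *case)
            print(f"{name:13} configured={configured:9} -> {mode}: "
                  + " | ".join(wire_layout(mode)))
```

For the lab's subnet-to-subnet ACL both settings yield the tunnel layout, which is why the two captures in the question look the same.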

  • L2l VPN between two ASA5505 works not

    Let me start who I know a thing or two about networks.  VPN not so much.

    I am trying to configure a Site-toSite VPN between two ASA 5505.  I am building this in a laboratory of the Office before I deploy it to the end sites.  I are the indications on this very informative forum and think I have it set up correctly.  I can see the tunnel is being built and I see same incrementation of the traffic counters.  But the real user sessions do not seem to work.  For example, ping and telnet does not work.

    An excerpt from the syslog for a ping test on a computer on the remote end.

    (10.1.10.5 is the local computer, 10.1.11.5 is the remote computer.  10.1.11.1 is the interface of the ASA remote interior)

    6 | Jan 20 2012 | 01:04:12 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:10 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:07 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:05 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:02 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:04:00 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:57 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:55 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:48 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:46 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:43 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:41 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:38 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    6 | Jan 20 2012 | 01:03:36 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
    5 | Jan 20 2012 | 01:03:32 | 713041 | IP = 192.168.24.211, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.24.211 local Proxy Address 10.1.10.0, remote Proxy Address 10.1.11.0, Crypto map (outside_map)

    This is the configuration for one of them.  The other is configured the same way, with the usual settings reversed.

    ASA Version 8.2(1)
    !
    hostname ASATWDS
    !

    names
    name 10.1.11.0 remote-network
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.1.10.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.24.210 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip 10.1.10.0 255.255.255.0 remote-network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 remote-network 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 192.168.24.1 1
    route outside remote-network 255.255.255.0 192.168.24.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.1.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 192.168.24.211
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set phase1-mode aggressive
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 10.1.10.5-10.1.10.36 inside
    dhcpd dns 209.18.47.61 209.18.47.62 interface inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    tunnel-group 192.168.24.211 type ipsec-l2l
    tunnel-group 192.168.24.211 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:b4bea5393489da3aa83f281d3107a32e

    The configuration looks good to me, but I think that you don't need the following:

    crypto map outside_map 1 set phase1-mode aggressive

    crypto map outside_map 1 set reverse-route

    Anyway,

    1> Can you please check whether the computer you are trying to ping or telnet to isn't running a machine-based firewall, anti-virus or iptables (Linux)?

    2> Paste the output of

    a> sh crypto ipsec sa

    b> sh crypto isakmp sa

    Manish
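
In the syslog excerpt above, every ICMP connection is torn down two seconds after it is built, which matches the `icmp 0:00:02` idle timeout in the posted configuration. The following is an added example, not part of the original thread: it pairs Built (302020) and Teardown (302021) messages and flags flows that lived for the whole timeout, a heuristic for pings that never got a reply. The pipe-separated log layout, the 192.0.2.10 lines and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime

ICMP_IDLE_TIMEOUT = 2  # seconds; "timeout conn ... icmp 0:00:02" in the posted config

# Constructed sample in ASDM log-viewer layout (newest first). The first four lines
# mirror the post's excerpt; the 192.0.2.10 pair is invented to show an answered ping.
SAMPLE = """\
6|Jan 20 2012|01:04:12|302021|10.1.11.1|0|10.1.10.5|1|Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6|Jan 20 2012|01:04:10|302020|10.1.10.5|1|10.1.11.1|0|Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6|Jan 20 2012|01:03:48|302021|10.1.11.5|0|10.1.10.5|1|Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6|Jan 20 2012|01:03:46|302020|10.1.10.5|1|10.1.11.5|0|Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6|Jan 20 2012|01:03:30|302021|192.0.2.10|0|10.1.10.5|1|Teardown ICMP connection for faddr 192.0.2.10/0 gaddr 192.168.24.210/1 laddr 10.1.10.5/1
6|Jan 20 2012|01:03:30|302020|10.1.10.5|1|192.0.2.10|0|Built outbound ICMP connection for faddr 192.0.2.10/0 gaddr 192.168.24.210/1 laddr 10.1.10.5/1
"""

LINE = re.compile(
    r"^\d\s*\|\s*(?P<date>[^|]+?)\s*\|\s*(?P<time>[\d:]+)\s*\|\s*(?P<id>30202[01])\s*\|"
    r".*ICMP connection for faddr (?P<faddr>\S+) gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)")

def icmp_flows(text):
    """Pair each Built with its Teardown; return (faddr, laddr, lifetime_seconds), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
            events.append((ts, m["id"], (m["faddr"], m["gaddr"], m["laddr"])))
    # Oldest first; within the same second, Built (302020) sorts before Teardown (302021).
    events.sort(key=lambda e: (e[0], e[1]))
    open_flows, flows = {}, []
    for ts, msg_id, key in events:
        if msg_id == "302020":
            open_flows[key] = ts
        elif key in open_flows:  # a Teardown without a logged Built is ignored
            lifetime = int((ts - open_flows.pop(key)).total_seconds())
            flows.append((key[0], key[2], lifetime))
    return flows

def unanswered(flows, idle=ICMP_IDLE_TIMEOUT):
    """Flows that lasted the full idle timeout were aged out, so no reply is likely to have arrived."""
    return [f for f in flows if f[2] >= idle]

if __name__ == "__main__":
    for faddr, laddr, secs in unanswered(icmp_flows(SAMPLE)):
        print(f"{laddr} -> {faddr}: torn down after {secs}s, no echo reply seen")
```

Both destinations from the post, 10.1.11.1 and 10.1.11.5, are flagged, which points at the return path or the remote end rather than at the local host.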
