Is EBS multi-tenant?

Hi all

EBS R12.2.4

OEL 6

Amazon Cloud.

We intend to sell (rent) managed EBS cloud services to SMEs.

For as little as 1 rental per hour, the client user can use our cloud EBS.

They do not have to buy the license or servers but only rent per hour. Given that we will be buying the license.

My question is, can I configure several different companies in EBS?

Thank you very much

JC

Hello

I've seen some companies with a single entity on top and the other entities belonging to the first and they use a single license which covers all companies.

As far as I know, as long as you pay the license for your actual use, you should be on the safe side.

Contact Oracle salesrep or account manager for a definitive answer.

Kind regards

Bashar

Tags: Oracle Applications

Similar Questions

  • View multi-tenant

    I'm sure there must be a discussion, I'm not finding on this, but here's what I'm looking for:

    Currently, View (5 or 6) can belong only to a single domain.

    VCloud multi tenant implementations are OK with having more than one domain (or subdomain) within the tenant space, but as far as I can see, ONLY supports files with different permissions and roles within each of records (or higher level).  It is possible to configure a trust between the domains for authentication, but which places a burden on the 'original' area if you want to configure domain based prominent roles.

    Has anyone seen or heard any information that points to it becoming a true multi-domain or multi-tenant solution, outside of embedding View in a vCloud cell?

    Thank you

    Roger

    You're right, Horizon View is not intended to be used in an environment where you need real multi-tenancy. There are ways to get it to work this way, but they generally require a lot of manual steps and you could end up in unsupported configurations.

    Fortunately, there's a solution to this: it's called VMware DaaS (formerly Desktone), and it was built to be shared all along.

    Linjo

  • Question of design on unique constraints while moving to multi-tenant

    Hi all

    Please see the definition of this simple table:
    CREATE TABLE emp 
        ( 
         id INTEGER  NOT NULL , 
         name VARCHAR2 (30 CHAR)  NOT NULL , 
         birthdate DATE  NOT NULL , 
         username VARCHAR2 (10 CHAR) ,
         CONSTRAINT PK_ PRIMARY KEY ( id ) ,
         CONSTRAINT UC_emp_username UNIQUE ( username )
        );
    In this design, each user can (optional, NULL allowed) have a user name. A user name can only be used once. An application that uses this type of table is not multi-tenant capable.

    Now if I run the application of several tenants, I add a column tenant_id like this:
    CREATE TABLE emp 
        ( 
         id INTEGER  NOT NULL , 
         name VARCHAR2 (30 CHAR)  NOT NULL , 
         birthdate DATE  NOT NULL , 
         username VARCHAR2 (10 CHAR) ,
         tenant_id INTEGER  NOT NULL ,
         CONSTRAINT PK_ PRIMARY KEY ( id ) ,
         CONSTRAINT UC_emp_tenant_username UNIQUE ( tenant_id, username )
        );
    I have almost achieved my goal:
    As before, a user can (optional, NULL allowed) have a user name. A user name can only be used once PER TENANT (see the changed UC). Of course, each tenant must be provided with an account named 'administrator', so the UC must include the tenant_id. But here is what does not work:

    As soon as I add a 2nd employee for a tenant and this user doesn't have a login (and therefore no user name), the UC prevents the addition of this user.
    This was no problem in the 1st case, because the UC covered a single column, and a row in the base table with a NULL value in this column is simply ignored in the index.
    In the 2nd case, every row in the base table is included in the UC, because the tenant_id column is NOT NULL. So the combination {tenant_id: 1, username: NULL} can exist only once. This means that almost all employees must have a user name.

    What is the solution here?
    Dropping the UC is not a solution.
    Is it really necessary to move the user name column to a new table, as in the following? It just doesn't feel good to introduce a relationship table for a 1:1 relationship.
    CREATE TABLE emp 
        ( 
         id INTEGER  NOT NULL , 
         name VARCHAR2 (30 CHAR)  NOT NULL , 
         birthdate DATE  NOT NULL , 
         tenant_id INTEGER  NOT NULL ,
         CONSTRAINT PK_emp PRIMARY KEY ( id )
        ) ;
    
    CREATE TABLE username 
        ( 
         id INTEGER  NOT NULL , 
         emp_id INTEGER  NOT NULL , 
         username VARCHAR2 (30 CHAR)  NOT NULL , 
         tenant_id INTEGER  NOT NULL ,
         CONSTRAINT PK_username PRIMARY KEY ( id ) ,
         CONSTRAINT UC_username_emp UNIQUE ( emp_id ) ,
         CONSTRAINT UC_username_username_tenant UNIQUE ( username , tenant_id ) ,
         CONSTRAINT FK_username_emp FOREIGN KEY ( emp_id ) REFERENCES emp ( id ) 
        ) 
    ;
    Any ideas or links to books are greatly appreciated.

    Thank you
    Blama

    Hi, Lawrence.

    Sorry, I'm not sure you understand the problem. It would be useful if you posted some INSERT statements that should be allowed, and some that must fail because they violate the uniqueness rule. Or at least post a business scenario that you might need to model. For example: "Tenant 1 has 3 employees: 11, 12 and 13. Employee 11 has username "FFL". 12 has no username. 13 should be able to choose any username except "Elf", or not have one (just like 12). Tenant 2 has 2 employees ..."

    You can create a unique function-based index. For example, if the user name is optional:

    CREATE UNIQUE INDEX emp_name_unique ON
    username ( NVL2 (username, tenant_id, NULL)
             , username
             );
    

    If username is NULL, then both index expressions will be NULL and there will be no index entry. So there can be any number of rows with the same tenant_id but no user name, but only one row for each (tenant_id, username) combination when there is a user name.

    Laurent wrote:
    ... Is it really necessary to move the user name column to a new table, as in the following? It just doesn't feel good to introduce a relationship table for a 1:1 relationship.

    Good instinct; it's weird (but not necessarily bad) to have a one-to-one relationship between tables, but do you? When you say things like

    ... A user name can only be used once PER TENANT ...

    or

    ... As soon as I add a 2nd employee for a tenant...

    Looks like you have a one-to-many relationship, or maybe a many-to-many relationship, or maybe even two relationships, neither of which is unequivocal.

    Published by: Frank Kulash, October 26, 2012 09:15
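    The behaviour discussed in this thread, as an added example that is not part of the original posts: a composite unique constraint on (tenant_id, username) rejects a second login-less employee in the same tenant, while a unique function-based index of the kind suggested in the answer keeps login names unique per tenant and still allows any number of NULL usernames. The index is created on the emp table here, and the constraint and index names, the 'admin' login and the sample rows are assumptions made for the illustration.

```sql
-- Added example (Oracle SQL). Names and sample rows are constructed for illustration.
CREATE TABLE emp
    (
     id        INTEGER            NOT NULL ,
     name      VARCHAR2 (30 CHAR) NOT NULL ,
     birthdate DATE               NOT NULL ,
     username  VARCHAR2 (10 CHAR) ,
     tenant_id INTEGER            NOT NULL ,
     CONSTRAINT PK_emp PRIMARY KEY ( id ) ,
     CONSTRAINT UC_emp_tenant_username UNIQUE ( tenant_id, username )
    );

-- Step 1: composite constraint. Because tenant_id is never NULL, every row gets
-- an index entry, so (1, NULL) collides with another (1, NULL).
INSERT INTO emp (id, name, birthdate, username, tenant_id)
VALUES (11, 'Employee 11', DATE '1980-01-01', 'admin', 1);   -- accepted

INSERT INTO emp (id, name, birthdate, username, tenant_id)
VALUES (12, 'Employee 12', DATE '1981-02-02', NULL, 1);      -- accepted

INSERT INTO emp (id, name, birthdate, username, tenant_id)
VALUES (13, 'Employee 13', DATE '1982-03-03', NULL, 1);      -- rejected: ORA-00001

-- Step 2: replace the constraint with a unique function-based index.
-- When username is NULL both key expressions are NULL and the row is not indexed.
ALTER TABLE emp DROP CONSTRAINT UC_emp_tenant_username;

CREATE UNIQUE INDEX UX_emp_tenant_username ON emp
    ( NVL2 (username, tenant_id, NULL)
    , username
    );

INSERT INTO emp (id, name, birthdate, username, tenant_id)
VALUES (13, 'Employee 13', DATE '1982-03-03', NULL, 1);      -- accepted now

-- Same login name in another tenant: allowed, tenants do not share a namespace.
INSERT INTO emp (id, name, birthdate, username, tenant_id)
VALUES (21, 'Employee 21', DATE '1983-04-04', 'admin', 2);   -- accepted

-- Duplicate login name inside tenant 1: still blocked.
INSERT INTO emp (id, name, birthdate, username, tenant_id)
VALUES (14, 'Employee 14', DATE '1984-05-05', 'admin', 1);   -- rejected: ORA-00001

-- Per-tenant summary of employees and of employees that have a login.
SELECT tenant_id,
       COUNT(*)        AS employees,
       COUNT(username) AS with_login
FROM   emp
GROUP  BY tenant_id
ORDER  BY tenant_id;
```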

  • Orchestrator and multi-tenant

    I use Orchestrator in a multi-tenancy environment.  What I try to do is:

    Set up a master orchestrator instance where I can centralize workflow execution.

    Deploy slave instances in the different tenant environments that I can call with the multi-node plugin.

    The problem is that the environments are separate and accessible only via a vpn tunnel.

    How should I configure master orchestrator and the slave to connect via vpn?

    Should I:

    1. use a "VPN connection plugin", if there is one, to establish a connection via VPN?
    2. use the HTTP-REST plug-in and give the two vCOs a public IP address and a public-facing web interface, if it can be done safely, perhaps placing the slave vCO in the DMZ?
    3. another way?

    Thanks for the input!

    If you have an always-on VPN connection to the remote/slave instances, then just open the firewall ports to allow the master to connect to the remote/slave instance.

    Ports are listed on page 38 & 39:

    http://pubs.VMware.com/vSphere-55/topic/com.VMware.ICbase/PDF/vCenter-Orchestrator-552-install-config-Guide.PDF

    Documentation for the multi-node plugin:

    http://pubs.VMware.com/Orchestrator-plugins/topic/com.VMware.ICbase/PDF/using-multi-node-plugin-10-Guide.PDF

    From what I can tell, you would need the following ports open between the master (source) and remote/slave (destination):

    • TCP - 8230 - the main port to communicate with the server Orchestrator (JNDI port).
    • Trust TCP - 8250 - for SSL (multi-node plugin documentation - "Activate Orchestrator for the remote execution Workflow")

  • Importing data in a multi-tenant environment

    I need a solution in a multitenant environment where customers can send large amounts of data by post on a physical storage device, and we can import into the data center.  How can I design my infrastructure for this?  Should I create an intermediate storage solution, where I can plug in a USB device and copy them to a special data store that has special security and containment and then selectively allow it to transfer to selective areas only?  The problem is that if the customer must give us a virtual machine to import with 4 TB of data, it is no good way to download where we would have controls real network set up to analyze the data and to ensure that what can be done on the vpn connection.

    However, if a storage device that we know nothing about is brought into the data center, it could potentially have anything on it. What would a good design to enable this look like, in terms of what this client USB storage device connects to and where the entry point for the data into our environment is?

    Hello

    You could, but you'd especially do so before the data is loaded, just to be sure. You have your 'penetration trustzone' and 'transfer trustzone', then 'tenant'. This way your penetration device (USB over IP, whatever) cannot directly touch the tenant. I put what I consider each zone to be in parentheses.

    Penetration: (red, untrusted, outside)

    USB over IP w/target penetration VM w/tenant data VMDK.

    You can check for malware here if you wish, but since this virtual machine is USB-connected I'll just say it is corrupt and accept that.

    After transfer, disconnect the tenant data VMDK.

    Transfer: (Orange: inspect, confidence, DMZ)

    Mount the 'tenant data VMDK' on the transfer VM.

    Perform all your audits for AV, etc. Clean the data as needed.

    Yes, listen on the network for "call home" traffic, etc.

    Make sure the transfer zone is intact and clean.

    When you are SURE there are no problems:

    Then transfer the data to the tenant box directly if it is small enough, or unmount the tenant data VMDK.

    Tenant zone: (green, confidence, internal)

    Mount the tenant data VMDK on the VM that requires it.

    Connect the application

    Best regards
    Edward L. Haletky
    VMware communities user moderator, VMware vExpert 2009-2015

    Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers', Copyright 2011 Pearson Education, and 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC - vSphere Upgrade Saga - Virtualization Security Round Table Podcast

  • Multi-node EBS administration node

    Hi hussein.

    What do you mean by 'administration node' in EBS? What is the node Manager of CM?

    Moreover, we had a meeting with Oracle technical support. Our customer engaged their services to implement 'RAC' for the EBS R12, which was awarded to us for implementation. I am very grateful that they have entrusted it to Oracle. The Oracle tech support pre-req for implementing RAC was to install on several nodes, say node1 for the apps tier and node2 for the Db tier, and he told me to put the 'administration node' on the Db tier so that it is able to do parallel transformation.

    How do you put the administration in the Db layer node when cloning? or cracking of the nodes?



    Thank you very much

    Mrs. k

    Hello

    If you are referring to the shared file request system then the answer is Yes. However, you can have an APPL_TOP unified with a traditional installation of several node (i.e. you do not have to have a disk shared for application-level nodes). As mentioned earlier, in R12 you will find that you have the same files on each node of the application layer (no matter it is traditional shared filesystem or multinode installation application).

    Kind regards
    Hussein

  • Multi-tenant IOS Firewall and same-security subinterfaces 9.0

    Hi all

    I'm so used to < 8.3 and am having great difficulty getting an environment working properly so I'm now going to leverage the cisco

    We set up a network with clients behind a pair of 5510s. All of these clients will have their own dedicated subinterface in their own VLAN. Out of the gate, I had same-security-traffic permit inter-interface enabled and all networks could communicate with each other. I certainly don't want that, so I have disabled this command and now the client networks are unable to communicate with each other, as expected.

    The problem now lies in networks where a customer has 2 separate VLANs (say a staging and a prod environment) that need to communicate. Is it feasible if they are at the same security level and same-security-traffic permit inter-interface is disabled? Do I just need to create an ACL for the networks to talk? Is there a better way to do this with same-security-traffic permit inter-interface enabled?

    Pre-8.3, I had same-security-traffic permit inter-interface enabled, but traffic could not pass to the other interface unless I created a NAT exemption and ACLs. Do I still create a NAT exemption?

    Hello

    The basic problem that you run into with different software levels is the 'nat-control' parameter, which exists in 8.2 (and earlier versions) but does not exist in 8.3 (or later versions of the ASA software).

    In 8.2 and earlier software, the 'nat-control' configuration gave you the option of requiring a connection to have a NAT configuration to be able to pass traffic through the ASA. Of course this, coupled with the 'security-level', gave you more chances to control traffic without resorting to ACLs.

    However, in the new software, 8.3 and later, 'nat-control' no longer exists, and whether or not a connection has a NAT configuration applied, the ASA still allows the connection (subject to other ASA controls allowing it), so basically you won't need NAT configurations between your local interfaces. The most common NAT configurations should be between your local interfaces and the 'outside' ASA interface.

    If you try to control traffic between interfaces with the global configuration commands you mention, you will eventually be constantly 'juggling' the 'security-level' configurations around so that the correct rules are applied to the traffic.

    This question comes up on these forums every now and then, and I almost always offer the same approach, which is to set up an ACL on EACH interface of the ASA.

    • Remember to leave the "same-security-traffic" configurations on the ASA. This is because even if you have interface ACLs allowing the traffic, if there are for some reason any interfaces left with identical "security-level", the ACL won't be sufficient to allow the traffic.
    • Configure an ACL on each interface
    • Initially, when configuring the ACLs, create an "object-group" that will contain EACH network behind your local firewall interfaces (except "outside", of course)
    • Use this "object-group" at THE start of the interface ACL to BLOCK ALL traffic from behind this interface to these networks
    • After that, allow or block the different outbound/Internet-bound traffic as usual
    • Where 2 (or more) networks behind different interfaces need to communicate with each other, set up a permit statement at the start of each ACL. The already existing 'deny' statement with the "object-group" will ensure that other traffic between the networks is blocked

    A very simple example, you might want to consider the following

    Networks:

    • LAN1: 10.10.10.0/24
    • LAN2: 10.10.20.0/24
    • DMZ1: 192.168.100.0/24
    • DMZ2: 192.168.200.0/24

    same-security-traffic permit inter-interface

    interface GigabitEthernet0/0
     description box

    interface GigabitEthernet0/0.10
     vlan 10
     nameif LAN1
     security-level 100
     ip address 10.10.10.1 255.255.255.0

    interface GigabitEthernet0/0.20
     vlan 20
     nameif LAN2
     security-level 100
     ip address 10.10.20.1 255.255.255.0

    interface GigabitEthernet0/0.100
     vlan 100
     nameif DMZ1
     security-level 100
     ip address 192.168.100.1 255.255.255.0

    interface GigabitEthernet0/0.200
     vlan 200
     nameif DMZ2
     security-level 100
     ip address 192.168.200.1 255.255.255.0

    ! Every local network behind the firewall (everything except "outside")
    object-group network BLOCK-LOCAL-NETWORKS
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 192.168.100.0 255.255.255.0
     network-object 192.168.200.0 255.255.255.0

    ! Specific inter-interface permits first, then the deny, then outbound traffic
    access-list LAN1-IN remark Allow HTTP / HTTPS to the DMZ1 server
    access-list LAN1-IN permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.100 eq www
    access-list LAN1-IN permit tcp 10.10.10.0 255.255.255.0 host 192.168.100.100 eq https
    access-list LAN1-IN remark Block traffic to other local networks
    access-list LAN1-IN deny ip any object-group BLOCK-LOCAL-NETWORKS
    access-list LAN1-IN remark Allow all outbound traffic
    access-list LAN1-IN permit ip 10.10.10.0 255.255.255.0 any

    access-group LAN1-IN in interface LAN1

    And of course all the other ACLs would follow the same model in one form or another. You wouldn't really have to worry about which traffic is allowed between interfaces; rather, most of the work would probably be adding "permit" statements at the top of each ACL when required for inter-interface communication. But I guess that the amount of these additions would also remain at a manageable level for FW admins.

    Naturally, in the biggest environments you would probably get a high-end ASA, virtualize it, and separate each customer environment into its own security context, where you would avoid this situation altogether. Naturally, the biggest points against this solution usually can be cost and the fact that virtualizing the ASA in multiple context mode disables some essential operational capabilities of the ASA, of which the most important is probably Client VPN connections (L2L VPN is supported in multiple context mode in 9.x software).

    Hope this helps

    Don't forget to mark the reply as the answer if it answered your question. And/or rate helpful answers.

    Ask more if needed

    -Jouni

  • Multi-tenant and different charactersets

    Is it possible to have different PDBs with different character sets in a CDB?

    No, this is not possible. All PDBs have the same character sets as the CDB:

    https://docs.Oracle.com/database/121/NLSPG/ch2charset.htm#NLSPG1035

  • Several tenants on the configuration of the disks Exadata

    Hello

    Exadata pre-built 2 bow TIE, ASM 3 configured disk group.

    Please may I know what is the configuration of Group of disc for the consolidation of Multi tenant on exadata.

    Thank you

    Since the DSO balances actually all batteries on all counts on all the disks on all storage servers, it is actually irrelevant whether you have one or several starts as long as your start is spread across all disks. This is one reason why having less starts can be beneficial, because they are guaranteed to be spread across all disks in the exadata rack. If people try to change the standard configuration after installation there are chances of them being wrong, dropping disks off starts and slice not uniformly leading to loss of performance, availability and recovereability.

  • Installation of the EBS R12

    Hello

    For a multi-user EBS R12 installation, is it possible to install without logging in as root? If yes, what are the appropriate privileges for the new OS user so that it can install?

    VMahadev wrote:

    Hello

    For a multi-user EBS R12 installation, is it possible to install without logging in as root? If yes, what are the appropriate privileges for the new OS user so that it can install?

    Yes, it is possible, but you will have one user owning the application and database tier node files.

    If you want user applmgr to own the apps tier node files and user oracle to own the db tier node files, then Rapid Install must be run as root.

    If you want one user (applmgr and oracle) to own the apps and db tier node files, Rapid Install must be run as that user.

    12.2 - http://docs.oracle.com/cd/E26401_01/doc.122/e22950/T422699i4773.htm#3708205

    12.1 - Oracle E-Business Suite Installation Guide: Using Rapid Install

    Thank you

    Hussein

  • Tenant Admins can see machines in other tenants in 6.2

    Scenario: multi-tenant env.

    Tenant Admins can go to Administration-> tenant-> reclamation Machines.  They can then choose a machine that has been commissioned to another tenant and select recover Virtual Machine.  This happened with one of my clients and I just reproduced the issue on a laboratory env.

    That's what I did:

    Created a user of SMS-tenantadmin

    Added to the Admins of GSS tenant tenant

    Added to the Business Group of this tenant

    Created a user dcd-tenantadmin

    Added to the Admins of tenant tenant DCD

    Added to the Business Group of this tenant

    Note: users are not member of any global groups with the exception of users in the domain, they are not members of the fabric Admins or IaaS Admins and have no membership any in any other tenants.

    Logged in as ESG-tenantadmin

    Navigated to Administration-> tenant Machines-> reclamation

    I am able to see the 2 machines under the tenant of the GSS

    I am able to see the machine that I put in service to the tenant DCD

    Tenant admin should be able to recover virtual machines within their own tenant.

    Did I make a mistake somewhere?  Is this a bug with vRA 6.2?

    VMware has recognized that it is a bug.  The fix will be included in 6.2.3 release (Q3?).  I have clients who are interested in a faster solution, so a hotfix request was sent to VMware Engineering.  I'll post again when the fix is available.

  • Using the data of EBS in BI Publisher

    Question: Is it possible to directly use EBS data in BI Publisher? If so, can you point me to the documentation?

    Here's the scenario:

    Imagine that our company uses Oracle E-Business Suite. All the Oracle columns, tables and schemas related to EBS. It is the backbone of our company data. Couldn't live without it.

    We're also crazy about OBIEE, especially BI Publisher. We have people who are experts in BI Publisher.

    The CEO of the company would like to enjoy the mountains of data available in EBS, but also the expertise of the people who are trained and skilled in BI Publisher, using the data of EBS directly in BI Publisher. The Director-general provided us with a budget and staffing appropriate to perform a single installation of all structures must be added, or middle, for this to happen.

    The CEO's objective is for data additions and revisions in EBS to be included automatically in the BI Publisher reports. Assuming that between Monday and Tuesday no structural changes occurred in any of the EBS schemas, tables or columns, and that all we have done is add and/or modify EBS data, then the BI Publisher reports must reflect the Monday data on Monday and, without our having to do anything in the meantime, reflect the Tuesday data just by sitting down Tuesday and running the BI Publisher reports Tuesday morning. No rebuilding XML files every day or anything like that. Just clean and totally transparent use of the EBS data as it gets added and updated during the normal course of business.

    In general, what steps do we need to carry out - in EBS, in the XML Editor (if any) and BI Publisher - to directly use the data of EBS in BI Publisher on a daily basis as described above?

    Ideally, I like just go to the Admin page in BI Publisher and add EBS as a new data source, or perhaps to use the section of the integration of the Admin page, as we would with discoverer or workspace of Hyperion and Shared Services. But I know that's not as simple as that.

    Can you help clarify?

    Thank you!

    "Ideally, I like just go to the Admin page in BI Publisher and add EBS as a new data source, or perhaps to use the section of the integration of the Admin page, as we would with discoverer or workspace of Hyperion and Shared Services. But I know that's not as simple as that."

    I don't know why you don't think it's as simple as that, but it is. Add a new JDBC data source, assign it to BIP roles, create data templates/queries against this data source and you're ready to go.

    To use the multi-org views, you need to set the org_id in forward initiation of the report.

    What version of BIP are you using? We have the latest BIP 11g, we use eBS (R12) as the security model, Teradata is our main source of data, but almost all the reports use the eBS multi-org security context to limit the Teradata data, based on the security profile of the user as defined in eBS.

    I hope this helps.

    Thank you
    Sunder

  • What pre-installation tasks are necessary for multi-node EBS 11.5.10.2?

    The Oracle Applications installation guide does not explain (?) the pre-installation tasks... For example

    Configuring the kernel parameters, shell limits etc., which is normally required for the installation of the DB.

    What kind of pre-installation tasks are necessary for a multi-node EBS 11.5.10.2 installation, apart from installing JDK and Perl and creating OS users & groups?

    Published by: fjean on January 14, 2009 10:02

    Please refer to:

    Note: 294932.1 - recommendations for install of Oracle 11i Applications
    https://metalink2.Oracle.com/MetaLink/PLSQL/ml2_documents.showDocument?p_database_id=not&P_ID=294932.1

    Note: 316806.1 - Oracle Applications Installation update Notes, Release 11i (11.5.10.2)
    https://metalink2.Oracle.com/MetaLink/PLSQL/ml2_documents.showDocument?p_database_id=not&P_ID=316806.1

  • 802.11n interference

    How sensitive is 802.11n to other 802.11x networks?

    We are looking to use Cisco 802.11n in an upcoming building, but it's going to be a multi-tenant building and several 802.11x networks may become present.

    Is there any good documentation on issues related to the interference and 802.11n that someone can offer?

    Thank you.

    Regarding the interference... 802.11n operating in the 2.4 GHz spectrum with 20 MHz channels will suffer interference even from 802.11b/g... If you enable 40 MHz channel bonding, then interference will probably get worse, because this reduces the 3 overlapping channels to just 1 channel, so you will see interference immediately.

    That said, if you are designing a multi-tenant building for 802.11n, I would start by using the 5 GHz range, because it is cleaner and you will be able to use channel bonding, or the 40 MHz band, to increase the speed and overall bandwidth of the WLAN.

    I have attached a design guide for your comment... hope this helps you in your steps.

  • Strange problem in IPSec Tunnel - 8.4 NAT (2)

    Hello all,

    This must be the strangest issue I've seen in the last year on my ASA.

    I have an ASA 5540, which ran the 8.4(2) code without any problem until I ran into this problem last week, and I have spent sleepless nights with no resolution! So, take a deep breath and here is a brief description of my setup and the problem:

    A simple IPSEC tunnel between my 8.4(2) ASA 5540 and a Juniper SSG 140 running ScreenOS 6.3.0r9.0 (route-based VPN)

    The tunnel comes up without any problem, but the ASA refuses to encrypt the traffic while it decrypts with GLORY!

    Here are a few debug outputs, the show output, and a packet-tracer output that also has an explanation of my WEIRD NAT problem:

    my setup - (I won't get into the details of the tunnel encryption, as my tunnel negotiations are perfect and come up right away when the ASA is configured as answer-only)

    CISCO ASA - IPSec network details

    LAN - 10.2.4.0/28

    REMOTE NETWORK - 192.168.171.8/32

    JUNIPER SSG 140 - IPSec networks details

    PROXY ID:

    LAN - 192.168.171.8/32

    REMOTE NETWORK - 10.2.4.0/28

    hostname# sh cry ipsec sa peer
    peer address:
        Crypto map tag: outside_map, seq num: 5, local addr:

          access-list outside_cryptomap_4 extended permit ip 10.2.4.0 255.255.255.240 host 192.168.171.8
          local ident (addr/mask/prot/port): (10.2.4.0/255.255.255.240/0/0)
          remote ident (addr/mask/prot/port): (192.168.171.8/255.255.255.255/0/0)
          current_peer:

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 0, remote crypto endpt.: 0

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: 5041C19F
          current inbound spi : 0EC13558

        inbound esp sas:
          spi: 0x0EC13558 (247543128)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel}
             slot: 0, conn_id: 22040576, crypto-map: outside_map
             sa timing: remaining key lifetime (sec): 3232
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x5041C19F (1346486687)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel}
             slot: 0, conn_id: 22040576, crypto-map: outside_map
             sa timing: remaining key lifetime (sec): 3232
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    CONTEXTS for this IPSEC VPN tunnel:

    hostname# sh asp table vpn-context det

    VPN CTX  = 0x0742E6BC

    Peer IP  = 192.168.171.8
    Pointer  = 0x78C94BF8
    State    = UP
    Flags    = ENCR+ESP
    SA       = 0x9C28B633
    SPI      = 0x5041C19D
    Group    = 0
    Pkts     = 0
    Bad Pkts = 0
    Bad SPI  = 0
    Spoof    = 0
    Bad Crypto = 0
    Rekey Pkt  = 0
    Rekey Call = 0
    VPN Filter =

    VPN CTX  = 0x07430D3C

    Peer IP  = 192.168.1.8
    Pointer  = 0x78F62018
    State    = UP
    Flags    = DECR+ESP
    SA       = 0x9C286E3D
    SPI      = 0x9B6910C5
    Group    = 1
    Pkts     = 297
    Bad Pkts = 0
    Bad SPI  = 0
    Spoof    = 0
    Bad Crypto = 0
    Rekey Pkt  = 0
    Rekey Call = 0
    VPN Filter =

    access-list outside_cryptomap_4 extended permit ip 10.2.4.0 255.255.255.240 host 192.168.171.8

    nat (inside,outside) source static Ren-around Ren-around destination static peer-host peer-host no-proxy-arp route-lookup

    object network Ren-around
     subnet 10.2.4.0 255.255.255.240

    object network peer-host
     host 192.168.171.8

    sh cry ipsec sa

    IKE Peer:
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

    output packet tracer extracted a packet transmitted by the network of 10.2.4.0/28 to 192.168.171.8 host

    Phase: 7

    Type: VPN

    Subtype: encrypt

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0x7789d788, priority = 70, domain = encrypt, deny = false

    Hits = 2, user_data is0x742e6bc, cs_id = 0x7ba38680, reverse, flags = 0 x 0 = 0 protocol

    IP/ID=10.2.4.0 SRC, mask is 255.255.255.240, port = 0

    IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

    input_ifc = none, output_ifc = external

    VPN settings corresponding to the encryption + encapsulation and the hits here increment only when I run a test of tracer from my host on the remote peer inside package.

    A tracer complete package out for a packet of the 10.2.4.1 255.255.255.255 network to host 192.168.171.8:

    Phase: 1

    Type: ACCESS-LIST

    Subtype:

    Result: ALLOW

    Config:

    Implicit rule

    Additional information:

    Direct flow from returns search rule:

    ID = 0x77ebd1b0, priority = 1, domain = allowed, deny = false

    hits = 3037156, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8

    Mac SRC = 0000.0000.0000, mask is 0000.0000.0000

    DST = 0000.0000.0000 Mac, mask is 0100.0000.0000

    input_ifc = output_ifc = any to inside,

    Phase: 2

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    in 192.168.171.0 255.255.255.0 outside

    Phase: 3

    Type: IP-OPTIONS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0x77ec1030, priority = 0, sector = inspect-ip-options, deny = true

    hits = 212950, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

    IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

    input_ifc = output_ifc = any to inside,

    Phase: 4

    Type:

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0x7c12cb18, priority = 18, area = import-export flows, deny = false

    hits = 172188, user_data = 0x78b1f438, cs_id = 0 x 0, use_real_addr, flags = 0 x 0,

    IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

    IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

    input_ifc = output_ifc = any to inside,

    Phase: 5

    Type: NAT

    Subtype:

    Result: ALLOW

    Config:

    NAT (inside, outside) static source Ren - Ren - about destination static counterpart-host peer to route non-proxy-arp-search

    Additional information:

    Definition of static 10.2.4.1/2700 to 10.2.4.1/2700

    Direct flow from returns search rule:

    ID = 0x77e0a878, priority = 6, area = nat, deny = false

    hits = 9, user_data is 0x7b7360a8, cs_id = 0 x 0, use_real_addr, flags = 0 x 0, proto

    IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

    IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

    input_ifc = inside, outside = output_ifc


    (This is the weird NAT problem I see: the number of hits increments only when I run the packet tracer, even though I have constant pings (traffic) from the 192.168.171.8 host to the 10.2.4.1/28. Please see the packets I pasted later in the capture section.)

    Phase: 6

    Type: VPN

    Subtype: encrypt

    Result: ALLOW

    Config:

    Additional information:

    Direct flow from returns search rule:

    ID = 0x7b8751f8, priority = 70, domain = encrypt, deny = false

    hits = 3, user_data = 0x7432b74, cs_id = 0x7ba38680, reverse, flags = 0 x 0, proto

    IP/ID=10.2.4.1 SRC, mask is 255.255.255.240, port = 0

    IP/ID=192.168.171.8 DST, mask is 255.255.255.255, port = 0, dscp = 0 x 0

    input_ifc = none, output_ifc = external

    Phase: 7

    Type: VPN

    Subtype: ipsec-tunnel-flow

    Result: ALLOW

    Config:

    Additional information:

    Reverse flow from returns search rule:

    ID = 0x78b0c280, priority = 69 = ipsec-tunnel-flow area, deny = false

    hits = 154, user_data is 0x7435f94, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    IP/ID=192.168.171.8 SRC, mask is 255.255.255.255, port = 0

    IP/ID=10.2.4.1 DST, mask is 255.255.255.240, port = 0, dscp = 0 x 0

    input_ifc = out, output_ifc = any

    Phase: 8

    Type: IP-OPTIONS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Reverse flow from returns search rule:

    ID = 0x77e7a510, priority = 0, sector = inspect-ip-options, deny = true

    hits = 184556, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol

    IP/ID=0.0.0.0 SRC, mask is 0.0.0.0, port = 0

    IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, dscp = 0 x 0

    input_ifc = out, output_ifc = any

    Phase: 9

    Type: CREATING STREAMS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    New workflow created with the 119880921 id, package sent to the next module

    Information module for forward flow...

    snp_fp_tracer_drop

    snp_fp_inspect_ip_options

    snp_fp_tcp_normalizer

    snp_fp_translate

    snp_fp_adjacency

    snp_fp_encrypt

    snp_fp_fragment

    snp_ifc_stat

    Information for reverse flow...

    snp_fp_tracer_drop

    snp_fp_inspect_ip_options

    snp_fp_ipsec_tunnel_flow

    snp_fp_translate

    snp_fp_tcp_normalizer

    snp_fp_adjacency

    snp_fp_fragment

    snp_ifc_stat

    Result:

    input interface: inside

    entry status: to the top

    entry-line-status: to the top

    output interface: outside

    the status of the output: to the top

    output-line-status: to the top

    Action: allow

    Hostname # sh Cap A1

    8 packets captured

    1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request

    2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply

    3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request

    4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request

    5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request

    6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply

    7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request

    8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request

    8 packets shown

    As you can see, there is no echo reply packet at all, because the packet may not be encapsulated when it is sent back.

    I'm Karen with it. In addition, this is a live production multi-tenant firewall with no problems at all apart from this one Juniper IPsec tunnel!

    Also, the 192.168.10.0/24 is another remote network of an IPsec tunnel to this network of 10.2.4.0/28, and this IPsec tunnel has a similar Juniper SSG 140 ScreenOS 6.3.0r9.0 at the remote end and this works like a charm with no problems, but the 171 is not being encrypted by the ASA at all.

    If someone could help me, that would be great and greatly appreciated!

    Thanks heaps!

    Perfect! Now you must find something else inside for tomorrow--> forecast rain again

    Please kindly mark the message as answered so others may learn from it. Thank you.
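Added example, not part of the original thread: a small Python check that pairs ICMP echo requests with replies in the capture output quoted in the question and reports the flows that never get a reply, which is the symptom the poster describes for the 192.168.171.8 peer. The function name and the matching rule (a reply is paired with an outstanding request of the reversed address pair, since this capture format shows no ICMP id/seq) are assumptions of this example.

```python
import re
from collections import Counter

# The eight packets from the "sh Cap A1" output quoted in the thread.
CAPTURE = """\
8 packets captured
1: 12:26:53.376033 192.168.10.252 > 10.2.4.1: icmp: echo request
2: 12:26:53.376597 10.2.4.1 > 192.168.10.252: icmp: echo reply
3: 12:26:56.487905 192.168.171.8 > 10.2.4.1: icmp: echo request
4: 12:27:01.489217 192.168.171.8 > 10.2.4.1: icmp: echo request
5: 12:27:03.378245 192.168.10.252 > 10.2.4.1: icmp: echo request
6: 12:27:03.378825 10.2.4.1 > 192.168.10.252: icmp: echo reply
7: 12:27:06.491597 192.168.171.8 > 10.2.4.1: icmp: echo request
8: 12:27:11.491856 192.168.171.8 > 10.2.4.1: icmp: echo request
8 packets shown
"""

# "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)


def unanswered_echo(capture_text):
    """Return {(src, dst): count} of echo requests that saw no reply."""
    pending = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header/footer lines such as "8 packets captured"
        src, dst, kind = m["src"], m["dst"], m["kind"]
        if kind == "request":
            pending[(src, dst)] += 1
        elif pending[(dst, src)] > 0:
            # A reply cancels one outstanding request of the reversed pair.
            pending[(dst, src)] -= 1
    return {flow: n for flow, n in pending.items() if n > 0}


if __name__ == "__main__":
    for (src, dst), count in unanswered_echo(CAPTURE).items():
        print(f"{src} -> {dst}: {count} echo request(s) with no reply")
```

On the quoted capture this flags only the 192.168.171.8 flow, while the 192.168.10.252 tunnel shows every request answered.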
