OAM traffic redirections

Hello

We have three different physical OAM 11g R1 servers in a single cluster (z1, z2, z3) with four SST 11g webgates (v1, v2, v3, v4). We need traffic from the v1, v2 and v3 webgates to go to OAM servers z1 and z2, and traffic from v4 to go to z3.

All four webgates are under a domain xyz.company.com

How can we achieve this?

In addition,

Can we have two OAM agents (webgate1 and webgate2) in the OAM console with the same preferred host (xyz.company.com)? If so, how can we make this configuration?

Thank you

It is technically possible to achieve the above scenario with a single webgate profile.

"inactiveReconfigPeriod" is a user-defined parameter in the webgate profile. It decides the frequency at which the webgate configuration is updated.

Set 'inactiveReconfigPeriod' to -2 so that the webgate configuration is not updated automatically.

On the OHS host of webgate v4, locate the ObAccessClient.xml file. Update the ObAccessClient.xml file so that it contains only OAM server z3.

Monitor connections to make sure that the v4 webgate connects only to OAM server z3.

The downside of this solution is that if you change the webgate configuration you must manually copy the ObAccessClient.xml file to each server.

I hope this helps.

Tags: Fusion Middleware

Similar Questions

  • ASA CX does not work with traffic redirection

    Hi all

    I am facing a problem with the ASA CX feature where the ASA has all the traffic defined, but no traffic is coming to the CX. Traffic from the ASA is visible only in monitor-only mode. Please tell me:

    1. how to redirect all traffic to the asa in asa cx.

    2. how to add the entire interior of the customers work asa cx envoirment to check the details there instead of the ip address.

    NOTE: I'm working through PRSM NOT BY CLI.

    Hello

    If the traffic is then visible on CX in the single mode of monitor, your redirection strategy are correct.

    Only change, you need to do is only on ASA to ensure that you have a monitor only in your policy plan.

    To monitor only:

    policy-map CX
     class CX
      cxsc fail-close monitor-only

    For roller online:

    policy-map CX
     class CX
      cxsc fail-close

    Also on CX GUI disable monitor mode only:

    Navigate: Settings > monitor only and disable monitor mode only.

    I hope that helps!

    Thank you

    R.Seth

    Be sure to mark the response as correct if it can help resolve your query!

  • Redirect Internet traffic from the remote site to the main site using the IPsec VPN tunnel

    Hi all

    I have a problem redirecting Internet traffic from my remote site to the main site through the IPsec VPN tunnel. The remote site is a Cisco 2801 router with IOS (c2800nm-advipservicesk9-mz.124-22.T) and the remote site has IOS (C870-ADVSECURITYK9-M, Version 12.4(15)T12, RELEASE SOFTWARE (fc3)). This redirect does not work, and the last hop in an extended traceroute from the remote site is the WAN IP of the main site.

    Is there someone who can help me with the right settings this redirection via VPN?

    the remote site config file:


    crypto isakmp policy 8
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key dgsn2010 address 41.223.X.X
    !
    !
    crypto ipsec transform-set vpn esp-3des
    !
    crypto map vpndgsn 10 ipsec-isakmp
     description at HQ
     set peer 41.223.X.X
     set transform-set vpn
     match address VPNHQ
    !
    interface FastEthernet0
     ip address 41.223.X.X 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     ip tcp adjust-mss 1300
     duplex auto
     speed auto
     crypto map vpndgsn
    !
    interface FastEthernet4
     ip address 192.168.11.1 255.255.255.0
     ip nat inside
     no ip virtual-reassembly
    !
    ip route 0.0.0.0 0.0.0.0 41.223.X.X
    ip access-list extended VPNHQ
     permit ip 192.168.11.0 0.0.0.255 any
    !

    the main site config file:


    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key dgsn2010 address 41.223.X.X
    !
    !
    crypto ipsec transform-set vpn esp-3des
    !
    crypto map vpncreo 10 ipsec-isakmp
     description FOR bastos
     set peer 41.205.X.X
     set transform-set vpn
     match address 110
    !
    interface FastEthernet0/0
     description OF WAN
     ip address 41.223.X.X 255.255.255.240
     ip nat outside
     ip tcp adjust-mss 1492
     crypto map vpncreo
    !
    interface FastEthernet0/1
     description OF LAN
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    ip nat inside source list NAT interface FastEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 41.223.31.241
    access-list 110 permit ip any 192.168.11.0 0.0.0.255
    ip access-list extended NAT
     deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 any
     permit ip 192.168.10.0 0.0.0.255 any
     permit ip 192.168.11.0 0.0.0.255 any
    !

    You must configure the routing policy based closure for NAT can be invoked on the main site.

    Here is an example configuration for your reference:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

    Additionally, make sure that you don't do any NATing at your remote end, IE: you must configure the NAT exemption for all traffic from 192.168.11.0/24 to any (Internet).

    Hope that helps.

  • Offbox activate PRSM CX Redirection of traffic

    Hello

    I've installed (off-box) PRSM 9.3.

    I imported a failover pair of ASA5585-X, each with a (big) CX module inside.

    How the hell do you set a traffic redirection policy to send traffic through the CX modules!

    I'm pulling my hair out. If you add the 'traffic redirection' tab it says "no element is found."

    I'm not surprised, it's not allowed - I want to put on with PRSM!

    This software is terrible!

    Pete

    Hi Pete. Take a break from pulling what hair you have left and check the CX Module Quick Start Guide for the ASDM method.

    Short answer is that you use a service policy rule (policy-map). The CLI method is further explained in the User Guide for the ASA CX.

    You can technically set this bit on the ASA from PRSM, but you would have to first import and manage the ASA itself (not just the CX modules). I have not tried this method as PRSM is a bad tool to manage an ASA. Even Cisco directs you away from this option in their documentation.

  • Redirect WCCP and Performance hit on 3750

    Maybe it's more of a "resizing" qtn more than anything else.

    Yesterday, I activated WCCP redirect on a collapsed core/distribution 3750 stack, in an office with 150 users. The WAE is model 612.

    As soon as the configuration of the redirect has been applied, I found the network slowing significantly and received an event alert CPU of NEM, reports that CPU on 3750 stack exceeds the set threshold (65%). Put the threshold on the one hand, the cli is terribly slow and so I removed immediately redirect to the relevant interfaces. He bought the network back to normal in terms of performance.

    Is this a calibration problem or maybe a bad configuration or something else...?


    WAE:

    EDGE-WAE-01#show ver
    Cisco Wide Area Application Services (WAAS) software
    Copyright (c) 1999-2009 by Cisco Systems, Inc.
    Cisco Wide Area Application Services Software Release 4.1.3 (build b55 April 18, 2009)
    Version: oe612 - 4.1.3.55

    00:13:45 compiled April 18, 2009 by cnbuild

    System has been restarted on Tue Apr 27 04:30:10 2010.
    The system was 6 hours, 21 minutes, 0 seconds.

    EDGE-WAE-01 #show inv

    PID: WAE-612-K9 VID: 0 SN: KQLLZBL
    EDGE-WAE-01#sh ver
    Cisco Wide Area Application Services (WAAS) software
    Copyright (c) 1999-2009 by Cisco Systems, Inc.
    Cisco Wide Area Application Services Software Release 4.1.3 (build b55 April 18, 2009)
    Version: oe612 - 4.1.3.55

    00:13:45 compiled April 18, 2009 by cnbuild

    System has been restarted on Tue Apr 27 04:30:10 2010.
    The system was 6 hours, 31 minutes, 8 seconds.

    EDGE-WAE-01#show run | inc wccp

    wccp router-list 1 10.10.50.1
    wccp tcp-promiscuous router-list-num 1 l2-redirect
    wccp version 2
    !
    egress-method negotiated-return intercept-method wccp

    !

    ---------------------------------------------------------------------------------------

    3750:

    edge-cre-01 #show sdm prefer
    The current model is "routing Office" model.
    The chosen model optimizes resources in
    the switch to sustain this level of features for
    8 routed interfaces and 1024 VLANS.

    !

    processor of WS-C3750G-24TS-1U (PowerPC405) Cisco (revision F0) with K 131072 bytes of memory.

    512K bytes of memory simulated by flash not volatile configuration.

    SW Version SW Image model switch ports
    ------ ----- -----              ----------            ----------
    * WS-C3750G-24TS-1U 12.2 1 28 (50) SE3 C3750-IPSERVICESK9-M
    2 28 WS-C3750G-24TS-1U 12.2 SE3 (50) C3750-IPSERVICESK9-M

    Switch 02
    ---------------

    Switch availability: 3 days, 4 hours, 39 minutes

    Configuration register is 0xF

    edge-cre-01#show run | inc wccp
    ip wccp 61 redirect-list TN-WAAS-OUT
    ip wccp 62 redirect-list TN-WAAS-IN

    !

    edge-cre-01#show run | begin ip access-list standard TN-WAAS-OUT

    ip access-list standard TN-WAAS-OUT
     permit 10.10.10.0 0.0.1.255
     permit 10.10.25.0 0.0.0.255
    !
    ip access-list extended TN-WAAS-IN
     permit tcp 10.20.0.0 0.1.255.255 10.10.10.0 0.0.1.255
     permit tcp 10.20.0.0 0.1.255.255 10.10.25.0 0.0.0.255
     permit tcp 10.128.16.0 0.0.0.255 10.10.10.0 0.0.1.255

    Here is a list of best practices to follow to do forwarding of wccp on hardware platforms such as the 3750.  I found it in the link below.

    http://www.Cisco.com/Web/services/news/ts_newsletter/tech/ChalkTalk/archives/200806.html

    The following best practices should be applied when implementing WCCP on a hardware-based platform:

    • L2 forwarding
    • Mask assignment
    • Interception of inbound traffic
    • No "ip wccp redirect exclude in"

    Your configuration "egress-method negotiated-return intercept-method wccp" will cause a WCCP GRE tunnel to be created from the 3750 to the WAE. All traffic will then be redirected in software based on this configuration line.

    "Game of negotiated return as the method of evacuation. With this specification, the Cisco WAE uses GRE to return traffic redirected to the router intercepting. Note: in this case, WCCP negotiated WCCP GRE return method. »

    Found here: https://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/prod_white_paper0900aecd806d976a_ps6474_Products_White_Paper.html

    I'd stick to best practices that Zach has described in the link at the beginning of this post.  It's a very well written on the WCCP redirect article.

    Concerning

  • ASA - Tunnel all traffic, allow spokes to communicate with each other

    Well, I hope someone can help me with this headache! Switching from a PIX and a VPN 3005 concentrator at the home office to an ASA5510 for firewall and IPSEC tunnels. It is pretty much a

    • VPN on a stick, multiple spokes.
    • All traffic sent by tunnel
    • Internet access through main office (using the web filter)
    • VOIP to VOIP between spokes
    • All departments are using VPN 3005 HW clients or ASA 5505s

    HEADQUARTERS: 10.0.0.0/24

    Spoke 1: 192.168.11.0/24

    Spoke 2: 192.168.12.0/24

    Spoke 3: 192.168.13.0/24

    -continues to 192.168.31.0/24

    With the current configuration, Spoke 1 can communicate with all the resources at the home office, and Internet traffic is tunneled properly, as checked by a tracert. However, the spokes cannot communicate with each other. This is required for VOIP traffic, when spoke-to-spoke (site-to-site) calls are made.

    Logging information when spoke-to-spoke ICMP is initiated:

    • No translation group found for icmp src outside:192.168.31.1 dst inside:192.168.11.1 (type 8, code 0)

    If I remove the nat (outside) 1 192.168.0.0 255.255.0.0, the spokes will begin to respond to each other, but then the spokes cannot tunnel Internet traffic through the home office. My brain is so scrambled after cramming VPN configurations these past days, so I hope someone has an idea. I've always used 3005 concentrators, so it's a little different! In searching for documentation for this configuration, I was surprised that this isn't a more common topology. It seems that this article would cover it (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml), but there are no spokes! In any case, I'm sure this has something to do with NAT rules and perhaps an access list needed for spoke-to-spoke traffic.

    =============================================

    ASA Version 8.2(1)
    !
    hostname asa5510

    interface Ethernet0/0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 97.65.x.x 255.255.255.224

    interface Ethernet0/1
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 10.0.0.40 255.255.0.0

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    object-group network DM_INLINE_NETWORK_1
     network-object 10.0.0.0 255.255.0.0
     network-object 192.168.0.0 255.255.0.0

    access-list sheep extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list wccp-servers extended permit ip host 10.0.0.83 any
    access-list Redirect-traffic extended deny ip any object-group DM_INLINE_NETWORK_1
    access-list Redirect-traffic extended permit ip any any

    global (outside) 1 interface
    nat (outside) 1 192.168.0.0 255.255.0.0
    nat (inside) 0 access-list sheep
    nat (inside) 1 10.0.0.0 255.255.0.0

    route outside 0.0.0.0 0.0.0.0 97.65.x.x 1
    route inside 192.168.0.0 255.255.255.0 10.0.0.1 1
    route inside 192.168.2.0 255.255.255.0 10.0.0.1 1
    route inside 192.168.3.0 255.255.255.0 10.0.0.1 1

    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df outside
    crypto dynamic-map dynmap 1 set transform-set RIGHT
    crypto map mymap 65535 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside

    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    crypto isakmp ipsec-over-tcp port 10000

    management-access inside

    threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept

    wccp web-cache redirect-list Redirect-traffic group-list wccp-servers password xxxxxxx
    wccp 90 redirect-list Redirect-traffic group-list wccp-servers password xxxxxxx

    webvpn

    group-policy MJHIvpn internal
    group-policy MJHIvpn attributes
     wins-server value 10.0.10.1 10.0.10.2
     dns-server value 10.0.10.1 10.0.10.2
     password-storage enable
     split-tunnel-policy tunnelall
     default-domain value mjhi.local
     nem enable

    username field-3002 password SjfS1Pq2xZGxHicx encrypted
    username field-3002 attributes
     vpn-access-hours none
     vpn-simultaneous-logins 250
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-tunnel-protocol IPSec
     password-storage enable
     service-type remote-access

    tunnel-group field type remote-access
    tunnel-group field general-attributes
     default-group-policy MJHIvpn
    tunnel-group field ipsec-attributes
     pre-shared-key *

    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect the they
      inspect icmp
    !
    service-policy global_policy global

    Hello Ala,

    In fact, this has to do with the NAT configuration.

    So basically you want to tunnel the traffic so that the spokes can communicate with each other.

    OK, that would be done with a nat 0 with an access list matching the corresponding traffic on the outside.

    Also, in the crypto ACL of each site's configuration, you must add an entry for the traffic of the other offices.

    I hope that I have explained myself.

    Have a good

    Julio

    Note all useful posts!

  • OHS and OAM

    OHS 11.1.1.5
    OAM 11.1.1.5

    I am able to protect resources in the OHS htdocs folder with OAM. But there are web pages in the htdocs directory that do not need to be protected by OAM.

    Thus, I did not define OAM policies for those resources. But when I access these resources, I get a 404 not found error page. Even the OHS home page returns a 404 error.

    http://localhost:7777/ - 404 page not found

    Why this behavior? The "deny on not protected" flag on my 11g webgate is enabled. What is the origin of the problem?

    Hi Kestar,

    Yes, this is expected behavior with 11g WebGates (and 10g WebGates with "deny on not protected" set). When resources are not included in any OAM policy, the WebGate tells the web server not to allow access. If you want OAM to redirect under these circumstances, then the resources need to be in an Application Domain, and you can then take the action with an authentication (or authorization) success or failure URL parameter. An alternative might be to change the behavior of the web server, possibly using ErrorDoc directives.

    I expect the WebGate to query the OAM server to check whether or not the resource is protected, but this happens behind the scenes, not in the HTTP stream. It should be visible in the OAM (server and webgate) logs.

    Kind regards
    Colin

  • OAM: What identity server is used by the password policy?

    Hello

    Setup of the OAM has two identity (ois1, ois2) servers, two webpass (wp1, wp2) on two web servers. WP1 wp2 pointing ois2 is pointing to ois1 only

    We have two sets of Policy Manager, Access Server and WebGate. wg1 is pointing to aaa1 and wg2 points to aaa2.

    Now, when a user tries to access a page protected OAM webgate and password policy is applied, make the server identity comes into picture? If so, which identity server is used here, ois1 or ois2?

    I want to use ois1 for all requests coming from the web server with wg1. How can I do this?

    Thanks in advance.

    Hi anon,.

    The process is that when executing the authentication (specifically the validate_password plugin) is the access server that evaluates the password policy. If necessary, OAM then redirects the user to a WebPass for password or challenge/response according to the redirects specified in the password policy.

    Thus, ois is relevant that the user is redirected (as the WebPass connects to the ois) in the case otherwise, it is not used at all - and you can control who access or servers are used by the WebGate on AccessGate configuration screens. I can't imagine a way to OAM to password policy redirect to different WebPasses based on the WebGate is used.

    Kind regards
    Colin

  • VPN tunnel cascade w / SW NSA FWs

    Hello

    I have questions about VPN cascading between 3 firewall SonicWALL NSA. Let me explain my situation and what I want to achieve.

    As shown in the diagram above, I have 3 branches connected to the Internet, which advanced to the LAN is the NSA SW FW. There is a VPN tunnel between each site: Site_A Site_ B, Site_A Site_ C, Site_B Site_ C. The Internet of the Site A traffic is redirected to the Site B. This Site A Cross Site B to access the Internet and LAN B. Site A through C access LAN C Site.

    My question is: is it possible to remove the tunnel VPN Site_A-Site_C to and instead, through Site B to C LAN access? If so, how you can achieve this configuration?

    What worries me is the VPN tunnel options that allow you to redirect all Internet traffic or a specific destination of LAN through objects (screenshots from Site A) address:

    Without the redirection of Internet traffic, I thought about creating a group of addresses, including 2 B LAN and LAN C address objects. But I want to keep the Internet through Site B traffic redirection.

    What do you think?

    Thanks in advance for your help.

    Hello

    My comments below:

    If you route indeed all traffic from A to B, the following must fill.

    1. remove the tunnel A C

    Ok.

    2. site B will have A subnet that is defined as a local resource for C

    Do you mean this by local resource?

    3 C is going to have A subnet defined as remote resource

    Ok.

    If you route any traffic from A to B, the following must fill.

    First step would be to remove the tunnel VPN between A and C, but I guess that you have assumed that it was already done.

    1. define the C subnet as a remote resource on Site A

    Yes, like a remote network for the A - B VPN tunnel.

    2. tunnel of site B to A will need to subnet C defined as local resource

    Ok.

    3. tunnel of site B and C will need subnet defined as local resource

    Ok.

    4. the site will need to subnet C has defined as remote resource

    Yes.

    I'll do a test soon with 3 sites and see how it goes.

  • Filtering on ASA - CX without content license

    Hello

    Please can someone advise if it is possible to configure the URL/content filtering on a box of ASA - CX with an expired license?

    I connected the PRSM onbox, I can't create objects and policies needed to enable filtering.

    Also, I redirect to installation to the CX (for testing purposes), however in the current state (without a license) browsing all watch a 'redirect' screen and nothing happens the message stay here and does not have traffic redirected to the ASA. It is also due to licensing (there is currently no policy in place)

    We are in the process of buying licenses STROKE and WSE, so I just want to check what the expected behaviours should be.

    Thank you very much

    CX is end of sales and new licenses are not sold by Cisco as of August 17, 2015. Reference.

    An unlicensed CX generally cannot apply, create, or modify policies through its on-box PRSM (or through an off-box PRSM) if the license for the feature is not present and active (i.e. expired). It is further explained in the User Guide section on licensing.

    You must use FirePOWER and associated licenses for new deployments.

  • SG300-52. Prefer to send traffic to the default gateway rather than static route? Network stops if I disable ICMP redirects.

    I have 4 switches, each act as their own with a 26 subnet mask. They have static routes for every other switch. The firewall has a static route to each switch. If I unplug the LAN of the Firewall interface, traffic stops the flow of the switches. If I block the side LAN firewall, ICMP redirects, traffic stalls outside.

    So if you are connected to this switch, say that you pull an ip address of 192.168.122.20. Your front door is the 192.168.122.62 switch. If you try to access a server 192.168.127.142, the SG300 sends your traffic to 192.168.127.254 to get an ICMP redirect, rather than simply to communicate directly with 192.168.127.50.

    My network 'basic' is 192.168.127.0/24 vlan1 and the firewall is 192.168.127.254

    This is the route of one of my switches table (which has 192.168.122.0/26 and ports run on vlan122)

    Maximum Parallel Paths: 1 (1 after reset)
    IP Forwarding: enabled
    Codes: > - best, C - connected, S - static

    S   0.0.0.0/0 [1/1] via 192.168.127.254, 73:48:13, vlan 1
    C   192.168.122.0/26 is directly connected, vlan 122
    S   192.168.123.0/26 [1/1] via 192.168.127.123, 73:48:13, vlan 1
    S   192.168.124.0/26 [1/1] via 192.168.127.124, 73:48:13, vlan 1
    S   192.168.125.0/26 [1/1] via 192.168.127.125, 73:48:14, vlan 1
    C   192.168.127.0/24 is directly connected, vlan 1

    In any case, what gives? Why the switch would first try to send the stream to the firewall?

    EDIT: Here is the server routing table:

    $ ip route show
    default via 192.168.127.254 dev eth0
    192.168.122.0/26 via 192.168.127.122 dev eth0
    192.168.123.0/26 via 192.168.127.123 dev eth0
    192.168.124.0/26 via 192.168.127.124 dev eth0
    192.168.125.0/26 via 192.168.127.125 dev eth0
    192.168.127.0/24 dev eth0 proto kernel scope link src 192.168.127.142

    Hi Jonathan,.

    I'm sorry. I misunderstood the routing table you want to accomplish. Your concern seems relevant given that the matching rule more will be selected instead of one: page 275 http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/...

    ... "When the routing of traffic, the next hop is decided based on the longest match on the prefix (LPM algorithm). A destination IPv4 address might match several routes in the IPv4 static routing Table. The device uses the matching route with the higher, subnet mask that is, the longest match on the prefix. "...

    So go ahead and report it to the support team so the guys can make the laboratory, confirm it and declare additional:

    http://www.Cisco.com/c/en/us/support/Web/TSD-Cisco-small-business-suppor...

    Kind regards

    Aleksandra
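    The longest-prefix-match rule quoted in this thread, applied to the two routing tables posted above. This is an added example, not part of the original thread: the function names and the observation list are constructed for illustration, and the one mismatching observation reproduces the behaviour the poster describes. It shows which next hop each table should select, so that a flow relying on an ICMP redirect can be spotted before redirects are disabled at the firewall.

```python
import ipaddress

# Routing table of the SG300 as posted in the thread.
# next_hop None means "directly connected".
SWITCH_ROUTES = [
    ("0.0.0.0/0", "192.168.127.254"),
    ("192.168.122.0/26", None),
    ("192.168.123.0/26", "192.168.127.123"),
    ("192.168.124.0/26", "192.168.127.124"),
    ("192.168.125.0/26", "192.168.127.125"),
    ("192.168.127.0/24", None),
]

# Routing table of the server (192.168.127.142) as posted in the thread.
SERVER_ROUTES = [
    ("0.0.0.0/0", "192.168.127.254"),
    ("192.168.122.0/26", "192.168.127.122"),
    ("192.168.123.0/26", "192.168.127.123"),
    ("192.168.124.0/26", "192.168.127.124"),
    ("192.168.125.0/26", "192.168.127.125"),
    ("192.168.127.0/24", None),
]


def longest_prefix_match(routes, destination):
    """Return (network, next_hop) of the matching route with the longest mask."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best


def forwarding_decision(routes, destination):
    """Describe where a packet for `destination` should be sent."""
    net, next_hop = longest_prefix_match(routes, destination)
    return {"prefix": str(net), "next_hop": next_hop, "on_link": next_hop is None}


def audit_observed_hops(routes, observations):
    """Compare observed first hops with what the table says.

    observations: iterable of (destination, observed_first_hop).
    A mismatch means the device is not following its own table and the
    flow depends on something else (here: an ICMP redirect) to work.
    """
    findings = []
    for destination, observed in observations:
        decision = forwarding_decision(routes, destination)
        # For an on-link destination the expected first hop is the host itself.
        expected = destination if decision["on_link"] else decision["next_hop"]
        if observed != expected:
            findings.append({
                "destination": destination,
                "matched_prefix": decision["prefix"],
                "expected_hop": expected,
                "observed_hop": observed,
            })
    return findings


# Constructed observations; the first one is the behaviour reported in the post.
OBSERVED = [
    ("192.168.127.142", "192.168.127.254"),  # sent to the firewall first
    ("192.168.123.10", "192.168.127.123"),
    ("8.8.8.8", "192.168.127.254"),
]

if __name__ == "__main__":
    for finding in audit_observed_hops(SWITCH_ROUTES, OBSERVED):
        print(finding)
    # Return path from the server to a client behind the switch.
    print(forwarding_decision(SERVER_ROUTES, "192.168.122.20"))
```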

  • OIM - OAM forced password change signout redirection URL

    Hello

    We have integrated OAM and OIM 11.1.2.2 using a DCC 11g webgate.

    OIM sign-out correctly goes to the OAM logout page. Also, using the OIM forgotten password feature redirects to the OAM login page.

    My problem occurs when a user is forced to change their password at first login. The OIM screens appear as expected, but after completing the page and clicking 'Submit', the display shows the error 'ADFC-02017: the value of the url cannot be null or empty'. Logs show SSOAutoLoginHelper: redirect Signout URL: null.

    Change of password is successful, is just the redirect which fails.

    Can someone tell me where the redirect Signout URL must be set?

    Thank you

    Darren

    Thanks for your reply, but it's an integrated OAM and OIM setup; there is no password change link created by me.

    In my case, that error was because the OID obpasswordchangeflag was set to true but the OIM usr_change_pwd_at_next_logon had not been set to 1.

    This is because OIM was upgraded from a 10g version, which worked with an OAM 10g version where all the password functionality was handled by OAM 10g, so no user ever had their usr_change_pwd_at_next_logon flag set.

  • OAM - OHS & OIM 11 g: SSL performs a redirect to a Non - SSL page

    Scenario:

    1. the user is trying to access the identity of IOM console SSL page by browser.

    2. the user sees a page of connection OAM and provide valid credentials.

    3 a user is redirected to a non - SSL page (this page is empty). When the user adds to the URL, https://

    the user will see the console identity homepage.

    The question is in step 3. I expect to be redirected to a SSL page.

    Also, I see the following error in the OHS logs:

    [2014-03-11T15:49:50.5711-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: *] [host_addr: *] [pid: 10936] [tid: 140161346115328] [user: *] [VirtualHost: *] nzos handshake error, nzos_Handshake returned 29049(server *:*, client *)

    [2014-03-11T15:49:50.5711-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: *] [host_addr: *] [pid: 10936] [tid: 140161409054464] [user: *] [VirtualHost: *:*] NZ Library Error: SSL protocol error [Hint: the client probably speaks HTTPS over HTTP protocol]

    Should what configuration I look to fix this?

    I fixed this problem with the following steps:

    1. connect to the WebLogic Administration console.

    2. navigate to servers-> [name of the managed server]

    3. on the Configuration: general section, enable "WebLogic plug-in enabled" in the advanced option to each instance of the WebLogic Server.

  • Question to redirect the OAM:

    I have an OAM redirect question here in a sense that when setting the original url, change the url for the https to http application.

    I have a request on https://abc.com on IIS and I am protecting the root. OAM page shows to the top of the Login Page and after that I entered the credentials, I conclude that the redirect has been wanton. Instead of the https://abc.com its preparing to http://abc.com (even on the Login Page OAM, as a query string is see http instead of https) and because the site without SSL isn't open, we get an error.

    Is there somehow I can force it to use https only or set this value somewhere OAM 11 G R2?



    Thank you

    We use 'ProxySSLHeaderVar IS_SSL' webgate configuration and make sure that you add the "IS_SSL" header in your load balancer configuration as well.

    Published by: Alan Shen Sep 19, 2012 17:19

  • Redirect a part of the vrf traffic between 2 sites over a redundant link

    Hey guys,.

    We have one customer (in the vrf) with 2 sites in different States and the execution of our soul of mpls... Our main link in our heart is affected by the degradation of service and want to route the client on our redundant link while retaining all other clients going on our primary link - is it possible?

    The customer in question has its own vrf (L3VPN) on both sites and running on mpls between sites. We would like to re - route this particular customer to take our backup path, while keeping everyone between sites through the primary. We do not use, rather LDP to build the SPLM.

    I don't think it's possible to only re - route a customer, but I thought I would ask the question.

    We cannot failover to secondary link for everyone between sites because the link doesn't have the capability.

    Thanks in advance.

    Hello

    Using MPLS TE would certainly be an option. You must configure an MPLS TE LSP over the backup link. You must also set up a separate loopback interface on each PE and use this loopback address as the next hop for the specific VRF

    ip vrf X
     bgp next-hop Loopback999

    ip route 255.255.255.255 Tu1

    In this way make you sure that only the traffic for this specific VRF would be above the tunnel of TE.

    Concerning
