Routing problem between the VPN Client and the router's Ethernet device
Hello
I have a Cisco 1721 in a test environment.
A net 172.16.0.0/19 simulates the Internet and a net 192.168.1.0/24 simulates the net the VPN tunnel must go to (intranet).
The net 172.16.0.0 hangs on the router's FastEthernet 0; the intranet (VPN) hangs on Ethernet 0.
The configuration was inspired by the sample configuration
"Configuring the Client VPN Cisco 3.x for Windows to IOS using Local extended authentication"
and the output of the ConfigMaker configuration.
Authentication and logon work. The client receives an IP address from the pool. But there's a routing problem
on the router's side. Pings from the client side do not work (the VPN client statistics count encrypted packets, but no decrypted ones).
Ping the router works too, but decrypt and encrypt customer statistics in VPN packets count progressive
(customer has a correct route and return ICMP packets to the router).
The question now is:
How to route packets between the Tunnel and an Ethernet device (Ethernet 0)?
conf of the router is attached - hope that's not too...
Thanks & cordially
Thomas Schmidt
-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
hostname * moderator edit *
!
enable secret 5 * moderator edit *
!
!
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! only for the test...
!
username cisco password 0 * moderator edit *
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
! We do not want to split the tunnel
! acl 108
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 no shutdown
 description connected to VPN
 ip address 192.168.1.1 255.255.255.0
 full-duplex
 ip access-group 101 in
 ip access-group 101 out
 keepalive 10
 no cdp enable
!
interface Ethernet1
 no shutdown
 ip address 192.168.3.1 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 full-duplex
 keepalive 10
 no cdp enable
!
interface FastEthernet0
 no shutdown
 description connected to the Internet
 ip address 172.16.12.20 255.255.224.0
 speed auto
 keepalive 10
 no cdp enable
!
! This access group is also only for test cases!
!
no access-list 101
access-list 101 permit ip any any
!
ip local pool ippool 192.168.10.1 192.168.10.10
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.12.20
ip pim bidir-enable
!
line con 0
 exec-timeout 0 0
 password 7 * moderator edit *
line aux 0
line vty 0 4
!
end
^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-
Thomas,
Can't wait to show something that might be there, but I don't see here. You do not have the crypto map applied to one of the interfaces; perhaps it was not copied. Assuming from your description that it is, or should be, applied to fa0 and you are connected: how are you trying to ping? From the router or from a device located on E0? If you ping from the router, you will need to do an extended ping from E0 to the IP address the client has been assigned. If you just ping from the router without the extended options, you will get the encrypts and decrypts that you describe on the client. Have you tried to ping from the client to interface E0? Is your default route on the router pointing to fa0? Do you have a next hop assigned? Do you have several NICs on the client PC? Turn off your other network cards to check that you don't have a routing problem on the client if you have more than one.
Kurtis Durrett
Tags: Cisco Security
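The reply's first observation (a crypto map that is defined but never applied to an interface) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python audit that follows the reference chain interface → crypto map → dynamic-map → transform-set in IOS-style text. The sample configurations are constructed from the crypto lines of the posted configuration, and the function name `audit_crypto` is hypothetical.

```python
# Constructed sample: the crypto-related lines of the router configuration
# posted in the question, in IOS syntax. No interface carries "crypto map".
POSTED = """\
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0
 ip address 172.16.12.20 255.255.224.0
!
"""

# Constructed variant: the same lines with the map bound to fa0, the
# interface the reply expects it on.
BOUND = POSTED.replace(
    " ip address 172.16.12.20 255.255.224.0\n",
    " ip address 172.16.12.20 255.255.224.0\n crypto map clientmap\n",
)


def audit_crypto(config):
    """Return a sorted list of dangling crypto references in IOS-style text."""
    transform_sets, dynamic_maps, crypto_maps = set(), set(), set()
    ts_refs, dyn_refs, bindings = [], [], []  # (referenced name, referrer)
    iface = owner = None  # interface / crypto block currently being read
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            iface = owner = None  # "!" separates blocks in a saved config
            continue
        if w[0] == "interface" and len(w) > 1:
            iface, owner = w[1], None
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            transform_sets.add(w[3])
            iface = owner = None
        elif w[:2] == ["crypto", "dynamic-map"] and len(w) > 2:
            dynamic_maps.add(w[2])
            iface, owner = None, "dynamic-map " + w[2]
        elif w[:2] == ["crypto", "map"] and len(w) == 3 and iface:
            # Interface sub-command: binds the named map to this interface.
            bindings.append((w[2], iface))
        elif w[:2] == ["crypto", "map"] and len(w) > 3:
            # Global command: defines or extends the named map.
            crypto_maps.add(w[2])
            iface, owner = None, "crypto map " + w[2]
            if "dynamic" in w[4:-1]:
                dyn_refs.append((w[w.index("dynamic", 4) + 1], w[2]))
        elif w[:2] == ["set", "transform-set"] and owner:
            ts_refs.extend((name, owner) for name in w[2:])

    findings = []
    bound = {name for name, _ in bindings}
    for name in crypto_maps - bound:
        findings.append(f"crypto map {name} is not applied to any interface")
    for name, where in bindings:
        if name not in crypto_maps:
            findings.append(f"interface {where} applies undefined crypto map {name}")
    for name, referrer in dyn_refs:
        if name not in dynamic_maps:
            findings.append(f"crypto map {referrer} references undefined dynamic-map {name}")
    for name, referrer in ts_refs:
        if name not in transform_sets:
            findings.append(f"{referrer} references undefined transform-set {name}")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("bound", BOUND)):
        print(label, audit_crypto(text) or "no findings")
```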
Similar Questions
-
Hi guys!
I'm really confused... Help, please!
We have developed applications for our customers. We tested with our BB8700 and it works fine.
We used JDE4.2 for development... and we think that it will work on v4.2 based handsets.
But our customers wrote that it works on v3.7. Why? Is this possible?
I looked at the information about my 8700 device and then noticed: v4.2.1.107 (platform v2.3.0.84)
-What are the differences between the version of BlackBerry Device Software and platform?
Possible customers spoke of version 3.7 of the platform?
There is a list of the devices, where we can find the version of BlackBerry Device Software by BlackBerry device model?
Or where we can find information about the models of devices that will support our application?
Thanks in advance!
AFAIK there is no version 3.7 platform.
Customer talking about the OS version.
So, if they have the device OS version 3.7 you must use JDE JDE 3.6, 3.7 or older.
Or take updated device OS if the necessary software is available.
-
Cisco VPN Client and Windows XP VPN Client IPSec to ASA
I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.
PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?
Config is:
!
interface GigabitEthernet0/2.30
Description remote access
VLAN 30
nameif remote access
security-level 0
IP 85.*. *. 1 255.255.255.0
!
access-list 110 scope ip allow a whole
NAT list extended access permit tcp any host 10.254.17.10 eq ssh
NAT list extended access permit tcp any host 10.254.17.26 eq ssh
access-list extended ip allowed any one sheep
access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
ARP timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) interface 2
NAT (inside-Bct) 0 access-list sheep-vpn
NAT (inside-Bct) 1 access list nat
NAT (inside-Bct) 2-nat-ganja access list
Access-group rdp on interface outside-Ganja
!
Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2
Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-registration DfltAccessPolicy
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans
Crypto ipsec transform-set vpnclienttrans transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
life crypto ipsec security association seconds 214748364
Crypto ipsec kilobytes of life security-association 214748364
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
card crypto interface for remote access vpnclientmap
crypto isakmp identity address
ISAKMP crypto enable vpntest
ISAKMP crypto enable outside-Baku
ISAKMP crypto enable outside-Ganja
crypto ISAKMP enable remote access
ISAKMP crypto enable Interior-Bct
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
No encryption isakmp nat-traversal
No vpn-addr-assign aaa
Telnet timeout 5
SSH 192.168.1.0 255.255.255.192 outside Baku
SSH 10.254.17.26 255.255.255.255 outside Baku
SSH 10.254.17.18 255.255.255.255 outside Baku
SSH 10.254.17.10 255.255.255.255 outside Baku
SSH 10.254.17.26 255.255.255.255 outside-Ganja
SSH 10.254.17.18 255.255.255.255 outside-Ganja
SSH 10.254.17.10 255.255.255.255 outside-Ganja
SSH 192.168.1.0 255.255.255.192 Interior-Bct
internal vpn group policy
attributes of vpn group policy
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
BCT.AZ value by default-field
attributes global-tunnel-group DefaultRAGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
Hello
For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.
Please see configuration below:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
or
Please see the tunnel-group section of the ASA config.
There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.
So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.
Secondly, because you are behind an ADSL router, I'm sure that's configured for NAT. Can you please activate NAT-T on your ASA:
"crypto isakmp nat-traversal"
Thirdly, change the transform-set value:
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
Let me know the result.
Thank you
Gilbert
-
VPN client and contradictory static NAT entries
Hello, we have a VPN IPSEC implemented on a router for remote access. It works very well, for the most part. We have also a few PAT static entries to allow access to a web server, etc. from the outside. We deny NATting from the range of IP addresses for the range of VPN client and it works except for entries that also have PAT configurations.
So, for example, we have web server 10.0.0.1 and a PAT redirection port 10.0.0.1: 80 to the IP WAN port 80. If a VPN client tries to connect to 10.0.0.1: 80, the syn - ack packet back to the customer WAN IP VPN on the router! If the VPN client connects to the RDP server 10.0.0.2:3389, it works very well that this server is not a static entry PAT.
Is there a way to get around this?
Thank you!
There is a way to get around it: use the same settings you have for your dynamic NAT in your static NAT entries, something like this:
Currently, it should show as:
ip nat inside source static tcp XXXX 80 XXXX 80
You need to change it to:
ip nat inside source static tcp XXXX 80 XXXX 80 route-map AAAA
where your route-map YYY refers to an ACL that denies traffic from inside your router to the VPN pool:
ip access-list extended nonat
 deny ip 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
route-map AAAA permit 10
 match ip address nonat
You even need all the static PAT
HTH
Ivan
-
Have problems with the IPSec VPN Client and several target networks
I use an ASA 5520 running 8.2(4).
My goal is to get a VPN client to access more than one network within the network, for example, I need VPN client IPSec and power establish tcp connections on servers to 192.168.210.x and 10.21.9.x and 10.21.3.x
I think I'm close to having this resolved, but seems to have a routing problem. Which I think is relevant include:
Net1: 192.168.210.0/32
NET2: 10.21.0.0/16
NET2 has several subnets defined VIRTUAL local network:
DeviceManagement (vlan91): 10.21.9.0/32
Servers (vlan31): 10.21.3.0/32
# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is x.x.x.x to network 0.0.0.0
C    192.168.210.0 255.255.255.0 is directly connected, inside
C    216.185.85.92 255.255.255.252 is directly connected, outside
C    10.21.9.0 255.255.255.0 is directly connected, DeviceManagement
C    10.21.3.0 255.255.255.0 is directly connected, servers
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
I can communicate freely between all networks from the inside.
interface GigabitEthernet0/0
 description * INTERNAL NETWORK *
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.210.1 255.255.255.0
 ospf hello-interval 2
 ospf dead-interval 7
!
interface Redundant1.31
 vlan 31
 nameif servers
 security-level 100
 ip address 10.21.3.1 255.255.255.0
!
interface Redundant1.91
 vlan 91
 nameif DeviceManagement
 security-level 100
 ip address 10.21.9.1 255.255.255.0
same-security-traffic permit inter-interface
access-list NO_NAT extended permit ip any 172.31.255.0 255.255.255.0
ip local pool vpnpool 172.31.255.1-172.31.255.254 mask 255.255.255.0
global (outside) 101 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 101 192.168.210.0 255.255.255.0
nat (servers) 101 10.21.3.0 255.255.255.0
nat (DeviceManagement) 101 10.21.9.0 255.255.255.0
static (inside,DeviceManagement) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (inside,servers) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
static (servers,inside) 10.21.3.0 10.21.3.0 netmask 255.255.255.0
static (DeviceManagement,inside) 10.21.9.0 10.21.9.0 netmask 255.255.255.0
access-list LAN-IN extended permit tcp 192.168.210.0 255.255.255.0 any
access-list LAN-IN extended permit udp 192.168.210.0 255.255.255.0 any
access-list LAN-IN extended permit ip 192.168.210.0 255.255.255.0 any
access-list LAN-IN extended permit icmp 192.168.210.0 255.255.255.0 any
access-list LAN-IN extended permit tcp 10.21.0.0 255.255.0.0 any
access-list LAN-IN extended permit udp 10.21.0.0 255.255.0.0 any
access-list LAN-IN extended permit ip 10.21.0.0 255.255.0.0 any
access-list LAN-IN extended permit icmp 10.21.0.0 255.255.0.0 any
access-list SPLIT-TUNNEL standard permit 192.168.210.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.21.0.0 255.255.0.0
access-group LAN-IN in interface inside
group-policy VPNUSERS internal
group-policy VPNUSERS attributes
 dns-server value 216.185.64.6
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value internal - Network.com
tunnel-group VPNUSERS type remote-access
tunnel-group VPNUSERS general-attributes
 address-pool vpnpool
 default-group-policy VPNUSERS
tunnel-group VPNUSERS ipsec-attributes
 pre-shared-key *
When a user establishes a VPN connection, their local routing tables have routes through the tunnel to the 10.21.0.0/16 and the 192.168.210.0/32.
They are only able to communicate with the network 192.168.210.0/32, however.
I tried to add the following, but it does not help:
router ospf 1000
 router-id 192.168.210.1
 network 10.21.0.0 255.255.0.0 area 1
 network 192.168.210.0 255.255.255.252 area 0
 area 1
Can anyone help me please with this problem? There could be a bunch of superfluous things here, and if you could show me, too, I'd be very happy. If you need more information on the config, I'll be happy to provide.
Hello Kenneth,
Based on the appliance's routing table, I can see the following
C 10.21.9.0 255.255.255.0 is directly connected, DeviceManagement
C 10.21.3.0 255.255.255.0 is directly connected, servers
C 192.168.210.0 255.255.255.0 is directly connected to the inside
And you try to connect to the 3 of them.
The split tunnel policy is very good, the VPN configuration is fine
The problem is here
access-list NO_NAT extended permit ip any 172.31.255.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
Dude, you point to just the inside interface, and the 2 other subnets are on the DeviceManagement interface and the servers interface... That is the issue
Now how to solve it
access-list NO_NAT extended permit ip 192.168.210.0 255.255.255.0 172.31.255.0 255.255.255.0
no access-list NO_NAT extended permit ip any 172.31.255.0 255.255.255.0
access-list NO_NAT_SERVERS extended permit ip 10.21.3.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (servers) 0 access-list NO_NAT_SERVERS
access-list NO_NAT_DEVICEMANAGMENT extended permit ip 10.21.9.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (DeviceManagement) 0 access-list NO_NAT_DEVICEMANAGMENT
Any other questions... Sure... Be sure to note all my answers.
Julio
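The diagnosis in this reply, that only the inside interface has a NAT exemption toward the VPN pool while the split tunnel also advertises networks behind other interfaces, can be turned into a repeatable check. This is an added example, not code from the thread or from Cisco: a Python audit for ASA 8.2-style `nat (ifc) 0 access-list` exemptions. The sample configurations are constructed from the NAT-relevant lines of the question and the reply, the function name `missing_nat_exemptions` is hypothetical, and a single address pool is assumed.

```python
import ipaddress

# Constructed sample: NAT-relevant lines of the question's configuration,
# written in ASA 8.2 syntax.
BEFORE = """\
interface GigabitEthernet0/0
 nameif inside
 ip address 192.168.210.1 255.255.255.0
interface Redundant1.31
 nameif servers
 ip address 10.21.3.1 255.255.255.0
interface Redundant1.91
 nameif DeviceManagement
 ip address 10.21.9.1 255.255.255.0
access-list NO_NAT extended permit ip any 172.31.255.0 255.255.255.0
ip local pool vpnpool 172.31.255.1-172.31.255.254 mask 255.255.255.0
nat (inside) 0 access-list NO_NAT
access-list SPLIT-TUNNEL standard permit 192.168.210.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.21.0.0 255.255.0.0
group-policy VPNUSERS attributes
 split-tunnel-network-list value SPLIT-TUNNEL
"""

# Constructed variant: the same lines plus the per-interface exemptions
# proposed in the reply.
AFTER = BEFORE + """\
access-list NO_NAT_SERVERS extended permit ip 10.21.3.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (servers) 0 access-list NO_NAT_SERVERS
access-list NO_NAT_DEVICEMANAGMENT extended permit ip 10.21.9.0 255.255.255.0 172.31.255.0 255.255.255.0
nat (DeviceManagement) 0 access-list NO_NAT_DEVICEMANAGMENT
"""


def _net(tokens):
    """Consume one ASA address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def missing_nat_exemptions(config):
    """Interfaces whose subnet is split-tunnelled but not NAT-exempt to the pool."""
    ifaces, ext_acls, std_acls, exempt = {}, {}, {}, {}
    split_names, pool, nameif = set(), None, None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            nameif = None
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:3] == ["ip", "local", "pool"]:
            first = w[4].split("-")[0]
            mask = w[w.index("mask") + 1]
            pool = ipaddress.ip_interface(f"{first}/{mask}").network
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            src, rest = _net(w[5:])
            dst, _ = _net(rest)
            ext_acls.setdefault(w[1], []).append((src, dst))
        elif w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            std_acls.setdefault(w[1], []).append(_net(w[4:])[0])
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            exempt.setdefault(w[1].strip("()"), []).append(w[4])
        elif w[0] == "split-tunnel-network-list" and len(w) > 2:
            split_names.add(w[2])
    if pool is None:
        raise ValueError("no 'ip local pool' found")

    split = [n for name in split_names for n in std_acls.get(name, [])]
    missing = []
    for name, subnet in ifaces.items():
        if not any(subnet.overlaps(n) for n in split):
            continue  # clients are never routed to this interface's subnet
        covered = any(
            subnet.subnet_of(src) and pool.subnet_of(dst)
            for acl in exempt.get(name, [])
            for src, dst in ext_acls.get(acl, [])
        )
        if not covered:
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    print("before:", missing_nat_exemptions(BEFORE))
    print("after: ", missing_nat_exemptions(AFTER))
```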
-
Between the VPN Client and VPN from Site to Site
Looking for an example of an ASA 8.0 configuration allowing traffic between a Cisco VPN remote access client host and a destination connected via a LAN-to-LAN/site-to-site tunnel. The remote access client and the site-to-site tunnel terminate on the same ASA device.
Thanks in advance.
-Rey
Hi Rey,
Here is an example of a config for what you are looking for.
I hope this helps.
PS: This uses TACACS+ for authentication; you can replace it with your authentication method.
Kind regards
Assia
-
The remote VPN Clients and Internet access
I apologize in advance if this question has already been addressed. I am currently using a PIX Firewall Version 6.1 520 (2) running. I have several remote users that VPN for the PIX. Once the VPN tunnel is started, they are more able to connect to internet from their local computers. Is there a configuation on the PIX that allows remote users to have access to the internet when you are connected to the PIX.
TIA,
Jeff Gulick
The Pix does not allow traffic enter and exit on the same interface. Therefore, a VPN user cannot access the Internet through the tunnel. If you use the Cisco client, enable tunneling split so that all traffic through the tunnel.
If you use PPTP, you can turn off the option that makes the remote network, the default gateway. However, local routes should be added to these clients when they connect.
Or you can use an additional interface on the firewall. One that puts an end to VPN tunnels and another providing for Internet connectivity. In this way the traffic is not enter/leave on the same interface.
Of course, it is preferable if the customer Internet traffic does not go through the tunnel. It wastes your bandwidth and has security problems as well. I suggest you use the client to Cisco and the split tunneling.
-
How to install the VPN Client and the tunnel from site to site on Cisco 831
How can I configure a Cisco 831 router (Branch Office) so that it will accept incoming VPN Client connections and initiate tunneling IPSec site to site on our hub site that uses a VPN 3005 concentrator? I could get the tunnel to work by configuring it in a dynamic encryption card, but interesting traffic side Cisco 831 would not bring the tunnel upward. I could only put on the side of the hub. If I use a static encryption card and apply it to the external interface of the 831 I can get this working but then I couldn't get the VPN Client to work.
Thank you.
The dynamic map is called clientmap
The static map is called mymap
You should have:
no crypto map outmap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 10 ipsec-isakmp dynamic clientmap
interface Ethernet1
 crypto map mymap
Federico.
-
Network problem between the machines Win XP and Win 7
I have 2 machines, a desktop and a laptop. The office is currently running Windows 7 Pro (installed on 2010-01-01) and the laptop is running Win XP Pro.
The desktop (Win 7) can see the laptop (XP) on the network and can access the shared folders.
However, the reverse is not true. The laptop can detect the office as a computer on the network. I can double click the icon and see the files of office that are shared. But when I try to access the content of the files, I get a message that says I don't have permissions and contact the system administrator.
I also have a problem with the shared printer (connected to desktop Win 7). Before the upgrade both machines could print; after the upgrade, the laptop (Win XP) stopped printing. I installed the XP drivers for the printer (using the functionality of additional drivers) on Win 7, deleted the printer on the XP computer connection and added it again. The XP machine was able to find the printer on the network, but when I try to print, I get an error message saying that "(the printer may be disabled, not plugged in, or the drivers are not installed)."
I think that the two problems are related, but I can't understand where is the problem. Print and file sharing is 'on' on both computers, the firewall is configured to allow printing the file and shares, folders are set to 'share', with "everyone" under permissions and both machines have the same network name.
Any ideas? Am I missing something? Is it possible to reset all default values so I can set up the network again from scratch?
Thanks in advance a lot.
Probably, you have a misconfigured firewall and/or do not have matching accounts/passwords user on both machines.
Here are the steps of general network troubleshooting. Just cannot apply to your situation, so just take the bits that are. It may seem daunting, but if you follow the steps in the links and suggestions below calmly and consistently, you will have no difficulty to implement your sharing.
Problems sharing files between computers on a network are usually caused by (1) a misconfigured firewall or a firewall neglected (including a dynamic firewall in a virtual private network); or (2) inadvertently running two firewalls such as the firewall of Windows and a third-party firewall; and/or (3) not having accounts with the same users and passwords on all computers in the workgroup; (4) trying to create actions where the operating system does not.
In Windows 7, go to control panel > everything in Control Panel > network and sharing Center. Click on "change the advanced sharing settings. You don't want to use the residential group unless you have all Windows 7 machines. If you do and you want to use the homegroup, see Windows 7 Help & Support. Otherwise, in sharing advanced:
Discovery of plug in the network
Open the files and printers sharing
Turn on the sharing section Public folder sharing
Plug the password protected sharing
A. Configure the firewall on all machines to allow traffic to local area network (LAN) as being approved. With the Windows Firewall, turning on window file sharing and printer as the above will take care of that for you. If you are not running a third-party firewall or you have an antivirus/security with its own firewall component program, then you're fine. With a third-party firewall, I usually set up the allocation of LAN with an IP address range. E.g. would be 192.168.1.0 - 192.168.1.254. Obviously you would substitute your correct subnet. Refer to the safety of any third party program or the user forums for how to correctly configure its firewall. Do not run more than one firewall. DON'T STOP FIREWALLS; CONFIGURE THEM CORRECTLY.
(B) to facilitate the Organization, put all computers in the same workgroup. This is done from the System applet in Control Panel, the computer name tab.
C. create the counterpart of the user accounts and passwords on all machines. You do not need to be logged into the same account on all machines and assigned to each user account passwords can be different; accounts/passwords just need to exist and to match on all machines. DO NOT NEGLECT TO CREATE PASSWORDS, EVEN IF ONLY OF SIMPLE. If you want a machine to boot directly to the desktop (a particular user account) for convenience, you can do this:
Start > Search box > type: netplwiz [Enter]
Click continue (or provide an administrator password) when you are prompted by UAC
Uncheck "users must enter a user name and password to use this computer". Select a user account to connect automatically by clicking on the account you want to highlight and press OK. Enter the password for this user account (when it exists) when you are prompted. Leave blank if there is no password (null).
XP - set up Windows to automatically connect (MVP Ramesh) - http://windowsxp.mvps.org/Autologon.htm
D. If one or more of the computers on your network are XP Pro or Media Center, turn off Simple file sharing (Folder Options > view tab).
E. create share as you wish. In Windows 7 I usually share the Desktop of the user and the Public directory.
F. you have the job of file sharing (and tested by exchanging a file between machines), if you want to share a printer connected locally to one of your computers, share of this machine. Then go to the printer mftr Web site. and download the latest drivers for the correct system. Install them on the target machines. The printer must be collected during the installation procedure. If this isn't the case, install the drivers and then use the Add Printer Wizard. In some cases, printers must be installed as local printers, but it is outside this response.
MS - MVP - Elephant Boy computers - don't panic!
-
Communication problem between the listener and OEM
Hi all
I got my OEM running and communicates with the database without any problem until I had a problem with the other guests and to kill some OEM process and listener, now it does not communicate with the listener.
I rebooted my PC and tried to leave in the hope that it worked as it had been, but the result is on the contrary. Somehow, the communication is corrupt. Currently, I can start the OEM using
emctl start dbconsole
but when I try to start the listener from the browser of Net Services Administration: connection to the host, it keeps from without success.
What follows is the trace file of the Manager, who got warnings and errors that I don't understand
and here is the content of the file log listener
Could someone give me a pointer on how to solve this?
Kind regards
Val
Hi Valerie,
... not easy to distance :-(
The tnsping should work - I have known nothing that this command was suspended. I've never known such problems in GC...
But perhaps the MOS article "unable to connect to the database: connection failure may be due to a slow network, or the presence of an intermediate firewall" setting up data in the grid control [ID 1074643.1] might be useful.
-
Hello
If you have a black screen which can be if the processor is dead or memory is dead how you know if you do not reserve memory, the problem is the processor or memory?
I tried this on my computer, I put on the CPU and I got black screen, I put in memory and I got black screen.
Thank you
Johan
Thank you
so in this case, how you can know if it is the processor or memory is the problem.
you have to always have book of memory by you to resolve these issues (to make sure if the memory is problem) what memory or processor its work not at all.
or it is too nested ways!
Johan
From what you described, it is possible that the processor, the RAM and the motherboard are all damaged. The power supply could also be the problem (which could be checked using a voltmeter). If you do not reply the existing motherboard then without spare parts (RAM, processor and motherboard) to use in tests, there is nothing more you can do with it to test these components.
-
Alignment problem between the line and fill of forms
Anyone had the same problems with the last update. I noticed that my forms of filling line up to the width of the outer border instead of the median line. I checked the pixel grid was off and the scale of the alignment is set to Center.
see if the "use Preview limits" is on in preferences
-
Established VPN tunnel between 4.8 Client and 525 PIX but cannot ping
When no tunnel is established, the client can ping all devices onsite / remote. However, when the tunnel is established and the client picks up its expected IP address from the address pool, the client cannot ping either local or remote devices.
The ICMP debug trace on the PIX shows inside devices responding to pings from the client, but the client does not receive these responses and shows request timed out.
VPN client also shows only the transmitted data.
I'm guessing that there is a problem of routing/natting somewhere?
Would really appreciate some help on this? Ask some q If my problem is too vague.
Thanks in advance!
Would it be possible to show the hidden config of the PIX with the public IP addresses? Some things to check
--> ISAKMP Nat traversal
--> Windows Firewall
--> sysopt allowed
-
Communication problems between the QML files
I'm trying to split my application from 1 QML file into a bunch.
I have problems with the East,
OtherQml.qml
import bb.cascades 1.0
Container {
    id: root
    property alias otherRoot: root
    property bool customBool
    Container {
        id: otherContent
        onTouch: {
            if (event.isUp()) {
                customBool = true;
            }
        }
    }
}
main.qml
import bb.cascades 1.0
Page {
    Container {
        id: root
        OtherQml {
            id: otherQml
            onCustomBoolChanged: {
                if (! true) {
                    root.background = Color.Red;
                    console.log("customBool is: " + cusotmBool);
                } else {
                    root.background = Color.Blue;
                    customBool = false; // the false signal isn't received by OtherQml.qml
                    console.log("customBool is: " + customBool);
                }
            }
        }
    }
}
the false signal is not received by OtherQml.qml so the functions are not able to run one time or as in this example, the background to red
Hello!
if (! true) {
is always false, it should be if (! customBool) {}
Also, there is a typo in ("cusotmBool"):
console.log("customBool is: " + cusotmBool);
-
VPN Client 3.6.3 and PIX 506E
Hello
I am trying to build a VPN between VPN Client ver 3.6.3 and a PIX 506E running 6.2(2) with 3DES.
Firewall # sh ver
Cisco PIX Firewall Version 6.2 (2)
Cisco PIX Device Manager Version 2.1 (1)
Updated Saturday, June 7 02 17:49 by Manu
Firewall up to 7 days 4 hours
Material: PIX-506E, 32 MB RAM, Pentium II 300 MHz processor
Flash E28F640J3 @ 0 x 300, 8 MB
BIOS Flash AM29F400B @ 0xfffd8000, 32 KB
Features licensed:
Failover: disabled
VPN - A: enabled
VPN-3DES: enabled
Maximum Interfaces: 2
Cut - through Proxy: enabled
Guardians: enabled
URL filtering: enabled
Internal hosts: unlimited
Flow: limited
Peer IKE: unlimited
Modified configuration of enable_15 to 22:59:47.355 UTC Friday, December 13, 2002
Firewall #.
I get the following errors:
Firewall #.
crypto_isakmp_process_block: src dest 198, Mike.
Peer VPN: ISAKMP: approved new addition: ip:Mike Total VPN peer: 1
Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 1 Total peer VPN: 1
Exchange OAK_AG
ISAKMP (0): treatment ITS payload. Message ID = 0
ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 2 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 4 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform against the policy of priority 10 5
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 6 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 7 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 8 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: MD5 hash
ISAKMP: default group 2
ISAKMP: preshared auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): audit ISAKMP transform 9 against the policy of priority 10
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: preshared extended auth
ISAKMP: type of life in seconds
ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4
crypto_isakmp_process_block: src dest 198, Mike.
Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1
Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1
crypto_isakmp_process_block: src dest 198, Mike.
Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1
Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1
crypto_isakmp_process_block: src dest 198, Mike.
Peer VPN: ISAKMP: ip:Mike Ref cnt is incremented to peers: 2 Total VPN peer: 1
Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 1 Total peer VPN: 1
ISAKMP (0): retransmission of phase 1...
ISAKMP (0): retransmission of phase 1...
ISAKMP (0): delete SA: CBC Mike, dst 198.143.226.158
ISADB: Reaper checking HIS 0x812ba828, id_conn = 0 DELETE IT!
Peer VPN: ISAKMP: ip:Mike Ref cnt decremented to peers: 0 Total of VPN peer: 1
Peer VPN: ISAKMP: deleted peer: ip:Mike VPN peer Total: 0
Looks like I have a problem of encryption. Here is the biggest part of my setup:
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname Firewall
domain-name
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_access_in.255.255.224 all
access-list outside_access_in 255.255.255.224 all
outside_access_in tcp allowed access list all hosteq smtp
outside_access_in list access permit tcp any host eq pop3
outside_access_in list access permit tcp any host eq 5993
outside_access_in tcp allowed access list all hostq smtp
outside_access_in tcp allowed access list all pop3 hosteq
outside_access_in list access permit tcp any host eq www
outside_access_in tcp allowed access list any ftp hosteq
outside_access_in tcp allowed access list all www hosteq
outside_access_in tcp allowed access list all www hosteq
allow the ip host Toronto one access list outside_access_in
permit outside_access_in ip access list host Mike everything
outside_access_in deny ip access list a whole
pager lines 24
logging on
logging monitor debugging
logging buffered critical
logging trap warnings
logging history warnings
logging host inside
interface ethernet0 auto
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside some 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.1.50-192.168.1.75
PDM location 255.255.255.255 inside xxx
location of router PDM 255.255.255.255 outside
PDM location 255.255.255.255 inside xxx
location of PDM Mike 255.255.255.255 outside
location of PDM Web1 255.255.255.255 inside
PDM location 255.255.255.255 inside xxx
PDM location 255.255.255.255 inside xxx
PDM location 255.255.255.224 out xxx
PDM location 255.255.255.224 out xxx
xxx255.255.255.224 PDM location outdoors
PDM location 255.255.255.255 out xxx
location of PDM 10.1.1.153 255.255.255.255 inside
location of PDM 10.1.1.154 255.255.255.255 inside
PDM logging 100 reviews
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Several static inside servers...
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 Router 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
No snmp server location
No snmp Server contact
No trap to activate snmp Server
enable floodguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set RIGHT
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key * address Mike netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mycompany address-pool vpnpool
vpngroup mycompany dns-server SERVER101
vpngroup mycompany wins-server SERVER101
vpngroup mycompany default-domain whatever.com
vpngroup mycompany idle-time 1800
vpngroup mycompany password *
SSH timeout 15
dhcpd address 10.1.1.50 - 10.1.1.150 inside
dhcpd dns Skhbhb
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd field ljkn
dhcpd allow inside
Terminal width 80
Cryptochecksum:0e4c08a9e834d03338974105bb73355f
: end
[OK]
Firewall #.
Any ideas?
Thank you
Mike
Hi Mike,
You are welcome at any time. Will wait for your update
Kind regards
Arul