Thursday 29 June 2017

tnsping works but connectivity fails TNS-12502

Had an issue with an Oracle database.

tnsping worked but connecting to the database failed.

This Oracle setup used some VIPs (SCAN IPs) and real DB server IPs.
Only access to the SCAN IPs was requested, so the firewall was blocking the rest.

TNS-12502 error was returned from the server.

The way I could see it working in the packet captures was that the client connects to the SCAN IP, which returns the IP of the real DB server, then the client connects to the real DB server IP.

So tnsping worked; however, when they tried to connect to the DB server it failed.

To resolve, grant access to all VIPs and real server IPs.
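
The fix depends on knowing every address the SCAN listener hands back. As an added example (not part of the original post), this Python code takes redirect address strings pulled from a packet capture and checks each target against the firewall allow list. It assumes the redirect carries a standard `(ADDRESS=(PROTOCOL=TCP)(HOST=...)(PORT=...))` descriptor; the IPs, rule list and function names are constructed for illustration.

```python
import ipaddress
import re

# ADDRESS element of a TNS connect descriptor, and its (KEY=value) pairs.
ADDRESS_RE = re.compile(r"\(ADDRESS=((?:\([A-Z_]+=[^()]*\))+)\)", re.I)
PAIR_RE = re.compile(r"\(([A-Z_]+)=([^()]*)\)", re.I)

def redirect_targets(payload):
    """Return (host, port) pairs for every TCP address in a redirect string."""
    targets = []
    for addr in ADDRESS_RE.findall(payload):
        fields = {k.upper(): v.strip() for k, v in PAIR_RE.findall(addr)}
        if fields.get("PROTOCOL", "").upper() == "TCP" and fields.get("PORT", "").isdigit():
            targets.append((fields.get("HOST", ""), int(fields["PORT"])))
    return targets

def audit(payloads, allow_rules):
    """List redirect targets the firewall allow rules (cidr, port) do not cover."""
    rules = [(ipaddress.ip_network(cidr), port) for cidr, port in allow_rules]
    blocked = []
    for payload in payloads:
        for host, port in redirect_targets(payload):
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                # Never silently pass a name: it must be resolved and re-checked.
                blocked.append((host, port, "hostname: resolve and re-check"))
                continue
            if not any(ip in net and port == p for net, p in rules):
                blocked.append((host, port, "no allow rule"))
    return blocked

# Constructed sample data (documentation address range), not from the post.
# Only the three SCAN IPs are permitted, as in the situation described above.
ALLOW = [("192.0.2.10/32", 1521), ("192.0.2.11/32", 1521), ("192.0.2.12/32", 1521)]
REDIRECTS = [
    "(ADDRESS=(PROTOCOL=TCP)(HOST=192.0.2.21)(PORT=1521))",
    "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.22)(PORT=1521))"
    "(CONNECT_DATA=(SERVICE_NAME=orcl)))",
    "(ADDRESS=(PROTOCOL=TCP)(HOST=192.0.2.10)(PORT=1521))",
]

if __name__ == "__main__":
    for host, port, reason in audit(REDIRECTS, ALLOW):
        print(f"{host}:{port} blocked ({reason})")
```
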

Wednesday 7 June 2017

configure BVI (bridge-group) on ASA5506X

Step 1: Upgrade the ASA to 9.7 (ASDM 771). You need 9.8, otherwise BVI doesn't work with VPNs :( Really disappointed with the ASA5506.

Step 2: Take a backup of your current config. If you have already created your inside interface, you need to clear it out. You will lose some other config when you do this (NAT, DHCP etc).

Step 3: Create the BVI virtual interface (the number will match the bridge-group number we use later to assign ports).

interface BVI2
 nameif inside
 security-level 100
 ip address 10.32.11.254 255.255.255.0

Step 4: Assign other ports to the bridge group (bridge-group 2 matches the BVI2 interface number). You need to give each port a nameif or it won’t work (don’t ask me how I know that).

interface GigabitEthernet1/2
 bridge-group 2
 nameif inside_1
 security-level 100

interface GigabitEthernet1/8
 bridge-group 2
 nameif inside_2
 security-level 100

Step 5: Set up your DHCP / ACLs / NATs again, as they might have been cleared out.

dhcpd address 10.32.11.10-10.32.11.199 inside
dhcpd dns 10.32.0.4 10.32.0.5 interface inside
dhcpd enable inside