WAAS - MAPI AO故障排除
章节:排除MAPI AO故障
本文介绍如何排除MAPI AO故障。
指南内容
主要文章
了解WAAS架构和流量
初步WAAS故障排除
故障排除优化
应用加速故障排除
排除CIFS AO故障
排除HTTP AO故障
排除EPM AO故障
排除MAPI AO故障
排除NFS AO故障
SSL AO故障排除
视频AO故障排除
排除通用AO故障
排除过载情况故障
排除WCCP故障
AppNav故障排除
排除磁盘和硬件故障
串行内联集群故障排除
vWAAS故障排除
排除WAAS Express故障
排除NAM集成故障
主要文章
了解WAAS架构和流量
初步WAAS故障排除
故障排除优化
应用加速故障排除
排除CIFS AO故障
排除HTTP AO故障
排除EPM AO故障
排除MAPI AO故障
排除NFS AO故障
SSL AO故障排除
视频AO故障排除
排除通用AO故障
排除过载情况故障
排除WCCP故障
AppNav故障排除
排除磁盘和硬件故障
串行内联集群故障排除
vWAAS故障排除
排除WAAS Express故障
排除NAM集成故障
目录
- 1 MAPI加速器
- 2 加密MAPI加速
- 2.1 摘要
- 2.2 功能信息
- 2.3 故障排除方法
- 2.4 数据分析
- 2.5 常见问题
- 2.5.1 问题 1:在核心WAE上配置的加密服务标识在AD中没有正确的权限。
- 2.5.2 决议1:请查阅配置指南并验证AD中的对象是否具有正确的权限。必须将“复制目录更改”和“复制目录更改全部”都设置为允许。
- 2.5.3 问题 2:核心WAE与它尝试从中检索密钥的KDC之间存在时间偏差
- 2.5.4 决议2:在所有WAE(尤其是核心)上使用ntpdate将时钟与KDC同步。然后指向企业NTP服务器(与KDC可能相同)。
- 2.5.5 问题 3:您为加密服务定义的域与Exchange服务器所在的域不匹配。
- 2.5.6 决议3:如果您的核心WAE为不同域中的多个Exchange服务器提供服务,则必须为Exchange服务器所在的每个域配置加密服务标识。
- 2.5.7 问题 4:如果WAN安全失败,您的连接可能会丢弃到TG
- 2.5.8 第4号决议:从两个WAE中删除对等证书验证配置,并重新启动核心WAE上的加密服务。
- 2.5.9 问题 5:如果Outlook客户端使用NTLM,连接将向下推送到通用AO。
- 2.5.10 第5号决议:客户必须在其Exchange环境中启用/要求Kerberos身份验证。不支持NTLM(自5.1起)
- 3 MAPI AO日志记录
MAPI加速器
MAPI加速器可优化Microsoft Outlook Exchange电子邮件流量。Exchange使用EMSMDB协议,该协议分层在MS-RPC上,而MSMDB协议又使用TCP或HTTP(不支持)作为低级传输。
MAPI AO支持Microsoft Outlook 2000至2007客户端,用于缓存和非缓存模式流量。使用消息身份验证(签名)或加密的安全连接不会被MAPI AO加速。从较旧客户端的此类连接和连接被转移到通用AO以进行TFO优化。此外,不支持Outlook Web Access(OWA)和Exchange-Exchange连接。
注意:默认情况下,Microsoft Outlook 2007已启用加密。必须禁用加密才能从MAPI应用加速器中获益。在Outlook中,选择“工具”>“电子邮件帐户”,选择“查看”或“更改现有电子邮件帐户”,然后单击“下一步”。选择Exchange帐户,然后单击Change。单击“More Settings(更多设置)” ,然后单击“Security(安全)”选项卡。取消选中“在Microsoft Office Outlook和Microsoft Exchange Server之间加密数据”复选框,如图1所示。
或者,您也可以使用组策略禁用Exchange Server的所有用户加密。
- 图1.在Outlook 2007中禁用加密
在以下情况下,MAPI AO不处理连接:
- 加密连接(转给通用AO)
- 不支持的客户端(转给通用AO)
- 无法恢复的分析错误。客户端和服务器服务之间的所有TCP连接都已断开。当客户端重新连接时,所有连接都会被切断到通用AO。
- 当WAE过载时,客户端尝试在连接上建立新的关联组。
- 当WAE过载且MAPI保留的连接资源不可用时,客户端会建立连接。
Outlook客户端和服务器在会话中通过称为关联组的一组TCP连接进行交互。在关联组中,对象访问可以跨任何连接,并且根据需要动态创建和释放连接。客户端可以同时打开多个关联组到不同服务器或同一服务器。(公用文件夹部署在邮件存储的不同服务器上。)
关联组内的所有MAPI连接必须在分支机构和数据中心内通过相同的WAE对。如果关联组中的某些连接没有在这些WAE上通过MAPI AO,MAPI AO将看不到在这些连接上执行的事务,并且连接被说为“逃避”关联组。因此,不应在构成高可用性组的串行群集内联WAE上部署MAPI AO。
MAPI连接的故障症状是Outlook错误症状,如重复消息或Outlook停止响应。
在TFO过载条件下,现有关联组的新连接将通过并逃离MAPI AO,因此MAPI AO会提前保留大量连接资源,以尽量减小过载条件的影响。有关保留的MAPI连接及其对设备过载的影响的详细信息,请参阅排除过载条件文章中的“MAPI应用加速器保留连接对过载的影响”一节。
使用show accelerator和show license命令验证常规AO配置和状态,如“排除应用加速故障”文章中所述。MAPI加速器操作需要企业许可证,并且必须启用EPM应用程序加速器。
接下来,使用图2所示的show accelerator mapi命令验证MAPI AO的特定状态。您希望看到MAPI AO已启用、运行和注册,并且显示连接限制。如果配置状态为启用,但操作状态为关闭,则表示许可问题。
- 图2.验证MAPI加速器状态
使用show statistics accelerator epm命令验证EPM AO是否正常工作。检查客户端启动时Total Handled Connections、Total Requests Successfully Analysed和Total Responses Successfullyd计数器是否增加。
使用show running-config命令验证MAPI和EPM流量策略是否已正确配置。您希望看到Email-and-Messaging应用程序操作的accelerate mapi,并且希望看到定义的MS-EndPortMapper分类器和流量策略,如下所示:
WAE674# sh run | include mapi
map adaptor EPM mapi
name Email-and-Messaging All action optimize full accelerate mapi
WAE674# sh run | begin MS-EndPointMapper
...skipping
classifier MS-EndPointMapper
match dst port eq 135
exit
WAE674# sh run | include MS-EndPointMapper
classifier MS-EndPortMapper
name Other classifier MS-EndPortMapper action optimize DRE no compression none accelerate MS-port-mapper
使用show policy-engine application dynamic命令验证是否存在动态匹配规则,如下所示:
- 查找具有用户ID的规则:EPM和映射名称:uuida4f1db00-ca47-1067-b31f-00dd010662da。
- “流”字段指示与Exchange服务的活动连接总数。
- 对于每个MAPI客户端,您应看到一个单独的条目,其用户ID为:MAPI。
使用show statistics connection optimized mapi命令检查WAAS设备是否正在建立优化的MAPI连接。验证MAPI连接的Accel列中是否显示“M”,该列表示已使用MAPI AO,如下所示:
WAE674# show stat conn opt mapi Current Active Optimized Flows: 2 Current Active Optimized TCP Plus Flows: 1 Current Active Optimized TCP Only Flows: 1 Current Active Optimized TCP Preposition Flows: 0 Current Active Auto-Discovery Flows: 0 Current Reserved Flows: 12 <---------- Added in 4.1.5 Current Active Pass-Through Flows: 0 Historical Flows: 161 D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO ConnID Source IP:Port Dest IP:Port PeerID Accel RR 342 10.56.94.101:4506 10.10.100.100:1456 0:1a:64:d3:2f:b8 TMDL 61.0% <-----Look for "M"
注意:在版本4.1.5中,当前保留流计数器已添加到输出中。此计数器指WAE上当前未使用但留作将来MAPI连接的保留MAPI连接资源数。有关保留的MAPI连接及其对设备过载的影响的详细信息,请参阅排除过载条件文章中的“MAPI应用加速器保留连接对过载的影响”一节。
如果您在Accel列中观察到与“TGDL”的连接,则这些连接会向下推送到通用AO,并仅通过传输优化进行优化。如果这些是您希望由MAPI AO处理的连接,则可能是因为它们是加密的MAPI连接。要检查已请求的已加密MAPI连接数,请使用show statistics accelerator mapi命令,如下所示:
wae# sh stat accel mapi MAPI: Global Statistics ----------------- Time Accelerator was started: Thu Nov 5 19:45:19 2009 Time Statistics were Last Reset/Cleared: Thu Nov 5 19:45:19 2009 Total Handled Connections: 8615 Total Optimized Connections: 8614 Total Connections Handed-off with Compression Policies Unchanged: 0 Total Dropped Connections: 1 Current Active Connections: 20 Current Pending Connections: 0 Maximum Active Connections: 512 Number of Synch Get Buffer Requests: 1052 Minimum Synch Get Buffer Size (bytes): 31680 Maximum Synch Get Buffer Size (bytes): 31680 Average Synch Get Buffer Size (bytes): 31680 Number of Read Stream Requests: 3844 Minimum Read Stream Buffer Size (bytes): 19 Maximum Read Stream Buffer Size (bytes): 31744 Average Read Stream Buffer Size (bytes): 14556 Minimum Accumulated Read Ahead Data Size (bytes): 0 Maximum Accumulated Read Ahead Data Size (bytes): 1172480 Average Accumulated Read Ahead Data Size (bytes): 594385 Local Response Count: 20827 Average Local Response Time (usec): 250895 Remote Response Count: 70486 Average Remote Response Time (usec): 277036 Current 2000 Accelerated Sessions: 0 Current 2003 Accelerated Sessions: 1 Current 2007 Accelerated Sessions: 0 Secured Connections: 1 <-----Encrypted connections Lower than 2000 Sessions: 0 Higher than 2007 Sessions: 0
通过搜索以下消息,可以在系统日志中查找请求加密MAPI连接的客户端的IP地址:
2009 Jan 5 13:11:54 WAE512 mapi_ao: %WAAS-MAPIAO-3-132104: (929480) Encrypted connection. Client ip: 10.36.14.82
您可以使用show statistics connection optimized mapi detail命令查看MAPI连接统计信息,如下所示:
WAE674# show stat conn opt mapi detail
Connection Id: 1830
Peer Id: 00:14:5e:84:24:5f
Connection Type: EXTERNAL CLIENT
Start Time: Thu Jun 25 06:32:27 2009
Source IP Address: 10.10.10.10
Source Port Number: 3774
Destination IP Address: 10.10.100.101
Destination Port Number: 1146
Application Name: Email-and-Messaging <-----Should see Email-and-Messaging
Classifier Name: **Map Default**
Map Name: uuida4f1db00-ca47-1067-b31f-00dd010662da <-----Should see this UUID
Directed Mode: FALSE
Preposition Flow: FALSE
Policy Details:
Configured: TCP_OPTIMIZE + DRE + LZ
Derived: TCP_OPTIMIZE + DRE + LZ
Peer: TCP_OPTIMIZE + DRE + LZ
Negotiated: TCP_OPTIMIZE + DRE + LZ
Applied: TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured: MAPI <-----Should see MAPI configured
Derived: MAPI
Applied: MAPI <-----Should see MAPI applied
Hist: None
Original Optimized
-------------------- --------------------
Bytes Read: 4612 1973
Bytes Written: 4086 2096
. . .
本地和远程响应计数和平均响应时间如下输出所示:
. . . MAPI : 1830 Time Statistics were Last Reset/Cleared: Thu Jun 25 06:32:27 2009 Total Bytes Read: 46123985 Total Bytes Written: 40864046 Number of Synch Get Buffer Requests: 0 Minimum Synch Get Buffer Size (bytes): 0 Maximum Synch Get Buffer Size (bytes): 0 Average Synch Get Buffer Size (bytes): 0 Number of Read Stream Requests: 0 Minimum Read Stream Buffer Size (bytes): 0 Maximum Read Stream Buffer Size (bytes): 0 Average Read Stream Buffer Size (bytes): 0 Minimum Accumulated Read Ahead Data Size (bytes): 0 Maximum Accumulated Read Ahead Data Size (bytes): 0 Average Accumulated Read Ahead Data Size (bytes): 0 Local Response Count: 0 <---------- Average Local Response Time (usec): 0 <---------- Remote Response Count: 19 <---------- Average Remote Response Time (usec): 89005 <---------- . . .
加密MAPI加速
摘要
自WAAS 5.0.1起,MAPI加速器现在可以加速加密的MAPI流量。在5.0.3版本中,此功能将默认启用。但是,为了成功加速加密的MAPI流量,WAAS和Microsoft AD环境中都有许多要求。本指南将帮助您验证eMAPI功能并排除故障。
功能信息
eMAPI将默认在5.0.3中启用,并且需要以下条件才能成功加速加密流量。
1)CMS安全存储必须在所有核心WAE上初始化和打开
2)WAE必须能够解析Exchange服务器和Kerberos KDC(Active Directory控制器)的FQDN
3)WAE时钟必须与KDC同步
4)必须在从Outlook到Exchange的路径中的所有WAE上启用SSL加速器、WAN安全和eMAPI
5)路径中的WAE必须具有正确的策略映射配置
6)核心WAE必须配置一个或多个加密服务域标识(用户或机器帐户)
7)如果使用计算机帐户,则此WAE必须加入AD域。
8)然后,使用计算机或用户帐户使用案例,需要为Active Directory中的这些对象授予特定权限。必须将“复制目录更改”和“复制目录更改全部”都设置为允许。
建议通过通用安全组执行此操作(例如,将权限分配给组,然后将加密服务中指定的WAAS设备和/或用户名添加到该组)。 有关AD配置和WAAS CM GUI的屏幕截图,请参阅随附的指南。
故障排除方法
第1步 — 检验加密服务身份配置和密钥检索成功
当诊断命令(下面的步骤2)验证加密服务是否存在时,它不验证密钥检索是否成功。因此,我们不知道是否在Active Directory(计算机或用户帐户)中为对象授予了适当的权限,只需运行该诊断命令即可。
对配置和验证加密服务是否成功检索密钥需要执行的操作的摘要
用户帐户:
1.创建AD用户
2.创建AD组,并将“复制目录更改”和“复制目录更改全部”设置为ALLOW
3.将用户添加到创建的组
4.在加密服务中定义用户帐户域标识
5.运行get key diagnostic cli
windows-domain diagnostics encryption-service get-key <exchange server FQDN> <domain name>
请注意,您应使用在服务器上配置的实际/实际Exchange服务器名称,而不应使用可能解析为多个Exchange服务器的NLB/VIP类型FQDN。
6.如果密钥检索工作完成
成功示例:
pdi-7541-dc#windows-domain diagnostics encryption-service get-key pdidc-exchange1.pdidc.cisco.com pdidc.cisco.com
SPN pdidc-exchange1.pdidc.cisco.com,域名:pdidc.cisco.com
正在检索密钥。
pdi-7541-dc#windows-domain diagnostics encryption-service get-key pdidc-exchange1.pdidc.cisco.com pdidc.cisco.com
SPN pdidc-exchange1.pdidc.cisco.com,域名:pdidc.cisco.com
pdidc-exchange1.pdidc.cisco.com的密钥驻留在内存密钥缓存中
计算机帐户
1.将核心WAE设备加入AD域
2.创建AD组,并将“复制目录更改”和“复制目录更改全部”设置为ALLOW
3.将计算机帐户添加到已创建的组
4.配置加密服务以使用计算机帐户
5.给予某个时间,使组策略应用于加入的计算机,或强制应用AD. gpupdate /force中的组策略。
6.运行get key diagnostic cli
windows-domain diagnostics encryption-service get-key <exchange server FQDN> <domain name>
请注意,您应使用在服务器上配置的实际/实际Exchange服务器名称,而不应使用可能解析为多个Exchange服务器的NLB/VIP类型FQDN。
7.如果密钥检索工作完成
有关加密服务和AD配置的更多详细信息和屏幕截图,请参阅随附的指南。
第2步 — 在5.0.3中引入了新的诊断命令来检查某些所需设置。
加速̶器MAPI验证加密设置
1.CLI执行各种有效性检查。其输出总结了将加密MAPI流量作为边缘或核心加速的能力。
2.检查各组件的状态/配置属性,使加密服务正常工作。
3.当发现配置问题时,系统将输出缺失的内容以及CLI或修复问题的操作。
4.将摘要作为边缘设备和核心设备。既可以是边缘又可以是核心的设备,应该为边缘和核心都运行EMAPI。
以下是错误配置WAE的输出示例:
Core#accelerator mapi verify encryption-settings
[EDGE:]
Verifying Mapi Accelerator State
--------------------------------
Status: FAILED
Accelerator Config State Operational State
----------- ------------ -----------------
mapi Disabled Shutdown
>>Mapi Accelerator should be Enabled
>>Mapi Accelerator should be in Running state
Verifying SSL Accelerator State
-------------------------------
Status: FAILED
>>Accelerator Config State Operational State
----------- ------------ -----------------
ssl Disabled Shutdown
>>SSL Accelerator should be Enabled
>>SSL Accelerator should be in Running state
Verifying Wan-secure State
--------------------------
Status: FAILED
>>Accelerator Config State Operational State
----------- ------------ -----------------
wan-secure Disabled Shutdown
>>Wan-secure should be Enabled
>>Wan-secure should be in Running state
Verifying Mapi Wan-secure mode Setting
---------------------------------
Status: FAILED
Accelerator Config Item Mode Value
----------------------- ---- ------
WanSecure Mode User Not Applicable
>>Mapi wan-secure setting should be auto/always
Verifying NTP State
--------------------
Status: FAILED
>>NTP status should be enabled and configured
Summary [EDGE]:
===============
Device has to be properly configured for one or more components
[CORE:]
Verifying encryption-service State
----------------------------------
Status: FAILED
Service Config State Operational State
----------- ------------ -----------------
Encryption-service Disabled Shutdown
>>Encryption Service should be Enabled
>>Encryption Service status should be in 'Running' state
Verifying Encryption-service Identity Settings
----------------------------------------------
Status: FAILED
>>No active Encryption-service Identity is configured.
>>Please configure an active Windows Domain Encryption Service Identity.
Summary [CORE]: Applicable only on CORE WAEs
============================================
Device has to be properly configured for one or more components
以下是正确配置的核心WAE的输出:
Core#acc mapi verify encryption-settings [EDGE:]
Verifying Mapi Accelerator State
--------------------------------
Status: OK
Verifying SSL Accelerator State
-------------------------------
Status: OK
Verifying Wan-secure State
--------------------------
Status: OK
Verifying Mapi encryption Settings
----------------------------------
Status: OK
Verifying Mapi Wan-secure mode Setting
---------------------------------
Status: OK
Verifying NTP State
--------------------
Status: OK
Summary [EDGE]:
===============
Device has proper configuration to accelerate encrypted traffic
[CORE:]
Verifying encryption-service State
----------------------------------
Status: OK
Verifying Encryption-service Identity Settings
----------------------------------------------
Status: OK
Summary [CORE]: Applicable only on CORE WAEs
============================================
Device has proper configuration to accelerate encrypted traffic
第3步 — 手动验证上述诊断命令未检查的WAE设置。
1)在检查是否配置了NTP时,上述命令实际上并不验证WAE和KDC之间的时间是否同步。在核心和KDC之间同步的时间对于密钥检索成功非常重要。
如果手动检查显示它们不同步,强制WAE时钟同步的简单方法是ntpdate命令(ntpdate <KDC ip>)。 然后将WAE指向企业NTP服务器。
2)验证dnslookup在Exchange服务器FQDN和KDC的FQDN的所有WAE上是否成功
3)检验路径中所有WAE上的类映射和策略映射是否配置正确。
pdi-7541-dc#sh class-map type waas MAPI
类映射类型waas match-any MAPI
匹配tcp目标epm mapi(0个流匹配)
pdi-7541-dc#show policy-map type waas策略映射类型waas
WAAS-GLOBAL(共6084690个)
类MAPI(0个流匹配)
优化完全加速mapi应用电子邮件和消息
4)验证CMS安全存储是否在所有WAE上打开并初始化“show cms secure store”
数据分析
除了分析诊断命令和手动show命令的输出外,您可能需要查看sysreport。
具体而言,您将要查看mapiao-errorlog、sr-errorlog(仅核心WAE)和wsao-errorlog文件。
每个日志中都会出现提示,具体取决于场景,这将引导您找到连接丢弃到通用AO的原因。
此处的示例输出可作为参考,显示各种工作组件
此输出来自sr-errorlog,显示计算机帐户加密服务身份的验证
注意:这仅确认Core WAE已加入域且计算机帐户存在。
07/03/2012 19:12:07.278(Local)(6249 1.5) NTCE (278902) Adding Identity MacchineAcctWAAS to map active list in SRMain [SRMain.cpp:215] 07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE (279018) Adding identity(MacchineAcctWAAS) to Map [SRDiIdMgr.cpp:562] 07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE (279282) Activate Id: MacchineAcctWAAS [SRMain.cpp:260] 07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE (279306) Identity MacchineAcctWAAS found in the Map [SRDiIdMgr.cpp:702] 07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE (279321) Authentication for ID: MacchineAcctWAAS [SRDiIdMgr.cpp:398] 07/03/2012 19:12:07.330(Local)(6249 1.5) NTCE (330581) Authentication success, tkt validity starttime 1341342727 endtime 1341378727 [SRDiIdMgr.cpp:456] 07/03/2012 19:12:07.330(Local)(6249 1.5) NTCE (330599) ID_TAG :MacchineAcctWAAS Name : pdi-7541-dc Domain : PDIDC.CISCO.COM Realm : PDIDC.CISCO.COM CLI_GUID : SITE_GUID : CONF_GUID : Status:ENABLED Black_Listed:NO AUTH_STATUS: SUCCESS ACCT_TYPE:Machine [SRIdentityObject.cpp:85] 07/03/2012 19:12:07.331(Local)(6249 1.5) NTCE (331685) DN Info found for domain PDIDC.CISCO.COM [SRIdentityObject.cpp:168] 07/03/2012 19:12:07.347(Local)(6249 1.5) NTCE (347680) Import cred successfull for pn: pdi-7541-dc@PDIDC.CISCO.COM [AdsGssCli.cpp:111]
此输出再次来自Core sr-errorlog,显示从KDC成功检索密钥。
10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673766) Key Not Found in cache, initiating retrieval for spn:exchangeMDB/pdidc-exchange1.pdidc.cisco.com [SRServer.cpp:297] 10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673811) Queued InitiateKeyRetrieval task [SRServer.cpp:264]10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673819) Key retrieval is in Progress [SRServer.cpp:322] 10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673818) Initiating key retrieval [SRServer.cpp:271] 10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673827) initiating key retrieval in progress [SRDataServer.cpp:441] 10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673834) Sending ack for result 2, item name /cfg/gl/sr/sr_get_key/pdidc-exchange1.pdidc.cisco.com@pdidc.cisco.com [SRDataServer.cpp:444] 10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673922) Match found for DN: pdidc.cisco.com is ID:MacchineAcctWAAS [SRDiIdMgr.cpp:163] 10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673937) Identity MacchineAcctWAAS found in the Map [SRDiIdMgr.cpp:702] 10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673950) DN Info found for domain pdidc.cisco.com [SRIdentityObject.cpp:168] 10/23/2012 15:46:55.674(Local)(3780 0.0) NTCE (674011) DRS_SPN: E3514235-4B06-11D1-AB04-00C04FC2DCD2/e4c83c51-0b59-4647-b45d-780dd2dc3344/PDIDC.CISCO.COM for PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:51] 10/23/2012 15:46:55.674(Local)(3780 0.0) NTCE (674020) CREATED srkr obj(0x50aa00) for spn (exchangeMDB/pdidc-exchange1.pdidc.cisco.com) [SRKeyMgr.cpp:134] 10/23/2012 15:46:55.674(Local)(3780 1.3) NTCE (674421) Import cred successfull for pn: PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:135] 10/23/2012 15:46:55.676(Local)(3780 1.3) NTCE (676280) session(0x50aa00) Complete TGT stage of GSS Successful, Initiating AppApi [SRKeyRetriever.cpp:408] 10/23/2012 15:46:55.676(Local)(3780 0.1) NTCE (676415) SRKR: Success in posting connect to service <ip:0e:6e:03:a3><port:135> [IoOperation.cpp:222] 10/23/2012 15:46:55.676(Local)(3780 0.0) NTCE (676607) Connected to server. [IoOperation.cpp:389] 10/23/2012 15:46:55.677(Local)(3780 0.0) NTCE (677736) SRKR: Success in posting connect to service <ip:0e:6e:03:a3><port:1025> [IoOperation.cpp:222] 10/23/2012 15:46:55.678(Local)(3780 0.1) NTCE (678001) Connected to server. [IoOperation.cpp:389] 10/23/2012 15:46:55.679(Local)(3780 0.1) NTCE (679500) Cleaning up credential cache for PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:212] 10/23/2012 15:46:55.680(Local)(3780 0.1) NTCE (680011) Parsing DRSBIND Response [AppApiDrsBind.cpp:222] 10/23/2012 15:46:55.680(Local)(3780 0.1) NTCE (680030) DRSBind Success, Status:00000000 [AppApiDrsBind.cpp:359] 10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685502) session(0x50aa00) Successful in Key Retrieval from AD for SPN:exchangeMDB/pdidc-exchange1.pdidc.cisco.com [SRKeyRetriever.cpp:269] 10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685583) Send Key response to the Client for spn: exchangeMDB/pdidc-exchange1.pdidc.cisco.com, # of req's : 1 [SRKeyMgr.cpp:296] 10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685594) Deleting spn: exchangeMDB/pdidc-exchange1.pdidc.cisco.com entry from Pending key request map [SRKeyMgr.cpp:303]
此输出来自边缘WAE上的mapian-errorlog文件,以便成功进行eMAPI连接
'''10/23/2012 17:56:23.080(Local)(8311 0.1) NTCE (80175) (fl=2433) Edge TCP connection initiated (-1409268656), Conn: [14.110.3.117:58352 <=> 14.110.3.99:27744], Flavor: 0 [EdgeTcpConnectionDceRpcLayer.cpp:43] 10/23/2012 17:56:23.080(Local)(8311 0.1) NTCE (80199) Edge TCP connection initiated (-1409268656), Conn: [14.110.3.117:58352 <=> 14.110.3.99:27744], Flavor: 0 [EdgeTcpConnectionDceRpcLayer.cpp:48] 10/23/2012 17:56:23.108(Local)(8311 0.0) NTCE (108825) (fl=2433) Bind Request from client with AGID 0x0, callId 2, to dest-ip 14.110.3.99, AuthLevel: PRIVACY AuthType: SPNEGO AuthCtxId: 0 WsPlumb:1 [EdgeTcpConnectionDceRpcLayer.cpp:1277]''' 10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109935) CheckAndDoAoshReplumbing perform replumbing wsPlumbState 1 [Session.cpp:315] 10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109949) (fl=2433) AOSH Replumbing was performed returned Status 0 [Session.cpp:337] 10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109956) CheckAndPlumb WanSecure(14) ret:= [1,0] WsPlumb:4 fd[client,server]:=[25,26] [AsyncOperationsQueue.cpp:180] 10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312687) (fl=2433) Connection multiplexing enabled by server on the connection. [EdgeTcpConnectionDceRpcLayer.cpp:499] 10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312700) (fl=2433) Header signing enabled by server on the connection. [EdgeTcpConnectionDceRpcLayer.cpp:510] 10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312719) (fl=2433) OnNewConnection - Client IP 14.110.3.117 (0xe6e0375), Serv IP 14.110.3.99 (0xe6e0363), nDstPort=27744, nAssociationGroup=0x11de4,conn_fd=26, bWasConnectionFromReservedPool=0, bIsNewMapiSession=1 [ConnectionReservationManager.cpp:255] '''10/23/2012 17:56:23.366(Local)(8311 0.1) NTCE (366789) (fl=2433) Received security context from core with auth context id: 0 [EdgeTcpConnectionDceRpcLayer.cpp:2912] 10/23/2012 17:56:23.367(Local)(8311 0.1) NTCE (367157) (fl=2433) Security Layer moved to ESTB state [FlowSecurityLayer.cpp:311]''' 10/23/2012 17:56:23.368(Local)(8311 0.1) NTCE (368029) (fl=2433) Informational:: Send APC set to WS: asking for Cipher 2 [EdgeTcpConnectionDceRpcLayer.cpp:809] 10/23/2012 17:56:23.368(Local)(8311 0.1) NTCE (368041) (fl=2433) Sec-Params [CtxId, AL, AT, ACT, DCT, [Hs, ConnMplx, SecMplx]]:=[0, 6, 9, 18, 18 [1,1,0]] [FlowIOBuffers.cpp:477] 10/23/2012 17:56:23.369(Local)(8311 0.0) NTCE (369128) (fl=2433) CEdgeTcpConnectionEmsMdbLayer::ConnectRequestCommon (CallId 2): client version is ProductMajor:14, Product Minor:0, Build Major:6117, Build Minor:5001 Client ip 14.110.3.117 Client port 58352 Dest ip 14.110.3.99 Dest port 27744 [EdgeTcpConnectionEmsMdbLayer.cpp:1522] 10/23/2012 17:56:23.868(Local)(8311 0.1) ERRO (868390) (fl=2433) ContextHandle.IsNull() [EdgeTcpConnectionEmsMdbLayer.cpp:1612] 10/23/2012 17:56:23.890(Local)(8311 0.0) NTCE (890891) (fl=2433) CEdgeTcpConnectionEmsMdbLayer::ConnectRequestCommon (CallId 3): client version is ProductMajor:14, Product Minor:0, Build Major:6117, Build Minor:5001 Client ip 14.110.3.117 Client port 58352 Dest ip 14.110.3.99 Dest port 27744 [EdgeTcpConnectionEmsMdbLayer.cpp:1522]
这是同一TCP连接的mapiao-errorlog的相应核心WAE输出
'''10/23/2012 17:56:54.092(Local)(6408 0.0) NTCE (92814) (fl=21) Core TCP connection initiated (11892640), Conn: [14.110.3.117:58352 <=> 14.110.3.99:27744], F
lavor: 0 [CoreTcpConnectionDceRpcLayer.cpp:99]
10/23/2012 17:56:54.092(Local)(6408 0.0) NTCE (92832) Core TCP connection initiated (11892640), Conn: [14.110.3.117:58352 <=> 14.110.3.99:27744], Flavor: 0
[CoreTcpConnectionDceRpcLayer.cpp:104]'''
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175035) SrlibCache Cache eviction starting: static void srlib::CSrlibCache:: OnAoShellDispatchCacheCleanup(vo
id*, aosh_work*) [SrlibCache.cpp:453]
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175068) last_cleanup_time (1344411860), evict_in_progress(1) handled_req_cnt (1) cache_size (0) [SrlibCache.
cpp:464]
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175121) SendNextCmd isDuringSend 0, WriteQueue sz 1, isDuringclose 0 [SrlibClientTransport.cpp:163]
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175132) SendNextCmd: Sending request: exchangeMDB/PDIDC-EXCHANGE1.pdidc.cisco.com:23[v:=11], WriteQueue sz 0
[bClose 0] [SrlibClientTransport.cpp:168]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185576) OnReadComplete len 4 status 0 isDuringRead 1, isDuringHeaderRead 1, isDuringclose 0 [SrlibTransport.
cpp:127]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185587) Parse header, msg body len 152 [SrlibTransport.cpp:111]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185592) ReadNextMsg isDuringRead 0, isDuringHeaderRead 1, isDuringclose 0 [SrlibTransport.cpp:88]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185623) OnReadComplete len 148 status 0 isDuringRead 1, isDuringHeaderRead 0, isDuringclose 0 [SrlibTranspor
t.cpp:127]
'''10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185688) Insert new KrbKey: exchangeMDB/PDIDC-EXCHANGE1.pdidc.cisco.com::23[v:=11]:[{e,f,l}:={0, 0x1, 16} [S
rlibCache.cpp:735]
'''10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185747) ReadNextMsg isDuringRead 0, isDuringHeaderRead 0, isDuringclose 0 [SrlibTransport.cpp:88]
'''10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261575) (fl=21) Successfully created memory keytab with name: MEMORY:exchangeMDB@PDIDC-EXCHANGE1.pdidc.cisco
.com0nxrPblND [GssServer.cpp:468]
10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261613) (fl=21) Successfully added entry in memory keytab. [GssServer.cpp:92]
10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261858) (fl=21) Successfully acquired credentials. [GssServer.cpp:135]'''
常见问题
以下是导致eMAPI连接切换到通用AO(TG)的一些常见原因。
问题 1:在核心WAE上配置的加密服务标识在AD中没有正确的权限。
核心WAE上sr-errolog的输出
09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147570) session(0x517fa0) Failed to Retrieve Key from AD for SPN:exchangeMDB/outlook.sicredi.net.br error:16 [SRKeyRetriever.cpp:267] '''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147592) Key retrieval failed with Status 16 [SRKeyMgr.cpp:157] ''''''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147623) Identity "WAASMacAct" has been blacklisted [SRDiIdMgr.cpp:258] ''''''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147631) Key retrieval failed due to permission issue [SRKeyMgr.cpp:167] '''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147636) Identity: WAASMacAct will be black listed. [SRKeyMgr.cpp:168] 09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147657) Calling KrbKeyResponse key handler in srlib [SRServer.cpp:189] 09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147722) Queued send reponse buffer to client task [SrlibServerTransport.cpp:136] 09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147730) KrbKeyResponse, sent to client session object [SrlibServer.cpp:203] 09/25/2012 18:47:54.147(Local)(9063 0.0) NTCE (147733) SendNextCmd isDuringSend 0, WriteQueue size 1 isDuringClose 0 [SrlibServerTransport.cpp:308] 09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147740) Send Key response to the Client
决议1:请查阅配置指南并验证AD中的对象是否具有正确的权限。必须将“复制目录更改”和“复制目录更改全部”都设置为允许。
问题 2:核心WAE与它尝试从中检索密钥的KDC之间存在时间偏差
核心WAE上sr-errolog的输出
10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507836) Initiating key retrieval [SRServer.cpp:271] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507878) Match found for DN: pdidc.cisco.com is ID:MacchineAcctWAAS [SRDiIdMgr.cpp:163] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507888) Identity MacchineAcctWAAS found in the Map [SRDiIdMgr.cpp:702] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507901) DN Info found for domain pdidc.cisco.com [SRIdentityObject.cpp:168] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507923) DRS_SPN: E3514235-4B06-11D1-AB04-00C04FC2DCD2/e4c83c51-0b59-4647-b45d-780dd2dc3344/PDIDC.CISCO.COM for PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:51] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507933) CREATED srkr obj(0x2aaaac0008c0) for spn (exchangeMDB/pdidc-exchange1.pdidc.cisco.com) [SRKeyMgr.cpp:134] 10/23/2012 01:31:33.508(Local)(1832 1.6) NTCE (508252) Import cred successfull for pn: PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:135] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511151) CreateSecurityContext: gss_init_sec_context failed [majorStatus = 851968 (0xd0000)] [GssCli.cpp:176] '''10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511170) GSS_MAJOR ERROR:851968 msg_cnt:0, Miscellaneous failure (see text)CD2 [GssCli.cpp:25] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511177) GSS_MINOR ERROR:2529624064 msg_cnt:0, Clock skew too great [GssCli.cpp:29] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511182) gsskrb5_get_subkey failed: 851968,22, [GssCli.cpp:198] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511188) session(0x2aaaac0008c0) Error: Invalid security ctx state, IsContinue is false with out token exchange [SRKeyRetriever.cpp:386] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511193) session(0x2aaaac0008c0) Failed to Retrieve Key from AD for SPN:exchangeMDB/pdidc-exchange1.pdidc.cisco.com error:1 [SRKeyRetriever.cpp:267]''' 10/23/2012 01:31:33.511(Local)(1832 0.0) ERRO (511213) Key retrieval failed with Status 1 [SRKeyMgr.cpp:157]
决议2:在所有WAE(尤其是核心)上使用ntpdate将时钟与KDC同步。然后指向企业NTP服务器(与KDC可能相同)。
问题 3:您为加密服务定义的域与Exchange服务器所在的域不匹配。
核心WAE上sr-errolog的输出
10/23/2012 18:41:21.918(Local)(3780 1.5) NTCE (918788) Key retrieval is in Progress [SRServer.cpp:322] 10/23/2012 18:41:21.918(Local)(3780 1.5) NTCE (918793) initiating key retrieval in progress [SRDataServer.cpp:441] 10/23/2012 18:41:21.918(Local)(3780 0.0) NTCE (918790) Initiating key retrieval [SRServer.cpp:271] 10/23/2012 18:41:21.918(Local)(3780 1.5) NTCE (918798) Sending ack for result 2, item name /cfg/gl/sr/sr_get_key/pdidc-exchange.cisco.com@cisco.com [SRDataServer.cpp:444] 10/23/2012 18:41:21.918(Local)(3780 0.0) ERRO (918813) Failed to find Identity match for domain cisco.com [SRDiIdMgr.cpp:157] 10/23/2012 18:41:21.918(Local)(3780 0.0) NTCE (918821) Failed to find identity match for domain [SRKeyMgr.cpp:120] 10/23/2012 18:41:21.918(Local)(3780 0.0) NTCE (918832) Send Key response to the Client for spn: exchangeMDB/pdidc-exchange.cisco.com, # of req's: 1 [SRKeyMgr.cpp:296]
决议3:如果您的核心WAE为不同域中的多个Exchange服务器提供服务,则必须为Exchange服务器所在的每个域配置加密服务标识。
请注意,目前不支持子域包括。因此,如果您有myexchange.sub-domain.domain.com ,则加密服务标识必须位于sub-domain.domain.com中;它不能在父域中。
问题 4:如果WAN安全失败,您的连接可能会丢弃到TG
eMAPI连接可以移交给通用AO,因为WAN安全插拔失败。WAN Secure plumb失败,因为证书验证失败。对等证书验证将失败,因为正在使用默认自签名对等证书或证书已合法失败的OCSP检查。
核心WAE设置
crypto pki global-settings ocsp url http://pdidc.cisco.com/ocsp revocation-check ocsp-cert-url exit ! crypto ssl services host-service peering peer-cert-verify exit ! WAN Secure: Accelerator Config Item Mode Value ----------------------- ---- ------ SSL AO User enabled Secure store User enabled Peer SSL version User default Peer cipher list User default Peer cert User default Peer cert verify User enabled
这将导致以下mapian-errorlog和wsao-errorlog条目:
此处的提示是突出显示的第一行“连续断开超过四次”
客户端WAE上的Mapian-errorlog:
'''10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25621) (fl=267542) Client 10.16.1.201 disconnected more than four consecutive times - push down to generic ao. [EdgeTcpConnectionDceRpcLayer.cpp:1443] '''10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25634) (fl=267542) CEdgeIOBuffers:: StartHandOverProcessSingleConnection: SECURED_STATE_NOT_ESTABLISHED [EdgeIOBuffers.cpp:826] 10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25644) (fl=267542) CEdgeIOBuffers::CheckSendHandOverRequestToCoreAndBlockLan - Blocking LAN for read operations after last fragment of call id 0, current call id is 2 [EdgeIOBuffers.cpp:324] 10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48753) (fl=267542) Connection multiplexing enabled by server on the connection. [EdgeTcpConnectionDceRpcLayer.cpp:499] 10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48771) (fl=267542) Header signing enabled by server on the connection. [EdgeTcpConnectionDceRpcLayer.cpp:510] 10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48779) (fl=267542) CEdgeIOBuffers:: StartHandOverProcessSingleConnection: GENERAL_UNCLASSIFIED [EdgeIOBuffers.cpp:826]
客户端WAE上的Wsao-errorlog:
'''10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430001) certificate verification failed 'self signed certificate' [open_ssl.cpp:1213] '''10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430047) ssl_read failed: 'SSL_ERROR_SSL' [open_ssl.cpp:1217] 10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430055) openssl errors: error:14090086: SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1244: [open_ssl.cpp:1220]
第4号决议:从两个WAE中删除对等证书验证配置,并重新启动核心WAE上的加密服务。
pdi-7541-dc(config)#crypto ssl services host-service peering pdi-7541-dc(config-ssl-peering)#no peer-cert-verify pdi-7541-dc(config)#no windows-domain encryption-service enable pdi-7541-dc(config)#windows-domain encryption-service enable
问题 5:如果Outlook客户端使用NTLM,连接将向下推送到通用AO。
您将在客户端WAE的mapian-errorlog中看到以下内容:
'''waas-edge#find-patter match ntlm mapiao-errorlog.current ''' 09/21/2012 20:30:32.154(Local)(8930 0.1) NTCE (154827) (fl=83271) Bind Request from client with AGID 0x0, callId 1, to dest-ip 172.21. 12.96, AuthLevel: PRIVACY '''AuthType:NTLM '''AuthCtxId: 153817840 WsPlumb: 2 [EdgeTcpConnectionDceRpcLayer.cpp:1277] 09/21/2012 20:30:32.154(Local)(8930 0.1) NTCE (154861) (fl=83271) '''Unsupported''' '''Auth Type :NTLM''' [EdgeTcpConnectionDceRpcLayer.cpp:1401] 09/21/2012 20:30:40.157(Local) (8930 0.0) NTCE (157628) (fl=83283) Bind Request from client with AGID 0x0, callId 2, to dest-ip 172.21. 12.96, AuthLevel: PRIVACY AuthType:NTLM AuthCtxId: 153817840 WsPlumb: 2 [EdgeTcpConnectionDceRpcLayer.cpp:1277]
第5号决议:客户必须在其Exchange环境中启用/要求Kerberos身份验证。不支持NTLM(自5.1起)
请注意,当使用CAS时,Microsoft技术简报会呼吁回退到NTLM。
Kerberos不起作用的场景是特定于Exchange 2010的,并且处于以下场景:
组织/域中的多个Exchange客户端访问服务器(CAS)。
这些CAS服务器使用任何方法群集在一起 — 使用Microsoft的内置客户端阵列功能或第三方负载均衡器。
在上述场景中,Kerberos不起作用 — 默认情况下,客户端将回退到NTLM。我认为这是因为客户端必须对CAS服务器进行身份验证,而对邮箱服务器进行身份验证,这与之前的Exchange版本中的做法相同。
在Exchange 2010 RTM中,没有修复此问题!上述场景中的Kerberos在Exchange 2010-SP1之前将无法运行。
在SP1中,可以在这些环境中启用Kerberos,但这是一个手动过程。请参阅此处的文章:http://technet.microsoft.com/en-us/library/ff808313.aspx
MAPI AO日志记录
- 以下日志文件可用于排除MAPI AO问题:
- 事务日志文件:/local1/logs/tfo/working.log(和/local1/logs/tfo/tfo_log_*.txt)
调试日志文件:/local1/errorlog/mapiao-errorlog.current(和mapiao-errorlog.*)
为便于调试,您应首先设置ACL,将数据包限制到一台主机。
WAE674(config)# ip access-list extended 150 permit tcp host 10.10.10.10 any WAE674(config)# ip access-list extended 150 permit tcp any host 10.10.10.10
要启用事务记录,请按如下方式使用transaction-logs配置命令:
wae(config)# transaction-logs flow enable wae(config)# transaction-logs flow access-list 150
可使用type-tail命令查看事务日志文件的结尾,如下所示:
wae# type-tail tfo_log_10.10.11.230_20090715_130000.txt Wed Jul 15 19:12:35 2009 :2289 :10.10.10.10 :3740 :10.10.100.101 :1146 :OT :END :EXTERNAL CLIENT :(MAPI) :822 :634 :556 :706 Wed Jul 15 19:12:35 2009 :2289 :10.10.10.10 :3740 :10.10.100.101 :1146 :SODRE :END :730 :605 :556 :706 :0 Wed Jul 15 19:12:35 2009 :2290 :10.10.10.10 :3738 :10.10.100.101 :1146 :OT :END :EXTERNAL CLIENT :(MAPI) :4758 :15914 :6436 :2006 Wed Jul 15 19:12:35 2009 :2290 :10.10.10.10 :3738 :10.10.100.101 :1146 :SODRE :END :4550 :15854 :6436 :2006 :0 Wed Jul 15 19:12:35 2009 :2284 :10.10.10.10 :3739 :10.10.100.101 :1146 :OT :END :EXTERNAL CLIENT :(MAPI) :1334 :12826 :8981 :1031
要设置和启用MAPI AO的调试日志记录,请使用以下命令。
NOTE:调试日志记录占用大量CPU资源,并且可以生成大量输出。在生产环境中谨慎、谨慎地使用它。
您可以按如下方式启用详细的日志记录到磁盘:
WAE674(config)# logging disk enable WAE674(config)# logging disk priority detail
您可以为ACL中的连接启用调试日志记录,如下所示:
WAE674# debug connection access-list 150
MAPI AO调试的选项如下:
WAE674# debug accelerator mapi ? all enable all MAPI accelerator debugs Common-flow enable MAPI Common flow debugs DCERPC-layer enable MAPI DCERPC-layer flow debugs EMSMDB-layer enable MAPI EMSMDB-layer flow debugs IO enable MAPI IO debugs ROP-layer enable MAPI ROP-layer debugs ROP-parser enable MAPI ROP-parser debugs RPC-parser enable MAPI RPC-parser debugs shell enable MAPI shell debugs Transport enable MAPI transport debugs Utilities enable MAPI utilities debugs
您可以为MAPI连接启用调试日志记录,然后显示调试错误日志的结尾,如下所示:
WAE674# debug accelerator mapi Common-flow WAE674# type-tail errorlog/mapiao-errorlog.current follow
反馈