WAAS - MAPI AO故障排除
章節:排除MAPI AO故障
本文描述如何對MAPI AO進行故障排除。
指南目錄
主要文章
瞭解WAAS架構和流量
WAAS初步故障排除
故障排除最佳化
應用加速故障排除
排除CIFS AO故障
排除HTTP AO故障
排除EPM AO故障
排除MAPI AO故障
排除NFS AO故障
排除SSL AO故障
影片AO故障排除
通用AO故障排除
過載故障排除
WCCP故障排除
AppNav故障排除
磁碟和硬體故障排除
串列內聯群集故障排除
vWAAS故障排除
WAAS Express故障排除
排除NAM整合故障
主要文章
瞭解WAAS架構和流量
WAAS初步故障排除
故障排除最佳化
應用加速故障排除
排除CIFS AO故障
排除HTTP AO故障
排除EPM AO故障
排除MAPI AO故障
排除NFS AO故障
排除SSL AO故障
影片AO故障排除
通用AO故障排除
過載故障排除
WCCP故障排除
AppNav故障排除
磁碟和硬體故障排除
串列內聯群集故障排除
vWAAS故障排除
WAAS Express故障排除
排除NAM整合故障
目錄
- 1 MAPI加速器
- 2 加密的MAPI加速
- 2.1 摘要
- 2.2 功能資訊
- 2.3 故障排除方法
- 2.4 資料分析
- 2.5 常見問題
- 2.5.1 問題1:核心WAE上配置的加密服務標識在AD中沒有正確的許可權。
- 2.5.2 決議1:請參考配置指南,並驗證AD中的對象具有正確的許可權。「Replicating Directory Changes」和「Replicating Directory Changes All」必須都設定為允許。
- 2.5.3 問題2:核心WAE與其嘗試從中檢索金鑰的KDC之間存在時間偏差
- 2.5.4 決議2:在所有WAE(尤其是核心)上使用ntpdate將時鐘與KDC同步。然後指向企業NTP伺服器(最好與KDC相同)。
- 2.5.5 問題3:您為加密服務定義的域與Exchange伺服器所在的域不匹配。
- 2.5.6 決議3:如果您的核心WAE服務不同域中的多個Exchange伺服器,則必須為Exchange伺服器所在的每個域配置加密服務標識。
- 2.5.7 問題4:如果WANecure失敗,您的連線可以丟棄到TG
- 2.5.8 決議4:從兩個WAE中刪除對等證書驗證配置,並在核心WAE上重新啟動加密服務。
- 2.5.9 問題5:如果Outlook客戶端使用NTLM,則連線將被向下推到通用AO。
- 2.5.10 第5號決議:客戶必須在Exchange環境中啟用/要求Kerberos身份驗證。不支援NTLM(自5.1起)
- 3 MAPI AO日誌記錄
MAPI加速器
MAPI加速器可最佳化Microsoft Outlook Exchange電子郵件流量。Exchange使用EMSMDB協定,該協定在MS-RPC上分層,該協定使用TCP或HTTP(不受支援)作為低級傳輸。
MAPI AO支援Microsoft Outlook 2000到2007客戶端快取和非快取模式流量。MAPI AO不會加速使用消息身份驗證(簽名)或加密的安全連線。來自較舊客戶端的此類連線和連線被傳遞給通用AO以進行TFO最佳化。此外,不支援Outlook Web Access(OWA)和Exchange-Exchange連線。
附註:預設情況下,Microsoft Outlook 2007已啟用加密。您必須禁用加密才能從MAPI應用程式加速器獲益。在Outlook中,選擇「工具」>「電子郵件帳戶」,選擇「檢視或更改現有電子郵件帳戶」,然後按一下「下一步」。選擇Exchange帳戶,然後按一下更改。按一下More Settings,然後按一下Security頁籤。取消選中Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server覈取方塊,如圖1所示。
或者,也可以使用組策略為Exchange Server的所有使用者禁用加密。
- 圖1.在Outlook 2007中禁用加密
在以下情況下,MAPI AO不處理連線:
- 加密連線(傳遞給通用AO)
- 不受支援的客戶端(傳遞給通用AO)
- 無法恢復的解析錯誤。客戶端與伺服器服務之間的所有TCP連線都斷開連線。當客戶端重新連線時,所有連線都將切換到通用AO。
- 當WAE過載時,客戶端會嘗試在連線上建立新的關聯組。
- 當WAE過載且MAPI保留連線資源不可用時,客戶端會建立連線。
Outlook客戶端和伺服器通過一組稱為關聯組的TCP連線在一個會話中互動。在關聯組內,對象訪問可以跨越任何連線,並且根據需要動態建立和釋放連線。一個客戶端可以同時開啟多個關聯組,這些關聯組可以連線到不同的伺服器或相同的伺服器。(公用資料夾部署在郵件儲存區的不同伺服器上。)
關聯組中的所有MAPI連線都必須通過分支機構和資料中心中的同一對WAE。如果關聯組內的某些連線沒有通過這些WAE上的MAPI AO,則MAPI AO不會看到在這些連線上執行的事務,並且這些連線據說會「逃避」關聯組。因此,不應將MAPI AO部署到構成高可用性組的串列群集內聯WAE上。
從其WAE關聯組轉出的MAPI連線的症狀是Outlook錯誤症狀,例如重複郵件或Outlook停止響應。
在TFO過載情況下,現有關聯組的新連線會通過並逃避MAPI AO,因此MAPI AO會提前預留多個連線資源以最小化過載情況的影響。有關保留MAPI連線及其對裝置過載影響的詳細資訊,請參閱故障排除過載條件一文中的MAPI應用程式加速器保留連線對過載的影響部分。
使用show accelerator和show license命令檢驗常規AO配置和狀態,如應用程式加速故障排除一文中所述。MAPI加速器操作需要企業許可證,必須啟用EPM應用程式加速器。
接下來,使用show accelerator mapi命令驗證MAPI AO的特定狀態,如圖2所示。您想要看到MAPI AO已啟用、正在運行或已註冊,並且顯示連線限制。如果Config State為Enabled,但Operational State為Shutdown,則表示存在許可問題。
- 圖2.檢驗MAPI加速器狀態
使用show statistics accelerator epm命令驗證EPM AO是否正常工作。檢查啟動客戶端時,已處理的連線總數、已成功分析的請求總數和已成功分析的響應總數計數器是否增加。
使用show running-config命令驗證MAPI和EPM流量策略是否正確配置。您想要檢視加速mapi的電子郵件和消息應用程式操作,並且想要檢視MS-EndPortMapper分類器和定義的流量策略,如下所示:
WAE674# sh run | include mapi
map adaptor EPM mapi
name Email-and-Messaging All action optimize full accelerate mapi
WAE674# sh run | begin MS-EndPointMapper
...skipping
classifier MS-EndPointMapper
match dst port eq 135
exit
WAE674# sh run | include MS-EndPointMapper
classifier MS-EndPortMapper
name Other classifier MS-EndPortMapper action optimize DRE no compression none accelerate MS-port-mapper
使用show policy-engine application dynamic命令驗證是否存在動態匹配規則,如下所示:
- 查詢具有使用者ID的規則:EPM和對映名稱:uuida4f1db00-ca47-1067-b31f-00dd010662da。
- 流欄位指示到Exchange服務的活動連線總數。
- 對於每個MAPI客戶端,您應該看到具有使用者ID的單獨條目:MAPI。
使用show statistics connection optimized mapi命令檢查WAAS裝置是否正在建立最佳化的MAPI連線。驗證MAPI連線的「Accel」列中是否出現「M」,這表示已使用MAPI AO,如下所示:
WAE674# show stat conn opt mapi Current Active Optimized Flows: 2 Current Active Optimized TCP Plus Flows: 1 Current Active Optimized TCP Only Flows: 1 Current Active Optimized TCP Preposition Flows: 0 Current Active Auto-Discovery Flows: 0 Current Reserved Flows: 12 <---------- Added in 4.1.5 Current Active Pass-Through Flows: 0 Historical Flows: 161 D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO ConnID Source IP:Port Dest IP:Port PeerID Accel RR 342 10.56.94.101:4506 10.10.100.100:1456 0:1a:64:d3:2f:b8 TMDL 61.0% <-----Look for "M"
附註:在4.1.5版中,輸出中增加了Current Reserved Flows計數器。此計數器指的是WAE上當前未使用但留作未來MAPI連線的保留MAPI連線資源數。有關保留MAPI連線及其對裝置過載影響的詳細資訊,請參閱故障排除過載條件一文中的MAPI應用程式加速器保留連線對過載的影響部分。
如果您觀察到Accel列中帶有「TGDL」的連線,這些連線被下推到通用AO並僅使用傳輸最佳化進行最佳化。如果這些是您預期由MAPI AO處理的連線,則可能是因為它們是加密的MAPI連線。要檢查已請求的加密MAPI連線數,請使用show statistics accelerator mapi命令,如下所示:
wae# sh stat accel mapi MAPI: Global Statistics ----------------- Time Accelerator was started: Thu Nov 5 19:45:19 2009 Time Statistics were Last Reset/Cleared: Thu Nov 5 19:45:19 2009 Total Handled Connections: 8615 Total Optimized Connections: 8614 Total Connections Handed-off with Compression Policies Unchanged: 0 Total Dropped Connections: 1 Current Active Connections: 20 Current Pending Connections: 0 Maximum Active Connections: 512 Number of Synch Get Buffer Requests: 1052 Minimum Synch Get Buffer Size (bytes): 31680 Maximum Synch Get Buffer Size (bytes): 31680 Average Synch Get Buffer Size (bytes): 31680 Number of Read Stream Requests: 3844 Minimum Read Stream Buffer Size (bytes): 19 Maximum Read Stream Buffer Size (bytes): 31744 Average Read Stream Buffer Size (bytes): 14556 Minimum Accumulated Read Ahead Data Size (bytes): 0 Maximum Accumulated Read Ahead Data Size (bytes): 1172480 Average Accumulated Read Ahead Data Size (bytes): 594385 Local Response Count: 20827 Average Local Response Time (usec): 250895 Remote Response Count: 70486 Average Remote Response Time (usec): 277036 Current 2000 Accelerated Sessions: 0 Current 2003 Accelerated Sessions: 1 Current 2007 Accelerated Sessions: 0 Secured Connections: 1 <-----Encrypted connections Lower than 2000 Sessions: 0 Higher than 2007 Sessions: 0
您可以在系統日誌中搜尋如下消息,找到請求加密MAPI連線的客戶端的IP地址:
2009 Jan 5 13:11:54 WAE512 mapi_ao: %WAAS-MAPIAO-3-132104: (929480) Encrypted connection. Client ip: 10.36.14.82
可以使用show statistics connection optimized mapi detail命令檢視MAPI連線統計資訊,如下所示:
WAE674# show stat conn opt mapi detail
Connection Id: 1830
Peer Id: 00:14:5e:84:24:5f
Connection Type: EXTERNAL CLIENT
Start Time: Thu Jun 25 06:32:27 2009
Source IP Address: 10.10.10.10
Source Port Number: 3774
Destination IP Address: 10.10.100.101
Destination Port Number: 1146
Application Name: Email-and-Messaging <-----Should see Email-and-Messaging
Classifier Name: **Map Default**
Map Name: uuida4f1db00-ca47-1067-b31f-00dd010662da <-----Should see this UUID
Directed Mode: FALSE
Preposition Flow: FALSE
Policy Details:
Configured: TCP_OPTIMIZE + DRE + LZ
Derived: TCP_OPTIMIZE + DRE + LZ
Peer: TCP_OPTIMIZE + DRE + LZ
Negotiated: TCP_OPTIMIZE + DRE + LZ
Applied: TCP_OPTIMIZE + DRE + LZ
Accelerator Details:
Configured: MAPI <-----Should see MAPI configured
Derived: MAPI
Applied: MAPI <-----Should see MAPI applied
Hist: None
Original Optimized
-------------------- --------------------
Bytes Read: 4612 1973
Bytes Written: 4086 2096
. . .
以下輸出顯示了本地和遠端響應計數和平均響應時間:
. . . MAPI : 1830 Time Statistics were Last Reset/Cleared: Thu Jun 25 06:32:27 2009 Total Bytes Read: 46123985 Total Bytes Written: 40864046 Number of Synch Get Buffer Requests: 0 Minimum Synch Get Buffer Size (bytes): 0 Maximum Synch Get Buffer Size (bytes): 0 Average Synch Get Buffer Size (bytes): 0 Number of Read Stream Requests: 0 Minimum Read Stream Buffer Size (bytes): 0 Maximum Read Stream Buffer Size (bytes): 0 Average Read Stream Buffer Size (bytes): 0 Minimum Accumulated Read Ahead Data Size (bytes): 0 Maximum Accumulated Read Ahead Data Size (bytes): 0 Average Accumulated Read Ahead Data Size (bytes): 0 Local Response Count: 0 <---------- Average Local Response Time (usec): 0 <---------- Remote Response Count: 19 <---------- Average Remote Response Time (usec): 89005 <---------- . . .
加密的MAPI加速
摘要
從WAAS 5.0.1開始,MAPI加速器現在可以加速加密的MAPI流量。預設情況下,此功能將在5.0.3版中啟用。但是,為了成功加速加密的MAPI流量,WAAS和Microsoft AD環境中都有許多要求。本指南將幫助您驗證eMAPI功能並對其進行故障排除。
功能資訊
eMAPI將預設在5.0.3中啟用,並且需要以下內容來成功加速加密流量。
1)必須在所有核心WAE上初始化並開啟CMS安全儲存
2)WAE必須能夠解析Exchange伺服器和Kerberos KDC(Active Directory控制器)的FQDN
3)WAE的時鐘必須與KDC同步
4)必須在從Outlook到Exchange的路徑中的所有WAE上啟用SSL協調器、WAN安全和eMAPI
5)路徑中的WAE必須具有正確的策略對映配置
6)核心WAE必須配置一個或多個加密服務域標識(使用者或電腦帳戶)
7)如果使用電腦帳戶,則此WAE必須加入到AD域。
8)然後,對於「電腦」或「使用者帳戶」使用情形,需要為Active Directory中的對象指定特定許可權。「Replicating Directory Changes」和「Replicating Directory Changes All」必須都設定為允許。
建議的方法是通過通用安全組(例如,將許可權分配給該組,然後將加密服務中指定的WAAS裝置和/或使用者名稱新增到該組)。 有關廣告配置和WAAS CM GUI的螢幕截圖,請參見所附指南。
故障排除方法
第1步 — 驗證加密服務身份配置和金鑰檢索成功
當diagnostics命令(下面的步驟2)驗證加密服務的存在時,它不會驗證金鑰檢索是否成功。因此,我們無法通過只運行診斷命令就知道是否為Active Directory中的對象(電腦或使用者帳戶)提供了正確的許可權。
摘要說明配置和驗證加密服務將成功檢索金鑰
使用者帳戶:
1.建立AD使用者
2.建立AD組並將「Replicating Directory Changes」和「Replicating Directory Changes All」設定為ALLOW
3.將使用者新增到建立的組
4.在加密服務中定義使用者帳戶域標識
5.運行get key diagnostic cli
windows-domain diagnostics encryption-service get-key <exchange server FQDN> <域名>
請注意,應使用伺服器上配置的實際/實際Exchange伺服器名稱,而不是可能解析為多個Exchange伺服器的NLB/VIP型別FQDN。
6.如果金鑰檢索成功 — 完成
成功示例:
pdi-7541-dc#windows-domain diagnostics encryption-service get-key pdidc-exchange1.pdidc.cisco.com pdidc.cisco.com
SPN pdidc-exchange1.pdidc.cisco.com,域名:pdidc.cisco.com
正在進行金鑰檢索。
pdi-7541-dc#windows-domain diagnostics encryption-service get-key pdidc-exchange1.pdidc.cisco.com pdidc.cisco.com
SPN pdidc-exchange1.pdidc.cisco.com,域名:pdidc.cisco.com
pdidc-exchange1.pdidc.cisco.com的金鑰位於記憶體金鑰快取中
電腦帳戶
1.將核心WAE裝置加入AD域
2.建立AD組並將「複製目錄更改」和「複製目錄更改全部」設定為ALLOW
3.將電腦帳戶新增到建立的組
4.配置加密服務以使用電腦帳戶
5.有時讓組策略應用到連線的機器,或強制從AD.gpupdate /force應用組策略。
6.運行get key diagnostic cli
windows-domain diagnostics encryption-service get-key <exchange server FQDN> <域名>
請注意,應使用伺服器上配置的實際/實際Exchange伺服器名稱,而不是可能解析為多個Exchange伺服器的NLB/VIP型別FQDN。
7.如果金鑰檢索成功 — 完成
有關加密服務和AD配置的更多詳細資訊和螢幕截圖,請參閱所附指南。
第2步 — 在5.0.3中,引入了一個新的診斷命令來檢查一些必需的設定。
加速̶器mapi驗證加密設定
1.CLI執行各種有效性檢查。其輸出是加速作為邊緣或核心的加密MAPI流量的能力總結。
2.檢查各元件的狀態/配置屬性,確保加密服務正常運行。
3.當發現配置問題時,它將輸出缺少的內容以及CLI或修復它的操作。
4、將總結總結歸納為邊緣裝置和核心裝置。既可以是邊緣裝置,也可以是核心裝置,該裝置應該對邊緣裝置和核心裝置都運行EMAPI。
以下是配置錯誤的WAE的輸出示例:
Core#accelerator mapi verify encryption-settings
[EDGE:]
Verifying Mapi Accelerator State
--------------------------------
Status: FAILED
Accelerator Config State Operational State
----------- ------------ -----------------
mapi Disabled Shutdown
>>Mapi Accelerator should be Enabled
>>Mapi Accelerator should be in Running state
Verifying SSL Accelerator State
-------------------------------
Status: FAILED
>>Accelerator Config State Operational State
----------- ------------ -----------------
ssl Disabled Shutdown
>>SSL Accelerator should be Enabled
>>SSL Accelerator should be in Running state
Verifying Wan-secure State
--------------------------
Status: FAILED
>>Accelerator Config State Operational State
----------- ------------ -----------------
wan-secure Disabled Shutdown
>>Wan-secure should be Enabled
>>Wan-secure should be in Running state
Verifying Mapi Wan-secure mode Setting
---------------------------------
Status: FAILED
Accelerator Config Item Mode Value
----------------------- ---- ------
WanSecure Mode User Not Applicable
>>Mapi wan-secure setting should be auto/always
Verifying NTP State
--------------------
Status: FAILED
>>NTP status should be enabled and configured
Summary [EDGE]:
===============
Device has to be properly configured for one or more components
[CORE:]
Verifying encryption-service State
----------------------------------
Status: FAILED
Service Config State Operational State
----------- ------------ -----------------
Encryption-service Disabled Shutdown
>>Encryption Service should be Enabled
>>Encryption Service status should be in 'Running' state
Verifying Encryption-service Identity Settings
----------------------------------------------
Status: FAILED
>>No active Encryption-service Identity is configured.
>>Please configure an active Windows Domain Encryption Service Identity.
Summary [CORE]: Applicable only on CORE WAEs
============================================
Device has to be properly configured for one or more components
以下是正確配置的核心WAE的輸出:
Core#acc mapi verify encryption-settings [EDGE:]
Verifying Mapi Accelerator State
--------------------------------
Status: OK
Verifying SSL Accelerator State
-------------------------------
Status: OK
Verifying Wan-secure State
--------------------------
Status: OK
Verifying Mapi encryption Settings
----------------------------------
Status: OK
Verifying Mapi Wan-secure mode Setting
---------------------------------
Status: OK
Verifying NTP State
--------------------
Status: OK
Summary [EDGE]:
===============
Device has proper configuration to accelerate encrypted traffic
[CORE:]
Verifying encryption-service State
----------------------------------
Status: OK
Verifying Encryption-service Identity Settings
----------------------------------------------
Status: OK
Summary [CORE]: Applicable only on CORE WAEs
============================================
Device has proper configuration to accelerate encrypted traffic
步驟3 — 手動驗證上述診斷命令未檢查的WAE設定。
1)上面的命令檢查是否存在已配置的NTP,但實際上不會驗證WAE和KDC之間的時間是否同步。在Core和KDC之間保持時間同步對於金鑰檢索成功是非常重要的。
如果手動檢查顯示它們不同步,則將ntpdate命令(ntpdate <KDC ip>)作為強制WAE時鐘同步的簡單方法。 然後將WAE指向企業NTP伺服器。
2)驗證dnslookup是否在Exchange伺服器的FQDN和KDC的FQDN的所有WAE上成功
3)驗證路徑中的所有WAE上是否正確配置了類對映和策略對映。
pdi-7541-dc#sh class-map type waas MAPI
Class-map type waas match-any MAPI
Match tcp destination epm mapi(0 flow-matches)
pdi-7541-dc#show policy-map type waas Policy-map type waas
WAAS-GLOBAL(6084690計)
MAPI類(0個流匹配)
最佳化完全加速mapi應用程式電子郵件和消息傳送
4)驗證所有WAE「show cms secure store」上的CMS安全儲存是否已開啟和初始化
資料分析
除了分析diagnostic命令和手動show命令的輸出外,您還需要檢視sysreport。
具體來說,您需要複查mapiao-errorlog、sr-errorlog(僅限核心WAE)和wsao-errorlog檔案。
每個日誌中都會有提示,具體取決於會導致連線下降到通用AO的原因。
此處作為參考的是顯示各種工作元件的輸出示例
此輸出來自sr-errorlog並顯示機器帳戶加密服務標識的驗證
附註:這僅確認核心WAE已加入域,且電腦帳戶存在。
07/03/2012 19:12:07.278(Local)(6249 1.5) NTCE (278902) Adding Identity MacchineAcctWAAS to map active list in SRMain [SRMain.cpp:215] 07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE (279018) Adding identity(MacchineAcctWAAS) to Map [SRDiIdMgr.cpp:562] 07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE (279282) Activate Id: MacchineAcctWAAS [SRMain.cpp:260] 07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE (279306) Identity MacchineAcctWAAS found in the Map [SRDiIdMgr.cpp:702] 07/03/2012 19:12:07.279(Local)(6249 1.5) NTCE (279321) Authentication for ID: MacchineAcctWAAS [SRDiIdMgr.cpp:398] 07/03/2012 19:12:07.330(Local)(6249 1.5) NTCE (330581) Authentication success, tkt validity starttime 1341342727 endtime 1341378727 [SRDiIdMgr.cpp:456] 07/03/2012 19:12:07.330(Local)(6249 1.5) NTCE (330599) ID_TAG :MacchineAcctWAAS Name : pdi-7541-dc Domain : PDIDC.CISCO.COM Realm : PDIDC.CISCO.COM CLI_GUID : SITE_GUID : CONF_GUID : Status:ENABLED Black_Listed:NO AUTH_STATUS: SUCCESS ACCT_TYPE:Machine [SRIdentityObject.cpp:85] 07/03/2012 19:12:07.331(Local)(6249 1.5) NTCE (331685) DN Info found for domain PDIDC.CISCO.COM [SRIdentityObject.cpp:168] 07/03/2012 19:12:07.347(Local)(6249 1.5) NTCE (347680) Import cred successfull for pn: pdi-7541-dc@PDIDC.CISCO.COM [AdsGssCli.cpp:111]
此輸出再次來自核心sr-errorlog,並顯示從KDC成功檢索金鑰。
10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673766) Key Not Found in cache, initiating retrieval for spn:exchangeMDB/pdidc-exchange1.pdidc.cisco.com [SRServer.cpp:297] 10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673811) Queued InitiateKeyRetrieval task [SRServer.cpp:264]10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673819) Key retrieval is in Progress [SRServer.cpp:322] 10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673818) Initiating key retrieval [SRServer.cpp:271] 10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673827) initiating key retrieval in progress [SRDataServer.cpp:441] 10/23/2012 15:46:55.673(Local)(3780 1.2) NTCE (673834) Sending ack for result 2, item name /cfg/gl/sr/sr_get_key/pdidc-exchange1.pdidc.cisco.com@pdidc.cisco.com [SRDataServer.cpp:444] 10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673922) Match found for DN: pdidc.cisco.com is ID:MacchineAcctWAAS [SRDiIdMgr.cpp:163] 10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673937) Identity MacchineAcctWAAS found in the Map [SRDiIdMgr.cpp:702] 10/23/2012 15:46:55.673(Local)(3780 0.0) NTCE (673950) DN Info found for domain pdidc.cisco.com [SRIdentityObject.cpp:168] 10/23/2012 15:46:55.674(Local)(3780 0.0) NTCE (674011) DRS_SPN: E3514235-4B06-11D1-AB04-00C04FC2DCD2/e4c83c51-0b59-4647-b45d-780dd2dc3344/PDIDC.CISCO.COM for PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:51] 10/23/2012 15:46:55.674(Local)(3780 0.0) NTCE (674020) CREATED srkr obj(0x50aa00) for spn (exchangeMDB/pdidc-exchange1.pdidc.cisco.com) [SRKeyMgr.cpp:134] 10/23/2012 15:46:55.674(Local)(3780 1.3) NTCE (674421) Import cred successfull for pn: PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:135] 10/23/2012 15:46:55.676(Local)(3780 1.3) NTCE (676280) session(0x50aa00) Complete TGT stage of GSS Successful, Initiating AppApi [SRKeyRetriever.cpp:408] 10/23/2012 15:46:55.676(Local)(3780 0.1) NTCE (676415) SRKR: Success in posting connect to service <ip:0e:6e:03:a3><port:135> [IoOperation.cpp:222] 10/23/2012 15:46:55.676(Local)(3780 0.0) NTCE (676607) Connected to server. [IoOperation.cpp:389] 10/23/2012 15:46:55.677(Local)(3780 0.0) NTCE (677736) SRKR: Success in posting connect to service <ip:0e:6e:03:a3><port:1025> [IoOperation.cpp:222] 10/23/2012 15:46:55.678(Local)(3780 0.1) NTCE (678001) Connected to server. [IoOperation.cpp:389] 10/23/2012 15:46:55.679(Local)(3780 0.1) NTCE (679500) Cleaning up credential cache for PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:212] 10/23/2012 15:46:55.680(Local)(3780 0.1) NTCE (680011) Parsing DRSBIND Response [AppApiDrsBind.cpp:222] 10/23/2012 15:46:55.680(Local)(3780 0.1) NTCE (680030) DRSBind Success, Status:00000000 [AppApiDrsBind.cpp:359] 10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685502) session(0x50aa00) Successful in Key Retrieval from AD for SPN:exchangeMDB/pdidc-exchange1.pdidc.cisco.com [SRKeyRetriever.cpp:269] 10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685583) Send Key response to the Client for spn: exchangeMDB/pdidc-exchange1.pdidc.cisco.com, # of req's : 1 [SRKeyMgr.cpp:296] 10/23/2012 15:46:55.685(Local)(3780 0.1) NTCE (685594) Deleting spn: exchangeMDB/pdidc-exchange1.pdidc.cisco.com entry from Pending key request map [SRKeyMgr.cpp:303]
此輸出來自邊緣WAE上的mapiao-errorlog檔案,以成功建立eMAPI連線
'''10/23/2012 17:56:23.080(Local)(8311 0.1) NTCE (80175) (fl=2433) Edge TCP connection initiated (-1409268656), Conn: [14.110.3.117:58352 <=> 14.110.3.99:27744], Flavor: 0 [EdgeTcpConnectionDceRpcLayer.cpp:43] 10/23/2012 17:56:23.080(Local)(8311 0.1) NTCE (80199) Edge TCP connection initiated (-1409268656), Conn: [14.110.3.117:58352 <=> 14.110.3.99:27744], Flavor: 0 [EdgeTcpConnectionDceRpcLayer.cpp:48] 10/23/2012 17:56:23.108(Local)(8311 0.0) NTCE (108825) (fl=2433) Bind Request from client with AGID 0x0, callId 2, to dest-ip 14.110.3.99, AuthLevel: PRIVACY AuthType: SPNEGO AuthCtxId: 0 WsPlumb:1 [EdgeTcpConnectionDceRpcLayer.cpp:1277]''' 10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109935) CheckAndDoAoshReplumbing perform replumbing wsPlumbState 1 [Session.cpp:315] 10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109949) (fl=2433) AOSH Replumbing was performed returned Status 0 [Session.cpp:337] 10/23/2012 17:56:23.109(Local)(8311 0.0) NTCE (109956) CheckAndPlumb WanSecure(14) ret:= [1,0] WsPlumb:4 fd[client,server]:=[25,26] [AsyncOperationsQueue.cpp:180] 10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312687) (fl=2433) Connection multiplexing enabled by server on the connection. [EdgeTcpConnectionDceRpcLayer.cpp:499] 10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312700) (fl=2433) Header signing enabled by server on the connection. [EdgeTcpConnectionDceRpcLayer.cpp:510] 10/23/2012 17:56:23.312(Local)(8311 0.1) NTCE (312719) (fl=2433) OnNewConnection - Client IP 14.110.3.117 (0xe6e0375), Serv IP 14.110.3.99 (0xe6e0363), nDstPort=27744, nAssociationGroup=0x11de4,conn_fd=26, bWasConnectionFromReservedPool=0, bIsNewMapiSession=1 [ConnectionReservationManager.cpp:255] '''10/23/2012 17:56:23.366(Local)(8311 0.1) NTCE (366789) (fl=2433) Received security context from core with auth context id: 0 [EdgeTcpConnectionDceRpcLayer.cpp:2912] 10/23/2012 17:56:23.367(Local)(8311 0.1) NTCE (367157) (fl=2433) Security Layer moved to ESTB state [FlowSecurityLayer.cpp:311]''' 10/23/2012 17:56:23.368(Local)(8311 0.1) NTCE (368029) (fl=2433) Informational:: Send APC set to WS: asking for Cipher 2 [EdgeTcpConnectionDceRpcLayer.cpp:809] 10/23/2012 17:56:23.368(Local)(8311 0.1) NTCE (368041) (fl=2433) Sec-Params [CtxId, AL, AT, ACT, DCT, [Hs, ConnMplx, SecMplx]]:=[0, 6, 9, 18, 18 [1,1,0]] [FlowIOBuffers.cpp:477] 10/23/2012 17:56:23.369(Local)(8311 0.0) NTCE (369128) (fl=2433) CEdgeTcpConnectionEmsMdbLayer::ConnectRequestCommon (CallId 2): client version is ProductMajor:14, Product Minor:0, Build Major:6117, Build Minor:5001 Client ip 14.110.3.117 Client port 58352 Dest ip 14.110.3.99 Dest port 27744 [EdgeTcpConnectionEmsMdbLayer.cpp:1522] 10/23/2012 17:56:23.868(Local)(8311 0.1) ERRO (868390) (fl=2433) ContextHandle.IsNull() [EdgeTcpConnectionEmsMdbLayer.cpp:1612] 10/23/2012 17:56:23.890(Local)(8311 0.0) NTCE (890891) (fl=2433) CEdgeTcpConnectionEmsMdbLayer::ConnectRequestCommon (CallId 3): client version is ProductMajor:14, Product Minor:0, Build Major:6117, Build Minor:5001 Client ip 14.110.3.117 Client port 58352 Dest ip 14.110.3.99 Dest port 27744 [EdgeTcpConnectionEmsMdbLayer.cpp:1522]
以下是相同TCP連線的mapiao-errorlog對應的核心WAE輸出
'''10/23/2012 17:56:54.092(Local)(6408 0.0) NTCE (92814) (fl=21) Core TCP connection initiated (11892640), Conn: [14.110.3.117:58352 <=> 14.110.3.99:27744], F
lavor: 0 [CoreTcpConnectionDceRpcLayer.cpp:99]
10/23/2012 17:56:54.092(Local)(6408 0.0) NTCE (92832) Core TCP connection initiated (11892640), Conn: [14.110.3.117:58352 <=> 14.110.3.99:27744], Flavor: 0
[CoreTcpConnectionDceRpcLayer.cpp:104]'''
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175035) SrlibCache Cache eviction starting: static void srlib::CSrlibCache:: OnAoShellDispatchCacheCleanup(vo
id*, aosh_work*) [SrlibCache.cpp:453]
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175068) last_cleanup_time (1344411860), evict_in_progress(1) handled_req_cnt (1) cache_size (0) [SrlibCache.
cpp:464]
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175121) SendNextCmd isDuringSend 0, WriteQueue sz 1, isDuringclose 0 [SrlibClientTransport.cpp:163]
10/23/2012 17:56:54.175(Local)(6408 0.0) NTCE (175132) SendNextCmd: Sending request: exchangeMDB/PDIDC-EXCHANGE1.pdidc.cisco.com:23[v:=11], WriteQueue sz 0
[bClose 0] [SrlibClientTransport.cpp:168]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185576) OnReadComplete len 4 status 0 isDuringRead 1, isDuringHeaderRead 1, isDuringclose 0 [SrlibTransport.
cpp:127]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185587) Parse header, msg body len 152 [SrlibTransport.cpp:111]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185592) ReadNextMsg isDuringRead 0, isDuringHeaderRead 1, isDuringclose 0 [SrlibTransport.cpp:88]
10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185623) OnReadComplete len 148 status 0 isDuringRead 1, isDuringHeaderRead 0, isDuringclose 0 [SrlibTranspor
t.cpp:127]
'''10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185688) Insert new KrbKey: exchangeMDB/PDIDC-EXCHANGE1.pdidc.cisco.com::23[v:=11]:[{e,f,l}:={0, 0x1, 16} [S
rlibCache.cpp:735]
'''10/23/2012 17:56:54.185(Local)(6408 0.1) NTCE (185747) ReadNextMsg isDuringRead 0, isDuringHeaderRead 0, isDuringclose 0 [SrlibTransport.cpp:88]
'''10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261575) (fl=21) Successfully created memory keytab with name: MEMORY:exchangeMDB@PDIDC-EXCHANGE1.pdidc.cisco
.com0nxrPblND [GssServer.cpp:468]
10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261613) (fl=21) Successfully added entry in memory keytab. [GssServer.cpp:92]
10/23/2012 17:56:54.261(Local)(6408 0.1) NTCE (261858) (fl=21) Successfully acquired credentials. [GssServer.cpp:135]'''
常見問題
以下是導致eMAPI連線切換到通用AO(TG)的一些常見原因。
問題1:核心WAE上配置的加密服務標識在AD中沒有正確的許可權。
核心WAE上sr-errolog的輸出
09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147570) session(0x517fa0) Failed to Retrieve Key from AD for SPN:exchangeMDB/outlook.sicredi.net.br error:16 [SRKeyRetriever.cpp:267] '''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147592) Key retrieval failed with Status 16 [SRKeyMgr.cpp:157] ''''''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147623) Identity "WAASMacAct" has been blacklisted [SRDiIdMgr.cpp:258] ''''''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147631) Key retrieval failed due to permission issue [SRKeyMgr.cpp:167] '''09/25/2012 18:47:54.147(Local)(9063 0.1) ERRO (147636) Identity: WAASMacAct will be black listed. [SRKeyMgr.cpp:168] 09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147657) Calling KrbKeyResponse key handler in srlib [SRServer.cpp:189] 09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147722) Queued send reponse buffer to client task [SrlibServerTransport.cpp:136] 09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147730) KrbKeyResponse, sent to client session object [SrlibServer.cpp:203] 09/25/2012 18:47:54.147(Local)(9063 0.0) NTCE (147733) SendNextCmd isDuringSend 0, WriteQueue size 1 isDuringClose 0 [SrlibServerTransport.cpp:308] 09/25/2012 18:47:54.147(Local)(9063 0.1) NTCE (147740) Send Key response to the Client
決議1:請參考配置指南,並驗證AD中的對象具有正確的許可權。「Replicating Directory Changes」和「Replicating Directory Changes All」必須都設定為允許。
問題2:核心WAE與其嘗試從中檢索金鑰的KDC之間存在時間偏差
核心WAE上sr-errolog的輸出
10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507836) Initiating key retrieval [SRServer.cpp:271] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507878) Match found for DN: pdidc.cisco.com is ID:MacchineAcctWAAS [SRDiIdMgr.cpp:163] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507888) Identity MacchineAcctWAAS found in the Map [SRDiIdMgr.cpp:702] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507901) DN Info found for domain pdidc.cisco.com [SRIdentityObject.cpp:168] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507923) DRS_SPN: E3514235-4B06-11D1-AB04-00C04FC2DCD2/e4c83c51-0b59-4647-b45d-780dd2dc3344/PDIDC.CISCO.COM for PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:51] 10/23/2012 01:31:33.507(Local)(1832 0.1) NTCE (507933) CREATED srkr obj(0x2aaaac0008c0) for spn (exchangeMDB/pdidc-exchange1.pdidc.cisco.com) [SRKeyMgr.cpp:134] 10/23/2012 01:31:33.508(Local)(1832 1.6) NTCE (508252) Import cred successfull for pn: PDI-7541-DC@PDIDC.CISCO.COM [GssCli.cpp:135] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511151) CreateSecurityContext: gss_init_sec_context failed [majorStatus = 851968 (0xd0000)] [GssCli.cpp:176] '''10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511170) GSS_MAJOR ERROR:851968 msg_cnt:0, Miscellaneous failure (see text)CD2 [GssCli.cpp:25] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511177) GSS_MINOR ERROR:2529624064 msg_cnt:0, Clock skew too great [GssCli.cpp:29] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511182) gsskrb5_get_subkey failed: 851968,22, [GssCli.cpp:198] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511188) session(0x2aaaac0008c0) Error: Invalid security ctx state, IsContinue is false with out token exchange [SRKeyRetriever.cpp:386] 10/23/2012 01:31:33.511(Local)(1832 1.6) ERRO (511193) session(0x2aaaac0008c0) Failed to Retrieve Key from AD for SPN:exchangeMDB/pdidc-exchange1.pdidc.cisco.com error:1 [SRKeyRetriever.cpp:267]''' 10/23/2012 01:31:33.511(Local)(1832 0.0) ERRO (511213) Key retrieval failed with Status 1 [SRKeyMgr.cpp:157]
決議2:在所有WAE(尤其是核心)上使用ntpdate將時鐘與KDC同步。然後指向企業NTP伺服器(最好與KDC相同)。
問題3:您為加密服務定義的域與Exchange伺服器所在的域不匹配。
核心WAE上sr-errolog的輸出
10/23/2012 18:41:21.918(Local)(3780 1.5) NTCE (918788) Key retrieval is in Progress [SRServer.cpp:322] 10/23/2012 18:41:21.918(Local)(3780 1.5) NTCE (918793) initiating key retrieval in progress [SRDataServer.cpp:441] 10/23/2012 18:41:21.918(Local)(3780 0.0) NTCE (918790) Initiating key retrieval [SRServer.cpp:271] 10/23/2012 18:41:21.918(Local)(3780 1.5) NTCE (918798) Sending ack for result 2, item name /cfg/gl/sr/sr_get_key/pdidc-exchange.cisco.com@cisco.com [SRDataServer.cpp:444] 10/23/2012 18:41:21.918(Local)(3780 0.0) ERRO (918813) Failed to find Identity match for domain cisco.com [SRDiIdMgr.cpp:157] 10/23/2012 18:41:21.918(Local)(3780 0.0) NTCE (918821) Failed to find identity match for domain [SRKeyMgr.cpp:120] 10/23/2012 18:41:21.918(Local)(3780 0.0) NTCE (918832) Send Key response to the Client for spn: exchangeMDB/pdidc-exchange.cisco.com, # of req's: 1 [SRKeyMgr.cpp:296]
決議3:如果您的核心WAE服務不同域中的多個Exchange伺服器,則必須為Exchange伺服器所在的每個域配置加密服務標識。
注意,目前不支援子域包括。因此,如果您有myexchange.sub-domain.domain.com ,則加密服務標識必須位於sub-domain.domain.com中;它不能位於父域中。
問題4:如果WANecure失敗,您的連線可以丟棄到TG
eMAPI連線可以切換到通用AO,因為WAN安全外掛失敗。WAN安全外掛失敗,因為證書驗證失敗。對等體證書驗證將失敗,因為正在使用預設的自簽名對等體證書,或者該證書已合法地失敗了OCSP檢查。
核心WAE設定
crypto pki global-settings ocsp url http://pdidc.cisco.com/ocsp revocation-check ocsp-cert-url exit ! crypto ssl services host-service peering peer-cert-verify exit ! WAN Secure: Accelerator Config Item Mode Value ----------------------- ---- ------ SSL AO User enabled Secure store User enabled Peer SSL version User default Peer cipher list User default Peer cert User default Peer cert verify User enabled
這將產生以下mapiao-errorlog和wsao-errorlog條目:
此處的提示是第一條突出顯示的「已連續四次斷開連線」行
客戶端WAE上的Mapiao-errorlog:
'''10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25621) (fl=267542) Client 10.16.1.201 disconnected more than four consecutive times - push down to generic ao. [EdgeTcpConnectionDceRpcLayer.cpp:1443] '''10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25634) (fl=267542) CEdgeIOBuffers:: StartHandOverProcessSingleConnection: SECURED_STATE_NOT_ESTABLISHED [EdgeIOBuffers.cpp:826] 10/08/2012 20:02:15.025(Local)(24333 0.0) NTCE (25644) (fl=267542) CEdgeIOBuffers::CheckSendHandOverRequestToCoreAndBlockLan - Blocking LAN for read operations after last fragment of call id 0, current call id is 2 [EdgeIOBuffers.cpp:324] 10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48753) (fl=267542) Connection multiplexing enabled by server on the connection. [EdgeTcpConnectionDceRpcLayer.cpp:499] 10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48771) (fl=267542) Header signing enabled by server on the connection. [EdgeTcpConnectionDceRpcLayer.cpp:510] 10/08/2012 20:02:15.048(Local)(24333 0.1) NTCE (48779) (fl=267542) CEdgeIOBuffers:: StartHandOverProcessSingleConnection: GENERAL_UNCLASSIFIED [EdgeIOBuffers.cpp:826]
客戶端WAE上的WSAO錯誤日誌:
'''10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430001) certificate verification failed 'self signed certificate' [open_ssl.cpp:1213] '''10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430047) ssl_read failed: 'SSL_ERROR_SSL' [open_ssl.cpp:1217] 10/08/2012 20:04:34.430(Local)(5939 4.0) ERRO (430055) openssl errors: error:14090086: SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1244: [open_ssl.cpp:1220]
決議4:從兩個WAE中刪除對等證書驗證配置,並在核心WAE上重新啟動加密服務。
pdi-7541-dc(config)#crypto ssl services host-service peering pdi-7541-dc(config-ssl-peering)#no peer-cert-verify pdi-7541-dc(config)#no windows-domain encryption-service enable pdi-7541-dc(config)#windows-domain encryption-service enable
問題5:如果Outlook客戶端使用NTLM,則連線將被向下推到通用AO。
您將在客戶端WAE的mapiao-errorlog中看到以下內容:
'''waas-edge#find-patter match ntlm mapiao-errorlog.current ''' 09/21/2012 20:30:32.154(Local)(8930 0.1) NTCE (154827) (fl=83271) Bind Request from client with AGID 0x0, callId 1, to dest-ip 172.21. 12.96, AuthLevel: PRIVACY '''AuthType:NTLM '''AuthCtxId: 153817840 WsPlumb: 2 [EdgeTcpConnectionDceRpcLayer.cpp:1277] 09/21/2012 20:30:32.154(Local)(8930 0.1) NTCE (154861) (fl=83271) '''Unsupported''' '''Auth Type :NTLM''' [EdgeTcpConnectionDceRpcLayer.cpp:1401] 09/21/2012 20:30:40.157(Local) (8930 0.0) NTCE (157628) (fl=83283) Bind Request from client with AGID 0x0, callId 2, to dest-ip 172.21. 12.96, AuthLevel: PRIVACY AuthType:NTLM AuthCtxId: 153817840 WsPlumb: 2 [EdgeTcpConnectionDceRpcLayer.cpp:1277]
第5號決議:客戶必須在Exchange環境中啟用/要求Kerberos身份驗證。不支援NTLM(自5.1起)
請注意,使用CAS時,有一個名為NTLM的Microsoft技術摘要。
Kerberos不起作用的場景特定於Exchange 2010,在以下場景中:
組織/域中的多個Exchange客戶端訪問伺服器(CAS)。
這些CAS伺服器使用任何方法(使用Microsoft的內建客戶端陣列功能或第三方負載均衡器)群集在一起。
在上面的場景中,Kerberos不起作用 — 客戶端預設情況下將回退到NTLM。我認為這是因為客戶端必須通過CAS伺服器身份驗證才能訪問郵箱伺服器,就像他們在以前的Exchange版本中做的那樣。
在Exchange 2010 RTM中,沒有針對此的修補程式!上述場景中的Kerberos在Exchange 2010-SP1之前永遠不會發揮作用。
在SP1中,可以在這些環境中啟用Kerberos,但這是一個手動過程。請參閱以下文章:http://technet.microsoft.com/en-us/library/ff808313.aspx
MAPI AO日誌記錄
- 以下日誌檔案可用於排除MAPI AO故障:
- 事務日誌檔案:/local1/logs/tfo/working.log(和/local1/logs/tfo/tfo_log_*.txt)
調試日誌檔案:/local1/errorlog/mapiao-errorlog.current(和mapiao-errorlog.*)
為了更輕鬆地進行調試,您應該首先設定ACL以限制資料包只訪問一台主機。
WAE674(config)# ip access-list extended 150 permit tcp host 10.10.10.10 any WAE674(config)# ip access-list extended 150 permit tcp any host 10.10.10.10
要啟用事務日誌記錄,請使用transaction-logs配置命令,如下所示:
wae(config)# transaction-logs flow enable wae(config)# transaction-logs flow access-list 150
可以使用type-tail命令檢視事務日誌檔案的結尾,如下所示:
wae# type-tail tfo_log_10.10.11.230_20090715_130000.txt Wed Jul 15 19:12:35 2009 :2289 :10.10.10.10 :3740 :10.10.100.101 :1146 :OT :END :EXTERNAL CLIENT :(MAPI) :822 :634 :556 :706 Wed Jul 15 19:12:35 2009 :2289 :10.10.10.10 :3740 :10.10.100.101 :1146 :SODRE :END :730 :605 :556 :706 :0 Wed Jul 15 19:12:35 2009 :2290 :10.10.10.10 :3738 :10.10.100.101 :1146 :OT :END :EXTERNAL CLIENT :(MAPI) :4758 :15914 :6436 :2006 Wed Jul 15 19:12:35 2009 :2290 :10.10.10.10 :3738 :10.10.100.101 :1146 :SODRE :END :4550 :15854 :6436 :2006 :0 Wed Jul 15 19:12:35 2009 :2284 :10.10.10.10 :3739 :10.10.100.101 :1146 :OT :END :EXTERNAL CLIENT :(MAPI) :1334 :12826 :8981 :1031
要設定和啟用MAPI AO的調試日誌記錄,請使用以下命令。
附註:調試日誌記錄是CPU密集型,可以生成大量輸出。在生產環境中慎重而謹慎地使用它。
您可以按如下方式啟用磁碟的詳細日誌記錄:
WAE674(config)# logging disk enable WAE674(config)# logging disk priority detail
您可以在ACL中啟用連線的調試日誌記錄,如下所示:
WAE674# debug connection access-list 150
MAPI AO調試的選項如下:
WAE674# debug accelerator mapi ? all enable all MAPI accelerator debugs Common-flow enable MAPI Common flow debugs DCERPC-layer enable MAPI DCERPC-layer flow debugs EMSMDB-layer enable MAPI EMSMDB-layer flow debugs IO enable MAPI IO debugs ROP-layer enable MAPI ROP-layer debugs ROP-parser enable MAPI ROP-parser debugs RPC-parser enable MAPI RPC-parser debugs shell enable MAPI shell debugs Transport enable MAPI transport debugs Utilities enable MAPI utilities debugs
您可以為MAPI連線啟用調試日誌記錄,然後按如下方式顯示調試錯誤日誌的結束:
WAE674# debug accelerator mapi Common-flow WAE674# type-tail errorlog/mapiao-errorlog.current follow
意見