Commodore

Tracing a D101 error.

Good Afternoon!

Recently I have been discovering a TON of D101 errors in my POA log files for a former employee showing like this: 

Error: User not on post office [D101] User:xxxxxx    App( SOAP )

Is there a way to trace where these requests to the POA are coming from? We only have one Post Office, the user is no longer in GroupWise, doesn't have any outstanding nicknames, isn't in GMS, isn't in eDirectory, etc.

I have tried rebuilding my post office database as mentioned in a TID I saw, but that didn't help either.

I discovered this because every few weeks, always on the weekend for some reason, our server bogs down and requires a restart.  Since there are many more of these errors on the weekend, they may be the cause.

GroupWise 18.2.1 running on OES 2018

Thanks for any help you can provide!

Accepted Solutions
Micro Focus Expert

Hi,

I suggest doing a packet capture on the server filtering on the SOAP port.  That could reveal the IP address that the SOAP requests are coming from.  I use "tcpdump" on servers to accomplish this.

Cheers,

Laura
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...
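
One way to turn the packet capture suggested above into a ranked list of source addresses, added here as an example and not part of the original reply. The port 7191, the interface `eth0`, the function names and the sample capture lines are assumptions or constructed values; substitute the SOAP port your POA is configured with.

```shell
#!/bin/sh
# Added example: rank the hosts that open connections to the POA's SOAP port.
# SOAP_PORT is an assumption (7191 is the usual POA default); use your POA's value.
SOAP_PORT="${SOAP_PORT:-7191}"

# Capture on the server as root, new connections only (eth0 is an assumption):
#   tcpdump -nn -l -i eth0 \
#     "tcp dst port $SOAP_PORT and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn" > soap.txt
# -nn keeps addresses and ports numeric, which the parser below relies on.

# soap_sources: read `tcpdump -nn` text on stdin, print "count source-ip",
# busiest source first. Only the initial SYN of each connection is counted.
soap_sources() {
    awk -v port="$SOAP_PORT" '
    {
        # Locate the protocol field; newer tcpdump builds put the interface
        # name and direction in front of it when capturing on "any".
        for (i = 1; i <= NF; i++) if ($i == "IP" || $i == "IP6") break
        if (i + 3 > NF || $(i + 2) != ">") next
        dst = $(i + 3); sub(/:$/, "", dst)          # "addr.port:" -> "addr.port"
        dport = dst; sub(/^.*\./, "", dport)        # text after the last dot
        if (dport != port) next                     # not aimed at the SOAP port
        if ($0 !~ /Flags \[S\]/) next               # skip SYN-ACK, ACK, data
        src = $(i + 1); sub(/\.[0-9]+$/, "", src)   # drop ephemeral source port
        hits[src]++
    }
    END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample capture (documentation address ranges, not real hosts).
sample_capture() {
    cat <<'EOF'
10:00:01.000001 IP 192.0.2.44.50112 > 192.0.2.5.7191: Flags [S], seq 1, win 64240, length 0
10:00:01.000050 IP 192.0.2.5.7191 > 192.0.2.44.50112: Flags [S.], seq 9, ack 2, win 65160, length 0
10:00:01.000090 IP 192.0.2.44.50112 > 192.0.2.5.7191: Flags [.], ack 1, win 502, length 0
10:00:02.100000 IP 192.0.2.44.50113 > 192.0.2.5.7191: Flags [S], seq 5, win 64240, length 0
10:00:03.200000 IP 192.0.2.44.50114 > 192.0.2.5.7191: Flags [S], seq 7, win 64240, length 0
10:00:04.300000 IP 198.51.100.7.41000 > 192.0.2.5.7191: Flags [S], seq 3, win 29200, length 0
10:00:05.400000 IP 192.0.2.60.39000 > 192.0.2.5.443: Flags [S], seq 4, win 64240, length 0
10:00:06.500000 IP6 2001:db8::9.51000 > 2001:db8::5.7191: Flags [S], seq 8, win 64800, length 0
EOF
}

sample_capture | soap_sources
```

A source whose count tracks the rate of D101 lines in the POA log for the same window is the host to inspect first.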

13 Replies
Knowledge Partner

A simple login attempt via WebAccess would cause this. Try to log in to WebAccess as "Dirk Nowitzki" (unless he has a valid account, of course) or someone else without an account in your system and check the logs.

If you like it: like it.
Knowledge Partner

I don't recall, but can leftover event configurations cause this?

See https://support.microfocus.com/kb/doc.php?id=7005743

--
Ken
Knowledge Partner

Create and vote for enhancements in the Idea Exchange forums!
Don't forget to Like helpful posts and mark Solutions!
Commodore

Thanks for the suggestions. This user's name wasn't in the list as described in the TID, and I did a test login with a bad username in WebAccess and did see the bad username in the log, but only once. The departed user in question shows up 1064 times in a 50-minute chunk of log file. The only user I'm seeing in the logs nearly as much is the only user we have that works remotely and uses a caching mailbox on the Windows client. I'm pretty sure the departed user didn't have the know-how to set that up.

Mark

Knowledge Partner

Did you check apache logs for what happened at the times you get the D101 logged?

If you like it: like it.
Commodore

I just looked at the logs in /var/log/apache2 and the user's name doesn't show up in any of those, but neither did the bogus user I used for the test, so maybe I'm not looking at the correct logs.

Knowledge Partner

You wouldn't see a username there, but you'd see IP addresses of connecting devices. As you've mentioned that it happens mainly on the weekend (i.e. not too many "regular" logins) it should be fairly easy to track down.

If you like it: like it.
Knowledge Partner

And you can see the invalid user in the WebAccess log along with the timestamp.

If you like it: like it.
Commodore

After looking at those logs, the request is definitely not coming from WebAccess.

Knowledge Partner

It could be merely anything using SOAP, which potentially means any sort of third-party software. This could include smarthosts which check for the existence of the receiver of an incoming mail.

If you like it: like it.
Commodore

Could the user have had access to a system that was sending automated reports at the weekend and kept trying? 

Commodore

To be clear, it's not just on the weekends, there's just more on the weekends. Still thousands a day no matter what day it is. I'm going to look at the router for SOAP access to see if it's from the outside. However, if it's internal, I was just looking to see if there was a way to trace where the requests are coming from.

Thanks for all the suggestions!  I've been out of the office a few days.
