Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
There are some settings on the Expressway regarding the number of auth attempts, etc. Have you tried to increase those to see if that makes any difference?

On Tue, Sep 15, 2015 at 10:45 AM, Ryan Huff <ryanh...@outlook.com> wrote:
> I'll have to sift through my logs and see if that is what my issue was.
> Thanks for the follow through Brian.
>
> Thanks,
>
> Ryan
>
> --
> Date: Tue, 15 Sep 2015 10:40:24 -0400
> Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
> From: bmead...@vt.edu
> To: kev...@advancedtsg.com
> CC: ryanh...@outlook.com; cisco-voip@puck.nether.net
>
> We're actually on 8.6.1.
>
> I dug through the logs a bit more and found the same user also had an 8800 series phone logged in via MRA. Doing some further searching, I found someone who had the same issue logging into Jabber with an 8841 already logged in via MRA.
>
> I had the user unplug their 8841 and they were able to login to Jabber fine after this.
>
> It looks like I'll be reaching out to the feature preview folks to make sure they know about this issue.
>
> Brian
>
> On Tue, Sep 15, 2015 at 8:20 AM, Kevin Przybylowski <kev...@advancedtsg.com> wrote:
>
> I almost upgraded our VCS servers to 8.6 last week and noticed a couple reviews on CCO so I stuck with 8.5.3. I’ll give 8.6.1 a try in a few days.
>
> From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Ryan Huff
> Sent: Monday, September 14, 2015 4:00 PM
> To: bmead...@vt.edu; cisco-voip@puck.nether.net
> Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>
> Brian I had this issue this weekend in 8.6. My original issue was the "no home uds cluster" but I had issues with the proxy protocol violation.
> Tac's response was go to 8.6.1 (released 9/11/15 ... yikes) or roll back to 8.5
>
> Thanks,
> Ryan
>
> ---- Original Message
> From: Brian Meade <bmead...@vt.edu>
> Sent: Monday, September 14, 2015 03:49 PM
> To: cisco-voip@puck.nether.net
> Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>
> Is anyone else having issues with the "HTTP proxy protocol violation" automated detection feature or Expressway?
>
> I've got over 10,000 hits on this built-in rule and it seems to be blocking some legitimate logins via Jabber.
>
> It looks like this in the event log:
>
> 2015-09-11T21:05:09-04:00 sh[1195]: Event="Intrusion Protection" Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"
>
> 2015-09-11T21:05:09-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
>
> It looks like this in the Jabber log:
>
> 2015-09-11 17:09:15,746 INFO [0x0dc0] [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient] [csf::http::executeImpl] - *-* HTTP response code 0 for request #2 to https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds_name=_cuplogin
>
> 2015-09-11 17:09:15,746 ERROR [0x0dc0] [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient] [csf::http::executeImpl] - There was an issue performing the call to curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR
>
> It looks like this in the detailed expressway logging:
>
> 2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146" Event="System Configuration Changed" Node="clusterdb@127.0.0.1" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid 12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"
>
> Anyone else seeing issues like this? This particular user also has an 8841 at home. Is there a limit to number of MRA connections behind a single public IP?
>
> Thanks,
>
> Brian Meade

___
cisco-voip mailing list
cisco-voip@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip
Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
Justin,

I'm sure I could play around with those parameters a bit but don't want to open us up to any sort of actual DOS attack.

I sent it over to cefeedb...@cisco.com which is handling support during the feature preview until TAC takes over. They said that it's an issue with the 8800 series firmware where the endpoint gets stuck in a loop sending repeated authentication attempts. I was able to view these requests at https:///edgestatushttpproxyrequests and confirmed we're getting a few per second per endpoint.

They're currently working on an ES for the 8800 series to resolve this issue. I'll test it once I get my hands on it and report back.

Thanks,
Brian

On Tue, Sep 15, 2015 at 3:04 PM, Justin Steinberg <jsteinb...@gmail.com> wrote:
> There are some settings on the Expressway regarding the number of auth attempts, etc. Have you tried to increase those to see if that makes any difference?
Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
I almost upgraded our VCS servers to 8.6 last week and noticed a couple reviews on CCO so I stuck with 8.5.3. I’ll give 8.6.1 a try in a few days.

From: cisco-voip [mailto:cisco-voip-boun...@puck.nether.net] On Behalf Of Ryan Huff
Sent: Monday, September 14, 2015 4:00 PM
To: bmead...@vt.edu; cisco-voip@puck.nether.net
Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection

Brian I had this issue this weekend in 8.6. My original issue was the "no home uds cluster" but I had issues with the proxy protocol violation.
Tac's response was go to 8.6.1 (released 9/11/15 ... yikes) or roll back to 8.5

Thanks,
Ryan
Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
We're actually on 8.6.1.

I dug through the logs a bit more and found the same user also had an 8800 series phone logged in via MRA. Doing some further searching, I found someone who had the same issue logging into Jabber with an 8841 already logged in via MRA.

I had the user unplug their 8841 and they were able to login to Jabber fine after this.

It looks like I'll be reaching out to the feature preview folks to make sure they know about this issue.

Brian

On Tue, Sep 15, 2015 at 8:20 AM, Kevin Przybylowski <kev...@advancedtsg.com> wrote:
> I almost upgraded our VCS servers to 8.6 last week and noticed a couple reviews on CCO so I stuck with 8.5.3. I’ll give 8.6.1 a try in a few days.
Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
I'll have to sift through my logs and see if that is what my issue was. Thanks for the follow through Brian.

Thanks,
Ryan

Date: Tue, 15 Sep 2015 10:40:24 -0400
Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
From: bmead...@vt.edu
To: kev...@advancedtsg.com
CC: ryanh...@outlook.com; cisco-voip@puck.nether.net

We're actually on 8.6.1.

I dug through the logs a bit more and found the same user also had an 8800 series phone logged in via MRA. Doing some further searching, I found someone who had the same issue logging into Jabber with an 8841 already logged in via MRA.

I had the user unplug their 8841 and they were able to login to Jabber fine after this.

It looks like I'll be reaching out to the feature preview folks to make sure they know about this issue.

Brian
Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
Brian I had this issue this weekend in 8.6. My original issue was the "no home uds cluster" but I had issues with the proxy protocol violation.
Tac's response was go to 8.6.1 (released 9/11/15 ... yikes) or roll back to 8.5

Thanks,
Ryan

---- Original Message
From: Brian Meade <bmead...@vt.edu>
Sent: Monday, September 14, 2015 03:49 PM
To: cisco-voip@puck.nether.net
Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection

> Is anyone else having issues with the "HTTP proxy protocol violation" automated detection feature or Expressway?
>
> I've got over 10,000 hits on this built-in rule and it seems to be blocking some legitimate logins via Jabber.
>
> It looks like this in the event log:
>
> 2015-09-11T21:05:09-04:00 sh[1195]: Event="Intrusion Protection" Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"
>
> 2015-09-11T21:05:09-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
>
> It looks like this in the Jabber log:
>
> 2015-09-11 17:09:15,746 INFO [0x0dc0] [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient] [csf::http::executeImpl] - *-* HTTP response code 0 for request #2 to https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds_name=_cuplogin
>
> 2015-09-11 17:09:15,746 ERROR [0x0dc0] [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient] [csf::http::executeImpl] - There was an issue performing the call to curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR
>
> It looks like this in the detailed expressway logging:
>
> 2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146" Event="System Configuration Changed" Node="clusterdb@127.0.0.1" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid 12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"
>
> Anyone else seeing issues like this? This particular user also has an 8841 at home. Is there a limit to number of MRA connections behind a single public IP?
>
> Thanks,
> Brian Meade