Re: [cisco-voip] untraceable connection attempt?

2017-12-22 Thread Brian Meade
There's a bunch of monitoring tools out there that do a port scan then probe to make sure those ports stay open.
On Wed, Dec 20, 2017 at 10:56 AM, Wes Sisk (wsisk) wrote:
> +1. I have seen syn scan or TCP half open cause alerts with no ip, no mac.
>
> you can get some insight

Re: [cisco-voip] untraceable connection attempt?

2017-12-20 Thread Wes Sisk (wsisk)
+1. I have seen SYN scan or TCP half open cause alerts with no IP, no MAC.
You can get some insight if this is happening using the workaround for CSCsw73304 CLI show open ports to show ports in SYN_RECV
-wes
On Dec 20, 2017, at 7:47 AM, Dave Goodwin

Re: [cisco-voip] untraceable connection attempt?

2017-12-20 Thread Lelio Fulgenzi
Fulgenzi <le...@uoguelph.ca>
Cc: Ryan Huff <ryanh...@outlook.com>; cisco-voip voyp list <cisco-voip@puck.nether.net>
Subject: Re: [cisco-voip] untraceable connection attempt?
Any chance there’s an active vulnerability scanning machine on the network? With SYN scanning (half-op

Re: [cisco-voip] untraceable connection attempt?

2017-12-20 Thread Dave Goodwin
Any chance there’s an active vulnerability scanning machine on the network? With SYN scanning (half-open scans), it only sends a SYN packet to each port and never fully opens a TCP connection. I’m wondering whether this scenario might cause CallManager to report this incomplete registration alarm

Re: [cisco-voip] untraceable connection attempt?

2017-12-19 Thread Lelio Fulgenzi
Also, definitely not exceeded number of registered devices. Especially not on the node where this alarm was coming from.
Sent from my iPhone
On Dec 20, 2017, at 12:01 AM, Ryan Huff wrote:
Yeah it’s tough for sure, because the error is from

Re: [cisco-voip] untraceable connection attempt?

2017-12-19 Thread Lelio Fulgenzi
Yeah... gonna just ignore it for now. But it does worry me. Especially if it came from the data side of things.
Sent from my iPhone
On Dec 20, 2017, at 12:01 AM, Ryan Huff wrote:
Yeah it’s tough for sure, because the error is from the

Re: [cisco-voip] untraceable connection attempt?

2017-12-19 Thread Ryan Huff
Yeah it’s tough for sure, because the error is from the device failing to register, before providing any identifying information about itself ... so next to impossible to find from the mothership point of view. You haven’t by chance exceeded the “Maximum Number of Registered Devices” threshold

Re: [cisco-voip] untraceable connection attempt?

2017-12-19 Thread Lelio Fulgenzi
First time I think I've ever seen this. Especially with no MAC or IP addr. Only one alert. But we've recently started allowing Jabber connections from our data VLANs. I'd hate for it to be the beginning of something larger.
Sent from my iPhone
On Dec 19, 2017, at 11:35 PM, Ryan Huff

Re: [cisco-voip] untraceable connection attempt?

2017-12-19 Thread Ryan Huff
Could also be network connectivity among a lot of things but more often than not, bouncing CM service seems to fix if this is a recurring alarm. If it’s a one time alarm you’ve not seen before; likely legitimately referring to a device. If you’ve recently added any new devices, check network

Re: [cisco-voip] untraceable connection attempt?

2017-12-19 Thread Lelio Fulgenzi
I used that page as the source although we're on 9.1. Figure reason codes are pretty static. But where do I find the details about a node restart necessary? I'm on a phone so can't get good overall view of page. Also, we only just recently restarted the whole cluster.
Sent from my iPhone
On

Re: [cisco-voip] untraceable connection attempt?

2017-12-19 Thread Ryan Huff
Sounds like you should schedule a bounce of the CM service for this node. Have a read here for more detail:
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/err_msgs/8_x/ccmalarms851.html
Thanks, Ryan
On Dec 19, 2017, at 11:11 PM, Lelio Fulgenzi

[cisco-voip] untraceable connection attempt?

2017-12-19 Thread Lelio Fulgenzi
This is weird. No MAC. No IP. Reason code 14 points to SIP malformed header. But trying to connect to port 2000?
Sent from my iPhone
Begin forwarded message:
%UC_CALLMANAGER-3-EndPointTransientConnection: %[Connecting Port=2000][Device name=][Device IP address=0.0.0.0][Device