[cisco-voip] MRA (Collaboration Edge) Intrusion Protection
Kevin Przybylowski
kevinp at advancedtsg.com
Tue Sep 15 08:20:50 EDT 2015
I almost upgraded our VCS servers to 8.6 last week and noticed a couple reviews on CCO so I stuck with 8.5.3. I’ll give 8.6.1 a try in a few days.
[cid:image001.png at 01D0EF8E.A89E1030]
From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan Huff
Sent: Monday, September 14, 2015 4:00 PM
To: bmeade90 at vt.edu; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
Brian .... I had this issue this weekend in 8.6. My original issue was the "no home uds cluster" but I had issues with the proxy protocol violation.
Tac's response was go to 8.6.1 (released 9/11/15 ... yikes) or roll back to 8.5
Thanks,
Ryan
-------- Original Message --------
From: Brian Meade <bmeade90 at vt.edu<mailto:bmeade90 at vt.edu>>
Sent: Monday, September 14, 2015 03:49 PM
To: cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
Is anyone else having issues with the "HTTP proxy protocol violation" automated detection feature or Expressway?
I've got over 10,000 hits on this built-in rule and it seems to be blocking some legitimate logins via Jabber.
It looks like this in the event log:
2015-09-11T21:05:09-04:00 sh[1195]: Event="Intrusion Protection" Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"
2015-09-11T21:05:09-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
It looks like this in the Jabber log:
2015-09-11 17:09:15,746 INFO [0x00000dc0] [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient] [csf::http::executeImpl] - *-----* HTTP response code 0 for request #2 to https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
2015-09-11 17:09:15,746 ERROR [0x00000dc0] [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient] [csf::http::executeImpl] - There was an issue performing the call to curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR
It looks like this in the detailed expressway logging:
2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146" Event="System Configuration Changed" Node="clusterdb at 127.0.0.1<mailto:clusterdb at 127.0.0.1>" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid 12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"
Anyone else seeing issues like this? This particular user also has an 8841 at home. Is there a limit to number of MRA connections behind a single public IP?
Thanks,
Brian Meade
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150915/a0e62a9a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 52050 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150915/a0e62a9a/attachment.png>
More information about the cisco-voip
mailing list