[cisco-voip] MRA (Collaboration Edge) Intrusion Protection

Brian Meade bmeade90 at vt.edu
Tue Sep 15 10:40:24 EDT 2015


We're actually on 8.6.1.

I dug through the logs a bit more and found the same user also had an 8800
series phone logged in via MRA.  Doing some further searching, I found
someone who had the same issue logging into Jabber with an 8841 already
logged in via MRA.

I had the user unplug their 8841 and they were able to log in to Jabber fine
after this.

It looks like I'll be reaching out to the feature preview folks to make
sure they know about this issue.

Brian

On Tue, Sep 15, 2015 at 8:20 AM, Kevin Przybylowski <kevinp at advancedtsg.com>
wrote:

> I almost upgraded our VCS servers to 8.6 last week and noticed a couple
> reviews on CCO so I stuck with 8.5.3.  I’ll give 8.6.1 a try in a few days.
>
>
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Ryan Huff
> *Sent:* Monday, September 14, 2015 4:00 PM
> *To:* bmeade90 at vt.edu; cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>
>
>
> Brian .... I had this issue this weekend in 8.6.  My original issue was
> the "no home uds cluster" but I had issues with the proxy protocol
> violation.
>
> TAC's response was to go to 8.6.1 (released 9/11/15 ... yikes) or roll back
> to 8.5
>
> Thanks,
>
> Ryan
>
>
>
> -------- Original Message --------
> From: Brian Meade <bmeade90 at vt.edu>
> Sent: Monday, September 14, 2015 03:49 PM
> To: cisco-voip at puck.nether.net
> Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>
> Is anyone else having issues with the "HTTP proxy protocol violation"
> automated detection feature or Expressway?
>
>
>
> I've got over 10,000 hits on this built-in rule and it seems to be
> blocking some legitimate logins via Jabber.
>
>
>
> It looks like this in the event log:
>
> 2015-09-11T21:05:09-04:00   sh[1195]: Event="Intrusion Protection"
> Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection
> blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"
>
> 2015-09-11T21:05:09-04:00   traffic_server[24581]: Event="Sending HTTP
> error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X"
> Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
>
>
>
> It looks like this in the Jabber log:
>
> 2015-09-11 17:09:15,746 INFO  [0x00000dc0]
> [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient]
> [csf::http::executeImpl] - *-----* HTTP response code 0 for request #2 to
> https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
>
> 2015-09-11 17:09:15,746 ERROR [0x00000dc0]
> [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient]
> [csf::http::executeImpl] - There was an issue performing the call to
> curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR
>
>
>
> It looks like this in the detailed expressway logging:
>
> 2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146"
> Event="System Configuration Changed" Node="clusterdb at 127.0.0.1"
> PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid
> 12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails -
> changed from: 202411 to: 202416"
>
>
>
>
>
> Anyone else seeing issues like this?  This particular user also has an
> 8841 at home.  Is there a limit to number of MRA connections behind a
> single public IP?
>
>
>
> Thanks,
>
> Brian Meade
>
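
Added example, not part of the original thread and not Cisco tooling: a small Python parser for the Expressway event-log format quoted above. It tallies "Intrusion Protection" blocks and HTTP 429 responses per client IP and sums the `http-ce-intrusion` jail's `total_fails` increases, which helps spot legitimate NAT'd sites being blocked. The sample log is constructed; its IPs, hostname and uuid are placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the event-log format quoted in the thread. The IPs are
# documentation addresses and the uuid/hostname are placeholders, not from the post.
SAMPLE_LOG = """\
2015-09-11T21:05:09-04:00 sh[1195]: Event="Intrusion Protection" Src-ip="198.51.100.7" Detail="Collaboration Edge HTTP Intrusion Protection blocking 198.51.100.7" Level="INFO" UTCTime="2015/09/12-01:05:09"
2015-09-11T21:05:09-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="198.51.100.7" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
2015-09-11T21:05:10-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="198.51.100.7" Dst-port="52941" UTCTime="2015-09-12 01:05:10,020"
2015-09-11T21:07:31-04:00 sh[1195]: Event="Intrusion Protection" Src-ip="203.0.113.9" Detail="Collaboration Edge HTTP Intrusion Protection blocking 203.0.113.9" Level="INFO" UTCTime="2015/09/12-01:07:31"
2015-09-11T21:07:31-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.9" Dst-port="40112" UTCTime="2015-09-12 01:07:31,400"
2015-09-11T21:07:32-04:00 exp1 UTCTime="2015-09-12 01:07:32,146" Event="System Configuration Changed" Detail="xconfiguration fail2banJailStatus uuid 00000000-0000-0000-0000-000000000000 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"
2015-09-11T21:09:02-04:00 exp1 UTCTime="2015-09-12 01:09:02,310" Event="System Configuration Changed" Detail="xconfiguration fail2banJailStatus uuid 00000000-0000-0000-0000-000000000000 jail: http-ce-intrusion total_fails - changed from: 202416 to: 202420"
"""

KV = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs used by Expressway events

def summarize(log_text):
    """Count intrusion-protection blocks and HTTP 429 responses per client IP."""
    stats = defaultdict(lambda: {"blocks": 0, "http_429": 0})
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if f.get("Event") == "Intrusion Protection" and "Src-ip" in f:
            stats[f["Src-ip"]]["blocks"] += 1
        elif f.get("Status") == "429" and "Dst-ip" in f:
            stats[f["Dst-ip"]]["http_429"] += 1
    return dict(stats)

def jail_fail_delta(log_text, jail="http-ce-intrusion"):
    """Total increase in a fail2ban jail's total_fails counter across the log."""
    pat = re.compile(r"jail: %s total_fails -\s*changed from: (\d+) to: (\d+)" % re.escape(jail))
    return sum(int(new) - int(old) for old, new in pat.findall(log_text))

def noisiest_sources(log_text):
    """Client IPs ordered by rejected (429) requests, highest first."""
    stats = summarize(log_text)
    return sorted(stats, key=lambda ip: stats[ip]["http_429"], reverse=True)

if __name__ == "__main__":
    for ip in noisiest_sources(SAMPLE_LOG):
        print(ip, summarize(SAMPLE_LOG)[ip])
    print("http-ce-intrusion total_fails increase:", jail_fail_delta(SAMPLE_LOG))
```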