[cisco-voip] MRA (Collaboration Edge) Intrusion Protection

Ryan Huff ryanhuff at outlook.com
Tue Sep 15 10:45:07 EDT 2015


I'll have to sift through my logs and see if that is what my issue was. Thanks for the follow through Brian.

Thanks,

Ryan

Date: Tue, 15 Sep 2015 10:40:24 -0400
Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
From: bmeade90 at vt.edu
To: kevinp at advancedtsg.com
CC: ryanhuff at outlook.com; cisco-voip at puck.nether.net

We're actually on 8.6.1.
I dug through the logs a bit more and found the same user also had an 8800 series phone logged in via MRA.  Doing some further searching, I found someone who had the same issue logging into Jabber with an 8841 already logged in via MRA.
I had the user unplug their 8841 and they were able to login to Jabber fine after this.
It looks like I'll be reaching out to the feature preview folks to make sure they know about this issue.
Brian
On Tue, Sep 15, 2015 at 8:20 AM, Kevin Przybylowski <kevinp at advancedtsg.com> wrote:

I almost upgraded our VCS servers to 8.6 last week and noticed a couple reviews on CCO so I stuck with 8.5.3.  I’ll give 8.6.1 a try in a few days.

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ryan Huff
Sent: Monday, September 14, 2015 4:00 PM
To: bmeade90 at vt.edu; cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection

Brian .... I had this issue this weekend in 8.6.  My original issue was the "no home uds cluster" but I had issues with the proxy protocol violation.

TAC's response was go to 8.6.1 (released 9/11/15 ... yikes) or roll back to 8.5

Thanks,

Ryan





-------- Original Message --------
From: Brian Meade <bmeade90 at vt.edu>
Sent: Monday, September 14, 2015 03:49 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection

Is anyone else having issues with the "HTTP proxy protocol violation" automated detection feature or Expressway?

I've got over 10,000 hits on this built-in rule and it seems to be blocking some legitimate logins via Jabber.

It looks like this in the event log:

2015-09-11T21:05:09-04:00   sh[1195]: Event="Intrusion Protection" Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"

2015-09-11T21:05:09-04:00   traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"

It looks like this in the Jabber log:

2015-09-11 17:09:15,746 INFO  [0x00000dc0] [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient] [csf::http::executeImpl] - *-----* HTTP response code 0 for request #2 to https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin

2015-09-11 17:09:15,746 ERROR [0x00000dc0] [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient] [csf::http::executeImpl] - There was an issue performing the call to curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR

It looks like this in the detailed expressway logging:

2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146" Event="System Configuration Changed" Node="clusterdb at 127.0.0.1" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid 12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"

Anyone else seeing issues like this?  This particular user also has an 8841 at home.  Is there a limit to number of MRA connections behind a single public IP?


 


Thanks,


Brian Meade
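
Added example, not part of the original thread and not Cisco tooling: a small Python triage script for the event-log lines quoted above, tallying Intrusion Protection blocks and HTTP 429 responses per source IP, plus the growth of the fail2ban jail counter, so blocked addresses can be checked against known MRA users. The sample log is constructed in the same format with documentation-range IP addresses and a dummy uuid; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the Expressway event-log format quoted in the thread.
# IPs are documentation-range placeholders and the uuid is a dummy value.
SAMPLE_LOG = '''\
2015-09-11T21:05:09-04:00   sh[1195]: Event="Intrusion Protection" Src-ip="203.0.113.10" Detail="Collaboration Edge HTTP Intrusion Protection blocking 203.0.113.10" Level="INFO" UTCTime="2015/09/12-01:05:09"
2015-09-11T21:05:09-04:00   traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
2015-09-11T21:05:12-04:00   sh[1195]: Event="Intrusion Protection" Src-ip="203.0.113.10" Detail="Collaboration Edge HTTP Intrusion Protection blocking 203.0.113.10" Level="INFO" UTCTime="2015/09/12-01:05:12"
2015-09-11T21:05:12-04:00   traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52941" UTCTime="2015-09-12 01:05:12,020"
2015-09-11T21:06:00-04:00   sh[1195]: Event="Intrusion Protection" Src-ip="198.51.100.7" Detail="Collaboration Edge HTTP Intrusion Protection blocking 198.51.100.7" Level="INFO" UTCTime="2015/09/12-01:06:00"
2015-09-11T11:12:06-04:00 expe1 UTCTime="2015-09-11 15:12:06,146" Event="System Configuration Changed" Node="clusterdb@127.0.0.1" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid 00000000-0000-0000-0000-000000000000 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"
'''

KV = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs on a log line
JAIL = re.compile(r"jail: (\S+) total_fails - changed from: (\d+) to: (\d+)")

def summarize(log_text):
    """Return (per-IP block/429 counts, per-jail growth of total_fails)."""
    by_ip = defaultdict(lambda: {"blocks": 0, "http_429": 0, "ports": set()})
    jail_growth = defaultdict(int)
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        event = fields.get("Event")
        if event == "Intrusion Protection" and "Src-ip" in fields:
            by_ip[fields["Src-ip"]]["blocks"] += 1
        elif event == "Sending HTTP error response" and fields.get("Status") == "429":
            if "Dst-ip" in fields:
                entry = by_ip[fields["Dst-ip"]]
                entry["http_429"] += 1
                entry["ports"].add(fields.get("Dst-port"))  # one per rejected connection
        elif event == "System Configuration Changed":
            m = JAIL.search(fields.get("Detail", ""))
            if m:
                jail_growth[m.group(1)] += int(m.group(3)) - int(m.group(2))
    return dict(by_ip), dict(jail_growth)

def blocked_ips(by_ip, min_blocks=1):
    """IPs with at least min_blocks block events, most-blocked first."""
    hits = [(ip, s["blocks"]) for ip, s in by_ip.items() if s["blocks"] >= min_blocks]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    ips, jails = summarize(SAMPLE_LOG)
    for ip, n in blocked_ips(ips):
        print(ip, n, "blocks,", ips[ip]["http_429"], "x 429")
    print(jails)
```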






 		 	   		  