[cisco-voip] MRA (Collaboration Edge) Intrusion Protection

Justin Steinberg jsteinberg at gmail.com
Tue Sep 15 15:04:28 EDT 2015


There are some settings on the Expressway regarding the number of auth
attempts, etc. Have you tried to increase those to see if that makes any
difference?

On Tue, Sep 15, 2015 at 10:45 AM, Ryan Huff <ryanhuff at outlook.com> wrote:

> I'll have to sift through my logs and see if that is what my issue was.
> Thanks for the follow through Brian.
>
> Thanks,
>
> Ryan
>
> ------------------------------
> Date: Tue, 15 Sep 2015 10:40:24 -0400
> Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
> From: bmeade90 at vt.edu
> To: kevinp at advancedtsg.com
> CC: ryanhuff at outlook.com; cisco-voip at puck.nether.net
>
>
> We're actually on 8.6.1.
>
> I dug through the logs a bit more and found the same user also had an 8800
> series phone logged in via MRA.  Doing some further searching, I found
> someone who had the same issue logging into Jabber with an 8841 already
> logged in via MRA.
>
> I had the user unplug their 8841 and they were able to login to Jabber
> fine after this.
>
> It looks like I'll be reaching out to the feature preview folks to make
> sure they know about this issue.
>
> Brian
>
> On Tue, Sep 15, 2015 at 8:20 AM, Kevin Przybylowski <
> kevinp at advancedtsg.com> wrote:
>
> I almost upgraded our VCS servers to 8.6 last week and noticed a couple
> reviews on CCO so I stuck with 8.5.3.  I’ll give 8.6.1 a try in a few days.
>
>
>
>
>
> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On Behalf
> Of *Ryan Huff
> *Sent:* Monday, September 14, 2015 4:00 PM
> *To:* bmeade90 at vt.edu; cisco-voip at puck.nether.net
> *Subject:* Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>
>
> Brian .... I had this issue this weekend in 8.6.  My original issue was
> the "no home uds cluster" but I had issues with the proxy protocol
> violation.
> TAC's response was to go to 8.6.1 (released 9/11/15 ... yikes) or roll back
> to 8.5.
> Thanks,
> Ryan
>
>
>
> -------- Original Message --------
> From: Brian Meade <bmeade90 at vt.edu>
> Sent: Monday, September 14, 2015 03:49 PM
> To: cisco-voip at puck.nether.net
> Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>
> Is anyone else having issues with the "HTTP proxy protocol violation"
> automated detection feature or Expressway?
>
>
>
> I've got over 10,000 hits on this built-in rule and it seems to be
> blocking some legitimate logins via Jabber.
>
>
>
> It looks like this in the event log:
>
> 2015-09-11T21:05:09-04:00   sh[1195]: Event="Intrusion Protection"
> Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection
> blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"
>
> 2015-09-11T21:05:09-04:00   traffic_server[24581]: Event="Sending HTTP
> error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X"
> Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
>
>
>
> It looks like this in the Jabber log:
>
> 2015-09-11 17:09:15,746 INFO  [0x00000dc0]
> [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient]
> [csf::http::executeImpl] - *-----* HTTP response code 0 for request #2 to
> https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
>
> 2015-09-11 17:09:15,746 ERROR [0x00000dc0]
> [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient]
> [csf::http::executeImpl] - There was an issue performing the call to
> curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR
>
>
>
> It looks like this in the detailed expressway logging:
>
> 2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146"
> Event="System Configuration Changed" Node="clusterdb at 127.0.0.1"
> PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid
> 12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails -
> changed from: 202411 to: 202416"
>
>
>
>
>
> Anyone else seeing issues like this?  This particular user also has an
> 8841 at home.  Is there a limit to number of MRA connections behind a
> single public IP?
>
>
>
> Thanks,
>
> Brian Meade
>
>
>
>
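
Added example, not part of the original thread and not Cisco's code: a small Python triage script for the kind of event-log lines quoted above. It counts "Intrusion Protection" blocks per source address, HTTP 429 responses per client, and the growth of each fail2ban jail's total_fails counter. The sample lines are constructed from the excerpts in the thread with placeholder addresses and uuid, and the function names are hypothetical.

```python
import re
from collections import Counter

KV = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs in an event line
JAIL = re.compile(r"jail: (\S+) total_fails - changed from: (\d+) to: (\d+)")

# Constructed sample lines modelled on the excerpts quoted in the thread.
# Addresses, ports and the uuid are placeholders, not values from the thread.
SAMPLE = [
    '2015-09-11T21:05:09-04:00 sh[1195]: Event="Intrusion Protection" '
    'Src-ip="198.51.100.7" Detail="Collaboration Edge HTTP Intrusion '
    'Protection blocking 198.51.100.7" Level="INFO"',
    '2015-09-11T21:05:09-04:00 traffic_server[24581]: Event="Sending HTTP '
    'error response" Status="429" Reason="Unknown Status" '
    'Dst-ip="198.51.100.7" Dst-port="52940"',
    '2015-09-11T21:07:40-04:00 sh[1195]: Event="Intrusion Protection" '
    'Src-ip="198.51.100.7" Detail="Collaboration Edge HTTP Intrusion '
    'Protection blocking 198.51.100.7" Level="INFO"',
    '2015-09-11T21:09:02-04:00 sh[1195]: Event="Intrusion Protection" '
    'Src-ip="203.0.113.9" Detail="Collaboration Edge HTTP Intrusion '
    'Protection blocking 203.0.113.9" Level="INFO"',
    '2015-09-11T11:12:06-04:00 expe1 Event="System Configuration Changed" '
    'Detail="xconfiguration fail2banJailStatus uuid 00000000-0000 jail: '
    'http-ce-intrusion total_fails - changed from: 202411 to: 202416"',
]

def parse_event(line):
    """Return the key="value" fields of one event-log line as a dict."""
    return dict(KV.findall(line))

def summarize(lines):
    """Count blocks per source, 429s per client, and fail growth per jail."""
    blocks, throttled, jail_growth = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("Event") == "Intrusion Protection":
            blocks[ev.get("Src-ip", "unknown")] += 1
        elif ev.get("Status") == "429":
            throttled[ev.get("Dst-ip", "unknown")] += 1
        m = JAIL.search(ev.get("Detail", ""))
        if m:
            jail_growth[m.group(1)] += int(m.group(3)) - int(m.group(2))
    # Addresses that were both blocked and sent a 429 are the ones to check
    # against known MRA users (e.g. several devices behind one public IP).
    return blocks, throttled, jail_growth, sorted(set(blocks) & set(throttled))

if __name__ == "__main__":
    for name, value in zip(("blocks", "429s", "jail growth", "review"), summarize(SAMPLE)):
        print(name, dict(value) if isinstance(value, Counter) else value)
```
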