[cisco-voip] MRA (Collaboration Edge) Intrusion Protection

Brian Meade bmeade90 at vt.edu
Tue Sep 15 15:15:28 EDT 2015


Justin,

I'm sure I could play around with those parameters a bit but don't want to
open us up to any sort of actual DoS attack.

I sent it over to cefeedback at cisco.com which is handling support during the
feature preview until TAC takes over.  They said that it's an issue with
the 8800 series firmware where the endpoint gets stuck in a loop sending
repeated authentication attempts.

I was able to view these requests at
https://<expressway-c>/edgestatushttpproxyrequests
and confirmed we're getting a few per second per endpoint.

They're currently working on an ES for the 8800 series to resolve this
issue.  I'll test it once I get my hands on it and report back.

Thanks,
Brian

On Tue, Sep 15, 2015 at 3:04 PM, Justin Steinberg <jsteinberg at gmail.com>
wrote:

> There are some settings on the Expressway regarding the number of auth
> attempts, etc.  Have you tried to increase those to see if that makes any
> difference?
>
> On Tue, Sep 15, 2015 at 10:45 AM, Ryan Huff <ryanhuff at outlook.com> wrote:
>
>> I'll have to sift through my logs and see if that is what my issue was.
>> Thanks for the follow-through, Brian.
>>
>> Thanks,
>>
>> Ryan
>>
>> ------------------------------
>> Date: Tue, 15 Sep 2015 10:40:24 -0400
>> Subject: Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>> From: bmeade90 at vt.edu
>> To: kevinp at advancedtsg.com
>> CC: ryanhuff at outlook.com; cisco-voip at puck.nether.net
>>
>>
>> We're actually on 8.6.1.
>>
>> I dug through the logs a bit more and found the same user also had an
>> 8800 series phone logged in via MRA.  Doing some further searching, I found
>> someone who had the same issue logging into Jabber with an 8841 already
>> logged in via MRA.
>>
>> I had the user unplug their 8841 and they were able to login to Jabber
>> fine after this.
>>
>> It looks like I'll be reaching out to the feature preview folks to make
>> sure they know about this issue.
>>
>> Brian
>>
>> On Tue, Sep 15, 2015 at 8:20 AM, Kevin Przybylowski <
>> kevinp at advancedtsg.com> wrote:
>>
>> I almost upgraded our VCS servers to 8.6 last week and noticed a couple of
>> reviews on CCO so I stuck with 8.5.3.  I’ll give 8.6.1 a try in a few days.
>>
>> *From:* cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] *On
>> Behalf Of *Ryan Huff
>> *Sent:* Monday, September 14, 2015 4:00 PM
>> *To:* bmeade90 at vt.edu; cisco-voip at puck.nether.net
>> *Subject:* Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>>
>> Brian .... I had this issue this weekend in 8.6.  My original issue was
>> the "no home uds cluster" but I had issues with the proxy protocol
>> violation.
>> TAC's response was go to 8.6.1 (released 9/11/15 ... yikes) or roll back
>> to 8.5.
>> Thanks,
>> Ryan
>>
>> -------- Original Message --------
>> From: Brian Meade <bmeade90 at vt.edu>
>> Sent: Monday, September 14, 2015 03:49 PM
>> To: cisco-voip at puck.nether.net
>> Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection
>>
>> Is anyone else having issues with the "HTTP proxy protocol violation"
>> automated detection feature on Expressway?
>>
>> I've got over 10,000 hits on this built-in rule and it seems to be
>> blocking some legitimate logins via Jabber.
>>
>> It looks like this in the event log:
>>
>> 2015-09-11T21:05:09-04:00   sh[1195]: Event="Intrusion Protection"
>> Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection
>> blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"
>>
>> 2015-09-11T21:05:09-04:00   traffic_server[24581]: Event="Sending HTTP
>> error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X"
>> Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
>>
>> It looks like this in the Jabber log:
>>
>> 2015-09-11 17:09:15,746 INFO  [0x00000dc0]
>> [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient]
>> [csf::http::executeImpl] - *-----* HTTP response code 0 for request #2 to
>> https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
>>
>> 2015-09-11 17:09:15,746 ERROR [0x00000dc0]
>> [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient]
>> [csf::http::executeImpl] - There was an issue performing the call to
>> curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR
>>
>> It looks like this in the detailed Expressway logging:
>>
>> 2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146"
>> Event="System Configuration Changed" Node="clusterdb at 127.0.0.1"
>> PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid
>> 12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails -
>> changed from: 202411 to: 202416"
>>
>> Anyone else seeing issues like this?  This particular user also has an
>> 8841 at home.  Is there a limit to the number of MRA connections behind a
>> single public IP?
>>
>> Thanks,
>>
>> Brian Meade
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
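The thread hinges on telling a looping endpoint apart from a real credential-guessing attack before anyone loosens the Expressway intrusion-protection thresholds. As an added example that is not part of the thread and is not Cisco's code, here is a small Python script that reads Expressway event-log lines of the shape quoted above (the syslog prefix followed by key="value" fields), lists which source addresses the http-ce-intrusion jail blocked, counts the 429 responses sent to each address, works out the peak number of 429s any single address received in one second, and sums the total_fails increments from the fail2banJailStatus configuration-change lines. The log lines in the block are constructed to match the quoted format and use documentation addresses; the field names (Event, Src-ip, Dst-ip, Status, UTCTime, Detail) are taken from the quoted lines, while the two-per-second threshold for flagging an address as a looping endpoint is an assumption, not a Cisco value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in the same key="value" layout as the event-log
# excerpts quoted in the thread. Addresses are RFC 5737 documentation ranges;
# nothing here is taken from a real deployment.
SAMPLE_LOG = """\
2015-09-11T21:05:09-04:00   sh[1195]: Event="Intrusion Protection" Src-ip="203.0.113.10" Detail="Collaboration Edge HTTP Intrusion Protection blocking 203.0.113.10" Level="INFO" UTCTime="2015/09/12-01:05:09"
2015-09-11T21:05:09-04:00   traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151"
2015-09-11T21:05:09-04:00   traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52941" UTCTime="2015-09-12 01:05:09,402"
2015-09-11T21:05:09-04:00   traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52942" UTCTime="2015-09-12 01:05:09,688"
2015-09-11T21:05:10-04:00   traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="203.0.113.10" Dst-port="52943" UTCTime="2015-09-12 01:05:10,120"
2015-09-11T21:05:10-04:00   traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="198.51.100.7" Dst-port="41022" UTCTime="2015-09-12 01:05:10,503"
2015-09-11T21:05:11-04:00 atlitexpe1 UTCTime="2015-09-12 01:05:11,004" Event="System Configuration Changed" Node="clusterdb at 127.0.0.1" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid 12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"
"""

# key="value" pairs; values may contain spaces, keys may contain '-' (Src-ip).
KV_RE = re.compile(r'(\S+)="([^"]*)"')
# The jail counter delta embedded in the Detail value of a config-change event.
FAILS_RE = re.compile(r'total_fails - changed from: (\d+) to: (\d+)')


def parse_line(line):
    """Return (syslog timestamp, {field: value}) for one event-log line."""
    timestamp = line.split(None, 1)[0]
    return timestamp, dict(KV_RE.findall(line))


def summarize(log_text):
    """Aggregate intrusion-protection activity per client address."""
    blocked_ips = set()                 # addresses the jail announced it was blocking
    rejections = Counter()              # 429 responses sent, per address
    per_second = defaultdict(Counter)   # address -> {"YYYY-MM-DD HH:MM:SS": count}
    new_fails = 0                       # sum of total_fails increments seen

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _, f = parse_line(raw)
        event = f.get("Event")
        if event == "Intrusion Protection" and "Src-ip" in f:
            blocked_ips.add(f["Src-ip"])
        elif event == "Sending HTTP error response" and f.get("Status") == "429":
            ip = f.get("Dst-ip", "?")
            rejections[ip] += 1
            # traffic_server stamps "YYYY-MM-DD HH:MM:SS,mmm"; keep the whole second.
            per_second[ip][f.get("UTCTime", "")[:19]] += 1
        elif event == "System Configuration Changed":
            m = FAILS_RE.search(f.get("Detail", ""))
            if m:
                new_fails += int(m.group(2)) - int(m.group(1))

    peak = {ip: max(buckets.values()) for ip, buckets in per_second.items()}
    return {
        "blocked_ips": blocked_ips,
        "rejections_per_ip": rejections,
        "peak_per_second": peak,
        "new_fails": new_fails,
    }


def looping_endpoints(summary, threshold=2):
    """Addresses that took >= threshold 429s within one second (assumed cut-off).

    A registered phone retrying authentication in a tight loop produces this
    steady, machine-paced pattern; a human re-entering a password does not.
    """
    return sorted(ip for ip, n in summary["peak_per_second"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("blocked:", sorted(s["blocked_ips"]))
    print("429s per address:", dict(s["rejections_per_ip"]))
    print("peak 429s in one second:", s["peak_per_second"])
    print("new total_fails:", s["new_fails"])
    print("looping endpoints:", looping_endpoints(s))
```

Two caveats when reading the output. The log only records which addresses were throttled; the request-level view Brian used (the edgestatushttpproxyrequests page on the Expressway-C) is where you confirm what those requests actually are. And because several MRA endpoints behind one NAT share a single public address, a high per-second count against one Src-ip may be several well-behaved clients rather than one looping phone, so correlate with the user's registered devices before concluding anything.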