<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I almost upgraded our VCS servers to 8.6 last week and noticed a couple reviews on CCO so I stuck with 8.5.3. I’ll give 8.6.1 a try in a few days.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><img width="1023" height="460" id="Picture_x0020_1" src="cid:image001.png@01D0EF8E.A89E1030"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [mailto:cisco-voip-bounces@puck.nether.net]
<b>On Behalf Of </b>Ryan Huff<br>
<b>Sent:</b> Monday, September 14, 2015 4:00 PM<br>
<b>To:</b> bmeade90@vt.edu; cisco-voip@puck.nether.net<br>
<b>Subject:</b> Re: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Brian .... I had this issue this weekend in 8.6. My original issue was the "no home uds cluster" but I had issues with the proxy protocol violation.<o:p></o:p></p>
<p>Tac's response was go to 8.6.1 (released 9/11/15 ... yikes) or roll back to 8.5<o:p></o:p></p>
<p>Thanks,<o:p></o:p></p>
<p>Ryan<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
-------- Original Message --------<br>
From: Brian Meade <<a href="mailto:bmeade90@vt.edu">bmeade90@vt.edu</a>><br>
Sent: Monday, September 14, 2015 03:49 PM<br>
To: <a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
Subject: [cisco-voip] MRA (Collaboration Edge) Intrusion Protection<o:p></o:p></p>
<div>
<p class="MsoNormal">Is anyone else having issues with the "HTTP proxy protocol violation" automated detection feature or Expressway?<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I've got over 10,000 hits on this built-in rule and it seems to be blocking some legitimate logins via Jabber.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It looks like this in the event log:<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">2015-09-11T21:05:09-04:00 sh[1195]: Event="Intrusion Protection" Src-ip="X.X.X.X" Detail="Collaboration Edge HTTP Intrusion Protection blocking X.X.X.X" Level="INFO" UTCTime="2015/09/12-01:05:09"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2015-09-11T21:05:09-04:00 traffic_server[24581]: Event="Sending HTTP error response" Status="429" Reason="Unknown Status" Dst-ip="X.X.X.X" Dst-port="52940" UTCTime="2015-09-12 01:05:09,151" <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It looks like this in the Jabber log:<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">2015-09-11 17:09:15,746 INFO [0x00000dc0] [ls\src\http\BasicHttpClientImpl.cpp(399)] [csf.httpclient] [csf::http::executeImpl] - *-----* HTTP response code 0 for request #2 to
<a href="https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin">
https://myexpressway.client.com:8443/bG9naWNub3cuY29t/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2015-09-11 17:09:15,746 ERROR [0x00000dc0] [ls\src\http\BasicHttpClientImpl.cpp(404)] [csf.httpclient] [csf::http::executeImpl] - There was an issue performing the call to curl_easy_perform for request #2: CONNECTION_TIMEOUT_ERROR<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It looks like this in the detailed expressway logging:<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">2015-09-11T11:12:06-04:00 atlitexpe1 UTCTime="2015-09-11 15:12:06,146" Event="System Configuration Changed" Node="<a href="mailto:clusterdb@127.0.0.1">clusterdb@127.0.0.1</a>" PID="<0.3251.0>" Detail="xconfiguration fail2banJailStatus uuid
12f52e25-4df6-4fd3-9697-621d9de3a796 jail: http-ce-intrusion total_fails - changed from: 202411 to: 202416"<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Anyone else seeing issues like this? This particular user also has an 8841 at home. Is there a limit to number of MRA connections behind a single public IP?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Brian Meade<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>