<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
+1. I have seen syn scan or TCP half open cause alerts with no ip, no mac.
<div class=""><br class="">
</div>
<div class="">you can get some insight if this happening using the workaround for</div>
<div class="">CSCsw73304 CLI show open ports to show ports in SYN_RECV <br class="">
</div>
<div class=""><br class="">
</div>
<div class="">-wes
<div class=""><br class="">
<div>
<div class="">On Dec 20, 2017, at 7:47 AM, Dave Goodwin <<a href="mailto:Dave.Goodwin@december.net" class="">Dave.Goodwin@december.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">
<div class="">
<div dir="auto" class="">Any chance there’s an active vulnerability scanning machine on the network? With SYN scanning (half-open scans), it only sends a SYN packet to each port and never fully opens a TCP connection. I’m wondering whether this scenario might
cause CallManager to report this incomplete registration alarm while not reporting the source IP - since the TCP connection was never considered to be established.</div>
<div dir="auto" class=""><br class="">
</div>
<div dir="auto" class="">I’d like to try for myself a SYN scan of port 2000 using nmap to see if I can produce this alarm. </div>
<div class=""><br class="">
<div class="gmail_quote">
<div class="">On Wed, Dec 20, 2017 at 12:25 AM Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" class="">lelio@uoguelph.ca</a>> wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto" class="">
<div class=""><br class="">
</div>
<div id="m_8007962503105663917AppleMailSignature" class="">Also, definitely not exceeded number of registered devices. Especially not on the node where this alarm was coming from. <br class="">
<br class="">
Sent from my iPhone</div>
<div class=""><br class="">
</div>
</div>
<div dir="auto" class="">
<div class="">On Dec 20, 2017, at 12:01 AM, Ryan Huff <<a href="mailto:ryanhuff@outlook.com" target="_blank" class="">ryanhuff@outlook.com</a>> wrote:<br class="">
<br class="">
</div>
</div>
<div dir="auto" class="">
<blockquote type="cite" class="">
<div class="">Yeah it’s tough for sure, because the error is from the device failing to register, before providing any identifying information about itself ... so next to impossible to find from the mothership point of view.
<div class=""><br class="">
</div>
<div class="">You haven’t by chance exceeded the <br class="">
<div class=""><span style="background-color:rgba(255,255,255,0)" class="">“Maximum Number of Registered Devices” threshold for that node have you (CM Service Parameter)? You’d likely have other alarms if you did though.</span></div>
<div class=""><span style="background-color:rgba(255,255,255,0)" class=""><br class="">
</span></div>
<div class="">If it’s a small cluster scenario where you can reasonably access all the phones and access switches; I’d do a registration audit. </div>
<div class=""><br class="">
</div>
<div class="">Could be as simple as a non-Cisco sip device that got plugged into a access port with the admin vlan and tried to use CUCM as its registrar but failed miserably.</div>
<div class=""><br class="">
</div>
<div class="">I’m guessing that isn’t your scenario; my thoughts, if it were me, would be to clear it and see if it comes back. Very possible that it’s an
<span style="background-color:rgba(255,255,255,0)" class="">innocuous event that just sent some packets at the wrong time :).</span><br class="">
<br class="">
Thanks,</div>
<div class=""><br class="">
</div>
<div class="">Ryan<br class="">
<div class=""><br class="">
On Dec 19, 2017, at 11:39 PM, Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" target="_blank" class="">lelio@uoguelph.ca</a>> wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">
<div class=""><br class="">
</div>
<div id="m_8007962503105663917AppleMailSignature" class="">First time I think I've ever seen this. Especially with no MAC or IP addr. </div>
<div id="m_8007962503105663917AppleMailSignature" class=""><br class="">
</div>
<div id="m_8007962503105663917AppleMailSignature" class="">Only one alert. </div>
<div id="m_8007962503105663917AppleMailSignature" class=""><br class="">
</div>
<div id="m_8007962503105663917AppleMailSignature" class="">But we've recently started allowing Jabber connections from our data VLANS. </div>
<div id="m_8007962503105663917AppleMailSignature" class=""><br class="">
</div>
<div id="m_8007962503105663917AppleMailSignature" class="">I'd hate for it to be the beginning of something larger. <br class="">
<br class="">
Sent from my iPhone</div>
<div class=""><br class="">
On Dec 19, 2017, at 11:35 PM, Ryan Huff <<a href="mailto:ryanhuff@outlook.com" target="_blank" class="">ryanhuff@outlook.com</a>> wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">Could also be network connectivity among a lot of things but more often than not, bouncing CM service seems to fix if this is a recurring alarm. If it’s a one time alarm you’ve not seen before; likely legitimately referring to a device.
<div class=""><br class="">
</div>
<div class="">If you’ve recently added any new devices, check network connectivity / verify they are all registered. Could also be a bad device that is no longer working but still attempting a registration ... sort of.</div>
<div class=""><br class="">
</div>
<div class="">-Ryan<br class="">
<div class=""><br class="">
On Dec 19, 2017, at 11:22 PM, Ryan Huff <<a href="mailto:ryanhuff@outlook.com" target="_blank" class="">ryanhuff@outlook.com</a>> wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">Sounds like you should schedule a bounce of the CM service for this node.
<div class=""><br class="">
</div>
<div class="">Have a read here for more detail: <a href="https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/err_msgs/8_x/ccmalarms851.html" target="_blank" class="">https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/err_msgs/8_x/ccmalarms851.html</a><br class="">
<br class="">
<div class="">Thanks,</div>
<div class=""><br class="">
</div>
<div class="">Ryan</div>
<div class=""><br class="">
On Dec 19, 2017, at 11:11 PM, Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca" target="_blank" class="">lelio@uoguelph.ca</a>> wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">An endpoint attempted to register but did not complete registration</div>
</blockquote>
</div>
</div>
</blockquote>
<blockquote type="cite" class="">
<div class=""><span class="">_______________________________________________</span><br class="">
<span class="">cisco-voip mailing list</span><br class="">
<span class=""><a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a></span><br class="">
<span class=""><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank" class="">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br class="">
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
_______________________________________________<br class="">
cisco-voip mailing list<br class="">
<a href="mailto:cisco-voip@puck.nether.net" target="_blank" class="">cisco-voip@puck.nether.net</a><br class="">
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" rel="noreferrer" target="_blank" class="">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br class="">
</blockquote>
</div>
</div>
</div>
</div>
_______________________________________________<br class="">
cisco-voip mailing list<br class="">
<a href="mailto:cisco-voip@puck.nether.net" class="">cisco-voip@puck.nether.net</a><br class="">
https://puck.nether.net/mailman/listinfo/cisco-voip<br class="">
</div>
</div>
<br class="">
</div>
</div>
</body>
</html>