| Written By: | Mark Christensen |
|---|---|
| Manufacturer: | Avaya |
| Product: | Communication Manager |
| Version: | All |
| Patch Information: | |
| Ticket Number(s): | 28009 |
Description: Troubleshooting avMSSDenialOfService Traps
Related Articles:
Problem Clarification: Alarmtraq reported an avMSSDenialOfService trap
Here's an example of the trap:
Minor - (avMSSDenialOfService) Uptime 117 days 10 55 52.03#012#011avMSSVarbindsDoSType.0 = INTEGER avMSSDoSICMPReflectAttack(3)#011avMSSVarbindsSrcAddr.0 = IpAddress 192.168.1.1#011avMSSVarbi
Cause:
There are multiple causes for this trap:
Stations that repeatedly register or unregister
Stations may repeatedly register or unregister, most likely due to network issues.
In Communication Manager's SAT, run the command "list usage ip-address" with the address that follows "IpAddress" in the trap. In the example trap that field reads "IpAddress 192.168.1.1#011avMSSVarb", so the address is 192.168.1.1:
list usage ip-address 192.168.1.1
LIST USAGE REPORT
Used By
Station Extension 12345 Station IP Addr
This is more than likely caused by an IP station trying to register, but failing (and eventually successfully registering).
Events related to the extension above may be seen if logging-levels are set:
display logging-levels Page 2 of 2
LOGGING LEVELS
Log All Submission Failures: y
Log PMS/AD Transactions: n
Log IP Registrations and events: y
Log CTA/PSA/TTI Transactions: y
To see IP registrations and events, go to the Communication Manager Linux command line. As root, type "cd /var/log".
Type "grep IPEVT mess* | grep <station #> | less -i". (Don't type the "<" or ">".)
Here's an example:
grep IPEVT mess* | grep 12345 | less -i
Output:
messages.1:Nov 26 10:09:30 acmesprkts logmanager: IPEVT IPT_UNREG board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 ip= 192.168.1.1;26821 net_reg= 2 reason=0
messages.1:Nov 26 10:10:37 acmesprkts logmanager: IPEVT IPT_REG board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 ip= 192.168.1.1;25580 net_reg= 2 reason=normal
messages.1:Nov 26 10:10:37 acmesprkts logmanager: IPEVT IPT_TCP_UP board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 the 1st ip=192.168.1.1;23958 the 2nd ip=0.0.0.0; 0 net_reg= 2 reason=switch_request
messages.1:Nov 26 10:31:55 acmesprkts logmanager: IPEVT IPT_UNREG board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 ip= 192.168.1.1;25580 net_reg= 2 reason=0
messages.1:Nov 26 10:33:03 acmesprkts logmanager: IPEVT IPT_REG board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 ip= 192.168.1.1;25806 net_reg= 2 reason=normal
messages.1:Nov 26 10:33:03 acmesprkts logmanager: IPEVT IPT_TCP_UP board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 the 1st ip=192.168.1.1;28006 the 2nd ip=0.0.0.0; 0 net_reg= 2 reason=switch_request
This gives you an idea about the behavior of the extension in question. Keep in mind that some unregistrations and registrations are intentional.
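To quantify that behavior rather than read it line by line, the following added example (not part of the original article) counts unregistrations and registrations per extension and reports the longest time an extension stayed unregistered. The function names `ipevt_flaps` and `sample_ipevt` are hypothetical; the sample input is the six IPEVT lines shown above.

```shell
#!/bin/sh
# Added example (not from the original article): summarise IPEVT
# register/unregister cycles per extension.
# Usage: grep IPEVT mess* | ipevt_flaps [MIN_UNREG]
# Assumption: all lines fall in one month, so day-of-month + time orders them.
ipevt_flaps() {
  awk -v min="${1:-1}" '
    {
      ev = ""; ext = ""
      for (i = 1; i <= NF; i++) {
        # Locate fields relative to the IPEVT tag so a "file:" prefix is harmless.
        if ($i == "IPEVT" && i > 4) { ev = $(i + 1); day = $(i - 4); ts = $(i - 3) }
        if ($i == "ext=" && ext == "") ext = $(i + 1)
      }
      if (ev == "" || ext == "") next
      split(ts, t, ":")
      now = day * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      if (ev == "IPT_UNREG") { unreg[ext]++; down[ext] = now }
      if (ev == "IPT_REG") {
        reg[ext]++
        if (ext in down) {            # time spent unregistered
          gap = now - down[ext]
          if (gap > max[ext]) max[ext] = gap
          delete down[ext]
        }
      }
    }
    END {
      for (e in unreg)
        if (unreg[e] >= min)
          printf "ext=%s unreg=%d reg=%d max_down=%ds\n", e, unreg[e], reg[e], max[e]
    }' | sort
}

# The six IPEVT lines shown in the article, used as sample input.
sample_ipevt() {
  cat <<'EOF'
messages.1:Nov 26 10:09:30 acmesprkts logmanager: IPEVT IPT_UNREG board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 ip= 192.168.1.1;26821 net_reg= 2 reason=0
messages.1:Nov 26 10:10:37 acmesprkts logmanager: IPEVT IPT_REG board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 ip= 192.168.1.1;25580 net_reg= 2 reason=normal
messages.1:Nov 26 10:10:37 acmesprkts logmanager: IPEVT IPT_TCP_UP board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 the 1st ip=192.168.1.1;23958 the 2nd ip=0.0.0.0; 0 net_reg= 2 reason=switch_request
messages.1:Nov 26 10:31:55 acmesprkts logmanager: IPEVT IPT_UNREG board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 ip= 192.168.1.1;25580 net_reg= 2 reason=0
messages.1:Nov 26 10:33:03 acmesprkts logmanager: IPEVT IPT_REG board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 ip= 192.168.1.1;25806 net_reg= 2 reason=normal
messages.1:Nov 26 10:33:03 acmesprkts logmanager: IPEVT IPT_TCP_UP board=PROCR ip=192.168.2.1 net_reg= 1 ext= 12345 the 1st ip=192.168.1.1;28006 the 2nd ip=0.0.0.0; 0 net_reg= 2 reason=switch_request
EOF
}

sample_ipevt | ipevt_flaps
```

Passing a number, for example `ipevt_flaps 3`, lists only extensions with at least that many unregistrations, which helps separate a flapping station from one that re-registered once or twice.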
Automated systems that are not successfully logging in
If you don't find the cause of the "avMSSDenialOfService" by running "list usage ip-address", exit out of SAT and go to the Linux command line.
su to root (su - root), and type "cd /var/log".
Type "grep -R "192.168.1.1" * |less -i". The "-R" option looks in the directory you're in as well as subdirectories.
The file /var/log/secure may help you find a login attempt. Look at how many times a particular login attempt is made within a short time to see if it's something to be concerned about:
Dec 13 10:21:53 avacmespkts2 sshd[1589362]: pam_unix(sshd:session): session opened for user Sentry by (uid=0)
Dec 13 10:21:53 avacmespkts2 sudo: Sentry : TTY=pts/2 ; PWD=/var/home/Sentry ; USER=root ; COMMAND=/opt/ecs/bin/defsat
Dec 13 10:21:53 avacmespkts2 sudo: pam_unix(sudo:session): session opened for user root by Sentry(uid=2012)
Dec 13 10:21:53 avacmespkts2 defsat: SAT_auth:session pid 1589393 started from parent
Dec 13 10:21:53 avacmespkts2 logmanager: SAT_auth:tui04: Login Sentry new session 1589395 parent 1589393
Dec 13 10:21:54 avacmespkts2 logmanager: SAT_auth:tui04: Login Sentry Sid 0x10009a06 Pid 1589395 Attempt 1 successful
The entries above are Sentry logins. SENTRY™ is a 911 management solution that provides location discovery of user extensions and on-site notifications to key personnel when 911 is dialed so that first responders may quickly be directed to the emergency. SENTRY™ supports location discovery of analog, digital, H.323, and SIP endpoints.
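The frequency check described for /var/log/secure can be scripted. This added example (not part of the original article) counts "SAT_auth ... Login <user> ... Attempt" lines per user in fixed time buckets and prints the buckets that reach a threshold. The function names `login_bursts` and `sample_secure` are hypothetical, and the sample lines are constructed in the format of the excerpt above.

```shell
#!/bin/sh
# Added example (not from the original article): count SAT login attempts per
# user in fixed time buckets, to spot a login that repeats rapidly.
# Usage: login_bursts [WINDOW_SECONDS] [MIN_ATTEMPTS] < /var/log/secure
# Assumptions: lines start with "Mon DD HH:MM:SS" and fall within one month.
login_bursts() {
  awk -v win="${1:-300}" -v min="${2:-5}" '
    /SAT_auth/ && / Attempt / {
      user = ""
      for (i = 1; i < NF; i++) if ($i == "Login") user = $(i + 1)
      if (user == "") next
      split($3, t, ":")
      now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      key = user SUBSEP int(now / win)      # one counter per user per bucket
      if (!(key in n)) first[key] = $1 " " $2 " " $3
      n[key]++
    }
    END {
      for (k in n)
        if (n[k] >= min) {
          split(k, p, SUBSEP)
          printf "%s user=%s attempts=%d\n", first[k], p[1], n[k]
        }
    }' | sort
}

# Constructed sample in the format of the article's /var/log/secure excerpt
# (host, user "exampleuser", Sid and Pid values are placeholders).
sample_secure() {
  cat <<'EOF'
Dec 13 10:21:53 examplehost logmanager: SAT_auth:tui04: Login Sentry new session 1001 parent 1000
Dec 13 10:21:54 examplehost logmanager: SAT_auth:tui04: Login Sentry Sid 0x1 Pid 1001 Attempt 1 successful
Dec 13 10:22:24 examplehost logmanager: SAT_auth:tui04: Login Sentry Sid 0x2 Pid 1002 Attempt 1 successful
Dec 13 10:22:54 examplehost logmanager: SAT_auth:tui04: Login Sentry Sid 0x3 Pid 1003 Attempt 1 successful
Dec 13 10:23:10 examplehost logmanager: SAT_auth:tui05: Login exampleuser Sid 0x4 Pid 1004 Attempt 1 successful
Dec 13 10:23:24 examplehost logmanager: SAT_auth:tui04: Login Sentry Sid 0x5 Pid 1005 Attempt 1 successful
Dec 13 10:23:54 examplehost logmanager: SAT_auth:tui04: Login Sentry Sid 0x6 Pid 1006 Attempt 1 successful
Dec 13 10:24:24 examplehost logmanager: SAT_auth:tui04: Login Sentry Sid 0x7 Pid 1007 Attempt 1 successful
EOF
}

sample_secure | login_bursts 300 5
```

The buckets are aligned to the clock, so a burst that straddles a bucket boundary is split across two counts; a smaller threshold or a larger window compensates for that.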
Output from a grep command might also look like this. The command was run from /var/log:
[root@avacmespkts2 log]# grep -R "192.168.1.1" * |less -i
ecs/commandhistory.21:Nov 6 08:39:49 avacme2 logmanager: pam[1051043]: Sid 0x1000f21d sat 1051011 5784 intlx intlx 18 s 192.168.1.1 login
ecs/commandhistory.21:Nov 6 08:40:32 avacme2 logmanager: pam[1051043]: Sid 0x1000f21d sat 1051011 5784 intlx intlx 18 s 192.168.1.1 logoff
/var/log/ecs/commandhistory* log files may show a valid login and logoff attempt.
Solution:
For stations that regularly trigger the avMSSDenialOfService trap, this may need to be reported to the customer for further troubleshooting.
If you find a login you don't recognize, investigate whether it is a person or a valid server that is constantly trying to log in. If it looks like a real denial of service attack, contact the Service Delivery Manager or Account Manager for assistance.
Manufacturer Release notes: