LRQ STORMS ON MY VCSE AND VCSC

Chet Cronin
Level 4

Running VCSe and VCSc x8.8.2

Any ideas how to block the LRQs I am receiving from outside my network that appear to be causing the "Out of Resource Limit" warnings? Getting tons of LRQs.

I have plenty of traversal and non-traversal licenses. The servers have only three client registrations and virtually no load on them??

Thank you.

Chet Cronin
2 Accepted Solutions

PJMack
Level 7

My guess is your search rules are too vague/open. Before these hackers popped up you could get away with that, but not anymore. If the destination URI gets through some catch-all type of search rule on the VCSE, it will then send it to the VCSC trying to find the destination, and during the time it's trying that, it's using a traversal license on both devices. It will ultimately fail and free up the license, but if you're getting out of resource messages you are probably (almost certainly) missing legitimate calls during those times.

What you need to do is have search rules that are specific on your VCSE, especially any that have source "any". For example, if your standard URI is a seven digit number followed by @ABC.com, then only allow inbound from "any" that match that pattern, and not anything else. With Regex this isn't hard to do. I'm sure you'll have more than one you'll need to add.

Most of your bad inbound calls are probably coming @ip address rather than your domain, correct? I doubt in this day and age you need to support @ip calls, so don't; make sure you don't have any search rule or transform to support those calls - remember transforms get applied before search rules, so check there.

PJMACK,

Thank you for the timely response and guidance ... I'll take a look at my Rules. I assume it would be on the VCSe that I need to check, right?

Yes, many of the LRQs are coming from inbound. Would not that limit who can call us? Could I create an allow list that would allow "ONLY" calls to say @allow.army.mil and an allow for say only calls to NPA/NXX numbers I have on my network? The inbound call checks the allow list first, then transforms? Right?

Chet Cronin

3 Replies

The allow list is only for device registrations, it has nothing to do with call routing. The search rules are how you can decide what is/isn't allowed, and the transforms get applied before the search rules.

If you don't know how to use Regex in your creation of search rules, take a look at this document: https://community.cisco.com/legacyfs/online/legacy/3/7/0/130073-Regular%20Expression.pdf
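
An added example, not part of the original thread and not Cisco tooling: a small Python check that runs candidate search-rule patterns against constructed destination aliases, to show which patterns are specific (the seven-digit @ABC.com rule described above) and which let @ip or other unintended URIs through. The function name, the sample aliases, whole-alias matching and case-insensitive matching are assumptions, and Python's `re` stands in for the VCS regex engine.

```python
import re

# Matches an alias whose domain part is a bare IPv4 address (optionally :port).
IP_DOMAIN = re.compile(r"@\d{1,3}(\.\d{1,3}){3}(:\d+)?$")

# Constructed sample aliases (documentation IP ranges, made-up numbers).
LEGIT = ["5551234@abc.com", "1234567@ABC.com"]
UNWANTED = [
    "1000@203.0.113.10",             # @ip call
    "00441234567890@198.51.100.7",   # @ip call with a dial-out style prefix
    "admin@abc.com",                 # right domain, not a seven-digit number
    "9011441234567@abc.com",         # right domain, too many digits
    "5551234@abc.com.evil.example",  # domain only looks right at the start
]


def audit_rule(pattern, legit=LEGIT, unwanted=UNWANTED):
    """Report which sample aliases a candidate search-rule regex would pass.

    Assumption: the pattern must match the whole alias, case-insensitively.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    missed = [a for a in legit if not rx.fullmatch(a)]
    leaked = [a for a in unwanted if rx.fullmatch(a)]
    return {
        "missed": missed,    # legitimate aliases the rule would reject
        "leaked": leaked,    # unwanted aliases the rule would forward
        "allows_ip_domain": any(IP_DOMAIN.search(a) for a in leaked),
    }


if __name__ == "__main__":
    candidates = {
        "catch-all": r".*",
        "domain only": r".*@abc\.com",
        "seven digits @abc.com": r"\d{7}@abc\.com",
    }
    for name, pattern in candidates.items():
        print(f"{name:24} {pattern:18} {audit_rule(pattern)}")
```

Replace the sample lists with aliases taken from your own search history before trusting a rule; a pattern is ready for a source "any" rule only when both `missed` and `leaked` come back empty.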