Webex Hybrid Data Security - KMS strange behavior

gabriel.caclin · ‎04-03-2020

Hi All,

I am currently in a setup of Hybrid Data Security on Webex Teams, involving 3x KMS.

I already have a case open, but the engineer looks not understanding ...

In fact, the KMS are configured with IP:

10.10.10.10
10.10.10.20
10.10.10.30

For a total unkown reason, the KMS are sending out packet with source IP in range 172.16.X.X or 172.17.X.X. It's a total unknow range, and why the KMS will send packet with a different IP than the one configured during the setup?

As well, we saw that the KMS is sending UDP/53 (DNS) packets to IP 172.17.255.255, but same, this IP is unknown, because the DNS configured on the KMS is 10.10.20.20.

My guess is that black box is running several instance of docker stuff with an internal network, but it put a total mess in the configuration and troublshooting.

If anybody has an idea, I will appreciate.

Thanks!

gabriel.caclin · ‎04-06-2020

Answer to myself: after digging on the KMS, in the GUI web page, there is the menu of the network configuration, and then there is a tab named "advanced configuration". Here we can found that unknown network plan which is used by the containers within the KMS. TAC does not know what we have to do with that network, I mean if we have to configure a customer network or not.

shazam021 · ‎01-23-2021

Thanks Gabriel. It seems TAC doesn’t know much about on-prem KMS. Seems not many customers have deployed it.

Have you encountered an issue with your other hybrid connectors (calendar, message) retrieving keys from on-prem KMS after some time?