| Author |
Message
|
| KIDINMQ |
 Posted: Tue Apr 30, 2019 4:18 am Post subject: Connection failure to WebServers |
 |
|
Novice
Joined: 12 Nov 2013
Posts: 15
|
Help required finding out the possible solution on this. TCP/IP errors are keep on generating in MQ error logs whenever receiving data from the WebServers. Doesn't seems to be a regular Network issue. OS is Solaris 5 and MQ 5.3.
----- amqccita.c : 2781 ---------------------------------------------------------------------------
29/04/19 10:32:42 AM
AMQ9209: Connection to host 'XXXXXXXX (X.X.X.X)' closed.
EXPLANATION:
An error occurred receiving data from 'XXXXXXXX (X.X.X.X)' over TCP/IP. The
connection to the remote host has unexpectedly terminated.
ACTION:
Tell the systems administrator.
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
29/04/19 05:01:50 PM
AMQ9207: The data received from host 'XXXXXXXX (X.X.X.X)' is not valid.
EXPLANATION:
Incorrect data format received from host 'XXXXXXXX (X.X.X.X)' over TCP/IP.
It may be that an unknown host is attempting to send data. An FFST file has
been generated containing the invalid data received.
ACTION:
Tell the systems administrator.
----- amqccita.c : 2888 -------------------------------------------------------
29/04/19 05:01:50 PM
AMQ9228: The TCP/IP responder program could not be started.
EXPLANATION:
An attempt was made to start an instance of the responder program, but the
program was rejected.
ACTION:
The failure could be because either the subsystem has not been started (in this
case you should start the subsystem), or there are too many programs waiting
(in this case you should try to start the responder program later). The reason
code was 0.
----- amqrmrsa.c : 461 -------------------------------------------------------- |
|
| Back to top |
|
 |
| LJM |
| Posted: Tue Apr 30, 2019 4:40 am Post subject: |
|
|
Novice
Joined: 05 Jul 2018
Posts: 22
|
just looks like NON MQ traffic hitting your listener to me,
I get the same when my Black Box Pen test devices spin up and trawl the LAN> |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Apr 30, 2019 5:02 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| LJM wrote: |
| just looks like NON MQ traffic hitting your listener to me |
Something like a port scanner doing a vulnerability check
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| KIDINMQ |
| Posted: Tue Apr 30, 2019 5:25 am Post subject: |
|
|
Novice
Joined: 12 Nov 2013
Posts: 15
|
| Thanks for your quick replies and welcome your inputs. |
|
| Back to top |
|
|
| KIDINMQ |
| Posted: Tue Apr 30, 2019 5:53 am Post subject: |
|
|
Novice
Joined: 12 Nov 2013
Posts: 15
|
| Will MQ Listener restart helps ? |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Apr 30, 2019 6:19 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| KIDINMQ wrote: |
| Will MQ Listener restart helps ? |
No. This will happen every time something which isn't an MQ MCA pings the port the listener is attached to. The error:
| Quote: |
Incorrect data format received from host 'XXXXXXXX (X.X.X.X)' over TCP/IP.
It may be that an unknown host is attempting to send data. An FFST file has
been generated containing the invalid data received.
ACTION:
Tell the systems administrator.
|
is exactly right. An unknown host is attempting to send data, in a non-MQ format, and nothing you do within MQ will prevent that (obviously). MQ will legitimately generate this error every time it happens.
If you want to prevent this error (and the associated FFST), your only recourse is to use the data in the FFST to identify what's doing this or ask the network people if they know of something that would scan this port. Having identified the application sending the invalid data, tell them to stop doing it.
For example, we run vulnerability checks on our network like most organizations. We have a "white list" of IP address/port combinations we don't scan because they're MQ Servers / Oracle servers / etc. that react like this to probes.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Vitor |
| Posted: Tue Apr 30, 2019 6:22 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
Try:
| Code: |
| telnet <that server's IP> <the MQ listener's port number> |
and type something.
You'll see the same error turn up. Now think about what you could do with the MQ listener (including restarting it as you propose) that would prevent that error the next time you telnet to that port.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| exerk |
| Posted: Tue Apr 30, 2019 7:07 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
A pity that the MQ version is so back-level, or CHLAUTH could be used as a temporary block... 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| KIDINMQ |
| Posted: Fri May 10, 2019 4:24 am Post subject: |
|
|
Novice
Joined: 12 Nov 2013
Posts: 15
|
| Thanks all for your valuable inputs and time |
|
| Back to top |
|
|
|
|
