ATA Services suddenly failing to start.


Hi Guys,

After my DCs have recently rebooted, the ATA lightweight gateway agent on them is failing to start.

Looking at the error log I see the following error repeatedly:

4832 4   Error [WebClient+<InvokeAsync>d__8`1] System.Net.Http.HttpRequestException: PostAsync failed [requestTypeName=UpsertGatewayMonitoringAlertRequest] ---> System.Net.Http.HttpRequestException: Error while copying content to a stream. ---> System.IO.IOException: Unable to read data from the transport connection: The connection was closed

 

Anyone have any suggestions as to what might be causing this?

 

Thanks

David

9 Replies

Looks like the DCs lost communication with the center machine.

Are you able to browse the Console UI using Internet Explorer from these machines?

Hi Eli, I sure can. DNS seems fine as well, I can resolve the FQDN without issue.

Which ATA version?

We're running 1.9.7312.32791

Are all the GWs failing or just some?

Are there any recent/repetitive errors in the Center's textual logs?

4 of the 11 are failing. It might be that only these 4 have rebooted recently.

Looking at the Centre logs I see this error repeatedly:

 

4496 96 Error [ExceptionFilterStream] System.IO.IOException ---> System.Net.HttpListenerException: The I/O operation has been aborted because of either a thread exit or an application request
at System.Net.HttpRequestStream.Read(Byte[] buffer, Int32 offset, Int32 size)


At this point I would suggest opening a ticket with support, where they can look more closely at the full logs and give specific instructions for more data collection.

What you can do to get more data is, for one of the DCs that is still working fine, do not reboot the DC itself, but restart the GW service only, and see if it can start or fails like the others.

Thanks Eli, I guess I'll just have to open a case. I was able to successfully restart the gateway service on a machine not affected by this issue.

Quick update for anyone experiencing the same issue. In our instance the connection was being dropped by our Tipping Point IPS.

Once we whitelisted the detection the gateways reconnected immediately.

Here's the description of the OpenSSL vulnerability it was detecting between the gateways and the ATA Centre. I'm still engaged with MS to see if this can be resolved rather than just whitelisted.

Description
This filter detects an attempt to exploit a security bypass vulnerability in OpenSSL.

The specific flaw exists within how ChangeCipherSpec messages are handled by the client. An attacker can leverage this vulnerability to decrypt and inject traffic resulting in affecting the security policy of the current process.

User authentication is not required to exploit this vulnerability.

References:

Common Vulnerabilities and Exposures
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224

Vendor Advisory
http://www.openssl.org/news/secadv_20140605.txt

SecurityFocus Bugtraq ID
http://www.securityfocus.com/bid/67899
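
The filter description quoted above concerns ChangeCipherSpec (CCS) messages accepted at the wrong point in the handshake (CVE-2014-0224). As an added example, not part of the thread and not the IPS vendor's signature, this Python check classifies the first CCS record in a captured flow and shows why a resumed session can look like an early CCS to a naive rule. It assumes TLS 1.2 or earlier with unfragmented plaintext handshake records; `classify` and the sample flows are constructed for illustration.

```python
import struct

CCS, HANDSHAKE = 20, 22                      # TLS record content types
CLIENT_HELLO, SERVER_HELLO, CLIENT_KEY_EXCHANGE = 1, 2, 16

def records(buf):
    """Yield (content_type, payload) for each TLS record in buf."""
    off = 0
    while off + 5 <= len(buf):
        ctype, _version, length = struct.unpack_from("!BHH", buf, off)
        yield ctype, buf[off + 5:off + 5 + length]
        off += 5 + length

def handshake_msgs(payload):
    """Yield (msg_type, body) for each plaintext handshake message."""
    off = 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield payload[off], payload[off + 4:off + 4 + length]
        off += 4 + length

def classify(segments):
    """Judge the first ChangeCipherSpec in a flow (byte segments in arrival order)."""
    seen, sid = set(), {}
    for data in segments:
        for ctype, payload in records(data):
            if ctype == HANDSHAKE:
                for mtype, body in handshake_msgs(payload):
                    seen.add(mtype)
                    if mtype in (CLIENT_HELLO, SERVER_HELLO) and len(body) > 34:
                        # Both hellos: version(2) random(32) sid_len(1) sid
                        sid[mtype] = body[35:35 + body[34]]
            elif ctype == CCS:
                if CLIENT_KEY_EXCHANGE in seen:
                    return "ok"              # key exchange completed before CCS
                # Abbreviated handshake: server echoes the client's session ID
                resumed = sid.get(SERVER_HELLO) and sid[SERVER_HELLO] == sid.get(CLIENT_HELLO)
                return "ok-resumed" if resumed else "early-ccs"
    return "no-ccs"

# Constructed sample flows (minimal hellos: only the fields the parser reads).
def rec(ctype, payload): return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload
def hs(mtype, body): return rec(HANDSHAKE, bytes([mtype]) + len(body).to_bytes(3, "big") + body)
def hello(sid): return b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid

SID = b"S" * 32
FULL = [hs(1, hello(b"")), hs(2, hello(SID)), hs(16, b"\x00" * 4), rec(CCS, b"\x01")]
RESUMED = [hs(1, hello(SID)), hs(2, hello(SID)), rec(CCS, b"\x01")]
EARLY = [hs(1, hello(b"")), hs(2, hello(SID)), rec(CCS, b"\x01")]

if __name__ == "__main__":
    for name, flow in (("full", FULL), ("resumed", RESUMED), ("early", EARLY)):
        print(name, classify(flow))
```

Running the same classification over a capture of the gateway-to-Center traffic is one way to judge whether an IPS hit of this kind reflects a real out-of-order CCS before deciding to keep an exception in place.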