Azure ATP sensors open hundreds of TCP connections

Hi,

Starting November 25th, most of the sensors connected to the Azure ATP cloud service using a proxy went offline.

Our proxy/firewall setup is only allowing access to Europe (the specific URLs - Europe).

Ever since then, the Azure ATP sensor service is in a restarting state, without being able to start.

That wouldn't normally be a problem if, while trying to connect to the Azure cloud service, it didn't open like tens of connections to the proxy, all of them appearing with status time-out.

Later, we discovered that because of all of these initiated connections that never received a response back from the proxy, the domain controller stopped responding (dcdiag, authentication and replication fail).

Question: is this a normal behaviour of the agent (to consume all the ports while trying to reach the workspace in a context of non-responsive proxy)?

We were forced to kill the 2 processes, and set the 2 services to disabled and a ticket was raised with MS.

 

I was wondering if anyone experienced such issues, and/or if someone from Microsoft can tell me if this might be related to the issues reported on November 25th and 26th on https://health.atp.azure.com.

 

Thank you in advance!

 

1 Reply

@mcliviu, Hi,

This is not expected, although if you have a unique proxy setup it might have induced a state we did not expect. If correlated to the outage period, it might have been some kind of trigger, which I am interested to research, but so far I didn't see any other similar reports.

Did starting the sensor again after the outage was over still cause issues?

 

You mentioned you opened a ticket with support on this one.

Can you share with me in a private message the case #, or ask the support engineer to add me to the email thread?

 

Thanks,

 

Eli