cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Defender for Identity Sync Errors

FrancoisSalah
Copper Contributor

‎Oct 28 2022 04:50 AM

‎Oct 28 2022 04:50 AM

Defender for Identity Sync Errors

Hello All - I am getting the following error:

 

2022-10-28 11:09:42.8219 Error Socket SendReceiveAsync failed with socket exception [ipEndpoint=0.0.0.1:137 AddressFamily=InterNetwork] exceptionFormattedDetails=[NativeErrorCode=10051]
System.Net.Sockets.SocketException (0x80004005): A socket operation was attempted to an unreachable network
at int System.Net.Sockets.Socket.EndSendTo(IAsyncResult asyncResult)
at void Microsoft.Tri.Infrastructure.TaskExtension.AsyncCallback<TResult>(IAsyncResult asyncResult, Func<IAsyncResult, TResult> endMethod, TaskCompletionSource<TResult> taskCompletionSource)
at async Task<UdpReceiveResult> Microsoft.Tri.Common.UdpClientWrapper.SendReceiveAsync(IPEndPoint ipEndpoint, byte[] data)

 

This feels like a DNS thing. The sensor is installed on a DC and works fine. Showing as running in the portal.

1,218 Views
0 Likes
4 Replies
Reply
4 Replies
Eli Ofek

‎Oct 29 2022 01:50 PM

‎Oct 29 2022 01:50 PM

Re: Defender for Identity Sync Errors

This is a name resolution attempt over UDP/137 to address 0.0.0.1.
So this will happen if the DC got a network packet from this address.
The weird thing this is a reserved IANA range, probably for local host config or something.
I am not expecting this address to really respond on UDP/137.
But we are also not filtering the 0.0.0.0/8 range as effectively I don't think we saw actual traffic from there.
Is there anything running on the host that will initiate a connection from this special address ?
How often do you get this error?
Maybe capture a network trace to get more clues where is it coming from ?

Anyway, it shouldn't effect the sensor work.
1 Like
Reply
FrancoisSalah

‎Oct 31 2022 10:23 AM

‎Oct 31 2022 10:23 AM

Re: Defender for Identity Sync Errors

Thanks Eli - I get this error pretty much every hour from what I can see. I have ran PacketMon and captured the logs for over an hour but nothing has shown up with that address and yet when I look at the MS Tri Sensor log the error is still there.

I have even tested connectivity as per the MS website (https://learn.microsoft.com/en-us/defender-for-identity/configure-proxy) and it works fine. Not sure what is really going on.
0 Likes
Reply
FrancoisSalah

‎Nov 01 2022 02:48 AM

‎Nov 01 2022 02:48 AM

Re: Defender for Identity Sync Errors

Based on looking at the logs and the Defender portal, MDI is working fine. I noticed that 0.0.0.1 Endpoint was showing in the portal when I went to look at my sensitive devices as a device that could be added along with a number of other unknown devices.
0 Likes
Reply
Eli Ofek

‎Nov 03 2022 01:46 AM

‎Nov 03 2022 01:46 AM

Re: Defender for Identity Sync Errors

This shouldn't effect the sensor work.
0.0.0.1 is a local address, probably u sed by some software running on the machien itself, which explain why capturing won't see it.

The idea is to understand what on the machine uses this address... and to know it's legit.
0 Likes
Reply