Getting Error “internal service Error” when accessing the gateway externally

If we get this error, the first thing to check is whether the StoreFront FQDN or base URL can be resolved from the NetScaler.

If it cannot, add an A record for it in the NetScaler DNS.

Alternatively, use the IP address of the StoreFront server in the session profile, for example: https://10.10.10.10/citrix/SFWeb.

*Where 10.10.10.10 is our StoreFront IP and SF is our store name.

Also make sure that the SSO domain we add in the session profile is the same as the USERDOMAIN of the StoreFront server.

To check this, run the “set” command at the StoreFront command prompt and look at the USERDOMAIN field.

If we still get errors such as “Cannot complete your request”, check the LDAP profile.

It may have an entry such as “cn” in the SSO Name Attribute field.

Remove it.

The SSO Name Attribute is needed only in a multiple-domain environment, and in that case it should be set to “userPrincipalName”.
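The three checks above (StoreFront host resolvable or given as an IP, SSO domain equal to USERDOMAIN, SSO Name Attribute empty unless multi-domain) can be run against an ns.conf excerpt. This is an added example, not from the original note or from Citrix; the config lines, DNS records and domain names are constructed, and the NetScaler DNS is simulated by a dictionary:

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed ns.conf excerpt with the three misconfigurations the note describes
# (hypothetical names and addresses, not taken from the original page).
NS_CONF = """
add vpn sessionAction SF_PROF -wihome "https://storefront.corp.example/Citrix/SFWeb" -ntDomain corp.example
add authentication ldapAction LDAP_CORP -serverIP 10.10.10.20 -ldapBase "dc=corp,dc=example" -ssoNameAttribute cn
"""
# Simulated A records present in the NetScaler DNS (the StoreFront host is missing).
DNS_A_RECORDS = {"sf.corp.example": "10.10.10.10"}
# Value of the USERDOMAIN field printed by 'set' on the StoreFront server.
STOREFRONT_USERDOMAIN = "CORP"
MULTI_DOMAIN = False  # single-domain environment: ssoNameAttribute must be empty

def parse_param(line, name):
    """Return the value of a '-name value' or '-name "value"' CLI parameter, or None."""
    m = re.search(rf'-{re.escape(name)}\s+("([^"]*)"|(\S+))', line)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(3)

def check_gateway_config(conf, dns_records, userdomain, multi_domain):
    """Run the three checks from the note and return a list of findings."""
    findings = []
    for line in conf.splitlines():
        if line.startswith("add vpn sessionAction"):
            home = parse_param(line, "wihome")
            host = urlparse(home).hostname if home else None
            if host is None:
                findings.append("session profile has no StoreFront URL (-wihome)")
            else:
                try:
                    ipaddress.ip_address(host)      # IP literal: no DNS lookup needed
                except ValueError:
                    if host.lower() not in dns_records:
                        findings.append(f"StoreFront host {host} has no A record on the NetScaler")
            nt = parse_param(line, "ntDomain")
            if nt is None or nt.lower() != userdomain.lower():
                findings.append(f"SSO domain {nt!r} does not match StoreFront USERDOMAIN {userdomain!r}")
        elif line.startswith("add authentication ldapAction"):
            attr = parse_param(line, "ssoNameAttribute")
            if multi_domain and attr != "userPrincipalName":
                findings.append(f"multi-domain environment needs ssoNameAttribute userPrincipalName, found {attr!r}")
            elif not multi_domain and attr:
                findings.append(f"ssoNameAttribute {attr!r} is set in a single-domain environment; remove it")
    return findings
```

Calling check_gateway_config(NS_CONF, DNS_A_RECORDS, STOREFRONT_USERDOMAIN, MULTI_DOMAIN) on the sample returns one finding per misconfiguration; an empty list means the three checks pass.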


Cisco IOS XR Software NETCONF Over Secure Shell ACL Bypass Vulnerability

A vulnerability in the access-control logic of the NETCONF over Secure Shell (SSH) of Cisco IOS XR Software may allow connections despite an access control list (ACL) that is configured to deny access to the NETCONF over SSH of an affected device.

The vulnerability is due to a missing check in the NETCONF over SSH access control list (ACL). An attacker could exploit this vulnerability by connecting to an affected device using NETCONF over SSH. A successful exploit could allow the attacker to connect to the device on the NETCONF port. Valid credentials are required to access the device. This vulnerability does not affect connections to the default SSH process on the device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-iosxr-ssh-bypass

Security Impact Rating: Medium

CVE: CVE-2019-15998


Unable to edit Application Firewall Profile. Error: “communication error with aslearn”.

The learning database limit has been reached, as described at the link below:

“The learning database is limited to 20 MB in size, which is reached after approximately 2,000 learned rules or relaxations are generated per security check for which learning is enabled”

https://docs.citrix.com/en-us/netscaler/11-1/application-firewall/profiles/learning.html


Cisco FXOS and NX-OS Software Authenticated Simple Network Management Protocol Denial of Service Vulnerability

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly.

The vulnerability is due to improper validation of Abstract Syntax Notation One (ASN.1)-encoded variables in SNMP packets. An attacker could exploit this vulnerability by sending a crafted SNMP packet to the SNMP daemon on the affected device. A successful exploit could allow the attacker to cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-fxnxos-snmp-dos

This advisory is part of the August 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes five Cisco Security Advisories that describe five vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Security Impact Rating: High

CVE: CVE-2019-1963


Cisco NX-OS Software SNMP Access Control List Configuration Name Bypass Vulnerability

A vulnerability in the implementation of the Simple Network Management Protocol (SNMP) Access Control List (ACL) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to perform SNMP polling of an affected device, even if it is configured to deny SNMP traffic.

The vulnerability is due to an incorrect length check when the configured ACL name is the maximum length, which is 32 ASCII characters. An attacker could exploit this vulnerability by performing SNMP polling of an affected device. A successful exploit could allow the attacker to perform SNMP polling that should have been denied. The attacker has no control of the configuration of the SNMP ACL name.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-snmp-bypass

Security Impact Rating: Medium

CVE: CVE-2019-1969


Monitor for Load Balanced XML Servers Through NetScaler Fails with Error: “Ticket tag not found in response”

Users fail to log on several times a day, and the NetScaler XML monitor shows the following log entries:

19483 0 PPE-0 MonServiceBinding_10.20.30.13:8080_(http_xml)(svcg_xml?storefront01.example.com?8080): DOWN; Last response: Failure - TicketTag not found in the response. Sun Oct 17 04:36:17 2015
19493 7 PPE-0 MonServiceBinding_10.20.30.13:8080_(http_xml)(svcg_xml?storefront01.example.com?8080): UP; Last response: Success - TicketTag found in the response. Sun Oct 17 04:36:47 2015
19494 0 PPE-0 'server_serviceGroup_NSSVC_HTTP_10.20.30.13:8080(svcg_xml?storefront01.example.com?8080)' UP Sun Oct 17 04:36:47 2015
19496 0 PPE-0 'server_serviceGroup_NSSVC_HTTP_10.20.32.13:8080(svcg_xml?storefront02.example.com?8080)' DOWN Sun Oct 17 04:38:56 2015
19497 35 PPE-0 MonServiceBinding_10.20.30.13:8080_(http_xml)(svcg_xml?storefront01.example.com?8080): DOWN; Last response: Failure - TCP connection successful, but application timed out Sun Oct 17 04:39:34 2015
[…]
19508 14 PPE-0 MonServiceBinding_10.20.30.13:8080_(http_xml)(svcg_xml?storefront01.example.com?8080): UP; Last response: Success - TicketTag found in the response. Sun Oct 17 04:41:33 2015
19509 0 PPE-0 'server_serviceGroup_NSSVC_HTTP_10.20.30.13:8080(svcg_xml?storefront01.example.com?8080)' UP Sun Oct 17 04:41:33 2015

In NetScaler traces you can observe a reset being sent with reset code 9701.
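The monitor log above is easier to act on when the DOWN/UP transitions per service binding are counted in a time window, which separates a flapping back end from a single outage. This is an added example, not part of the original article or of NetScaler; the sample lines are constructed to match the entries shown above, and the 10-minute window and transition threshold are assumed values:

```python
import re
from collections import defaultdict
from datetime import datetime

# Monitor log entries constructed from the ones shown above; the
# 'server_serviceGroup' state line has no probe result and is skipped by the parser.
LOG_LINES = [
    "19483 0 PPE-0 MonServiceBinding_10.20.30.13:8080_(http_xml)(svcg_xml?storefront01.example.com?8080): DOWN; Last response: Failure - TicketTag not found in the response. Sun Oct 17 04:36:17 2015",
    "19493 7 PPE-0 MonServiceBinding_10.20.30.13:8080_(http_xml)(svcg_xml?storefront01.example.com?8080): UP; Last response: Success - TicketTag found in the response. Sun Oct 17 04:36:47 2015",
    "19494 0 PPE-0 'server_serviceGroup_NSSVC_HTTP_10.20.30.13:8080(svcg_xml?storefront01.example.com?8080)' UP Sun Oct 17 04:36:47 2015",
    "19497 35 PPE-0 MonServiceBinding_10.20.30.13:8080_(http_xml)(svcg_xml?storefront01.example.com?8080): DOWN; Last response: Failure - TCP connection successful, but application timed out Sun Oct 17 04:39:34 2015",
    "19508 14 PPE-0 MonServiceBinding_10.20.30.13:8080_(http_xml)(svcg_xml?storefront01.example.com?8080): UP; Last response: Success - TicketTag found in the response. Sun Oct 17 04:41:33 2015",
]

LINE_RE = re.compile(
    r"^(?P<seq>\d+) (?P<retries>\d+) PPE-\d+ MonServiceBinding_(?P<binding>\S+?): "
    r"(?P<state>UP|DOWN); Last response: (?P<reason>.+?) "
    r"(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})$")

def parse_monitor_lines(lines):
    """Parse MonServiceBinding probe results into dicts; non-probe lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "binding": m["binding"], "state": m["state"], "reason": m["reason"],
                "retries": int(m["retries"]),
                # drop the weekday token and parse 'Oct 17 04:36:17 2015'
                "time": datetime.strptime(m["ts"][4:], "%b %d %H:%M:%S %Y"),
            })
    return events

def find_flaps(events, window_minutes=10, min_transitions=2):
    """Report bindings whose state changed at least min_transitions times within window_minutes."""
    by_binding = defaultdict(list)
    for e in events:
        by_binding[e["binding"]].append(e)
    report = {}
    for binding, evs in by_binding.items():
        evs.sort(key=lambda e: e["time"])
        changes = [e for prev, e in zip(evs, evs[1:]) if e["state"] != prev["state"]]
        if len(changes) < min_transitions:
            continue
        span = (changes[-1]["time"] - changes[0]["time"]).total_seconds() / 60
        if span > window_minutes:
            continue
        report[binding] = {"transitions": len(changes), "span_minutes": round(span, 1),
                           "down_reasons": sorted({e["reason"] for e in evs if e["state"] == "DOWN"})}
    return report
```

On the sample, find_flaps(parse_monitor_lines(LOG_LINES)) reports the storefront01 binding with three transitions in under five minutes and lists both failure reasons, which is the pattern to look for before pulling a trace for the 9701 resets.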

9700 – NSDBG_RST_PASS

This code indicates that the NetScaler appliance received a TCP RST from either the client or the server and is passing it through. For example, the back-end server sends a RST, and the NetScaler appliance forwards it to the client with this code.

9701 – NSDBG_RST_NEST/NSDBG_RST_ACK_PASS

In NetScaler software release 9.1 and later, this code indicates that a RST was forwarded as with the preceding code 9700, and that the ACK flag was also set.


Cisco SD-WAN Solution Packet Filtering Bypass Vulnerability

A vulnerability in the packet filtering features of Cisco SD-WAN Solution could allow an unauthenticated, remote attacker to bypass L3 and L4 traffic filters.

The vulnerability is due to improper traffic filtering conditions on an affected device. An attacker could exploit this vulnerability by crafting a malicious TCP packet with specific characteristics and sending it to a target device. A successful exploit could allow the attacker to bypass the L3 and L4 traffic filters and inject an arbitrary packet in the network.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-sd-wan-bypass

Security Impact Rating: Medium

CVE: CVE-2019-1951


WSS SyncAPI – Download to Windows –> Syslog

I need a solution

Hi All

We are currently using Reporter to download the logs from WSS hourly, and have created a script to extract the files for ingestion by nxlog, which sends them to our syslog server. I am aware that there is the SyncAPI option that allows more granular downloads. Does anyone know of a program similar to Reporter, or have a PowerShell script / other script that we can use to perform this download?

Found an article for Linux (https://www.symantec.com/connect/forums/wss-syncapi-inquiry) but ideally want Windows.



“show techsupport” fails to execute in admin partition with error “Not authorized to execute this command”

This behavior is expected. For security reasons, NetScaler blocks all non-CLI commands for a partition user inside a partition.

The show techsupport command works by executing the Perl script shown below. Since a partition user cannot run any non-CLI command inside a partition, it cannot run show techsupport either.

root@NS11# ls -l /netscaler/showtechsupport.pl

-r-xr-xr-x 1 root wheel 124927 Feb 27 18:11 /netscaler/showtechsupport.pl
