Category Archives: AVAYA

Avaya Contact Center Agent Desktop Display Quietly Crashing

Leave a reply

869352_72885464I thought I would share this story… it’s another story of “it’s the network’s fault” when in reality it really has nothing to-do with the network but it falls to the network engineers and consultants to prove the point beyond a reasonable doubt.

I can’t tell you how it irks me to hear people say “it’s the networks fault” when they have absolutely no clue as to how anything works and have no data to support their wild claims. I would think a lot more of them if they just said, “I’m sorry, I haven’t got a frigging clue what’s happening here but can you help me?” And of course the problem always needs to be resolved yesterday as if the building itself was on fire.

We have multiple Avaya Aura Contact Center (formerly Nortel Symposium) installations. At one of these locations we began receiving trouble tickets that the Agent Desktop Display (ADD) which is a small software application that listens to a Multicast stream and displays a ticker tape banner showing the contact center queue details was quietly closing after only a few minutes of running on the local desktop/laptop. The local telecom technician verified that the problem only occurred on a specific floor, the users on the other floors had no issues or problems. A quick check of the core Avaya Ethernet Routing Switch 8600 and edge Avaya Ethernet Routing Switch 5520s indicated that IGMP and PIM were configured and working properly.

Note:A few years back now I detailed how to configure IGMP, DVMRP and PIM for Multicast routing.

I asked the local telecom technician to perform a packet trace so I could see what was happening on the wire. The packet trace indicated that the desktop/laptop was issuing an IGMP leave request and was closing the HTTP/TCP socket it had open to the web server so that was proof enough for me that the application was silently crashing and the operating system was cleaning up all the open ports and IGMP sessions.

6376 2013-05-16 07:47:46.052281 10.1.46.144 10.1.38.55 TCP     54   3317 > 80 [RST, ACK] Seq=4467 Ack=10430 Win=0 Len=0
6377 2013-05-16 07:47:46.052595 10.1.46.144 224.0.0.2  IGMPv2  46   Leave Group 230.0.0.2

The actual Multicast stream from the application/web server was fine;

6353	2013-05-16 07:47:43.995183	10.1.38.55	230.0.0.2	UDP	511	Source port: 1031  Destination port: 7040
6354	2013-05-16 07:47:43.995502	10.1.38.55	230.0.0.2	UDP	502	Source port: 1025  Destination port: 7050
6355	2013-05-16 07:47:43.995885	10.1.38.55	230.0.0.2	UDP	813	Source port: 1026  Destination port: 7030
6356	2013-05-16 07:47:43.996301	10.1.38.55	230.0.0.2	UDP	860	Source port: 1032  Destination port: 7020
6357	2013-05-16 07:47:43.996505	10.1.38.55	230.0.0.2	UDP	343	Source port: 1033  Destination port: 7060
6358	2013-05-16 07:47:43.996726	10.1.38.55	230.0.0.2	UDP	331	Source port: 1027  Destination port: 7070
6359	2013-05-16 07:47:43.996886	10.1.38.55	230.0.0.2	UDP	153	Source port: 1028  Destination port: 7110
6360	2013-05-16 07:47:43.997048	10.1.38.55	230.0.0.2	UDP	153	Source port: 1034  Destination port: 7100
6361	2013-05-16 07:47:43.997199	10.1.38.55	230.0.0.2	UDP	135	Source port: 1030  Destination port: 7090
6362	2013-05-16 07:47:43.997371	10.1.38.55	230.0.0.2	UDP	135	Source port: 1036  Destination port: 7080
6363	2013-05-16 07:47:43.997525	10.1.38.55	230.0.0.2	UDP	127	Source port: 1035  Destination port: 7120
6364	2013-05-16 07:47:43.997647	10.1.38.55	230.0.0.2	UDP	127	Source port: 1029  Destination port: 7130

The packet trace did show some odd UDP broadcast traffic from one specific desktop that happen to be running GE’s Centricity Perinatal (CPN). This is a software application used to monitor Labor & Delivery, the Nursery and the NICU. We use it to actually monitor, chart and graph the strips put out by the fetal monitors. There’s a software component of the GE CPN solution called B-Relay which is the piece of software that floods the VLAN with all those UDP broadcasts. Unfortunately this UDP flooding is by design and is required for the application to function properly.

6205	2013-05-16 07:47:26.710685	10.1.47.210	10.1.47.255	UDP	251	Source port: 1759  Destination port: 7005
6206	2013-05-16 07:47:26.853810	10.1.47.210	10.1.47.255	UDP	822	Source port: 1760  Destination port: 7043
6211	2013-05-16 07:47:28.215486	10.1.47.210	10.1.47.255	UDP	60	Source port: 1783  Destination port: 7013

Looking at the packet traces I quickly noticed that while there are multiple destination ports they are overlapping between 7001 and 7999. I would theorize that the GE CPN software was eventually hitting a UDP port that the ADD software was listening on and since it was a broadcast packet it tried to process the data and was quietly choking and crashing. I shutdown the Ethernet port connecting the GE CPN desktop and had the local telecom technician run his test again. He called back about 30 minutes later to let me know that everything was working fine and that whatever I had done had fixed the problem. Well it wasn’t really fixed because now I had to figure out how to get both applications to co-exist.

The solution was to isolate the GE CPN desktops to their own VLAN so that the UDP broadcasts wouldn’t hit the closet VLAN where the Contact Center users resided. Another possible solution might have been to try and change the UDP ports that either GE CPN or Avaya ADD software was using but that change would have probably taken weeks if not months. I was able to spin up a new VLAN in about 30 minutes and get everyone back up and running again.

Have you got a story to share? I’d love to hear it!

Cheers!

Avaya Ethernet Routing Switch 4800 – SNMP MIBS

1 Reply

AvayaERS4850GTS-EDMWe recently installed quite a few Ethernet Routing Switch 4850GTS-PWR+ switches into our network. Since we have quite a few custom home grown applications and scripts that perform backups, idle port reports, etc. I usually need to add the sysObjectID to the list of supported devices and due some quick tests to make sure that everything works properly with the new switch model.

This time around though I quickly found that the sysObjectIDs for the ERS 4800 series switches were missing from SYNTOPICS-ROOT-MIB contained in the most recent software release, v5.6.2.

I received confirmation this morning from Avaya that the SNMP MIBS are missing the proper information and as released don’t include any of the actual sysObjectID OIDs for the Ethernet Routing Switch 4800 switch models.

You can find an updated copy of the SYNOPTICS-ROOT-MIB here. Just replace this file with the SYNOPTICS-ROOT-MIB.mib that is included in the 5.6.2 software release.

You’ll notice that also included are the VSP 7000 and Ethernet Routing Switch 3500 series switches.

This SNMP MIB includes support for the following OIDs;

-- ERS 48xx Series
sreg-ERS-48xx OBJECT IDENTIFIER ::= { registration 78 }
sreg-ERS-4826GTS-PWR-PLUS  OBJECT IDENTIFIER ::= { sreg-ERS-48xx 1 }
sreg-ERS-4850GTS-PWR-PLUS  OBJECT IDENTIFIER ::= { sreg-ERS-48xx 2 }
sreg-ERS-4826GTS           OBJECT IDENTIFIER ::= { sreg-ERS-48xx 3 }
sreg-ERS-4850GTS           OBJECT IDENTIFIER ::= { sreg-ERS-48xx 4 }

-- VSP 7xxx Series
sreg-VSP-7xxx OBJECT IDENTIFIER ::= { registration 79 }
sreg-VSP-7024XLS  OBJECT IDENTIFIER ::= { sreg-VSP-7xxx 1 }

-- ERS 35xx Series
sreg-ERS-35xx OBJECT IDENTIFIER ::= { registration 80 }
sreg-ERS-3526T              OBJECT IDENTIFIER ::= { sreg-ERS-35xx 1 }
sreg-ERS-3526T-PWR-PLUS     OBJECT IDENTIFIER ::= { sreg-ERS-35xx 2 }
sreg-ERS-3524GT             OBJECT IDENTIFIER ::= { sreg-ERS-35xx 3 }
sreg-ERS-3524GT-PWR-PLUS    OBJECT IDENTIFIER ::= { sreg-ERS-35xx 4 }
sreg-ERS-3510GT             OBJECT IDENTIFIER ::= { sreg-ERS-35xx 5 }
sreg-ERS-3510GT-PWR-PLUS    OBJECT IDENTIFIER ::= { sreg-ERS-35xx 6 }

Cheers!

Avaya Innovations Twitter account hijacked

Leave a reply

Over the weekend I received a curious direct message on Twitter from @AvayaInnovations with the following text, “Did you see this funny pic of you? lol! bit.ly/XSzado”.

WebForgery2

I didn’t attend the recent Avaya Technology Forums in Florida or any other official event recently so the message immediately raised my suspicions such that I left the message alone until this morning. A quick search via the Internet revealed that I wasn’t the only person to receive this curious message. That said I could certainly see more than a few people believing the message to be genuine if they had some interaction with an Avaya employee or partner at the ATF or any other official function or venue which we hear about weekly from this same Twitter account.

WebForgeryI decided to pursue the actual HTTP link and see where it went. The original link was from Bit.ly which is a link shortening service. These services popped up overnight with the success of Twitter and social networking sites like Facebook to help save space and characters. Unfortunately they have a significant security downfall, in that you don’t really know where the link goes until you actually visit it. See the story by David Weiss entitled, “The Security Implications of URL Shortening Services” for a good explanation. The link from Bit.ly relayed me to twpitter.com which was immediately reported as a web forgery on Mozilla’s Firefox. Mozilla’s Firefox 3 and later incorporates built-in Malware and Phishing protection in participation with Google.

The name of the site was itself very suspicious, twpitter.com. Having a quick look at the WHOIS database told me all that I needed to know.

[Querying whois.verisign-grs.com]
[Redirected to grs-whois.hichina.com]
[Querying grs-whois.hichina.com]
[grs-whois.hichina.com]
Domain Name ..................... twpitter.com
Name Server ..................... dns9.hichina.com
dns10.hichina.com
Registrant ID ................... hc292727277-cn
Registrant Name ................. yong yi
Registrant Organization ......... yi yong
Registrant Address .............. Shang Hai City
Registrant City ................. Shang Hai
Registrant Province/State ....... Shang Hai
Registrant Postal Code .......... 200000
Registrant Country Code ......... CN
Registrant Email ................ liwei553@hotmail.com
Administrative ID ............... hc292727277-cn
Administrative Name ............. yong yi
Administrative Organization ..... yi yong
Administrative Address .......... Shang Hai City
Administrative City ............. Shang Hai
Administrative Province/State ... Shang Hai
Administrative Postal Code ...... 200000
Administrative Country Code ..... CN
Administrative Email ............ liwei553@hotmail.com
Billing ID ...................... hc292727277-cn
Billing Name .................... yong yi
Billing Organization ............ yi yong
Billing Address ................. Shang Hai City
Billing City .................... Shang Hai
Billing Province/State .......... Shang Hai
Billing Postal Code ............. 200000
Billing Country Code ............ CN
Billing Email ................... liwei553@hotmail.com
Technical ID .................... hc292727277-cn
Technical Name .................. yong yi
Technical Organization .......... yi yong
Technical Address ............... Shang Hai City
Technical City .................. Shang Hai
Technical Province/State ........ Shang Hai
Technical Postal Code ........... 200000
Technical Country Code .......... CN
Technical Email ................. liwei553@hotmail.com
Expiration Date ................. 2014-03-09 01:42:03

Looks like the miscreants are up to their old tricks, although you can’t really trust WHOIS either.

Later in the afternoon I received a follow-up  tweet from an Avaya employee;

WebForgery3

This is the new attack vector of the miscreants, utilizing trusted sources for spreading their wares. This includes trusted websites along with email and twitter contacts. I was disappointed that I didn’t receive any follow-up from either Avaya or Avaya Innovations. Normally I wouldn’t bother writing a post up about such a trivial matter but I got the impression that Avaya or whoever is managing the Avaya Innovations account was just going to ignore it entirely and pretend that it never happened. Well it did happen and you put our followers at risk! Avaya should at a minimum inform all those users of the issue and provide advice if they happened to visit the link before it was blocked. I took the action of reporting the link to Bit.ly via email.

Cheers!