Since we have started testing Jabber for iPhone we have been seeing some odd RTMT alerts from CallManager. However, things seem to be working without issue.
We see quite a few of these throughout the day. IP address referenced in the alert is from a registered iPhone (Standard Dual Mode Phone for iPhone) device.
At Wed May 30 10:45:51 EDT 2012 on node callmanager2, the following SyslogSeverityMatchFound events generated:
SeverityMatch : Critical
MatchedEvent : May 30 10:45:21 callmanager2 local4 2 : 143: callmanager2: May 30 2012 10:45:21.609 -0400: %CSA-2-EVENT_SHIELD_DENY: %[PID=14803][component=CiscoSecurityAgent] : A packet with a bad transport layer header was detected. Reason: Illegal TCP flag combination. TCP: 10.5.22.131/54077->10.5.9.26/5060, flags 0x01. The operation was denied. [rule 819] AppID : Cisco Syslog Agent ClusterID :
NodeID : callmanager2
TimeStamp : Wed May 30 10:45:21 EDT 2012
Also, we see quite a few of these throughout the day. A closer look at the logs shows that it is just one TCT device that is un-registering and registering.
Number of registered phones in the cluster drop more than configured percentage between consecutive polls. . Configured high threshold is 10 % Current monitored precanned object has decreased by 88 percent.
The alert is generated on Wed May 30 11:06:51 EDT 2012 on cluster StandAloneCluster.
Immediately followed by
Number of registered Media Devices increased in consecutive polls.
Current monitored precanned object has increased by 10 The alert is generated on Wed May 30 11:07:21 EDT 2012 on cluster StandAloneCluster.
I get the identical messages randomly from both CUCM and UCON. The only thing I have been able to figure out is it seems to happen when a user roams on and off the internal WiFi. The IP addresses in the messages are always the "public" IP on the iPhone cellular data interface.
I would love to find a solution as well. Any experts out there?
When the iPhone roams between WiFi routers, it will set the ACK, FIN, and RST flags for TCP connections. Which when the CUCM server receives this, it flags it as an invalid TCP flag combination (because it is).
The errors on the CUCM are benign and can be ignored, and I'm not aware of any cases open with Apple to modify this behavior of their TCP stack.
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...
The below trick might come handy when you have to add a new node to a cluster but you don't have or is unsure of the security password for the publisher. This procedure has been around for ages.
1) Login into the CLI of the Publisher.