Multiple Event ID 14498 and 14425 Messages

  • Question

  • Hello,

    For some reason, the Lync Front-End server event logs are being spammed with Event ID 14498 and 14425 messages from users' client machines. I am unable to determine the cause of this. I've checked the certificates and they are correctly assigned. The Root CA and Issuing CA certs are also in the correct places on the front-end servers. It seems like the clients are trying to get presence info for people in the user's Outlook contacts.

    Any help would be appreciated.

    Thanks,

    PK

    Below is the detail of the messages:

    EVENT ID 14425

    Many security events have been identified by the proxy stack.

    In the past 0 seconds, 30 security events have been identified by the proxy stack. A large number of security events could indicate that the server is under attack. The last event was:

    $$begin_record

    LogType: security

    Text: The received sequence number is invalid. The sequence number could be too old.

    Result-Code: 0xc3e93ed6 SIP_E_AUTH_INVALID_SEQUENCE

    SIP-Start-Line: SUBSCRIBE sip:external.user@externaldomain.com SIP/2.0

    SIP-Call-ID: 7385ed62b6af427f88a5e797793f68e7

    SIP-CSeq: 1 SUBSCRIBE

    $$end_record

    Cause: The server may be under attack, or there might be a configuration problem that is causing errors.

    Resolution:

    Launch the Lync Server 2010 Logging Tool. Select the "SIPStack" component, the "Errors" level and the TF_SECURITY flag. Review the events reported to the trace log using the "Analyze Log Files" feature of the logging tool.

    EVENT ID 14498

    A significant number of authentication or authorization failures have occurred on messages for the account user@SIPDomain.com and the first attempt was from the IP address 2.2.2.2(Client IP). 30 failures have been identified in the last 17 minutes. There have been 30 errors in total. Note: the user uri might have been truncated to 64 characters.

    Resolution:

    It is recommended that this IP address be examined to determine if it should be blocked at the firewall to prevent password guessing attacks. This account may also be worth blocking with a script on the Access Edge Server to prevent continued attacks against it.

    Wednesday, October 24, 2012 10:26 PM
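
The two event formats quoted in the question can be summarised to separate a client-side sequence-number problem from the password-guessing pattern the 14498 text warns about. The following Python is an added example, not part of the original thread or of the Lync tooling; it assumes the events were exported as (event ID, message text) pairs, the function names are hypothetical, and the sample accounts, addresses and Call-IDs are constructed placeholders.

```python
import re
from collections import Counter

RECORD_RE = re.compile(r"\$\$begin_record(.*?)\$\$end_record", re.S)
FIELD_RE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$", re.M)
AUTH_RE = re.compile(r"account (\S+) and the first attempt was from the IP address "
                     r"(\d+(?:\.\d+){3}).*?(\d+) failures", re.S)

def parse_14425(message):
    """Return one field dict per $$begin_record/$$end_record block."""
    return [dict(FIELD_RE.findall(body)) for body in RECORD_RE.findall(message)]

def parse_14498(message):
    """Extract account, first source IPv4 address and failure count, or None."""
    m = AUTH_RE.search(message)
    return {"account": m[1], "ip": m[2], "failures": int(m[3])} if m else None

def triage(events):
    """Summarise (event_id, message) pairs exported from the front-end event log."""
    codes, methods, per_ip = Counter(), Counter(), {}
    for event_id, message in events:
        if event_id == 14425:
            for rec in parse_14425(message):
                codes[rec.get("Result-Code", "?").split()[-1]] += 1
                methods[rec.get("SIP-Start-Line", "?").split()[0]] += 1
        elif event_id == 14498 and (hit := parse_14498(message)):
            per_ip.setdefault(hit["ip"], set()).add(hit["account"])
    # One address failing for several accounts matches the password-guessing pattern
    # in the 14498 text; one account per address points at a single client instead.
    multi = sorted(ip for ip, accounts in per_ip.items() if len(accounts) > 1)
    return {"codes": dict(codes), "methods": dict(methods), "multi_account_ips": multi}

# Constructed sample messages in the format quoted in the question (placeholders only).
RECORD = """In the past 0 seconds, 30 security events have been identified.
$$begin_record
LogType: security
Result-Code: 0xc3e93ed6 SIP_E_AUTH_INVALID_SEQUENCE
SIP-Start-Line: SUBSCRIBE sip:contact@example.net SIP/2.0
SIP-Call-ID: 00000000000000000000000000000001
SIP-CSeq: 1 SUBSCRIBE
$$end_record"""
AUTH = ("failures have occurred on messages for the account {} and the first "
        "attempt was from the IP address {}. 30 failures have been identified")
SAMPLE = [(14425, RECORD), (14425, RECORD),
          (14498, AUTH.format("user1@example.com", "192.0.2.10")),
          (14498, AUTH.format("user2@example.com", "192.0.2.10")),
          (14498, AUTH.format("user3@example.com", "198.51.100.7"))]

print(triage(SAMPLE))
```

A summary dominated by `SIP_E_AUTH_INVALID_SEQUENCE` on `SUBSCRIBE` with no multi-account addresses is consistent with the presence-subscription behaviour described in the question rather than with many accounts being tried from one source.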

All replies

  • Will this issue happen if you block this IP address at the firewall?

    If the client fails to get presence info for people in the user’s Outlook contacts, please try the methods displayed in the following link.

    http://support.microsoft.com/kb/2464556

    Friday, October 26, 2012 7:21 AM
    Moderator
  • Hi, did you get to the bottom of this? We are having the same issue.

    Thanks 

    Thursday, April 17, 2014 3:49 PM