Hyper-V WAN Replication Blocked by IDS

JohnT
Getting noticed

Hi Everyone,

I'm wondering if anyone else has run across this problem before. I have been noticing that my Hyper-V servers have been triggering the Meraki IDS system periodically when they replicate over the WAN. When I inspected the packets that triggered the IDS, they were full of what appeared to be some sort of malware. I was initially very nervous, but it just didn't seem to add up and probably wasn't what it appeared to be. After further investigation I discovered that the IDS alerts would trigger just a few minutes after a Windows Defender update on one of my virtual machines. The Windows Defender definition updates on a virtual machine would trigger replication, and then the Meraki IDS would intercept the replication packets over port 80 and block them. I decided to configure replication to happen over 443 instead of 80 and now the IDS alerts have stopped.

Has anyone else seen this happen before?  Meraki support says that they have never heard of this happening.  I can't think I'm the only one. 

PhilipDAth
Kind of a big deal

Are you able to change the topology so the replication traffic goes directly between the servers and not through the MX?

JohnT
Getting noticed

Meraki provides the site-to-site VPN connection for my DR site, so unfortunately it's my only option. However, I was able to solve the problem by changing the replication to transfer over port 443 instead of 80 to avoid packet inspection. I just thought it was such a strange and interesting problem and maybe someone could benefit from this post.
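
The timing pattern described in this thread (IDS alerts on port 80 a few minutes after a Defender definition update on a replicated VM) can be checked against logs before deciding an alert is a false positive. The script below is an added example, not part of the original thread; the host names, VM names, timestamps and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: (VM name, time a Defender definition update finished).
DEFENDER_UPDATES = [
    ("vm-app01", "2024-03-04 02:14:10"),
    ("vm-sql01", "2024-03-04 14:31:55"),
    ("vm-app01", "2024-03-05 02:16:42"),
]

# Constructed sample data: (alert time, Hyper-V source host, destination port).
IDS_ALERTS = [
    ("2024-03-04 02:17:03", "hv-host1", 80),
    ("2024-03-04 09:45:30", "hv-host1", 80),
    ("2024-03-04 14:36:20", "hv-host1", 80),
    ("2024-03-05 02:40:00", "hv-host1", 80),
]

def correlate(alerts, updates, window_minutes=10, port=80):
    """Pair each IDS alert on `port` with the closest Defender update that
    finished at most `window_minutes` before it.
    Returns (explained, unexplained)."""
    window = timedelta(minutes=window_minutes)
    parsed = sorted((datetime.strptime(t, FMT), vm) for vm, t in updates)
    explained, unexplained = [], []
    for ts, host, dport in alerts:
        when = datetime.strptime(ts, FMT)
        # Only updates that precede the alert and fall inside the window count.
        prior = [(u, vm) for u, vm in parsed
                 if dport == port and timedelta(0) <= when - u <= window]
        if prior:
            u, vm = prior[-1]  # list is sorted, so the last one is the closest
            explained.append((ts, host, vm, int((when - u).total_seconds())))
        else:
            # No matching update: treat as a real alert until shown otherwise.
            unexplained.append((ts, host))
    return explained, unexplained

if __name__ == "__main__":
    hits, misses = correlate(IDS_ALERTS, DEFENDER_UPDATES)
    for ts, host, vm, lag in hits:
        print(f"{ts} {host}: {lag}s after Defender update on {vm}")
    for ts, host in misses:
        print(f"{ts} {host}: no preceding update, investigate separately")
```

Alerts left in the unexplained list have no definition update close enough to account for them and should be triaged as ordinary IDS hits.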
