Meraki

Community

Microsoft Teams - L7 country blocking acted up a bit weird today (did it do so for anyone else) ?

Solved
thomasthomsen
Kind of a big deal
‎Aug 12 2024 7:13 AM
‎Aug 12 2024 7:13 AM

Microsoft Teams - L7 country blocking acted up a bit weird today (did it do so for anyone else) ?

We had a fun problem today.

This morning Microsoft teams acted up very strange, seemed online, but we could not send messages, or call anyone.

No update of the MXs in the environment had been done, and they are running different releases.

 

Pinging teams.microsoft.com you got no reply, and a packet-capture on the LAN side of the firewall said that all SYN's toward that resolved IP (52.123.128.14) was only replied with RST.

Capturing packets on the WAN side towards 52.123.128.14, nothing, so it was pretty clear that the MX was the one "eating" these packets.

 

To begin with I suspected content filtering, because the site we started to troubleshoot was running an old MX software 18.1xx.x, and I have some experience here where content filtering was doing "something wrong(tm)".

But we then had reports of other sites, where luckily they where running a 18.2xx.x, and here the firewall log feature told us that traffic was being blocked by L7 rules.

The only L7 rules the customer uses are country filtering, but the same list on all sites. Removing the list, problem solved.

We are now trying to figure out what this IP has now been "assigned to". It should be US, that is not blocked in the list, but clearly something has happened.

 

I dont even know who maintains the country list on MX ... Talos ?

 

/Thomas

1 Accepted Solution
Malwina
Meraki Employee
Meraki Employee
‎Aug 12 2024 10:56 PM
‎Aug 12 2024 10:56 PM

Hi All! Maxmind has released a new list with an update for the two Microsoft ranges.

MXs should now have the new list with the corrections. 

View solution in original post

14 Replies 14
thomasthomsen
Kind of a big deal
‎Aug 12 2024 7:17 AM
‎Aug 12 2024 7:17 AM

The country that it was block on was : "Qatar"

NordOps
Getting noticed
‎Aug 12 2024 7:31 AM
‎Aug 12 2024 7:31 AM

Thanks!

0 Kudos
MannyElPollo
Here to help
‎Aug 12 2024 7:53 AM
‎Aug 12 2024 7:53 AM

Hey Thomas,

 

Certainly- had some of our clients that are OPEN on Sunday's experience this-

 

COUNTRY = QATAR

 

We opened a meraki case "12051425" which per ticket notes a request has been made to MaxMind to fix the country flagging (MaxMind is used by Meraki GeoIP)

In response to MannyElPollo
thomasthomsen
Kind of a big deal
‎Aug 12 2024 8:28 AM
‎Aug 12 2024 8:28 AM

Thanks for the info, that was one of the providers I did not know Meraki was using.

0 Kudos
thomasthomsen
Kind of a big deal
‎Aug 12 2024 8:34 AM
‎Aug 12 2024 8:34 AM

PS: I immediately wish for the Firewall log feature to tell me WHAT L7 rule / country (in this instance) the block is coming from 🙂

In response to thomasthomsen
CWHLOUKY
Conversationalist
‎Aug 12 2024 10:25 AM
‎Aug 12 2024 10:25 AM

Oh to dream...  That and fixing it so we can choose the order a device is named to fix the mDNS naming issue they created a couple of years ago, 

0 Kudos
In response to thomasthomsen
MannyElPollo
Here to help
‎Aug 12 2024 11:14 AM
‎Aug 12 2024 11:14 AM

Hehehe- COMPLETELY AGREE- still shocked L7 firewall events do NOT get logged 😕

 

One thing you can do (after firmware v18+ if recall correctly) is use the TOOLS > FIREWALL 

 

And you can filter a host to see what gets blocked/etc. sometimes helps 🙂

MannyElPollo_0-1723486456394.png

 

 

Thanks!

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 12 2024 1:53 PM
‎Aug 12 2024 1:53 PM

Sometimes this can be caused by ISP routing.  The normal path to teams.microsoft.com is not available (for example), and it gets routed to the next closest, which is in another country.

 

Sometimes you get actual attacks, like BGP Hijacking, to divert traffic via another country.

https://news.sophos.com/en-us/2018/10/30/china-hijacking-internet-traffic-using-bgp-claim-researcher...

 

 

It is not clear from the information wether this block was correct or not, because you don't mention in what country your access to teams.microsoft.com was being served by.  You would have needed to do a minimum of a traceroute at the time to check.

0 Kudos
In response to PhilipDAth
MannyElPollo
Here to help
‎Aug 23 2024 6:17 AM
‎Aug 23 2024 6:17 AM

Thanks for info-

 

RE country = USA 

0 Kudos
Malwina
Meraki Employee
Meraki Employee
‎Aug 12 2024 10:56 PM
‎Aug 12 2024 10:56 PM

Hi All! Maxmind has released a new list with an update for the two Microsoft ranges.

MXs should now have the new list with the corrections. 

In response to Malwina
dlevasseur
Comes here often
‎Aug 13 2024 6:11 AM
‎Aug 13 2024 6:11 AM

Confirmed.  I didn't apply the changes because nobody cares about Teams except those that send us Teams meetings.  Today all is good.

0 Kudos
SwissAmi
Here to help
‎Aug 13 2024 2:25 AM
‎Aug 13 2024 2:25 AM

Hello Thomasthomsen,

Just to confirm: What a strange coincidence! I experienced the exact same behavior and the problem was that Meraki (or Maxmind) was detecting the IP addresses for Microsoft Teams in Qatar.

Greetings

Keristopa
New here
‎Aug 13 2024 7:49 PM
‎Aug 13 2024 7:49 PM

Is there a way for us to replace the current IP geolocation database with IP2Location, which is known for its higher accuracy?

0 Kudos
In response to Keristopa
MannyElPollo
Here to help
‎Aug 23 2024 6:19 AM
‎Aug 23 2024 6:19 AM

Curious on this btw-

 

Don't think "we" consumers get a choice on this

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.