There were one hundred TLS negotiations failures with incoming connections with the following remote peer on the Mediation Server Trunk side TLS endpoint.
A Trunk may not be configured correctly, for example the Trunk peer may not be configured to send connections to the port Mediation Server is listening to. If this event fires multiple times in a short period for the same remote peer, the connections from this peer can be malicious connection attempts.
Check the Mediation Server and the Trunk server's certificates are configured correctly. Check if the MEDIATIONSERVER_MAJOR_CONFIGURATION_ALARM (Event ID: 25057) has been fired. Check whether the remote endpoint a known peer.
Target | Microsoft.LS.2013.Component.MediationServer | ||
Category | EventCollection | ||
Enabled | True | ||
Event_ID | 25087 | ||
Event Source | LS Mediation Server | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Low | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | Lync Server |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
CollectEvent | DataSource | Microsoft.Windows.EventProvider | Default |
WriteAlert | WriteAction | System.Health.GenerateAlert | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
WriteToDW | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishEventData | Default |
<Rule ID="Microsoft.LS.2013.Monitoring.Rule.InfoEvent.MediationServer.MEDIATIONSERVER_ONE_HUNDRED_INCOMING_GATEWAY_TLS_NEGOTIATION_FAILED" Enabled="true" Target="Microsoft.LS.2013.Component.MediationServer" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="CollectEvent" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Lync Server</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">LS Mediation Server</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">25087</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>0</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="Alert_There_were_one_hundred_TLS_negotiations_failures_with_incoming_connections_with_the_following_remote_peer_on_the_Mediation_Server_Trunk_side_TLS_endpoint."]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/PublisherName$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
</WriteAction>
<WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
</WriteActions>
</Rule>