WAF - AH00898: Error reading from remote server returned by /Microsoft-Server-ActiveSync

Hi All,

Not having any problems with the Active Sync Clients but noticing a lot of issues filling up the WAF logs every few minutes... wanted to check what the issue is?


 

 

 

 

httpd[3749]: [proxy_http:error] [pid 3749:tid 4103859056] (70007)The timeout specified has expired: [client 209.XXX.XXX.XXX:3622] AH01102: error reading status line from remote server 10.XXX.XXX.103:443
 
httpd[3749]: [proxy:error] [pid 3749:tid 4103859056] [client 209.XXX.XXX.XXX:3622] AH00898: Error reading from remote server returned by /Microsoft-Server-ActiveSync
 
httpd: id="0299" srcip="209.XXX.XXX.XXX" localip="162.XXX.XXX.XXX" size="434" user="-" host="209.XXX.XXX.XXX" method="POST" statuscode="502" reason="-" extra="-" exceptions="SkipURLHardening" time="300143092" url="/Microsoft-Server-ActiveSync" server="mail.XXXXXXXXXX.COM" port="443" query="?Cmd=Ping&User=DOMAIN%5CUSERID&DeviceId=SEC14140F09XXXX&DeviceType=SamsungDevice" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XUwdYqL3eg4AAA6lpigAAAAD"
 
httpd: id="0299" srcip="209.XXX.XXX.XXX" localip="162.XXX.XXX.XXX" size="46" user="-" host="209.XXX.XXX.XXX" method="POST" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening" time="218352129" url="/Microsoft-Server-ActiveSync" server="mail.XXXXXXXXXX.COM" port="443" query="?Cmd=Ping&User=DOMAIN%5CUSERID&DeviceId=SEC14140F0XXXX&DeviceType=SamsungDevice" referer="-" cookie="-" set-cookie="X-BackEndCookie=S-1-5-21-3768258204-2388712022-2097333300-1156=u56Lnp2ejJqBnJ3MmpnGzszSnpzPmtLLz8rK0p3Hm57Szs/Ix53Ny57OyZydgYHNz87G0s/G0s/Iq87Mxc7OxcvG; expires=Sat, 07-Sep-2019 13:11:49 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XUweoqL3eg4AAA6lpiwAAAAv"
 
id="0299" srcip="209.XXX.XXX.XXX" localip="162.XXX.XXX.XXX" size="1580" user="-" host="209.XXX.XXX.XXX" method="POST" statuscode="200" reason="-" extra="-" exceptions="SkipURLHardening" time="366303" url="/Microsoft-Server-ActiveSync" server="mail.XXXXXXXXXX.COM" port="443" query="?Cmd=Sync&User=DOMAIN%5CUSERID&DeviceId=SEC14140F09XXXXX&DeviceType=SamsungDevice" referer="-" cookie="-" set-cookie="X-BackEndCookie=S-1-5-21-3768258204-2388712022-2097333300-1156=u56Lnp2ejJqBnJ3MmpnGzszSnpzPmtLLz8rK0p3Hm57Szs/Ix53Ny57OyZydgYHNz87G0s/G0s/Iq87Mxc7OxcrO; expires=Sat, 07-Sep-2019 13:11:51 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XUwffqL3eg4AAA6lpi0AAAAw"
 
 

 
  • Salut and welcome to the UTM Community!

    Please show several contiguous, complete log lines ending with the one above that has statuscode="504" and including the first line above containing The timeout specified has expired.  I like the way you obfuscated your private information.

    Cheers - Bob
    PS Moving this thread to the Web Server Security forum.