We are seeing an error message in our logs that is an audit error entry. It says that the connection from an IP address to 0.0.0.0:listening port has been rejected. The help text when I click on the error reads "Connection rejected - not allowed by ACL (CC Mode only).".
After some investigation we found that for some reason the appliance is in Common criteria mode.
The HTTPS front-side handler associated with the port on which the connections are being rejected has an ACL configured.
We have 3 other appliances that are not in common criteria mode with the same HTTPS front-side handler configuration, however we are not getting the same error entry in the log.
I have not been able to find out exactly what is changed in common criteria mode.
So the question is if I am only seeing the error logged on one DataPower because it is in common criteria mode, but the same behavior happens on all the appliances and is just not logged on the others.
Or is common criteria changing how the DataPower works?
- Liv2luv 270002M1RW
Re: Common criteria mode 2012-08-29T12:40:57Z
This is the accepted answer.
As you've figured out, it is the Common Criteria (CC) mode not allowing a connection on 0.0.0.0
CC mode enforces additional security (EAL4 in the case of DataPower), see below:
Re: Common criteria mode 2012-08-29T15:30:46Z
- Liv2luv 270002M1RW
I do have many other front-side handlers on the appliances that work perfectly without problems listening on 0.0.0.0. There is one difference, and that is that this is the only FSH with an ACL.
To further complicate the problem, I can see accepted connections in the xact log from the same IP, and looking closer at the logs, it seems like the connection is accepted, based on the xact log, and rejected, based on the audit error in the system log.
It almost seems that it is incorrectly logging the event in the system log.
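The contradiction described in this post (a client logged as accepted in the xact log and as ACL-rejected in the system audit log) can be surfaced by correlating the two logs by source IP and listener. The script below is an added example, not part of the thread; the log line layout and all addresses are constructed for illustration and are not real DataPower output.

```python
import re
from collections import defaultdict

# Constructed sample lines in a DataPower-like shape (assumed layout, not real
# appliance output). Both logs refer to the same listener 0.0.0.0:8443.
AUDIT_LOG = """\
20120829T094501Z audit error: Connection from 10.1.2.3:51234 to 0.0.0.0:8443 rejected - not allowed by ACL (CC Mode only)
20120829T094502Z audit error: Connection from 10.1.2.9:51300 to 0.0.0.0:8443 rejected - not allowed by ACL (CC Mode only)
"""

XACT_LOG = """\
20120829T094501Z xact info: client 10.1.2.3:51234 accepted on 0.0.0.0:8443 tid=1001
20120829T094510Z xact info: client 10.1.2.7:51500 accepted on 0.0.0.0:8443 tid=1002
"""

# Patterns match the constructed layout above; adjust to the real log format.
AUDIT_RE = re.compile(
    r"from (?P<src>\d+\.\d+\.\d+\.\d+):\d+ to (?P<dst>\S+) rejected - not allowed by ACL")
XACT_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+):\d+ accepted on (?P<dst>\S+)")


def parse(text, pattern):
    """Return {(src_ip, listener): count} for every line matching pattern."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            counts[(m["src"], m["dst"])] += 1
    return counts


def correlate(audit_text, xact_text):
    """Classify each (src_ip, listener) seen in the audit rejections.

    'rejected_and_accepted': the same client was logged as ACL-rejected in the
    audit log and as accepted in the xact log (the inconsistency in the thread,
    worth raising with support); 'rejected_only': a plain ACL block.
    """
    rejected = parse(audit_text, AUDIT_RE)
    accepted = parse(xact_text, XACT_RE)
    return {key: ("rejected_and_accepted" if key in accepted else "rejected_only")
            for key in rejected}
```

Run `correlate(AUDIT_LOG, XACT_LOG)` against exports of both logs to list which clients show the contradictory pair of entries.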
Re: Common criteria mode 2012-10-16T01:19:47Z
- SystemAdmin 110000D4XK
If you do not require CC mode, you will have to reinitialise your appliance to disable it.