XOA shows hundreds of client connections
-
I was just setting up my new router that shows numbers of client connections and was struck by suddenly having hundreds of client connections on my router as static connections where I should have a dozen or so at this stage. Then I noticed I only had the amount of ip.addresses I should on the router but on one ip.address it shows I had over 200 clients coming in on that ip.address. I couldn't ping the ip.address or get to it any other way. Then I proceeded to look up the mac address which doesn't show as a registered MAC address in any MAC address lookup tool which from experience meant it was an XCP-Ng MAC and this happened to belong to the XOA client.
I have shutdown the client for now and will use XCP-ng Center.
My question is why would there be 200+ connections coming in over XOA? That seems like a security issue.
-
Ping @julien-f
I'm not aware about any security issues regarding that. Is your XOA fully up to date?
-
Just to make sure I understand, you found hundreds of opened (but inactive) connections from XOA to an XCP-ng host?
-
This is what I see when XOA client is up and running it has hundreds of connections"
Note the 226 client connections next to the computer icon. This occurs as soon as I boot the XOA vm.
The A2:EC:7E:F2:66:D7 MAC address is xcp-ng as I've noticed even prior to this.
I'm speculating that perhaps its due to licensing, updates and connectivity to be able to do these types of activities.
I'm just curious to know why so many connections?
Anyone have any idea about these connections?
-
@olivierlambert I have just made sure I'm updated and the same condition is there with the multiple connections, plus I updated my xcp-ng server master and other pool client.
-
This is @julien-f domain of expertise
-
tcpdump it? Or check netstat while it's running and see what it is.
What is that UI? Who honestly knows what it's counting as a 'connection'. I seriously doubt it's individual flows. More than likely, this is related to websockets (in my opinion).
But again... a pcap would help in diagnosing.
-
I ran into something VERY similar with XCP-ng and\or XOA a while back - ended up with close to 200 new "clients" showing up on my Meraki gear. They weren't even "connected" long enough to register as IP clients, only MAC clients (ARP, possibly). I didn't think much about it at the time, as both the MAC addresses and hardware information didn't seem to be tied to any actual device by some manufacturer. I may be able to pull those out from my client history...
EDIT: Here is a small section of that list:
