Thank you, Ferdy. I found the CTX111186 notice too, but I don't believe that's what is causing it (though our Microsoft/Citrix team will be applying the patch).
Turns out our backup servers, which run ArcServe 11.5 SP2, are also crashing during the scans. In both cases (Citrix, ArcServe), the server itself doesn't crash, but just one or two critical services stop. But I think Renaud is going to end up being correct (as usual) about the cause. After some investigation, I found that 'thorough tests' was turned on the month before the problems started occurring. John -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferdy Riphagen Sent: Monday, December 11, 2006 11:15 AM To: [email protected] Subject: Re: NESSUS CRASHING CITRIX METAFRAME SERVERS John Scherff wrote: > > *Tenable/List*, > > > > Starting last month, Nessus began crashing our Citrix Metaframe farm > (approximately 60 servers). _The same scan ran every month without > incident for over a year_ prior to November. It may be the case that > the scan did not bring down all the servers, but brought down certain > services that are critical to Metaframe functionality. Here's a quote > from the Citrix administrator: > > > > It seems that somehow the scan causes the IMA (Independent Management > Architecture) service to stop on almost all the MF servers. There were > only 5 that did not have the IMA service stopped. Of course, when that > happens, they are dead to the ZDC (Zone Data Collector) which reports > them as Server Down. The IMA service is critical to the communication > between the MF servers and the ZDC. > You should grab any logfile or debug file from the scanner and the Citrix servers to correlate things between each other (timestamps a crucial) It's is always possible that a service drops down, with any type of scan you do. Maybe you could also look at the patch levels of these servers. I know there was a bug reported a month ago in the IMA architecture. It's very unlikely this is the problem, because no "not that I know" script is testing for it. It is even unclear "to me" what the attack vector is for this bug... http://support.citrix.com/article/CTX111186 I'll think Citrix would also want to know why there IMA drops down..... --Ferdy-- _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
