Why is there strange traffic on a probe when monitoring ESX hosts?

We encounter unexplainable traffic on our probe which is monitoring several ESX hosts. The probe creates several connections to an external IP range whenever the probe pulls information from the ESX hosts. This happens, for example, with the VMware sensors.

It turned out that the IP range belongs to Akamai Technologies, an Internet content delivery network. Is there an explanation for this behavior?

akamai certificate connection cryptoapi esx prtg ssl traffic vmware

Created on Sep 16, 2013 9:35:12 AM by  Gerald Schoch [Paessler Support]



1 Reply

Accepted Answer

This article applies to PRTG Network Monitor 13 or later

Connection Attempts to Akamai CDN

Sensors that make use of SSL-secured connections need corresponding certificates for communication. These certificates are used to encrypt data in HTTPS connections. Certificates have to be issued by a trustworthy certificate authority (CA). To check this, there is a list of trustable root certificates. Every application that relies on the CryptoAPI provided by Windows uses root certificates provided by Microsoft.

However, Windows’ CryptoAPI has a mechanism which dynamically updates the list of root certificates in the case that the currently needed one is not found on the system. This Automatic Root Certificates Update is activated on all Windows versions by default.

If the certificate of a server indicates that it was certified by a CA which the browser does not know, Windows downloads the file authrootstl.cab from the Windows update server. This list includes digitally signed information about CAs. If the unknown CA is on the list, this CA’s certificate will be downloaded and marked as trustworthy by the system. This import runs automatically in the background—the user will not be notified.

In order to get the root CA list authrootstl.cab, Windows tries to connect to the Akamai content delivery network (CDN). This explains the “strange” connections from your probe when using sensors with SSL-secured connections.

You can find details about this issue of automatic CA certificate updates in this article by the c’t magazine (only available in German): Microsofts Hintertür — Zweifelhafte Updates gefährden SSL-Verschlüsselung

Consequences of Automatic Root CA Updates

  • Potentially, all sensors with SSL connections can be affected by connection attempts to Akamai.
  • Affected sensors might have a longer runtime.
  • If you use dedicated certificates for your VMware machines, ensure that the root CA is installed on your probe machine.
  • You might encounter problems with the trust. For example, if you turn off the automatic update of root CAs and regular, bought certificates are used, the system could classify these CAs as not trusted if it does not know the root certificate of a particular CA.

Created on Sep 16, 2013 9:40:04 AM by  Gerald Schoch [Paessler Support]

Last change on Sep 16, 2013 10:58:41 AM by  Gerald Schoch [Paessler Support]
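To confirm that external connections from a probe are root CA list downloads of the kind described in the answer above, and to see which monitored host triggered them, proxy or firewall logs can be correlated as in the following added example (not Paessler code). The log format, host names, URL path and 10-second window are assumptions made for illustration; only the file name authrootstl.cab comes from the article.

```python
from collections import Counter
from datetime import datetime, timedelta

CTL_FILE = "authrootstl.cab"      # root CA list file named in the article
WINDOW = timedelta(seconds=10)    # assumed correlation window

# Constructed sample log: time, source, destination, port, URL path
SAMPLE_LOG = """\
2013-09-16T09:30:00 probe01 esx-a.example.internal 443 /sdk
2013-09-16T09:30:01 probe01 cdn-edge.example.net 80 /update/authrootstl.cab
2013-09-16T09:31:00 probe01 esx-b.example.internal 443 /sdk
2013-09-16T09:35:00 probe01 esx-a.example.internal 443 /sdk
2013-09-16T09:35:02 probe01 cdn-edge.example.net 80 /update/authrootstl.cab
2013-09-16T09:40:00 probe01 files.example.org 80 /tool.zip
"""

def parse(log):
    """Turn log text into time-ordered (time, src, dst, port, path) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, port, path = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(port), path))
    return sorted(events)

def classify(events, monitored):
    """Return (triggers, unexplained).

    triggers: monitored hosts whose SSL connection was followed within
    WINDOW by a root CA list download from the same source machine.
    unexplained: every other connection to a host that is not monitored.
    """
    triggers, unexplained = Counter(), []
    last_ssl = {}  # source -> (time, monitored host) of latest SSL connection
    for ts, src, dst, port, path in events:
        if dst in monitored:
            if port == 443:
                last_ssl[src] = (ts, dst)
            continue
        seen = last_ssl.get(src)
        is_ctl = path.lower().endswith("/" + CTL_FILE)
        if is_ctl and seen and ts - seen[0] <= WINDOW:
            triggers[seen[1]] += 1
        else:
            unexplained.append((ts, src, dst, path))
    return triggers, unexplained

if __name__ == "__main__":
    hosts = {"esx-a.example.internal", "esx-b.example.internal"}
    print(classify(parse(SAMPLE_LOG), hosts))
```

A host that appears in `triggers` presents a certificate whose root CA is not in the probe's store; connections left in `unexplained` are not accounted for by the update mechanism and need a separate look.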




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.