Carbon Black Cloud: 403 Error when Attempting to Open Live Response Session
Article ID: 291523
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
- An inability to use Live Response due to a 403 error upon page load.
- Inspection of the 403 response revealed a "session limit reached" error message.
Environment
- Carbon Black Cloud Console: September '17 release and Higher (0.37)
- Carbon Black Cloud: Version 3.0.x.x and Higher
Cause
- Live Response does not set a session expiration time when initializing a session. Session expiration is set by all subsequent Live Response commands. Each command will issue a new session expiration time fifteen minutes from the time of the command. However, initialized sessions that are not followed by commands will not expire.
- As Live Response limits each customer org to 100 simultaneous Live Response sessions, continually starting sessions without issuing subsequent commands will result in sessions that don't expire stacking up. Eventually, it is possible to hit the limit of 100 open sessions, at which time attempting to initialize a new session will be denied.
Resolution
A permanent fix has been implemented at this time adding a session expiration time of 30 minutes when initializing a new session.
Additional Information
Sessions are counted by the number of sensors involved. As multiple users can initiate Live Response sessions to the same sensor simultaneously, more than 100 users can be using Live Response simultaneously.
Feedback
Yes
No
Powered by
