[isalist] Re: Outlook from VPN creates lots of denied tcp traffic

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 26 Apr 2010 17:29:26 -0700

Amy,
The consistent thing about those log entries (not_syn) is that they indicate
one of two possibilities:

1. The connection between OL and the Exch server was half-closed and the
   other side continued trying to send traffic (not illegal, but definitely
   rude and ISA/TMG reject this)

2. The routing for this traffic is split (one path not through TMG) - this
   isn't likely since you have a W2W connection - UNLESS you have a dual-link
   connection (some folks see this as "redundant")
If you know you're having other problems for this link, these log entries
may simply be symptomatic.
Jim
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Amy Babinchak
Sent: Monday, April 26, 2010 17:08
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Outlook from VPN creates lots of denied tcp traffic
I'm seeing a lot of denied TCP traffic coming from machines running Outlook
from the other side of our site-to-site VPN. I'm pretty sure that we narrowed
it down to only occurring when Outlook is open.

Here's a sample:
Fields common to all four entries: Original Client IP and Client IP
192.168.200.18; Service FIREWALL; Transport TCP; Bidirectional No; Network
Interface 192.168.200.23; Processing Time 0; Bytes Sent 0; Bytes Received 0;
Result Code 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED; HTTP Status Code
0x0; Cache Information 0x0; Log Record Type Firewall; Destination IP
192.168.250.151; Action Denied Connection; Source Network Internal;
Destination Network Internal. The remaining columns (Client Agent,
Authenticated Client, Server Name, Referring Server, Destination Host Name,
MIME Type, Object Source, Source Proxy, Destination Proxy, Client Host Name,
Filter Information, Error Information, Authentication Server, Rule, Client
Username, HTTP Method, URL) are empty or "-".

Log Time (GMT Log Time)              Source Port  Destination Port  Protocol
4/26/2010 7:52:32 PM (11:52:32 PM)   1029         3629              Unidentified IP Traffic (TCP:3629)
  Raw IP Header / Raw Payload: 45 00 00 28 2b 4a 40 00 80 06 8b 8a c0 a8 c8 12 c0 a8 fa 97
                               04 05 0e 2d 69 d5 e5 6d 5e fb 2f 39 50 11 fd 5c 7e d1 00 00

4/26/2010 7:52:32 PM (11:52:32 PM)   135          3628              Unidentified IP Traffic (TCP:3628)
  Raw IP Header / Raw Payload: 45 00 00 28 2b 51 40 00 80 06 8b 83 c0 a8 c8 12 c0 a8 fa 97
                               00 87 0e 2c 11 ed 58 92 ee 89 fe b9 50 11 fb 88 09 d9 00 00

4/26/2010 7:52:34 PM (11:52:34 PM)   1031         3631              Unidentified IP Traffic (TCP:3631)
  Raw IP Header / Raw Payload: 45 00 00 28 2b 54 40 00 80 06 8b 80 c0 a8 c8 12 c0 a8 fa 97
                               04 07 0e 2f 31 f6 a5 49 c0 6c 74 dd 50 10 fa 2c 52 ec 00 00

4/26/2010 7:52:38 PM (11:52:38 PM)   135          3628              Unidentified IP Traffic (TCP:3628)
  Raw IP Header / Raw Payload: 45 00 00 28 2b 70 40 00 80 06 8b 64 c0 a8 c8 12 c0 a8 fa 97
                               00 87 0e 2c 11 ed 58 93 ee 89 fe b9 50 10 fb 88 09 d9 00 00
It will continue through a whole range of TCP ports. Pause for a while,
Outlook will lose its connection to the server and then it starts up again
and Outlook reconnects. It's driving me crazy. Now, Outlook disconnecting
and reconnecting could be something entirely different, since this connection
seems to be having other strange issues that we're having AT&T look at. But
I can turn these packets on and off by opening Outlook. Ideas for cleaning
this up?
Thanks,
Amy

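Jim's two explanations can be checked directly against the hex in Amy's log entries, because the Raw IP Header / Raw Payload field of each TMG record holds the IPv4 header and the TCP header of the dropped packet. The following Python script is an added example, not code from this thread or from ISA/TMG: it decodes the four headers (copied from the post) to show which TCP flags each carries, then runs them through a toy stateful filter that models the not_syn rule as I assume it works (only a bare SYN may create connection state; any other segment on a 4-tuple without state is dropped). The class and function names are mine, and the synthetic SYN used to show the "handshake seen" case is constructed.

```python
"""Decode the raw IPv4/TCP headers from the TMG log entries quoted above and
model the stateful check behind FWX_E_TCP_NOT_SYN_PACKET_DROPPED.
Added example; not code from the original thread or from TMG."""
import struct
from dataclasses import dataclass

# Hex copied from the four "Raw IP Header / Raw Payload" fields in the post:
# a 20-byte IPv4 header followed by a 20-byte TCP header, no TCP payload.
LOG_HEX = [
    "45 00 00 28 2b 4a 40 00 80 06 8b 8a c0 a8 c8 12 c0 a8 fa 97 "
    "04 05 0e 2d 69 d5 e5 6d 5e fb 2f 39 50 11 fd 5c 7e d1 00 00",
    "45 00 00 28 2b 51 40 00 80 06 8b 83 c0 a8 c8 12 c0 a8 fa 97 "
    "00 87 0e 2c 11 ed 58 92 ee 89 fe b9 50 11 fb 88 09 d9 00 00",
    "45 00 00 28 2b 54 40 00 80 06 8b 80 c0 a8 c8 12 c0 a8 fa 97 "
    "04 07 0e 2f 31 f6 a5 49 c0 6c 74 dd 50 10 fa 2c 52 ec 00 00",
    "45 00 00 28 2b 70 40 00 80 06 8b 64 c0 a8 c8 12 c0 a8 fa 97 "
    "00 87 0e 2c 11 ed 58 93 ee 89 fe b9 50 10 fb 88 09 d9 00 00",
]

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG")]


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int

    def flag_names(self) -> list:
        return [name for bit, name in FLAG_NAMES if self.flags & bit]

    def key(self) -> tuple:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> tuple:
        return (self.dst, self.dport, self.src, self.sport)


def parse_ipv4_tcp(raw: bytes) -> TcpPacket:
    """Parse an IPv4 header plus the fixed 14 bytes of the TCP header."""
    ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if proto != 6:
        raise ValueError("IP protocol %d is not TCP" % proto)
    if len(raw) < ihl + 14:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return TcpPacket(src=".".join(str(b) for b in src), sport=sport,
                     dst=".".join(str(b) for b in dst), dport=dport,
                     seq=seq, ack=ack,
                     flags=off_flags & 0x01FF)  # low 9 bits: NS + 8 flags


class StatefulTcpFilter:
    """Toy model of the stateful check (my assumption about the rule, not
    TMG's implementation): only a bare SYN may create connection state; any
    other TCP segment on a 4-tuple with no state is a not_syn drop."""

    def __init__(self):
        self.connections = set()

    def inspect(self, p: TcpPacket) -> str:
        if p.key() in self.connections or p.reverse_key() in self.connections:
            if p.flags & RST:               # RST tears the state down
                self.connections.discard(p.key())
                self.connections.discard(p.reverse_key())
            return "allowed"
        if p.flags & SYN and not p.flags & ACK:
            self.connections.add(p.key())
            return "allowed (new connection)"
        return "denied: FWX_E_TCP_NOT_SYN_PACKET_DROPPED"


def decode_log_entries(hex_entries=LOG_HEX) -> list:
    """Return (src:sport, dst:dport, flag names, verdict) per log entry,
    as seen by a filter that has no state for any of them."""
    fw = StatefulTcpFilter()
    out = []
    for h in hex_entries:
        p = parse_ipv4_tcp(bytes.fromhex(h))
        out.append(("%s:%d" % (p.src, p.sport), "%s:%d" % (p.dst, p.dport),
                    p.flag_names(), fw.inspect(p)))
    return out


def verdict_with_handshake_seen(hex_entry: str) -> str:
    """Same packet, but after a (constructed) SYN on the reverse 4-tuple
    passed the filter, as it would if the whole conversation went via TMG."""
    p = parse_ipv4_tcp(bytes.fromhex(hex_entry))
    fw = StatefulTcpFilter()
    fw.inspect(TcpPacket(src=p.dst, sport=p.dport, dst=p.src, dport=p.sport,
                         seq=0, ack=0, flags=SYN))
    return fw.inspect(p)


if __name__ == "__main__":
    for src, dst, flags, verdict in decode_log_entries():
        print("%-21s -> %-21s %-8s %s" % (src, dst, "/".join(flags), verdict))
    print("entry 1 with a prior SYN:", verdict_with_handshake_seen(LOG_HEX[0]))
```

Run stand-alone, the script prints each entry's endpoints, flags and verdict: the first two packets carry FIN/ACK and the last two plain ACK, none carries SYN, and all four are dropped by the stateless-start filter, while the first packet is allowed once the filter has seen a SYN on the reverse 4-tuple. That is the distinction between Jim's two cases: either the state was torn down after a half-close and one side kept talking, or the SYN never crossed TMG because the connection took another path.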

Other related posts: