RE: Unidentified traffic to exchange server

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 17 Mar 2006 14:38:09 -0600

Are you saying that ICMP has a type and code?

But that doesn't work with my "Open Port" button!

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Friday, March 17, 2006 12:33 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Unidentified traffic to exchange server
> 
> http://www.ISAserver.org
> 
> In the case of ICMP, "source port" is equivalent to "ICMP 
> Type" and "destination port" is equivalent to "ICMP Code".
> Thus, the traffic you're seeing is ICMP:5.1, or "ICMP Redirect: host".
> It appears that you have some routing oddities in your network.
> Since you blanked out the IP addresses, you'll have to go 
> back and see what traffic came from the host that the 
> ICMP:5.1 traffic was destined for.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx] 
> Sent: Friday, March 17, 2006 08:56
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Unidentified traffic to exchange server
> 
> http://www.ISAserver.org
> 
> 
> Thanks Jim, I see it shows ICMP once I add the transport 
> column.  I was thinking it would show this under the protocol 
> column which was throwing me off.
> 
> I checked the system policy and see that rule #11, ICMP 
> requests from ISA are enabled.  I take it this indicates the 
> traffic isn't being seen as ICMP Info Request, Timestamp, or Ping? 
> 
> Since you said it sounds like an ICMP response, I tried 
> filtering by the client ip of the exchange server, but I 
> don't see any traffic destined for the ISA internal address.
> 
> Jeff
> 
> 
> log snip:  (I tried sending as a CSV attachment so it would 
> be readable, but I think the listserv doesn't like that).  
> .38 is ISA and .16 is Exchange
> 
> Original Client IP    Client Agent    Authenticated Client    Service
> Server Name   Referring Server        Destination Host Name   HTTP
> Method        URL     MIME Type       Object Source   Source Proxy
> Destination Proxy     Bidirectional   Client Host Name        Filter
> Information   Network Interface       Raw IP Header   Processing Time
> HTTP Status Code      Cache Information       Log Record Type Log Time
> Destination IP        Destination Port        Protocol        
> Action        Rule
> Client IP     Source Network  Destination Network     Result Code
> Error Information     Bytes Received  Bytes Sent      Source Port
> Raw Payload   Client Username Transport
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> xx.xx.xx.38                           BORDERGUARD     -
> -     -       -                                               -
> 0             0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
> 1     Unidentified IP Traffic Denied Connection       Default rule
> xx.xx.xx.38   Local Host      Internal        0xc004000d
> FWX_E_POLICY_RULES_DENIED     0x0     0       0       5
> ICMP
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Friday, March 17, 2006 10:25 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Unidentified traffic to exchange server
> 
> http://www.ISAserver.org
> 
> Log snip?
> This is sounding more like an ICMP response than anything else.
> 
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Friday, March 17, 2006 6:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Unidentified traffic to exchange server
> 
> http://www.ISAserver.org
> 
> 
> I'm seeing repeated denied connections from the internal ISA 
> NIC to the backend Exchange server in the ISA logs.  They all 
> have a source port of 5 and a destination port of 1 and show the protocol 
> as "unidentified ip traffic".
> The result code is "0xc004000d FWX_E_POLICY_RULES_DENIED".
> 
> Anyone have an idea what might be wrong? 
> 
> ISA 2004 SP1, Exchange 2003 SP2.  I have OWA published from 
> FE and RPC over HTTP set up. 
> Also have POP3S and SMTPS published, but no one is using it.  
> Inbound SMTP is going to the FE server. 
> 
> thanks,
> Jeff 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> All mail to and from this domain is GFI-scanned.
> 


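The decoding rule Jim gives above (Transport = ICMP, Source Port = ICMP type, Destination Port = ICMP code, so 5/1 is "Redirect: host") is easy to get wrong by eye in a 40-column export. The script below is an added example, not code from the thread or from ISA Server: it reads a tab-separated ISA log export, decodes the type/code pair for ICMP rows into the ICMP:type.code notation used in the thread, and counts denied ICMP messages per source/destination pair so a burst of redirects from the firewall's own NIC toward one internal host stands out. The sample export, the subset of columns used, the 192.0.2.x addresses and the rule names are constructed for the example; the type/code names come from RFC 792.

```python
"""Decode ICMP type/code from ISA Server firewall log exports.

Added example (not from the list thread). In ISA's firewall log the
Transport column says ICMP and the Source Port / Destination Port
columns carry the ICMP type and code respectively.  Column names follow
the ISA log export; the sample lines, the subset of columns, the
addresses and the rule names are constructed for this example.
Type/code names are per RFC 792.
"""
import csv
import io
from collections import Counter

# (type, code) -> human-readable name, per RFC 792.
ICMP_NAMES = {
    (0, 0): "Echo Reply",
    (3, 0): "Destination Unreachable: net",
    (3, 1): "Destination Unreachable: host",
    (3, 3): "Destination Unreachable: port",
    (3, 4): "Destination Unreachable: fragmentation needed",
    (5, 0): "Redirect: net",
    (5, 1): "Redirect: host",
    (8, 0): "Echo Request",
    (11, 0): "Time Exceeded: TTL in transit",
    (11, 1): "Time Exceeded: fragment reassembly",
    (13, 0): "Timestamp",
    (14, 0): "Timestamp Reply",
    (15, 0): "Information Request",
    (16, 0): "Information Reply",
}


def describe_icmp(icmp_type, icmp_code):
    """Return 'ICMP:type.code (name)' in the notation used in the thread."""
    name = ICMP_NAMES.get((icmp_type, icmp_code), "unknown")
    return f"ICMP:{icmp_type}.{icmp_code} ({name})"


def parse_records(text):
    """Parse a tab-separated ISA log export (header row first) into dicts.

    ICMP rows get an extra 'ICMP' key with the decoded type/code; for other
    transports the port columns really are ports and are left untouched.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    records = []
    for row in reader:
        if row["Transport"] == "ICMP":
            row["ICMP"] = describe_icmp(int(row["Source Port"]),
                                        int(row["Destination Port"]))
        records.append(row)
    return records


def denied_icmp_summary(records):
    """Count denied ICMP messages per (source, destination, decoded type/code).

    Many Redirect messages from the firewall's own interface toward one
    internal host is the routing symptom discussed in the thread.
    """
    counts = Counter()
    for r in records:
        if r["Transport"] == "ICMP" and r["Action"] == "Denied Connection":
            counts[(r["Client IP"], r["Destination IP"], r["ICMP"])] += 1
    return counts


# Constructed sample export (subset of ISA's columns, documentation-range
# addresses): .38 plays the ISA internal NIC, .16 the Exchange server.
# Rule names on the allowed rows are placeholders, not real ISA rule names.
SAMPLE_LOG = """\
Log Time\tClient IP\tDestination IP\tSource Port\tDestination Port\tTransport\tAction\tResult Code\tRule
3/17/2006 11:17\t192.0.2.38\t192.0.2.16\t5\t1\tICMP\tDenied Connection\t0xc004000d FWX_E_POLICY_RULES_DENIED\tDefault rule
3/17/2006 11:17\t192.0.2.38\t192.0.2.16\t5\t1\tICMP\tDenied Connection\t0xc004000d FWX_E_POLICY_RULES_DENIED\tDefault rule
3/17/2006 11:18\t192.0.2.16\t192.0.2.38\t8\t0\tICMP\tAllowed Connection\t0x0\tsample ICMP allow rule
3/17/2006 11:18\t192.0.2.50\t192.0.2.16\t1025\t443\tTCP\tAllowed Connection\t0x0\tsample OWA publishing rule
"""

if __name__ == "__main__":
    for (src, dst, what), n in denied_icmp_summary(parse_records(SAMPLE_LOG)).items():
        print(f"{n:3d} x {src} -> {dst}  {what}")
```

Run it against a real export by reading the file into `parse_records` instead of `SAMPLE_LOG`; the TCP row shows why the decode is gated on the Transport column, since 1025/443 on that row are genuine ports, not an ICMP type and code.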