Are you saying that ICMP has a type and code? But that doesn't work with my "Open Port" button!

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Friday, March 17, 2006 12:33 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Unidentified traffic to exchange server
>
> http://www.ISAserver.org
>
> In the case of ICMP, "source port" is equivalent to "ICMP
> Type" and "destination port" is equivalent to "ICMP Code".
> Thus, the traffic you're seeing is ICMP:5.1, or "ICMP Redirect: host".
> It appears that you have some routing oddities in your network.
> Since you blanked out the IP addresses, you'll have to go
> back and see what traffic came from the host that the
> ICMP:5.1 traffic was destined for.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Friday, March 17, 2006 08:56
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Unidentified traffic to exchange server
>
> Thanks Jim, I see it shows ICMP once I add the transport
> column. I was thinking it would show this under the protocol
> column which was throwing me off.
>
> I checked the system policy and see that rule #11, ICMP
> requests from ISA are enabled. I take it this indicates the
> traffic isn't being seen as ICMP Info Request, Timestamp, or Ping?
>
> Since you said it sounds like an ICMP response, I tried
> filtering by the client ip of the exchange server, but I
> don't see any traffic destined for the ISA internal address.
>
> Jeff
>
>
> log snip: (I tried sending as a CSV attachment so it would
> be readable, but I think the listserv doesn't like that).
> .38 is ISA and .16 is Exchange
>
> Original Client IP Client Agent Authenticated Client Service
> Server Name Referring Server Destination Host Name HTTP
> Method URL MIME Type Object Source Source Proxy
> Destination Proxy Bidirectional Client Host Name Filter
> Information Network Interface Raw IP Header Processing Time
> HTTP Status Code Cache Information Log Record Type Log Time
> Destination IP Destination Port Protocol
> Action Rule
> Client IP Source Network Destination Network Result Code
> Error Information Bytes Received Bytes Sent Source Port
> Raw Payload Client Username Transport
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
> xx.xx.xx.38 BORDERGUARD -
> - - - -
> 0 0x0 Firewall 3/17/2006 11:17 xx.xx.xx.16
> 1 Unidentified IP Traffic Denied Connection Default rule
> xx.xx.xx.38 Local Host Internal 0xc004000d
> FWX_E_POLICY_RULES_DENIED 0x0 0 0 5
> ICMP
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Friday, March 17, 2006 10:25 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Unidentified traffic to exchange server
>
> Log snip?
> This is sounding more like an ICMP response than anything else.
>
> -----Original Message-----
> From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
> Sent: Friday, March 17, 2006 6:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Unidentified traffic to exchange server
>
> I'm seeing repeated denied connections from the internal ISA
> NIC to the backend Exchange server in the ISA logs. They all
> have source port of 5 and destination of 1 and show protocol
> as "unidentified ip traffic".
> result code is "0xc004000d FWX_E_POLICY_RULES_DENIED".
>
> Anyone have an idea what might be wrong?
>
> ISA 2004 SP1, Exchange 2003 SP2. I have OWA published from
> FE and RPC over HTTP set up.
> Also have POP3S and SMTPS published, but no one is using it.
> Inbound SMTP is going to the FE server.
>
> thanks,
> Jeff
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
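
The mapping Jim Harrison describes in the thread above, applied to log records, as an added example that is not part of the original messages or of ISA Server itself: for rows whose Transport is ICMP, the Source Port column is read as the ICMP type and the Destination Port column as the ICMP code. The tab-separated layout with a header row, the sample rows and their addresses, and the function names decode_icmp and summarize_icmp are assumptions made for this example.

```python
import csv
import io
from collections import Counter

# Subset of the IANA ICMP registry: type -> (name, {code: meaning}).
ICMP = {
    3: ("Destination Unreachable", {0: "net", 1: "host", 3: "port"}),
    5: ("Redirect", {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}),
    8: ("Echo Request", {}),
}

# Constructed sample (not from the thread): tab-separated rows with a header,
# limited to the columns read here; addresses are documentation-range placeholders.
SAMPLE_LOG = (
    "Client IP\tDestination IP\tSource Port\tDestination Port\tTransport\tAction\n"
    "192.0.2.38\t192.0.2.16\t5\t1\tICMP\tDenied Connection\n"
    "192.0.2.38\t192.0.2.16\t5\t1\tICMP\tDenied Connection\n"
    "192.0.2.16\t192.0.2.38\t8\t0\tICMP\tInitiated Connection\n"
    "192.0.2.16\t192.0.2.38\t1025\t443\tTCP\tInitiated Connection\n"
)


def decode_icmp(source_port, destination_port):
    """Read the log's port columns as ICMP type and code, e.g. (5, 1)."""
    name, codes = ICMP.get(source_port, ("Unknown type", {}))
    detail = codes.get(destination_port)
    label = f"ICMP:{source_port}.{destination_port} {name}"
    return f"{label}: {detail}" if detail else label


def summarize_icmp(log_text):
    """Count ICMP records per (sender, target, decoded message, action)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        if row["Transport"].strip().upper() != "ICMP":
            continue  # for TCP/UDP the port columns keep their usual meaning
        try:
            message = decode_icmp(int(row["Source Port"]), int(row["Destination Port"]))
        except ValueError:
            continue  # skip records with empty or non-numeric port fields
        counts[(row["Client IP"], row["Destination IP"], message, row["Action"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, message, action), n in summarize_icmp(SAMPLE_LOG).items():
        print(f"{n:3d}  {src} -> {dst}  {message}  [{action}]")
```

Grouping by sender and target shows which host the redirects are aimed at, which is the starting point for the routing check suggested in the thread.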