[isalist] Outlook from VPN creates lots of denied tcp traffic

  • From: Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 26 Apr 2010 17:07:47 -0700

I'm seeing a lot of denied TCP traffic coming from machines running Outlook 
from the other side of our site-site VPN. I'm pretty sure that we narrowed it 
down to only occurring when Outlook is open.
Here's a sample:

Original Client IP               Client Agent       Authenticated Client      
Service Server Name     Referring Server               Destination Host Name    
     Transport            MIME Type         Object Source   Source Proxy     
Destination Proxy            Bidirectional                Client Host Name      
       Filter Information            Network Interface          Raw IP Header  
Raw Payload      GMT Log Time      Source Port        Processing Time           
    Bytes Sent          Bytes Received Result Code        HTTP Status Code      
          Cache Information          Error Information             Log Record 
Type               Authentication Server   Client IP               Log Time     
 Destination IP    Destination Port               Protocol               Action 
  Rule       Client Username              Source Network                
Destination Network      HTTP Method    URL
192.168.200.18                                                  FIREWALL        
    -                              TCP        -                                 
                             No                          -              
192.168.200.23  45 00 00 28 2b 4a 40 00 80 06 8b 8a c0 a8 c8 12 c0 a8 fa 97 04 
05 0e 2d 69 d5 e5 6d 5e fb 2f 39 50 11 fd 5c 7e d1 00 00    4/26/2010 11:52:32 
PM  1029       0              0              0              0xc0040017 
FWX_E_TCP_NOT_SYN_PACKET_DROPPED                        0x0         0x0         
Firewall                -              192.168.200.18  4/26/2010 7:52:32 PM     
     192.168.250.151                3629       Unidentified IP Traffic 
(TCP:3629)             Denied Connection                                        
 Internal                Internal                -              -
192.168.200.18                                                  FIREWALL        
    -                              TCP        -                                 
                             No                          -              
192.168.200.23  45 00 00 28 2b 51 40 00 80 06 8b 83 c0 a8 c8 12 c0 a8 fa 97 00 
87 0e 2c 11 ed 58 92 ee 89 fe b9 50 11 fb 88 09 d9 00 00    4/26/2010 11:52:32 
PM  135         0              0              0              0xc0040017 
FWX_E_TCP_NOT_SYN_PACKET_DROPPED                        0x0         0x0         
Firewall                -              192.168.200.18  4/26/2010 7:52:32 PM     
     192.168.250.151                3628       Unidentified IP Traffic 
(TCP:3628)             Denied Connection                                        
 Internal                Internal                -              -
192.168.200.18                                                  FIREWALL        
    -                              TCP        -                                 
                             No                          -              
192.168.200.23  45 00 00 28 2b 54 40 00 80 06 8b 80 c0 a8 c8 12 c0 a8 fa 97 04 
07 0e 2f 31 f6 a5 49 c0 6c 74 dd 50 10 fa 2c 52 ec 00 00          4/26/2010 
11:52:34 PM  1031       0              0              0              0xc0040017 
FWX_E_TCP_NOT_SYN_PACKET_DROPPED                        0x0         0x0         
Firewall                -              192.168.200.18  4/26/2010 7:52:34 PM     
     192.168.250.151                3631       Unidentified IP Traffic 
(TCP:3631)             Denied Connection                                        
 Internal                Internal                -              -
192.168.200.18                                                  FIREWALL        
    -                              TCP        -                                 
                             No                          -              
192.168.200.23  45 00 00 28 2b 70 40 00 80 06 8b 64 c0 a8 c8 12 c0 a8 fa 97 00 
87 0e 2c 11 ed 58 93 ee 89 fe b9 50 10 fb 88 09 d9 00 00    4/26/2010 11:52:38 
PM  135         0              0              0              0xc0040017 
FWX_E_TCP_NOT_SYN_PACKET_DROPPED                        0x0         0x0         
Firewall                -              192.168.200.18  4/26/2010 7:52:38 PM     
     192.168.250.151                3628       Unidentified IP Traffic 
(TCP:3628)             Denied Connection                                        
 Internal                Internal                -              -

It will continue through a whole range of TCP ports. Pause for a while, Outlook 
will lose its connection to the server and then it starts up again and Outlook 
reconnects. It's driving me crazy. Now, Outlook disconnecting and reconnecting 
could be something entirely different since this connection seems to be having 
other strange issues that we're having AT&T look at. But I can turn these 
packets on and off by opening Outlook. Ideas for cleaning this up?

Thanks,

Amy
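
Added example, not part of the original post: the "Raw IP Header" column in the log sample above holds the IPv4 and TCP headers of each dropped packet, and decoding it shows the endpoints and TCP flags behind each FWX_E_TCP_NOT_SYN_PACKET_DROPPED entry. The function name and the dictionary keys are choices made for this sketch; the hex strings are copied from the four log entries.

```python
import struct
from ipaddress import IPv4Address

# "Raw IP Header" values copied from the four log entries in the post.
RAW_HEADERS = [
    "45 00 00 28 2b 4a 40 00 80 06 8b 8a c0 a8 c8 12 c0 a8 fa 97"
    " 04 05 0e 2d 69 d5 e5 6d 5e fb 2f 39 50 11 fd 5c 7e d1 00 00",
    "45 00 00 28 2b 51 40 00 80 06 8b 83 c0 a8 c8 12 c0 a8 fa 97"
    " 00 87 0e 2c 11 ed 58 92 ee 89 fe b9 50 11 fb 88 09 d9 00 00",
    "45 00 00 28 2b 54 40 00 80 06 8b 80 c0 a8 c8 12 c0 a8 fa 97"
    " 04 07 0e 2f 31 f6 a5 49 c0 6c 74 dd 50 10 fa 2c 52 ec 00 00",
    "45 00 00 28 2b 70 40 00 80 06 8b 64 c0 a8 c8 12 c0 a8 fa 97"
    " 00 87 0e 2c 11 ed 58 93 ee 89 fe b9 50 10 fb 88 09 d9 00 00",
]

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_raw_header(raw_hex):
    """Decode an IPv4 + TCP header dump into endpoints and TCP flags."""
    data = bytes.fromhex(raw_hex)
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4  # IP header length in bytes
    if ihl < 20 or data[9] != 6 or len(data) < ihl + 14:
        raise ValueError("no complete TCP header after the IP header")
    # First 14 bytes of TCP: ports, sequence, acknowledgement, offset/flags.
    sport, dport, _seq, _ack, off_flags = struct.unpack(
        "!HHIIH", data[ihl:ihl + 14])
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    return {
        "src": f"{IPv4Address(data[12:16])}:{sport}",
        "dst": f"{IPv4Address(data[16:20])}:{dport}",
        "flags": flags,
        # Only a bare SYN opens a connection; a stateful firewall needs
        # existing connection state to pass any other segment.
        "opens_connection": flags == ["SYN"],
    }


if __name__ == "__main__":
    for raw in RAW_HEADERS:
        pkt = decode_raw_header(raw)
        print(pkt["src"], "->", pkt["dst"], "+".join(pkt["flags"]))
```

All four headers decode as segments from 192.168.200.18 (source ports 1029, 135, 1031 and 135) to ports 3629, 3628, 3631 and 3628 on 192.168.250.151, carrying FIN+ACK or ACK and no SYN.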


