RE: Unidentified traffic to exchange server

  • From: "Bunting, Jeff" <BUNTING@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 17 Mar 2006 11:56:17 -0500

Thanks Jim, I see it shows ICMP once I add the transport column.  I was
thinking it would show this under the protocol column which was throwing
me off.

I checked the system policy and see that rule #11, ICMP requests from
ISA are enabled.  I take it this indicates the traffic isn't being seen
as ICMP Info Request, Timestamp, or Ping? 

Since you said it sounds like an ICMP response, I tried filtering by the
client ip of the exchange server, but I don't see any traffic destined
for the ISA internal address.

Jeff


log snip:  (I tried sending as a CSV attachment so it would be readable,
but I think the listserv doesn't like that).  .38 is ISA and .16 is
Exchange

Original Client IP      Client Agent    Authenticated Client    Service
Server Name     Referring Server        Destination Host Name   HTTP
Method  URL     MIME Type       Object Source   Source Proxy
Destination Proxy       Bidirectional   Client Host Name        Filter
Information     Network Interface       Raw IP Header   Processing Time
HTTP Status Code        Cache Information       Log Record Type Log Time
Destination IP  Destination Port        Protocol        Action  Rule
Client IP       Source Network  Destination Network     Result Code
Error Information       Bytes Received  Bytes Sent      Source Port
Raw Payload     Client Username Transport
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP
xx.xx.xx.38                             BORDERGUARD     -
-       -       -                                               -
0               0x0     Firewall        3/17/2006 11:17 xx.xx.xx.16
1       Unidentified IP Traffic Denied Connection       Default rule
xx.xx.xx.38     Local Host      Internal        0xc004000d
FWX_E_POLICY_RULES_DENIED       0x0     0       0       5
ICMP


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Friday, March 17, 2006 10:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Unidentified traffic to exchange server

http://www.ISAserver.org

Log snip?
This is sounding more like an ICMP response than anything else.

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
Sent: Friday, March 17, 2006 6:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Unidentified traffic to exchange server

http://www.ISAserver.org


I'm seeing repeated denied connections from the internal ISA NIC to the
backend Exchange server in the ISA logs.  They all have source port of 5
and destination of 1 and show protocol as "unidentified ip traffic".
The result code is "0xc004000d FWX_E_POLICY_RULES_DENIED".

Anyone have an idea what might be wrong? 

ISA 2004 SP1, Exchange 2003 SP2.  I have OWA published from FE and RPC
over HTTP set up. 
Also have POP3S and SMTPS published, but no one is using it.  Inbound
SMTP is going to the FE server. 

thanks,
Jeff 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

All mail to and from this domain is GFI-scanned.


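The confusion in this thread is that the Protocol column reads "Unidentified IP Traffic" while only the Transport column reveals ICMP, and the two port columns then carry values (5 and 1) that are not TCP/UDP ports at all. The following is an added example, not code from the thread or from ISA Server: it parses a tab-separated ISA 2004 log export (a constructed sample with a subset of the columns and documentation-range addresses, not the poster's log) and aggregates the denied records so repeated denials collapse into one line with the transport called out. It assumes, as the thread does not state, that for ICMP records the Source Port and Destination Port columns hold the ICMP type and code.

```python
"""Triage ISA Server firewall-log rows (constructed sample, not the thread's log)."""
import csv
import io
from collections import Counter

# Constructed tab-separated export with a subset of the ISA 2004 log columns.
# Addresses are from the documentation ranges, not the poster's network.
SAMPLE_LOG = """\
Log Time\tDestination IP\tDestination Port\tProtocol\tAction\tRule\tClient IP\tSource Network\tDestination Network\tResult Code\tError Information\tSource Port\tTransport
3/17/2006 11:17\t192.0.2.16\t1\tUnidentified IP Traffic\tDenied Connection\tDefault rule\t192.0.2.38\tLocal Host\tInternal\t0xc004000d\tFWX_E_POLICY_RULES_DENIED\t5\tICMP
3/17/2006 11:17\t192.0.2.16\t1\tUnidentified IP Traffic\tDenied Connection\tDefault rule\t192.0.2.38\tLocal Host\tInternal\t0xc004000d\tFWX_E_POLICY_RULES_DENIED\t5\tICMP
3/17/2006 11:18\t192.0.2.16\t443\tHTTPS\tAllowed Connection\tOWA publishing\t198.51.100.7\tExternal\tInternal\t0x0\t\t51234\tTCP
"""


def parse_isa_log(text):
    """Return one dict per record, keyed by the column names in the header line."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def describe_ports(row):
    """Render the two port columns so an ICMP record is not misread as a TCP/UDP flow."""
    src, dst = row["Source Port"], row["Destination Port"]
    if row["Transport"].upper() == "ICMP":
        # Assumption (not stated in the thread): ISA stores the ICMP type in
        # Source Port and the ICMP code in Destination Port for ICMP records.
        return f"ICMP type {src} code {dst} (not TCP/UDP ports)"
    return f"{row['Transport']} {src} -> {dst}"


def summarize_denials(rows):
    """Count denied records per (client, destination, transport, ports, error) tuple."""
    counts = Counter()
    for row in rows:
        if row["Action"] != "Denied Connection":
            continue
        key = (row["Client IP"], row["Destination IP"], row["Transport"],
               describe_ports(row), row["Error Information"])
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(parse_isa_log(SAMPLE_LOG)).items():
        print(f"{n:4d} x {key}")
```

Run against a real export, the one-line-per-tuple summary makes it obvious when hundreds of "Unidentified IP Traffic" denials are really the same ICMP exchange repeating, which is the first thing to establish before touching the system policy rules.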