RE: Unidentified traffic to exchange server

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 17 Mar 2006 10:32:52 -0800

In the case of ICMP, "source port" is equivalent to "ICMP Type" and 
"destination port" is equivalent to "ICMP Code".
Thus, the traffic you're seeing is ICMP:5.1, or "ICMP Redirect: host".
It appears that you have some routing oddities in your network.
Since you blanked out the IP addresses, you'll have to go back and see what 
traffic came from the host that the ICMP:5.1 traffic was destined for.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
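A small triage helper, added here as an example (it is not code from the thread or from ISA Server), that applies the mapping above to an ISA firewall-log export: when Transport is ICMP, Source Port holds the ICMP type and Destination Port the ICMP code, so 5/1 decodes to a host redirect. The tab-separated sample is constructed for the example; its column names follow the export header quoted later in the thread, and the addresses and the second and third rows are made up.

```python
"""Decode ICMP type/code from ISA Server firewall-log records."""
import csv
import io

# Subset of the RFC 792 / IANA ICMP type and code registry.
ICMP_TYPES = {
    0: ("Echo Reply", {0: ""}),
    3: ("Destination Unreachable",
        {0: "net", 1: "host", 2: "protocol", 3: "port",
         4: "fragmentation needed and DF set"}),
    5: ("Redirect", {0: "network", 1: "host",
                     2: "ToS and network", 3: "ToS and host"}),
    8: ("Echo Request", {0: ""}),
    11: ("Time Exceeded", {0: "TTL exceeded in transit",
                           1: "fragment reassembly time exceeded"}),
}


def describe_icmp(icmp_type, icmp_code):
    """Return 'ICMP:type.code (name: detail)' in the thread's ICMP:5.1 style."""
    name, codes = ICMP_TYPES.get(icmp_type, ("Unknown type", {}))
    detail = codes.get(icmp_code)
    label = f"ICMP:{icmp_type}.{icmp_code}"
    if detail is None:
        return f"{label} ({name}, code {icmp_code})"
    return f"{label} ({name}: {detail})" if detail else f"{label} ({name})"


def decode_icmp_records(tsv_text):
    """Yield (log time, client IP, destination IP, description) per ICMP record."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    for row in reader:
        if row["Transport"] != "ICMP":
            continue  # TCP/UDP rows carry real ports, not type/code
        # For ICMP, ISA stores the type in Source Port and the code in Destination Port.
        icmp_type = int(row["Source Port"])
        icmp_code = int(row["Destination Port"])
        yield (row["Log Time"], row["Client IP"], row["Destination IP"],
               describe_icmp(icmp_type, icmp_code))


# Constructed export: first row mirrors the thread's denial, the rest are made up.
SAMPLE_LOG = (
    "Log Time\tClient IP\tDestination IP\tDestination Port\tTransport\tSource Port\tAction\n"
    "3/17/2006 11:17\t10.0.0.38\t10.0.0.16\t1\tICMP\t5\tDenied Connection\n"
    "3/17/2006 11:18\t10.0.0.38\t10.0.0.16\t0\tICMP\t8\tDenied Connection\n"
    "3/17/2006 11:18\t10.0.0.50\t10.0.0.16\t443\tTCP\t51234\tDenied Connection\n"
)

if __name__ == "__main__":
    for rec in decode_icmp_records(SAMPLE_LOG):
        print(*rec, sep=" | ")
```

A redirect logged from the firewall's own interface toward an internal host is the "routing oddity" to chase: the next hop in the firewall's table for that host differs from the one the host is using.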
 

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx] 
Sent: Friday, March 17, 2006 08:56
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Unidentified traffic to exchange server

http://www.ISAserver.org


Thanks Jim, I see it shows ICMP once I add the transport column.  I was 
thinking it would show this under the protocol column which was throwing me off.

I checked the system policy and see that rule #11, ICMP requests from ISA are 
enabled.  I take it this indicates the traffic isn't being seen as ICMP Info 
Request, Timestamp, or Ping? 

Since you said it sounds like an ICMP response, I tried filtering by the client 
ip of the exchange server, but I don't see any traffic destined for the ISA 
internal address.

Jeff


log snip:  (I tried sending as a CSV attachment so it would be readable, but I 
think the listserv doesn't like that).  .38 is ISA and .16 is Exchange

(nine identical records; columns that are empty or "-" in all of them are omitted)

  Original Client IP:   xx.xx.xx.38
  Server Name:          BORDERGUARD
  Processing Time:      0
  Cache Information:    0x0
  Log Record Type:      Firewall
  Log Time:             3/17/2006 11:17
  Destination IP:       xx.xx.xx.16
  Destination Port:     1
  Protocol:             Unidentified IP Traffic
  Action:               Denied Connection
  Rule:                 Default rule
  Client IP:            xx.xx.xx.38
  Source Network:       Local Host
  Destination Network:  Internal
  Result Code:          0xc004000d FWX_E_POLICY_RULES_DENIED
  Error Information:    0x0
  Bytes Received:       0
  Bytes Sent:           0
  Source Port:          5
  Transport:            ICMP


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Friday, March 17, 2006 10:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Unidentified traffic to exchange server

Log snip?
This is sounding more like an ICMP response than anything else.

-----Original Message-----
From: Bunting, Jeff [mailto:BUNTING@xxxxxxxxxxxx]
Sent: Friday, March 17, 2006 6:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Unidentified traffic to exchange server


I'm seeing repeated denied connections from the internal ISA NIC to the backend 
Exchange server in the ISA logs.  They all have source port of 5 and 
destination of 1 and show protocol as "unidentified ip traffic".
Result code is "0xc004000d FWX_E_POLICY_RULES_DENIED".

Anyone have an idea what might be wrong? 

ISA 2004 SP1, Exchange 2003 SP2.  I have OWA published from FE and RPC over 
HTTP set up. 
Also have POP3S and SMTPS published, but no one is using it.  Inbound SMTP is 
going to the FE server. 

thanks,
Jeff 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

All mail to and from this domain is GFI-scanned.
