udp (0) -> udp (0) traffic ?

 
 
Tom
      03-04-2004
Please help me to find out what's going on, or point me in a direction
where to look.

I have the following log records:

Mar 4 12:18:59.552: %SEC-6-IPACCESSLOGP: list extinlist permitted udp X.X.X.X(0) -> WAN_IP(0), 6 packets
Mar 4 12:32:05.225: %SEC-6-IPACCESSLOGP: list extinlist permitted udp X.X.X.X(0) -> WAN_IP(0), 6 packets

I have no idea how it can match to the following rule on the WAN ACL:

80 permit udp any eq domain any log (12 matches)

Am I missing something? Is it a software bug?

Thanks!

IOS Version:

Cisco Internetwork Operating System Software
IOS (tm) SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 10:51 by ealyon
Image text-base: 0x800131E8, data-base: 0x80A3FB84

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
 
Barry Margolin
      03-04-2004
In article <0RJ1c.31750$(E-Mail Removed) >,
Tom <(E-Mail Removed)> wrote:

> Please help me to find out what's going on, or point me in a direction
> where to look.
>
> I have the following log records:
>
> Mar 4 12:18:59.552: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
> X.X.X.X(0) -> WAN_IP(0), 6 packets
> Mar 4 12:32:05.225: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
> X.X.X.X(0) -> WAN_IP(0), 6 packets
>
> I have no idea how it can match to the following rule on the WAN ACL:
>
> 80 permit udp any eq domain any log (12 matches)
>
> Am I missing something? Is it a software bug?


When the log message contains (0) for the port number, it means it
matched a line in the ACL that preceded any lines that check the port
number. The filtering engine doesn't extract the port number from a
packet until it encounters a line in the ACL that matches on this
criteria, so 0 is shown as a placeholder in the log message.

So I don't think it's matching that particular rule, you must have an
earlier rule that permits UDP.

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
 
Tom
      03-04-2004
Barry Margolin wrote:
> In article <0RJ1c.31750$(E-Mail Removed) >,
> Tom <(E-Mail Removed)> wrote:
>
>
>>Please help me to find out what's going on, or point me in a direction
>>where to look.
>>
>>I have the following log records:
>>
>>Mar 4 12:18:59.552: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
>>X.X.X.X(0) -> WAN_IP(0), 6 packets
>>Mar 4 12:32:05.225: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
>>X.X.X.X(0) -> WAN_IP(0), 6 packets
>>
>>I have no idea how it can match to the following rule on the WAN ACL:
>>
>>80 permit udp any eq domain any log (12 matches)
>>
>>Am I missing something? Is it a software bug?

>
>
> When the log message contains (0) for the port number, it means it
> matched a line in the ACL that preceded any lines that check the port
> number. The filtering engine doesn't extract the port number from a
> packet until it encounters a line in the ACL that matches on this
> criteria, so 0 is shown as a placeholder in the log message.
>
> So I don't think it's matching that particular rule, you must have an
> earlier rule that permits UDP.
>


Thanks for the quick answer. I can't really see which rule it can match,
besides it is the only rule that has a permit ... log combination, and
increments counters on these udp 0 packets.

10 deny udp any any range 135 netbios-ns (118 matches)
20 deny tcp any any eq 445 (36 matches)
30 deny ip 192.168.0.0 0.0.255.255 any log
40 deny ip 127.0.0.0 0.255.255.255 any log
50 permit udp host 209.51.161.238 eq ntp any eq ntp (510 matches)
60 permit udp host 128.105.37.11 eq ntp any eq ntp (522 matches)
70 permit udp host 132.163.4.101 eq ntp any eq ntp (510 matches)
80 permit udp any eq domain any log (24 matches)
90 permit tcp any any range 6881 6883
100 permit icmp any any administratively-prohibited
110 permit icmp any any time-exceeded
120 permit icmp any any echo-reply
130 permit icmp any any source-quench
140 permit icmp any any parameter-problem
150 permit icmp any any packet-too-big
160 permit icmp any any traceroute
170 deny ip any any log (20 matches)
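
The cross-check described in the last post, as an added example that is not part of the original thread: it parses the posted ACL and log records and lists which entries could have produced each "permitted udp" record. It assumes only entries carrying the log keyword generate %SEC-6-IPACCESSLOGP messages; the function names are illustrative.

```python
import re

# Entries and log records copied from the thread (wrapped log lines joined;
# the ICMP permits, entries 100-160, are left out: none has "log").
ACL = """\
10 deny udp any any range 135 netbios-ns (118 matches)
20 deny tcp any any eq 445 (36 matches)
30 deny ip 192.168.0.0 0.0.255.255 any log
40 deny ip 127.0.0.0 0.255.255.255 any log
50 permit udp host 209.51.161.238 eq ntp any eq ntp (510 matches)
60 permit udp host 128.105.37.11 eq ntp any eq ntp (522 matches)
70 permit udp host 132.163.4.101 eq ntp any eq ntp (510 matches)
80 permit udp any eq domain any log (24 matches)
90 permit tcp any any range 6881 6883
170 deny ip any any log (20 matches)
"""
LOGS = """\
Mar 4 12:18:59.552: %SEC-6-IPACCESSLOGP: list extinlist permitted udp X.X.X.X(0) -> WAN_IP(0), 6 packets
Mar 4 12:32:05.225: %SEC-6-IPACCESSLOGP: list extinlist permitted udp X.X.X.X(0) -> WAN_IP(0), 6 packets
"""
ACE_RE = re.compile(r"^(\d+) (permit|deny) (\S+) (.*?)(?: \((\d+) match(?:es)?\))?$", re.M)
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\S+) "
                    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?")

def parse_acl(text):
    """Return one dict per ACE: sequence, action, protocol, log flag, hit count."""
    return [{"seq": int(s), "action": a, "proto": p, "log": "log" in rest.split(),
             "hits": int(h or 0)} for s, a, p, rest, h in ACE_RE.findall(text)]

def parse_logs(text):
    """Return one dict per IPACCESSLOGP record."""
    keys = ("acl", "verdict", "proto", "src", "sport", "dst", "dport", "packets")
    return [dict(zip(keys, m)) for m in LOG_RE.findall(text)]

def candidate_aces(event, aces):
    """Sequence numbers of ACEs able to emit this record: same action, the
    'log' keyword, and a protocol of the logged one or 'ip'."""
    action = {"permitted": "permit", "denied": "deny"}[event["verdict"]]
    return [a["seq"] for a in aces if a["log"] and a["action"] == action
            and a["proto"] in (event["proto"], "ip")]

def port_zero_packets(events):
    """Total packets in records logged with (0) for both ports."""
    return sum(int(e["packets"]) for e in events if e["sport"] == e["dport"] == "0")

if __name__ == "__main__":
    aces, events = parse_acl(ACL), parse_logs(LOGS)
    for e in events:
        print(e["src"], "->", e["dst"], "candidates:", candidate_aces(e, aces))
    print("port-0 packets:", port_zero_packets(events))
```

Both records resolve to entry 80, and their 12 logged packets equal the "(12 matches)" counter shown for that entry in the first post.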
 