udp (0) -> udp (0) traffic ?

Discussion in 'Cisco' started by Tom, Mar 4, 2004.

  1. Tom

    Tom Guest

    Please help me to find out what's going on, or point me in a direction
    where to look.

    I have the following log records:

    Mar 4 12:18:59.552: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
    X.X.X.X(0) -> WAN_IP(0), 6 packets
    Mar 4 12:32:05.225: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
    X.X.X.X(0) -> WAN_IP(0), 6 packets

    I have no idea how it can match to the following rule on the WAN ACL:

    80 permit udp any eq domain any log (12 matches)

    Am I missing something? Is it a software bug?

    Thanks!

    IOS Version:

    Cisco Internetwork Operating System Software
    IOS (tm) SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC, EARLY
    DEPLOYMENT RELEASE SOFTWARE (fc1)
    Synched to technology version 12.3(1.6)T
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 25-Sep-03 10:51 by ealyon
    Image text-base: 0x800131E8, data-base: 0x80A3FB84

    ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    ROM: SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC, EARLY
    DEPLOYMENT RELEASE SOFTWARE (fc1)
    Tom, Mar 4, 2004
    #1

  2. In article <0RJ1c.31750$>,
    Tom <> wrote:

    > Please help me to find out what's going on, or point me in a direction
    > where to look.
    >
    > I have the following log records:
    >
    > Mar 4 12:18:59.552: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
    > X.X.X.X(0) -> WAN_IP(0), 6 packets
    > Mar 4 12:32:05.225: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
    > X.X.X.X(0) -> WAN_IP(0), 6 packets
    >
    > I have no idea how it can match to the following rule on the WAN ACL:
    >
    > 80 permit udp any eq domain any log (12 matches)
    >
    > Am I missing something? Is it a software bug?


    When the log message contains (0) for the port number, it means it
    matched a line in the ACL that preceded any lines that check the port
    number. The filtering engine doesn't extract the port number from a
    packet until it encounters a line in the ACL that matches on this
    criteria, so 0 is shown as a placeholder in the log message.

    So I don't think it's matching that particular rule, you must have an
    earlier rule that permits UDP.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin, Mar 4, 2004
    #2

  3. Tom

    Tom Guest

    Barry Margolin wrote:
    > In article <0RJ1c.31750$>,
    > Tom <> wrote:
    >
    >
    >>Please help me to find out what's going on, or point me in a direction
    >>where to look.
    >>
    >>I have the following log records:
    >>
    >>Mar 4 12:18:59.552: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
    >>X.X.X.X(0) -> WAN_IP(0), 6 packets
    >>Mar 4 12:32:05.225: %SEC-6-IPACCESSLOGP: list extinlist permitted udp
    >>X.X.X.X(0) -> WAN_IP(0), 6 packets
    >>
    >>I have no idea how it can match to the following rule on the WAN ACL:
    >>
    >>80 permit udp any eq domain any log (12 matches)
    >>
    >>Am I missing something? Is it a software bug?

    >
    >
    > When the log message contains (0) for the port number, it means it
    > matched a line in the ACL that preceded any lines that check the port
    > number. The filtering engine doesn't extract the port number from a
    > packet until it encounters a line in the ACL that matches on this
    > criteria, so 0 is shown as a placeholder in the log message.
    >
    > So I don't think it's matching that particular rule, you must have an
    > earlier rule that permits UDP.
    >


    Thanks for the quick answer. I can't really see which rule it can match,
    besides it is the only the rule that has permit ... log combination, and
    increments counters on these udp 0 packets.

    10 deny udp any any range 135 netbios-ns (118 matches)
    20 deny tcp any any eq 445 (36 matches)
    30 deny ip 192.168.0.0 0.0.255.255 any log
    40 deny ip 127.0.0.0 0.255.255.255 any log
    50 permit udp host 209.51.161.238 eq ntp any eq ntp (510 matches)
    60 permit udp host 128.105.37.11 eq ntp any eq ntp (522 matches)
    70 permit udp host 132.163.4.101 eq ntp any eq ntp (510 matches)
    80 permit udp any eq domain any log (24 matches)
    90 permit tcp any any range 6881 6883
    100 permit icmp any any administratively-prohibited
    110 permit icmp any any time-exceeded
    120 permit icmp any any echo-reply
    130 permit icmp any any source-quench
    140 permit icmp any any parameter-problem
    150 permit icmp any any packet-too-big
    160 permit icmp any any traceroute
    170 deny ip any any log (20 matches)
    Tom, Mar 4, 2004
    #3
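As an added illustration (not code from the thread or from Cisco), here is a small first-match ACL evaluator that reads a subset of Tom's ACL listing and one of his log lines and reports which entry could have produced the log, treating a port logged as (0) the way Barry describes: no port value was available, so an entry that needs a port comparison cannot be the match. The addresses are constructed (the thread shows placeholders), and the ACL subset and port-name table are assumptions made for the example.

```python
import re
from ipaddress import IPv4Address
# Constructed input: a subset of Tom's ACL, and his log line with RFC 5737 documentation addresses.
ACL_TEXT = """10 deny udp any any range 135 netbios-ns (118 matches)
30 deny ip 192.168.0.0 0.0.255.255 any log
50 permit udp host 209.51.161.238 eq ntp any eq ntp (510 matches)
80 permit udp any eq domain any log (24 matches)
170 deny ip any any log (20 matches)"""
LOG_LINE = "%SEC-6-IPACCESSLOGP: list extinlist permitted udp 203.0.113.5(0) -> 198.51.100.7(0), 6 packets"

def _addr(toks):  # consume 'any' | 'host A' | 'A WILDCARD' -> (network, wildcard) as ints
    kind = toks.pop(0)
    if kind == "any":
        return 0, 0xFFFFFFFF
    net = int(IPv4Address(toks.pop(0) if kind == "host" else kind))
    return net, (0 if kind == "host" else int(IPv4Address(toks.pop(0))))

def _ports(toks):  # consume optional 'eq P' | 'range A B' -> (lo, hi) or None
    if not toks or toks[0] not in ("eq", "range"):
        return None
    port = lambda t: {"domain": 53, "ntp": 123, "netbios-ns": 137}.get(t) or int(t)
    op, lo = toks.pop(0), port(toks.pop(0))
    return lo, (port(toks.pop(0)) if op == "range" else lo)

def parse_acl(text):
    """Parse 'show access-lists' entries, in first-match order, into dicts."""
    aces = []
    for line in text.splitlines():
        toks = re.sub(r"\(\d+ matches\)", "", line).split()   # drop the hit counters
        ace, toks = {"seq": int(toks[0]), "action": toks[1], "proto": toks[2]}, toks[3:]
        ace["src"], ace["sp"] = _addr(toks), _ports(toks)   # left-to-right consumption
        ace["dst"], ace["dp"] = _addr(toks), _ports(toks)
        aces.append(ace)
    return aces

def parse_log(line):
    """Flow from an IPACCESSLOGP line; a port logged as (0) becomes None (not examined)."""
    verdict, proto, src, sp, dst, dp = re.search(
        r"(permitted|denied) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)", line).groups()
    return verdict, proto, src, dst, int(sp) or None, int(dp) or None

def first_match(aces, proto, src, dst, sport=None, dport=None):
    """First-match lookup; a port of None means no port was extracted, so port-qualified entries cannot match."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    in_net = lambda ip, spec: (ip | spec[1]) == (spec[0] | spec[1])   # wildcard bits ignored
    in_rng = lambda rng, p: rng is None or (p is not None and rng[0] <= p <= rng[1])
    for a in aces:
        ok = a["proto"] in ("ip", proto) and in_net(s, a["src"]) and in_net(d, a["dst"])
        if ok and in_rng(a["sp"], sport) and in_rng(a["dp"], dport):
            return a
    return None
```

For the subset above, the only entry reachable without a port comparison for an outside source is the closing deny ip any any, which is the same check Tom performs by hand on the full list.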
