WAE - ICMP Flood to VPN Users

Unanswered Question
May 2nd, 2008

We currently have a distributed server model where users VPN to our ASA in Chicago and access local files in one of our remote offices, like in Boston. Our security team is receiving an IPS event, and below is a copy of the log.

10.8.64.20/0 --> 10.12.187.98/0 ICMP ICMP Flood,NR-2152/0,Time:1209676259,Risk Rating:85,VLAN:0

My question is: does the WAE send out a sort of keepalive to VPN users to make sure they haven't disconnected?

Zach Seils Sun, 05/04/2008 - 08:55

Clifton,

Are you referring to a WAE running WAAS software, or something else? If you are referring to WAAS, can you please explain how it fits into the topology?

Thanks,

Zach

cfolkerts Mon, 05/05/2008 - 08:04

Yes, I am referring to a WAE box running WAAS software. At our VPN head end site in Chicago I am redirecting the traffic from the VPN user vlan to a WAAS server. It seems that the WAAS server is sending ICMP packets to remote users. Have you seen this type of behaviour before?

Zach Seils Mon, 05/05/2008 - 20:48

The only ICMP traffic generated by the WAE is for CIFS file server auto-discovery.

Can you provide a full packet capture during a time when this is happening?

Thanks,

Zach
