WAE - ICMP Flood to VPN Users

May 2nd, 2008

We currently have a distributed server model where users VPN to our ASA in Chicago and access local files in one of our remote offices like in Boston. Our security team is receiving an IPS event and below is a copy of the log.


10.8.64.20/0 --> 10.12.187.98/0 ICMP ICMP Flood,NR-2152/0,Time:1209676259,Risk Rating:85,VLAN:0


My question is does the WAE send out a sort of keepalive to VPN users to make sure they haven't disconnected?

Zach Seils (Cisco Employee) Sun, 05/04/2008 - 08:55

Clifton,


Are you referring to a WAE running WAAS software, or something else? If you are referring to WAAS, can you please explain how it fits into the topology?


Thanks,

Zach



cfolkerts Mon, 05/05/2008 - 08:04

Yes, I am referring to a WAE box running WAAS software. At our VPN head end site in Chicago I am redirecting the traffic from the VPN user vlan to a WAAS server. It seems that the WAAS server is sending ICMP packets to remote users. Have you seen this type of behaviour before?

Zach Seils (Cisco Employee) Mon, 05/05/2008 - 20:48

The only ICMP traffic generated by the WAE is for CIFS file server auto-discovery.


Can you provide a full packet capture during a time when this is happening?


Thanks,

Zach


