
udp port 3544 traffic to external public and private addresses

fsebera
Level 4

Hi,

We are an IPv4 only shop but do not block IPv6 traffic nor do we disable the Microsoft dynamic tunnels on PCs.

A QRadar network activity search shows a LOT of traffic between hosts using udp port 3544. Teredo default port is udp 3544.

Many of the destinations are outside our internal address range as well as RFC 1918 addresses, although some are to Microsoft's IP address.

Is this an indication of Teredo tunnels between hosts that traverse the network/Internet with valid public addresses or is this a potential red herring?

Thank you

Frank

2 Replies

Hello,

the traffic almost certainly comes from your Windows clients, which use local and remote IP addresses for IPv6 transition.

Block the port using the Windows firewall as described below and check if you still see the traffic:

https://www.stigviewer.com/stig/windows_7/2013-10-01/finding/V-17449

Hi Georg,

Yes, we are confident the tunnel traffic is originating from our internal Windows clients, but the remote IP addresses (RFC 1918 and not Internet routable) are NOT part of our internal IP address range AND we do not run IPv6 on any internet/external routers.

ANY idea IF or HOW this traffic is reaching us?

Is it possible this is a red herring and no alarm should be set?

Thank you

Frank
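
One way to split the UDP 3544 flows discussed in this thread into internal, RFC 1918 but not internal, and public destinations, counted per source host. This is an added example, not code from any post in the thread; the internal range `10.20.0.0/16`, the CSV column names and the sample rows are assumptions constructed for illustration and are not QRadar's export schema.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

TEREDO_PORT = 3544  # Teredo default UDP port, per the thread

# Assumption: placeholder internal range; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (hypothetical column names, not QRadar's schema).
# Public destinations use documentation address ranges.
SAMPLE_CSV = """src_ip,dst_ip,protocol,dst_port
10.20.1.15,203.0.113.10,udp,3544
10.20.1.15,192.168.1.44,udp,3544
10.20.1.15,192.168.1.44,udp,3544
10.20.7.9,10.20.3.3,udp,3544
10.20.7.9,172.16.5.20,udp,3544
10.20.7.9,198.51.100.7,tcp,3544
10.20.2.2,198.51.100.7,udp,53
"""

def classify_destination(dst, internal_nets=INTERNAL_NETS):
    """Label a destination as internal, foreign RFC 1918, or public."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in internal_nets):
        return "internal"
    if any(ip in net for net in RFC1918_NETS):
        return "rfc1918-not-internal"
    return "public"

def triage(csv_text, internal_nets=INTERNAL_NETS):
    """Count UDP/3544 flows per destination class and source host."""
    buckets = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Skip anything that is not UDP to the Teredo port.
        if row["protocol"].lower() != "udp" or int(row["dst_port"]) != TEREDO_PORT:
            continue
        label = classify_destination(row["dst_ip"], internal_nets)
        buckets[label][row["src_ip"]] += 1
    return {label: dict(counts) for label, counts in buckets.items()}

if __name__ == "__main__":
    for label, sources in sorted(triage(SAMPLE_CSV).items()):
        print(label, sources)
```

Running the same count before and after applying the Windows firewall block suggested in the first reply shows which source hosts, if any, still generate the traffic.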
