Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
511
Views
0
Helpful
4
Replies

Packet Capture - explaination?

Go to solution
Anthony.Herman
Level 1
Level 1

‎01-07-2014 10:04 AM - edited ‎03-11-2019 08:26 PM

1: 07:48:59.867249 0026.51d7.65c1 0025.4538.6b73 0x0800 95: 10.235.5.31.38001 > 64.x.x.x.1194:  [udp sum ok] udp 53 (DF) (ttl 62, id 0)

I'm troubleshooting an issue with a device that once installed is per their support supposed to create a tunnel over port 1194 to their cloud. I see traffic passing to and from this device to their address space including this port but it is all udp 53? Can someone explain this?

Needless to say at this point the tunnel is not forming.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-07-2014 12:24 PM

Hi,

Isnt the source/destination port mentioned right after the IP address?

10.235.5.31.38001 > 64.x.x.x.1194

I guess that would mean that the 53 is the packet size?

Where is this output from? I am too used to looking captures through Wireshark even though I take captures on the ASA itself most of the time.

Can't say I know what the problem might be but if we are talking about UDP then naturally there is no actual connection forming/sync. Is there traffic both ways or is the UDP traffic one way?

- Jouni

View solution in original post

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎01-07-2014 12:32 PM

I believe you are correct about the ports Jouni. I too have been spoiled by Wireshark.

Anthony- Can you do a packet tracer so we can see if/where it could be blocked on the ASA?

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎01-07-2014 10:43 AM

UDP53 is DNS lookups. Perhaps the vendors device is trying to perform name resolution to the cloud hostname.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-07-2014 12:24 PM

Hi,

Isnt the source/destination port mentioned right after the IP address?

10.235.5.31.38001 > 64.x.x.x.1194

I guess that would mean that the 53 is the packet size?

Where is this output from? I am too used to looking captures through Wireshark even though I take captures on the ASA itself most of the time.

Can't say I know what the problem might be but if we are talking about UDP then naturally there is no actual connection forming/sync. Is there traffic both ways or is the UDP traffic one way?

- Jouni

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎01-07-2014 12:32 PM

I believe you are correct about the ports Jouni. I too have been spoiled by Wireshark.

Anthony- Can you do a packet tracer so we can see if/where it could be blocked on the ASA?

0 Helpful

Go to solution
Anthony.Herman
Level 1
Level 1
In response to Collin Clark

‎01-07-2014 01:26 PM

Thanks for the replies guys. You are correct those are packet sizes and those are the ports. It turns out the device firmware was the cause of the issue.

That capture was from a packet capture on 8.2 ASA. I didn't understand what the '53' was showing me until Jouni mentioned it.

I appreciate the feedback.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card