I recently turned the Firewall Feature set on for one of our remote sites that previously had only PAT for security. We are seeing about 1600 attempts an hour to access the PAT address on TCP and UDP port 15687. Anyone have any idea what is going on? Thanks!
Also, if anyone has any ideas on how to track this down, I would appreciate it.
Thanks! Good document. At this point, I am really interested in knowing what this traffic is. It has been continuing steady for 2 weeks.
Also, as a follow-up question. I put an outbound ACL that just logs traffic on tcp/udp port 15687. Oddly enough, what is showing up in the logs is traffic to UDP Port 0. Since I am not logging traffic on Port 0, I am curious why it is being logged. Any ideas? Is it an IOS ACL bug or a reporting bug?
The most common cause of the log messages reporting UDP (or TCP) port 0 is that the access list is checking IP addresses but is not specifically checking ports. In essence, if the ACL is not checking ports then it cannot report ports (if the ACL only specifies to look in the layer 3 header, then it has no idea what is in the layer 4 header and cannot report the value of the port).
Could you post the syntax of the ACL and how it is assigned to the interface?
Thanks for posting the additional information. This is very odd. Certainly the access list is examining port numbers and the log messages should have the port numbers instead of reporting zeros. Are there any entries in syslog where it is reporting port numbers for UDP or is every entry reporting zeros?
I have seen situations where the action of the router was different from what is in the running config. I have especially seen some situations where the router action reflected something that had been previously configured, the configuration changed, but the behavior seems to still reflect the old configuration. Would it be possible to save the config, reboot the router, and see if the behavior changes? If not, would it be possible to copy the access list to a text file, delete the access list in the config, and paste the access list back into the config from the text file?
I think it is pretty odd too! The syslog does contain logs for actual traffic to port 15687. Here is an example:
Jun 13 00:35:00.486: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.17(15687) -> 18.104.22.168(15687), 1 packet
It is a bit of a mystery, but I thought someone might have seen something similar with this on Port 0. The real question though is what all the inbound traffic attempts on port 15678 are (not shown in these ACLs or syslogs)? The volume is about 1600 attempts an hour (not enough for DoS). My guess is that it is some kind of gaming program with a way of seeing who else is online so the users can invite them to play. I would like to verify that.
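An added example (mine, not code from anyone in this thread) that parses %SEC-6-IPACCESSLOGP syslog lines like the one quoted above, tallies packets per destination port, keeps the port-0 hits apart, and flags ACEs in an ACL that carry "log" but no port operator, which is the cause the earlier reply gives for port-0 logging. The log lines and the ACL text are constructed samples; the ACE check is a heuristic based on that explanation, not a documented IOS rule.

```python
import re
from collections import Counter

# IOS ACL log format as seen in the thread: list <acl> <action> <proto> src(sport) -> dst(dport), N packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog; the first line mirrors the one quoted in the thread.
SAMPLE_LOG = """\
Jun 13 00:35:00.486: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.17(15687) -> 18.104.22.168(15687), 1 packet
Jun 13 00:35:03.101: %SEC-6-IPACCESSLOGP: list 106 permitted udp 10.5.60.17(0) -> 18.104.22.168(0), 4 packets
Jun 13 00:35:07.920: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 10.5.60.22(41022) -> 18.104.22.168(15687), 1 packet
Jun 13 00:35:11.400: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Constructed sample ACL; the second ACE matches udp without any port operator.
SAMPLE_ACL = """\
access-list 106 permit udp any any eq 15687 log
access-list 106 permit udp any any log
access-list 106 permit tcp any any eq 15687 log
access-list 106 permit ip any any
"""

def parse_acl_log(text):
    """Return one dict per IPACCESSLOGP line; unrelated syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "count"):
                d[k] = int(d[k])
            entries.append(d)
    return entries

def summarize(entries):
    """Packets per (proto, dport), plus the packets the router logged with port 0 on both ends."""
    by_port, port_zero = Counter(), 0
    for e in entries:
        if e["sport"] == 0 and e["dport"] == 0:
            port_zero += e["count"]   # ACE matched on L3 only, so no port is reported
        else:
            by_port[(e["proto"], e["dport"])] += e["count"]
    return by_port, port_zero

def aces_logging_without_ports(acl_text):
    """tcp/udp ACEs with 'log' but no eq/neq/gt/lt/range operator (heuristic, not an IOS rule)."""
    flagged = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) > 3 and parts[0] == "access-list" and parts[3] in ("tcp", "udp"):
            if "log" in parts and not {"eq", "neq", "gt", "lt", "range"} & set(parts):
                flagged.append(line.strip())
    return flagged
```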