Cisco Support Community
New Member

Illegal UDP packets

I keep getting a strange alert from CUCM 8.5.1(SU3) about an illegal UDP packet. The source address is from the H323 gateways and is in the RTP range?

Been looking around and cannot find any reference to it. Happens about once a week. Any ideas?

At Tue Nov 22 13:14:33 EST 2011 on node 10.11.2.253, the following SyslogSeverityMatchFound events generated:

SeverityMatch : Critical

MatchedEvent : Nov 22 13:14:04 callmanager-pub local4 2 : 150: callmanager-pub: Nov 22 2011 13:14:04.784 +1100: %CSA-2-EVENT_SHIELD_DENY: %[PID=12653][component=CiscoSecurityAgent] : A packet with a bad transport layer header was detected. Reason: Illegal UDP Port. UDP: 10.12.4.254/27216->10.11.2.253/0. The operation was denied. [rule 819] AppID : Cisco Syslog Agent ClusterID :

NodeID : callmanager-pub

TimeStamp : Tue Nov 22 13:14:04 EST 2011

TIA

Pieter

1 ACCEPTED SOLUTION

Green

Illegal UDP packets

Hi,

This looks like a bug.

CSCti45564 Bug Details
SyslogSeverityMatchFound Alarm Fires for CSA Owner change
Symptom:
Alarm is being triggered saying that there is a security issue when there is not.


Event:

Aug 5 2010 12:01:02.730 -0500: %CSA-2-EVENT_ASVC_CONF_DENY: %[PID=6657][component=CiscoSecurityAgent] : The process '/bin/chown' (as user root(0) group root(0)) attempted to modify a Cisco Security Agent resource file /common/log/taos-log-a/syslog/csalog which is located in a Cisco directory. The operation was denied. [rule 287]


Conditions:
3 node cluster with two nodes running Communications Manager

Workaround:
Disable CSA from cli "utils csa disable" to avoid the blocking

If you access the bug toolkit it tells you which 8.5.1 upgrade will fix it.

HTH

Alex

Please rate useful posts

4 REPLIES
New Member

Illegal UDP packets

Hi Alex,

Thanks for the response. 50 views and 1 response :-)

I agree, it's a bug, but I doubt it's the above-mentioned one.

Thanks for the response.

Pieter

New Member

Illegal UDP packets

We are encountering the same issue. I've been looking for any docs but can't find any. Anyone who has encountered this and how to troubleshoot?

New Member

Re: Illegal UDP packets

Hi,

No, my customer reported that it just “stopped”. You can disable the CSA if it continues. My concern was PSTN toll fraud, but there are ways of preventing this, which is what I did to put my mind at ease.

Sorry couldn’t help.

Regards

Pieter
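
For the "how to troubleshoot" question raised in this thread, an added example (not from any poster or from Cisco) that parses CSA deny events in the syslog layout quoted above and counts destination-port-0 denies per source and rule, so a recurring gateway stands out from unrelated denies such as the chown event in CSCti45564. The function names and the RTP port range are assumptions; the first two sample lines are the events quoted in the thread and the third is constructed.

```python
import re
from collections import Counter

# Header, flow and reason patterns for the CSA syslog layout quoted in this thread.
EVENT_RE = re.compile(
    r"%CSA-(?P<sev>\d)-(?P<event>[A-Z_]+): %\[PID=(?P<pid>\d+)\]"
    r"\[component=(?P<component>\w+)\] : (?P<msg>.*?)\s*\[rule (?P<rule>\d+)\]")
FLOW_RE = re.compile(
    r"(?P<proto>UDP|TCP): (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)")
REASON_RE = re.compile(r"Reason: (?P<reason>[^.]+)\.")
RTP_RANGE = range(16384, 32768)  # assumption: common default RTP port range on Cisco voice gateways

SAMPLE = [  # lines 1-2 are the events quoted in the thread; line 3 is constructed
    "Nov 22 2011 13:14:04.784 +1100: %CSA-2-EVENT_SHIELD_DENY: %[PID=12653][component=CiscoSecurityAgent] : A packet with a bad transport layer header was detected. Reason: Illegal UDP Port. UDP: 10.12.4.254/27216->10.11.2.253/0. The operation was denied. [rule 819]",
    "Aug 5 2010 12:01:02.730 -0500: %CSA-2-EVENT_ASVC_CONF_DENY: %[PID=6657][component=CiscoSecurityAgent] : The process '/bin/chown' (as user root(0) group root(0)) attempted to modify a Cisco Security Agent resource file /common/log/taos-log-a/syslog/csalog which is located in a Cisco directory. The operation was denied. [rule 287]",
    "Nov 29 2011 13:20:11.102 +1100: %CSA-2-EVENT_SHIELD_DENY: %[PID=12653][component=CiscoSecurityAgent] : A packet with a bad transport layer header was detected. Reason: Illegal UDP Port. UDP: 10.12.4.254/27216->10.11.2.253/0. The operation was denied. [rule 819]",
]

def parse_csa(line):
    """Return the fields of one CSA event line as a dict, or None if it is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"], ev["rule"] = int(ev["sev"]), int(ev["rule"])
    flow = FLOW_RE.search(ev["msg"])  # present only on network denies
    if flow:
        ev.update(flow.groupdict())
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    reason = REASON_RE.search(ev["msg"])
    ev["reason"] = reason.group("reason") if reason else None
    return ev

def triage(lines):
    """Count port-0 denies per (source, rule, source port in RTP range); list other denies."""
    port_zero, other = Counter(), []
    for ev in filter(None, map(parse_csa, lines)):
        if ev.get("dport") == 0:  # port 0 is reserved, so no service listens on it
            port_zero[(ev["src"], ev["rule"], ev["sport"] in RTP_RANGE)] += 1
        else:
            other.append((ev["event"], ev["rule"]))
    return port_zero, other

if __name__ == "__main__":
    print(triage(SAMPLE))
```
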
