Illegal UDP packets

Pieter de jong
Level 1

I keep getting a strange alert from CUCM 8.5.1(SU3) about an illegal UDP packet. The source address is from the H323 gateways and is in the RTP range?

Been looking around and cannot find any reference to it. Happens about once a week. Any ideas?

At Tue Nov 22 13:14:33 EST 2011 on node 10.11.2.253, the following SyslogSeverityMatchFound events generated:

SeverityMatch : Critical

MatchedEvent : Nov 22 13:14:04 callmanager-pub local4 2 : 150: callmanager-pub: Nov 22 2011 13:14:04.784 +1100: %CSA-2-EVENT_SHIELD_DENY: %[PID=12653][component=CiscoSecurityAgent] : A packet with a bad transport layer header was detected. Reason: Illegal UDP Port. UDP: 10.12.4.254/27216->10.11.2.253/0. The operation was denied. [rule 819] AppID : Cisco Syslog Agent ClusterID :

NodeID : callmanager-pub

TimeStamp : Tue Nov 22 13:14:04 EST 2011

TIA

Pieter

1 Accepted Solution

Accepted Solutions

acampbell
VIP Alumni

Hi,

This looks like a bug.

CSCti45564 Bug Details
SyslogSeverityMatchFound Alarm Fires for CSA Owner change
Symptom:
Alarm is being triggered saying that there is a security issue when there is not.


Event:

Aug 5 2010 12:01:02.730 -0500: %CSA-2-EVENT_ASVC_CONF_DENY: %[PID=6657][component=CiscoSecurityAgent] : The process '/bin/chown' (as user root(0) group root(0)) attempted to modify a Cisco Security Agent resource file /common/log/taos-log-a/syslog/csalog which is located in a Cisco directory. The operation was denied. [rule 287]


Conditions:
3 node cluster with two nodes running Communications Manager

Workaround:
Disable CSA from cli "utils csa disable" to avoid the blocking

If you access the bug toolkit it tells you which 8.5.1 upgrade will fix it.

HTH

Alex

Please rate useful posts

Regards, Alex. Please rate useful posts.


4 Replies 4


Hi Alex,

Thanks for the response. 50 views and 1 response :-)

I agree, it's a bug, but I doubt it's the above-mentioned one.

Thanks for the response.

Pieter

We are encountering the same issue. I've been looking for any docs but can't find any. Has anyone encountered this, and how did you troubleshoot it?

Hi,

No, my customer reported that it just “stopped”. You can disable the CSA if it continues. My concern was PSTN toll fraud, but there are ways of preventing this, which is what I did to put my mind at ease.

Sorry couldn’t help.

Regards

Pieter
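An added example, not part of any post in this thread: a small Python parser for the two CSA events quoted above. It pulls out the event mnemonic, rule number and, where present, the UDP flow, so recurring alerts can be grouped by sender and told apart by rule. The function names are hypothetical, and the regular expressions assume the line layout shown in the two quoted events.

```python
import re
from collections import Counter

# The two CSA events quoted in this thread (syslog wrapper prefix omitted).
SAMPLE_LOG = """\
Nov 22 2011 13:14:04.784 +1100: %CSA-2-EVENT_SHIELD_DENY: %[PID=12653][component=CiscoSecurityAgent] : A packet with a bad transport layer header was detected. Reason: Illegal UDP Port. UDP: 10.12.4.254/27216->10.11.2.253/0. The operation was denied. [rule 819]
Aug 5 2010 12:01:02.730 -0500: %CSA-2-EVENT_ASVC_CONF_DENY: %[PID=6657][component=CiscoSecurityAgent] : The process '/bin/chown' (as user root(0) group root(0)) attempted to modify a Cisco Security Agent resource file /common/log/taos-log-a/syslog/csalog which is located in a Cisco directory. The operation was denied. [rule 287]
"""

# Header and trailing rule id; layout assumed from the two events above.
EVENT_RE = re.compile(
    r"%CSA-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): "
    r"%\[PID=(?P<pid>\d+)\].*?\[rule (?P<rule>\d+)\]"
)
# "UDP: src_ip/src_port->dst_ip/dst_port" as printed in the SHIELD_DENY event.
FLOW_RE = re.compile(
    r"UDP: (?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"->(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_csa_events(text):
    """Return one dict per CSA event line; flow fields only when present."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a CSA event line
        ev = {"mnemonic": m["mnemonic"], "severity": int(m["severity"]),
              "pid": int(m["pid"]), "rule": int(m["rule"])}
        flow = FLOW_RE.search(line)
        if flow:
            ev.update(src_ip=flow["src_ip"], src_port=int(flow["src_port"]),
                      dst_ip=flow["dst_ip"], dst_port=int(flow["dst_port"]))
            # Port 0 is reserved; it is the destination port in the alert above.
            ev["dst_port_zero"] = ev["dst_port"] == 0
        events.append(ev)
    return events


def summarize(events):
    """Count events per (mnemonic, rule, source IP) to show recurrence by sender."""
    return Counter((e["mnemonic"], e["rule"], e.get("src_ip")) for e in events)


if __name__ == "__main__":
    for key, count in summarize(parse_csa_events(SAMPLE_LOG)).items():
        print(count, *key)
```

Run over a longer syslog export, the summary shows whether the port-0 denials always come from the same gateway address and whether they share a rule number with other CSA alarms.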
