Community Member

LMS 3.0 - icmp to external (public) IP address

Our security group is reporting Ping_sweep events from our LMS 3.0 system (Unix, Solaris 10) to the DoD range 30.1.*.*

I am unable to locate this IP address range within the LMS application. Is there a way to figure out if LMS is actually pinging this IP address range? If so, and I do find it, how can I stop it?

I did just add this range to the Excluded devices file, but I didn't think it would help much...

Thanks,


8 REPLIES
Cisco Employee

Re: LMS 3.0 - icmp to external (public) IP address

Exactly what version of Common Services do you have? Depending on the version, you may have Discovery configured for ping sweeps. There is also a ping sweep capability in User Tracking. Go to Campus Manager > Admin > User Tracking > Acquisition > Ping Sweep to disable certain subnets.

Community Member

Re: LMS 3.0 - icmp to external (public) IP address

LMS 3.0.1

Common Services 3.1.1

The server in question (OKCWSI) is the Slave server in a Master/Slave configuration.

I've double checked and the Common Services discovery is disabled = there is no discovery schedule configured for it at all. Maybe there is a better way to disable discovery?

User Tracking was enabled, however 30.1.X.X was not listed in the 'Exclude subnets from Ping Sweep' section. The only IPs in this list are our internal 10 nets and our public 161 and 167 networks. There are no 30 networks at all.

I'm not even sure how or why CiscoWorks would know about this subnet. We don't have any piece of this public address space at all.

I checked our firewall logs and I have verified that OKCWSI is doing a sweep of this network.

I'm stumped...

Thanks,

Cisco Employee

Re: LMS 3.0 - icmp to external (public) IP address

What does the sweep pattern look like?

Community Member

Re: LMS 3.0 - icmp to external (public) IP address

Here is an excerpt:

<191>Oct 02 2009 10:00:46: %ASA-7-609001: Built local-host outside:30.1.104.1

<190>Oct 02 2009 10:00:46: %ASA-6-302020: Built outbound ICMP connection for faddr 30.1.104.1/0 gaddr 161.235.222.10/0 laddr OKCWSI/0

161.235.222.10 is the static translated IP for OKCWSI.

It starts with ICMP to 30.1.104.1 and goes through 30.1.104.254. It also scanned 30.1.101, 30.1.102 & 30.1.103. I assume it does more, but I was only looking at two hours' worth of firewall logs.
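The sweep pattern in the excerpt above (one outbound ICMP "connection" per destination host, walking a whole /24 from a single source) is what the security group's sensor is keying on. The following is an added example, not code from the thread or from Cisco, showing how to confirm the same thing directly from ASA syslog: it parses %ASA-6-302020 lines, groups distinct ICMP destinations by source and destination /24, and reports any group that crosses a host-count threshold. The log lines it runs on are constructed in the same format as the two lines quoted above; the threshold of 32 hosts is an arbitrary assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the ASA "Built outbound ICMP connection" message (%ASA-6-302020) in the
# form quoted in the thread: "... faddr <ip>/0 gaddr <ip>/0 laddr <name-or-ip>/0".
ASA_302020 = re.compile(
    r"%ASA-6-302020: Built outbound ICMP connection for "
    r"faddr (?P<faddr>\d+\.\d+\.\d+\.\d+)/\d+ "
    r"gaddr (?P<gaddr>\S+)/\d+ "
    r"laddr (?P<laddr>\S+)/\d+"
)


def parse_icmp_connections(lines):
    """Yield (laddr, faddr) for every 302020 line; ignore all other messages."""
    for line in lines:
        m = ASA_302020.search(line)
        if m:
            yield m.group("laddr"), m.group("faddr")


def find_ping_sweeps(lines, min_hosts=32, prefixlen=24):
    """Group outbound ICMP by (source, destination /prefixlen) and return only the
    groups that touched at least min_hosts distinct destination hosts.

    Result: {(laddr, "a.b.c.0/24"): sorted list of distinct faddr strings}
    """
    hosts = defaultdict(set)
    for laddr, faddr in parse_icmp_connections(lines):
        net = ip_network(f"{faddr}/{prefixlen}", strict=False)
        hosts[(laddr, str(net))].add(faddr)
    return {
        key: sorted(addrs, key=ip_address)
        for key, addrs in hosts.items()
        if len(addrs) >= min_hosts
    }


def constructed_log():
    """Constructed sample (not real firewall output): OKCWSI walking 30.1.104.0/24,
    two one-off pings that must not be flagged, and one unrelated 609001 line."""
    tmpl = ("<190>Oct 02 2009 10:00:{s:02d}: %ASA-6-302020: Built outbound ICMP "
            "connection for faddr {dst}/0 gaddr 161.235.222.10/0 laddr {src}/0")
    lines = [tmpl.format(s=i % 60, dst=f"30.1.104.{h}", src="OKCWSI")
             for i, h in enumerate(range(1, 255))]
    lines.append(tmpl.format(s=0, dst="10.20.30.40", src="OKCWSI"))
    lines.append(tmpl.format(s=1, dst="10.20.30.41", src="host-b"))
    lines.append("<191>Oct 02 2009 10:00:46: %ASA-7-609001: "
                 "Built local-host outside:30.1.104.1")
    return lines


if __name__ == "__main__":
    for (src, net), addrs in find_ping_sweeps(constructed_log()).items():
        print(f"{src} swept {net}: {len(addrs)} hosts ({addrs[0]} .. {addrs[-1]})")
```

Run it against a real export by replacing `constructed_log()` with the lines of the syslog file; on a 302020-only feed the only tuning knob that matters is `min_hosts`, since a legitimate single-host ping from the NMS never accumulates more than a handful of distinct destinations per /24.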

Cisco Employee

Re: LMS 3.0 - icmp to external (public) IP address

Post the NMSROOT/conf/csdiscovery/CSDiscovery-config.xml and NMSROOT/campus/etc/cwsi/RouterData.xml files.

Community Member

Re: LMS 3.0 - icmp to external (public) IP address

I'm attaching the files you requested.

Thanks,

Cisco Employee (accepted solution)

Re: LMS 3.0 - icmp to external (public) IP address

First, make sure UTMajorAcquisition is not running. Then, edit NMSROOT/campus/etc/cwsi/ut.properties, and check for a property:

UT.ExcludePingSweep

If it's not there, add it to the end of the file with the value:

UT.ExcludePingSweep=30.1.101.0-255.255.255.0:30.1.102.0-255.255.255.0:30.1.103.0-255.255.255.0:30.1.104.0-255.255.255.0

If such a property already exists, then append the value above to the end of the existing value after first appending a colon (':').

Once that property is in place, start a new UT acquisition, and see if the firewall records a sweep. If not, let LMS run for a while, and see if the sweep shows up again.
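The edit above is easy to get wrong by hand: the value is a colon-separated list of `address-mask` pairs, a second `UT.ExcludePingSweep=` line does not merge with the first, and the colon must go between the old value and the new entries. The following is an added example, not code from the thread or from Cisco, that applies the reply's rule mechanically: it parses the existing value if the property is present, appends only the entries that are missing after a ':', and otherwise appends the property as the last line. It also exposes a checker for "is this address covered by the exclusion list", which is what you want to confirm before restarting UT acquisition. Assumptions that the thread does not state: the second half of each entry is treated as a netmask, and ut.properties is handled as plain `key=value` lines; the sample properties text is constructed.

```python
from ipaddress import ip_address, ip_network

KEY = "UT.ExcludePingSweep"


def parse_exclusions(value):
    """'30.1.101.0-255.255.255.0:30.1.102.0-255.255.255.0' -> [IPv4Network, ...]

    Assumption (not stated in the thread): the part after '-' is a netmask.
    """
    nets = []
    for item in value.split(":"):
        item = item.strip()
        if not item:
            continue
        addr, mask = item.split("-", 1)
        nets.append(ip_network(f"{addr}/{mask}", strict=False))
    return nets


def format_exclusions(nets):
    """Inverse of parse_exclusions, in the exact address-mask:address-mask form."""
    return ":".join(f"{n.network_address}-{n.netmask}" for n in nets)


def is_excluded(ip, value):
    """True if ip falls inside any entry of an UT.ExcludePingSweep value."""
    return any(ip_address(ip) in n for n in parse_exclusions(value))


def add_exclusions(properties_text, new_value):
    """Return properties_text with new_value merged into UT.ExcludePingSweep.

    - property absent:  appended as a new last line, as the reply describes
    - property present: ':' plus the missing entries appended to the existing
                        value; entries already there are skipped, so running
                        this twice leaves the file unchanged
    """
    lines = properties_text.splitlines()
    new_nets = parse_exclusions(new_value)
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        k, v = stripped.split("=", 1)
        if k.strip() != KEY:
            continue
        existing = parse_exclusions(v)
        merged = existing + [n for n in new_nets if n not in existing]
        lines[i] = f"{KEY}={format_exclusions(merged)}"
        break
    else:
        lines.append(f"{KEY}={format_exclusions(new_nets)}")
    return "\n".join(lines) + "\n"


# Constructed excerpt standing in for NMSROOT/campus/etc/cwsi/ut.properties;
# 'other.property' is a placeholder, not a real LMS setting.
SAMPLE_PROPERTIES = """# constructed excerpt, not a real ut.properties
other.property=value
UT.ExcludePingSweep=10.0.0.0-255.0.0.0
"""

NEW_VALUE = ("30.1.101.0-255.255.255.0:30.1.102.0-255.255.255.0:"
             "30.1.103.0-255.255.255.0:30.1.104.0-255.255.255.0")

if __name__ == "__main__":
    updated = add_exclusions(SAMPLE_PROPERTIES, NEW_VALUE)
    print(updated, end="")
    for probe in ("30.1.104.1", "30.1.105.1"):
        print(probe, "excluded" if is_excluded(probe, NEW_VALUE) else "NOT excluded")
```

To use it on the real server, read the file into `properties_text`, write the returned string back while UTMajorAcquisition is stopped, and run `is_excluded` against a couple of the addresses from the firewall log (30.1.104.1 through 30.1.104.254 in this thread) before kicking off the next UT acquisition.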

Community Member

Re: LMS 3.0 - icmp to external (public) IP address

The mystery 30.1 network ended up being loopbacks on some of our Lab devices. I removed them from LMS and I'm waiting on our security group to see if the ping sweeps stopped. I assume they will.

Otherwise, I'll proceed with your above recommendation.

Thanks for all of the information.
