04-07-2003 08:59 PM - edited 03-02-2019 06:29 AM
This problem is causing my Windows 2000 clients to take a very long time to log on to their remote domain controller.
Due to the SQL Slammer worm, we put ACL's on all Fast/Ethernet interfaces, inbound and outbound:
access-list 110 deny udp any any eq 1434 log
access-list 110 deny udp any eq 1434 any log
access-list 110 permit ip any any
I realize the second line may be unnecessary.
I ran a protocol analyzer on one of the affected clients. While the client was booting up, the router was showing hits against the first line. The source of the packet was supposedly the client I was testing. But when I viewed the captured packets, there were only a handful of udp datagrams. None of them had a destination port of 1434.
So this leads me to believe the router is incorrectly blocking legitimate datagrams.
When I temporarily disable the ACL on the Ethernet interface, the problem goes away. The client can authenticate against its remote domain controller.
Has anyone encountered this?
04-07-2003 10:36 PM
You can safely remove the second line.
04-08-2003 06:05 AM
You are assuming that the traffic the router blocked was the "handful" of datagrams caught by the analyzer. But if the counts don't match on the access-list and the analyzer, then it wasn't set up right. The list should work without significant delays. The real point may be that it looks like the client is infected.
04-08-2003 07:51 AM
I've modified the ACL on affected routers to the following, and it seems to have fixed the problem. The common factors so far are: low-end routers, low-bandwidth circuits, and an old version of the IOS (the most recent I've seen is 11.2(18)).
conf t
access-list 115 permit udp any any eq 69
access-list 115 permit udp any any eq 53
access-list 115 permit udp any any eq 37
access-list 115 permit udp any any eq 137
access-list 115 permit udp any any eq 138
access-list 115 permit udp any any eq 67
access-list 115 permit udp any any eq 68
access-list 115 permit udp any any eq 49
access-list 115 permit udp any any eq 42
access-list 115 deny udp any any eq 1434 log
access-list 115 permit ip any any
int x/x
ip access-group 115 in
ip access-group 115 out
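As an added example (not part of any post in this thread), here is a small Python evaluator for the two ACLs quoted above. It shows the first-match behaviour that matters here: the source-port line in the original list also matches a legitimate datagram whose ephemeral source port happens to be 1434, while the revised list permits the named UDP services before the deny is reached. The datagrams it checks are constructed samples, not captures from the poster's network.

```python
# Added example (not from the thread): a minimal first-match evaluator for the
# Cisco-style ACL lines quoted above, run against constructed UDP datagrams.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    proto: str               # "udp" or "ip"
    src_port: Optional[int]  # None means "any"
    dst_port: Optional[int]

def parse_acl(text: str) -> list[Rule]:
    """Parse 'access-list N permit|deny proto any [eq P] any [eq P] [log]'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue  # skip 'conf t', 'int x/x', 'ip access-group' lines
        action, proto, rest = tok[2], tok[3], tok[4:]
        ports: list[Optional[int]] = []
        i = 0
        while len(ports) < 2:  # source spec first, then destination spec
            if i + 1 < len(rest) and rest[i + 1] == "eq":
                ports.append(int(rest[i + 2]))
                i += 3
            else:
                ports.append(None)
                i += 1
        rules.append(Rule(action, proto, ports[0], ports[1]))
    return rules

def evaluate(rules: list[Rule], proto: str, sport: int, dport: int) -> str:
    """Action of the first matching entry; implicit deny if none matches."""
    for r in rules:
        if (r.proto in ("ip", proto) and r.src_port in (None, sport)
                and r.dst_port in (None, dport)):
            return r.action
    return "deny"

# Original list from the question. Its second line keys on the *source* port,
# so it also drops a legitimate query whose ephemeral source port is 1434.
ACL_110 = """access-list 110 deny udp any any eq 1434 log
access-list 110 deny udp any eq 1434 any log
access-list 110 permit ip any any"""
# Revised list from the follow-up post: named UDP services are permitted first.
ACL_115 = "\n".join(
    [f"access-list 115 permit udp any any eq {p}"
     for p in (69, 53, 37, 137, 138, 67, 68, 49, 42)]
    + ["access-list 115 deny udp any any eq 1434 log",
       "access-list 115 permit ip any any"])

def check(acl: str, sport: int, dport: int) -> str:
    return evaluate(parse_acl(acl), "udp", sport, dport)
```

For instance, `check(ACL_110, 1434, 53)` returns "deny" for a DNS query sent from source port 1434, while `check(ACL_115, 1434, 53)` returns "permit"; a probe to destination port 1434 is denied by both lists.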