ACL Incorrectly Blocking Traffic

namso2
Level 1

This problem is causing my Windows 2000 clients to take a very long time to log on to their remote domain controller.

Due to the SQL Slammer worm, we put ACLs on all Fast/Ethernet interfaces, inbound and outbound:

access-list 110 deny udp any any eq 1434 log
access-list 110 deny udp any eq 1434 any log
access-list 110 permit ip any any

I realize the second line may be unnecessary.

I ran a protocol analyzer on one of the affected clients. While the client was booting up, the router was showing hits against the first line. The source of the packet was supposedly the client I was testing. But when I viewed the captured packets, there were only a handful of udp datagrams. None of them had a destination port of 1434.

So this leads me to believe the router is incorrectly blocking legitimate datagrams.

When I temporarily disable the ACL on the Ethernet interface, the problem goes away. The client can authenticate against its remote domain controller.

Has anyone encountered this?

3 Replies

oj88
Level 1

You can safely remove the second line.

You are assuming that the traffic the router blocked was the "handful" of datagrams caught by the analyzer. But if the counts don't match on the access-list and the analyzer, then it wasn't set up right. The list should work without significant delays. The real point may be that it looks like the client is infected.

namso2
Level 1

I've modified the ACL on affected routers to the following, and it seems to have fixed the problem. The common factors so far are: low-end routers, low-bandwidth circuits, and an old version of the IOS (the most recent I've seen is 11.2(18)).

conf t
access-list 115 permit udp any any eq 69
access-list 115 permit udp any any eq 53
access-list 115 permit udp any any eq 37
access-list 115 permit udp any any eq 137
access-list 115 permit udp any any eq 138
access-list 115 permit udp any any eq 67
access-list 115 permit udp any any eq 68
access-list 115 permit udp any any eq 49
access-list 115 permit udp any any eq 42
access-list 115 deny udp any any eq 1434 log
access-list 115 permit ip any any
int x/x
ip access-group 115 in
ip access-group 115 out
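As an added illustration (not code from the thread or from Cisco): a small Python model of first-match ACL evaluation over the two lists posted above, used the way oj88 suggests, predicting the per-line hit counters the capture implies and comparing them with what the router reports. It models only whole datagrams with visible ports (no fragments, no platform quirks), and the Kerberos and LDAP ports in the constructed capture are my assumption about a Windows 2000 logon.

```python
import re
from collections import Counter

# Constructed from the two ACLs in the thread (access-list lines only; interface commands are not modelled).
ACL_ORIGINAL = """access-list 110 deny udp any any eq 1434 log
access-list 110 deny udp any eq 1434 any log
access-list 110 permit ip any any"""
ACL_FIXED = """access-list 115 permit udp any any eq 69
access-list 115 permit udp any any eq 53
access-list 115 permit udp any any eq 37
access-list 115 permit udp any any eq 137
access-list 115 permit udp any any eq 138
access-list 115 permit udp any any eq 67
access-list 115 permit udp any any eq 68
access-list 115 permit udp any any eq 49
access-list 115 permit udp any any eq 42
access-list 115 deny udp any any eq 1434 log
access-list 115 permit ip any any"""
# Subset of IOS extended-ACL syntax used above: proto, 'any' src/dst, optional 'eq <port>' on either, optional 'log'.
LINE_RE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+any(?:\s+eq\s+(\d+))?\s+any(?:\s+eq\s+(\d+))?(?:\s+log)?\s*$")

def parse_acl(text):
    """Return entries as (action, proto, src_port, dst_port) in listed order; None means any port."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        action, proto, sport, dport = m.groups()
        entries.append((action, proto, int(sport) if sport else None, int(dport) if dport else None))
    return entries

def evaluate(acl, pkt):
    """First-match lookup for one whole datagram (proto, sport, dport); implicit deny if nothing matches."""
    for idx, (action, proto, sport, dport) in enumerate(acl):
        if proto not in ("ip", pkt[0]) or sport not in (None, pkt[1]) or dport not in (None, pkt[2]):
            continue
        return idx, action
    return None, "deny"

def hit_counts(acl, packets):
    """Per-entry hit counts, i.e. what 'show access-lists' should report if the capture saw all the traffic."""
    return Counter(evaluate(acl, p)[0] for p in packets)

# Constructed logon-time capture from one client: DNS, NetBIOS name/datagram, Kerberos, LDAP. Nothing to 1434.
CAPTURE = [("udp", 1025, 53), ("udp", 137, 137), ("udp", 138, 138), ("udp", 1026, 88), ("tcp", 1027, 389)]

def counter_consistent(acl, packets, router_hits, port=1434):
    """oj88's check: the router's hit count on the deny-<port> entry must equal what the capture predicts."""
    idx = next(i for i, e in enumerate(acl) if e[0] == "deny" and e[3] == port)
    return hit_counts(acl, packets)[idx] == router_hits
```

If the router's counter on the deny line is higher than the capture predicts, either the analyzer is not seeing all of the client's traffic or the router is matching something the capture does not show, which is exactly the discrepancy the original post describes.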
