Re: Invalid Field for Transport=6

rkollar59 · ‎09-19-2005

This morning, I recently received this entry on my syslog daemon from my PIX. Can anyone please shed light as to what this means? Thanks.

...%PIX-4-500004: Invalid transport field for protocol=6, from 69.226.93.202/0 to (My WAN IP)/445

Patrick Iseli · ‎09-19-2005

Looks like someone tryed to fingerprint (OS and open port detection) your PIX with a Port Scanner. Happend all the time !

See:http://www.sans.org/y2k/110300.htm

See section 4:

4) Nmap protocol scan on firewall IP address

A protocol type nmap scan -sO upon the firewall IP showed all protocols as being active (1-133) from the scanners point of view. The firewall dropped all of these packets. Partial logfile:

sincerely

Patrick

Patrick Iseli · ‎09-19-2005

Cisco log and error message:

500004

Error Message %PIX-4-500004: Invalid transport field for protocol=protocol, from

source_address/source_port to dest_address/dest_port

Explanation This message appears when there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.

Recommended Action If these messages persist, contact the peer's administrator.

See:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a008051a0cd.html#wp1021158

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_system_message_guides_list.html

sincerely

Patrick