Re: Receiving alert 4055 whenever Logging into VPN Concentrator
This is a known False Positive for the alarm.
The NSDB entry for 4055 says to refer to the NSDB entry for 3992 for a list of Benign Triggers.
The NSDB entry for 3992 states:
The traffic produced by Napster and BearShare (a variant of the Gnutella file-sharing program) have caused this signature to fire. This is due to the compression used in MP3 and video files transferred by these programs, which closely resemble the patterns found in BO2K encrypted traffic. Other false positive triggers include: Age Of Empires network game traffic, HP JetDirect printer dialog, BGP routing protocol traffic, encrypted VPN traffic (including the Cisco VPN 3000 concentrator / client).
The last false positive trigger listed is VPN traffic.
The encryption in the VPN traffic sometimes randomly matches the pattern we are looking for in BO2K traffic, and you get the false positive firing of the alarm.
If you can verify that the alarms are going to or coming from your VPN concentrator then you can exclude the VPN concentrator for these alarms to prevent reporting of the false positives.
As for why it started being seen after S69, I am not sure why you would not have seen the false positive before S69.
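One way to do the verification described above before excluding the concentrator, as an added example that is not part of the original post. The concentrator address (192.0.2.10, a documentation placeholder), the `sig_id,src_ip,dst_ip` record layout and the sample alerts are constructed assumptions; only the signature IDs 4055 and 3992 come from the post.

```python
import ipaddress

# Assumption: placeholder concentrator address (TEST-NET-1), not from the post.
VPN_CONCENTRATOR = ipaddress.ip_address("192.0.2.10")
# Signature IDs named in the post as prone to this false positive.
BENIGN_PRONE_SIGS = {4055, 3992}

# Constructed sample alerts, one per line: sig_id,src_ip,dst_ip
SAMPLE_ALERTS = """\
4055,198.51.100.7,192.0.2.10
4055,192.0.2.10,198.51.100.7
3992,192.0.2.10,203.0.113.44
4055,10.1.1.25,203.0.113.80
3000,198.51.100.7,192.0.2.10
"""

def triage(text, concentrator=VPN_CONCENTRATOR, sigs=BENIGN_PRONE_SIGS):
    """Split alerts into (excludable, investigate).

    An alert is excludable only when BOTH conditions hold: the signature is
    one of the false-positive-prone IDs AND one endpoint is the concentrator.
    Everything else stays in the investigate list, so the exclusion never
    hides the same signature on other hosts or other signatures on the
    concentrator.
    """
    excludable, investigate = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sig_s, src_s, dst_s = line.split(",")
        sig = int(sig_s)
        src = ipaddress.ip_address(src_s)
        dst = ipaddress.ip_address(dst_s)
        record = (sig, str(src), str(dst))
        if sig in sigs and concentrator in (src, dst):
            excludable.append(record)
        else:
            investigate.append(record)
    return excludable, investigate

if __name__ == "__main__":
    ok, todo = triage(SAMPLE_ALERTS)
    print("covered by a concentrator-scoped exclusion:", ok)
    print("still needs investigation:", todo)
```

If the investigate list still contains 4055 or 3992 alerts, those did not involve the concentrator and are not explained by the VPN false positive.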