Cisco Support Community
Community Member

CSA 5.1 and UDP/1900 balloon messages

My CSA 5.1 clients repeatedly prompt my users with a balloon message alerting them to the following denied activity:

------------

The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\LOCAL SERVICE) attempted to accept a connection as a server on UDP port 1900 from <ip>. The operation was denied.

------------

I've noticed clients attempting to accept a connection from their default gateway, various other clients, etc. In an effort to silence this event, as I don't want my users to see this balloon message, I wanted to create an exception to ignore it. However, NONE of the UDP/1900 events are being logged in the CSAMC. There isn't a single record of this activity.

Please advise.

5 REPLIES
Blue

Re: CSA 5.1 and UDP/1900 balloon messages

The rule stopping it is probably the blanket NAC deny rule. You need to create another rule that denies port 1900 (SSDP service in Windows XP is what does this), does NOT log it and takes precedence over other deny rules.

We had to do this to make it be quiet and not bother the users.

Tom S

Community Member

Re: CSA 5.1 and UDP/1900 balloon messages

I'm going to add a priority deny (but not log) for UDP/1900, but I noticed I already have a default rule with a description of, "All applications, client/server for SSDP services (NOTE: UPNP makes use of this service and is a security risk)". That rule already is set to DENY (without log) for all Client/Server for TCP/1900 and UDP/1900 for all applications. This should already be silencing the annoying balloon messages.

I'm still uncertain why I'm seeing these balloon messages at all given this rule.

Blue

Re: CSA 5.1 and UDP/1900 balloon messages

The "no log" rule must also be set to take precedence over other deny rules. That way it will take precedence over the original rule which is probably set to log.

If that is already the case, there may be another rule in another policy or rule module that is causing the prompts.

Tom S

Community Member

Re: CSA 5.1 and UDP/1900 balloon messages

The rule I created is set to take precedence over the others. However, so was the existing SSDP rule that was already in place. I'm digging through my rules, which are currently "out of the box", to see if I can find what is causing the prompts. What makes it difficult is that the prompt messages are NOT logged in the Event log on the CSAMC, or I'd just use the wizard to create an exception. The only place these are found is on the individual CSA console log screens.

Community Member

Re: CSA 5.1 and UDP/1900 balloon messages

I believe I have uncovered the issue.

The rule that is causing the CSA balloon message is Rule 540 - "All applications, client/server for SSDP services (NOTE: UPNP makes use of this service and is a security risk)". This is an out of the box rule set to Deny with precedence, but NOT log. The problem is that with the current CSA features, even though you are NOT logging, that doesn't mean your users' balloon messages are also suppressed. Cisco really needs to enable a feature in the form of a checkbox much like log/don't log - but have it be balloon messages on/off for each rule. While this event isn't being logged on the CSAMC, it IS being ballooned to the user.

I do not see a method to stop the balloon messages from prompting the user unless I set a rule to PRIORITY ALLOW the UDP/1900 traffic, which I don't want to do. I only want the balloon messages to go away. I suppose I could DISABLE this rule, but again that is not the actual end result I desire. I only want my users to not be annoyed by the continual UDP/1900 popups that svchost.exe causes.
