My CSA 5.1 clients repeatedly prompt my users with a balloon message alerting them to the following denied activity:
The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\LOCAL SERVICE) attempted to accept a connection as a server on UDP port 1900 from <ip>. The operation was denied.
I've noticed clients attempting to accept a connection from their default gateway, various other clients, etc. In an effort to silence this event, as I don't want my users to see this balloon message, I wanted to create an exception to ignore it. However, NONE of the UDP/1900 events are being logged in the CSAMC. There isn't a single record of this activity.
The rule stopping it is probably the blanket NAC deny rule. You need to create another rule that denies port 1900 (SSDP service in Windows XP is what does this), does NOT log it and takes precedence over other deny rules.
We had to do this to make it be quiet and not bother the users.
I'm going to add a priority deny (but not log) for UDP/1900, but I noticed I already have a default rule with a description of, "All applications, client/server for SSDP services (NOTE: UPNP makes use of this service and is a security risk)". That rule already is set to DENY (without log) for all Client/Server for TCP/1900 and UDP/1900 for all applications. This should already be silencing the annoying balloon messages.
I'm still uncertain why I'm seeing these balloon messages at all given this rule.
The rule I created is set to take precedence over the others. However, so was the existing SSDP rule that was already in place. I'm digging through my rules, which are currently "out of the box", to see if I can find what is causing the prompts. What makes it difficult is that the prompt messages are NOT logged in the Event log on the CSAMC, or I'd just use the wizard to create an exception. The only place these are found are on the individual CSA console log screens.
The rule that is causing the CSA balloon message is Rule 540 - "All applications, client/server for SSDP services (NOTE: UPNP makes use of this service and is a security risk)". This is an out of the box rule set to Deny with precedence, but NOT log. The problem is that with the current CSA features, even though you are NOT logging, that doesn't mean your users' balloon messages are also suppressed. Cisco really needs to enable a feature in the form of a checkbox much like log/don't log - but have it be balloon messages on/off for each rule. While this event isn't being logged on the CSAMC, it IS being ballooned to the user.
I do not see a method to stop the balloon messages from prompting the user unless I set a rule to PRIORITY ALLOW the UDP/1900 traffic, which I don't want to do. I only want the balloon messages to go away. I suppose I could DISABLE this rule, but again that is not the actual end result I desire. I only want my users to not be annoyed by the continual UDP/1900 popups that svchost.exe causes.
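Since the thread notes these denials only show up on the individual CSA console log screens and never in the CSAMC, the following is an added example (not code from the thread or from Cisco) of a small parser that reads exported console lines in the message format quoted above, keeps only denied events, and groups them by process, protocol and port so the UDP/1900 SSDP noise can be told apart from anything else. The sample lines are constructed for the example; the message format is assumed to match the one quoted in the first post.

```python
import re
from collections import Counter, defaultdict

# Matches the CSA agent message quoted in the thread, e.g.
# "The process 'X' (as user Y) attempted to accept a connection as a server
#  on UDP port 1900 from 192.0.2.1. The operation was denied."
MSG_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) attempted to "
    r"(?P<action>.+?) on (?P<proto>TCP|UDP) port (?P<port>\d+) "
    r"from (?P<src>[0-9A-Fa-f.:]+)\. The operation was (?P<result>\w+)\."
)

# Port/protocol pairs the thread identifies as discovery noise rather than an attack.
KNOWN_NOISE = {("UDP", 1900): "SSDP (UPnP discovery)"}

def parse_event(line):
    """Return a dict of fields for one console line, or None if it is not a CSA event."""
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev

def summarize(lines):
    """Group denied events by (process, proto, port); count how often each source hit it."""
    summary = defaultdict(Counter)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"].lower() != "denied":
            continue  # skip allowed operations and non-event lines
        summary[(ev["process"], ev["proto"], ev["port"])][ev["src"]] += 1
    return summary

def label(key):
    """Classify a (process, proto, port) key using the known-noise table."""
    return KNOWN_NOISE.get((key[1], key[2]), "unclassified")

# Constructed sample console lines (addresses from the documentation range 192.0.2.0/24).
SAMPLE = [
    "The process 'C:\\WINDOWS\\system32\\svchost.exe' (as user NT AUTHORITY\\LOCAL SERVICE) attempted to accept a connection as a server on UDP port 1900 from 192.0.2.1. The operation was denied.",
    "The process 'C:\\WINDOWS\\system32\\svchost.exe' (as user NT AUTHORITY\\LOCAL SERVICE) attempted to accept a connection as a server on UDP port 1900 from 192.0.2.1. The operation was denied.",
    "The process 'C:\\WINDOWS\\system32\\svchost.exe' (as user NT AUTHORITY\\LOCAL SERVICE) attempted to accept a connection as a server on UDP port 1900 from 192.0.2.55. The operation was denied.",
    "The process 'C:\\Program Files\\App\\app.exe' (as user EXAMPLE\\jdoe) attempted to accept a connection as a server on TCP port 8080 from 192.0.2.9. The operation was allowed.",
    "Agent started.",
]

if __name__ == "__main__":
    for key, sources in summarize(SAMPLE).items():
        print(key, label(key), dict(sources))
```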