For example, what is going on with the port 4500 here:
TZ 100 0017-C54A-D6FC Log (part 1) dumped to email at 2011-04-17 00:00:00
04/10/2011 11:29:55.896 - Notice - Network Access - Web access request dropped -
80.68.95.174, 31298, X1, dev-null-3.vm.bytemark.co.uk - 192.168.1.205, 443, X1 -
TCP HTTPS
04/11/2011 07:28:57.560 - Notice - Network Access - TCP connection dropped -
61.164.126.14, 6000, X1 - 192.168.1.205, 1723, X1 - TCP PPTP
04/11/2011 15:11:00.832 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/11/2011 15:11:07.320 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/11/2011 15:11:18.320 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/12/2011 06:00:44.800 - Notice - Network Access - TCP connection dropped -
58.144.4.22, 1224, X1 - 192.168.1.205, 1701, X1 - TCP Port: 1701
04/12/2011 07:09:53.368 - Notice - Network Access - TCP connection dropped -
192.168.1.109, 42104, X1 - 10.223.2.4, 3128, X1 - TCP Squid
04/13/2011 17:13:34.608 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/13/2011 17:13:41.304 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/13/2011 17:13:52.304 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/14/2011 09:51:50.928 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x196a0908e52c9615; IKEv2 RespSPI: 0xd123afd47ff99065
04/14/2011 09:51:57.736 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x196a0908e52c9615; IKEv2 RespSPI: 0xd123afd47ff99065
04/14/2011 09:52:08.704 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x196a0908e52c9615; IKEv2 RespSPI: 0xd123afd47ff99065
04/14/2011 12:53:04.560 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x94045e711c7f3927; IKEv2 RespSPI: 0xcb5d941d501a1d03
04/14/2011 12:53:10.608 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x94045e711c7f3927; IKEv2 RespSPI: 0xcb5d941d501a1d03
04/14/2011 12:53:21.624 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x94045e711c7f3927; IKEv2 RespSPI: 0xcb5d941d501a1d03
04/14/2011 14:13:56.432 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x9c705b0b43ce441c; IKEv2 RespSPI: 0x0db0911ffdc93a7e
04/14/2011 14:14:02.736 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x9c705b0b43ce441c; IKEv2 RespSPI: 0x0db0911ffdc93a7e
04/14/2011 14:14:13.736 - Warning - VPN IKE - IKEv2 Unable to find IKE SA -
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:
0x9c705b0b43ce441c; IKEv2 RespSPI: 0x0db0911ffdc93a7e
04/16/2011 21:01:00.736 - Notice - Network Access - Web access request dropped -
213.123.198.25, 35258, X1, host213-123-198-25.in-addr.btopenworld.com -
192.168.1.205, 443, X1 - TCP HTTPS
This email was generated by: SonicOS Enhanced 5.3.0.0-16o (0017-C54A-D6FC)
http://en.wikipedia.org/wiki/Internet_key_exchange
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
> What format would be appropriate for that?
>
> For example, what is going on with the port 4500 here:
> IKEv2 InitSPI: 0x9c705b0b43ce441c; IKEv2 RespSPI: 0x0db0911ffdc93a7e
> 04/16/2011 21:01:00.736 - Notice - Network Access - Web access request
> dropped - 213.123.198.25, 35258, X1,
> host213-123-198-25.in-addr.btopenworld.com - 192.168.1.205, 443, X1 -
> TCP HTTPS
>
> This email was generated by: SonicOS Enhanced 5.3.0.0-16o
> (0017-C54A-D6FC)
http://www.sonicwall.com; they should be able to resolve your possible
issue.
I had to play around with sonicwall boxes in professional high
availability environments. If you plan the same, don't do it; sonicwall is
one of the worst products, especially if you don't deal with a standard
SOHO environment.
The log entries, especially on sonicraps, aren't accurate; they show only
a small part of the real problem.
In your case it looks like a misconfigured SA in a NAT Traversal setup.
cheers
I should not have written "format" but "Forum" - I was looking for a Usenet
group that looked at such trivia.
I JUST CANNOT fathom why 213.123.198.25
would be trying to access my tiny network!
Thank you for the tips!!
Then tell us your setup, a logfile shows only a tiny part of the problem.
cheers
mmm: cable==modem==router==firewall==3computers(NO WAN servers)
firewall provides VPN and access via mstsc.exe (remote console).
1 computer is Linux; two are windows XP; purpose: PublicAccess TV.
I am the only user (run TV station from home).
Every access in the log file is an accident or an attack, and yes both
are minimal, so just call me curious.
> mmm: cable==modem==router==firewall==3computers(NO WAN servers)
>
> firewall provides VPN and access via mstsc.exe (remote console).
So you terminate the vpn on the firewall or on the clients?
Why do you have a router between your modem and your firewall?
Everything behind the firewall (3 computers) is accessible from
a user/password-per-user gate in the firewall and via a "pre-shared
message/phrase" for thin clients who are remote.
> Why do you have a router between your modem and your firewall?
It provides public wireless connectivity to the internet. Plus it
routes certain ports to other parts of the whole system (web
streaming video; slingbox video; firewall ).
Ok, that helps to understand it.
208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 -
IKEv2 InitSPI:
So, your public IP is then 208.54.90.1, terminated on the router which
forwards 500/udp and 4500/udp to your firewall, correct?
Your firewall has 192.168.1.205, is that correct?
Nooo, and that's the interesting bit: we have a Comcast external, fixed IP.
m015a36d0.tmodns is "the intruder" if you will.
> Your firewall has [LAN IP] 192.168.1.205, is that correct?
That is true. Port 4500 is passed by the router to the firewall for NAT traversal.
>
>> So, your public IP is then 208.54.90.1 terminated on the router which
>> forward 500/udp and 4500/udp to your firewall, correct.
>
> Nooo, and that's the interesting bit: we have a Comcast external, fixed
> IP. m015a36d0.tmodns is "the intruder" if you will.
So the modem then has 2 ports, one upstream with the public IP and one
downstream with your internal network?
In this case your router forwards packets without NAT to your firewall,
which is confusing for sonicwall. Check if you have marked the interface
as external or public (can't recall what the name was); otherwise it
tries to check for spoofed IPs, and since your public IP has no network
directly connected, the sonicwall thinks it's a spoofed packet.
I remember we had this issue a couple of times with various customers; it
might help in your case as well.
>> Your firewall has [LAN IP] 192.168.1.205, is that correct?
> That is true. Port 4500 is passed by the router to the firewall for NAT
> traversal.
Usually the initial IKE packet goes every time to port 500/udp; after it
has found a NAT device it signals this to the other site and both switch
to 4500/udp.
Make sure you forward both ports (4500/udp and 500/udp); you can check
that with tools like ike-scan.
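An added example, not from this thread or from SonicWall: a short Python script that parses the "IKEv2 Unable to find IKE SA" lines from the dump quoted at the top and groups them by peer and SPI pair, so bursts like the three 208.54.90.1 retransmissions stand out, and flags whether each packet could be a fresh negotiation (per RFC 7296 an IKE_SA_INIT request carries a zero Responder SPI) or a continuation of an SA the firewall no longer holds. The sample lines are copied from the dump and re-joined onto one line each.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the SonicOS dump in the thread, each re-joined onto one line
# (the mailer had wrapped them); one non-IKE line is included to show it is skipped.
SAMPLE_LOG = """\
04/11/2011 15:11:00.832 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/11/2011 15:11:07.320 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/11/2011 15:11:18.320 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/12/2011 06:00:44.800 - Notice - Network Access - TCP connection dropped - 58.144.4.22, 1224, X1 - 192.168.1.205, 1701, X1 - TCP Port: 1701
04/13/2011 17:13:34.608 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
"""

IKE_MISS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) - Warning - VPN IKE - "
    r"IKEv2 Unable to find IKE SA - (?P<src>[\d.]+), (?P<sport>\d+), (?P<srchost>\S+) - "
    r"(?P<dst>[\d.]+), (?P<dport>\d+) - IKEv2 InitSPI: (?P<ispi>0x[0-9a-f]+); "
    r"IKEv2 RespSPI: (?P<rspi>0x[0-9a-f]+)$"
)

def group_ike_sa_misses(log_text):
    """Group 'Unable to find IKE SA' lines by (src, dst, InitSPI, RespSPI) and report
    the burst size, its time span and whether the packet could be a fresh IKE_SA_INIT."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = IKE_MISS_RE.match(line)
        if not m:
            continue  # e.g. the 'TCP connection dropped' lines
        key = (m["src"], m["dst"], m["ispi"], m["rspi"])
        seen[key].append(datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"))
    report = {}
    for key, times in seen.items():
        times.sort()
        report[key] = {
            "count": len(times),
            "span_seconds": (times[-1] - times[0]).total_seconds(),
            # RFC 7296: an IKE_SA_INIT request carries a zero Responder SPI, so a
            # non-zero RespSPI means the peer is continuing an SA this side no longer holds.
            "could_be_ike_sa_init": int(key[3], 16) == 0,
        }
    return report

if __name__ == "__main__":
    for (src, dst, ispi, rspi), info in group_ike_sa_misses(SAMPLE_LOG).items():
        print(f"{src} -> {dst} InitSPI {ispi} RespSPI {rspi}: "
              f"{info['count']}x over {info['span_seconds']:.3f}s, "
              f"fresh IKE_SA_INIT={info['could_be_ike_sa_init']}")
```

Run against the full dump, every 208.54.90.1 burst shows the same shape: three packets within about 18 seconds, all with a non-zero RespSPI, which points to a mobile peer retrying against an SA the firewall no longer has rather than to new negotiation attempts.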
Yes, that's correct. The modem is 75.144.193.xxx external and 10.1.10.1 internal.
Thus the router is 10.1.10.2 facing modem and 192.168.1.1 facing firewall.
>
> In this case your router forwards packets without nat to your firewall,
> which is confusing for sonicwall. Check if you have marked the interface
> as external or public (can't recall what the name was), otherwise it
> tries to check for spoofed IP's, since your public IP has no network
> directly connected, the sonicwall thinks it's a spoofed packet.
Yes, the sonicwall knows which is which.
>
>>> Your firewall has [LAN IP] 192.168.1.205, is that correct?
>> That is true. Port 4500 is passed by the router to the firewall for NAT
>> traversal.
>
> Usually the initial ike packet goes everytime to port 500/udp, after it
> found a NAT device it is signalling it to the other site and both switch
> to 4500/udp.
>
> Make sure you forward both ports (4500/udp and 500/udp), you can check
> that with tools like ike-scan.
Yes, that is correct: 4500 and 500 are forwarded along with others. All of the
VPN and firewall features work fine. It's the intrusion "attempts" by the mobile
units that are interesting: Blackberries are suspect!