
WAE - ICMP Flood to VPN Users

cfolkerts
Level 1

We currently have a distributed server model where users VPN to our ASA in Chicago and access local files in one of our remote offices like in Boston. Our security team is receiving an IPS event and below is a copy of the log.

10.8.64.20/0 --> 10.12.187.98/0 ICMP ICMP Flood,NR-2152/0,Time:1209676259,Risk Rating:85,VLAN:0

My question is does the WAE send out a sort of keepalive to VPN users to make sure they haven't disconnected?

3 Replies

Zach Seils
Level 7

Clifton,

Are you referring to a WAE running WAAS software, or something else? If you are referring to WAAS, can you please explain how it fits into the topology?

Thanks,

Zach

Yes, I am referring to a WAE box running WAAS software. At our VPN head end site in Chicago I am redirecting the traffic from the VPN user vlan to a WAAS server. It seems that the WAAS server is sending ICMP packets to remote users. Have you seen this type of behaviour before?

The only ICMP traffic generated by the WAE is for CIFS file server auto-discovery.

Can you provide a full packet capture during a time when this is happening?

Thanks,

Zach
