05-02-2008 06:17 AM
We currently have a distributed server model where users VPN to our ASA in Chicago and access local files in one of our remote offices like in Boston. Our security team is receiving an IPS event and below is a copy of the log.
10.8.64.20/0 --> 10.12.187.98/0 ICMP ICMP Flood,NR-2152/0,Time:1209676259,Risk Rating:85,VLAN:0
My question is does the WAE send out a sort of keepalive to VPN users to make sure they haven't disconnected?
05-04-2008 08:55 AM
Clifton,
Are you referring to a WAE running WAAS software, or something else? If you are referring to WAAS, can you please explain how it fits into the topology?
Thanks,
Zach
05-05-2008 08:04 AM
Yes, I am referring to a WAE box running WAAS software. At our VPN head end site in Chicago I am redirecting the traffic from the VPN user vlan to a WAAS server. It seems that the WAAS server is sending ICMP packets to remote users. Have you seen this type of behaviour before?
05-05-2008 08:48 PM
The only ICMP traffic generated by the WAE is for CIFS file server auto-discovery.
Can you provide a full packet capture during a time when this is happening?
Thanks,
Zach
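While a packet capture is being collected, the IPS events themselves can be grouped by source to see whether one address (here the WAE) is reaching many VPN client addresses and over what time window. The following is an added example, not code from the thread or from any participant; the field names are this example's own reading of the event line quoted above, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Field names below are this example's reading of the quoted line, not a vendor spec.
EVENT_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+)\s*-->\s*"
    r"(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<name>[^,]+),(?P<sig>[^,]+),"
    r"Time:(?P<epoch>\d+),Risk Rating:(?P<risk>\d+),VLAN:(?P<vlan>\d+)"
)

# Line 1 is the event quoted in the thread; lines 2-3 are constructed for the demo.
SAMPLE = """\
10.8.64.20/0 --> 10.12.187.98/0 ICMP ICMP Flood,NR-2152/0,Time:1209676259,Risk Rating:85,VLAN:0
10.8.64.20/0 --> 10.12.187.99/0 ICMP ICMP Flood,NR-2152/0,Time:1209676319,Risk Rating:85,VLAN:0
this line is not an event
"""

def parse_event(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["risk"] = int(ev["risk"])
    ev["when"] = datetime.fromtimestamp(int(ev["epoch"]), tz=timezone.utc)
    return ev

def summarize(text):
    """Group events by source: count, distinct destinations, first/last time."""
    acc = defaultdict(lambda: {"events": 0, "dsts": set(), "first": None, "last": None})
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # skip headers, blank lines, other log formats
        s = acc[ev["src"]]
        s["events"] += 1
        s["dsts"].add(ev["dst"])
        s["first"] = ev["when"] if s["first"] is None else min(s["first"], ev["when"])
        s["last"] = ev["when"] if s["last"] is None else max(s["last"], ev["when"])
    return dict(acc)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s["events"], "events ->", len(s["dsts"]), "destinations,",
              s["first"].isoformat(), "to", s["last"].isoformat())
```

The UTC timestamps it produces give the window to request the packet capture for.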