03-07-2019 06:21 AM
Guys.
We have an MPLS point to point connection.
Access-list logs keep on showing traffic to/from tcp or udp port 0.
I tried to run packet capture on the interface but did not find any traffic related to port 0.
I doubt it is an attack since devices are just point to point.
Anybody who has experienced the same, or can share good documentation about this?
Sample:
*Mar 7 13:42:08.457: %SEC-6-IPACCESSLOGP: list pcap-traffic permitted tcp 10.X.X.X(0) (FastEthernet4 xxxx.xxxx.xxxx) -> 192.X.X.X (0), 134 packets
03-07-2019 06:51 AM
Hello,
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets.
When access lists are configured with the log-input keyword, tcp/udp ports are only displayed when the processing of the access lists requires the port number to be extracted for comparison. If the port is not required, the log messages will display 0 as the port number. The log is expected to report the port number if and only if a port number is mentioned in the ACL.
Check this for more information: https://community.cisco.com/t5/other-network-architecture/quot-log-quot-word-on-acl-only-producing-port-0/td-p/577024
03-07-2019 06:25 PM
Thank you very much, Jaderson.
I can now see the specific ports in the ACL sessions.
08-05-2020 04:52 PM
I had this same problem:
So if you have an ACL:
10 permit tcp host 1.1.1.1 host 2.2.2.2
It will not show the ports; you must have at least 1 port match for it to check ports:
20 permit tcp host 1.1.1.1 host 2.2.2.2 eq 22
After this ^ you will start seeing the ports in the logs.
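As an added example (not from this thread or from Cisco), a small Python triage script that parses the %SEC-6-IPACCESSLOGP line format quoted above and, given the ACL's entries, labels a port-0 entry as expected when no ACE compares ports, so it is not mistaken for traffic to port 0. The ACL entries and log lines it carries are constructed samples, and the label strings are my own.

```python
import re

# Matches the IOS %SEC-6-IPACCESSLOGP format quoted in this thread (log-input
# variant, which adds the ingress interface and source MAC in parentheses).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\dX.]+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> "
    r"(?P<dst>[\dX.]+) ?\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
PORT_OPERATORS = re.compile(r"\b(eq|neq|gt|lt|range)\b")  # any of these forces port extraction

def parse_acl_log(line):
    """Parse one syslog line into a dict, or None if it is not an IPACCESSLOGP message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {**g, **{k: int(g[k]) for k in ("sport", "dport", "count")}}

def acl_compares_ports(aces):
    """True if any ACE in the list uses a port operator, so IOS must extract ports."""
    return any(PORT_OPERATORS.search(ace) for ace in aces)

def classify(entry, acls):
    """Explain a port-0 entry instead of treating it as traffic to port 0."""
    if entry["sport"] != 0 or entry["dport"] != 0:
        return "ports-logged"
    if not acl_compares_ports(acls.get(entry["acl"], [])):
        return "port-0-expected"    # no port match in the ACL: 0 is a placeholder, not a port
    return "port-0-unexplained"     # the ACL does compare ports, so confirm with a capture

def triage(lines, acls):
    """Classify every parseable ACL log line, in order (non-matching lines are skipped)."""
    return [classify(e, acls) for e in map(parse_acl_log, lines) if e]

# Constructed sample data (not from the thread's device): the ACL first without,
# then with, a port match, and two log lines in the format quoted above.
ACL_NO_PORT = {"pcap-traffic": ["10 permit tcp host 1.1.1.1 host 2.2.2.2 log-input"]}
ACL_WITH_PORT = {"pcap-traffic": ACL_NO_PORT["pcap-traffic"] +
                 ["20 permit tcp host 1.1.1.1 host 2.2.2.2 eq 22 log-input"]}
SAMPLE_LOGS = [
    "*Mar 7 13:42:08.457: %SEC-6-IPACCESSLOGP: list pcap-traffic permitted tcp "
    "10.0.0.5(0) (FastEthernet4 0011.2233.4455) -> 192.168.1.10(0), 134 packets",
    "*Mar 7 13:43:10.001: %SEC-6-IPACCESSLOGP: list pcap-traffic permitted tcp "
    "10.0.0.5(51234) (FastEthernet4 0011.2233.4455) -> 192.168.1.10(22), 3 packets",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, ACL_NO_PORT))    # ['port-0-expected', 'ports-logged']
    print(triage(SAMPLE_LOGS, ACL_WITH_PORT))  # ['port-0-unexplained', 'ports-logged']
```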