04-29-2011 10:21 AM - edited 03-11-2019 01:27 PM
Getting this message, having low performance and overrun errors
Apr 29 13:45:59 pix-servidores %PIX-4-500004: Invalid transport field for protocol=TCP, from 188.120.243.238/80 to 174.56.110.0/0
I can't find any good answer for this.
Does anybody know about this?
Thanks
Rosa
04-29-2011 10:35 AM
Hi Rosa,
Error Message %PIX|ASA-4-500004: Invalid transport field for protocol=protocol, from source_address/source_port to dest_address/dest_port
Explanation This message appears when there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol value is 6 for TCP and 17 for UDP.
Recommended Action If these messages persist, contact the peer's administrator.
The problem comes with the server 188.120.243.238 sending a packet to 174.56.110.0 on port 0. Based on the RFC of TCP that should not happen.
What you need to do is to put a sniffer on 188.120.243.238 to see if you get the SYN packet from 174.56.110.0 coming with a source port of 0. If it doesn't, and the server is the one that is changing the reply, you may need to take a look at the server.
Thanks!
Mike
04-29-2011 10:45 AM
When port number is zero and this is the case, what can be configured on the PIX firewall in order to avoid this flood of messages and CPU overload?
Rosa
04-29-2011 10:58 AM
Hi Rosa,
In your specific case, the PIX is dropping the session before it is even processed by the firewall. If you are getting a lot of these packets, there is nothing much that you can do and it may be related to a DoS attack.
I suggest you contact your ISP for the proper blacklisting of the offending host.
Cheers
Mike
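Added example, not part of any post in this thread: a Python sketch that parses 500004 syslog lines in the format quoted above and counts them per source host, so the peer to report to its administrator or the ISP stands out. The function names and all sample lines except the first are constructed for illustration; accepting both `TCP` and `6` in the protocol field is an assumption based on the log line and the message explanation above.

```python
import re
from collections import Counter

# Format taken from the message quoted in the thread (PIX or ASA prefix).
MSG_500004 = re.compile(
    r"%(?:PIX|ASA)-4-500004: Invalid transport field for protocol=(?P<proto>\w+), "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# The explanation gives numeric values; the thread's log line shows a name.
PROTO_NAMES = {"6": "TCP", "17": "UDP"}

def parse_500004(line):
    """Return a dict for a 500004 line, or None for any other message."""
    m = MSG_500004.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = PROTO_NAMES.get(rec["proto"], rec["proto"].upper())
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # Record which side carried the invalid (zero) port.
    sides = [s for s, p in (("src", rec["sport"]), ("dst", rec["dport"])) if p == 0]
    rec["zero_side"] = ",".join(sides)
    return rec

def summarize(lines):
    """Count events per (source host, protocol, zero-port side), busiest first."""
    counts = Counter()
    for line in lines:
        rec = parse_500004(line)
        if rec:
            counts[(rec["src"], rec["proto"], rec["zero_side"])] += 1
    return counts.most_common()

# First line is from the thread; the rest are constructed and use
# documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE = [
    "Apr 29 13:45:59 pix-servidores %PIX-4-500004: Invalid transport field for protocol=TCP, from 188.120.243.238/80 to 174.56.110.0/0",
    "Apr 29 13:46:00 pix-servidores %PIX-4-500004: Invalid transport field for protocol=6, from 203.0.113.9/0 to 192.0.2.10/443",
    "Apr 29 13:46:01 pix-servidores %PIX-4-500004: Invalid transport field for protocol=TCP, from 203.0.113.9/0 to 192.0.2.10/25",
    "Apr 29 13:46:02 pix-servidores %ASA-4-500004: Invalid transport field for protocol=17, from 198.51.100.4/53 to 192.0.2.10/0",
    "Apr 29 13:46:03 pix-servidores (constructed) unrelated message",
]

if __name__ == "__main__":
    for (src, proto, side), n in summarize(SAMPLE):
        print(f"{n:5d}  {src:<16} {proto}  zero port on: {side}")
```

The `zero_side` column separates peers that send from port 0 from those that address port 0, which is the distinction the sniffer check in the first reply is trying to establish.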