05-12-2015 09:31 AM - edited 03-11-2019 10:55 PM
I'm troubleshooting a PIX525. When I run the Cisco command "show conn" I see lots of UDP connection requests hitting my firewall from several remote IP addresses trying to reach an inside server using port 0. When I run the Cisco command "capture monitor interface outside" I never see the connection attempts in my capture, but they show up in the connection tables. Eventually the connection times out of the connection table and there is a syslog message written saying "Teardown UDP connection". I also did a port monitor on my outside interface of my PIX525 to monitor traffic on the outside interface and I still don't see the UDP connection attempts. Any ideas how this is possible?
This is the syslog message I'm seeing, but I cannot seem to capture the packets using "capture monitor interface outside". In my syslog messages I never see the connection creation either.
%PIX-6-302016: Teardown UDP connection 86151050 for outside:x.x.x.x/53605 to inside:x.x.x.x/0 duration 0:30:01 bytes 0
05-13-2015 10:50 PM
Hi,
As per the basic functionality on the PIX and ASA devices, these connections are opened pinhole connections for the inspected protocols on the ASA device.
If it is UDP, my guess would be audio protocols like SIP or Skinny.
Thanks and Regards,
Vibhor Amrodia
05-14-2015 06:26 AM
Here is a snippet of the connection table on my PIX525. I see lots of these connections. The interesting part is the firewall connection table is showing the outside source address to be 10.0.1.2. After looking through my Wireshark captures I found this IP address in the SIP VIA headers of several inbound SIP messages. Is the PIX saying the source address is 10.0.1.2 for these UDP SIP messages because I have SIP FIXUP enabled (sip inspect)?
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:00:19 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:00:19 flags ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:00:19 flags ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:01:11 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:02:05 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:02:50 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:03:32 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:04:15 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:04:57 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:05:52 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:06:43 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:07:26 flags Ti
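An added example, not part of the original thread: a small Python triage script that groups port-0 rows from "show conn" by outside endpoint and flags, and lists 302016 teardowns to port 0 that moved zero bytes, which is how a pinhole that was opened by inspection but never used appears. The function names are hypothetical, the sample rows reuse the thread's redacted format, and the last conn row is constructed with documentation addresses.

```python
import re
from collections import defaultdict

# Row format of PIX "show conn" as pasted in the thread.
CONN_RE = re.compile(
    r"^(?:UDP|TCP)\s+out\s+(?P<out_ip>[\w.]+):(?P<out_port>\d+)\s+"
    r"in\s+(?P<in_ip>[\w.]+):(?P<in_port>\d+)\s+"
    r"idle\s+(?P<idle>\d+:\d{2}:\d{2})\s+flags\s+(?P<flags>\S+)$")
# Format of the %PIX-6-302016 teardown message quoted in the thread.
TEARDOWN_RE = re.compile(
    r"%PIX-6-302016: Teardown UDP connection (?P<id>\d+) for "
    r"\w+:(?P<src_ip>[\w.]+)/(?P<src_port>\d+) to "
    r"\w+:(?P<dst_ip>[\w.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)")

def idle_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def summarize_pinholes(conn_text):
    """Group rows whose inside port is 0 by (outside endpoint, flags)."""
    groups = defaultdict(list)
    for line in conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and m["in_port"] == "0":
            key = (m["out_ip"] + ":" + m["out_port"], m["flags"])
            groups[key].append(idle_seconds(m["idle"]))
    return {k: {"count": len(v), "max_idle": max(v)} for k, v in groups.items()}

def unused_teardowns(syslog_text):
    """Teardowns to port 0 that carried zero bytes (pinhole never used)."""
    return [(m["id"], m["src_ip"] + "/" + m["src_port"], m["duration"])
            for m in TEARDOWN_RE.finditer(syslog_text)
            if m["dst_port"] == "0" and m["bytes"] == "0"]

# Sample input: thread-format rows; the last row is constructed.
SAMPLE_CONN = """\
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:00:19 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:00:19 flags ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:07:26 flags Ti
UDP out 198.51.100.7:5060 in 192.0.2.10:5060 idle 0:00:05 flags -
"""
SAMPLE_SYSLOG = ("%PIX-6-302016: Teardown UDP connection 86151050 for "
                 "outside:x.x.x.x/53605 to inside:x.x.x.x/0 "
                 "duration 0:30:01 bytes 0")

if __name__ == "__main__":
    for key, stats in summarize_pinholes(SAMPLE_CONN).items():
        print(key, stats)
    print(unused_teardowns(SAMPLE_SYSLOG))
```

Rows that only ever appear with port 0 and tear down with zero bytes were created by the firewall itself from signalling it inspected, so there is no matching packet on the wire to capture.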