Hello,
Looking at my blocked traffic I see some TOR exit node IP (23.129.64.159). Strange thing is, the initiator IP is my SFR module. It's NTP traffic. What's going on here? Why is my SFR module looking at a TOR node for time? I looked at my FMC and the IP isn't listed in the time configuration.
Hi Marvin,
I don't have any option in my FMC for System > Local > System Policy but I do have System > Configuration > Time which displays this:
The blocked IP isn't listed there.
I ran the
/etc/sysconfig/configure-network
But there wasn't an option for a NTP server there before it completed.
After I ran the configure-network this error popped up in the FMC but it cleared itself up after a few min:
I ran the initial setup a couple of weeks ago when I re-imaged the SFR module, but I don't recall if I saw a setting for NTP there. If it was there it may not have been configured at that time.
Thank you for your help.
@anousakisioannis wrote:Hello,
I have the same events and most of the devices that initiate this traffic, belong to voice vlan (voip phones).
I haven's also configured this IP, i have left the default servers.
Did you find why this kind of traffic is being initiated from inside?
Thank you
It was never clear as to why our SFR module was looking at that IP for time. I raised a ticket with TAC and the engineer had me create a platform setting policy configured to synchronize time with the FMC. Since I set up that platform setting policy I haven't seen the SFR trying to access the TOR IP.
In my case it was only the SFR module that was doing this. I hadn't seen any other devices touching that TOR IP.
