12-30-2020 12:36 PM
I have a Port Forwarding rule set to forward port 5721 (TCP) to a LAN server (10.10.0.6). It's working (and has been) for a long time. But in looking at the logs today I stumbled across the entry below. I'm trying to figure out why this packet is being dropped. While I recognize all the basic pieces of info below (e.g. DST_MAC, SRC_MAC, SRC, DST, etc.), there are some acronyms that I am clueless about (e.g. TOS, PREC). Does Cisco provide any docs on understanding their logs?
I assume "eth0" = WAN? "eth2.1" - maybe ethernet port 2?
kernel: [3355945.955220] FIREWALL:PACKET DROPIN=eth0 OUT=eth2.1
DST_MAC=68:9c:e2:a0:e2:38 SRC_MAC=:00:17:10:8e:09:1e
src=72.76.243.160 DST=10.10.0.6 LEN=52 TOS=0x00
PREC=0x00 TTL=116 ID=4653 DF PROTO=TCP SPT=63380 DPT=5721
WINDOW=251 RES=0x00 ACK PSH URGP=0 MARK=0xff00
01-26-2021 05:59 AM
We also had this occur here. Logs show a block of 5 lines (see below) occurring twice, once on a Monday and again the following Tuesday, during our normal business hours. I am investigating this as a TCP SYN Flood attack that was unacknowledged (blocked), and after the second attack I have a boatload of errors from BCAP (see further below). I am going to get in touch with support on this.
2021-01-19T05:23:23-08:00 <warning>kernel: [6463664.486096] FIREWALL SYN-FLOOD:IN=eth2 OUT= DST_MAC=28:ac:9e:0d:f6:88 SRC_MAC=:10:93:97:0d:39:f0 src=8.252.197.126 DST=192.168.2.90 LEN=1500 TOS=0x00 PREC=0x00 TTL=58 ID=29549 PROTO=TCP SPT=80 DPT=50573 WINDOW=501 RES=0x00 ACK URGP=0 MARK=0xff00
BCAP server error (704): Invalid major or minor version
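Both posts above quote netfilter-style kernel log lines, and both questions come down to reading that format: what the fields mean (TOS, PREC), why the log prefix runs straight into "IN=" ("DROPIN=eth0" is the prefix "FIREWALL:PACKET DROP" followed by "IN=eth0"), and which TCP flags the entry actually records. The following parser is an added example, not code from Cisco or from either poster; it takes the two lines quoted in this thread (the first one re-joined onto a single line), splits them into named fields and bare flags, decodes TOS/PREC using the standard IP precedence names, and labels the TCP flag combination so an analyst can see at a glance whether an entry is a handshake packet or a segment logged mid-stream. The field names and the "kernel: [uptime]" framing are taken from the quoted lines; the classification text is this example's own.

```python
import re

# The two firewall log lines quoted in the thread above (the first one is
# re-joined onto one line; the forum wrapped it across five lines).
SAMPLE_LINES = [
    "kernel: [3355945.955220] FIREWALL:PACKET DROPIN=eth0 OUT=eth2.1 "
    "DST_MAC=68:9c:e2:a0:e2:38 SRC_MAC=:00:17:10:8e:09:1e "
    "src=72.76.243.160 DST=10.10.0.6 LEN=52 TOS=0x00 PREC=0x00 TTL=116 "
    "ID=4653 DF PROTO=TCP SPT=63380 DPT=5721 WINDOW=251 RES=0x00 ACK PSH "
    "URGP=0 MARK=0xff00",
    "2021-01-19T05:23:23-08:00 <warning>kernel: [6463664.486096] "
    "FIREWALL SYN-FLOOD:IN=eth2 OUT= DST_MAC=28:ac:9e:0d:f6:88 "
    "SRC_MAC=:10:93:97:0d:39:f0 src=8.252.197.126 DST=192.168.2.90 LEN=1500 "
    "TOS=0x00 PREC=0x00 TTL=58 ID=29549 PROTO=TCP SPT=80 DPT=50573 "
    "WINDOW=501 RES=0x00 ACK URGP=0 MARK=0xff00",
]

# The kernel prints "<log-prefix>IN=..." with no separator after the prefix,
# which is why "DROP" and "IN=eth0" run together in the first sample line.
LINE_RE = re.compile(r"kernel: \[(?P<uptime>[\d.]+)\] (?P<prefix>.*?)IN=(?P<rest>.*)$")

IP_FLAGS = {"DF", "MF", "CE"}                     # IP-header flags netfilter prints
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

# IP precedence names for the top three bits of the TOS byte (RFC 791).
PRECEDENCE = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
              "CRITIC/ECP", "Internetwork Control", "Network Control"]


def parse_firewall_line(line):
    """Split one netfilter-style kernel log line into prefix, fields and flags."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields, flags = {}, set()
    for token in ("IN=" + m.group("rest")).split():
        if "=" in token:
            key, value = token.split("=", 1)
            key = key.upper()                     # the box logs "src=" in lower case
            if key.endswith("MAC"):
                value = value.lstrip(":")         # "SRC_MAC=:00:17:..." has a stray colon
            fields[key] = value                   # "OUT=" yields an empty string
        else:
            flags.add(token)                      # bare tokens such as DF, ACK, PSH
    return {
        "uptime": float(m.group("uptime")),
        "prefix": m.group("prefix").strip(),
        "fields": fields,
        "ip_flags": flags & IP_FLAGS,
        "tcp_flags": flags & TCP_FLAGS,
    }


def decode_tos(tos_hex, prec_hex):
    """PREC is the 3-bit IP precedence, TOS the 4 type-of-service bits of the
    same byte; both are 0x00 for ordinary best-effort traffic."""
    tos, prec = int(tos_hex, 16), int(prec_hex, 16)
    return {"precedence": PRECEDENCE[prec >> 5],
            "tos_bits": tos & 0x1E,
            "dscp": (tos | prec) >> 2}


def describe_tcp_flags(tcp_flags):
    """Label the TCP flag combination the way an analyst reads it."""
    if "SYN" in tcp_flags and "ACK" not in tcp_flags:
        return "connection request (first packet of a handshake)"
    if "SYN" in tcp_flags:
        return "handshake reply (SYN/ACK)"
    if "RST" in tcp_flags:
        return "reset"
    if tcp_flags & {"ACK", "PSH", "FIN"}:
        return ("mid-stream segment without SYN; a stateful firewall drops these "
                "when it holds no connection entry for the flow")
    return "no TCP flags set"


def analyze(line):
    """Parse one line and attach the decoded TOS/PREC and flag description."""
    rec = parse_firewall_line(line)
    f = rec["fields"]
    rec["tos"] = decode_tos(f["TOS"], f["PREC"])
    rec["verdict"] = describe_tcp_flags(rec["tcp_flags"])
    rec["summary"] = "%s %s:%s -> %s:%s in=%s out=%s flags=%s" % (
        rec["prefix"], f["SRC"], f.get("SPT", "-"), f["DST"], f.get("DPT", "-"),
        f["IN"], f["OUT"] or "-", ",".join(sorted(rec["tcp_flags"])) or "-")
    return rec


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        rec = analyze(sample)
        print(rec["summary"])
        print("  TOS/PREC:", rec["tos"])
        print("  reading: ", rec["verdict"])
```

Run as-is it prints one summary per quoted line. On the first entry the flags field is ACK PSH with no SYN, i.e. a data segment rather than a new connection, which is the first thing to check on a dropped packet that arrives on a forwarded port; on the second entry the recorded flags are ACK only, from source port 80. In both cases TOS and PREC decode to precedence "Routine" with no type-of-service bits set, so those two fields carry nothing unusual.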