ACL logs - TCP/UDP port 0

aweise
Level 1

Hi all - looking through my ACL logs, I've seen some inconsistencies about logging. In some cases, a router will log port zero from the ACL, but in other cases, it will show the port. Here's an example:

Router 1 ACL log:

Jan 26 10:00:59.757 EST: %SEC-6-IPACCESSLOGP: list BLAH denied tcp  X.X.X.X(2853) -> Y.Y.Y.Y(25253)

Router 2 ACL log:

Jan 26 10:31:56.105 EST: %SEC-6-IPACCESSLOGP: list BLAH denied tcp X.X.X.X(0) -> Y.Y.Y.Y(0)

The ACL is an extended, named ACL that's applied on both routers, both of which have the same IOS and are the same model (2811).

I know that if only the protocol is specified (IP in this case), it wouldn't show the port. However, this is the same ACL on both routers. Why would it show the port on one router and port zero on the other?

19 Replies

I am surprised about some of the log output that you have posted.

Sep 10 04:00:21.771 PDT: %SEC-6-IPACCESSLOGP: list ACL_VLAN5 permitted udp 10.65.5.177(0) (Vlan25 d072.dc98.1b81) -> 10.11.5.60(0), 1 packet

Sep 10 04:00:23.540 PDT: %SEC-6-IPACCESSLOGP: list ACL_VLAN5 permitted tcp 10.11.3.114(0) (Vlan3 0050.56b0.1279) -> 10.11.5.58(0), 1 packet
Sep 10 04:00:27.189 PDT: %SEC-6-IPACCESSLOGP: list ACL_VLAN5 permitted tcp 10.11.3.114(0) (Vlan3 0050.56b0.1279) -> 10.11.5.57(0), 1 packet
Sep 10 04:00:29.865 PDT: %SEC-6-IPACCESSLOGP: list ACL_VLAN5 permitted udp 10.11.3.112(0) (Vlan3 0050.56b0.296c) -> 10.11.5.63(0), 1 packet
Sep 10 04:00:32.986 PDT: %SEC-6-IPACCESSLOGP: list ACL_VLAN5 permitted udp 10.11.3.114(0) (Vlan3 0050.56b0.1279) -> 10.11.5.60(0), 1 packet

I am not clear what causes this output to have zero in the port field, but the one thing that we can certainly say is that, since all this traffic is TCP or UDP, it was permitted in lines 1 or 2 and certainly not by line 3 of the ACL. Show me some output of an ACL for an ICMP packet and look for any indication of port number.

HTH

Rick
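An added triage helper (my own example, not code from this thread or from Cisco): it parses the %SEC-6-IPACCESSLOGP lines quoted above, handles both the plain "log" form and the "log-input" form (interface/MAC after the source, packet count at the end), and separates entries that carry real ports from the port-0 ones, counted per ACL name. The sample input is the set of lines quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample input: the log lines quoted in this thread.
SAMPLE_LOGS = """\
Jan 26 10:00:59.757 EST: %SEC-6-IPACCESSLOGP: list BLAH denied tcp  X.X.X.X(2853) -> Y.Y.Y.Y(25253)
Jan 26 10:31:56.105 EST: %SEC-6-IPACCESSLOGP: list BLAH denied tcp X.X.X.X(0) -> Y.Y.Y.Y(0)
Sep 10 04:00:21.771 PDT: %SEC-6-IPACCESSLOGP: list ACL_VLAN5 permitted udp 10.65.5.177(0) (Vlan25 d072.dc98.1b81) -> 10.11.5.60(0), 1 packet
Sep 10 04:00:23.540 PDT: %SEC-6-IPACCESSLOGP: list ACL_VLAN5 permitted tcp 10.11.3.114(0) (Vlan3 0050.56b0.1279) -> 10.11.5.58(0), 1 packet
"""

# Matches both forms seen in the thread: plain "log" output and "log-input"
# output, which adds "(interface mac)" after the source and a packet count.
LOG_RE = re.compile(
    r"^(?P<ts>.*?):\s+%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\)\s+"
    r"(?:\((?P<iface>\S+)\s+(?P<mac>[0-9a-f.]+)\)\s+)?"
    r"->\s+(?P<dst>[^\s(]+)\((?P<dport>\d+)\)"
    r"(?:,\s+(?P<count>\d+)\s+packets?)?"
)


def parse_acl_log(line):
    """Return a dict for one IPACCESSLOGP line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    e["count"] = int(e["count"]) if e["count"] else 1
    # Port 0 on both sides tells us nothing about the application; flag it.
    e["ports_logged"] = e["sport"] != 0 or e["dport"] != 0
    return e


def triage(text):
    """Split entries into usable (real ports) and port-0 ones, and count
    the port-0 entries per ACL so they can be chased down list by list."""
    usable, zero = [], []
    for line in text.splitlines():
        e = parse_acl_log(line)
        if e is not None:
            (usable if e["ports_logged"] else zero).append(e)
    return usable, zero, Counter(e["acl"] for e in zero)


if __name__ == "__main__":
    usable, zero, per_acl = triage(SAMPLE_LOGS)
    print(f"{len(usable)} entries with ports, {len(zero)} with port 0: {dict(per_acl)}")
```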

Hi Richard. Honestly, I believe firmly it is the 3rd line. If you build the access-list with only the third line, you will get all traffic showing port 0 for source and destination. When you add in lines 1 and 2, that quantity of traffic with port 0 decreased drastically, as 1 & 2 are processing the traffic first and showing accurate ports. The leftover traffic is then processed by the 3rd rule where we see this port destination as 0... in small quantities. So for the purposes of the ACL post here, this would tell someone that there is more traffic to be covered by the ACL if your intent is to identify traffic without denying it.

If these are the lines in your ACL

 permit tcp any any range 0 65535 log-input
 permit udp any any range 0 65535 log-input

then I do not understand how you believe that they are outside the range which clearly includes 0.

If you want to test this further I suggest changing your access list and remove the log-input from lines 1 and 2. They will permit traffic for TCP and UDP but not log them and the only log messages will be packets permitted by line 3. 

HTH

Rick

I think I have clearly indicated how I came to this conclusion. I am not trying to fix an issue here, I was trying to help. If you would like me to do this so that you can satisfy your curiosity, I am happy to oblige. However, I think the testing that I have provided shows the IP statement does result in these logs. I'm not saying that it should, only that it does... and as a result can be used for testing the purpose I posted for.

This is just a sample:

permit tcp any any log-input established
permit udp any any log-input established
permit ip any any log-input
