
Cisco 2901 - Getting log message with Source and Destination port of 0

GW M
Level 1

Hi, I have a Cisco 2901, and last night I started to get log messages over and over again with the source being the router's Internet interface with a source port of 0. This continues over and over again with different destinations every 5 secs. How do I determine where this is coming from? Also, why is this using port 0?

025099: Dec 14 08:17:13.795 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 91.226.236.222(0), 1 packet
025100: Dec 14 08:17:15.151 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 42.177.204.175(0), 1 packet
025101: Dec 14 08:17:16.275 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 78.142.19.231(0), 1 packet
025102: Dec 14 08:17:17.779 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 78.142.19.216(0), 1 packet
025103: Dec 14 08:17:18.783 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 178.162.199.244(0), 1 packet
025104: Dec 14 08:17:20.007 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 36.10.18.196(0), 1 packet
025105: Dec 14 08:17:21.747 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 120.88.58.173(0), 1 packet
025106: Dec 14 08:17:24.403 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 93.198.187.153(0), 1 packet
025107: Dec 14 08:17:25.431 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 107.188.64.210(0), 1 packet
025108: Dec 14 08:17:27.315 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 100.214.127.59(0), 1 packet
025109: Dec 14 08:17:28.783 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 44.197.139.134(0), 1 packet
025110: Dec 14 08:17:30.023 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 82.187.212.23(0), 1 packet

Here is a section of the configuration

ip nat inside source route-map NAT_MAP_1 interface GigabitEthernet0/0 overload

access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.10.1
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.10.2
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 192.168.10.1
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 192.168.10.2
access-list 100 deny ip 192.168.3.0 0.0.0.255 host 192.168.10.1
access-list 100 deny ip 192.168.3.0 0.0.0.255 host 192.168.10.2
access-list 100 deny ip 192.168.4.0 0.0.0.255 host 192.168.10.1
access-list 100 deny ip 192.168.4.0 0.0.0.255 host 192.168.10.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 deny ip any any log

route-map NAT_MAP_1 permit 1
match ip address 100

17 Replies

GM

I would agree that removing the log parameter from the access list statement is a good solution. Having the log entries might be helpful if you are trying to solve a problem where DNS was not working or where some address translation was not working. But as long as DNS is doing what you expect it to do and other address translation is working as expected then the log messages from access list 100 are just clutter in your log and you do well to remove it.

Your original post shows that in a period of about 17 seconds there were 12 different IP addresses that the router was trying to access. Probably that was all DNS traffic but we do not know and there is some possibility that some other type of UDP traffic was involved.

A couple of posts ago you showed DHCP pools that identify the inside hosts would use 192.168.2.1 and 192.168.3.1 as their DNS servers. I do not know what they would have used before. But with this configuration the client would send DNS requests to the router. If the router had the information to resolve the address request it would respond. But if the router did not have the information to resolve the address request then the router would generate a DNS request to the upstream DNS servers. So the DNS request would come from the router and not from the clients.

I do not have an explanation for why this behavior seems to have started last night.

HTH

Rick
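
An added example, not part of any post in this thread: a small Python parser that groups the `%SEC-6-IPACCESSLOGP` entries from the original post by ACL, protocol and source, then reports destination fan-out, port-0 entries and the time span covered. The names `summarize`, `LINE_RE` and `SAMPLE_LOG` are hypothetical, the regex assumes the timestamp layout shown in the post, and the year is a placeholder because the log lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# The twelve entries copied from the log in the original post.
SAMPLE_LOG = """\
025099: Dec 14 08:17:13.795 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 91.226.236.222(0), 1 packet
025100: Dec 14 08:17:15.151 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 42.177.204.175(0), 1 packet
025101: Dec 14 08:17:16.275 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 78.142.19.231(0), 1 packet
025102: Dec 14 08:17:17.779 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 78.142.19.216(0), 1 packet
025103: Dec 14 08:17:18.783 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 178.162.199.244(0), 1 packet
025104: Dec 14 08:17:20.007 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 36.10.18.196(0), 1 packet
025105: Dec 14 08:17:21.747 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 120.88.58.173(0), 1 packet
025106: Dec 14 08:17:24.403 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 93.198.187.153(0), 1 packet
025107: Dec 14 08:17:25.431 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 107.188.64.210(0), 1 packet
025108: Dec 14 08:17:27.315 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 100.214.127.59(0), 1 packet
025109: Dec 14 08:17:28.783 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 44.197.139.134(0), 1 packet
025110: Dec 14 08:17:30.023 PCTime: %SEC-6-IPACCESSLOGP: list 100 denied udp 74.74.64.220(0) -> 82.187.212.23(0), 1 packet
"""

# Timestamp, optional timezone name, then the ACL log fields.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+)(?: \S+)?: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

def summarize(log_text):
    """Group denied entries by (ACL, protocol, source); report fan-out and time span."""
    groups = defaultdict(lambda: {"packets": 0, "dsts": set(), "port0": 0, "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "denied":
            continue  # skip unrelated syslog lines and permitted entries
        g = groups[(m["acl"], m["proto"], m["src"])]
        g["packets"] += int(m["count"])
        g["dsts"].add(m["dst"])
        g["port0"] += m["sport"] == "0" and m["dport"] == "0"
        # Placeholder year 2000: the syslog timestamp has no year field.
        g["times"].append(datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f"))
    return {
        key: {"packets": g["packets"], "distinct_dsts": len(g["dsts"]),
              "port0_entries": g["port0"],
              "span_s": round((max(g["times"]) - min(g["times"])).total_seconds(), 3)}
        for key, g in groups.items()
    }

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOG).items():
        print(key, stats)
```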

Thank you for all your help. Have a wonderful Christmas holiday and a Happy New Year!!!

GM

GM

This has been an interesting discussion. I am glad that my suggestions have been helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions which have helpful information.

I hope that you have a terrific Christmas holiday and a great New Year.

HTH

Rick