Greetings All, We are currently having problems with a VPN application. The app initially negotiates a successful handshake on UDP port 500 and then switches to UDP port 10000, which presumably is the tunnel. The machine initiating the sessions is 130.216.97.234, which is located on our network and has outbound access on both UDP 500 and 100000; return traffic should be handled by the keep state option on the rule, and in fact we do see bidirectional traffic on both ports (as observed by an independent application).
However, the incoming traffic is being fragmented and some of these fragments are being dropped:

11:12:01.669842 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 56706:[EMAIL PROTECTED])
11:12:01.669859 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 56706:[EMAIL PROTECTED])
11:12:01.824700 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 56892:[EMAIL PROTECTED])
11:12:01.824717 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 56892:[EMAIL PROTECTED])
11:12:01.979229 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 57074:[EMAIL PROTECTED])
11:12:01.979246 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 57074:[EMAIL PROTECTED])
11:12:04.552666 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 59870:[EMAIL PROTECTED])
11:12:04.552682 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 59870:[EMAIL PROTECTED])
11:12:04.991560 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 60341:[EMAIL PROTECTED])
11:12:04.991577 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 60341:[EMAIL PROTECTED])
11:12:05.145053 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 60511:[EMAIL PROTECTED])
11:12:05.145071 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 60511:[EMAIL PROTECTED])
11:12:05.297440 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 60663:[EMAIL PROTECTED])

Notes:
* rule 4 is the generic drop-everything-coming-in rule at the start of the rule set.
* we are not using scrub rules.

Does anyone have any ideas as to why these fragments are not being covered by the state mechanisms?

Rules:

4) block in log on $ext_if all
   pass out quick on $ext_if from <external> to any keep state

30.216.97.234 is a member of table <external>

--
Russell Fulton, Information Security Officer, The University of Auckland, New Zealand
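An added example, not part of Russell's post, that parses pflog lines of this shape and groups the blocked fragments by IP ID so the pattern above can be checked mechanically: every dropped packet is a fragment, the non-first fragments carry no UDP header at all, and even the first fragment (which does carry ports) never matched the keep-state entry. That is the behaviour to expect when no scrub rule reassembles fragments before pf consults the state table, so the fragments fall through to the generic block rule. The archive masked the len@offset field as [EMAIL PROTECTED], so the sample lines below use constructed offsets chosen to be consistent with the 1532-byte UDP payload in the log.

```python
import re
from collections import defaultdict

# Constructed sample in pflog/tcpdump format. The archived post masked the
# "len@offset" field; the values here are invented but consistent with the
# 1532-byte UDP payload in the post (1480 + 60 = 1540 = 1532 + 8-byte header).
SAMPLE_LOG = """\
11:12:01.669842 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 56706:1480@0+)
11:12:01.669859 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 56706:60@1480)
11:12:01.824700 rule 4/0(match): block in on bge1: 128.125.253.225.10000 > 130.216.97.234.10000: udp 1532 (frag 56892:1480@0+)
11:12:01.824717 rule 4/0(match): block in on bge1: 128.125.253.225 > 130.216.97.234: (frag 56892:60@1480)
"""

IP = r"\d+\.\d+\.\d+\.\d+"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) in on (?P<ifn>\w+): "
    rf"(?P<src>{IP})(?:\.(?P<sport>\d+))? > (?P<dst>{IP})(?:\.(?P<dport>\d+))?: "
    r"(?:udp (?P<ulen>\d+) )?\(frag (?P<fid>\d+):(?P<flen>\d+)@(?P<off>\d+)(?P<more>\+?)\)$"
)

def parse_line(line):
    """Parse one pflog line; return None for lines that are not fragment drops."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"rule": int(d["rule"]), "action": d["action"],
            "has_l4": d["sport"] is not None,   # ports are only visible in the first fragment
            "frag_id": int(d["fid"]), "length": int(d["flen"]),
            "offset": int(d["off"]), "more": d["more"] == "+"}

def analyze(log_text):
    """Group blocked fragments by IP ID and summarise what the state table never saw."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block":
            groups[rec["frag_id"]].append(rec)
    findings = {}
    for fid, frags in groups.items():
        frags.sort(key=lambda r: r["offset"])
        expected, contiguous = 0, True
        for r in frags:                         # check the fragments tile the datagram
            contiguous &= r["offset"] == expected
            expected += r["length"]
        findings[fid] = {
            "fragments": len(frags),
            "rules": sorted({r["rule"] for r in frags}),
            # first fragment has the UDP header yet was still blocked by the generic rule
            "first_frag_blocked_with_ports": frags[0]["offset"] == 0 and frags[0]["has_l4"],
            "headerless_fragments": sum(not r["has_l4"] for r in frags),
            "complete": contiguous and not frags[-1]["more"],
            "total_bytes": expected,
        }
    return findings

if __name__ == "__main__":
    for fid, f in analyze(SAMPLE_LOG).items():
        print(fid, f)
```

Run it against a real pflog dump (tcpdump -n -e -ttt -r /var/log/pflog) to confirm the same shape: all blocked packets grouped into complete datagrams whose first fragment carried ports but still hit the catch-all block rule.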