topic RE: Bug in syslog with l4port anomaly-protection enabled in ExtremeSwitching (EXOS/Switch Engine)

Bug in syslog with l4port anomaly-protection enabled

Teodor_Fuica — Fri, 08 Jan 2016 21:39:00 GMT

Hello all,

i had this ip-security configuration on one of the x440-24t switches that had the syslog server configured on one of the ports :

enable ip-security anomaly-protection ip
enable ip-security anomaly-protection l4port
enable ip-security anomaly-protection tcp flags
enable ip-security anomaly-protection tcp fragment
enable ip-security anomaly-protection icmp
enable ip-security anomaly-protection notify log
enable ip-security anomaly-protection notify cache
configure ip-security anomaly-protection notify cache 100
configure ip-security anomaly-protection notify trigger on 5

Also i had configured on another x440-24p switches to log to the same syslog server :

configure syslog add 192.168.40.141:514 vr VR-Default local0
enable log target syslog 192.168.40.141:514 vr VR-Default local0
configure log target syslog 192.168.40.141:514 vr VR-Default local0 filter DefaultFilter severity Info
configure log target syslog 192.168.40.141:514 vr VR-Default local0 match Any
configure log target syslog 192.168.40.141:514 vr VR-Default local0 format timestamp seconds date Mmm-dd event-name condition severity priority host-name tag-name

But the problem is that the x440-24p switch is sending the log to the syslog server using the same UDP source port as the destination UDP port :514.

Please see in the attached log :

L4 port anomaly detected on port 17 vlan Default: SMAC=00:04:96:98:23:C9 DMAC=00:11:32:1F:29:9F SIP=192.168.40.242 DIP=192.168.40.141 SPORT=514 DPORT=514 ip protocol [17] pkt length [301]

Definitely this is a bug and should be resolved in the next XOS release. Is the same "trap" as other network devices might have like printers for example using the same source port as the destination port.

I am using the 16.1.2.14 XOS release.

Best regards,

Teodor

RE: Bug in syslog with l4port anomaly-protection enabled

Drew_C — Sat, 09 Jan 2016 00:22:00 GMT

Hi Teodor,
I just want to make sure I understand your concern. Is there something we're doing that doesn't fit the "MAY use any source UDP port for transmitting messages" statement in RFC5426?

3.3. Source and Target Ports
Syslog receivers MUST support accepting syslog datagrams on the well-known UDP port 514, but MAY be configurable to listen on a different port. Syslog senders MUST support sending syslog message datagrams to the UDP port 514, but MAY be configurable to send messages to a different port. Syslog senders MAY use any source UDP port for transmitting messages.

Thanks,
-Drew

RE: Bug in syslog with l4port anomaly-protection enabled

Teodor_Fuica — Tue, 12 Jan 2016 19:15:00 GMT

Hello Drew,

Thanks fot your feedback. Indeed i looked at the RFC and it says clearly that it may use any source port to deliver the message. But this means that i cannot use both the ip-security l4port and the syslog in my configuration.

Maybe in a future XOS firmware release can this be worked out in order to use both the syslog and the protocol anomaly protection (when the UDP Source Port number = UDP Destination Port number) ?

Best regards,

Teodor

RE: Bug in syslog with l4port anomaly-protection enabled

Drew_C — Tue, 12 Jan 2016 19:15:00 GMT

Hi Teodor,
Let me ask around about this - going to leave the thread marked "In Progress" for now.

-Drew

RE: Bug in syslog with l4port anomaly-protection enabled

Drew_C — Tue, 12 Jan 2016 19:15:00 GMT

Hi Teodor,
I think it will be best for you to open a case with GTAC so this can be reviewed and possibly written up as a feature request.