This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: Bug in syslog with l4port anomaly-protection e...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Bug in syslog with l4port anomaly-protection enabled
Bug in syslog with l4port anomaly-protection enabled
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-08-2016 01:39 PM
Hello all,
i had this ip-security configuration on one of the x440-24t switches that had the syslog server configured on one of the ports :
enable ip-security anomaly-protection ip
enable ip-security anomaly-protection l4port
enable ip-security anomaly-protection tcp flags
enable ip-security anomaly-protection tcp fragment
enable ip-security anomaly-protection icmp
enable ip-security anomaly-protection notify log
enable ip-security anomaly-protection notify cache
configure ip-security anomaly-protection notify cache 100
configure ip-security anomaly-protection notify trigger on 5
Also i had configured on another x440-24p switches to log to the same syslog server :
configure syslog add 192.168.40.141:514 vr VR-Default local0
enable log target syslog 192.168.40.141:514 vr VR-Default local0
configure log target syslog 192.168.40.141:514 vr VR-Default local0 filter DefaultFilter severity Info
configure log target syslog 192.168.40.141:514 vr VR-Default local0 match Any
configure log target syslog 192.168.40.141:514 vr VR-Default local0 format timestamp seconds date Mmm-dd event-name condition severity priority host-name tag-name
But the problem is that the x440-24p switch is sending the log to the syslog server using the same UDP source port as the destination UDP port :514.
Please see in the attached log :
L4 port anomaly detected on port 17 vlan Default: SMAC=00:04:96:98:23:C9 DMAC=00:11:32:1F:29:9F SIP=192.168.40.242 DIP=192.168.40.141 SPORT=514 DPORT=514 ip protocol [17] pkt length [301]
Definitely this is a bug and should be resolved in the next XOS release. Is the same "trap" as other network devices might have like printers for example using the same source port as the destination port.
I am using the 16.1.2.14 XOS release.
Best regards,
Teodor
i had this ip-security configuration on one of the x440-24t switches that had the syslog server configured on one of the ports :
enable ip-security anomaly-protection ip
enable ip-security anomaly-protection l4port
enable ip-security anomaly-protection tcp flags
enable ip-security anomaly-protection tcp fragment
enable ip-security anomaly-protection icmp
enable ip-security anomaly-protection notify log
enable ip-security anomaly-protection notify cache
configure ip-security anomaly-protection notify cache 100
configure ip-security anomaly-protection notify trigger on 5
Also i had configured on another x440-24p switches to log to the same syslog server :
configure syslog add 192.168.40.141:514 vr VR-Default local0
enable log target syslog 192.168.40.141:514 vr VR-Default local0
configure log target syslog 192.168.40.141:514 vr VR-Default local0 filter DefaultFilter severity Info
configure log target syslog 192.168.40.141:514 vr VR-Default local0 match Any
configure log target syslog 192.168.40.141:514 vr VR-Default local0 format timestamp seconds date Mmm-dd event-name condition severity priority host-name tag-name
But the problem is that the x440-24p switch is sending the log to the syslog server using the same UDP source port as the destination UDP port :514.
Please see in the attached log :
L4 port anomaly detected on port 17 vlan Default: SMAC=00:04:96:98:23:C9 DMAC=00:11:32:1F:29:9F SIP=192.168.40.242 DIP=192.168.40.141 SPORT=514 DPORT=514 ip protocol [17] pkt length [301]
Definitely this is a bug and should be resolved in the next XOS release. Is the same "trap" as other network devices might have like printers for example using the same source port as the destination port.
I am using the 16.1.2.14 XOS release.
Best regards,
Teodor
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-12-2016 11:15 AM
Hi Teodor,
I think it will be best for you to open a case with GTAC so this can be reviewed and possibly written up as a feature request.
I think it will be best for you to open a case with GTAC so this can be reviewed and possibly written up as a feature request.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-12-2016 11:15 AM
Hi Teodor,
Let me ask around about this - going to leave the thread marked "In Progress" for now.
-Drew
Let me ask around about this - going to leave the thread marked "In Progress" for now.
-Drew
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-12-2016 11:15 AM
Hello Drew,
Thanks fot your feedback. Indeed i looked at the RFC and it says clearly that it may use any source port to deliver the message. But this means that i cannot use both the ip-security l4port and the syslog in my configuration.
Maybe in a future XOS firmware release can this be worked out in order to use both the syslog and the protocol anomaly protection (when the UDP Source Port number = UDP Destination Port number) ?
Best regards,
Teodor
Thanks fot your feedback. Indeed i looked at the RFC and it says clearly that it may use any source port to deliver the message. But this means that i cannot use both the ip-security l4port and the syslog in my configuration.
Maybe in a future XOS firmware release can this be worked out in order to use both the syslog and the protocol anomaly protection (when the UDP Source Port number = UDP Destination Port number) ?
Best regards,
Teodor
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-08-2016 04:22 PM
Hi Teodor,
I just want to make sure I understand your concern. Is there something we're doing that doesn't fit the "MAY use any source UDP port for transmitting messages" statement in RFC5426?
-Drew
I just want to make sure I understand your concern. Is there something we're doing that doesn't fit the "MAY use any source UDP port for transmitting messages" statement in RFC5426?
3.3. Source and Target PortsThanks,
Syslog receivers MUST support accepting syslog datagrams on the well-known UDP port 514, but MAY be configurable to listen on a different port. Syslog senders MUST support sending syslog message datagrams to the UDP port 514, but MAY be configurable to send messages to a different port. Syslog senders MAY use any source UDP port for transmitting messages.
-Drew
