ISAserver.org Forums >> [ISA 2006 General] >> General

Unidentified IP Traffic - defined?
Unidentified IP Traffic - defined? - 28.Oct.2009 2:08:02 AM   
militarymedic22
Posts: 12
Joined: 17.Oct.2005
Status: offline
Would I be able to get a general explanation of what is happening when the protocol log shows "Unidentified IP Traffic"?

Currently the lovely comcast blocking actions have forced me to accept incoming SMTP traffic on port 2525. Even though email is coming through and accepted (most of the time), I am still getting a fair number of entries listing 2525 as Unidentified IP Traffic.
I will be ripping through this with a fine tooth comb on Thurs but I wanted to try and get my head set straight as to why this might be happening before I go unnecessarily berserk with troubleshooting.
The custom port is TCP 2525 inbound, using the SMTP filter.

Any other info about my settings that would help paint the picture, please ask.

Thank you!
Post #: 1
RE: Unidentified IP Traffic - defined? - 28.Oct.2009 10:57:30 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Unidentified is normally only shown when an existing protocol cannot be matched. Sometimes this happens because a default ISA defined protocol uses TCP, for example, but an application also uses UDP. In this scenario, the UDP traffic will get identified as "unidentified".

A similar thing can happen when people incorrectly define traffic as inbound/outbound and get it the wrong way around...in general, inbound is only used for publishing rules and outbound is used for access rules (even if the traffic direction is inbound relative to ISA ).

Cheers

JJ

< Message edited by Jason Jones -- 28.Oct.2009 10:59:41 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to militarymedic22)
Post #: 2
RE: Unidentified IP Traffic - defined? - 28.Oct.2009 1:02:15 PM   
militarymedic22
Thanks!

So... considering my smtp setup on 2525, how would you have a rule/protocol setup?
Primary 2525 inbound, secondary 2525 outbound?

(in reply to Jason Jones)
Post #: 3
RE: Unidentified IP Traffic - defined? - 28.Oct.2009 1:43:53 PM   
Jason Jones
If you are using SMTP publishing for inbound mail, you would define a custom protocol like 'SMTP Server (TCP2525)', port = 2525, direction equals inbound, protocol equals TCP, no secondary connections.

If you are using access rules you define a custom protocol like 'SMTP (TCP2525)', port = 2525, direction equals outbound, protocol equals TCP, no secondary connections.

Cheers

JJ


(in reply to militarymedic22)
Post #: 4
RE: Unidentified IP Traffic - defined? - 28.Oct.2009 3:33:27 PM   
militarymedic22
Thanks for the tip. I think the rule/protocol is configured as you indicated but I'm off site at the moment and will check later this afternoon.

Also,
Is there a way to capture the actual requests coming in so I can see what the difference is between blocked and non-blocked SMTP requests?
Maybe this is way more involved and time consuming than it's worth in the long run, but I thought it would be interesting.

Thanks

(in reply to Jason Jones)
Post #: 5
RE: Unidentified IP Traffic - defined? - 28.Oct.2009 8:32:17 PM   
Jason Jones
Yep, check out the logging tab; you can also set filters to cut down on log "noise" whilst investigating problems...

Cheers

JJ


(in reply to militarymedic22)
Post #: 6
RE: Unidentified IP Traffic - defined? - 28.Oct.2009 9:19:31 PM   
militarymedic22
Perhaps I am not thinking of the right setup, but I have been using the logging tab to see all these denied attempts.
How exactly would I view the raw data being sent to compare with accepted data?

(in reply to Jason Jones)
Post #: 7
RE: Unidentified IP Traffic - defined? - 29.Oct.2009 9:06:26 AM   
Jason Jones
Not sure what you mean

Do you mean which protocols/ports are being used?

You can add new columns for what you need; the likely ones will be destination port, transport, protocol and result code.

You could also use NetMon or Wireshark on the external interface to view raw traffic....

Cheers

JJ


(in reply to militarymedic22)
Post #: 8
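As an added example (not part of the thread, and not ISA's own tooling), the following script does offline what Jason suggests doing in the logging tab: it takes an exported firewall log, keeps the columns that matter for this problem (destination port, transport, protocol, action/result) and groups the entries for the custom port. It then applies the two explanations from post #2 as heuristics: "Unidentified IP Traffic" on a transport the protocol definition does not cover (e.g. UDP against a TCP-only definition) points at a transport mismatch, while "Unidentified" on the expected transport points at the protocol definition itself not being matched (wrong direction, or no rule using it). The log lines are constructed for the example; the column layout is assumed to follow ISA's W3C-style export (comment lines starting with `#`, a `#Fields:` header, tab-separated rows), and the column names, action strings and result codes are assumptions, not copied from a real ISA log.

```python
"""Group and diagnose 'Unidentified IP Traffic' entries for a custom port.

Constructed example; not code from the forum thread or from ISA Server.
Field names, action strings and result codes below are assumed placeholders
that mimic the shape of an ISA W3C firewall-log export.
"""
from collections import Counter

UNIDENTIFIED = "Unidentified IP Traffic"

# Constructed sample log (TEST-NET addresses). Assumed W3C-style layout:
# '#Fields:' names the tab-separated columns; other '#' lines are comments.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2006",
    "#Fields: date\ttime\tclient-ip\tdest-ip\tdest-port\ttransport\tprotocol"
    "\taction\tresult-code\trule",
    "2009-10-28\t01:58:03\t203.0.113.10\t192.0.2.5\t2525\tTCP"
    "\tSMTP Server (TCP2525)\tInitiated Connection\t0x0\tPublish SMTP 2525",
    "2009-10-28\t01:58:41\t203.0.113.10\t192.0.2.5\t2525\tTCP"
    "\tSMTP Server (TCP2525)\tClosed Connection\t0x0\tPublish SMTP 2525",
    "2009-10-28\t02:01:12\t198.51.100.7\t192.0.2.5\t2525\tUDP"
    "\tUnidentified IP Traffic\tDenied Connection\t0x1\tDefault rule",
    "2009-10-28\t02:01:15\t198.51.100.7\t192.0.2.5\t2525\tUDP"
    "\tUnidentified IP Traffic\tDenied Connection\t0x1\tDefault rule",
    "2009-10-28\t02:03:40\t198.51.100.9\t192.0.2.5\t2525\tTCP"
    "\tUnidentified IP Traffic\tDenied Connection\t0x1\tDefault rule",
    "2009-10-28\t02:05:00\t198.51.100.9\t192.0.2.5\t25\tTCP"
    "\tSMTP\tDenied Connection\t0x1\tDefault rule",
])


def parse_w3c(text):
    """Parse a W3C-style log into a list of dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row seen before the #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def summarize(rows, dest_port):
    """Count entries for one destination port by (transport, protocol, action)."""
    counts = Counter()
    for row in rows:
        if row["dest-port"] == str(dest_port):
            counts[(row["transport"], row["protocol"], row["action"])] += 1
    return counts


def diagnose(rows, dest_port, expected_transport="TCP"):
    """Return one hint per distinct 'Unidentified' bucket on dest_port.

    Heuristics follow the thread: a transport the protocol definition does
    not cover cannot match it; on the expected transport the definition
    itself is not being matched (direction or rule usage is the usual cause).
    """
    hints = []
    for (transport, protocol, action), n in sorted(summarize(rows, dest_port).items()):
        if protocol != UNIDENTIFIED:
            continue
        if transport != expected_transport:
            hints.append(
                "%d %s entries to port %s marked Unidentified (%s): the custom "
                "protocol is %s-only, so %s traffic cannot match it; decide "
                "whether %s is expected before adding it to the definition"
                % (n, transport, dest_port, action, expected_transport,
                   transport, transport))
        else:
            hints.append(
                "%d %s entries to port %s marked Unidentified (%s): the custom "
                "protocol is not being matched; check its direction (Inbound "
                "for a publishing rule, Outbound for an access rule) and that "
                "a rule actually uses it"
                % (n, transport, dest_port, action))
    return hints


if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    for key, n in sorted(summarize(entries, 2525).items()):
        print("%4d  %s" % (n, " | ".join(key)))
    for hint in diagnose(entries, 2525):
        print("-", hint)
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and checking that the `#Fields:` names match what the export actually contains; the grouping is the same view as adding the destination port, transport, protocol and result columns in the logging tab, just repeatable across a day's worth of log files.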