
Welcome to ISAserver.org


Weird ISA traffic logged

Weird ISA traffic logged - 4.Nov.2009 10:33:01 AM   
ewallig

 

Hi,

ISA 2006 in guest OS on ESXi 3.5 update 3 which serves as a 2nd tier firewall behind a Fortigate device. ISA has ClearTunnel and BitDefender for ISA installed, also NetMon 3.3 (for diagnostics) otherwise nothing else.

During some troubleshooting, I noticed some unexpected traffic showing up in the ISA logs. Specifically, I'm seeing entries that look like this:

Log Time | Dest IP | Dest Port | Protocol | Action | Rule
date/time | 127.0.0.3 | 22 | SSH | Init, Close | -

Client IP | Src Network | Dest Network
127.0.0.3 | Local Host | Local Host

(sorry, text wrapped)

???? - There is no SSH server on that box and it does not publish any SSH servers. SSH is not allowed through the FG from the WAN either and I can't find any corresponding, related traffic in the ISA logs or on the FG syslog. Based on the "additional information" section of the ISA log entry, there appears to be data passed during a "Close Connection" event but it looks like it's going to local host if the log is to be believed. NetMon was no help either - couldn't see anything related to SSH on any of the LAN segments (3-leg system). I copied one of the close events to Notepad and noted a 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN in the entry so don't know what to think about that either. I ran ProcessExplorer on the ISA, looking for odd-ball stuff - nothing that could be ID'd as SSH-related.

Anyone have any thoughts before I send up a flare? Thanks...