Unidentified IP Traffic (TCP:8888) (Full Version)

All Forums >> [ISA 2006 Firewall] >> Logging and Reporting



Message


william.spearman.ctr -> Unidentified IP Traffic (TCP:8888) (15.Jun.2011 11:42:41 PM)

I am seeing the subject line in my ISA server log files:

Denied Connection IS02 6/16/2011 12:21:58 AM
Log type: Firewall service
Status:
Rule:
Source: Internal (10.x.x.81:4117)
Destination: Local Host (x.x.x.x:8888)
Protocol: Unidentified IP Traffic (TCP:8888)
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: 10.x.x.81
Client agent:

What does that mean? The clientsuse that port for access and the workstations I see that have this error (and it doesn't happen all the time!) are part of the group allowed to access the ISA.

Can anyone shed light on this murky issue?




paulo.oliveira -> RE: Unidentified IP Traffic (TCP:8888) (16.Jun.2011 12:52:19 PM)

Hi,

it means ISA does not have any built-in or custom protocol associated with TCP port 8888.

Regards,
Paulo Oliveira.




william.spearman.ctr -> RE: Unidentified IP Traffic (TCP:8888) (16.Jun.2011 8:02:40 PM)

Hi Paulo,

Thanks for the reply. It doesn't really make sense for that to be the case unless the workstation is producing traffic destined for the ISA server with a DESTINATION port of 8888. Why would that traffic exist? What the workstation should be doing in connecting to the ISA server with a source port of 8888 and a destination port of 80 or 443 requesting access to the proxy services for passing that traffic to the "Internet", correct? The firewall blocks are based on source IP, syn origin (the source of the session) and DESTINATION port , not source, doesn't it?

William Spearman




paulo.oliveira -> RE: Unidentified IP Traffic (TCP:8888) (19.Jun.2011 10:45:50 AM)

Hi William,

I am sure the workstation sent the traffic to ISA firewall. Unfortunally, I can not tell you the reason why.

No, the source port of the workstation is NOT 8888, but 4117, as we can see in the log you posted.

You should now investigate, what application is generating this traffic to your firewall.

Regards,
Paulo Oliveira.




william.spearman.ctr -> RE: Unidentified IP Traffic (TCP:8888) (3.Aug.2011 11:45:57 PM)

Thanks for the info Paulo, I finally got the point that the packets are forwarded based on the URL GET request. What I still don't understand is the mechanism for connection from the Internet Explorer browser (workstation) to the ISA server on port 8888 (or the default 8080) and why that traffic isn't identified in any rule I can see in the ISA installation.




Page: [1]