where to discuss firewall logs

What format would be appropriate for that?

For example, what is going on with the port 4500 here:

TZ 100 0017-C54A-D6FC Log (part 1) dumped to email at 2011-04-17 00:00:00

04/10/2011 11:29:55.896 - Notice - Network Access - Web access request dropped - 80.68.95.174, 31298, X1, dev-null-3.vm.bytemark.co.uk - 192.168.1.205, 443, X1 - TCP HTTPS
04/11/2011 07:28:57.560 - Notice - Network Access - TCP connection dropped - 61.164.126.14, 6000, X1 - 192.168.1.205, 1723, X1 - TCP PPTP
04/11/2011 15:11:00.832 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/11/2011 15:11:07.320 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/11/2011 15:11:18.320 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/12/2011 06:00:44.800 - Notice - Network Access - TCP connection dropped - 58.144.4.22, 1224, X1 - 192.168.1.205, 1701, X1 - TCP Port: 1701
04/12/2011 07:09:53.368 - Notice - Network Access - TCP connection dropped - 192.168.1.109, 42104, X1 - 10.223.2.4, 3128, X1 - TCP Squid
04/13/2011 17:13:34.608 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/13/2011 17:13:41.304 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/13/2011 17:13:52.304 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/14/2011 09:51:50.928 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x196a0908e52c9615; IKEv2 RespSPI: 0xd123afd47ff99065
04/14/2011 09:51:57.736 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x196a0908e52c9615; IKEv2 RespSPI: 0xd123afd47ff99065
04/14/2011 09:52:08.704 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x196a0908e52c9615; IKEv2 RespSPI: 0xd123afd47ff99065
04/14/2011 12:53:04.560 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x94045e711c7f3927; IKEv2 RespSPI: 0xcb5d941d501a1d03
04/14/2011 12:53:10.608 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x94045e711c7f3927; IKEv2 RespSPI: 0xcb5d941d501a1d03
04/14/2011 12:53:21.624 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x94045e711c7f3927; IKEv2 RespSPI: 0xcb5d941d501a1d03
04/14/2011 14:13:56.432 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x9c705b0b43ce441c; IKEv2 RespSPI: 0x0db0911ffdc93a7e
04/14/2011 14:14:02.736 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x9c705b0b43ce441c; IKEv2 RespSPI: 0x0db0911ffdc93a7e
04/14/2011 14:14:13.736 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x9c705b0b43ce441c; IKEv2 RespSPI: 0x0db0911ffdc93a7e
04/16/2011 21:01:00.736 - Notice - Network Access - Web access request dropped - 213.123.198.25, 35258, X1, host213-123-198-25.in-addr.btopenworld.com - 192.168.1.205, 443, X1 - TCP HTTPS

This email was generated by: SonicOS Enhanced 5.3.0.0-16o (0017-C54A-D6FC)

Reply to
me again
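The mailed log runs its entries together, and the first thing worth doing with it is splitting them back up and checking whether the port 4500 warnings are one peer retrying or many. The script below is an added example, not part of the thread and not SonicOS code: it parses the " - " delimited SonicOS entry format quoted above and groups the "Unable to find IKE SA" warnings by source address and SPI pair, so that three hits with identical SPIs seconds apart show up as one retransmitting client rather than three attempts. The embedded sample is a constructed subset of the entries in the post; the field names are my own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the SonicOS entries quoted in the post above,
# one entry per line (the mailed log runs them together).
SAMPLE_LOG = """\
04/10/2011 11:29:55.896 - Notice - Network Access - Web access request dropped - 80.68.95.174, 31298, X1, dev-null-3.vm.bytemark.co.uk - 192.168.1.205, 443, X1 - TCP HTTPS
04/11/2011 15:11:00.832 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/11/2011 15:11:07.320 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/11/2011 15:11:18.320 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0xa69c4bd619edcace; IKEv2 RespSPI: 0x36492098e4e135b1
04/12/2011 06:00:44.800 - Notice - Network Access - TCP connection dropped - 58.144.4.22, 1224, X1 - 192.168.1.205, 1701, X1 - TCP Port: 1701
04/13/2011 17:13:34.608 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/13/2011 17:13:41.304 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/13/2011 17:13:52.304 - Warning - VPN IKE - IKEv2 Unable to find IKE SA - 208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI: 0x3f9ce7fca09496a1; IKEv2 RespSPI: 0xb16ba26e0970d04c
04/16/2011 21:01:00.736 - Notice - Network Access - Web access request dropped - 213.123.198.25, 35258, X1, host213-123-198-25.in-addr.btopenworld.com - 192.168.1.205, 443, X1 - TCP HTTPS
"""

TS_FMT = "%m/%d/%Y %H:%M:%S.%f"
SPI_RE = re.compile(r"InitSPI:\s*(0x[0-9a-f]+);\s*IKEv2 RespSPI:\s*(0x[0-9a-f]+)", re.I)


def parse_entry(line):
    """One SonicOS entry: ts - priority - category - message - src - dst [- note].
    src/dst are 'ip, port[, iface][, hostname]'. Returns None for lines that don't fit."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) < 6:
        return None
    ts, priority, category, message, src, dst = parts[:6]
    src_f, dst_f = [f.strip() for f in src.split(",")], [f.strip() for f in dst.split(",")]
    entry = {"time": datetime.strptime(ts, TS_FMT), "priority": priority,
             "category": category, "message": message,
             "src_ip": src_f[0], "src_port": int(src_f[1]),
             "dst_ip": dst_f[0], "dst_port": int(dst_f[1]),
             "note": " - ".join(parts[6:])}
    m = SPI_RE.search(entry["note"])
    if m:
        entry["init_spi"], entry["resp_spi"] = m.group(1).lower(), m.group(2).lower()
    return entry


def parse_log(text):
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def ike_sa_miss_bursts(entries):
    """Group 'Unable to find IKE SA' warnings by (source IP, InitSPI, RespSPI). Several
    hits with the same SPI pair seconds apart are one peer retransmitting one IKEv2
    message, not separate connection attempts; a new SPI pair is a new attempt."""
    groups = defaultdict(list)
    for e in entries:
        if e["category"] == "VPN IKE" and "Unable to find IKE SA" in e["message"]:
            groups[(e["src_ip"], e.get("init_spi"), e.get("resp_spi"))].append(e["time"])
    bursts = []
    for (src, ispi, rspi), times in sorted(groups.items(), key=lambda kv: min(kv[1])):
        times.sort()
        bursts.append({"src_ip": src, "init_spi": ispi, "resp_spi": rspi,
                       "count": len(times), "first": times[0],
                       "span_s": (times[-1] - times[0]).total_seconds(),
                       "gaps_s": [round((b - a).total_seconds(), 1)
                                  for a, b in zip(times, times[1:])]})
    return bursts


def dropped_by_port(entries):
    """Dropped inbound connections per destination port (the 'Network Access' entries)."""
    return Counter(e["dst_port"] for e in entries
                   if e["category"] == "Network Access" and "dropped" in e["message"])


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for b in ike_sa_miss_bursts(entries):
        print(f'{b["first"]:%m/%d %H:%M:%S} {b["src_ip"]} SPIs {b["init_spi"]}/{b["resp_spi"]}: '
              f'{b["count"]} hits over {b["span_s"]:.1f}s, gaps {b["gaps_s"]}')
    print("dropped per dst port:", dict(dropped_by_port(entries)))
```

Run against the full log, each group of three warnings in the post collapses to one burst per SPI pair from 208.54.90.1, with the second and third hits roughly 6.5 and 11 seconds after the first; that spacing is what retransmission looks like, so the count of distinct SPI pairs, not the count of log lines, is the number of connection attempts to investigate.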

formatting link
cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

formatting link
they should be able to resolve your possible issue.

I had to play around with SonicWall boxes in professional high-availability environments; if you plan the same, don't do it. SonicWall is one of the worst products, especially if you don't deal with a standard SOHO environment. The log entries, especially on sonicraps, aren't accurate; they show only a small part of the real problem.

In your case it looks like a misconfigured SA in a NAT Traversal setup.

cheers

Reply to
Burkhard Ott

I should not have written "format" but "Forum" - I was looking for a Usenet group that looked at such trivia.

I JUST CANNOT fathom why 213.123.198.25 would be trying to access my tiny network!

Thank you for the tips !!

Reply to
me again


Then tell us your setup; a logfile shows only a tiny part of the problem. cheers

Reply to
Burkhard Ott

mmm: cable==modem==router==firewall==3computers(NO WAN servers)

firewall provides VPN and access via mstsc.exe (remote console).

1 computer is Linux; two are windows XP; purpose: PublicAccess TV.

I am the only user (run TV station from home).

Every access in the log file is an accident or an attack, and yes both are minimal, so just call me curious.

Reply to
me again

So you terminate the vpn on the firewall or on the clients?

Why do you have a router between your modem and your firewall?

Reply to
Burkhard Ott

Everything behind the firewall (3 computers) is accessible through a user/password-per-user gate in the firewall and via a "pre-shared message/phrase" for thin clients who are remote.

It provides public wireless connectivity to the internet. Plus it routes certain ports to other parts of the whole system (web streaming video; slingbox video; firewall).

Reply to
me again

Ok, that helps to understand it.

208.54.90.1, 4500, m015a36d0.tmodns.net - 192.168.1.205, 4500 - IKEv2 InitSPI:

So your public IP is then 208.54.90.1, terminated on the router, which forwards 500/udp and 4500/udp to your firewall, correct? Your firewall has 192.168.1.205, is that correct?

Reply to
Burkhard Ott

Nooo, and that's the interesting bit: we have a Comcast external, fixed IP. m015a36d0.tmodns is "the intruder" if you will.

That is true. Port 4500 is passed by the router to the firewall for NAT traversal.

Reply to
me again

So the modem has then 2 ports, one upstream with the public IP and one downstream with your internal network?

In this case your router forwards packets without NAT to your firewall, which is confusing for SonicWall. Check if you have marked the interface as external or public (can't recall what the name was); otherwise it tries to check for spoofed IPs, and since your public IP has no network directly connected, the SonicWall thinks it's a spoofed packet. I remember we had this issue a couple of times with various customers; it might help in your case as well.

Usually the initial IKE packet always goes to port 500/udp; after it has found a NAT device it signals that to the other side and both switch to 4500/udp.

Make sure you forward both ports (4500/udp and 500/udp); you can check that with tools like ike-scan.

Reply to
Burkhard Ott
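What the firewall is reporting with "Unable to find IKE SA" is that a message arrived whose (InitSPI, RespSPI) pair matches no entry in its IKE SA table. The script below is an added example, not SonicOS code and not from anyone in this thread, that walks through the mechanics of the previous reply at the packet level: the NAT_DETECTION hash comparison in IKE_SA_INIT that makes both sides move from 500/udp to 4500/udp, the four-byte non-ESP marker that prefixes every IKE datagram on 4500, and a toy responder whose SA lookup fails when a client keeps retransmitting IKE_AUTH with SPIs the responder has since dropped. It goes a little beyond the thread by showing the NAT detection step itself. The header layout follows RFC 7296 and the marker RFC 3948; the Responder class, the 10.0.0.5 client address and the scenario are constructed for illustration, and a lost SA on the firewall side is only one of several ways the entry can arise.

```python
import hashlib
import ipaddress
import secrets
import struct

# IKEv2 fixed header, RFC 7296 s.3.1 (28 bytes):
# SPIi(8) SPIr(8) NextPayload(1) Version(1) ExchangeType(1) Flags(1) MessageID(4) Length(4)
IKE_HDR = struct.Struct("!8s8sBBBBII")
IKE_SA_INIT, IKE_AUTH = 34, 35
FLAG_INITIATOR = 0x08
PORT_IKE, PORT_NAT_T = 500, 4500
# On UDP/4500 every IKE datagram starts with four zero bytes (the "non-ESP marker") so the
# receiver can tell it from UDP-encapsulated ESP sharing that port (RFC 3948 s.2.2).
NON_ESP_MARKER = b"\x00" * 4


def nat_detection_hash(spi_i, spi_r, ip, port):
    """Body of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify payload
    sent in IKE_SA_INIT (RFC 7296 s.2.23): SHA-1 over SPIi | SPIr | IP address | UDP port."""
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def behind_nat(spi_i, spi_r, advertised, seen_ip, seen_port):
    """Responder check: recompute the peer's NAT_DETECTION_SOURCE_IP hash from the address
    and port the packet actually came from. A mismatch means a NAT rewrote them, and both
    sides then move the rest of the exchange to UDP/4500."""
    return nat_detection_hash(spi_i, spi_r, seen_ip, seen_port) != advertised


def build_ike(spi_i, spi_r, exchange, msg_id, udp_port, initiator=True):
    """Header-only IKEv2 message (no payloads are needed to show the SA lookup)."""
    hdr = IKE_HDR.pack(spi_i, spi_r, 0, 0x20, exchange,
                       FLAG_INITIATOR if initiator else 0, msg_id, IKE_HDR.size)
    return NON_ESP_MARKER + hdr if udp_port == PORT_NAT_T else hdr


def parse_ike(datagram, udp_port):
    if udp_port == PORT_NAT_T:
        if datagram[:4] != NON_ESP_MARKER:
            raise ValueError("UDP/4500 datagram without non-ESP marker is ESP-in-UDP, not IKE")
        datagram = datagram[4:]
    spi_i, spi_r, _next, ver, exch, flags, msg_id, _length = IKE_HDR.unpack_from(datagram)
    return {"spi_i": spi_i, "spi_r": spi_r, "version": (ver >> 4, ver & 0xF),
            "exchange": exch, "msg_id": msg_id, "initiator": bool(flags & FLAG_INITIATOR)}


class Responder:
    """Hypothetical stand-in for the firewall's IKE SA table, keyed by (SPIi, SPIr)."""

    def __init__(self):
        self.sas = {}

    def handle(self, datagram, udp_port):
        hdr = parse_ike(datagram, udp_port)
        if hdr["exchange"] == IKE_SA_INIT and hdr["spi_r"] == bytes(8):
            spi_r = secrets.token_bytes(8)            # responder chooses its own SPI
            self.sas[(hdr["spi_i"], spi_r)] = "half-open"
            return "IKE SA created", spi_r
        key = (hdr["spi_i"], hdr["spi_r"])
        if key not in self.sas:                       # what SonicOS logs as "Unable to find IKE SA"
            return "Unable to find IKE SA", key
        if hdr["exchange"] == IKE_AUTH:
            self.sas[key] = "established"
        return "processed", key

    def expire(self, key):
        """SA gone on this side: lifetime expiry, explicit delete, reboot or failover."""
        self.sas.pop(key, None)


def scenario():
    """Replay the shape of the thread's log: an SA is set up over NAT-T, the responder later
    loses it, and the client retransmits the same message (same SPI pair) three times.
    Returns (nat detected?, port used after detection, list of responder verdicts)."""
    spi_i = secrets.token_bytes(8)
    resp = Responder()
    verdicts = []
    verdict, spi_r = resp.handle(build_ike(spi_i, bytes(8), IKE_SA_INIT, 0, PORT_IKE), PORT_IKE)
    verdicts.append(verdict)
    # Constructed addresses: the client believes it is 10.0.0.5:500, while the responder
    # sees the carrier NAT's 208.54.90.1 and a rewritten source port.
    advertised = nat_detection_hash(spi_i, spi_r, "10.0.0.5", PORT_IKE)
    natted = behind_nat(spi_i, spi_r, advertised, "208.54.90.1", 30422)
    port = PORT_NAT_T if natted else PORT_IKE
    verdicts.append(resp.handle(build_ike(spi_i, spi_r, IKE_AUTH, 1, port), port)[0])
    resp.expire((spi_i, spi_r))
    for _ in range(3):                                # retransmits: identical SPIs, seconds apart
        verdicts.append(resp.handle(build_ike(spi_i, spi_r, IKE_AUTH, 1, port), port)[0])
    return natted, port, verdicts


if __name__ == "__main__":
    natted, port, verdicts = scenario()
    print(f"NAT detected: {natted}, continuing on UDP/{port}")
    for v in verdicts:
        print(v)
```

Two practical points fall out of this. The NAT detection hashes are computed in IKE_SA_INIT on port 500, so if only 4500/udp is forwarded the exchange never gets far enough to switch ports, which is why both forwards are needed. And because the responder's lookup is purely on the SPI pair, a burst of warnings with one unchanging pair is a single peer retrying, while a fresh pair on each hit is a new attempt; the RespSPI being non-zero means the peer believes an SA with this firewall already exists.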

Yes, that's correct. The modem is 75.144.193.xxx external and 10.1.10.1 internal. Thus the router is 10.1.10.2 facing the modem and 192.168.1.1 facing the firewall.

Yes, the sonicwall knows which is which.

Yes, that is correct: 4500 and 500 are forwarded along with others. All of the VPN and firewall features work fine. It's the intrusion "attempts" by the mobile units that are interesting: Blackberries are suspect!

Reply to
me again

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.