10-05-2018 06:27 AM
10-05-2018 06:52 AM
Hello,
Look at the source/destination. Hopefully that will give you insight. I know my external interface gets them when people are probing for weak spots, etc.
Hope that helps.
11-01-2018 07:44 PM
That would definitely help if it's basically coming from an untrusted/external internet-facing interface, but the problem here is it's coming from a trusted direct connect link. In addition, this traffic is being dropped due to non-syn tcp, so had to allow non-syn tcp for this specific zone, which is a serious security concern.
In the end we are still puzzled: why is there non-syn tcp traffic in the first place?
Any thoughts are welcome
thanks
11-02-2018 02:37 AM
It can only be asymmetric routing or someone deliberately probing your network.
If you had to allow this in order to get your desired connections to work then it's definitely some asymmetry in your network.
To debug: find a TCP connection (source and destination IP addresses, source and destination port). Let's say 1.1.1.1:43500 -> 2.2.2.2:443 (https).
Check the logs for SYN packet: source 1.1.1.1, dst 2.2.2.2, dst port 443. Now check ingress and egress interface for this.
Then check the logs for SYN-ACK packet; src.port 443, dst.port 43500, dst 1.1.1.1. Now check ingress and egress interface for this.
That should give you a clear picture of packet flow and prove the asymmetric routing.
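The comparison described in the reply above, as an added example that is not part of the original thread: it pairs each SYN with its SYN-ACK and checks whether the reply came back through the same pair of interfaces. The record layout, field names and interface names are assumptions constructed for illustration, not the output format of any particular firewall.

```python
import csv
import io

# Constructed per-packet records (not real firewall output): one row per packet,
# with the interface it arrived on (ingress) and the one it left through (egress).
SAMPLE = """\
src,sport,dst,dport,flags,ingress,egress
1.1.1.1,43500,2.2.2.2,443,SYN,ethernet1/1,ethernet1/2
2.2.2.2,443,1.1.1.1,43500,SYN-ACK,ethernet1/3,ethernet1/1
1.1.1.1,43501,2.2.2.2,443,SYN,ethernet1/1,ethernet1/2
2.2.2.2,443,1.1.1.1,43501,SYN-ACK,ethernet1/2,ethernet1/1
2.2.2.2,443,1.1.1.1,43999,SYN-ACK,ethernet1/3,ethernet1/1
"""


def classify_flows(text):
    """Pair each SYN with its SYN-ACK and compare the interfaces used."""
    syns, synacks = {}, {}
    for r in csv.DictReader(io.StringIO(text)):
        if r["flags"] == "SYN":
            syns[(r["src"], r["sport"], r["dst"], r["dport"])] = r
        elif r["flags"] == "SYN-ACK":
            # Reverse the tuple so the reply is indexed under the client's flow key.
            synacks[(r["dst"], r["dport"], r["src"], r["sport"])] = r

    results = {}
    for key in syns.keys() | synacks.keys():
        syn, ack = syns.get(key), synacks.get(key)
        if syn is None:
            results[key] = "syn-ack-without-syn"  # no SYN was logged for this flow
        elif ack is None:
            results[key] = "syn-without-syn-ack"  # no reply was logged for this flow
        elif (ack["ingress"], ack["egress"]) == (syn["egress"], syn["ingress"]):
            results[key] = "symmetric"            # reply retraced the forward path
        else:
            results[key] = "asymmetric"           # reply used a different interface
    return results


if __name__ == "__main__":
    for flow, verdict in sorted(classify_flows(SAMPLE).items()):
        print("%s:%s -> %s:%s  %s" % (*flow, verdict))
```
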