Getting intermittent unknown UDP traffic logs


L3 Networker

Hi All,

I have a policy with an application group, and the service is set to application-default.

Sometimes the policy works fine, but sometimes it drops packets and the logs show the application as unknown UDP.

Could you please suggest any troubleshooting steps here? I did a packet capture but am not seeing anything specific that would indicate an issue on the firewall end.

Thanks

4 REPLIES

Cyber Elite

@deepak12,

What type of traffic are you actually seeing this on? It wouldn't be uncommon to see something developed internally have an unknown-tcp/udp determination, but if it's traversing the untrust/internet interface that's different. 

In any case, it usually means that the firewall either didn't pass enough traffic to identify the app-id, or an app-id simply doesn't exist for the traffic. 

@BPry,

It's syslog traffic. Moreover, for the same set of source and destination IPs, it's working fine and properly identifying the App-ID.

I am using the default syslog App-ID.

@deepak12,

Interesting. I've never actually had the firewall fail to identify syslog traffic across the default 514 port, but if I customize the port without creating a custom application or doing an application-override, I have seen it come across as unknown-udp.

Personally, I would take a packet capture of the traffic when it comes across as unknown-udp and see if you can notice any sort of difference with the traffic. If you aren't seeing anything, I would try to capture the traffic and open up a TAC case for review.

@BPry

Thanks, I will check with TAC and update here with findings.
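One way to do the capture comparison BPry suggests, as an added example that is not part of any post in this thread: summarise the UDP payloads from sessions logged as syslog and from sessions logged as unknown-udp, then list the fields that differ. It assumes the payloads have already been exported from the capture as raw bytes; the sample payloads are constructed, and the header checks (RFC 3164 / RFC 5424 framing) are a triage heuristic, not a description of how App-ID makes its decision.

```python
import re

# RFC 3164 and RFC 5424 messages start with "<PRI>", PRI = facility*8 + severity (0..191).
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def describe(payload: bytes) -> dict:
    """Summarise one UDP payload so two groups of packets can be compared."""
    m = PRI_RE.match(payload)
    pri = int(m.group(1)) if m else None
    valid_pri = pri is not None and pri <= 191
    rest = payload[m.end():] if m else payload
    if not valid_pri:
        fmt = "no-syslog-header"
    elif rest.startswith(b"1 "):      # RFC 5424: VERSION follows the PRI
        fmt = "rfc5424"
    else:                             # RFC 3164: timestamp follows the PRI
        fmt = "rfc3164-like"
    return {
        "length": len(payload),
        "valid_pri": valid_pri,
        "facility": pri // 8 if valid_pri else None,
        "severity": pri % 8 if valid_pri else None,
        "format": fmt,
        "printable": all(32 <= b < 127 or b in (9, 10, 13) for b in payload),
    }

def diff_captures(identified, unknown):
    """Return the fields whose set of observed values differs between groups."""
    out = {}
    for field in ("valid_pri", "format", "printable"):
        a = {describe(p)[field] for p in identified}
        b = {describe(p)[field] for p in unknown}
        if a != b:
            out[field] = (sorted(a, key=str), sorted(b, key=str))
    return out

# Constructed sample payloads (hypothetical, not taken from the poster's capture).
IDENTIFIED = [
    b"<134>Oct 11 22:14:15 host01 app: session start",
    b"<165>1 2023-10-11T22:14:15Z host01 app - - - session start",
]
UNKNOWN = [
    b"Oct 11 22:14:16 host01 app: message without PRI",
    b"<134>Oct 11 22:14:17 host01 app: \x00\x01 binary tail",
]

if __name__ == "__main__":
    for field, (seen_ok, seen_unknown) in diff_captures(IDENTIFIED, UNKNOWN).items():
        print(f"{field}: identified={seen_ok} unknown-udp={seen_unknown}")
```
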
