udp 500 packets when users are web browsing

Oliver O'Boyle oliver.oboyle at gmail.com
Thu Sep 3 14:19:53 UTC 2015


You can configure Windows to encrypt traffic based on protocol definitions.
E.g., use IPsec to encrypt all traffic on port 80 between hosts X and hosts
Y.

It's possible that such a policy is in place locally on the workstations
and/or servers and it's also possible that it's being enforced using GPOs.

On Thu, Sep 3, 2015 at 9:53 AM, Robert Webb <rwebb at ropeguru.com> wrote:

> There is no VPN in the picture here. These are straight workstations on
> the network that the packets are coming from.
>
> According to a packet capture in Wireshark, these are ISAKMP packets
> reaching out to host names of web sites that are being browsed. So
> destinations are sites like twitter, facebook, amazon, cnn, etc..
>
> We have further discovered that they seem to be initiated from the Windows
> 7 svchost, but we have not been able to find documentation as to how or why
> this is occurring.
>
> Robert
>
>
>
> On Thu, 3 Sep 2015 13:42:21 +0000
>  "Bjoern A. Zeeb" <bzeeb-lists at lists.zabbadoz.net> wrote:
>
>>
>> On 03 Sep 2015, at 13:35 , Robert Webb <rwebb at ropeguru.com> wrote:
>>>
>>> We are seeing udp 500 packets being dropped at our firewall from users'
>>> browsing sessions. These are users on a 2008 R2 AD setup with Windows 7.
>>>
>>> Source and destination ports are udp 500 and the pattern of drops
>>> directly correlates to the web browsing activity. We have confirmed this
>>> with tcpdump of port 500 and a single host and watching the pattern of
>>> traffic as they browse. This also occurs no matter what browser is used.
>>>
>>> Can anyone shine some light on what may be using udp 500 when web
>>> browsing?
>>>
>>
>> The VPN using IPsec UDP-Encap connection that supposedly gets through
>> NAT?   Have you checked the content with tcpdump?   Do you have fragments
>> by any chance?
>>
>>
>>
>
>


-- 
:o@>
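
To act on Bjoern's suggestion of checking the UDP 500 content: an added example (not from anyone in the thread) that decodes the fixed ISAKMP/IKE header of captured UDP 500 payloads and counts first-message SA initiations per destination, which is the pattern to expect if a Windows IPsec policy is trying to negotiate with every web server a user visits. The packet records and addresses below are constructed for the example; in practice the tuples would come from a tcpdump/Wireshark export.

```python
import struct

# Fixed ISAKMP/IKE header (RFC 2408 s.3.1, RFC 7296 s.3.1): 28 bytes, network order.
_HDR = struct.Struct("!8s8sBBBBII")
_ZERO_SPI = b"\x00" * 8
EXCHANGE = {2: "v1-main", 4: "v1-aggressive", 5: "v1-info", 32: "v1-quick",
            34: "v2-sa_init", 35: "v2-auth", 36: "v2-child", 37: "v2-info"}


def parse_isakmp(payload):
    """Decode the IKE header of one UDP/500 payload; return None if it is not IKE."""
    if len(payload) < _HDR.size:
        return None
    ispi, rspi, _nxt, ver, xchg, flags, _msgid, length = _HDR.unpack_from(payload)
    major = ver >> 4
    if major not in (1, 2) or length < _HDR.size or length > len(payload):
        return None
    return {
        "version": major,
        "exchange": EXCHANGE.get(xchg, "unknown(%d)" % xchg),
        # Responder SPI is all-zero only in the first message of a new SA.
        "new_sa": rspi == _ZERO_SPI,
        # IKEv2 flags: 0x08 = initiator, 0x20 = response. IKEv1 has no such bits,
        # so a zero responder SPI is taken to mean "this side initiated".
        "initiator": bool(flags & 0x08) if major == 2 else rspi == _ZERO_SPI,
        "response": bool(flags & 0x20) if major == 2 else False,
    }


def sa_attempts_by_destination(packets):
    """Count outbound first-message SA initiations per destination, ignoring non-IKE."""
    counts = {}
    for _src, dst, payload in packets:
        hdr = parse_isakmp(payload)
        if hdr and hdr["new_sa"] and hdr["initiator"] and not hdr["response"]:
            counts[dst] = counts.get(dst, 0) + 1
    return counts


def _ike(major, xchg, flags, rspi=_ZERO_SPI, ispi=b"\x11" * 8):
    """Constructed IKE datagram: header plus an 8-byte dummy payload body."""
    body = b"\x00" * 8
    nxt = 33 if major == 2 else 1  # SA payload type for IKEv2 / IKEv1
    return _HDR.pack(ispi, rspi, nxt, major << 4, xchg, flags, 0, _HDR.size + len(body)) + body


SAMPLE_PACKETS = [  # constructed (src, dst, payload); documentation addresses, not real hosts
    ("10.0.0.5", "203.0.113.10", _ike(2, 34, 0x08)),   # Win7 host -> web server, IKEv2 SA_INIT
    ("10.0.0.5", "203.0.113.10", _ike(2, 34, 0x08)),   # retransmit, never answered
    ("10.0.0.5", "203.0.113.20", _ike(1, 2, 0x00)),    # IKEv1 main mode, first message
    ("10.0.0.7", "203.0.113.10", b"\x00" * 12),        # too short to be IKE
    ("203.0.113.30", "10.0.0.5", _ike(2, 34, 0x28, rspi=b"\x22" * 8)),  # a response
]
```

Destinations that accumulate unanswered initiations are the web servers the IPsec policy is matching on; that list, compared against the policy filters exported from the workstation, tells you which rule is responsible.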


