[183469] in North American Network Operators' Group
Re: udp 500 packets when users are web browsing
daemon@ATHENA.MIT.EDU (Bjoern A. Zeeb)
Thu Sep 3 09:42:34 2015
X-Original-To: nanog@nanog.org
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
In-Reply-To: <ximss-521099@mail.ropeguru.com>
Date: Thu, 3 Sep 2015 13:42:21 +0000
To: Robert Webb <rwebb@ropeguru.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> On 03 Sep 2015, at 13:35 , Robert Webb <rwebb@ropeguru.com> wrote:
>=20
> We are seeing udp 500 packets being dropped at our firewall from =
user's browsing sessions. These are users on a 2008 R2 AD setup with =
Windows 7.
>=20
> Source and destination ports are udp 500 and the the pattern of drops =
directly correlate to the web browsing activity. We have confirmed this =
with tcpdump of port 500 and a single host and watching the pattern of =
traffic as they browse. This also occurs no matter what browser is used.
>=20
> Can anyone shine some light on what may be using udp 500 when web =
browsing?
The VPN using IPsec UDP-Encap connection that supposedly gets through =
NAT? Have you checked the content with tcpdump? Do you have =
fragments by any chance?
