[183470] in North American Network Operators' Group


Re: udp 500 packets when users are web browsing

daemon@ATHENA.MIT.EDU (Robert Webb)
Thu Sep 3 09:53:49 2015

X-Original-To: nanog@nanog.org
From: "Robert Webb" <rwebb@ropeguru.com>
In-Reply-To: <F937D1B8-CEA2-4D76-B0B6-F68702A41901@lists.zabbadoz.net>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Date: Thu, 03 Sep 2015 09:53:46 -0400
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

There is no VPN in the picture here. These are straight workstations on the 
network that the packets are coming from.

According to a packet capture in Wireshark, these are ISAKMP packets 
reaching out to host names of web sites that are being browsed. So 
destinations are sites like twitter, facebook, amazon, cnn, etc.

We have further discovered that they seem to be initiated from the Windows 7 
svchost, but we have not been able to find documentation as to how or why 
this is occurring.

Robert


On Thu, 3 Sep 2015 13:42:21 +0000
  "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> wrote:
> 
>> On 03 Sep 2015, at 13:35 , Robert Webb <rwebb@ropeguru.com> wrote:
>> 
>> We are seeing udp 500 packets being dropped at our firewall from 
>> user's browsing sessions. These are users on a 2008 R2 AD setup with 
>> Windows 7.
>> 
>> Source and destination ports are udp 500 and the pattern of 
>> drops directly correlates to the web browsing activity. We have 
>> confirmed this with tcpdump of port 500 and a single host and 
>> watching the pattern of traffic as they browse. This also occurs no 
>> matter what browser is used.
>> 
>> Can anyone shine some light on what may be using udp 500 when web 
>> browsing?
> 
> The VPN using IPsec UDP-Encap connection that supposedly gets 
> through NAT?   Have you checked the content with tcpdump?   Do you 
> have fragments by any chance?
> 
> 


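Bjoern's suggestion to look at the packet content and check for fragments can be scripted. The following is an added example written for this thread, not code from any participant: it decodes the fixed 28-byte ISAKMP header (RFC 2408 for IKEv1, RFC 7296 for IKEv2) of UDP/500 payloads and groups them per destination, so a firewall operator can see whether the dropped traffic is IKE initiation that never gets answered (responder SPI still zero), which IKE version the workstation speaks, and whether any datagram's declared length exceeds what arrived, which is the usual sign of IP fragmentation. The datagrams, addresses and SPIs below are constructed placeholders; on a real capture you would feed it the UDP payloads extracted from the pcap (with scapy, dpkt or tshark), which this snippet does not do.

```python
"""Triage ISAKMP (UDP/500) datagrams by decoding the fixed header.

Added example for this NANOG thread, not code from any participant.
Input is a list of constructed (src, dst, udp_payload) tuples standing in
for what tcpdump or Wireshark would show; no live capture is performed.
"""
import struct
from collections import Counter

# RFC 2408 / RFC 7296 fixed header: iSPI(8) rSPI(8) next-payload version
# exchange flags msg-id(4) length(4) = 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_SPI = b"\x00" * 8

EXCHANGE_NAMES = {
    1: "IKEv1 Base", 2: "IKEv1 Identity Protection (Main Mode)",
    3: "IKEv1 Authentication Only", 4: "IKEv1 Aggressive",
    5: "IKEv1 Informational", 32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


def parse_isakmp_header(data):
    """Decode one UDP/500 payload; raises ValueError if it cannot be ISAKMP."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than ISAKMP header (%d bytes)" % len(data))
    ispi, rspi, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    hdr = {
        "version": "%d.%d" % (major, minor),
        "exchange": EXCHANGE_NAMES.get(exch, "unknown(%d)" % exch),
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "message_id": msg_id,
        "declared_length": length,
        "actual_length": len(data),
        # Declared length longer than what arrived: first IP fragment of a
        # larger message (heuristic; later fragments carry no UDP header).
        "fragment_suspected": length > len(data),
    }
    if major == 2:
        hdr["is_initiator"] = bool(flags & 0x08)   # IKEv2 I flag
        hdr["is_response"] = bool(flags & 0x20)    # IKEv2 R flag
    else:
        # IKEv1 has no I/R flags; the first message is the only one whose
        # responder cookie is still zero.
        hdr["is_initiator"] = rspi == ZERO_SPI
        hdr["is_response"] = not hdr["is_initiator"]
        hdr["encrypted"] = bool(flags & 0x01)
    # Initial proposal with no peer SPI yet: what a one-sided, dropped
    # negotiation looks like from the firewall's side.
    hdr["unanswered_proposal"] = rspi == ZERO_SPI and not hdr["is_response"]
    return hdr


def summarize(datagrams):
    """Per-destination counts of exchanges, unanswered proposals, fragments."""
    out = {}
    for _src, dst, payload in datagrams:
        e = out.setdefault(dst, {"count": 0, "exchanges": Counter(),
                                 "initial_only": 0, "fragments": 0, "malformed": 0})
        e["count"] += 1
        try:
            hdr = parse_isakmp_header(payload)
        except ValueError:
            e["malformed"] += 1
            continue
        e["exchanges"][hdr["exchange"]] += 1
        e["initial_only"] += hdr["unanswered_proposal"]
        e["fragments"] += hdr["fragment_suspected"]
    return out


def build_header(ispi, rspi, next_payload, version, exch, flags, msg_id, total_len):
    """Pack a header for the constructed sample below."""
    return ISAKMP_HDR.pack(ispi, rspi, next_payload, version, exch, flags, msg_id, total_len)


# Constructed sample (placeholder addresses/SPIs, 8 dummy payload bytes each).
SAMPLE_DATAGRAMS = [
    # IKEv2 IKE_SA_INIT request: rSPI zero, I flag set, next payload 33 (SA)
    ("10.0.0.15", "198.51.100.10",
     build_header(b"\x11" * 8, ZERO_SPI, 33, 0x20, 34, 0x08, 0, 36) + b"\x00" * 8),
    # IKEv1 Main Mode first message: rSPI zero, next payload 1 (SA)
    ("10.0.0.15", "198.51.100.20",
     build_header(b"\x22" * 8, ZERO_SPI, 1, 0x10, 2, 0x00, 0, 36) + b"\x00" * 8),
    # Declared length 1400 but only 36 bytes arrived: fragment suspected
    ("10.0.0.15", "198.51.100.10",
     build_header(b"\x33" * 8, ZERO_SPI, 33, 0x20, 34, 0x08, 0, 1400) + b"\x00" * 8),
    # Too short to be ISAKMP at all
    ("10.0.0.15", "198.51.100.30", b"\x00" * 12),
]

if __name__ == "__main__":
    for dst, e in summarize(SAMPLE_DATAGRAMS).items():
        print(dst, e["count"], dict(e["exchanges"]),
              "initial_only=%d fragments=%d malformed=%d"
              % (e["initial_only"], e["fragments"], e["malformed"]))
```

A destination whose every datagram is an unanswered proposal, with the same workstation as source, points at a client-side process starting IKE negotiations on its own rather than any established VPN; the initiator SPI column then gives you something to correlate with per-process network tracing on that host.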
