ASA Log showing file servers trying to access port 161 of VPN IP address

Our ASA Log is showing our file servers trying to access port 161 of a VPN IP address. Here are the log messages.

Deny inbound UDP from ServerAddress/1037 to VPNAddress/161 on interface INT.
Deny inbound UDP from ServerAddress/1038 to VPNAddress/161 on interface INT

The servers are spamming that port. I reset the RDP listener on both servers wondering if one of my sessions from home got hung up when doing maintenance or something. Both servers have been rebooted as well. Another note that these two servers are using EMC replistor to each other to replicate data for backup.

Let me know if you need more info.
Paul
PaulDubAsked:

JFrederick29Commented:
UDP 161 is SNMP polling.  The server is trying to SNMP poll the host with that IP address.  Check the management software on the server and look for a monitor with the VPNAddress.
0
PaulDubAuthor Commented:
Sorry JFred, I can't track this one down. I couldn't see any "management software" to look at. One server is pretty new. It's been in service a few months. The only thing I haven't checked is printers. The IP isn't in our printer IP ranges but I have seen crazier things happen. Both these servers have the same printers installed on them. I'll look at them next. Anything

0
JFrederick29Commented:
Easiest thing to do would be to put Wireshark/Ethereal on the server and take a quick capture of the 161 traffic.  Looking in the SNMP payload, you should see some descriptor as to what software/application is making the call.
0
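The payload check suggested in the answer above, as an added example (not part of the original thread or any participant's code): a minimal Python decoder for the UDP payload of an SNMPv1/v2c request, listing the community string, PDU type and requested OIDs, and flagging OIDs under printer-related MIBs. The sample packet and the hint list are constructed assumptions; SNMPv3 messages use a different layout and are not handled.

```python
# Constructed sample (not from the thread): UDP payload of an SNMPv1 GetRequest,
# community "public", one varbind for 1.3.6.1.2.1.25.3.5.1.1.1 (hrPrinterStatus.1).
SAMPLE = bytes.fromhex("302902010004067075626c6963a01c020101020100020100"
                       "3011300f060b2b060102011903050101010500")
# Assumed hint list: OID subtrees that point at a printer status poller.
PRINTER_PREFIXES = {"1.3.6.1.2.1.43": "Printer-MIB",
                    "1.3.6.1.2.1.25.3.5": "HOST-RESOURCES-MIB hrPrinterTable"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA5: "GetBulkRequest"}

def tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def oid_str(raw):
    """Decode BER OID bytes to dotted form (first arc 0 or 1, as in all SNMP OIDs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)      # base-128 digits, high bit = continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def summarize(payload):
    """Return version, community, PDU type, requested OIDs and printer-MIB hints."""
    _, msg, _ = tlv(payload, 0)            # outer SEQUENCE
    _, ver, p = tlv(msg, 0)                # 0 = SNMPv1, 1 = SNMPv2c
    _, community, p = tlv(msg, p)
    pdu_tag, pdu, _ = tlv(msg, p)
    p = 0
    for _ in range(3):                     # skip request-id and the two integers after it
        _, _, p = tlv(pdu, p)
    _, binds, _ = tlv(pdu, p)              # varbind list
    oids, p = [], 0
    while p < len(binds):
        _, vb, p = tlv(binds, p)           # each varbind: SEQUENCE { OID, value }
        oids.append(oid_str(tlv(vb, 0)[1]))
    hints = sorted({name for o in oids for pre, name in PRINTER_PREFIXES.items()
                    if o.startswith(pre + ".")})
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids, "hints": hints}
```

Pass `summarize()` the raw UDP payload bytes of one captured port-161 packet; a non-empty `hints` list means the poller is asking printer-status questions, which narrows the search to print ports and print monitoring on the source server.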


PaulDubAuthor Commented:
Okay, I caught some of them and I have no idea what I'm looking at, other than I have a destination MAC address which says Cisco_XX:XX:XX then the real MAC address, and the source is the server MAC. Trying to find a hint.

Paul
0
PaulDubAuthor Commented:
Got it! I was looking at some other SNMP catches and they were old printer addresses from before we revamped our network earlier this year. I think I complained to my network guy that the original printer range was spamming my logs and he added an ignore for traffic of the old printer's IP range on our switches (instead of tracking down the problem). So they weren't showing up on the ASA log viewer. This one port was configured with a wrong address and was using a VPN address. I went to the servers and deleted the old unused printer port and it's gone. Thanks for your help in tracking this down. Was a good learning experience and I'll go get some ibuprofen now.
Thanks so much for your help.

Paul
0
PaulDubAuthor Commented:
Thanks for your help!
0