ASA Log showing file servers trying to access port 161 of VPN IP address

Our ASA log is showing our file servers trying to access port 161 of a VPN IP address. Here are the log messages.

Deny inbound UDP from ServerAddress/1037 to VPNAddress/161 on interface INT.
Deny inbound UDP from ServerAddress/1038 to VPNAddress/161 on interface INT

The servers are spamming that port. I reset the RDP listener on both servers, wondering if one of my sessions from home got hung up when doing maintenance or something. Both servers have been rebooted as well. Another note: these two servers are using EMC RepliStor to each other to replicate data for backup.

Let me know if you need more info.
Paul
PaulDubAsked:
 
JFrederick29 Commented:
Easiest thing to do would be to put Wireshark/Ethereal on the server and take a quick capture of the 161 traffic.  Looking in the SNMP payload, you should see some descriptor as to what software/application is making the call.
0
 
JFrederick29 Commented:
UDP 161 is SNMP polling.  The server is trying to SNMP poll the host with that IP address.  Check the management software on the server and look for a monitor with the VPNAddress.
0
 
PaulDub (Author) Commented:
Sorry JFred, I can't track this one down.  I couldn't see any "management software" to look at. One server is pretty new. It's been in service a few months.  The only thing I haven't checked is printers. The IP isn't in our printer IP ranges but I have seen crazier things happen. Both these servers have the same printers installed on them. I'll look at them next. Anything

0
 
PaulDub (Author) Commented:
Okay, I caught some of them and I have no idea what I'm looking at, other than I have a destination MAC address which says Cisco_XX:XX:XX then the real MAC address, and the source is the server MAC. Trying to find a hint.

Paul
0
 
PaulDub (Author) Commented:
Got it! I was looking at some other SNMP catches and they were old printer addresses from before we revamped our network earlier this year. I think I complained to my network guy that the original printer range was spamming my logs and he added an ignore traffic of the old printers' IP range on our switches (instead of tracking down the problem). So they weren't showing up on the ASA log viewer. This one port was configured with a wrong address and was using a VPN address. I went to the servers and deleted the old unused printer port and it's gone. Thanks for your help in tracking this down. Was a good learning experience and I'll go get some ibuprofen now.
Thanks so much for your help.

Paul
0
 
PaulDub (Author) Commented:
Thanks for your help!
0