Solved

Very Frequent router log entries

Posted on 2010-08-31
Last Modified: 2013-11-16
Hi,

The following entry is appearing in a new router VERY frequently. Because of the port I am wondering if it has something to do with email but the connection message can appear every 5sec or so and fills up the router log many times per day. Router is a D-Link. The IP resolves to wsip-174-78-110-160.pn.at.cox.net  and does not seem to be blacklisted.

[INFO] < date time > Establishing connection w/ auth server: 174.78.110.160:443.

Ideas??
0
Question by:DanielT
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 33574300
This server is owned by http://ww2.cox.com/ company. The port is https and it looks like somebody from your local network is using some software for IP TV or IP telephone or similar.
Check your clients for this type of software.
0
 
LVL 2

Author Comment

by:DanielT
ID: 33577580
Hey - Thanks Tominov

I would expect Skype then being left open on a system left on. Would that make sense? But would this level of log activity be generated only when it is logged in? There was certainly nobody actually using the service at the times the log fills. I would have expected an entry here and there but not so frequently.

Related...
1) This event is an "info" event and I do not need the logs filling up so frequently. Can I safely filter out these types of events or is there "info" that is really much more than info - if you know what I mean...
2) May I ask how you would know this is related to VOIP etc? The company seems to provide TV, internet services to its customers but why would this relate to IP TV or phone?

0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 33577688
I am only guessing, based on the DNS name starting with wsip - SIP is a VoIP technology.
The clients of these programs communicate even when the user doesn't use them, because they use peer-to-peer technology.
In D-Link you can choose what you need to log - but the real functionality depends on the model you have.
0

 
LVL 2

Author Comment

by:DanielT
ID: 33577874
Ah... thanks. Was not aware of that although I expected some significance.
D-Link is DIR655. I know you can choose log detail level.

Any idea of why the message would not occur once in a while? Why would the connection not be made at software start and be retained vs continually "establishing a connection"? (if you know)
0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 33616913
This should be functionality of the application - you must find what application is doing this connection.
On the D-Link side - in the event log, find the IP address of the computer with this connection.
If you find the computer, run in cmd on this computer:
netstat -n -b > c:\comm.txt
In this file you can find the name of the application that is making this connection. And then we can discuss why this application makes a connection every 5 sec.....
0
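One way to read the file produced by the netstat step above, as an added example that is not part of the original posts: it pairs each connection line with the `[executable]` line that `netstat -n -b` prints beneath it and keeps only connections to a given remote address. The sample text, the function name `owners_for` and the executable names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -n -b` output (not taken from the thread).
SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.101:49712    174.78.110.160:443     ESTABLISHED
 [example-client.exe]
  TCP    192.168.0.101:49720    192.0.2.15:80          TIME_WAIT
  TCP    192.168.0.101:49733    174.78.110.160:443     SYN_SENT
  RpcSs
 [svchost.exe]
  TCP    192.168.0.101:49801    198.51.100.7:443       ESTABLISHED
 Can not obtain ownership information
"""

# A connection row: protocol, local endpoint, remote endpoint, optional state.
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The owning executable is printed in square brackets below its connection row.
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def owners_for(text, remote_ip):
    """Return (local, remote, state, executable) for each connection to remote_ip."""
    rows, current = [], None
    for line in text.splitlines():
        conn = CONN.match(line)
        if conn:
            if current:
                rows.append(current)
            current = [conn.group(2), conn.group(3), conn.group(4) or "", None]
            continue
        owner = OWNER.match(line)
        if owner and current:
            # Component lines (e.g. a service name) are skipped; only the
            # bracketed executable name is attached to the connection.
            current[3] = owner.group(1)
    if current:
        rows.append(current)
    # Compare on the address part only, so any remote port matches.
    return [tuple(r) for r in rows if r[1].rsplit(":", 1)[0] == remote_ip]

if __name__ == "__main__":
    for row in owners_for(SAMPLE, "174.78.110.160"):
        print(row)
```

An empty result on every client is consistent with traffic that does not originate from the PCs at all.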
 
LVL 2

Author Comment

by:DanielT
ID: 33617698
Tominov,

That all makes sense.
Am familiar with NETSTAT and sometimes pipe it to an output file too when I need a record.

I am at this location periodically and will see if I can catch it happening although, right now I have not seen any clear correlation to a system that is responsible for it which is the root of my enquiry, I suppose. If I can find that - I expect the rest will be fairly easy...

Will post if I can nail something down.
0
 
LVL 12

Accepted Solution

by:
TomRScott earned 1400 total points
ID: 33748669
I had the same issue.
 
I looked through my applications, etc. on one of my computers.  Meanwhile, I did some research on the web.
 
It appears to be an issue with SOME D-Link DIR-655 routers.
 
A number of the users weighing in on the topic are computer consultants or technicians and had multiple units of this model.  For them the issue was not universal to this unit.  That is, with multiple units in the field and with multiple ISPs, not all units exhibited this issue.
 
One killed the issue by reverting to an earlier firmware (1.21).  Another tried reverting to firmware 1.20, but the issue persisted for them.
 
Some thought the communications with the Cox server is related to the securespot™ services feature of the router. Of those that tried turning off securespot (nobody reported using it anyway) not all saw the problem go away.
 
Regardless of the real cause, the traffic appears to originate from this model of the router itself.  No other router was mentioned in my somewhat brief research.  Of those that had contacted D-Link support, they universally received the equivalent of a blank stare on the issue.  Support did not seem to know what was the cause of the issue.  Granted, anybody that might have been successful in addressing the issue with D-Link support would be less likely to post inquiries about it on open forums.
 
I took a twofold approach:
  1. I disabled SecureSpot (I don't use it anyway).  
    1. Menu securespot via "ADVANCED", then "SECURESPOT"
    2. Uncheck "Enable securespot™ services" and click "Save Settings"
  2. I blocked web access to that IP address.
    1. Menu securespot via "ADVANCED", then "WEBSITE FILTER"
    2. Make sure that "Configure Website Filter below" is set to "DENY..." (that is the default or factory setting).
    3. Enter 174.78.110.160 in the first available box under "Website URL/Domain".
    4. Click "Save Settings".

I stayed with the latest firmware.
 
After performing the above, my logs are no longer filled with accesses to that router.
 
 - Tom
0
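A way to measure the log entries before and after a change like the one in the answer above, as an added example that is not part of the original posts: it counts the "Establishing connection w/ auth server" lines per destination and reports how often they repeat. The thread elides the timestamp ("< date time >"), so the timestamp layout, the sample lines, the function name `summarize` and the 30-second threshold are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample log. The "%Y-%m-%d %H:%M:%S" timestamp layout is an
# assumption; adjust TS_FORMAT to match what the router actually writes.
SAMPLE = """\
[INFO] 2010-08-31 10:15:00 Establishing connection w/ auth server: 174.78.110.160:443.
[INFO] 2010-08-31 10:15:05 Establishing connection w/ auth server: 174.78.110.160:443.
[INFO] 2010-08-31 10:15:07 Unrelated entry (constructed)
[INFO] 2010-08-31 10:15:10 Establishing connection w/ auth server: 174.78.110.160:443.
[INFO] 2010-08-31 10:15:16 Establishing connection w/ auth server: 174.78.110.160:443.
[INFO] 2010-08-31 10:15:20 Establishing connection w/ auth server: 174.78.110.160:443.
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
LINE = re.compile(
    r"^\[(?P<level>\w+)\]\s+(?P<ts>.+?)\s+"
    r"Establishing connection w/ auth server: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\.?\s*$")

def summarize(text, max_gap=30):
    """Per destination: entry count, median gap in seconds, share of the log."""
    total, seen = 0, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1
        m = LINE.match(line)
        if m:
            dest = f"{m['ip']}:{m['port']}"
            stamp = datetime.strptime(m["ts"], TS_FORMAT)
            seen.setdefault(dest, []).append(stamp)
    report = {}
    for dest, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        report[dest] = {
            "count": len(stamps),
            "median_gap_s": med,
            "share": round(len(stamps) / total, 2),
            # Flag destinations contacted at short, repeating intervals.
            "repeating": med is not None and med <= max_gap and len(stamps) >= 3,
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it on a log saved before the change and one saved after shows whether the entries actually stopped or only slowed down.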
 
LVL 2

Author Comment

by:DanielT
ID: 33770018
TomRScott

This info seems very useful. Thanks for sharing it. I had turned off Securespot as well but thought the entries may have been resultant of something else when it did not change. Will recheck my settings (dunno if I re-enabled when test did not change it) and check into blocking.

Would have expected that the block would, itself, have generated log notices advising of the block but if it worked - that's all that matters.

0
 
LVL 12

Expert Comment

by:TomRScott
ID: 33774828
I just checked and I have not received a single log entry for this since making the two changes.  It has been several days and it used to fill the log (pushing out an e-mail) every 3.5 to 4 hours.  It has not needed to close out and e-mail a log since that time four days ago.
 
 - Tom
0
 
LVL 2

Author Comment

by:DanielT
ID: 33775661
Excellent! Thanks again.
Need to get to the location to check. Will advise...
0
 
LVL 2

Author Comment

by:DanielT
ID: 33854762
NO time to get on this yet... had other equipment down at same site.
Still in the plan.

0
 
LVL 2

Author Comment

by:DanielT
ID: 34134399
Hey - will have a final update on this soon...  the good news is that the messages of concern that were filling the logs have gone.
0
 
LVL 2

Author Comment

by:DanielT
ID: 34147028
TomRScott
Just wondering - why use "Website Filter" vs setting up "Access Control" (also on advanced tab)? It has to be enabled anyway for "Website Filter" to work.
0
 
LVL 12

Expert Comment

by:TomRScott
ID: 34252282
Sorry to take so long to get back.  Business has been very good...

I have NOT enabled Access Control and the Website Filter still functions on my unit.  I have no entries in my logs for this issue since the fix.

As to why Access Control v. Website Filter, the latter is all that I wanted and needed to do to kill access to that server (and it does not matter which host tries to access that server). Access Control is much more complex and has other impacts that I did not wish to create.

 - Tom
0
 
LVL 2

Author Comment

by:DanielT
ID: 34327831
Well, Tom... Guess I'm slower than you so I owe a bigger apology. Glad they did not close this!

Securespot had been disabled as I expected it was the cause. For some reason the entries continued for awhile afterwards. However, they did eventually slow down significantly and/or disappear without a specific block being put in place so I can only gather that it was the cause of the issue.

I believe there may be firmware update available as well so I will be doing that regardless (not far behind, maybe 1 release).

Thanks for your posts!
0
 
LVL 2

Author Closing Comment

by:DanielT
ID: 34327833
Appreciate the patience on this question. Disabling Securespot seemed to resolve even without a block on the IP address.
0
