Solved

outbound smtp connection attempt - source port shivadiscovery (tcp/1502)

Posted on 2013-06-05
4
932 Views
Last Modified: 2013-06-11
We have several PC's that are unable to establish any outbound connection to a particular domain name or the IP address of a server used by the domain.  For example, we are not able to access the website of domain.com, cannot telnet to mail.domain.com or the IP of mail.domain.com.  We are able to telnet to other smtp servers without issue.

There is also a separate internal network (on a different interface) that utilizes the same internet gateway.  Devices on the second network are able to connect just fine.

Here is the capture of when a connection attempt is made from network 1:

UNSUCCESSFUL CONNECTION:
1327      4.849653000      192.168.1.59      YYY.YYY.YYY.YYY      TCP      shivadiscovery > smtp [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1

Here is the capture of when a connection attempt is made from network 2:

SUCCESSFUL CONNECTION:
114      2.967202      192.168.10.21      YYY.YYY.YYY.YYY      TCP      52592 > smtp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
117      3.016186      YYY.YYY.YYY.YYY      192.168.10.21      TCP      smtp > 52592 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=7

[Where YYY.YYY.YYY.YYY is a public IP address]

Clearly the difference is the outbound port that the TCP connection attempt is made.  Does shivadiscovery indicate that we have some type of malware on these devices?

In limited troubleshooting the only other thing that seemed unusual was the routing table, the metric of what should be the default route was higher than some of the other routing table entries.

Any ideas?
0
Comment
Question by:gatorIT
  • 2
4 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 39226714
The metric of routes is relevant only if there are multiple routes to the same target. The most restrictive route is used first, then the less ones. Only if the restriction is the same, e.g. two 192.168.1.0/24 routes, metric is used to decide which one to take.

The ShivaDiscovery port is NOT the outpound port, it is the source port, and that can and will be dynamic. Only the destination port is fixed, as SMTP. Of course that is reversed for the reply, which needs to come on the port used as source for the request.

First thing to try is a tracert from both sources to the public IP, and compare them with each other and with the tracert from 192.168.1.59 to a different (public) target.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39227104
It may be that your firewall is only allowing connections FROM source ports above a certain number.

For example, your firewall might block connections from ports 0-1024, or from between 5000-6000.
0
 

Accepted Solution

by:
gatorIT earned 0 total points
ID: 39227111
Turns out it was the remote server that was blocking the IP.  We have a block of five routable/public IPs and when we changed IP's we were able to connect without an issue.  No idea why we were blocked though.
0
 

Author Closing Comment

by:gatorIT
ID: 39237154
Actual outcome.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question