Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

tcp connect through a firewall

I am trying to set up an IP SLA monitor to have an internal router connect to an external device over port 22, and the external destination is going through a firewall. Below is my monitor:

ip sla monitor 40006
type tcpConnect dest-ipaddr 147.xx.xx.xx dest-port 22 source-ipaddr 10.xxx.xxx.xxx
timeout 180000
threshold 1000
owner SW.IpSla.xxxxxx.ORIONSLX
frequency 300
ip sla monitor schedule 40006 life forever start-time now ageout 3600

I can telnet from my this router to the specified destination over port 22 with no problem, and it's getting logged on firewall with no issue. However, my IP SLA monitor is failing. I see in my firewall logs that instead of communicating over port 22, it is using UDP 1967, which of course my firewall is dropping because I don't have a rule for it, and the destination IP address wouldn't allow that port anyway.

Why would a IP SLA Monitor be using UDP 1967 instead of tcp port 22?

Find more posts tagged with

Accepted answers

mcbridea

Try adding this to the IP SLA operation config

control disable

Actually the config uses this command in the type config line as below...

 type tcpConnect dest-ipaddr 10.0.0.1 dest-port 22 control disable

It looks like the operation you have was placed by IP SLA Manager. To add the control disable command you should delete the operation using IP SLA Manager and replace it manually via CLI with control disable included. Then go to IP SLA Manager and add the operation using the monitor existing operations option in Add New Operations. You can check the operation in CLI using sho ip sla monitor stat

All comments

mcbridea

It is an initial communication between the IP SLA requestor and the responder.

mcbridea

Here is a Cisco paper on IP SLA use of UDP 1967 through firewalls.

http://www.cisco.com/warp/public/707/cisco-amb-20090325-sip-and-udp.shtml

timf

I was trying to get some SLA's on a connection over a port over a 3rd party circuit that we have. I doubt that I'll be able to convince this 3rd party to open up this additional UDP port on their firewall, so I guess I'm stuck.

mcbridea

I'm still looking at ways to do this. What type of device are you connecting to? If it is a Cisco device, does it have IP SLA responder enabled? Are there any other IP SLA operations going to this device?

Andy

timf

The device would be a server at the third party environment listening on port 22, or SSH. Again, this is all behind firewalls, so the only port that is open is 22. There are no other ip sla operations going to this device. I do have an APM set up to monitor this port. However, I am really looking for SLA's from our branch sites, or remote routers, so I can keep tabs on the application performance from our branches.

thanks for the investigation