BCM is sending broadcast to our firewall (Violation alert)

[sienz]

We have a security alert from pur PIX firewall;

Symptom Name: PIX Violation Alert: A firewall has logged a greater number of denies to a single source IP address and single destination
socket paired as defined by the threshold.

10.22.5.31 192.168.1.150 3279 TCP


Anyone has any idea?
We use BCM 3.5

 

[MagnaRGP]

Port 3729 is used by the admind protocol which is part of the administration of the BCM. Someone on the outside of your PIX is trying to administer your BCM.

This is purely a guess as you have provided no network specifics at all.

 

[sienz]

10.22.5.31 is our lan IP for this BCM which we use it to access the BCM manager.

But I am not sure this local IP 192.168.1.150? Is this the Elan IP from the BCM?

We access the BCM from our corp network which use P2P T1 to this site.

 

[MagnaRGP]

So if 192.168.1.150 is not a part of your subnet, you need to identify what/were that IP is. That is your offender, not your BCM.

There is no ELAN on a BCM.

 

[sienz]

Is that means that 10.22.5.31 is attempting and failing to access 192.168.1.150 (no reverse) on port TCP3279?

the 192 is a local IP. I am not sure why BCM is trying to access this IP.

I believe that BCM has their own local IP which we get it when we access the BCM directly to the box.

 

[MagnaRGP]

10.22.5.31 is our lan IP for this BCM which we use it to access the BCM manager"...."the 192 is a local IP"

Start from the beginning....what is the PIX saying? It blocked traffic TO or FROM 10.22.5.31?

Also what is 192.168.1.150? Do you know?

 

[sienz]

PIX is saying that 10.22.5.31 is attempting and failing to access 192.168.1.150 (no reverse) on port TCP3279?

We do not know who has this IP 192.168.1.150.

Few weeks ago, I remember that there is a tech that login directly to the BCM box and used the 192.168 IP address. I am not sure if it is related.

 

[MagnaRGP]

I would look at the IP settings and routing info on the BCM. Sounds like one of the LAN ports has a 192 addy in it and quite possibly a 192 gateway as well.

 

[sienz]

I check every possible way and the only 192 address is the DNS server (192.168.1.1). I change it to match the our desktop which have 10. address.

I am not sure why it try to hit 192.168.1.150.

 

[acewarlock]

Will unless one or your BCM LAN's is set for 192, it's not a BCM problem.




This is a Signature and not part of the answer, it appears on every reply.

This is an Analogy so don't take it personally as some have.

Why change the engine if all you need is to change the spark plugs.

 

[sienz]

I checked yesterday and none of our BCM LAN are in 192. address

Both of them are in 10. address

 

[acewarlock]

Then get the Network peole to fix there problem, it's not the BCM.




This is a Signature and not part of the answer, it appears on every reply.

This is an Analogy so don't take it personally as some have.

Why change the engine if all you need is to change the spark plugs.

 

[sienz]

They blame it on the telcom (BCM) because the BCM is broadcasting to unknown address.

 

[NARSBARS]

A bad address in SNTP time synch will cause that type of failure. A bad address for a remote backup will do that.
If the tech backed up the BCM he could have left it as scheduled or incomplete.

NARSBARS