Outer IP addresses trying to communicate via UDP with lsass.exe


My firewall is saying that various IP addresses are trying to communicate with lsass.exe via UDP. Something to be concerned about?
Here is a pic…

[attachment deleted by admin]

Are you using a vpn of any kind, maybe pptp or l2tp?

What are these? Some kind of protocols?

A VPN is a Virtual Private Network and the others are methods for creating these. I’d be most interested in L2TP (Layer 2 Transport Protocol) as it can be used with IPSec (IP Security).

In the image you posted, all of the connections are to UDP port 500, which is the port used for ISAKMP (Internet Security Association and Key Management Protocol), which is used for authentication in IPSec. Lsass (Local Security Authority Subsystem Service) is the service used in the authentication process.

Basically, if you’re using IPSec, perhaps via a vpn, the log entries might make some sense. However, if you’re not using IPSec, we’d need to find out why these connections are being made.
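As an added example (not part of the original thread): one way to check whether a datagram captured on UDP port 500 really is an ISAKMP/IKE negotiation attempt is to parse the fixed 28-byte ISAKMP header from RFC 2408. The function names and the sample bytes below are constructed for illustration.

```python
import struct

# ISAKMP fixed header (RFC 2408, section 3.1): initiator cookie, responder
# cookie, next payload, version, exchange type, flags, message ID, length.
HEADER = struct.Struct("!8s8sBBBBII")  # 28 bytes, network byte order

EXCHANGES = {
    2: "Identity Protection (IKEv1 Main Mode)",
    4: "Aggressive (IKEv1)",
    5: "Informational (IKEv1)",
    32: "Quick Mode (IKEv1)",
    34: "IKE_SA_INIT (IKEv2)",
    35: "IKE_AUTH (IKEv2)",
    36: "CREATE_CHILD_SA (IKEv2)",
    37: "INFORMATIONAL (IKEv2)",
}

def parse_isakmp(payload: bytes):
    """Return header fields as a dict, or None if this is not plausible ISAKMP."""
    if len(payload) < HEADER.size:
        return None
    icookie, rcookie, _next, version, exch, _flags, _msg_id, length = \
        HEADER.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    # A valid message has a non-zero initiator cookie and a sane length field.
    if major not in (1, 2) or length < HEADER.size or icookie == bytes(8):
        return None
    return {
        "version": f"{major}.{minor}",
        "exchange": EXCHANGES.get(exch, f"unknown ({exch})"),
        # An all-zero responder cookie marks the first message of a new exchange.
        "new_negotiation": rcookie == bytes(8),
        "truncated": length > len(payload),
    }

def triage(payload: bytes) -> str:
    info = parse_isakmp(payload)
    if info is None:
        return "not ISAKMP: junk or scan traffic on UDP 500"
    if info["new_negotiation"]:
        return f"unsolicited {info['exchange']} request opening a negotiation"
    return f"{info['exchange']} message in an existing exchange"

# Constructed samples: header of an IKEv1 Main Mode first message (payloads
# not captured, so the declared length exceeds the bytes present), and junk.
SAMPLE_MAIN_MODE = HEADER.pack(bytes.fromhex("1122334455667788"), bytes(8),
                               1, 0x10, 2, 0, 0, 184)
SAMPLE_JUNK = b"\x00" * 12
```

If the payloads seen on port 500 parse as new negotiations, a remote peer is attempting to start IKE with the host; if they do not parse, the traffic is more likely generic probing of the port.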

Well, how do I know if I am using it? I mean, I have two accounts, admin and a guest account on my comp. Is that what you mean?

If you were using a vpn, I guess you’d know. Can you post screen shots of your Global and application firewall rules, please. Use the Additional Options at the bottom of the reply box to attach the images.

Edit: you appear to be behind a router, so you should check the router settings, for what is and what is not allowed through.

here they are…

[attachment deleted by admin]

here are my router settings (if I’m right):

[attachment deleted by admin]

Your logs show that port 500 must be open on your router. Usually you can’t see the ports opened by the Universal Plug and Play interface in the web interface.

Open the Universal Plug and Play interface under Network to see if the port 500 is opened. See attached image.

[attachment deleted by admin]

But where do I find these settings on XP?

Based on the traffic it almost looks like the host is set up as a 'DMZ' host, it’s receiving traffic it should never see on a 'NAT' setup and it is destined to a Private IP so there should be NAT in the middle here. First secure the router then see what’s left to tweak on the PC(s).

Try to see if your Router setup page has a ‘Firewall’ or something like DMZ Host setup entry, if you don’t know where to look please post the make and model so we can see if we can find the manuals for it.

DMZ may also be called Exposed Host. Try Ronny’s angle first. I will when needed look up some info on how to enable uPnP in XP.

It’s default on.

Hi guys,
Router model is Thomson TWG850-4U and it has a firewall. You can see some screenshots above.


Should Windows FW be turned off if I use Comodo FW?

Yes. It’s never recommended to run more than one software firewall on your system.

I had a look through the manual for your router and I noticed it has an option for IPSec passthrough, which seems to be enabled by default. It might be worth disabling this and observing the behaviour following a restart of the router. (see image)

It might also be interesting to see what ShieldsUP sees by way of open ports on your router. Just make sure the IP address identified before the test starts is that of your router. Post the results here.

[attachment deleted by admin]


How do I restart the router? You mean, I should change this IPSec thing and then restart the router?

However, here are the screenshots of ShieldsUp.

[attachment deleted by admin]

Some routers have an option to reboot when changes to the configuration have been made. If you don’t see this, it may be unnecessary. If not just uncheck the box for IPSec.

The scan is showing a NetBIOS port (139) as open, which is not really what you need. Just to confirm, the IP address is the IP address of the router? (open a command prompt and type ipconfig /all and post the screen shot)

What is the port being shown as closed?

GRC Port Authority Report created on UTC: 2011-07-13 at 10:44:30

Results from scan of ports: 0-1055

1 Ports Open
1 Ports Closed

1054 Ports Stealth

1056 Ports Tested

The port found to be OPEN was: 139

The port found to be CLOSED was: 1032

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

[attachment deleted by admin]