When my Windows IPsec VPN client attempts an IPsec connection, the tunnel is established (UDP 500), but the authentication does not complete (UDP 4500). When I look in the activity logs, I get:
Date/Time :2006-09-29 15:02:16
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Outgoing
Source: 192.168.85.101:4500
Destination: x.x.x.x:4500
Reason: UDP packet length and the size on the wire(1460 bytes) do not match
Date/Time :2006-09-29 15:02:11
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Outgoing
Source: 192.168.85.101:4500
Destination: x.x.x.x:4500
Reason: UDP packet length and the size on the wire(1460 bytes) do not match
Date/Time :2006-09-29 15:02:06
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Outgoing
Source: 192.168.85.101:4500
Destination: x.x.x.x:4500
Reason: UDP packet length and the size on the wire(1460 bytes) do not match
If I shut down Comodo, I am able to authenticate to my VPN server. All of the other firewalls I have tested (Trend Micro PcCillin, Outpost, Tiny, etc.) have not blocked my VPN connection.
How do I fix this? Are there any rules I need to create, beyond the default rules?
Hi, are you using BitTorrent/uTorrent? There have been many issues of CPF catching malformed packets that other firewalls didn’t. If the lengths don’t match, this may be due to a little traveler attaching to the packet. I would run HijackThis, check for spyware, etc. You may have a baddy on your PC.
Thanks for your post. No, I do not run any BitTorrent apps. My system is spyware-free (except for it being Windows, but that’s another topic.)
I disabled “Do protocol analysis”, and was able to connect to my VPN server. However, I would really like to keep that setting enabled. This issue could very well be a bug, no?
The only way I could assume this to be a bug is if CPF is reading the packets wrong or corrupting them itself somehow, unless there are other issues at hand. This would then be beyond what I know. The basis though, the packet size is different, whether due to a bug or something else. Do you use / are you behind a router with NAT? You may have to adjust your router settings to work with CPF with protocol analysis enabled. Beyond that I can’t be sure as to what’s causing it. Typically it’s an attack but doesn’t sound like so in your case.
Well, I can’t be certain if something is malforming the UDP packets. I haven’t performed a packet trace yet to see if the packet size is correct. I don’t believe it is my hardware firewall (which is a Cisco PIX 501 running PIX OS 6.3(4)). But as I said, I haven’t performed any packet tracing to see.
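The packet trace mentioned in the last post comes down to one comparison per packet. The Python below is an added example, not part of the thread and not Comodo's implementation: it compares the UDP length field with the bytes one captured IPv4 packet actually carries, and separates out a first IP fragment, where the UDP length field describes the whole datagram and is therefore larger than what that packet holds. Whether fragmentation plays any part in this thread's case is not established; the sample packets, their sizes and the 203.0.113.10 destination are constructed.

```python
import struct

def check_udp_length(ip_packet: bytes) -> dict:
    """Compare the UDP length field with what one IPv4 packet actually carries."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip_packet[2:8])
    if ip_packet[9] != 17:
        raise ValueError("not a UDP packet")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    carried = total_len - ihl  # bytes of IP payload in this packet
    if frag_offset:
        # Later fragments have no UDP header, so there is nothing to compare.
        return {"verdict": "non-first-fragment", "udp_len": None, "carried": carried}
    if carried < 8 or len(ip_packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    _sport, _dport, udp_len, _csum = struct.unpack("!HHHH", ip_packet[ihl:ihl + 8])
    if udp_len == carried:
        verdict = "match"
    elif more_fragments and udp_len > carried:
        # UDP length covers the whole datagram; the rest is in later fragments.
        verdict = "first-fragment"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "udp_len": udp_len, "carried": carried}

def build_sample(udp_len_field, carried, more_fragments=False, frag_offset=0):
    """Constructed test packet: IPv4 header + UDP 4500 -> 4500, zero-filled payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + carried, 1, flags_frag,
                         64, 17, 0, bytes([192, 168, 85, 101]), bytes([203, 0, 113, 10]))
    if frag_offset:
        return header + bytes(carried)
    return header + struct.pack("!HHHH", 4500, 4500, udp_len_field, 0) + bytes(carried - 8)

if __name__ == "__main__":
    samples = {
        "whole datagram": build_sample(108, 108),
        "first fragment": build_sample(2008, 1480, more_fragments=True),
        "later fragment": build_sample(0, 528, frag_offset=1480),
        "length mismatch": build_sample(200, 108),
    }
    for name, packet in samples.items():
        print(name, check_udp_length(packet))
```

To use it on a real trace, pass each packet's bytes starting at the IPv4 header, with the link-layer header stripped.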