Support Forum
JackBauer
New Contributor

SSL exit error, remote IP originates from CHINANET jiangsu province network

Hello all,

For a while now I've been seeing these SSL exit errors and the top remote IP originates from CHINANET jiangsu province network. A simple google query on this IP seems to indicate that it may have malicious intent.

Here's a rundown of my config: FWF60C MR2 patch 11. I have my SSL VPN configured over TCP 80 but am restricting the source traffic to just a few external hosts. I also have trusted hosts configured so my firewall doesn't respond to ICMP externally or anything like that. Nessus and Rapid 7 Nexpose scans show no medium or high severity threats when scanning my external address from a remote location. No external ports are open unless being restricted by source IP. Comcast is my ISP and the public IP is being handed off to the FWF60C wan1 interface via DHCP. I log everything including allowed traffic which uploads to my Splunk server.

Here is one of the most recent logs:

    Date: 2012-03-09
    Time: 19:11:00
    Level: error
    Sub Type: sslvpn-session
    ID: 39946
    Virtual Domain: root
    Action: ssl-exit-error
    Tunnel ID: 0
    Tunnel Type: ssl
    Remote IP: 58.218.199.227
    Tunnel IP: N/A
    User: N/A
    Group: N/A
    Destination Host: N/A
    Reason: N/A
    Message: SSL exit error

I've tried to replicate this error but can't seem to get it to re-occur. Running Splunk queries on any of the remote IPs that I'm seeing does not produce any additional results except for the msg="SSL exit error". So at this point, I'm really not sure what I can do to stop these SSL exit errors except for turning down the SSL VPN service.

Here are the top remote IP addresses where this traffic is originating:

    58.218.199.147
    58.218.199.250
    116.121.231.242

Here is an IP lookup via centralops.net:

    Address lookup
    lookup failed 58.218.199.147
    Could not find a domain name corresponding to this IP address.

    Domain Whois record
    Don't have a domain name for which to get a record

    Network Whois record
    Queried whois.apnic.net with "58.218.199.147"...

    inetnum:      58.208.0.0 - 58.223.255.255
    netname:      CHINANET-JS
    descr:        CHINANET jiangsu province network
    descr:        China Telecom
    descr:        A12,Xin-Jie-Kou-Wai Street
    descr:        Beijing 100088
    country:      CN
    admin-c:      CH93-AP
    tech-c:       CJ186-AP
    mnt-by:       APNIC-HM
    mnt-lower:    MAINT-CHINANET-JS
    mnt-routes:   MAINT-CHINANET-JS
    remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks:      This object can only be updated by APNIC hostmasters.
    remarks:      To update this object, please contact APNIC
    remarks:      hostmasters and include your organisation's account
    remarks:      name in the subject line.
    remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    status:       ALLOCATED PORTABLE
    changed:      hm-changed@apnic.net 20050624
    source:       APNIC

    role:         CHINANET JIANGSU
    address:      260 Zhongyang Road,Nanjing 210037
    country:      CN
    phone:        +86-25-86588231
    phone:        +86-25-86588745
    fax-no:       +86-25-86588104
    e-mail:       ip@jsinfo.net
    remarks:      send anti-spam reports to spam@jsinfo.net
    remarks:      send abuse reports to abuse@jsinfo.net
    remarks:      times in GMT+8
    admin-c:      CH360-AP
    tech-c:       CS306-AP
    tech-c:       CN142-AP
    nic-hdl:      CJ186-AP
    remarks:      www.jsinfo.net
    notify:       ip@jsinfo.net
    mnt-by:       MAINT-CHINANET-JS
    changed:      dns@jsinfo.net 20090831
    changed:      ip@jsinfo.net 20090831
    changed:      hm-changed@apnic.net 20090901
    source:       APNIC
    changed:      hm-changed@apnic.net 20111114

If anyone has any ideas or suggestions, please let me know. Thanks everyone! The screenshot below should provide a better perspective of what I'm seeing:
FCNSA CompTIA Network+
1 REPLY 1
ede_pfau
SuperUser
SuperUser

Hi, and welcome to the forums.

Maybe you could enlighten me why you chose port 80 for the SSL VPN. As this is _the_ best known port on the net you have to expect connection attempts here. Your users don't benefit from it at all, as they have to specify the port anyway, like in 'https://my.domain.com:80'. It's for a reason that the default SSL VPN port is in the high 10.000's. OK, some locations block outgoing traffic on high ports... and you might need port 443 for remote management.

Anyway, from the logs I basically read that some host tried to connect to port 80, and the SSL VPN daemon responded with an error exit. Nothing to worry about much as I don't see any other way to prevent this. Of course, you could install an IPS signature to block the source IP address after xxx attempts in yyy seconds for zzz minutes. That's what I did. If you create a DoS policy (which binds filters to an interface, not a specific policy) and insert the IPS rate signature the FGT can handle this very efficiently. Please search the posts on all forums in the last 2-3 weeks, this has been discussed with references on the details.
Ede Kernel panic: Aiee, killing interrupt handler!
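The following is an added example, not code from this thread or from Fortinet. It takes the threshold logic the reply describes (block a source after xxx attempts in yyy seconds) and runs it as a detection pass over exported log lines, so you can size the thresholds on your own data before committing them to a DoS policy. It also produces the per-source tally the question obtained with Splunk. The lines are constructed to mirror the record in the question, written in the key=value style of FortiOS event logs; the field names (date, time, action, remip) and the logid value reuse are assumptions about that format, and the tunnel-up line with 203.0.113.10 is invented filler to show that non-error events are ignored. Lines are assumed to be in chronological order, as an export normally is.

```python
"""Rate-based detector for FortiGate SSL VPN 'ssl-exit-error' events (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, modelled on the record in the question; field names
# and values are assumptions about the FortiOS key=value format.
SAMPLE_LOG = """\
date=2012-03-09 time=19:11:00 level=error subtype=sslvpn logid=39946 vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=58.218.199.227 tunnelip=N/A user="N/A" group="N/A" msg="SSL exit error"
date=2012-03-09 time=19:11:20 level=error subtype=sslvpn logid=39946 vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=58.218.199.227 tunnelip=N/A user="N/A" group="N/A" msg="SSL exit error"
date=2012-03-09 time=19:11:30 level=notice subtype=sslvpn vd="root" action="tunnel-up" tunnelid=17 tunneltype="ssl" remip=203.0.113.10 tunnelip=10.212.134.200 user="alice" group="vpn-users" msg="SSL tunnel established"
date=2012-03-09 time=19:11:45 level=error subtype=sslvpn logid=39946 vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=58.218.199.227 tunnelip=N/A user="N/A" group="N/A" msg="SSL exit error"
date=2012-03-09 time=19:12:00 level=error subtype=sslvpn logid=39946 vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=116.121.231.242 tunnelip=N/A user="N/A" group="N/A" msg="SSL exit error"
date=2012-03-09 time=19:20:00 level=error subtype=sslvpn logid=39946 vd="root" action="ssl-exit-error" tunnelid=0 tunneltype="ssl" remip=116.121.231.242 tunnelip=N/A user="N/A" group="N/A" msg="SSL exit error"
"""

# key=value pairs; the value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value.strip()
    return fields


def _events(lines, action="ssl-exit-error"):
    """Yield (timestamp, remote_ip) for every line whose action matches."""
    for line in lines:
        f = parse_line(line)
        if f.get("action") != action or "date" not in f or "time" not in f:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, f.get("remip", "unknown")


def count_by_source(lines):
    """Per-source count of ssl-exit-error events (the 'top remote IPs' view)."""
    return Counter(ip for _, ip in _events(lines))


def find_offenders(lines, max_events=3, window=timedelta(seconds=60)):
    """Return {remip: time_first_triggered} for sources that produced at least
    max_events ssl-exit-error events inside any sliding window of `window`.
    This mirrors an 'xxx attempts in yyy seconds' rate rule; lines must be in
    chronological order."""
    recent = defaultdict(deque)   # remip -> timestamps inside the window
    offenders = {}
    for ts, ip in _events(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= max_events and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in count_by_source(lines).most_common():
        print(f"{ip:<16} {n} ssl-exit-error events")
    for ip, ts in find_offenders(lines).items():
        print(f"{ip} exceeded 3 events / 60 s at {ts}")
```

With the sample data, 58.218.199.227 crosses the 3-in-60-seconds threshold at 19:11:45, while 116.121.231.242 has two events eight minutes apart and is not flagged. Run it over a real export (for example, the raw lines behind the Splunk msg="SSL exit error" search) and adjust max_events and window until legitimate users never trip it; those are the numbers to carry into the DoS policy.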