Dear all
I always wondered why my ASA, which I monitor with a netflow9 sensor, has a lot of traffic from a fileserver to IP 192.88.99.1. According to "google" it's IPv6 traffic. But IPv6 is turned off and I don't see why my fileserver should generate that much traffic with IPv6. It's a Windows 2008 R2 machine.
Is there any sensor I may add for this machine to get a better overview of what exactly is generating that much traffic, without using a third-party tool?
regards Thomas
Article Comments
It's quite strange. They come from a fileserver and it's the exact same amount of megabytes, every 15-minute measure block
- 1. fs01.domain.internal (###.##.254.90) [192.88.99.1] 1'670 MByte
- 2. fs01.domain.internal (###.##.254.206) [192.88.99.1] 835 MByte
It kind of worries me, because other servers have that too, even freshly installed ones that are not used at the moment.
Aug, 2015 - Permalink
Couldn't you simply block both IPs? Anything in the logs of the file server (what data is downloaded, etc.)? Could it be a sensor in your PRTG by any chance?
Aug, 2015 - Permalink
I will try this and block it http://www.howfunky.com/2010/02/how-to-prevent-ipv6-tunneling-across.html
Aug, 2015 - Permalink
It seems that lots of servers communicate inside with IPv6 (whole domain and member servers), then they search for the server and look for the gateway (IPv6 anycast address 192.88.99.1), then the ASA forwards them to the other server.
Could that statement be true?
Aug, 2015 - Permalink
Solution:
OK. I did not block the IP or disable IPv6. What I did was disable:
netsh int 6to4 set state state=disabled
netsh int teredo set state type=disabled
According to http://blogs.technet.com/b/jlosey/archive/2011/02/02/why-you-should-leave-ipv6-alone.aspx
Now I see the traffic in the netflow sensor exactly as it should be, and it is more comprehensible. I don't really know why, but it worked ;)
Aug, 2015 - Permalink
It's not IPv6 traffic, rather IPv6 packets delivered via IPv4; that's why you still receive it. Is there anything obvious about the packets, like where they originate from?
Aug, 2015 - Permalink
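The point made in the last comment, IPv6 carried inside IPv4, can be checked in flow data. The following Python code is an added example, not part of the original thread: it labels flow records as 6to4 (IP protocol 41 to the 192.88.99.0/24 relay anycast prefix), other protocol-41 tunnels, or Teredo (UDP 3544), and totals the bytes per source host. The record layout, function names and sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Well-known protocol constants (RFC 3068, RFC 3056, RFC 4380); not read from any device.
RELAY_ANYCAST_NET = ipaddress.ip_network("192.88.99.0/24")  # 6to4 relay anycast prefix
PROTO_IPV6_IN_IPV4 = 41  # IP protocol number for IPv6 encapsulated in IPv4
PROTO_UDP = 17
TEREDO_PORT = 3544       # UDP port of Teredo servers

def sixto4_prefix(ipv4):
    """Return the 2002:V4ADDR::/48 prefix a 6to4 host derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def classify(flow):
    """Label one flow record as '6to4', 'proto41', 'teredo' or None."""
    dst = ipaddress.ip_address(flow["dst"])
    if flow["proto"] == PROTO_IPV6_IN_IPV4:
        # Protocol 41 to the anycast prefix is 6to4; elsewhere it is another IPv6-in-IPv4 tunnel.
        return "6to4" if dst in RELAY_ANYCAST_NET else "proto41"
    if flow["proto"] == PROTO_UDP and flow.get("dport") == TEREDO_PORT:
        return "teredo"
    return None

def tunnel_report(flows):
    """Sum bytes per (source, label) for flows that carry tunnelled IPv6."""
    totals = {}
    for flow in flows:
        label = classify(flow)
        if label:
            key = (flow["src"], label)
            totals[key] = totals.get(key, 0) + flow["bytes"]
    return totals

# Constructed sample records; all addresses except the relay are documentation ranges.
SAMPLE_FLOWS = [
    {"src": "198.51.100.90", "dst": "192.88.99.1", "proto": 41, "bytes": 1_670_000},
    {"src": "198.51.100.90", "dst": "192.88.99.1", "proto": 41, "bytes": 330_000},
    {"src": "198.51.100.206", "dst": "203.0.113.7", "proto": 17, "dport": 3544, "bytes": 4_200},
    {"src": "198.51.100.206", "dst": "203.0.113.9", "proto": 41, "bytes": 900},
    {"src": "198.51.100.90", "dst": "203.0.113.10", "proto": 6, "dport": 445, "bytes": 88_000},
]

if __name__ == "__main__":
    for (src, label), total in sorted(tunnel_report(SAMPLE_FLOWS).items()):
        print(f"{src:16} {label:8} {total:>10} bytes  6to4 prefix {sixto4_prefix(src)}")
```

A host that shows up under `6to4` here will normally also hold an IPv6 address inside the prefix printed in the last column, which is a quick way to confirm the tunnel adapter is the source.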