Monday, April 29, 2019

DMVPN Sanity Check

We received an alert from our security analyst that a certain external IP as source is traversing through our trusted network to various external destination IPs. Later we found out that this source IP is a router interface on one of the spokes used to build the DMVPN tunnel back to our data centers.

We have a couple of DMVPN Hubs, each located in a different data center. This particular spoke somehow is "trying" to communicate through port 500 (isakmp) to multiple external IPs on the internet. This external IP is not part of the encryption domain and should have been used only to build the tunnel, not to route its own traffic within our network.

Just wanted to see if anyone has seen this behavior before and what may be the next steps to troubleshoot this. Thanks!
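As an added illustration (not part of the original post), a check a defender could run over flow records from the inside firewall to separate the expected spoke-to-hub IKE exchange from the behavior described above: the spoke's tunnel-source address talking to anything that is not one of the hubs. All addresses, the hub/spoke inventory and the log format are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed inventory (RFC 5737 documentation ranges, not real addresses):
# tunnel-source (NBMA) addresses of the hubs in the data centers and of the spokes.
# IKE on UDP/500 (or UDP/4500 when NAT-T is in play) from a spoke's tunnel source
# is expected only towards a hub; anything else from that address is out of place.
HUB_NBMA = {ipaddress.ip_address("198.51.100.1"), ipaddress.ip_address("198.51.100.2")}
SPOKE_NBMA = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("203.0.113.11")}
IKE_PORTS = {500, 4500}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record (constructed format, not a vendor log)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                kv["proto"].lower(), int(kv["dport"]))


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a spoke tunnel-source address seen talking to a
    non-hub destination, or None when the flow is expected."""
    if flow.src not in SPOKE_NBMA or flow.dst in HUB_NBMA:
        return None  # not a spoke NBMA address, or the normal tunnel build-up to a hub
    if flow.proto == "udp" and flow.dport in IKE_PORTS:
        return "ike-from-spoke-nbma-to-non-hub"  # the symptom in the alert above
    return "spoke-nbma-routing-own-traffic"


def scan(lines) -> list:
    """Run every record through classify() and keep the ones that raise a finding."""
    findings = []
    for line in lines:
        reason = classify(parse_flow(line))
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample records: one expected spoke-to-hub IKE flow, one IKE attempt
# towards an unknown external peer, one ordinary internal host, one spoke NBMA
# address sourcing plain TCP through the trusted network.
SAMPLE_LOG = [
    "src=203.0.113.10 dst=198.51.100.1 proto=udp dport=500",
    "src=203.0.113.10 dst=192.0.2.77 proto=udp dport=500",
    "src=10.20.30.40 dst=192.0.2.77 proto=tcp dport=443",
    "src=203.0.113.11 dst=192.0.2.9 proto=tcp dport=443",
]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"{reason}: {line}")
```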
