IBM Support

QRadar: ICMP port unreachable messages are sent to syslog sources when the ECS is not running

Question & Answer


Question

On my network, I am seeing ICMP messages that seem to be coming from my QRadar appliance. What causes these ICMP packets?

Cause

When the Event Collection Server (ECS) is down, QRadar sends ICMP port unreachable messages back to the syslog sources. If there are enough log sources sending at a high rate, every event sent can trigger an ICMP port unreachable message for port 514 from the QRadar appliance.

Note: This issue would apply to any QRadar appliance that runs the Event Collection Server (ECS), such as 16xx Event Processors, 18xx Event/Flow Processors, 31xx Console appliances, or 15xx Event Collectors.

Answer

Port unreachable messages are expected: when ECS is not running, nothing is listening on port 514 on QRadar either. Each syslog datagram that arrives on the closed port is therefore answered by the QRadar operating system with an ICMP Destination Unreachable (Port Unreachable) message to the syslog source, as the RFC specification requires.

For more information on the ICMP port unreachable message, see the following website: http://www.wildpackets.com/resources/compendium/tcp_ip/unreachable
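As an added example (not from the IBM article or QRadar itself), the following Python parser shows why these messages are useful to a defender: an ICMP port unreachable error quotes the original IP header plus the first 8 bytes of the UDP header, so the log-source address and the destination port (514) can be recovered and the sources hitting a dead collector can be counted. Input is each ICMP message with its outer IP header already stripped; the addresses and ports in the sample are constructed.

```python
import socket
import struct
from collections import Counter

ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH = 3, 3   # type 3 / code 3
IPPROTO_UDP, SYSLOG_PORT = 17, 514

def parse_port_unreachable(icmp: bytes):
    """Parse one ICMPv4 message (outer IP header already stripped); return the
    quoted UDP datagram's src/dst/ports if it is a Port Unreachable error, else None."""
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_CODE_PORT_UNREACH:
        return None
    inner = icmp[8:]                       # quoted original IP header + first 8 payload bytes
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_UDP or len(inner) < ihl + 8:
        return None                        # only UDP datagrams get a port-unreachable reply
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport}

def sources_hitting_dead_syslog(messages) -> dict:
    """Count, per log-source IP, the quoted datagrams that targeted UDP/514."""
    hits = Counter()
    for m in messages:
        info = parse_port_unreachable(m)
        if info and info["dport"] == SYSLOG_PORT:
            hits[info["src"]] += 1
    return dict(hits)

def build_port_unreachable(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a sample ICMP error shaped as the collector's kernel would emit it:
    8-byte ICMP header, then the original IPv4 header and the 8-byte UDP header.
    ICMP/IP checksums are left zero; the parser above does not verify them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH, 0, 0) + ip_hdr + udp_hdr

# Constructed sample: two log sources send syslog to QRadar (192.0.2.10) while ECS is
# down; the last error quotes an unrelated port and must not be counted.
SAMPLE = [build_port_unreachable("198.51.100.7", "192.0.2.10", 40001, 514),
          build_port_unreachable("198.51.100.7", "192.0.2.10", 40002, 514),
          build_port_unreachable("198.51.100.9", "192.0.2.10", 5140, 514),
          build_port_unreachable("198.51.100.9", "192.0.2.10", 5000, 8080)]

if __name__ == "__main__":
    print(sources_hitting_dead_syslog(SAMPLE))   # {'198.51.100.7': 2, '198.51.100.9': 1}
```

A burst of such messages from a collector is a service-availability signal: check that ECS is running and listening on 514 rather than treating the ICMP traffic itself as the problem.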


Document Information

Modified date:
02 April 2020

UID

swg21963578