VPN client connections are logged as "Port Scan Attack!" on Symantec Firewall/VPN appliance

Article:TECH81181  |  Created: 2003-01-08  |  Updated: 2003-01-08  |  Article URL http://www.symantec.com/docs/TECH81181
Article Type
Technical Solution



You have a VPN client behind a firewall or home gateway (cable/DSL router) that cannot connect a VPN tunnel to a Symantec Enterprise Firewall/VPN (SFVPN) appliance. Connection attempts result in "Port Scan Attack!" messages in the SFVPN log. Log messages indicate that the offending packet arrived at port 500 on the SFVPN appliance from an ephemeral port (1024 through 65535) at the client's IP address. Dial-up connections from the same client computer can successfully connect. Other users may be able to connect successfully.


The SFVPN appliance can only establish VPN tunnels from a source port of 500 to a destination port of 500. This is not a limitation with Symantec Enterprise Firewall software (which can accept ephemeral source ports).

If the VPN client is behind another firewall or router, ensure that the device is not acting as a proxy for the UDP 500 connections. The VPN client must maintain the source port of 500 throughout the connection attempt to the SFVPN. If the SFVPN does not see a connection from port 500 to port 500, it regards the packet as an illegal connection attempt and logs a "Port Scan Attack!!" message.

Maintaining the client source port is typically done for home gateways or routers by enabling the IPSec Passthrough option within the device's configuration. However, refer to your device's literature or support documentation for proper configuration for this situation.

Legacy ID


Article URL http://www.symantec.com/docs/TECH81181

Terms of use for this information are found in Legal Notices