X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C894F1.D9A37F20@onstor-exch02.onstor.net>; Wed, 2 Apr 2008 11:46:23 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
Subject: RE: nfxnis_rcvPortmapResponse
Date: Wed, 2 Apr 2008 11:46:23 -0700
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E09321C9A@onstor-exch02.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E09321C7A@onstor-exch02.onstor.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: nfxnis_rcvPortmapResponse
Thread-Index: AciU7PpQgTqJvoBeTcutV43b/VBUNwAAInyQAABwwFAAAJk2gA==
References: <BB375AF679D4A34E9CA8DFA650E2B04E09321C22@onstor-exch02.onstor.net><BB375AF679D4A34E9CA8DFA650E2B04E09321C36@onstor-exch02.onstor.net> <20080402111130.12f454d8@ripper.onstor.net> <BB375AF679D4A34E9CA8DFA650E2B04E09321C62@onstor-exch02.onstor.net> <BB375AF679D4A34E9CA8DFA650E2B04E09321C7A@onstor-exch02.onstor.net>
From: "Eric Barrett" <eric.barrett@onstor.com>
To: "Doug Cook" <doug.cook@onstor.com>,
	"Maxim Kozlovsky" <maxim.kozlovsky@onstor.com>,
	"Andy Sharp" <andy.sharp@onstor.com>
Cc: "Rich LaReau" <rich.lareau@onstor.com>,
	"dl-cstech" <dl-cstech@onstor.com>

I have seen this at lots of customer sites going way back.  I think it
boils down to either a bug in our request tracking or a bug in some
versions of Solaris NIS (highly probable).  No customer I was working
with ever cared to track it down, and it always seemed harmless except
for the elog spam.


-----Original Message-----
From: Doug Cook=20
Sent: Wednesday, April 02, 2008 11:28 AM
To: Maxim Kozlovsky; Andy Sharp
Cc: Rich LaReau; dl-cstech
Subject: RE: nfxnis_rcvPortmapResponse

Could this boil down to duplicate IP addresses?  One machine is making a
request and we are getting the answer?

-----Original Message-----
From: Maxim Kozlovsky=20
Sent: Wednesday, April 02, 2008 2:17 PM
To: Andy Sharp
Cc: Rich LaReau; dl-cstech
Subject: RE: nfxnis_rcvPortmapResponse

It is unlikely as that machine does try to send a response and uses
source port 111. This sounds more like a Mac with some buggy software.
However anything is possible.

>-----Original Message-----
>From: Andy Sharp
>Sent: Wednesday, April 02, 2008 11:12 AM
>To: Maxim Kozlovsky
>Cc: Rich LaReau; dl-cstech
>Subject: Re: nfxnis_rcvPortmapResponse
>
>Is it possible that it's some virus laden Windows machine (ok, that was
>trite) that is trying to break into machines on its network via some
>sort of portmapper exploit?  I assume we don't filter out portmapper
>requests from IP addresses that are not configured as NIS servers.
>
>Cheers,
>
>a
>
>On Wed, 2 Apr 2008 10:59:49 -0700 "Maxim Kozlovsky"
><maxim.kozlovsky@onstor.com> wrote:
>
>> Hi Rich,
>>
>> This error means that we received a portmap response from NIS server,
>> but we don't have a request that is currently executed against this
>> NIS server. If this happens repeatedly there may be something wrong
>> with their NIS. Try to gather a trace between the filer and the IP
>> given in the error message, this may explain what is going on.
>>
>> Max
>>
>> >-----Original Message-----
>> >From: Rich LaReau
>> >Sent: Wednesday, April 02, 2008 10:52 AM
>> >To: dl-cstech
>> >Subject: nfxnis_rcvPortmapResponse
>> >
>> >
>> >This error fills the logs at one site.  I couldn't find a reference
>> >to
>> it
>> >anywhere, could somebody interpret it for me please?  Is see that
>> >port
>> 111
>> >is sunrpc-- is it jus some kind of scanning process?
>> >
>> >
>> >Apr  2 03:00:11 fss-pnasgw1 : 0:0:ea:ERROR:
>> >nfxnis_rcvPortmapResponse: Portmap Resp [xid=3D0x8b4f4403] from
>> >ip=3D143.199.103.10 port=3D111. NO
>> Request
>> >for VS=3D3.
>> >
>> >Thanks,
>> >Rich
