One of our SRX1500 firewalls is generating these messages every 20-90 seconds:
Dec 16 10:11:15 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one alter_context message with encrypted pdu body from à^\^Kp^A/16602 to /34560, bypass it.
Dec 16 10:11:15 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one bind message with encrypted pdu body from À½^Kp^A/16602 to /34560, bypass it.
Dec 16 10:11:15 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one request message with encrypted pdu body from ^Pù^Kp^A/16602 to /34560, bypass it.
Dec 16 10:11:57 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one bind message with encrypted pdu body from Àò^Up^A/18138 to /34560, bypass it.
Dec 16 10:11:57 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one request message with encrypted pdu body from ð×^Up^A/18138 to /34560, bypass it.
Dec 16 10:11:57 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one alter_context message with encrypted pdu body from ÐM^Up^A/18138 to /34560, bypass it.
Does anyone know what might be causing this?
The only thing I've redacted in the above messages is the hostname. Otherwise, this is exactly what is in the syslog messages. The IP addresses appear to be screwed up in the messages. They are always in groups of three but not always in the same order (bind, request, alter_context). The destination port is always 34560.
------------------------------
JEFFREY VICKERS
------------------------------
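
An added example (not part of the original post and not Juniper tooling) for checking the pattern described above: it parses the quoted RT_ALG_NTC_PKT_MALFORMED lines, groups them by timestamp and source port, collects the destination ports, and counts lines whose address fields do not parse as IP addresses. The sample is constructed from the six messages in the post; the function names `is_ip` and `summarize` are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the six messages quoted in the post ("hostname" is the
# poster's redaction; the garbled address fields are kept in caret notation).
SAMPLE = r"""
Dec 16 10:11:15 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one alter_context message with encrypted pdu body from à^\^Kp^A/16602 to /34560, bypass it.
Dec 16 10:11:15 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one bind message with encrypted pdu body from À½^Kp^A/16602 to /34560, bypass it.
Dec 16 10:11:15 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one request message with encrypted pdu body from ^Pù^Kp^A/16602 to /34560, bypass it.
Dec 16 10:11:57 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one bind message with encrypted pdu body from Àò^Up^A/18138 to /34560, bypass it.
Dec 16 10:11:57 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one request message with encrypted pdu body from ð×^Up^A/18138 to /34560, bypass it.
Dec 16 10:11:57 hostname junos-alg: RT_ALG_NTC_PKT_MALFORMED: MSRPC ALG received one alter_context message with encrypted pdu body from ÐM^Up^A/18138 to /34560, bypass it.
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ junos-alg: RT_ALG_NTC_PKT_MALFORMED: "
    r"MSRPC ALG received one (?P<pdu>\w+) message with encrypted pdu body "
    r"from (?P<src>.*?)/(?P<sport>\d+) to (?P<dst>.*?)/(?P<dport>\d+), bypass it\.$"
)

def is_ip(field):
    """True only if the logged address field parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False

def summarize(text):
    """Group matching lines by (timestamp, source port); collect dst ports and bad addresses."""
    groups = defaultdict(list)
    dports, bad_addr = set(), 0
    # split("\n"), not splitlines(): raw control bytes such as 0x0b or 0x1c in a
    # corrupted field would otherwise be treated as line breaks.
    for line in text.split("\n"):
        m = LINE.match(line.strip())
        if not m:
            continue
        groups[(m["ts"], int(m["sport"]))].append(m["pdu"])
        dports.add(int(m["dport"]))
        bad_addr += not (is_ip(m["src"]) and is_ip(m["dst"]))
    return dict(groups), dports, bad_addr

if __name__ == "__main__":
    groups, dports, bad_addr = summarize(SAMPLE)
    for (ts, sport), pdus in groups.items():
        print(ts, sport, sorted(pdus))
    print("destination ports:", sorted(dports), "| unparseable address lines:", bad_addr)
```
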