Phantom ICMP Packets

entaadmin
Level 1

I am trying to clean up some items on my network, and I noticed this under my realtime log viewer. An IP address, 10.10.10.158 (old Citrix Web Interface server), has been turned off for 3 months, and I'm seeing this packet transferred every 3-5 seconds. It is always a Built ICMP followed by a Teardown. The IP it's going to (10.10.11.28), which is on, is a Citrix NetScaler.

Does anyone have any ideas how I can track down these requests coming from this server that is turned off?

Feb 19 2009 09:59:19 302020 10.10.10.158 0 10.10.11.28 7168 Built outbound ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168


joe19366
Level 1

how about a "clear xlate" on that firewall!

-Joe

I have very little experience with Cisco or IOS. What does the clear xlate command do and how could it adversely affect our network?

Hi Cody,

Can you do a packet capture on the interface that the source is behind? The capture will give you the MAC address of the source host and this might give you some insight into where the packet is coming from. Your capture might look something like this:

ASA(config)# access-list cap-acl permit icmp host 10.10.10.158 host 10.10.11.28

ASA(config)# capture cap1 access-list cap-acl interface packet-length 1518

You can watch the progress of the capture with the 'show capture' command. If you have HTTP access to the firewall enabled, simply browse to https:///capture/cap1/pcap to download the capture file that you can then open in Wireshark to see the MAC address of the packet.

Hope that helps.

-Mike
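The MAC lookup described in the reply above, as an added example that is not part of the original thread: a Python function that reads a downloaded capture and counts ICMP packets between the two addresses by source MAC and direction. It assumes a classic libpcap file with untagged Ethernet frames; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import socket
import struct
from collections import Counter

def icmp_sources(pcap_bytes, host_a, host_b):
    """Count (src MAC, src IP, dst IP) for ICMP packets between two hosts."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"   # file written little-endian
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"   # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    pair, seen, offset = {host_a, host_b}, Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        # Per-packet record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Need Ethernet (14) + IPv4 header (20); skip anything that is not IPv4
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        if frame[23] != 1:   # IPv4 protocol field, 1 = ICMP
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        if {src, dst} == pair:
            seen[(frame[6:12].hex(":"), src, dst)] += 1
    return seen

def _frame(src_mac, src_ip, dst_ip, proto=1):
    # Constructed frame: zero dst MAC, given src MAC, IPv4 header, 8 payload bytes
    eth = bytes(6) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + bytes(8)

def sample_pcap():
    # Constructed capture, not data from the thread
    frames = [_frame("02000000001c", "10.10.11.28", "10.10.10.158"),
              _frame("02000000001c", "10.10.11.28", "10.10.10.158"),
              _frame("02000000009e", "10.10.10.158", "10.10.11.28"),
              _frame("02000000001c", "10.10.11.28", "10.10.10.158", proto=6),
              _frame("020000000005", "10.10.10.5", "10.10.11.28")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1518, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

A source MAC that differs from the one recorded for the decommissioned server means another device is using or answering for that address.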

Do I have to turn off the capture once it's complete?

I ran the capture, and also on the entire DMZ and Internal interface... no traces of these IPs in the packet capture....

I noticed these two are repeatedly showing up in ARP broadcasts. Would that cause this type of traffic?
