02-19-2009 09:09 AM - edited 03-11-2019 07:53 AM
I am trying to clean up some items on my network, and I noticed this under my realtime log viewer. An IP address 10.10.10.158 (old Citrix Web interface server) has been turned off for 3 months, and I'm seeing this packet transferred every 3-5 seconds. It is always a built ICMP followed by a Teardown. The IP it's going to (10.10.11.28) (which is on) is a Citrix netscaler.
Does anyone have any ideas how I can track down these requests coming from this server that is turned off?
Feb 19 2009 09:59:19 302020 10.10.10.158 0 10.10.11.28 7168 Built outbound ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168
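Added example, not part of any post in this thread: a Python script that parses rows in the log-viewer layout quoted in the question and reports, per faddr/laddr pair, how many ICMP connections were built and torn down, the direction keyword, and the seconds between builds. Only the first sample row comes from the thread; the other rows (including the 302021 teardown rows and the TCP row with its interface names) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Rows in the viewer layout from the question: date, time, message id, columns, text.
# Only the first row is from the thread; the others are constructed sample data.
SAMPLE = """\
Feb 19 2009 09:59:19 302020 10.10.10.158 0 10.10.11.28 7168 Built outbound ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168
Feb 19 2009 09:59:19 302021 10.10.10.158 0 10.10.11.28 7168 Teardown ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168
Feb 19 2009 09:59:23 302020 10.10.10.158 0 10.10.11.28 7168 Built outbound ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168
Feb 19 2009 09:59:23 302021 10.10.10.158 0 10.10.11.28 7168 Teardown ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168
Feb 19 2009 09:59:24 302013 192.0.2.10 1025 10.10.11.28 443 Built inbound TCP connection 1 for outside:192.0.2.10/1025 (192.0.2.10/1025) to dmz:10.10.11.28/443 (10.10.11.28/443)
Feb 19 2009 09:59:26 302020 10.10.10.158 0 10.10.11.28 7168 Built outbound ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168
"""

ROW = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<msgid>30202[01]) .*?"
    r"(?:Built (?P<direction>inbound|outbound)|Teardown) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fid>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gid>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lid>\d+)")

def parse_rows(text):
    """Return one dict per ICMP built/teardown row; all other rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%b %d %Y %H:%M:%S")
            rows.append(row)
    return rows

def summarise(rows):
    """Per (faddr, laddr): built/teardown counts, directions, seconds between builds."""
    out = defaultdict(lambda: {"built": 0, "teardown": 0, "directions": set(), "gaps": [], "last": None})
    for r in sorted(rows, key=lambda r: r["ts"]):
        s = out[(r["faddr"], r["laddr"])]
        if r["msgid"] == "302020":
            s["built"] += 1
            s["directions"].add(r["direction"])
            if s["last"] is not None:
                s["gaps"].append(int((r["ts"] - s["last"]).total_seconds()))
            s["last"] = r["ts"]
        else:
            s["teardown"] += 1
    return dict(out)

if __name__ == "__main__":
    for pair, s in summarise(parse_rows(SAMPLE)).items():
        print(pair, s["built"], s["teardown"], sorted(s["directions"]), s["gaps"])
```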
02-19-2009 09:39 AM
how about a "clear xlate" on that firewall!
-Joe
02-19-2009 10:32 AM
I have very little experience with Cisco or IOS. What does the clear xlate command do and how could it adversely affect our network?
02-19-2009 10:03 AM
Hi Cody,
Can you do a packet capture on the interface that the source is behind? The capture will give you the MAC address of the source host and this might give you some insight into where the packet is coming from. Your capture might look something like this:
ASA(config)# access-list cap-acl permit icmp host 10.10.10.158 host 10.10.11.28
ASA(config)# capture cap1 access-list cap-acl interface
You can watch the progress of the capture with the 'show capture' command. If you have HTTP access to the firewall enabled, simply browse to https://
Hope that helps.
-Mike
02-19-2009 10:34 AM
Do I have to turn off the capture once it's complete?
02-19-2009 11:07 AM
I ran the capture, and also on the entire DMZ and Internal interface... no traces of these IPs in the packet capture....
02-19-2009 11:14 AM
I noticed these two are repeatedly showing up in arp broadcasts, would that cause this type of traffic?