SG300-10 weird pings

spartan1833
Level 1

Hi,

I have a SG300-10 in layer 3 mode attached to a Fortinet firewall (FG). The Fortinet syslog is reporting repeated traffic violations with the following info:

src: << IP of the interface that the SG is attached to >>

dst: << IP of system connected to another interface within the same VLAN on the FG >>

src port: 0

dst port: 1281

service: 5/1/icmp

The traffic is dropped as it is not authorized traffic but I'm wondering what this is... Googling the dst port came up with "healthd" but not sure how that plays into this connection - does the SG use healthd? I have not found any system behind the SG that can be pinned as the source and the ACL/ACEs on the SG are very strict (only allows tcp port 443 from systems behind the SG) so any help here would be appreciated... it's really loading up my syslog.

Thanks...

2 Replies

rmanthey
Level 4

Hello Ed S.

You could try a packet capture to verify the source and destination MAC.

Hope this helps.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Thanks but figured it out with a little more research - turns out it was the FG trying to tell the other system (not the SG) that there was a "faster" route to a resource behind the SG. Since the traffic was blocked by access rules on the other system it never got the message. Wouldn't have mattered anyway as everything is static routes.

The icmp #5 was the clue - ICMP redirect notification. Believe it or not, found the answer on a 5-year-old MSOFT KB Article: http://support.microsoft.com/kb/195686. Once I added a static route to the other system, telling it to send the traffic in question directly to the SG, the messages went away.

Thanks anyway - appreciate the quick reply...
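
The log fields in this thread line up with an ICMP redirect (type 5, code 1), and 1281 is 5×256+1, so the "dst port" looks like the type/code pair rather than a real port. The following is an added example, not code from the thread or from either vendor: it decodes that value and parses a redirect message per RFC 792 to show which gateway the sender is advertising and for which destination. The port encoding is an assumption inferred from the numbers in the post, and the packet is constructed with documentation addresses.

```python
import ipaddress
import struct

REDIRECT_CODES = {0: "network", 1: "host", 2: "ToS+network", 3: "ToS+host"}

def port_to_icmp(port):
    # Assumption: the log's 16-bit "port" holds ICMP type (high byte), code (low byte).
    return port >> 8, port & 0xFF

def inet_checksum(data):
    # RFC 1071 one's-complement sum; a valid ICMP message sums to 0.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp):
    # RFC 792 layout: type, code, checksum, gateway, original IP header + 8 bytes.
    if len(icmp) < 28:
        raise ValueError("too short for an ICMP redirect")
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect (type %d)" % icmp_type)
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        raise ValueError("malformed embedded IPv4 header")
    return {
        "kind": REDIRECT_CODES.get(code, "unknown"),
        "checksum_ok": inet_checksum(icmp) == 0,
        "use_gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "told_host": str(ipaddress.IPv4Address(inner[12:16])),
        "for_destination": str(ipaddress.IPv4Address(inner[16:20])),
    }

def build_sample():
    # Constructed packet using documentation addresses (RFC 5737), not from the thread.
    host, dest, gw = (ipaddress.IPv4Address(a).packed
                      for a in ("192.0.2.50", "198.51.100.10", "192.0.2.2"))
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, host, dest)
    body = gw + inner + struct.pack("!HHI", 49152, 443, 0)
    cksum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, cksum) + body

if __name__ == "__main__":
    print(port_to_icmp(1281))
    print(parse_redirect(build_sample()))
```

Fed the ICMP payload from a packet capture, `parse_redirect` names the host being redirected and the gateway it is being pointed at, which identifies where a static route or a redirect setting needs attention.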
