Cisco Support Community
New Member

Phantom ICMP Packets

I am trying to clean up some items on my network, and I noticed this under my realtime log viewer. An IP address, 10.10.10.158 (old Citrix Web Interface server), has been turned off for 3 months, and I'm seeing this packet transferred every 3-5 seconds. It is always a Built ICMP followed by a Teardown. The IP it's going to (10.10.11.28), which is on, is a Citrix NetScaler.

Does anyone have any ideas how I can track down these requests coming from this server that is turned off?

Feb 19 2009 09:59:19 302020 10.10.10.158 0 10.10.11.28 7168 Built outbound ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168

6 REPLIES
joe Bronze

Re: Phantom ICMP Packets

How about a "clear xlate" on that firewall!

-Joe

New Member

Re: Phantom ICMP Packets

I have very little experience with Cisco or IOS. What does the clear xlate command do and how could it adversely affect our network?

Re: Phantom ICMP Packets

Hi Cody,

Can you do a packet capture on the interface that the source is behind? The capture will give you the MAC address of the source host and this might give you some insight into where the packet is coming from. Your capture might look something like this:

ASA(config)# access-list cap-acl permit icmp host 10.10.10.158 host 10.10.11.28

ASA(config)# capture cap1 access-list cap-acl interface <interface-name> packet-length 1518

You can watch the progress of the capture with the 'show capture' command. If you have HTTP access to the firewall enabled, simply browse to https://<firewall-address>/capture/cap1/pcap to download the capture file that you can then open in Wireshark to see the MAC address of the packet.

Hope that helps.

-Mike
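The Wireshark step described above can also be scripted. This added example (not from the original post or any Cisco tooling) reads a downloaded capture and reports the source MAC address for ICMP in either direction between the two addresses in the thread, which shows which host actually originates the traffic. It assumes a classic-format pcap with Ethernet framing; the function names and the sample capture, including its MAC address, are constructed for illustration.

```python
import struct
from collections import Counter

HOSTS = {"10.10.10.158", "10.10.11.28"}  # the two addresses from the thread

def icmp_sources(pcap: bytes, hosts=HOSTS) -> Counter:
    """Count (src MAC, src IP, dst IP, ICMP type) for ICMP between the hosts."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, ARP, VLAN-tagged or otherwise not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 1 or len(ip) <= ihl:
            continue  # not ICMP, or ICMP header cut off
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        if {src, dst} == set(hosts):
            mac = ":".join(f"{b:02x}" for b in frame[6:12])
            seen[(mac, src, dst, ip[ihl])] += 1  # type 8 = echo request
    return seen

def make_frame(src_mac: str, src: str, dst: str, icmp_type: int) -> bytes:
    """Build one constructed Ethernet/IPv4/ICMP frame for the sample capture."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = (bytes([0x45, 0]) + struct.pack(">H", 28) + bytes(4) + bytes([64, 1, 0, 0])
          + bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))))
    return eth + ip + bytes([icmp_type, 0]) + bytes(6)

def sample_pcap() -> bytes:
    """Constructed capture: three echo requests plus one unrelated ARP frame."""
    frames = [make_frame("02:00:00:00:0b:1c", "10.10.11.28", "10.10.10.158", 8)] * 3
    frames.append(bytes(12) + b"\x08\x06" + bytes(28))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (mac, src, dst, t), n in icmp_sources(sample_pcap()).items():
        print(f"{n} x ICMP type {t}: {src} -> {dst} from MAC {mac}")
```

To use it on a real capture, pass the bytes of the downloaded file to `icmp_sources()` and look the reported MAC up in the switch's MAC address table.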

New Member

Re: Phantom ICMP Packets

Do I have to turn off the capture once it's complete?

New Member

Re: Phantom ICMP Packets

I ran the capture, and also on the entire DMZ and Internal interface... no traces of these IPs in the packet capture....

New Member

Re: Phantom ICMP Packets

I noticed these two are repeatedly showing up in ARP broadcasts, would that cause this type of traffic?
