It's very possible that someone is crafting IP packets and sending them out on your network.
Another possible explanation is that there is a misconfigured device that is sending traffic to the addresses you specified.
If you use a sniffer you might be able to better track down which host it is that is doing so. You could also try to learn what the MAC address is and search for which machine is sending out the traffic by looking through the CAM tables on your switches.
The 1206 alarm is for fragments that are too small, and 1208 alarm is for datagrams where not all of the fragments have been seen.
If 1206 fires for the 2nd or later fragment in the datagram then it is possible that the sensor has not yet seen the first fragment of the datagram. Or in the case of 1208 it may be the first fragment that was not seen by the sensor.
The sensor fills in the Source and Destination IP Addresses from the information in the first fragment. So if the first fragment is not seen then the sensor has not filled in these fields. So what happens is that sensor just grabs the junk data that was in memory and you wind up with IP Addresses that don't match real packets.
This is a bug in the sensor. The 2nd and following fragments have the source and dest ip addresses and the sensor should have been filling in those fields.
So with 1206 and 1208 it is possible to see incorrect IPs in the alarms when the first fragment is dropped or not yet seen.
Another possibility is that someone is using tcpreplay or another tool and replaying packets on the network that were collected from other networks. The replayed data may be from a network with those addresses.
So I would suggest using tcpdump or another sniffer to look for these addresses on your network. If you don't find any packets then it is most likely a first fragment dropped problem.
If you only get a few of these every now and then; it may be nothing to worry about.
If you are seeing this often then it is possible that the sensor is dropping packets.
The sensor may be oversubscribed and not be able to capture and analyze all of the packets and dropping some of the fragments.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :