https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149081#M876087 <HTML><HEAD></HEAD><BODY><P>I ran the capture, and also on the entire DMZ and Internal interface... no traces of these IPs in the packet capture....</P></BODY></HTML> Thu, 19 Feb 2009 19:07:21 GMT entaadmin 2009-02-19T19:07:21Z https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149076#M876066 <P>I am trying to clean up some items on my network, and I noticed this under my realtime log viewer. A IP address 10.10.10.158 (old Citrix Web interface server) has been turned off for 3 months, and I'm seeing this packet transfered every 3-5 seconds It is always a built ICMP followed by a Teardown. The IP its going to (10.10.11.28) (which is on) is a Citrix netscaler. </P><P></P><P>Does anyone have any ideas how I can track down these requests coming from this server that is turned off?</P><P></P><P></P><P>Feb 19 2009 09:59:19 302020 10.10.10.158 0 10.10.11.28 7168 Built outbound ICMP connection for faddr 10.10.10.158/0 gaddr 10.10.11.28/7168 laddr 10.10.11.28/7168</P> Mon, 11 Mar 2019 14:53:26 GMT https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149076#M876066 entaadmin 2019-03-11T14:53:26Z https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149077#M876069 <HTML><HEAD></HEAD><BODY><P>how about a "clear xlate" on that firewall!</P><P></P><P>-Joe</P></BODY></HTML> Thu, 19 Feb 2009 17:39:46 GMT https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149077#M876069 joe19366 2009-02-19T17:39:46Z https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149078#M876077 <HTML><HEAD></HEAD><BODY><P>Hi Cody,</P><P></P><P>Can you do a packet capture on the interface that the source is behind? The capture will give you the MAC address of the source host and this might give you some insight into where the packet is coming from. Your capture might look something like this:</P><P></P><P>ASA(config)# access-list cap-acl permit icmp host 10.10.10.158 host 10.10.11.28</P><P>ASA(config)# capture cap1 access-list cap-acl interface <INT_NAME> packet-length 1518</INT_NAME></P><P></P><P>You can watch the progress of the capture with the 'show capture' command. If you have HTTP access to the firewall enabled, simply browse to <A class="jive-link-custom" href="https://" target="_blank">https://</A><ASA_IP>/capture/cap1/pcap to download the capture file that you can then open in Wireshark to see the MAC address of the packet.</ASA_IP></P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Thu, 19 Feb 2009 18:03:33 GMT https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149078#M876077 robertson.michael 2009-02-19T18:03:33Z https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149079#M876080 <HTML><HEAD></HEAD><BODY><P>I have very little experiance with Cisco or IOS. What does the clear xlate command do and how could it adversly affect our network?</P></BODY></HTML> Thu, 19 Feb 2009 18:32:48 GMT https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149079#M876080 entaadmin 2009-02-19T18:32:48Z https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149080#M876082 <HTML><HEAD></HEAD><BODY><P>Do I have to turn off the capture once its complete?</P></BODY></HTML> Thu, 19 Feb 2009 18:34:35 GMT https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149080#M876082 entaadmin 2009-02-19T18:34:35Z https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149081#M876087 <HTML><HEAD></HEAD><BODY><P>I ran the capture, and also on the entire DMZ and Internal interface... no traces of these IPs in the packet capture....</P></BODY></HTML> Thu, 19 Feb 2009 19:07:21 GMT https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149081#M876087 entaadmin 2009-02-19T19:07:21Z https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149082#M876090 <HTML><HEAD></HEAD><BODY><P>I noticed these two are repeatly showing up in arp broadcasts, would that cause this type of traffic?</P></BODY></HTML> Thu, 19 Feb 2009 19:14:51 GMT https://community.cisco.com/t5/network-security/phantom-icmp-packets/m-p/1149082#M876090 entaadmin 2009-02-19T19:14:51Z