topic C8200L contacting malicious IPs in Wireless

C8200L contacting malicious IPs

CRG_Defense_IT_Team — Fri, 10 Apr 2026 18:35:44 GMT

We have a C8200L on our network and the FortiGate 200F firewall has begun putting the C8200L into quarantine and blocking any access. The FortiGate syslog show the C8200L srcip trying to contact several known malicious IPs. dstinf=unknown-0 action=deny service=icmp/3/13 dstcountry=Netehrlands message="no protocol tuple found, drop."

Is the C8200L infected or could something else be going on? Should it be rebuilt from Factory Default? Thank you.

Re: C8200L contacting malicious IPs

aleabrahao — Fri, 10 Apr 2026 19:18:24 GMT

It's highly unlikely that the C8200L itself is "infected."

What you're seeing is almost always misattributed or misleading traffic.

The ICMP messages about an unreachable IP address are responses from the control plane, not proof of compromise.

What leads you to believe that these are suspicious IPs?

Re: C8200L contacting malicious IPs

CRG_Defense_IT_Team — Sun, 12 Apr 2026 16:49:41 GMT

Glad to hear that the C8200L may not be infected. Some of the IP which seem to trigger the quarantine are:: 91.196.152.12 (Onyphe Bot), 137.184.105.192 , 45.156.129.54. When I look them up they are reported on "Abuse" websites.

Could the FortiGate firewall be responding to one of the addresses above probing the C8200L, and since the IP doesn't get through, responding 6 seconds later to a "dead" session? Thanks.

Thanks.

Re: C8200L contacting malicious IPs

Stefan Mihajlov — Sun, 12 Apr 2026 17:45:05 GMT

@CRG_Defense_IT_Team did u tr to applay no ip unreachables cmd on ur outside-faicing int?

Re: C8200L contacting malicious IPs

CRG_Defense_IT_Team — Mon, 13 Apr 2026 18:25:37 GMT

There's not an exact equivalent of no ip unreachable on the FortiGate, but great idea. Thank you. At this time, we believe the problem is the way the Check Quarantine Trigger in the Automation Stitches in the FortiGate firewall see the C8200L and applies a quarantine to the C8200L's MAC on the FortiSwitch port. Thanks for all the ideas.

Re: C8200L contacting malicious IPs

Rich R — Sun, 19 Apr 2026 22:28:19 GMT

@CRG_Defense_IT_Team
> icmp/3/13
https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes-3
Type 3 — Destination Unreachable
13 Communication Administratively Prohibited [RFC1812]

This is the C8200L replying to probes from your suspicious IPs. @Stefan Mihajlov suggestion is a good start. The fact that you don't already have this configured suggests you have not followed standard good practice for a router which is exposed to the internet.
Take a look at https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

What would worry me though is if this router is behind a firewall already - why is the firewall allowing the suspicious IPs from the internet to attack the router? I think you have a much bigger problem than just those logs - maybe somebody configured "permit ip any any" inbound from the internet on the firewall?

Re: C8200L contacting malicious IPs

CRG_Defense_IT_Team — Mon, 20 Apr 2026 14:01:27 GMT

I need to change my email to sysadmins@crgrp.com to make sure our Network Admin is getting these messages also.

Re: C8200L contacting malicious IPs

Mark Elsen — Mon, 20 Apr 2026 14:07:50 GMT

- @CRG_Defense_IT_Team It's connected to your cisco profile and therefore cannot be done
instantaneously ; contact brodavie@cisco.com (commmunity manager) for more info