cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
445
Views
0
Helpful
5
Replies

SG550X-24 Unhandled Internal Packet

net tech
Level 1
Level 1

Hi,

We are using Cisco SG550X-24 (fw 2.5.0.83) at our remote office. A firewall report for Top Blocked Clients is showing SG550X-24 at the top with 5,004 hits every 24 hours. When looking at the firewall logs closer we are seeing the same pattern every min. 
Switch management IP 10.1.1.2
Firewall 10.1.1.1 

10.1.1.2 - > 10.1.1.1  HTTPS/TCP
10.1.1.2 - > 10.1.1.1  HTTP/TCP
10.1.1.2 - > 10.1.1.1  ICMP 

The only reference to 10.1.1.1 in the switch config is "ip default-gateway 10.1.1.1"

Does anybody know why SG550X-24 is constantly sending HTTPS, HTTP and ICMP packets to the firewall?

Thanks 

 

5 Replies 5

Hi @net tech 

 Do you guys access the switch using web interface? or have any tools managing the switch remotely? That could be one reason

Yes, we access the switch via the WEB interface, but not every minute. PRTG is pinging the switch every 5 min and switch is sending sFlows to PRTG. 

Wondering if the switch itself has some kind of keep alive check for the configured default gateway it has?

I took a look on the switch config and documentation and I failed to find anything related to probe using any protocol.

I dont believe this is available. One test you could do is, using local access via console, disable the HTTP/HTTPS access and monitor the traffic.

Firewall logs 

2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 https/tcp 40123 443 Management Firebox Denied 44 54 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 6 S 1525599705 win 4" Traffic


2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 http/tcp 40123 80 Management Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 40 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 0 win 4" Traffic


2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 icmp Management Firebox Denied 40 39 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic

 

I should add that ICMP is a type 13 packet (Timestamp request)

Internet Control Message Protocol
Type: 13 (Timestamp request)
Code: 0
Checksum: 0xf0d2 [correct]
[Checksum Status: Good]
Identifier (BE): 557 (0x022d)
Identifier (LE): 11522 (0x2d02)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Originate timestamp: 0 (0 seconds after midnight UTC)
Receive timestamp: 0 (0 seconds after midnight UTC)
Transmit timestamp: 0 (0 seconds after midnight UTC)