07-09-2023 12:49 PM
Hi,
We are using a Cisco SG550X-24 (fw 2.5.0.83) at our remote office. A firewall report for Top Blocked Clients is showing the SG550X-24 at the top with 5,004 hits every 24 hours. When looking at the firewall logs more closely we are seeing the same pattern every minute.
Switch management IP 10.1.1.2
Firewall 10.1.1.1
10.1.1.2 -> 10.1.1.1 HTTPS/TCP
10.1.1.2 -> 10.1.1.1 HTTP/TCP
10.1.1.2 -> 10.1.1.1 ICMP
The only reference to 10.1.1.1 in the switch config is "ip default-gateway 10.1.1.1"
Does anybody know why SG550X-24 is constantly sending HTTPS, HTTP and ICMP packets to the firewall?
Thanks
07-09-2023 01:40 PM
Hi @net tech
Do you guys access the switch using the web interface, or have any tools managing the switch remotely? That could be one reason.
07-09-2023 04:21 PM
Yes, we access the switch via the web interface, but not every minute. PRTG is pinging the switch every 5 min and the switch is sending sFlow to PRTG.
Wondering if the switch itself has some kind of keep alive check for the configured default gateway it has?
07-09-2023 05:48 PM - edited 07-09-2023 05:48 PM
I took a look at the switch config and documentation and I failed to find anything related to probing using any protocol.
I don't believe this is available. One test you could do is, using local access via console, disable the HTTP/HTTPS access and monitor the traffic.
07-09-2023 07:07 PM
Firewall logs
2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 https/tcp 40123 443 Management Firebox Denied 44 54 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 6 S 1525599705 win 4" Traffic
2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 http/tcp 40123 80 Management Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 40 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 0 win 4" Traffic
2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 icmp Management Firebox Denied 40 39 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
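The three log lines above form one repeating set, and the useful thing for a defender is to confirm that the set really recurs minute after minute rather than eyeballing a 5,000-line report. The following Python script is an added example, not code from this thread or from Cisco or WatchGuard: it parses the Firebox "Traffic" line layout as quoted above (the regex is written against those three lines only and is an assumption for any other message type), reduces each denied packet to a stable signature (protocol, destination port, TCP flags), and reports source/destination pairs whose signature set is identical in several distinct minutes. The sample log is the thread's three lines plus constructed copies for the following two minutes and one constructed unrelated deny.

```python
import re
from collections import defaultdict

# Field layout observed in the Firebox "Traffic" lines quoted in the thread
# (assumption: other Firebox message types may differ).
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) '
    r'(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) '
    r'(?P<svc>[\w-]+)(?:/(?P<proto>\w+))?'      # "https/tcp" or bare "icmp"
    r'(?: (?P<sport>\d+) (?P<dport>\d+))? '     # ports only for tcp/udp
    r'(?P<rest>.*)$'
)
# tcp_info="offset 6 S 1525599705 win 4"  -> flags field is the single letter
TCP_INFO_RE = re.compile(r'tcp_info="offset \d+ (?P<flags>\S+) \d+ win \d+"')

# Constructed sample: the thread's three lines at 22:02, then the same set at
# 22:03 and 22:04 with different sequence numbers, plus one unrelated deny.
SAMPLE_LOG = [
    '2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 https/tcp 40123 443 Management Firebox Denied 44 54 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 6 S 1525599705 win 4" Traffic',
    '2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 http/tcp 40123 80 Management Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 40 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 0 win 4" Traffic',
    '2023-07-09 22:02:56 Deny 10.1.1.2 10.1.1.1 icmp Management Firebox Denied 40 39 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic',
    '2023-07-09 22:02:57 Deny 10.1.1.50 10.1.1.1 https/tcp 51000 443 Management Firebox Denied 44 54 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 6 S 12345 win 64240" Traffic',
    '2023-07-09 22:03:56 Deny 10.1.1.2 10.1.1.1 https/tcp 40124 443 Management Firebox Denied 44 54 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 6 S 1525599900 win 4" Traffic',
    '2023-07-09 22:03:56 Deny 10.1.1.2 10.1.1.1 http/tcp 40124 80 Management Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 40 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 0 win 4" Traffic',
    '2023-07-09 22:03:56 Deny 10.1.1.2 10.1.1.1 icmp Management Firebox Denied 40 39 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic',
    '2023-07-09 22:04:56 Deny 10.1.1.2 10.1.1.1 https/tcp 40125 443 Management Firebox Denied 44 54 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 6 S 1525600100 win 4" Traffic',
    '2023-07-09 22:04:56 Deny 10.1.1.2 10.1.1.1 http/tcp 40125 80 Management Firebox tcp syn checking failed (expecting SYN packet for new TCP connection, but received ACK, FIN, or RST instead). 40 40 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 A 0 win 4" Traffic',
    '2023-07-09 22:04:56 Deny 10.1.1.2 10.1.1.1 icmp Management Firebox Denied 40 39 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic',
]


def parse_line(line):
    """Split one Firebox Traffic line into a dict; None if the layout does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"] or rec["svc"]          # bare "icmp" has no svc/proto split
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    t = TCP_INFO_RE.search(rec["rest"])
    rec["flags"] = t.group("flags") if t else None
    rec["minute"] = rec["ts"][:16]                     # "YYYY-MM-DD HH:MM"
    return rec


def signature(rec):
    """Shape of one probe with volatile fields (timestamps, seq, source port) dropped."""
    return (rec["proto"], rec["dport"], rec["flags"])


def find_periodic_probes(lines, min_minutes=3):
    """Return {(src, dst): (distinct_minutes, [signatures])} for pairs whose set of
    denied probes is identical in at least `min_minutes` distinct minutes."""
    per_pair = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            per_pair[(rec["src"], rec["dst"])][rec["minute"]].add(signature(rec))
    findings = {}
    for pair, by_minute in per_pair.items():
        sets = list(by_minute.values())
        if len(sets) >= min_minutes and all(s == sets[0] for s in sets):
            ordered = sorted(sets[0], key=lambda s: (s[0], s[1] or 0, s[2] or ""))
            findings[pair] = (len(sets), ordered)
    return findings


if __name__ == "__main__":
    for (src, dst), (minutes, sigs) in find_periodic_probes(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: same {len(sigs)} probes in {minutes} minutes: {sigs}")
```

Run against an exported log, the script isolates the (10.1.1.2, 10.1.1.1) pair with its three-probe set (ICMP, TCP/80 with an ACK, TCP/443 with a SYN) recurring every minute, which is the fact worth taking to the switch vendor; the unrelated single deny from 10.1.1.50 is not reported.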
07-09-2023 07:10 PM
I should add that ICMP is a type 13 packet (Timestamp request)
Internet Control Message Protocol
Type: 13 (Timestamp request)
Code: 0
Checksum: 0xf0d2 [correct]
[Checksum Status: Good]
Identifier (BE): 557 (0x022d)
Identifier (LE): 11522 (0x2d02)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Originate timestamp: 0 (0 seconds after midnight UTC)
Receive timestamp: 0 (0 seconds after midnight UTC)
Transmit timestamp: 0 (0 seconds after midnight UTC)
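To make the dissection above reproducible without a capture tool, here is an added Python example (not from the thread or from Cisco) that rebuilds the 20-byte ICMP message from the fields shown, decodes it, and recomputes the RFC 1071 checksum. The byte string is constructed from the listed values; the decoder recovers type 13, the big-endian and little-endian readings of the identifier (0x022d and 0x2d02), and confirms that the checksum 0xf0d2 is correct for this packet.

```python
import struct

# Constructed from the dissection: type 13, code 0, checksum 0xf0d2,
# identifier 0x022d, sequence 0, then originate/receive/transmit timestamps all 0.
ICMP_SAMPLE = bytes.fromhex("0d00f0d2022d0000" + "00000000" * 3)

ICMP_TYPES = {0: "Echo reply", 8: "Echo request",
              13: "Timestamp request", 14: "Timestamp reply"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words over header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(pkt: bytes) -> dict:
    """Decode the common ICMP header and, for types 13/14, the three timestamps."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, chksum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # The sender computes the checksum with the checksum field zeroed.
    expected = icmp_checksum(pkt[:2] + b"\x00\x00" + pkt[4:])
    rec = {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "other"),
        "code": code,
        "checksum": chksum,
        "checksum_ok": chksum == expected,
        "id_be": ident,
        "id_le": int.from_bytes(struct.pack("!H", ident), "little"),
        "seq": seq,
    }
    if icmp_type in (13, 14) and len(pkt) >= 20:
        orig, recv, xmit = struct.unpack("!III", pkt[8:20])
        # Timestamps are milliseconds since midnight UTC (RFC 792).
        rec.update(originate_ms=orig, receive_ms=recv, transmit_ms=xmit)
    return rec


if __name__ == "__main__":
    for k, v in parse_icmp(ICMP_SAMPLE).items():
        print(f"{k:>14}: {v:#06x}" if isinstance(v, int) and k in ("checksum", "id_be", "id_le") else f"{k:>14}: {v}")
```

Summing the words with the checksum field zeroed gives 0x0d00 + 0x022d = 0x0f2d, whose one's complement is 0xf0d2, matching the "[correct]" annotation in the capture; summing over the whole packet including the stored checksum yields 0xffff and therefore a result of 0, which is the receiver-side validity test. A type 13 request answered with a type 14 reply would disclose the responder's clock, which is why dropping it at the firewall, as the Firebox already does here, is the usual policy.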