C8200L contacting malicious IPs

CRG_Defense_IT_Team
Community Member

We have a C8200L on our network and the FortiGate 200F firewall has begun putting the C8200L into quarantine and blocking any access.  The FortiGate syslog shows the C8200L srcip trying to contact several known malicious IPs.  dstinf=unknown-0   action=deny  service=icmp/3/13  dstcountry=Netherlands message="no protocol tuple found, drop." 

Is the C8200L infected or could something else be going on?  Should it be rebuilt from Factory Default?  Thank you.

7 Replies

aleabrahao
Meraki Community All-Star

It's highly unlikely that the C8200L itself is "infected."

What you're seeing is almost always misattributed or misleading traffic.

The ICMP messages about an unreachable IP address are responses from the control plane, not proof of compromise.

What leads you to believe that these are suspicious IPs?

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Glad to hear that the C8200L may not be infected.  Some of the IPs which seem to trigger the quarantine are: 91.196.152.12 (Onyphe Bot), 137.184.105.192, 45.156.129.54.  When I look them up, they are reported on "Abuse" websites. 

Could the FortiGate firewall be responding to one of the addresses above probing the C8200L, and since the IP doesn't get through, responding 6 seconds later to a "dead" session?  Thanks.


@CRG_Defense_IT_Team did you try to apply the no ip unreachables command on your outside-facing interface?

CRG_Defense_IT_Team
Community Member

There's not an exact equivalent of no ip unreachables on the FortiGate, but great idea.  Thank you.  At this time, we believe the problem is the way the Check Quarantine Trigger in the Automation Stitches in the FortiGate firewall sees the C8200L and applies a quarantine to the C8200L's MAC on the FortiSwitch port.  Thanks for all the ideas.

Rich R
VIP

@CRG_Defense_IT_Team 
icmp/3/13
https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes-3
Type 3 — Destination Unreachable
13 Communication Administratively Prohibited [RFC1812]

This is the C8200L replying to probes from your suspicious IPs.  @Stefan Mihajlov's suggestion is a good start.  The fact that you don't already have this configured suggests you have not followed standard good practice for a router which is exposed to the internet.
Take a look at https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

What would worry me though is if this router is behind a firewall already - why is the firewall allowing the suspicious IPs from the internet to attack the router?  I think you have a much bigger problem than just those logs - maybe somebody configured "permit ip any any" inbound from the internet on the firewall?

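An added example, not from this thread or from any of the posters, that does what Rich R's decoding of icmp/3/13 and the original poster's log line call for: it parses the FortiGate key=value syslog line, maps the ICMP type/code in the service field to the IANA names, and decodes the quoted original datagram that every ICMP Destination Unreachable message carries (RFC 792), which is the field that proves who probed whom. The log line, the router address 192.0.2.1 and the ICMP packet bytes are constructed; the scanner address 91.196.152.12 is one of the addresses the original poster listed.

```python
"""Decode FortiGate 'icmp/<type>/<code>' deny logs and ICMP Destination
Unreachable payloads to tell a router-generated error reply from traffic
the router itself initiated.  Sample log line and packet are constructed.
"""
import ipaddress
import shlex
import struct

# IANA ICMP parameters, type 3 (Destination Unreachable) codes.
ICMP_UNREACH_CODES = {
    0: "Net Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}

# ICMP error types are only ever sent in response to a datagram that was received.
ICMP_ERROR_TYPES = {3: "Destination Unreachable", 11: "Time Exceeded", 12: "Parameter Problem"}


def parse_fortigate_log(line):
    """Split a FortiGate key=value syslog line into a dict; quoted values are allowed."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def classify_icmp_service(service):
    """Turn FortiGate 'icmp/<type>/<code>' into (type, code, description, is_error_reply)."""
    proto, icmp_type, icmp_code = service.split("/")
    if proto.lower() != "icmp":
        raise ValueError(f"not an ICMP service field: {service}")
    icmp_type, icmp_code = int(icmp_type), int(icmp_code)
    if icmp_type == 3:
        desc = "Destination Unreachable / " + ICMP_UNREACH_CODES.get(icmp_code, f"code {icmp_code}")
    else:
        desc = ICMP_ERROR_TYPES.get(icmp_type, f"ICMP type {icmp_type}")
    return icmp_type, icmp_code, desc, icmp_type in ICMP_ERROR_TYPES


def explain_deny(line):
    """Return a verdict dict for one FortiGate deny line that has an ICMP service field."""
    f = parse_fortigate_log(line)
    icmp_type, icmp_code, desc, is_error = classify_icmp_service(f["service"])
    verdict = ("router-generated ICMP error: a reply to a datagram received from dstip, "
               "not a connection the router opened" if is_error
               else "ICMP message the source initiated; investigate further")
    return {"srcip": f.get("srcip"), "dstip": f.get("dstip"), "type": icmp_type,
            "code": icmp_code, "description": desc, "is_error_reply": is_error, "verdict": verdict}


def _checksum(data):
    """RFC 1071 Internet checksum over data (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_unreachable(code, probe_src, probe_dst, proto, sport, dport):
    """Construct an ICMP type 3 message quoting the probe's IP header plus 8 bytes of L4 header."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, proto, 0,
                            ipaddress.IPv4Address(probe_src).packed,
                            ipaddress.IPv4Address(probe_dst).packed)
    quoted_l4 = struct.pack("!HHI", sport, dport, 0)   # first 8 bytes of the TCP/UDP header
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted_ip + quoted_l4
    return body[:2] + struct.pack("!H", _checksum(body)) + body[4:]


def decode_icmp_unreachable(icmp_bytes):
    """Decode an ICMP type 3 message and return the quoted original datagram's addresses and ports."""
    icmp_type, code, _ = struct.unpack("!BBH", icmp_bytes[:4])
    if icmp_type != 3:
        raise ValueError(f"not Destination Unreachable: type {icmp_type}")
    if _checksum(icmp_bytes) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp_bytes[8:]                  # skip type, code, checksum, 4 unused bytes
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    src = str(ipaddress.IPv4Address(quoted[12:16]))
    dst = str(ipaddress.IPv4Address(quoted[16:20]))
    sport = dport = None
    if proto in (6, 17):                     # TCP or UDP: ports are the first 4 quoted L4 bytes
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"code": code, "reason": ICMP_UNREACH_CODES.get(code, f"code {code}"),
            "probe_src": src, "probe_dst": dst, "proto": proto, "sport": sport, "dport": dport}


def is_reply_to_probe(log_line, icmp_bytes):
    """True when the quoted datagram shows dstip probing srcip, i.e. the router answered a scan."""
    f = parse_fortigate_log(log_line)
    inner = decode_icmp_unreachable(icmp_bytes)
    return inner["probe_src"] == f["dstip"] and inner["probe_dst"] == f["srcip"]


# Constructed sample: router 192.0.2.1 (documentation range) answering a TCP/22 probe
# from 91.196.152.12 with type 3 code 13, as the thread's FortiGate log describes.
SAMPLE_LOG = ('srcip=192.0.2.1 dstip=91.196.152.12 dstinf=unknown-0 action=deny '
              'service=icmp/3/13 dstcountry=Netherlands message="no protocol tuple found, drop."')
SAMPLE_ICMP = build_icmp_unreachable(13, "91.196.152.12", "192.0.2.1", 6, 44321, 22)

if __name__ == "__main__":
    print(explain_deny(SAMPLE_LOG))
    print(decode_icmp_unreachable(SAMPLE_ICMP))
    print("reply to probe:", is_reply_to_probe(SAMPLE_LOG, SAMPLE_ICMP))
```

On a real capture, feed decode_icmp_unreachable the ICMP bytes that follow the outer IP header: if the quoted source is the suspicious IP and the quoted destination is the C8200L, the router is answering a scan that reached it, which is what no ip unreachables on the outside interface suppresses and what an inbound ACL on the firewall should have dropped before it got there.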

CRG_Defense_IT_Team
Community Member

I need to change my email to sysadmins@crgrp.com to make sure our Network Admin is getting these messages also. 

 

@CRG_Defense_IT_Team It's connected to your Cisco profile and therefore cannot be done instantaneously; contact brodavie@cisco.com (community manager) for more info.

  M.
