unhandled internal packet - but should be using the BOVPN

Hi All,
We have 2 sites connected using one bi-directional tunnel; all servers are at site and users at site use RDS to access the servers across the BOVPN with no problem.
However, we have spreadsheets with a direct link to a SQL server; this works from other sites (not listed) but not from the site. On the firewall we get the message "unhandled internal packet-00" for ms-sql-m/udp to the server 10.0.x.x.
I would assume that any traffic from 10.4.x.x should use the BOVPN to contact anything with a 10.0.x.x address. I have no other routes set up for internal traffic, and the policies on the other sites look identical to the one that is failing, so I am not sure why this is not using the BOVPN. Any clues much appreciated.



    unhandled internal packet means that the firewall is not expecting the source IP addr to be on the firewall interface from which it came.

    Care to post a sample full log message?


    Hi Bruce
    Please see attached screenshot of the system logs


    Sorry - my explanation was for spoofed source, not unhandled...

    unhandled indicates that there is not a policy allowing the packet.
    Do you have a policy allowing UDP port 1434 ?


    Hi Bruce, no we don't have a policy for that as I would expect the traffic would use the BOVPN any<>any policy? This works from our other offices without a policy specific to this port.

    edited January 31

    Note that the dest interface is Firebox.
    Is assigned to a firewall interface as a primary or secondary IP addr?

    Your ARP table should show if that is the case.
    . Web UI -> System Status -> ARP
    . FSM -> Status Report -> ARP section

    james.carson (Moderator, WatchGuard Representative)

     is the Firebox's address, not the BOVPN. You can see the firebox denoting that in the logs when it notes "Trusted Firebox."

    The firebox won't know what to do with SQL traffic -- try sending it to a different host on that network.

    -James Carson
    WatchGuard Customer Support
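The two replies above describe the same mechanism from different angles: the firewall resolves the destination before it evaluates policies, so if the destination address is one of the Firebox's own (primary or secondary) interface addresses, the packet is classified as going to "Firebox" rather than out the BOVPN tunnel, and the any<>any tunnel policy never matches. The following is an added example, not code from the thread or from WatchGuard: a small Python model of that lookup order, using a longest-prefix-match route table and a simplified policy list. Every address, interface name and policy name in it is a constructed placeholder, and the /32 "local" route standing in for a secondary interface IP is an assumption about how to model such an address, not a description of Firebox internals.

```python
"""Model of why a tunnel-bound packet can be logged as 'unhandled internal packet'
with destination interface 'Firebox'. Added example; all values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str            # e.g. "Trusted" or the tunnel name "bovpn"
    local: bool = False   # True when the address belongs to the firewall itself


@dataclass(frozen=True)
class Policy:
    name: str
    src_iface: str
    dst_iface: str        # "Firebox" means traffic addressed to the firewall itself
    proto: str            # "any", "tcp" or "udp"
    port: Optional[int]   # None matches any port


# Constructed route table for the user-site firewall (10.4.x.x side).
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.4.0.0/16"), "Trusted"),
    Route(ipaddress.ip_network("10.0.0.0/16"), "bovpn"),           # server site via tunnel
    Route(ipaddress.ip_network("10.4.0.1/32"), "Trusted", local=True),
    # Constructed misconfiguration: a server-site host address added as a
    # secondary IP on the Trusted interface, so the firewall treats it as its own.
    Route(ipaddress.ip_network("10.0.5.20/32"), "Trusted", local=True),
]

# Constructed policies: an any<>any tunnel policy and one management policy.
POLICIES: List[Policy] = [
    Policy("BOVPN-Allow.out", "Trusted", "bovpn", "any", None),
    Policy("WatchGuard-WebUI", "Trusted", "Firebox", "tcp", 8080),
]


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route wins, which is why a
    /32 secondary interface address beats the /16 tunnel route."""
    ip = ipaddress.IPv4Address(addr)
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def classify(routes: List[Route], policies: List[Policy],
             src: str, dst: str, proto: str, port: int) -> str:
    """Resolve ingress/egress first, then look for a matching policy."""
    src_route = lookup(routes, src)
    dst_route = lookup(routes, dst)
    if src_route is None or dst_route is None:
        return "unhandled: no route"
    dst_iface = "Firebox" if dst_route.local else dst_route.iface
    for p in policies:
        if (p.src_iface == src_route.iface and p.dst_iface == dst_iface
                and p.proto in ("any", proto) and p.port in (None, port)):
            return f"allowed by {p.name} via {dst_iface}"
    return (f"unhandled internal packet: {src_route.iface} -> {dst_iface} "
            f"{proto}/{port} has no policy")


def audit_local_addresses(routes: List[Route], remote_prefixes: List[str]) -> List[str]:
    """List firewall-local addresses that fall inside a network that should be
    reached over the tunnel: the thing to look for in the interface/ARP settings."""
    remote = [ipaddress.ip_network(p) for p in remote_prefixes]
    return [str(r.prefix.network_address) for r in routes
            if r.local and any(r.prefix.network_address in n for n in remote)]


if __name__ == "__main__":
    # SQL Browser (ms-sql-m, UDP 1434) from a user-site client to two server-site hosts.
    print(classify(ROUTES, POLICIES, "10.4.1.50", "10.0.5.21", "udp", 1434))
    print(classify(ROUTES, POLICIES, "10.4.1.50", "10.0.5.20", "udp", 1434))
    print("local addresses overlapping tunnel networks:",
          audit_local_addresses(ROUTES, ["10.0.0.0/16"]))
```

Run as-is, the first lookup goes out the tunnel under the any<>any policy while the second, whose destination happens to be a firewall-local address, is reported as unhandled with destination interface "Firebox", even though both hosts sit in the same /16. The `audit_local_addresses` helper is the check a practitioner would run against the interface configuration and ARP table before opening a case: any local address that overlaps a tunnel network is the likely cause.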

     is a server on the network; it isn't the firewall/firebox.
    I don't see any entry for on the ARP table at the site
    I can access Remote Desktop Servers on the 10.0 network from the 10.4 network via the BOVPN.
    Thanks for your help so far.


    Time for a support case to get help from a WG rep in understanding and resolving this.
    You can do this via the Support Center link above.
