unhandled internal packet - but should be using the BOVPN

Hi All,
We have 2 sites connected using one bi-directional tunnel - all servers are at site and users at site use RDS to access servers across the BOVPN, no problem.
However we have spreadsheets that have a direct link to a SQL server that works from other sites (not listed) but not from the site. We get the message on the firewall of the unhandled internal packet-00 for ms-sql-m/udp to the server 10.0.x.x
I would assume that any traffic from 10.4.x.x should use the BOVPN to contact anything with a 10.0.x.x address - I have no other routes set up for internal traffic, and the policies on other sites look identical to the one that is failing, so I am not sure why this is not using the BOVPN - any clues much appreciated.


  • unhandled internal packet means that the firewall is not expecting the source IP addr to be on the firewall interface from which it came.

    Care to post a sample full log message?

  • Hi Bruce
    Please see attached screenshot of the system logs

  • Sorry - my explanation was for spoofed source, not unhandled...

    unhandled indicates that there is not a policy allowing the packet.
    Do you have a policy allowing UDP port 1434 ?

  • Hi Bruce, no we don't have a policy for that as I would expect the traffic would use the BOVPN any<>any policy? This works from our other offices without a policy specific to this port.

  • edited January 31

    Note that the dest interface is Firebox.
    Is assigned to a firewall interface as a primary or secondary IP addr ?

    Your ARP table should show if that is the case.
    - Web UI -> System Status -> ARP
    - FSM -> Status Report -> ARP section

  • james.carson (Moderator, WatchGuard Representative):
    is the Firebox's address, not the BOVPN. You can see the firebox denoting that in the logs when it notes "Trusted Firebox."

    The firebox won't know what to do with SQL traffic -- try sending it to a different host on that network.

    -James Carson
    WatchGuard Customer Support

  • is a server on the network, it isn't the firewall/firebox.
    I don't see any entry for on the ARP table at the site.
    I can access Remote Desktop Servers on the 10.0 network from the 10.4 network via the BOVPN.
    Thanks for your help so far.

  • Time for a support case to get help from a WG rep in understanding and resolving this.
    You can do this via the Support Center link above.
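The thread turns on two things the log line itself tells you: the deny reason ("Unhandled Internal Packet" means no policy matched) and the destination interface ("Firebox" means the packet was addressed to the firewall itself rather than routed into the BOVPN). The following added example, which is not from the thread or from WatchGuard, is a small triage script that parses traffic-log lines and groups the unhandled denials by destination, port and interface so those two facts are visible at a glance. The sample log lines and the field layout are constructed; they approximate the WatchGuard text traffic-log format but are an assumption, so adjust the regular expression to match your own export.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread). The column order
# is an assumed approximation of the Firebox traffic-log text format:
# timestamp, action, src, dst, service, sport, dport, src_if, dst_if,
# disposition, length, ttl, (policy or deny reason).
SAMPLE_LOG = """\
2024-01-31 10:01:02 Deny 10.4.1.25 10.0.1.50 ms-sql-m/udp 52341 1434 1-Trusted Firebox Denied 78 64 (Unhandled Internal Packet-00)
2024-01-31 10:01:05 Allow 10.4.1.25 10.0.1.60 3389/tcp 52400 3389 1-Trusted BOVPN-SiteB Allowed 60 64 (BOVPN-Allow.out-00)
2024-01-31 10:01:09 Deny 10.4.1.30 10.0.1.50 ms-sql-m/udp 52377 1434 1-Trusted Firebox Denied 78 64 (Unhandled Internal Packet-00)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<svc>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<src_if>\S+) (?P<dst_if>\S+) "
    r"(?P<disp>\S+) \d+ \d+ \((?P<reason>[^)]*)\)$"
)


def parse_log(text):
    """Parse each log line into a dict; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def unhandled_on_firebox(records):
    """Denials where no policy matched AND the firewall itself was the target.

    This is the combination James points out in the thread: the flow never
    entered the BOVPN because the firebox treated the packet as addressed to it.
    """
    return [
        r for r in records
        if r["reason"].startswith("Unhandled Internal Packet") and r["dst_if"] == "Firebox"
    ]


def summarize_unhandled(records):
    """Count unhandled denials per (dst, dport, service, dst_if) tuple."""
    counts = Counter()
    for r in records:
        if r["reason"].startswith("Unhandled Internal Packet"):
            counts[(r["dst"], r["dport"], r["svc"], r["dst_if"])] += 1
    return counts


def needs_policy(records, dport, proto):
    """True if any unhandled denial hit the given port/protocol, i.e. the
    traffic is reaching the firewall but no policy (tunnel or otherwise) allows it."""
    return any(
        r["reason"].startswith("Unhandled Internal Packet")
        and r["dport"] == str(dport)
        and r["svc"].endswith("/" + proto)
        for r in records
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize_unhandled(recs).items():
        dst, dport, svc, dst_if = key
        print(f"{n}x unhandled -> {dst}:{dport} ({svc}) via dst_if={dst_if}")
    print("firewall-targeted unhandled flows:", len(unhandled_on_firebox(recs)))
    print("UDP 1434 needs a policy:", needs_policy(recs, 1434, "udp"))
```

Reading the output the way the thread suggests: a destination interface of "Firebox" on the unhandled line is the clue that the 10.0.x.x address is being resolved locally (check the ARP table) rather than routed through the BOVPN, whereas a matching flow that is allowed with a BOVPN destination interface confirms the tunnel policy is otherwise doing its job.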
