Video Screencast Help

NTP Blocked Incoming Ethernet 0x0 traffic

Created: 18 May 2011 | 2 comments

We are receiving the following messages on a few of our laptops under the NTP Traffic Logs:

3 5/17/2011 12:58:55 PM Blocked 15 Incoming ETHERNET [type=0x0] 9C-AF-CA-0F-67-DD 0 00-27-10-95-67-50 0    Default 1 5/17/2011 12:57:54 PM 5/17/2011 12:57:54 PM Block all other traffic 

From what I have read the Type 0x0 and traffic is an ARP Probe  "An ARP probe is an ARP request constructed with an all-zero sender IP address. The term is used in the IPv4 Address Conflict Detection specification (RFC 5227). Before beginning to use an IPv4 address (whether received from manual configuration, DHCP, or some other means), a host implementing this specification must test to see if the address is already in use, by broadcasting ARP probe packets."

I can tell from the mac addresses that it is traffic coming from a Cisco device (access point possibly) to the wireless adapter. 

I called Symantec and the only solution they said was to enable "Allow token ring traffic".  Not my issue. 

Anyone else know of any resolutions to this? 

Comments 2 CommentsJump to latest comment

pete_4u2002's picture

if you have this rule Blocked 15 Incoming then it is set to block, run the network sniffer to know more on the protocol and allow the traffic, if it is required.

Mithun Sanghavi's picture


Please follow the Steps and Edit the firewall policy associated with the clients to add a corresponding rule as follows:

  • Open the SEPM, click the Policies tab, and edit the policy you wish to change
  • Add a blank rule
  • Modify the “Host” properties so that the “Source/Destination” IP is the address you wish to block (Local/Remote is less generic, and requires the local address of the client on which the rule should be applied)
  • Change the “Action” to Allow
  • Save and deploy the policy as needed.

This will Allow all incoming and outgoing traffic associated with the specified IP address.

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.