I've been having this problem for over a month now. Periodically I see 10 to 15 times the normal traffic on our switch/router out to the Internet. This high traffic consists of numerous tcp reset packets between the content security filter/firewall and the default router. After a number of sniffing sessions and troubleshooting I've figured out how to duplicate the problem and have an idea what's triggering the issue but I'm at a loss on how to resolve it.
We have a wireless router that bypasses the firewall and allows visiting vendors to access to the Internet. Employees, however, sometimes use this when working with vendors. Anyway, what happens is if you're plugged into the wired network behind the firewall, connect to the wireless network, unplug the wired connection then reconnect the wired connection you sometime get the high TCP reset traffic. While sniffing I've seen TCP packets tagged as "Continuation Data" with a source IP address of the wireless card, a destination IP of some registered IP on the Internet (usually some akamai deployment server) followed immediately by the TCP resets. Subsequent packets alternate these source and destination IP addresses and the traffic seems to go between the default router and the internal interface of our content security filter which is in-line with the firewall. The only way to stop the traffic is to pull the plug or disable the port at the managed switch.
Does the fact that I'm seeing packets tagged with wireless IP addresses on the wired network make sense to anyone? That definitely seems like the trigger. I wouldn’t expect to see that traffic on the wire.