Help with sudden traffic on 2nd Failover WAN
-
Hi Folks,
If this is not the correct forum for my question, please move.
Background:
I have a WAN failover group, primary is cable modem, secondary failover is 4G LTE modem on AT&T. When packet loss gets to X%, it does the failover to the LTE interface. This rarely happens and there is nothing else on that LTE interface or network. Last week I started seeing tons of traffic on that interface even though it is not in use and has not done a failover. My AT&T plan for that is about 15GB. It blasted by that amount and the only reason I knew was because AT&T was sending overage emails to me.
When I do a packet capture, I see the normal ICMP pings which I believe is the monitor. I also see some other data below which. Any ideas what could be causing this traffic?
10:32:16.033745 IP 10.xxx.xxx.4 > 10.xxx.xxx.1: ICMP echo request, id 17034, seq 662, length 9
10:32:16.034903 IP 10.xxx.xxx.1 > 10.xxx.xxx.4: ICMP echo reply, id 17034, seq 662, length 9
10:32:16.534972 IP 10.xxx.xxx.4 > 10.xxx.xxx.1: ICMP echo request, id 17034, seq 663, length 9
10:32:16.535658 IP 10.xxx.xxx.1 > 10.xxx.xxx.4: ICMP echo reply, id 17034, seq 663, length 9
10:32:17.035649 IP 10.xxx.xxx.4 > 10.xxx.xxx.1: ICMP echo request, id 17034, seq 664, length 9
10:32:17.036886 IP 10.xxx.xxx.1 > 10.xxx.xxx.4: ICMP echo reply, id 17034, seq 664, length 9
10:32:17.538803 IP 10.xxx.xxx.4 > 10.xxx.xxx.1: ICMP echo request, id 17034, seq 665, length 9
10:32:17.539952 IP 10.xxx.xxx.1 > 10.xxx.xxx.4: ICMP echo reply, id 17034, seq 665, length 9
10:32:18.050807 IP 10.xxx.xxx.4 > 10.xxx.xxx.1: ICMP echo request, id 17034, seq 666, length 9
10:32:18.051882 IP 10.xxx.xxx.1 > 10.xxx.xxx.4: ICMP echo reply, id 17034, seq 666, length 9
10:32:18.551801 IP 10.xxx.xxx.4 > 10.xxx.xxx.1: ICMP echo request, id 17034, seq 667, length 9
10:32:18.552946 IP 10.xxx.xxx.1 > 10.xxx.xxx.4: ICMP echo reply, id 17034, seq 667, length 9
10:32:18.636234 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 406
10:32:18.640604 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 222
10:32:18.681710 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 0
10:32:18.720497 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.733662 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.734705 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 0
10:32:18.737576 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.738226 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.739062 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 0
10:32:18.741802 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.792521 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 0
10:32:18.825377 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.830837 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.831733 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 0
10:32:18.844381 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.856248 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.857176 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 0
10:32:18.863660 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031
10:32:18.867254 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 459
10:32:18.867305 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 5
10:32:18.868304 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 0
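An added example, not part of the original post: one way to see which conversation is consuming the data allowance is to tally the printed packet sizes per flow from a longer capture in the same text format. The function names and the excerpt chosen as input are assumptions of this sketch; the sizes counted are the lengths as printed, so header overhead is not included.

```python
import re
from collections import defaultdict

# Excerpt of the capture quoted in the post (masked addresses kept as-is),
# pasted as one run-together line the way the forum rendered it.
SAMPLE = (
    "10:32:18.050807 IP 10.xxx.xxx.4 > 10.xxx.xxx.1: ICMP echo request, id 17034, seq 666, length 9 "
    "10:32:18.051882 IP 10.xxx.xxx.1 > 10.xxx.xxx.4: ICMP echo reply, id 17034, seq 666, length 9 "
    "10:32:18.636234 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 406 "
    "10:32:18.640604 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 222 "
    "10:32:18.681710 IP 10.xxx.xxx.4.61942 > 10.xxx.xxx.1.80: tcp 0 "
    "10:32:18.720497 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031 "
    "10:32:18.733662 IP 10.xxx.xxx.1.80 > 10.xxx.xxx.4.61942: tcp 1031"
)

# A record starts at each "HH:MM:SS.uuuuuu IP"; splitting there handles both
# one-packet-per-line output and text that was flattened when pasted.
RECORD_START = re.compile(r"\s+(?=\d\d:\d\d:\d\d\.\d{6} IP\s)")
RECORD = re.compile(r"^\S+\s+IP\s+(\S+)\s+>\s+(\S+):\s+(.*)$", re.S)


def tally(text):
    """Return {(src, dst, proto): [packets, bytes]} from tcpdump-style text."""
    flows = defaultdict(lambda: [0, 0])
    for rec in RECORD_START.split(text.strip()):
        m = RECORD.match(rec)
        if not m:
            continue  # not an IPv4 packet line
        src, dst, rest = m.groups()
        short = re.match(r"(tcp|udp)\s+(\d+)", rest, re.I)  # e.g. "tcp 1031"
        length = re.search(r"length (\d+)", rest)           # e.g. ICMP lines
        if short:
            proto, size = short.group(1).lower(), int(short.group(2))
        elif length:
            proto, size = rest.split()[0].strip(",").lower(), int(length.group(1))
        else:
            continue
        flows[(src, dst, proto)][0] += 1
        flows[(src, dst, proto)][1] += size
    return dict(flows)


def top_talkers(flows):
    """Flows sorted by byte count, largest first."""
    return sorted(flows.items(), key=lambda kv: kv[1][1], reverse=True)


if __name__ == "__main__":
    for (src, dst, proto), (pkts, size) in top_talkers(tally(SAMPLE)):
        print(f"{size:>8} bytes {pkts:>4} pkts  {proto:<4} {src} > {dst}")
```

Run over a capture spanning several minutes, the ranking shows how the gateway-monitor pings compare in volume with the port 80 conversation.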