In my environment, I have a few devices that are connected via Cisco AnyConnect VPN, and I noticed that a few of these Mac devices occasionally send several ICMP request packets (up to 100+, each packet is approx. 1386 bytes and 4158 bytes) towards different Apple-owned IP addresses (e.g: –

The only commonality I have is that the devices that sent ICMP request packets to Apple IPs often have prior HTTP denied traffic towards Apple domains.

Is this behaviour expected? Can’t seem to find any indicator in Apple documentation or forums that may explain this behaviour.

The logical explanation I can think of is that ICMP is just another alternative way for Mac devices to “double check” if they can establish a connection to the Apple server for any potential updates or tasks, but there is no actual confirmation from the Apple dev team on my guess.

