This morning (in reviewing the logs from yesterday), I found a set of
580 such setup requests logged from Mar 20 19:30:06 - Mar 20 19:40:06
(US/Pacific; currently 7 hrs. west of GMT/UTC), each from 126.96.36.199
(part of a VAULT-NETWORKS netblock). The sshd on the internal machine
never logged anything corresponding to any of this.
Might be a SYN scan. I believe SSH will not log anything if a three-way
handshake has not been completed.
Of course, it would help if you provided ipfw logs to determine exactly
what kind of packets it was.