ISR sending packets to 169.254.255.255 on port 138

J. S. Black
Level 1

Hi there,

I am having an issue with my 2821 (12.4(11)XW5, CCME 4.2) - it is generating IP spoof alerts on my SonicWall TZ-170W. Every 12 minutes, my SonicWall is picking up an IP Spoof from 169.254.98.91, port 138, to 169.254.255.255, port 138. The associated MAC address is my ISR's 0/0 interface. I know this looks like an auto-configuration range (like a Windows machine not getting an IP address) but the ISR is not a DHCP client (however it is a DHCP server on the 0/1 interface). Anyone got any ideas? I unfortunately cannot tell when this started as my firewall's log is filled with these alerts.

Thanks.


Richard Burts
Hall of Fame

Jean-Sebastien

I think that it is extremely likely that this is a Windows machine set for DHCP but not getting a DHCP address (or perhaps a Windows machine with 2 NICs and the 169.254 may be on the second NIC and the PC is using that as source for some packets). The Windows machine is sending port 138 to its broadcast address. I believe that what is happening is that the 2821 receives the packet on some other interface and is forwarding toward its default route and getting to the SonicWall. The fact that the MAC is the router interface MAC is because when the router receives a frame on its 0/1 interface and forwards it out its 0/1 interface, the router does a layer 2 rewrite of the frame header and puts its own MAC as the source MAC of the frame as it forwards the frame. I am confident that if you look carefully you will find something on the 0/1 interface that is generating these packets.

HTH

Rick
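Added example, not part of either post and not Cisco or SonicWall code: UDP port 138 is the NetBIOS datagram service, and its RFC 1002 header carries the sender's own IP address and NetBIOS name, so decoding one captured payload names the machine behind the 169.254 address. The sketch assumes you can capture the UDP payload on the inside segment; the host name `LABPC01` and group `WORKGROUP` in the sample are constructed.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # auto-configuration range

def encode_name(name, suffix):
    """First-level encoding (RFC 1001); used here only to build the sample."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    body = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + body + b"\x00"

def decode_name(buf, off):
    """Return (name, suffix, next_offset) for the encoded name at buf[off]."""
    if off + 34 > len(buf) or buf[off] != 0x20 or buf[off + 33] != 0:
        raise ValueError("truncated, malformed or scoped NetBIOS name")
    enc = buf[off + 1:off + 33]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("byte outside the 'A'..'P' encoding alphabet")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15], off + 34

def parse_datagram(payload):
    """Parse a UDP/138 payload (RFC 1002 section 4.4) into identifying fields."""
    if len(payload) < 14:
        raise ValueError("shorter than the datagram header")
    msg_type, _flags, _dgm_id, ip, port, _length, _offset = struct.unpack(
        "!BBH4sHHH", payload[:14])
    if msg_type not in (0x10, 0x11, 0x12):  # direct unique, direct group, broadcast
        raise ValueError("message type carries no name pair")
    src, _, off = decode_name(payload, 14)
    dst, dst_suffix, _ = decode_name(payload, off)
    addr = ipaddress.ip_address(ip)
    return {"source_ip": str(addr), "source_port": port, "source_name": src,
            "destination_name": dst, "destination_suffix": dst_suffix,
            "link_local": addr in LINK_LOCAL}

# Constructed sample: LABPC01 and WORKGROUP are made up; 169.254.98.91 is the
# source address reported in the thread.
names = encode_name("LABPC01", 0x00) + encode_name("WORKGROUP", 0x1D)
SAMPLE = struct.pack("!BBH4sHHH", 0x11, 0x02, 1,
                     ipaddress.ip_address("169.254.98.91").packed, 138,
                     len(names), 0) + names

if __name__ == "__main__":
    print(parse_datagram(SAMPLE))
```

The `source_ip` field is set by the sending host, so it still shows the original address even after the router has rewritten the frame's source MAC.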
