blocked packets destined to 169.254.196.189

Unanswered Question
Oct 7th, 2009



All,


I am seeing quite a few of the following denied message logs:

Deny udp src inside:10.1.2.166/137 dst outside:169.254.196.189/137 by access-group "inside_access_in"


169.254.196.189 is a well-known address. Why would a machine be trying to send to that address?


T.


uzair syed naveed Wed, 10/07/2009 - 04:21

Hi,

You may want to try to do a packet capture from the particular source IP 10.1.2.166 to the destination 169.254.196.189. This way you will see what kind of traffic is being sent / received. Once you know this you can analyze

ahassiotis1 Wed, 10/07/2009 - 05:00

My problem is not that the flow is blocked. The problem is that 169.254.196.189 is a non-routed IP that is given by Windows when a system doesn't have an IP address configured (or cannot get a DHCP address). So, why is host 10.1.2.136 trying to send traffic to that IP?

Collin Clark Wed, 10/07/2009 - 06:30

Occasionally a device gets the 169 address (usually failed DHCP), but once it gets a valid IP it registers to DNS with the 169 address. Check your DNS table and make sure there are no 169 addresses. In this case 10.1.2.136 queries DNS to look up the IP for SERVER1. DNS reports back 169 and it then goes out the default gateway and you see the drops. It's a long shot, but it does happen!
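An added example, not part of the original thread: one way to run the check suggested in the reply above is to pull the link-local (169.254.0.0/16) destinations out of the firewall deny logs and compare them against an export of DNS A records. The log format is the one quoted in the question; the DNS record list, the hostnames in it, and every log line other than the first are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the ASA deny-line format quoted in the question.
DENY_RE = re.compile(
    r'Deny (?P<proto>\S+) src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def is_apipa(addr):
    """True for link-local addresses such as 169.254.0.0/16."""
    try:
        return ipaddress.ip_address(addr).is_link_local
    except ValueError:
        return False

def apipa_denies(log_lines):
    """Map each link-local destination to the (src, proto, dport) tuples denied toward it."""
    hits = defaultdict(set)
    for line in log_lines:
        m = DENY_RE.search(line)
        if m and is_apipa(m["dst"]):
            hits[m["dst"]].add((m["src"], m["proto"], int(m["dport"])))
    return dict(hits)

def stale_dns_records(a_records):
    """Return {hostname: ip} for A records that point at a link-local address."""
    return {name: ip for name, ip in a_records if is_apipa(ip)}

def correlate(log_lines, a_records):
    """For each denied link-local destination, list the DNS names registered with it."""
    stale = stale_dns_records(a_records)
    return {dst: sorted(n for n, ip in stale.items() if ip == dst)
            for dst in apipa_denies(log_lines)}

SAMPLE_LOG = [
    # First line is from the question; the other two are constructed.
    'Deny udp src inside:10.1.2.166/137 dst outside:169.254.196.189/137 by access-group "inside_access_in"',
    'Deny tcp src inside:10.1.2.40/51512 dst outside:169.254.196.189/445 by access-group "inside_access_in"',
    'Deny tcp src inside:10.1.2.41/51600 dst outside:192.0.2.10/23 by access-group "inside_access_in"',
]
# Constructed A-record export as (name, address) pairs; hostnames are hypothetical.
SAMPLE_A_RECORDS = [("server1.example.local", "169.254.196.189"),
                    ("server2.example.local", "10.1.2.20")]

if __name__ == "__main__":
    for dst, names in correlate(SAMPLE_LOG, SAMPLE_A_RECORDS).items():
        print(dst, "registered in DNS as:", names or "no matching record")
```

A destination with no matching DNS name points away from stale registration and toward another source for the address, such as a cached name table entry on the sending host.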
