cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
569
Views
0
Helpful
4
Replies

blocked packets destined to 169.254.196.189

ahassiotis1
Level 1
Level 1

All,

I am seeing quite a few of the following denied message logs:

Deny udp src inside:10.1.2.166/137 dst outside:169.254.196.189/137 by access-group "inside_access_in"

169.254.196.189 is a well known address. Why would a machine be trying to send to that address?

T.

4 Replies 4

Hi,

You may want to try to do a packet capture from the paticular source ip 10.1.2.166 to the destination 169.254.196.189. THis way you will see what kind of traffic is being sent / received. once you know this you can analyze

can you also check if you have any acl's blocking the flow.

My problem is not that the flow is blocked. The problem is that 169.254.196.189 is a non-routed IP that is given by windows when a system doesn't have an IP address configured (or cannot get a DHCP address). So, why is host 10.1.2.136 trying to send traffic to that IP?

Occasionally a device gets the 169 address (usually failed DHCP), but once it gets a valid IP it registers to DNS with the 169 address. Check your DNS table and make sure there are no 169 addresses. In this case 10.1.2.136 queries DNS to lookup the IP for SERVER1. DNS reports back 169 and it then goes out the default gateway and you see the drops. It's a long shot, but it does happen!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: