Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISR sending packets to on port 138

Hi there,

I am having an issue with my 2821 (12.4(11)XW5, CCME 4.2) - it is generating ip spoof alerts on my Sonicwall TZ-170W. Every 12 minutes, my Sonicwall is picking up an IP Spoof from, port 138, to, port 138. The associated MAC address is my ISR's 0/0 interface. I know this looks like an auto-configuration range (like a Windows machine not getting an IP address) but the ISR is not a DHCP client (however it is a DHCP server on the 0/1 interface). Anyone got any ideas? I unfortunately cannot tell when this started as my firewall's log is filled with these alerts.


Hall of Fame Super Silver

Re: ISR sending packets to on port 138


I think that it is extremely likely that this is a Windows machine set for DHCP but not getting a DHCP address (or perhaps a Windows machine with 2 NICs and the 169.254 may be on the second NIC and the PC is using that as source for some packets). The Windows machine is sending port 138 to its broadcast address. I believe that what is happening is that the 2821 receives the packet on some other interface and is forwarding toward its default route and getting to the sonicwall. The fact that the MAC is the router interface MAC is because when the router receives a frame on its 0/1 interface and forwards it out its 0/1 interface the router does a layer 2 rewrite of the frame header and puts its own MAC as the source MAC of the frame as it forwards the frame. I am confident that if you look carefully you will find something on the 0/1 interface that is generating these packets.