
127.0.0.1

kalberts
Level 1

Hi All

I have quite a strange one here. I have been getting these entries in the logs:

Mar 3 15:11:09.883 SA: %SEC-6-IPACCESSLOGP: list 191 denied tcp 127.0.0.1(0) -> 10.60.69.131(0), 1 packet

RTRD11-105WEST# sh access-lists 191

Extended IP access list 191

    deny ip host 127.0.0.1 any log (194 matches)
    permit ip any any log (22212 matches)

In approx 90 minutes, on only one sub interface, there are 194 matches!

Weird?

I saw this on one of our distribution routers, outgoing towards the branch, i.e. I applied this ACL on the outgoing sub interface towards my branch. Something on the inside of my distribution router has a source address of 127.0.0.1??

Also, on the branch's side I will then get incomplete ARP entries, where a random IP on the local Ethernet will be picked and the MAC address is incomplete.

Anybody seen this?

2 Replies 2

lgijssel
Level 9

With the info that is now provided, it is hard to say anything about it. 127.0.0.1 is a general purpose loopback address that could be on any host.

Maybe the destination host can help to explain things. Regarding this address I would investigate:

a: does it exist?

b: what kind of machine is it?

c: what nodes can be expected to communicate with it?

Another option is to use a sniffer to track the source mac-address. If you cannot deduce otherwise where the data comes from, this might be the one to go for.

Regards,

Leo

Thanks for your post, Leo, but that is exactly my problem: the destination address does not exist, and that's why I am getting the incomplete ARP entries on my branch router.

Only option I can see is the sniffer. Might take some time to organise one though.

PS: This seems to be happening to all my branches that are connecting to this distribution router.
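
Added example, not part of the original thread: a small Python parser for the `%SEC-6-IPACCESSLOGP` messages quoted above that totals packets with a loopback source per ACL and destination, so the destinations to check (or to sniff for) stand out. The first sample line is the one from the thread; the other lines, and the function names, are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the TCP/UDP form of the IOS ACL log message quoted in the thread.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Line 1 is from the thread; lines 2-4 are constructed sample data.
SAMPLE_LOG = """\
Mar 3 15:11:09.883 SA: %SEC-6-IPACCESSLOGP: list 191 denied tcp 127.0.0.1(0) -> 10.60.69.131(0), 1 packet
Mar 3 15:12:41.120 SA: %SEC-6-IPACCESSLOGP: list 191 denied tcp 127.0.0.1(0) -> 10.60.69.77(0), 3 packets
Mar 3 15:13:02.417 SA: %SEC-6-IPACCESSLOGP: list 191 permitted udp 10.1.1.5(0) -> 10.60.69.10(0), 1 packet
Mar 3 15:16:09.901 SA: %SEC-6-IPACCESSLOGP: list 191 denied tcp 127.0.0.1(0) -> 10.60.69.131(0), 2 packets
"""


def parse_line(line):
    """Return the fields of one ACL log line, or None if it is another message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["count"] = int(rec["count"])
    return rec


def loopback_sources(lines):
    """Total packets whose source is in 127.0.0.0/8, keyed by (ACL, destination)."""
    per_dst = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"].is_loopback:
            per_dst[(rec["acl"], str(rec["dst"]))] += rec["count"]
    return per_dst


if __name__ == "__main__":
    hits = loopback_sources(SAMPLE_LOG.splitlines())
    for (acl, dst), pkts in hits.most_common():
        print(f"ACL {acl}: {pkts} packet(s) with loopback source -> {dst}")
```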