1. Home
  2. Cisco Systems
  3. Trackdown IP sending Broadcasts to PIX?

Trackdown IP sending Broadcasts to PIX?

My PIX is logging over 3000 Events an hour with the Text of: %PIX-3-305005: No translation group found for udp src inside-HBG:10.0.0.9(unresolved)/137 dst outside-HBG:10.0.0.255(unresolved)/137

We do not have a 10.0.x.x Subnet. We start at 10.1.x.x

Doing a SH ARP on the PIX, does not Display the IP Address Doing a SH ARP on the Core Router, does not Display the IP Address

We have quite a Few Virtual Machines on the network and I think It is one of them.

If I could at least get a MAC address I could figure out if it is really a VM, or something else.

If the PIX is seeing the Packet, how can I get the MAC address from it?

Thanks, Scott

Reply to
Scott Townsend
Loading thread data ...

Can you successfully ping or traceroute 10.0.0.9 from the PIX? The results might help isolate where the source is located. Take a look at the PIX route table to see how it would go back to 10.0.0.9.

Each router hop, ping and traceroute to 10.0.0.9 or do a 'show ip route 10.0.0.9' to see where the source is located.

HTH

Reply to
brickwalls19

Reply to
erik.freitag

The OP says he does not have a 10.0.x.x so it doesn't seem likely that the PIX would have a route to it.

We have similar messages from our FWSM logging packets from systems using 169.254 addresses because they've failed to get a DHCP response (we don't use dynamic address assignment on the network in question - we expect to register everything).

Stick a network monitor somewhere useful. That may not be on or near the PIX interface itself because if the packet has come from behind your core router then it will have the MAC address of the router, not the originating station. If the core router is a Cisco then SPAN or VACLs may help.

Sam

Reply to
Sam Wilson

I think that would only work if the PIX ARPed for or received an ARP from that address. If the packet came from behind the core router then, even if that router were doing proxy ARP, the packet would have come from the router MAC address.

SAm

Reply to
Sam Wilson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.