We get these from the phones which are part of an ethernet/IP phone system when they come in over an IPSec tunnel with a separate subnet at the other end and are trying to contact the switch. The local tunnel endpoint is not running on the default gateway (and no way to set routes on idiot phone switch), so there is a route on the default gateway machine to send the packets to the machine with the tunnel endpoint (certainly not an optimal network configuration, but it works for everything else). The box with the VPN endpoint then drops the martian packets (could turn that off, I suppose). The expedient course of action was to change the default route on the phone switch so that it points to the VPN gateway, and then they're not considered "martian". So far that hasn't broken anything else; I suppose if it does we'll have to add a route to the VPN box so that it redirects "normal" traffic to the default gateway.. :-\ -- Fred Morris fredm3047@inwa.net (I-ACK)