What does this ASA Syslog message signify?

Unanswered Question
May 6th, 2008

05-06-2008 08:03:22 Local4.Warning 192.168.1.10 May 06 2008 08:02:30: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside


05-06-2008 08:02:17 Local4.Warning 192.168.1.10 May 06 2008 08:01:25: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside


05-06-2008 08:01:52 Local4.Warning 192.168.1.10 May 06 2008 08:01:00: %ASA-4-405001: Received ARP request collision from 192.168.1.182/0012.f07e.b6b9 on interface Inside


saidfrh Tue, 05/06/2008 - 07:39

I looked up the syslog message on http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1146532

I cannot ping 192.168.1.182 on our LAN. Any suggestions?


Explanation The firewall received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.


Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.

sundar.palaniappan Tue, 05/06/2008 - 16:23

As the recommended action dictates, verify whether the MAC address that corresponds to 192.168.1.182 is legitimate or whether it is an ARP poisoning (spoofing) attack. You should be able to verify that by checking the MAC address table of the switch(es) and looking for the logged MAC address; that would lead you to the port the PC or whatever device is connected to.


HTH


Sundar
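
As an added example (not part of the original thread), the Python sketch below groups 405001 messages by interface and IP address and lists every source MAC logged for each, which gives the MAC addresses to look up in the switch MAC address table. The sample input is the three log lines from the question; the function names are illustrative.

```python
import re
from collections import defaultdict

# The three messages from the question, syslog-server prefix included.
SAMPLE_LOG = """\
05-06-2008 08:03:22 Local4.Warning 192.168.1.10 May 06 2008 08:02:30: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside
05-06-2008 08:02:17 Local4.Warning 192.168.1.10 May 06 2008 08:01:25: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside
05-06-2008 08:01:52 Local4.Warning 192.168.1.10 May 06 2008 08:01:00: %ASA-4-405001: Received ARP request collision from 192.168.1.182/0012.f07e.b6b9 on interface Inside
"""

# Message body as it appears in the lines above (request or response form).
COLLISION_RE = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?:ASA|PIX)-4-405001: Received ARP (?:request|response) collision "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>[0-9a-fA-F.]{14}) "
    r"on interface (?P<ifname>\S+)"
)

def parse_collisions(text):
    """Return one dict (ts, ip, mac, ifname) per 405001 message in text."""
    matches = (COLLISION_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def macs_per_ip(events):
    """Map (interface, ip) -> {mac: number of messages naming it}."""
    seen = defaultdict(lambda: defaultdict(int))
    for e in events:
        seen[(e["ifname"], e["ip"])][e["mac"].lower()] += 1
    return {key: dict(macs) for key, macs in seen.items()}

def conflicting(seen):
    """Keep only addresses for which more than one source MAC was logged."""
    return {key: macs for key, macs in seen.items() if len(macs) > 1}

def to_colon(mac):
    """Convert Cisco dotted notation to colon notation for host-side tools."""
    digits = mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

if __name__ == "__main__":
    report = conflicting(macs_per_ip(parse_collisions(SAMPLE_LOG)))
    for (ifname, ip), macs in report.items():
        print(f"{ip} on {ifname}: {len(macs)} different source MACs")
        for mac, count in sorted(macs.items()):
            print(f"  {mac} ({to_colon(mac)}) seen {count}x")
```
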
