what does this ASA Syslog message signafy?

Unanswered Question
May 6th, 2008

05-06-2008 08:03:22 Local4.Warning 192.168.1.10 May 06 2008 08:02:30: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside

05-06-2008 08:02:17 Local4.Warning 192.168.1.10 May 06 2008 08:01:25: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside

05-06-2008 08:01:52 Local4.Warning 192.168.1.10 May 06 2008 08:01:00: %ASA-4-405001: Received ARP request collision from 192.168.1.182/0012.f07e.b6b9 on interface Inside

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
saidfrh Tue, 05/06/2008 - 07:39

I looked up the syslog message on http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1146532

I can not ping 192.168.1.182 on our lAN. Any suggestions?

Explanation The firewall received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

Recommended Action This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.

sundar.palaniappan Tue, 05/06/2008 - 16:23

As the recommended action dictates verify whether the MAC address that corresponds to 192.168.1.182 is legitimate or is it an ARP poisoning (spoofing) attack. You should be able to verify that by checking the MAC address table of the switch(s) and look for the logged MAC address and that would lead you to the port the PC or whatever device is connected to.

HTH

Sundar

Actions

This Discussion