05-06-2008 07:13 AM - edited 03-11-2019 05:40 AM
05-06-2008 08:03:22 Local4.Warning 192.168.1.10 May 06 2008 08:02:30: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside
05-06-2008 08:02:17 Local4.Warning 192.168.1.10 May 06 2008 08:01:25: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside
05-06-2008 08:01:52 Local4.Warning 192.168.1.10 May 06 2008 08:01:00: %ASA-4-405001: Received ARP request collision from 192.168.1.182/0012.f07e.b6b9 on interface Inside
05-06-2008 07:39 AM
I looked up the syslog message on http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1146532
I cannot ping 192.168.1.182 on our LAN. Any suggestions?
Explanation: The firewall received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
Recommended Action: This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.
05-06-2008 04:23 PM
As the recommended action dictates, verify whether the MAC address that corresponds to 192.168.1.182 is legitimate or whether it is an ARP poisoning (spoofing) attack. You should be able to verify that by checking the MAC address table of the switch(es) and looking for the logged MAC address; that would lead you to the port the PC or whatever device is connected to.
HTH
Sundar
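As an added example (not part of the original posts and not Cisco code), the triage step discussed above can be scripted: parse the %ASA-4-405001 messages and list every IP that was reported with more than one MAC, which gives the addresses to look up in the switch MAC address table. The function names are hypothetical, and the sample input is the three log lines quoted in the first post.

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
05-06-2008 08:03:22 Local4.Warning 192.168.1.10 May 06 2008 08:02:30: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside
05-06-2008 08:02:17 Local4.Warning 192.168.1.10 May 06 2008 08:01:25: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside
05-06-2008 08:01:52 Local4.Warning 192.168.1.10 May 06 2008 08:01:00: %ASA-4-405001: Received ARP request collision from 192.168.1.182/0012.f07e.b6b9 on interface Inside
"""

# Matches the message as it appears above; "response" is accepted as well,
# since the message can report either ARP packet type.
COLLISION_RE = re.compile(
    r"%ASA-4-405001: Received ARP (?:request|response) collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<ifc>\S+)",
    re.IGNORECASE,
)

def parse_collisions(text):
    """Return (ip, mac, interface) for each 405001 message in text."""
    return [(m["ip"], m["mac"].lower(), m["ifc"])
            for m in COLLISION_RE.finditer(text)]

def macs_by_ip(text):
    """Count how often each MAC was reported for each colliding IP."""
    seen = defaultdict(Counter)
    for ip, mac, _ifc in parse_collisions(text):
        seen[ip][mac] += 1
    return seen

def multi_mac_ips(text):
    """IPs reported with more than one MAC: trace these on the switch first."""
    return {ip: sorted(c) for ip, c in macs_by_ip(text).items() if len(c) > 1}

def oui(mac):
    """First three bytes of a Cisco dotted MAC, for a vendor lookup."""
    return mac.replace(".", "")[:6]

if __name__ == "__main__":
    for ip, counts in macs_by_ip(SAMPLE_LOG).items():
        flag = "MULTIPLE MACS" if len(counts) > 1 else "single MAC"
        print(f"{ip}: {flag}")
        for mac, n in counts.most_common():
            print(f"  {mac} (OUI {oui(mac)}) seen {n}x")
```

On the logs in this thread it flags 192.168.1.182 with two different MAC addresses, so both need to be traced to a switch port.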