What does this ASA Syslog message signify?

saidfrh
Level 1

05-06-2008 08:03:22 Local4.Warning 192.168.1.10 May 06 2008 08:02:30: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside

05-06-2008 08:02:17 Local4.Warning 192.168.1.10 May 06 2008 08:01:25: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside

05-06-2008 08:01:52 Local4.Warning 192.168.1.10 May 06 2008 08:01:00: %ASA-4-405001: Received ARP request collision from 192.168.1.182/0012.f07e.b6b9 on interface Inside

2 Replies

saidfrh
Level 1

I looked up the syslog message on http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1146532

I cannot ping 192.168.1.182 on our LAN. Any suggestions?

Explanation: The firewall received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.

Recommended Action: This traffic might be legitimate, or it might indicate that an ARP poisoning attack is in progress. Check the source MAC address to determine where the packets are coming from and check to see if it belongs to a valid host.

As the recommended action dictates, verify whether the MAC address that corresponds to 192.168.1.182 is legitimate or whether it is an ARP poisoning (spoofing) attack. You should be able to verify that by checking the MAC address table of the switch(es) and looking for the logged MAC address; that would lead you to the port the PC or whatever device is connected to.

HTH

Sundar
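
An added example, not part of the original thread: a small Python parser for the 405001 lines quoted in the question, grouping the reported MAC addresses per IP so it is clear which addresses to look up in the switch MAC address table. The regular expression assumes the message layout seen in those three lines (plus a "response" variant and the PIX prefix); the function names are illustrative.

```python
import re
from collections import defaultdict

# The three syslog lines quoted in the question above.
SAMPLE_LOG = """\
05-06-2008 08:03:22 Local4.Warning 192.168.1.10 May 06 2008 08:02:30: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside
05-06-2008 08:02:17 Local4.Warning 192.168.1.10 May 06 2008 08:01:25: %ASA-4-405001: Received ARP request collision from 192.168.1.182/001d.7e0a.0a70 on interface Inside
05-06-2008 08:01:52 Local4.Warning 192.168.1.10 May 06 2008 08:01:00: %ASA-4-405001: Received ARP request collision from 192.168.1.182/0012.f07e.b6b9 on interface Inside
"""

# Assumed layout: "... collision from <IP>/<MAC in Cisco dotted form> on interface <name>"
COLLISION = re.compile(
    r"%(?:ASA|PIX)-4-405001: Received ARP (?:request|response) collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on interface (?P<ifc>\S+)",
    re.IGNORECASE,
)

def collisions_by_ip(log_text):
    """Map each IP named in a 405001 message to {mac: number of messages}.
    Every MAC listed here differed from the firewall's ARP cache entry
    at the time the message was logged."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = COLLISION.search(line)
        if m:
            seen[m["ip"]][m["mac"].lower()] += 1
    return {ip: dict(macs) for ip, macs in seen.items()}

def contested_ips(log_text):
    """IPs reported with more than one MAC: trace each MAC to a switch port."""
    return {ip: sorted(macs)
            for ip, macs in collisions_by_ip(log_text).items() if len(macs) > 1}

def to_colon_mac(mac):
    """Cisco 'aabb.ccdd.eeff' -> 'aa:bb:cc:dd:ee:ff' for host inventory lookups."""
    digits = mac.replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

if __name__ == "__main__":
    for ip, macs in contested_ips(SAMPLE_LOG).items():
        print(ip, "claimed by:", ", ".join(f"{m} ({to_colon_mac(m)})" for m in macs))
```

On the lines from this thread it reports 192.168.1.182 with two different MAC addresses, so both need to be located in the switch MAC address table.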