IPSEC Spoof detected

cheehongchoo
Level 1

Hi Jazib,

May I ask you a question? I face an unsolved issue. After I tested using packet-tracer, below are the results:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected

But when trying on "inside", it is successful.

Let me draw out my issue:

server <-connect-> pix <-connect-> router <-> pix <-connect-> user

ipsec is between the outside leg of 2 pix fws

Server uses ports 80, 443 and 2000.

I encountered problem in access web services using 2000. It is ok for 80 and 443.

In the PIX, using packet-tracer, all 3 ports' results are the same. My IPsec configuration is a simple one, end to end.

Do you know what went wrong? I really appreciate your advice and help.

Thank you.

Accepted Solution

suschoud
Cisco Employee

Port 2000 is used by Skinny. If the f/w sees some application running on TCP 2000 but it's not Skinny traffic, the f/w will drop it.

Soln:

Disable inspect skinny:

policy-map global_policy
 class inspection_default
  no inspect skinny

Do rate if helpful

Regards,

Sushil
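The default inspection policy that puts TCP 2000 under Skinny inspection, next to the corrected policy and a packet-tracer re-test, as an added example that is not part of this thread or the accepted solution. The contents of the ASA 8.x default global_policy (abbreviated), the interface name "outside" and the two IP addresses are assumptions.

```cisco
! Added example, not from the thread. Assumed ASA 8.x default policy:
! class inspection_default matches default-inspection-traffic, which
! includes TCP 2000, so a non-Skinny web service on 2000 is dropped.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  ! the setting that breaks the web service on port 2000
  inspect skinny
  inspect sip
  inspect sunrpc
  inspect xdmcp
!
service-policy global_policy global
!
! Corrected: drop Skinny inspection from the default class (the
! accepted solution), then re-test the flow from the outside leg.
! 10.1.1.50 (user) and 192.168.1.10 (server) are placeholder addresses.
policy-map global_policy
 class inspection_default
  no inspect skinny
!
! Expected after the change: Action: allow instead of Action: drop.
packet-tracer input outside tcp 10.1.1.50 34567 192.168.1.10 2000 detailed
! Should no longer list an active Skinny inspection on the policy.
show service-policy inspect skinny
```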


2 Replies

smahbub
Level 6

IPSEC Spoof detected:

This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

Refer to the following URL for more information on the syslog message related to "IPSEC Spoof detected" being the reason for the drop:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4772700

