Within our 6500 we're seeing the following error messages being recorded by the FWSM syslog:
%FWSM-2-106017: Deny IP due to Land Attack from 126.96.36.199 to 2.3.4.x
I understand through my research that typically land attacks have the same source and destination IP and ports, but these do not. We receive the message 2-6 times a minute and the destination IP *always* varies (source always remains the same) across LAN segments, not just individual IPs within the 2.3.4.x segment.
Ideally I'd like to get the MAC address for the source, but nothing seems to be found in ARP tables and such. I've also attempted to run a capture on the raw-data and asp-drop to no avail. It doesn't record the packets for further review.
What else can I do to track down where this is coming from? I know the FWSM is doing its job by denying it, but I need to know if it's coming from our private network and who the troublesome host is in general.
Thank you kindly for any assistance you can provide. I'm fresh out of ideas...
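
One way to triage the 106017 messages described in the post, as an added example that is not part of the original post: it groups the events by source and reports how many destinations and segments each source touched, the event rate, and whether any event really has identical source and destination. The timestamps, hostname and addresses in the sample are constructed; only the message text follows the line quoted above, and the /24 segment grouping is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (timestamps, hostname and addresses are made up;
# the message text follows the %FWSM-2-106017 line quoted in the post).
SAMPLE_LOG = """\
Mar 10 14:02:05 fwsm1 %FWSM-2-106017: Deny IP due to Land Attack from 192.0.2.50 to 10.1.1.20
Mar 10 14:02:21 fwsm1 %FWSM-2-106017: Deny IP due to Land Attack from 192.0.2.50 to 10.1.2.31
Mar 10 14:02:48 fwsm1 %FWSM-2-106017: Deny IP due to Land Attack from 192.0.2.50 to 10.2.5.9
Mar 10 14:03:10 fwsm1 %FWSM-6-302013: Built outbound TCP connection (unrelated line)
Mar 10 14:03:30 fwsm1 %FWSM-2-106017: Deny IP due to Land Attack from 10.3.0.7 to 10.3.0.7
Mar 10 14:03:55 fwsm1 %FWSM-2-106017: Deny IP due to Land Attack from 192.0.2.50 to 10.1.1.20
"""

# Destination may be masked in logs (e.g. "2.3.4.x"), so allow a trailing "x".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*%FWSM-2-106017: Deny IP due to Land Attack "
    r"from (?P<src>[\d.]+) to (?P<dst>[\d.x]+)\s*$"
)

def summarize(log_text):
    """Group 106017 events by source address and report spread and rate."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog omits the year; a fixed leap year keeps Feb 29 parseable.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            per_src[m["src"]].append((ts, m["dst"]))
    report = {}
    for src, events in per_src.items():
        times = [t for t, _ in events]
        dsts = {d for _, d in events}
        # Floor the window at one minute so a single event does not divide by zero.
        minutes = max((max(times) - min(times)).total_seconds() / 60, 1.0)
        report[src] = {
            "events": len(events),
            "distinct_dsts": len(dsts),
            "segments": sorted({d.rsplit(".", 1)[0] for d in dsts}),  # assumed /24
            "same_src_dst": sum(1 for _, d in events if d == src),
            "per_minute": round(len(events) / minutes, 2),
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A source with `same_src_dst` of 0 and several entries in `segments` matches the pattern in the post: one fixed source, varying destinations, no literal source/destination match.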