Hello all! We have a fairly typical ASA 5550 setup, with all but one subnet of our 18.104.22.168 address space "inside" and one subnet 22.214.171.124 "dmz" (outside):
ip address 126.96.36.199 255.255.255.0
ip address 188.8.131.52 255.255.255.0
We are getting flooded with these, hundreds per second:
Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 184.108.40.206/1030 to 220.127.116.11/38293 on interface inside
The message isn't really 100% clear to me, but it seems to imply there are packets from 18.104.22.168 arriving on the "dmz" interface, trying to be routed to 22.214.171.124 "inside", because the word "inbound" implies a packet coming from a lower to higher security-level.
Is this correct? If so, a logical explanation is that someone has plugged the 126.96.36.199 net, which is supposed to be inside, into a dumb hub on the DMZ somewhere.
Otherwise, if the packet is arriving on the inside interface, it could be a symptom of a severe unicast flooding problem. Even so, I don't see why the ASA ought to care, since my routes point all the inside nets except my DMZ to inside, and the ASA sees 188.8.131.52 on "inside" in the ARP table:
# sh route
S 0.0.0.0 0.0.0.0 [1/0] via 184.108.40.206, dmz
S 10.0.0.0 255.0.0.0 [1/0] via 220.127.116.11, inside
S 18.104.22.168 255.255.0.0 [1/0] via 22.214.171.124, inside
C 126.96.36.199 255.255.255.0 is directly connected, inside
C 188.8.131.52 255.255.255.0 is directly connected, dmz
# show arp | include 141
inside 184.108.40.206 0011.43e4.cb0d
I need to fix this; it makes syslog rather useless, eh?
BTW, this also caused "fixup dns" to blow up DNS connectivity later in the day, about 6 hr after putting the firewall inline; I had to "no fixup dns" to get it working again.
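Added example (not part of the original post): a small triage script for a flood of %ASA-2-106006 lines like the one above. It parses the deny messages, counts repeats per (source, destination, port, ingress interface) so the noisiest flows surface, and checks whether the source address of each denied packet belongs to a subnet that the firewall's addressing plan places on a different interface, which is the "host plugged into the wrong segment" hypothesis raised in the post. The interface-to-subnet map and the sample log lines are constructed for the example using RFC 5737 documentation addresses; substitute the real interface subnets before running it against an actual syslog file.

```python
import ipaddress
import re
from collections import Counter

# Regex for the ASA 106006 deny line in the format shown in the post.
LINE_RE = re.compile(
    r"%ASA-\d-106006: Deny inbound (?P<proto>\w+) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\w+)"
)

# Hypothetical addressing plan (constructed): which subnets are expected
# behind each interface. Replace with the real "inside"/"dmz" subnets.
INTERFACE_NETS = {
    "inside": [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample syslog excerpt: three repeats of one denied flow on
# "inside", two denies on "dmz" whose source belongs to the inside net,
# and one unrelated message that the parser should skip.
SAMPLE_LOG = [
    "Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1030 to 10.1.1.5/38293 on interface inside",
    "Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1030 to 10.1.1.5/38293 on interface inside",
    "Aug 23 2009 15:36:12: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1030 to 10.1.1.5/38293 on interface inside",
    "Aug 23 2009 15:36:12: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1031 to 10.1.1.5/53 on interface dmz",
    "Aug 23 2009 15:36:13: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1032 to 10.1.1.5/53 on interface dmz",
    "Aug 23 2009 15:36:13: %ASA-6-302015: Built outbound UDP connection 4711 for dmz:198.51.100.7/123 to inside:10.1.1.9/123",
]


def parse_line(line):
    """Return a dict for a 106006 deny line, or None for any other message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def expected_interface(addr):
    """Interface whose configured subnets contain addr, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for iface, nets in INTERFACE_NETS.items():
        if any(ip in net for net in nets):
            return iface
    return None


def analyze(lines):
    """Count denied flows and flag sources seen on an unexpected interface.

    flows:     Counter keyed by (src, dst, dport, ingress interface)
    misplaced: Counter keyed by (src, expected interface, seen interface)
    """
    flows = Counter()
    misplaced = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flows[(rec["src"], rec["dst"], rec["dport"], rec["iface"])] += 1
        exp = expected_interface(rec["src"])
        if exp is not None and exp != rec["iface"]:
            misplaced[(rec["src"], exp, rec["iface"])] += 1
    return flows, misplaced


def top_flows(flows, n=5):
    """Noisiest denied flows first, as (key, count) pairs."""
    return flows.most_common(n)


if __name__ == "__main__":
    flows, misplaced = analyze(SAMPLE_LOG)
    print("Top denied flows (src, dst, dport, iface):")
    for key, count in top_flows(flows):
        print(f"  {count:6d}  {key}")
    print("Sources arriving on an interface other than the one their subnet is on:")
    for (src, exp, seen), count in misplaced.most_common():
        print(f"  {count:6d}  {src} expected on {exp}, seen on {seen}")
```

Running it against a real log file (for example, by replacing SAMPLE_LOG with the lines of the syslog capture) gives the per-flow counts needed to decide whether this is one chatty host or broad unicast flooding, and the misplaced-source list points directly at any address that is showing up on a segment it should not be on.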