Hello all! We have a fairly typical ASA 5550 setup, with all but one subnet of our 22.214.171.124 address space "inside" and one subnet 126.96.36.199 "dmz" (outside):
ip address 188.8.131.52 255.255.255.0
ip address 184.108.40.206 255.255.255.0
We are getting flooded with these, hundreds per second:
Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 220.127.116.11/1030 to 18.104.22.168/38293 on interface inside
The message isn't really 100% clear to me, but it seems to imply there are packets from 22.214.171.124 arriving on the "dmz" interface, trying to be routed to 126.96.36.199 "inside", because the word "inbound" implies a packet coming from a lower to higher security-level.
Is this correct? If so, a logical explanation is that someone has plugged the 188.8.131.52 net, which is supposed to be inside, into a dumb hub on the DMZ somewhere.
Otherwise, if the packet is arriving on the inside interface, it could be a symptom of a severe unicast flooding problem. Even so, I don't see why the ASA ought to care, since my routes point all the inside nets except my DMZ to inside, and the ASA sees 184.108.40.206 on "inside" in the arp table:
# sh route
S 0.0.0.0 0.0.0.0 [1/0] via 220.127.116.11, dmz
S 10.0.0.0 255.0.0.0 [1/0] via 18.104.22.168, inside
S 22.214.171.124 255.255.0.0 [1/0] via 126.96.36.199, inside
C 188.8.131.52 255.255.255.0 is directly connected, inside
C 184.108.40.206 255.255.255.0 is directly connected, dmz
# show arp | include 141
inside 220.127.116.11 0011.43e4.cb0d
I need to fix this; it makes syslog rather useless, eh?
BTW, this also caused "fixup dns" to blow up DNS connectivity later in the day, about 6 hours after putting the firewall inline; I had to "no fixup dns" to get it working again.
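Added example (not part of the original post): a small Python script that parses %ASA-2-106006 lines of the shape quoted above together with a "show route" table, counts which (source, ingress interface) pairs are generating the flood, and flags any packet whose ingress interface differs from the interface the ASA would route its source address out of, which is the mis-plug / wrong-segment case the post suspects. The syslog lines and route table below are constructed samples using RFC 5737 documentation addresses (192.0.2.0/24 standing in for "inside", 198.51.100.0/24 for "dmz"), not the poster's real data; the check only tests ingress consistency against the route table and does not by itself explain why the ASA denied a packet.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (not from the original post): a few %ASA-2-106006
# lines in the same shape as the one quoted above, using RFC 5737
# documentation addresses. 192.0.2.0/24 plays the "inside" net and
# 198.51.100.0/24 the "dmz" net.
SAMPLE_SYSLOG = """\
Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 192.0.2.50/1030 to 198.51.100.10/38293 on interface inside
Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 192.0.2.50/1031 to 198.51.100.10/38293 on interface inside
Aug 23 2009 15:36:12: %ASA-2-106006: Deny inbound UDP from 192.0.2.51/2000 to 198.51.100.10/53 on interface dmz
Aug 23 2009 15:36:12: %ASA-2-106006: Deny inbound UDP from 203.0.113.7/40000 to 192.0.2.20/161 on interface dmz
"""

# Constructed "show route" output for the same two interfaces.
SAMPLE_ROUTES = """\
S 0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, dmz
C 192.0.2.0 255.255.255.0 is directly connected, inside
C 198.51.100.0 255.255.255.0 is directly connected, dmz
"""

LOG_RE = re.compile(
    r"%ASA-\d-106006: Deny inbound (?P<proto>\w+) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)
# Both static ("S ... via X, iface") and connected ("C ... is directly
# connected, iface") route lines end with ", <interface>".
ROUTE_RE = re.compile(
    r"^[SC]\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+.*,\s*(?P<iface>\S+)\s*$"
)


def parse_routes(text):
    """Return [(network, interface)] sorted longest-prefix first."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["iface"]))
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def lookup_iface(routes, ip):
    """Longest-prefix match: which interface would the ASA use to reach ip?"""
    addr = ipaddress.ip_address(ip)
    for net, iface in routes:
        if addr in net:
            return iface
    return None


def parse_events(text):
    """Extract the fields of every 106006 line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def find_misplaced_sources(events, routes):
    """Flag packets whose ingress interface is not the interface the ASA
    would route the source address out of. A source from the inside net
    seen on dmz (or the reverse) is the mis-plug / spoofing case the post
    suspects. This is an ingress-consistency check only; it does not say
    why the ASA denied the packet."""
    flagged = []
    for ev in events:
        expected = lookup_iface(routes, ev["src"])
        if expected is not None and expected != ev["iface"]:
            flagged.append({**ev, "expected_iface": expected})
    return flagged


def top_talkers(events, n=5):
    """Count (source, ingress interface) pairs to see who is flooding."""
    return Counter((ev["src"], ev["iface"]) for ev in events).most_common(n)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    events = parse_events(SAMPLE_SYSLOG)
    for (src, iface), count in top_talkers(events):
        print(f"{count:6d}  {src:15s} on {iface}")
    for ev in find_misplaced_sources(events, routes):
        print(f"{ev['src']} arrived on {ev['iface']} but is routed via {ev['expected_iface']}")
```

Feed it a real syslog capture and the output of "show route" instead of the constructed samples; the top-talker list tells you which host to trace, and any flagged line points at a host whose traffic is entering on the wrong security zone.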