Hello all! We have a fairly typical ASA 5550 setup, with all but one subnet of our 184.108.40.206 address space "inside" and one subnet 220.127.116.11 "dmz" (outside):
ip address 18.104.22.168 255.255.255.0
ip address 22.214.171.124 255.255.255.0
We are getting flooded with these, hundreds per second:
Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 126.96.36.199/1030 to 188.8.131.52/38293 on interface inside
The message isn't really 100% clear to me, but it seems to imply there are packets from 184.108.40.206 arriving on the "dmz" interface, trying to be routed to 220.127.116.11 "inside", because the word "inbound" implies a packet coming from a lower to a higher security level.
Is this correct? If so, a logical explanation is that someone has plugged the 18.104.22.168 net, which is supposed to be inside, into a dumb hub on the DMZ somewhere.
Otherwise, if the packet is arriving on the inside interface, it could be a symptom of a severe unicast flooding problem. Even so, I don't see why the ASA ought to care, since my routes point all the inside nets except my DMZ to inside, and the ASA sees 22.214.171.124 on "inside" in the ARP table:
# sh route
S 0.0.0.0 0.0.0.0 [1/0] via 126.96.36.199, dmz
S 10.0.0.0 255.0.0.0 [1/0] via 188.8.131.52, inside
S 184.108.40.206 255.255.0.0 [1/0] via 220.127.116.11, inside
C 18.104.22.168 255.255.255.0 is directly connected, inside
C 22.214.171.124 255.255.255.0 is directly connected, dmz
# show arp | include 141
inside 126.96.36.199 0011.43e4.cb0d
I need to fix this; it makes syslog rather useless, eh?
BTW, this also caused "fixup dns" to blow up DNS connectivity later in the day, about 6 hr after putting the firewall inline; I had to "no fixup dns" to get it working again.
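The check the post is reasoning about, as an added example that is not part of the original post: parse ASA 106006 deny messages in the quoted format and flag sources whose arrival interface differs from the interface the static routes say that subnet lives behind. The routes and log lines below are constructed (RFC 5737 documentation addresses), and the code assumes the interface named in 106006 is the one the packet arrived on.

```python
import ipaddress
import re
from collections import Counter

# Message shape quoted in the post:
# "%ASA-2-106006: Deny inbound UDP from SRC/PORT to DST/PORT on interface NAME"
ASA_106006 = re.compile(
    r"%ASA-(?P<sev>\d+)-106006: Deny inbound (?P<proto>\w+) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)

# Constructed routing table (documentation ranges, not the poster's subnets):
# the interface each prefix is expected to be reachable through.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "inside",
    ipaddress.ip_network("198.51.100.0/24"): "dmz",
}

def expected_interface(addr):
    """Longest-prefix match of addr against ROUTES; None if no route covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def parse_106006(line):
    """Return the 106006 fields as a dict, or None for any other syslog line."""
    m = ASA_106006.search(line)
    return m.groupdict() if m else None

def misplaced_sources(lines):
    """Count denies per (src, arrival iface, expected iface) where they differ.

    Assumes the interface named in 106006 is the interface the packet arrived on.
    """
    hits = Counter()
    for line in lines:
        f = parse_106006(line)
        if f is None:
            continue
        want = expected_interface(f["src"])
        if want is not None and want != f["iface"]:
            hits[(f["src"], f["iface"], want)] += 1
    return hits

# Constructed sample lines in the post's format: two denies from an "inside"
# address arriving on dmz, one dmz address arriving where expected, one unrelated.
SAMPLE = [
    "Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 192.0.2.7/1030 to 198.51.100.5/38293 on interface dmz",
    "Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 192.0.2.7/1030 to 198.51.100.5/38294 on interface dmz",
    "Aug 23 2009 15:36:12: %ASA-2-106006: Deny inbound UDP from 198.51.100.9/53 to 192.0.2.20/1025 on interface dmz",
    "Aug 23 2009 15:36:12: %ASA-6-302015: Built outbound UDP connection 1 for dmz:198.51.100.5/53",
]

if __name__ == "__main__":
    for (src, seen, want), n in misplaced_sources(SAMPLE).items():
        print(f"{src}: {n} denies arriving on {seen}, but routed via {want}")
```

A source that shows up repeatedly on the wrong interface is the "plugged into the wrong segment" case the post suspects; a source that always arrives on its routed interface points instead at policy or flooding on that segment.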