Hello all! We have a fairly typical ASA 5550 setup, with all but one subnet of our 220.127.116.11 address space "inside" and one subnet 18.104.22.168 "dmz" (outside):
ip address 22.214.171.124 255.255.255.0
ip address 126.96.36.199 255.255.255.0
We are getting flooded with these, hundreds per second:
Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 188.8.131.52/1030 to 184.108.40.206/38293 on interface inside
The message isn't really 100% clear to me, but it seems to imply there are packets from 220.127.116.11 arriving on the "dmz" interface, trying to be routed to 18.104.22.168 "inside", because the word "inbound" implies a packet coming from a lower to higher security-level.
Is this correct? If so, a logical explanation is that someone has plugged the 22.214.171.124 net, which is supposed to be inside, into a dumb hub on the DMZ somewhere.
Otherwise, if the packet is arriving on the inside interface, it could be a symptom of a severe unicast flooding problem. Even so, I don't see why the ASA ought to care, since my routes point all the inside nets except my DMZ to inside, and the ASA sees 126.96.36.199 on "inside" in the arp table:
# sh route
S 0.0.0.0 0.0.0.0 [1/0] via 188.8.131.52, dmz
S 10.0.0.0 255.0.0.0 [1/0] via 184.108.40.206, inside
S 220.127.116.11 255.255.0.0 [1/0] via 18.104.22.168, inside
C 22.214.171.124 255.255.255.0 is directly connected, inside
C 126.96.36.199 255.255.255.0 is directly connected, dmz
# show arp | include 141
inside 188.8.131.52 0011.43e4.cb0d
I need to fix this; it makes syslog rather useless, eh?
BTW this also caused "fixup dns" to blow up DNS connectivity later in the day, about 6 hr after putting the firewall inline; I had to "no fixup dns" to get it working again.
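As an added example (not from the original post): a small script that parses `%ASA-2-106006` lines of the exact form quoted above and counts the denials per ingress interface and source host, which is the quickest way to see which interface the flood is actually entering on and which host is sending it. The sample log lines and all addresses in it are constructed, not taken from the poster's network.

```python
import re
from collections import Counter

# Field layout of the ASA 106006 message:
# "%ASA-2-106006: Deny inbound <proto> from <src>/<sport> to <dst>/<dport> on interface <iface>"
ASA_106006 = re.compile(
    r"%ASA-\d-106006: Deny inbound (?P<proto>\S+) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)

def parse_106006(line):
    """Return the message fields as a dict, or None if the line is not a 106006."""
    m = ASA_106006.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count 106006 denials by (ingress interface, source host) and by (proto, dst port).

    The first counter shows which interface the packets really arrive on and from
    which host; the second shows whether one application/port dominates the flood.
    """
    by_iface_src = Counter()
    by_dport = Counter()
    for line in lines:
        rec = parse_106006(line)
        if rec is None:          # other syslog IDs are ignored
            continue
        by_iface_src[(rec["iface"], rec["src"])] += 1
        by_dport[(rec["proto"], rec["dport"])] += 1
    return by_iface_src, by_dport

# Constructed sample (RFC 5737 documentation addresses, hypothetical hosts).
SAMPLE = [
    "Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1030 to 198.51.100.255/38293 on interface inside",
    "Aug 23 2009 15:36:11: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1030 to 198.51.100.255/38293 on interface inside",
    "Aug 23 2009 15:36:12: %ASA-2-106006: Deny inbound UDP from 192.0.2.10/1030 to 198.51.100.255/38293 on interface inside",
    "Aug 23 2009 15:36:12: %ASA-2-106006: Deny inbound UDP from 192.0.2.11/2048 to 198.51.100.255/38293 on interface dmz",
    "Aug 23 2009 15:36:12: %ASA-6-302015: Built outbound UDP connection 12 for inside:192.0.2.20/53 (192.0.2.20/53) to dmz:198.51.100.5/53 (198.51.100.5/53)",
]

if __name__ == "__main__":
    by_src, by_port = summarize(SAMPLE)
    for (iface, src), n in by_src.most_common():
        print(f"{n:6d}  interface={iface:<8} src={src}")
    for (proto, dport), n in by_port.most_common():
        print(f"{n:6d}  {proto}/{dport}")
```

Pipe real syslog through `summarize()` (one line per entry) and the top entries of the first counter identify the interface and host to go looking for.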