Deny IP spoof from (127.0.0.1)

sysadmin
Level 1

Greetings!

I have recently begun to receive these errors on my ASA 5510. I've done a debug when it occurs but haven't noticed any unusual traffic coming from the internal or external network.

Here's the error:

2|May 03 2010|12:04:08|106016|||||Deny IP spoof from (127.0.0.1) to OUR_EXT_IP on interface outside


Based on the message, should I be looking on the inside or outside of my fw? This is really the first time I've seen these messages so I'm sorta green to them.

If you need more logs, let me know and I can provide them here. Thanks for the help!

2 Accepted Solutions


Jennifer Halim
Cisco Employee

This is what syslog# 106016 means for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4768961

And the traffic is coming from the outside interface/external to your network.


Hi,

It could be a virus attack or it could be that someone is trying to compromise the network by sending traffic using a spoofed IP address. The best way would be to take a sniffer trace so that you could see the MAC address of the faulty machine/source.

Also, if you want to disable this log message, you can do that as well, as follows:

no logging message 106016


HTH

Ashu


Thank you both for the answers.

I figured for sure it was coming from the outside but like I said, the debug wasn't very helpful when I was looking at it.

I'll set up a mirror port on my stack for the outside and see if I can catch it. Thanks again, you've given me a great starting point.
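
An added example, not code from the thread or from Cisco: a short Python script that answers the inside-or-outside question from the logs themselves by tallying 106016 lines per ingress interface and claimed source address. It assumes the pipe-delimited layout of the log line in the question (severity, date, time, message ID, with the message text in the last field); every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Message text of syslog 106016 as quoted in the question.
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[^)]+)\) to (?P<dst>\S+) on interface (?P<ifc>\S+)"
)

# First line is the one from the question; the rest are constructed sample data.
SAMPLE = [
    "2|May 03 2010|12:04:08|106016|||||Deny IP spoof from (127.0.0.1) to OUR_EXT_IP on interface outside",
    "2|May 03 2010|12:04:11|106016|||||Deny IP spoof from (127.0.0.1) to OUR_EXT_IP on interface outside",
    "2|May 03 2010|12:05:40|106016|||||Deny IP spoof from (127.0.0.53) to OUR_EXT_IP on interface inside",
    "6|May 03 2010|12:05:41|302013|198.51.100.7|51000|203.0.113.10|443|Built inbound TCP connection",
]

def classify(src):
    """Describe the claimed source address; a label, not proof of who sent it."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_multicast:
        return "multicast"
    return "other"

def parse_line(line):
    """Return (date, time, src, dst, interface) for a 106016 line, else None."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 5 or fields[3] != "106016":
        return None
    m = SPOOF_RE.search(fields[-1])
    return (fields[1], fields[2], m["src"], m["dst"], m["ifc"]) if m else None

def summarize(lines):
    """Count 106016 hits per (ingress interface, source class, claimed source)."""
    counts = Counter()
    for hit in filter(None, map(parse_line, lines)):
        _, _, src, _, ifc = hit
        counts[(ifc, classify(src), src)] += 1
    return counts

if __name__ == "__main__":
    for (ifc, kind, src), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  interface={ifc}  claimed_src={src} ({kind})")
```

The interface with the highest count is the segment to mirror for the packet capture, since the claimed source address itself says nothing about the real sender.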
