
%ASA-2-106017: Deny IP due to Land Attack from <ASA's Outside Interface Static IP> to <ASA's Outside Interface Static IP>

stownsend
Level 2

 

On one of my 8 ASA firewalls I get the following about 800 times a day.

%ASA-2-106017: Deny IP due to Land Attack from <ASA's Outside Interface Static IP> to <ASA's Outside Interface Static IP>

It happens several times every hour, pretty much 24 hours a day.

This remote office is connected via a single static IP address; that address is used to NAT traffic to the Internet.

The remote office has 10 IP phones and an Active Directory domain controller, and maybe 1-3 people in the office from 9-4, so it is minimally staffed.

The remote office is connected by VPN to the HQ office, with bi-directional initiation.

 

The HQ ASA also has a couple of these logs, though they are spotty and only while people are in the office. HQ has 40 full-time people working and they are using the system pretty hard. The other 7 remote sites don't really log this event.

 

The site I'm having issues with is also having VPN connectivity issues, and I want to clear this Land Attack issue up to eliminate it as a potential issue.

I see references to this, though most are for an internal IP, not the ASA's outside interface IP.

Any suggestions on this?

Thanks!

 

13 Replies

Rishabh Seth
Level 7

Hi,

If the ASA is classifying traffic as a land attack and dropping it, then the ASA is seeing traffic with the same source and destination IP address.

Now I can think of two possibilities:

1: You have a malicious host which is continuously sending malformed packets with the same source IP and destination IP. You can capture traffic, check what the source IP is, and fix it.

2: There might be some legitimate traffic from a host which has your public IP as its destination. If you have some NAT configured for outgoing traffic, then the ASA would translate the source IP to the public IP, which would then be present in the destination IP field of the IP header as well.

 

But first try to find the source of the traffic. As you have mentioned that you have a very small setup, you can apply asp-drop captures and check the source IP of the traffic.

Capture command:

capture asp type asp-drop all

show capture asp

Remove capture: no capture asp

 

Do share your findings.

 

Hope it helps

Thanks

R Seth

R Seth, thank you for your reply.

Is there a way to send the captured packets to syslog? That way I can sift through the syslog entries for the time in which I get the Land Attack syslog entry, and I can start the capture and not worry about filling up a buffer.

 

Thanks!

Hi,

The captures cannot be sent to a syslog server.

I think you should apply captures on the inside interface. Filter traffic from any host and specify the destination as the ASA's outside interface IP.

This way you would see the source IP of the machine which is sending traffic to the ASA's public IP.

Command:

capture capi interface <ingress interface name> match ip any host <ASA outside interface IP>

To view:

show capture capi

To remove:

no capture capi

Once you see the capture, investigate the application using the source/destination port number.

Hope it helps!

Thanks 

RSeth

So they are UDP port 500 on both ends.

Which is VPN initiation traffic. Though I'm not sure if it's getting spoofed or is self-inflicted.

 

I have the pcap too.

 

MAC address of the outside interface is: 78ba.f988.b816

LAN address of the edge router is: 30:E4:DB:DC:FB:10

The edge router IP is not the same IP as the ASA's outside IP.

The packets look like:

 12:09:36.857789 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      (Outside IP).500 > (Outside IP).500:  [udp sum ok] udp 172 (ttl 254, id 8761)

 3: 12:09:36.857789       (Outside IP).500 > (Outside IP).500:  udp 172
      ISAKMP Header
        Initiator COOKIE: 8a fd 76 64 c3 c6 9d ee
        Responder COOKIE: dc db 7b 32 c0 e0 db af
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Quick Mode
        Flags: (Encryption)
        MessageID: 0BA31E91
        Length: 172
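
The decode above can be read field by field against the ISAKMP header layout in RFC 2408 section 3.1. The following is an added Python example, not code from the thread or from Cisco: it packs a header from the values in that decode (the 144-byte encrypted body is not on the page, so it is zero-filled and labelled as constructed) and parses it back, reporting the exchange type, the flags and whether the responder cookie is set.

```python
# Decode the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) carried in the UDP/500 frames.
import struct
from dataclasses import dataclass

# Initiator cookie, responder cookie, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

NEXT_PAYLOAD = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "Hash", 10: "Nonce",
                11: "Notification", 12: "Delete", 13: "VID"}
EXCHANGE_TYPE = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational",
                 32: "Quick Mode", 33: "New Group Mode"}
FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    version: str
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)

    @property
    def phase(self):
        """1 for Main/Aggressive Mode, 2 for Quick Mode, None for anything else."""
        return 1 if self.exchange_type in (2, 4) else 2 if self.exchange_type == 32 else None

    @property
    def sa_established(self) -> bool:
        """A non-zero responder cookie means the peer has already answered (RFC 2408 section 2.5.3)."""
        return any(self.responder_cookie)

    def describe(self) -> str:
        return (f"ISAKMP v{self.version} {EXCHANGE_TYPE.get(self.exchange_type, self.exchange_type)}"
                f" next={NEXT_PAYLOAD.get(self.next_payload, self.next_payload)}"
                f" flags=0x{self.flags:02x}{' (Encryption)' if self.encrypted else ''}"
                f" msgid=0x{self.message_id:08X} len={self.length}")


def parse_isakmp(udp_payload: bytes) -> IsakmpHeader:
    """Parse the header and insist that its Length field matches the UDP payload size."""
    if len(udp_payload) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ic, rc, np_, ver, xt, fl, mid, ln = ISAKMP_HDR.unpack_from(udp_payload)
    if ln != len(udp_payload):
        raise ValueError(f"length field {ln} != UDP payload {len(udp_payload)}")
    return IsakmpHeader(ic, rc, np_, f"{ver >> 4}.{ver & 0xF}", xt, fl, mid, ln)


def header_consistent(udp_payload: bytes) -> bool:
    try:
        parse_isakmp(udp_payload)
        return True
    except ValueError:
        return False


def build_isakmp(initiator: bytes, responder: bytes, next_payload: int, exchange_type: int,
                 flags: int, message_id: int, body: bytes) -> bytes:
    return ISAKMP_HDR.pack(initiator, responder, next_payload, 0x10, exchange_type, flags,
                           message_id, ISAKMP_HDR.size + len(body)) + body


# Constructed from the decode in the post: cookies, Hash next payload, Quick Mode, Encryption flag,
# message ID 0BA31E91, total length 172. The encrypted body is not on the page, so it is zero-filled.
SAMPLE_HEADER = build_isakmp(
    bytes.fromhex("8afd7664c3c69dee"), bytes.fromhex("dcdb7b32c0e0dbaf"),
    8, 32, FLAG_ENCRYPTION, 0x0BA31E91, bytes(172 - ISAKMP_HDR.size))

if __name__ == "__main__":
    print(parse_isakmp(SAMPLE_HEADER).describe())
```

Quick Mode (exchange type 32) with the Encryption flag and a non-zero responder cookie is an IKEv1 Phase 2 message on an ISAKMP SA that has already completed Phase 1, not a first SA proposal; a fresh Main Mode initiation would decode as exchange type 2 with a zero responder cookie and no Encryption flag. The parser also refuses a packet whose Length field disagrees with the UDP payload size, which is the first sanity check to run on a frame pulled out of `show capture`.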

 

Is this UDP traffic pass-through traffic for the ASA, or initiated from the ASA?

In case it is pass-through, then you might have some NAT statement that is NATing all your traffic to the outside IP.

For understanding purposes, can you describe the packet with respect to the ASA?

 

RSeth

 

I'm not sure what you are asking, though here is what I know.

Of the packets captured, they are all originating from the LAN MAC address of the edge router's inside interface to the outside MAC address of the ASA.

Internet -> Edge WAN--Edge LAN -> Outside ASA

The VPN connection between the HQ office and the remote office (the side with the Land Attacks) is bi-directional and can be initiated from either end.

HQ is 10.1.x.x and remote is 10.4.x.x

No NATing of traffic over the VPN. NETWORK_LOCAL contains the 2 local subnets and NETWORK_REMOTE contains the HQ subnets.

nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE description Do not NAT traffic to/from remote networks

VPN ACLs look like the following; there is an ACL for both the tunnel traffic and the initiation traffic, and both are symmetrical (in terms of subnets and ACLs) on the HQ ASA.

access-list jack_cryptomap_1 extended permit ip object NETWORK-IRVINE object-group NETWORK_REMOTE
access-list jack_cryptomap_1 extended permit ip object NETWORK-IRVINE-TRAINING object-group NETWORK_REMOTE

Traffic to the Internet is PATed via the outside interface's IP.

object network obj_any
 nat (any,outside) dynamic interface

 

 

 

Hi,

Instead of having the Internet-bound NAT as any to outside, can you specify the actual ingress and egress interface names?

Also, is the name of the interface towards the router outside or inside?

 

 

R.Seth

 

The traffic looks like this:

ISP <-> WAN1 -RV082- LAN <-> Outside -ASA556- Inside <-> Office Subnet

So you are saying to change the NAT to this?

object network obj_any
 nat (inside,outside) dynamic interface

Thank you,

Hi,

 

Yes, change the NAT to specific interfaces.

Also check why traffic which has the ASA's outside interface IP as its destination is passing through the ASA.

Is there any misconfiguration on any downstream device which is making it send UDP/500 traffic to the ASA's public IP?

As the public IP of the ASA is used in dynamic NAT, the UDP/500 will get source-translated and hence will result in traffic with both source and destination as the ASA's outside interface IP.

Share your findings.

 

Thanks,

R.Seth

I changed the NAT to:

object network obj_any
 nat (inside,outside) dynamic interface

That didn't seem to change much. The connection is still dropping every 6-7 hours.

The only thing I could think of is that one of the salespeople's PCs is trying to use AnyConnect even though they are already behind the firewall? That's the only thing I can see that would be generating the port 500 traffic. Though the endpoint they all have configured for AnyConnect is the HQ ASA, not the remote ASA, so I'm not sure why it would have a source/destination of the outside interface.

Given that the sending MAC address is the gateway address, it's coming from the outside, or at least the public IP subnet. There is only another little Linksys router that has some devices that I know do not support VPN.

 

 

 

So here are some captured packets and the log events for the Land Attacks. I'm not sure how to read the captured packets.

 

10/2/2015 11:53:54 AM    %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:46 AM    %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:46 AM    %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:38 AM    %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:38 AM    %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:30 AM    %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)
10/2/2015 11:53:22 AM    %ASA-2-106017: Deny IP due to Land Attack from (Outside IP) to (Outside IP)

 

 66: 11:52:11.975337 58bc.27f3.5425 0180.c200.000e 0x88cc Length: 77

                         0207 0458 bc27 f354 2404 0405 6769 3106
                         0200 780a 1a69 7276 696e 652d 6761 7465
                         7761 792d 766c 616e 2d73 7769 7463 680e
                         0400 1400 14fe 0600 80c2 0100 6800 00 Drop-reason: (l2_acl) FP L2 rule drop
  67: 11:52:12.875214 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  68: 11:52:14.875198 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  69: 11:52:16.875168 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  70: 11:52:18.875137 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  71: 11:52:19.283371 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66
      209.234.149.209.520 > 209.234.149.215.520:  [udp sum ok] udp 24 (DF) (ttl 64, id 0) Drop-reason: (sp-security-failed) Slowpath security checks failed
  72: 11:52:20.875137 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet
  73: 11:52:22.875092 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  74: 11:52:24.875092 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  75: 11:52:26.875031 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet
  76: 11:52:28.875000 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  77: 11:52:30.874985 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet
  78: 11:52:32.874970 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  79: 11:52:34.874954 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  80: 11:52:36.874924 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  81: 11:52:38.874893 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  82: 11:52:40.874863 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  83: 11:52:41.974970 58bc.27f3.5425 0180.c200.000e 0x88cc Length: 77

                         0207 0458 bc27 f354 2404 0405 6769 3106
                         0200 780a 1a69 7276 696e 652d 6761 7465
                         7761 792d 766c 616e 2d73 7769 7463 680e
                         0400 1400 14fe 0600 80c2 0100 6800 00 Drop-reason: (l2_acl) FP L2 rule drop
  84: 11:52:42.874817 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  85: 11:52:44.874817 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  86: 11:52:45.995004 58bc.27f3.5425 0100.0ccc.cccc 0x00b1 Length: 191
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  87: 11:52:46.874771 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  88: 11:52:48.874756 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  89: 11:52:49.284760 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66
      209.234.149.209.520 > 209.234.149.215.520:  [udp sum ok] udp 24 (DF) (ttl 64, id 0) Drop-reason: (sp-security-failed) Slowpath security checks failed
  90: 11:52:50.874710 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  91: 11:52:52.874710 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  92: 11:52:54.874649 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  93: 11:52:56.874603 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  94: 11:52:58.874634 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  95: 11:53:00.874603 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  96: 11:53:02.874527 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  97: 11:53:04.874512 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  98: 11:53:06.830691 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 8382) Drop-reason: (sp-security-failed) Slowpath security checks failed
  99: 11:53:06.874512 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 100: 11:53:08.874481 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 101: 11:53:10.874420 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 102: 11:53:11.974528 58bc.27f3.5425 0180.c200.000e 0x88cc Length: 77

                         0207 0458 bc27 f354 2404 0405 6769 3106
                         0200 780a 1a69 7276 696e 652d 6761 7465
                         7761 792d 766c 616e 2d73 7769 7463 680e
                         0400 1400 14fe 0600 80c2 0100 6800 00 Drop-reason: (l2_acl) FP L2 rule drop
 103: 11:53:12.874420 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 104: 11:53:14.820315 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 22594) Drop-reason: (sp-security-failed) Slowpath security checks failed
 105: 11:53:14.874359 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 106: 11:53:16.874344 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet
 107: 11:53:18.874298 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 108: 11:53:19.286056 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66
      209.234.149.209.520 > 209.234.149.215.520:  [udp sum ok] udp 24 (DF) (ttl 64, id 0) Drop-reason: (sp-security-failed) Slowpath security checks failed
 109: 11:53:20.874283 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 110: 11:53:22.816898 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 1054) Drop-reason: (sp-security-failed) Slowpath security checks failed
 111: 11:53:22.820422 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 22942) Drop-reason: (sp-security-failed) Slowpath security checks failed
 112: 11:53:22.874252 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 113: 11:53:24.874222 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 114: 11:53:26.874176 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 115: 11:53:28.874146 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 116: 11:53:30.817264 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 110
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 68 (ttl 254, id 5286) Drop-reason: (sp-security-failed) Slowpath security checks failed
 117: 11:53:30.821948 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 15889) Drop-reason: (sp-security-failed) Slowpath security checks failed
 118: 11:53:30.874115 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 119: 11:53:32.874100 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 120: 11:53:34.874085 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 121: 11:53:36.874039 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 122: 11:53:36.929227 0015.5d03.2100 ffff.ffff.ffff 0x0800 Length: 92
      10.4.0.5.137 > 10.4.255.255.137:  [udp sum ok] udp 50 (ttl 128, id 10419)
 123: 11:53:37.673655 0015.5d03.2100 ffff.ffff.ffff 0x0800 Length: 92
      10.4.0.5.137 > 10.4.255.255.137:  [udp sum ok] udp 50 (ttl 128, id 10422) Drop-reason: (sp-security-failed) Slowpath security checks failed
 124: 11:53:38.439064 0015.5d03.2100 ffff.ffff.ffff 0x0800 Length: 92
      10.4.0.5.137 > 10.4.255.255.137:  [udp sum ok] udp 50 (ttl 128, id 10424) Drop-reason: (sp-security-failed) Slowpath security checks failed
 125: 11:53:38.816058 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 1918) Drop-reason: (sp-security-failed) Slowpath security checks failed
 126: 11:53:38.874008 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 127: 11:53:40.873978 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 128: 11:53:41.974101 58bc.27f3.5425 0180.c200.000e 0x88cc Length: 77

                         0207 0458 bc27 f354 2404 0405 6769 3106
                         0200 780a 1a69 7276 696e 652d 6761 7465
                         7761 792d 766c 616e 2d73 7769 7463 680e
                         0400 1400 14fe 0600 80c2 0100 6800 00 Drop-reason: (l2_acl) FP L2 rule drop
 129: 11:53:42.873932 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet
 130: 11:53:44.873901 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 131: 11:53:45.994104 58bc.27f3.5425 0100.0ccc.cccc 0x00b1 Length: 191
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 132: 11:53:46.873871 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 133: 11:53:48.873871 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
 134: 11:53:49.287277 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66
      209.234.149.209.520 > 209.234.149.215.520:  [udp sum ok] udp 24 (DF) (ttl 64, id 0)
 135: 11:53:50.873825 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
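
Two things asked for in this thread, picking out the captured frames whose IP source equals the IP destination (which is what 106017 is keyed on) and lining them up with the syslog timestamps (since captures cannot be sent to syslog), can be done offline on the text of `show capture`. The following is an added Python example, not code from the thread or from Cisco. It assumes the capture was saved as text in the format shown above, that the capture date is known (the capture lines carry only a time of day) and that the syslog export uses the `M/D/YYYY h:mm:ss AM` layout shown above; the sample input is a constructed excerpt of the capture posted above, with the redacted `(Outside IP)` in the syslog lines replaced by the address the capture itself shows.

```python
# Parse ASA `show capture` text and line up src==dst frames with %ASA-2-106017 syslog events.
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# First line of each frame in `show capture <name>` output.
FRAME_RE = re.compile(r"^\s*(?P<num>\d+):\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<smac>[0-9a-f.]+)\s+"
                      r"(?P<dmac>[0-9a-f.]+)\s+(?P<etype>0x[0-9a-f]+)\s+Length:\s+\d+")
# IPv4 summary line ("a.b.c.d.port > w.x.y.z.port:") that follows an 0x0800 frame.
IP_RE = re.compile(r"^\s*(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
                   r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")
DROP_RE = re.compile(r"Drop-reason:\s+\((?P<reason>[^)]+)\)")
# Syslog export layout used in the thread: "M/D/YYYY h:mm:ss AM    %ASA-2-106017: ..."
SYSLOG_RE = re.compile(r"^(?P<ts>\d+/\d+/\d{4} \d+:\d\d:\d\d [AP]M)\s+%ASA-2-106017: "
                       r"Deny IP due to Land Attack from (?P<src>.+?) to (?P<dst>.+?)\s*$")


@dataclass
class Frame:
    num: int
    time: str
    smac: str
    dmac: str
    etype: str
    sip: Optional[str] = None
    sport: Optional[int] = None
    dip: Optional[str] = None
    dport: Optional[int] = None
    drop_reason: Optional[str] = None

    def is_land(self) -> bool:  # what 106017 fires on: IP source equals IP destination
        return self.sip is not None and self.sip == self.dip


def parse_capture(text: str) -> list:
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["num"]), m["time"], m["smac"], m["dmac"], m["etype"]))
        elif frames:                       # continuation line of the current frame
            cur = frames[-1]
            m = IP_RE.match(line)
            if m:
                cur.sip, cur.sport, cur.dip, cur.dport = m["sip"], int(m["sport"]), m["dip"], int(m["dport"])
            m = DROP_RE.search(line)       # sits on the IP line, an "802.3 encap" line or a hex-dump line
            if m:
                cur.drop_reason = m["reason"]
    return frames


def land_frames(frames: list) -> list:
    return [f for f in frames if f.is_land()]


def drop_reason_counts(frames: list) -> Counter:
    return Counter(f.drop_reason or "none" for f in frames)


def correlate(frames: list, syslog: str, capture_date: str, window=timedelta(seconds=2)) -> dict:
    """For each 106017 syslog line, the src==dst frame numbers captured within +/- window."""
    stamped = [(datetime.strptime(f"{capture_date} {f.time}", "%Y-%m-%d %H:%M:%S.%f"), f)
               for f in land_frames(frames)]
    hits = {}
    for line in syslog.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ev = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            hits[m["ts"]] = [f.num for t, f in stamped if abs(t - ev) <= window]
    return hits


# Constructed test input: an excerpt of the capture in the post above, frame numbers kept.
SAMPLE_CAPTURE = """\
  97: 11:53:04.874512 58bc.27f3.5425 0180.c200.0000 0x0027 Length: 60
      802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop
  98: 11:53:06.830691 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 8382) Drop-reason: (sp-security-failed) Slowpath security checks failed
 108: 11:53:19.286056 30e4.dbdc.fb10 ffff.ffff.ffff 0x0800 Length: 66
      209.234.149.209.520 > 209.234.149.215.520:  [udp sum ok] udp 24 (DF) (ttl 64, id 0) Drop-reason: (sp-security-failed) Slowpath security checks failed
 110: 11:53:22.816898 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 1054) Drop-reason: (sp-security-failed) Slowpath security checks failed
 111: 11:53:22.820422 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 214
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 172 (ttl 254, id 22942) Drop-reason: (sp-security-failed) Slowpath security checks failed
 116: 11:53:30.817264 30e4.dbdc.fb10 78ba.f988.b816 0x0800 Length: 110
      209.234.149.210.500 > 209.234.149.210.500:  [udp sum ok] udp 68 (ttl 254, id 5286) Drop-reason: (sp-security-failed) Slowpath security checks failed
 122: 11:53:36.929227 0015.5d03.2100 ffff.ffff.ffff 0x0800 Length: 92
      10.4.0.5.137 > 10.4.255.255.137:  [udp sum ok] udp 50 (ttl 128, id 10419)
"""
# Constructed from the syslog lines in the post, with the redacted "(Outside IP)" filled in from the capture.
SAMPLE_SYSLOG = """\
10/2/2015 11:53:30 AM    %ASA-2-106017: Deny IP due to Land Attack from 209.234.149.210 to 209.234.149.210
10/2/2015 11:53:22 AM    %ASA-2-106017: Deny IP due to Land Attack from 209.234.149.210 to 209.234.149.210
"""

if __name__ == "__main__":
    print(correlate(parse_capture(SAMPLE_CAPTURE), SAMPLE_SYSLOG, "2015-10-02"))
```

Run on a full `show capture` dump, `drop_reason_counts` separates the constant `l2_acl` drops of the switch's LLDP and spanning-tree frames from the `sp-security-failed` drops that matter, and each `Frame` returned by `land_frames` carries the source MAC, so the capture itself tells you which upstream device handed the src==dst packet to the outside interface.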

 

I don't see any packets for a land attack in the asp drop. Probably there is no such traffic as of now.

I think you should apply the capture on the inside interface as I have mentioned and leave it for some time.

Check the captures when you see syslog messages for the land attack.

Note: use the captures for the inside interface as I mentioned.

 

Thanks

R.Seth

I did the other capture, see below. Thank you!
