Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1543
Views
0
Helpful
4
Replies

ASA logging to Remote Syslog Server failed, ip spoofing

srdjankatic
Level 1
Level 1

‎11-02-2015 07:39 AM - edited ‎03-11-2019 11:49 PM

Hi, 

i have wierd problem, i have configured ASA A/S pair (8.6) to send syslogs to remote SIEM syslog server but traffic is blocked by asa itself with message 106016, IP spoofing detected from ...

Logging is configured to send syslogs from Inside interface to host (10.14.1.69) that is also on network where Inside interface is connected.

I have checked arp tables on switch hosting Inside network, on asa also and MAC to IP entries are fine.

EE-ASA01# sho run logg  - this is active ASA
logging enable
logging timestamp
logging buffer-size 131072
logging asdm-buffer-size 512
logging buffered debugging
logging asdm informational
logging host Inside 10.14.1.69

I have entered ip reverse lookup... command on Inside to disable spoofing but still same.

Also tried to initiate syslog sending from management interface but spoofing message persist even with another int as a source.

Same happens on different ASA A/S pair that is version 9.1.

Same "Inside" network

I have found few topics with same issues but none with answers

Do you have any idea how to solve this? All other networking appliances are doing fine, just ASA...

Thanks,

Srdjan

Labels:
0 Helpful
4 Replies 4

srdjankatic
Level 1
Level 1

‎11-02-2015 01:47 PM

Was not clear enough. traffic is blocked by asa itself with message 106016, IP spoofing detected from ... when i do packet trace. SIEM does not recieve anything but asa is not logging ip spoofing unless i do packet trace

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to srdjankatic

‎11-02-2015 05:57 PM

Hi,

As per the problem description I understand that you are getting the ip spoofing syslog whenever you run packet-tracer to test the syslog traffic. I am assuming that your packet tracer looks like:

packet-tracer input inside udp <ASA-IP> <port> <syslog-server-ip> <port>

>> Running the above mentioned packet-tracer will generate a deny ip spoofing syslog message.

>> This happens because above mentioned packet-tracer when interpreted by ASA suggests that the source IP used in the packet tracer resides somewhere in the network behind inside interface.

But the ASA is also aware that the source IP used in the packet-tracer is also present on its inside interface. This condition will trigger the IP spoofing syslog and traffic will be dropped.

>> I want to understand if you are seeing the syslog deny message only while trying the packet-tracer or do you see it when the actual traffic is generated from the box.

Also feel free to correct my understanding of the issue.

Hope it helps.

R.Seth

 

0 Helpful

srdjankatic
Level 1
Level 1
In response to Rishabh Seth

‎11-03-2015 03:12 AM

Hi,

it is correct, only packet tracer generates spoofing. 

Do you notice anything unusual in my syslog cfg, looks fine to me?

I dont have access to SIEM so i cant check syslog listener.

I will check packet capture, maybe it will show does some syslog traffic is going out of Inside int.

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to srdjankatic

‎11-03-2015 03:46 AM

Hi,

Packet tracer is used to evalute configuration for pass through traffic. The ACL and NAT is not applied on the traffic which is initiated from the ASA. 

There is no issue with your configuration, the ip spoof syslog is generated because you are using ASA IP as the source IP.

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card