Result:
input-interface: INTERNAL
input-status: up
input-line-status: up
output-interface: EXTERNAL
output-status: up
output-line-status: up

Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
Result of the command: "show running-config"
ASA Version 8.4(5)
!
interface Ethernet0/0
 nameif INTERNAL
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/1
 nameif TMG
 security-level 90
 ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif EXTERNAL
 security-level 0
 ip address 192.168.3.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 management-only
!
ftp mode passive
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network Mail-Server
 host 192.168.1.13
access-list EXTERNAL_access extended permit tcp any object Mail-Server eq smtp
pager lines 24
logging asdm informational
mtu INTERNAL 1500
mtu EXTERNAL 1500
mtu management 1500
mtu TMG 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Mail-Server
 nat (INTERNAL,EXTERNAL) static 192.168.3.10
!
nat (INTERNAL,EXTERNAL) after-auto source dynamic OBJ_GENERIC_ALL interface
nat (TMG,EXTERNAL) after-auto source dynamic OBJ_GENERIC_ALL interface
access-group EXTERNAL_access in interface EXTERNAL
route EXTERNAL 0.0.0.0 0.0.0.0 192.168.3.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 INTERNAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d6ec33d7249eec7c088f95b9d3827d9c
: end
My question is: what is "sp-security" and why does it drop my packets?
Here are the reasons why the packet might be dropped due to this reason:
Slowpath security checks failed:
This counter is incremented and the packet is dropped when the security appliance is:
1) In routed mode receives a through-the-box:
- L2 broadcast packet
- IPv4 packet with destination IP address equal to 0.0.0.0
- IPv4 packet with source IP address equal to 0.0.0.0
2) In routed or transparent mode and receives a through-the-box IPv4 packet with:
- first octet of the source IP address equal to zero
- source IP address equal to the loopback IP address
- network part of source IP address equal to all 0's
- network part of the source IP address equal to all 1's
- source IP address host part equal to all 0's or all 1's
3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source and destination IP addresses
1 and 2) Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
3) If this message counter is incrementing rapidly, an attack may be in progress. Use the packet capture feature to capture type asp packets, and check the source MAC address in the packet to see where they are coming from.
1 and 2) 106016
Error Message %ASA-2-106016: Deny IP spoof from ( IP_address ) to IP_address on interface interface_name.
Explanation A packet arrived at the ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the ASA interface. In addition, this message is generated when the ASA discarded a packet with an invalid source address, which may include one of the following or some other invalid address:
Loopback network (127.0.0.0)
Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
The destination host (land.c)
To further enhance spoof packet detection, use the icmp command to configure the ASA to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.
Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
Error Message %ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address
Explanation The ASA received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
Please don't forget to rate and mark the post as correct!
Let me know if there are further questions regarding this.
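The slowpath security checks listed in the answer above, reimplemented as an added Python example (not code from the original post or from Cisco) so that source/destination pairs pulled from a capture can be triaged offline and mapped to the syslog IDs the answer names (106016 for checks 1 and 2, 106017 for check 3). Assumptions: the interface networks are taken from the running config in the question, the "network part" / "host part" tests use the prefix length of the ingress interface (the page does not say which mask the ASA uses), and the sample packets are constructed.

```python
import ipaddress

# Constructed from the running config in the question: interface networks.
INTERFACES = {
    "INTERNAL": ipaddress.ip_network("192.168.1.0/24"),
    "TMG": ipaddress.ip_network("192.168.2.0/24"),
    "EXTERNAL": ipaddress.ip_network("192.168.3.0/24"),
}

ZERO4 = ipaddress.ip_address("0.0.0.0")


def sp_security_check(src, dst, ingress_net=None, l2_broadcast=False):
    """Return the list of (syslog_id, reason) tuples a packet would trip.

    An empty list means the packet passes the slowpath security checks.
    Checks 1 and 2 from the answer map to %ASA-2-106016 (spoof), check 3
    to %ASA-2-106017 (land). Assumption (not stated by the page): the
    network-part / host-part tests use the prefix length of ingress_net.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    reasons = []

    # Check 3: IPv4 or IPv6 packet with identical source and destination.
    if src == dst:
        reasons.append(("106017", "source equals destination (land attack)"))

    # Check 1 (routed mode): through-the-box L2 broadcast or 0.0.0.0 endpoints.
    if l2_broadcast:
        reasons.append(("106016", "L2 broadcast through the box"))
    if src.version != 4:
        return reasons
    if dst == ZERO4:
        reasons.append(("106016", "destination address 0.0.0.0"))
    if src == ZERO4:
        reasons.append(("106016", "source address 0.0.0.0"))

    # Check 2 (routed or transparent): invalid IPv4 source address forms.
    if src.packed[0] == 0:
        reasons.append(("106016", "first octet of source is zero"))
    if src.is_loopback:
        reasons.append(("106016", "source is a loopback address"))
    if ingress_net is not None and ingress_net.version == 4:
        host_bits = 32 - ingress_net.prefixlen
        host_mask = (1 << host_bits) - 1
        net_part = int(src) >> host_bits
        host_part = int(src) & host_mask
        if net_part == 0:
            reasons.append(("106016", "network part of source is all zeros"))
        if net_part == (1 << ingress_net.prefixlen) - 1:
            reasons.append(("106016", "network part of source is all ones"))
        if host_bits > 0 and host_part in (0, host_mask):
            reasons.append(("106016", "host part of source is all zeros or all ones"))
    return reasons


# Constructed sample packets: (src, dst, ingress interface name, L2 broadcast?)
SAMPLE_PACKETS = [
    ("192.168.1.13", "192.168.3.1", "INTERNAL", False),   # legitimate mail-server egress
    ("192.168.1.0", "192.168.3.1", "INTERNAL", False),    # host part all zeros
    ("192.168.1.255", "192.168.3.1", "INTERNAL", False),  # host part all ones
    ("127.0.0.1", "192.168.3.1", "INTERNAL", False),      # loopback source
    ("0.0.0.0", "192.168.3.1", "INTERNAL", False),        # unset source address
    ("192.168.3.10", "192.168.3.10", "EXTERNAL", False),  # land: src == dst
]


def triage(packets=SAMPLE_PACKETS):
    """Map (src, dst) of every packet that would be dropped to its reasons."""
    dropped = {}
    for src, dst, ifname, bcast in packets:
        reasons = sp_security_check(src, dst, INTERFACES[ifname], bcast)
        if reasons:
            dropped[(src, dst)] = reasons
    return dropped


if __name__ == "__main__":
    for (src, dst), reasons in triage().items():
        for syslog_id, why in reasons:
            print(f"{src} -> {dst}: drop (%ASA-2-{syslog_id}) {why}")
```

Feeding the script the src/dst pairs from a `capture type asp-drop` export tells you which of the listed conditions each dropped packet hits; a run of hits from one source in a short window is the "counter incrementing rapidly" case the answer says to investigate by checking the source MAC in the capture.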