Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6401
Views
0
Helpful
3
Replies

Land Attack False Positive for Internal Hosts

Go to solution
remitprosupport
Level 1
Level 1

‎11-22-2010 08:30 AM - edited ‎03-11-2019 12:12 PM

Hello all...

I have two hosts on "inside" networks. One is a jabber server, and the other a client trying to connect to that server.

The jabber server's IP address is 192.168.100.19, and the client has a DHCP assigned address of 192.168.150.19. Other clients on the 150.X have no trouble getting to the jabber server.

When I try to connect to the server, I see an xlate opened in the live log, but I also get the following message: "Deny IP due to Land Attack from <server name> to <server name>".

Obviously the firewall's confused about the source IP address and port of the requests. If I manually assign a different IP address to the client it can connect. I guess I could clear the xlate table to remedy this issue, but has this happened to anyone else, and can anyone suggest what might cause this?

A bug in version 8.2(3) perhaps?

Thanks!

Dan

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-22-2010 09:10 AM

We should jump into conclusions about bugs yet.

Is the firewall translating the client to the servers ip address 192.168.100.19?

Is the response from the server flagged as LAND attack?

You need to first identify which packet is flagged as land attack and if it is normal. For example if the client was translated to the servers ip address then the response might indeed be flagged as LAND attack, because the LAN checks are before the NAT.

I hope it helps.

PK

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-22-2010 09:10 AM

We should jump into conclusions about bugs yet.

Is the firewall translating the client to the servers ip address 192.168.100.19?

Is the response from the server flagged as LAND attack?

You need to first identify which packet is flagged as land attack and if it is normal. For example if the client was translated to the servers ip address then the response might indeed be flagged as LAND attack, because the LAN checks are before the NAT.

I hope it helps.

PK

0 Helpful

Go to solution
remitprosupport
Level 1
Level 1
In response to Panos Kampanakis

‎11-22-2010 09:23 AM

That was it! I had a nat rule with a typo that was translating the client address to the server address.

Thanks for the assist...

Dan

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to remitprosupport

‎11-22-2010 09:33 AM

Glad we got it.

Take care,

PK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card