Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

UDP reverse path check

Hi,

ASA running 8.2(5).

When I enable ip spoofing on my network interfaces I see this getting logged:

Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN

This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip 10.100.100.0/24 but the interface do not have a ip address so it does not exist in the routing table I believe?

However interface INTERN do also belong to network 10.100.100.0/24 which also is the management interface and the default route for hosts in network 10.100.100.0/24, but has no vlan.

How do I solve this?

1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip 10.100.100.1?

2. give SPECTRA-LAN a ip address in the 10.100.100.0 range?

3. or ??

My routing table and interface list is:

Current available interface(s):

  DATA-BACKUP     Name of interface Redundant1.10

  DMZ             Name of interface Redundant1.900

  GUEST           Name of interface Redundant1.990

  HOSTING         Name of interface Redundant1.100

  Infrastruktur   Name of interface Redundant1.20

  Intern          Name of interface Management0/0

  OUTSIDE-BACKUP  Name of interface Redundant1.998

  PHONE           Name of interface Redundant1.200

  SPECTRA-LAN     Name of interface Redundant1.50

  outside         Name of interface Ethernet0/3

Gateway of last resort is 1.2.3.4 to network 0.0.0.0

C    172.31.0.0 255.255.255.0 is directly connected, DMZ

S    192.168.200.46 255.255.255.255 [1/0] via 1.2.3.4, outside

S    192.168.200.47 255.255.255.255 [1/0] via 1.2.3.4, outside

S    VPN-hosting 255.255.255.0 [1/0] via 192.168.200.1, outside

C    93.167.197.80 255.255.255.240 is directly connected, outside

S    10.100.110.0 255.255.255.0 [1/0] via 10.100.110.1, outside

C    10.10.10.0 255.255.255.0 is directly connected, GUEST

C    10.100.100.0 255.255.255.0 is directly connected, Intern

S    10.100.101.0 255.255.255.0 [5/0] via 10.100.100.252, Intern

S    10.100.0.0 255.255.0.0 [10/0] via 10.100.100.252, Intern

C    10.200.100.0 255.255.252.0 is directly connected, PHONE

C    10.199.1.0 255.255.255.0 is directly connected, Infrastruktur

C    10.199.0.0 255.255.255.0 is directly connected, DATA-BACKUP

C    192.168.254.0 255.255.255.0 is directly connected, HOSTING

S*   0.0.0.0 0.0.0.0 [1/0] via 1.2.3.4, outside

S    192.168.0.0 255.255.0.0 [5/0] via 192.168.254.1, HOSTING

Regards

Robert

Everyone's tags (3)
3 REPLIES
Cisco Employee

UDP reverse path check

The reason why you are seeing that error message is because 10.100.100.102 is connected to the wrong subnet/VLAN. It should have been connected to the Intern subnet/VLAN, however, it has incorrectly assigned/conencted to SPECTRA-LAN subnet.

Just configure 10.100.100.102 host correctly by assigning it to the correct VLAN, and you won't have that error anymore.

You can't have 2 VLANs in the same subnet.

New Member

Re: UDP reverse path check

As far as I can see it is not the case where I have 2 vlans in the same subnet.

Looking in ASDM I see:

Management0/0 interface = security level 100 = Intern = native vlan (ip address 10.100.100.1)

Redundant1.50 interface = security level 100 = SPECTRA-LAN = vlan50 (no ip address)

Subnet 10.100.100.0/24 must belong to vlan50.

Redundant1 is ethernet0/0 and ethernet0/1. Configuration allows communication between interfaces with same security level. All acl policies from subnet 10.100.100.0/24 is bound to interface and acl from allows all traffic to any less secure network.

I´m currently not sure how the fysical cabling is connected, but I´ll have to look as it seems traffic from subnet 10.100.100.0/24 can come in from both management0/0 and the redundant interfaces eth0/0 + eth0/1 ??

Does this make sence at all ?

Robert

Cisco Employee

Re: UDP reverse path check

As per your above statement, 10.100.100.0/24 belongs to native vlan (Intern), not vlan50 (SPECTRA-LAN).

Eventhough SPECTRA-LAN is not configured with any ip address, the subnet 10.100.100.0/24 can't belong to this vlan50 as it already belong to Intern (native vlan) subnet.

958
Views
0
Helpful
3
Replies
CreatePlease to create content