Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

%ASA-2-106016: Deny IP spoof from (0.0.0.0) to <public ip> on interface <inside interface>

I want to know the reason behind below logs on my ASA 5585 ssp-60 (version 8.4.5)

 

Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface ByteMobile_Traffic
Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface ByteMobile_Traffic

 

I know this is failing due to unicast RPF failure but the traffic is coming from another inside interface towards ByteMobile_Traffic interface. I have taken a capture for 3 sample destination IPs in these logs and could see different behavior for all. Multiple IPs are communicating with them.

 

Below was the capture I had done :

 

capture spoof access-list spoof interface ByteMobile_Traffic circular-buffer


access-list spoof extended permit ip any host 74.125.68.188
access-list spoof extended permit ip any host 219.136.248.47
access-list spoof extended permit ip any host 223.4.132.77
access-list spoof extended permit ip host 223.4.132.77 any
access-list spoof extended permit ip host 219.136.248.47 any
access-list spoof extended permit ip host 74.125.68.188 any

 


GIFRCHN01/act# sh access-list spoof
access-list spoof; 6 elements; name hash: 0x71e7c030
access-list spoof line 1 extended permit ip any host 74.125.68.188 (hitcnt=34783) 0x07461f73 
access-list spoof line 2 extended permit ip any host 219.136.248.47 (hitcnt=2) 0x84155be7 
access-list spoof line 3 extended permit ip any host 223.4.132.77 (hitcnt=2391) 0x86d15b72 
access-list spoof line 4 extended permit ip host 223.4.132.77 any (hitcnt=0) 0x5cda909f 
access-list spoof line 5 extended permit ip host 219.136.248.47 any (hitcnt=0) 0x4e6d6b11 
access-list spoof line 6 extended permit ip host 74.125.68.188 any (hitcnt=41686) 0xbfc5d6bd 

**** I am not able to attach the pcap file here, which i had catured as above ********

But for the first IP 74.125.68.188 I could see huge hits and the communication was happening on port 5228 hpvroom with multiple other IPs from my internal private ranges.

just to inform, this traffic is from 3G and 4G network So it comes from my GGSN (ASR 5000) to my SGSN GW which then routes it torwards the

 

2 REPLIES
New Member

Can I assume that you have

Can I assume that you have configured the interface (physical or port-channel) as a sub-interface?  You will have to prune the VLANs that are coming up to the ASA on the switch.  As well you will want to make the native VLAN something different than VLAN 1.  A couple of those spoof's appear to be to the broadcast address.

New Member

Yes I have sub interfaces on

Yes I have sub interfaces on the port channels. Not sure if customer will allow to change the native vlan

1064
Views
0
Helpful
2
Replies
CreatePlease login to create content