I have been receiving the PIX syslog 106016 messages over the past week. I have received over 50 so far today. Like others, the source address is 127.0.0.1 and the destination is one of our public IP addresses (at random). When sniffing the traffic, the source MAC address is our perimeter router. My router has a CSU/DSU module installed, so I cannot put a sniffer outside. Is there any way to see the actual source MAC address?
As Nadeem mentioned, the L2 addresses (source and dest MAC) are going to be re-written at each L3 hop. In order to find the culprit in this case, you are going to need to involve your ISP for assistance. The best bet here is to take a look at the TTL values and use some educated guesses to find out how many hops away the actual source of the packets was. Do all of the packets you captured in your trace have the same TTL? Different? If the same, you can possibly assume that the packets are all being sent from the same host. Your ISP will most likely be of little help in this though since the packets are causing no real problems on your network. But you will need to go higher up than the PIX to find the culprit.
I have seen this attack last week and it appears to be a teardrop attack in its similarity to its fragmented packet vector. It appears that packet A is being overwritten by packet B, thus its similarity to a teardrop or Pepsi attack vector. The PIX will block it because it sees a loopback address as a spoofed IP. I have tried to work with many ISPs tracking down the source of problems, and the problem is the farther away from your ISP you track back the less likely downstream ISPs will work with you. They don't have the time or resources. Good luck.
Thanks for all of your replies. The TTL is the same on all packets (120) that I have captured. I'm going to do more captures today. Is there a way I can get the source info from the syslog of the router? I compared the syslog of the router and PIX, but could not seem to find the correct match. Thanks again for all the tips.
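As an added example (not code from anyone in this thread), the following Python script does the defender-side triage the replies above describe: it pulls the 106016 "Deny IP spoof" events out of PIX syslog, counts which public addresses are being hit, and turns an observed TTL such as the 120 reported above into a guessed initial TTL and hop distance. The message layout follows the documented 106016 format; the syslog lines themselves are constructed samples.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines: three 106016 spoof denies plus one
# unrelated 106010 deny, so the filter has something to ignore.
SAMPLE_SYSLOG = """\
Mar 10 09:12:01 pix %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.17 on interface outside
Mar 10 09:12:05 pix %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.42 on interface outside
Mar 10 09:12:09 pix %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.17 on interface outside
Mar 10 09:13:00 pix %PIX-3-106010: Deny inbound tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/23
"""

# Documented shape of message 106016:
#   %PIX-2-106016: Deny IP spoof from (src) to dst on interface name
SPOOF_RE = re.compile(
    r"%PIX-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Initial TTLs most hosts and routers start with; a received TTL of 120
# most plausibly started at 128 and crossed 8 hops.
INITIAL_TTLS = (64, 128, 255)


def parse_106016(text):
    """Return one dict (src, dst, iface) per 106016 line; other messages are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := SPOOF_RE.search(line))]


def count_targets(events):
    """How often each destination address was hit, to spot a focused vs. random target."""
    return Counter(e["dst"] for e in events)


def estimate_hops(observed_ttl):
    """Guess (initial_ttl, hops_away) from the smallest common initial TTL >= observed."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} exceeds any known initial TTL")


def ttl_summary(ttls):
    """Map each distinct captured TTL to its hop estimate; one entry suggests one sender."""
    return {ttl: estimate_hops(ttl) for ttl in sorted(set(ttls))}


if __name__ == "__main__":
    events = parse_106016(SAMPLE_SYSLOG)
    print(count_targets(events))            # which public IPs are being targeted
    print(ttl_summary([120, 120, 120]))     # {120: (128, 8)} as in this thread
```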