Cisco Support Community
New Member

IPSEC Spoof detected

Hi Jazib,

May I ask you a question? I face an unsolved issue. After I tested using packet-tracer, below are the results:

Result:

input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up

Action: drop
Drop-reason: (ipsec-spoof) IPSEC Spoof detected

But when trying on "inside", it is successful.

Let me draw out my issue:

server <-connect-> pix <-connect-> router <-> pix <-connect-> user

IPsec is between the outside legs of the 2 PIX firewalls.

The server uses ports 80, 443 and 2000.

I encountered a problem accessing web services using 2000. It is OK for 80 and 443.

In the PIX, using packet-tracer, the results for all 3 ports are the same. My IPsec configuration is a simple one, end to end.

Do you know what went wrong? I really appreciate your advice and help.

Thank you.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IPSEC Spoof detected

Port 2000 is used by Skinny. If the f/w sees some application running on TCP 2000 but it's not Skinny traffic, the f/w will drop it.

Soln:

Disable inspect skinny:

policy-map global_policy
 class inspection_default
  no inspect skinny

Do rate if helpful

Regards,

Sushil
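The accepted answer gives the fix but not the checks around it. The session below is an added, constructed CLI walkthrough (not from the original thread or from Cisco) showing how to confirm that Skinny (SCCP) inspection on TCP/2000 is what drops the server traffic, apply the fix, and verify it. Assumed names: firewall prompt "pix", user host 192.168.5.20 on the "inside" interface, server 10.1.1.10 behind the far-end PIX; the `!` lines are explanatory comments, not commands.

```text
! Constructed example session, not from the original thread. Assumed: user
! 192.168.5.20 behind this PIX ("inside"), server 10.1.1.10 behind the far-end
! PIX across the IPsec tunnel. TCP/2000 is the SCCP/Skinny port, which the
! default inspection class inspects.

! 1. Trace the user's flow from the INSIDE interface. This is the leg that is
!    cleartext on entry and gets encrypted on exit, so it exercises the
!    inspection and crypto path the real traffic takes.
pix# packet-tracer input inside tcp 192.168.5.20 40000 10.1.1.10 2000 detailed

! 2. Confirm skinny inspection is applied in the global policy and is
!    seeing packets (the counters should move while the user retries).
pix# show service-policy inspect skinny

! 3. Reset the accelerated-security-path drop counters, reproduce the
!    failure from the user, and read them back.
pix# clear asp drop
pix# show asp drop

! 4. The fix from the accepted answer: remove skinny from the default
!    inspection class so TCP/2000 is treated as plain TCP.
pix# configure terminal
pix(config)# policy-map global_policy
pix(config-pmap)# class inspection_default
pix(config-pmap-c)# no inspect skinny
pix(config-pmap-c)# end
pix# write memory

! 5. Re-check: skinny no longer appears in the service policy, and the
!    same packet-tracer run now reports Action: allow.
pix# show service-policy inspect skinny
pix# packet-tracer input inside tcp 192.168.5.20 40000 10.1.1.10 2000
```

Two caveats a practitioner should keep in mind. First, packet-tracer injects an unencrypted packet; run with `input outside` against a flow that matches the crypto ACL of an established tunnel, it will report `ipsec-spoof` for every port, which is why the original post saw the same result for 80, 443 and 2000 on the outside and a success on the inside. That drop is an artifact of the test, not the port-2000 problem. Second, `no inspect skinny` in `inspection_default` turns SCCP inspection off for every flow through this firewall; if real Cisco IP phones also traverse it, scope the inspection to those hosts in a separate class instead of removing it globally.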

2 REPLIES
Silver

Re: IPSEC Spoof detected

IPSEC Spoof detected:

This counter will increment when the security appliance receives a packet which should have been encrypted but was not. The packet matched the inner header security policy check of a configured and established IPSec connection on the security appliance but was received unencrypted. This is a security issue.

Recommendation: Analyze your network traffic to determine the source of the spoofed IPSec traffic.

Refer to the following URL for more information on the syslog message related to "IPSEC Spoof detected" being the reason for the drop:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4772700

