Cisco Support Community

Is this a DoS attack? Cisco ASA

I have a client that has been having issues with their VPN connection between two sites. The primary site seems to be fine, but the VPN drops to the second site. I set up logging for the second site and everything seemed fine until I got an email early saying that the connection was down again. Around when they said it happened, I saw that logs stopped for a period of time. I first thought it was an ISP issue since there was nothing coming in from the second site. Looking more at the logs, I see a LOT of this type of message:


%ASA-1-106021: Deny TCP reverse path check from xx.xx.xx.xx to xx.xx.xx.xx on interface backup-isp


When running a constant ping to the device I am seeing a lot of dropped packets. I only get a few replies now and then. The ASA is still sending logs to our server with the same message as above.


We are using the primary connection for the VPN, but since I cannot even log in to the ASA, I can't check status or anything else. If this IS an attack, could it cause these types of issues when they are coming in on the backup-isp connection? From what I have read, the message above indicates that the ASA has blocked the attack and simply dropped the packet. I am seeing that error about 4 to 5 times a second, or at least that is what is getting to our log server.


Also, the source address in the message (from xx.xx.xx.xx) is coming from a handful of addresses.


If this is an attack, what can be best done to deal with it?




Hi,

From the ASA's perspective, traffic from xx.xx.xx.xx is coming in on the wrong interface from what is expected. You could have a routing issue when the VPN is on the backup ISP, or it could be a spoofing attack. Check the routing for the backup-isp connection.
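The reply above comes down to one question: for each source address in the %ASA-1-106021 lines, which interface does the ASA's routing table say that address should arrive on, and is it the one the packet actually came in on? The script below is an added example, not part of the original thread or of Cisco's own tooling. It parses constructed log lines modelled on the message quoted in the question (addresses are documentation ranges, not real hosts), counts denies per source, and emulates the reverse-path lookup against a hypothetical routing table (interface names "outside", "backup-isp" and "inside" are assumptions) so that a private source arriving from the internet can be told apart from a legitimate peer whose route simply points at the other ISP link.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled on the %ASA-1-106021 message quoted in
# the question. The 302013 line is there to show non-RPF messages are skipped.
SAMPLE_LOGS = """\
%ASA-1-106021: Deny TCP reverse path check from 203.0.113.7 to 198.51.100.20 on interface backup-isp
%ASA-1-106021: Deny TCP reverse path check from 203.0.113.7 to 198.51.100.20 on interface backup-isp
%ASA-1-106021: Deny UDP reverse path check from 10.20.30.40 to 198.51.100.20 on interface backup-isp
%ASA-1-106021: Deny TCP reverse path check from 203.0.113.7 to 198.51.100.20 on interface backup-isp
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.5/51000 (10.1.1.5/51000)
"""

# Hypothetical routing table (assumption, not the poster's config). The ASA's
# reverse-path check asks: does the route back to the source leave via the
# interface the packet arrived on? Longest prefix wins, as on the firewall.
ROUTES = [
    ("0.0.0.0/0", "outside"),          # default route via the primary ISP
    ("198.51.100.0/24", "backup-isp"), # the backup ISP's own network
    ("10.0.0.0/8", "inside"),          # RFC 1918 space lives behind "inside"
]

# Interfaces from which a source should never appear on an internet link.
INTERNAL_IFACES = ("inside",)

RPF_RE = re.compile(
    r"%ASA-1-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_rpf_denies(text):
    """Return (proto, src, dst, iface) for every 106021 line; other IDs are ignored."""
    out = []
    for line in text.splitlines():
        m = RPF_RE.search(line)
        if m:
            out.append((m["proto"], m["src"], m["dst"], m["iface"]))
    return out


def expected_interface(src, routes=ROUTES):
    """Longest-prefix match: the interface the ASA would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify_sources(text, routes=ROUTES, internal=INTERNAL_IFACES):
    """Per denied source: hit count, ingress interface(s), expected interface, verdict."""
    denies = parse_rpf_denies(text)
    counts = Counter(src for _, src, _, _ in denies)
    report = {}
    for src, n in counts.items():
        seen_on = sorted({iface for _, s, _, iface in denies if s == src})
        exp = expected_interface(src, routes)
        if exp is None:
            verdict = "no route to source; cannot pass RPF on any interface"
        elif exp in internal:
            verdict = "spoofed or bogon source: internal range arriving on an internet link"
        elif exp in seen_on:
            verdict = "would pass under this table; routing differed when the log was written"
        else:
            verdict = (f"routing mismatch: route points to {exp}; if {src} is a legitimate "
                       f"peer on {'/'.join(seen_on)}, add a more specific route via that link")
        report[src] = {"count": n, "seen_on": seen_on, "expected": exp, "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in sorted(classify_sources(SAMPLE_LOGS).items(),
                            key=lambda kv: -kv[1]["count"]):
        print(f"{src:15} x{info['count']:<4} seen on {info['seen_on']} "
              f"expected {info['expected']}: {info['verdict']}")
```

Run it against a real syslog export and the "routing mismatch" verdict is the one to compare with the remote VPN peer's address: if the peer shows up there, the route to it points at the primary link while its packets are arriving on backup-isp, which is the routing problem the reply describes rather than an attack. Sources that resolve to an internal interface are the spoofing case; the reverse-path check is already dropping them, and the only remaining question is whether the drop rate is high enough to hurt the box.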



