PIX: Spurious Deny IP spoof messages for traffic to outside interface
Our PIX seems to have gone into a state where it rejects traffic to the outside interface with:
Aug 31 09:28:02 pix %PIX-2-106016: Deny IP spoof from (foo) to aaa.bbb.ccc.ddd on interface outside
Where foo in this case is a host on the same subnet as the outside interface pinging the outside interface address aaa.bbb.ccc.ddd for testing purposes. We've noticed this because people using Remote Access VPN were not able to connect.
We don't actually have anti-spoofing enabled and the configuration shows no changes (confirmed using RANCID).
I've tried enabling and then disabling anti-spoofing but this has had no effect.
All I can think of is that this is a PIX bug; on the previous occasion when this happened, about a month ago, we had to reload.
Any other ideas before I try to open a case with TAC and just reload it again?
Re: PIX: Spurious Deny IP spoof messages for traffic to outside
This message is logged when the PIX Firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:
Loopback network (127.0.0.0)
Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
The destination host
Furthermore, if the sysopt connection enforcesubnet command is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the PIX Firewall and logs this message.
To further enhance spoof packet detection, use the conduit command to configure the PIX Firewall to discard packets with source addresses belonging to the internal network.
To resolve this, determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
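As an added illustration for this thread (not code from the original posts or from Cisco): the source-address rules listed in the reply above, written out as a small Python classifier and run over a few log lines in the 106016 format. The interface table, the log lines and the 203.0.113.0/24 outside subnet are constructed for the example, and the `enforcesubnet` flag stands in for the `sysopt connection enforcesubnet` setting. The first sample line mirrors the case in the question: a host on the outside subnet sending to the outside interface address matches none of the listed rules unless the enforcesubnet rule is on.

```python
"""Added example for this thread (not Cisco code): the source-address rules that
the %PIX-2-106016 documentation lists, as a small classifier run over log lines.

Assumptions: the interface table, the log lines and the enforcesubnet flag below
are constructed for illustration; 203.0.113.0/24 stands in for the real outside
subnet."""

import ipaddress
import re

# Constructed interface table: name -> address/mask of the PIX interface.
INTERFACES = {
    "outside": ipaddress.IPv4Interface("203.0.113.10/24"),
    "inside": ipaddress.IPv4Interface("192.168.1.1/24"),
}

# Matches the 106016 text: "Deny IP spoof from (src) to dst on interface ifc".
LOG_RE = re.compile(
    r"%PIX-2-106016: Deny IP spoof from \(?(?P<src>[\d.]+)\)? "
    r"to (?P<dst>[\d.]+) on interface (?P<ifc>\S+)"
)


def classful_network(ip):
    """Classful (A/B/C) network containing ip, used for the net-directed and
    all-subnets-directed broadcast check; None for class D/E addresses."""
    first = int(ip) >> 24
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        return None
    return ipaddress.IPv4Network((ip, prefix), strict=False)


def invalid_source_reason(src, dst, interfaces, enforcesubnet=False):
    """Return which documented rule makes src an invalid source for a packet
    to dst, or None if none of the listed rules applies."""
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)

    if src_ip in ipaddress.IPv4Network("127.0.0.0/8"):
        return "loopback"
    if src_ip == ipaddress.IPv4Address("255.255.255.255"):
        return "limited broadcast"
    for name, ifc in interfaces.items():
        if src_ip == ifc.network.broadcast_address:
            return f"subnet-directed broadcast ({name})"
    classful = classful_network(src_ip)
    if classful is not None and src_ip == classful.broadcast_address:
        return "net-directed broadcast"
    if src_ip == dst_ip:
        return "source equals destination host"
    if enforcesubnet:
        # sysopt connection enforcesubnet: source inside the destination's subnet.
        for name, ifc in interfaces.items():
            if src_ip in ifc.network and dst_ip in ifc.network:
                return f"enforcesubnet: source in destination subnet ({name})"
    return None


def analyze(lines, interfaces, enforcesubnet=False):
    """Parse 106016 lines and attach the rule that explains each one."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a 106016 message
        src, dst, ifc = m.group("src", "dst", "ifc")
        results.append({
            "src": src, "dst": dst, "ifc": ifc,
            "reason": invalid_source_reason(src, dst, interfaces, enforcesubnet),
        })
    return results


# Constructed log lines in the 106016 format (the first mirrors the thread's case).
SAMPLE_LOG = [
    "Aug 31 09:28:02 pix %PIX-2-106016: Deny IP spoof from (203.0.113.20) to 203.0.113.10 on interface outside",
    "Aug 31 09:28:03 pix %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside",
    "Aug 31 09:28:04 pix %PIX-2-106016: Deny IP spoof from (203.0.113.255) to 203.0.113.10 on interface outside",
    "Aug 31 09:28:05 pix %PIX-2-106016: Deny IP spoof from (203.0.113.10) to 203.0.113.10 on interface outside",
    "Aug 31 09:28:06 pix %PIX-6-302013: Built inbound TCP connection (unrelated line, skipped)",
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG, INTERFACES):
        print(f"{r['src']} -> {r['dst']} ({r['ifc']}): "
              f"{r['reason'] or 'no documented rule matches'}")
```

Running it prints one line per 106016 message; for the first sample the result is "no documented rule matches", and it only becomes an enforcesubnet hit when `analyze(..., enforcesubnet=True)` is used, which is the distinction the reply's last paragraph draws.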