Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX syslog 106016 - Deny IP spoof

Has anyone come across this message and how did you remedy? We got it for the first time this morning and it is always source to a random IP on our public space.. Thx for any help...


Re: PIX syslog 106016 - Deny IP spoof


this message is logged when the PIX Firewall discards a packet with an invalid source address. Invalid sources addresses are those addresses belonging to the following:

Loopback network (

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

Try putting a sniffer in front of the pix and look for packets coming from If you see that kind of packets, try to determine the MAC address of the packets. Using the MAC address you can determine the pc that is sending the packets.



New Member

Re: PIX syslog 106016 - Deny IP spoof

I am getting the same messages from my PIX since the weekend.

I have captured packets and find the MAC address points to our boarder router.

Looking at the packet, will the MAC address match the last layer three device it crosses?


Re: PIX syslog 106016 - Deny IP spoof

Yes, this is correct, the MAC-address you will see when using a sniffer is the MAC-address of the last layer-3 device the IP-packet passes. Since this is your border router, it seems that your border router is passing traffic that uses the loopback address as source address

The one sending the packet obviously resides behing your router (from PIX point of view), so, you would have to snif in front of your router to see the MAC-address of the device sending the packets.

Bytheway, this kind of suspicious traffic usely is an indication that clients are infected with some kind of worm and trying to explore the network. So, checking for the known worms on the client would be your next step when you discovered the one sending it.

Hope this helps,


CreatePlease to create content