Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Tow ASA-5520 problem

Hi all team :

I have two ASA connected together one with IPS module and the another with AntiX module, the inside interface of the first one is connected to the outside of second one

The first one have default route to the ISP “internet” and the second have default route to the first one , I don't do static in the first one coz all IP are public and I run ver 7.2 on both ASA so all my ASA will work like a router , well my problem is the second ASA can not get access to the internet , when I open the logging in the first ASA I can see that the first ASA deny the second ASA by saying :

“%ASA-2-106017: Deny IP due to Land Attack from xx.xx.xx.66 to xx.xx.xx.66”

When I remove the second one and but my lap top with the same IP address I can connect to the internet but when I but the second ASA I can not, so I know there is a special configuration when you connect two ASA to work together.

So can any one help please?

New Member

Re: Tow ASA-5520 problem

Any one can help please ?

Re: Tow ASA-5520 problem

Hi ...

Can you post your configs

New Member

Re: Tow ASA-5520 problem

Hi Fernado :

Here is my config , so hope you help friend.

New Member

Re: Tow ASA-5520 problem


I tried to go trough the configurations but without IP addresses is difficult.

The syslog message 2-106017 means that The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems, please confirm that you don't have same IP addresses on the Firewalls and also include a permit icmp any any on line 1 of the access-list OUTSIDE_IN in the first ASA and then try to ping first the outside interface of the Secondary PIX, if that works, then try to ping and turn on debug icmp trace on both firewalls and look at the output.

New Member

Re: Tow ASA-5520 problem

Hi Freind:

first of all thank you for your car and help

then I know what the message 2-106017 mean but i want to inform you that the IP i get in this message was the IP of secoand ASA-AntiX

so i know there is no spoof attack it just false positive alarm. But about the real IP address I can not give it ,you know friend there is so many People reading the site so I can not post my rewal IP even if I was secure my network very well. what ever thanx for your help friend.

New Member

Re: Tow ASA-5520 problem

Hi Emad,

I recommend using "packet-tracer" to trace a packet going through the ASA-AntiX, This will help by tracing what happens to the packet when it goes though the ASA.

I agree that without IP addresses this is hard to troubleshoot. Using "packet-tracer" may help you see the problem from your end. Details on this command may be found using command lookup tool.*%22&Paging=25&ActionType=getCommandList&Bookmark=True

The example given in the command reference is hostname# packet-tracer input inside tcp www aol detailed

You will need to use something similar but replace IPs and specify the type of traffic you are experiencing problems with.

Let me know how you get on.