
ASA 5510 - Deny IP spoof from (my public IP) to my public ip on interface backup

I was asked to look into an alert we got:

<162>Feb 08 2016 17:08:49: %ASA-2-106016: Deny IP spoof from (*PUBLIC IP*) to *PUBLIC IP* on interface backup

My belief is that this is the ASA doing its job and no further action required, but I have no idea how to research this, etc.

Can somebody please advise?

Thanks,

Overkill

5 REPLIES
Bronze

Maybe there is some host configured with the same IP address as the ASA. Try 'capture' on the ASA to see if it is really so, or configure SPAN/mirror if possible on the switch in your network.

New Member

Hi Overkill,

I believe (not 100% sure though) this message could also appear if you try to send, or packets are sent to, an IP address which is hosted by the ASA itself and those packets are not received on the right (appropriate) interface.

Having said it the other way around: you should not be able to access an interface of the firewall from another interface on the firewall. We all know you can ping all the interfaces on routers, but this does not apply to the ASA.

The ASA thinks of, or interprets, the packets as spoofed because they are not received on the interface (in your case the interface named backup) which has this IP address configured.

Hello Overkill,

When you get this syslog message, the ASA follows this behavior with this explanation:

* Explanation: A packet arrived at the ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the ASA interface. In addition, this message is generated when the ASA discarded a packet with an invalid source address, which may include one of the following or some other invalid address:

  • Loopback network (127.0.0.0)
  • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
  • The destination host (land.c)

* To further enhance spoof packet detection, use the icmp command to configure the ASA to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.

* Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

Please rate this post and mark it as correct if it helped you! Keep me posted if you have any questions,

Regards,

David Castro,

New Member

Hello Overkill,

The ASA is basically dropping packets for invalid addresses such as 127.0.0.0, 0.0.0.0, broadcast IP addresses, etc., which the firewall blocks by default; it is expected behavior.

However, if you want to check who might be sending these packets, you can place captures on the backup interface matching the IP address that is shown in the log, trace the captures and check the source MAC address of the packets to see whether this is being triggered by something directly connected in your backup network.

Hope this helps!
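The two replies above list the conditions under which the ASA raises 106016 and suggest a capture on the backup interface to find the sender. The following Python is an added example, not from this thread and not Cisco code: it parses 106016 lines in the format the original poster quoted and checks the source and destination against the documented causes (loopback, 0.0.0.0, broadcast, land-style source equals destination, and a source that is one of the ASA's own interface addresses or belongs to a subnet behind a different interface). The interface table and the sample log lines are constructed for the example; the real addresses in the thread are redacted.

```python
"""Triage helper for ASA syslog %ASA-2-106016 ("Deny IP spoof") messages.

Added example. Maps the addresses in each message onto the causes the
replies list, so an analyst can separate drops the ASA makes by design
(loopback, broadcast, its own addresses) from a foreign source worth chasing.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# The "<162>" syslog PRI prefix (local4.critical) is optional; timestamp is the ASA default.
MSG_106016 = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-2-106016: Deny IP spoof from \((?P<src>[^)]+)\) to (?P<dst>\S+) "
    r"on interface (?P<iface>\S+)$"
)

# Hypothetical ASA addressing (constructed), standing in for the redacted public IPs.
ASA_INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "outside": ipaddress.ip_interface("203.0.113.10/29"),
    "backup": ipaddress.ip_interface("198.51.100.10/29"),
    "inside": ipaddress.ip_interface("10.10.0.1/24"),
}


def parse_106016(line: str) -> Optional[dict]:
    """Return {ts, src, dst, iface} for a 106016 line, or None for any other line."""
    m = MSG_106016.match(line.strip())
    return m.groupdict() if m else None


def classify(event: dict, interfaces: Dict[str, ipaddress.IPv4Interface]) -> List[str]:
    """List every documented reason that explains why the ASA called this a spoof.

    An empty list means none of the local explanations fit: the source is
    genuinely foreign to the firewall and deserves a look.
    """
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    iface = event["iface"]
    reasons: List[str] = []

    if src.is_loopback:
        reasons.append("source is loopback (127.0.0.0/8)")
    if src.is_unspecified or dst.is_unspecified:
        reasons.append("source or destination is 0.0.0.0")
    if src == dst:
        reasons.append("source equals destination (land-style packet)")
    if src == ipaddress.ip_address("255.255.255.255") or any(
        src == i.network.broadcast_address for i in interfaces.values()
    ):
        reasons.append("source is a broadcast address")

    for name, i in interfaces.items():
        if src == i.ip:
            if name == iface:
                reasons.append(
                    f"source is {iface}'s own address: duplicate IP or reflected packet "
                    f"on that segment; capture it and check the source MAC"
                )
            else:
                reasons.append(f"source is the ASA's {name} address but arrived on {iface}")
        elif src in i.network and name != iface:
            reasons.append(
                f"source belongs to the {name} subnet {i.network} but arrived on "
                f"{iface}: misrouted, asymmetric or spoofed"
            )
    return reasons


def triage(lines, interfaces=ASA_INTERFACES) -> List[dict]:
    """Parse and classify every 106016 line; unrelated syslog lines are skipped."""
    out = []
    for line in lines:
        ev = parse_106016(line)
        if ev is None:
            continue
        ev["reasons"] = classify(ev, interfaces)
        ev["verdict"] = "local/expected drop" if ev["reasons"] else "investigate: external spoof?"
        out.append(ev)
    return out


# Constructed sample log lines modelled on the one in the question.
SAMPLE_LOG = [
    "<162>Feb 08 2016 17:08:49: %ASA-2-106016: Deny IP spoof from (198.51.100.10) to 198.51.100.10 on interface backup",
    "<162>Feb 08 2016 17:08:50: %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 198.51.100.10 on interface backup",
    "<162>Feb 08 2016 17:08:51: %ASA-2-106016: Deny IP spoof from (10.10.0.55) to 198.51.100.10 on interface backup",
    "<162>Feb 08 2016 17:08:52: %ASA-2-106016: Deny IP spoof from (192.0.2.77) to 198.51.100.10 on interface backup",
    "<162>Feb 08 2016 17:08:53: %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.5/40000 (192.0.2.5/40000) to inside:10.10.0.20/443 (10.10.0.20/443)",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']} on {ev['iface']}: {ev['verdict']}")
        for r in ev["reasons"]:
            print(f"    - {r}")
```

The first sample line is the original poster's case: source and destination are both the backup interface's own address, so the script flags it as both a land-style packet and a duplicate of the ASA's own IP, and the only thing left to learn is the source MAC. On the ASA that is the capture the reply above describes, in the standard form `capture spoof interface backup match ip host <addr> any`, read back with `show capture spoof detail` so the Layer 2 addresses are printed; a source MAC belonging to a host on the backup segment points at a duplicate IP, one belonging to the upstream router points at traffic being reflected back.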

New Member

Thanks for the replies all,

We ended up disabling this alert, as they appear to be trash packets coming from inside the network.

Appreciate all the replies!
