topic Assistance Required – Firewall Land Attack Logs in Network Security

Assistance Required – Firewall Land Attack Logs

ShareefKooliyodan0444 — Sun, 01 Mar 2026 07:23:14 GMT

Dears,

I am requesting your kind help regarding a log reported by third pary .

I received a log from my third‑party security team indicating that my firewall is experiencing a Land Attack. The log shows that the source and destination IP addresses are the same, specifically tied to the firewall’s outside interface (public internet IP).
The log entry is as follows:

the log is <162>2026-01-20T04:20:12Z FTD-FW : %FTD-2-106017: Deny IP due to Land Attack from x.x.x.x to x.x.x.x .

However, I am unable to find this event in the firewall’s own logs or monitoring dashboards.
To investigate, I reviewed all relevant configurations, including routing, NAT rules, security policies, and VPN settings, but I did not identify any misconfigurations or suspicious activity.

Thakn you guys

Re: Assistance Required – Firewall Land Attack Logs

Marvin Rhoads — Sun, 01 Mar 2026 08:11:36 GMT

There are at least two common causes of this issue that have nothing to do with security and are an issue with how the firewall interprets certain flows incorrectly. It can be caused by a NAT hairpin rule (same source and destination interface) as well as traffic going into and coming out of the same interface (often due to routing issues).

There was also an old ASA bug related to this but it was long since resolved. (FTD runs LINA or ASA code as part of the underlying packet processing.) https://quickview.cloudapps.cisco.com/quickview/bug/CSCtr93086

Re: Assistance Required – Firewall Land Attack Logs

Mark Elsen — Sun, 01 Mar 2026 08:34:16 GMT

- @ShareefKooliyodan0444 This makes it also more difficult to troubleshoot :
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj44531