topic ASA logging to Remote Syslog Server failed, ip spoofing in Network Security

ASA logging to Remote Syslog Server failed, ip spoofing

srdjankatic — Tue, 12 Mar 2019 06:49:21 GMT

Hi,

i have wierd problem, i have configured ASA A/S pair (8.6) to send syslogs to remote SIEM syslog server but traffic is blocked by asa itself with message 106016, IP spoofing detected from ...

Logging is configured to send syslogs from Inside interface to host (10.14.1.69) that is also on network where Inside interface is connected.

I have checked arp tables on switch hosting Inside network, on asa also and MAC to IP entries are fine.

EE-ASA01# sho run logg - this is active ASA
logging enable
logging timestamp
logging buffer-size 131072
logging asdm-buffer-size 512
logging buffered debugging
logging asdm informational
logging host Inside 10.14.1.69

I have entered ip reverse lookup... command on Inside to disable spoofing but still same.

Also tried to initiate syslog sending from management interface but spoofing message persist even with another int as a source.

Same happens on different ASA A/S pair that is version 9.1.

Same "Inside" network

I have found few topics with same issues but none with answers

Do you have any idea how to solve this? All other networking appliances are doing fine, just ASA...

Thanks,

Srdjan

Was not clear enough. traffic

srdjankatic — Mon, 02 Nov 2015 21:47:46 GMT

Was not clear enough. traffic is blocked by asa itself with message 106016, IP spoofing detected from ... when i do packet trace. SIEM does not recieve anything but asa is not logging ip spoofing unless i do packet trace

Hi,

Rishabh Seth — Tue, 03 Nov 2015 01:57:33 GMT

Hi,

As per the problem description I understand that you are getting the ip spoofing syslog whenever you run packet-tracer to test the syslog traffic. I am assuming that your packet tracer looks like:

packet-tracer input inside udp <ASA-IP> <port> <syslog-server-ip> <port>

>> Running the above mentioned packet-tracer will generate a deny ip spoofing syslog message.

>> This happens because above mentioned packet-tracer when interpreted by ASA suggests that the source IP used in the packet tracer resides somewhere in the network behind inside interface.

But the ASA is also aware that the source IP used in the packet-tracer is also present on its inside interface. This condition will trigger the IP spoofing syslog and traffic will be dropped.

>> I want to understand if you are seeing the syslog deny message only while trying the packet-tracer or do you see it when the actual traffic is generated from the box.

Also feel free to correct my understanding of the issue.

Hope it helps.

R.Seth

Hi,

srdjankatic — Tue, 03 Nov 2015 11:12:10 GMT

Hi,

it is correct, only packet tracer generates spoofing.

Do you notice anything unusual in my syslog cfg, looks fine to me?

I dont have access to SIEM so i cant check syslog listener.

I will check packet capture, maybe it will show does some syslog traffic is going out of Inside int.

Hi,

Rishabh Seth — Tue, 03 Nov 2015 11:46:32 GMT

Hi,

Packet tracer is used to evalute configuration for pass through traffic. The ACL and NAT is not applied on the traffic which is initiated from the ASA.

There is no issue with your configuration, the ip spoof syslog is generated because you are using ASA IP as the source IP.

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!