topic ASA-2-106016 on same interface, but two subnets in Network Security

ASA-2-106016 on same interface, but two subnets

druideinformatique — Tue, 12 Mar 2019 03:47:45 GMT

Hi,

I get a strange problem here. We got another subnet from our ISP because we needed another block of IPs. Everything works fine, except one thing:

Deny IP spoof from (XXX.XXX.XXX.XXX) to XXX.XXX.XXX.XXX on interface outside

The source IP is our main IP from our primary subnet and the destination is one of the IP in the new subnet. Do I need to add a special rule to allow this trafic??

Cisco ASA 5510

ASA Version 9.1(1)

ASA-2-106016 on same interface, but two subnets

Richard Burts — Wed, 19 Feb 2014 21:19:08 GMT

Could you tell us how you are using the second subnet that the ISP provided? And it might help if you would post from the config at least the parts that deal with both of the subnets? It is difficult to know if you need to add something until we know what you already have.

HTH

Rick

ASA-2-106016 on same interface, but two subnets

INGENIERIA Y CONSULTORIAS WEBREDES LTDA — Wed, 19 Feb 2014 21:47:29 GMT

that's almost normal behavior on ASA if you don't enable the Proxy ARP on that interface and enabled anti-spoofing.

try with this.

ip verify reverse-path interface [interface_name (inside/outside/dmz)]

and this one

 arp permit-nonconnected

and this other one.

 no sysopt noproxyarp [interface_name (inside/outside/dmz)]

let us know if fix your problem !!!

had a great day!

ASA-2-106016 on same interface, but two subnets

druideinformatique — Thu, 20 Feb 2014 14:25:59 GMT

Hi Richard,

XXX.XXX.XXX is the primary subnet, YYY.YYY.YYY is the secondary.

Interface Ethernet0/1 "outside", is up, line protocol is up

Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is off

IP address XXX.XXX.XXX.42, subnet mask 255.255.255.248

interface Ethernet0/1

nameif outside

security-level 0

ip address XXX.XXX.XXX.42 255.255.255.248

related config:

object network bloc-externe-supp

subnet YYY.YYY.YYY.32 255.255.255.248

object network YYY.YYY.YYY.34

host YYY.YYY.YYY.34

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.41 1

route outside YYY.YYY.YYY.32 255.255.255.248 YYY.YYY.YYY.33 1

ASA-2-106016 on same interface, but two subnets

druideinformatique — Thu, 20 Feb 2014 14:28:19 GMT

Hi,

I do have "arp permit-nonconnected", but not the other two. I will try it early next week.

Re: ASA-2-106016 on same interface, but two subnets

RANT — Thu, 09 Jan 2020 14:39:18 GMT

I hate to resurrect an old thread, but a very similar issue led me to this thread, and I tried the fix suggested above and ended up keeping the flood of logs, but now it's a different log entry:

%ASA-1-106021: Deny UDP reverse path check from <IP bound inside interface> to <IP of server behind inside interface> on interface inside

Any ideas?

Re: ASA-2-106016 on same interface, but two subnets

John Calvin — Sat, 27 Feb 2021 13:09:48 GMT

From a reliable source:

"These messages [ASA-2-106016] indicate, as the documentation mentions, that the FW is receiving packets on the mentioned interfaces with dest IP of 0.0.0.0 and dest MAC that matches our FW interface. It seems that these messages are possible when we have a HA pair in which the standby ASA interfaces are left without IP and unaddressed. The standby appliance performs a FQDN lookup on its ACEs, and due to the fact that there is no IP to use those requests are sent with 0.0.0.0."

"We should be able to resolve this by adding a standby IP to interfaces in standby context."

interface Ethernet 0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2