topic Deny UDP reverse path check in Network Security

topic Deny UDP reverse path check in Network Security https://community.cisco.com/t5/network-security/deny-udp-reverse-path-check/m-p/1810151#M456565 <HTML><HEAD></HEAD><BODY><P>Michael, </P><P></P><P>All syslogs ASA 8.3 are referenced here:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html">http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html</A></P><P>You can easily google for different version of this document.</P><P></P><P>As far as checking what that IP is. Best start by checking whois <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>In this case it's verisign ... not sure why anyone would send UDP to it ... you might need to sniff traffic.</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>whois 198.41.0.4</P><P>#</P><P># Query terms are ambiguous.  The query is assumed to be:</P><P>#     "n 198.41.0.4"</P><P>#</P><P># Use "?" to get help.</P><P>#</P><P></P><P>#</P><P># The following results may also be obtained via:</P><P><SPAN># </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/nets;q=198.41.0.4?showDetails=true&showARIN=false&ext=netref2">http://whois.arin.net/rest/nets;q=198.41.0.4?showDetails=true&showARIN=false&ext=netref2</A></P><P>#</P><P></P><P>NetRange:       198.41.0.0 - 198.41.3.255</P><P>CIDR:           198.41.0.0/22</P><P>OriginAS:</P><P>NetName:        INTERNIC1</P><P>NetHandle:      NET-198-41-0-0-1</P><P>Parent:         NET-198-0-0-0-0</P><P>NetType:        Direct Assignment</P><P>RegDate:        1993-01-04</P><P>Updated:        2005-01-13</P><P><SPAN>Ref:            </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/net/NET-198-41-0-0-1">http://whois.arin.net/rest/net/NET-198-41-0-0-1</A></P><P></P><P>OrgName:        VeriSign Infrastructure & Operations</P><P>OrgId:          VIO-2</P><P>Address:        12061 Bluemont Way</P><P>City:           Reston</P><P>StateProv:      VA</P><P>PostalCode:     20190</P><P>Country:        US</P><P>RegDate:        2002-07-11</P><P>Updated:        2012-01-03</P><P><SPAN>Ref:            </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/org/VIO-2">http://whois.arin.net/rest/org/VIO-2</A></P><P></P><P>OrgAbuseHandle: NETWO480-ARIN</P><P>OrgAbuseName:   Network Admin</P><P>OrgAbusePhone:  +1-703-948-4300</P><P><SPAN>OrgAbuseEmail:  </SPAN><A class="jive-link-email-small" href="mailto:netadmin@verisign.com">netadmin@verisign.com</A></P><P><SPAN>OrgAbuseRef:    </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/poc/NETWO480-ARIN">http://whois.arin.net/rest/poc/NETWO480-ARIN</A></P><P></P><P>OrgTechHandle: NETWO480-ARIN</P><P>OrgTechName:   Network Admin</P><P>OrgTechPhone:  +1-703-948-4300</P><P><SPAN>OrgTechEmail:  </SPAN><A class="jive-link-email-small" href="mailto:netadmin@verisign.com">netadmin@verisign.com</A></P><P><SPAN>OrgTechRef:    </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/poc/NETWO480-ARIN">http://whois.arin.net/rest/poc/NETWO480-ARIN</A></P><P></P><P>#</P><P># ARIN WHOIS data and services are subject to the Terms of Use</P><P><SPAN># available at: </SPAN><A class="jive-link-external-small" href="https://www.arin.net/whois_tou.html">https://www.arin.net/whois_tou.html</A></P><P>#</P></PRE></BODY></HTML> Wed, 18 Jan 2012 14:52:20 GMT Marcin Latosiewicz 2012-01-18T14:52:20Z Deny UDP reverse path check https://community.cisco.com/t5/network-security/deny-udp-reverse-path-check/m-p/1810150#M456564 <P>We have a ASA up for a few years now and I am finally trying to understand some of the syslog info.  I configured it yesterday to email any Alerts and Emergency messages.  In the past 21 hrs I have received 511 (I'm glad I had conversation view enabled in Outlook).  I have many questions but I will start with why, throughout the night, I receive (over 100) something like this:</P><P><185>Jan 18 2012 07:23:32: %ASA-1-106021: Deny UDP reverse path check from 169.254.146.189 to 198.41.0.4 on interface inside</P><P>Looks like a Windows client with a self assigned IP. We have an open wireless "guest" network for students to use for the smart phones, etc..., which is always out of IP addresses.    What is it trying to do? What is 198.41.0.4 (always different)?  If these are harmless, can I stop it from reporting them?</P> Mon, 11 Mar 2019 22:15:58 GMT https://community.cisco.com/t5/network-security/deny-udp-reverse-path-check/m-p/1810150#M456564 mbasso1676 2019-03-11T22:15:58Z Deny UDP reverse path check https://community.cisco.com/t5/network-security/deny-udp-reverse-path-check/m-p/1810151#M456565 <HTML><HEAD></HEAD><BODY><P>Michael, </P><P></P><P>All syslogs ASA 8.3 are referenced here:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html">http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html</A></P><P>You can easily google for different version of this document.</P><P></P><P>As far as checking what that IP is. Best start by checking whois <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>In this case it's verisign ... not sure why anyone would send UDP to it ... you might need to sniff traffic.</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>whois 198.41.0.4</P><P>#</P><P># Query terms are ambiguous.  The query is assumed to be:</P><P>#     "n 198.41.0.4"</P><P>#</P><P># Use "?" to get help.</P><P>#</P><P></P><P>#</P><P># The following results may also be obtained via:</P><P><SPAN># </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/nets;q=198.41.0.4?showDetails=true&showARIN=false&ext=netref2">http://whois.arin.net/rest/nets;q=198.41.0.4?showDetails=true&showARIN=false&ext=netref2</A></P><P>#</P><P></P><P>NetRange:       198.41.0.0 - 198.41.3.255</P><P>CIDR:           198.41.0.0/22</P><P>OriginAS:</P><P>NetName:        INTERNIC1</P><P>NetHandle:      NET-198-41-0-0-1</P><P>Parent:         NET-198-0-0-0-0</P><P>NetType:        Direct Assignment</P><P>RegDate:        1993-01-04</P><P>Updated:        2005-01-13</P><P><SPAN>Ref:            </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/net/NET-198-41-0-0-1">http://whois.arin.net/rest/net/NET-198-41-0-0-1</A></P><P></P><P>OrgName:        VeriSign Infrastructure & Operations</P><P>OrgId:          VIO-2</P><P>Address:        12061 Bluemont Way</P><P>City:           Reston</P><P>StateProv:      VA</P><P>PostalCode:     20190</P><P>Country:        US</P><P>RegDate:        2002-07-11</P><P>Updated:        2012-01-03</P><P><SPAN>Ref:            </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/org/VIO-2">http://whois.arin.net/rest/org/VIO-2</A></P><P></P><P>OrgAbuseHandle: NETWO480-ARIN</P><P>OrgAbuseName:   Network Admin</P><P>OrgAbusePhone:  +1-703-948-4300</P><P><SPAN>OrgAbuseEmail:  </SPAN><A class="jive-link-email-small" href="mailto:netadmin@verisign.com">netadmin@verisign.com</A></P><P><SPAN>OrgAbuseRef:    </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/poc/NETWO480-ARIN">http://whois.arin.net/rest/poc/NETWO480-ARIN</A></P><P></P><P>OrgTechHandle: NETWO480-ARIN</P><P>OrgTechName:   Network Admin</P><P>OrgTechPhone:  +1-703-948-4300</P><P><SPAN>OrgTechEmail:  </SPAN><A class="jive-link-email-small" href="mailto:netadmin@verisign.com">netadmin@verisign.com</A></P><P><SPAN>OrgTechRef:    </SPAN><A class="jive-link-external-small" href="http://whois.arin.net/rest/poc/NETWO480-ARIN">http://whois.arin.net/rest/poc/NETWO480-ARIN</A></P><P></P><P>#</P><P># ARIN WHOIS data and services are subject to the Terms of Use</P><P><SPAN># available at: </SPAN><A class="jive-link-external-small" href="https://www.arin.net/whois_tou.html">https://www.arin.net/whois_tou.html</A></P><P>#</P></PRE></BODY></HTML> Wed, 18 Jan 2012 14:52:20 GMT https://community.cisco.com/t5/network-security/deny-udp-reverse-path-check/m-p/1810151#M456565 Marcin Latosiewicz 2012-01-18T14:52:20Z