3052 Views · 0 Helpful · 2 Replies

Annoying spoof log messages because facing a Checkpoint

sokarlsson
Level 1

One of our customers has an ASA facing a Checkpoint HA cluster. It looks like the Checkpoint cluster is using IP messages sourced from 0.0.0.0 to the network address on UDP port 8116 to keep track of each other's interfaces. This traffic is interpreted by the ASA as a spoof attack.

Since this traffic is sent at a packet rate of about one every 0.1 sec, the logs in the ASA are filled up with spoof alarms (message 106016).

I do not want to filter out all spoof alarms, but I would like to get rid of the alarms triggered by this traffic. Is there any way to tweak the spoof detection so it is not triggered by this specific traffic, or to filter away syslog messages based on the message text?

2 Replies

rueckertd
Level 1

Hi,

I have the same problem. My workaround is "no logging message 106016" to disable the logging for this event.


Daniel

mohanak
Cisco Employee

This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which may include one of the following or some other invalid address:

Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

To further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network, because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

It could be a virus attack, or it could be that someone is trying to compromise the network by sending traffic using a spoofed IP address. The best way would be to take a sniffer capture so that you could see the MAC address of the faulty machine/source.

Also, if you want to disable this log message, you can do that as well, as follows:

no logging message 106016

www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html
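Disabling 106016 outright, as both replies suggest, also hides the genuinely suspicious spoof events the recommended action asks you to look for. A middle ground is to keep the message enabled on the ASA and let the syslog collector separate the known cluster probe (source 0.0.0.0 to the subnet's network address) from everything else. The following is an added example written for this thread, not code from the original post or from Cisco: the sample syslog lines are constructed, the 10.1.1.0/24 subnet-per-interface map is an assumption standing in for the real ASA configuration, and the parser keys on source and destination only, because the 106016 message text does not carry the UDP port.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). The 106016 text follows
# the documented ASA format "Deny IP spoof from (src) to dst on interface name".
SAMPLE_LOG = """\
Mar 10 10:00:00.100 asa1 %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 10.1.1.0 on interface outside
Mar 10 10:00:00.200 asa1 %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 10.1.1.0 on interface outside
Mar 10 10:00:00.300 asa1 %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 10.1.1.0 on interface outside
Mar 10 10:00:00.400 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/44321 (198.51.100.7/44321) to inside:10.1.1.20/443 (10.1.1.20/443)
Mar 10 10:00:00.500 asa1 %ASA-2-106016: Deny IP spoof from (10.1.1.55) to 10.1.1.20 on interface outside
Mar 10 10:00:00.600 asa1 %ASA-2-106016: Deny IP spoof from (127.0.0.1) to 10.1.1.20 on interface outside
"""

# Regex for the documented 106016 text. Severity and interface are captured so
# the parser keeps working if the message level is changed on the ASA.
SPOOF_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
    r"to (?P<dst>[\d.]+) on interface (?P<ifname>\S+)"
)

# Assumed (hypothetical) subnet per ASA interface. The Checkpoint probes are
# addressed to the *network* address of the subnet the cluster sits on, so that
# destination, paired with a 0.0.0.0 source, is the only pattern treated as expected.
EXPECTED_SUBNETS = {"outside": ipaddress.ip_network("10.1.1.0/24")}


def parse_106016(line):
    """Return the fields of a 106016 message, or None for any other line."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    return {
        "severity": int(m.group("sev")),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "ifname": m.group("ifname"),
    }


def classify(event, expected_subnets=EXPECTED_SUBNETS):
    """Label one 106016 event as the known cluster probe or as worth a look."""
    net = expected_subnets.get(event["ifname"])
    unspecified_src = event["src"] == ipaddress.ip_address("0.0.0.0")
    if net is not None and unspecified_src and event["dst"] == net.network_address:
        return "expected-cluster-probe"
    return "investigate"


def triage(log_text, expected_subnets=EXPECTED_SUBNETS):
    """Count 106016 events per class and collect the ones to investigate."""
    counts = Counter()
    to_investigate = []
    for line in log_text.splitlines():
        event = parse_106016(line)
        if event is None:
            continue  # not a 106016 message; leave other IDs untouched
        label = classify(event, expected_subnets)
        counts[label] += 1
        if label == "investigate":
            to_investigate.append(event)
    return counts, to_investigate


if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE_LOG)
    print(dict(counts))
    for ev in suspicious:
        print(f"check source {ev['src']} -> {ev['dst']} on {ev['ifname']}")
```

Run against a real export, the script reports how much of the 106016 volume is the cluster probe and leaves the remaining events (the loopback and internal-address sources in the sample) for a sniffer capture as the reply above recommends. If the ASA's own log buffer is the concern rather than the collector, the ASA also accepts `logging message 106016 level <level>` to move the event to a lower severity instead of silencing it.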
