
Deny IP teardrop fragment logs in CISCO ASA

Hi Dudes,

I am getting the below logs in my firewall. Can anyone explain to me why I am getting this and how to stop it?

logs : %ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from 12.64.100.1 to 143.66.122.44

Message id : 106020

Actually we have a static NAT in the firewall for this IP (143.66.122.44).

143.66.122.44: public IP for my FTP server.

Clients will access my FTP server through the public 143.66.122.44.

Thanks,

limat

4 Replies
Cisco Employee

Re: Deny IP teardrop fragment logs in CISCO ASA

Hi,

You can find details about this log below:

http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&locale=en&index=all&query=ASA-2-106020&counter=0&paging=5&links=reference&sa=Submit

Please apply captures on the ASA outside interface and we can see which packets are causing these logs.

https://supportforums.cisco.com/docs/DOC-1222

Thanks and Regards,

Prapanch

Cisco Employee

Re: Deny IP teardrop fragment logs in CISCO ASA

Hello,

Teardrop packets are packets that have overlapping fragment offsets and are typically used in a denial of service attack. Do you recognize the client IP address of 12.64.100.1? If it appears to be a legitimate client, you may need to investigate the FTP client or upstream network devices to find out why the fragments are overlapping. Otherwise, you can block all traffic from this IP either in your inbound access-list or using the 'shun 12.64.100.1' command. You can also contact your ISP about blocking this traffic upstream.

Hope that helps.

-Mike
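
An added example, not part of the replies above and not the ASA's own logic: a generic check that groups captured IPv4 fragments per datagram and reports overlapping byte ranges, which is the condition the reply above describes. It assumes each input is a raw IPv4 packet starting at the IP header (link-layer header already stripped); the helper `_hdr`, the sample headers and the documentation addresses are constructed.

```python
import struct
from collections import defaultdict

def parse_fragment(pkt: bytes):
    """Return (datagram_key, start, end, more_fragments) for one IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    start = (flags_off & 0x1FFF) * 8      # fragment offset field counts 8-byte units
    end = start + (total_len - ihl)       # first byte after this fragment's data
    more = bool(flags_off & 0x2000)       # MF (more fragments) flag
    return (src, dst, proto, ident), start, end, more

def find_overlaps(packets):
    """Report (ip_id, overlap_start, overlap_end) for fragments whose data overlaps."""
    datagrams = defaultdict(list)
    for pkt in packets:
        key, start, end, more = parse_fragment(pkt)
        if more or start:                 # skip packets that are not fragments
            datagrams[key].append((start, end))
    findings = []
    for key, ranges in datagrams.items():
        ranges.sort()
        covered = ranges[0][1]            # highest byte offset seen so far
        for start, end in ranges[1:]:
            if start < covered:           # this fragment begins inside earlier data
                findings.append((key[3], start, min(end, covered)))
            covered = max(covered, end)
    return findings

def _hdr(ident, offset_bytes, data_len, more):
    """Constructed sample: IPv4 header only, checksum 0, RFC 5737 addresses."""
    flags_off = (0x2000 if more else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, ident, flags_off,
                       64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))

SAMPLE = [  # constructed headers, not taken from the thread
    _hdr(0x1001, 0, 1480, True), _hdr(0x1001, 1480, 520, False),  # contiguous
    _hdr(0x2002, 0, 1480, True), _hdr(0x2002, 1472, 528, False),  # 8-byte overlap
]

if __name__ == "__main__":
    for ip_id, lo, hi in find_overlaps(SAMPLE):
        print(f"IP ID {ip_id:#06x}: bytes {lo}-{hi} covered by more than one fragment")
```

An exact duplicate of a fragment is also reported, so check the capture for retransmitted fragments before treating a finding as malformed traffic.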

Cisco Employee

Re: Deny IP teardrop fragment logs in CISCO ASA

Hi Limat,

How is it going? If this has been resolved and you have no more questions, please mark this as answered.

Thanks and Regards,

Prapanch

Re: Deny IP teardrop fragment logs in CISCO ASA

Hi everyone,

I had the same problem this week:

Deny IP teardrop fragment (size = 1480, offset = 0) from 10.0.0.1 to 208.64.126.193

The IP 10.0.0.1 is my internal IP.

Is this normal?

Thanks,

Renato