cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
2164
Views
0
Helpful
2
Replies
Beginner

%ASA-2-106016: Deny IP spoof from (0.0.0.0) to <public ip> on interface <inside interface>

I want to know the reason behind below logs on my ASA 5585 ssp-60 (version 8.4.5)

 

Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface ByteMobile_Traffic
Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface ByteMobile_Traffic

 

I know this is failing due to unicast RPF failure but the traffic is coming from another inside interface towards ByteMobile_Traffic interface. I have taken a capture for 3 sample destination IPs in these logs and could see different behavior for all. Multiple IPs are communicating with them.

 

Below was the capture I had done :

 

capture spoof access-list spoof interface ByteMobile_Traffic circular-buffer


access-list spoof extended permit ip any host 74.125.68.188
access-list spoof extended permit ip any host 219.136.248.47
access-list spoof extended permit ip any host 223.4.132.77
access-list spoof extended permit ip host 223.4.132.77 any
access-list spoof extended permit ip host 219.136.248.47 any
access-list spoof extended permit ip host 74.125.68.188 any

 


GIFRCHN01/act# sh access-list spoof
access-list spoof; 6 elements; name hash: 0x71e7c030
access-list spoof line 1 extended permit ip any host 74.125.68.188 (hitcnt=34783) 0x07461f73 
access-list spoof line 2 extended permit ip any host 219.136.248.47 (hitcnt=2) 0x84155be7 
access-list spoof line 3 extended permit ip any host 223.4.132.77 (hitcnt=2391) 0x86d15b72 
access-list spoof line 4 extended permit ip host 223.4.132.77 any (hitcnt=0) 0x5cda909f 
access-list spoof line 5 extended permit ip host 219.136.248.47 any (hitcnt=0) 0x4e6d6b11 
access-list spoof line 6 extended permit ip host 74.125.68.188 any (hitcnt=41686) 0xbfc5d6bd 

**** I am not able to attach the pcap file here, which i had catured as above ********

But for the first IP 74.125.68.188 I could see huge hits and the communication was happening on port 5228 hpvroom with multiple other IPs from my internal private ranges.

just to inform, this traffic is from 3G and 4G network So it comes from my GGSN (ASR 5000) to my SGSN GW which then routes it torwards the

 

2 REPLIES 2
Highlighted
Enthusiast

Can I assume that you have

Can I assume that you have configured the interface (physical or port-channel) as a sub-interface?  You will have to prune the VLANs that are coming up to the ASA on the switch.  As well you will want to make the native VLAN something different than VLAN 1.  A couple of those spoof's appear to be to the broadcast address.

Beginner

Yes I have sub interfaces on

Yes I have sub interfaces on the port channels. Not sure if customer will allow to change the native vlan

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards