Yes I have sub interfaces on

ssheorai · ‎09-21-2014

I want to know the reason behind below logs on my ASA 5585 ssp-60 (version 8.4.5)

Sep 12 2014 06:50:53 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:01 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:05 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 219.136.248.47 on interface ByteMobile_Traffic
Sep 12 2014 06:51:06 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:51:17 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 184.173.147.57 on interface ByteMobile_Traffic
Sep 12 2014 06:52:48 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface ByteMobile_Traffic
Sep 12 2014 06:53:00 GIFRCHN01 : %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.1.255 on interface ByteMobile_Traffic

I know this is failing due to unicast RPF failure but the traffic is coming from another inside interface towards ByteMobile_Traffic interface. I have taken a capture for 3 sample destination IPs in these logs and could see different behavior for all. Multiple IPs are communicating with them.

Below was the capture I had done :

capture spoof access-list spoof interface ByteMobile_Traffic circular-buffer

access-list spoof extended permit ip any host 74.125.68.188
access-list spoof extended permit ip any host 219.136.248.47
access-list spoof extended permit ip any host 223.4.132.77
access-list spoof extended permit ip host 223.4.132.77 any
access-list spoof extended permit ip host 219.136.248.47 any
access-list spoof extended permit ip host 74.125.68.188 any

GIFRCHN01/act# sh access-list spoof
access-list spoof; 6 elements; name hash: 0x71e7c030
access-list spoof line 1 extended permit ip any host 74.125.68.188 (hitcnt=34783) 0x07461f73
access-list spoof line 2 extended permit ip any host 219.136.248.47 (hitcnt=2) 0x84155be7
access-list spoof line 3 extended permit ip any host 223.4.132.77 (hitcnt=2391) 0x86d15b72
access-list spoof line 4 extended permit ip host 223.4.132.77 any (hitcnt=0) 0x5cda909f
access-list spoof line 5 extended permit ip host 219.136.248.47 any (hitcnt=0) 0x4e6d6b11
access-list spoof line 6 extended permit ip host 74.125.68.188 any (hitcnt=41686) 0xbfc5d6bd

**** I am not able to attach the pcap file here, which i had catured as above ********

But for the first IP 74.125.68.188 I could see huge hits and the communication was happening on port 5228 hpvroom with multiple other IPs from my internal private ranges.

just to inform, this traffic is from 3G and 4G network So it comes from my GGSN (ASR 5000) to my SGSN GW which then routes it torwards the

kylerossd · ‎01-28-2015

Can I assume that you have configured the interface (physical or port-channel) as a sub-interface? You will have to prune the VLANs that are coming up to the ASA on the switch. As well you will want to make the native VLAN something different than VLAN 1. A couple of those spoof's appear to be to the broadcast address.

ssheorai · ‎05-25-2015

Yes I have sub interfaces on the port channels. Not sure if customer will allow to change the native vlan

%ASA-2-106016: Deny IP spoof from (0.0.0.0) to <public ip> on interface <inside interface>