ASA - Deny TCP reverse path. WHY ????
05-13-2016 03:02 AM - edited 03-12-2019 12:44 AM
Hi,
on my ASA5540 I have the following error:
1 May 13 2016 11:19:07 106021 10.168.101.100 232.239.122.219 Deny TCP reverse path check from 10.168.101.100 to 232.239.122.219 on interface Outside
The source 10.168.101.100 is directly connected, the destination has the following static route:
route Outside 232.239.122.192 255.255.255.224 10.168.201.1 1
ASA5540#show route
C 10.168.101.100 255.255.254.0 is directly connected, Inside
S 232.239.122.192 255.255.255.224 [1/0] via 10.168.201.1, Outside
I made a capture on the source and destination interface filtering the destination 232.239.122.219:
1: 11:19:06.784581 802.1Q vlan#18 P0 10.168.101.100.38529 > 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 <mss 1460,sackOK,timestamp 745899726 0,nop,wscale 7>
2: 11:19:07.783879 802.1Q vlan#18 P0 10.168.101.100.38529 > 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 <mss 1460,sackOK,timestamp 745900726 0,nop,wscale 7>
3: 11:19:09.784047 802.1Q vlan#18 P0 10.168.101.100.38529 > 232.239.122.219.21: S 3629871294:3629871294(0) win 14600 <mss 1460,sackOK,timestamp 745902726 0,nop,wscale 7>
What is wrong?
Labels: NGFW Firewalls
05-13-2016 05:39 AM
The router with the IP 10.168.201.1 could have a route for 232.239.122.192/24 back to your firewall.
05-13-2016 05:42 AM
Yes, it has a route back to the Outside interface on my firewall.
So I cannot understand why this error occurs.
05-13-2016 05:59 AM
- The initial packet came from your internal network. 10.168.101.100 has a network location that is not outside of your firewall.
- The router routes the packet back to your firewall. There it arrives with a source address of 10.168.101.100 on the outside interface. Based on the routing table this packet is spoofed, as the location of 10.168.101.100 is inside.
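The two bullets above describe a reverse-path (uRPF) check failing because of a routing loop. The following model, added here as an illustration and not code from the thread or from Cisco, rebuilds the ASA routing table from the `show route` output in the question and walks the packet between the ASA and the upstream router. The router's table, the interface names `to-ASA`/`upstream`, and the helper names (`lookup`, `rpf_check`, `trace`) are assumptions made for this example; the denial message is modelled on the 106021 line in the question.

```python
"""Model of the ASA unicast reverse-path (RPF) check and the routing loop
described in the thread. Added example, not Cisco code."""
from ipaddress import ip_address, ip_network

# ASA routing table, transcribed from the thread's `show route` output:
#   C 10.168.101.100 255.255.254.0 is directly connected, Inside
#   S 232.239.122.192 255.255.255.224 [1/0] via 10.168.201.1, Outside
ASA_ROUTES = [
    (ip_network("10.168.101.100/23", strict=False), "Inside"),
    (ip_network("232.239.122.192/27"), "Outside"),
]

# Assumed router table (constructed): the upstream router 10.168.201.1 has a
# route for the destination block that points back at the ASA.
ROUTER_LOOPED = [(ip_network("232.239.122.192/27"), "to-ASA")]
# Constructed "fixed" table: the same prefix now points upstream.
ROUTER_FIXED = [(ip_network("232.239.122.192/27"), "upstream")]


def lookup(routes, addr):
    """Longest-prefix match: egress interface for addr, or None if no route."""
    addr = ip_address(addr)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(routes, src, ingress):
    """uRPF rule: the interface the routing table would use to reach the
    packet's SOURCE must be the interface the packet arrived on."""
    expected = lookup(routes, src)
    if expected is None:
        return False, f"no route back to {src}"
    if expected != ingress:
        return False, (f"Deny reverse path check from {src} on interface "
                       f"{ingress} (route to source is via {expected})")
    return True, "ok"


def trace(src, dst, ingress, router_routes=ROUTER_LOOPED, max_hops=4):
    """Walk the packet between ASA and router until it is delivered, denied,
    or the hop budget runs out. Returns (outcome, hops)."""
    hops = []
    for _ in range(max_hops):
        ok, reason = rpf_check(ASA_ROUTES, src, ingress)
        hops.append(("ASA", ingress, "rpf-ok" if ok else "denied"))
        if not ok:
            return "denied", hops
        egress = lookup(ASA_ROUTES, dst)
        if egress == "Inside":
            return "delivered-inside", hops
        # ASA forwards out Outside to 10.168.201.1; see where the router sends it.
        router_next = lookup(router_routes, dst)
        hops.append(("router", "from-ASA", router_next))
        if router_next != "to-ASA":
            return "delivered-upstream", hops
        ingress = "Outside"  # router hands the packet straight back to the ASA
    return "loop", hops


if __name__ == "__main__":
    outcome, hops = trace("10.168.101.100", "232.239.122.219", "Inside")
    print(outcome)
    for hop in hops:
        print("  ", hop)
```

Run as-is, the trace shows the SYN passing the RPF check on Inside, leaving toward the router, coming back in on Outside, and being denied there, which is exactly the sequence the capture and the 106021 message in the question show. Passing `router_routes=ROUTER_FIXED` delivers the packet upstream instead, so the check on the ASA is behaving correctly and the fix belongs in the router's routing table.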
05-13-2016 06:15 AM
You're right.
Checking routing!!!
05-13-2016 07:36 AM
Found the routing problem. As you described, it was like a "loop".
