05-14-2012 12:13 AM - edited 03-11-2019 04:06 PM
Hi,
I introduced failover and started seeing a "Deny IP due to Land attack from myip to myip". I see it in bursts, five at a time, 10 seconds delay, or something like that. I am not doing any DNS tricks or so; in fact I don't use services in DMZ as this is a branch office. The other ideas I've seen suggested might be related to failover. I did a capture of asp-drop and opened the pcap in Wireshark, but I don't see any packets originating from my IP, destined for my IP.
Any ideas how to debug this? Would "show failover" and "debug fover" be of help?
2x ASA 5505 sec+
Cisco Adaptive Security Appliance Software Version 8.3(1)
Failover On
Failover unit Primary
Failover LAN Interface: asaha Vlan999 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 2
Monitored Interfaces 7 of 23 maximum
Version: Ours 8.3(1), Mate 8.3(1)
Last Failover at: 15:21:13 CEDT May 6 2012
This host: Primary - Active
Active time: 669031 (sec)
slot 0: ASA5505 hw/sw rev (1.0/8.3(1)) status (Up Sys)
Interface outside (1.1.1.149): Normal
Interface inside (10.0.0.1): Normal
Interface menmoint (192.168.0.254): Normal (Waiting)
Interface ownit (2.2.2.19): Normal (Waiting) <--- IP I see in "land attack" is 2.2.2.20, not .19 as I nat our clients to .20
Interface cafe (192.168.255.1): Normal (Waiting)
Interface dmz (10.120.1.1): Normal
slot 1: empty
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5505 hw/sw rev (0.1/8.3(1)) status (Up Sys)
Interface outside (1.1.1.150): Normal
Interface inside (10.0.0.2): Normal
Interface menmoint (0.0.0.0): Normal (Waiting)
Interface ownit (0.0.0.0): Normal (Waiting)
Interface cafe (0.0.0.0): Normal (Waiting) <--- interface of failover node, no active ip. Does it matter?
Interface dmz (10.120.1.3): Normal
slot 1: empty
05-14-2012 12:58 AM
Please assign standby ip's to the other interfaces as well, and that should take care of the log messages.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-23-2012 02:34 AM
Hi Varun Rao,
It didn't help. I added standby IPs to all interfaces, and then wr mem & wr standby. Still the same error logs:
May 23 11:29:48 asa01 %ASA-2-106017: Deny IP due to Land Attack from 2.2.28.20 to 2.2.28.20
The IP in the error log is somewhat interesting: "2.2.28.20" is actually not held by any of the device interfaces, but is the IP to which I source NAT the "inside" interface when egressing the isp1 interface. All internal interfaces are mapped to different external IPs.
Here's the config for the 2.2.28.20 IP:
# object
object network company-isp1-ext-ip
host 2.2.28.20
description outgoing company ip via isp1
# NAT
nat (ownit,ownit) after-auto source dynamic ipsecvpnpool company-isp1-ext-ip
nat (inside,ownit) after-auto source dynamic any company-isp1-ext-ip
# Interfaces config
interface Vlan2
nameif isp2
security-level 0
ip address 1.1.37.149 255.255.255.240 standby 1.1.37.150
!
interface Vlan3
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Vlan4
nameif otherint
security-level 50
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.4
!
interface Vlan5
nameif isp1
security-level 0
ip address 2.2.28.19 255.255.255.248 standby 2.2.28.18 <---
!
interface Vlan6
nameif cafe
security-level 10
ip address 192.168.255.1 255.255.255.0 standby 192.168.255.2
!
interface Vlan100
nameif dmz
security-level 100
ip address 10.120.1.1 255.255.255.0 standby 10.120.1.3
!
interface Vlan999
description LAN Failover Interface
!
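An added example, not from the thread or from Cisco: a small Python triage helper that parses %ASA-2-106017 syslog lines like the one above and tags the reported address with the role it plays in the running config (active interface IP, standby IP, or NAT object host), which is the cross-check the poster did by hand to notice that 2.2.28.20 is a NAT address rather than an interface address. The log lines and config excerpt are constructed from the values in this thread; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the %ASA-2-106017 message in the thread.
SAMPLE_LOGS = """\
May 23 11:29:48 asa01 %ASA-2-106017: Deny IP due to Land Attack from 2.2.28.20 to 2.2.28.20
May 23 11:29:48 asa01 %ASA-2-106017: Deny IP due to Land Attack from 2.2.28.20 to 2.2.28.20
May 23 11:29:58 asa01 %ASA-2-106017: Deny IP due to Land Attack from 10.0.0.2 to 10.0.0.2
May 23 11:29:59 asa01 %ASA-6-302013: Built outbound TCP connection 1 for inside:10.0.0.5/51000 (2.2.28.20/51000) to isp1:203.0.113.9/443 (203.0.113.9/443)
"""

# Constructed config excerpt reusing the interface and NAT object lines from the thread.
SAMPLE_CONFIG = """\
object network company-isp1-ext-ip
 host 2.2.28.20
interface Vlan3
 nameif inside
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface Vlan5
 nameif isp1
 ip address 2.2.28.19 255.255.255.248 standby 2.2.28.18
"""

LAND_RE = re.compile(r"%ASA-2-106017: Deny IP due to Land Attack from (\S+) to (\S+)")

def index_addresses(config):
    """Map each configured address to its role: interface active/standby IP or NAT object host."""
    roles, ctx = {}, None  # ctx tracks the object or interface block we are inside
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            ctx = ("object", tok[2])
        elif tok[0] == "interface":
            ctx = ("interface", tok[1])
        elif tok[0] == "nameif" and ctx and ctx[0] == "interface":
            ctx = ("interface", tok[1])  # prefer the nameif over the Vlan label
        elif tok[0] == "host" and ctx and ctx[0] == "object":
            roles[tok[1]] = f"nat object {ctx[1]}"
        elif tok[:2] == ["ip", "address"] and ctx and ctx[0] == "interface":
            roles[tok[2]] = f"active ip of {ctx[1]}"
            if "standby" in tok:
                roles[tok[tok.index("standby") + 1]] = f"standby ip of {ctx[1]}"
    return roles

def land_attack_hits(logs, config):
    """Count 106017 events per source address and label each with its role in the config."""
    roles = index_addresses(config)
    counts = Counter(m.group(1) for m in map(LAND_RE.search, logs.splitlines()) if m)
    return [(ip, n, roles.get(ip, "not in config")) for ip, n in counts.most_common()]

if __name__ == "__main__":
    for ip, n, role in land_attack_hits(SAMPLE_LOGS, SAMPLE_CONFIG):
        print(f"{ip}: {n} land-attack drops, role: {role}")
```

A hit labelled as a NAT object rather than an interface address, as in the thread, points at the translation path rather than at the failover pair's own addresses.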