ASA failover: Deny IP due to land attack from <ip> to <ip>

3moloz123
Level 1

Hi,

I introduced failover and started seeing "Deny IP due to Land attack from myip to myip". I see it in bursts, five at a time, with a 10-second delay, or something like that. I am not doing any DNS tricks or the like; in fact I don't use services in the DMZ, as this is a branch office. The other ideas I've seen suggested might be related to failover. I did a capture of asp-drop and opened the pcap in Wireshark, but I don't see any packets originating from my IP, destined for my IP.

Any ideas how to debug this? Would show failover and debug fover be of help?

2x ASA 5505 sec+

Cisco Adaptive Security Appliance Software Version 8.3(1)

Failover On

Failover unit Primary

Failover LAN Interface: asaha Vlan999 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 2

Monitored Interfaces 7 of 23 maximum

Version: Ours 8.3(1), Mate 8.3(1)

Last Failover at: 15:21:13 CEDT May 6 2012

This host: Primary - Active

Active time: 669031 (sec)

slot 0: ASA5505 hw/sw rev (1.0/8.3(1)) status (Up Sys)

  Interface outside (1.1.1.149): Normal

  Interface inside (10.0.0.1): Normal

  Interface menmoint (192.168.0.254): Normal (Waiting)

  Interface ownit (2.2.2.19): Normal (Waiting)   <--- the IP I see in the "land attack" message is 2.2.2.20, not .19, as I NAT our clients to .20

  Interface cafe (192.168.255.1): Normal (Waiting)

  Interface dmz (10.120.1.1): Normal

slot 1: empty

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5505 hw/sw rev (0.1/8.3(1)) status (Up Sys)

  Interface outside (1.1.1.150): Normal

  Interface inside (10.0.0.2): Normal

  Interface menmoint (0.0.0.0): Normal (Waiting)

  Interface ownit (0.0.0.0): Normal (Waiting)

  Interface cafe (0.0.0.0): Normal (Waiting)   <--- interface of the failover node, no active IP. Does it matter?

  Interface dmz (10.120.1.3): Normal

slot 1: empty

1 Accepted Solution

Accepted Solutions

varrao
Level 10

Please assign standby ip's to the other interfaces as well, and that should take care of the log messages.

Thanks,
Varun Rao
Security Team,
Cisco TAC
2 Replies

Hi Varun Rao,

It didn't help. I added standby IPs to all interfaces, and then wr mem & wr standby. Still the same error logs:

May 23 11:29:48 asa01 %ASA-2-106017: Deny IP due to Land Attack from 2.2.28.20 to 2.2.28.20

The IP in the error log is somewhat interesting: "2.2.28.20" is actually not held by any of the device's interfaces, but is the IP to which I source NAT the "inside" interface when egressing the isp1 interface. All internal interfaces are mapped to different external IPs.

Here's the config for the 2.2.28.20 IP:

# object
object network company-isp1-ext-ip
 host 2.2.28.20
 description outgoing company ip via isp1

# NAT
nat (ownit,ownit) after-auto source dynamic ipsecvpnpool company-isp1-ext-ip
nat (inside,ownit) after-auto source dynamic any company-isp1-ext-ip

# Interfaces config
interface Vlan2
 nameif isp2
 security-level 0
 ip address 1.1.37.149 255.255.255.240 standby 1.1.37.150
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Vlan4
 nameif otherint
 security-level 50
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.4
!
interface Vlan5
 nameif isp1
 security-level 0
 ip address 2.2.28.19 255.255.255.248 standby 2.2.28.18  <---
!
interface Vlan6
 nameif cafe
 security-level 10
 ip address 192.168.255.1 255.255.255.0 standby 192.168.255.2
!
interface Vlan100
 nameif dmz
 security-level 100
 ip address 10.120.1.1 255.255.255.0 standby 10.120.1.3
!
interface Vlan999
 description LAN Failover Interface
!
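As an added example (not from the thread or from Cisco), a small Python triage script that does by machine what the poster did by hand above: it parses %ASA-2-106017 lines and checks whether the self-addressed IP is an interface active or standby address, or a NAT-mapped object address, in the running config. The config and syslog lines below are constructed samples in the shape of those quoted in the thread.

```python
import re
# Constructed sample config in the shape of the thread's (not the poster's actual config).
SAMPLE_CONFIG = """\
object network company-isp1-ext-ip
 host 2.2.28.20
interface Vlan3
 nameif inside
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface Vlan5
 nameif isp1
 ip address 2.2.28.19 255.255.255.248 standby 2.2.28.18
nat (inside,isp1) after-auto source dynamic any company-isp1-ext-ip
"""
# Constructed syslog lines using the %ASA-2-106017 message text quoted in the thread.
SAMPLE_LOGS = """\
May 23 11:29:48 asa01 %ASA-2-106017: Deny IP due to Land Attack from 2.2.28.20 to 2.2.28.20
May 23 11:29:58 asa01 %ASA-2-106017: Deny IP due to Land Attack from 10.0.0.2 to 10.0.0.2
May 23 11:29:59 asa01 %ASA-2-106017: Deny IP due to Land Attack from 198.51.100.7 to 198.51.100.7
"""
LAND_RE = re.compile(r"%ASA-2-106017: Deny IP due to Land Attack from (\S+) to (\S+)")

def index_config(config):
    """Map each address in the config to a role: interface active/standby, NAT-mapped object, or plain object."""
    roles, objects, nat_mapped, nameif, obj = {}, {}, set(), None, None
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"]:            # active address, optional standby address
            roles[t[2]] = f"active address of {nameif}"
            if "standby" in t:
                roles[t[t.index("standby") + 1]] = f"standby address of {nameif}"
        elif t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[0] == "host" and obj:
            objects[t[1]] = obj
        elif t[0] == "nat" and "dynamic" in t:      # last token is the mapped (translated-to) object
            nat_mapped.add(t[-1])
    for ip, name in objects.items():
        roles[ip] = f"NAT-mapped address (object {name})" if name in nat_mapped else f"host in object {name}"
    return roles

def triage(logs, roles):
    """Return (src, dst, role_of_src) per 106017 line; a self-addressed hit on a NAT or standby address points at the box's own config."""
    findings = []
    for line in logs.splitlines():
        m = LAND_RE.search(line)
        if m:
            src, dst = m.groups()
            findings.append((src, dst, roles.get(src, "not a configured address")))
    return findings
```

Run `triage(SAMPLE_LOGS, index_config(SAMPLE_CONFIG))` and an address that comes back as "not a configured address" is the one that merits the asp-drop capture; the others are explained by the NAT and standby configuration.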
