02-28-2026 11:23 PM
Dears,
I am requesting your kind help regarding a log reported by a third party.
I received a log from my third‑party security team indicating that my firewall is experiencing a Land Attack. The log shows that the source and destination IP addresses are the same, specifically tied to the firewall’s outside interface (public internet IP).
The log entry is as follows:
the log is <162>2026-01-20T04:20:12Z FTD-FW : %FTD-2-106017: Deny IP due to Land Attack from x.x.x.x to x.x.x.x .
However, I am unable to find this event in the firewall’s own logs or monitoring dashboards.
To investigate, I reviewed all relevant configurations, including routing, NAT rules, security policies, and VPN settings, but I did not identify any misconfigurations or suspicious activity.
Thank you guys
03-01-2026 12:11 AM
There are at least two common causes of this issue that have nothing to do with security and are an issue with how the firewall interprets certain flows incorrectly. It can be caused by a NAT hairpin rule (same source and destination interface) as well as traffic going into and coming out of the same interface (often due to routing issues).
There was also an old ASA bug related to this but it was long since resolved. (FTD runs LINA or ASA code as part of the underlying packet processing.) https://quickview.cloudapps.cisco.com/quickview/bug/CSCtr93086
03-01-2026 12:34 AM
- @ShareefKooliyodan0444 This makes it also more difficult to troubleshoot:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj44531
M.
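For triaging the 106017 message quoted in the question, the following is an added example (not part of the original thread and not Cisco code) that parses such syslog lines, decodes the `<162>` PRI value, and counts events per hour for addresses the firewall itself owns, which is the pattern the hairpin NAT and same-interface routing explanations would produce. The sample lines, the `203.0.113.10` address and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Header plus the 106017 body in the shape shown in the question.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s*:\s*"
    r"%(?P<product>FTD|ASA)-(?P<sev>\d)-106017: "
    r"Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+?)\s*\.?\s*$"
)

def parse_land_attack(line):
    """Return a dict for a 106017 line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Syslog PRI = facility * 8 + severity; <162> is facility 20 (local4), severity 2.
    facility, severity = divmod(int(m["pri"]), 8)
    return {
        "ts": m["ts"], "host": m["host"], "src": m["src"], "dst": m["dst"],
        "facility": facility, "severity": severity,
        # The severity digit in %FTD-2-... should agree with the PRI header.
        "pri_consistent": severity == int(m["sev"]),
        "same_addr": m["src"] == m["dst"],
    }

def summarize(lines, own_addrs):
    """Count events per (hour, address, kind); kind marks the firewall's own IPs."""
    counts = Counter()
    for line in lines:
        ev = parse_land_attack(line)
        if ev is None or not ev["same_addr"]:
            continue
        kind = "own-interface" if ev["src"] in own_addrs else "other"
        counts[(ev["ts"][:13], ev["src"], kind)] += 1
    return counts

# Constructed sample input; 203.0.113.10 stands in for the outside interface IP.
SAMPLE = [
    "<162>2026-01-20T04:20:12Z FTD-FW : %FTD-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10 .",
    "<162>2026-01-20T04:41:03Z FTD-FW : %FTD-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10 .",
    "<166>2026-01-20T04:41:05Z FTD-FW : %FTD-6-302013: Built inbound TCP connection (constructed filler line)",
    "<162>2026-01-20T05:02:44Z FTD-FW : %FTD-2-106017: Deny IP due to Land Attack from 198.51.100.7 to 198.51.100.7",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE, {"203.0.113.10"}).items()):
        print(key, n)
```

Events tagged `own-interface` that recur at steady intervals can then be lined up against NAT rules and routes that send traffic back out the interface it arrived on.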