12-14-2022 11:11 AM
Hello all,
Recently (finally) got around to configuring and setting up a syslog server in our environment. I have all of our Cisco devices sending syslogs to a syslog ingestion tool. Everything appears to be working great, but I am seeing a significant amount of traffic from our ASA. Specifically with the log:
ec 14 2022 13:24:44: %ASA-2-106016: Deny IP spoof from (216.68.X.X) to 216.68.X.X on interface outside
With the initial IP address (216.68.X.X) being the public IP address of our ASA and the secondary IP 216.68.X.X being our syslog/network monitoring server. I have read through several other similar threads here, here and here but have not found a solution. I also found that you can limit how often it is sent, but I'd rather just understand if it is something I should be concerned about or not. But I am also not sure if I understand how limiting works.
So it would make sense that our syslog/netmon server would be communicating with the ASA, but I am not sure what from the ASA might be generating a "spoof" that is being sent to our syslog server.
I have checked the show route output and I am not seeing anything that really gives me more information that might help. My next logical step is to do a packet capture, but I wanted to see if someone else might be able to provide guidance.
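As an added example (not from the thread or from Cisco), the script below parses ASA syslog lines of the kind quoted above, counts %ASA-2-106016 "Deny IP spoof" events per source/destination/interface, and flags pairs where the "spoofed" source is one of the firewall's own addresses, which is the pattern the post describes; the ASA emits 106016 when a packet fails the reverse-path (anti-spoofing) check on the interface it arrived on. The sample lines and addresses (203.0.113.10 as the ASA outside address, 203.0.113.20 as the syslog server) are constructed documentation values, not the poster's.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (RFC 5737 documentation addresses,
# not the poster's real IPs). Assumed: 203.0.113.10 is the ASA's own
# outside address and 203.0.113.20 is the syslog/netmon server.
SAMPLE_LOGS = [
    "Dec 14 2022 13:24:44: %ASA-2-106016: Deny IP spoof from (203.0.113.10) to 203.0.113.20 on interface outside",
    "Dec 14 2022 13:24:45: %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51000 (203.0.113.10/51000)",
    "Dec 14 2022 13:24:46: %ASA-2-106016: Deny IP spoof from (203.0.113.10) to 203.0.113.20 on interface outside",
    "Dec 14 2022 13:24:47: %ASA-2-106016: Deny IP spoof from (10.0.0.99) to 203.0.113.20 on interface outside",
    "Dec 14 2022 13:24:48: %ASA-2-106016: Deny IP spoof from (203.0.113.10) to 203.0.113.20 on interface outside",
]

# Generic ASA header: %ASA-<severity>-<6-digit message id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
# Body of message 106016 as shown in the post.
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def parse_asa(line):
    """Return a dict with severity/msgid/text (plus src/dst/iface for 106016), or None."""
    m = ASA_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}
    spoof = SPOOF_RE.match(m["text"])
    if spoof:
        rec.update(spoof.groupdict())
    return rec


def summarize_spoof(lines, own_addresses):
    """Count 106016 events per (src, dst, iface); flag keys whose src is a firewall-owned address.

    A flagged key means the ASA saw its own address as the source of a packet
    arriving on that interface, which is what the reverse-path check rejects.
    """
    counts = Counter()
    flagged = set()
    for line in lines:
        rec = parse_asa(line)
        if not rec or rec["msgid"] != "106016":
            continue
        key = (rec["src"], rec["dst"], rec["iface"])
        counts[key] += 1
        if rec["src"] in own_addresses:
            flagged.add(key)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize_spoof(SAMPLE_LOGS, {"203.0.113.10"})
    for key, n in counts.most_common():
        print(f"{n:4d}  {key}  {'<- own address as source' if key in flagged else ''}")
```

Feed it the real syslog export instead of SAMPLE_LOGS to see which source/destination pairs dominate before deciding whether rate limiting or a packet capture is the next step.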
12-14-2022 01:26 PM
There is a workaround, but it is not recommended at all:
NO ip verify reverse-path interface outside <<-
12-15-2022 05:45 AM
@MHM Cisco World wrote: There is a workaround, but it is not recommended at all:
NO ip verify reverse-path interface outside <<-
Could you elaborate as to what this does specifically? Since it's not recommended I do not plan on trying it, I just want to understand what it does.