
Nicholas Poole

Cisco ASA anti-spoofing problem

I have turned on anti-spoofing on all interfaces on an ASA 5520 HA pair running 8.4(3).

I am getting some RPF fails, but when I check some of the source and destination addresses I don't see why it has failed.

The source packet came in on the inside interface, with a 10.49.x.x, and there is a route to 10/8 on the inside network.

So why did it fail?  Even using the packet tracer says it fails, but I don't get why.

Any ideas?


Hi,

If you enable anti-spoofing it will check both the source and destination route entries; if they are not there then it will fail.

Pity the ASA log doesn't say why it failed anti-spoofing, just that it did and on what interface it came in on.  How hard could it be for the log to say it failed because it was expecting it on interface A, but it came in on interface B!!!

If you are troubleshooting someone else's network where you don't know where a subnet sits, it's not the easiest thing to do.

Sadly, again, the ASA doesn't allow you to do a show route x.x.x.x without specifying an interface.  So all I did was check the route against the interface it came in on, and the route was a match.  What I didn't know was that there was a more specific route on a different interface.

Should have been simple to spot?  Well, the log only gives the host that fails (not the network, which is understandable), but if you do a sh route on an ASA and all the networks have been given names, you can't match it!

What should have been a simple troubleshooting exercise was made difficult by the ASA coding in my opinion.

In short, the answer was asymmetric routing, as another interface had a more specific route.
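The source-address check that tripped the poster, reproduced as an added example (not from the thread or from Cisco): a longest-prefix-match lookup followed by a strict uRPF comparison against the ingress interface. The routing table, interface names and addresses are constructed to mirror the thread (10/8 on inside, a more specific /24 elsewhere) and are not the poster's real configuration.

```python
import ipaddress

# Constructed sample routing table (assumption, not the poster's real config):
# a 10/8 summary on "inside" and a more specific /24 on "dmz".
SAMPLE_ROUTES = [
    ("10.0.0.0/8", "inside"),
    ("10.49.7.0/24", "dmz"),
    ("192.168.1.0/24", "outside"),
]


def best_route(routes, address):
    """Longest-prefix match: return (network, interface) or None if no route."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(routes, src_ip, ingress_iface):
    """Strict reverse-path check: the best route back to the source address
    must point at the interface the packet arrived on.
    Returns (passed, reason) so the reason can be logged, which is exactly
    the detail the poster found missing from the ASA log."""
    match = best_route(routes, src_ip)
    if match is None:
        return False, f"no route to {src_ip}"
    net, expected = match
    if expected != ingress_iface:
        return False, (f"best route {net} points to {expected}, "
                       f"packet arrived on {ingress_iface}")
    return True, f"best route {net} via {ingress_iface}"


if __name__ == "__main__":
    # 10.49.7.25 fails even though 10/8 is on inside, because the more
    # specific 10.49.7.0/24 is on dmz; 10.49.8.25 passes via the /8.
    for src, iface in [("10.49.7.25", "inside"), ("10.49.8.25", "inside")]:
        ok, why = rpf_check(SAMPLE_ROUTES, src, iface)
        print(f"{src} on {iface}: {'PASS' if ok else 'RPF FAIL'} ({why})")
```

Running the lookup for each RPF-failed host with its ingress interface gives the expected interface directly, which is the check the poster had to do by hand against sh route.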