Deny HOPOPT reverse path check from 0.0.0.0 to 0.0.0.0 on interface inside

lcaruso
Level 6

Hi,

I've been getting a bunch of these on an ASA I was tasked with cleaning up and securing

Deny HOPOPT reverse path check from 0.0.0.0 to 0.0.0.0 on interface inside

What causes this message and what does it mean? Thanks.

Accepted Solutions

HOPOPT is IPv6 Hop-by-Hop Option.

Here is a link:

http://www.networksorcery.com/enp/protocol/ip.htm

There is some ipv6 traffic getting to the ASA. You might want to set captures on the inside interface so that you can track the MAC address of the packets with that protocol version and with the MAC you might be able to track the device sending that traffic.

I hope this helps.

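The answer above points at triage: find out which interface, protocol and source the denies are coming from before chasing the MAC with a capture. The following is an added example, not code from the thread or from Cisco, that parses lines carrying the message body quoted in the question, maps the printed protocol name to its IANA protocol number (HOPOPT is protocol 0; the table is a partial one and is an assumption of this example), and counts denies per interface, protocol and source. The sample log lines are constructed for the example; the `%ASA-1-106021` prefix on them is assumed from the ASA syslog format rather than taken from the thread.

```python
import re
from collections import Counter

# Partial IANA protocol-number table for names the ASA prints in this message.
# Assumption of this example: only these protocols are needed for the sample data.
PROTO_NUMBERS = {
    "HOPOPT": 0,   # IPv6 Hop-by-Hop Option, the protocol named in the question
    "ICMP": 1,
    "TCP": 6,
    "UDP": 17,
    "IPV6": 41,
    "ESP": 50,
    "ICMP6": 58,
}

# Matches the message body shown in the thread; anything before "Deny"
# (timestamp, hostname, %ASA-x-nnnnnn id) is ignored by using search().
RPF_DENY_RE = re.compile(
    r"Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) to (?P<dst>\S+) "
    r"on interface (?P<iface>\S+)"
)


def parse_rpf_deny(line):
    """Return a dict with proto, proto_number, src, dst, iface, or None if the
    line is not a reverse-path-check deny."""
    m = RPF_DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto_number"] = PROTO_NUMBERS.get(rec["proto"].upper())
    return rec


def summarize(lines):
    """Count denies keyed by (ingress interface, protocol, source address)."""
    counts = Counter()
    for line in lines:
        rec = parse_rpf_deny(line)
        if rec is not None:
            counts[(rec["iface"], rec["proto"], rec["src"])] += 1
    return counts


# Constructed sample log, assumed syslog id prefix; not real device output.
SAMPLE_LOG = [
    "%ASA-1-106021: Deny HOPOPT reverse path check from 0.0.0.0 to 0.0.0.0 on interface inside",
    "%ASA-1-106021: Deny HOPOPT reverse path check from 0.0.0.0 to 0.0.0.0 on interface inside",
    "%ASA-1-106021: Deny TCP reverse path check from 10.1.1.5 to 192.168.2.10 on interface dmz",
    "%ASA-6-302013: Built inbound TCP connection (unrelated line, ignored)",
]

if __name__ == "__main__":
    for (iface, proto, src), n in summarize(SAMPLE_LOG).most_common():
        num = PROTO_NUMBERS.get(proto.upper())
        print(f"{iface:8} {proto:7} (ip proto {num}) from {src:15} x{n}")
```

Sorting the summary by count puts the noisiest (interface, protocol, source) tuple first, which is the interface to put the capture on and the protocol to filter it for.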

Jennifer Halim
Cisco Employee

I assume that you have "ip verify reverse-path" configured on some interfaces of your ASA.

Basically what that does is check the routing table to make sure that traffic is coming from where it is supposed to arrive from.

Eg:

If inside interface is 10.1.1.0/24, and traffic of source 10.1.1.5 actually arrives on DMZ interface for example, it will fail the reverse path check because it is not supposed to be arriving on DMZ interface, but inside interface.

Here is the syslog information for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4768997

And here is the reference guide for the command: "ip verify reverse-path":

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i3.html#wp1839270

Hope that helps.

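To make the reverse-path check concrete, here is an added example (not from the thread, Cisco, or the ASA itself) that models what `ip verify reverse-path` does in the strict form described above: look up the packet's source address in the routing table with longest-prefix match, and pass the packet only if the route back to that source points out the interface the packet arrived on. The routing table is an assumed topology built around the 10.1.1.0/24-on-inside example in the answer; the `dmz` and `outside` prefixes and the default route are constructed for the example. In this model a source of 0.0.0.0 matches only the default route, so the question's message (0.0.0.0 arriving on inside) also comes out as a deny.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table: (prefix, egress interface). Assumed topology for
# the example; only 10.1.1.0/24 on "inside" comes from the thread.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "outside"),       # default route
    ("10.1.1.0/24", "inside"),
    ("192.168.2.0/24", "dmz"),
]


def route_lookup(src: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface the box would use to reach `src`."""
    addr = ipaddress.ip_address(src)
    best_iface, best_len = None, -1
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def reverse_path_check(src: str, ingress_iface: str, routes=ROUTES) -> bool:
    """Strict unicast RPF: pass only if the return route to the source exits
    through the interface the packet came in on."""
    return route_lookup(src, routes) == ingress_iface


def rpf_deny_message(proto: str, src: str, dst: str,
                     ingress_iface: str, routes=ROUTES) -> Optional[str]:
    """Return the deny message in the format quoted in the thread, or None if
    the packet passes the check."""
    if reverse_path_check(src, ingress_iface, routes):
        return None
    return f"Deny {proto} reverse path check from {src} to {dst} on interface {ingress_iface}"


if __name__ == "__main__":
    # Constructed packets: (protocol, source, destination, ingress interface)
    packets = [
        ("TCP", "10.1.1.5", "192.168.2.10", "inside"),   # legitimate
        ("TCP", "10.1.1.5", "192.168.2.10", "dmz"),      # the answer's example: spoofed or mis-routed
        ("UDP", "203.0.113.7", "10.1.1.5", "outside"),   # default route covers it
        ("HOPOPT", "0.0.0.0", "0.0.0.0", "inside"),      # the question's message
    ]
    for proto, src, dst, iface in packets:
        print(rpf_deny_message(proto, src, dst, iface) or f"pass {proto} {src} on {iface}")
```

The check is only as good as the routing table: with asymmetric routing, a legitimate host whose return route points out a different interface will fail strict RPF exactly like a spoofed one, so a run of these denies from a real internal subnet is worth comparing against `show route` before treating it as an attack.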

4 Replies


thank you!


thank you!
