03-13-2011 11:43 AM - edited 03-11-2019 01:05 PM
Hi,
I've been getting a bunch of these on an ASA I was tasked with cleaning up and securing
Deny HOPOPT reverse path check from 0.0.0.0 to 0.0.0.0 on interface inside
What causes this message and what does it mean? Thanks.
03-13-2011 03:26 PM
HOPOPT is IPv6 Hop-by-Hop Option.
Here is a link:
http://www.networksorcery.com/enp/protocol/ip.htm
There is some IPv6 traffic getting to the ASA. You might want to set captures on the inside interface so that you can track the MAC address of the packets with that protocol version, and with the MAC you might be able to track the device sending that traffic.
I hope this helps.
03-13-2011 03:26 PM
I assume that you have "ip verify reverse-path" configured on some interfaces of your ASA.
Basically what that does is check the routing table to make sure that traffic is coming in on the interface it is supposed to arrive on.
Eg:
If the inside interface is 10.1.1.0/24 and traffic with source 10.1.1.5 actually arrives on the DMZ interface, for example, it will fail the reverse path check because it is not supposed to arrive on the DMZ interface but on the inside interface.
Here is the syslog information for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4768997
And here is the reference guide for the command: "ip verify reverse-path":
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i3.html#wp1839270
Hope that helps.
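The check described in the answer above, worked through as an added example (this is not code from the thread or from Cisco): a small simulation of a strict reverse-path check against a routing table, plus a parser for the "Deny ... reverse path check" message so the denied sources can be counted per interface and compared with the interface the routing table expected them on. The routing table, the "fw1" host name and all log lines are constructed for the example; the "%ASA-1-106021:" prefix is the ASA syslog ID for this message, and the 302013 line is an unrelated constructed entry to show that non-matching lines are ignored. The source 0.0.0.0 from the original question only matches the default route here, which is why it fails on "inside".

```python
import ipaddress
import re
from collections import Counter

# Constructed routing table (prefix, egress interface). 0.0.0.0/0 is the
# default route out "outside"; this is not taken from the original thread.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.1.0/24", "inside"),
    ("192.168.50.0/24", "dmz"),
]

# Regex for the message body quoted in the thread. The timestamp, host name and
# "%ASA-1-106021:" prefix in SAMPLE_LOG are assumed syslog framing.
LOG_RE = re.compile(
    r"Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)

# Constructed sample log: two HOPOPT denies like the one in the question, one
# TCP deny matching the answer's DMZ example, and one unrelated message.
SAMPLE_LOG = """\
Mar 13 2011 11:40:01 fw1 %ASA-1-106021: Deny HOPOPT reverse path check from 0.0.0.0 to 0.0.0.0 on interface inside
Mar 13 2011 11:40:02 fw1 %ASA-1-106021: Deny HOPOPT reverse path check from 0.0.0.0 to 0.0.0.0 on interface inside
Mar 13 2011 11:41:17 fw1 %ASA-1-106021: Deny tcp reverse path check from 10.1.1.5 to 192.168.50.10 on interface dmz
Mar 13 2011 11:42:05 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/4433 (198.51.100.7/4433) to inside:10.1.1.20/443 (10.1.1.20/443)
"""


def lookup_egress(routes, addr):
    """Longest-prefix match of addr against routes. Returns the egress
    interface name, or None when no route (not even a default) covers addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_ok(routes, src, ingress):
    """Strict reverse-path check: the packet passes only if the interface the
    routing table would use to reach src is the interface it arrived on."""
    return lookup_egress(routes, src) == ingress


def summarize_denies(log_text):
    """Count reverse-path denies by (protocol, ingress interface, source) so
    the noisiest sender can be targeted with a capture on that interface."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m["proto"], m["iface"], m["src"])] += 1
    return counts


def deny_report(routes, log_text):
    """Join the deny counts to the routing table: for each denied source,
    report how often it hit and which interface the route says it belongs on."""
    report = []
    for (proto, iface, src), n in sorted(summarize_denies(log_text).items()):
        report.append({
            "proto": proto,
            "ingress": iface,
            "src": src,
            "count": n,
            "expected": lookup_egress(routes, src),
        })
    return report


if __name__ == "__main__":
    # The answer's example: 10.1.1.5 is fine on inside, fails on dmz.
    print("10.1.1.5 on inside:", reverse_path_ok(ROUTES, "10.1.1.5", "inside"))
    print("10.1.1.5 on dmz:   ", reverse_path_ok(ROUTES, "10.1.1.5", "dmz"))
    for row in deny_report(ROUTES, SAMPLE_LOG):
        print(f"{row['count']:>3}x {row['proto']:<7} from {row['src']:<15} "
              f"on {row['ingress']:<8} expected on {row['expected']}")
```

The report is the piece that turns a noisy log into a capture target: once a source shows up repeatedly on an interface it should not be on, a capture on that interface filtered to that source gives the MAC address needed to find the host, as the other answer suggests.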
03-13-2011 03:30 PM
thank you!