Deny inbound protocol 112 src inside:xxx.xxx.xxx.xxx dst identity:224.0.0.18

edillenburg
Level 1

Does anybody know how to make the ASA report this VRRP traffic and an error?

It's just a regular switch (Juniper EX3300) sending VRRP traffic on the same VLAN and the ASA5510 inside port...

And if md5 authentication is enabled on the VRRP switch then message changes to:

Deny inbound protocol 51 src inside:xxx.xxx.xxx.xxx dst identity:224.0.0.18

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)


edillenburg
Level 1

Sorry for the typo:

The question is "Does anybody know how to make the ASA stop reporting this VRRP traffic as an error?"

Hello Eugenio,

Well, traffic is basically getting denied. If you want to stop receiving this log you should:

1) Disable the logging for this kind of error (not good, as you might end up losing key information)

2) permit the communication over AH.

Any other question..Sure.. Just remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Yes, I tried option #1 before and it didn't feel right. It was like sweeping under the rug...

About option #2, without authentication the message shows "protocol 112", and with md5 authentication it shows "protocol 51"; that's why I wonder if there is something that could be applied to VRRP as a whole.

Thanks for the help.

Hello Eugenio,

Well are you going to use it with authentication or not?

VRRP is IP protocol 112, so you could do it like that, and remember that the routers involved send hello packets to the multicast address 224.0.0.18.

Based on your answer, just configure the ACL on your ASA and that should make it.

Any other question..Sure.. Just remember to rate all of the helpful posts

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
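The two replies above lay out the choice between silencing the log message and permitting VRRP (protocol 112) or AH (protocol 51) towards 224.0.0.18. A third option for the operations side, not discussed in the thread, is to keep the ASA logging as-is and triage the messages downstream: accept the VRRP hellos from the switch you know about, and still surface a VRRP advertisement from any other source, since an unexpected VRRP speaker on the inside VLAN is exactly the kind of event you would want to see. The script below is an added example, not code from the thread or from Cisco; it parses the "Deny inbound protocol ..." text exactly as quoted in the question. The sample log lines, the peer address 192.0.2.10 and the other addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# IP protocol numbers mentioned in the thread (IANA assigned numbers).
PROTO_NAMES = {51: "AH", 112: "VRRP"}
# All-VRRP-routers multicast group, as stated in the thread.
VRRP_MCAST = "224.0.0.18"

# Matches the message text quoted in the question:
#   Deny inbound protocol 112 src inside:x.x.x.x dst identity:224.0.0.18
DENY_RE = re.compile(
    r"Deny inbound protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)


@dataclass
class DenyEvent:
    proto: int
    src_if: str
    src: str
    dst_if: str
    dst: str

    @property
    def proto_name(self) -> str:
        # Fall back to a numeric label for protocols the table does not name.
        return PROTO_NAMES.get(self.proto, "ip-%d" % self.proto)


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Extract the fields of an ASA 'Deny inbound protocol' line, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return DenyEvent(int(m["proto"]), m["src_if"], m["src"],
                     m["dst_if"], m["dst"])


def classify(ev: DenyEvent, vrrp_peers: Set[str]) -> str:
    """Label a deny event.

    expected-vrrp   : VRRP (112) or AH-protected VRRP (51) to 224.0.0.18
                      from a source we know runs VRRP on that VLAN
    unexpected-vrrp : same traffic pattern, but from a source not on the list
    other           : anything else, left for normal firewall-log review
    """
    if ev.dst == VRRP_MCAST and ev.proto in (112, 51):
        return "expected-vrrp" if ev.src in vrrp_peers else "unexpected-vrrp"
    return "other"


def triage(lines: Iterable[str], vrrp_peers: Set[str]) -> Dict[str, int]:
    """Count lines per label; unparsed lines are counted separately."""
    counts = {"expected-vrrp": 0, "unexpected-vrrp": 0, "other": 0, "unparsed": 0}
    for line in lines:
        ev = parse_deny(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        counts[classify(ev, vrrp_peers)] += 1
    return counts


# Constructed sample log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    "Deny inbound protocol 112 src inside:192.0.2.10 dst identity:224.0.0.18",
    "Deny inbound protocol 51 src inside:192.0.2.10 dst identity:224.0.0.18",
    "Deny inbound protocol 112 src inside:192.0.2.99 dst identity:224.0.0.18",
    "Deny inbound protocol 47 src outside:198.51.100.7 dst inside:192.0.2.1",
    "some unrelated syslog line",
]
# Constructed: the one switch that is supposed to speak VRRP on the inside VLAN.
KNOWN_VRRP_PEERS = {"192.0.2.10"}

if __name__ == "__main__":
    for label, n in triage(SAMPLE_LOG, KNOWN_VRRP_PEERS).items():
        print("%-16s %d" % (label, n))
```

Run against the constructed sample, the known switch's hellos (protocol 112 without authentication, protocol 51 with MD5 authentication) are both counted as expected, the hello from 192.0.2.99 is flagged as unexpected, and the unrelated GRE deny stays in the ordinary review queue. The peer list is the only site-specific input.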

That's the whole point.

No matter if using authentication (prot 51) or not (prot 112) the ASA dislikes the VRRP hellos.

There is no ACL in place, it's a first cut configuration with the interfaces allowing any any...

I don't see a place to allow such traffic in the configuration; that's why I came to knock on you guys' door...

Hello Eugenio,

Can you post the ASA configuration?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC