05-06-2016 05:25 AM - edited 03-12-2019 12:43 AM
Hi all,
Our company has three branch offices. All these offices have an ASA5510 firewall installed. The three ASAs are sending syslog messages to a syslog server. All three devices are spamming the same "Deny IP spoof" message.
Our provider has assigned us an outside interface IP address per ASA device. Let's take one ASA as an example. Let's say the assigned outside IP address for one of the ASAs is 1.1.1.1. We are using 1.1.1.2 as the default gateway (the next-hop router of our provider). Our provider has also assigned us an extra external IP block to NAT our internal servers. Let's say this is 2.2.2.1 to 2.2.2.5. Now, if I look at the syslog messages of one of our ASAs, 99% of them are the following messages, which keep spamming our log server:
%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.1 on interface outside
%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.2 on interface outside
%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.3 on interface outside
%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.4 on interface outside
%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.5 on interface outside
As you can see, 1.1.1.1 is the configured IP address on the outside interface. The IP addresses in the 2.2.2.x subnet are the extra external IP block assigned by our provider. These external IP addresses have not yet been assigned (NATed) to any of our hosts, so they are currently not in use. However, they are routed to our ASA by our provider.
How can I solve this issue so that the ASAs stop logging this spoof message? And what causes it anyway? To me it seems that our own firewall is trying to reach one of the IP addresses in the alternate IP block, but for what reason?
Thanks in advance for the help.
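To make the pattern in those log lines easier to see across three devices, here is a small parser that pulls every 106016 "Deny IP spoof" event out of a syslog export and counts them per (source, destination, interface), separating events whose source is one of the ASA's own interface addresses (as in the messages above) from events with any other source. This is an added example, not code from the original post or from Cisco; the sample log lines are constructed for the example, and the hostname, timestamps and the 198.51.100.7 source are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog export, modelled on the messages quoted in the post.
# 1.1.1.1 is the ASA's own outside IP, 2.2.2.1-2.2.2.5 the unused NAT block.
# The 302013 line and the 198.51.100.7 source are made up to show that
# unrelated messages and non-self sources are handled separately.
SAMPLE_LOG = """\
May  6 05:20:01 asa-branch1 %ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.1 on interface outside
May  6 05:20:03 asa-branch1 %ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.2 on interface outside
May  6 05:20:05 asa-branch1 %ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.1 on interface outside
May  6 05:20:07 asa-branch1 %ASA-6-302013: Built outbound TCP connection 12345 for inside:10.0.0.5/51234 (1.1.1.1/51234) to outside:203.0.113.9/443 (203.0.113.9/443)
May  6 05:20:09 asa-branch1 %ASA-2-106016: Deny IP spoof from (198.51.100.7) to 2.2.2.3 on interface outside
"""

# Matches the 106016 message format shown in the post; the severity digit is
# left variable so re-prioritised messages are still caught.
SPOOF_RE = re.compile(
    r"%ASA-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
    r"on interface (?P<iface>\S+)"
)


def parse_spoof_events(log_text):
    """Return a list of (src, dst, iface) tuples, one per 106016 message."""
    events = []
    for line in log_text.splitlines():
        match = SPOOF_RE.search(line)
        if match:
            events.append((match.group("src"), match.group("dst"), match.group("iface")))
    return events


def summarize(log_text, own_interface_ips):
    """Count spoof events per (src, dst, iface) and split them into two buckets.

    'self_sourced': the claimed source is one of the ASA's own interface
    addresses, which is the symptom described in the post.
    'external': any other source, which deserves a separate look because it
    could be a genuine spoof attempt rather than a routing quirk.
    """
    counts = Counter(parse_spoof_events(log_text))
    self_sourced = {k: v for k, v in counts.items() if k[0] in own_interface_ips}
    external = {k: v for k, v in counts.items() if k[0] not in own_interface_ips}
    return {"self_sourced": self_sourced, "external": external}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, own_interface_ips={"1.1.1.1"})
    for bucket, entries in report.items():
        print(bucket)
        for (src, dst, iface), n in sorted(entries.items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {src} -> {dst}  ({iface})")
```

Feed it the raw syslog file from the log server (for example with `summarize(open("asa.log").read(), {"1.1.1.1"})`) and the per-destination counts show whether the noise is only the ASA's own address hitting the unused NAT block or whether other sources are mixed in, which is the first thing to know before deciding whether a capture on the ASA is needed.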
05-06-2016 05:59 AM
If you disable URPF on the outside interface, then these messages shouldn't be logged any more. One reason for this message could be that a client/server behind the ASA is accessing this IP. The ASA routes it through the default-route to the ISP which directly sends it back to the ASA.
05-06-2016 06:07 AM
Hi Karsten,
I disabled it using the following command:
ASA(config)# no ip verify reverse-path interface outside
However the messages are still logged every few seconds.
Is there anything else I can do to solve this?
05-09-2016 12:11 AM
I've waited for the weekend to pass, but unfortunately it is still logging this message every few seconds. Also, according to the Cisco website, uRPF should be disabled by default. I have never enabled this feature in the past on any of our 3 ASAs. But the command "no ip verify reverse-path interface outside" didn't solve it.
The 3 ASAs are all set up the same way. All have a static outside interface IP address and an extra IP block for NATting purposes.
05-09-2016 03:25 AM
URPF is disabled by default and yes, it's a best practice to enable it if possible.
I would capture the traffic on the ASA to see what kind of traffic causes these logs and which device originates them.
08-09-2019 07:11 PM
Did you get a solution to this?
08-10-2019 03:30 PM