Re: Deny IP Spoof messages in ASA syslog

Martijn de Loos · ‎05-06-2016

Hi all,

Our company has three branch offices. All these offices have an ASA5510 firewall installed. The three ASA's are sending syslog messages to a syslog server. All three devices are spamming the same "Deny IP spoof" message.

Our provider has assigned us an outside interface IP address per ASA device. Let's take one ASA as an example. Let's say the assigned outside IP address for one of the ASAs is 1.1.1.1. We are using 1.1.1.2 as default gateway (next-hop router of our provider). Our provider has also assigned us an extra external IP block to NAT our internal servers. Let's say this is 2.2.2.1 til 2.2.2.5. Now, if I look at the syslog messages of one of our ASAs, it is for 99% the following messages that keeps spamming our log server:

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.1 on interface outside

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.2 on interface outside

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.3 on interface outside

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.4 on interface outside

%ASA-2-106016: Deny IP spoof from (1.1.1.1) to 2.2.2.5 on interface outside

As you can see, 1.1.1.1 is the cofigured outside IP address on the outside interface. The IP addresses in the 2.2.2.x subnet is the extra external IP block assigned by our provider. The external IP addresses have not yet been assigned (NATed) to one of our hosts, so they are currently not yet in use. However, they are routed to our ASA by our provider.

How can I solve this issue so that the ASA's stop logging this spoof message? And what causes it anyway? To me it seems that our own firewall is trying to reach one of the IP addresses in the alternate IP block, but for what reason?

Thanks in advance for the help.

Karsten Iwen · ‎05-06-2016

If you disable URPF on the outside interface, then these messages shouldn't be logged any more. One reason for this message could be that a client/server behind the ASA is accessing this IP. The ASA routes it through the default-route to the ISP which directly sends it back to the ASA.

Martijn de Loos · ‎05-06-2016

Hi Karsten,

I disabled it using the following command:

ASA(config)# no ip verify reverse-path interface outside

However the messages are still logged every few seconds.

Is there anything else I can do to solve this?

Martijn de Loos · ‎05-09-2016

I've waited for the weekend to pass but unfortunately it is still logging this message every few seconds. Also, according to the Cisco website, URPF should be disabled by default. I have never enabled this feature in the past on any of our 3 ASAs. But the command "no ip verify reverse-path interface outside" didn't solve it.

The 3 ASAs are all setup the same way. All have a static outside interface IP address and an extra IP block for NATting purposes.

Karsten Iwen · ‎05-09-2016

URPF is disabled by default and yes, it's a best practice to enable it if possible.

I would capture the traffic on the ASA to see what kind of traffic causes these logs and which device originates them.

Alan Ng'ethe · ‎08-09-2019

Did you get a solution to this?

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Alan Ng'ethe · ‎08-10-2019

Solved by hairpinning traffic.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.