10-19-2010 09:45 PM - edited 03-11-2019 11:57 AM
Hi Dudes,
I am getting the below logs in my firewall. Can anyone explain to me why I am getting this and how to stop it?
logs : %ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from 12.64.100.1 to 143.66.122.44
Message id : 106020
Actually we have a static NAT in firewall for this ip (143.66.122.44)
143.66.122.44 : Public ip for my FTP server.
Client will access my FTP server through the public 143.66.122.44.
Thanks,
limat
10-20-2010 12:07 AM
Hi,
You can find details about this log below:
Please apply captures on the ASA outside interface and we can see which packets are causing these logs.
https://supportforums.cisco.com/docs/DOC-1222
Thanks and Regards,
Prapanch
10-20-2010 06:27 AM
Hello,
Teardrop packets are packets that have overlapping fragment offsets and are typically used in a denial of service attack. Do you recognize the client IP address of 12.64.100.1? If it appears to be a legitimate client, you may need to investigate the FTP client or upstream network devices to find out why the fragments are overlapping. Otherwise, you can block all traffic from this IP either in your inbound access-list or using the 'shun 12.64.100.1' command. You can also contact your ISP about blocking this traffic upstream.
Hope that helps.
-Mike
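The overlapping fragment offsets described in the reply above can be checked directly against fragments taken from a capture. The following is an added example, not part of the original thread and not Cisco's code; the record layout, the function name `find_overlaps`, and all sample addresses and values are constructed, and offsets are assumed to be in bytes.

```python
from collections import defaultdict

# Constructed sample records, as they might be extracted from a capture.
# Fields: (src, dst, ip_id, offset_bytes, payload_len). All values are made up.
SAMPLE_FRAGMENTS = [
    ("192.0.2.10", "198.51.100.5", 0x1A2B, 0, 1480),
    ("192.0.2.10", "198.51.100.5", 0x1A2B, 1480, 1480),
    ("192.0.2.10", "198.51.100.5", 0x1A2B, 2960, 520),  # clean datagram
    ("192.0.2.77", "198.51.100.5", 0x0042, 0, 36),
    ("192.0.2.77", "198.51.100.5", 0x0042, 24, 4),       # starts inside the first fragment
]


def find_overlaps(fragments):
    """Return {(src, dst, ip_id): [(covering_fragment, overlapping_fragment), ...]}."""
    # Fragments of one datagram share source, destination and IP identification.
    by_datagram = defaultdict(set)
    for src, dst, ip_id, offset, length in fragments:
        # A set drops exact duplicates (same offset and length), which are
        # ignored here because the payload bytes are not compared.
        by_datagram[(src, dst, ip_id)].add((offset, length))

    overlaps = {}
    for key, frags in by_datagram.items():
        hits = []
        covered_end = 0   # first byte not yet covered by any fragment seen so far
        covering = None   # the fragment that reaches covered_end
        for offset, length in sorted(frags):
            # A fragment that begins before the covered range ends overlaps it.
            if covering is not None and offset < covered_end:
                hits.append((covering, (offset, length)))
            if offset + length > covered_end:
                covered_end = offset + length
                covering = (offset, length)
        if hits:
            overlaps[key] = hits
    return overlaps


if __name__ == "__main__":
    for (src, dst, ip_id), hits in find_overlaps(SAMPLE_FRAGMENTS).items():
        for earlier, later in hits:
            print(f"{src} -> {dst} id=0x{ip_id:04x}: {later} overlaps {earlier}")
```

A source that shows up here for many datagrams is a candidate for the block or shun discussed above; a single known client that shows up points to the FTP client or an upstream device, as the reply suggests.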
10-22-2010 07:57 AM
Hi Limat,
How is it going? If this has been resolved and you have no more questions, please mark this as answered.
Thanks and Regards,
Prapanch
02-17-2012 06:50 AM
Hi everyone,
I had the same problem this week:
Deny IP teardrop fragment (size = 1480, offset = 0) from 10.0.0.1 to 208.64.126.193
The ip: 10.0.0.1 is my internal IP.
Is this normal?
Thanks,
Renato