07-07-2015 08:59 PM - edited 03-11-2019 11:14 PM
So I've been banging my head on this issue for some time now and finally broke down and am posting here hoping for some help.
I have an ASA5505 at my house with my residential cable modem plugged into the outside interface and my LAN on the inside interface. Pretty simple setup.
Lately I've noticed my logs getting spammed with the following entries:
Jul 07 2015 22:52:37: %ASA-2-106017: Deny IP due to Land Attack from 255.255.255.255 to 255.255.255.255
Jul 07 2015 22:52:37: %ASA-1-106021: Deny UDP reverse path check from 255.255.255.255 to 255.255.255.255 on interface OUTSIDE
Jul 07 2015 22:52:40: %ASA-2-106017: Deny IP due to Land Attack from 255.255.255.255 to 255.255.255.255
Jul 07 2015 22:52:40: %ASA-1-106021: Deny UDP reverse path check from 255.255.255.255 to 255.255.255.255 on interface OUTSIDE
Jul 07 2015 22:52:43: %ASA-2-106017: Deny IP due to Land Attack from 255.255.255.255 to 255.255.255.255
Jul 07 2015 22:52:43: %ASA-1-106021: Deny UDP reverse path check from 255.255.255.255 to 255.255.255.255 on interface OUTSIDE
Jul 07 2015 22:52:46: %ASA-2-106017: Deny IP due to Land Attack from 255.255.255.255 to 255.255.255.255
Jul 07 2015 22:52:46: %ASA-1-106021: Deny UDP reverse path check from 255.255.255.255 to 255.255.255.255 on interface OUTSIDE
I set up a capture using the following:
access-list weird line 1 extended permit udp host 255.255.255.255 any4 (hitcnt=12) 0x4e486a09
access-list weird line 2 extended permit udp any4 host 255.255.255.255 (hitcnt=21) 0x0fb9dad7
and the results of this packet capture are as follows:
1: 22:46:39.698816 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
2: 22:46:46.697122 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
3: 22:47:36.706781 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
4: 22:47:44.707574 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
5: 22:48:46.700525 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
6: 22:49:02.700357 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
7: 22:49:58.710137 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
8: 22:50:15.938183 802.1Q vlan#2 P0 97.83.128.1.67 > 255.255.255.255.68: udp 313
9: 22:50:18.937176 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 307
10: 22:50:22.571198 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 307
11: 22:50:33.699243 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
12: 22:51:30.704004 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
13: 22:51:34.732231 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
14: 22:51:53.740394 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 307
15: 22:51:55.979411 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 307
16: 22:52:33.702051 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
17: 22:52:37.142601 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 300
18: 22:52:40.151023 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 300
19: 22:52:41.702051 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
20: 22:52:43.344098 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 307
21: 22:52:46.284500 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 307
22: 22:53:38.703836 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
23: 22:53:53.705789 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
So can anyone explain why I'm getting all this traffic from 255.255.255.255 to 255.255.255.255? I feel like the cable modem is somehow to blame but can't figure this out.
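Added example, not part of the original thread: a short script that lines up the syslog deny entries with the capture above by second, to show which captured packets coincide with the 106017/106021 messages. It assumes both outputs were timestamped by the same ASA clock; the regexes and function names are constructed for this example, and the data is copied from the post (capture packets 16 to 22).

```python
import re
from collections import defaultdict

# Data copied from the post above: all eight syslog lines, capture packets 16-22.
SYSLOG = """\
Jul 07 2015 22:52:37: %ASA-2-106017: Deny IP due to Land Attack from 255.255.255.255 to 255.255.255.255
Jul 07 2015 22:52:37: %ASA-1-106021: Deny UDP reverse path check from 255.255.255.255 to 255.255.255.255 on interface OUTSIDE
Jul 07 2015 22:52:40: %ASA-2-106017: Deny IP due to Land Attack from 255.255.255.255 to 255.255.255.255
Jul 07 2015 22:52:40: %ASA-1-106021: Deny UDP reverse path check from 255.255.255.255 to 255.255.255.255 on interface OUTSIDE
Jul 07 2015 22:52:43: %ASA-2-106017: Deny IP due to Land Attack from 255.255.255.255 to 255.255.255.255
Jul 07 2015 22:52:43: %ASA-1-106021: Deny UDP reverse path check from 255.255.255.255 to 255.255.255.255 on interface OUTSIDE
Jul 07 2015 22:52:46: %ASA-2-106017: Deny IP due to Land Attack from 255.255.255.255 to 255.255.255.255
Jul 07 2015 22:52:46: %ASA-1-106021: Deny UDP reverse path check from 255.255.255.255 to 255.255.255.255 on interface OUTSIDE
"""
CAPTURE = """\
16: 22:52:33.702051 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
17: 22:52:37.142601 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 300
18: 22:52:40.151023 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 300
19: 22:52:41.702051 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
20: 22:52:43.344098 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 307
21: 22:52:46.284500 802.1Q vlan#2 P0 255.255.255.255.67 > 255.255.255.255.68: udp 307
22: 22:53:38.703836 802.1Q vlan#2 P0 75.134.16.1.67 > 255.255.255.255.68: udp 309
"""

LOG_RE = re.compile(r"(\d\d:\d\d:\d\d): %ASA-\d-(\d{6}):")
CAP_RE = re.compile(
    r"(\d\d:\d\d:\d\d)\.\d+ .* (\d+(?:\.\d+){3})\.(\d+)"
    r" > \d+(?:\.\d+){3}\.(\d+): udp")

def correlate(syslog, capture):
    """Return (time, src, sport, dport, message IDs logged that second) per packet."""
    hits = defaultdict(set)
    for m in LOG_RE.finditer(syslog):
        hits[m.group(1)].add(m.group(2))
    rows = []
    for m in CAP_RE.finditer(capture):
        ts, src, sport, dport = m.groups()
        rows.append((ts, src, int(sport), int(dport), sorted(hits.get(ts, ()))))
    return rows

def sources(rows, denied):
    """Source addresses of packets that do (or do not) share a second with a deny entry."""
    return {src for _, src, _, _, ids in rows if bool(ids) == denied}

if __name__ == "__main__":
    for row in correlate(SYSLOG, CAPTURE):
        print(row)
    print("with deny entries:   ", sources(correlate(SYSLOG, CAPTURE), True))
    print("without deny entries:", sources(correlate(SYSLOG, CAPTURE), False))
```

On this data, the four seconds with deny entries are exactly the seconds in which a UDP 67 > 68 packet with source 255.255.255.255 was captured; the packets from 75.134.16.1 have no matching entries.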
07-07-2015 11:10 PM
Hi,
Could you send me the output of the following command:
show run | in verify
Regards,
Prateek Verma
07-08-2015 06:48 AM
firewall# show run | in verify
ip verify reverse-path interface INSIDE
ip verify reverse-path interface OUTSIDE
08-25-2015 06:31 AM
Hi,
In my experience, ip verify reverse-path on the outside interface (if the default router is directed through this interface) doesn't make sense.
Why?
Because you have a default route there, and every single route is OK by the conditions of verify reverse-path.
HTH