Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
184
Views
1
Helpful
2
Replies

ICMP "Flood" on ASA 5516

DanTee
Level 1
Level 1

‎05-14-2024 10:00 AM

Hi Community,

i do have an ASA 5516 and can see an active connection from the source adress 10.88.72.11 which is causing several GB of ICMP Traffic to one of our internal IPs.

The strange thing is, I cannot find this address either in real-time log or elsewhere. Also the IP is unknown, so it shouldn´t be in our subnet. NMAP Scan from my Admin workstation is showing host down. 

Do you guys have any idea on how to find out where this IP adress is coming from and how it is establishing a connection through the FW? Also why can´t I see it in real-time log?

Many Thanks,
Daniel

2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎05-14-2024 10:08 AM

you mean this ICMP going from LAN to External ?

or source is external to internal ?

or LAN to ASA inside interface ?

check the before Hop of ASA - can the device learn this IP in the routing table ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

MHM Cisco World
VIP
VIP

‎05-14-2024 10:15 AM

Why it not appear in log, it can it appear but you config acl log with high interval that make traffic even if it hit acl not generating log. 

What solution

Run thread detection or shun this IP. 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card