I have a client that has been having issues with their VPN connection between two sites. The primary site seems to be fine but the VPN drops to the second site. I set up logging for the second site and everything seemed fine until I got an email early saying that the connection was down again. Around when they said it happened, I saw that logs stopped for a period of time. I first thought it was an ISP issue since there was nothing coming in from the second site. Looking more at the logs, I see a LOT of this type of message:
%ASA-1-106021: Deny TCP reverse path check from xx.xx.xx.xx to xx.xx.xx.xx on interface backup-isp
When running a constant ping to the device I am seeing a lot of dropped packets. I only get a few replies now and then. The ASA is still getting logs to our server with the same as above.
We are using the primary connection for the VPN but since I cannot even log in to the ASA, I can't check status or anything else. If this IS an attack, could it cause these types of issues when they are coming in on the backup-isp connection? From what I have read, the message above indicates that the ASA has blocked the attack and simply dropped the packet. I am seeing that error about 4 to 5 times a second, or at least that is what is getting to our log server.
Also, the source address in the message (from xx.xx.xx.xx) is coming from a handful of addresses.
If this is an attack, what can be best done to deal with it?
Thanks
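A triage sketch for the situation described in the post, added here as an example and not part of the original post: it tallies %ASA-1-106021 denies per source address and interface, reports the peak per-second rate, and flags silent periods in the collected log. The ISO timestamp prefix, the documentation-range addresses and the 60-second gap threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log; the leading ISO timestamp is an assumed log-server format.
_FMT = ("{} %ASA-1-106021: Deny TCP reverse path check from {} "
        "to 203.0.113.10 on interface backup-isp")
SAMPLE = "\n".join(_FMT.format(ts, src) for ts, src in [
    ("2024-01-01T03:00:00", "198.51.100.7"),
    ("2024-01-01T03:00:00", "198.51.100.7"),
    ("2024-01-01T03:00:00", "198.51.100.9"),
    ("2024-01-01T03:00:00", "198.51.100.23"),
    ("2024-01-01T03:00:01", "198.51.100.7"),
    ("2024-01-01T03:00:01", "198.51.100.9"),
    ("2024-01-01T03:07:30", "198.51.100.7"),   # first line after a silent period
    ("2024-01-01T03:07:30", "198.51.100.23"),
])

RPF = re.compile(
    r"^\S+\s.*%ASA-1-106021: Deny (?P<proto>\S+) reverse path check "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<ifc>\S+)")

def summarize(text, gap=timedelta(seconds=60)):
    """Summarize reverse-path denies and find periods with no log lines at all."""
    by_src, by_ifc, per_sec, stamps = Counter(), Counter(), Counter(), []
    for line in text.splitlines():
        try:
            ts = datetime.fromisoformat(line.split(" ", 1)[0])
        except ValueError:
            continue                      # skip lines without a parsable timestamp
        stamps.append(ts)                 # every line counts for gap detection
        m = RPF.match(line)
        if m:
            by_src[m["src"]] += 1
            by_ifc[m["ifc"]] += 1
            per_sec[ts] += 1
    stamps.sort()
    gaps = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > gap]
    return {"total": sum(by_src.values()), "by_src": by_src, "by_ifc": by_ifc,
            "peak_per_sec": max(per_sec.values(), default=0), "gaps": gaps}

if __name__ == "__main__":
    r = summarize(SAMPLE)
    print("denies:", r["total"], "peak/sec:", r["peak_per_sec"])
    print("top sources:", r["by_src"].most_common(3))
    for start, end in r["gaps"]:
        print("no logs between", start, "and", end)
```

Comparing the flagged silent periods with the reported VPN drop times shows whether the outage windows line up with a burst of denies or with the device going quiet altogether.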