PIX log messaging - discovering reasons

bberry
Level 1

I have started to clean up issues with a new network. I am trying to discover the reasons for the attached error messages on my PIX. I am thinking this is a spoofed address on the LAN but am not sure how to go about searching for it.

106021: Deny tcp reverse path check from 38.84.92.68 to 66.90.84.38 on interface inside

106021: Deny tcp reverse path check from 38.84.92.69 to 66.90.84.38 on interface inside

106021: Deny tcp reverse path check from 38.84.92.70 to 66.90.84.38 on interface inside

106021: Deny tcp reverse path check from 38.84.92.71 to 66.90.84.38 on interface inside

106021: Deny tcp reverse path check from 38.84.92.72 to 66.90.84.38 on interface inside

106021: Deny tcp reverse path check from 38.84.92.73 to 66.90.84.38 on interface inside

106021: Deny tcp reverse path check from 38.84.92.74 to 66.90.84.38 on interface inside

thanks in advance ..

2 Replies

Patrick Iseli
Level 7

That will be a challenging task to find that host.

Start by figuring out what the MAC address is. Check the vendor code table to see what network card it is. It might help to find it.

Put a sniffer or ntop in place and try to figure out what kind of traffic, and how much of it, is coming from the host.

Check the interfaces on the routers and switches to follow the path the host is coming from. => show interface

Good luck

Sincerely

Patrick

scoclayton
Level 7

What does the topology of the network inside the PIX look like? If everything inside the PIX is on a flat network (meaning no Layer 3 hops), issue a 'sh arp' on the PIX and find the matching MAC addresses for 38.84.92.68, 38.84.92.69, 38.84.92.70, etc. Then go to the switch(es) in question and look at the CAM table to find out which port has the MAC address (found via the 'sh arp' on the PIX) attached to it. If there are a few hops on your network inside the PIX, you may need to repeat these steps until you narrow in on the source.

Most likely, a PC on your network is infected with some sort of virus that is spoofing addresses and trying to blast packets out. You are doing a good thing by blocking these packets with the reverse path check. I wish everyone out there would implement reverse path checking...doing so would severely hamper the virus propagation and damage we see today.
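The two replies above describe one procedure: pull the source IPs out of the 106021 messages, resolve each to a MAC with 'sh arp' on the PIX, check the MAC's vendor prefix, and then find that MAC in the switch CAM table to get the port. The script below walks that chain over pasted command output. It is an added example, not code from the original thread or from Cisco: the log lines reuse the addresses from the post, but the 'show arp' and 'show mac address-table' text, the MAC addresses, VLAN and port names are constructed for illustration, and the vendor table is a one-entry stand-in for the IEEE OUI registry. Since the PIX only has ARP entries for hosts it has actually resolved, the script also handles the case where a denied source IP has no ARP entry at all, which is when you need the sniffer approach instead.

```python
"""Triage PIX 106021 reverse-path-check denies: IP -> MAC -> vendor -> switch port.

All device output below is constructed sample data (not from a real PIX or
switch); the log lines reuse the addresses from the forum post.
"""
import re
from collections import Counter

# Constructed: syslog lines as quoted in the post, plus one extra source (.71)
# whose MAC the PIX has never resolved.
PIX_LOG = """\
106021: Deny tcp reverse path check from 38.84.92.68 to 66.90.84.38 on interface inside
106021: Deny tcp reverse path check from 38.84.92.69 to 66.90.84.38 on interface inside
106021: Deny tcp reverse path check from 38.84.92.70 to 66.90.84.38 on interface inside
106021: Deny tcp reverse path check from 38.84.92.68 to 66.90.84.38 on interface inside
106021: Deny tcp reverse path check from 38.84.92.71 to 66.90.84.38 on interface inside
"""

# Constructed: 'sh arp' style output from the PIX (interface, IP, MAC).
PIX_ARP = """\
        inside 38.84.92.68 0050.56ab.1234
        inside 38.84.92.69 0050.56ab.1234
        inside 38.84.92.70 0050.56ab.1234
        inside 192.168.1.10 0011.2233.4455
"""

# Constructed: 'show mac address-table' style output from the access switch.
SWITCH_CAM = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.56ab.1234    DYNAMIC     Fa0/7
   1    0011.2233.4455    DYNAMIC     Fa0/3
"""

# Constructed subset of the IEEE OUI registry; a real lookup uses the full file.
OUI_VENDORS = {"005056": "VMware"}

CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
LOG_RE = re.compile(r"106021: Deny \w+ reverse path check from (\S+) to \S+ on interface (\S+)")
ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(" + CISCO_MAC + r")", re.I)
CAM_RE = re.compile(r"^\s*\d+\s+(" + CISCO_MAC + r")\s+\S+\s+(\S+)", re.I)


def spoofed_sources(log):
    """Count 106021 denies per (source IP, ingress interface)."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def parse_arp(text):
    """Map IP -> MAC from 'sh arp' lines (assumed 'iface ip mac' layout)."""
    return {m.group(2): m.group(3).lower()
            for m in (ARP_RE.match(l) for l in text.splitlines()) if m}


def parse_cam(text):
    """Map MAC -> port from 'show mac address-table' lines; header lines don't match."""
    return {m.group(1).lower(): m.group(2)
            for m in (CAM_RE.match(l) for l in text.splitlines()) if m}


def vendor_hint(mac):
    """Look up the first 24 bits of a Cisco-format MAC in the OUI table."""
    return OUI_VENDORS.get(mac.replace(".", "")[:6].lower())


def locate(log, arp_text, cam_text):
    """Group denied source IPs by sending MAC and resolve each MAC to a port.

    Returns {mac: {"ips": [...], "port": str|None, "vendor": str|None, "denies": n}}.
    The key None collects IPs with no ARP entry on the PIX: 'sh arp' cannot
    place those, so a sniffer/SPAN session on the inside segment is needed.
    """
    arp, cam = parse_arp(arp_text), parse_cam(cam_text)
    result = {}
    for (ip, _iface), n in spoofed_sources(log).items():
        mac = arp.get(ip)
        entry = result.setdefault(mac, {
            "ips": [],
            "port": cam.get(mac) if mac else None,
            "vendor": vendor_hint(mac) if mac else None,
            "denies": 0,
        })
        entry["ips"].append(ip)
        entry["denies"] += n
    for entry in result.values():
        entry["ips"].sort()
    return result


if __name__ == "__main__":
    for mac, e in locate(PIX_LOG, PIX_ARP, SWITCH_CAM).items():
        where = f"port {e['port']}" if e["port"] else "no ARP/CAM entry: sniff the segment"
        print(f"{mac or '(unresolved)'} vendor={e['vendor']} denies={e['denies']} "
              f"ips={e['ips']} -> {where}")
```

On a flat network an infected host spoofing a range of addresses shows up as many source IPs collapsing onto one MAC and one port, which is the pattern the grouping makes visible; with Layer 3 hops in between, the MAC you see is the next-hop router's, and you repeat the CAM lookup one hop closer each time, as the reply says.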
