The sp-security-failed reason is a bit of a catch-all, but here are the reasons why a packet might be dropped for this reason (from the command reference for 'show asp drop'):
Name: sp-security-failed
Slowpath security checks failed:
This counter is incremented and packet is dropped when the security appliance is:
1) In routed mode receives a through-the-box:
- L2 broadcast packet
- IPv4 packet with destination IP address equal to 0.0.0.0
- IPv4 packet with source IP address equal to 0.0.0.0
2) In routed or transparent mode and receives a through-the-box IPv4 packet with:
- first octet of the source IP address equal to zero
- source IP address equal to the loopback IP address
- network part of source IP address equal to all 0's
- network part of the source IP address equal to all 1's
- source IP address host part equal to all 0's or all 1's
3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source
and destination IP addresses
Recommendation:
1 and 2) Determine if an external user is trying to compromise the protected network.
Check for misconfigured clients.
3) If this message counter is incrementing rapidly, an attack may be in progress. Use
the packet capture feature to capture type asp packets, and check the source MAC address
in the packet to see where they are coming from.
Syslogs:
1 and 2) 106016
3) 106017
Hope that helps.
