05-26-2015 09:49 PM - edited 03-11-2019 11:00 PM
Hi all,
I have a Cisco ASA 5520 configured with remote access VPN using SSL. The outside interface of my ASA has the IP address 10.1.1.1/24.
I notice weird traffic (10.1.1.2 attempting to access 10.1.1.3, happening constantly) when I do a packet capture on my ASA. This should not happen, since the 3 IP addresses 10.1.1.1, 10.1.1.2 and 10.1.1.3 are on the same subnet. I also notice the same thing when I check my ASA logs. I did a port span for a few hours on the Cisco switch port which is connected to my ASA outside interface but could not see any of the weird traffic (10.1.1.2 attempting to access 10.1.1.3, happening constantly). I could see other legitimate traffic. Hence I suspect that what I see in the ASA packet capture could be VPN traffic. But my VPN split tunnel is configured such that only traffic destined to 192.168.0.0/24 will go through the VPN tunnel. Has anyone come across a similar weird situation? Please advise. TIA!
05-27-2015 03:59 AM
Hi,
These IP addresses, 10.1.1.2 and 10.1.1.3, are these from the IP local pool configured on the ASA device? If not, I think you might be able to trace the MAC address and find the reason why this traffic is being routed to the ASA device outside interface.
Thanks and Regards,
Vibhor Amrodia
05-27-2015 07:16 AM
Hi Vibhor,
10.1.1.2 and 10.1.1.3 are my 2 other servers on the same subnet. I have checked the routing on the 2 servers and there is no static route to 10.1.1.1.
05-30-2015 03:26 AM
Hi,
As per your latest comment, it seems that the server might not be sending these packets after all.
Can you take captures on the ASA device interface and trace the MAC address to see the device which might be sending these packets?
Thanks and Regards,
Vibhor Amrodia
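Added example (not part of any post in this thread): one way to do the MAC trace suggested above offline, assuming the ASA capture has been exported as a classic pcap file with Ethernet framing. The function names, the sample frames and the MAC addresses are constructed for illustration; the resulting source MAC is what you would then look up in the switch MAC address table.

```python
import socket
import struct
from collections import Counter

def build_sample_pcap():
    """Constructed sample input: a classic pcap holding three Ethernet/IPv4 frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rows = [  # (source MAC, source IP, destination IP), all made up
        ("0200000000aa", "10.1.1.2", "10.1.1.3"),
        ("0200000000aa", "10.1.1.2", "10.1.1.3"),
        ("0200000000bb", "10.1.1.7", "10.1.1.1"),
    ]
    for mac, src, dst in rows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes.fromhex("020000000001") + bytes.fromhex(mac) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def senders_by_mac(pcap_bytes, src_ip, dst_ip):
    """Count frames carrying src_ip -> dst_ip, grouped by Ethernet source MAC."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    want = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip_off = 14
        if frame[12:14] == b"\x81\x00":      # one 802.1Q tag shifts the IP header
            ip_off = 18
        if frame[ip_off - 2:ip_off] != b"\x08\x00" or len(frame) < ip_off + 20:
            continue                          # not IPv4, or truncated
        if frame[ip_off + 12:ip_off + 20] == want:   # IPv4 source + destination
            mac = ":".join(f"{b:02x}" for b in frame[6:12])
            counts[mac] += 1
    return counts

if __name__ == "__main__":
    print(senders_by_mac(build_sample_pcap(), "10.1.1.2", "10.1.1.3"))
```
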
05-30-2015 08:36 AM
Hi Vibhor,
After shutting down 10.1.1.2 and 10.1.1.3, I did a ping test and checked the ARP cache of my ASA (10.1.1.1) and confirmed that 10.1.1.2 and 10.1.1.3 are not in the environment, but why am I still seeing 10.1.1.2 attempting to access 10.1.1.3 constantly in my ASA logs with the syslog ID 106001? TIA!
05-29-2015 03:53 AM
Hi Vibhor,
Just to add on: I did a test by shutting down both 10.1.1.2 and 10.1.1.3 at the same time and ensured that both IP addresses are not active in the environment by doing a ping test and checking the ARP cache, but I continue to see 10.1.1.2 attempting to access 10.1.1.3 constantly in my ASA logs with the syslog ID 106001. Any idea why this is so?