04-17-2015 12:13 PM - edited 03-11-2019 10:47 PM
I am seeing a lot on my INSIDE interface from multiple IPs, all pointing to port 137. Could this be a DNS lookup issue?
Frame drop:
Punt rate limit exceeded (punt-rate-limit) 22096
Invalid encapsulation (invalid-encap) 1
No route to host (no-route) 699896
Reverse-path verify failed (rpf-violated) 202
Flow is denied by configured rule (acl-drop) 605248
NAT-T keepalive message (natt-keepalive) 18
First TCP packet not SYN (tcp-not-syn) 8589
TCP failed 3 way handshake (tcp-3whs-failed) 2785
TCP RST/FIN out of order (tcp-rstfin-ooo) 73986
TCP SYNACK on established conn (tcp-synack-ooo) 10
TCP packet SEQ past window (tcp-seq-past-win) 10
TCP RST/SYN in window (tcp-rst-syn-in-win) 21
TCP packet failed PAWS test (tcp-paws-fail) 82
IPSEC tunnel is down (ipsec-tun-down) 2
Slowpath security checks failed (sp-security-failed) 1820459
FP L2 rule drop (l2_acl) 173542
Dropped pending packets in a closed socket (np-socket-closed) 651
04-18-2015 12:41 AM
Hi,
I think this would be the broadcast being dropped on the ASP on the ASA device.
Slowpath security checks failed:
This counter is incremented and packet is dropped when the security appliance is:
1) In routed mode receives a through-the-box:
- L2 broadcast packet
- IPv4 packet with destination IP address equal to 0.0.0.0
- IPv4 packet with source IP address equal to 0.0.0.0
2) In routed or transparent mode and receives a through-the-box IPv4 packet with:
- first octet of the source IP address equal to zero
- source IP address equal to the loopback IP address
- network part of source IP address equal to all 0's
- network part of the source IP address equal to all 1's
- source IP address host part equal to all 0's or all 1's
3) In routed or transparent mode and receives an IPv4 or IPv6 packet with same source and destination IP addresses
Refer:-
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s3.html#pgfId-1682248
I think you would be able to verify it easily using the asp capture:-
capture asp type asp-drop sp-security-failed buffer 3333333
Thanks and Regards,
Vibhor Amrodia
04-18-2015 05:16 AM
Yep, that looks like it. Why would it be dropping, and how would I correct it?
transitions# sh cap asp
301 packets captured
1: 04:16:21.508411 802.1Q vlan#1 P0 192.168.10.117.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
2: 04:16:21.601622 802.1Q vlan#1 P0 192.168.10.85.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
3: 04:16:21.648785 802.1Q vlan#1 P0 192.168.10.117.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
4: 04:16:22.340970 802.1Q vlan#1 P0 192.168.10.117.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
5: 04:16:22.365673 802.1Q vlan#1 P0 192.168.10.85.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
6: 04:16:23.099588 802.1Q vlan#1 P0 192.168.10.117.137 > 192.168.10.255.137: udp 50
7: 04:16:23.130043 802.1Q vlan#1 P0 192.168.10.85.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
8: 04:16:23.863755 802.1Q vlan#1 P0 192.168.10.117.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
9: 04:16:24.229220 802.1Q vlan#1 P0 192.168.10.241.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
10: 04:16:24.697397 802.1Q vlan#1 P0 192.168.10.117.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
11: 04:16:24.980112 802.1Q vlan#1 P0 192.168.10.241.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
12: 04:16:25.365291 802.1Q vlan#1 P0 192.168.10.40.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
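An added example, not code from the thread or from Cisco: a small Python triage helper that parses lines in the shape of the sh cap asp output above and checks each packet against the slowpath rules quoted in the reply above, so the udp/137 subnet broadcasts can be counted per source instead of read by eye. The sample lines, the interface subnet 192.168.10.0/24 and the treatment of a directed subnet broadcast as an L2 broadcast are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the "sh cap asp" output (not the thread's own capture).
SAMPLE = """\
301 packets captured
1: 04:16:21.508411 802.1Q vlan#1 P0 192.168.10.117.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
2: 04:16:21.601622 802.1Q vlan#1 P0 192.168.10.85.137 > 192.168.10.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
3: 04:16:23.099588 802.1Q vlan#1 P0 192.168.10.117.137 > 192.168.10.255.137: udp 50
4: 04:16:24.229220 802.1Q vlan#1 P0 192.168.10.0.137 > 192.168.10.20.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\S+)\s.*?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)"
    r"(?:\s+Drop-reason:\s+\((?P<reason>[\w-]+)\))?")

def parse_capture(text):
    """One dict per capture line; 'reason' is None when the line carries no Drop-reason."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        row = m.groupdict()
        for key in ("idx", "sport", "dport", "length"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def sp_security_failed(src, dst, local_net="192.168.10.0/24"):
    """Return the first matching slowpath rule (in the order the reply lists them) or None.
    local_net is assumed: it gives the network/host split and makes a directed subnet broadcast count as L2 broadcast."""
    s, d, net = ip_address(src), ip_address(dst), ip_network(local_net)
    hbits = net.max_prefixlen - net.prefixlen
    s_net, s_host = int(s) >> hbits, int(s) & ((1 << hbits) - 1)
    rules = [
        (d in (net.broadcast_address, ip_address("255.255.255.255")), "l2-broadcast"),
        (int(d) == 0, "dst-0.0.0.0"),
        (int(s) == 0, "src-0.0.0.0"),
        (s.packed[0] == 0, "src-first-octet-zero"),
        (s.is_loopback, "src-loopback"),
        (s_net in (0, (1 << net.prefixlen) - 1), "src-network-all-0-or-1"),
        (s_host in (0, (1 << hbits) - 1), "src-host-all-0-or-1"),
        (s == d, "src-equals-dst"),
    ]
    return next((name for hit, name in rules if hit), None)

def summarize(rows, local_net="192.168.10.0/24"):
    """Count packets per (source, destination port, inferred rule); NetBIOS name-service
    broadcasts show up as udp/137 from many hosts to the subnet broadcast address."""
    return Counter((r["src"], r["dport"], sp_security_failed(r["src"], r["dst"], local_net))
                   for r in rows)
```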
04-18-2015 07:24 AM
Hi,
I don't think you need to worry much about these, as the ASA device will never allow the broadcast through.
This is NetBIOS traffic and I think you should be able to ignore this.
Thanks and Regards,
Vibhor Amrodia