Unicast Reverse Path on Cisco ASA

ssilvest
Level 1

When we have Unicast RPF enabled on a Cisco ASA, the RPF drop counter on the outside interface keeps increasing and we are getting many alerts. I understand that this is expected behavior, so how can we find the logs filtered for these particular drops, or is there any solution to bring the drops down? Kindly let me know. Thanks in advance.

Thanks & Regards

Soosai Silvester

2 Replies

Philip D'Ath
VIP Alumni

Assuming that you have your routing table correct, you'll only be able to bring the drops down by asking attackers to stop spoofing your IP addresses.

Aditya Ganjoo
Cisco Employee

Hi Soosai,

You can use the command "sh asp drop" to check the drop counters.

Also check this command:

The show ip verify statistics command can provide information about Unicast RPF statistics on a PIX/ASA/FWSM firewall. The following example shows 21 drops by Unicast RPF on the outside interface and 2738 packets dropped by Unicast RPF on the inside interface. Dropped packets should be investigated to determine their source and administrators should consider whether the packets indicate attempts to circumvent network security.

R4-ASA5520a# show ip verify statistics
interface outside: 21 unicast rpf drops
interface inside: 2738 unicast rpf drops
interface vpn: 0 unicast rpf drops
R4-ASA5520a#

More info:

http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

To bring these errors down, please check the source routing for the packets.

Regards,

Aditya


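As an added example that is not part of this thread and not Cisco's own tooling, the Python below does the two things the question asks for with the output Aditya quoted: it diffs two snapshots of "show ip verify statistics" so you can see how fast each interface's uRPF counter is actually growing (a flat counter on the outside interface is just background spoofing; a jump of thousands in a minute is worth looking at), and it filters a syslog feed for the uRPF deny message and ranks the offending source addresses per interface, which is the fastest way to find out who is spoofing and whether the "drops" are really a missing route. The syslog ID and message wording used here (106021, "Deny <proto> reverse path check from <src> to <dst> on interface <ifc>") are my assumption from the ASA syslog reference, not something stated in this thread, so verify them against your ASA release; the two snapshots and the log lines are constructed sample data.

```python
"""Triage Unicast RPF drops on a Cisco ASA from CLI output and syslog.

Helpers:
  parse_verify_stats() - turn 'show ip verify statistics' text into {ifc: drops}
  rpf_drop_deltas()    - per-interface growth between two such snapshots
  top_rpf_sources()    - rank source addresses in the uRPF deny syslog message
"""
import re
from collections import Counter

# One line of 'show ip verify statistics' output, e.g.
#   interface outside: 21 unicast rpf drops
STATS_LINE = re.compile(r"^interface\s+(\S+):\s+(\d+)\s+unicast rpf drops\s*$")

# ASSUMPTION: uRPF failures are logged as syslog ID 106021 with this wording:
#   %ASA-1-106021: Deny <proto> reverse path check from <src> to <dst> on interface <ifc>
# Check the ID and text against the syslog reference for your ASA release.
RPF_SYSLOG = re.compile(
    r"%ASA-\d-106021: Deny (?P<proto>\S+) reverse path check "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<ifc>\S+)"
)


def parse_verify_stats(text):
    """Return {interface: drop_count}; prompt lines and other text are ignored."""
    counts = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def rpf_drop_deltas(before, after):
    """Per-interface increase in uRPF drops between two snapshots.

    If a counter went backwards (reload or counters cleared) the 'after'
    value is reported instead of a negative delta.
    """
    prev_counts = parse_verify_stats(before)
    deltas = {}
    for ifc, now in parse_verify_stats(after).items():
        prev = prev_counts.get(ifc, 0)
        deltas[ifc] = now - prev if now >= prev else now
    return deltas


def top_rpf_sources(log_lines, interface=None, limit=5):
    """Count uRPF-denied source addresses, optionally restricted to one interface.

    Returns [((interface, source), count), ...], most frequent first.
    """
    hits = Counter()
    for line in log_lines:
        m = RPF_SYSLOG.search(line)
        if not m:
            continue
        if interface and m.group("ifc") != interface:
            continue
        hits[(m.group("ifc"), m.group("src"))] += 1
    return hits.most_common(limit)


# --- constructed sample data, not captured from a real device ---------------
SNAPSHOT_T0 = """R4-ASA5520a# show ip verify statistics
interface outside: 21 unicast rpf drops
interface inside: 2738 unicast rpf drops
interface vpn: 0 unicast rpf drops
R4-ASA5520a#"""

SNAPSHOT_T1 = """R4-ASA5520a# show ip verify statistics
interface outside: 4021 unicast rpf drops
interface inside: 2740 unicast rpf drops
interface vpn: 0 unicast rpf drops
R4-ASA5520a#"""

SAMPLE_SYSLOG = [
    "%ASA-1-106021: Deny udp reverse path check from 10.1.1.5 to 198.51.100.10 on interface outside",
    "%ASA-1-106021: Deny udp reverse path check from 10.1.1.5 to 198.51.100.10 on interface outside",
    "%ASA-1-106021: Deny tcp reverse path check from 192.168.7.9 to 198.51.100.20 on interface outside",
    "%ASA-1-106021: Deny icmp reverse path check from 172.16.0.3 to 10.0.0.8 on interface inside",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/4444 (203.0.113.7/4444) to inside:10.0.0.8/22 (198.51.100.20/22)",
]

if __name__ == "__main__":
    for ifc, delta in rpf_drop_deltas(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{ifc}: +{delta} uRPF drops since last snapshot")
    for (ifc, src), n in top_rpf_sources(SAMPLE_SYSLOG, interface="outside"):
        print(f"{ifc}: {src} denied {n} times")
```

Reading the two outputs together is the point: private or bogon sources hitting the outside interface (10.1.1.5 above) are spoofed traffic and nothing on the ASA will stop them arriving, which is what Philip's reply means; a legitimate address showing up repeatedly on the inside interface usually means the ASA has no route back to it via that interface, so that is where to check the routing, as Aditya suggests.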