ASAv Deny IP Spoof VPN Peers

Arild Amundsen
Level 1

Hi,

Ran into a problem during an upgrade of an ASAv 30 today.
The firewall runs on an ESXi server on version 9.15.1 with E1000 interfaces.
There are 4 site-to-site VPNs configured, two route-based and two IPsec with crypto maps.
The firewall is also terminating AnyConnect connections.

Due to some issues with performance we decided to upgrade the firewall to version 9.18.2 and to VMXNET3 interfaces. Set up a new firewall "beside" the old one and copied the config.
Everything looks exactly the same; checked multiple times to ensure it's identical.
The only errors during setup were with the trustpoints, which were recreated.

When we activate the new firewall, all of the VPN peers get a Deny IP Spoof, so no connection is established.
AnyConnect connections get denied.
No other issues; all of the other traffic works as it should.

Error: Deny IP spoof from (Peer IP) to <ASA Outside int IP> on interface outside

Have tried to disable anti-spoofing for the interface.
No routing issues; the only routes missing from the table are the VPN routes.
No NAT issues, only 6 statements besides the PAT rules (3).
Have tried to move the MAC addresses in VMware.

When we activate the old firewall everything comes back online and is working.

Does anybody have any ideas what could be causing this behavior?


Same issue with a FPR-1010 in my lab with 9.18.2, it denies several services, and throws this into the log:
106016: Deny IP spoof from (x.x.x.x) to y.y.y.y on interface outside.
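A small triage helper for the log line quoted above, added here as an example rather than code from the thread or from Cisco: it parses ASA message 106016 ("Deny IP spoof from (src) to dst on interface ifname"), counts denials per interface and source, and flags any denied source that is in the list of configured VPN peer addresses. The log lines and peer addresses below are constructed sample data using documentation address ranges; the `%ASA-2-` severity prefix is the normal syslog form, and the regex also accepts the bare `106016:` form shown in the reply.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# ASA syslog 106016 as shown in the thread, with or without the "%ASA-<sev>-" prefix.
# A trailing period (as in the reply's quoted line) is tolerated.
SPOOF_RE = re.compile(
    r"(?:%ASA-\d-)?106016:\s*Deny IP spoof from \((?P<src>[0-9A-Fa-f:.]+)\)"
    r" to (?P<dst>[0-9A-Fa-f:.]+) on interface (?P<iface>\S+?)\.?$"
)


class SpoofDeny(NamedTuple):
    src: str
    dst: str
    iface: str


def parse_spoof_line(line: str) -> Optional[SpoofDeny]:
    """Return the parsed 106016 event, or None if the line is some other message."""
    m = SPOOF_RE.search(line.strip())
    if not m:
        return None
    return SpoofDeny(m.group("src"), m.group("dst"), m.group("iface"))


def summarize(lines: Iterable[str], vpn_peers: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count spoof denials per (interface, source) and separately per known VPN peer.

    A VPN peer showing up here means the ASA dropped the peer's IKE/ESP packets
    before any tunnel could form, which matches the symptom described in the thread.
    """
    peers = {ipaddress.ip_address(p) for p in vpn_peers}
    per_source: Counter = Counter()
    peer_hits: Counter = Counter()
    for line in lines:
        ev = parse_spoof_line(line)
        if ev is None:
            continue
        per_source[(ev.iface, ev.src)] += 1
        if ipaddress.ip_address(ev.src) in peers:
            peer_hits[ev.src] += 1
    return per_source, peer_hits


def denied_peers(lines: Iterable[str], vpn_peers: Iterable[str]) -> List[str]:
    """Sorted list of configured VPN peers that were hit by a spoof denial."""
    _, peer_hits = summarize(lines, vpn_peers)
    return sorted(peer_hits)


# Constructed sample log (documentation ranges: 198.51.100.10 is the outside
# interface, 203.0.113.x are the remote VPN peers). Not real customer data.
SAMPLE_LOG = [
    "%ASA-2-106016: Deny IP spoof from (203.0.113.5) to 198.51.100.10 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (203.0.113.5) to 198.51.100.10 on interface outside",
    "%ASA-2-106016: Deny IP spoof from (203.0.113.9) to 198.51.100.10 on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 17 for outside:192.0.2.7/443 (192.0.2.7/443)",
    "106016: Deny IP spoof from (10.20.0.4) to 10.20.0.1 on interface inside.",
]

# Constructed list of the site-to-site peer addresses from the (hypothetical) config.
VPN_PEERS = ["203.0.113.5", "203.0.113.9"]

if __name__ == "__main__":
    per_source, peer_hits = summarize(SAMPLE_LOG, VPN_PEERS)
    for (iface, src), n in sorted(per_source.items()):
        print(f"{iface:8} {src:16} {n} denial(s)")
    print("VPN peers denied:", denied_peers(SAMPLE_LOG, VPN_PEERS))
```

Feed it the output of `show logging` or a syslog export; every configured peer that appears in the "VPN peers denied" list is one whose traffic the ASA rejected at the outside interface, so the comparison between the old and new firewall can focus on how each one sees those source addresses rather than on the tunnel configuration itself.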

Arild Amundsen
Level 1

I ended up with a new setup on version 9.16.3. No issues at all.
A little early for 9.18.2 in production, so going to use 9.16.3 for now.