Deny udp reverse path check

pannick · ‎05-10-2006

I am a lot of of Deny udp reverse path check messages on my PIX from multiple IP sources to 255.255.255.255 on interface outside. I can not figure out what is causing it and how find more info.

Any tips, help or info would greatly be appreicated.

Thanks

jp

federico_caminos · ‎05-10-2006

Hello Joel

A tip , maybe you can enable syslog messages and chek the system log messages

go to configuration mode (I assume you already did this)

! go into config mode

conf term

!see if you are alerady logging

sh logging

!set logg to monitor everything

logg monitor 6

! or set logg to console

logg console 6

!then enable messages to telnet or ssh

terminal monitor

!start logging

logg on

!to stop logging

no logg on

Post messages or search them at

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guides_list.html

there you will find the Error and System Messages Guides for every version available by message number

Hope this helps

pannick · ‎05-10-2006

Thanks for the info but I am already logging to a kiwi syslog server my error code is PIX-1-106021 by that .pdf that you mention my fear is right I am getting spoofed, or an attempt.

What I need to know it I see this with 6 or 7 different IP address. Are they all being spoofed or do I have one source doing it? How the heck do I tell the actual source of this? Each machine is an aactual IP in my subnet range, a couple or servers and a couple are workstations.

I am running ip verify reverse-path on each interface, hence why the packet is getting dropped.

I just want to find the source or sources and stop it.

Thanks again

pannick · ‎06-06-2006

Believe it or not I finally found it. We have a Trend virus wall that is causing it. It has something to do with the external port. I am trying to figure it out after finally tracking it down.