ShawnGray
ShawnGray

asked on

ASA 5505 - Severity 1: An attack is in progress

I'm getting a lot of severity 1 - attack in progress on my ASA 5505:
Deny TCP reverse path check from xx.xx.xx.xx (external ip) to outside interface

I'm new to these logs; severity 1 seems serious.
Are these common? Should I be concerned, or is the ASA just doing its job and telling me about it?

Any suggestions or input would be appreciated.
harbor235

Sounds like someone is directing spoofed traffic at your device; you have unicast reverse-path forwarding on and your device is dropping the traffic. Unfortunately this is too common today, but it sounds like someone is attacking and your configuration is working to stop this unwanted traffic. How much traffic is it?

Does the ASA add a SHUN for the attacking sources?

harbor235 ;}
btan

You can verify what is contributing to this message with "ip verify reverse-path interface ....". The message is supposed to alert that the stated interface received a packet with a source address matching a known inside network address. The intent is to verify that the source address is not spoofed, and likely there is some config issue. You may want to look at these, which talk about uRPF and the symptoms that trigger it:
an incoming packet on that specific interface sourced from an address that does not exist in the routing table, or exists but with an exit path toward an interface other than the one on which it arrives
or
In your case you have the "ip verify reverse-path interface outside" and "ip verify reverse-path interface Inside" feature enabled on both the outside and inside interfaces, so what happens is: when an incoming packet arrives at the outside and/or inside interface it is subject to the source validity check (uRPF); if a route exists for that packet flow it is passed through, otherwise, if a route does not exist, or exists but does not match the flow, the packet is denied.
https://learningnetwork.cisco.com/thread/65566
https://supportforums.cisco.com/discussion/11678641/deny-tcpicmp-reverse-path-check-interface-inside
ShawnGray

ASKER

Harbor235 - We had some malicious stuff on the inside of the network which was creating a shun for a couple of local machines. They're clean and I haven't seen any issues with that. I have not seen a shun since.

btan - thank you for the input; I'll dig in to these.

Interestingly, I've received a severity 2 "deny IP due to land attack from 'outfacing ip' to the same 'outfacing ip'".
How can that happen? btan, wondering if this could be related to what you are suggesting?

Thank you both,
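The two messages discussed in this thread (the severity 1 reverse path check drop and the severity 2 land attack drop) can be triaged straight from the ASA syslog feed. The script below is an added example, not code from the thread or from Cisco. It parses constructed sample lines (addresses from the RFC 5737 documentation ranges) that use the ASA message IDs 106021 (reverse path check) and 106017 (land attack), counts reverse-path drops per source and interface to answer harbor235's "how much traffic is it?" question, separates drops on the outside interface that claim an internal source (spoofing) from drops on the inside interface (routing or config problems, as btan describes), and flags land-attack packets that used the firewall's own outside address. The inside network prefix and the firewall's own address are assumed parameters; substitute your own.

```python
"""Parse Cisco ASA reverse-path-check and land-attack syslog lines and summarize them.

Added example; the log lines below are constructed, not taken from the thread.
"""
import ipaddress
import re
from collections import Counter

# %ASA-1-106021 is the reverse-path-check drop, %ASA-2-106017 the land-attack drop.
# 203.0.113.10 plays the firewall's outside address; 10.0.0.0/8 the inside network.
SAMPLE_LOG = """\
%ASA-1-106021: Deny TCP reverse path check from 198.51.100.7 to 203.0.113.10 on interface outside
%ASA-1-106021: Deny TCP reverse path check from 198.51.100.7 to 203.0.113.10 on interface outside
%ASA-1-106021: Deny UDP reverse path check from 10.0.0.99 to 203.0.113.10 on interface outside
%ASA-1-106021: Deny TCP reverse path check from 192.0.2.55 to 203.0.113.10 on interface inside
%ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/4444 (198.51.100.9/4444) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

RPF_RE = re.compile(
    r"%ASA-1-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)
LAND_RE = re.compile(
    r"%ASA-2-106017: Deny IP due to Land Attack from (?P<src>[\d.]+) to (?P<dst>[\d.]+)"
)


def parse_events(log_text):
    """Return one dict per reverse-path or land-attack drop; other messages are ignored."""
    events = []
    for line in log_text.splitlines():
        m = RPF_RE.search(line)
        if m:
            events.append({"kind": "rpf", **m.groupdict()})
            continue
        m = LAND_RE.search(line)
        if m:
            events.append({"kind": "land", **m.groupdict()})
    return events


def classify_rpf(event, inside_networks):
    """Label a uRPF drop by the interface it arrived on and whether the source claims to be internal."""
    src = ipaddress.ip_address(event["src"])
    claims_inside = any(src in net for net in inside_networks)
    if event["iface"] == "outside":
        # An internal address arriving from outside is the classic spoof uRPF is meant to catch.
        return "spoofed-internal-source" if claims_inside else "no-reverse-route-via-outside"
    # Drops on the inside interface point at routing or NAT/config problems, not external spoofing.
    return "inside-drop-route-mismatch" if claims_inside else "inside-drop-source-not-internal"


def summarize(events, inside_networks=("10.0.0.0/8",), own_addresses=()):
    """Aggregate parsed events into counts a firewall admin can act on."""
    nets = [ipaddress.ip_network(n) for n in inside_networks]
    summary = {
        "rpf_total": 0,
        "rpf_by_source": Counter(),      # (interface, source) -> count: "how much traffic is it?"
        "rpf_by_category": Counter(),
        "land_total": 0,
        "land_using_own_address": 0,     # src == dst == one of the firewall's own addresses
    }
    for e in events:
        if e["kind"] == "rpf":
            summary["rpf_total"] += 1
            summary["rpf_by_source"][(e["iface"], e["src"])] += 1
            summary["rpf_by_category"][classify_rpf(e, nets)] += 1
        else:
            summary["land_total"] += 1
            if e["src"] == e["dst"] and e["src"] in own_addresses:
                summary["land_using_own_address"] += 1
    return summary


if __name__ == "__main__":
    result = summarize(parse_events(SAMPLE_LOG), own_addresses=("203.0.113.10",))
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Feed it a real `show logging` capture or a syslog file instead of `SAMPLE_LOG`; the regexes use `search`, so timestamp and hostname prefixes added by a syslog server do not matter. A steady stream of `spoofed-internal-source` drops on the outside interface is the firewall doing its job; `inside-drop-*` categories are worth a look at the routing table and NAT rules rather than at an attacker.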
ASKER CERTIFIED SOLUTION
btan

Excellent; thank you