| Field | Value |
| --- | --- |
| Message Code | ASA-1-106021 |
| Severity | Alert |
| Description | Deny protocol reverse path check from source_address to dest_address on interface interface_name. |
| Explanation | An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your security appliance. This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the security appliance checks packets arriving from the outside. The security appliance looks up a route based on the source_address. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped. If there is a route, the security appliance checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The security appliance does not support asymmetric routing. If the security appliance is configured on an internal interface, it checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address. |
| User Action | Even though an attack is in progress, if this feature is enabled, no user action is required. The security appliance repels the attack. |
| Reference Links | |
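The Explanation above describes the strict reverse-path check as a two-step decision: look up a route for the packet's source address, then require that route to point back out the interface the packet arrived on. The following Python simulation is an added example written for this page; it is not Cisco code and does not reproduce the ASA's actual route lookup. The routing table, the packets, and the function names `lookup_route` and `reverse_path_check` are all constructed for illustration. It distinguishes the two drop causes the text names (no route at all, versus a route out of a different interface, which is either a spoof or asymmetric routing) and emits the message text in the format shown in the Description row.

```python
import ipaddress

# Constructed routing table for the simulation (not from the page):
# (prefix, interface the route points out of). The default route lives on
# "outside", as it would on a typical edge deployment, so every Internet
# source has a route; only more-specific internal prefixes map elsewhere.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("10.20.0.0/16", "dmz"),
]

MSG_ID = "%ASA-1-106021"  # standard syslog prefix for this message code


def lookup_route(table, addr):
    """Longest-prefix match of addr against table.

    Returns the egress interface of the best route, or None when no route
    (not even a default) covers the address.
    """
    ip = ipaddress.ip_address(addr)
    best_iface, best_len = None, -1
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def reverse_path_check(table, proto, src, dst, in_iface):
    """Strict unicast RPF as the Explanation describes it.

    The route for the *source* address must exist and must point back out
    the interface the packet arrived on. Returns a (verdict, message) tuple:
    verdict is "pass", "no_route" or "wrong_interface"; message is the
    106021 syslog text on a drop, else None. A "wrong_interface" verdict is
    exactly the case the page flags as spoof-or-asymmetric-routing.
    """
    route_iface = lookup_route(table, src)
    if route_iface == in_iface:
        return "pass", None
    verdict = "no_route" if route_iface is None else "wrong_interface"
    msg = (f"{MSG_ID}: Deny {proto} reverse path check from {src} "
           f"to {dst} on interface {in_iface}")
    return verdict, msg


if __name__ == "__main__":
    # Constructed packets: (proto, src, dst, ingress interface)
    packets = [
        ("tcp", "203.0.113.7", "10.1.1.10", "outside"),   # legitimate inbound
        ("tcp", "10.20.1.5", "198.51.100.1", "outside"),  # internal address from outside: spoof
        ("udp", "10.1.1.10", "203.0.113.7", "inside"),    # legitimate outbound
        ("udp", "10.20.1.5", "203.0.113.7", "inside"),    # route says dmz: spoof or asymmetric path
    ]
    for pkt in packets:
        verdict, msg = reverse_path_check(ROUTES, *pkt)
        print(verdict, msg or "")
```

Because a default route covers every address, the "no_route" verdict only arises on a table without one, which matches the text's remark that the no-route case is typically seen on internal interfaces where only static or RIP routes exist. The fourth packet is the one to watch in practice: a burst of "wrong_interface" drops for a single legitimate internal prefix usually indicates an asymmetric routing change rather than an attacker, and the routing should be fixed before the feature is disabled.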