%ASA-2-106017 Deny IP due to Land Attack errors

I recently had excessive Land Attack errors in the logs of an ASA. The land attack was from the public (PAT) IP address of the ASA back to itself.

%PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address

After a bit of troubleshooting using Splunk I found UDP deny errors between two hosts at the exact same second(s) when the Land Attack errors appeared. The UDP session in question was from an internal guest WiFi IP to an Apple server. It appears that this issue is quite common and talked about much online, which led me to this article regarding AppleTalk, iMessage etc.:

https://discussions.apple.com/thread/3995672
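Added example (not from the original post): the same correlation as the Splunk search described above, done in Python over a handful of constructed ASA syslog lines. The host name fw01, the interface names guest and outside, the addresses (203.0.113.10 as the PAT public IP, 10.10.20.0/24 as the guest range, 198.51.100.25 standing in for the Apple server) and the function names are all made up for the example; the message formats follow the documented 106017 and 106023 syslog layouts.

```python
import re
from collections import defaultdict

# Constructed sample of ASA syslog lines (made up for this example; not from
# the original post). 203.0.113.10 stands in for the ASA's PAT public IP,
# 10.10.20.0/24 for the guest WiFi range and 198.51.100.25 for the Apple server.
SAMPLE_LOG = """\
Jan 12 10:15:03 fw01 %ASA-4-106023: Deny udp src guest:10.10.20.57/16402 dst outside:198.51.100.25/16402 by access-group "guest_out" [0x0, 0x0]
Jan 12 10:15:03 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Jan 12 10:15:04 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.25/5223 (198.51.100.25/5223) to guest:10.10.20.57/49876 (203.0.113.10/1025)
Jan 12 10:15:09 fw01 %ASA-4-106023: Deny udp src guest:10.10.20.81/16403 dst outside:198.51.100.25/16403 by access-group "guest_out" [0x0, 0x0]
Jan 12 10:15:09 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Jan 12 10:15:30 fw01 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
"""

# syslog header: timestamp, host, %ASA-<severity>-<message id>: <text>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)
LAND_RE = re.compile(r"Deny IP due to Land Attack from (?P<src>\S+) to (?P<dst>\S+)")
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/\d+"
)


def parse_line(line):
    """Split one syslog line into timestamp, severity, message id and body."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate_land_attacks(log_text, pat_ip):
    """For every second in which a 106017 fired, report whether the land
    attack was the PAT address talking to itself and which 106023 denies
    were logged in that same second (the Splunk search from the post)."""
    by_second = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_second[ev["ts"]].append(ev)

    findings = []
    for ts, events in by_second.items():   # insertion order == log order
        land = []
        for e in events:
            if e["msgid"] == "106017":
                m = LAND_RE.search(e["text"])
                if m:
                    land.append(m.groupdict())
        if not land:
            continue
        related = []
        for e in events:
            if e["msgid"] == "106023":
                d = DENY_RE.search(e["text"])
                if d:
                    related.append(d.groupdict())
        findings.append({
            "time": ts,
            "self_directed": all(l["src"] == l["dst"] == pat_ip for l in land),
            "related": related,
        })
    return findings


def udp_sources(findings):
    """Guest hosts whose denied UDP coincided with a land-attack message:
    the addresses worth pulling a packet capture for."""
    return {r["src"] for f in findings for r in f["related"] if r["proto"] == "udp"}


if __name__ == "__main__":
    hits = correlate_land_attacks(SAMPLE_LOG, "203.0.113.10")
    for h in hits:
        print(h["time"], "self-directed" if h["self_directed"] else "other", h["related"])
    print("suspect guest hosts:", sorted(udp_sources(hits)))
```

Seconds with a land-attack message but no coinciding deny (the 10:15:30 entry in the sample) are kept in the output on purpose: they are the cases the UDP explanation does not cover and are worth looking at separately.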

After reading the article, the solution was to add an access list that drops UDP from the private guest range to the ASA's own PAT public IP. A land attack, by definition, is a packet whose source and destination addresses are the same; guest traffic aimed at the firewall's public address becomes exactly that once PAT rewrites its source, so dropping it on the guest side before translation removes the trigger.

access-list guest_out line 1 extended deny udp GUEST_NET GUEST_MASK host PAT_PUBLIC_IP

Here GUEST_NET/GUEST_MASK and PAT_PUBLIC_IP stand in for the guest subnet and the ASA's public PAT address. The entry goes in as line 1 so that it sits above any permit that would otherwise match first, the udp keyword limits the deny to UDP as described above, and the access list only takes effect once it is applied inbound on the guest interface with an access-group statement.

A check of the logs shows no more land errors since the access list was applied – problem solved!

 

What does the error “IDS_ACCESS_FORBIDDEN” mean?

Environment: Cisco Web Security Appliance (WSA), AsyncOS version 6.0 and later, data filters enabled

Symptoms: Users cannot upload files or documents to a web site and receive this error message. The message is also seen while logging in to certain web sites, since the login form is submitted as an HTTP POST and the proxy treats that request body as an upload.

AsyncOS 6.0 and later provide Cisco Data Security (IDS) filters. The IDS feature blocks file uploads to web sites based on the site's Web-Based Reputation Score (WBRS), its URL category, or the size of the upload.

The notification message IDS_ACCESS_FORBIDDEN indicates that a file upload or access was blocked, based on the Data Security policy configuration.

Further, the BLOCK-WEBCAT code in the same log entry indicates that the decision came from a URL category configured to Block in the Data Security policy under:
GUI -> Web Security Manager -> Cisco Data Security

You can allow access by using either of these methods:
Monitor access in IDS policies

  1. Under GUI -> Web Security Manager -> Cisco Data Security
  2. Configure the particular URL category to Monitor
  3. Submit and Commit the changes

Allow access using a custom URL category

  1. Under GUI -> Web Security Manager -> Custom URL Categories
  2. Create a custom URL category for the web site (include both the bare domain and the dotted form, e.g. example.com and .example.com, so that the host itself and its subdomains are both matched)
  3. Under GUI -> Web Security Manager -> Cisco Data Security
  4. Configure the above custom URL category to Monitor
  5. Submit and Commit the changes
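Added example (not from the page or from Cisco): a small Python model of the assumption behind the custom-category step, namely that an entry without a leading dot matches that exact host while an entry with a leading dot matches its subdomains. It is used here to list which hosts a category still leaves uncovered, which is the reason both forms are entered. The function names are made up, and the real matching rules of the appliance should be confirmed against the AsyncOS user guide for the version in use.

```python
# Hypothetical model of custom URL category matching on the WSA, written to
# show why both "example.com" and ".example.com" are entered. This is an
# illustration of the assumed rule, not Cisco's matching code.


def entry_matches(entry, host):
    """Assumed rule: a leading dot matches any subdomain of the entry; an
    entry without a leading dot matches that exact hostname only."""
    entry = entry.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if entry.startswith("."):
        # ".example.com" matches "a.example.com" but not "example.com"
        # and not the look-alike "notexample.com"
        return host.endswith(entry)
    return host == entry


def category_matches(entries, host):
    """True if any entry of the custom category matches the request host."""
    return any(entry_matches(e, host) for e in entries)


def hosts_not_covered(entries, hosts):
    """Hosts that would still fall through to the blocking policy."""
    return [h for h in hosts if not category_matches(entries, h)]


if __name__ == "__main__":
    seen = ["example.com", "upload.example.com", "www.example.com", "notexample.com"]
    print("dotted only :", hosts_not_covered([".example.com"], seen))
    print("both forms  :", hosts_not_covered(["example.com", ".example.com"], seen))
```

With only the dotted entry the bare host example.com is left uncovered and uploads to it keep hitting IDS_ACCESS_FORBIDDEN; with both entries only unrelated look-alike hosts remain outside the category, which is what you want.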

Please note:
On AsyncOS versions 6.3 and later, the web site could also have been categorized by the Dynamic Content Analysis (DCA) engine rather than by the static URL category database, in which case the category that triggered the block may not be the one you expect. To verify this, check whether DCA is enabled under GUI -> Security services -> Acceptable Use Controls.