Cisco Bug: CSCsz10924 - Management port in promiscuous mode processes packets not destined to it

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases


Description (partial)

Two ASAs in a failover pair may get stuck in a logging loop, causing
high CPU and failover instability, if the conditions listed below are met.
When this occurs, the ASAs repeatedly generate the following syslog messages:

  ASA-2-106016 - Deny IP spoof from (<IP_A>) to <IP_B> on interface <intf>
  ASA-4-418001 - Through-the-device packet to/from management-only network is denied:

This defect, along with CSCsz02807, was filed to resolve this issue. For
this specific defect, the Management interface is in promiscuous mode when
it should not be; this defect corrects that.

1) Two ASAs in Failover
2) Logging standby must be enabled
3) The ASAs must be connected to a Layer 2 switch
4) The switch must not have a CAM entry for the destination MAC of the syslog packets (next hop MAC)
5) Logging to a syslog server must be configured at level 5 (Notification) or higher
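
The symptom a practitioner actually sees is a burst of 106016 and 418001 messages from the same ASA many times per second, all with the same source/destination pair (the syslog traffic the switch is flooding). The following detector is an added example written for this page, not code from Cisco or from the bug record: it parses a constructed sample of ASA syslog lines (hostnames, addresses and the "timestamp host %ASA-sev-id: text" line shape are assumptions, not taken from the bug) and flags any device whose rate of these two message IDs exceeds a per-second threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Header shape assumed for this example: "Mon DD YYYY HH:MM:SS host %ASA-<sev>-<id>: <text>".
# Real collectors vary in how they store the timestamp and hostname; adjust LINE_RE to match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<body>.*)$"
)
# Body of 106016 as shown in the bug description; captures the pair that repeats in a loop.
SPOOF_RE = re.compile(
    r"Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<intf>\S+)"
)
# The two message IDs the bug description says are looped.
LOOP_IDS = {"106016", "418001"}


def parse_line(line):
    """Return a dict of header fields (ts as datetime) or None if the line is not ASA syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    return rec


def detect_loop(lines, window_s=1, threshold=20):
    """Count 106016/418001 per (host, msgid) per time window.

    Returns {(host, msgid): peak_count} for every pair whose peak count in any
    single window reached `threshold`. A healthy ASA logs these sporadically;
    a looping standby emits them continuously, so the per-second peak separates them.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msgid"] not in LOOP_IDS:
            continue
        bucket = int(rec["ts"].timestamp()) // window_s
        counts[(rec["host"], rec["msgid"], bucket)] += 1
    peaks = defaultdict(int)
    for (host, msgid, _bucket), n in counts.items():
        peaks[(host, msgid)] = max(peaks[(host, msgid)], n)
    return {k: v for k, v in peaks.items() if v >= threshold}


def spoof_pairs(lines):
    """Return the set of (host, src, dst, intf) tuples seen in 106016 messages.

    In the loop described above the pair is the same on every message (the syslog
    traffic being flooded by the switch), so a single repeating tuple on the
    management-only interface is a strong sign of this defect rather than real spoofing.
    """
    pairs = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msgid"] != "106016":
            continue
        m = SPOOF_RE.search(rec["body"])
        if m:
            pairs.add((rec["host"], m["src"], m["dst"], m["intf"]))
    return pairs


def _sample_lines():
    """Constructed sample log for this example (not a capture from the bug report):
    a standby ASA looping both messages 25 times in one second, plus a primary
    ASA that logs normally."""
    lines = []
    for _ in range(25):
        lines.append(
            "Nov 08 2016 10:00:00 asa-standby %ASA-2-106016: Deny IP spoof from "
            "(192.0.2.10) to 192.0.2.20 on interface management"
        )
        lines.append(
            "Nov 08 2016 10:00:00 asa-standby %ASA-4-418001: Through-the-device packet "
            "to/from management-only network is denied: udp src inside:192.0.2.10/514 "
            "dst management:192.0.2.20/514"
        )
    lines.append(
        "Nov 08 2016 10:00:00 asa-primary %ASA-6-302013: Built inbound TCP connection "
        "1234 for outside:198.51.100.7/40000 to inside:192.0.2.30/443"
    )
    lines.append(
        "Nov 08 2016 10:00:01 asa-primary %ASA-2-106016: Deny IP spoof from "
        "(198.51.100.7) to 192.0.2.1 on interface outside"
    )
    return lines


SAMPLE_LINES = _sample_lines()

if __name__ == "__main__":
    for (host, msgid), peak in sorted(detect_loop(SAMPLE_LINES).items()):
        print(f"{host}: {msgid} peaked at {peak}/s (possible failover logging loop)")
    for host, src, dst, intf in sorted(spoof_pairs(SAMPLE_LINES)):
        print(f"{host}: spoof denies from {src} to {dst} on {intf}")
```

Run against a real export, lower or raise `threshold` to the normal background rate of 106016 on your network; the point of the check is the sustained per-second burst from one device, combined with an unchanging source/destination pair on the management interface, which ordinary spoof attempts rarely produce.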