IP Spoofing Errors Triggered by BOVPN VIF Traffic

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

An IP spoofing error is a security event in which a firewall rejects a packet because the source IP address does not align with the interface or path the firewall expects. The Firebox drops traffic and logs IP spoofing errors when BOVPN Virtual Interface (VIF) traffic arrives on an interface other than the one the Firebox expects. This issue can occur when the configuration does not have enough VIF virtual IP addresses or uses incorrect routing. Every routed network must map to the VIF interface.

Symptoms

An IP spoofing error typically presents these symptoms:

  • The Firebox drops traffic that enters or exits a BOVPN VIF.
  • Firebox logs show Deny … ip spoofing messages.
  • The BOVPN tunnel shows an established status, but traffic does not pass through the tunnel successfully.

Diagnostic Steps

From the Firebox:

  • Review traffic and deny logs for IP spoofing messages. Example:
    Deny <protocol> <source IP> <destination IP> ip spoofing attack
  • Identify the source and destination IP addresses of the dropped packets.
  • Make sure the BOVPN is route-based, not policy-based.
  • Verify that each tunnel endpoint includes configured VIF virtual IP addresses.
  • Review the routing table to confirm that routes point to the correct VIF interface.
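The three diagnostic steps above (find the spoofing denies, extract the source and destination addresses, compare the source network against the routing table) can be scripted for triage. The following is an added example, not WatchGuard code: the regex matches only the `Deny <protocol> <source IP> <destination IP> ip spoofing attack` shape quoted above, the sample log lines and the routing table are constructed, and the interface names `bovpn.1`, `eth0` and `eth1` are hypothetical.

```python
import ipaddress
import re

# Core of the log line quoted in the article (a real line has extra fields
# in front, so we search rather than match from the start):
#   Deny <protocol> <source IP> <destination IP> ip spoofing attack
SPOOF_RE = re.compile(
    r"Deny\s+(?P<proto>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+ip spoofing attack"
)

def parse_spoof_events(log_text):
    """Return one (protocol, source, destination) tuple per spoofing deny."""
    events = []
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            events.append((m.group("proto"), m.group("src"), m.group("dst")))
    return events

def lookup_route(ip, routes):
    """Longest-prefix match of ip against a list of (network, interface)."""
    addr, best = ipaddress.ip_address(ip), None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best

def triage(events, routes, vif_iface):
    """Map each dropped source IP to the routing check it fails (or passes)."""
    results = {}
    for _proto, src, _dst in events:
        hit = lookup_route(src, routes)
        if hit is None:
            results[src] = "no route: add a route via " + vif_iface
        elif hit[1] != vif_iface:
            results[src] = "routed via %s, expected %s: fix the route" % (hit[1], vif_iface)
        else:
            results[src] = "route is correct: check VIF virtual IP addresses"
    return results

# Constructed sample data, not real Firebox output. ROUTES puts 10.20.0.0/16 on
# the VIF, sends 10.30.0.0/16 out eth0 and has no entry for 172.16.9.0/24.
SAMPLE_LOG = """\
2024-05-01 09:12:01 Deny tcp 10.20.5.17 192.168.1.10 ip spoofing attack
2024-05-01 09:12:02 Deny udp 172.16.9.4 192.168.1.20 ip spoofing attack
2024-05-01 09:12:03 Deny icmp 10.30.1.8 192.168.1.30 ip spoofing attack
"""
ROUTES = [("192.168.1.0/24", "eth1"), ("10.20.0.0/16", "bovpn.1"), ("10.30.0.0/16", "eth0")]
```

Run `triage(parse_spoof_events(SAMPLE_LOG), ROUTES, "bovpn.1")` against a routing table exported from your own Firebox to see, per source address, whether the remote network is missing a route, routed to the wrong interface, or correctly routed (in which case the VIF virtual IP addresses are the next thing to check).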

Possible Causes and Solutions

Possible cause: Insufficient VIF virtual IP addresses.

Solution: Configure enough VIF virtual IP addresses on both sides of the BOVPN tunnel so the Firebox can associate traffic with the correct interface. For more information, go to:

  • Locally-Managed: Configure BOVPN Virtual Interface IP Addresses
  • Cloud-Managed: Configure a BOVPN to a Locally-Managed Firebox or Third-Party VPN Endpoint

Possible cause: Incorrect or unexpected routing.

Solution: Correct static or dynamic routes so the Firebox sends traffic destined for remote networks through the BOVPN VIF interface. For more information, go to:

  • Locally-Managed: Configure BOVPN Virtual Interface IP Addresses
  • Cloud-Managed: Manage BOVPNs for Cloud-Managed Fireboxes

Possible cause: Dropped packets.

Solution: Review traffic and identify the source and destination IP addresses of the dropped packets. For more information, go to:

  • Locally-Managed: Traffic Monitor
  • Cloud-Managed: Monitor Traffic on Fireboxes and FireClusters

Related Topics

Manual Branch Office VPN Tunnels