How can I resolve drop code "IP Spoof"?

12/20/2019 960 People found this article helpful 495,102 Views

Description

This article provides troubleshooting steps to resolve packets being dropped on the SonicWall firewall due to drop code "IP Spoof".

Cause

A common cause could be a loop in the physical configuration of the SonicWall and the devices connected to it. IP Spoof drops are caused when the SonicWall sees an IP address on one network segment that, as per firewall configuration, it believes the traffic belongs to a different network segment. Also, it can be caused by a discrepancy on SonicWall ARP table information and the MAC address of the packet arriving, among other causes.

Resolution

Check the following configurations if the packets are dropped due to "IP Spoof".

Check if the packets are arriving on the correct port. If packets are arriving on the wrong port of firewall, check the configurations on upstream/downstream switch.
SonicWall with VLAN configuration: Packet that should be arriving on x0:v20 with the VLAN tag 20 would arrive on x0 interface without the tag. As SonicWall knows that it should expect traffic to arrive on x0:v20 and not on x0 port, it will drop the packet.
If the packets are arriving on the correct port and still getting dropped due to IP Spoof, then check if SonicWall has a route to reach that IP address. Usually seen when the firewall does not have a route to reach the internal networks that are not directly connected to the SonicWall.
IP Spoof drop can also occur due to incorrect ARP information on firewall. Check if the ARP table (Manage | Network | ARP) has an ARP entry associated to the appropriate interface.
Check if multiple network interfaces are configured on the client machine.

For more information, check out: IPSpoof dropped messages in the SonicWall Log

NOTE: Drop code numbers may change based on the firmware version, however, the drop code message (description) remains the same.