topic How to clear a flow on Cisco ASA? in Network Security

How to clear a flow on Cisco ASA?

jilse-iph — Tue, 12 Mar 2019 09:19:06 GMT

I have an interface with an access-list bound to that interface as "in" ACL with the following line as first line of the ACL:

access-list from-mpls line 1 extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog

But with packet-tracer, i see the following:

packet-tracer input versatel-mpls udp 10.255.9.2 514 10.255.7.2 514 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 2606510442, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: allow

How can i get rid of that existing flow, that leads here to allowing the packet even if the access-list denies it? The firmware of the ASA is 9.2.4(10).

I know, i can get rid of that flow with rebooting the asa, but isn't there another possibility (the ASA is in production, so i can't just reboot at any time)?

I believe this should do it:

Marvin Rhoads — Thu, 04 May 2017 14:19:07 GMT

I believe this should do it:

clear conn protocol udp address 10.255.9.2 address 10.255.7.2

After the "clear conn"

jilse-iph — Fri, 05 May 2017 07:45:32 GMT

After the "clear conn" command, the connection doesn't show up anymore, but the packet-tracer output still generates Phase 1 with "FLOW-LOOKUP" and a found flow. So that command deletes the connection from the connection table, but not the flow record from the flow-cache. Maybe it is a bug in firmware 9.2.4(10), but the questions remains: how can i get rid of that flow?

I tried the "clear conn" already before i asked that question. I currently implemented a workaround with nat on several machines to make syslog traffic from one ASA not matching this flow anymore ...

That's an odd one - I've not

Marvin Rhoads — Fri, 05 May 2017 09:35:53 GMT

That's an odd one - I've not seen it happen before that "clear conn" doesn't clear the flow.

Does a packet capture show the traffic actively flowing?

No. The ASA is located at our

jilse-iph — Fri, 05 May 2017 10:29:36 GMT

No. The ASA is located at our customer, and i have no direct access to that network.

But syslog messages reach our syslog server with the workaround (doing nat on several ASAs, so the traffic doesn't match that flow anymore), but that traffic doesn't reach our syslog server without that workaround (there is no ACL blocking that traffic). Seems, that i have tol ive with that workaround for the next time ...

hi,

johnlloyd_13 — Fri, 05 May 2017 12:04:25 GMT

hi,

try clear local-host <IP ADD>

Unfortunately this did also

jilse-iph — Fri, 05 May 2017 13:02:27 GMT

Unfortunately this did also not work. But i have a workaround (the nat configuration), so it is not so important anymore. Thanks for your help.

Re: I believe this should do it:

pro_engineering — Fri, 28 Sep 2018 20:14:42 GMT

This worked for me. I was having the same issue as traffic was already on wire before i have created rule and after adding Block rule for the same traffic - snort verdict is allow. With the help of this command now its blocking the traffic.

Thanks Marvin!!