topic The direct syslog on the ASA in Network Security

ASA TCP connection drop

saifuddin.miyaji — Tue, 12 Mar 2019 08:16:36 GMT

Hi,

We have been investigating the 'connection drops' for some critical Internet bound applications from quit a while now. During the investigation, we have seen some weird error messages on the CISCO ASA 5525. It continuously generates the "connection timed out, Removing rule" log messages in the syslog. We could see that the IPs of the applications under investigation also fall in these syslog messages.

Initially, we suspected the TCP timeouts, so we increased the tcp timeouts for certain IPs to '0', so that it never times out. But still the timeout messages for the same IPs are visible very frequently in the syslog messages.

Please have a look at the attached log and advise.

ASA 5525, Version 9.5(1)

Saif

The direct syslog on the ASA

saifuddin.miyaji — Sun, 18 Sep 2016 13:37:25 GMT

The direct syslog on the ASA has the syslog ID as follows:

Error Message %ASA-5-338303: Address ipaddr (name) timed out, Removing rule

Explanation: An IP address that was discovered from the dynamic filter rule table was removed. • ipaddr—The IP address from the DNS reply • name—The domain name Recommended Action None required.

Could someone explain more on this??

Hi Saifuddin,

Aditya Ganjoo — Fri, 23 Sep 2016 15:05:40 GMT

Hi Saifuddin,

By any means are we using any botnet filtering on the ASA ?

If yes could you share the related config ?

Also check your DNS config on the ASA as DNS failures can cause the inability of the botnet filter to verify the DNS snooping data causing the ASA to drop traffic.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

saifuddin.miyaji — Sat, 24 Sep 2016 18:02:39 GMT

Hi Aditya,

Yes, you are correct. We are doing BOTNET filtering and DHCP Snooping. We are suspecting that the dhcp snooping is causing this whole menace. Do you know of any way to filter some specific domains from snooping?

Saif

Hi Saif,

Aditya Ganjoo — Sun, 25 Sep 2016 00:03:22 GMT

Hi Saif,

You can add those domains to the Whitelist manually using the following command:

https://supportforums.cisco.com/document/33011/asa-botnet-configuration#Never_block_addresses:

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

saifuddin.miyaji — Tue, 27 Sep 2016 05:38:49 GMT

Hi Aditya,

1. For the command

#dynamic-filter whitelist

#name <>

what are the options for the <>? Can we use regular expressions here to specify all the subdomains of a parent domain? e.g. for msn.com and all its associated sub domains, can we use expression like "*.msn.com"?

2. After whitelisting some of the domains, I see some weird type of syslog messages:

First it times out the whiltelisted domain as if it was not -

Address 74.109.89.93 (otp.actnet.com) timed out. Removing rule

then, after a few minutes, we receive the following message on the syslog:

Address 74.109.89.93 discovered for domain otp.actnet.com from whitelist. Adding rule

Please advise

Saif