topic Возможно лог на ASA хоть in Network Security

ASA 5525-X problems

deadlove1992 — Tue, 12 Mar 2019 07:19:04 GMT

Добрый день столкнулся с проблемой при настройке BGP на ASA 5525-x, суть проблемы в том что спустя некоторые время она начинает дропать некоторые сайты к примеру fs.to, gismeteo.ua и перестает грузиться видео на youtube, ставлю mtu меньше некоторое время сайты эти работают потом перестают, отправлял пакет http через ASA PT, то он проходит, куда смотреть я не знаю, кто сталкивался с такой проблемой, нужна помощь(версии все перепробовал не помогло)?
пример конфига вот:

ASA Version 9.5(1)
!
hostname RouterBGP
domain-name domain.net
names
!
interface GigabitEthernet0/0
flowcontrol send on
nameif prov1
security-level 0
ip address 10.1.10.3 255.255.255.248
!
interface GigabitEthernet0/1
flowcontrol send on
nameif prov2
security-level 0
ip address 198.168.20.5 255.255.255.248
!
interface GigabitEthernet0/2
flowcontrol send on
nameif dmz
security-level 0
ip address 10.11.29.1 255.255.255.0
!
interface GigabitEthernet0/3
flowcontrol send on
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address a.b.c.d a.b.c.d
!
boot config disk0:/admin.cfg
ftp mode passive
dns server-group DefaultDNS
domain-name domain.net
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging host management a.b.c.d
mtu prov1 1500
mtu prov2 1500
mtu dmz 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
prefix-list Anons seq 5 permit 10.11.29.0/24
!
prefix-list default seq 5 permit 0.0.0.0/0
!
bgp-community new-format
!
route-map Uran-output permit 100
match ip address prefix-list Anons
!
route-map Ukrcom-output permit 100
match ip address prefix-list Anons
set as-path prepend 197000 197000 197000 197000 197000
set community 21000:20005 21000:30005 21000:40005
!
route-map Default permit 100
match ip address prefix-list default
!
router bgp 197000
bgp log-neighbor-changes
bgp bestpath compare-routerid
no bgp enforce-first-as
bgp router-id 10.11.29.1
address-family ipv4 unicast
neighbor 198.168.20.6 remote-as 21000
neighbor 198.168.20.6 description Ukrcom
neighbor 198.168.20.6 activate
neighbor 198.168.20.6 send-community
neighbor 198.168.20.6 next-hop-self
neighbor 198.168.20.6 weight 200
neighbor 198.168.20.6 route-map Default in
neighbor 198.168.20.6 route-map Ukrcom-output out
neighbor 10.1.10.2 remote-as 12000
neighbor 10.1.10.2 description Uran
neighbor 10.1.10.2 activate
neighbor 10.1.10.2 next-hop-self
neighbor 10.1.10.2 weight 500
neighbor 10.1.10.2 route-map Default in
neighbor 10.1.10.2 route-map Uran-output out
network 10.11.29.0
no auto-summary
no synchronization
exit-address-family
!
route prov1 0.0.0.0 0.0.0.0 10.1.10.2 1
route prov2 0.0.0.0 0.0.0.0 198.168.20.6 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
snmp-server group cactus v3 auth
snmp-server host management a.b.c.d community ***** udp-port 161
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh a.b.c.d a.b.c.d management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server a.b.c.d source management
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect http
!
prompt hostname context
no call-home reporting anonymou

Возможно лог на ASA хоть

vovik1233 — Wed, 17 Feb 2016 15:58:02 GMT

Возможно лог на ASA хоть немного прояснит ситуацию. А так идей нету.

packet-tracer input dmz tcp

deadlove1992 — Wed, 17 Feb 2016 17:50:05 GMT

packet-tracer input dmz tcp 10.11.29.185 http 91.226.97.14 http

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.1.10.2 using egress ifc prov1

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group Traffic global

access-list Traffic extended permit ip any4 any4

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 5433727, packet dispatched to next module

Result:

output-interface: prov1

output-status: up

output-line-status: up

Action: allow

но запись в таблице asp выглядит так

TCP dmz: 10.11.29.19/63531 prov1: 91.226.97.14/80,

flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0

а вот ее дропы

Frame drop:

Invalid TCP Length (invalid-tcp-hdr-length) 7

Invalid UDP Length (invalid-udp-length) 98

No valid adjacency (no-adjacency) 6919

No route to host (no-route) 1102

Flow is denied by configured rule (acl-drop) 1133629

First TCP packet not SYN (tcp-not-syn) 65151

Bad TCP flags (bad-tcp-flags) 89

TCP Dual open denied (tcp-dual-open) 172

TCP data send after FIN (tcp-data-past-fin) 1

TCP failed 3 way handshake (tcp-3whs-failed) 236

TCP RST/FIN out of order (tcp-rstfin-ooo) 6706

TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 50

TCP SYNACK on established conn (tcp-synack-ooo) 2

TCP packet SEQ past window (tcp-seq-past-win) 492

TCP RST/SYN in window (tcp-rst-syn-in-win) 149

Slowpath security checks failed (sp-security-failed) 754

DNS Inspect invalid packet (inspect-dns-invalid-pak) 4

DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 2107

DNS Inspect packet too long (inspect-dns-pak-too-long) 3395

DNS Inspect id not matched (inspect-dns-id-not-matched) 2026

FP L2 rule drop (l2_acl) 284

Interface is down (interface-down) 4

логи сейчас переберу последние, и выложу

вот часть логов

deadlove1992 — Wed, 17 Feb 2016 18:08:58 GMT

вот часть логов

No matching connection for ICMP error message: icmp src dmz:212.111.209.68 dst prov1:199.254.63.254 (type 3, code 3) on dmz interface. Original IP payload: udp src 199.254.63.254/53 dst 21$

Feb 10 11:31:52 192.168.100.190 %ASA-4-410001: Dropped UDP DNS request from dmz:212.111.209.21/56988 to prov1:104.192.108.120/53; packet length 858 bytes exceeds configured limit of 512 bytes

Feb 10 11:31:52 192.168.100.190 %ASA-4-410001: Dropped UDP DNS reply from dmz:212.111.209.91/53 to prov1:121.137.48.91/60256; packet length 3993 bytes exceeds configured limit of 512 bytes

Feb 10 11:31:52 192.168.100.190 %ASA-4-410001: message repeated 5 times: [ Dropped UDP DNS reply from dmz:212.111.209.91/53 to prov1:121.137.48.91/60256; packet length 3993 bytes exceeds configured limit of 512 bytes]

Feb 10 11:31:52 192.168.100.190 %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 212.111.209.21 on interface prov1

Feb 10 11:31:52 192.168.100.190 %ASA-4-209005: Discard IP fragment set with more than 24 elements: src = 212.111.209.8, dest = 91.226.97.14, proto = ICMP, id = 49892

Feb 10 11:31:53 192.168.100.190 %ASA-4-410001: Dropped UDP DNS reply from dmz:212.111.209.91/53 to prov1:121.137.48.91/16035; packet length 3993 bytes exceeds configured limit of 512 bytes

Feb 10 11:31:53 192.168.100.190 %ASA-4-410001: message repeated 13 times: [ Dropped UDP DNS reply from dmz:212.111.209.91/53 to prov1:121.137.48.91/16035; packet length 3993 bytes exceeds configured limit of 512 bytes]

Бросается в глаза запись с

vovik1233 — Wed, 17 Feb 2016 19:58:58 GMT

Бросается в глаза запись с логов:

... packet length 3993 bytes exceeds configured limit of 512 bytes

Возможно это както поможет

https://supportforums.cisco.com/discussion/10172111/dns-dropped-because-packets-big-configured-512

Спасибо, завтра переключусь

deadlove1992 — Wed, 17 Feb 2016 20:45:51 GMT

Спасибо, завтра переключусь посмотрю будут изменения или нет)))