topic ASA Troubleshooting in Network Security

ASA Troubleshooting

mahesh18 — Tue, 12 Mar 2019 02:06:21 GMT

Hi Everyone,

Found this about troubeshooting ASA connections--

ciscoasa# show perfmon

PERFMON STATS: Current Average

Xlates 0/s 0/s

Connections 2236/s 321/s

TCP Conns 2236/s 321/s

UDP Conns 0/s 0/s

URL Access 0/s 0/s

URL Server Req 0/s 0/s

TCP Fixup 0/s 0/s

TCP Intercept Established Conns 0/s 0/s

TCP Intercept Attempts 0/s 0/s

TCP Embryonic Conns Timeout 1012/s 4/s

HTTP Fixup 0/s 0/s

FTP Fixup 0/s 0/s

AAA Authen 0/s 0/s

AAA Author 0/s 0/s

AAA Account 0/s 0/s

VALID CONNS RATE in TCP INTERCEPT: Current Average

N/A 95.00%

ciscoasa# show conn

52121 in use, 52121 most used

TCP outside 17.24.101.118:26093 inside 192.168.1.111:80, idle 0:00:23, bytes 0, flags aB

TCP outside 111.76.36.109:23598 inside 192.168.1.111:80, idle 0:00:13, bytes 0, flags aB

TCP outside 24.185.110.202:32729 inside 192.168.1.111:80, idle 0:00:25, bytes 0, flags aB

TCP outside 130.203.2.204:56481 inside 192.168.1.111:80, idle 0:00:29, bytes 0, flags aB

TCP outside 39.142.106.205:18073 inside 192.168.1.111:80, idle 0:00:02, bytes 0, flags aB

TCP outside 75.27.223.63:51503 inside 192.168.1.111:80, idle 0:00:03, bytes 0, flags aB

TCP outside 121.226.213.239:18315 inside 192.168.1.111:80, idle 0:00:04, bytes 0, flags aB

What seems to be the cause of this attack and the intermittent access to the web server?

Regards

Mahesh

Re: ASA Troubleshooting

Jouni Forss — Tue, 02 Jul 2013 21:15:21 GMT

Hi Mahesh,

This would seem like a SYN flood judging by the output.

The few connections shown in the "show conn" output are all at the same state. And basically the ASA has seen a TCP SYN from "outside" and has also seen TCP SYN ACK from the "inside" server as is to be expected but no actual last TCP ACK from the host that has sent the initial TCP SYN.

The "show perfmon" output also confirms this as there is a very high rate at which new TCP connections are built on the ASA. There is also a very high Embryonic Conns Timeout which to my understanding refers to connections that were not fully formed with the Three Way Handshake of TCP (TCP SYN -> TCP SYN,ACK -> TCP ACK)

Basically your server is overloaded by the SYN flood. Depending on your ASA model the ASA might also be under heavy load. In some cases I have even seen the ASA reach the maximum connection amount for the hardware and stop accepting connections.

- Jouni

ASA Troubleshooting

mahesh18 — Tue, 02 Jul 2013 21:50:24 GMT

Hi Jouni,

Thanks for the reply so to fix issue like this we should config the TCP intercept with connection limit to server might be one of the options to fix this issue right?

Regards

Mahesh

Re: ASA Troubleshooting

Jouni Forss — Tue, 02 Jul 2013 22:45:54 GMT

Hi,

Yes, you can set the maximum connections for the server.

I guess it basically requires you to:

Create an ACL that defines the traffic from any source to your server (with certain TCP ports even)
Create an "class-map" and apply that ACL to it
Move under the current global "policy-map" and attach the "class-map" there
Define connection limits for traffic destined to the server

You can also set the maximum embryonic connections.

You can also set the max connections and max embryonic connections on a per client basis which basically means that you can limit the connections so that if alot of the SYN traffic is coming from multiple same hosts then they will be more efficiently limited.

I am not sure how many different source addresses the TCP SYNs were coming from. I would imagine there are numerous different IPs so it would be impossible to make any kind of other configuration to limit the connections. Naturally you can temporarily deny traffic to that server from Internet so that the ASA wont even build a connections for those attempts. This should possibly give you time to implement some configurations to mitigate the effects of the SYN Flood.

Here is a link to the Command Reference of ASA 8.2 software which lists the different values you can set

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045

- Jouni

ASA Troubleshooting

mahesh18 — Wed, 03 Jul 2013 16:07:28 GMT

Many thanks Jouni,

Regards

Mahesh