topic ASA 9.1 conn timeout for DNS? in Network Security

ASA 9.1 conn timeout for DNS?

aimken123 — Tue, 12 Mar 2019 00:50:19 GMT

Hi,

I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1).

It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.

A lot of the connections looked like this:

UDP prod x.x.x.x:53 dmz y.y.y.y:55639, idle 112:33:59, bytes 419, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55638, idle 112:34:00, bytes 419, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55603, idle 112:34:30, bytes 129, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55602, idle 112:34:30, bytes 227, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55600, idle 112:34:31, bytes 227, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55599, idle 112:34:31, bytes 227, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55597, idle 112:34:31, bytes 479, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55595, idle 112:34:31, bytes 128, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55594, idle 112:34:31, bytes 413, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55568, idle 112:34:44, bytes 227, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55567, idle 112:34:44, bytes 227, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55566, idle 112:34:44, bytes 413, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55565, idle 112:34:44, bytes 413, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55564, idle 112:34:44, bytes 227, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55563, idle 112:34:44, bytes 227, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55562, idle 112:34:44, bytes 479, flags -

UDP prod x.x.x.x:53 dmz y.y.y.y:55561, idle 112:34:44, bytes 479, flags -

The config guide notes that the "timeout udp ..." command doesn't affect DNS.

Any ideas on how to time out DNS connections?

Thanks,
Ken.

ASA 9.1 conn timeout for DNS?

Julio Carvajal — Tue, 22 Jan 2013 00:54:08 GMT

Hello Ken,

I think I saw it once ( bug) , I am looking for the bug ID

Workaround available was :

Please remove the DNS inspection and clear the local host table of the ASA....

Let me know if this is the case

ASA 9.1 conn timeout for DNS?

david.tran — Tue, 22 Jan 2013 01:33:07 GMT

Seeing these types of posts make me laugh .

One of the many features that Cisco claimed to be better than other firewall vendors is the "deep inspection" packets such as sqlnet, esmtp, DNS, etc...

I have seen a lot of postings in this firewall forums that whenever someone has an issue with either sqlnet, esmtp, and in this case, DNS, the work around is almost always "disable inspection". If you're going to disable "inspection" of the ASA, then what is the point of using the firewall in the first place?

ASA 9.1 conn timeout for DNS?

Julio Carvajal — Tue, 22 Jan 2013 01:42:42 GMT

Hello David,

No need to be sarcastic...... Try to provide something useful to the discussion so we can help each other. In this case we are mentioning a software bug and as I said is a ****Work-around**** Not a solution.. If this is the same Bug I remember we are still working on the fix code,

We are here to help not to criticize.....

Regards,

ASA 9.1 conn timeout for DNS?

david.tran — Tue, 22 Jan 2013 01:50:38 GMT

I am trying to be funny, guess that did not work

On a serious note, let say if this is an Internet facing firewall and I run into this issue. As a "work-around", I have to "disable DNS inspection" on my Internet facing firewall to get things working again. By disabling dns inspection on my Internet firewall, isn't that a security risk?

ASA 9.1 conn timeout for DNS?

aimken123 — Tue, 22 Jan 2013 02:26:52 GMT

Thanks for that.

Luckily, this particular firewall is only in a sandpit environment.

I've been doing a bit more looking though, and it seems the remaining 38k connections are mostly a mix of udp 161 (SNMP) and udp 389 (AD LDAP).

Inspection for SNMP was never enabled, and there doesn't seem to be any inspection option for LDAP.

Any suggestions?

p.s. It looks like I won't be rolling this version into production...

ASA 9.1 conn timeout for DNS?

Julio Carvajal — Tue, 22 Jan 2013 03:17:29 GMT

Hello David,

Sorry if I was a little serious

of course it is a security risk, but we are trying to solve this, let;s try to get to the root cause of the issue and then move from there

ASA 9.1 conn timeout for DNS?

Julio Carvajal — Tue, 22 Jan 2013 03:17:49 GMT

Have you take out the DNS inspection and test it?

ASA 9.1 conn timeout for DNS?

aimken123 — Tue, 22 Jan 2013 03:39:30 GMT

DNS inspection has been removed.

The DNS connections still aren't timing out though.

ASA 9.1 conn timeout for DNS?

Julio Carvajal — Tue, 22 Jan 2013 05:23:17 GMT

Hello,

Thanks for the update, so it is definetly something new and interesting.

Let me see what I can investigate on this

Re: ASA 9.1 conn timeout for DNS?

farrell.da — Wed, 23 Jan 2013 21:09:04 GMT

Are you by any chance applying connection limits/timeouts via a policy-map? I noted unexpected behaviour with this and DNS timeouts just today. ASA 5540 active/active 9.1.

Sent from Cisco Technical Support iPad App

Re: ASA 9.1 conn timeout for DNS?

farrell.da — Wed, 23 Jan 2013 21:12:55 GMT

I had 'match any' and the timeouts I _thought_ were TCP specific (30 min idle timeout) also applied to UDP. Result - thousands of idle DNS, SNMP etc. state entries.

Sent from Cisco Technical Support iPad App

ASA 9.1 conn timeout for DNS?

aimken123 — Wed, 23 Jan 2013 23:55:14 GMT

David,

None of my policy maps set connection limits or timeouts (they're all for inspection).

On another note, I've since cleared all the connections, and none of the new ones seem to be exceeding the timeout values. Seems like I can't replicate my original problem.

ASA 9.1 conn timeout for DNS?

Julio Carvajal — Wed, 23 Jan 2013 23:59:53 GMT

Hello Ken,

Is there a way you could provide your configuration or send it on a private message so I can doble check it,

Regards