topic Re: icmp denny in syslog on the firewall in Network Security

icmp denny in syslog on the firewall

cciesec2011 — Mon, 11 Mar 2019 18:15:50 GMT

access-list external extended permit icmp any any log
access-list external extended permit udp host 216.211.119.10 host 170.198.64.129 eq isakmp log
access-list external extended permit udp host 216.211.119.10 host 170.198.64.129 eq 4500 log
access-list external extended permit esp host 216.211.119.10 host 170.198.64.129 log
access-list external extended permit ip host 216.211.119.10 host 170.198.64.129 log
access-list external extended permit tcp host 216.211.119.254 host 170.198.64.97 eq smtp log
access-list external extended permit tcp host 216.211.119.254 170.198.64.96 255.255.255.224 eq smtp log
access-list external extended deny ip host 216.211.119.254 170.198.64.96 255.255.255.224 log
access-list external extended permit ip any any log

access-list Firewall extended permit udp host 216.211.119.10 host 170.198.64.129 eq isakmp log
access-list Firewall extended permit udp host 216.211.119.10 host 170.198.64.129 eq 4500 log
access-list Firewall extended permit esp host 216.211.119.10 host 170.198.64.129 log
access-list Firewall extended permit ip host 216.211.119.10 host 170.198.64.129 log
access-list Firewall extended deny udp any any eq isakmp log
access-list Firewall extended deny udp any any eq 4500 log
access-list Firewall extended deny esp any any log
access-list Firewall extended permit icmp any any log
access-list Firewall extended permit ip any any log

access-group Firewall in interface external control-plane
access-group external in interface external

URPF is NOT enable. This ASA is running version 8.2(1). There is only two interfaces, internal and external.
"no nat-control" is enable.

For the past couple of days, I am seeing this syslog message on my syslog server:

Jul 23 17:39:01 ASA-VPN Jul 23 2010 21:39:01: %ASA-3-313001: Denied ICMP type=4, code=0 from 195.97.148.89 on interface external

Why am I seeing this message when ICMP is allowed THROUGH and TO the firewall itself?

Anyone know why?

Re: icmp denny in syslog on the firewall

Jitendriya Athavale — Sat, 24 Jul 2010 16:46:02 GMT

this is a type 4 code 0 which is a source quench

from wiki:

The Source Quench is an Internet Control Message Protocol message which requests the sender to decrease the traffic rate of messages to a router or host. This message may be generated if the router or host does not have sufficient buffer space to process the request, or may occur if the router or host's buffer is approaching its limit.

now what we need to see is why the firewall is dropping this type of packet

one quick question here

the deny's that you have been seeing in the last few days are they of the same type and code

also do you recognise the public ip mentioned in the log (any vpn peer or something like that)

having said that this is a old method and is not used anymore

i would assume this to be an attack

probably your firewall is dropping it thinking it as a attack

do you have any ips module on this firewall or do you have threat detection configured

Re: icmp denny in syslog on the firewall

cciesec2011 — Sat, 24 Jul 2010 19:00:52 GMT

"the deny's that you have been seeing in the last few days are they of the same type and code"

Yes.

"also do you recognise the public ip mentioned in the log (any vpn peer or something like that)"

Yes. That IP address is my Solarwind Network Performance Monitor Server. It collects data of the ASA via SNMP.

Why is the ASA denying ICMP from my Network Management System (NMS)? The larger point is why it is doing that

when I have "permit ip any any log" in the ACL

"do you have any ips module on this firewall or do you have threat detection configured"

No. I do not have IPS module on the ASA so threat detection is not configured.

Any other suggestions?

ASA-VPN> sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

ASA-VPN up 91 days 0 hours
failover cluster up 91 days 0 hours

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0         : address is 0026.cbb0.deea, irq 9
1: Ext: Ethernet0/1         : address is 0026.cbb0.deeb, irq 9
2: Ext: Ethernet0/2         : address is 0026.cbb0.deec, irq 9
3: Ext: Ethernet0/3         : address is 0026.cbb0.deed, irq 9
4: Ext: Management0/0       : address is 0026.cbb0.dee9, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
SSL VPN Peers                : 2
Total VPN Peers              : 250
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5510 Security Plus license.

Serial Number: XXXXXX
Running Activation Key: XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
ASA-VPN>

Re: icmp denny in syslog on the firewall

Jitendriya Athavale — Sun, 25 Jul 2010 12:37:51 GMT

do you see the drops even when you try to ping the outside ip of firewall from the snmp server

i have a strong feeling that it is only deny type 4 code 0 messages

Re: icmp denny in syslog on the firewall

cciesec2011 — Sun, 25 Jul 2010 13:05:42 GMT

I am not seeing any drop when I ping the firewall outside interface from this Network Management System.

The question is why it is doing this? "permit icmp any any" and "permit ip any any" should be enough to allow this traffic, including icmp type 4 code 0, to hit the external interface of the firewall right? Why am I seeing this deny message?

Re: icmp denny in syslog on the firewall

Jitendriya Athavale — Sun, 25 Jul 2010 13:24:41 GMT

i understand, i have read your config and i can see you are permitting icmp

it should not be denying it

but i am interested in looking is if its only this type of icmp that it is dropping or is it dropping any icmp traffic randomly

as i said before according to rfc no device is supposed to send such icmp messages, so probably it thinks it is a attack

can you post the following output

show run icmp

show run | in icmp

also show threat-detection statistics

Re: icmp denny in syslog on the firewall

cciesec2011 — Sun, 25 Jul 2010 13:36:22 GMT

ASA-VPN# sh run icmp

icmp unreachable rate-limit 1 burst-size 1

icmp permit host 216.211.64.129 external

icmp permit host 216.211.64.130 external

icmp permit host 216.211.64.140 external

icmp permit host 216.211.64.141 external

icmp permit host 216.211.64.142 external

icmp permit 216.211.148.128 255.255.255.128 external

icmp permit host 216.211.155.205 external

icmp permit host 216.211.250.16 external

icmp permit host 171.214.219.10 external

icmp permit 195.97.148.0 255.255.255.0 external

icmp permit host 216.211.156.6 external

ASA-VPN#

ASA-VPN# show threat-detection statistics

Top Name Id Average(eps) Current(eps) Trigger Total events

1-hour ACL hits:

01 external/9 0 0 0 180

02 internal/2 0 0 0 148

03 internal/6 0 0 0 145

04 external/1 0 0 0 140

05 Firewall/9 0 0 0 1

8-hour ACL hits:

01 internal/6 0 0 0 1924

02 external/9 0 0 0 1423

03 internal/2 0 0 0 1269

04 external/1 0 0 0 1166

05 Firewall/9 0 0 0 2

24-hour ACL hits:

01 internal/6 0 0 0 5344

02 external/9 0 0 0 3928

03 internal/2 0 0 0 3753

04 external/1 0 0 0 3472

05 Firewall/9 0 0 0 9

06 internal/3 0 0 0 2

07 Firewall/3 0 0 0 1

08 external/6 0 0 0 1

ASA-VPN#

Re: icmp denny in syslog on the firewall

August Ritchie — Mon, 26 Jul 2010 04:56:27 GMT

Can you grab a "show run policy-map", "show run service-policy" and "show service-policy"

Re: icmp denny in syslog on the firewall

cciesec2011 — Mon, 26 Jul 2010 09:55:15 GMT

ASA-VPN# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
ASA-VPN#
ASA-VPN# sh run service-policy
service-policy global_policy global
ASA-VPN#
ASA-VPN# show service-policy

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 241304, drop 60, reset-drop 0
      Inspect: ftp, packet 1555, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 24, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 24, drop 0, reset-drop 0
      Inspect: rtsp, packet 24, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 24, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 2716, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 24, drop 12, reset-drop 0
      Inspect: sip , packet 12, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 3859, drop 0, reset-drop 0
      Inspect: tftp, packet 24, drop 12, reset-drop 0
ASA-VPN#

Re: icmp denny in syslog on the firewall

August Ritchie — Mon, 26 Jul 2010 15:43:15 GMT

Just to make sure it's not something super simple can you try adding

policy-map global_policy
class inspection_default
inspect icmp

Re: icmp denny in syslog on the firewall

cciesec2011 — Mon, 26 Jul 2010 17:32:35 GMT

"policy-map global_policy
class inspection_default
inspect icmp"

Why do I need to do this? "permit icmp any any" & "permit ip any any" will do the same trick right?

Re: icmp denny in syslog on the firewall

August Ritchie — Mon, 26 Jul 2010 18:09:13 GMT

Yes it should do the same thing. I just wanted to see if for some odd reason the results were any different.

My theory is that the ASA just doesn't know what to do with source quench once it receives it. Can you tell us what the 195.97.148.89 address is?

Looking at the wikipedia article about the Source Quench I see that the source quench should be a response to another piece of data.

http://en.wikipedia.org/wiki/ICMP_Source_Quench

00	08	16
Type = 4	Code = 0	Header Checksum
Empty
IP Header + First 8 Bytes of Original Datagram's Data

Perhaps the ASA is not able to find what connection this Source Quench is referring to so it just drops the packet. If we look in the last field we see that the connection to be slowed should be identified by the first 8 bytes of the original datagram's data, and maybe the ASA just doesn't know what the corresponding connection is, hence the drop.

Re: icmp denny in syslog on the firewall

cciesec2011 — Mon, 26 Jul 2010 19:50:05 GMT

"Can you tell us what the 195.97.148.89 address is?"

My Network Manament System (NMS) as stated in previous thread.

Re: icmp denny in syslog on the firewall

Andrew Ossipov — Mon, 26 Jul 2010 20:12:10 GMT

Hello,

Since ICMP Type 4, Code 0 messages include an embedded IP packet (the original one that the Quench corresponds to), the ASA will only permit it if it can match it to the original session (conn entry). For this to happen, ICMP Inspection must be enabled.

Andrew

Re: icmp denny in syslog on the firewall

cciesec2011 — Mon, 26 Jul 2010 20:16:01 GMT

Where do you see this in the documentation?

I need to enable icmp inspect even for traffics destined for the firewall interface?