Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
425
Views
6
Helpful
1
Replies

Will ASA block asymmetric UDP traffic?

yuhuiyao
Level 1
Level 1

‎10-27-2022 09:05 PM

Hi,

Will ASA keep UDP state and drop the asymmetric UDP traffic? If so, how? UDP is a stateless protocol and how will ASA keep track of its state?

 

Thanks, 

Labels:
0 Helpful
1 Reply 1

Kasun Bandara
VIP
VIP

‎10-27-2022 10:31 PM

according to CISCO

For UDP flows, the ASA tracks source and destination IP addresses and ports and the idle time since the last packet of the flow was seen by the ASA. For certain applications (such as DNS), the ASA also tracks request identifiers, to help it defend against packet-spoofing attacks. A UDP  flow is created in the connection table if the ASA security policy permits it. Because UDP flows have no state machine, UDP flows are deleted only when they are idle for longer than the configurable UDP idle timer

when this relating to asymmetric routing, there is many things to consider. asymmetric related TCP as below.

https://community.cisco.com/t5/security-knowledge-base/asa-asymmetric-routing-troubleshooting-and-mitigation/ta-p/3117045

its good to configure zone based policies if asymmetric is expectable,

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/interface-zones.html

another good thread about UDP session handling is at

https://community.cisco.com/t5/network-security/how-does-a-firewall-track-udp/td-p/2354302

 

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
Customers Also Viewed These Support Documents