Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
743
Views
0
Helpful
4
Replies

botnet filter no longer functions after disk format

Go to solution
lcaruso
Level 6
Level 6

‎07-03-2011 09:43 PM - edited ‎03-11-2019 01:54 PM

Hi,

I was having major issues with a 5505 (too long a discussion to go into here) so I formatted the disk and uploaded fresh binaries and recreated my configuration. I noticed the licenses were preserved. I also noticed there were several fsck records after the format that were reclaiming lost chains. I suspect the flash on this ASA is going bad, since everytime it boots it says "reading from flash ..!!" like it cannot even read flash successfully. When I purchased this one new, it also had several fsck records being brand new. I'm going to open a case on these flash issues/questions.

Anyway, after all of the above, the only thing that is not working is the botnet filter. I copied my config line for line, but I don't know why it isn't working:

dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable 
dynamic-filter enable interface inside 
dynamic-filter enable interface outside 
dynamic-filter drop blacklist 
dynamic-filter drop blacklist interface outside threat-level range moderate very-high
dynamic-filter ambiguous-is-black
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect dns preset_dns_map dynamic-filter-snoop 
  inspect http 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-03-2011 10:05 PM

A couple of things to check:

1) Make sure that your ASA still has the AES/3DES license enabled after reformatting the flash. The output of show version will show you whether it is enabled or disabled. AES/3DES license is required to download the dynamic database.

2) From the above output, you have configured "inspect dns preset_dns_map dynamic-filter-snoop" configured, however, I couldn't find the policy-map created with the name "dynamic-filter-snoop". Can you please confirm if that policy-map has been created to inspect DNS (UDP/53) traffic?

If it hasn't, the following needs to be configured:

class-map dynamic-filter_snoop_class

     match port udp eq domain

policy-map dynamic-filter-snoop

     class dynamic-filter_snoop_class

Hope that helps.

View solution in original post

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jennifer Halim

‎07-04-2011 07:36 AM

Is botnet license enabled?

"sh ver" and "sh activation-key detail"

Follow this doc and make sure the configuration in place is correct:

https://supportforums.cisco.com/docs/DOC-8782

-KS

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-03-2011 10:05 PM

A couple of things to check:

1) Make sure that your ASA still has the AES/3DES license enabled after reformatting the flash. The output of show version will show you whether it is enabled or disabled. AES/3DES license is required to download the dynamic database.

2) From the above output, you have configured "inspect dns preset_dns_map dynamic-filter-snoop" configured, however, I couldn't find the policy-map created with the name "dynamic-filter-snoop". Can you please confirm if that policy-map has been created to inspect DNS (UDP/53) traffic?

If it hasn't, the following needs to be configured:

class-map dynamic-filter_snoop_class

     match port udp eq domain

policy-map dynamic-filter-snoop

     class dynamic-filter_snoop_class

Hope that helps.

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jennifer Halim

‎07-04-2011 07:36 AM

Is botnet license enabled?

"sh ver" and "sh activation-key detail"

Follow this doc and make sure the configuration in place is correct:

https://supportforums.cisco.com/docs/DOC-8782

-KS

0 Helpful

Go to solution
lcaruso
Level 6
Level 6
In response to Kureli Sankar

‎07-04-2011 06:16 PM

Thanks for the help. It seems to be the backup config was missing some commands.

0 Helpful

Go to solution
lcaruso
Level 6
Level 6
In response to Jennifer Halim

‎07-04-2011 06:13 PM

My config was missing those pieces. Nice catch.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card