Beginner

C65K ASA module - syn cookie & ASAx clustering (9.x)

Hi,

A couple of questions:

I want to move SYN cookie protection from ACE modules to ASA modules in a data center setup. And I want to set a max embryonic conns per server/IP behind the firewall, e.g. 512/server.

According to the ASA configuration guide 8.5, you can make and apply a service-policy, e.g. to the outside interface, with the following variables (among others):

- conn-max (0-2000000). I suppose this is an overall 'conns through the box' value?

- embryonic-conn-max n. Is n the overall embryonic 'conns through the box' value?

- per-client-embryonic-max. If clients are outside hosts accessing an inside server, it will not mitigate DDoS SYN attacks very well, will it?

Apparently none of the above settings limit embryonic conns per inside server?

On the other hand the configuration guide says:

When you use TCP SYN cookie protection to protect servers from SYN attacks, you must set the embryonic connection limit lower than the TCP SYN backlog queue on the server that you want to protect. Otherwise, valid clients can no longer access the server during a SYN attack.

??

And to something completely different:

In ASA software 9.x, clustering of the 5585-X is an option. Does it apply to the ASA modules as well (which are based on the 5585-X)?

Thanks

Regards Jesper Joensen

Cisco Employee

Accepted solution

Hello Jesper,

ASA-SM does not support clustering (not to be confused with failover).

Thanks

Iyer


Beginner


Hello Iyer

Thanks for your answer, which I also learned on a Cisco Tech update some time ago.

No hints on the SYN cookie questions? ;-)

Thank you

Jesper

Cisco Employee


Jesper,

You can protect internal servers with per-client-embryonic-max.

  class-map embr
   match any
  policy-map global_policy
   class embr
    set connection per-client-embryonic-max 2

If you exceed the limit of 2 embryonic connections to the server on the inside, further connections will be discarded.

Aug 01 2013 09:29:21: %ASA-6-201012: Per-client embryonic connection limit exceeded 2/2 for input packet from / to / on interface inside

Beginner


Iyer

Agree - but you still have a problem with heavy DDoS attacks with thousands of spoofed IPs.

I ended up with this config (going into production very soon). The embryonic-conn-max 512 is intended to trigger SYN cookies during SYN attacks:

class-map EMBRYONIC-CONNS
 match any
!
policy-map EMBRYONIC-CONNS
 class EMBRYONIC-CONNS
  set connection embryonic-conn-max 512 per-client-embryonic-max 5
!
service-policy EMBRYONIC-CONNS interface msfc

Thanks

Jesper

Cisco Employee


Configuration looks good. You might want to tweak & tune limit of 512 based on your network traffic profile.
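The configuration the thread settles on uses a single "match any" class, so embryonic-conn-max 512 is one aggregate limit for every TCP connection matched on the msfc interface, not the per-server limit asked for in the original post. The configuration guide's advice (set the embryonic limit below the protected server's own SYN backlog) only makes sense when the class is scoped to that server, which on the ASA is done with a class-map that matches an access-list. The fragment below is an added example and is not configuration posted in the thread; the server addresses (taken from the 192.0.2.0/24 documentation range), ports, limits and ACL/class names are assumptions, while the interface name msfc is the one used in the thread.

```cisco
! Added example: one class per protected server instead of a single "match any" class.
! Addresses, ports, limits and names are assumed for illustration.
!
! One ACL per protected server (or per group of servers that share a limit).
! In 8.3 and later the ACL matches the server's real (untranslated) address.
access-list WEB-SRV-EMBRYONIC extended permit tcp any host 192.0.2.10 eq 80
access-list WEB-SRV-EMBRYONIC extended permit tcp any host 192.0.2.10 eq 443
access-list MAIL-SRV-EMBRYONIC extended permit tcp any host 192.0.2.20 eq 25
!
class-map WEB-SRV-EMBRYONIC
 match access-list WEB-SRV-EMBRYONIC
class-map MAIL-SRV-EMBRYONIC
 match access-list MAIL-SRV-EMBRYONIC
!
! embryonic-conn-max: counts half-open connections matching the class; once it is
!   reached the ASA answers further SYNs itself with SYN cookies, so the limit must
!   sit below the server's own SYN backlog for the ASA, not the server, to absorb the flood.
! per-client-embryonic-max: caps a single source address. It does nothing against
!   thousands of spoofed sources, but stops one client from consuming the class limit.
policy-map EMBRYONIC-CONNS
 class WEB-SRV-EMBRYONIC
  set connection embryonic-conn-max 512 per-client-embryonic-max 5
 class MAIL-SRV-EMBRYONIC
  set connection embryonic-conn-max 256 per-client-embryonic-max 5
!
service-policy EMBRYONIC-CONNS interface msfc
```

The limit in each class is shared by everything the class matches, so a class that covers several servers needs a limit sized for the smallest backlog among them. After applying the policy, "show service-policy interface msfc" reports the current embryonic connection count and drops per class, which is the number to watch when tuning the 512 and 256 values to the real traffic profile, as the last reply suggests.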
