1343 Views | 0 Helpful | 4 Replies

what is the equivalent implementation of isr ios cli "ip tcp synwait-time 10" on asa cli

Oscar Quinonez
Level 1

I would like to see an implementation of an ISR IOS CLI:

     ip tcp synwait-time 10

on an ASA CLI. Thank you much in advance.

Accepted Solution

Hi Oscar,

this is supported but you need a class-map type management:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/mpf_service_policy.html#wp1167296

TCP and UDP connection limits and timeouts, and TCP sequence number randomization: supported for management traffic...

access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq https log
access-list CONTROL_ACL extended permit tcp host 1.1.1.2 interface outside eq ssh log
class-map type management CONTROL
 match access-list CONTROL_ACL
policy-map global_policy
 class CONTROL
  set connection conn-max 1
service-policy global_policy global

In my tests, it worked for SSH but not for HTTPS:

ciscoasa(config)# sh conn all
2 in use, 2 most used
TCP outside 1.1.1.2:38670 NP Identity Ifc 1.1.1.10:22, idle 0:00:38, bytes 20, flags UfrOB
TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:02, bytes 0, flags UB

After other sessions:

%ASA-7-710005: TCP request discarded from 1.1.1.2/25085 to outside:1.1.1.10/22
%ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.2/25085 to 1.1.1.10/22 on interface outside

ciscoasa(config)# sh conn all
4 in use, 5 most used
TCP outside 1.1.1.2:41726 NP Identity Ifc 1.1.1.10:443, idle 0:00:43, bytes 0, flags UB
TCP outside 1.1.1.2:26087 NP Identity Ifc 1.1.1.10:443, idle 0:00:45, bytes 0, flags UB
TCP outside 1.1.1.2:33312 NP Identity Ifc 1.1.1.10:443, idle 0:00:47, bytes 0, flags UB
TCP outside 1.1.1.2:26470 NP Identity Ifc 1.1.1.10:443, idle 0:00:04, bytes 0, flags UB

Somehow, 0 hitcount on HTTPS ACL...

ciscoasa(config)# sh access-list
access-list CONTROL_ACL line 1 extended permit tcp host 1.1.1.2 interface outside eq https log informational interval 300 (hitcnt=0) 0x59b7aa4c
access-list CONTROL_ACL line 2 extended permit tcp host 1.1.1.2 interface outside eq ssh log informational interval 300 (hitcnt=8) 0x31fe983c

ciscoasa(config)# sh asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop)                                 2
  First TCP packet not SYN (tcp-not-syn)                                      49
  Connection limit reached (conn-limit)                                        2
  FP L2 rule drop (l2_acl)                                                    48
Flow drop:
  SSL bad record detected (ssl-bad-record-detect)                              3

ciscoasa(config)# sh service-policy
Global policy:
  Service-policy: global_policy
    Class-map: CONTROL
      Set connection policy: conn-max 1
        current conns 1, drop 2

You can also control each feature's timeouts separately via:

telnet/ssh timeout 1

http server idle-timeout/session-timeout 1

Note: I tried this in GNS (ASA 8.4.2) using telnet from a router (not a real browser for HTTPS), so the results might not reflect a production environment...

Patrick

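As an added example (not from the thread, not Cisco code), the following Python script does two checks a defender would want around this configuration: it parses the %ASA-3-201011 and %ASA-7-710005 syslog messages Patrick quoted and counts connection-limit hits per source and management port, and it inspects a running-config excerpt to flag any `set connection` limit whose class-map is not `type management`, which is the difference between Oscar's data-plane class-map and Patrick's working one. The log lines and config excerpts are constructed from the thread's own values; the `111008` line is a constructed unrelated message to show it is ignored.

```python
import re
from collections import Counter

# Syslog messages quoted in the thread: 201011 (limit exceeded) and 710005
# (request discarded). Field names follow the message text.
CONN_LIMIT_RE = re.compile(
    r"%ASA-3-201011: Connection limit exceeded (?P<cur>\d+)/(?P<max>\d+) "
    r"for input packet from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)"
)
DISCARD_RE = re.compile(
    r"%ASA-7-710005: TCP request discarded from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Matches "class-map NAME" and "class-map type management NAME".
CLASS_MAP_RE = re.compile(r"\s*class-map\s+(?P<mgmt>type\s+management\s+)?(?P<name>\S+)")

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = [
    "%ASA-7-710005: TCP request discarded from 1.1.1.2/25085 to outside:1.1.1.10/22",
    "%ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.2/25085 to 1.1.1.10/22 on interface outside",
    "%ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.2/25091 to 1.1.1.10/22 on interface outside",
    "%ASA-3-201011: Connection limit exceeded 1/1 for input packet from 1.1.1.3/40001 to 1.1.1.10/22 on interface outside",
    "%ASA-5-111008: User 'enable_15' executed the 'show conn all' command.",
]

# Constructed config excerpts modelled on the two configurations in the thread.
DATA_PLANE_CONFIG = """\
class-map INT_NET0965
 match access-list INT_NET0965
policy-map global_policy
 class INT_NET0965
  set connection conn-max 1
  set connection embryonic 0:0:10
"""
MGMT_PLANE_CONFIG = """\
class-map type management CONTROL
 match access-list CONTROL_ACL
policy-map global_policy
 class CONTROL
  set connection conn-max 1
"""


def parse_event(line):
    """Return (kind, fields) for a 201011 or 710005 line, None for anything else."""
    m = CONN_LIMIT_RE.search(line)
    if m:
        return ("conn-limit", m.groupdict())
    m = DISCARD_RE.search(line)
    if m:
        return ("discarded", m.groupdict())
    return None


def summarize_conn_limit(lines):
    """Count 201011 hits per (source IP, destination IP, destination port).
    A steady stream from one source against a management port is worth an
    alert; a single hit is usually an operator opening a second SSH session."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev[0] == "conn-limit":
            f = ev[1]
            counts[(f["src"], f["dst"], f["dport"])] += 1
    return counts


def class_map_types(config):
    """Map each class-map name to True if it was declared `type management`."""
    types = {}
    for line in config.splitlines():
        m = CLASS_MAP_RE.match(line)
        if m:
            types[m.group("name")] = m.group("mgmt") is not None
    return types


def connection_limit_findings(config):
    """List every `set connection ...` under a policy-map class and flag whether
    its class-map is `type management`. Without that keyword the limit only
    applies to through-the-box traffic, so to-the-box SSH/HTTPS is not counted."""
    types = class_map_types(config)
    findings, current, in_policy = [], None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            in_policy, current = True, None
        elif in_policy and line.startswith("class "):
            current = line.split(None, 1)[1]
        elif in_policy and current and line.startswith("set connection "):
            findings.append({"class": current, "command": line,
                             "management": types.get(current, False)})
    return findings


if __name__ == "__main__":
    for (src, dst, dport), n in summarize_conn_limit(SAMPLE_LOGS).items():
        print(f"conn-limit hits from {src} to {dst}:{dport} = {n}")
    for f in connection_limit_findings(DATA_PLANE_CONFIG) + connection_limit_findings(MGMT_PLANE_CONFIG):
        scope = "to-the-box (management)" if f["management"] else "through-the-box only"
        print(f"{f['class']}: {f['command']} -> {scope}")
```

Run against the data-plane excerpt the checker reports both `set connection` lines as through-the-box only, which is exactly why two SSH sessions succeeded in Oscar's test; against the management excerpt it reports the limit as applying to the box itself.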

4 Replies

Hi Oscar,

class-map ...
 match any
policy-map ...
 class ...
  set connection timeout embryonic
service-policy ... global|interface...

The embryonic hh:mm:ss keyword sets the timeout period until a TCP embryonic (half-open) connection is closed, between 0:0:5 and 1193:0:0. The default is 0:0:30. You can also set this value to 0, which means the connection never times out.

http://www.cisco.com/en/US/partner/docs/security/asa/command-reference/s1.html#wp1453113

Hi Patrick,

thank you for the prompt response. I have implemented this for data flow going through the ASA (Data Plane).

My requirement is for traffic terminating (where the asa is the tcp server listener) on the ASA device itself (Management Plane).

I tried testing the CLI snippet below, but was able to log into the device more than once (conn-max set to 1):

I launched two SSH sessions from MY.MAN.IP.ADDR to INSIDE.IP.ADDR.ASA successfully, where I expected only one session to complete.

object network INT_inside
 host INSIDE.IP.ADDR.ASA
object network INT_outside
 host OUTSIDE.IP.ADDR.ASA
object-group network INT_NET0965
 network-object object INT_inside
 network-object object INT_outside
access-list INT_NET0965 permit ip any object-group INT_NET0965 log
class-map INT_NET0965
 match access-list INT_NET0965
policy-map global_policy
 class INT_NET0965
  set connection conn-max 1
  set connection embryonic 0:0:10
service-policy global_policy global
ssh MY.MAN.IP.ADDR 255.255.255.255 inside


Hi Patrick,

your feedback helped a lot.

I went ahead and ran a script to cycle through 65535 ports on an ASA h/w platform running s/w ver 8.4.38, and the only port that did not trigger the conn-max was HTTPS. It seems like a silly added feature or defect.

This does not resolve my business policy requirements, but at least it allows me to mitigate to some level.

I wonder why there is not a set function for timing out a half-open session based on time rather than number.

I ended up using the:

set connection embryonic-conn-max n

although I really need:

set connection timeout embryonic 0:0:10
