ASA 5520 8.2(1) - Botnet Traffic Filter

Tim Davies · ‎06-29-2011

Hi there

When I try to configure the Botnet Traffic filter with the commad "dynamic-filter use database" through the ASDM I get the following error message.

[ERROR] dynamic-filter use-database

Dynamic Filter: New data file not terminated with newline

Anyone have any ideas?

Cheers

Tim

mirober2 · ‎07-01-2011

Hi Tim,

What version of ASDM are you using to manage this firewall?

If you enter the command from the CLI, do you see the same error?

-Mike

Tim Davies · ‎07-01-2011

Hi Mike

Thanks for the reply.

The ASDM version is 6.2(1) and yes I get the same error when I apply the command from the CLI -

(config)# dynamic-filter use-database

ERROR: Dynamic Filter: New data file not terminated with newline

Cheers

Tim

mirober2 · ‎07-01-2011

Hi Tim,

Can you share the output of the following commands?:

show run dynamic-filter

show dynamic-filter updater-client

-Mike

Tim Davies · ‎07-01-2011

Hi Mike

The command looks like it has appeared in the running config, however the Botnet Traffic Filter dosn't seem to be working. I should add that this is a Secondery Active firewall of a failover pair, the Primary has been taken out of service for an upgrade, the Botnet Traffic Fillter was working ok on the Primary firewall.

# sh running-config dynamic-filter

dynamic-filter updater-client enable

dynamic-filter use-database

dynamic-filter enable interface Outside

# sh dynamic-filter updater-client

Dynamic Filter updater client is enabled

Updater server url is

https://update-manifests.ironport.com

Application name: trafmon, version: 1.0

Encrypted UDI: 0bb93985f42d941e50dc8f022350d1a85540e78accd0dcb0c2369b9a3d270d74c39f01cfbed6f652acaf8df5384f8f8d

Last update attempted at 14:28:37 GMT/BDT Jul 1 2011,

with result: Downloaded file successfully

Next update is in 00:56:30

Database file version is '1309525623' fetched at 14:28:37 GMT/BDT Jul 1 2011, size: 3283179

Thanks

Tim

mirober2 · ‎07-01-2011

Hi Tim,

The size of the database file installed on the Secondary unit doesn't look quite right. Can you please try the following:

no dynamic-filter use-database

dynamic-filter database purge

dynamic-filter use-database

After that, wait about 2-3 minutes and then check the output of 'show dynamic-filter updater-client' again to make sure the DB downloaded successfully.

-Mike

Tim Davies · ‎07-01-2011

The commands applied successfully with no errors, the database hasn't downloaded but the next update time is 38mins? Do I need to wait?

# sh dynamic-filter updater-client

Dynamic Filter updater client is enabled

Updater server url is

https://update-manifests.ironport.com

Application name: trafmon, version: 1.0

Encrypted UDI: 0bb93985f42d941e50dc8f022350d1a85540e78accd0dcb0c2369b9a3d270d74c39f01cfbed6f652acaf8df5384f8f8d

Last update attempted at 14:28:37 GMT/BDT Jul 1 2011,

with result: Downloaded file successfully

Next update is in 00:38:04

No database file

mirober2 · ‎07-01-2011

Hi Tim,

Yes, it looks like the updater client still hasn't kicked off yet. Try disabling and re-enabling the updater-client, which should reset the timer to about 2 minutes:

no dynamic-filter updater-client enable

dynamic-filter updater-client enable

-Mike

Tim Davies · ‎07-01-2011

Thanks Mike, the database has downloaded but it looks like a simular size to previous one -

# sh dynamic-filter updater-client

Dynamic Filter updater client is enabled

Updater server url is

https://update-manifests.ironport.com

Application name: trafmon, version: 1.0

Encrypted UDI: 0bb93985f42d941e50dc8f022350d1a85540e78accd0dcb0c2369b9a3d270d74c39f01cfbed6f652acaf8df5384f8f8d

Last update attempted at 15:29:28 GMT/BDT Jul 1 2011,

with result: Downloaded file successfully

Next update is in 00:54:33

Database file version is '1309529282' fetched at 15:29:28 GMT/BDT Jul 1 2011, size: 3283156

mirober2 · ‎07-01-2011

Hi Tim,

Do you still get the same error if you remove and re-add the 'dynamic-filter use-database' command?

-Mike

Tim Davies · ‎07-01-2011

Yes, still getting the same error.

mirober2 · ‎07-01-2011

Hi Tim,

Are you able to upgrade the ASA to 8.2(5) to see if that resolves the issue? 8.2(1) is a bit old and we've had a bunch of Botnet Traffic Filter-related bug fixes since then. One important one that you'll want the fix for (though probably unrelated to this issue) is:

CSCtg41691 - dynamic-filter database update triggers cpu-hog

If you're not able to upgrade, please open up a TAC case for this issue so we can investigate a bit further.

-Mike

Tim Davies · ‎07-01-2011

Thanks Mike for all your help, I plan to upgrade to 8.4(1) so hopefully this will solve the problem.

Thanks Again

Cheers

Tim

mirober2 · ‎07-01-2011

Hi Tim,

Just a quick note to add on that. It sounds like you've already researched the upgrade, but if not keep in mind that there are very significant changes to the NAT and ACL config in 8.4. If you haven't already, make sure you read the release notes and migration guides before moving to 8.4.

Also, if you do move to 8.4, you should use 8.4(2) to make sure you get all of the latest bug fixes.

-Mike

Tim Davies · ‎07-01-2011

Thanks Mike, yes I have upgraded a few of our ASA's already to 8.4(1). I hadn't realised 8.4(2) was out yet, thanks for the information.