ASA 9.1 conn timeout for DNS?

aimken123
Level 1

Hi,

I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1).

It turned out it had 130000 active connections.  Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.

A lot of the connections looked like this:

UDP prod  x.x.x.x:53 dmz  y.y.y.y:55639, idle 112:33:59, bytes 419, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55638, idle 112:34:00, bytes 419, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55603, idle 112:34:30, bytes 129, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55602, idle 112:34:30, bytes 227, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55600, idle 112:34:31, bytes 227, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55599, idle 112:34:31, bytes 227, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55597, idle 112:34:31, bytes 479, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55595, idle 112:34:31, bytes 128, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55594, idle 112:34:31, bytes 413, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55568, idle 112:34:44, bytes 227, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55567, idle 112:34:44, bytes 227, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55566, idle 112:34:44, bytes 413, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55565, idle 112:34:44, bytes 413, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55564, idle 112:34:44, bytes 227, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55563, idle 112:34:44, bytes 227, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55562, idle 112:34:44, bytes 479, flags -
UDP prod  x.x.x.x:53 dmz  y.y.y.y:55561, idle 112:34:44, bytes 479, flags -

The config guide notes that the "timeout udp ..." command doesn't affect DNS.

Any ideas on how to time out DNS connections?

Thanks,
Ken.
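A quick way to triage a conn table like the one above, added here as an example that is not part of the original post and not a Cisco tool: a Python script that parses "show conn" lines, buckets entries by protocol and service port, and flags those idle longer than the timeout that should have applied. The sample lines are constructed after Ken's output (RFC 5737 addresses substituted for x.x.x.x, plus a few SNMP, LDAP and TCP entries). The timeout values are assumptions (the ASA factory defaults of 2 minutes for UDP and 1 hour for TCP), and the policy_idle parameter is a hypothetical knob that models a "set connection timeout idle" applied by a "match any" policy-map overriding the global values.

```python
"""Triage an ASA 'show conn' dump: which ports hold conns that outlived their timeout?

Added example, not from the thread.  Sample lines are constructed after the
output in the original post; timeouts are assumptions (ASA defaults).
"""
import re
from collections import defaultdict

# One 'show conn' line: PROTO in_if in_ip:port out_if out_ip:port, idle H:MM:SS, bytes N, flags F
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<in_if>\S+)\s+(?P<in_ip>[^\s:]+):(?P<in_port>\d+)"
    r"\s+(?P<out_if>\S+)\s+(?P<out_ip>[^\s:]+):(?P<out_port>\d+),"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+bytes\s+(?P<bytes>\d+),"
    r"\s+flags\s+(?P<flags>\S+)"
)

# Assumed global idle timeouts in seconds: 'timeout udp 0:02:00', 'timeout conn 1:00:00'.
DEFAULT_TIMEOUTS = {"UDP": 2 * 60, "TCP": 60 * 60}

# Constructed sample, modelled on the post (three stale DNS conns plus other services).
SAMPLE = """\
UDP prod  192.0.2.10:53 dmz  198.51.100.5:55639, idle 112:33:59, bytes 419, flags -
UDP prod  192.0.2.10:53 dmz  198.51.100.5:55638, idle 112:34:00, bytes 419, flags -
UDP prod  192.0.2.10:53 dmz  198.51.100.5:55603, idle 112:34:30, bytes 129, flags -
UDP prod  192.0.2.20:161 dmz  198.51.100.7:40001, idle 0:01:30, bytes 90, flags -
UDP prod  192.0.2.30:389 dmz  198.51.100.9:40500, idle 0:45:12, bytes 1204, flags -
TCP prod  192.0.2.40:443 dmz  198.51.100.9:40600, idle 0:40:00, bytes 8801, flags UIO
""".splitlines()


def idle_seconds(hms):
    """Convert the 'idle H:MM:SS' field to seconds (hours are not bounded to 24)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn(line):
    """Parse one 'show conn' line into a dict, or None if it is not a conn entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "src": f'{d["in_ip"]}:{d["in_port"]}',
        "dst": f'{d["out_ip"]}:{d["out_port"]}',
        # Heuristic: the well-known (lower) port is taken as the service port.
        "service_port": min(int(d["in_port"]), int(d["out_port"])),
        "idle": idle_seconds(d["idle"]),
        "bytes": int(d["bytes"]),
        "flags": d["flags"],
    }


def stale_connections(lines, timeouts=DEFAULT_TIMEOUTS, policy_idle=None):
    """Return conns whose idle time exceeds the timeout that should have applied.

    policy_idle (assumption): idle timeout in seconds from a 'set connection
    timeout idle' under a 'match any' class; when given it overrides the global
    per-protocol value for every conn, TCP and UDP alike.
    """
    stale = []
    for line in lines:
        c = parse_conn(line)
        if c is None:
            continue  # headers, counters, blank lines
        limit = policy_idle if policy_idle is not None else timeouts[c["proto"]]
        if c["idle"] > limit:
            stale.append(c)
    return stale


def summarize(conns):
    """Count conns and the longest idle time per (proto, service port)."""
    buckets = defaultdict(lambda: {"count": 0, "max_idle": 0})
    for c in conns:
        b = buckets[(c["proto"], c["service_port"])]
        b["count"] += 1
        b["max_idle"] = max(b["max_idle"], c["idle"])
    return dict(buckets)


def report(lines=SAMPLE, policy_idle=None):
    """Per-port summary of conns that outlived their effective idle timeout."""
    return summarize(stale_connections(lines, policy_idle=policy_idle))


if __name__ == "__main__":
    for (proto, port), b in sorted(report().items()):
        hours, rest = divmod(b["max_idle"], 3600)
        print(f"{proto}/{port}: {b['count']} stale, longest idle {hours}h{rest // 60:02d}m")
```

Paste the real "show conn" output in place of SAMPLE (or read it from a file). The per-port summary tells you which "clear conn port N" buys back the most table space, and whether the entries that outlived their timeout cluster on one inspected port (pointing at an inspection interaction, as with DNS here) or spread across ports (pointing at the global or policy-map timeout itself).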

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Ken,

I think I saw it once (bug); I am looking for the bug ID.

The workaround available was:

Please remove the DNS inspection and clear the local host table of the ASA.

Let me know if this is the case.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

13 Replies

Seeing these types of posts makes me laugh.

One of the many features that Cisco claimed made it better than other firewall vendors is the "deep inspection" of packets such as sqlnet, esmtp, DNS, etc.

I have seen a lot of postings in these firewall forums where, whenever someone has an issue with sqlnet, esmtp, or in this case DNS, the workaround is almost always "disable inspection".  If you're going to disable "inspection" on the ASA, then what is the point of using the firewall in the first place?

Hello David,

No need to be sarcastic... Try to provide something useful to the discussion so we can help each other. In this case we are mentioning a software bug and, as I said, it is a ****work-around****, not a solution. If this is the same bug I remember, we are still working on the fix code.

We are here to help, not to criticize.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I was trying to be funny; I guess that did not work.

On a serious note, let's say this is an Internet-facing firewall and I run into this issue.  As a "work-around", I have to "disable DNS inspection" on my Internet-facing firewall to get things working again.  By disabling DNS inspection on my Internet firewall, isn't that a security risk?

Hello David,

Sorry if I was a little serious.

Of course it is a security risk, but we are trying to solve this. Let's try to get to the root cause of the issue and then move from there.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for that.

Luckily, this particular firewall is only in a sandpit environment.

I've been doing a bit more looking though, and it seems the remaining 38k connections are mostly a mix of udp 161 (SNMP) and udp 389 (AD LDAP).

Inspection for SNMP was never enabled, and there doesn't seem to be any inspection option for LDAP.

Any suggestions?

p.s.  It looks like I won't be rolling this version into production...

Have you taken out the DNS inspection and tested it?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

DNS inspection has been removed.

The DNS connections still aren't timing out though.

Hello,

Thanks for the update, so it is definitely something new and interesting.

Let me see what I can investigate on this.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Are you by any chance applying connection limits/timeouts via a policy-map? I noted unexpected behaviour with this and DNS timeouts just today. ASA 5540 active/active 9.1.


I had 'match any' and the timeouts I _thought_ were TCP-specific (30 min idle timeout) also applied to UDP. Result: thousands of idle DNS, SNMP etc. state entries.


David,

None of my policy maps set connection limits or timeouts (they're all for inspection).

On another note, I've since cleared all the connections, and none of the new ones seem to be exceeding the timeout values.  Seems like I can't replicate my original problem.

Hello Ken,

Is there a way you could provide your configuration, or send it in a private message, so I can double-check it?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC