01-21-2013 04:18 PM - edited 03-11-2019 05:50 PM
Hi,
I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1).
It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.
A lot of the connections looked like this:
UDP prod x.x.x.x:53 dmz y.y.y.y:55639, idle 112:33:59, bytes 419, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55638, idle 112:34:00, bytes 419, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55603, idle 112:34:30, bytes 129, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55602, idle 112:34:30, bytes 227, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55600, idle 112:34:31, bytes 227, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55599, idle 112:34:31, bytes 227, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55597, idle 112:34:31, bytes 479, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55595, idle 112:34:31, bytes 128, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55594, idle 112:34:31, bytes 413, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55568, idle 112:34:44, bytes 227, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55567, idle 112:34:44, bytes 227, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55566, idle 112:34:44, bytes 413, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55565, idle 112:34:44, bytes 413, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55564, idle 112:34:44, bytes 227, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55563, idle 112:34:44, bytes 227, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55562, idle 112:34:44, bytes 479, flags -
UDP prod x.x.x.x:53 dmz y.y.y.y:55561, idle 112:34:44, bytes 479, flags -
The config guide notes that the "timeout udp ..." command doesn't affect DNS.
Any ideas on how to time out DNS connections?
Thanks,
Ken.
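A small parser for the "show conn" lines quoted above, added here as an example rather than anything posted in the thread: it counts entries per protocol/service port and flags those idle longer than a limit, which is how you would confirm that a particular service (DNS here) is what is filling the connection table. The sample lines, the RFC 5737 addresses in them and the 120-second limit (the ASA default "timeout udp" of 0:02:00) are assumptions.

```python
import re
from collections import defaultdict

# Line format as printed by "show conn" on the ASA in the thread above.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[^:\s]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[^:\s]+):(?P<port_b>\d+),\s+"
    r"idle\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)

def parse_conn_line(line):
    """Return a dict for one 'show conn' line, or None if the line does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    idle = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
    pa, pb = int(d["port_a"]), int(d["port_b"])
    return {
        "proto": d["proto"],
        "service_port": min(pa, pb),  # heuristic: the lower port is the service side
        "idle_seconds": idle,
        "bytes": int(d["bytes"]),
        "flags": d["flags"],
    }

def stale_by_service(lines, idle_limit=120):
    """Count connections per (proto, service_port) and how many exceed idle_limit seconds.
    120 s is the ASA default 'timeout udp' (0:02:00); DNS entries that ignore it, as in the
    thread, show up here with a stale count equal to their total."""
    summary = defaultdict(lambda: {"total": 0, "stale": 0, "max_idle": 0})
    for line in lines:
        c = parse_conn_line(line)
        if c is None:
            continue  # skip banners, blank lines and anything else that is not a conn entry
        s = summary[(c["proto"], c["service_port"])]
        s["total"] += 1
        if c["idle_seconds"] > idle_limit:
            s["stale"] += 1
        s["max_idle"] = max(s["max_idle"], c["idle_seconds"])
    return dict(summary)

# Constructed sample in the same shape as the thread's output (RFC 5737 addresses).
SAMPLE = """\
UDP prod 192.0.2.10:53 dmz 198.51.100.5:55639, idle 112:33:59, bytes 419, flags -
UDP prod 192.0.2.10:53 dmz 198.51.100.5:55638, idle 112:34:00, bytes 419, flags -
UDP prod 192.0.2.10:53 dmz 198.51.100.5:55603, idle 112:34:30, bytes 129, flags -
UDP prod 192.0.2.20:161 dmz 198.51.100.7:40100, idle 0:01:10, bytes 98, flags -
UDP prod 192.0.2.30:389 dmz 198.51.100.9:50001, idle 0:05:12, bytes 311, flags -
TCP prod 192.0.2.40:443 dmz 198.51.100.9:50002, idle 0:00:03, bytes 5120, flags UIO
""".splitlines()

if __name__ == "__main__":
    for (proto, port), s in sorted(stale_by_service(SAMPLE).items()):
        print(f"{proto}/{port}: {s['total']} conns, {s['stale']} idle > 120 s, max idle {s['max_idle']} s")
```

Feed it the saved output of "show conn" to get the same per-service breakdown for a real table.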
01-21-2013 04:54 PM
Hello Ken,
I think I saw it once (bug), I am looking for the bug ID
Workaround available was :
Please remove the DNS inspection and clear the local host table of the ASA....
Let me know if this is the case
01-21-2013 05:33 PM
Seeing these types of posts makes me laugh.
One of the many features that Cisco claimed to be better than other firewall vendors is the "deep inspection" packets such as sqlnet, esmtp, DNS, etc...
I have seen a lot of postings in these firewall forums that whenever someone has an issue with either sqlnet, esmtp, and in this case, DNS, the work around is almost always "disable inspection". If you're going to disable "inspection" on the ASA, then what is the point of using the firewall in the first place?
01-21-2013 05:42 PM
Hello David,
No need to be sarcastic...... Try to provide something useful to the discussion so we can help each other. In this case we are mentioning a software bug and, as I said, it is a ****Work-around**** not a solution. If this is the same bug I remember, we are still working on the fix code.
We are here to help not to criticize.....
Regards,
01-21-2013 05:50 PM
I am trying to be funny, guess that did not work
On a serious note, let's say this is an Internet facing firewall and I run into this issue. As a "work-around", I have to "disable DNS inspection" on my Internet facing firewall to get things working again. By disabling DNS inspection on my Internet firewall, isn't that a security risk?
01-21-2013 07:17 PM
Hello David,
Sorry if I was a little serious
Of course it is a security risk, but we are trying to solve this. Let's try to get to the root cause of the issue and then move from there.
01-21-2013 06:26 PM
Thanks for that.
Luckily, this particular firewall is only in a sandpit environment.
I've been doing a bit more looking though, and it seems the remaining 38k connections are mostly a mix of udp 161 (SNMP) and udp 389 (AD LDAP).
Inspection for SNMP was never enabled, and there doesn't seem to be any inspection option for LDAP.
Any suggestions?
p.s. It looks like I won't be rolling this version into production...
01-21-2013 07:17 PM
Have you taken out the DNS inspection and tested it?
01-21-2013 07:39 PM
DNS inspection has been removed.
The DNS connections still aren't timing out though.
01-21-2013 09:23 PM
Hello,
Thanks for the update, so it is definitely something new and interesting.
Let me see what I can investigate on this
01-23-2013 01:09 PM
Are you by any chance applying connection limits/timeouts via a policy-map? I noted unexpected behaviour with this and DNS timeouts just today. ASA 5540 active/active 9.1.
Sent from Cisco Technical Support iPad App
01-23-2013 01:12 PM
I had 'match any' and the timeouts I _thought_ were TCP specific (30 min idle timeout) also applied to UDP. Result - thousands of idle DNS, SNMP etc. state entries.
Sent from Cisco Technical Support iPad App
01-23-2013 03:55 PM
David,
None of my policy maps set connection limits or timeouts (they're all for inspection).
On another note, I've since cleared all the connections, and none of the new ones seem to be exceeding the timeout values. Seems like I can't replicate my original problem.
01-23-2013 03:59 PM
Hello Ken,
Is there a way you could provide your configuration or send it in a private message so I can double check it?
Regards