Cisco ASA Internal FW - Error Message %ASA-4-209005

RG78874
Level 1

Hi, I have a Cisco ASA filling up our logs in the thousands. Below is the error.

I've been through the article https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-201002-to-219002.html

But I do not understand how to stop these errors as the article suggests; I am not even sure what to do exactly.

Recommended Action: A possible intrusion event may be in progress. If the message persists, contact the remote peer administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx interface_name command.

209005

Error Message %ASA-4-209005: Discard IP fragment set with more than number elements: src=Too many elements are in a fragment set. 

Can someone help me with the recommended action? I do not understand it.

Logs are filling up every millisecond.

27 Replies

Sorry, rule for fragment? Can you elaborate?

Thanks

MHM

Does that mean the initiator of those connections is external? If so, maybe that traffic is intended? If not, you might have some loose security policies and NAT rules that are allowing unauthorized traffic to pass through. Could you please share your sanitized ACL that is applied to the outside interface and a couple of those logs for review?

RG78874
Level 1

I checked the traffic logs and the Source is coming from the External NLB that is on the Outside interface this then goes into the Inside Interface, where I cannot see an Access Rule.

The traffic I have found is to do with a scanning tool that is part of reporting checks.

The monitoring logs show the following in the ASA:

Discard IP fragment set with more than 1 elements: src=x.x.x.x, dest = x.x.x.x, proto=UDP id = xxxx

(Where "x" stands for the IP addresses)

My question is @MHM Cisco World @Aref Alsouqi

Would you say this message in the logs indicates that I need an access rule in place, or would it indicate something else?

Discard IP fragment set with more than 1 elements: src=x.x.x.x, dest = x.x.x.x, proto=UDP id = xxxx

**Just to be clear, I am expecting this traffic, it is safe**

External Load Balancer (Outside Interface) > traffic sent through hitting Inside Interface trying to go through, but no access rule is in place to support it

Can you share

show fragment

MHM

```
Interface: MANAGEMENT
Configuration: Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Run-time stats: Queue: 0, Full assembly: 0
Drops: Size overflow: 0, Timeout: 0, Chain overflow: 0, Fragment queue threshold exceeded: 0, Small fragments: 0, Invalid IP len: 0, Reassembly overlap: 12, Fraghead alloc failed: 0, SGT mismatch: 0, Block alloc failed: 0, Invalid IPV6 header: 0, Passenger flow assembly failed: 0
Interface: INSIDE
Configuration: Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
Run-time stats: Queue: 0, Full assembly: 0
Drops: Size overflow: 0, Timeout: 0, Chain overflow: 0, Fragment queue threshold exceeded: 0, Small fragments: 0, Invalid IP len: 0, Reassembly overlap: 3, Fraghead alloc failed: 0, SGT mismatch: 0, Block alloc failed: 0, Invalid IPV6 header: 0, Passenger flow assembly failed: 0
Interface: OUTSIDE_NLB
Configuration: Size: 200, Chain: 1, Timeout: 5, Reassembly: virtual
Run-time stats: Queue: 0, Full assembly: 0
Drops: Size overflow: 0, Timeout: 0, Chain overflow: 275508, Fragment queue threshold exceeded: 0, Small fragments: 0, Invalid IP len: 0, Reassembly overlap: 0, Fraghead alloc failed: 0, SGT mismatch: 0, Block alloc failed: 0, Invalid IPV6 header: 0, Passenger flow assembly failed: 0
Interface: OUTSIDE MANAGEMENT
Configuration: Size: 200, Chain: 1, Timeout: 5, Reassembly: virtual
Run-time stats: Queue: 0, Full assembly: 0
Drops: Size overflow: 0, Timeout: 0, Chain overflow: 6, Fragment queue threshold exceeded: 0, Small fragments: 0, Invalid IP len: 0, Reassembly overlap: 0, Fraghead alloc failed: 0, SGT mismatch: 0, Block alloc failed: 0, Invalid IPV6 header: 0, Passenger flow assembly failed: 0
```

@MHM Cisco World Can you see any issues with my show fragment output?

Yes, I already see it, but I need to check more.
The chain is 1, i.e. the ASA accepts only one frag of any packet; other frags are dropped.
The default is 24. Did you adjust it?
MHM

I don't believe these logs would be related to the ACL entries. The error messages get generated because the received traffic is exceeding the maximum allowed fragments per packet on the ASA. Although you can change that value from its default, which I believe is 24 fragments, with the command "fragment chain ...", I wouldn't recommend this. However, I would recommend speaking to the external scanner team and trying to understand why their traffic is being sent with such large packets that they get fragmented into more than 24 fragments per packet, and trying to work with them on fixing this issue.

On the other hand, you mentioned "External Load Balancer (Outside Interface) > traffic sent through hitting Inside Interface trying to go through, but no access rule is in place to support it". Are you referring to an entry on the ACL applied to the inside or to the outside interface? If this traffic is legitimate, then I think it should be allowed all the way up to the destination(s).

In the above output you can see "Chain: 1" on both outside interfaces, which means the ASA will only accept the traffic packets if they are not fragmented, as already mentioned by @MHM Cisco World.

If there is no specific reason behind these configs, then you can change the value back to its default, which is 24 fragments per packet. To do so, you can use the command "fragment chain 24 < the interface name >" or you can do "no fragment chain 1 < the interface name >", which should revert the config to its default.
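To make the two checks discussed in this thread repeatable (reading `show fragment` for interfaces whose chain limit is below the default and already racking up chain-overflow drops, and counting which sources are behind the %ASA-4-209005 messages), here is a small parser. This is an added example written for this page, not code from the thread, from Cisco, or from any tool; the `show fragment` text and the syslog lines are constructed samples modelled on the format quoted above, the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 addresses are documentation ranges, and the default chain of 24 is the value the replies state.

```python
import re
from collections import Counter
from typing import Dict, List

# Default fragments-per-packet limit on the ASA, as stated in the thread.
DEFAULT_CHAIN = 24

# Constructed sample in the layout of the 'show fragment' output posted above.
SAMPLE_SHOW_FRAGMENT = """\
Interface: INSIDE
Configuration: Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual Run-time stats: Queue: 0, Full assembly: 0
Drops: Size overflow: 0, Timeout: 0,
Chain overflow: 0, Fragment queue threshold exceeded: 0, Small fragments: 0, Invalid IP len: 0, Reassembly overlap: 3, Fraghead alloc failed: 0, SGT mismatch: 0, Block alloc failed: 0,
Invalid IPV6 header: 0, Passenger flow assembly failed: 0
Interface: OUTSIDE_NLB
Configuration: Size: 200, Chain: 1, Timeout: 5, Reassembly: virtual Run-time stats: Queue: 0, Full assembly: 0
Drops: Size overflow: 0, Timeout: 0,
Chain overflow: 275508, Fragment queue threshold exceeded: 0, Small fragments: 0, Invalid IP len: 0, Reassembly overlap: 0, Fraghead alloc failed: 0, SGT mismatch: 0, Block alloc failed: 0,
Invalid IPV6 header: 0, Passenger flow assembly failed: 0
"""

# Constructed syslog lines in the %ASA-4-209005 format quoted in the thread.
SAMPLE_SYSLOG = [
    "%ASA-4-209005: Discard IP fragment set with more than 1 elements: src=198.51.100.10, dest = 192.0.2.20, proto=UDP id = 4101",
    "%ASA-4-209005: Discard IP fragment set with more than 1 elements: src=198.51.100.10, dest = 192.0.2.21, proto=UDP id = 4102",
    "%ASA-4-209005: Discard IP fragment set with more than 1 elements: src=198.51.100.10, dest = 192.0.2.20, proto=UDP id = 4103",
    "%ASA-4-209005: Discard IP fragment set with more than 1 elements: src=203.0.113.7, dest = 192.0.2.20, proto=TCP id = 9001",
]

# Section labels that may start a line or appear mid-line ("... Reassembly: virtual Run-time stats: ...").
SECTION_RE = re.compile(r"(Configuration|Run-time stats|Drops):")
# "Name: value" pairs separated by commas; values may be numbers or words such as "virtual".
COUNTER_RE = re.compile(r"([A-Za-z0-9 ]+?):\s*([^,]+?)\s*(?:,|$)")
SYSLOG_RE = re.compile(
    r"%ASA-4-209005: Discard IP fragment set with more than (\d+) elements: "
    r"src=(\S+), dest = (\S+), proto=(\w+) id = (\w+)"
)


def parse_show_fragment(text: str) -> Dict[str, Dict[str, Dict[str, object]]]:
    """Return {interface: {section: {counter: value}}}; sections keep the
    Configuration 'Timeout' apart from the Drops 'Timeout' counter."""
    stats: Dict[str, Dict[str, Dict[str, object]]] = {}
    iface = None
    section = None
    for line in text.splitlines():
        m = re.match(r"Interface:\s*(.+?)\s*$", line)
        if m:
            iface, section = m.group(1), None
            stats[iface] = {}
            continue
        if iface is None:
            continue
        parts = SECTION_RE.split(line)
        # parts[0] continues the current section; then (label, text) pairs follow.
        chunks = [(None, parts[0])] + list(zip(parts[1::2], parts[2::2]))
        for label, body in chunks:
            if label is not None:
                section = label
            if section is None or not body.strip():
                continue
            bucket = stats[iface].setdefault(section, {})
            for name, value in COUNTER_RE.findall(body):
                bucket[name.strip()] = int(value) if value.isdigit() else value
    return stats


def assess(stats: Dict[str, Dict[str, Dict[str, object]]]) -> List[dict]:
    """Flag interfaces whose chain limit is below the default, with the drop count
    and the command from the thread that restores the default."""
    findings = []
    for iface, sections in stats.items():
        chain = sections.get("Configuration", {}).get("Chain")
        overflow = sections.get("Drops", {}).get("Chain overflow", 0)
        if isinstance(chain, int) and chain < DEFAULT_CHAIN:
            findings.append({
                "interface": iface,
                "chain": chain,
                "chain_overflow_drops": overflow,
                "restore_default": f"fragment chain {DEFAULT_CHAIN} {iface}",
            })
    return findings


def summarize_209005(lines: List[str]) -> Dict[str, Counter]:
    """Count %ASA-4-209005 messages per source and per (src, dst, proto) flow,
    which is how you tell one noisy scanner apart from a broad intrusion pattern."""
    by_src: Counter = Counter()
    by_flow: Counter = Counter()
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        _limit, src, dst, proto, _ident = m.groups()
        by_src[src] += 1
        by_flow[(src, dst, proto)] += 1
    return {"by_src": by_src, "by_flow": by_flow}


if __name__ == "__main__":
    for f in assess(parse_show_fragment(SAMPLE_SHOW_FRAGMENT)):
        print(f)
    print(summarize_209005(SAMPLE_SYSLOG)["by_src"].most_common(3))
```

Feed the real `show fragment` text and a syslog export to the two functions; an interface with a chain of 1 and a climbing "Chain overflow" counter, paired with one dominant source in the 209005 summary, is the pattern the thread describes (a known scanner hitting an interface that accepts only unfragmented packets).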

Thanks for confirming.
MHM

@Aref Alsouqi @MHM Cisco World I haven't changed anything to do with Fragments, this is all new to me. Hence reaching out to the community.

If I change the Fragment chain packet back to default, I'm cautious that this may affect other traffic on that interface.

I need to understand what the reason is for changing the fragment chain in the first place. Why do engineers change this?

I inherited this network and am getting up to speed with it all, and fixing old tickets.

Please refer to the fragment section in this guide:

Cisco Secure Firewall ASA Series Command Reference, A-H Commands - fe – fz [Cisco Secure Firewall ASA] - Cisco

As mentioned, changing the fragment value would be a security best practice, as fragmented packets could potentially be used by attackers to conduct DDoS attacks. However, the default value that any ASA comes with is 24 fragments, so that should be good for your environment unless there was a specific reason behind that change. However, as you can see, having the fragment value changed to 1 is causing some issues with the scanner's legitimate traffic.

As @Aref Alsouqi mentioned, chain set to 1 protects the ASA from DDoS.

And if you confirm it was working, now you see logs about fragment drops.

First thing, we look into the MTU on the outside of the ASA and at the ISP, whether they match or not.

Even a small MTU mismatch can make the ISP fragment the packet and send it to the ASA, which makes the ASA drop it.

So check the MTU.

MHM
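The MTU point above can be checked with arithmetic before touching the firewall: an IPv4 datagram that fits the ASA's outside MTU but not the ISP link's MTU arrives as two or more fragments, and with `fragment chain 1` every such set is discarded. The following is an added example written for this page, not code from the thread or from Cisco; it applies the RFC 791 fragmentation rule (every fragment except the last carries a payload that is a multiple of 8 bytes) and assumes a 20-byte IPv4 header with no options. The 1492 MTU is an illustrative value for a link a little smaller than 1500, not a figure from the thread.

```python
from typing import List, Tuple

IPV4_HEADER_LEN = 20  # bytes; assumes no IP options (illustration assumption)


def fragment_plan(total_length: int, mtu: int,
                  header_len: int = IPV4_HEADER_LEN) -> List[Tuple[int, int, bool]]:
    """Return the fragments (payload_offset, payload_len, more_fragments) that an
    IPv4 datagram of total_length bytes becomes when it crosses a link with the
    given MTU. Per RFC 791 the per-fragment payload is rounded down to a multiple
    of 8 because the fragment offset field counts 8-byte units."""
    if mtu <= header_len:
        raise ValueError("MTU leaves no room for payload")
    if total_length <= mtu:
        return [(0, total_length - header_len, False)]  # no fragmentation needed
    per_fragment = (mtu - header_len) // 8 * 8
    if per_fragment == 0:
        raise ValueError("MTU too small to carry one 8-byte fragment block")
    payload = total_length - header_len
    plan: List[Tuple[int, int, bool]] = []
    offset = 0
    while offset < payload:
        size = min(per_fragment, payload - offset)
        more = offset + size < payload  # MF flag set on all but the last fragment
        plan.append((offset, size, more))
        offset += size
    return plan


def fragment_count(total_length: int, mtu: int,
                   header_len: int = IPV4_HEADER_LEN) -> int:
    """Number of fragments the receiver must chain to reassemble the datagram."""
    return len(fragment_plan(total_length, mtu, header_len))


def accepted_by_chain(total_length: int, mtu: int, chain_limit: int,
                      header_len: int = IPV4_HEADER_LEN) -> bool:
    """True if the fragment set stays within 'fragment chain <chain_limit>' on
    the receiving interface; otherwise the ASA discards it (%ASA-4-209005)."""
    return fragment_count(total_length, mtu, header_len) <= chain_limit


if __name__ == "__main__":
    # Constructed cases: an exact fit, a slightly smaller upstream MTU, a larger
    # UDP datagram, and the largest IPv4 datagram.
    for size, mtu in [(1500, 1500), (1500, 1492), (4000, 1500), (65535, 1500)]:
        n = fragment_count(size, mtu)
        verdict = {c: "pass" if accepted_by_chain(size, mtu, c) else "drop" for c in (1, 24)}
        print(f"{size}-byte datagram over MTU {mtu}: {n} fragment(s); "
              f"chain 1 -> {verdict[1]}, chain 24 -> {verdict[24]}")
```

The second case is the one MHM describes: a 1500-byte datagram over a link with an MTU only 8 bytes smaller arrives as a 1472-byte fragment plus an 8-byte tail, which chain 1 rejects and the default chain 24 accepts. The last case shows why the default is still a limit: a maximum-size datagram needs 45 fragments at MTU 1500, so traffic like that is dropped even with the default, which is the situation Aref's reply about very large scanner packets refers to.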
