Cisco ASA Internal FW - Error Message %ASA-4-209005

RG78874 (Level 1)

Hi, I have a Cisco ASA filling up our logs in the thousands. Below is the error.

I've been through the article https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-201002-to-219002.html

But I do not understand how to stop these errors. The article suggests a recommended action, but I am not even sure what to do exactly.

209005

Error Message %ASA-4-209005: Discard IP fragment set with more than number elements: src=

Explanation: Too many elements are in a fragment set.

Recommended Action: A possible intrusion event may be in progress. If the message persists, contact the remote peer administrator or upstream provider. You can change the number of fragments per packet by using the fragment chain xxx interface_name command.

Can someone help me with the recommended action, I do not understand it.

 

Logs are filling up every millisecond.


You might be receiving those logs because there is an ongoing attack, as suggested in the provided description. A quick remediation action would be to shun the attacking IP addresses; you can do that with the command "shun <IP address>". The shun entries won't survive a firewall reload. You can remove the shunned IP by using the "no shun ..." command. However, even if this remediation works for you, it would just be a temporary solution, and you might need to investigate a more robust solution to mitigate against such DDoS attacks.

Are the packets from the same source IP?
MHM

@MHM Cisco World yes, they are from the same source IP. It is all internal traffic, so we have not classed it as an attack.

And I can see a subnet for this address on our FW, but I have no other idea about this issue.

You can directly
shun <IP>
as @Aref Alsouqi mentioned.
This will drop any traffic toward the ASA from this IP.
MHM

@MHM Cisco World however, this recommended action, does that come into play?

"You can change the number of fragments per packet by using the fragment chain xxx interface_name command."

I'm trying to understand the above?

Does the shun ip command stop the traffic, and how long for?

The shunned IP will stay denied until you unshun it, or until the firewall is reloaded.

"You can change the number of fragments per packet by using the fragment chain xxx interface_name command." <<- that is why I asked whether it is from the same IP or different IPs.
If it is the same IP, then it is a hack.
If different, then you need to change the ASA's fragment behavior.
You confirmed it is from the same IP, so shun it.
Since your ASA has no issue with other clients, its config is OK.
MHM

The recommendation of changing the number of fragments, or even disabling fragmentation, comes from the fact that DDoS attacks might rely on fragmentation to confuse firewalls. So, as a best practice, Cisco recommends turning off fragmentation if it is not used by any application or if it is not necessary. By default the ASA allows up to 24 fragments, with a maximum of 200, I think, queued waiting for reassembly.

If that IP is internal, I would try to run a packet capture on the interface connected to that subnet and check if there is any suspicious traffic sourced by that host. It could be that the internal host is infected by a virus or has malware doing some weird things.
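The replies above turn on one question: is the flood of 209005 messages coming from a single source (shun it, after confirming who owns the host) or from many sources (the fragment settings on the ASA need reviewing)? The following is an added example, not code posted in this thread or shipped by Cisco. It parses constructed syslog lines in the shape quoted later in this thread (src / dest / proto / id), counts events per source, and prints the CLI commands the thread discusses (shun, no shun, fragment chain). The 0.8 share threshold, the regex group names and the sample addresses are my assumptions; `show fragment` is a standard ASA show command that the thread itself does not mention. Note that `shun` drops all packets from that source address passing through the ASA, not only traffic destined for the ASA, and is lost on reload as Aref says.

```python
"""Triage %ASA-4-209005 syslog noise: one noisy source vs. many sources."""
import re
from collections import Counter

# Message shape as quoted in the thread. Spacing around "=" and the commas varies
# between ASA releases, so both are optional. Group names are mine (hypothetical).
MSG_RE = re.compile(
    r"%ASA-4-209005: Discard IP fragment set with more than (?P<limit>\d+) elements: "
    r"src\s*=\s*(?P<src>[0-9a-fA-F.:]+),?\s*dest\s*=\s*(?P<dst>[0-9a-fA-F.:]+),?\s*"
    r"proto\s*=\s*(?P<proto>\w+),?\s*id\s*=\s*(?P<frag_id>\d+)"
)

# Constructed sample syslog (not from the original post): one host produces nearly
# all of the 209005 events, a second host appears once, one unrelated line is mixed in.
SAMPLE_LOG = """\
Jan 10 09:12:01 asa01 %ASA-4-209005: Discard IP fragment set with more than 24 elements: src = 10.20.30.40, dest = 10.0.0.15, proto = UDP, id = 4101
Jan 10 09:12:01 asa01 %ASA-4-209005: Discard IP fragment set with more than 24 elements: src = 10.20.30.40, dest = 10.0.0.15, proto = UDP, id = 4102
Jan 10 09:12:02 asa01 %ASA-4-209005: Discard IP fragment set with more than 24 elements: src=10.20.30.40, dest = 10.0.0.15, proto=UDP id = 4103
Jan 10 09:12:02 asa01 %ASA-4-209005: Discard IP fragment set with more than 24 elements: src=10.20.30.40, dest = 10.0.0.15, proto=UDP id = 4104
Jan 10 09:12:02 asa01 %ASA-6-302015: Built inbound UDP connection 77 for outside:10.20.30.40/53000 (10.20.30.40/53000) to inside:10.0.0.15/514 (10.0.0.15/514)
Jan 10 09:12:03 asa01 %ASA-4-209005: Discard IP fragment set with more than 24 elements: src = 192.0.2.9, dest = 10.0.0.15, proto = UDP, id = 77
Jan 10 09:12:03 asa01 %ASA-4-209005: Discard IP fragment set with more than 24 elements: src = 10.20.30.40, dest = 10.0.0.15, proto = UDP, id = 4105
"""


def parse_209005(line):
    """Return the 209005 fields of one syslog line, or None if it is another message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["limit"] = int(event["limit"])      # the configured fragment chain limit
    event["frag_id"] = int(event["frag_id"])  # IP identification field of the set
    return event


def triage(log_text, single_source_share=0.8):
    """Count 209005 events per source and map the result onto the thread's advice.

    single_source_share is a hypothetical threshold (assumption): if one source
    accounts for at least that share of events, treat it as a single noisy host.
    """
    events = [e for e in map(parse_209005, log_text.splitlines()) if e]
    result = {"events": len(events),
              "by_src": Counter(e["src"] for e in events),
              "commands": []}
    if not events:
        result["verdict"] = "no 209005 events"
        return result

    top_src, top_n = result["by_src"].most_common(1)[0]
    result["limit"] = max(e["limit"] for e in events)
    n_src = len(result["by_src"])

    if top_n / len(events) >= single_source_share:
        # One host dominates. The thread's advice is to shun it, but identify the
        # owner first: the OP's source turned out to be their own external NLB.
        result["verdict"] = (f"single source {top_src} ({top_n}/{len(events)} events): "
                             "identify the owner, then shun only if it is hostile")
        result["commands"] = [f"shun {top_src}", f"no shun {top_src}"]
    else:
        # Many hosts trip the same limit: tune fragment handling instead of shunning.
        result["verdict"] = (f"many sources ({n_src} hosts, {len(events)} events): "
                             "review fragment settings rather than shunning one host")
        result["commands"] = ["show fragment <interface_name>",
                              "fragment chain <count> <interface_name>"]
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r["verdict"])
    for src, n in r["by_src"].most_common():
        print(f"  {src}: {n}")
    print("suggested CLI:", "; ".join(r["commands"]))
```

Run against the constructed sample, it reports 10.20.30.40 as the single source (5 of 6 events) and prints the shun/no shun pair; feed it a capture where the events are spread over several hosts and it points at the fragment chain setting instead. In practice, run it over a `show logging` dump or the syslog server's file and compare the top source against your own address plan before touching the firewall.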

Shun will drop traffic until you do "no shun".
@Aref Alsouqi shun this IP, and then the client will complain, and we will know who it is and which OS it uses.
MHM

Could be an option, but I would go with a more specific, softer approach :). If the packet capture shows that this endpoint is talking to something malicious, maybe a deny rule for that specific traffic type would be a good start. However, if the IP were external, then I would go straight to the shun.

RG78874 (Level 1)

Ok thank you both, I will review both your comments and have a think about the impact. I will update the post once I have actioned.

RG78874 (Level 1)

@MHM Cisco World @Aref Alsouqi 

Hey guys - I checked the traffic logs, and the source is an external NLB on an outside interface talking to an inside interface (our reporting tool).

However the rules are on the OUTSIDE interface of the ASA.

Would I need to add the rules on the INSIDE interface of the ASA, as we do not have a rule in place? And will this then stop the error in the monitoring logs: Discard IP fragment set with more than 1 elements: src=x.x.x.x, dest = x.x.x.x, proto=UDP id = xxxx (these are random numbers)?
