04-15-2015 08:27 AM - edited 03-11-2019 10:46 PM
Dear Sirs!
I have two Cisco ASA5515X and an IPsec tunnel between them.
On the inside networks I have Cisco 3925 routers, and these routers are connected together by an IPIP tunnel without encryption (the encryption is done by the ASAs: the IPIP tunnel runs inside the IPsec tunnel).
This tunnel is needed for EIGRP to work.
====================================
Tunnel interface on router1:
interface Tunnel2
description -= Tunnel QinQ =-
bandwidth 100000
ip address 10.255.0.5 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 10.255.0.67
tunnel mode ipip
tunnel destination 10.255.0.68
service-policy output AGG_POL_TUN1
end
Policy Map AGG_POL_TUN1
Class class-default
Average Rate Traffic Shaping
cir 100000000 (bps)
service-policy POL_TUN1
Policy Map POL_TUN1
Class EIGRP_CL
priority 1 (%)
Class AVAYA
priority 5 (%)
Class SERVERS_TO_SERVERS_CL
bandwidth remaining 60 (%)
fair-queue
Class class-default
bandwidth remaining 40 (%)
fair-queue
Tunnel interface on the router 2:
interface Tunnel2
description -= Tunnel QinQ =-
bandwidth 100000
ip address 10.255.0.6 255.255.255.252
ip access-group TUNACL_USERS out
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 10.255.0.68
tunnel mode ipip
tunnel destination 10.255.0.67
service-policy output AGG_POL_TUN1
end
Policy Map AGG_POL_TUN1
Class class-default
Average Rate Traffic Shaping
cir 100000000 (bps)
service-policy POL_TUN1
Policy Map POL_TUN1
Class AVAYA
priority 5 (%)
Class SERVERS_TO_SERVERS_CL
bandwidth remaining 60 (%)
fair-queue
Class EIGRP_CL
priority 1 (%)
Class CL_RUTOLL_DISP_NORTH
police rate 25000000 bps burst 8500000 bytes
conform-action transmit
exceed-action drop
Class class-default
bandwidth remaining 40 (%)
service-policy INDEFAULT_MAP
ping 10.255.0.6 df-bit size 1400
Type escape sequence to abort.
Sending 5, 1400-byte ICMP Echos to 10.255.0.6, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
ping 10.255.0.6 df-bit size 1401
Type escape sequence to abort.
Sending 5, 1401-byte ICMP Echos to 10.255.0.6, timeout is 2 seconds:
Packet sent with the DF bit set
.....
Success rate is 0 percent (0/5)
ping 10.255.0.68 source 10.255.0.67 df-bit size 1446
Type escape sequence to abort.
Sending 5, 1446-byte ICMP Echos to 10.255.0.68, timeout is 2 seconds:
Packet sent with a source address of 10.255.0.67
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
ping 10.255.0.68 source 10.255.0.67 df-bit size 1447
Type escape sequence to abort.
Sending 5, 1447-byte ICMP Echos to 10.255.0.68, timeout is 2 seconds:
Packet sent with a source address of 10.255.0.67
Packet sent with the DF bit set
M.M.M
====================================
From the other router, I ping through the tunnel:
ping 10.50.2.251 source 10.0.2.1 df-bit size 1400
Type escape sequence to abort.
Sending 5, 1400-byte ICMP Echos to 10.50.2.251, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
Packet sent with the DF bit set
!!!!!
ping 10.50.2.251 source 10.0.2.1 df-bit size 1401
Type escape sequence to abort.
Sending 5, 1401-byte ICMP Echos to 10.50.2.251, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.1
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
But on the IDS on the ASA I see many alerts (without the tunnel traffic I did not see this alert):
evIdsAlert: eventId=6820745803980 vendor=Cisco severity=informational
originator:
hostId: sensor_south1
appName: sensorApp
appInstanceId: 1260
time: апр 15, 2015 10:42:38 UTC offset=3 timeZone=MSK
signature: description=IP Fragment Missing Initial Fragment id=1204 version=S212 type=anomaly created=20050304
subsigId: 0
sigDetails: IP Datagram Missing Initial Fragment
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 0.0.0.0 locality=OUT
target:
addr: 0.0.0.0 locality=OUT
os: idSource=unknown type=unknown relevance=unknown
summary: 45 final=true initialAlert=6820745803978 summaryType=Regular
alertDetails: Regular Summary: 45 events this interval ;
riskRatingValue: 25 targetValueRating=medium
threatRatingValue: 25
interface: po0_0
protocol: IP protocol 0
=======================================================
Also, the policy-map works, but not well: sometimes I have packet loss in the AVAYA class, although the traffic in this class is very small (< 1 Mbps).
What can I do with this?
Thanks!
04-15-2015 09:37 AM
Hmm....
It may be L2TPv3:
evIdsAlert: eventId=6820745809096 vendor=Cisco severity=high alarmTraits=32768
originator:
hostId: sensor_south1
appName: sensorApp
appInstanceId: 1260
time: апр 15, 2015 15:41:55 UTC offset=3 timeZone=MSK
signature: description=IP Fragment Overwrite - Data is Overwritten id=1203 version=S212 type=anomaly created=20030801
subsigId: 0
sigDetails: IP Fragment Overwrite - Data overwritten
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 10.255.0.74 locality=OUT
target:
addr: 10.255.0.73 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
actions:
denyPacketRequestedNotPerformed: true
alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="PortChannel0/0" ;
riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 100
interface: PortChannel0/0 context=single_vf physical=Unknown backplane=PortChannel0/0
protocol: IP protocol 115
My interface:
interface GigabitEthernet0/0
description "L2TPV3"
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1360
duplex full
speed 1000
no cdp enable
no mop enabled
xconnect 10.255.0.73 550 encapsulation l2tpv3 pw-class L2TPV3_Class
end
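As an added example (not code from the thread or from Cisco): a small Python triage helper for evIdsAlert records in the layout shown above. It parses the nested key: value lines, pulls out the signature id, IP protocol and endpoints, and labels fragment-anomaly alerts (ids 1203/1204) carried by tunnel encapsulations (IPIP, GRE, ESP, L2TPv3) as MTU noise to chase with df-bit pings rather than as an attack; summary alerts with 0.0.0.0 endpoints are flagged for drill-down. The sample records, event ids and addresses are constructed.

```python
import re
TUNNEL_PROTOCOLS = {4: "IPIP", 47: "GRE", 50: "ESP", 115: "L2TPv3"}  # IANA numbers
FRAGMENT_SIGS = {1203, 1204}  # fragment-anomaly signature ids seen in the thread
# Constructed sample in the evIdsAlert layout from the thread (not real events)
SAMPLE_ALERTS = """\
evIdsAlert: eventId=1000000000001 vendor=Cisco severity=informational
  signature: description=IP Fragment Missing Initial Fragment id=1204 version=S212 type=anomaly
  attacker:
    addr: 0.0.0.0 locality=OUT
  summary: 45 final=true initialAlert=1000000000000 summaryType=Regular
  protocol: IP protocol 0
evIdsAlert: eventId=1000000000002 vendor=Cisco severity=high
  signature: description=IP Fragment Overwrite - Data is Overwritten id=1203 version=S212 type=anomaly
  attacker:
    addr: 192.0.2.74 locality=OUT
  target:
    addr: 192.0.2.73 locality=OUT
  protocol: IP protocol 115
"""
def parse_alert(record):
    """Flatten one evIdsAlert record into the fields triage needs."""
    fields, side = {}, None
    for line in record.splitlines():
        key, _, value = line.strip().partition(":")
        if key in ("attacker", "target"):
            side = key                     # the next addr line belongs to this side
        elif key == "addr" and side:
            fields[side] = value.split()[0]
        elif key == "signature":
            fields["sig_id"] = int(re.search(r"\bid=(\d+)", value).group(1))
        elif key == "protocol":
            fields["proto"] = int(re.search(r"IP protocol (\d+)", value).group(1))
        elif key == "summary":
            fields["summary"] = True       # rolled-up alert, endpoints not reported
    return fields
def triage(fields):
    """Tunnel MTU noise, a summary needing drill-down, or something to look at."""
    if fields.get("sig_id") not in FRAGMENT_SIGS:
        return "not-a-fragment-signature"
    if fields.get("proto") in TUNNEL_PROTOCOLS:
        return "tunnel-fragmentation:" + TUNNEL_PROTOCOLS[fields["proto"]]
    if fields.get("summary") and fields.get("attacker") == "0.0.0.0":
        return "summary-without-endpoints"  # pull the individual events first
    return "investigate"
def triage_alerts(text):
    """Return (attacker, target, sig_id, label) for every evIdsAlert record in text."""
    records = filter(str.strip, re.split(r"^(?=evIdsAlert:)", text, flags=re.M))
    return [(f.get("attacker"), f.get("target"), f.get("sig_id"), triage(f))
            for f in map(parse_alert, records)]
```

A tunnel-fragmentation label means the sensor is seeing the encapsulating router fragmenting oversized packets; the fix is on the MTU side (the df-bit pings above show where the ceiling is), and the alert should only be tuned down once the fragmentation has actually stopped.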