How to clear a flow on Cisco ASA?

jilse-iph
Level 1

I have an interface with an access-list bound to that interface as "in" ACL with the following line as first line of the ACL:

access-list from-mpls line 1 extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog

But with packet-tracer, i see the following:

packet-tracer input versatel-mpls udp 10.255.9.2 514 10.255.7.2 514 detailed


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 2606510442, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: allow

How can I get rid of that existing flow, which leads to the packet being allowed here even though the access-list denies it? The firmware of the ASA is 9.2.4(10).

I know I can get rid of that flow by rebooting the ASA, but isn't there another possibility (the ASA is in production, so I can't just reboot at any time)?

7 Replies

Marvin Rhoads
Hall of Fame

I believe this should do it:

clear conn protocol udp address 10.255.9.2 address 10.255.7.2 
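As an added example (not code from the thread or from Cisco), the following Python script parses packet-tracer output of the shape quoted in the question, flags the case where phase 1 is a FLOW-LOOKUP hit on an existing flow (which means the ACL phases were skipped and the "allow" verdict says nothing about the access-list), and derives the matching "clear conn" command from the packet-tracer input line so the same protocol and address pair is cleared. Both sample outputs are constructed: the first mirrors the question, the second shows what one would expect once no flow matches and the deny ACE is evaluated. Function and class names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the output quoted in the question:
# phase 1 hits an existing flow, so the ACL is never evaluated and the verdict is allow.
SAMPLE_EXISTING_FLOW = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 2606510442, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate

Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: allow
"""

# Constructed sample of the output expected once no flow matches and the deny ACE
# is evaluated (Config and Drop-reason lines are illustrative, not captured output).
SAMPLE_ACL_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group from-mpls in interface versatel-mpls
access-list from-mpls extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog
Additional Information:

Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    info: list = field(default_factory=list)   # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list = field(default_factory=list)
    action: str = ""                            # final "Action:" from the summary block


def parse_packet_tracer(text):
    """Split packet-tracer output into its numbered phases and the final Action."""
    trace = Trace()
    phase = None
    section = None  # "info" inside Additional Information, "summary" after the bare "Result:"
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            phase = Phase(int(m.group(1)))
            trace.phases.append(phase)
            section = None
        elif line == "Result:":                  # a bare "Result:" opens the summary block
            phase, section = None, "summary"
        elif section == "summary":
            m = re.match(r"Action:\s*(\w+)", line)
            if m:
                trace.action = m.group(1).lower()
        elif phase is None:
            continue
        elif line.startswith("Type:"):
            phase.type = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):         # per-phase "Result: ALLOW" / "Result: DROP"
            phase.result = line.split(":", 1)[1].strip()
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "info" and line:
            phase.info.append(line)
    return trace


def allowed_by_existing_flow(trace):
    """True when the verdict came from a FLOW-LOOKUP hit on an existing flow:
    the ACL phases were skipped, so this trace does not test the access-list."""
    if not trace.phases:
        return False
    first = trace.phases[0]
    return (first.type == "FLOW-LOOKUP" and first.result == "ALLOW"
            and trace.action == "allow"
            and any("using existing flow" in s for s in first.info))


def clear_conn_from_tracer_input(command):
    """Turn 'packet-tracer input <ifc> tcp|udp <src> <sport> <dst> <dport> ...' into the
    'clear conn protocol ... address ... address ...' form from the reply above."""
    m = re.match(r"packet-tracer\s+input\s+\S+\s+(tcp|udp)\s+(\S+)\s+\d+\s+(\S+)\s+\d+", command)
    if not m:
        raise ValueError("only tcp/udp packet-tracer input lines are supported")
    proto, src, dst = m.groups()
    return f"clear conn protocol {proto} address {src} address {dst}"


if __name__ == "__main__":
    before = parse_packet_tracer(SAMPLE_EXISTING_FLOW)
    if allowed_by_existing_flow(before):
        print("ACL not evaluated: verdict came from an existing flow; candidate command:")
        print(clear_conn_from_tracer_input(
            "packet-tracer input versatel-mpls udp 10.255.9.2 514 10.255.7.2 514 detailed"))
    after = parse_packet_tracer(SAMPLE_ACL_DROP)
    print("after clearing:", after.phases[0].type, after.phases[0].result, after.action)
```

The useful check is the first one: a packet-tracer run that opens with FLOW-LOOKUP and "using existing flow" has not exercised the ACL at all, so an "allow" there is not evidence that the deny line is wrong. Re-run packet-tracer after clearing the connection and expect the first phase to change before trusting the verdict.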

After the "clear conn" command, the connection doesn't show up anymore, but the packet-tracer output still generates Phase 1 with "FLOW-LOOKUP" and a found flow. So that command deletes the connection from the connection table, but not the flow record from the flow cache. Maybe it is a bug in firmware 9.2.4(10), but the question remains: how can I get rid of that flow?

I had already tried "clear conn" before I asked that question. I have currently implemented a workaround with NAT on several machines so that the syslog traffic from one ASA no longer matches this flow ...

That's an odd one - I've not seen it happen before that "clear conn" doesn't clear the flow.

Does a packet capture show the traffic actively flowing?

No. The ASA is located at our customer, and I have no direct access to that network.

But syslog messages reach our syslog server with the workaround (doing NAT on several ASAs, so the traffic doesn't match that flow anymore), whereas that traffic doesn't reach our syslog server without the workaround (there is no ACL blocking that traffic). It seems that I have to live with that workaround for the time being ...

Hi,

try clear local-host <IP ADD>

Unfortunately this did not work either. But I have a workaround (the NAT configuration), so it is not so important anymore. Thanks for your help.

This worked for me. I was having the same issue: the traffic was already on the wire before I created the rule, and after adding a Block rule for the same traffic the Snort verdict was still allow. With the help of this command it is now blocking the traffic.


Thanks Marvin!!
