05-04-2017 06:48 AM - edited 03-12-2019 02:19 AM
I have an interface with an access-list bound to that interface as the "in" ACL, with the following line as the first line of the ACL:
access-list from-mpls line 1 extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog
But with packet-tracer, I see the following:
packet-tracer input versatel-mpls udp 10.255.9.2 514 10.255.7.2 514 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 2606510442, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: allow
How can I get rid of that existing flow, which leads here to allowing the packet even though the access-list denies it? The firmware of the ASA is 9.2.4(10).
I know I can get rid of that flow by rebooting the ASA, but isn't there another possibility (the ASA is in production, so I can't just reboot at any time)?
05-04-2017 07:19 AM
I believe this should do it:
clear conn protocol udp address 10.255.9.2 address 10.255.7.2
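A practitioner checking this on an ASA wants to know whether packet-tracer actually reached the ACL or was answered from the connection table: a Phase 1 of type FLOW-LOOKUP with "using existing flow" means the ACL was never consulted, so the verdict says nothing about the new deny line. The script below is an added example, not code from this thread or from Cisco. It parses packet-tracer output, flags a trace short-circuited by an existing flow, builds the clear conn command in the form used in the reply above, and checks whether the traced 5-tuple would match the ACE at all (note that the ACE in the question denies traffic to host 10.255.7.254 while the trace targets 10.255.7.2, so the traced packet would not hit that line even on a fresh trace). The second trace, showing an ACCESS-LIST phase with a DROP, is constructed and abridged to illustrate what a trace that reached the ACL looks like; the ACE parser handles only host/any addresses and eq ports, and the port keyword table is a small subset, both assumptions made for this example.

```python
"""Sanity-check an ASA packet-tracer verdict (added example, not from the thread)."""
import re

PORT_KEYWORDS = {"syslog": 514, "domain": 53, "www": 80, "https": 443}  # subset (assumption)

# Output quoted in the question, abridged to the lines the parser needs.
STALE_FLOW_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 2606510442, using existing flow
Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: allow
"""

# Constructed sample (earlier phases omitted): the packet the ACE really names,
# traced once no connection exists, so the ACL phase runs and the deny line hits.
FRESH_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group from-mpls in interface versatel-mpls
access-list from-mpls extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog
Additional Information:

Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ACE = "access-list from-mpls line 1 extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog"
TRACER_CMD = "packet-tracer input versatel-mpls udp 10.255.9.2 514 10.255.7.2 514 detailed"
FRESH_TRACER_CMD = "packet-tracer input versatel-mpls udp 10.255.9.2 514 10.255.7.254 514"


def parse_packet_tracer(text):
    """Return (phases, action, flow_id); flow_id is set when Phase 1 reused a connection."""
    phases, action, flow_id, current, in_summary = [], None, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"number": int(line.split(":", 1)[1]), "type": "", "result": "", "info": []}
            phases.append(current)
        elif line == "Result:":          # a bare 'Result:' opens the final summary block
            in_summary, current = True, None
        elif in_summary:
            if line.startswith("Action:"):
                action = line.split(":", 1)[1].strip().lower()
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip().upper()
        elif not line.startswith(("Subtype:", "Config:", "Additional Information:")):
            current["info"].append(line)
            m = re.search(r"Found flow with id (\d+)", line)
            if m:
                flow_id = m.group(1)
    return phases, action, flow_id


def acl_evaluated(phases):
    """True only when an ACCESS-LIST phase ran; an existing flow skips it entirely."""
    return any(p["type"] == "ACCESS-LIST" for p in phases)


def clear_conn_for(tracer_cmd):
    """Build the 'clear conn' (form used in the thread) for the traced connection."""
    _, proto, src, _, dst, _ = tracer_cmd.split()[2:8]
    return f"clear conn protocol {proto} address {src} address {dst}"


def parse_ace(ace):
    """Parse an extended ACE; only 'host'/'any' addresses and 'eq' ports are handled."""
    t = ace.split()
    rest = t[t.index("extended") + 1:]
    fields, pos = {"action": rest[0], "proto": rest[1]}, 2
    for side in ("src", "dst"):
        if rest[pos] not in ("any", "host"):
            raise ValueError("address form not handled in this example: " + rest[pos])
        fields[side], pos = ("any", pos + 1) if rest[pos] == "any" else (rest[pos + 1], pos + 2)
        fields[side + "port"] = None
        if pos < len(rest) and rest[pos] == "eq":
            p = rest[pos + 1]
            fields[side + "port"] = int(p) if p.isdigit() else PORT_KEYWORDS[p]
            pos += 2
    return fields


def ace_matches(ace, proto, src, sport, dst, dport):
    """Would this 5-tuple hit the ACE? Catches traces aimed at a host the ACE never names."""
    a = parse_ace(ace)
    return (a["proto"] in ("ip", proto)
            and a["src"] in ("any", src) and a["srcport"] in (None, sport)
            and a["dst"] in ("any", dst) and a["dstport"] in (None, dport))


def diagnose(trace_text, tracer_cmd, ace):
    """Return (action, findings): reasons the packet-tracer verdict may be misleading."""
    phases, action, flow_id = parse_packet_tracer(trace_text)
    _, proto, src, sport, dst, dport = tracer_cmd.split()[2:8]
    findings = []
    if flow_id and not acl_evaluated(phases):
        findings.append(f"existing flow {flow_id} answered the trace, the ACL was never "
                        f"consulted; remove it first: {clear_conn_for(tracer_cmd)}")
    if not ace_matches(ace, proto, src, int(sport), dst, int(dport)):
        findings.append("traced 5-tuple does not match the ACE, so even a fresh trace "
                        "would not hit that deny line")
    return action, findings


if __name__ == "__main__":
    print(diagnose(STALE_FLOW_TRACE, TRACER_CMD, ACE))
    print(diagnose(FRESH_TRACE, FRESH_TRACER_CMD, ACE))
```

Paste the packet-tracer output into STALE_FLOW_TRACE and the exact packet-tracer command into TRACER_CMD; the workflow on the box is then clear conn, re-run packet-tracer, and only trust the verdict once an ACCESS-LIST phase appears. If Phase 1 still reports "using existing flow" after the clear, as happens later in this thread, the connection was not actually removed and a capture on the interface is the next check.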
05-05-2017 12:45 AM
After the "clear conn" command, the connection doesn't show up anymore, but the packet-tracer output still generates Phase 1 with "FLOW-LOOKUP" and a found flow. So that command deletes the connection from the connection table, but not the flow record from the flow cache. Maybe it is a bug in firmware 9.2.4(10), but the question remains: how can I get rid of that flow?
I had already tried "clear conn" before I asked that question. I have currently implemented a workaround with NAT on several machines so that syslog traffic from one ASA no longer matches this flow ...
05-05-2017 02:35 AM
That's an odd one - I've not seen it happen before that "clear conn" doesn't clear the flow.
Does a packet capture show the traffic actively flowing?
05-05-2017 03:29 AM
No. The ASA is located at our customer's site, and I have no direct access to that network.
But syslog messages reach our syslog server with the workaround (doing NAT on several ASAs so the traffic doesn't match that flow anymore), and that traffic doesn't reach our syslog server without that workaround (there is no ACL blocking that traffic). Seems that I have to live with that workaround for the time being ...
05-05-2017 05:04 AM
Hi,
try clear local-host <IP ADD>
05-05-2017 06:02 AM
Unfortunately this also did not work. But I have a workaround (the NAT configuration), so it is not so important anymore. Thanks for your help.
09-28-2018 01:14 PM
This worked for me. I was having the same issue: traffic was already on the wire before I created the rule, and after adding a Block rule for the same traffic the Snort verdict was still allow. With the help of this command it is now blocking the traffic.
Thanks Marvin!!