3372 Views · 18 Helpful · 7 Replies

Beginner

How to clear a flow on Cisco ASA?

I have an interface with an access-list bound to that interface as "in" ACL with the following line as first line of the ACL:

access-list from-mpls line 1 extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog

But with packet-tracer, I see the following:

packet-tracer input versatel-mpls udp 10.255.9.2 514 10.255.7.2 514 detailed


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 2606510442, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: allow

How can I get rid of that existing flow, which leads here to allowing the packet even though the access-list denies it? The firmware of the ASA is 9.2.4(10).

I know I can get rid of that flow by rebooting the ASA, but isn't there another possibility (the ASA is in production, so I can't just reboot at any time)?
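As an added illustration (not code from this thread), here is a small Python check that reads packet-tracer output and tells a verdict that came from an existing flow apart from one where the ACL was actually evaluated. The first sample is constructed from the trace quoted above; the second is an assumption of what the trace looks like once no flow matches and the deny line is hit.

```python
import re
# Constructed sample, trimmed from the packet-tracer output quoted in the question.
BYPASSED = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 2606510442, using existing flow
"""
# Constructed (assumed) trace once no flow matches and the ACL deny line is evaluated.
EVALUATED = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-list from-mpls line 1 extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog
Additional Information:
"""

def parse_phases(output):
    """Split packet-tracer output into 'Phase: N' blocks: 'Key: value' fields plus free text as 'info'."""
    phases = []
    for block in re.split(r"\n\s*\n", output.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue  # the trailing 'Result:' summary is not a phase
        phase, in_info = {"info": []}, False
        for line in lines:
            if in_info:
                phase["info"].append(line.strip())
                continue
            key, _, val = line.partition(":")
            phase[key.strip().lower()] = val.strip()
            in_info = key.strip() == "Additional Information"
        phases.append(phase)
    return phases

def existing_flow_id(output):
    """Flow id when phase 1 is a FLOW-LOOKUP hit on an existing connection (ACL not consulted); else None."""
    phases = parse_phases(output)
    if not phases or phases[0].get("type") != "FLOW-LOOKUP":
        return None
    m = re.search(r"Found flow with id (\d+), using existing flow", " ".join(phases[0]["info"]))
    return m.group(1) if m else None

def acl_evaluated(output):
    """True when some phase of the trace is an ACCESS-LIST check."""
    return any(p.get("type") == "ACCESS-LIST" for p in parse_phases(output))
```

When `existing_flow_id` returns an id and `acl_evaluated` is false, the verdict reflects the connection table rather than the current ACL, which is exactly the situation the question describes.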

7 Replies
Hall of Fame Guru

I believe this should do it:

clear conn protocol udp address 10.255.9.2 address 10.255.7.2 
Beginner

After the "clear conn" command, the connection doesn't show up anymore, but the packet-tracer output still generates Phase 1 with "FLOW-LOOKUP" and a found flow. So that command deletes the connection from the connection table, but not the flow record from the flow-cache. Maybe it is a bug in firmware 9.2.4(10), but the question remains: how can I get rid of that flow?

I tried the "clear conn" already before I asked that question. I currently implemented a workaround with NAT on several machines to make syslog traffic from one ASA not match this flow anymore ...

Hall of Fame Guru

That's an odd one - I've not seen it happen before that "clear conn" doesn't clear the flow.

Does a packet capture show the traffic actively flowing?

Beginner

No. The ASA is located at our customer, and I have no direct access to that network.

But syslog messages reach our syslog server with the workaround (doing NAT on several ASAs, so the traffic doesn't match that flow anymore), while that traffic doesn't reach our syslog server without that workaround (there is no ACL blocking that traffic). Seems that I have to live with that workaround for the time being ...

Engager

hi,

try clear local-host <IP ADD>

Beginner

Unfortunately this did also not work. But I have a workaround (the NAT configuration), so it is not so important anymore. Thanks for your help.

Re: I believe this should do it:

This worked for me. I was having the same issue, as traffic was already on the wire before I had created the rule, and after adding a Block rule for the same traffic the Snort verdict was still allow. With the help of this command it is now blocking the traffic.

Thanks Marvin!!