I have an interface with an access-list bound to that interface as "in" ACL with the following line as first line of the ACL:
access-list from-mpls line 1 extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog
But with packet-tracer, I see the following:
packet-tracer input versatel-mpls udp 10.255.9.2 514 10.255.7.2 514 detailed
Found flow with id 2606510442, using existing flow
Module information for forward flow ...
Module information for reverse flow ...
How can I get rid of that existing flow, which leads here to the packet being allowed even though the access-list denies it? The firmware of the ASA is 9.2.4(10).
I know I can get rid of that flow by rebooting the ASA, but isn't there another possibility (the ASA is in production, so I can't just reboot at any time)?
After the "clear conn" command, the connection doesn't show up anymore, but the packet-tracer output still generates Phase 1 with "FLOW-LOOKUP" and a found flow. So that command deletes the connection from the connection table, but not the flow record from the flow cache. Maybe it is a bug in firmware 9.2.4(10), but the question remains: how can I get rid of that flow?
I had already tried "clear conn" before I asked that question. I have currently implemented a workaround with NAT on several machines so that the syslog traffic from one ASA no longer matches this flow ...
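The situation described in the question and the follow-up above, namely that the verdict printed at the end of a packet-tracer run can come from a cached flow rather than from the ACL, is easy to miss when reading the output by hand. The following is an added example, not code from the original thread or from Cisco: a small Python parser that takes packet-tracer text, reports whether Phase 1 was a FLOW-LOOKUP hit on an existing flow, and flags the verdict as untrustworthy for ACL testing when it was. Both sample traces are constructed to resemble ASA output (the flow id and ACL line are taken from the posts; the remaining lines are assumptions) and are not captures from the poster's device.

```python
"""Check whether an ASA packet-tracer verdict came from an existing flow.

Added example, not from the original thread. If Phase 1 is FLOW-LOOKUP with
"using existing flow", later phases (including ACCESS-LIST) are skipped and
the final Action reflects the cached flow, not the current ACL.
"""
import re

FLOW_RE = re.compile(r"Found flow with id (\d+), using existing flow")
ACTION_RE = re.compile(r"^Action:[ \t]*(\w+)", re.MULTILINE)
PHASE_SPLIT_RE = re.compile(r"^Phase:[ \t]*\d+[ \t]*$", re.MULTILINE)

# Constructed sample resembling the output shown in the question.
EXISTING_FLOW_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 2606510442, using existing flow

Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: allow
"""

# Constructed sample of what a trace looks like once the ACL is evaluated.
ACL_DENY_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group from-mpls in interface versatel-mpls
access-list from-mpls extended deny udp host 10.255.9.2 eq syslog host 10.255.7.254 eq syslog
Additional Information:

Result:
input-interface: versatel-mpls
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(output):
    """Split packet-tracer output into per-phase dicts (type, result, raw text)."""
    phases = []
    for chunk in PHASE_SPLIT_RE.split(output)[1:]:
        type_m = re.search(r"^Type:[ \t]*(\S+)", chunk, re.MULTILINE)
        result_m = re.search(r"^Result:[ \t]*(\S+)", chunk, re.MULTILINE)
        phases.append({
            "type": type_m.group(1) if type_m else "",
            "result": result_m.group(1) if result_m else "",
            "raw": chunk,
        })
    return phases


def analyse(output):
    """Return whether the verdict came from a cached flow or from ACL evaluation."""
    phases = parse_phases(output)
    flow_id = None
    for phase in phases:
        if phase["type"] == "FLOW-LOOKUP":
            m = FLOW_RE.search(phase["raw"])
            if m:
                flow_id = int(m.group(1))
                break
    action_m = ACTION_RE.search(output)
    return {
        "flow_id": flow_id,
        "used_existing_flow": flow_id is not None,
        "acl_evaluated": any(p["type"] == "ACCESS-LIST" for p in phases),
        "action": action_m.group(1).lower() if action_m else None,
        # Only trust the verdict as an ACL test when no cached flow short-circuited it.
        "verdict_tests_acl": flow_id is None,
    }


if __name__ == "__main__":
    for name, trace in (("existing flow", EXISTING_FLOW_TRACE), ("acl deny", ACL_DENY_TRACE)):
        print(name, analyse(trace))
```

Run the script against the pasted output of `packet-tracer ... detailed`; when `used_existing_flow` is true, re-run the trace only after the flow is actually gone, otherwise the printed Action says nothing about the access-list.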
That's an odd one - I've not seen it happen before that "clear conn" doesn't clear the flow.
Does a packet capture show the traffic actively flowing?
No. The ASA is located at our customer's site, and I have no direct access to that network.
But syslog messages reach our syslog server with the workaround (doing NAT on several ASAs so the traffic doesn't match that flow anymore), while that traffic doesn't reach our syslog server without the workaround (there is no ACL blocking that traffic). It seems I have to live with that workaround for the time being ...
Unfortunately this also did not work. But I have a workaround (the NAT configuration), so it is not so important anymore. Thanks for your help.
This worked for me. I was having the same issue: traffic was already on the wire before I created the rule, and after adding a Block rule for the same traffic the Snort verdict was still allow. With the help of this command it is now blocking the traffic.