04-08-2009 05:36 AM - edited 03-11-2019 08:16 AM
We have our firewall hitting 98% on some occasions. It has a pretty large connection count (15561), and this was usual; utilization used to stay at 50 to 60%, but suddenly it spikes up to 98% for a day and comes back to 50 the next morning.
I tried all I can, but we are not able to figure out what was happening.
But here is what the log shows:
Deny ICMP reverse path check from x.x.x.x to x.x.x.x on interface outside
We have reverse path specified on outside, and this message is the only one we have in the log, and this is supposed to be informational. Can someone help me out with this?
Thank you so much in advance.
04-08-2009 11:32 AM
You should not be doing reverse path checking on the outside interface. Reverse path checking is typically done on interior interfaces to ensure traffic received at the FW interface was sourced from the network the FW interface is configured for. This stops interior hosts from spoofing addresses. Almost all traffic hitting the outside interface will be sourced from a different network than the outside interface IP range. So this is not needed and will be resource intensive.
mike
04-08-2009 12:06 PM
Would this be the reason for high CPU?
CPU stays good for a few days and suddenly spikes up to 98 for a day. Everything seems fine.
Do you think verify path on inside would reduce our CPU utilization without any impact?
04-08-2009 06:54 PM
I apologize, enabling reverse path forwarding is a viable config for the outside interface. It ensures that packets sourced from the outside are not spoofed packets. Perhaps there is a large amount of spoofed traffic hitting the outside interface of your ASA.
What is the source IP of the traffic in the log message? Is it an address that is used on the inside of the ASA?
Sorry for the confusion, not sure what I was thinking about.
mike
04-09-2009 06:56 AM
I think that source IP is from outside.
We had an issue a month back with an IP from inside.
Can you help me with what I should do in both cases?
04-10-2009 05:50 AM
What does the output of the following command yield?
show asp drop
mike
04-10-2009 06:00 AM
Also the following command
show ip verify statistics
04-10-2009 06:08 AM
The only thing I can think of is that your routing table on the ASA is routing packets received on the outside out a different interface (i.e. not the outside interface?)
Could be the following:
1) Someone is directing spoofed traffic to the outside interface; verify via commands
2) Routing on the ASA is asymmetrical, causing issues
Here is a link on uRPF:
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
mike
04-10-2009 06:44 AM
Frame drop:
Invalid TCP Length (invalid-tcp-hdr-length) 40
Invalid UDP Length (invalid-udp-length) 2418
No valid adjacency (no-adjacency) 1595
Reverse-path verify failed (rpf-violated) 3488
Flow is denied by configured rule (acl-drop) 200124160
Flow denied due to resource limitation (unable-to-create-flow) 6
First TCP packet not SYN (tcp-not-syn) 15433941
Bad TCP flags (bad-tcp-flags) 13406
Bad option length in TCP (tcp-bad-option-len) 1386
TCP data exceeded MSS (tcp-mss-exceeded) 2744046
TCP data send after FIN (tcp-data-past-fin) 29
TCP failed 3 way handshake (tcp-3whs-failed) 1089609
TCP RST/FIN out of order (tcp-rstfin-ooo) 762692
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 35774
TCP SYNACK on established conn (tcp-synack-ooo) 5
TCP packet SEQ past window (tcp-seq-past-win) 265
TCP invalid ACK (tcp-invalid-ack) 6200
TCP replicated flow pak drop (tcp-fo-drop) 3236
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 24
TCP Out-of-Order packet buffer full (tcp-buffer-full) 192174
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 189557
TCP RST/SYN in window (tcp-rst-syn-in-win) 967336
TCP DUP and has been ACKed (tcp-acked) 4614408
TCP packet failed PAWS test (tcp-paws-fail) 18666
IPSEC tunnel is down (ipsec-tun-down) 429
Early security checks failed (security-failed) 17
Slowpath security checks failed (sp-security-failed) 11519
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 48483
DNS Guard id not matched (dns-guard-id-not-matched) 194207284
Interface is down (interface-down) 252
Invalid app length (invalid-app-length) 4584
Last clearing: Never
Flow drop:
NAT failed (nat-failed) 265228
Need to start IKE negotiation (need-ike) 63888
Inspection failure (inspect-fail) 98752656
interface outside: 3488 unicast rpf drops
interface inside: 0 unicast rpf drops
interface IDMZ: 0 unicast rpf drops
interface PUB-DMZ: 0 unicast rpf drops
interface inside2-failover: 0 unicast rpf drops
interface VDMZ-SprintVPN: 0 unicast rpf drops
interface VDMZ-SprintDNS: 0 unicast rpf drops
interface VDMZ-CSG: 0 unicast rpf drops
interface intf5: 0 unicast rpf drops
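To see which counters actually dominate in output like the one above, here is a small parser for the `show asp drop` and `show ip verify statistics` formats (an added example, not code from this thread or from Cisco; the sample text is a constructed excerpt that reuses the counter values posted above):

```python
import re
from collections import Counter

# Constructed excerpt in the format of the "show asp drop" output posted above.
ASP_DROP_SAMPLE = """\
Frame drop:
  Reverse-path verify failed (rpf-violated)                    3488
  Flow is denied by configured rule (acl-drop)             200124160
  First TCP packet not SYN (tcp-not-syn)                    15433941
  DNS Guard id not matched (dns-guard-id-not-matched)      194207284
Last clearing: Never
Flow drop:
  NAT failed (nat-failed)                                     265228
  Inspection failure (inspect-fail)                         98752656
"""

# Constructed excerpt in the format of "show ip verify statistics".
VERIFY_SAMPLE = """\
interface outside: 3488 unicast rpf drops
interface inside: 0 unicast rpf drops
interface IDMZ: 0 unicast rpf drops
"""

# One counter line: description, short reason name in parentheses, integer count.
DROP_LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<name>[\w-]+)\)\s+(?P<count>\d+)\s*$")
VERIFY_LINE = re.compile(r"^interface (?P<ifname>\S+): (?P<count>\d+) unicast rpf drops")

def parse_asp_drop(text):
    """Return {reason-name: count} for every counter line in `show asp drop`."""
    counters = Counter()
    for line in text.splitlines():
        m = DROP_LINE.match(line)
        if m:
            counters[m.group("name")] += int(m.group("count"))
    return counters

def parse_verify_stats(text):
    """Return {interface: uRPF drop count} from `show ip verify statistics`."""
    return {m.group("ifname"): int(m.group("count"))
            for m in map(VERIFY_LINE.match, text.splitlines()) if m}

def top_drop_reasons(counters, n=3):
    """Rank drop reasons so the dominant ones stand out from small ones like rpf-violated."""
    return counters.most_common(n)

def share(counters, name):
    """Fraction of all parsed drops attributed to one reason (0.0 if nothing was counted)."""
    total = sum(counters.values())
    return counters.get(name, 0) / total if total else 0.0
```

Run against the posted numbers, the uRPF drops are a tiny fraction of the total; acl-drop, dns-guard-id-not-matched and inspect-fail dominate, which is where a CPU investigation would look first.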
04-13-2009 03:45 AM
If there are more than 100 object groups and ACLs configured, then try the following command on your PIX:
access-list
Thanks