07-12-2016 08:31 AM - edited 03-12-2019 01:00 AM
We have an ASA-5510 running 8.2(5.50) that all of a sudden started rebooting randomly during the week last week. I'm attaching the syslog information, and I've searched Cisco's web site but can't find the reason. Any ideas? Thanks
Timestamp: 2016-07-11 20:13:39.526
Received by: appliance-syslog-udp on f415495d / graylog
Stored in index: graylog_262
facility: local4
from_syslog: true
level: 4
local_facility: asa
local_level: 4
message: Task ran for 23924 msec, Process = Checkheaps, PC = 9355cb5, Call stack = 0x09355CB5 0x09356CC0 0x089848BA 0x089A8A38 0x0805E995 0x0805F1BF 0x08A63C84 0xDD6AA6D5 0xDD57D1E0 0x0933F6B5 0x09340B62 0x093452D1 0x09361FB6 0x08063BA3
source: 172.24.10.253
timestamp: 2016-07-11T20:13:39.526Z
07-12-2016 09:28 AM
Hi,
Did anything change? New type of traffic/protocols? The 8.2.5(50) is old; maybe you should update/upgrade:
from: http://www.cisco.com/web/software/280775065/45357/ASA-825-Interim-Release-Notes.html
Your Revision: Version 8.2.5(50) – 06/30/2014
The latest interim is 8.3.5(59) Feb 2016
Your release is pre-IKE-fragmentation-vulnerability. Maybe someone hits you with fragmented IKE-probes?
Rgds, MiKa
07-12-2016 09:47 AM
The last change to this firewall was 15 Nov 2015, so it's been several months. We updated the firmware for a wireless LAN controller the 7th of this month, and there is a Catalyst 4507r between the WLC and ASA, and that wasn't upgraded. I'm not aware of any new protocols. I realize that 8.2.5 is old, but Cisco's web site still shows 8.2.5 and 8.4.7 as the suggested firmware versions.
Thanks for the feedback regarding the pre-IKE-frag-vulnerability. I was suspecting a bug or some type of attack causing this but wasn't sure. We'll look at upgrading the firmware.
As a side note, every once in a while when I log onto Cisco's web site, I can see the subversion, e.g. 8.2.5(50) or whatever the latest is, and sometimes not. I've heard that 8.2.5 is up to 8.2.5.(65) or something close to that, but I can't tell from Cisco's download specifically what version. I'm just wondering if it depends on which web server I hit.
07-12-2016 10:23 AM
Thanks for the feedback!
The latest release I can see is 8.2.5(59) for the 8.2.5 train; I just looked it up in the download center.
Just remember, if you upgrade beyond 8.2, the syntax and behavior change significantly.
Good luck!
MiKa