Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
308
Views
0
Helpful
3
Replies

Problem with Vulnerabilty scans opening tens of thousands of connection on ASA 5520 depleating resources crashing firewall

gchevalley
Level 1
Level 1

‎03-13-2014 12:40 PM - edited ‎03-11-2019 08:56 PM

We have a ASA 5520 running ASA version 8.2(2)16 with 2GB of RAM.  Several weeks ago we encountered a problem when scans of one of the DMZ's from our threat appliance caused the firewall to open tens thousands of connections ultimately exceeding exceeding the capicity of this firewall and creating a denial of service event.  The scanning appliance has been in place for years and there were no recent static NAT or routing changes to the firewall.  The scanning appliance is provided by a third party and receives regular updates.  I'm trying to determine if the problem is with the firewall or the scanning appliance.

Has anyone else encountered this sort of problem?

Labels:
0 Helpful
3 Replies 3

Karsten Iwen
VIP
VIP

‎03-14-2014 04:34 PM

Never had these problems in the last years. But your ASA-version is quite old and I would update it with a newer version. You can go to 8.2.5 without any bigger changes to your config, but I would also consider to upgrade to 8.4.7 but that involves much work for the new NAT-syntax.

0 Helpful

gchevalley
Level 1
Level 1
In response to Karsten Iwen

‎03-14-2014 09:09 PM

I'm planning on upgrading to 8.2.5 within the next two months but any further doesn't seem possible.  We have way too many nat exempt statements and there isn't a way to test the changes to the config without it being in production.

0 Helpful

gchevalley
Level 1
Level 1

‎03-25-2014 08:54 PM

I've recently configured a spare 5520 from scatch using the same ASA version as my production firewalls, 8.2(2)16  as part of this test firewall, I created a new DMZ VLAN in which I placed three VM's running Windows Server 2008 R2.  I have made very little changes to the firewall keeping it as simple as possible.  I have run numerous scans from our threat manager scanning all port on host in the /24 network obtaining similiar results as seen on our production network:  Excessive CPU utilization and over ten thousand connections.  I have attached a copy of the test firewall config along with screen shots of ASDM taken during the scans.  Does anyone have any suggestions on how to mitigate this issue?

 

Preview file
180 KB
Preview file
126 KB
Preview file
4 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card