07-18-2011 02:56 PM - edited 03-11-2019 02:00 PM
Hi all
Can threat detection provoke frequent disconnections on allowed traffic?
We are using an ASA 5520 with 8.3.1 IOS.
For instance, in ASDM we see SYN attack messages. The source IP address corresponds to an external host (on the outside interface) which is allowed to connect to internal servers (on the internal interfaces).
Our threat configuration is as follows:
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 500 burst-rate 1000
threat-detection rate scanning-threat rate-interval 3600 average-rate 500 burst-rate 1000
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics port number-of-rate 1
threat-detection statistics protocol number-of-rate 1
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
Thanks
07-18-2011 07:09 PM
Hi Roussillon,
Yes, definitely it is one of the possibilities. If the firewall sees a lot of connection requests coming from the trusted host as well, it would perceive it to be a threat and give you the logs; there might be cases of internet disconnect as well.
Try taking the logs, and captures when the internet gets disconnected.
-Varun
07-19-2011 06:38 AM
Hi
I disabled basic threat detection with the command:
no threat-detection basic-threat
But users get disconnected as well.
How can I disable threat detection?
Thanks
07-21-2011 02:44 AM
Hi all
Can someone please tell me how to stop or properly configure threat detection? Apparently the basic settings are not good for production.
Thanks
07-21-2011 08:32 AM
Hi Roussillon,
We first need to identify the exact reason for the drops. If these disconnects are so frequent, then you first need to check the logs that you get at the time of the disconnect. If the logs say something like this:
"%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654."
For a scanning drop caused by potential attacks:
"ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second_max configured rate is 10; Current average rate is 245 per second_max configured rate is 5; Cumulative total count is 147409 (35 instances received)
For bad packets caused by potential attacks:
"%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 per second, max configured rate is 400; Current average rate is 760 per second, max configured rate is 100; Cumulative total count is 1938933"
Maybe the legitimate outside host is sending requests which exceed the normal value defined in the threat-detection. If so, we can create an exception for that particular host in the threat-detection so that it is always allowed.
Moreover could you tell me if you are using any IPS module with the ASA??
Thanks,
Varun
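To make the log check Varun describes repeatable, here is a small added example (my own code, not part of this thread or of any Cisco tool) that filters a syslog feed for %ASA-4-733100 lines and reports, for each one, whether it was the burst limit or the average limit that was crossed. The two "max configured rate" values in the message line up with the burst-rate and average-rate values of the matching threat-detection rate command, so the output tells you directly which threshold to raise or which host to exempt. The sample lines are constructed, modelled on the ones quoted above; the numbers are made up.

```python
import re

# Constructed sample syslog lines (not from a real device) modelled on the
# %ASA-4-733100 format quoted in the thread; one unrelated 106023 line is
# included so the filter has something to skip.
SAMPLE_LOGS = [
    "%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 "
    "per second, max configured rate is 8000; Current average rate is 2030 per "
    "second, max configured rate is 2000; Cumulative total count is 3930654.",
    "%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 "
    "per second, max configured rate is 400; Current average rate is 760 per "
    "second, max configured rate is 100; Cumulative total count is 1938933",
    "%ASA-4-733100: [Scanning] drop rate 2 exceeded. Current burst rate is 25 "
    "per second, max configured rate is 10; Current average rate is 3 per "
    "second, max configured rate is 5; Cumulative total count is 1470",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst '
    'inside:10.0.0.5/443 by access-group "outside_in"',
]

# Field layout of the 733100 message as shown in the thread: the bracketed
# object, the rate index, then burst current/max and average current/max.
EVENT_RE = re.compile(
    r"%ASA-4-733100: \[(?P<object>[^\]]+)\] drop rate (?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst_cur>\d+) per second, "
    r"max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg_cur>\d+) per second, "
    r"max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


def parse_733100(line):
    """Return the fields of one %ASA-4-733100 line as a dict, or None for other messages."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = {k: int(v) for k, v in m.groupdict().items() if k != "object"}
    event["object"] = m.group("object")
    return event


def exceeded_thresholds(event):
    """Which configured limits the reported rates are above: 'burst', 'average', both or neither."""
    hits = []
    if event["burst_cur"] > event["burst_max"]:
        hits.append("burst")
    if event["avg_cur"] > event["avg_max"]:
        hits.append("average")
    return hits


def summarize(lines):
    """Parse every 733100 line in the feed and annotate it with the limits it crossed."""
    out = []
    for line in lines:
        ev = parse_733100(line)
        if ev is None:
            continue
        ev["exceeded"] = exceeded_thresholds(ev)
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOGS):
        print(f"{ev['object']:<10} rate-{ev['rate_id']} exceeded: "
              f"{', '.join(ev['exceeded']) or 'none'} "
              f"(burst {ev['burst_cur']}/{ev['burst_max']}, "
              f"avg {ev['avg_cur']}/{ev['avg_max']})")
```

Feed it the lines exported from the syslog server rather than the constructed list; a steady stream of "average" hits for one object points at a legitimate high-volume host that needs an exception or a higher average-rate, while isolated "burst" hits are what a short scan or SYN burst looks like.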
07-23-2011 06:52 AM
Hi Varun,
Thanks for your help.
We are not using any IPS module
I am logging all warning messages (severity 4) to a syslog server. When I do a search for messages I cannot find %ASA-4-733100 nor %ASA-4-733101. In the logs there are messages like %ASA-4-106023 or %ASA-4-31300, but not those we are looking for.
I'm also logging messages 733100 & 733101 to the console but nothing gets logged.
I did as follows:
logging list notify-threat message 733100-733101
logging monitor notify-threat
term monitor
Nevertheless the command show threat-detection rate syn-attack shows:
                       Average(eps)  Current(eps)  Trigger  Total events
  10-min SYN attck:             0             0        2            12
I understand that an exception can be configured if scanning threat detection is enabled with the command:
threat-detection scanning-threat [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]
But in our ASA scanning-threat is not active. That's why I do not understand why connections get interrupted.
I have noticed that connections coming from hosts with their own public IP address are less impacted, really less impacted. I configured a computer with a public IP address (no NAT, no IP masquerading), then I started the AnyConnect client and it stayed connected for 28 hours. It was me who stopped the connection.
Thanks
07-26-2011 10:47 PM
Hi
Can someone help us please? This is really urgent and annoying.
How can we just make threat detection disappear??
thanks
07-26-2011 11:42 PM
Hi Roussillon,
If you really want to disable all the threat detection on the firewall, then you can just put a "no" in front of the threat-detection statements and disable them, or use "clear configure threat-detection" to clear all the commands:
http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/c2.html#wp2400005
Thanks,
Varun
08-17-2011 04:24 AM
Hi
Sorry if I answer late, but I was out of the office.
I tried both methods but nothing works.
Do you know if the ASA can do a Save reset?
Thanks
08-17-2011 08:56 AM
You were not at all able to delete the threat-detection on the ASA, even after doing "clear configure threat-detection"???
Well, do you have any IPS device in the network???
Can you share your configuration from the ASA and also the output of "show module"?
-Varun
08-17-2011 01:09 PM
Hi,
Indeed in ASDM we see SYN attack messages. But I think it is not the real problem.
The problem occurs when a user behind a box doing NAT connects to a server with a NATted IP behind the ASA. I would say double NAT.
This is the output of the command show module:
Mod Card Type Model
--- -------------------------------------------- ------------------
0 ASA 5520 Adaptive Security Appliance ASA5520
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 c47d.4f3b.6b15 to c47d.4f3b.6b19 2.0 1.0(11)5 8.3(1)
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
Thanks
08-17-2011 07:24 PM
Hi,
I am not sure now about the real issue. Are you not able to access a server on the inside from inside hosts itself??? If that is the case then I would need the IP addresses of source and destination, and whether the inside hosts need to access the server on its NATted IP only. It would be great if you can provide an output of:
show run nat
show run global
show run static
show run same
Thanks,
Varun