Troubleshooting ASA large number of connection

S891
Level 2

Hi,

I am seeing an unusually large number of connections (close to 1 million) on the firewall. I am not sure if these connections are initiated from outside or inside. From the connection flags it seems a large number of inside machines are trying to reach some outside addresses, as they are using random port numbers as source and connecting to outside on port 80, but the inside antivirus servers and the client-machine antivirus software are not showing these machines as infected.

sh conn

TCP OUTSIDE a.b.c.d:80 INSIDE w.x.y.z:8942 idle 0:00:17 Bytes 1908 FLAGS - sX

.................

There are a few different OUTSIDE addresses, but the INSIDE addresses cover pretty much our entire public IP user-machine range.

The outside port is port 80, which indicates that it is an outside server, but how could all these machines be trying to connect to this server?

Am I reading this incorrectly, and could it be an outside machine trying to scan my public network machines using source port 80?

My other question is: how do I read the connection flag correctly to determine the source?

3 Replies

Divya Subramanian
Cisco Employee

Hi Fawad,

Explaining the output of show conn: TCP OUTSIDE a.b.c.d:80 INSIDE w.x.y.z:8942 idle 0:00:17 Bytes 1908 FLAGS - sX

The inside host w.x.y.z is awaiting a SYN from the outside IP a.b.c.d.

So every TCP connection contains 2 SYNs and 2 ACKs. "s" is the SYN from the outside server which the inside server is waiting for.

The connection was initiated by the inside host a.b.c.d on port 80 for the outside server. The SYN was sent from the inside host to the outside server.

However, the connection is awaiting the SYN/ACK back from the outside server to the inside client.

Please check the ips to determine if these connections are legitimate.

The connection flags can be read correctly as per the following doc :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html

Hi Divya, thanks for your reply, but I'm a little confused by your answer. Can you explain it?

You said the connection was initiated from inside host a.b.c.d, while in my case a.b.c.d is the outside address. You also said the connection was initiated by an inside host, but when we checked these machines, some of the inside IPs didn't even exist (though the IP is within a valid subnet), so I am pretty sure this TCP SYN type of attack was initiated from outside (a.b.c.d). But again, the confusing thing is how an outside machine can start sessions on port 80 (which is a server port) to a client port (random port).

The problem I faced was that there were 1000000s of these connections and they flooded the firewall connection limit.

Hi,

Maybe this will help you:

http://www.tunnelsup.com/understanding-cisco-asa-connection-flags

Because there is an X, you have an IPS or CX module. How about the logs there?

Is there any chance you could have spoofed addresses on the inside?

About your question (port 80): there is no problem sending traffic with source port 80 (registered) and a high target port.

HTH,
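The following is an added example, not code from any of the posters or from Cisco. It is a small Python script that parses `show conn` lines in the layout quoted in the thread and answers the two questions mechanically: which side opened each flow (the ASA sets the `B` flag on a connection whose initial SYN arrived on the outside interface; a flow without `B` that still carries `s` was opened from the inside and is waiting for the outside SYN/ACK, and `U` marks a completed handshake), and which inside and outside endpoints account for the half-open flows. The sample lines, the RFC 5737 addresses and the OUTSIDE/INSIDE nameif values are constructed to match the thread; the flag meanings follow the Cisco connection-flags document linked in the replies, so confirm them against the table for your ASA version.

```python
import re
from collections import Counter

# Constructed sample of `show conn` output in the layout quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_CONN = """\
TCP OUTSIDE 203.0.113.10:80 INSIDE 198.51.100.7:8942 idle 0:00:17 Bytes 1908 FLAGS - sX
TCP OUTSIDE 203.0.113.10:80 INSIDE 198.51.100.8:8943 idle 0:00:12 Bytes 0 FLAGS - sX
TCP OUTSIDE 203.0.113.10:80 INSIDE 198.51.100.9:8944 idle 0:00:03 Bytes 0 FLAGS - sX
TCP OUTSIDE 203.0.113.10:80 INSIDE 198.51.100.7:8945 idle 0:00:01 Bytes 0 FLAGS - sX
TCP OUTSIDE 203.0.113.25:443 INSIDE 198.51.100.7:51022 idle 0:00:05 Bytes 58214 FLAGS - UIO
TCP OUTSIDE 203.0.113.40:39955 INSIDE 198.51.100.20:25 idle 0:00:02 Bytes 0 FLAGS - SaAB
"""

# One conn-table line: proto, two "<nameif> <ip>:<port>" pairs, idle time, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+)\s+"
    r"idle\s+(?P<idle>\S+)\s+Bytes\s+(?P<bytes>\d+)\s+FLAGS\s+-\s+(?P<flags>\S*)\s*$"
)


def parse_conn_line(line):
    """Parse one `show conn` line into a dict; return None for lines that do not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    return conn


def endpoints(conn):
    """Return (outside 'ip:port', inside ip) by looking at the nameif values,
    so the result does not depend on which pair the ASA prints first."""
    a = (conn["if_a"], conn["ip_a"], conn["port_a"])
    b = (conn["if_b"], conn["ip_b"], conn["port_b"])
    outside, inside = (a, b) if a[0].upper() == "OUTSIDE" else (b, a)
    return f"{outside[1]}:{outside[2]}", inside[1]


def initiator(conn):
    """Side that sent the first SYN. Per the ASA flag table, 'B' means the initial
    SYN came from outside; without it the inside side opened the flow."""
    return "outside" if "B" in conn["flags"] else "inside"


def is_half_open(conn):
    """'U' means the three-way handshake completed ("up"); a flow still showing
    s/S/a/A and no U has not finished the handshake."""
    return "U" not in conn["flags"]


def summarize(show_conn_text):
    """Tally direction and handshake state, and rank the inside hosts and outside
    services that account for the half-open flows."""
    by_direction = Counter()
    half_open_inside = Counter()
    half_open_outside = Counter()
    established = unparsed = 0
    for line in show_conn_text.splitlines():
        conn = parse_conn_line(line)
        if conn is None:
            unparsed += bool(line.strip())
            continue
        by_direction[initiator(conn)] += 1
        if is_half_open(conn):
            outside_key, inside_ip = endpoints(conn)
            half_open_inside[inside_ip] += 1
            half_open_outside[outside_key] += 1
        else:
            established += 1
    return {
        "by_direction": dict(by_direction),
        "established": established,
        "half_open": sum(half_open_inside.values()),
        "top_inside_half_open": half_open_inside.most_common(3),
        "top_outside_half_open": half_open_outside.most_common(3),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    import json
    # Feed a saved `show conn` capture on stdin instead of SAMPLE_CONN for real triage.
    print(json.dumps(summarize(SAMPLE_CONN), indent=2))
```

On the constructed sample the four `sX` flows come out as inside-initiated and half-open, all aimed at one outside service, which is the shape described in the original post. The conn table alone cannot tell a real inside host from a spoofed source address on the inside interface, so when the ranked inside addresses do not exist on the LAN (as the follow-up reply reports), the next step is to correlate with the inside switch's MAC/ARP tables and the service-module logs mentioned in the last reply.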
