397 Views | 0 Helpful | 1 Replies

AnyConnect VPN: "permit-validate" ASP drops on ASA

tvotna
Spotlight

Hi, anybody with a large number of AnyConnect users and an ASA (or FTD), can you check "show asp drops | i permit-validate" and let me know if you see such drops incrementing?

I see them incrementing in the thousands per second, and this is not related to some abnormal Internet activity or an attack, e.g. when somebody sends DTLS packets to the ASA IP address and the ASA doesn't have a corresponding UDP connection to process the packet (this is basically what this drop code is about). They appear to be caused by legitimate AnyConnect users. What is weird is that "capture asp-drop" displays DTLS packets with a source IP address from the pool used by the ASA to assign IP addresses... This sounds impossible, and indeed there are no such packets captured on the outside interface...

Drops appear randomly: a few dozen for user1, then a few dozen for user2, etc. The impact on user traffic is unknown, and it's impossible to verify whether the drops are real or not...

ASA# sh cap
capture cap type asp-drop permit-validate [Capturing - 260924 bytes]

ASA# sh cap cap
805 packets captured
1: 16:17:05.065350 802.1Q vlan#130 P0 10.6.128.159.50528 > XXX.XXX.XX.XXX.443: udp 477 Drop-reason: (permit-validate) Permit validation failed
2: 16:17:05.065395 802.1Q vlan#130 P0 10.6.128.159.50528 > XXX.XXX.XX.XXX.443: udp 541 Drop-reason: (permit-validate) Permit validation failed
3: 16:17:05.065670 802.1Q vlan#130 P0 10.6.128.159.50528 > XXX.XXX.XX.XXX.443: udp 189 Drop-reason: (permit-validate) Permit validation failed
4: 16:17:05.065716 802.1Q vlan#130 P0 10.6.128.159.50528 > XXX.XXX.XX.XXX.443: udp 1373 Drop-reason: (permit-validate) Permit validation failed
5: 16:17:05.065716 802.1Q vlan#130 P0 Drop-reason: (permit-validate) Permit validation failed
6: 16:17:05.065838 802.1Q vlan#130 P0 10.6.128.159.50528 > XXX.XXX.XX.XXX.443: udp 285 Drop-reason: (permit-validate) Permit validation failed
7: 16:17:05.065853 802.1Q vlan#130 P0 10.6.128.159.50528 > XXX.XXX.XX.XXX.443: udp 381 Drop-reason: (permit-validate) Permit validation failed
8: 16:17:05.065899 802.1Q vlan#130 P0 10.6.128.159.50528 > XXX.XXX.XX.XXX.443: udp 477 Drop-reason: (permit-validate) Permit validation failed
9: 16:17:05.066143 802.1Q vlan#130 P0 10.6.128.159.50528 > XXX.XXX.XX.XXX.443: udp 573 Drop-reason: (permit-validate) Permit validation failed

ASA# show vpn-sessiondb detail anyconnect filter a-ipaddress 10.6.128.159

Session Type: AnyConnect Detailed

Username : USER0000000000 Index : 326921
Assigned IP : 10.6.128.159 Public IP : YY.YYY.YY.YYY
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA256
Bytes Tx : 836622604 Bytes Rx : 779466869
Pkts Tx : 2096686 Pkts Rx : 1314567
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GROUP1 Tunnel Group : TGGRP1
Login Time : 08:39:03 Wed Aug 2 2023
Duration : 7h:42m:26s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a2c11324fd0900064c9ebf7
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 326921.1
Public IP : YY.YYY.YY.YYY
Encryption : none Hashing : none
TCP Src Port : 53239 TCP Dst Port : 443
Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Conn Time Out: 780 Minutes Conn TO Left : 317 Minutes
Client OS : win
Client OS Ver: 10.0.19045
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.9.04043
Bytes Tx : 48040 Bytes Rx : 0
Pkts Tx : 35 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0

DTLS-Tunnel:
Tunnel ID : 326921.3
Assigned IP : 10.6.128.159 Public IP : YY.YYY.YY.YYY
Encryption : AES256 Hashing : SHA256
Ciphersuite : DHE-RSA-AES256-SHA256
Encapsulation: DTLSv1.2 UDP Src Port : 50528
UDP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Conn Time Out: 780 Minutes Conn TO Left : 317 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.9.04043
Bytes Tx : 836526446 Bytes Rx : 779460455
Pkts Tx : 2096615 Pkts Rx : 1314551
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-DACL_VPN_CORP-60b7eeb6

SSL-Tunnel:
Tunnel ID : 326921.7
Assigned IP : 10.6.128.159 Public IP : YY.YYY.YY.YYY
Encryption : AES256 Hashing : SHA256
Ciphersuite : DHE-RSA-AES256-SHA256
Encapsulation: TLSv1.2 TCP Src Port : 60137
TCP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Conn Time Out: 780 Minutes Conn TO Left : 317 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 4.9.04043
Bytes Tx : 9608 Bytes Rx : 0
Pkts Tx : 7 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Filter Name : #ACSACL#-IP-DACL_VPN_CORP-60b7eeb6

ASA# show asp table socket | i 50528
SVC_UDP 938d8098 CONNECTED XXX.XXX.XX.XXX:443 YY.YYY.YY.YYY:50528

ASA# show log | i USER0000000000
Aug 02 2023 16:13:34 ASA : %ASA-5-722037: Group <GROUP1> User <USER0000000000> IP <YY.YYY.YY.YYY> SVC closing connection: Transport closing.
Aug 02 2023 16:13:34 ASA : %ASA-5-109207: UAUTH: Session=0x4fd09000, User=USER0000000000, Assigned IP=10.6.128.159, Succeeded updating entry.
Aug 02 2023 16:13:34 ASA : %ASA-5-722034: Group <GROUP1> User <USER0000000000> IP <YY.YYY.YY.YYY> New TCP SVC connection, no existing connection.
Aug 02 2023 16:13:34 ASA : %ASA-5-722055: Group <GROUP1> User <USER0000000000> IP <YY.YYY.YY.YYY> Client Type: Cisco AnyConnect VPN Agent for Windows 4.9.04043
Aug 02 2023 16:13:34 ASA : %ASA-5-722051: Group <GROUP1> User <USER0000000000> IP <YY.YYY.YY.YYY> IPv4 Address <10.6.128.159> IPv6 address <::> assigned to session
Aug 02 2023 16:19:08 ASA : %ASA-5-722037: Group <GROUP1> User <USER0000000000> IP <YY.YYY.YY.YYY> SVC closing connection: Transport closing.
Aug 02 2023 16:19:08 ASA : %ASA-5-109207: UAUTH: Session=0x4fd09000, User=USER0000000000, Assigned IP=10.6.128.159, Succeeded updating entry.
Aug 02 2023 16:19:08 ASA : %ASA-5-722034: Group <GROUP1> User <USER0000000000> IP <YY.YYY.YY.YYY> New TCP SVC connection, no existing connection.
Aug 02 2023 16:19:08 ASA : %ASA-5-722055: Group <GROUP1> User <USER0000000000> IP <YY.YYY.YY.YYY> Client Type: Cisco AnyConnect VPN Agent for Windows 4.9.04043
Aug 02 2023 16:19:08 ASA : %ASA-5-722051: Group <GROUP1> User <USER0000000000> IP <YY.YYY.YY.YYY> IPv4 Address <10.6.128.159> IPv6 address <::> assigned to session
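The post pairs three artefacts by hand: the asp-drop capture, the session's assigned IP, and the 7220xx syslog events for the same user. The script below is an added example (not the poster's code and not Cisco tooling) that automates that pairing: it parses "show cap" asp-drop lines (including the header-less form seen in packet 5), groups drops per source IP, maps the IP to a user via %ASA-5-722051, and reports how many seconds separate the first drop from the nearest session event for that user. The sample capture and syslog text is constructed to mirror the post; 203.0.113.10 and 198.51.100.7 stand in for the masked ASA and client public addresses, and all timestamps are assumed to be from the same day (the capture carries only time of day).

```python
"""Correlate ASA asp-drop capture lines with AnyConnect session syslog.

Added example, not from the original post. Assumes the 'show cap' and
'show log' text formats shown in the thread and same-day timestamps.
"""
import re
from collections import defaultdict

# One asp-drop capture line. The address/port/proto/len group is optional
# because some captured frames are printed without L3/L4 headers.
CAP_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?:(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<len>\d+)\s+)?"
    r"Drop-reason:\s+\((?P<reason>[\w-]+)\)"
)
# One syslog line: "Aug 02 2023 16:13:34 ASA : %ASA-5-722037: ..."
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} (?P<tod>\d{2}:\d{2}:\d{2})) \S+ : "
    r"%ASA-\d-(?P<msgid>\d+): (?P<body>.*)$"
)
USER_RE = re.compile(r"User <(?P<user>[^>]+)>")
ASSIGN_RE = re.compile(r"IPv4 Address <(?P<ip>[\d.]+)>")


def _tod(hms: str) -> float:
    """'16:17:05.065350' -> seconds since midnight (float)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text: str) -> list:
    """Return one dict per capture line; src is None for header-less frames."""
    drops = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if not m:
            continue
        drops.append({
            "idx": int(m["idx"]), "t": _tod(m["time"]), "src": m["src"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dst": m["dst"], "proto": m["proto"],
            "len": int(m["len"]) if m["len"] else 0, "reason": m["reason"],
        })
    return drops


def summarize(drops: list) -> dict:
    """Group drops by source IP: count, bytes, first and last time of day."""
    out = {}
    for d in drops:
        key = d["src"] or "<no-header>"
        s = out.setdefault(key, {"count": 0, "bytes": 0, "first": d["t"], "last": d["t"]})
        s["count"] += 1
        s["bytes"] += d["len"]
        s["first"] = min(s["first"], d["t"])
        s["last"] = max(s["last"], d["t"])
    return out


def parse_syslog(text: str):
    """Return ({assigned_ip: user}, {user: [(tod_seconds, msgid), ...]})."""
    ip_to_user, events = {}, defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        u = USER_RE.search(m["body"]) if m else None
        if not u:
            continue
        events[u["user"]].append((_tod(m["tod"]), m["msgid"]))
        a = ASSIGN_RE.search(m["body"])   # 722051 carries the assigned pool IP
        if a:
            ip_to_user[a["ip"]] = u["user"]
    return ip_to_user, dict(events)


def correlate(drops: list, ip_to_user: dict, events: dict) -> dict:
    """Per dropped source IP: owning user and seconds from first drop to the
    nearest session event (reconnect/assignment) logged for that user."""
    result = {}
    for src, s in summarize(drops).items():
        user = ip_to_user.get(src)
        entry = {"user": user, "count": s["count"], "nearest_msgid": None, "nearest_event_s": None}
        if user in events:
            t0, msgid = min(events[user], key=lambda e: abs(e[0] - s["first"]))
            entry["nearest_msgid"] = msgid
            entry["nearest_event_s"] = round(abs(t0 - s["first"]))
        result[src] = entry
    return result


# Constructed sample input mirroring the thread (placeholder addresses).
SAMPLE_CAP = """805 packets captured
1: 16:17:05.065350 802.1Q vlan#130 P0 10.6.128.159.50528 > 203.0.113.10.443: udp 477 Drop-reason: (permit-validate) Permit validation failed
2: 16:17:05.065395 802.1Q vlan#130 P0 10.6.128.159.50528 > 203.0.113.10.443: udp 541 Drop-reason: (permit-validate) Permit validation failed
3: 16:17:05.065670 802.1Q vlan#130 P0 10.6.128.159.50528 > 203.0.113.10.443: udp 189 Drop-reason: (permit-validate) Permit validation failed
4: 16:17:05.065716 802.1Q vlan#130 P0 10.6.128.159.50528 > 203.0.113.10.443: udp 1373 Drop-reason: (permit-validate) Permit validation failed
5: 16:17:05.065716 802.1Q vlan#130 P0 Drop-reason: (permit-validate) Permit validation failed
6: 16:17:05.065838 802.1Q vlan#130 P0 10.6.128.159.50528 > 203.0.113.10.443: udp 285 Drop-reason: (permit-validate) Permit validation failed
"""
SAMPLE_LOG = """Aug 02 2023 16:13:34 ASA : %ASA-5-722037: Group <GROUP1> User <USER0000000000> IP <198.51.100.7> SVC closing connection: Transport closing.
Aug 02 2023 16:13:34 ASA : %ASA-5-722051: Group <GROUP1> User <USER0000000000> IP <198.51.100.7> IPv4 Address <10.6.128.159> IPv6 address <::> assigned to session
Aug 02 2023 16:19:08 ASA : %ASA-5-722037: Group <GROUP1> User <USER0000000000> IP <198.51.100.7> SVC closing connection: Transport closing.
Aug 02 2023 16:19:08 ASA : %ASA-5-722051: Group <GROUP1> User <USER0000000000> IP <198.51.100.7> IPv4 Address <10.6.128.159> IPv6 address <::> assigned to session
"""

if __name__ == "__main__":
    drops = parse_capture(SAMPLE_CAP)
    ip_to_user, events = parse_syslog(SAMPLE_LOG)
    for src, info in correlate(drops, ip_to_user, events).items():
        print(src, info)
```

On the sample data the drop burst sits about two minutes away from either SSL-tunnel reconnect (722037/722051 at 16:13:34 and 16:19:08), which is the kind of timing fact the thread is asking about: if drops cluster within a second or two of a reconnect they point at tunnel re-establishment, whereas a large gap argues for something else. Feed the real "show cap" and "show log" output in place of the constructed strings.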
1 Reply

tvotna
Spotlight

Anybody?