09-06-2010 12:10 PM
Dear Friends,
Possibly, I am facing an IKE starvation attack on my ASA 5550, which has 3000 tunnels; when the issue occurs it touches 5k+ due to duplicate SAs, resulting in high CPU. Please help analyse.
WI-GSMC-FORD-FW001# show processes
PC | SP | STATE | Runtime | SBASE | Stack Process |
Mrd | 08064cc5 | 23e11a1c | 09f6cfb4 | 121141078 | 23e0deb8 | 7368/16384 IKE Daemon |
WI-GSMC-FORD-FW001# show proc cpu-usage non-zero
PC Thread 5Sec 1Min 5Min Process
08064cc5 1c5a42f0 56.5% 49.5% 25.4% IKE Daemon
WI-GSMC-FORD-FW001# show processes cpu-usage sorted
PC Thread 5Sec 1Min 5Min Process
08064cc5 1c5a42f0 56.5% 49.5% 25.4% IKE Daemon
WI-GSMC-FORD-FW001# show processes memory
Allocs | Allocated | Frees | Freed | Process |
133488289 | 41475063393467 | 657482165 | 1458804983288 | IKE Daemon |
217803927 | 569601130748 | 2178023909 | 69598573064 | vpnfol_thread_timer |
WI-GSMC-FORD-FW001# show processes internals
Invoked | Giveups | Max_Runtime | Process |
2792259432 | 2783311168 | 8560.011 | ssm4ge_cfg_poll_thread |
1722975056 | 10473577 | 301.055 | IKE Daemon |
WI-GSMC-FORD-FW001# show conn count
6713 in use, 38327 most usedb
WI-GSMC-FORD-FW001# show crypto isakmp sa
Active SA: 5763
Rekey SA: 7 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5770
show traffic
Max is on the Outside interface, input traffic = 40 Kbytes
WI-GSMC-FORD-FW001# show xlate count
54 in use, 55 most used
WI-GSMC-FORD-FW001# sho asp drop
Frame drop:
Unsupported IP version (unsupported-ip-version) 4
No valid adjacency (no-adjacency) 41
Reverse-path verify failed (rpf-violated) 7395306
Flow is denied by configured rule (acl-drop) 1833326
Invalid SPI (np-sp-invalid-spi) 136322
First TCP packet not SYN (tcp-not-syn) 5735
Bad TCP flags (bad-tcp-flags)
TCP data send after FIN (tcp-data-past-fin) 1
TCP failed 3 way handshake (tcp-3whs-failed) 7605
TCP RST/FIN out of order (tcp-rstfin-ooo) 4756
TCP invalid ACK (tcp-invalid-ack) 14
TCP replicated flow pak drop (tcp-fo-drop) 121
TCP RST/SYN in window (tcp-rst-syn-in-win) 29
IPSEC tunnel is down (ipsec-tun-down) 2054
ICMP Error Inspect no existing
DNS Inspect id not matched (inspect-dns-id-not-matched) 66
Interface is down (interface-down) 445
Dropped pending packets in a closed socket (np-socket-closed) 86
Last clearing: Never
Flow drop:
NAT failed (nat-failed) 96
Need to start IKE negotiation (need-ike) 3345034
Inspection failure (inspect-fail) 80
Last clearing: Never
WI-GSMC-FORD-FW001# show version
Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.3(3)
Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "startup-config"
WI-GSMC-FORD-FW001 up 15 days 22 hours
failover cluster up 29 days 22 hours
Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0026.9986.988e, irq 9
1: Ext: GigabitEthernet0/1 : address is 0026.9986.988f, irq 9
2: Ext: GigabitEthernet0/2 : address is 0026.9986.9890, irq 9
3: Ext: GigabitEthernet0/3 : address is 0026.9986.9891, irq 9
4: Ext: Management0/0 : address is 0026.9986.988d, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
7: Ext: GigabitEthernet1/0 : address is 0026.9926.00c4, irq 255
8: Ext: GigabitEthernet1/1 : address is 0026.9926.00c5, irq 255
9: Ext: GigabitEthernet1/2 : address is 0026.9926.00c6, irq 255
10: Ext: GigabitEthernet1/3 : address is 0026.9926.00c7, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 250
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 5000
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5550 VPN Premium license.
Suspecting: if the box has a 5000-peer license, then it should crack when it reaches 70% (i.e. 3500 tunnels) of the listed value.
Best Regards,
Rajiv
09-06-2010 03:29 PM
WI-GSMC-FORD-FW001# show conn count
6713 in use, 38327 most usedb
Go ahead and restrict the embryonic conns. I do not think that is responsible for the high CPU since you have a 5550, but it might help you.
The following command will help you to determine who has so many half-opened connections, if there is someone.
show local-host | include host|count/limit
There are
Active SA: 5763
Are you restricting your peers, or are you using 0.0.0.0 in your pre-shared key?
I hope it helps.
09-06-2010 09:55 PM
Firstly, high CPU can be expected if you go anywhere near the 5000 mark; sometimes, depending on how much other traffic you have, you can expect the performance to be affected even before the 5000 mark is reached.
Now, if you feel you should have 3000 peers, let's see why you have 5000+ phase 1 SAs. Let's find out if we have duplicate SAs or whether they are some remote access users trying to make a connection.
Try this:
show cry isa sa | in
Once you have an IP which has duplicate SAs, let's have more details about it:
show vpn-sessiondb detail remote filter p-ipaddress
This will tell us about the session.
Also, just a small query to understand your network: were any changes made to your network before you started seeing this? It can be anything, like acquiring a new company or disbanding a company, etc.
Just to understand why there is so much fluctuation in VPN sessions.
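The reply above suggests grepping `show crypto isakmp sa` by hand to find peers with duplicate SAs. As an added example (not part of this thread or any Cisco tool), the script below parses a constructed sample of that output in the ASA 8.2 per-SA layout (`IKE Peer:`, `Type`, `Role`, `Rekey`, `State` lines, which is an assumption about the format) and reports two things a defender wants when the SA count balloons: peers holding more than one non-rekey SA (the duplicates the original poster is chasing) and SAs stuck mid-negotiation, which is what an IKE starvation situation looks like in this table. The peer addresses and counts in the sample are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `show crypto isakmp sa` output; addresses and states are
# invented for this example and assume the ASA 8.2 per-SA layout.
SAMPLE_OUTPUT = """\
   Active SA: 5
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 6

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
4   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
5   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE
6   IKE Peer: 192.0.2.33
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# Each SA entry starts with an index number followed by "IKE Peer: <address>".
PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)", re.M)
# The remaining attributes are "Name : value" pairs, two per line.
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return one dict per IKE SA found in `show crypto isakmp sa` text."""
    entries = []
    matches = list(PEER_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        block = text[m.end():end]
        sa = {"peer": m.group(1)}
        for key, val in FIELD_RE.findall(block):
            sa[key.lower()] = val
        entries.append(sa)
    return entries


def duplicate_peers(sas, allowed_per_peer=1):
    """Peers holding more concurrent non-rekey SAs than a healthy tunnel needs.

    A tunnel legitimately shows one Active plus one Rekey SA while rekeying,
    so SAs marked "Rekey: yes" are not counted against the peer.
    """
    counts = Counter(sa["peer"] for sa in sas if sa.get("rekey", "no") != "yes")
    return {peer: n for peer, n in counts.items() if n > allowed_per_peer}


def incomplete_sas(sas):
    """SAs still mid-negotiation (state not *_ACTIVE), grouped by peer."""
    by_peer = defaultdict(list)
    for sa in sas:
        state = sa.get("state", "")
        if not state.endswith("_ACTIVE"):
            by_peer[sa["peer"]].append(state)
    return dict(by_peer)


def report(text):
    """Human-readable summary; returned rather than printed so it can be checked."""
    sas = parse_isakmp_sa(text)
    lines = [f"parsed {len(sas)} IKE SAs"]
    for peer, n in sorted(duplicate_peers(sas).items(), key=lambda kv: -kv[1]):
        lines.append(f"duplicate: {peer} has {n} non-rekey SAs")
    for peer, states in incomplete_sas(sas).items():
        lines.append(f"incomplete: {peer} {states}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Feed it the real output (for example, captured to a file from the console) and the `duplicate:` lines give you the peer addresses to look up with `show vpn-sessiondb detail remote filter p-ipaddress`; the `incomplete:` lines separate a rekey-heavy but healthy box from one whose IKE daemon is spending its cycles on negotiations that never finish.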