PIX 520: All xlate connections used within hours...

Unanswered Question
Jan 16th, 2008

I have a strange problem which looks to me like a DoS attack from the inside, but I can't be sure.

Symptoms:

All xlate connections used within hours.

Xlate connections start with all our servers across our WAN before moving onto all workstations.

No viruses have been found.

Looked in syslog and I can't find one single outside IP that seems to be a possible source.

Any ideas? My eyes hurt.

irisrios Tue, 01/22/2008 - 12:33

This has also happened to me anonymously. Clearing all the xlate connections using the clear xlate command solved the issue, beginning the connections from scratch.

NickWalker Tue, 01/22/2008 - 13:15

I clear the xlate connections 3 times a day.

Not the solution for me. I've checked everything at all 40 offices. Don't have a clue where this is coming from. And I can admit it. Everything on the network is clean. I'm going to set up Ethereal again and monitor the inside interface to see if I can gather more clues.

What a headache.

Jonathan Beardsley Thu, 02/14/2013 - 09:28

Did you find a solution? I have two Firewalls I have to clear xlate on several times a week. Not really a firewall guy, but trying to learn.

Any assistance appreciated.

- Jonathan Beardsley

Jouni Forss Thu, 02/14/2013 - 09:55

Hi,

I've got to admit that I have never run into a situation where an ASA has had problems because of too many xlates. Usually there's been a need to expand a NAT pool a bit, but even if it has run out there has always been a PAT translation for the rest of the connections to fall back to.

What's your firewall model?

Have you monitored your firewall's connection and xlate amounts?

  • show conn
  • show conn long
  • show local-host
  • different variations of the above commands using "| inc", etc.

Have you checked if there are single hosts on the network with way too many formed connections?

What are your "timeout" values for xlates?

  • show run timeout

How many hosts (approx.) are there on your network?

What is your NAT setup?

  • NAT Pool?
  • PAT translation with single public IP?
  • Both of the above?
  • Both of the above with multiple NAT Pools and PATs?

Could file sharing (torrents) be something that's causing this?

- Jouni
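One way to turn the "show conn" checks above into something repeatable over a saved copy of the output, as an added example that is not from this thread or from Cisco: it counts connections per inside host, flags TCP entries that never completed their handshake, and compares the number of distinct inside hosts with the platform's inside-host license. The "show conn" line layout is an assumption, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of ASA "show conn" output (layout assumed for
# this example; hosts and addresses are made up, not taken from the thread).
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:443 inside 10.10.20.5:49152, idle 0:00:03, bytes 18234, flags UIO
TCP outside 203.0.113.10:443 inside 10.10.20.5:49153, idle 0:00:01, bytes 912, flags UIO
UDP outside 198.51.100.53:53 inside 10.10.20.5:51000, idle 0:00:10, bytes 120, flags -
TCP outside 203.0.113.44:80 inside 10.10.20.7:50010, idle 0:04:55, bytes 0, flags saA
TCP outside 203.0.113.44:80 inside 10.10.20.7:50011, idle 0:04:50, bytes 0, flags saA
TCP dmz 172.16.1.10:25 inside 10.10.20.9:40111, idle 0:00:02, bytes 200, flags UIO
"""

# proto, interface A, ip A, interface B, ip B, then the flags field at the end.
CONN_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+):\d+\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+):\d+"
    r".*?flags\s+(\S+)"
)

def parse_show_conn(text, inside_if="inside"):
    """Return (inside_host, proto, flags) for each connection whose second
    endpoint is on the named inside interface; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, _if_a, _ip_a, if_b, ip_b, flags = m.groups()
            if if_b == inside_if:
                rows.append((ip_b, proto, flags))
    return rows

def per_host_summary(rows):
    """host -> {"total", "embryonic"}. A TCP conn without the 'U' (up) flag has
    not finished its handshake; many of those on one host is worth a look."""
    summary = defaultdict(lambda: {"total": 0, "embryonic": 0})
    for host, proto, flags in rows:
        summary[host]["total"] += 1
        if proto == "TCP" and "U" not in flags:
            summary[host]["embryonic"] += 1
    return dict(summary)

def heavy_hosts(summary, threshold):
    """Inside hosts holding at least `threshold` connections, sorted."""
    return sorted(h for h, s in summary.items() if s["total"] >= threshold)

def host_license_headroom(summary, licensed_hosts):
    """Distinct inside hosts seen vs. the inside-host license (the thread's
    ASA 5505 had a 50-host limit). Returns (seen, remaining)."""
    seen = len(summary)
    return seen, max(licensed_hosts - seen, 0)
```

Feed it the real output (for example `show conn` saved to a file) and raise the threshold to whatever is normal for your site; a host far above its neighbours, or one holding mostly embryonic connections, is the place to start looking.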

Jonathan Beardsley Thu, 02/14/2013 - 10:11

I'm on with TAC on a more pressing matter. I'll respond asap with this information.

What I can say is we have problems on our guest wireless internet and a remote site internet. Clearing the xlate on the appropriate ASA 5505 for that site clears the issue in both cases. I have to do this about once or twice a week. These are two separate firewalls and two separate sites: separate, duplicate issues.

We should be sufficiently blocking any torrent or file sharing through Sophos application control on firm computers. I cannot rule out on other machines, and I'm not sure whether the firewall was configured to block this activity.

Thanks!

- Jonathan Beardsley

Jonathan Beardsley Mon, 02/18/2013 - 15:19

Jouni,

Thanks and sorry for the delayed response.

I do see a lot of connections when I run the "show conn" command. How often should these clear?

I'm not sure if I'm familiar enough with the ASA to really get what I should out of these commands.

I do have one host that has 21 connections logged in "show conn". Seems to be a lot... Does a show conn give only current connections, or all connections since last clear?

sh run timeout:

chaasa01# sh run timeout
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 10:00:00 h225 10:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

I currently only have 4 wireless clients that would be using this firewall for internet access.

Forgive my naivete on this, but I think we are just doing NAT pool with a single public IP. We are NATing the DMZ separately.

I do not believe torrents are the issue. Most of our guest wireless clients are mobile devices, anyways. I am having similar trouble with one of my remote sites. The information above was gathered on the asa that handles our Guest wireless DMZ internet access. At the remote site, the ASA handles guest as well as corporate wireless, and they lose internet completely until I do a "clear xlate".

Thanks for your help... I'm pretty green on the firewalls.

- Jonathan Beardsley

Jonathan Beardsley Fri, 02/22/2013 - 06:57

My problem was that we were hitting the 50 internal host limit. With the every day increase in mobile device usage, we were hitting the limit. I've ordered licenses for unlimited internal hosts for both offices.

Thanks,

- Jonathan Beardsley
