01-16-2008 11:59 AM - edited 03-11-2019 04:49 AM
I have a strange problem which looks to me like a DoS attack from the inside, but I can't be sure.
Symptoms:
All xlate connections used within hours.
Xlate connections start with all our servers across our WAN before moving onto all workstations.
No viruses have been found.
Looked in syslog and I can't find one single outside IP that seems to be a possible source.
Any ideas? My eyes hurt.
01-22-2008 12:33 PM
This has also happened to me anonymously. Clearing all the xlate connections using the clear xlate command solved the issue, beginning the connections from scratch.
01-22-2008 01:15 PM
I clear the xlate connections 3 times a day.
Not the solution for me. I've checked everything at all 40 offices. Don't have a clue where this is coming from. And I can admit it. Everything on the network is clean. I'm going to set up Ethereal again and monitor the inside interface to see if I can gather more clues.
What a headache.
02-14-2013 09:28 AM
Did you find a solution? I have two Firewalls I have to clear xlate on several times a week. Not really a firewall guy, but trying to learn.
Any assistance appreciated.
- Jonathan Beardsley
02-14-2013 09:55 AM
Hi,
I got to admit that I have never run into a situation where an ASA has had problems because of too many xlates. Usually there's been a need to expand a NAT pool a bit, but even if it has run out there has always been a PAT translation to which the rest of the connections fall back.
What's your firewall model?
Have you monitored your firewalls connection and xlate amounts?
Have you checked if there is a single host on the network with way too many formed connections?
What are your "timeout" values for xlates?
How many hosts (approx.) are there on your network?
What is your NAT setup?
Could file sharing (torrents) be something that's causing this?
- Jouni
02-14-2013 10:11 AM
I'm on with TAC on a more pressing matter. I'll respond asap with this information.
What I can say, is we have problems on our guest wireless internet, and a remote site internet. Clearing the xlate on the appropriate ASA 5505 for that site clears the issue in both cases. I have to do this about once or twice a week. These are two separate firewalls and two separate sites.....separate duplicate issues.
We should be sufficiently blocking any torrent or file sharing through Sophos application control on firm computers. I cannot rule out on other machines, and I'm not sure whether the firewall was configured to block this activity.
Thanks!
- Jonathan Beardsley
02-18-2013 03:19 PM
Jouni,
Thanks and sorry for the delayed response.
I do see a lot of connections when I run the "show conn" command. How often should these clear?
I'm not sure if I'm familiar enough with the ASA to really get what I should out of these commands.
I do have one host that has 21 connections logged in "show conn". Seems to be a lot...... Does a show conn give only current connections, or all connections since last clear?
sh run timeout:
chaasa01# sh run timeout
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 10:00:00 h225 10:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
I currently only have 4 wireless clients that would be using this firewall for internet access.
Forgive my naivete on this, but I think we are just doing NAT pool with a single public IP. We are NATing the DMZ separately.
I do not believe torrents are the issue. Most of our guest wireless clients are mobile devices, anyways. I am having similar trouble with one of my remote sites. The information above was gathered on the asa that handles our Guest wireless DMZ internet access. At the remote site, the ASA handles guest as well as corporate wireless, and they lose internet completely until I do a "clear xlate".
Thanks for your help......I'm pretty green on the firewalls.
- Jonathan Beardsley
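As an added example (not from this thread, and not Cisco tooling), here is a small Python script that does the two checks Jouni asked for on the output of "show conn" pasted from an ASA: it counts current connections per inside host so a runaway client stands out, and it counts the number of distinct inside addresses with open connections, which is a rough proxy for the per-host license limit that turned out to be the problem on the ASA 5505. The sample output, the interface name "inside", the threshold and the host limit are all constructed assumptions; the line layout follows the common ASA "show conn" format (protocol, interface, address:port, interface, address:port, then idle time, bytes and flags).

```python
import re
from collections import Counter

# Constructed sample of ASA "show conn" output (assumed format, not real traffic).
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:443 inside 10.10.0.21:51234, idle 0:00:05, bytes 8812, flags UIO
TCP outside 203.0.113.10:443 inside 10.10.0.21:51235, idle 0:00:07, bytes 1203, flags UIO
UDP outside 198.51.100.53:53 inside 10.10.0.21:40012, idle 0:00:01, bytes 96, flags -
TCP outside 203.0.113.44:80 inside 10.10.0.22:50001, idle 0:01:10, bytes 5100, flags UIO
TCP outside 203.0.113.44:80 inside 10.10.0.22:50002, idle 0:01:11, bytes 4990, flags UIO
TCP outside 203.0.113.44:80 inside 10.10.0.22:50003, idle 0:01:12, bytes 5020, flags UIO
TCP outside 203.0.113.44:80 inside 10.10.0.22:50004, idle 0:01:13, bytes 5011, flags UIO
UDP outside 198.51.100.53:53 inside 10.10.0.23:40100, idle 0:00:02, bytes 88, flags -
"""

# One connection line: <proto> <if> <ip>:<port> <if> <ip>:<port> ...
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>\d+\.\d+\.\d+\.\d+):(?P<port_a>\d+)"
    r"\s+(?P<if_b>\S+)\s+(?P<ip_b>\d+\.\d+\.\d+\.\d+):(?P<port_b>\d+)"
)


def parse_conns(text, inside_if="inside"):
    """Return a list of (proto, inside_ip, outside_ip) for every parsable line.

    The interface name used for the inside side is an assumption; lines that
    do not mention it on either side are skipped rather than guessed at.
    """
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        if m["if_a"] == inside_if:
            inside_ip, outside_ip = m["ip_a"], m["ip_b"]
        elif m["if_b"] == inside_if:
            inside_ip, outside_ip = m["ip_b"], m["ip_a"]
        else:
            continue
        conns.append((m["proto"], inside_ip, outside_ip))
    return conns


def conns_per_host(conns):
    """Count open connections per inside address."""
    return Counter(inside_ip for _, inside_ip, _ in conns)


def top_talkers(conns, threshold):
    """Inside hosts holding at least `threshold` connections, busiest first."""
    counts = conns_per_host(conns)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def distinct_inside_hosts(conns):
    """Number of distinct inside addresses that currently have connections."""
    return len({inside_ip for _, inside_ip, _ in conns})


def host_limit_report(conns, host_limit):
    """Compare the active inside host count against a licensed host limit.

    This is only an approximation of what the ASA itself counts toward the
    limit, but it is enough to show whether a small office is near the cap.
    """
    hosts = distinct_inside_hosts(conns)
    return {"hosts": hosts, "limit": host_limit, "at_limit": hosts >= host_limit}


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_SHOW_CONN)
    print("connections parsed:", len(conns))
    for ip, n in top_talkers(conns, threshold=3):
        print(f"host {ip} holds {n} connections")
    print(host_limit_report(conns, host_limit=50))
```

To use it on a real box, paste the output of "show conn" into a file and feed its contents to parse_conns in place of the constructed sample; raise the threshold to whatever is unusual for your network. On the ASA itself, "show local-host" gives a similar per-host connection summary without any parsing, so the script is mainly useful when you want to keep snapshots over time and see whether the same host is always at the top before the xlate table fills.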
02-22-2013 06:57 AM
My problem was that we were hitting the 50 internal host limit. With the every day increase in mobile device usage, we were hitting the limit. I've ordered licenses for unlimited internal hosts for both offices.
Thanks,
- Jonathan Beardsley