pix 535 hitting 98%

Apr 8th, 2009

We have our firewall hitting 98% on some occasions. It has a pretty huge connection count (15561), and this was usual; utilization used to stay at 50 to 60%, but suddenly it spikes up to 98% for a day and comes back to 50 the next morning.


I tried all I can, but we are not able to figure out what was happening.


But here is what the log shows:

Deny ICMP reverse path check from x.x.x.x to x.x.x.x on interface outside


We have reverse path specified on outside, and this message is the only one we have in the log, and it is supposed to be informational. Can someone help me out with this?


Thank you so much in advance


You should not be doing reverse path checking on the outside interface. Reverse path checking is typically done on interior interfaces to ensure traffic received at the FW interface was sourced from the network the FW interface is configured for. This stops interior hosts from spoofing addresses. Almost all traffic hitting the outside interface will be sourced from a different network than the outside interface IP range. So this is not needed and will be resource intensive.


mike

dbellamkonda Wed, 04/08/2009 - 12:06

Would this be the reason for high CPU?

CPU stays good for a few days and suddenly spikes up to 98 for a day. Everything seems fine.

Do you think verify path on inside would reduce our CPU utilization without any impact?

I apologize, enabling reverse path forwarding is a viable config for the outside interface. It ensures that packets sourced from the outside are not spoofed packets. Perhaps there is a large amount of spoofed traffic hitting the outside interface of your ASA.


What is the source IP of the traffic in the log message? Is it an address that is used on the inside of the ASA?


Sorry for the confusion, not sure what I was thinking about.


mike

dbellamkonda Thu, 04/09/2009 - 06:56

I think that source IP is from outside.

We had an issue a month back with an IP from inside.

Can you help me with what I should do in both cases?



The only thing I can think of is that your routing table on the ASA is routing packets received on the outside out a different interface (i.e. not the outside interface)?


It could be the following:


1) Someone is directing spoofed traffic to the outside interface; verify via commands


2) Routing on the ASA is asymmetrical causing issues


Here is a link on uRPF:


http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html


mike

dbellamkonda Fri, 04/10/2009 - 06:44

Frame drop:

Invalid TCP Length (invalid-tcp-hdr-length) 40

Invalid UDP Length (invalid-udp-length) 2418

No valid adjacency (no-adjacency) 1595

Reverse-path verify failed (rpf-violated) 3488

Flow is denied by configured rule (acl-drop) 200124160

Flow denied due to resource limitation (unable-to-create-flow) 6

First TCP packet not SYN (tcp-not-syn) 15433941

Bad TCP flags (bad-tcp-flags) 13406

Bad option length in TCP (tcp-bad-option-len) 1386

TCP data exceeded MSS (tcp-mss-exceeded) 2744046

TCP data send after FIN (tcp-data-past-fin) 29

TCP failed 3 way handshake (tcp-3whs-failed) 1089609

TCP RST/FIN out of order (tcp-rstfin-ooo) 762692

TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 35774

TCP SYNACK on established conn (tcp-synack-ooo) 5

TCP packet SEQ past window (tcp-seq-past-win) 265

TCP invalid ACK (tcp-invalid-ack) 6200

TCP replicated flow pak drop (tcp-fo-drop) 3236

TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 24

TCP Out-of-Order packet buffer full (tcp-buffer-full) 192174

TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 189557

TCP RST/SYN in window (tcp-rst-syn-in-win) 967336

TCP DUP and has been ACKed (tcp-acked) 4614408

TCP packet failed PAWS test (tcp-paws-fail) 18666

IPSEC tunnel is down (ipsec-tun-down) 429

Early security checks failed (security-failed) 17

Slowpath security checks failed (sp-security-failed) 11519

ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 48483

DNS Guard id not matched (dns-guard-id-not-matched) 194207284

Interface is down (interface-down) 252

Invalid app length (invalid-app-length) 4584


Last clearing: Never


Flow drop:

NAT failed (nat-failed) 265228

Need to start IKE negotiation (need-ike) 63888

Inspection failure (inspect-fail) 98752656

interface outside: 3488 unicast rpf drops

interface inside: 0 unicast rpf drops

interface IDMZ: 0 unicast rpf drops

interface PUB-DMZ: 0 unicast rpf drops

interface inside2-failover: 0 unicast rpf drops

interface VDMZ-SprintVPN: 0 unicast rpf drops

interface VDMZ-SprintDNS: 0 unicast rpf drops

interface VDMZ-CSG: 0 unicast rpf drops

interface intf5: 0 unicast rpf drops
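The counters posted above have "Last clearing: Never", so they are cumulative totals and say little about which drop reason is actually growing during a one-day CPU spike. The usual way to read them is to take two snapshots a few minutes apart while the spike is happening and rank the differences. The script below is an added example (not code from this thread or from Cisco): it parses text in the "show asp drop" layout and the per-interface "unicast rpf drops" lines shown above, computes the per-counter increase between two snapshots, and ranks the reasons. The two snapshots are constructed samples modelled on the excerpt in this thread; the second snapshot's values are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed snapshot modelled on a subset of the "show asp drop" output in this thread.
SNAPSHOT_T0 = """\
Frame drop:
  Reverse-path verify failed (rpf-violated)                      3488
  Flow is denied by configured rule (acl-drop)              200124160
  First TCP packet not SYN (tcp-not-syn)                     15433941
  DNS Guard id not matched (dns-guard-id-not-matched)       194207284

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                      265228
  Inspection failure (inspect-fail)                          98752656
"""

# Constructed second snapshot (hypothetical values) taken later during the spike.
SNAPSHOT_T1 = """\
Frame drop:
  Reverse-path verify failed (rpf-violated)                      3490
  Flow is denied by configured rule (acl-drop)              200124900
  First TCP packet not SYN (tcp-not-syn)                     15434041
  DNS Guard id not matched (dns-guard-id-not-matched)       194307284

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                      265230
  Inspection failure (inspect-fail)                          98752700
"""

# Constructed per-interface uRPF lines in the layout posted in the thread.
RPF_LINES = """\
interface outside: 3488 unicast rpf drops
interface inside: 0 unicast rpf drops
interface IDMZ: 0 unicast rpf drops
"""

SECTION_RE = re.compile(r"^(Frame drop|Flow drop):\s*$")
COUNTER_RE = re.compile(r"^\s*(.+?)\s+\(([\w-]+)\)\s+(\d+)\s*$")
RPF_RE = re.compile(r"^interface\s+(\S+):\s+(\d+)\s+unicast rpf drops\s*$")


def parse_asp_drop(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section: {short_name: count}} from 'show asp drop'-style text."""
    result: Dict[str, Dict[str, int]] = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result.setdefault(section, {})
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            result[section][m.group(2)] = int(m.group(3))
    return result


def parse_rpf_drops(text: str) -> Dict[str, int]:
    """Return {interface: rpf_drop_count} from 'unicast rpf drops' lines."""
    drops: Dict[str, int] = {}
    for line in text.splitlines():
        m = RPF_RE.match(line)
        if m:
            drops[m.group(1)] = int(m.group(2))
    return drops


def counter_delta(before: Dict[str, Dict[str, int]],
                  after: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Per-counter increase between two snapshots (counters that never got
    cleared are cumulative, so only the delta reflects current activity)."""
    delta: Dict[str, Dict[str, int]] = {}
    for section, counters in after.items():
        delta[section] = {}
        for name, count in counters.items():
            delta[section][name] = count - before.get(section, {}).get(name, 0)
    return delta


def top_reasons(counters: Dict[str, Dict[str, int]], n: int = 3) -> List[Tuple[str, str, int]]:
    """Rank (section, short_name, count) rows by count, largest first."""
    rows = [(s, name, c) for s, d in counters.items() for name, c in d.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:n]


if __name__ == "__main__":
    delta = counter_delta(parse_asp_drop(SNAPSHOT_T0), parse_asp_drop(SNAPSHOT_T1))
    print("Fastest-growing drop reasons between snapshots:")
    for section, name, count in top_reasons(delta):
        print(f"  {section:10s} {name:28s} +{count}")
    print("uRPF drops per interface:", parse_rpf_drops(RPF_LINES))
```

In the constructed data the cumulative leader is acl-drop, but the counter actually moving between the two snapshots is dns-guard-id-not-matched, which is the kind of difference that a single "since never cleared" listing hides; the rpf-violated counter barely moves, which matches the small per-interface uRPF total on outside.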




abhijit.kasarekar Mon, 04/13/2009 - 03:45

If there are more than 100 object groups and ACLs configured, then try the following command on your PIX:


access-list object-group-search


Thanks
