Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
3
Replies

ASA 5520 BLOCKED

Go to solution
vpancisco
Level 1
Level 1

‎05-28-2010 06:02 AM - edited ‎03-11-2019 10:52 AM

Hello world,

my ASA as detected a source of network flow (UDP broadcasting )  as ATTACK

in fact this flows had different source network address than some interfaces

resulting ASA as blocked all the NAT COMMUNICATION INBOUND and OUTBOUND

does any one know if the APPLICANCE can go to a security mod for a time by it self ??

now the broadcast flow is stop

and i run the same configuration file with a another APPLIANCE and it goes well all ready

but i want to know if  it's an ASA crash or a security mode ??

regards ...

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-28-2010 01:26 PM

Hi,

How the ASA detected such attack? Do you have thread detection?

There are many security features on the ASA to help on this situations, could you describe more in detail what happened?

Federico.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-28-2010 01:26 PM

Hi,

How the ASA detected such attack? Do you have thread detection?

There are many security features on the ASA to help on this situations, could you describe more in detail what happened?

Federico.

0 Helpful

Go to solution
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Federico Coto Fajardo

‎05-28-2010 05:24 PM

That ASA (like any L3 device) would not pass broadcasts unless you are in L2 (transparent) mode.

Something else is happening if  you ASA is in Routed mode.

Please try to explain the symptoms as Federico suggested.

I  would start by checking the logs.

PK

0 Helpful

Go to solution
vpancisco
Level 1
Level 1
In response to Federico Coto Fajardo

‎05-31-2010 12:27 AM

Thanks for your interest :

My ASA is in routed mode

with proxy cache enable for all interfaces

I have enabled the thread detection

and anti-spoofing protection

I detected a constent UDP broadcast flow with a source address network (mismatch conf from a swith from a secondary network site) logged on 2 interfaces bringing VLANs

the ASA as classified it as an ATTACK so all the paquets was dropped

and logged

Resulting ASA  stopped all forwards on the interfaces infected.

Due to the emergency service quality i decided to take another ASA to load the same conf file --> all communication gone well

But when i took the first blocked ASA and reset ,reload conf it still remind in this state untill i disable enable proxy cache ...

"My point of view " :

first : the cache arp as been corrupted

second : due to an over counting dropped paquets it crashed

finaly : due to an over counting dropped paquets it put itself on a sort of security mode and disable forwards on the infected interrfaces

regards ...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card