05-28-2010 06:02 AM - edited 03-11-2019 10:52 AM
Hello world,
My ASA has detected a source of network flow (UDP broadcasting) as an ATTACK.
In fact, these flows had a different source network address than some interfaces,
resulting in the ASA blocking all the NAT COMMUNICATION INBOUND and OUTBOUND.
Does anyone know if the APPLIANCE can go into a security mode for a time by itself??
Now the broadcast flow is stopped,
and I ran the same configuration file with another APPLIANCE and it is already working well,
but I want to know if it's an ASA crash or a security mode??
Regards ...
05-28-2010 01:26 PM
Hi,
How did the ASA detect such an attack? Do you have threat detection?
There are many security features on the ASA to help in these situations; could you describe in more detail what happened?
Federico.
05-28-2010 05:24 PM
That ASA (like any L3 device) would not pass broadcasts unless you are in L2 (transparent) mode.
Something else is happening if your ASA is in Routed mode.
Please try to explain the symptoms as Federico suggested.
I would start by checking the logs.
PK
05-31-2010 12:27 AM
Thanks for your interest:
My ASA is in routed mode
with proxy cache enabled for all interfaces.
I have enabled threat detection
and anti-spoofing protection.
I detected a constant UDP broadcast flow with a source network address (mismatched configuration from a switch at a secondary network site) logged on 2 interfaces carrying VLANs.
The ASA classified it as an ATTACK, so all the packets were dropped
and logged,
resulting in the ASA stopping all forwarding on the infected interfaces.
Due to the emergency service quality, I decided to take another ASA and load the same conf file --> all communication went well.
But when I took the first blocked ASA, reset it and reloaded the conf, it still remained in this state until I disabled/enabled proxy cache ...
"My point of view":
first: the ARP cache has been corrupted
second: due to over-counting dropped packets it crashed
finally: due to over-counting dropped packets it put itself into a sort of security mode and disabled forwarding on the infected interfaces
Regards ...
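Following PK's advice to start with the logs, here is an added example (not code from any poster in this thread): a small Python triage script over constructed ASA syslog lines that separates anti-spoofing drops (%ASA-2-106016, the message raised by the `ip verify reverse-path` check) from scanning threat-detection shuns (%ASA-4-733102), grouped per interface, and flags a source that is dropped as spoofed on several interfaces at once, which is the symptom described above. The message IDs are Cisco's documented ASA syslog IDs; the hostnames, addresses and sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ASA syslog lines (not taken from the thread): anti-spoofing
# (RPF) drops on two interfaces, then scanning threat-detection messages.
SAMPLE_LOG = """\
May 28 2010 05:58:01 asa1 %ASA-2-106016: Deny IP spoof from (10.20.0.5) to 10.0.0.255 on interface inside
May 28 2010 05:58:01 asa1 %ASA-2-106016: Deny IP spoof from (10.20.0.5) to 10.0.0.255 on interface dmz
May 28 2010 05:58:02 asa1 %ASA-2-106016: Deny IP spoof from (10.20.0.5) to 10.0.0.255 on interface inside
May 28 2010 05:58:31 asa1 %ASA-4-733101: Host 10.20.0.5 is attacking. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3000
May 28 2010 05:58:31 asa1 %ASA-4-733102: Threat-detection adds host 10.20.0.5 to shun list
"""

SPOOF_RE = re.compile(r"%ASA-2-106016: Deny IP spoof from \((?P<src>[\d.]+)\) "
                      r"to (?P<dst>[\d.]+) on interface (?P<ifc>\S+)")
SHUN_RE = re.compile(r"%ASA-4-733102: Threat-detection adds host (?P<host>[\d.]+) to shun list")

def triage(log_text):
    """Return (spoof_drops, shunned): per-interface Counter of spoofed sources,
    and the set of hosts that scanning threat detection has shunned."""
    spoof_drops = defaultdict(Counter)   # interface -> Counter(src -> drop count)
    shunned = set()
    for line in log_text.splitlines():
        m = SPOOF_RE.search(line)
        if m:
            spoof_drops[m["ifc"]][m["src"]] += 1
            continue
        m = SHUN_RE.search(line)
        if m:
            shunned.add(m["host"])
    return spoof_drops, shunned

def multi_interface_sources(spoof_drops):
    """Sources dropped as spoofed on more than one interface at once: the pattern
    of a device broadcasting with a network address that belongs behind none of them."""
    seen_on = defaultdict(set)
    for ifc, counter in spoof_drops.items():
        for src in counter:
            seen_on[src].add(ifc)
    return {src: sorted(ifcs) for src, ifcs in seen_on.items() if len(ifcs) > 1}

if __name__ == "__main__":
    drops, shunned = triage(SAMPLE_LOG)
    for ifc, counter in drops.items():
        print(ifc, dict(counter))
    print("shunned hosts:", sorted(shunned))
    print("spoofed on multiple interfaces:", multi_interface_sources(drops))
```

A source that shows up in both the 106016 drops and the 733102 shun list points at a single misconfigured device rather than at an ASA fault, and the shun entry explains why traffic from it stays blocked until it is cleared.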