07-24-2010 09:20 AM - edited 03-11-2019 11:15 AM
access-list external extended permit icmp any any log
access-list external extended permit udp host 216.211.119.10 host 170.198.64.129 eq isakmp log
access-list external extended permit udp host 216.211.119.10 host 170.198.64.129 eq 4500 log
access-list external extended permit esp host 216.211.119.10 host 170.198.64.129 log
access-list external extended permit ip host 216.211.119.10 host 170.198.64.129 log
access-list external extended permit tcp host 216.211.119.254 host 170.198.64.97 eq smtp log
access-list external extended permit tcp host 216.211.119.254 170.198.64.96 255.255.255.224 eq smtp log
access-list external extended deny ip host 216.211.119.254 170.198.64.96 255.255.255.224 log
access-list external extended permit ip any any log
access-list Firewall extended permit udp host 216.211.119.10 host 170.198.64.129 eq isakmp log
access-list Firewall extended permit udp host 216.211.119.10 host 170.198.64.129 eq 4500 log
access-list Firewall extended permit esp host 216.211.119.10 host 170.198.64.129 log
access-list Firewall extended permit ip host 216.211.119.10 host 170.198.64.129 log
access-list Firewall extended deny udp any any eq isakmp log
access-list Firewall extended deny udp any any eq 4500 log
access-list Firewall extended deny esp any any log
access-list Firewall extended permit icmp any any log
access-list Firewall extended permit ip any any log
access-group Firewall in interface external control-plane
access-group external in interface external
uRPF is NOT enabled. This ASA is running version 8.2(1). There are only two interfaces, internal and external.
"no nat-control" is enabled.
For the past couple of days, I am seeing this syslog message on my syslog server:
Jul 23 17:39:01 ASA-VPN Jul 23 2010 21:39:01: %ASA-3-313001: Denied ICMP type=4, code=0 from 195.97.148.89 on interface external
Why am I seeing this message when ICMP is allowed THROUGH and TO the firewall itself?
Anyone know why?
07-24-2010 09:46 AM
This is a type 4 code 0, which is a source quench.
From Wikipedia:
The Source Quench is an Internet Control Message Protocol message which requests the sender to decrease the traffic rate of messages to a router or host. This message may be generated if the router or host does not have sufficient buffer space to process the request, or may occur if the router or host's buffer is approaching its limit.
Now what we need to see is why the firewall is dropping this type of packet.
One quick question here:
the denies that you have been seeing in the last few days, are they of the same type and code?
Also, do you recognise the public IP mentioned in the log (any VPN peer or something like that)?
Having said that, this is an old method and is not used anymore.
I would assume this to be an attack;
probably your firewall is dropping it thinking it is an attack.
Do you have any IPS module on this firewall, or do you have threat detection configured?
07-24-2010 12:00 PM
"the denies that you have been seeing in the last few days, are they of the same type and code?"
Yes.
"Also, do you recognise the public IP mentioned in the log (any VPN peer or something like that)?"
Yes. That IP address is my SolarWinds Network Performance Monitor server. It collects data from the ASA via SNMP.
Why is the ASA denying ICMP from my Network Management System (NMS)? The larger point is why it is doing that when I have "permit ip any any log" in the ACL.
"Do you have any IPS module on this firewall, or do you have threat detection configured?"
No. I do not have an IPS module on the ASA, so threat detection is not configured.
Any other suggestions?
ASA-VPN> sh ver
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ASA-VPN up 91 days 0 hours
failover cluster up 91 days 0 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0026.cbb0.deea, irq 9
1: Ext: Ethernet0/1 : address is 0026.cbb0.deeb, irq 9
2: Ext: Ethernet0/2 : address is 0026.cbb0.deec, irq 9
3: Ext: Ethernet0/3 : address is 0026.cbb0.deed, irq 9
4: Ext: Management0/0 : address is 0026.cbb0.dee9, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: XXXXXX
Running Activation Key: XXXXXX XXXXXX XXXXXX XXXXXX XXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
ASA-VPN>
07-25-2010 05:37 AM
Do you see the drops even when you try to ping the outside IP of the firewall from the SNMP server?
I have a strong feeling that it is only denying type 4 code 0 messages.
07-25-2010 06:05 AM
I am not seeing any drop when I ping the firewall outside interface from this Network Management System.
The question is: why is it doing this? "permit icmp any any" and "permit ip any any" should be enough to allow this traffic, including ICMP type 4 code 0, to hit the external interface of the firewall, right? Why am I seeing this deny message?
07-25-2010 06:24 AM
I understand; I have read your config and I can see you are permitting ICMP.
It should not be denying it,
but what I am interested in looking at is whether it is only this type of ICMP that it is dropping, or whether it is dropping any ICMP traffic randomly.
As I said before, according to the RFC no device is supposed to send such ICMP messages, so probably it thinks it is an attack.
Can you post the following output:
show run icmp
or
show run | in icmp
Also, show threat-detection statistics
07-25-2010 06:36 AM
ASA-VPN# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 216.211.64.129 external
icmp permit host 216.211.64.130 external
icmp permit host 216.211.64.140 external
icmp permit host 216.211.64.141 external
icmp permit host 216.211.64.142 external
icmp permit 216.211.148.128 255.255.255.128 external
icmp permit host 216.211.155.205 external
icmp permit host 216.211.250.16 external
icmp permit host 171.214.219.10 external
icmp permit 195.97.148.0 255.255.255.0 external
icmp permit host 216.211.156.6 external
ASA-VPN#
ASA-VPN# show threat-detection statistics
Top Name Id Average(eps) Current(eps) Trigger Total events
1-hour ACL hits:
01 external/9 0 0 0 180
02 internal/2 0 0 0 148
03 internal/6 0 0 0 145
04 external/1 0 0 0 140
05 Firewall/9 0 0 0 1
8-hour ACL hits:
01 internal/6 0 0 0 1924
02 external/9 0 0 0 1423
03 internal/2 0 0 0 1269
04 external/1 0 0 0 1166
05 Firewall/9 0 0 0 2
24-hour ACL hits:
01 internal/6 0 0 0 5344
02 external/9 0 0 0 3928
03 internal/2 0 0 0 3753
04 external/1 0 0 0 3472
05 Firewall/9 0 0 0 9
06 internal/3 0 0 0 2
07 Firewall/3 0 0 0 1
08 external/6 0 0 0 1
ASA-VPN#
07-25-2010 09:56 PM
Can you grab a "show run policy-map", "show run service-policy" and "show service-policy"?
07-26-2010 02:55 AM
ASA-VPN# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
ASA-VPN#
ASA-VPN# sh run service-policy
service-policy global_policy global
ASA-VPN#
ASA-VPN# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 241304, drop 60, reset-drop 0
Inspect: ftp, packet 1555, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 24, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 24, drop 0, reset-drop 0
Inspect: rtsp, packet 24, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: skinny , packet 24, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 2716, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 24, drop 12, reset-drop 0
Inspect: sip , packet 12, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: netbios, packet 3859, drop 0, reset-drop 0
Inspect: tftp, packet 24, drop 12, reset-drop 0
ASA-VPN#
07-26-2010 08:43 AM
Just to make sure it's not something super simple can you try adding
policy-map global_policy
class inspection_default
inspect icmp
07-26-2010 10:32 AM
"policy-map global_policy
class inspection_default
inspect icmp"
Why do I need to do this? "permit icmp any any" & "permit ip any any" will do the same trick right?
07-26-2010 11:09 AM
Yes it should do the same thing. I just wanted to see if for some odd reason the results were any different.
My theory is that the ASA just doesn't know what to do with source quench once it receives it. Can you tell us what the 195.97.148.89 address is?
Looking at the Wikipedia article about the Source Quench, I see that the source quench should be a response to another piece of data.
http://en.wikipedia.org/wiki/ICMP_Source_Quench
| Bits 0-7 | Bits 8-15 | Bits 16-31 |
|---|---|---|
| Type = 4 | Code = 0 | Header Checksum |
| Empty (unused, 32 bits) | | |
| IP Header + First 8 Bytes of Original Datagram's Data | | |
Perhaps the ASA is not able to find what connection this Source Quench is referring to so it just drops the packet. If we look in the last field we see that the connection to be slowed should be identified by the first 8 bytes of the original datagram's data, and maybe the ASA just doesn't know what the corresponding connection is, hence the drop.
07-26-2010 12:50 PM
"Can you tell us what the 195.97.148.89 address is?"
My Network Management System (NMS), as stated earlier in the thread.
07-26-2010 01:12 PM
Hello,
Since ICMP Type 4, Code 0 messages include an embedded IP packet (the original one that the Quench corresponds to), the ASA will only permit it if it can match it to the original session (conn entry). For this to happen, ICMP Inspection must be enabled.
Andrew
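To make the explanation above concrete, here is an added Python model (not code from the thread, from Cisco, or from the ASA itself) of how a stateful ICMP inspector would treat a Source Quench: it parses the embedded IP header plus the first 8 bytes of the original datagram, derives the flow 5-tuple, and permits the message only when that flow exists in a connection table. The connection entries, ports and inner addresses are constructed samples, not values from the poster's network.

```python
import struct
from ipaddress import IPv4Address

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_source_quench(icmp):
    """Return the inner flow 5-tuple of an ICMP type 4 code 0 message, or None."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 4 or icmp[1] != 0:
        return None
    inner = icmp[8:]                       # embedded IP header + first 8 data bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    if proto not in (6, 17):               # only TCP/UDP carry ports in those 8 bytes
        return None
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)

def quench_verdict(icmp, conn_table):
    """Simplified model of stateful ICMP error inspection: permit the quench only
    if the flow it refers to is a known connection, otherwise drop it."""
    flow = parse_source_quench(icmp)
    if flow is None:
        return "drop: unparseable"
    return "permit" if flow in conn_table else "drop: no matching conn entry"

def make_quench(src, dst, proto, sport, dport):
    """Constructed ICMP Source Quench quoting an 8-byte UDP header as original data."""
    inner = ipv4_header(src, dst, proto, 8) + struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 4, 0, 0, 0) + inner

# Constructed connection table: one SNMP reply flow the firewall has seen.
CONN_TABLE = {(17, "170.198.64.129", 161, "195.97.148.89", 50000)}
KNOWN_FLOW = make_quench("170.198.64.129", "195.97.148.89", 17, 161, 50000)
UNKNOWN_FLOW = make_quench("170.198.64.129", "195.97.148.89", 17, 161, 40404)

if __name__ == "__main__":
    print(quench_verdict(KNOWN_FLOW, CONN_TABLE))    # permit
    print(quench_verdict(UNKNOWN_FLOW, CONN_TABLE))  # drop: no matching conn entry
```

Without inspection the quench is just an ICMP packet with no conn entry to attach to, which is the situation the thread is describing for the ASA.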
07-26-2010 01:16 PM
Where do you see this in the documentation?
I need to enable ICMP inspection even for traffic destined for the firewall interface?