Possible IKE starvation attack

Dear Friends,

Possibly, I am facing an IKE starvation attack on my ASA 5550, which has 3000 tunnels; when the issue occurs it touches 5k+ due to duplicate SAs, resulting in high CPU. Please help analyse.

WI-GSMC-FORD-FW001# show processes

    PC         SP         STATE      Runtime    SBASE      Stack        Process
Mrd 08064cc5   23e11a1c   09f6cfb4   121141078  23e0deb8   7368/16384   IKE Daemon

WI-GSMC-FORD-FW001# show proc cpu-usage non-zero

PC         Thread       5Sec     1Min     5Min   Process

08064cc5   1c5a42f0    56.5%    49.5%    25.4%   IKE Daemon

WI-GSMC-FORD-FW001# show processes cpu-usage sorted

PC         Thread       5Sec     1Min     5Min   Process

08064cc5   1c5a42f0    56.5%    49.5%    25.4%   IKE Daemon

WI-GSMC-FORD-FW001# show processes memory

     Allocs        Allocated        Frees            Freed   Process
  133488289   41475063393467    657482165    1458804983288   IKE Daemon
  217803927     569601130748   2178023909      69598573064   vpnfol_thread_timer

WI-GSMC-FORD-FW001# show processes internals

     Invoked      Giveups   Max_Runtime   Process
  2792259432   2783311168      8560.011   ssm4ge_cfg_poll_thread
  1722975056     10473577       301.055   IKE Daemon

WI-GSMC-FORD-FW001# show conn count

6713 in use, 38327 most used

WI-GSMC-FORD-FW001# show crypto isakmp sa

Active SA: 5763

Rekey SA: 7 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 5770

show traffic

Max is on Outside interface input traffic = 40 Kbytes

WI-GSMC-FORD-FW001# show xlate count

54 in use, 55 most used

WI-GSMC-FORD-FW001# sho asp drop

Frame drop:
  Unsupported IP version (unsupported-ip-version)                              4
  No valid adjacency (no-adjacency)                                           41
  Reverse-path verify failed (rpf-violated)                              7395306
  Flow is denied by configured rule (acl-drop)                           1833326
  Invalid SPI (np-sp-invalid-spi)                                         136322
  First TCP packet not SYN (tcp-not-syn)                                    5735
  Bad TCP flags (bad-tcp-flags)
  TCP data send after FIN (tcp-data-past-fin)                                  1
  TCP failed 3 way handshake (tcp-3whs-failed)                              7605
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 4756
  TCP invalid ACK (tcp-invalid-ack)                                           14
  TCP replicated flow pak drop (tcp-fo-drop)                                 121
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  29
  IPSEC tunnel is down (ipsec-tun-down)                                     2054
  ICMP Error Inspect no existing
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     66
  Interface is down (interface-down)                                         445
  Dropped pending packets in a closed socket (np-socket-closed)               86

Last clearing: Never

Flow drop:
  NAT failed (nat-failed)                                                     96
  Need to start IKE negotiation (need-ike)                               3345034
  Inspection failure (inspect-fail)                                           80

Last clearing: Never

WI-GSMC-FORD-FW001# show version

Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.3(3)

Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "startup-config"

WI-GSMC-FORD-FW001 up 15 days 22 hours
failover cluster up 29 days 22 hours

Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0  : address is 0026.9986.988e, irq 9
1: Ext: GigabitEthernet0/1  : address is 0026.9986.988f, irq 9
2: Ext: GigabitEthernet0/2  : address is 0026.9986.9890, irq 9
3: Ext: GigabitEthernet0/3  : address is 0026.9986.9891, irq 9
4: Ext: Management0/0       : address is 0026.9986.988d, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Not used            : irq 5
7: Ext: GigabitEthernet1/0  : address is 0026.9926.00c4, irq 255
8: Ext: GigabitEthernet1/1  : address is 0026.9926.00c5, irq 255
9: Ext: GigabitEthernet1/2  : address is 0026.9926.00c6, irq 255
10: Ext: GigabitEthernet1/3  : address is 0026.9926.00c7, irq 255
11: Int: Internal-Data1/0    : address is 0000.0003.0002, irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 250      
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
Security Contexts              : 2        
GTP/GPRS                       : Disabled 
SSL VPN Peers                  : 2        
Total VPN Peers                : 5000     
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled 

This platform has an ASA 5550 VPN Premium license.


Suspecting: if the box has a 5000-peer license, then it should crack when it reaches 70% (i.e. 3500 tunnels) of the listed value.

Best Regards,

Rajiv

2 Replies

WI-GSMC-FORD-FW001# show conn count

6713 in use, 38327 most used

Go ahead and restrict the embryonic conns. I do not think that is responsible for the high CPU since you have a 5550, but it might help you.

The following command will help you determine who has so many half-opened connections, if there is someone.

show local-host | include host|count/limit      

There are

Active SA: 5763

Are you restricting your peers, or are you using 0.0.0.0 in your pre-shared key?

I hope it helps.

Firstly, high CPU can be expected if you go anywhere near the 5000 mark; sometimes, depending on how much other traffic you have, you can expect the performance to be affected even before the 5000 mark is reached.

Now, if you feel you should have 3000 peers, let's see why you have 5000+ phase 1 SAs; let's find out if we have duplicate SAs or whether they are some remote access users trying to make a connection.

Try this:

show cry isa sa | in

Once you have an IP which has duplicate SAs, let's have more details about it:

show vpn-sessiondb detail remote filter p-ipaddress or show vpn-sessiondb detail l2l filter

This will tell us about the session.

Also, just a small query to understand your network: were any changes made to your network before you started seeing this? It can be anything like acquiring a new company or disbanding a company, etc.

Just to understand why there is so much fluctuation in VPN sessions.
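The second reply's approach (look at the per-peer `IKE Peer:` lines of `show crypto isakmp sa` and find peers that hold more than one established phase 1 SA) and the original poster's 70%-of-license rule of thumb can both be checked offline against a saved copy of the output. The script below is an added example written for this thread, not code from Cisco or from either poster. It assumes the block layout ASA 8.2 uses for `show crypto isakmp sa` (a numbered `IKE Peer:` line followed by `Type`, `Role`, `Rekey` and `State` fields); the sample output and peer addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout assumed for "show crypto isakmp sa" on
# ASA 8.2: summary header, then one numbered block per IKE SA.
# Peer addresses are documentation ranges, made up for this example.
SAMPLE_OUTPUT = """\
   Active SA: 5
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 6

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
4   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE
5   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
6   IKE Peer: 192.0.2.44
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# A block starts with "<n>   IKE Peer: <address>".
PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
# The two lines that follow carry two "Key : value" pairs each.
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")


def parse_ike_sas(text):
    """Return one dict per IKE SA: peer, type, role, rekey, state."""
    sas = []
    current = None
    for line in text.splitlines():
        match = PEER_RE.match(line)
        if match:
            current = {"peer": match.group(1)}
            sas.append(current)
            continue
        if current is not None:
            for key, value in FIELD_RE.findall(line):
                current[key.lower()] = value
    return sas


def duplicate_peers(sas):
    """Peers holding more than one established (non-rekey) phase 1 SA.

    A peer in the middle of a rekey legitimately shows one Rekey=yes and one
    Rekey=no SA, so only the Rekey=no entries are counted; anything above one
    is a duplicate that is costing CPU without carrying an extra tunnel.
    """
    counts = Counter(sa["peer"] for sa in sas if sa.get("rekey") == "no")
    return {peer: n for peer, n in counts.items() if n > 1}


def license_headroom(total_sa, licensed_peers, threshold=0.70):
    """Apply the poster's rule of thumb: trouble past 70% of the peer license.

    Returns (ceiling, over) where ceiling is the SA count at the threshold.
    """
    ceiling = int(licensed_peers * threshold)
    return ceiling, total_sa > ceiling


def report(text, licensed_peers):
    """Summarise an output capture: SA total, duplicate peers, license pressure."""
    sas = parse_ike_sas(text)
    ceiling, over = license_headroom(len(sas), licensed_peers)
    return {
        "total_sa": len(sas),
        "duplicates": duplicate_peers(sas),
        "ceiling": ceiling,
        "over_threshold": over,
    }


if __name__ == "__main__":
    summary = report(SAMPLE_OUTPUT, licensed_peers=5000)
    print("Total IKE SAs:", summary["total_sa"])
    for peer, n in sorted(summary["duplicates"].items()):
        print(f"duplicate SAs: {peer} holds {n} established phase 1 SAs")
    print("Over 70% of license:", summary["over_threshold"],
          f"(ceiling {summary['ceiling']})")
```

On the thread's own numbers (Total IKE SA: 5770 against a 5000-peer license) `license_headroom(5770, 5000)` reports the 3500 ceiling as exceeded, and running `report()` over a real capture lists exactly the peer addresses the second reply asks to follow up with `show vpn-sessiondb detail ... filter`.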