ASA 5500 disable UDP connection tracking

satish.txt1
Level 1

We have many SIP servers behind an ASA 5500 firewall. When we get some kind of small SIP attack or more traffic, it fills my connection table and starts dropping packets. Can I disable connection tracking for UDP or SIP? I know the ASA is a stateful firewall, but can I tell it not to track connections for a specific ACL?

I did a quick check on the ASA, and the following is the traffic we are inspecting. If there is no UDP/SIP inspection there, then who is filling the connection table?

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect icmp

Here is the connection table output. I can see UDP traffic and my SIP port 6050. How can I tell it not to track UDP connections?

fw1/act# show conn
366629 in use, 650039 most used
UDP outside 188.16.1.180:48145 inside 63.91.252.112:6065, idle 0:00:00, bytes 784, flags -
UDP outside 93.170.181.204:11862 inside 63.91.252.112:6065, idle 0:00:00, bytes 796, flags -
UDP outside 194.44.127.194:49526 inside 63.91.252.112:6065, idle 0:00:00, bytes 1226, flags -
UDP outside 5.166.44.120:46668 inside 63.91.252.112:6065, idle 0:00:00, bytes 814, flags -


satish.txt1
Level 1

Any help here, folks?

Hi Satish,

The connection table on the ASA lists the connections passing through the ASA. It is not related to whether the traffic is inspected or not. Inspection is mainly about allowing return traffic and doing a detailed packet lookup based on the service associated with that inspection.

Therefore you would always see the connections in the connection table. However, you could implement per-client-max connections, which means your ASA would allow only a certain number of simultaneous connections from a specific host:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.
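To see which sources and ports are actually occupying the table, the `show conn` output quoted in the question can be aggregated offline. The script below is an added example for this thread (not code from the posts or from Cisco): it parses `show conn` lines, counts connections by protocol, destination port and source IP, reports which sources exceed a given per-client limit (the ones a `set connection per-client-max` under a class in the ASA policy-map would cap, as suggested in the reply above), and shows how many UDP sources hold only a single connection, which is the case a per-client cap cannot help with. The SAMPLE text is constructed in the format of the poster's output; the 198.51.100.x and 203.0.113.x addresses are hypothetical.

```python
"""Aggregate ASA `show conn` output to see what is filling the connection table.

Added example for this thread, not code from the original posts or from Cisco.
SAMPLE is constructed in the format of the poster's `show conn` output; the
198.51.100.x and 203.0.113.x entries are hypothetical additions.
"""
import re
from collections import Counter

# One `show conn` entry, e.g.
# UDP outside 188.16.1.180:48145 inside 63.91.252.112:6065, idle 0:00:00, bytes 784, flags -
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<src_if>\S+)\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+),\s+"
    r"idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)\s*$"
)

# Constructed sample (same format as the poster's output; counts are small on purpose).
SAMPLE = """\
fw1/act# show conn
8 in use, 650039 most used
UDP outside 188.16.1.180:48145 inside 63.91.252.112:6065, idle 0:00:00, bytes 784, flags -
UDP outside 188.16.1.180:48146 inside 63.91.252.112:6065, idle 0:00:00, bytes 790, flags -
UDP outside 188.16.1.180:48147 inside 63.91.252.112:6065, idle 0:00:01, bytes 802, flags -
UDP outside 93.170.181.204:11862 inside 63.91.252.112:6065, idle 0:00:00, bytes 796, flags -
UDP outside 194.44.127.194:49526 inside 63.91.252.112:6065, idle 0:00:00, bytes 1226, flags -
UDP outside 5.166.44.120:46668 inside 63.91.252.112:6065, idle 0:00:00, bytes 814, flags -
TCP outside 198.51.100.7:51234 inside 63.91.252.112:443, idle 0:00:03, bytes 5120, flags UIO
UDP outside 203.0.113.9:40001 inside 63.91.252.112:53, idle 0:01:40, bytes 120, flags -
"""


def idle_seconds(idle):
    """Convert the h:mm:ss idle column to seconds."""
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn(text):
    """Return one dict per connection line; the prompt and summary lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["src_port"] = int(d["src_port"])
        d["dst_port"] = int(d["dst_port"])
        d["bytes"] = int(d["bytes"])
        d["idle_s"] = idle_seconds(d["idle"])
        conns.append(d)
    return conns


def summarize(conns):
    """Connection counts by protocol, by (protocol, destination port) and by source IP."""
    return {
        "by_proto": Counter(c["proto"] for c in conns),
        "by_dst_port": Counter((c["proto"], c["dst_port"]) for c in conns),
        "by_src_ip": Counter(c["src_ip"] for c in conns),
    }


def over_per_client_max(conns, limit):
    """Sources holding more than `limit` connections, i.e. the ones that a
    `set connection per-client-max <limit>` on the ASA would cap."""
    by_src = Counter(c["src_ip"] for c in conns)
    return {ip: n for ip, n in by_src.items() if n > limit}


def source_spread(conns, proto="UDP"):
    """(distinct sources, sources holding a single connection) for one protocol.
    A flood from random or spoofed sources shows up as mostly single-connection
    sources, which a per-client cap cannot touch."""
    by_src = Counter(c["src_ip"] for c in conns if c["proto"] == proto)
    singles = sum(1 for n in by_src.values() if n == 1)
    return len(by_src), singles


if __name__ == "__main__":
    conns = parse_conn(SAMPLE)
    s = summarize(conns)
    print("by protocol:", dict(s["by_proto"]))
    print("top destination ports:", s["by_dst_port"].most_common(3))
    print("top sources:", s["by_src_ip"].most_common(3))
    print("sources above per-client-max 2:", over_per_client_max(conns, 2))
    print("UDP sources / single-connection sources:", source_spread(conns))
```

Run it against a saved `show conn` dump instead of SAMPLE to get the real breakdown. If most UDP sources show up once with near-zero idle time, the table is being filled by source diversity rather than by a few heavy clients, and a per-client limit will not reduce the count; if a handful of sources dominate, a per-client cap on that class is what shrinks the table.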

We have clients worldwide; I can't restrict them based on per-client-max connections, it may break the application.

It's very strange that the ASA doesn't have an option to exclude a specific protocol or ACL from connection tracking.

Hi Satish,

The connection count, or number of connections, also helps to understand the reason for high CPU. When we say connection count, it actually shows how many connections are currently active on the ASA.

Disabling connection tracking means you would not even be able to troubleshoot whether particular traffic is passing through the ASA or not. I am sure you don't want that, and the whole point of the ASA tracking malicious traffic would be gone.

Also, disabling it for a specific protocol defeats the whole point of understanding oversubscription of the hardware.


Hope it answers your concern.

Regards,

Akshay Rastogi


Akshay,

I just want to know: can we disable connection tracking? Currently that firewall isn't useful anyway, also as regards troubleshooting; we are just using it to allow specific ports like VoIP and 80/443. We disabled all other features in the firewall like threat detection, DDoS, etc.

I just want to know whether we can disable connection tracking (yes/no).

Our firewall CPU is very low, but the problem is that our application uses UDP ports and it's filling the connection table.

Currently we are using an iptables firewall because it has an option to disable connection tracking.

No, it cannot be done. You cannot disable connection tracking for UDP sessions on the ASA, plain and simple.

It would be worth exploring options to mitigate the attack, but as far as disabling session tracking goes, it cannot be done.

Mike. 

Mike,

That means it's a drawback of the ASA.

If someone sends a small DDoS from random IPs that still hit a valid application port and IP, it will literally fill the connection table; with UDP it is very easy to forge/spoof the source IP.

Hi Satish,

I believe this is not a drawback. It is not about filling the connection table; it is also about security. Security does not always revolve around the number of connections.

As you mentioned, if someone sends a small DDoS: in that case, if the ASA did not track connections, you would never get to know that any connection exists for that UDP traffic. That is how the ASA works.

Regards,

Akshay Rastogi

@akshay Thanks!

Last question: can I reserve connection table entries for a specific IP? In case the connection table is full but I want to reach in, it would still allow my IP.

Hi Satish,

It is not possible to exempt a specific IP when the connection table is full. The connection table is a combination of all the connections passing through the ASA.

Regards,

Akshay Rastogi
