
ASA TCP connection drop

Hi,

We have been investigating the 'connection drops' for some critical Internet-bound applications for quite a while now. During the investigation, we have seen some weird error messages on the Cisco ASA 5525. It continuously generates "connection timed out, Removing rule" log messages in the syslog. We could see that the IPs of the applications under investigation also fall in these syslog messages.

Initially, we suspected the TCP timeouts, so we increased the TCP timeouts for certain IPs to '0', so that they never time out. But still the timeout messages for the same IPs are visible very frequently in the syslog messages.

Please have a look at the attached log and advise.

ASA 5525, Version 9.5(1)

Saif 


The direct syslog on the ASA has the syslog ID as follows:

Error Message %ASA-5-338303: Address ipaddr (name) timed out, Removing rule

Explanation: An IP address that was discovered from the dynamic filter rule table was removed.

• ipaddr: the IP address from the DNS reply
• name: the domain name

Recommended Action: None required.

Could someone explain more on this??

Hi Saifuddin,

By any chance, are we using any botnet filtering on the ASA?

If yes could you share the related config ?

Also check your DNS config on the ASA, as DNS failures can cause the botnet filter to be unable to verify the DNS snooping data, causing the ASA to drop traffic.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

Yes, you are correct. We are doing botnet filtering and DHCP snooping. We suspect that the DHCP snooping is causing this whole menace. Do you know of any way to exclude some specific domains from snooping?

Saif

Hi Saif,

You can add those domains to the Whitelist manually using the following command:

https://supportforums.cisco.com/document/33011/asa-botnet-configuration#Never_block_addresses:

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

1. For the command 

#dynamic-filter whitelist

 #name <>

what are the options for the <>? Can we use regular expressions here to specify all the subdomains of a parent domain? e.g. for msn.com and all its associated sub domains, can we use expression like "*.msn.com"?

2. After whitelisting some of the domains, I see some weird type of syslog messages:

First it times out the whitelisted domain as if it were not whitelisted:

Address 74.109.89.93 (otp.actnet.com) timed out. Removing rule

then, after a few minutes, we receive the following message on the syslog:

Address 74.109.89.93 discovered for domain otp.actnet.com from whitelist. Adding rule

Please advise

Saif
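The remove/add oscillation described in the last post is easier to judge from a whole syslog export than from two pasted lines. The following is an added example, not code from the thread or from Cisco: a small Python parser that reads ASA dynamic-filter lines in the direct-syslog format shown above (with or without the %ASA-5-338303 ID quoted from the message documentation earlier in the thread; the thread gives no ID for the "Adding rule" message, so the parser keys on the message text) and reports, per address and domain, how many times the rule was removed and re-added, from which list it was re-added, and the shortest gap between a removal and the next re-add. The sample lines, hostname asa-5525, and timestamps are constructed for the example; the address 74.109.89.93 / otp.actnet.com pair is the one from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not the log attached to the original post), in the
# direct-syslog format Saif pasted. Two carry the %ASA-5-338303 ID quoted from
# the message documentation; the "Adding rule" lines carry no ID because the
# thread does not give one. Both "timed out." and "timed out," spellings appear
# on the page, so both are accepted.
SAMPLE_LOG = """\
Jun 01 10:00:01 asa-5525 %ASA-5-338303: Address 74.109.89.93 (otp.actnet.com) timed out. Removing rule
Jun 01 10:04:17 asa-5525 Address 74.109.89.93 discovered for domain otp.actnet.com from whitelist. Adding rule
Jun 01 10:09:30 asa-5525 %ASA-5-338303: Address 74.109.89.93 (otp.actnet.com) timed out, Removing rule
Jun 01 10:12:02 asa-5525 Address 203.0.113.7 (cdn.example.net) timed out. Removing rule
Jun 01 10:13:45 asa-5525 Address 74.109.89.93 discovered for domain otp.actnet.com from whitelist. Adding rule
Jun 01 10:20:00 asa-5525 Address 198.51.100.9 discovered for domain bad.example.org from blacklist. Adding rule
"""

# Timestamp, reporting host, optional "%ASA-<sev>-<id>: " prefix.
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?:%ASA-\d-\d+: )?"
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
REMOVE_RE = re.compile(_PREFIX + r"Address " + _IP +
                       r" \((?P<name>[^)]+)\) timed out[.,] Removing rule$")
ADD_RE = re.compile(_PREFIX + r"Address " + _IP +
                    r" discovered for domain (?P<name>\S+) from (?P<list>\w+)[.,] Adding rule$")


def parse_events(text):
    """Return (timestamp, action, ip, name, list) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = REMOVE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, "remove", m["ip"], m["name"], None))
            continue
        m = ADD_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, "add", m["ip"], m["name"], m["list"]))
    return events


def summarise(events):
    """Per (ip, name): removal and re-add counts, the lists that re-added it,
    and the shortest removal-to-re-add gap in seconds (None if never re-added)."""
    stats = defaultdict(lambda: {"removed": 0, "added": 0, "lists": set(), "min_readd_s": None})
    last_removed = {}
    for ts, action, ip, name, lst in sorted(events, key=lambda e: e[0]):
        entry = stats[(ip, name)]
        if action == "remove":
            entry["removed"] += 1
            last_removed[(ip, name)] = ts
        else:
            entry["added"] += 1
            entry["lists"].add(lst)
            if (ip, name) in last_removed:
                gap = (ts - last_removed.pop((ip, name))).total_seconds()
                if entry["min_readd_s"] is None or gap < entry["min_readd_s"]:
                    entry["min_readd_s"] = gap
    return dict(stats)


def churning_whitelist_entries(stats):
    """(ip, name) pairs that were timed out and then re-added from the whitelist:
    the oscillation reported in the last post."""
    return sorted(k for k, v in stats.items()
                  if "whitelist" in v["lists"] and v["removed"] and v["added"])


if __name__ == "__main__":
    stats = summarise(parse_events(SAMPLE_LOG))
    for ip, name in churning_whitelist_entries(stats):
        v = stats[(ip, name)]
        print(f"{name} ({ip}): removed {v['removed']}x, re-added {v['added']}x, "
              f"fastest re-add after {v['min_readd_s']:.0f}s")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents. A whitelisted entry that keeps appearing in churning_whitelist_entries with short re-add gaps shows that the address is expiring from the dynamic-filter table and being re-learned from DNS replies, which is the table maintenance the 338303 documentation quoted above describes, not a TCP connection timeout; the ASA's TCP idle timeouts have no bearing on it.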
