Community Member

ASA 5520 BLOCKED

Hello world,

My ASA has detected a source of network flow (UDP broadcasting) as an ATTACK.

In fact, these flows had a different source network address than some interfaces.

As a result, the ASA has blocked all the NAT COMMUNICATION INBOUND and OUTBOUND.

Does anyone know if the APPLIANCE can go into a security mode for a time by itself?

Now the broadcast flow has stopped,

and I ran the same configuration file on another APPLIANCE and it goes well already,

but I want to know if it's an ASA crash or a security mode?

regards ...

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA 5520 BLOCKED

Hi,

How did the ASA detect such an attack? Do you have threat detection?

There are many security features on the ASA to help in these situations; could you describe in more detail what happened?

Federico.

3 REPLIES

Cisco Employee

Re: ASA 5520 BLOCKED

That ASA (like any L3 device) would not pass broadcasts unless you are in L2 (transparent) mode.

Something else is happening if your ASA is in Routed mode.

Please try to explain the symptoms as Federico suggested.

I would start by checking the logs.

PK

Community Member

Re: ASA 5520 BLOCKED

Thanks for your interest:

My ASA is in routed mode

with proxy cache enabled for all interfaces.

I have enabled threat detection

and anti-spoofing protection.

I detected a constant UDP broadcast flow with a source address network (mismatched conf from a switch from a secondary network site) logged on 2 interfaces bringing VLANs.

The ASA has classified it as an ATTACK, so all the packets were dropped

and logged.

As a result, the ASA stopped all forwarding on the infected interfaces.

Due to the emergency service quality, I decided to take another ASA to load the same conf file --> all communication went well.

But when I took the first blocked ASA and reset it and reloaded the conf, it still remained in this state until I disabled and enabled proxy cache ...

"My point of view":

first: the ARP cache has been corrupted

second: due to an overcount of dropped packets it crashed

finally: due to an overcount of dropped packets it put itself into a sort of security mode and disabled forwarding on the infected interfaces

regards ...
