746 Views, 0 Helpful, 3 Replies

ASA 5545-X with IPS generating DHCPDiscover packets

marceloyoshioka
Level 1

I am installing a brand new Cisco ASA 5545-X with IPS and for some reason, even after a "configure factory-default", one of the interfaces (Gi0/6) is generating DHCP Discover packets.

I have already checked all the other interfaces and only Gi0/6 has this behavior. Keep in mind that the switch interfaces have the same config for all the firewall ports (like the one below). Does anyone have an idea of what is happening on this firewall to generate this traffic even with no specific config?

=============================================

Some traffic captured from this firewall

19:23:34.540527 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:c7:22:f3:35:68, length 548
19:23:34.540549 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:c7:22:f3:35:68, length 548
19:23:34.540572 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:c7:22:f3:35:68, length 548

=============================================

SWITCH INTERFACES FOLLOW THIS TEMPLATE...

interface eth1/1
  switchport access vlan 10
  speed 1000
  duplex full

=============================================

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.1(2)8
Device Manager Version 7.1(5)

Compiled on Fri 30-Aug-13 15:13 PDT by builders
System image file is "disk0:/asa912-8-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 33 mins 39 secs

Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz, 1 CPU (8 cores)
            ASA: 6144 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-PLUS-T020
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0025
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

 0: Int: Internal-Data0/0    : address is e4c7.22f3.355f, irq 11
 1: Ext: GigabitEthernet0/0  : address is e4c7.22f3.3564, irq 5
 2: Ext: GigabitEthernet0/1  : address is e4c7.22f3.3560, irq 5
 3: Ext: GigabitEthernet0/2  : address is e4c7.22f3.3565, irq 10
 4: Ext: GigabitEthernet0/3  : address is e4c7.22f3.3561, irq 10
 5: Ext: GigabitEthernet0/4  : address is e4c7.22f3.3566, irq 5
 6: Ext: GigabitEthernet0/5  : address is e4c7.22f3.3562, irq 5
 7: Ext: GigabitEthernet0/6  : address is e4c7.22f3.3567, irq 10
 8: Ext: GigabitEthernet0/7  : address is e4c7.22f3.3563, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is e4c7.22f3.355f, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 300            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 2500           perpetual
Total VPN Peers                   : 2500           perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Enabled        perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA5545 VPN Premium license.

Serial Number: xxxxxxxxxx
Running Permanent Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 11:15:20.849 UTC Thu Jan 16 2014
ciscoasa#

=============================================

ciscoasa# sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545            FCH17387H07
 ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS        FCH17387H07
cxsc Unknown                                      N/A                FCH17387H07

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   0 e4c7.22f3.355f to e4c7.22f3.3568  1.0          2.1(9)8      9.1(2)8
 ips e4c7.22f3.355d to e4c7.22f3.355d  N/A          N/A          7.1(8)E4
cxsc e4c7.22f3.355d to e4c7.22f3.355d  N/A          N/A

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips IPS                            Up               7.1(8)E4
cxsc Unknown                        No Image Present Not Applicable

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Up                 Up
cxsc Unresponsive       Not Applicable

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Enabled         perpetual

ciscoasa#

=============================================

ciscoasa# sh run
: Saved
:
ASA Version 9.1(2)8
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http server idle-timeout 5
http server session-timeout 5
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcprelay timeout 60
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#

=============================================

ciscoasa#  sh int | i line|packets
Interface GigabitEthernet0/0 "", is up, line protocol is up
        0 packets input, 0 bytes, 0 no buffer
        0 packets output, 0 bytes, 0 underruns
Interface GigabitEthernet0/1 "", is up, line protocol is up
        0 packets input, 0 bytes, 0 no buffer
        0 packets output, 0 bytes, 0 underruns
Interface GigabitEthernet0/2 "", is up, line protocol is up
        0 packets input, 0 bytes, 0 no buffer
        0 packets output, 0 bytes, 0 underruns
Interface GigabitEthernet0/3 "", is up, line protocol is up
        0 packets input, 0 bytes, 0 no buffer
        0 packets output, 0 bytes, 0 underruns
Interface GigabitEthernet0/4 "", is up, line protocol is up
        0 packets input, 0 bytes, 0 no buffer
        0 packets output, 0 bytes, 0 underruns
Interface GigabitEthernet0/5 "", is up, line protocol is up
        0 packets input, 0 bytes, 0 no buffer
        0 packets output, 0 bytes, 0 underruns
Interface GigabitEthernet0/6 "", is up, line protocol is up
        2 packets input, 128 bytes, 0 no buffer
        87 packets output, 51678 bytes, 0 underruns
Interface GigabitEthernet0/7 "", is up, line protocol is up
        0 packets input, 0 bytes, 0 no buffer
        0 packets output, 0 bytes, 0 underruns
Interface Management0/0 "management", is down, line protocol is down
        0 packets input, 0 bytes, 0 no buffer
        1 packets output, 42 bytes, 0 underruns
        0 packets input, 0 bytes
        1 packets output, 28 bytes
        0 packets dropped
        Management-only interface. Blocked 0 through-the-device packets
ciscoasa#

=============================================
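One thing worth checking before the TAC case, as an added triage example (not part of the original post and not Cisco tooling): the client MAC in the capture, e4:c7:22:f3:35:68, is not the burned-in address of Gi0/6 (e4c7.22f3.3567) or of any other listed interface, but it does fall inside the slot 0 MAC range that `sh module` prints (e4c7.22f3.355f to e4c7.22f3.3568). The script below makes that cross-check mechanical: it parses the tcpdump lines and the interface list from `sh ver`, then reports, per client MAC, how many Discovers were sent, how tightly they were spaced, which interface (if any) owns the MAC, whether it is inside the chassis range, and which real interface MAC is nearest. The sample inputs are constructed from the values quoted in the post; the script does not claim to know why the appliance sends the packets.

```python
"""Attribute DHCP Discover packets seen in a tcpdump capture to ASA interface MACs.
Added example; sample inputs below are constructed from the values in the post."""
import re
from collections import defaultdict

# Constructed sample: the three tcpdump lines quoted in the post.
CAPTURE = """\
19:23:34.540527 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:c7:22:f3:35:68, length 548
19:23:34.540549 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:c7:22:f3:35:68, length 548
19:23:34.540572 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e4:c7:22:f3:35:68, length 548
"""

# Constructed sample: interface lines from 'show version' in the post.
SHOW_VERSION = """\
 0: Int: Internal-Data0/0    : address is e4c7.22f3.355f, irq 11
 1: Ext: GigabitEthernet0/0  : address is e4c7.22f3.3564, irq 5
 2: Ext: GigabitEthernet0/1  : address is e4c7.22f3.3560, irq 5
 3: Ext: GigabitEthernet0/2  : address is e4c7.22f3.3565, irq 10
 4: Ext: GigabitEthernet0/3  : address is e4c7.22f3.3561, irq 10
 5: Ext: GigabitEthernet0/4  : address is e4c7.22f3.3566, irq 5
 6: Ext: GigabitEthernet0/5  : address is e4c7.22f3.3562, irq 5
 7: Ext: GigabitEthernet0/6  : address is e4c7.22f3.3567, irq 10
 8: Ext: GigabitEthernet0/7  : address is e4c7.22f3.3563, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
12: Ext: Management0/0       : address is e4c7.22f3.355f, irq 0
"""

# Slot 0 MAC range from 'show module' in the post.
MODULE_MAC_RANGE = ("e4c7.22f3.355f", "e4c7.22f3.3568")

CAPTURE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \S+ > \S+: BOOTP/DHCP, Request from "
    r"(?P<mac>[0-9a-fA-F:]{17}), length (?P<len>\d+)"
)
IFACE_RE = re.compile(
    r"^\s*\d+: (?:Int|Ext): (?P<name>\S+)\s*: address is (?P<mac>[0-9a-fA-F.]+), irq"
)


def mac_to_int(mac):
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff' and return the 48-bit value."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def mac_to_cisco(value):
    """Render a 48-bit value in the dotted form the ASA CLI prints."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ts_to_us(ts):
    """'HH:MM:SS.ffffff' -> integer microseconds since midnight (avoids float rounding)."""
    h, m, s = ts.split(":")
    whole, _, frac = s.partition(".")
    return ((int(h) * 60 + int(m)) * 60 + int(whole)) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def parse_capture(text):
    """Return [(microseconds, client_mac_int, length)] for each DHCP Request line."""
    out = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line.strip())
        if m:
            out.append((ts_to_us(m["ts"]), mac_to_int(m["mac"]), int(m["len"])))
    return out


def parse_interface_macs(text):
    """Return {mac_int: [interface names]} from 'show version' output."""
    owners = defaultdict(list)
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            owners[mac_to_int(m["mac"])].append(m["name"])
    return dict(owners)


def attribute_dhcp_clients(capture_text, show_version_text, module_range):
    """Per client MAC: packet count, burst span, owning interface(s), range check, nearest MAC."""
    owners = parse_interface_macs(show_version_text)
    lo, hi = (mac_to_int(x) for x in module_range)
    per_mac = defaultdict(list)
    for ts_us, mac, _length in parse_capture(capture_text):
        per_mac[mac].append(ts_us)
    report = {}
    for mac, stamps in per_mac.items():
        # Nearest burned-in address, ignoring the 0000.0001.xxxx internal placeholders.
        real = [(abs(mac - other), other) for other in owners if other >> 24 != 0]
        dist, near = min(real) if real else (None, None)
        report[mac_to_cisco(mac)] = {
            "count": len(stamps),
            "span_us": max(stamps) - min(stamps),
            "interfaces": owners.get(mac, []),
            "in_module_range": lo <= mac <= hi,
            "nearest_interface": (owners[near][0], dist) if near is not None else None,
        }
    return report


if __name__ == "__main__":
    for mac, info in attribute_dhcp_clients(CAPTURE, SHOW_VERSION, MODULE_MAC_RANGE).items():
        print(mac, info)
```

On the post's data the report shows three Discovers 45 microseconds apart from e4c7.22f3.3568, owned by no named interface, inside the slot 0 range, and one address above Gi0/6. That is exactly the kind of detail to hand to TAC along with the capture, since it narrows the question to which component inside the chassis is using that address.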

3 Replies

David White
Cisco Employee

This should not be happening.  Please open a TAC case for further investigation here.

Thanks,

David.

David, I will open that case and as soon as I have a conclusion I will post here...

Thanks

Marcelo

Thanks Marcelo.

David.
