07-02-2013 02:07 PM - edited 03-11-2019 07:06 PM
Hi Everyone,
Found this about troubeshooting ASA connections--
ciscoasa# show perfmon
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 2236/s 321/s
TCP Conns 2236/s 321/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept Established Conns 0/s 0/s
TCP Intercept Attempts 0/s 0/s
TCP Embryonic Conns Timeout 1012/s 4/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
VALID CONNS RATE in TCP INTERCEPT: Current Average
N/A 95.00%
ciscoasa# show conn
52121 in use, 52121 most used
TCP outside 17.24.101.118:26093 inside 192.168.1.111:80, idle 0:00:23, bytes 0, flags aB
TCP outside 111.76.36.109:23598 inside 192.168.1.111:80, idle 0:00:13, bytes 0, flags aB
TCP outside 24.185.110.202:32729 inside 192.168.1.111:80, idle 0:00:25, bytes 0, flags aB
TCP outside 130.203.2.204:56481 inside 192.168.1.111:80, idle 0:00:29, bytes 0, flags aB
TCP outside 39.142.106.205:18073 inside 192.168.1.111:80, idle 0:00:02, bytes 0, flags aB
TCP outside 75.27.223.63:51503 inside 192.168.1.111:80, idle 0:00:03, bytes 0, flags aB
TCP outside 121.226.213.239:18315 inside 192.168.1.111:80, idle 0:00:04, bytes 0, flags aB
What seems to be the cause of this attack and the intermittent access to the web server?
Regards
Mahesh
Solved! Go to Solution.
07-02-2013 02:15 PM
Hi Mahesh,
This would seem like a SYN flood judging by the output.
The few connections shown in the "show conn" output are all at the same state. And basically the ASA has seen a TCP SYN from "outside" and has also seen TCP SYN ACK from the "inside" server as is to be expected but no actual last TCP ACK from the host that has sent the initial TCP SYN.
The "show perfmon" output also confirms this as there is a very high rate at which new TCP connections are built on the ASA. There is also a very high Embryonic Conns Timeout which to my understanding refers to connections that were not fully formed with the Three Way Handshake of TCP (TCP SYN -> TCP SYN,ACK -> TCP ACK)
Basically your server is overloaded by the SYN flood. Depending on your ASA model the ASA might also be under heavy load. In some cases I have even seen the ASA reach the maximum connection amount for the hardware and stop accepting connections.
- Jouni
07-02-2013 03:45 PM
Hi,
Yes, you can set the maximum connections for the server.
I guess it basically requires you to:
You can also set the maximum embryonic connections.
You can also set the max connections and max embryonic connections on a per client basis which basically means that you can limit the connections so that if alot of the SYN traffic is coming from multiple same hosts then they will be more efficiently limited.
I am not sure how many different source addresses the TCP SYNs were coming from. I would imagine there are numerous different IPs so it would be impossible to make any kind of other configuration to limit the connections. Naturally you can temporarily deny traffic to that server from Internet so that the ASA wont even build a connections for those attempts. This should possibly give you time to implement some configurations to mitigate the effects of the SYN Flood.
Here is a link to the Command Reference of ASA 8.2 software which lists the different values you can set
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045
- Jouni
07-02-2013 02:15 PM
Hi Mahesh,
This would seem like a SYN flood judging by the output.
The few connections shown in the "show conn" output are all at the same state. And basically the ASA has seen a TCP SYN from "outside" and has also seen TCP SYN ACK from the "inside" server as is to be expected but no actual last TCP ACK from the host that has sent the initial TCP SYN.
The "show perfmon" output also confirms this as there is a very high rate at which new TCP connections are built on the ASA. There is also a very high Embryonic Conns Timeout which to my understanding refers to connections that were not fully formed with the Three Way Handshake of TCP (TCP SYN -> TCP SYN,ACK -> TCP ACK)
Basically your server is overloaded by the SYN flood. Depending on your ASA model the ASA might also be under heavy load. In some cases I have even seen the ASA reach the maximum connection amount for the hardware and stop accepting connections.
- Jouni
07-02-2013 02:50 PM
Hi Jouni,
Thanks for the reply so to fix issue like this we should config the TCP intercept with connection limit to server might be one of the options to fix this issue right?
Regards
Mahesh
07-02-2013 03:45 PM
Hi,
Yes, you can set the maximum connections for the server.
I guess it basically requires you to:
You can also set the maximum embryonic connections.
You can also set the max connections and max embryonic connections on a per client basis which basically means that you can limit the connections so that if alot of the SYN traffic is coming from multiple same hosts then they will be more efficiently limited.
I am not sure how many different source addresses the TCP SYNs were coming from. I would imagine there are numerous different IPs so it would be impossible to make any kind of other configuration to limit the connections. Naturally you can temporarily deny traffic to that server from Internet so that the ASA wont even build a connections for those attempts. This should possibly give you time to implement some configurations to mitigate the effects of the SYN Flood.
Here is a link to the Command Reference of ASA 8.2 software which lists the different values you can set
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1424045
- Jouni
07-03-2013 09:07 AM
Many thanks Jouni,
Regards
Mahesh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide