I recently had the case at one of my customers that the ASA Service Module in their core switch was making trouble. The symptoms were massive packet loss for valid connections and also problems with high availability (the failover cluster fell apart multiple times, with both modules being in the same chassis).
During troubleshooting, we found one (one!) PC in a segment which had a Perl script running. The script sent loads of small UDP packets, as many as the PC could generate. This host was located inside and tried to send to the internet; those packets were denied and also generated lots of syslog messages (because of the deny).
As soon as the host was removed from the network, the problems disappeared.
I want to ask:
Is this normal, expected behaviour? A single PC can knock out the ASASM?
What methods can you think of to mitigate this beforehand?
I searched the configuration guide of the ASASM and only found log rate-limiting, which I'd like to try out (I don't know yet if the logging was the reason for the problems at all, but that's my guess at the moment). Any other ideas?
Regarding your suggestions: TCP normalization stuff and connection limits are both not applicable. This is because the specific connection which triggered the failure was denied by the ASASM in the first place. So these techniques wouldn't come into action, because they only apply to allowed connections.
The shun feature might prevent the excessive logging (I didn't try it out). But I would still prefer a solution where I wouldn't have to run into the problem first before I can place the countermeasure. In other words: I would like to configure the ASASM in a way which prevents it from being knocked out by a single host.
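Since the thread mentions log rate-limiting and shun, here is an added example (not from any poster) of the ASA-side controls I would look at first: capping the syslog rate for the ACL-deny message and enabling threat detection so that a flooding host is reported and shunned automatically. Message ID 106023 is the standard ACL-deny syslog; the rates, the exception subnet and the shun duration are illustrative values that would need tuning for the real environment.

```cisco
! Limit how many ACL-deny messages (106023) the ASA emits per second, so a
! flood of denied packets cannot saturate the logging subsystem.
logging rate-limit 100 1 message 106023
! Alternative: cap a whole severity level instead of a single message ID.
! logging rate-limit 1000 1 level 4
! Console logging is synchronous and expensive; never leave it on in production.
no logging console
! Basic threat detection tracks drop rates (including ACL drops) and raises
! a syslog when the average or burst rate is exceeded.
threat-detection basic-threat
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
! Scanning threat detection can shun a host the ASA classifies as a scanner
! without manual intervention; exempt management subnets from the shun.
threat-detection scanning-threat shun duration 3600
threat-detection scanning-threat shun except ip-address 10.0.0.0 255.255.255.0
```

Rate-limiting the syslog only reduces logging load; the ASA still has to inspect and drop every packet, so verify with `show threat-detection rate` and the logging statistics whether logging was actually the bottleneck.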
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...