Troubleshooting

ray_stone
Level 1

Hi,

We have installed an ASA 5505 in the datacenter and configured two zones, DMZ and Inside. The app servers are placed in the DMZ and the DB servers are placed in the Inside zone. One unmanaged switch is connected to the DMZ interface of the FW and a second one to the Inside interface. We are experiencing many issues in the datacenter network, getting very delayed responses while working on the servers and facing very strange behaviour. I ran the sh interface dmz stats command on the FW and the report is attached for your reference. I am assuming the number of dropped packets is huge, but I need your feedback in this regard as well. Please help and post your feedback. Thanks!!!

6 Replies

andrew.prince
Level 10

Do you have an ASL on the DMZ interface? I would also check to make sure your NAT is correct - perhaps you could post your config for review.

HTH>

Hi, may I know first what ASL is? I have checked the NAT commands, which are configured properly. I am seeing a very interesting thing: the shun command is enabled for three servers, two of which are in the DMZ and one in Inside, and all traffic is being blocked according to the syslog output. When I run the no shun command for all three servers, the servers become accessible, but after some time I see that the shun command is enabled again for all three servers. Please do the needful on a priority basis.

The Configuration file is attached for your reference.

Thanks.

Ray,

The shun command allows a dynamic response to an attacking host by preventing new connections and disallowing packets from any existing connection. So I would remove this for the DMZ - and then re-test connectivity.

HTH>

Yes, I have removed it, and at that moment I am able to access all servers. But after some time I see in the syslogs that a shun has again been established and all traffic is being blocked. Please suggest.

For the servers you know are OK, write a shun exception rule.

hth>

Hi,

I'm still fairly new to ASAs, so this might not be the only case; however, one case where a shun is automatically applied is for port-scanning attacks:

fw-ASA5505(config)# threat-detection scanning-threat ?

configure mode commands/options:

shun Keyword to enable shunning over hosts conducting scanning

This information that I'm posting is related to an ASA 5505; however, I'm sure other ASAs have the same type of functionality (and better).

As far as I can see, any other shun entries (base license, no extra modules) would have to be added manually. There is also basic IPS for info/attack signatures (some of which, I was told, could be triggered by a defective NIC or a computer infected with a trojan/virus); however, the 5505 doesn't allow you to shun based on one of those signatures being detected. It allows one or all of three actions: drop (the packet is dropped), reset (reset the entire connection) or alarm (syslog).

Regarding info/attack signatures, have a look at ip audit. This is from my own config:

fw-ASA5505(config)# show run ip audit info

ip audit info action alarm drop

fw-ASA5505(config)# show run ip audit attack

ip audit attack action alarm reset

fw-ASA5505(config)#
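Tying the two suggestions above together (andrew.prince's "write a shun exception rule" and the explanation that threat-detection scanning-threat shun is what adds hosts to the shun list automatically), here is an added configuration example for an ASA 5505. It is not taken from anyone's posted config in this thread. The object-group name TRUSTED-SERVERS, the server addresses (192.0.2.10/11 for the two DMZ app servers and 198.51.100.10 for the inside DB server, taken from the RFC 5737 documentation ranges) and the 600-second shun duration are assumptions; substitute the real addresses from the attached configuration.

```cisco
! Added example, not from the thread. Addresses and names are hypothetical.
! Servers that must never be shunned automatically by scanning-threat detection.
object-group network TRUSTED-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object host 198.51.100.10
!
! Basic threat detection is enabled by default and only logs.
threat-detection basic-threat
!
! Enabling scanning-threat with the "shun" keyword is what silently shuns hosts.
! The "except" clause is the shun exception: these hosts are still counted as
! scanners and logged, but never added to the shun list.
threat-detection scanning-threat shun except object-group TRUSTED-SERVERS
!
! Cap how long an automatic shun stays in place, in seconds (assumed value;
! the default is 3600).
threat-detection scanning-threat shun duration 600
!
! Verification and cleanup from enable mode (not config mode):
!   show threat-detection shun          - hosts currently shunned by threat detection
!   show shun                           - every active shun, manual or automatic
!   show threat-detection statistics host - per-host rates that drive shunning
!   clear threat-detection shun         - drop automatic shuns (re-added if detection fires again)
```

The key point for this thread is the "except" clause: "no shun" only removes the current entry, and the host is re-shunned as soon as the scanning-threat rate is exceeded again, which is exactly the loop described in the posts above. The exception keeps the known-good servers reachable while leaving scanning detection on for everything else, and the syslog messages that threat detection still emits for those hosts are worth reviewing, since a legitimate server tripping the scanning threshold usually points at something like a misbehaving NIC, a duplicate IP on the unmanaged switches, or a compromised host rather than at the firewall.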
