New Member

ASA-55XX Botnet Support

I recently received my 30-day trial license for Botnet filtering on my ASA-5505. I followed the instructions in the document that I found here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-532091.html

There were a couple of issues with submitting commands that I would like assistance with:

Step 1. I did NOT enter "domain-name mydomain.cisco.com" into the ASA as I had previously setup my domain name.

Step 6. The command "match port udp eq domain" failed with the following:

Result of the command: "match port udp eq domain"

match port udp eq domain
  ^
ERROR: % Invalid input detected at '^' marker.

Step 6. So I tried "class-map match port udp eq domain" and received the following:

Result of the command: "class-map match port udp eq domain"

class-map match port udp eq domain
                ^
ERROR: % Invalid input detected at '^' marker.

Step 6. So that command does not appear to work properly.

Step 6. The command "inspect dns dynamic-filter-snoop" results in:

Result of the command: "inspect dns dynamic-filter-snoop"

inspect dns dynamic-filter-snoop
  ^
ERROR: % Invalid input detected at '^' marker.

So, all the other commands seemed to work properly and the ASA accepted them, just not these two under Step 6.

I also appear to be having an issue downloading the database file. The following is under Monitoring/Botnet Traffic Filter/Updater Client:

Dynamic Filter updater client is enabled
Updater server url is https://update-manifests.ironport.com
Application name: trafmon, version: 1.0
Encrypted UDI: (REMOVED)
Last update attempted at 13:45:48 UTC Jul 22 2009,
  with result: Failed to connect to updater server
Next update is in 00:17:51
No database file

So if there is no database file, how does it update it? Well, in looking under Monitoring/Botnet Traffic Filter/Dynamic Database shows this:

Dynamic Filter will use dynamic database downloaded from server.
Total entries in Dynamic Filter database:
  Dynamic data: 0 domain names , 0 IPv4 addresses
  Local data: 0 domain names , 0 IPv4 addresses
Active rules in Dynamic Filter asp table:
  Dynamic data: 0 domain names , 0 IPv4 addresses
  Local data: 0 domain names , 0 IPv4 addresses

So, I see that DNS snooping is working, but on the "Reports" page, I don't see any data. Just a bunch of blank squares where the data should be.

Any advice would be GREATLY appreciated. This is on our internal system, so not a huge deal. Good thing I'm trying it out prior to selling/installing at a clients' site!

Thank you!

Chris Wardell

ABC Technologies

Ok, updater just completed:

Dynamic Filter updater client is enabled
Updater server url is https://update-manifests.ironport.com
Application name: trafmon, version: 1.0
Encrypted UDI: (REMOVED)
Last update attempted at 14:45:53 UTC Jul 22 2009,
  with result: Downloaded file successfully
Next update is in 00:57:02
Database file version is '965' fetched at 14:45:53 UTC Jul 22 2009, size: 887876

So that's working, but still no data on the graphs....

3 REPLIES
Silver

Re: ASA-55XX Botnet Support

Hi cjonwardell,

Sorry for the delay in responding. The ASA 5500 series is a Cisco Classic product. This forum is for Cisco Small Business Products.

For more help regarding the ASA 5500 Series product, please click here.

Best regards,

Cindy Toy

Cisco Small Business Support

Community Manager

Regards, Cindy

If my response answered your question, please mark the response as answered. Thank you!
New Member

Re: ASA-55XX Botnet Support

Hi,

I had the same problem about the database fetch...

My problem was because I used a private IP address on the outside interface (default gateway interface), because my ASA tried to reach the IronPort database through the outside interface (default).

I tried adding a static route to the IP that "update-manifests.ironport.com" resolved to at the time I was testing, but without success.

ASA1# ping update-manifests.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
!!!!!

ASA1# show dynamic-filter updater-client
Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Application name: threatcast, version: 1.0
Encrypted UDI: 0**...**b
Last update attempted at 01:14:37 ECT Dec 20 2010,
  with result: Failed to connect to updater server
Next update is in 00:01:54
No database file

It was not the solution...

I think I will need to change the private to public or nat in another router.


I tested this configuration on another ASA with a public IP address on the interface that manages the default gateway, and it worked perfectly...

ASA2# show dynamic-filter updater-client
Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Application name: threatcast, version: 1.0
Encrypted UDI: 0****a
Last update attempted at 02:55:01 GTM Dec 20 2010,
  with result: Downloaded file successfully
Next update is in 00:59:48
Database file version is '1292830321' fetched at 02:55:01 GTM Dec 20 2010, size: 2097132

Patricio S.

New Member

ASA-55XX Botnet Support

Looks like I've found a solution.

I have changed

dns domain-lookup inside (security level 100)

to

dns domain-lookup outside (security level 0)

before

show dynamic-filter updater-client

Dynamic Filter updater client is enabled

Updater server URL is https://update-manifests.ironport.com

Application name: threatcast, version: 1.0

Last update attempted at 22:30:38 EEDT Apr 24 2013,

  with result: Failed to connect to updater server

after

show dynamic-filter updater-client

Dynamic Filter updater client is enabled

Updater server URL is https://update-manifests.ironport.com

Application name: threatcast, version: 1.0

Last update attempted at 22:43:12 EEDT Apr 24 2013,

  with result: Downloaded file successfully

Next update is in 00:59:48

Database file version is '1366819742' fetched at 22:43:12 EEDT Apr 24 2013, size: 2097150
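The two failures in this thread have different causes, and a single configuration illustrates both. The Step 6 errors in the original post come from entering `match port udp eq domain` and `inspect dns ... dynamic-filter-snoop` at the global prompt: `match` is a class-map subcommand and `inspect` is a policy-map class subcommand, which is why the caret sits under the first word in each error. The download failures in the replies were the updater client having no usable path to the IronPort server, fixed here as in the last reply by pointing `dns domain-lookup` at the outside interface (the reply before it also notes that an outside interface with an unroutable private address needs NAT upstream). The following is an added example of the complete Botnet Traffic Filter configuration, not a snippet from any post in the thread or from the Cisco white paper linked above; the interface names `inside`/`outside`, the DNS server address 192.0.2.53 and the class-map/policy-map names are assumptions.

```cisco
! Botnet Traffic Filter on an ASA 5500 (added example; names and addresses are assumed)
!
! 1. The updater client resolves update-manifests.ironport.com itself, so the ASA
!    needs a DNS server reachable through the interface it will use (the last
!    reply's fix: lookup on "outside", not "inside"). 192.0.2.53 is a placeholder.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! 2. Enable the dynamic database download and its use for classification.
dynamic-filter updater-client enable
dynamic-filter use-database
!
! 3. DNS snooping. The "match" line is only valid inside class-map mode, and
!    "inspect ... dynamic-filter-snoop" only inside a policy-map class; entering
!    either at the global prompt produces the "Invalid input" error seen above.
class-map dynamic-filter_snoop_class
 match port udp eq domain
!
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
!
! 4. Apply snooping on the interface where DNS replies arrive, then enable
!    classification of traffic on that interface.
service-policy dynamic-filter_snoop_policy interface outside
dynamic-filter enable interface outside
!
! Verification (exec mode), in the order a practitioner would check them:
!   show dynamic-filter updater-client   -> "Downloaded file successfully" and a
!                                           database file version, as in the replies
!   show dynamic-filter dns-snoop        -> cached DNS replies, proof snooping runs
!   show dynamic-filter statistics       -> per-interface counts; stays zero until
!                                           the database is loaded and traffic hits it
```

Until `show dynamic-filter updater-client` reports a database file version, the Dynamic Database and Reports pages will show zeros and empty graphs even though DNS snooping is already working, which matches the original poster's observation; the reports only populate once classified traffic matches entries in a loaded database.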
