Possible Sudden Uptick in ASA DOS?

Eddie Tardist edtardist at gmail.com
Fri Jul 10 19:56:50 UTC 2015


On Fri, Jul 10, 2015 at 3:31 PM, Paul Hoogsteder <mailings at meanie.nl> wrote:

> On 09-07-15 23:51, Nick Hilliard wrote:
>
>> On 09/07/2015 22:35, Ricky Beam wrote:
>>
>>> "Free" if you have a support contract.
>>>
>> No, free-as-in-beer.
>>
>> You register a guest CCO account, email tac at cisco.com, provide the device
>> serial number (or output of "show hardware") and the bugid + Cisco PSIRT
>> URL reference. Cisco TAC will then provide you with a download link with
>> fixed software, at no cost to you.  It's not a pain in the ass - it works
>> fine.
>>
>> Nick
>>
>>
> And while that's the general procedure for almost all Cisco products,
> there is even a faster way for the ASA:
>
> - register a CCO account
> - in ASDM choose Tools > Check for ASA/ASDM Updates
> - follow the onscreen instructions
>
> Paul.


Hello Gentlemen,

I had a crashing ASA 5585-S40 yesterday and it is still crashing today. Box
is up to date, I have similar setups on LAX and on east coast and I only
see the problem on west coast on circuits connected to Level3 traffic. I
have a couple tickets still open with Cisco staff. They have added some
dataplane protection which minimized the instability, but I don't know if
it's a coincidence or effective, since it's not that often but 5585-S40
boxes are still crashing.

If anyone got any update on what's going on please share. I have replaced
one critical box with a Juniper one but I can't do it for all my sites
promptly so.

So far what I found is that it's related to protocol 132 (sctp?). I have
tried to filter 132 but no success. I can't just filter source address
since it's legit, and proto 132 filtered traffic still reaches the box up
to the point it leads to the problem (if in fact it's sctp related).

It looks like I'm back to the 90's since it seems like a single packet attack.
I can't see volumetric deviations, I can't see unusual patterns, proto 132
starts showing up and nothing goes wrong, suddenly I get the crash, no
matter if it's been a couple minutes with some proto 132 traffic or if the
traffic just started this second... the only "coincidence" is proto 132
popping up without any further specific pattern.

Weird and keeps happening.


