Cisco Firewall :: ASA 8.4.1 SSH Timeout Vulnerability?
Feb 20, 2013
Faced this recent vulnerability?
[URL]
My understanding is that for ASA 8.4.1 and prior, there's a vulnerability that opening many ssh sessions and one of them times out, the firewalls crashes!
As we have many customers with ASA using 8.2.5(26) (for example) I'd like a confirmation that for fixing that bug I need to upgrade my ASA image to at least 8.4.x.Case that, I believe that all the former firewall configuration must be reviewed because 8.2.x version has many different commands that 8.4.x (for example, NAT)
View 19 Replies
ADVERTISEMENT
Nov 26, 2012
ASA 8.2(5), uauth absolute timeout is disabled and inactivity timeout is set to 48 hours:
timeout xlate 48:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 48:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
Users still get kicked out every 8 hours and they have to reauth. This is a logging message:
%ASA-5-109012: Authen Session End: user 'john', sid 839, elapsed 28801 seconds
View 1 Replies
View Related
Dec 9, 2012
if SSH v1 is considered vulnerable why is it still enabled by default on the ASA 8.4 by default?What is the vulnerability impact of using SSH v1 on an ASA?
View 1 Replies
View Related
Feb 28, 2012
i am using asa821-k8.bin image, in my cisco 5520, How can i check if my IOS is vulnerable ?
View 4 Replies
View Related
Oct 3, 2012
I would like to know something with more accuration about idle timeout configuration. In particular why is impossible to set "half-closed connections" to a value lower than 5 minutes neither through a policy-map? In my particular scenario, my asa is used to nat mobile phones traffic, it should be advisable to use less than 5 minutes
In my configuration I've set the timers as follows:
.
timeout xlate 0:15:00
timeout pat-xlate 0:00:30
timeout conn 0:14:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
[Code].....
View 4 Replies
View Related
Jan 31, 2012
I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1).It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.
View 7 Replies
View Related
Jun 4, 2012
I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up a RDP based connection, for monitoring purposes, for a most of the day, but thier RDP connection keeps getting discounnted after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glsring differences in regards to the configuration that would cuase the RDP sessions to either to stay up or be disconnected after an inactivity type scenario.
What to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time.
View 2 Replies
View Related
Aug 30, 2011
I have a 5505 for a small business that has one web server. The web server has a static NAT entry to an IP address and not an interface. There is an access rule allowing any HTTP traffic to the outside IP of the web server. From the web server I can't access the Internet.
All other computers on the network can access the Internet using a dynamic nat rule that uses the outside interface. The web server is accessible from a computer behind the firewall.
If I delete the static NAT entry for the web server I can get on the Internet.
I have turned debugging on and see that an outbound connection is built and then 30 seconds later the connection is torn down with the bytes 0 SYN Timeout message.
I am running 8.0(5).
View 3 Replies
View Related
Oct 25, 2011
I configured multiple vlan on my Cisco ASA5520. Everything work perfectly except RDP (3389) connections. The connections are established but but after a period of inactivity, the user is disconnected from server (black screen). The same problem happens with other type of connections (client/server), exemple : Oracle, file sharing. Before installing the ASA, computers and servers were in the same vlan and it worked well.
There's a notion of inter vlan timeout connection ?
View 5 Replies
View Related
Aug 18, 2011
What does a pinhole timeout indicate? [code]
ASA 5505 8.4(2)
View 2 Replies
View Related
Oct 18, 2012
I would like to understand someting about the behaviour of ASA with our traffic scenario and the management of tcp sessions.
1) In particular we noticed that we have connections with the flags Fin without any acknowledgement. The session is silent (the bytes counters aren't incremented) but it remains in the session table as an established connection with the idle timeout of an established conn.
We have about 20% (60K on 300K total) of conns in this state: at our eyes it seems to be an incorrect behaviour...
TCP OUTSIDE 62.149.128.151:110 INSIDE 10.254.158.12:61527, idle 0:11:36, bytes 433, flags UFIO
TCP OUTSIDE 17.151.0.200:443 INSIDE 10.254.229.94:52367, idle 0:01:25, bytes 4597, flags UfIO
TCP OUTSIDE 184.169.79.33:443 INSIDE 10.255.249.146:60143, idle 0:10:39, bytes 5590, flags UFIO
TCP OUTSIDE 157.55.235.158:80 INSIDE 10.170.37.102:62421, idle 0:00:53, bytes 1770, flags UfIO
2) On the connections considered as half -closed we have received an ack to the fin (r or R flag is present), we would like to set the idle timeout to a value lower than 5 minutes but we were not able to reach that result
timeout pat-xlate 0:00:30
timeout conn 0:10:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
!
access-list timeoutClass extended permit tcp any any eq www
access-list timeoutClass extended permit tcp any any eq 8080
class-map timeoutClass
match access-list timeoutClass
class timeoutClass
3) And this type of conns with a Fin on both side that I'm not able to understand... with an ack on one of the side how can I have the other fin??
TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51236, idle 0:11:28, bytes 10536, flags UfFIO
TCP OUTSIDE 69.171.247.38:443 INSIDE 10.168.139.244:51234, idle 0:12:22, bytes 9070, flags UfFIO
TCP OUTSIDE 88.40.119.73:36962 INSIDE 10.255.93.162:36875, idle 0:13:27, bytes 3562, flags UfFIO
View 3 Replies
View Related
Feb 15, 2013
We had an issue the other day where doing backups through the firewall (don't ask) caused the "control" session to timeout while the backups were still going on over the "data" connection. This broke the backup about two hours into the job. My first thought was that the backup solution vendor should implement some kind of tcp keepalive for the control connection. A packet capture showed they indeed were -- after 2 hours! Ah ha! Busted! How could they choose such a poor choice of TCP keepalive timer for their application that would not be compatible with the 60 minute inactivity timer that so many firewall vendors use (Cisco, Juniper, Checkpoint and Fortinet all use a default 60 minute inactivity timer for TCP)?
Well, a colleague of mine pointed out that there is actually an old RFC that covers this. RFC 1122. It says:
Keep-alive packets MUST only be sent when no data or acknowledgement packets have been received for the connection within an interval. This interval MUST be configurable and MUST default to no less than two hours.
Now I know that RFC is old (October 1989), but that's all I could find. Is there something that supercedes that? Maybe common sense perhaps? I understand not wanting to fill up your connection table because of mis-behaving applications, but I'm just looking for ammunition to use against the backup solution vendor. Surely they're going to point to this RFC.
ASA(config)# timeout conn ?
configure mode commands/options:
0:0:0 | <0:5:0> - <1193:0:0> Idle time after which a TCP connection state
will be closed, default is 1:00:00
<0-0> Specify this value to never time out
View 1 Replies
View Related
Jun 2, 2010
When users are VPN connected their telnet sessions timeout after an hour of inactivity. Looking at the connections on the firewall they are showing as idle. Is there a configuration change or something else that has to be modified?
View 2 Replies
View Related
Aug 23, 2012
I am on version 8.2(1) of ASA Code.When accessing a SQL server on a secure internal interface,(Traffic is sourcing from DMZ) i'm getting some timeouts on the initial connection on port 1433. All subsequent connections work fine. Packet tracer shows the connection builds properly, and shouldn't have a connectivity issue. The problem server is a webserver that connects back through the firewall to access the SQL server on port 1433. We also have many other webservers in the DMZ which access the same SQL server, but do not have the same timeout issues. Here are my timeouts, from the config
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
arp timeout 14400
I've seen a couple articles about increasing the tcp timeout to 3 hours for the DMZ interface?
View 1 Replies
View Related
Apr 13, 2011
How to verify on the asa 5510 , the vpn-idle timeout,is running on default setting(30mts)
View 3 Replies
View Related
May 14, 2012
I have ASA 5510 with 8.2.4 and 8.0.x OS and all seem to have common problem of idle TCP connections not timing out. The host to host connections are coming over VPN tunnels. I have default timeouts on all the firewalls. I have tried changing global timeouts and as well as host specific timeouts using MPF but doesn't work at all ! The problem is when TCP connections are sitting idle in conn table for days and when connection limit of 50,000 conns reach the firewall starts behaving unpredictably dropping packets or unresponsive! I need the unused idle connections to timeout which is NOT happening either by changing global values or MPF.
View 1 Replies
View Related
Mar 29, 2011
I am using a Pix 515 with IOS 8.0(3).I have in my access list on the outside interface.......access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo-reply.......in order to allow ping requests and ping replies into my inside network. This certainly works since I can ping the inside from outside and vice versa, but in the ASDM display of access rules, the hit count for these two lines is always zero. If I run 'show access-list', the hit count for these lines is non-zero.
Why doesn't the hit count show up in the ASDM gui display?Also, I have read that the PIX does not treat ICMP in the same way as TCP or UDP and there is no stateful behaviour towards ICMP. However, if I set up a continuous ping from outside to inside and then disable the above access list rule allowing echo requests towards the inside, the ping continues whereas I would expect it to stop.
In the config there is 'timeout icmp 00:00:02' if there is no stateful connection for ICMP, why is there a timeout value for it?
View 4 Replies
View Related
Jul 19, 2007
I have an ASA5505 running ver 8.0(2). I have configured the ssh timeout, ssh host commands and did the crypt o key gen. I am unable to access the device from the host I am allowing. Is there like ca save all command required? I am trying to use the default pix and telnet password. Do those still work?
View 3 Replies
View Related
Oct 15, 2011
Our client tried to a download a real time generated file from a website, the generation process around 5 mins, after 5 mins, the file will be started to download
When my client direct connect to internet, the file can be download successfully, but when pass through the ASA 5510 and using the internal IP address, a message something like "Are you sure want to logout from this web page?" appears in Safari after 5 mins, i think the time of the error message appear when a "you can start to download" message send from the server to client, the page session timeout so that make the user cannot download the file from internet as the session is not vaild.
I couldn't find any timeout setting in "show runn", is it possible the setting in ASDM? how can I find it and configure it?
View 5 Replies
View Related
Mar 16, 2012
I would like to perform vulnerability scan on Cisco switch and router.Is there any free vulnerability scan tool recommended for Cisco device ?
View 2 Replies
View Related
Apr 19, 2012
We have ASR1002 routers configured to run individual SubPackages, at this point everything is operating without problems.We just received a Cisco Security Advisory informing us SSHv2 is vulnerable in our version of router code.We have to upgrade to the recommended stable release, so we downloaded, installed and expanded the IOS to expose the SubPackages on the ASR routers bootflash.
Since we are running SubPackages, do we need to upgrade all SubPackages (I.E. complete IOS upgrade) of can we just upgrade the vulnerable SubPackage? How do you determine which SubPackage contains the SSHv2 application?
View 2 Replies
View Related
Nov 28, 2012
Version: Cisco ASA 5510 8.4(4)1
I've installed cisco asa 5510.
When I "show local-host all detail connection "
Normal situation:
105 myfailover:10.255.255.2/0 NP Identity Ifc:10.255.255.1/0,
idle 0s, uptime 1D14h, timeout 2m0s, bytes 18196822
But I got this output ( timeout - )
[URL]
View 0 Replies
View Related
Jul 19, 2012
I had a bad expirience with Switch 3750-X. Because of an auditing security processess, my customer ran a software called "Nessus" to do a scanning of vulnerability on the network. When this software is point to switch, the process of the switch will next to 100% and reset. The software only do a listening on the ports to see what ports are opened and the switch should not reset because this. Bellow is the log os switch on the moment of test; we note that the processess 'HTTP' rise moments before the switch reset. I disable the HTTP service on switch but the problem persist. The test was made only one machine connected to switch.
View 4 Replies
View Related
Oct 10, 2012
We had a PCI security audit of an existing VIP on our ACE 4710. The VIP is set up as HTTPS terminating on the ACE with a http redirect for all 80 traffic. The audit reported this VIP was vunerabled to the Cisco "IOS HTTP Authorization Vulnerability". Which basicly states, http Management is on this IOS device. It does not make any sense, as the VIP is pointed to a pair IIS servers?
[URL]
View 2 Replies
View Related
Feb 16, 2011
Nature of the vulnerability that FW 1.31 is said to correct?
View 5 Replies
View Related
Jan 4, 2012
I have a DIR-600 C1 running the latest available firmware version (3.03).
Model: DIR-600
Hardware Version: C1
Firmware Version: 3.03
WiFi Protected Setup is turned ON.I would like to know if it is affected by the new disclosed vulnerability described here:[URL] Also, turning WiFi Protected Setup OFF may not assist to mitigate this vulnerability?
View 2 Replies
View Related
Apr 14, 2013
Apparently there is a vulnerability issue which was just discovered with TP-LINK TL-WR841N wireless router running firmware version: 3.13.9 Build 120201 Rel.54965n and below,as described here: [URL] and here: [URL] there latest firmware 3.13.27 Build 121101 Rel.38183n already addressing this issue or is there any other planned correction expected to address this vulnerability issue ?
View 5 Replies
View Related
Apr 9, 2011
I was informed by a co-worker that there is a security vulnerability with the local certificate authority in the ASA running 8.3 code. I've looked through the security advisories and haven't been able to find anything about this. Was this just misquote or am I missing the security advisory release?
View 1 Replies
View Related
Aug 16, 2012
How do I, if I even can, adjust the MAC table timeout from 5 minutes to whatever is bigger and allowable?
I would like to also like to change the ARP table timeout as well.
View 4 Replies
View Related
Jan 16, 2011
I know there has already been a couple of threads on this but rather than add my question to the bottom of one of those I thought I would try afresh.
We have an 857W connected to the internet via ADSL. All works very well, however if I ping from an attached PC the first one always times out. If i ping from the router (ping { URL}source 192.168.18.1) I get !!!!! every time. Back to the PC and 'Request timed out' on the first.
The only way I have been able to resolve this is by using no ip cef. It then works as expected, first ping and all. The problem is after much reading, it is not ideal to disable cef.
View 21 Replies
View Related
Apr 19, 2011
I have a D-Link DIR-825.B1, which I've recently updated to the 2.04EU firmware. The update fixed some IPv6 problems I've had, but introduced an IPv4 problem instead: TCP NATs have a rediculesly low timeout of 60 seconds, which makes the router useless for most protocols.How do I set the NAT timeout for TCP connections?
View 4 Replies
View Related
Aug 1, 2011
If any authenticated user uses protocol other than (http, https) within timeout period, that user #is deuthenticated
View 1 Replies
View Related
Sep 7, 2011
I have several devices on the same subnet and with similar configuration. All of them were entered manually on the ACS server and are configured to authenticate using TACACS+. Some of the devices can authenticate ok, but other will timeout. I did a tcpdump on the firewall port and can see the device sending the SYN to the ACS server but the server sends no reply to the device.
View 3 Replies
View Related