Cisco Bug: CSCur10595 - ASA cut-through proxy limiting authentication attempts from user

Last Modified

Nov 08, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(4)

Description (partial)

Symptom:
We need a way to limit cut-through proxy authentication attempts from the same IP address within a particular period of time. Currently we have only the "aaa proxy-limit" command, which limits the number of concurrent authentication attempts (those in progress at the same time) for a given IP address.

Conditions:
Modern browsers can send up to 40 SSL handshake messages per second if an unauthenticated user presses and holds the F5 button during authentication.

RSA is one of the most CPU-intensive processes on the ASA. Even with the smallest RSA key (512 bit), RSA processing can cause high CPU usage on low-end ASA models such as the ASA5505, as many RSA operations are executed simultaneously.
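
The gap between a concurrency cap and a per-period cap, as an added illustration that is not Cisco code and does not model ASA internals: a small simulation comparing the two policies on the traffic pattern described above. The cap of 16, the 100 ms handshake time, the 5-attempts-per-10-seconds policy and the addresses are constructed assumptions.

```python
from collections import defaultdict, deque

def concurrent_limit(events, cap, duration_ms):
    """Admit an attempt only if fewer than `cap` attempts from that IP are in flight."""
    in_flight = defaultdict(deque)   # ip -> finish times of admitted attempts
    admitted = defaultdict(int)
    for t, ip in sorted(events):
        q = in_flight[ip]
        while q and q[0] <= t:       # drop handshakes that already finished
            q.popleft()
        if len(q) < cap:
            q.append(t + duration_ms)
            admitted[ip] += 1
    return dict(admitted)

def windowed_limit(events, max_attempts, window_ms):
    """Admit an attempt only if fewer than `max_attempts` were admitted in the last window."""
    recent = defaultdict(deque)      # ip -> start times of admitted attempts
    admitted = defaultdict(int)
    for t, ip in sorted(events):
        q = recent[ip]
        while q and q[0] <= t - window_ms:   # forget attempts older than the window
            q.popleft()
        if len(q) < max_attempts:
            q.append(t)
            admitted[ip] += 1
    return dict(admitted)

# Constructed traffic (times in ms): one client holding F5 sends 40 handshakes
# per second for 5 seconds; a second client authenticates once.
FLOODER, NORMAL = "198.51.100.7", "203.0.113.9"
EVENTS = [(i * 25, FLOODER) for i in range(200)] + [(1000, NORMAL)]

def compare():
    by_concurrency = concurrent_limit(EVENTS, cap=16, duration_ms=100)
    by_window = windowed_limit(EVENTS, max_attempts=5, window_ms=10_000)
    return by_concurrency, by_window

if __name__ == "__main__":
    for name, result in zip(("concurrent cap", "per-period cap"), compare()):
        print(name, result)
```

Because each handshake finishes before many others start, the flooding client never has more than a few attempts in flight, so the concurrency cap admits every one of them, while the per-period cap holds that client to its budget and leaves the single legitimate attempt untouched.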