Cisco Bug: CSCur10595 - ASA cut-through proxy limiting authentication attempts from user
Apr 16, 2020
- Cisco ASA 5500-X Series Firewalls
Symptom: We need a way to limit cut-through proxy authentication attempts from the same IP address within a given period of time. Currently the only control is the "aaa proxy-limit" command, which limits the number of concurrent authentication attempts (at the same time) for a given IP address, not the rate of attempts over time.

Conditions: Modern browsers can send up to 40 SSL handshake messages per second if, during authentication, an unauthenticated user presses and holds the F5 key. RSA is one of the most CPU-intensive processes on the ASA. Even with the smallest RSA key (512 bit), RSA processing can cause high CPU on low-end ASA models such as the ASA5505, because many RSA operations are executed simultaneously.