Cisco Bug: CSCvh86252 - Change the blacklist flow timeout inline with snort timeout

Last Modified

Aug 16, 2019

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.7(1.5)

Description (partial)

Symptom:
When a connection is blacklisted by Snort, Lina retains the connection until that connection's idle timeout expires, rather than removing it when the BLACKLIST verdict is returned.

Conditions:
Have a connection blacklisted by Snort:

• System support trace:
192.168.91.184-123 - 192.168.23.143-123 17 Packet: UDP
192.168.91.184-123 - 192.168.23.143-123 17 Session: new snort session
192.168.91.184-123 - 192.168.23.143-123 17 AppID: service NTP (767), application unknown (0)
192.168.91.184-123 > 192.168.23.143-123 17 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.91.184-123 > 192.168.23.143-123 17 Firewall: block rule, 'Default Action', drop
192.168.91.184-123 > 192.168.23.143-123 17 Snort: processed decoder alerts or actions queue, drop
192.168.91.184-123 > 192.168.23.143-123 17 Snort id 1, NAP id 1, IPS id 0, Verdict BLACKLIST
192.168.91.184-123 > 192.168.23.143-123 17 ===> Blocked by Firewall
Verdict reason is sent to DAQ

192.168.91.185-123 > 192.168.23.143-123 17 AS 1 I 1 deleting firewall session   <--- the session is deleted only after the UDP timeout is reached.


From the Lina side:
• show conn shows the connection reaching the 2-minute UDP idle timeout and only then being deleted:

show conn

1 in use, 5 most used

UDP outside_wan  192.168.91.183:123 inside_lan  192.168.23.143:123, idle 0:02:01, bytes 0, flags ? N

show conn

0 in use, 5 most used
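As an added example (not part of the bug record and not Cisco tooling), the following Python script correlates a saved system support trace with show conn output to list flows that Snort has blacklisted but that Lina still holds in its connection table, together with how long each has been idle. The sample trace and show conn lines are constructed to mirror the ones above, with the same source address on both sides so they actually correlate; the 120-second figure is the ASA default UDP idle timeout. All function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# IP protocol numbers as printed in the trace, mapped to the names show conn uses.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# ASA default "timeout udp 0:02:00"; a blacklisted UDP flow lingers this long.
UDP_IDLE_TIMEOUT_SECONDS = 120

# "192.168.91.184-123 > 192.168.23.143-123 17 Snort id 1, ... Verdict BLACKLIST"
TRACE_LINE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)-(?P<sport>\d+) [->] "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)-(?P<dport>\d+) (?P<proto>\d+) (?P<rest>.*)$"
)
VERDICT = re.compile(r"\bVerdict (?P<verdict>[A-Z_]+)")

# "UDP outside_wan  192.168.91.184:123 inside_lan  192.168.23.143:123, idle 0:02:01, bytes 0, flags ..."
CONN_LINE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<in_if>\S+)\s+(?P<a>\d+\.\d+\.\d+\.\d+):(?P<aport>\d+)"
    r"\s+(?P<out_if>\S+)\s+(?P<b>\d+\.\d+\.\d+\.\d+):(?P<bport>\d+),"
    r"\s+idle (?P<h>\d+):(?P<m>\d+):(?P<s>\d+),\s+bytes (?P<bytes>\d+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    a: str
    aport: int
    b: str
    bport: int

    def reverse(self):
        return Flow(self.proto, self.b, self.bport, self.a, self.aport)


def parse_trace_verdicts(text):
    """Return {Flow: verdict} for every trace line that carries a Snort verdict."""
    verdicts = {}
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if not m:
            continue
        v = VERDICT.search(m.group("rest"))
        if not v:
            continue  # Packet/Session/AppID/Firewall lines carry no verdict
        proto = PROTO_NAMES.get(int(m.group("proto")), m.group("proto"))
        flow = Flow(proto, m.group("src"), int(m.group("sport")),
                    m.group("dst"), int(m.group("dport")))
        verdicts[flow] = v.group("verdict")
    return verdicts


def parse_show_conn(text):
    """Return {Flow: idle_seconds} for each connection line in show conn output."""
    conns = {}
    for line in text.splitlines():
        m = CONN_LINE.match(line.strip())
        if not m:
            continue  # "N in use, M most used" header and anything else is skipped
        flow = Flow(m.group("proto"), m.group("a"), int(m.group("aport")),
                    m.group("b"), int(m.group("bport")))
        conns[flow] = int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s"))
    return conns


def lingering_blacklisted(trace_text, conn_text):
    """Flows Snort blacklisted that Lina still holds, as (Flow, idle_seconds).
    A conn is matched in either direction, since show conn prints the direction it was built in."""
    verdicts = parse_trace_verdicts(trace_text)
    conns = parse_show_conn(conn_text)
    found = []
    for flow, verdict in verdicts.items():
        if verdict != "BLACKLIST":
            continue
        for candidate in (flow, flow.reverse()):
            if candidate in conns:
                found.append((flow, conns[candidate]))
                break
    return found


# Constructed sample input modelled on the bug's trace and show conn output.
SAMPLE_TRACE = """\
192.168.91.184-123 - 192.168.23.143-123 17 Packet: UDP
192.168.91.184-123 - 192.168.23.143-123 17 Session: new snort session
192.168.91.184-123 > 192.168.23.143-123 17 Firewall: block rule, 'Default Action', drop
192.168.91.184-123 > 192.168.23.143-123 17 Snort id 1, NAP id 1, IPS id 0, Verdict BLACKLIST
Verdict reason is sent to DAQ
"""
SAMPLE_SHOW_CONN_BEFORE = """\
1 in use, 5 most used
UDP outside_wan  192.168.91.184:123 inside_lan  192.168.23.143:123, idle 0:02:01, bytes 0, flags ? N
"""
SAMPLE_SHOW_CONN_AFTER = "0 in use, 5 most used\n"

if __name__ == "__main__":
    for flow, idle in lingering_blacklisted(SAMPLE_TRACE, SAMPLE_SHOW_CONN_BEFORE):
        over = "at/over" if idle >= UDP_IDLE_TIMEOUT_SECONDS else "under"
        print(f"{flow.proto} {flow.a}:{flow.aport} -> {flow.b}:{flow.bport} "
              f"blacklisted, still in conn table, idle {idle}s ({over} UDP timeout)")
```

Run it against a trace captured with system support trace and a show conn taken at the same time; any flow it reports is one Lina kept past Snort's BLACKLIST verdict, and an idle value near the configured UDP timeout indicates the connection survived until the timeout rather than being torn down by the verdict.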