Flooded with 106006

Started by deanwebb, January 27, 2015, 04:26:38 PM


deanwebb

ASA 5585, 9.1(3)
Log is flooded with Critical 106006, source IP is one of the IPs of the inside interface of the perimeter firewall, the destination IP is the Tufin monitoring box. Traffic that the ASA is throwing a fit over is UDP 514, syslog traffic. The perimeter firewall is in an active/passive HA cluster, and it's the passive member that's throwing all the poo at the ASA, which manages the connection from the perimeter firewall to the rest of the network.

I see some stuff online about getting flooded with 106006 messages, but nothing really concrete for a resolution... might bounce the secondary, but, well... I dunno? :o

Thoughts?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
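A small triage helper for this kind of flood, added here as an example (not code from the thread or from Cisco): it parses ASA 106006 lines in their documented format and counts denies per flow, so a standby firewall hammering the monitoring box on UDP/514 stands out from the rest of the log. The hostname and addresses in the sample lines are constructed placeholders.

```python
import re
from collections import Counter

# Documented ASA 106006 format:
#   %ASA-2-106006: Deny inbound UDP from SRC/PORT to DST/PORT on interface NAME
# Whatever precedes "%ASA" (timestamp, hostname) depends on the syslog setup, so we search, not match.
ASA_106006 = re.compile(
    r"%ASA-\d-106006: Deny inbound (?P<proto>\w+) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)


def parse_106006(line):
    """Return the denied flow's fields as a dict, or None for any other message ID."""
    m = ASA_106006.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count 106006 denies per (src, dst, proto, dport, iface) so a single noisy talker stands out."""
    flows = Counter()
    for line in lines:
        rec = parse_106006(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["proto"], rec["dport"], rec["iface"])] += 1
    return flows


def flood_sources(lines, threshold):
    """Return [(flow, count)] for flows seen at least `threshold` times, noisiest first."""
    return [(k, c) for k, c in summarize(lines).most_common() if c >= threshold]


# Constructed sample lines (placeholder host/addresses): a standby firewall repeatedly denied
# sending syslog to a monitoring box, one unrelated SNMP deny, and one 106023 (ACL deny) line
# that must be ignored because it is a different message ID.
SAMPLE = [
    "Jan 27 2015 16:26:38 asa-core %ASA-2-106006: Deny inbound UDP from 192.0.2.11/514 to 198.51.100.20/514 on interface inside",
    "Jan 27 2015 16:26:38 asa-core %ASA-2-106006: Deny inbound UDP from 192.0.2.11/514 to 198.51.100.20/514 on interface inside",
    "Jan 27 2015 16:26:39 asa-core %ASA-2-106006: Deny inbound UDP from 192.0.2.30/55000 to 198.51.100.40/161 on interface inside",
    "Jan 27 2015 16:26:39 asa-core %ASA-2-106006: Deny inbound UDP from 192.0.2.11/514 to 198.51.100.20/514 on interface inside",
    "Jan 27 2015 16:26:40 asa-core %ASA-4-106023: Deny udp src inside:192.0.2.11/514 dst dmz:198.51.100.20/514 by access-group \"inside_in\"",
    "Jan 27 2015 16:26:40 asa-core %ASA-2-106006: Deny inbound UDP from 192.0.2.11/514 to 198.51.100.20/514 on interface inside",
]

if __name__ == "__main__":
    for (src, dst, proto, dport, iface), count in flood_sources(SAMPLE, threshold=3):
        print(f"{count:6d}  {proto} {src} -> {dst}/{dport} on {iface}")
```

Feed it the real syslog export instead of SAMPLE; if one source/destination pair dominates the way the standby member does in this thread, that is the device to look at first.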

deanwebb

Stopping/starting syslog output reduced the flood, but I'm still seeing those criticals, now I see them for other UDP traffic that crosses the firewall, as well. There is a rule to permit that traffic, by the way, and it has flowed normally in the past.

killabee

Is there a permit flow connection limit you're hitting, causing subsequent permits to be denied?

Is the standby perimeter firewall having issues, and that's why it's generating that much traffic, or is the amount of syslog traffic it's generating normal?

deanwebb

It definitely was partly a firewall issue, since the switching off/on business took the number of alerts down from AVALAAAAANCHE!!! to a pair every few seconds. But I still see them and the firewall that used to be able to send syslogs to the Tufin box no longer does that. Tufin still gets its updates via SSH, but I am not seeing UDP go across that intermediary firewall.