*** Cisco ASA URGENT Proactive Customer Notification ***

Started by icecream-guy, March 31, 2017, 06:26:30 AM


icecream-guy

Cisco has identified a software anomaly in the following ASA codes.  After reaching an uptime of roughly 213 days, the affected devices will fail to process ARP packets resulting in a loss of connectivity to and from the ASA.  Despite this issue, console access will still be functional.
 
ASA codes affected include:
•   9.7(1) or later
•   9.6(2.1) or later
•   9.5(3) or later
•   9.4(4) or later
•   9.4(3.5) or later
•   9.2(4.15) or later
•   9.1(7.8) or later

Additional symptoms include:
•   ASA does not have ARP entries in its ARP table. "show arp" is empty
•   The output of "show asp drop" and ASP drop captures indicate a rapidly increasing counter for "punt-rate-limit exceeded" and the dropped packets are predominantly ARP

Workarounds
For ASA 9.7.1 or above, use the command arp rate-limit <value> to reconfigure the ARP rate limiter before approaching 213 days of operation. The reconfiguration will reset the ARP rate limiter and extend the up time by another 5120 hours.

For ASAs before 9.7.1, the arp rate-limit <value> command does not exist. A planned reboot of the device before approaching 213 days of operation is needed.

https://blogs.cisco.com/security/urgent-proactive-customer-notification-asa
:professorcat:

My Moral Fibers have been cut.
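An added monitoring check (example code, not from the post, the Cisco notification or any Cisco tool) that reads constructed "show version" and "show asp drop" samples, flags a device that is near the 213-day mark or already dropping ARP on the punt rate limiter, and picks the workaround the notification gives for its code train. The exact output formats and the punt-counter alert threshold are assumptions.

```python
import re

# From the Cisco notification: ARP processing stops at roughly 213 days of uptime.
ARP_FAILURE_DAYS = 213
# Assumed alert threshold for growth of the punt-rate-limit counter between two samples;
# the notification only says the counter rises "rapidly" and gives no number.
PUNT_DELTA_ALERT = 10_000

# Constructed sample output (not a real capture). The uptime line follows the
# "<hostname> up N days M hours" form of "show version"; the counter line mimics "show asp drop".
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.6(2.1)\n"
    "fw-edge-01 up 201 days 6 hours\n"
)
SAMPLE_ASP_DROP_T0 = "  Punt rate limit exceeded (punt-rate-limit)           1043\n"
SAMPLE_ASP_DROP_T1 = "  Punt rate limit exceeded (punt-rate-limit)         981774\n"


def parse_uptime_days(show_version: str) -> int:
    """Whole days of uptime; 'up 6 hours' (no day field) counts as 0 days."""
    m = re.search(r"\bup\s+(?:(\d+)\s+days?)?", show_version)
    if not m:
        raise ValueError("no uptime line found")
    return int(m.group(1) or 0)


def parse_version(show_version: str) -> tuple:
    """(major, minor, build, interim) from e.g. 'Version 9.6(2.1)'; interim defaults to 0."""
    m = re.search(r"Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", show_version)
    if not m:
        raise ValueError("no ASA version found")
    return tuple(int(x or 0) for x in m.groups())


def punt_rate_limit_count(asp_drop: str) -> int:
    """Read the punt-rate-limit drop counter from 'show asp drop' output (0 if absent)."""
    m = re.search(r"\(punt-rate-limit\)\s+(\d+)", asp_drop)
    return int(m.group(1)) if m else 0


def assess(show_version: str, asp_before: str, asp_after: str, margin_days: int = 14) -> dict:
    """Flag a device near 213 days or already showing the ARP-drop symptom, and choose the workaround."""
    days_up = parse_uptime_days(show_version)
    punt_delta = punt_rate_limit_count(asp_after) - punt_rate_limit_count(asp_before)
    if parse_version(show_version)[:2] >= (9, 7):  # 9.7.1+ can reset the limiter in place
        action = "reconfigure 'arp rate-limit <value>' to reset the limiter (+5120 hours)"
    else:                                           # older trains need a planned reboot
        action = "schedule a planned reboot before 213 days of uptime"
    return {"days_up": days_up, "days_left": ARP_FAILURE_DAYS - days_up,
            "approaching": days_up >= ARP_FAILURE_DAYS - margin_days,
            "symptom_present": punt_delta >= PUNT_DELTA_ALERT, "recommended_action": action}
```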

deanwebb

:itcrowd:

Do that ^ to your ASA every 212 days... niiiiiiiiiice...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Hahaha srsly? I was reading your post waiting for the punch line. In my head I'm going "naaah shutt upppp  :XD: "

Better plan a reload of my ASAX 9.7, then.

I'm still waiting to work with a dev to do a reproduce and collect logs for another issue, though.

deanwebb

We were having this very issue on our network... we were planning an upgrade of ASA code, now we're seeing if a downgrade is going to do the trick...

icecream-guy

Nothing over 163 days here, but just to be safe the customer wants us to reboot all firewalls (even those with < 60 days).
As requested, I'm working on a list of applications that go through each firewall so management can get a heads up.

:'( on that last part

deanwebb

We're getting application lists, albeit for different reasons.

Some apps are soooooooooooooooo old, nobody knows if they're still running, or if they're one of those once-a-year apps that go with an annual report or something like that.

icecream-guy

Quote from: deanwebb on March 31, 2017, 12:15:06 PM
We're getting application lists, albeit for different reasons.

Some apps are soooooooooooooooo old, nobody knows if they're still running, or if they're one of those once-a-year apps that go with an annual report or something like that.

Q: is there a tool that does this? I know NetScout is good at identifying apps, but they need to be defined first, based on port/protocol.

deanwebb

Quote from: ristau5741 on April 01, 2017, 05:32:16 PM
Quote from: deanwebb on March 31, 2017, 12:15:06 PM
We're getting application lists, albeit for different reasons.

Some apps are soooooooooooooooo old, nobody knows if they're still running, or if they're one of those once-a-year apps that go with an annual report or something like that.

Q: is there a tool that does this? I know NetScout is good at identifying apps, but they need to be defined first, based on port/protocol.

There are tools for identifying active apps, but some apps are hard to tell if they're still active or inactive. And so many run on port TCP 80/443... a lot of it is in doing investigation work, and that usually means more shoe leather and talking involved than packet captures and header examinations.