ibarrere
Cisco Inferno
Posts:
10278
Joined:
Mon Jul 10, 2006 12:58 am

ASA received large packet

Thu Jan 13, 2011 8:13 am

I've got a lot of these messages in my logs from SVC users:

Code:
Jan 13 2011 04:53:05: %ASA-3-722035: Group <LOCKDOWN> User <user> IP <x.x.x.x> Received large packet 1410 (threshold 1406).


They only seem to happen for the policy that doesn't allow split-tunneling, and it only seems to be two users. Every packet received is 1410 bytes too. Anybody seen this before?

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: ASA received large packet

Thu Jan 13, 2011 8:17 am

Never seen it - might be worth hitting up the ASA packet-capture command line function and taking a look to see if anything jumps out at you?
http://www.cisco.com/en/US/docs/securit ... #wp2108895

ibarrere
Cisco Inferno
Posts:
10278
Joined:
Mon Jul 10, 2006 12:58 am

Re: ASA received large packet

Thu Jan 13, 2011 8:41 am

I was thinking about it... but that sounded like a lot of work. :)

ristau5741
Post Whore
Posts:
9962
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: ASA received large packet

Thu Jan 13, 2011 9:13 am

ibarrere wrote: I was thinking about it... but that sounded like a lot of work. :)


Isn't that what we get paid for?

reaper
Senior Member
Posts:
350
Joined:
Sat May 06, 2006 4:00 pm
Certs:
CCIE #37149 , CCNP, CCDA

Re: ASA received large packet

Thu Jan 13, 2011 9:17 am

Seems weird that 1410 would trigger such a message, 1500 should be allowed (1460 payload if IP and TCP). Try sending some large packets with DF set and see what happens.
http://lostintransit.se

javentre
Post Whore
Posts:
1872
Joined:
Fri Jul 09, 2010 7:38 pm

Re: ASA received large packet

Thu Jan 13, 2011 9:28 am

reaper wrote: Seems weird that 1410 would trigger such a message, 1500 should be allowed (1460 payload if IP and TCP). Try sending some large packets with DF set and see what happens.


He's probably running crypto.
http://networking.ventrefamily.com

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: ASA received large packet

Thu Jan 13, 2011 9:28 am

Having mulled it over for a few minutes, I've still got no real answer, but you'd figure that there needs to be a certain space in the packet for header information; is there an options field that's coming into play, causing the header to go over-length and thus causing the packet to exceed the threshold by a predictable 4 bytes?

Ristau: you've burst my sense of entitlement.

ibarrere
Cisco Inferno
Posts:
10278
Joined:
Mon Jul 10, 2006 12:58 am

Re: ASA received large packet

Thu Jan 13, 2011 10:25 am

I should run a capture to get any further information on this... stupid ASAs though, the access-list functionality in captures only works a fraction of the time.

dieselboy
Post Whore
Posts:
2670
Joined:
Tue Aug 05, 2008 6:36 am
Certs:
CCNP, CCNA Voice, SMB Select, Linux+

Re: ASA received large packet

Mon Jan 17, 2011 6:59 am

ibarrere wrote: I should run a capture to get any further information on this... stupid ASAs though, the access-list functionality in captures only works a fraction of the time.


I love the capture functionality. The ACL took some understanding before I could apply it properly though; you have to remember to specify both directions in the ACL if you are going to be specific, otherwise you will just capture one side of the traffic flow.
Once you have some packets, export them to Wireshark, even while the buffer is filling, in case it didn't capture what you require. Don't know why, but I love doing this. Wireshark & ASA packet captures are the dog's danglies. I am very glad Cisco routers now have this functionality, although slightly saddened the buffer limit is almost too small :(
Sometimes, I sit with my headphones on without playing music.
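The capture workflow dieselboy describes, written out as an added example (this is not configuration from anyone in the thread). It pins the capture to one SVC user's traffic with an ACL that names both directions of the flow, which is the gotcha he mentions, then exports the buffer to a pcap for Wireshark. The ACL and capture names and all addresses are constructed placeholders: 192.0.2.10 stands for the address the ASA assigned to the SVC client from the VPN pool, 198.51.100.20 for the internal host it is talking to, and 203.0.113.5 for a TFTP server.

```text
! Added example, not from the original thread. All names and addresses are placeholders.
! One ACL entry per direction: the capture's access-list filter is not symmetric,
! so a single client->server line only records one half of the conversation.
access-list SVC_CAP extended permit ip host 192.0.2.10 host 198.51.100.20
access-list SVC_CAP extended permit ip host 198.51.100.20 host 192.0.2.10

! Capture on the interface where the decrypted SVC traffic is forwarded (inside here).
! packet-length 1522 keeps whole frames so the 1410-byte packets from the 722035
! message are not truncated; buffer is in bytes.
capture SVC_CAP access-list SVC_CAP interface inside buffer 2000000 packet-length 1522

! Sanity-check that both directions are actually being recorded before waiting long.
show capture SVC_CAP

! Export the buffer in pcap format for Wireshark; safe to run while the buffer is still filling.
copy /pcap capture:SVC_CAP tftp://203.0.113.5/svc_cap.pcap

! Clean up when done: drop the capture and the scratch ACL.
no capture SVC_CAP
clear configure access-list SVC_CAP
```

If no TFTP server is handy, the same buffer can be pulled over HTTPS from the ASA's management interface at `https://<asa>/admin/capture/SVC_CAP/pcap` (ASDM HTTP server must be enabled). Verify with `show capture SVC_CAP` that packets show up in both directions before concluding the ACL is not matching; a capture that only ever shows one direction is almost always the missing reverse ACL line rather than a capture bug.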

ibarrere
Cisco Inferno
Posts:
10278
Joined:
Mon Jul 10, 2006 12:58 am

Re: ASA received large packet

Tue Jan 18, 2011 7:15 pm

Applying an access-list hardly ever works for me, for whatever reason. I know to match on both directions and stuff like that, but it still rarely works for me. But yeah, it's rad when it does work.

dieselboy
Post Whore
Posts:
2670
Joined:
Tue Aug 05, 2008 6:36 am
Certs:
CCNP, CCNA Voice, SMB Select, Linux+

Re: ASA received large packet

Mon Apr 04, 2011 11:31 am

Funny. I'm now getting this on my ASA running 8.3.
Sometimes, I sit with my headphones on without playing music.

ibarrere
Cisco Inferno
Posts:
10278
Joined:
Mon Jul 10, 2006 12:58 am

Re: ASA received large packet

Mon Apr 04, 2011 11:55 am

Hmmm... interesting. I still get it on 8.4(1), so maybe it affects all versions 8.3 and higher.

dieselboy
Post Whore
Posts:
2670
Joined:
Tue Aug 05, 2008 6:36 am
Certs:
CCNP, CCNA Voice, SMB Select, Linux+

Re: ASA received large packet

Mon Apr 11, 2011 9:04 am

I did some Googling (with Bing) and found it to be some incompatibility with SVC. I didn't bother with it too much as I'm not getting any complaints, but the ASA must be dropping that traffic.
Sometimes, I sit with my headphones on without playing music.

ibarrere
Cisco Inferno
Posts:
10278
Joined:
Mon Jul 10, 2006 12:58 am

Re: ASA received large packet

Mon Apr 11, 2011 11:47 am

Good to know. I've never gotten any complaints about it either, but it's just annoying because it spams my logs like crazy. Maybe I'll raise the level of that message to trim it out.
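Added example of what "raising the level" of the message looks like on the ASA CLI (not configuration from anyone in the thread). The message is logged at severity 3 (errors) by default, as the `%ASA-3-722035` prefix shows; re-leveling it to informational (6) means a trap or buffer level of `errors` no longer carries it. The rate-limit form is included as the alternative that keeps a trace of the drops without flooding the log; the numbers in it are constructed.

```text
! Added example, not from the original thread.
! Show the current severity of the message (severity 3 by default, per the log prefix).
show logging message 722035

! Option 1: re-level the message to informational (6). Collectors receiving only
! "errors" and above will then stop seeing it, but the ASA is still dropping the packets.
logging message 722035 level informational

! Option 2: keep the message at its original severity but cap it at one line per
! 60 seconds, so the drop condition stays visible without the flood.
logging rate-limit 1 60 message 722035

! Option 3: disable the message entirely (nothing about the condition is recorded).
no logging message 722035

! Confirm the result.
show logging message 722035
```

Since dieselboy's post above points out that the ASA must be dropping the oversized SVC packets, option 2 is the one that keeps evidence of the drop while still trimming the log spam; options 1 and 3 make the symptom disappear from the log but not from the tunnel.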
