Networking-Forums.com

Professional Discussions => Security => Topic started by: icecream-guy on March 31, 2017, 06:26:30 AM

Title: *** Cisco ASA URGENT Proactive Customer Notification ***
Post by: icecream-guy on March 31, 2017, 06:26:30 AM
Cisco has identified a software anomaly in the following ASA codes.  After reaching an uptime of roughly 213 days, the affected devices will fail to process ARP packets resulting in a loss of connectivity to and from the ASA.  Despite this issue, console access will still be functional.
 
ASA codes affected include:
•   9.7(1) or later
•   9.6(2.1) or later
•   9.5(3) or later
•   9.4(4) or later
•   9.4(3.5) or later
•   9.2(4.15) or later
•   9.1(7.8) or later

Additional symptoms include:
•   ASA does not have ARP entries in its ARP table. "show arp" is empty
•   The output of "show asp drop" and ASP drop captures indicate a rapidly increasing counter for "punt-rate-limit exceeded" and the dropped packets are predominantly ARP

Workarounds
For ASA 9.7.1 or above, use the command arp rate-limit <value> to reconfigure the ARP rate limiter before approaching 213 days of operation. The reconfiguration will reset the ARP rate limiter and extend the up time by another 5120 hours.

For ASAs before 9.7.1, the arp rate-limit <value> command does not exist. A planned reboot of the device before approaching 213 days of operation is needed.

https://blogs.cisco.com/security/urgent-proactive-customer-notification-asa
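An added example (not part of the Cisco notification or this thread) that turns the figures above into a check: it reads the uptime line of "show version" against the 5120-hour limit and looks for the two listed symptoms in "show arp" and "show asp drop" output. The sample device output, the uptime line format and the one-week warning margin are assumptions.

```python
import re

# Figures from the Cisco notification quoted above: the ARP rate limiter fails
# after roughly 213 days of uptime, and reconfiguring it buys another 5120 hours.
LIMIT_HOURS = 5120
WARN_HOURS = 7 * 24  # assumed maintenance margin: flag a week before the limit

# Matches the uptime line of 'show version', e.g. "ciscoasa up 208 days 7 hours"
# (line format assumed; the minutes group is accepted but ignored).
UPTIME_RE = re.compile(
    r"\bup\s+(?:(?P<days>\d+)\s+days?\s*)?(?:(?P<hours>\d+)\s+hours?\s*)?"
    r"(?:(?P<mins>\d+)\s+mins?)?", re.IGNORECASE)

def uptime_hours(show_version: str):
    """Return uptime in whole hours from 'show version' text, or None if absent."""
    for line in show_version.splitlines():
        m = UPTIME_RE.search(line)
        if m and any(m.group(g) for g in ("days", "hours", "mins")):
            return int(m.group("days") or 0) * 24 + int(m.group("hours") or 0)
    return None

def arp_limiter_status(show_version: str) -> str:
    """'ok', 'warn' (within WARN_HOURS of the limit), 'at-risk' or 'unknown'."""
    hours = uptime_hours(show_version)
    if hours is None:
        return "unknown"
    remaining = LIMIT_HOURS - hours
    if remaining <= 0:
        return "at-risk"
    return "warn" if remaining <= WARN_HOURS else "ok"

def punt_drops(show_asp_drop: str) -> int:
    """Counter for the 'punt-rate-limit exceeded' drop reason in 'show asp drop'."""
    for line in show_asp_drop.splitlines():
        m = re.search(r"punt.rate.limit exceeded.*?(\d+)\s*$", line, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return 0

def symptoms_present(show_arp: str, asp_drop_before: str, asp_drop_after: str) -> bool:
    """Both listed symptoms: empty ARP table (no header lines assumed) and a rising punt counter."""
    arp_empty = not show_arp.strip()
    return arp_empty and punt_drops(asp_drop_after) > punt_drops(asp_drop_before)

# Constructed sample output (not captured from a real device).
SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.6(2.1)\nciscoasa up 208 days 7 hours\n"
ASP_BEFORE = "  Punt rate limit exceeded (punt-rate-limit)      1000\n"
ASP_AFTER = "  Punt rate limit exceeded (punt-rate-limit)      48000\n"
```

Run `arp_limiter_status(SHOW_VERSION)` on each firewall's output and compare two "show asp drop" samples taken a few seconds apart with `symptoms_present`.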
Title: Re: *** Cisco ASA URGENT Proactive Customer Notification ***
Post by: deanwebb on March 31, 2017, 09:04:15 AM
:itcrowd:

Do that ^ to your ASA every 212 days... niiiiiiiiiice...
Title: Re: *** Cisco ASA URGENT Proactive Customer Notification ***
Post by: Dieselboy on March 31, 2017, 09:28:02 AM
Hahaha srsly? I was reading your post waiting for the punch line. In my head I'm going "naaah shutt upppp  :XD: "

Better plan a reload of my ASAX 9.7, then.

I'm still waiting to work with a dev to do a reproduce and collect logs for another issue, though.
Title: Re: *** Cisco ASA URGENT Proactive Customer Notification ***
Post by: deanwebb on March 31, 2017, 09:49:02 AM
We were having this very issue on our network... we were planning an upgrade of ASA code, now we're seeing if a downgrade is going to do the trick...
Title: Re: *** Cisco ASA URGENT Proactive Customer Notification ***
Post by: icecream-guy on March 31, 2017, 11:05:11 AM
Nothing over 163 days here, but just to be safe the customer wants us to reboot all firewalls (even those with < 60 days).
As requested, I'm working on a list of applications that go through each firewall so management can get a heads up.

:'( on that last part
Title: Re: *** Cisco ASA URGENT Proactive Customer Notification ***
Post by: deanwebb on March 31, 2017, 12:15:06 PM
We're getting application lists, albeit for different reasons.

Some apps are soooooooooooooooo old, nobody knows if they're still running, or if they're one of those once-a-year apps that go with an annual report or something like that.
Title: Re: *** Cisco ASA URGENT Proactive Customer Notification ***
Post by: icecream-guy on April 01, 2017, 05:32:16 PM
Quote from: deanwebb on March 31, 2017, 12:15:06 PM
We're getting application lists, albeit for different reasons.

Some apps are soooooooooooooooo old, nobody knows if they're still running, or if they're one of those once-a-year apps that go with an annual report or something like that.

Q: is there a tool that does this? I know NetScout is good at identifying apps, but they need to be defined first, based on port/protocol.
Title: Re: *** Cisco ASA URGENT Proactive Customer Notification ***
Post by: deanwebb on April 02, 2017, 01:22:01 PM
Quote from: ristau5741 on April 01, 2017, 05:32:16 PM
Quote from: deanwebb on March 31, 2017, 12:15:06 PM
We're getting application lists, albeit for different reasons.

Some apps are soooooooooooooooo old, nobody knows if they're still running, or if they're one of those once-a-year apps that go with an annual report or something like that.

Q: is there a tool that does this? I know NetScout is good at identifying apps, but they need to be defined first, based on port/protocol.

There are tools for identifying active apps, but some apps are hard to tell if they're still active or inactive. And so many run on port TCP 80/443... a lot of it is in doing investigation work, and that usually means more shoe leather and talking involved than packet captures and header examinations.