Cisco ASA Port Number Reuse
So our client is using a Cisco ASA and they are having occasional "Page cannot be displayed" errors. We have determined through lots of troubleshooting that our firewall doesn't like the ASA reusing port numbers within ~2-4 minutes' time with a sequence number that is lower.
We know you can change the ASA to not randomize sequence numbers, but is it possible to have the ASA not use the same port within a certain amount of time?
Note: We are working with our Firewall Vendor to see if we can get around it on our end instead of theirs.
Thanks,
- Vince
networking cisco port
asked Jun 29 '11 at 14:43 by VinceM
If you have additional Internet facing IPs, have you considered adding additional IPs to the NAT pool?
– user48838
Jun 29 '11 at 14:52
What model ASA? Have you checked the connection count on the asa when it happens (sh conn)?
– HampusLi
Jun 30 '11 at 8:49
We do have a number of IPs but the only way that changes things is if we make our client use multiple IPs right? Which isn't fun to do. Unless you have a different idea...
– VinceM
Jul 1 '11 at 12:25
HampusLi - I'm not sure the model of ASA since it's our client's. They are a big enough company that I wouldn't be able to tinker with their firewall. I could pass on the info to their guys, which would probably take 2 years to get any info back.
– VinceM
Jul 1 '11 at 12:27
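To confirm the pattern the asker describes (the same translated source port reused within a few minutes with a lower initial sequence number), here is an added detection script that is not part of the post; the log format, addresses and sequence numbers are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample of outbound SYNs in a simple key=value flow-log format
# (invented for this example, not from the post or from any vendor's log format).
SAMPLE_LOG = """\
ts=0 src=203.0.113.10 sport=40000 dst=198.51.100.5 dport=80 flags=S seq=3000000000
ts=30 src=203.0.113.10 sport=40001 dst=198.51.100.5 dport=80 flags=S seq=1200000000
ts=45 src=203.0.113.10 sport=40000 dst=198.51.100.5 dport=80 flags=A seq=3000000412
ts=90 src=203.0.113.10 sport=40000 dst=198.51.100.5 dport=80 flags=S seq=2500000000
ts=100 src=203.0.113.10 sport=40001 dst=198.51.100.5 dport=80 flags=S seq=1900000000
ts=400 src=203.0.113.10 sport=40000 dst=198.51.100.5 dport=80 flags=S seq=1000000000
"""

Syn = namedtuple("Syn", "ts src sport dst dport seq")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_syns(text):
    """Keep only SYNs: the packets that create NAT and firewall connection state."""
    out = []
    for line in text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("flags") == "S":
            out.append(Syn(int(f["ts"]), f["src"], int(f["sport"]),
                           f["dst"], int(f["dport"]), int(f["seq"])))
    return out

def find_suspect_reuse(syns, window=240):
    """Flag a 5-tuple reused within `window` seconds whose new ISN is lower than
    the previous one, i.e. a new SYN that a stateful firewall still holding the
    old connection may treat as out of window and drop. ISNs are compared as
    plain integers, matching the 'lower' in the question."""
    last, hits = {}, []
    for s in sorted(syns, key=lambda x: x.ts):
        key = (s.src, s.sport, s.dst, s.dport)
        prev = last.get(key)
        if prev and s.ts - prev.ts <= window and s.seq < prev.seq:
            hits.append({"port": s.sport, "gap_s": s.ts - prev.ts,
                         "prev_seq": prev.seq, "new_seq": s.seq})
        last[key] = s
    return hits

if __name__ == "__main__":
    for h in find_suspect_reuse(parse_syns(SAMPLE_LOG)):
        print(f"port {h['port']} reused after {h['gap_s']}s with ISN "
              f"{h['new_seq']} < {h['prev_seq']}")
```

Widening `window` to the actual state timeout of the receiving firewall shows which reuses fall inside it and which are harmless.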
1 Answer
You'd be better allowing/keeping the port randomisation, otherwise you could fall into a sequence number attack based on MITM etc. Not good. Are you using a strange firewall on your end? I've never seen anything like this on web services with an ASA on the front door.
answered Jun 29 '11 at 15:14 by ASAUser
Yeah I did see that that was a risk. Our firewall is made by Watchguard. We probably wouldn't want to ask our client to modify their firewall to turn off port/sequence number randomization. It would be better if we can force the ASA to not re-use port numbers within a few minutes.
– VinceM
Jul 1 '11 at 12:23