PaulDotCom mailing list archives

Re: Nessus Scans killing ASA 5505


From: "Butturini, Russell" <Russell.Butturini () Healthways com>
Date: Thu, 21 Jul 2011 13:00:41 -0500

What's the software version on the 5505? 

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Paul Asadoorian
Sent: Thursday, July 21, 2011 12:58 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Nessus Scans killing ASA 5505

Hi Ron,

Just a couple of things I noticed:

1) Try switching to a TCP scan instead of a SYN scan; it will be a little slower but may cause fewer problems with the firewall.

2) Your max checks per host and max hosts per scan are set really high; this is likely the reason the firewall is spiking CPU. Try tuning these back (start with 5 hosts at a time and 10 checks per host).

3) Feel free to open a support ticket and the fine folks at Tenable support can assist you further.

Thanks!

Cheers,
Paul

On 7/21/11 12:02 PM, Ron Henry wrote:
This problem is probably due to my current gateway not being able to 
keep up, but here goes.

I'm scanning 10 or so /24s as part of a vuln assessment. I'm running 
4.4.1. The scan, using the following scan policy, brings the ASA 5505 
to its knees. CPU utilization goes to 98% and stays there until the 
device eventually locks up. I'm honestly probably at the point where I 
just need to move to a beefier firewall, but I figured I would run it by 
you guys first.

There are no complicated firewall rules in place and threat detection 
is disabled.


The scan policy can be viewed at
http://www.ciphermonk.net/photos/scan_policy.png

Thanks for your help.

- Ron Henry (dijital1)

Website: http://www.ciphermonk.net
Email: rlh () ciphermonk net
Twitter: http://twitter.com/dijital1
LinkedIn: http://www.linkedin.com/in/dijital1




_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552
Fax: 1.877.846.2187



