Monday, May 6, 2013

Cisco ASA and software development

I ran into something interesting with my Cisco and the latest code set that's running on my ASA5505. It started with a script that I have running via cron and with "expect". The script issues a "show inventory" command. My ASA started rebooting and I had problems figuring out what the issue was.

My unit seems to crash upon execution of the script, and it took me a while to narrow down the culprit as being the execution of a "show cmd".

Here's a "show version" of the victim (the ASA code version is in bold at the top)

 
asaken> show ver

Cisco Adaptive Security Appliance Software Version 9.1(1)4
Device Manager Version 7.1(2)

Compiled on Wed 13-Mar-13 07:45 by builders
System image file is "disk0:/asa911-4-k8.bin"
Config file at boot was "startup-config"

asaken up 2 mins 23 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is 001f.caf3.2111, irq 11
 1: Ext: Ethernet0/0         : address is 001f.caf3.2109, irq 255
 2: Ext: Ethernet0/1         : address is 001f.caf3.210a, irq 255
 3: Ext: Ethernet0/2         : address is 001f.caf3.210b, irq 255
 4: Ext: Ethernet0/3         : address is 001f.caf3.210c, irq 255
 5: Ext: Ethernet0/4         : address is 001f.caf3.210d, irq 255
 6: Ext: Ethernet0/5         : address is 001f.caf3.210e, irq 255
 7: Ext: Ethernet0/6         : address is 001f.caf3.210f, irq 255
 8: Ext: Ethernet0/7         : address is 001f.caf3.2110, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1215Z145
Running Permanent Activation Key: 0x65285667 0x9c212c13 0x7c505978 0xbaecc4d4 0xc231aa90
Configuration register is 0x1
Configuration has not been modified since last system restart.
asaken> en
Password: *************


And here are the "show inventory" command options; if you specify a slot it works, but if you don't, it crashes and burns. (God, you have to love software developers nowadays.)


 
I'm going to downgrade back one rev to see if the problem still exists. Nothing interesting flashed on the console or log, with the exception of an ssh cpu task that ran for xxxxx msec.

The ASA just plain hangs, and then reboots. Nice!

Ken Felix
Freelance Security/Network Engineer
kfelix ---a-t--- hyperfeed ---d-o-t-com
