Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
723
Views
2
Helpful
6
Replies

Anyconnect username USERNAME

anthony.mchie
Level 1
Level 1

‎05-23-2023 12:47 PM

ASA version 9.14(4)7 | Anyconnect 4.10 | ISE 2.6

ISE is authenticating our Annyconnect Clients that connect via a Cisco ASA. We'll get hit with hundreds of connection attempts from questionable countries with the username USERNAME (or at least that's what ISE reports). Typically we'll lose the ability to service any new anyconnect sessions for about 15 minutes after. I created a local user USERNAME specifically to reject the attempts and when I try to authenticate it does just that. Then later, I see that rejection isn't working against this attack. Anyone else see this? Any working solutions?

Attached are events that represent when I tried to auth vs the attack. 

Preview file
386 KB
Preview file
718 KB
0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎05-23-2023 12:56 PM

@anthony.mchie best option would be to filter the traffic from those questionable countries before they even attempt to authenticate. You can do this with geolocation filtering on NGFW firewall placed in front of the ASA. You do have the option to use a control-plane ACL on the ASA itself, to restrict IP addresses initating traffic to the ASA.

What is causing the loss of service for 15 minutes, the ASA itself?

0 Helpful

anthony.mchie
Level 1
Level 1
In response to Rob Ingram

‎05-23-2023 01:18 PM

@Rob Ingram wrote:

@anthony.mchie best option would be to filter the traffic from those questionable countries before they even attempt to authenticate. You can do this with geolocation filtering on NGFW firewall placed in front of the ASA. You do have the option to use a control-plane ACL on the ASA itself, to restrict IP addresses initating traffic to the ASA.

What is causing the loss of service for 15 minutes, the ASA itself?

My answer would only be a guess since I don't see any logging events that clue me into the cause. 

Don't have an NGFW in front (unfortunately) so I'll have to find another way.

0 Helpful

MHM Cisco World
VIP
VIP

‎05-23-2023 01:12 PM

Use control-plane' 

Allow only vpn pool subnet access to ISE.

Note:- allow management IP if you use it with ISE.

0 Helpful

Arne Bier
VIP
VIP

‎05-23-2023 01:17 PM

Hi @anthony.mchie 

Not entirely sure how to protect your VPN from outside actors. I have seen some customers put their VPN on non-standard TCP ports. You don't have to run your SSL VPN on TCP/443. Choose a tricky port number like 50443 That will keep them guessing Of course you will need to tell your real clients to use that in the URL - but it might solve your dilemma.

USERNAME is just a standard string that ISE displays when it doesn't want to reveal the real username. By default, failed authentications have their username obfuscated with the string 'USERNAME' to protect the innocent (e.g. a user accidentally entering their password into the username field ... it happens )

You can reveal the username by navigating to Administration > System > Settings > Security Settings 

invalid usernames.png

MHM Cisco World
VIP
VIP
In response to Arne Bier

‎05-23-2023 01:19 PM

Not issue with username only'

The user is fialed to auth to Asa via ISE.

So I think he under some ddos. 

0 Helpful

anthony.mchie
Level 1
Level 1

‎05-23-2023 01:21 PM

@Arne Bier That's going to help quite a bit. Thank you!

0 Helpful
Customers Also Viewed These Support Documents