Nessus Scan - results in MX crash

JF1
Getting noticed

Nessus Scan - results in MX crash

When performing a Nessus security scan, our MX250 appliance becomes unresponsive and crashes. 

We have noted that if we disable IPS / IDS this behaviour does not occur.

Therefore whilst the scan was running we disabled IPS / IDS and have since re-enabled. 

However we don't believe this is normal behaviour.

 

Does anyone have any experience of this? We do have a ticket open with Meraki support however feedback to date hasn't been helpful.

 

thanks in advance

13 REPLIES 13
BrandonS
Kind of a big deal

Might be worth submitting here? https://bugcrowd.com/ciscomeraki

 

 

- Ex community all-star (⌐⊙_⊙)
PhilipDAth
Kind of a big deal
Kind of a big deal

Are you running the current stable firmware?

 

If so, I would open a support case and log a bug.  That could be used for a classic denial of service.

I'd open a case even if I was running a Beta release. Something that mustn't happen IMO.

100% agreed; if they've found a possible DoS vector, I want to ensure this gets the attention it deserves.

AlexP
Meraki Employee
Meraki Employee

We take all possible DoS vectors seriously, so if you're still running into issues with this, please post your case number, and I'll try to follow up internally.

JF1
Getting noticed

We do have an open case reference 07832365

StevePhipps
Comes here often

We recently ran a Nessus scan across our entire inside 10 subnet and internal traffic slowed to less than 1/3. Once the scan was stopped, the issue disappeared. Has anyone heard anything more about this issue? I don't have access to the ticket mentioned above.

JF1
Getting noticed

For those interested some further feedback on this issue. The firmware we are running 16.16 - there are some known issues relating to IPS / IDS that can result in a memory leak and hardware crash. A new firmware release is expected early June that addresses this issue. Also, in regards to StevePhipps comment - from our experience when the scan was ran there are a number of "connections" initiated to the security appliances (prior to the scan under BAU this connection count was around 100k, when we initiated the scan this jumped to over 500k), these "connections" lead to an increase in CPU and memory usage and in our scenario this led to a drop in performance. 

Was this ever resolved for you? Was the scan of the actual appliance IP or was the scan running through it?

 

We recently transitioned from a vMX100 to a vMX-Medium running in Azure. We have been having an issue where, once a week, it just locks up and needs to be restarted via the Azure console. It is unreachable from the Meraki console. It happens a few minutes after a scheduled Nessus scan. That scan does not scan the vMX IPs but runs through the S2S VPN for some portions. We're not yet sure if this is the root cause. I opened a ticket with Meraki but haven't received a response after 48 hours!

Scan included Meraki VPN hub sites. Fix was to exclude those. Only scanning assets in the two data centers now. Haven't tried this again out of caution.

JF1
Getting noticed

Our issue appeared to be resolved by a firmware upgrade. The issue first started occurring on security appliances running firmware 16.16. Meraki advised there were known issues in this version relating to memory leaks in certain scenarios that resulted in the appliance failing. Following lengthy discussions and analysis from meraki we upgraded to MX16.16.3 and touch wood since we havent had any further repeats (we have carried out 2 Nessus scans across all networks including hubs). During our discussions Meraki support did also mention they have means to temporarily whitelist IP addresses of scanners to alleviate potential knock on compute complications on security appliances - in our scenario this ultimately wasnt required however it may be an option. Id suggest chasing Meraki...

CptnCrnch
Kind of a big deal
Kind of a big deal

Thanks for letting us know! Very interesting finding 👍

jbrotschul1
Conversationalist

We have this issue as well.  MX450's acting as vpn concentrators in 1-armed mode running latest firmware.  The issue is actually the 'frames per second' table maximum of 500k is reached when scanning through to the branch locations.  When the FPS table is maxed it causes major performance degradation.  There's no solution support has provided other than to add more MXs and split up our remote auto-vpns to multiple concentrators to try and limit the impact.  We have about 150 branch locations.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels