Monday, April 6, 2020

Anyone else's infosec department using Tenable Vulnerability Scans?

We use Tenable throughout the entire scope of our enterprise networking environment, mostly without issue.

When it comes to scanning our corporate environment, we've been having a lot of issues out of the scan. Our corp office consists of a 2 x 6807xl VSS core and 2960x 15.2(7)E0a stacks for the access layer, and the Nessus scanner is only scanning the management interfaces of the network equipment. There are no firewalls that it is scanning through.

I dove into all the logging and NetFlow information I could, and it appears that as soon as the Nessus scanner starts the SYN part of the scan, the switches start throwing spanning-tree PVID inconsistency errors or "SSTP BPDU with bad TLV" errors. The VSS attempts to mitigate whatever causes this by blocking and unblocking VLANs on the aggregate links (LACP active) to no avail, and within 4 minutes of the scanner starting, I get switches that begin crashing and throwing traceback and IPC errors, which renders the switch unmanageable/inaccessible and stops it forwarding traffic.

Also, from what I can gauge, the SYN scanner seems to be doing an "all at once" scan, and it looks very aggressive. Infosec manages the Tenable/Nessus scanners themselves.

This is a reproducible issue with the scanners, and I'm waiting to hear what TAC has to say about it. Has anyone else had issues like this, where a Nessus or port scanner basically crashes switch stacks?
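One way to do the correlation described above (pin the scan start from NetFlow, then count the spanning-tree errors that follow it in syslog), as an added example that is not part of the original post: the syslog lines and flow records are constructed, modelled on IOS message formats, and the scanner address 10.0.0.50 and the 4-minute window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

YEAR = 2020  # IOS syslog omits the year; assumed for this constructed sample

# Constructed syslog sample (hostnames, ports and times are made up).
SYSLOG = """\
Apr  6 09:00:02 corp-acc-01 %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 10 on GigabitEthernet1/0/48 VLAN20.
Apr  6 09:00:03 corp-acc-01 %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/48 on VLAN0020. Inconsistent peer vlan.
Apr  6 09:00:05 corp-acc-02 %SPANTREE-2-RECV_BAD_TLV: Received SSTP BPDU with bad TLV on GigabitEthernet2/0/47 VLAN20.
Apr  6 09:00:40 corp-acc-01 %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/48 on VLAN0020. Port consistency restored.
Apr  6 10:30:00 corp-acc-03 %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 10 on GigabitEthernet3/0/1 VLAN30.
"""

# Constructed NetFlow records: (flow start, src, dst, dst port, TCP flags).
# "S" = SYN-only flow, the fingerprint of a SYN scan; 10.0.0.50 is the assumed scanner.
NETFLOW = [
    ("2020-04-06 08:59:58", "10.0.0.50", "10.10.1.2", 22, "S"),
    ("2020-04-06 08:59:58", "10.0.0.50", "10.10.1.3", 22, "S"),
    ("2020-04-06 08:59:58", "10.0.0.50", "10.10.1.4", 443, "S"),
    ("2020-04-06 08:59:59", "10.0.0.50", "10.10.1.5", 161, "S"),
    ("2020-04-06 09:15:00", "10.0.0.7", "10.10.1.2", 22, "SA"),  # normal admin SSH
]

LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) %SPANTREE-\d-(\w+):")

def parse_syslog(text):
    """Yield (timestamp, host, mnemonic) for SPANTREE messages only."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=YEAR)
            yield ts, m.group(2), m.group(3)

def scan_start(flows, scanner, min_targets=3, window=timedelta(seconds=2)):
    """First time `scanner` opens SYN-only flows to >= min_targets distinct hosts within `window`."""
    syns = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), dst)
                  for t, src, dst, _, flags in flows if src == scanner and flags == "S")
    for i, (t0, _) in enumerate(syns):
        targets = {d for t, d in syns[i:] if t - t0 <= window}
        if len(targets) >= min_targets:
            return t0
    return None

def stp_errors_after(events, start, window=timedelta(minutes=4)):
    """Count SPANTREE messages per mnemonic that land in the window after the scan starts."""
    return Counter(m for ts, _, m in events if start <= ts <= start + window)
```

Running `stp_errors_after(parse_syslog(SYSLOG), scan_start(NETFLOW, "10.0.0.50"))` attributes the four messages in the first minute to the scan and leaves the unrelated 10:30 error out, which is the evidence to hand TAC alongside the scanner's policy settings.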
